1 diff -urNp linux-2.6.38.6/arch/alpha/include/asm/dma-mapping.h linux-2.6.38.6/arch/alpha/include/asm/dma-mapping.h
2 --- linux-2.6.38.6/arch/alpha/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
3 +++ linux-2.6.38.6/arch/alpha/include/asm/dma-mapping.h 2011-04-28 19:34:14.000000000 -0400
6 #include <linux/dma-attrs.h>
8 -extern struct dma_map_ops *dma_ops;
9 +extern const struct dma_map_ops *dma_ops;
11 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
12 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
16 diff -urNp linux-2.6.38.6/arch/alpha/include/asm/elf.h linux-2.6.38.6/arch/alpha/include/asm/elf.h
17 --- linux-2.6.38.6/arch/alpha/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
18 +++ linux-2.6.38.6/arch/alpha/include/asm/elf.h 2011-04-28 19:34:14.000000000 -0400
19 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
21 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
23 +#ifdef CONFIG_PAX_ASLR
24 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
26 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
30 /* $0 is set by ld.so to a pointer to a function which might be
31 registered using atexit. This provides a mean for the dynamic
32 linker to call DT_FINI functions for shared libraries that have
33 diff -urNp linux-2.6.38.6/arch/alpha/include/asm/pgtable.h linux-2.6.38.6/arch/alpha/include/asm/pgtable.h
34 --- linux-2.6.38.6/arch/alpha/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
35 +++ linux-2.6.38.6/arch/alpha/include/asm/pgtable.h 2011-04-28 19:34:14.000000000 -0400
36 @@ -101,6 +101,17 @@ struct vm_area_struct;
37 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
38 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
39 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
41 +#ifdef CONFIG_PAX_PAGEEXEC
42 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
43 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
44 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
46 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
47 +# define PAGE_COPY_NOEXEC PAGE_COPY
48 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
51 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
53 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
54 diff -urNp linux-2.6.38.6/arch/alpha/kernel/module.c linux-2.6.38.6/arch/alpha/kernel/module.c
55 --- linux-2.6.38.6/arch/alpha/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
56 +++ linux-2.6.38.6/arch/alpha/kernel/module.c 2011-04-28 19:34:14.000000000 -0400
57 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
59 /* The small sections were sorted to the end of the segment.
60 The following should definitely cover them. */
61 - gp = (u64)me->module_core + me->core_size - 0x8000;
62 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
63 got = sechdrs[me->arch.gotsecindex].sh_addr;
65 for (i = 0; i < n; i++) {
66 diff -urNp linux-2.6.38.6/arch/alpha/kernel/osf_sys.c linux-2.6.38.6/arch/alpha/kernel/osf_sys.c
67 --- linux-2.6.38.6/arch/alpha/kernel/osf_sys.c 2011-03-14 21:20:32.000000000 -0400
68 +++ linux-2.6.38.6/arch/alpha/kernel/osf_sys.c 2011-04-28 19:34:14.000000000 -0400
69 @@ -1162,7 +1162,7 @@ arch_get_unmapped_area_1(unsigned long a
70 /* At this point: (!vma || addr < vma->vm_end). */
71 if (limit - len < addr)
73 - if (!vma || addr + len <= vma->vm_start)
74 + if (check_heap_stack_gap(vma, addr, len))
78 @@ -1198,6 +1198,10 @@ arch_get_unmapped_area(struct file *filp
79 merely specific addresses, but regions of memory -- perhaps
80 this feature should be incorporated into all ports? */
82 +#ifdef CONFIG_PAX_RANDMMAP
83 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
87 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
88 if (addr != (unsigned long) -ENOMEM)
89 @@ -1205,8 +1209,8 @@ arch_get_unmapped_area(struct file *filp
92 /* Next, try allocating at TASK_UNMAPPED_BASE. */
93 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
95 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
97 if (addr != (unsigned long) -ENOMEM)
100 diff -urNp linux-2.6.38.6/arch/alpha/kernel/pci_iommu.c linux-2.6.38.6/arch/alpha/kernel/pci_iommu.c
101 --- linux-2.6.38.6/arch/alpha/kernel/pci_iommu.c 2011-03-14 21:20:32.000000000 -0400
102 +++ linux-2.6.38.6/arch/alpha/kernel/pci_iommu.c 2011-04-28 19:34:14.000000000 -0400
103 @@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev
107 -struct dma_map_ops alpha_pci_ops = {
108 +const struct dma_map_ops alpha_pci_ops = {
109 .alloc_coherent = alpha_pci_alloc_coherent,
110 .free_coherent = alpha_pci_free_coherent,
111 .map_page = alpha_pci_map_page,
112 @@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = {
113 .set_dma_mask = alpha_pci_set_mask,
116 -struct dma_map_ops *dma_ops = &alpha_pci_ops;
117 +const struct dma_map_ops *dma_ops = &alpha_pci_ops;
118 EXPORT_SYMBOL(dma_ops);
119 diff -urNp linux-2.6.38.6/arch/alpha/kernel/pci-noop.c linux-2.6.38.6/arch/alpha/kernel/pci-noop.c
120 --- linux-2.6.38.6/arch/alpha/kernel/pci-noop.c 2011-03-14 21:20:32.000000000 -0400
121 +++ linux-2.6.38.6/arch/alpha/kernel/pci-noop.c 2011-04-28 19:34:14.000000000 -0400
122 @@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de
126 -struct dma_map_ops alpha_noop_ops = {
127 +const struct dma_map_ops alpha_noop_ops = {
128 .alloc_coherent = alpha_noop_alloc_coherent,
129 .free_coherent = alpha_noop_free_coherent,
130 .map_page = alpha_noop_map_page,
131 @@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = {
132 .set_dma_mask = alpha_noop_set_mask,
135 -struct dma_map_ops *dma_ops = &alpha_noop_ops;
136 +const struct dma_map_ops *dma_ops = &alpha_noop_ops;
137 EXPORT_SYMBOL(dma_ops);
139 void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen)
140 diff -urNp linux-2.6.38.6/arch/alpha/mm/fault.c linux-2.6.38.6/arch/alpha/mm/fault.c
141 --- linux-2.6.38.6/arch/alpha/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
142 +++ linux-2.6.38.6/arch/alpha/mm/fault.c 2011-04-28 19:34:14.000000000 -0400
143 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
144 __reload_thread(pcb);
147 +#ifdef CONFIG_PAX_PAGEEXEC
149 + * PaX: decide what to do with offenders (regs->pc = fault address)
151 + * returns 1 when task should be killed
152 + * 2 when patched PLT trampoline was detected
153 + * 3 when unpatched PLT trampoline was detected
155 +static int pax_handle_fetch_fault(struct pt_regs *regs)
158 +#ifdef CONFIG_PAX_EMUPLT
161 + do { /* PaX: patched PLT emulation #1 */
162 + unsigned int ldah, ldq, jmp;
164 + err = get_user(ldah, (unsigned int *)regs->pc);
165 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
166 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
171 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
172 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
173 + jmp == 0x6BFB0000U)
175 + unsigned long r27, addr;
176 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
177 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
179 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
180 + err = get_user(r27, (unsigned long *)addr);
190 + do { /* PaX: patched PLT emulation #2 */
191 + unsigned int ldah, lda, br;
193 + err = get_user(ldah, (unsigned int *)regs->pc);
194 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
195 + err |= get_user(br, (unsigned int *)(regs->pc+8));
200 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
201 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
202 + (br & 0xFFE00000U) == 0xC3E00000U)
204 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
205 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
206 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
208 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
209 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
214 + do { /* PaX: unpatched PLT emulation */
217 + err = get_user(br, (unsigned int *)regs->pc);
219 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
220 + unsigned int br2, ldq, nop, jmp;
221 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
223 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
224 + err = get_user(br2, (unsigned int *)addr);
225 + err |= get_user(ldq, (unsigned int *)(addr+4));
226 + err |= get_user(nop, (unsigned int *)(addr+8));
227 + err |= get_user(jmp, (unsigned int *)(addr+12));
228 + err |= get_user(resolver, (unsigned long *)(addr+16));
233 + if (br2 == 0xC3600000U &&
234 + ldq == 0xA77B000CU &&
235 + nop == 0x47FF041FU &&
236 + jmp == 0x6B7B0000U)
238 + regs->r28 = regs->pc+4;
239 + regs->r27 = addr+16;
240 + regs->pc = resolver;
250 +void pax_report_insns(void *pc, void *sp)
254 + printk(KERN_ERR "PAX: bytes at PC: ");
255 + for (i = 0; i < 5; i++) {
257 + if (get_user(c, (unsigned int *)pc+i))
258 + printk(KERN_CONT "???????? ");
260 + printk(KERN_CONT "%08x ", c);
267 * This routine handles page faults. It determines the address,
268 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
270 si_code = SEGV_ACCERR;
272 - if (!(vma->vm_flags & VM_EXEC))
273 + if (!(vma->vm_flags & VM_EXEC)) {
275 +#ifdef CONFIG_PAX_PAGEEXEC
276 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
279 + up_read(&mm->mmap_sem);
280 + switch (pax_handle_fetch_fault(regs)) {
282 +#ifdef CONFIG_PAX_EMUPLT
289 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
290 + do_group_exit(SIGKILL);
297 /* Allow reads even for write-only mappings */
298 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
299 diff -urNp linux-2.6.38.6/arch/arm/include/asm/elf.h linux-2.6.38.6/arch/arm/include/asm/elf.h
300 --- linux-2.6.38.6/arch/arm/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
301 +++ linux-2.6.38.6/arch/arm/include/asm/elf.h 2011-04-28 19:34:14.000000000 -0400
302 @@ -115,7 +115,14 @@ int dump_task_regs(struct task_struct *t
303 the loader. We need to make sure that it is out of the way of the program
304 that it will "exec", and that there is sufficient room for the brk. */
306 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
307 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
309 +#ifdef CONFIG_PAX_ASLR
310 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
312 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
313 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
316 /* When the program starts, a1 contains a pointer to a function to be
317 registered with atexit, as per the SVR4 ABI. A value of 0 means we
318 @@ -125,10 +132,6 @@ int dump_task_regs(struct task_struct *t
319 extern void elf_set_personality(const struct elf32_hdr *);
320 #define SET_PERSONALITY(ex) elf_set_personality(&(ex))
323 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
324 -#define arch_randomize_brk arch_randomize_brk
326 extern int vectors_user_mapping(void);
327 #define arch_setup_additional_pages(bprm, uses_interp) vectors_user_mapping()
328 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES
329 diff -urNp linux-2.6.38.6/arch/arm/include/asm/kmap_types.h linux-2.6.38.6/arch/arm/include/asm/kmap_types.h
330 --- linux-2.6.38.6/arch/arm/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
331 +++ linux-2.6.38.6/arch/arm/include/asm/kmap_types.h 2011-04-28 19:34:14.000000000 -0400
332 @@ -21,6 +21,7 @@ enum km_type {
340 diff -urNp linux-2.6.38.6/arch/arm/include/asm/uaccess.h linux-2.6.38.6/arch/arm/include/asm/uaccess.h
341 --- linux-2.6.38.6/arch/arm/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
342 +++ linux-2.6.38.6/arch/arm/include/asm/uaccess.h 2011-04-28 19:34:14.000000000 -0400
343 @@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
345 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
350 if (access_ok(VERIFY_READ, from, n))
351 n = __copy_from_user(to, from, n);
352 else /* security hole - plug it */
353 @@ -412,6 +415,9 @@ static inline unsigned long __must_check
355 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
360 if (access_ok(VERIFY_WRITE, to, n))
361 n = __copy_to_user(to, from, n);
363 diff -urNp linux-2.6.38.6/arch/arm/kernel/kgdb.c linux-2.6.38.6/arch/arm/kernel/kgdb.c
364 --- linux-2.6.38.6/arch/arm/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
365 +++ linux-2.6.38.6/arch/arm/kernel/kgdb.c 2011-04-28 19:34:14.000000000 -0400
366 @@ -246,7 +246,7 @@ void kgdb_arch_exit(void)
367 * and we handle the normal undef case within the do_undefinstr
370 -struct kgdb_arch arch_kgdb_ops = {
371 +const struct kgdb_arch arch_kgdb_ops = {
373 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
374 #else /* ! __ARMEB__ */
375 diff -urNp linux-2.6.38.6/arch/arm/kernel/process.c linux-2.6.38.6/arch/arm/kernel/process.c
376 --- linux-2.6.38.6/arch/arm/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
377 +++ linux-2.6.38.6/arch/arm/kernel/process.c 2011-04-28 19:34:14.000000000 -0400
379 #include <linux/tick.h>
380 #include <linux/utsname.h>
381 #include <linux/uaccess.h>
382 -#include <linux/random.h>
383 #include <linux/hw_breakpoint.h>
385 #include <asm/cacheflush.h>
386 @@ -477,12 +476,6 @@ unsigned long get_wchan(struct task_stru
390 -unsigned long arch_randomize_brk(struct mm_struct *mm)
392 - unsigned long range_end = mm->brk + 0x02000000;
393 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
398 * The vectors page is always readable from user space for the
399 diff -urNp linux-2.6.38.6/arch/arm/mach-msm/last_radio_log.c linux-2.6.38.6/arch/arm/mach-msm/last_radio_log.c
400 --- linux-2.6.38.6/arch/arm/mach-msm/last_radio_log.c 2011-03-14 21:20:32.000000000 -0400
401 +++ linux-2.6.38.6/arch/arm/mach-msm/last_radio_log.c 2011-04-28 19:34:14.000000000 -0400
402 @@ -47,7 +47,7 @@ static ssize_t last_radio_log_read(struc
406 -static struct file_operations last_radio_log_fops = {
407 +static struct file_operations last_radio_log_fops = { /* cannot be const, see msm_init_last_radio_log */
408 .read = last_radio_log_read,
409 .llseek = default_llseek,
411 diff -urNp linux-2.6.38.6/arch/arm/mach-ux500/mbox-db5500.c linux-2.6.38.6/arch/arm/mach-ux500/mbox-db5500.c
412 --- linux-2.6.38.6/arch/arm/mach-ux500/mbox-db5500.c 2011-03-14 21:20:32.000000000 -0400
413 +++ linux-2.6.38.6/arch/arm/mach-ux500/mbox-db5500.c 2011-04-28 19:34:14.000000000 -0400
414 @@ -168,7 +168,7 @@ static ssize_t mbox_read_fifo(struct dev
415 return sprintf(buf, "0x%X\n", mbox_value);
418 -static DEVICE_ATTR(fifo, S_IWUGO | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
419 +static DEVICE_ATTR(fifo, S_IWUSR | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
421 static int mbox_show(struct seq_file *s, void *data)
423 diff -urNp linux-2.6.38.6/arch/arm/mm/fault.c linux-2.6.38.6/arch/arm/mm/fault.c
424 --- linux-2.6.38.6/arch/arm/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
425 +++ linux-2.6.38.6/arch/arm/mm/fault.c 2011-04-28 19:34:14.000000000 -0400
426 @@ -167,6 +167,13 @@ __do_user_fault(struct task_struct *tsk,
430 +#ifdef CONFIG_PAX_PAGEEXEC
431 + if (fsr & FSR_LNX_PF) {
432 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
433 + do_group_exit(SIGKILL);
437 tsk->thread.address = addr;
438 tsk->thread.error_code = fsr;
439 tsk->thread.trap_no = 14;
440 @@ -364,6 +371,33 @@ do_page_fault(unsigned long addr, unsign
442 #endif /* CONFIG_MMU */
444 +#ifdef CONFIG_PAX_PAGEEXEC
445 +void pax_report_insns(void *pc, void *sp)
449 + printk(KERN_ERR "PAX: bytes at PC: ");
450 + for (i = 0; i < 20; i++) {
452 + if (get_user(c, (__force unsigned char __user *)pc+i))
453 + printk(KERN_CONT "?? ");
455 + printk(KERN_CONT "%02x ", c);
459 + printk(KERN_ERR "PAX: bytes at SP-4: ");
460 + for (i = -1; i < 20; i++) {
462 + if (get_user(c, (__force unsigned long __user *)sp+i))
463 + printk(KERN_CONT "???????? ");
465 + printk(KERN_CONT "%08lx ", c);
472 * First Level Translation Fault Handler
474 diff -urNp linux-2.6.38.6/arch/arm/mm/mmap.c linux-2.6.38.6/arch/arm/mm/mmap.c
475 --- linux-2.6.38.6/arch/arm/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
476 +++ linux-2.6.38.6/arch/arm/mm/mmap.c 2011-04-28 19:34:14.000000000 -0400
477 @@ -64,6 +64,10 @@ arch_get_unmapped_area(struct file *filp
481 +#ifdef CONFIG_PAX_RANDMMAP
482 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
487 addr = COLOUR_ALIGN(addr, pgoff);
488 @@ -71,15 +75,14 @@ arch_get_unmapped_area(struct file *filp
489 addr = PAGE_ALIGN(addr);
491 vma = find_vma(mm, addr);
492 - if (TASK_SIZE - len >= addr &&
493 - (!vma || addr + len <= vma->vm_start))
494 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
497 if (len > mm->cached_hole_size) {
498 - start_addr = addr = mm->free_area_cache;
499 + start_addr = addr = mm->free_area_cache;
501 - start_addr = addr = TASK_UNMAPPED_BASE;
502 - mm->cached_hole_size = 0;
503 + start_addr = addr = mm->mmap_base;
504 + mm->cached_hole_size = 0;
506 /* 8 bits of randomness in 20 address space bits */
507 if (current->flags & PF_RANDOMIZE)
508 @@ -98,14 +101,14 @@ full_search:
509 * Start a new search - just in case we missed
512 - if (start_addr != TASK_UNMAPPED_BASE) {
513 - start_addr = addr = TASK_UNMAPPED_BASE;
514 + if (start_addr != mm->mmap_base) {
515 + start_addr = addr = mm->mmap_base;
516 mm->cached_hole_size = 0;
521 - if (!vma || addr + len <= vma->vm_start) {
522 + if (check_heap_stack_gap(vma, addr, len)) {
524 * Remember the place where we stopped the search:
526 diff -urNp linux-2.6.38.6/arch/avr32/include/asm/elf.h linux-2.6.38.6/arch/avr32/include/asm/elf.h
527 --- linux-2.6.38.6/arch/avr32/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
528 +++ linux-2.6.38.6/arch/avr32/include/asm/elf.h 2011-04-28 19:34:14.000000000 -0400
529 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
530 the loader. We need to make sure that it is out of the way of the program
531 that it will "exec", and that there is sufficient room for the brk. */
533 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
534 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
536 +#ifdef CONFIG_PAX_ASLR
537 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
539 +#define PAX_DELTA_MMAP_LEN 15
540 +#define PAX_DELTA_STACK_LEN 15
543 /* This yields a mask that user programs can use to figure out what
544 instruction set this CPU supports. This could be done in user space,
545 diff -urNp linux-2.6.38.6/arch/avr32/include/asm/kmap_types.h linux-2.6.38.6/arch/avr32/include/asm/kmap_types.h
546 --- linux-2.6.38.6/arch/avr32/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
547 +++ linux-2.6.38.6/arch/avr32/include/asm/kmap_types.h 2011-04-28 19:34:14.000000000 -0400
548 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
558 diff -urNp linux-2.6.38.6/arch/avr32/mm/fault.c linux-2.6.38.6/arch/avr32/mm/fault.c
559 --- linux-2.6.38.6/arch/avr32/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
560 +++ linux-2.6.38.6/arch/avr32/mm/fault.c 2011-04-28 19:34:14.000000000 -0400
561 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
563 int exception_trace = 1;
565 +#ifdef CONFIG_PAX_PAGEEXEC
566 +void pax_report_insns(void *pc, void *sp)
570 + printk(KERN_ERR "PAX: bytes at PC: ");
571 + for (i = 0; i < 20; i++) {
573 + if (get_user(c, (unsigned char *)pc+i))
574 + printk(KERN_CONT "???????? ");
576 + printk(KERN_CONT "%02x ", c);
583 * This routine handles page faults. It determines the address and the
584 * problem, and then passes it off to one of the appropriate routines.
585 @@ -156,6 +173,16 @@ bad_area:
586 up_read(&mm->mmap_sem);
588 if (user_mode(regs)) {
590 +#ifdef CONFIG_PAX_PAGEEXEC
591 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
592 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
593 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
594 + do_group_exit(SIGKILL);
599 if (exception_trace && printk_ratelimit())
600 printk("%s%s[%d]: segfault at %08lx pc %08lx "
601 "sp %08lx ecr %lu\n",
602 diff -urNp linux-2.6.38.6/arch/blackfin/kernel/kgdb.c linux-2.6.38.6/arch/blackfin/kernel/kgdb.c
603 --- linux-2.6.38.6/arch/blackfin/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
604 +++ linux-2.6.38.6/arch/blackfin/kernel/kgdb.c 2011-04-28 19:34:14.000000000 -0400
605 @@ -420,7 +420,7 @@ int kgdb_arch_handle_exception(int vecto
606 return -1; /* this means that we do not want to exit from the handler */
609 -struct kgdb_arch arch_kgdb_ops = {
610 +const struct kgdb_arch arch_kgdb_ops = {
611 .gdb_bpt_instr = {0xa1},
613 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
614 diff -urNp linux-2.6.38.6/arch/blackfin/mm/maccess.c linux-2.6.38.6/arch/blackfin/mm/maccess.c
615 --- linux-2.6.38.6/arch/blackfin/mm/maccess.c 2011-03-14 21:20:32.000000000 -0400
616 +++ linux-2.6.38.6/arch/blackfin/mm/maccess.c 2011-04-28 19:34:14.000000000 -0400
617 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
618 return bfin_mem_access_type(addr, size);
621 -long probe_kernel_read(void *dst, void *src, size_t size)
622 +long probe_kernel_read(void *dst, const void *src, size_t size)
624 unsigned long lsrc = (unsigned long)src;
626 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
630 -long probe_kernel_write(void *dst, void *src, size_t size)
631 +long probe_kernel_write(void *dst, const void *src, size_t size)
633 unsigned long ldst = (unsigned long)dst;
635 diff -urNp linux-2.6.38.6/arch/frv/include/asm/kmap_types.h linux-2.6.38.6/arch/frv/include/asm/kmap_types.h
636 --- linux-2.6.38.6/arch/frv/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
637 +++ linux-2.6.38.6/arch/frv/include/asm/kmap_types.h 2011-04-28 19:34:14.000000000 -0400
638 @@ -23,6 +23,7 @@ enum km_type {
646 diff -urNp linux-2.6.38.6/arch/frv/mm/elf-fdpic.c linux-2.6.38.6/arch/frv/mm/elf-fdpic.c
647 --- linux-2.6.38.6/arch/frv/mm/elf-fdpic.c 2011-03-14 21:20:32.000000000 -0400
648 +++ linux-2.6.38.6/arch/frv/mm/elf-fdpic.c 2011-04-28 19:34:14.000000000 -0400
649 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
651 addr = PAGE_ALIGN(addr);
652 vma = find_vma(current->mm, addr);
653 - if (TASK_SIZE - len >= addr &&
654 - (!vma || addr + len <= vma->vm_start))
655 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
659 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
660 for (; vma; vma = vma->vm_next) {
663 - if (addr + len <= vma->vm_start)
664 + if (check_heap_stack_gap(vma, addr, len))
668 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
669 for (; vma; vma = vma->vm_next) {
672 - if (addr + len <= vma->vm_start)
673 + if (check_heap_stack_gap(vma, addr, len))
677 diff -urNp linux-2.6.38.6/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.38.6/arch/ia64/hp/common/hwsw_iommu.c
678 --- linux-2.6.38.6/arch/ia64/hp/common/hwsw_iommu.c 2011-03-14 21:20:32.000000000 -0400
679 +++ linux-2.6.38.6/arch/ia64/hp/common/hwsw_iommu.c 2011-04-28 19:34:14.000000000 -0400
681 #include <linux/swiotlb.h>
682 #include <asm/machvec.h>
684 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
685 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
687 /* swiotlb declarations & definitions: */
688 extern int swiotlb_late_init_with_default_size (size_t size);
689 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
690 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
693 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
694 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
696 if (use_swiotlb(dev))
697 return &swiotlb_dma_ops;
698 diff -urNp linux-2.6.38.6/arch/ia64/hp/common/sba_iommu.c linux-2.6.38.6/arch/ia64/hp/common/sba_iommu.c
699 --- linux-2.6.38.6/arch/ia64/hp/common/sba_iommu.c 2011-03-14 21:20:32.000000000 -0400
700 +++ linux-2.6.38.6/arch/ia64/hp/common/sba_iommu.c 2011-04-28 19:34:14.000000000 -0400
701 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
705 -extern struct dma_map_ops swiotlb_dma_ops;
706 +extern const struct dma_map_ops swiotlb_dma_ops;
710 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
712 __setup("sbapagesize=",sba_page_override);
714 -struct dma_map_ops sba_dma_ops = {
715 +const struct dma_map_ops sba_dma_ops = {
716 .alloc_coherent = sba_alloc_coherent,
717 .free_coherent = sba_free_coherent,
718 .map_page = sba_map_page,
719 diff -urNp linux-2.6.38.6/arch/ia64/include/asm/dma-mapping.h linux-2.6.38.6/arch/ia64/include/asm/dma-mapping.h
720 --- linux-2.6.38.6/arch/ia64/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
721 +++ linux-2.6.38.6/arch/ia64/include/asm/dma-mapping.h 2011-04-28 19:34:14.000000000 -0400
724 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
726 -extern struct dma_map_ops *dma_ops;
727 +extern const struct dma_map_ops *dma_ops;
728 extern struct ia64_machine_vector ia64_mv;
729 extern void set_iommu_machvec(void);
731 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
732 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
733 dma_addr_t *daddr, gfp_t gfp)
735 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
736 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
739 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
740 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
741 static inline void dma_free_coherent(struct device *dev, size_t size,
742 void *caddr, dma_addr_t daddr)
744 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
745 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
746 debug_dma_free_coherent(dev, size, caddr, daddr);
747 ops->free_coherent(dev, size, caddr, daddr);
749 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
751 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
753 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
754 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
755 return ops->mapping_error(dev, daddr);
758 static inline int dma_supported(struct device *dev, u64 mask)
760 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
761 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
762 return ops->dma_supported(dev, mask);
765 diff -urNp linux-2.6.38.6/arch/ia64/include/asm/elf.h linux-2.6.38.6/arch/ia64/include/asm/elf.h
766 --- linux-2.6.38.6/arch/ia64/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
767 +++ linux-2.6.38.6/arch/ia64/include/asm/elf.h 2011-04-28 19:34:14.000000000 -0400
770 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
772 +#ifdef CONFIG_PAX_ASLR
773 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
775 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
776 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
779 #define PT_IA_64_UNWIND 0x70000001
781 /* IA-64 relocations: */
782 diff -urNp linux-2.6.38.6/arch/ia64/include/asm/machvec.h linux-2.6.38.6/arch/ia64/include/asm/machvec.h
783 --- linux-2.6.38.6/arch/ia64/include/asm/machvec.h 2011-03-14 21:20:32.000000000 -0400
784 +++ linux-2.6.38.6/arch/ia64/include/asm/machvec.h 2011-04-28 19:34:14.000000000 -0400
785 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
786 /* DMA-mapping interface: */
787 typedef void ia64_mv_dma_init (void);
788 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
789 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
790 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
793 * WARNING: The legacy I/O space is _architected_. Platforms are
794 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
795 # endif /* CONFIG_IA64_GENERIC */
797 extern void swiotlb_dma_init(void);
798 -extern struct dma_map_ops *dma_get_ops(struct device *);
799 +extern const struct dma_map_ops *dma_get_ops(struct device *);
802 * Define default versions so we can extend machvec for new platforms without having
803 diff -urNp linux-2.6.38.6/arch/ia64/include/asm/pgtable.h linux-2.6.38.6/arch/ia64/include/asm/pgtable.h
804 --- linux-2.6.38.6/arch/ia64/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
805 +++ linux-2.6.38.6/arch/ia64/include/asm/pgtable.h 2011-04-28 19:34:14.000000000 -0400
807 * David Mosberger-Tang <davidm@hpl.hp.com>
811 +#include <linux/const.h>
812 #include <asm/mman.h>
813 #include <asm/page.h>
814 #include <asm/processor.h>
816 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
817 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
818 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
820 +#ifdef CONFIG_PAX_PAGEEXEC
821 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
822 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
823 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
825 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
826 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
827 +# define PAGE_COPY_NOEXEC PAGE_COPY
830 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
831 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
832 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
833 diff -urNp linux-2.6.38.6/arch/ia64/include/asm/spinlock.h linux-2.6.38.6/arch/ia64/include/asm/spinlock.h
834 --- linux-2.6.38.6/arch/ia64/include/asm/spinlock.h 2011-03-14 21:20:32.000000000 -0400
835 +++ linux-2.6.38.6/arch/ia64/include/asm/spinlock.h 2011-04-28 19:34:14.000000000 -0400
836 @@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
837 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
839 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
840 - ACCESS_ONCE(*p) = (tmp + 2) & ~1;
841 + ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
844 static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock)
845 diff -urNp linux-2.6.38.6/arch/ia64/include/asm/uaccess.h linux-2.6.38.6/arch/ia64/include/asm/uaccess.h
846 --- linux-2.6.38.6/arch/ia64/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
847 +++ linux-2.6.38.6/arch/ia64/include/asm/uaccess.h 2011-04-28 19:34:14.000000000 -0400
848 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
849 const void *__cu_from = (from); \
850 long __cu_len = (n); \
852 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
853 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
854 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
857 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
858 long __cu_len = (n); \
860 __chk_user_ptr(__cu_from); \
861 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
862 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
863 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
866 diff -urNp linux-2.6.38.6/arch/ia64/kernel/dma-mapping.c linux-2.6.38.6/arch/ia64/kernel/dma-mapping.c
867 --- linux-2.6.38.6/arch/ia64/kernel/dma-mapping.c 2011-03-14 21:20:32.000000000 -0400
868 +++ linux-2.6.38.6/arch/ia64/kernel/dma-mapping.c 2011-04-28 19:34:14.000000000 -0400
870 /* Set this to 1 if there is a HW IOMMU in the system */
871 int iommu_detected __read_mostly;
873 -struct dma_map_ops *dma_ops;
874 +const struct dma_map_ops *dma_ops;
875 EXPORT_SYMBOL(dma_ops);
877 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
878 @@ -16,7 +16,7 @@ static int __init dma_init(void)
880 fs_initcall(dma_init);
882 -struct dma_map_ops *dma_get_ops(struct device *dev)
883 +const struct dma_map_ops *dma_get_ops(struct device *dev)
887 diff -urNp linux-2.6.38.6/arch/ia64/kernel/module.c linux-2.6.38.6/arch/ia64/kernel/module.c
888 --- linux-2.6.38.6/arch/ia64/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
889 +++ linux-2.6.38.6/arch/ia64/kernel/module.c 2011-04-28 19:34:14.000000000 -0400
890 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
892 module_free (struct module *mod, void *module_region)
894 - if (mod && mod->arch.init_unw_table &&
895 - module_region == mod->module_init) {
896 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
897 unw_remove_unwind_table(mod->arch.init_unw_table);
898 mod->arch.init_unw_table = NULL;
900 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
904 +in_init_rx (const struct module *mod, uint64_t addr)
906 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
910 +in_init_rw (const struct module *mod, uint64_t addr)
912 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
916 in_init (const struct module *mod, uint64_t addr)
918 - return addr - (uint64_t) mod->module_init < mod->init_size;
919 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
923 +in_core_rx (const struct module *mod, uint64_t addr)
925 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
929 +in_core_rw (const struct module *mod, uint64_t addr)
931 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
935 in_core (const struct module *mod, uint64_t addr)
937 - return addr - (uint64_t) mod->module_core < mod->core_size;
938 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
942 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
946 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
947 + if (in_init_rx(mod, val))
948 + val -= (uint64_t) mod->module_init_rx;
949 + else if (in_init_rw(mod, val))
950 + val -= (uint64_t) mod->module_init_rw;
951 + else if (in_core_rx(mod, val))
952 + val -= (uint64_t) mod->module_core_rx;
953 + else if (in_core_rw(mod, val))
954 + val -= (uint64_t) mod->module_core_rw;
958 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
959 * addresses have been selected...
962 - if (mod->core_size > MAX_LTOFF)
963 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
965 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
966 * at the end of the module.
968 - gp = mod->core_size - MAX_LTOFF / 2;
969 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
971 - gp = mod->core_size / 2;
972 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
973 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
974 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
976 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
978 diff -urNp linux-2.6.38.6/arch/ia64/kernel/pci-dma.c linux-2.6.38.6/arch/ia64/kernel/pci-dma.c
979 --- linux-2.6.38.6/arch/ia64/kernel/pci-dma.c 2011-03-14 21:20:32.000000000 -0400
980 +++ linux-2.6.38.6/arch/ia64/kernel/pci-dma.c 2011-04-28 19:34:14.000000000 -0400
981 @@ -43,7 +43,7 @@ struct device fallback_dev = {
982 .dma_mask = &fallback_dev.coherent_dma_mask,
985 -extern struct dma_map_ops intel_dma_ops;
986 +extern const struct dma_map_ops intel_dma_ops;
988 static int __init pci_iommu_init(void)
990 diff -urNp linux-2.6.38.6/arch/ia64/kernel/pci-swiotlb.c linux-2.6.38.6/arch/ia64/kernel/pci-swiotlb.c
991 --- linux-2.6.38.6/arch/ia64/kernel/pci-swiotlb.c 2011-03-14 21:20:32.000000000 -0400
992 +++ linux-2.6.38.6/arch/ia64/kernel/pci-swiotlb.c 2011-04-28 19:34:14.000000000 -0400
993 @@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent
994 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
997 -struct dma_map_ops swiotlb_dma_ops = {
998 +const struct dma_map_ops swiotlb_dma_ops = {
999 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1000 .free_coherent = swiotlb_free_coherent,
1001 .map_page = swiotlb_map_page,
1002 diff -urNp linux-2.6.38.6/arch/ia64/kernel/sys_ia64.c linux-2.6.38.6/arch/ia64/kernel/sys_ia64.c
1003 --- linux-2.6.38.6/arch/ia64/kernel/sys_ia64.c 2011-03-14 21:20:32.000000000 -0400
1004 +++ linux-2.6.38.6/arch/ia64/kernel/sys_ia64.c 2011-04-28 19:34:14.000000000 -0400
1005 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1006 if (REGION_NUMBER(addr) == RGN_HPAGE)
1010 +#ifdef CONFIG_PAX_RANDMMAP
1011 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1012 + addr = mm->free_area_cache;
1017 addr = mm->free_area_cache;
1019 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1020 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1021 /* At this point: (!vma || addr < vma->vm_end). */
1022 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1023 - if (start_addr != TASK_UNMAPPED_BASE) {
1024 + if (start_addr != mm->mmap_base) {
1025 /* Start a new search --- just in case we missed some holes. */
1026 - addr = TASK_UNMAPPED_BASE;
1027 + addr = mm->mmap_base;
1032 - if (!vma || addr + len <= vma->vm_start) {
1033 + if (check_heap_stack_gap(vma, addr, len)) {
1034 /* Remember the address where we stopped this search: */
1035 mm->free_area_cache = addr + len;
1037 diff -urNp linux-2.6.38.6/arch/ia64/kernel/vmlinux.lds.S linux-2.6.38.6/arch/ia64/kernel/vmlinux.lds.S
1038 --- linux-2.6.38.6/arch/ia64/kernel/vmlinux.lds.S 2011-03-14 21:20:32.000000000 -0400
1039 +++ linux-2.6.38.6/arch/ia64/kernel/vmlinux.lds.S 2011-04-28 19:34:14.000000000 -0400
1040 @@ -199,7 +199,7 @@ SECTIONS {
1042 . = ALIGN(PERCPU_PAGE_SIZE);
1043 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1044 - __phys_per_cpu_start = __per_cpu_load;
1045 + __phys_per_cpu_start = per_cpu_load;
1047 * ensure percpu data fits
1048 * into percpu page size
1049 diff -urNp linux-2.6.38.6/arch/ia64/mm/fault.c linux-2.6.38.6/arch/ia64/mm/fault.c
1050 --- linux-2.6.38.6/arch/ia64/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
1051 +++ linux-2.6.38.6/arch/ia64/mm/fault.c 2011-04-28 19:34:14.000000000 -0400
1052 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1053 return pte_present(pte);
1056 +#ifdef CONFIG_PAX_PAGEEXEC
1057 +void pax_report_insns(void *pc, void *sp)
1061 + printk(KERN_ERR "PAX: bytes at PC: ");
1062 + for (i = 0; i < 8; i++) {
1064 + if (get_user(c, (unsigned int *)pc+i))
1065 + printk(KERN_CONT "???????? ");
1067 + printk(KERN_CONT "%08x ", c);
1074 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1076 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1077 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1078 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1080 - if ((vma->vm_flags & mask) != mask)
1081 + if ((vma->vm_flags & mask) != mask) {
1083 +#ifdef CONFIG_PAX_PAGEEXEC
1084 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1085 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1088 + up_read(&mm->mmap_sem);
1089 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1090 + do_group_exit(SIGKILL);
1099 * If for any reason at all we couldn't handle the fault, make
1100 * sure we exit gracefully rather than endlessly redo the
1101 diff -urNp linux-2.6.38.6/arch/ia64/mm/hugetlbpage.c linux-2.6.38.6/arch/ia64/mm/hugetlbpage.c
1102 --- linux-2.6.38.6/arch/ia64/mm/hugetlbpage.c 2011-03-14 21:20:32.000000000 -0400
1103 +++ linux-2.6.38.6/arch/ia64/mm/hugetlbpage.c 2011-04-28 19:34:14.000000000 -0400
1104 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1105 /* At this point: (!vmm || addr < vmm->vm_end). */
1106 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1108 - if (!vmm || (addr + len) <= vmm->vm_start)
1109 + if (check_heap_stack_gap(vmm, addr, len))
1111 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1113 diff -urNp linux-2.6.38.6/arch/ia64/mm/init.c linux-2.6.38.6/arch/ia64/mm/init.c
1114 --- linux-2.6.38.6/arch/ia64/mm/init.c 2011-03-14 21:20:32.000000000 -0400
1115 +++ linux-2.6.38.6/arch/ia64/mm/init.c 2011-04-28 19:34:14.000000000 -0400
1116 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1117 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1118 vma->vm_end = vma->vm_start + PAGE_SIZE;
1119 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1121 +#ifdef CONFIG_PAX_PAGEEXEC
1122 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1123 + vma->vm_flags &= ~VM_EXEC;
1125 +#ifdef CONFIG_PAX_MPROTECT
1126 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1127 + vma->vm_flags &= ~VM_MAYEXEC;
1133 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1134 down_write(¤t->mm->mmap_sem);
1135 if (insert_vm_struct(current->mm, vma)) {
1136 diff -urNp linux-2.6.38.6/arch/ia64/sn/pci/pci_dma.c linux-2.6.38.6/arch/ia64/sn/pci/pci_dma.c
1137 --- linux-2.6.38.6/arch/ia64/sn/pci/pci_dma.c 2011-03-14 21:20:32.000000000 -0400
1138 +++ linux-2.6.38.6/arch/ia64/sn/pci/pci_dma.c 2011-04-28 19:34:14.000000000 -0400
1139 @@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus *
1143 -static struct dma_map_ops sn_dma_ops = {
1144 +static const struct dma_map_ops sn_dma_ops = {
1145 .alloc_coherent = sn_dma_alloc_coherent,
1146 .free_coherent = sn_dma_free_coherent,
1147 .map_page = sn_dma_map_page,
1148 diff -urNp linux-2.6.38.6/arch/m32r/lib/usercopy.c linux-2.6.38.6/arch/m32r/lib/usercopy.c
1149 --- linux-2.6.38.6/arch/m32r/lib/usercopy.c 2011-03-14 21:20:32.000000000 -0400
1150 +++ linux-2.6.38.6/arch/m32r/lib/usercopy.c 2011-04-28 19:34:14.000000000 -0400
1153 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1159 if (access_ok(VERIFY_WRITE, to, n))
1160 __copy_user(to,from,n);
1161 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1163 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1169 if (access_ok(VERIFY_READ, from, n))
1170 __copy_user_zeroing(to,from,n);
1171 diff -urNp linux-2.6.38.6/arch/microblaze/include/asm/device.h linux-2.6.38.6/arch/microblaze/include/asm/device.h
1172 --- linux-2.6.38.6/arch/microblaze/include/asm/device.h 2011-03-14 21:20:32.000000000 -0400
1173 +++ linux-2.6.38.6/arch/microblaze/include/asm/device.h 2011-04-28 19:34:14.000000000 -0400
1174 @@ -13,7 +13,7 @@ struct device_node;
1176 struct dev_archdata {
1177 /* DMA operations on that device */
1178 - struct dma_map_ops *dma_ops;
1179 + const struct dma_map_ops *dma_ops;
1183 diff -urNp linux-2.6.38.6/arch/microblaze/include/asm/dma-mapping.h linux-2.6.38.6/arch/microblaze/include/asm/dma-mapping.h
1184 --- linux-2.6.38.6/arch/microblaze/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
1185 +++ linux-2.6.38.6/arch/microblaze/include/asm/dma-mapping.h 2011-04-28 19:34:14.000000000 -0400
1186 @@ -43,14 +43,14 @@ static inline unsigned long device_to_ma
1187 return 0xfffffffful;
1190 -extern struct dma_map_ops *dma_ops;
1191 +extern const struct dma_map_ops *dma_ops;
1194 * Available generic sets of operations
1196 -extern struct dma_map_ops dma_direct_ops;
1197 +extern const struct dma_map_ops dma_direct_ops;
1199 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1200 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1202 /* We don't handle the NULL dev case for ISA for now. We could
1203 * do it via an out of line call but it is not needed for now. The
1204 @@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm
1205 return dev->archdata.dma_ops;
1208 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1209 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1211 dev->archdata.dma_ops = ops;
1214 static inline int dma_supported(struct device *dev, u64 mask)
1216 - struct dma_map_ops *ops = get_dma_ops(dev);
1217 + const struct dma_map_ops *ops = get_dma_ops(dev);
1221 @@ -81,7 +81,7 @@ static inline int dma_supported(struct d
1223 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1225 - struct dma_map_ops *ops = get_dma_ops(dev);
1226 + const struct dma_map_ops *ops = get_dma_ops(dev);
1228 if (unlikely(ops == NULL))
1230 @@ -97,7 +97,7 @@ static inline int dma_set_mask(struct de
1232 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1234 - struct dma_map_ops *ops = get_dma_ops(dev);
1235 + const struct dma_map_ops *ops = get_dma_ops(dev);
1236 if (ops->mapping_error)
1237 return ops->mapping_error(dev, dma_addr);
1239 @@ -110,7 +110,7 @@ static inline int dma_mapping_error(stru
1240 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1241 dma_addr_t *dma_handle, gfp_t flag)
1243 - struct dma_map_ops *ops = get_dma_ops(dev);
1244 + const struct dma_map_ops *ops = get_dma_ops(dev);
1248 @@ -124,7 +124,7 @@ static inline void *dma_alloc_coherent(s
1249 static inline void dma_free_coherent(struct device *dev, size_t size,
1250 void *cpu_addr, dma_addr_t dma_handle)
1252 - struct dma_map_ops *ops = get_dma_ops(dev);
1253 + const struct dma_map_ops *ops = get_dma_ops(dev);
1256 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
1257 diff -urNp linux-2.6.38.6/arch/microblaze/include/asm/pci.h linux-2.6.38.6/arch/microblaze/include/asm/pci.h
1258 --- linux-2.6.38.6/arch/microblaze/include/asm/pci.h 2011-03-14 21:20:32.000000000 -0400
1259 +++ linux-2.6.38.6/arch/microblaze/include/asm/pci.h 2011-04-28 19:34:14.000000000 -0400
1260 @@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_
1264 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
1265 -extern struct dma_map_ops *get_pci_dma_ops(void);
1266 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
1267 +extern const struct dma_map_ops *get_pci_dma_ops(void);
1268 #else /* CONFIG_PCI */
1269 #define set_pci_dma_ops(d)
1270 #define get_pci_dma_ops() NULL
1271 diff -urNp linux-2.6.38.6/arch/microblaze/kernel/dma.c linux-2.6.38.6/arch/microblaze/kernel/dma.c
1272 --- linux-2.6.38.6/arch/microblaze/kernel/dma.c 2011-03-14 21:20:32.000000000 -0400
1273 +++ linux-2.6.38.6/arch/microblaze/kernel/dma.c 2011-04-28 19:34:14.000000000 -0400
1274 @@ -133,7 +133,7 @@ static inline void dma_direct_unmap_page
1275 __dma_sync_page(dma_address, 0 , size, direction);
1278 -struct dma_map_ops dma_direct_ops = {
1279 +const struct dma_map_ops dma_direct_ops = {
1280 .alloc_coherent = dma_direct_alloc_coherent,
1281 .free_coherent = dma_direct_free_coherent,
1282 .map_sg = dma_direct_map_sg,
1283 diff -urNp linux-2.6.38.6/arch/microblaze/kernel/kgdb.c linux-2.6.38.6/arch/microblaze/kernel/kgdb.c
1284 --- linux-2.6.38.6/arch/microblaze/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
1285 +++ linux-2.6.38.6/arch/microblaze/kernel/kgdb.c 2011-04-28 19:34:14.000000000 -0400
1286 @@ -141,10 +141,11 @@ void kgdb_arch_exit(void)
1290 -struct kgdb_arch arch_kgdb_ops = {
1291 +const struct kgdb_arch arch_kgdb_ops = {
1292 #ifdef __MICROBLAZEEL__
1293 .gdb_bpt_instr = {0x18, 0x00, 0x0c, 0xba}, /* brki r16, 0x18 */
1296 .gdb_bpt_instr = {0xba, 0x0c, 0x00, 0x18}, /* brki r16, 0x18 */
1299 diff -urNp linux-2.6.38.6/arch/microblaze/pci/pci-common.c linux-2.6.38.6/arch/microblaze/pci/pci-common.c
1300 --- linux-2.6.38.6/arch/microblaze/pci/pci-common.c 2011-03-14 21:20:32.000000000 -0400
1301 +++ linux-2.6.38.6/arch/microblaze/pci/pci-common.c 2011-04-28 19:34:14.000000000 -0400
1302 @@ -47,14 +47,14 @@ resource_size_t isa_mem_base;
1303 /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */
1304 unsigned int pci_flags;
1306 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1307 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1309 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
1310 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
1312 pci_dma_ops = dma_ops;
1315 -struct dma_map_ops *get_pci_dma_ops(void)
1316 +const struct dma_map_ops *get_pci_dma_ops(void)
1320 diff -urNp linux-2.6.38.6/arch/mips/cavium-octeon/dma-octeon.c linux-2.6.38.6/arch/mips/cavium-octeon/dma-octeon.c
1321 --- linux-2.6.38.6/arch/mips/cavium-octeon/dma-octeon.c 2011-03-14 21:20:32.000000000 -0400
1322 +++ linux-2.6.38.6/arch/mips/cavium-octeon/dma-octeon.c 2011-04-28 19:34:14.000000000 -0400
1323 @@ -202,7 +202,7 @@ static phys_addr_t octeon_unity_dma_to_p
1326 struct octeon_dma_map_ops {
1327 - struct dma_map_ops dma_map_ops;
1328 + const struct dma_map_ops dma_map_ops;
1329 dma_addr_t (*phys_to_dma)(struct device *dev, phys_addr_t paddr);
1330 phys_addr_t (*dma_to_phys)(struct device *dev, dma_addr_t daddr);
1332 @@ -324,7 +324,7 @@ static struct octeon_dma_map_ops _octeon
1336 -struct dma_map_ops *octeon_pci_dma_map_ops;
1337 +const struct dma_map_ops *octeon_pci_dma_map_ops;
1339 void __init octeon_pci_dma_init(void)
1341 diff -urNp linux-2.6.38.6/arch/mips/include/asm/device.h linux-2.6.38.6/arch/mips/include/asm/device.h
1342 --- linux-2.6.38.6/arch/mips/include/asm/device.h 2011-03-14 21:20:32.000000000 -0400
1343 +++ linux-2.6.38.6/arch/mips/include/asm/device.h 2011-04-28 19:34:14.000000000 -0400
1344 @@ -10,7 +10,7 @@ struct dma_map_ops;
1346 struct dev_archdata {
1347 /* DMA operations on that device */
1348 - struct dma_map_ops *dma_ops;
1349 + const struct dma_map_ops *dma_ops;
1352 struct pdev_archdata {
1353 diff -urNp linux-2.6.38.6/arch/mips/include/asm/dma-mapping.h linux-2.6.38.6/arch/mips/include/asm/dma-mapping.h
1354 --- linux-2.6.38.6/arch/mips/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
1355 +++ linux-2.6.38.6/arch/mips/include/asm/dma-mapping.h 2011-04-28 19:34:14.000000000 -0400
1358 #include <dma-coherence.h>
1360 -extern struct dma_map_ops *mips_dma_map_ops;
1361 +extern const struct dma_map_ops *mips_dma_map_ops;
1363 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1364 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1366 if (dev && dev->archdata.dma_ops)
1367 return dev->archdata.dma_ops;
1368 @@ -31,13 +31,13 @@ static inline void dma_mark_clean(void *
1370 static inline int dma_supported(struct device *dev, u64 mask)
1372 - struct dma_map_ops *ops = get_dma_ops(dev);
1373 + const struct dma_map_ops *ops = get_dma_ops(dev);
1374 return ops->dma_supported(dev, mask);
1377 static inline int dma_mapping_error(struct device *dev, u64 mask)
1379 - struct dma_map_ops *ops = get_dma_ops(dev);
1380 + const struct dma_map_ops *ops = get_dma_ops(dev);
1381 return ops->mapping_error(dev, mask);
1384 @@ -59,7 +59,7 @@ static inline void *dma_alloc_coherent(s
1385 dma_addr_t *dma_handle, gfp_t gfp)
1388 - struct dma_map_ops *ops = get_dma_ops(dev);
1389 + const struct dma_map_ops *ops = get_dma_ops(dev);
1391 ret = ops->alloc_coherent(dev, size, dma_handle, gfp);
1393 @@ -71,7 +71,7 @@ static inline void *dma_alloc_coherent(s
1394 static inline void dma_free_coherent(struct device *dev, size_t size,
1395 void *vaddr, dma_addr_t dma_handle)
1397 - struct dma_map_ops *ops = get_dma_ops(dev);
1398 + const struct dma_map_ops *ops = get_dma_ops(dev);
1400 ops->free_coherent(dev, size, vaddr, dma_handle);
1402 diff -urNp linux-2.6.38.6/arch/mips/include/asm/elf.h linux-2.6.38.6/arch/mips/include/asm/elf.h
1403 --- linux-2.6.38.6/arch/mips/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
1404 +++ linux-2.6.38.6/arch/mips/include/asm/elf.h 2011-04-30 19:58:48.000000000 -0400
1405 @@ -372,13 +372,16 @@ extern const char *__elf_platform;
1406 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1409 +#ifdef CONFIG_PAX_ASLR
1410 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
1412 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1413 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1416 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1417 struct linux_binprm;
1418 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
1422 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1423 -#define arch_randomize_brk arch_randomize_brk
1425 #endif /* _ASM_ELF_H */
1426 diff -urNp linux-2.6.38.6/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h linux-2.6.38.6/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h
1427 --- linux-2.6.38.6/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-03-14 21:20:32.000000000 -0400
1428 +++ linux-2.6.38.6/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-04-28 19:34:14.000000000 -0400
1429 @@ -66,7 +66,7 @@ dma_addr_t phys_to_dma(struct device *de
1430 phys_addr_t dma_to_phys(struct device *dev, dma_addr_t daddr);
1433 -extern struct dma_map_ops *octeon_pci_dma_map_ops;
1434 +extern const struct dma_map_ops *octeon_pci_dma_map_ops;
1435 extern char *octeon_swiotlb;
1437 #endif /* __ASM_MACH_CAVIUM_OCTEON_DMA_COHERENCE_H */
1438 diff -urNp linux-2.6.38.6/arch/mips/include/asm/page.h linux-2.6.38.6/arch/mips/include/asm/page.h
1439 --- linux-2.6.38.6/arch/mips/include/asm/page.h 2011-03-14 21:20:32.000000000 -0400
1440 +++ linux-2.6.38.6/arch/mips/include/asm/page.h 2011-04-28 19:34:14.000000000 -0400
1441 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1442 #ifdef CONFIG_CPU_MIPS32
1443 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1444 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1445 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1446 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1448 typedef struct { unsigned long long pte; } pte_t;
1449 #define pte_val(x) ((x).pte)
1450 diff -urNp linux-2.6.38.6/arch/mips/include/asm/system.h linux-2.6.38.6/arch/mips/include/asm/system.h
1451 --- linux-2.6.38.6/arch/mips/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
1452 +++ linux-2.6.38.6/arch/mips/include/asm/system.h 2011-04-28 19:34:14.000000000 -0400
1453 @@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
1455 #define __ARCH_WANT_UNLOCKED_CTXSW
1457 -extern unsigned long arch_align_stack(unsigned long sp);
1458 +#define arch_align_stack(x) ((x) & ~0xfUL)
1460 #endif /* _ASM_SYSTEM_H */
1461 diff -urNp linux-2.6.38.6/arch/mips/kernel/binfmt_elfn32.c linux-2.6.38.6/arch/mips/kernel/binfmt_elfn32.c
1462 --- linux-2.6.38.6/arch/mips/kernel/binfmt_elfn32.c 2011-03-14 21:20:32.000000000 -0400
1463 +++ linux-2.6.38.6/arch/mips/kernel/binfmt_elfn32.c 2011-04-30 19:58:48.000000000 -0400
1464 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1465 #undef ELF_ET_DYN_BASE
1466 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1468 +#ifdef CONFIG_PAX_ASLR
1469 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
1471 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1472 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1475 #include <asm/processor.h>
1476 #include <linux/module.h>
1477 #include <linux/elfcore.h>
1478 diff -urNp linux-2.6.38.6/arch/mips/kernel/binfmt_elfo32.c linux-2.6.38.6/arch/mips/kernel/binfmt_elfo32.c
1479 --- linux-2.6.38.6/arch/mips/kernel/binfmt_elfo32.c 2011-03-14 21:20:32.000000000 -0400
1480 +++ linux-2.6.38.6/arch/mips/kernel/binfmt_elfo32.c 2011-04-30 19:58:48.000000000 -0400
1481 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1482 #undef ELF_ET_DYN_BASE
1483 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1485 +#ifdef CONFIG_PAX_ASLR
1486 +#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
1488 +#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1489 +#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1492 #include <asm/processor.h>
1495 diff -urNp linux-2.6.38.6/arch/mips/kernel/kgdb.c linux-2.6.38.6/arch/mips/kernel/kgdb.c
1496 --- linux-2.6.38.6/arch/mips/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
1497 +++ linux-2.6.38.6/arch/mips/kernel/kgdb.c 2011-04-28 19:34:14.000000000 -0400
1498 @@ -351,7 +351,7 @@ int kgdb_arch_handle_exception(int vecto
1502 -struct kgdb_arch arch_kgdb_ops;
1503 +struct kgdb_arch arch_kgdb_ops; /* cannot be const, see kgdb_arch_init */
1506 * We use kgdb_early_setup so that functions we need to call now don't
1507 diff -urNp linux-2.6.38.6/arch/mips/kernel/process.c linux-2.6.38.6/arch/mips/kernel/process.c
1508 --- linux-2.6.38.6/arch/mips/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
1509 +++ linux-2.6.38.6/arch/mips/kernel/process.c 2011-04-28 19:34:14.000000000 -0400
1510 @@ -473,15 +473,3 @@ unsigned long get_wchan(struct task_stru
1516 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1517 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1519 -unsigned long arch_align_stack(unsigned long sp)
1521 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1522 - sp -= get_random_int() & ~PAGE_MASK;
1524 - return sp & ALMASK;
1526 diff -urNp linux-2.6.38.6/arch/mips/kernel/syscall.c linux-2.6.38.6/arch/mips/kernel/syscall.c
1527 --- linux-2.6.38.6/arch/mips/kernel/syscall.c 2011-03-14 21:20:32.000000000 -0400
1528 +++ linux-2.6.38.6/arch/mips/kernel/syscall.c 2011-04-30 19:58:48.000000000 -0400
1529 @@ -108,14 +108,18 @@ unsigned long arch_get_unmapped_area(str
1531 if (filp || (flags & MAP_SHARED))
1534 +#ifdef CONFIG_PAX_RANDMMAP
1535 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1540 addr = COLOUR_ALIGN(addr, pgoff);
1542 addr = PAGE_ALIGN(addr);
1543 vmm = find_vma(current->mm, addr);
1544 - if (task_size - len >= addr &&
1545 - (!vmm || addr + len <= vmm->vm_start))
1546 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
1549 addr = current->mm->mmap_base;
1550 @@ -128,7 +132,7 @@ unsigned long arch_get_unmapped_area(str
1551 /* At this point: (!vmm || addr < vmm->vm_end). */
1552 if (task_size - len < addr)
1554 - if (!vmm || addr + len <= vmm->vm_start)
1555 + if (check_heap_stack_gap(vmm, addr, len))
1559 @@ -154,33 +158,6 @@ void arch_pick_mmap_layout(struct mm_str
1560 mm->unmap_area = arch_unmap_area;
1563 -static inline unsigned long brk_rnd(void)
1565 - unsigned long rnd = get_random_int();
1567 - rnd = rnd << PAGE_SHIFT;
1568 - /* 8MB for 32bit, 256MB for 64bit */
1569 - if (TASK_IS_32BIT_ADDR)
1570 - rnd = rnd & 0x7ffffful;
1572 - rnd = rnd & 0xffffffful;
1577 -unsigned long arch_randomize_brk(struct mm_struct *mm)
1579 - unsigned long base = mm->brk;
1580 - unsigned long ret;
1582 - ret = PAGE_ALIGN(base + brk_rnd());
1584 - if (ret < mm->brk)
1590 SYSCALL_DEFINE6(mips_mmap, unsigned long, addr, unsigned long, len,
1591 unsigned long, prot, unsigned long, flags, unsigned long,
1593 diff -urNp linux-2.6.38.6/arch/mips/mm/dma-default.c linux-2.6.38.6/arch/mips/mm/dma-default.c
1594 --- linux-2.6.38.6/arch/mips/mm/dma-default.c 2011-03-14 21:20:32.000000000 -0400
1595 +++ linux-2.6.38.6/arch/mips/mm/dma-default.c 2011-04-28 19:34:14.000000000 -0400
1596 @@ -300,7 +300,7 @@ void dma_cache_sync(struct device *dev,
1598 EXPORT_SYMBOL(dma_cache_sync);
1600 -static struct dma_map_ops mips_default_dma_map_ops = {
1601 +static const struct dma_map_ops mips_default_dma_map_ops = {
1602 .alloc_coherent = mips_dma_alloc_coherent,
1603 .free_coherent = mips_dma_free_coherent,
1604 .map_page = mips_dma_map_page,
1605 @@ -315,7 +315,7 @@ static struct dma_map_ops mips_default_d
1606 .dma_supported = mips_dma_supported
1609 -struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
1610 +const struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
1611 EXPORT_SYMBOL(mips_dma_map_ops);
1613 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
1614 diff -urNp linux-2.6.38.6/arch/mips/mm/fault.c linux-2.6.38.6/arch/mips/mm/fault.c
1615 --- linux-2.6.38.6/arch/mips/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
1616 +++ linux-2.6.38.6/arch/mips/mm/fault.c 2011-04-28 19:34:14.000000000 -0400
1618 #include <asm/highmem.h> /* For VMALLOC_END */
1619 #include <linux/kdebug.h>
1621 +#ifdef CONFIG_PAX_PAGEEXEC
1622 +void pax_report_insns(void *pc, void *sp)
1626 + printk(KERN_ERR "PAX: bytes at PC: ");
1627 + for (i = 0; i < 5; i++) {
1629 + if (get_user(c, (unsigned int *)pc+i))
1630 + printk(KERN_CONT "???????? ");
1632 + printk(KERN_CONT "%08x ", c);
1639 * This routine handles page faults. It determines the address,
1640 * and the problem, and then passes it off to one of the appropriate
1641 diff -urNp linux-2.6.38.6/arch/parisc/include/asm/elf.h linux-2.6.38.6/arch/parisc/include/asm/elf.h
1642 --- linux-2.6.38.6/arch/parisc/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
1643 +++ linux-2.6.38.6/arch/parisc/include/asm/elf.h 2011-04-28 19:34:14.000000000 -0400
1644 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
1646 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1648 +#ifdef CONFIG_PAX_ASLR
1649 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1651 +#define PAX_DELTA_MMAP_LEN 16
1652 +#define PAX_DELTA_STACK_LEN 16
1655 /* This yields a mask that user programs can use to figure out what
1656 instruction set this CPU supports. This could be done in user space,
1657 but it's not easy, and we've already done it here. */
1658 diff -urNp linux-2.6.38.6/arch/parisc/include/asm/pgtable.h linux-2.6.38.6/arch/parisc/include/asm/pgtable.h
1659 --- linux-2.6.38.6/arch/parisc/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
1660 +++ linux-2.6.38.6/arch/parisc/include/asm/pgtable.h 2011-04-28 19:34:14.000000000 -0400
1661 @@ -209,6 +209,17 @@ struct vm_area_struct;
1662 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1663 #define PAGE_COPY PAGE_EXECREAD
1664 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1666 +#ifdef CONFIG_PAX_PAGEEXEC
1667 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1668 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1669 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1671 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1672 +# define PAGE_COPY_NOEXEC PAGE_COPY
1673 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1676 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1677 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1678 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1679 diff -urNp linux-2.6.38.6/arch/parisc/kernel/module.c linux-2.6.38.6/arch/parisc/kernel/module.c
1680 --- linux-2.6.38.6/arch/parisc/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
1681 +++ linux-2.6.38.6/arch/parisc/kernel/module.c 2011-04-28 19:34:14.000000000 -0400
1684 /* three functions to determine where in the module core
1685 * or init pieces the location is */
1686 +static inline int in_init_rx(struct module *me, void *loc)
1688 + return (loc >= me->module_init_rx &&
1689 + loc < (me->module_init_rx + me->init_size_rx));
1692 +static inline int in_init_rw(struct module *me, void *loc)
1694 + return (loc >= me->module_init_rw &&
1695 + loc < (me->module_init_rw + me->init_size_rw));
1698 static inline int in_init(struct module *me, void *loc)
1700 - return (loc >= me->module_init &&
1701 - loc <= (me->module_init + me->init_size));
1702 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1705 +static inline int in_core_rx(struct module *me, void *loc)
1707 + return (loc >= me->module_core_rx &&
1708 + loc < (me->module_core_rx + me->core_size_rx));
1711 +static inline int in_core_rw(struct module *me, void *loc)
1713 + return (loc >= me->module_core_rw &&
1714 + loc < (me->module_core_rw + me->core_size_rw));
1717 static inline int in_core(struct module *me, void *loc)
1719 - return (loc >= me->module_core &&
1720 - loc <= (me->module_core + me->core_size));
1721 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1724 static inline int in_local(struct module *me, void *loc)
1725 @@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_
1728 /* align things a bit */
1729 - me->core_size = ALIGN(me->core_size, 16);
1730 - me->arch.got_offset = me->core_size;
1731 - me->core_size += gots * sizeof(struct got_entry);
1733 - me->core_size = ALIGN(me->core_size, 16);
1734 - me->arch.fdesc_offset = me->core_size;
1735 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1736 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1737 + me->arch.got_offset = me->core_size_rw;
1738 + me->core_size_rw += gots * sizeof(struct got_entry);
1740 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1741 + me->arch.fdesc_offset = me->core_size_rw;
1742 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1744 me->arch.got_max = gots;
1745 me->arch.fdesc_max = fdescs;
1746 @@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module
1750 - got = me->module_core + me->arch.got_offset;
1751 + got = me->module_core_rw + me->arch.got_offset;
1752 for (i = 0; got[i].addr; i++)
1753 if (got[i].addr == value)
1755 @@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module
1757 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1759 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1760 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1763 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1764 @@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module
1766 /* Create new one */
1767 fdesc->addr = value;
1768 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1769 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1770 return (Elf_Addr)fdesc;
1772 #endif /* CONFIG_64BIT */
1773 @@ -849,7 +871,7 @@ register_unwind_table(struct module *me,
1775 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1776 end = table + sechdrs[me->arch.unwind_section].sh_size;
1777 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1778 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1780 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1781 me->arch.unwind_section, table, end, gp);
1782 diff -urNp linux-2.6.38.6/arch/parisc/kernel/sys_parisc.c linux-2.6.38.6/arch/parisc/kernel/sys_parisc.c
1783 --- linux-2.6.38.6/arch/parisc/kernel/sys_parisc.c 2011-03-14 21:20:32.000000000 -0400
1784 +++ linux-2.6.38.6/arch/parisc/kernel/sys_parisc.c 2011-04-28 19:34:14.000000000 -0400
1785 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1786 /* At this point: (!vma || addr < vma->vm_end). */
1787 if (TASK_SIZE - len < addr)
1789 - if (!vma || addr + len <= vma->vm_start)
1790 + if (check_heap_stack_gap(vma, addr, len))
1794 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1795 /* At this point: (!vma || addr < vma->vm_end). */
1796 if (TASK_SIZE - len < addr)
1798 - if (!vma || addr + len <= vma->vm_start)
1799 + if (check_heap_stack_gap(vma, addr, len))
1801 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1802 if (addr < vma->vm_end) /* handle wraparound */
1803 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1804 if (flags & MAP_FIXED)
1807 - addr = TASK_UNMAPPED_BASE;
1808 + addr = current->mm->mmap_base;
1811 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1812 diff -urNp linux-2.6.38.6/arch/parisc/kernel/traps.c linux-2.6.38.6/arch/parisc/kernel/traps.c
1813 --- linux-2.6.38.6/arch/parisc/kernel/traps.c 2011-03-14 21:20:32.000000000 -0400
1814 +++ linux-2.6.38.6/arch/parisc/kernel/traps.c 2011-04-28 19:34:14.000000000 -0400
1815 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1817 down_read(¤t->mm->mmap_sem);
1818 vma = find_vma(current->mm,regs->iaoq[0]);
1819 - if (vma && (regs->iaoq[0] >= vma->vm_start)
1820 - && (vma->vm_flags & VM_EXEC)) {
1822 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1823 fault_address = regs->iaoq[0];
1824 fault_space = regs->iasq[0];
1826 diff -urNp linux-2.6.38.6/arch/parisc/mm/fault.c linux-2.6.38.6/arch/parisc/mm/fault.c
1827 --- linux-2.6.38.6/arch/parisc/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
1828 +++ linux-2.6.38.6/arch/parisc/mm/fault.c 2011-04-28 19:34:14.000000000 -0400
1830 #include <linux/sched.h>
1831 #include <linux/interrupt.h>
1832 #include <linux/module.h>
1833 +#include <linux/unistd.h>
1835 #include <asm/uaccess.h>
1836 #include <asm/traps.h>
1837 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1838 static unsigned long
1839 parisc_acctyp(unsigned long code, unsigned int inst)
1841 - if (code == 6 || code == 16)
1842 + if (code == 6 || code == 7 || code == 16)
1845 switch (inst & 0xf0000000) {
1846 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1850 +#ifdef CONFIG_PAX_PAGEEXEC
1852 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1854 + * returns 1 when task should be killed
1855 + * 2 when rt_sigreturn trampoline was detected
1856 + * 3 when unpatched PLT trampoline was detected
1858 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1861 +#ifdef CONFIG_PAX_EMUPLT
1864 + do { /* PaX: unpatched PLT emulation */
1865 + unsigned int bl, depwi;
1867 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1868 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1873 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1874 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1876 + err = get_user(ldw, (unsigned int *)addr);
1877 + err |= get_user(bv, (unsigned int *)(addr+4));
1878 + err |= get_user(ldw2, (unsigned int *)(addr+8));
1883 + if (ldw == 0x0E801096U &&
1884 + bv == 0xEAC0C000U &&
1885 + ldw2 == 0x0E881095U)
1887 + unsigned int resolver, map;
1889 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1890 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1894 + regs->gr[20] = instruction_pointer(regs)+8;
1895 + regs->gr[21] = map;
1896 + regs->gr[22] = resolver;
1897 + regs->iaoq[0] = resolver | 3UL;
1898 + regs->iaoq[1] = regs->iaoq[0] + 4;
1905 +#ifdef CONFIG_PAX_EMUTRAMP
1907 +#ifndef CONFIG_PAX_EMUSIGRT
1908 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1912 + do { /* PaX: rt_sigreturn emulation */
1913 + unsigned int ldi1, ldi2, bel, nop;
1915 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1916 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1917 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1918 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1923 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1924 + ldi2 == 0x3414015AU &&
1925 + bel == 0xE4008200U &&
1926 + nop == 0x08000240U)
1928 + regs->gr[25] = (ldi1 & 2) >> 1;
1929 + regs->gr[20] = __NR_rt_sigreturn;
1930 + regs->gr[31] = regs->iaoq[1] + 16;
1931 + regs->sr[0] = regs->iasq[1];
1932 + regs->iaoq[0] = 0x100UL;
1933 + regs->iaoq[1] = regs->iaoq[0] + 4;
1934 + regs->iasq[0] = regs->sr[2];
1935 + regs->iasq[1] = regs->sr[2];
1944 +void pax_report_insns(void *pc, void *sp)
1948 + printk(KERN_ERR "PAX: bytes at PC: ");
1949 + for (i = 0; i < 5; i++) {
1951 + if (get_user(c, (unsigned int *)pc+i))
1952 + printk(KERN_CONT "???????? ");
1954 + printk(KERN_CONT "%08x ", c);
1960 int fixup_exception(struct pt_regs *regs)
1962 const struct exception_table_entry *fix;
1963 @@ -192,8 +303,33 @@ good_area:
1965 acc_type = parisc_acctyp(code,regs->iir);
1967 - if ((vma->vm_flags & acc_type) != acc_type)
1968 + if ((vma->vm_flags & acc_type) != acc_type) {
1970 +#ifdef CONFIG_PAX_PAGEEXEC
1971 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1972 + (address & ~3UL) == instruction_pointer(regs))
1974 + up_read(&mm->mmap_sem);
1975 + switch (pax_handle_fetch_fault(regs)) {
1977 +#ifdef CONFIG_PAX_EMUPLT
1982 +#ifdef CONFIG_PAX_EMUTRAMP
1988 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1989 + do_group_exit(SIGKILL);
1997 * If for any reason at all we couldn't handle the fault, make
1998 diff -urNp linux-2.6.38.6/arch/powerpc/include/asm/device.h linux-2.6.38.6/arch/powerpc/include/asm/device.h
1999 --- linux-2.6.38.6/arch/powerpc/include/asm/device.h 2011-03-14 21:20:32.000000000 -0400
2000 +++ linux-2.6.38.6/arch/powerpc/include/asm/device.h 2011-04-28 19:34:14.000000000 -0400
2001 @@ -17,7 +17,7 @@ struct device_node;
2003 struct dev_archdata {
2004 /* DMA operations on that device */
2005 - struct dma_map_ops *dma_ops;
2006 + const struct dma_map_ops *dma_ops;
2009 * When an iommu is in use, dma_data is used as a ptr to the base of the
2010 diff -urNp linux-2.6.38.6/arch/powerpc/include/asm/dma-mapping.h linux-2.6.38.6/arch/powerpc/include/asm/dma-mapping.h
2011 --- linux-2.6.38.6/arch/powerpc/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
2012 +++ linux-2.6.38.6/arch/powerpc/include/asm/dma-mapping.h 2011-04-28 19:34:14.000000000 -0400
2013 @@ -66,12 +66,13 @@ static inline unsigned long device_to_ma
2015 * Available generic sets of operations
2017 +/* cannot be const */
2019 -extern struct dma_map_ops dma_iommu_ops;
2020 +extern const struct dma_map_ops dma_iommu_ops;
2022 -extern struct dma_map_ops dma_direct_ops;
2023 +extern const struct dma_map_ops dma_direct_ops;
2025 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2026 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2028 /* We don't handle the NULL dev case for ISA for now. We could
2029 * do it via an out of line call but it is not needed for now. The
2030 @@ -84,7 +85,7 @@ static inline struct dma_map_ops *get_dm
2031 return dev->archdata.dma_ops;
2034 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2035 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
2037 dev->archdata.dma_ops = ops;
2039 @@ -118,7 +119,7 @@ static inline void set_dma_offset(struct
2041 static inline int dma_supported(struct device *dev, u64 mask)
2043 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2044 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2046 if (unlikely(dma_ops == NULL))
2048 @@ -132,7 +133,7 @@ extern int dma_set_mask(struct device *d
2049 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2050 dma_addr_t *dma_handle, gfp_t flag)
2052 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2053 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2057 @@ -147,7 +148,7 @@ static inline void *dma_alloc_coherent(s
2058 static inline void dma_free_coherent(struct device *dev, size_t size,
2059 void *cpu_addr, dma_addr_t dma_handle)
2061 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2062 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2066 @@ -158,7 +159,7 @@ static inline void dma_free_coherent(str
2068 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2070 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2071 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2073 if (dma_ops->mapping_error)
2074 return dma_ops->mapping_error(dev, dma_addr);
2075 diff -urNp linux-2.6.38.6/arch/powerpc/include/asm/elf.h linux-2.6.38.6/arch/powerpc/include/asm/elf.h
2076 --- linux-2.6.38.6/arch/powerpc/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
2077 +++ linux-2.6.38.6/arch/powerpc/include/asm/elf.h 2011-04-28 19:34:14.000000000 -0400
2078 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2079 the loader. We need to make sure that it is out of the way of the program
2080 that it will "exec", and that there is sufficient room for the brk. */
2082 -extern unsigned long randomize_et_dyn(unsigned long base);
2083 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2084 +#define ELF_ET_DYN_BASE (0x20000000)
2086 +#ifdef CONFIG_PAX_ASLR
2087 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2089 +#ifdef __powerpc64__
2090 +#define PAX_DELTA_MMAP_LEN (is_32bit_task() ? 16 : 28)
2091 +#define PAX_DELTA_STACK_LEN (is_32bit_task() ? 16 : 28)
2093 +#define PAX_DELTA_MMAP_LEN 15
2094 +#define PAX_DELTA_STACK_LEN 15
2099 * Our registers are always unsigned longs, whether we're a 32 bit
2100 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
2101 (0x7ff >> (PAGE_SHIFT - 12)) : \
2102 (0x3ffff >> (PAGE_SHIFT - 12)))
2104 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2105 -#define arch_randomize_brk arch_randomize_brk
2107 #endif /* __KERNEL__ */
2110 diff -urNp linux-2.6.38.6/arch/powerpc/include/asm/iommu.h linux-2.6.38.6/arch/powerpc/include/asm/iommu.h
2111 --- linux-2.6.38.6/arch/powerpc/include/asm/iommu.h 2011-03-14 21:20:32.000000000 -0400
2112 +++ linux-2.6.38.6/arch/powerpc/include/asm/iommu.h 2011-04-28 19:34:14.000000000 -0400
2113 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2114 extern void iommu_init_early_dart(void);
2115 extern void iommu_init_early_pasemi(void);
2118 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2121 extern void pci_iommu_init(void);
2122 extern void pci_direct_iommu_init(void);
2123 diff -urNp linux-2.6.38.6/arch/powerpc/include/asm/kmap_types.h linux-2.6.38.6/arch/powerpc/include/asm/kmap_types.h
2124 --- linux-2.6.38.6/arch/powerpc/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
2125 +++ linux-2.6.38.6/arch/powerpc/include/asm/kmap_types.h 2011-04-28 19:34:14.000000000 -0400
2126 @@ -27,6 +27,7 @@ enum km_type {
2134 diff -urNp linux-2.6.38.6/arch/powerpc/include/asm/page_64.h linux-2.6.38.6/arch/powerpc/include/asm/page_64.h
2135 --- linux-2.6.38.6/arch/powerpc/include/asm/page_64.h 2011-03-14 21:20:32.000000000 -0400
2136 +++ linux-2.6.38.6/arch/powerpc/include/asm/page_64.h 2011-04-28 19:34:14.000000000 -0400
2137 @@ -172,15 +172,18 @@ do { \
2138 * stack by default, so in the absense of a PT_GNU_STACK program header
2139 * we turn execute permission off.
2141 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2142 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2143 +#define VM_STACK_DEFAULT_FLAGS32 \
2144 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2145 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2147 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2148 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2150 +#ifndef CONFIG_PAX_PAGEEXEC
2151 #define VM_STACK_DEFAULT_FLAGS \
2152 (is_32bit_task() ? \
2153 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2156 #include <asm-generic/getorder.h>
2158 diff -urNp linux-2.6.38.6/arch/powerpc/include/asm/page.h linux-2.6.38.6/arch/powerpc/include/asm/page.h
2159 --- linux-2.6.38.6/arch/powerpc/include/asm/page.h 2011-03-14 21:20:32.000000000 -0400
2160 +++ linux-2.6.38.6/arch/powerpc/include/asm/page.h 2011-04-28 19:34:14.000000000 -0400
2161 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
2162 * and needs to be executable. This means the whole heap ends
2163 * up being executable.
2165 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2166 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2167 +#define VM_DATA_DEFAULT_FLAGS32 \
2168 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2169 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2171 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2172 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2173 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
2174 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2177 +#define ktla_ktva(addr) (addr)
2178 +#define ktva_ktla(addr) (addr)
2180 #ifndef __ASSEMBLY__
2182 #undef STRICT_MM_TYPECHECKS
2183 diff -urNp linux-2.6.38.6/arch/powerpc/include/asm/pci.h linux-2.6.38.6/arch/powerpc/include/asm/pci.h
2184 --- linux-2.6.38.6/arch/powerpc/include/asm/pci.h 2011-03-14 21:20:32.000000000 -0400
2185 +++ linux-2.6.38.6/arch/powerpc/include/asm/pci.h 2011-04-28 19:34:14.000000000 -0400
2186 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2190 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2191 -extern struct dma_map_ops *get_pci_dma_ops(void);
2192 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2193 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2194 #else /* CONFIG_PCI */
2195 #define set_pci_dma_ops(d)
2196 #define get_pci_dma_ops() NULL
2197 diff -urNp linux-2.6.38.6/arch/powerpc/include/asm/pgtable.h linux-2.6.38.6/arch/powerpc/include/asm/pgtable.h
2198 --- linux-2.6.38.6/arch/powerpc/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
2199 +++ linux-2.6.38.6/arch/powerpc/include/asm/pgtable.h 2011-04-28 19:34:14.000000000 -0400
2201 #define _ASM_POWERPC_PGTABLE_H
2204 +#include <linux/const.h>
2205 #ifndef __ASSEMBLY__
2206 #include <asm/processor.h> /* For TASK_SIZE */
2207 #include <asm/mmu.h>
2208 diff -urNp linux-2.6.38.6/arch/powerpc/include/asm/pte-hash32.h linux-2.6.38.6/arch/powerpc/include/asm/pte-hash32.h
2209 --- linux-2.6.38.6/arch/powerpc/include/asm/pte-hash32.h 2011-03-14 21:20:32.000000000 -0400
2210 +++ linux-2.6.38.6/arch/powerpc/include/asm/pte-hash32.h 2011-04-28 19:34:14.000000000 -0400
2212 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2213 #define _PAGE_USER 0x004 /* usermode access allowed */
2214 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2215 +#define _PAGE_EXEC _PAGE_GUARDED
2216 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2217 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2218 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
2219 diff -urNp linux-2.6.38.6/arch/powerpc/include/asm/reg.h linux-2.6.38.6/arch/powerpc/include/asm/reg.h
2220 --- linux-2.6.38.6/arch/powerpc/include/asm/reg.h 2011-04-18 17:27:13.000000000 -0400
2221 +++ linux-2.6.38.6/arch/powerpc/include/asm/reg.h 2011-04-28 19:34:14.000000000 -0400
2223 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2224 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2225 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2226 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2227 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2228 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2229 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2230 diff -urNp linux-2.6.38.6/arch/powerpc/include/asm/swiotlb.h linux-2.6.38.6/arch/powerpc/include/asm/swiotlb.h
2231 --- linux-2.6.38.6/arch/powerpc/include/asm/swiotlb.h 2011-03-14 21:20:32.000000000 -0400
2232 +++ linux-2.6.38.6/arch/powerpc/include/asm/swiotlb.h 2011-04-28 19:34:14.000000000 -0400
2235 #include <linux/swiotlb.h>
2237 -extern struct dma_map_ops swiotlb_dma_ops;
2238 +extern const struct dma_map_ops swiotlb_dma_ops;
2240 static inline void dma_mark_clean(void *addr, size_t size) {}
2242 diff -urNp linux-2.6.38.6/arch/powerpc/include/asm/system.h linux-2.6.38.6/arch/powerpc/include/asm/system.h
2243 --- linux-2.6.38.6/arch/powerpc/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
2244 +++ linux-2.6.38.6/arch/powerpc/include/asm/system.h 2011-04-28 19:34:14.000000000 -0400
2245 @@ -533,7 +533,7 @@ __cmpxchg_local(volatile void *ptr, unsi
2246 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
2249 -extern unsigned long arch_align_stack(unsigned long sp);
2250 +#define arch_align_stack(x) ((x) & ~0xfUL)
2252 /* Used in very early kernel initialization. */
2253 extern unsigned long reloc_offset(void);
2254 diff -urNp linux-2.6.38.6/arch/powerpc/include/asm/uaccess.h linux-2.6.38.6/arch/powerpc/include/asm/uaccess.h
2255 --- linux-2.6.38.6/arch/powerpc/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
2256 +++ linux-2.6.38.6/arch/powerpc/include/asm/uaccess.h 2011-04-28 19:34:14.000000000 -0400
2258 #define VERIFY_READ 0
2259 #define VERIFY_WRITE 1
2261 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
2264 * The fs value determines whether argument validity checking should be
2265 * performed or not. If get_fs() == USER_DS, checking is performed, with
2266 @@ -327,52 +329,6 @@ do { \
2267 extern unsigned long __copy_tofrom_user(void __user *to,
2268 const void __user *from, unsigned long size);
2270 -#ifndef __powerpc64__
2272 -static inline unsigned long copy_from_user(void *to,
2273 - const void __user *from, unsigned long n)
2275 - unsigned long over;
2277 - if (access_ok(VERIFY_READ, from, n))
2278 - return __copy_tofrom_user((__force void __user *)to, from, n);
2279 - if ((unsigned long)from < TASK_SIZE) {
2280 - over = (unsigned long)from + n - TASK_SIZE;
2281 - return __copy_tofrom_user((__force void __user *)to, from,
2287 -static inline unsigned long copy_to_user(void __user *to,
2288 - const void *from, unsigned long n)
2290 - unsigned long over;
2292 - if (access_ok(VERIFY_WRITE, to, n))
2293 - return __copy_tofrom_user(to, (__force void __user *)from, n);
2294 - if ((unsigned long)to < TASK_SIZE) {
2295 - over = (unsigned long)to + n - TASK_SIZE;
2296 - return __copy_tofrom_user(to, (__force void __user *)from,
2302 -#else /* __powerpc64__ */
2304 -#define __copy_in_user(to, from, size) \
2305 - __copy_tofrom_user((to), (from), (size))
2307 -extern unsigned long copy_from_user(void *to, const void __user *from,
2309 -extern unsigned long copy_to_user(void __user *to, const void *from,
2311 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
2314 -#endif /* __powerpc64__ */
2316 static inline unsigned long __copy_from_user_inatomic(void *to,
2317 const void __user *from, unsigned long n)
2319 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2324 + if (!__builtin_constant_p(n))
2325 + check_object_size(to, n, false);
2327 return __copy_tofrom_user((__force void __user *)to, from, n);
2330 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2335 + if (!__builtin_constant_p(n))
2336 + check_object_size(from, n, true);
2338 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2341 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2342 return __copy_to_user_inatomic(to, from, size);
2345 +#ifndef __powerpc64__
2347 +static inline unsigned long __must_check copy_from_user(void *to,
2348 + const void __user *from, unsigned long n)
2350 + unsigned long over;
2355 + if (access_ok(VERIFY_READ, from, n)) {
2356 + if (!__builtin_constant_p(n))
2357 + check_object_size(to, n, false);
2358 + return __copy_tofrom_user((__force void __user *)to, from, n);
2360 + if ((unsigned long)from < TASK_SIZE) {
2361 + over = (unsigned long)from + n - TASK_SIZE;
2362 + if (!__builtin_constant_p(n - over))
2363 + check_object_size(to, n - over, false);
2364 + return __copy_tofrom_user((__force void __user *)to, from,
2370 +static inline unsigned long __must_check copy_to_user(void __user *to,
2371 + const void *from, unsigned long n)
2373 + unsigned long over;
2378 + if (access_ok(VERIFY_WRITE, to, n)) {
2379 + if (!__builtin_constant_p(n))
2380 + check_object_size(from, n, true);
2381 + return __copy_tofrom_user(to, (__force void __user *)from, n);
2383 + if ((unsigned long)to < TASK_SIZE) {
2384 + over = (unsigned long)to + n - TASK_SIZE;
2385 + if (!__builtin_constant_p(n))
2386 + check_object_size(from, n - over, true);
2387 + return __copy_tofrom_user(to, (__force void __user *)from,
2393 +#else /* __powerpc64__ */
2395 +#define __copy_in_user(to, from, size) \
2396 + __copy_tofrom_user((to), (from), (size))
2398 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2400 + if ((long)n < 0 || n > INT_MAX)
2403 + if (!__builtin_constant_p(n))
2404 + check_object_size(to, n, false);
2406 + if (likely(access_ok(VERIFY_READ, from, n)))
2407 + n = __copy_from_user(to, from, n);
2413 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2415 + if ((long)n < 0 || n > INT_MAX)
2418 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
2419 + if (!__builtin_constant_p(n))
2420 + check_object_size(from, n, true);
2421 + n = __copy_to_user(to, from, n);
2426 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2429 +#endif /* __powerpc64__ */
2431 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2433 static inline unsigned long clear_user(void __user *addr, unsigned long size)
2434 diff -urNp linux-2.6.38.6/arch/powerpc/kernel/dma.c linux-2.6.38.6/arch/powerpc/kernel/dma.c
2435 --- linux-2.6.38.6/arch/powerpc/kernel/dma.c 2011-03-14 21:20:32.000000000 -0400
2436 +++ linux-2.6.38.6/arch/powerpc/kernel/dma.c 2011-04-28 19:34:14.000000000 -0400
2437 @@ -136,7 +136,7 @@ static inline void dma_direct_sync_singl
2441 -struct dma_map_ops dma_direct_ops = {
2442 +const struct dma_map_ops dma_direct_ops = {
2443 .alloc_coherent = dma_direct_alloc_coherent,
2444 .free_coherent = dma_direct_free_coherent,
2445 .map_sg = dma_direct_map_sg,
2446 @@ -157,7 +157,7 @@ EXPORT_SYMBOL(dma_direct_ops);
2448 int dma_set_mask(struct device *dev, u64 dma_mask)
2450 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2451 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2453 if (ppc_md.dma_set_mask)
2454 return ppc_md.dma_set_mask(dev, dma_mask);
2455 diff -urNp linux-2.6.38.6/arch/powerpc/kernel/dma-iommu.c linux-2.6.38.6/arch/powerpc/kernel/dma-iommu.c
2456 --- linux-2.6.38.6/arch/powerpc/kernel/dma-iommu.c 2011-03-14 21:20:32.000000000 -0400
2457 +++ linux-2.6.38.6/arch/powerpc/kernel/dma-iommu.c 2011-04-28 19:34:14.000000000 -0400
2458 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2461 /* We support DMA to/from any memory page via the iommu */
2462 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2463 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2465 struct iommu_table *tbl = get_iommu_table_base(dev);
2467 @@ -90,7 +90,7 @@ static int dma_iommu_dma_supported(struc
2471 -struct dma_map_ops dma_iommu_ops = {
2472 +struct dma_map_ops dma_iommu_ops = { /* cannot be const, see arch/powerpc/platforms/cell/iommu.c */
2473 .alloc_coherent = dma_iommu_alloc_coherent,
2474 .free_coherent = dma_iommu_free_coherent,
2475 .map_sg = dma_iommu_map_sg,
2476 diff -urNp linux-2.6.38.6/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.38.6/arch/powerpc/kernel/dma-swiotlb.c
2477 --- linux-2.6.38.6/arch/powerpc/kernel/dma-swiotlb.c 2011-03-14 21:20:32.000000000 -0400
2478 +++ linux-2.6.38.6/arch/powerpc/kernel/dma-swiotlb.c 2011-04-28 19:34:14.000000000 -0400
2479 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2480 * map_page, and unmap_page on highmem, use normal dma_ops
2481 * for everything else.
2483 -struct dma_map_ops swiotlb_dma_ops = {
2484 +const struct dma_map_ops swiotlb_dma_ops = {
2485 .alloc_coherent = dma_direct_alloc_coherent,
2486 .free_coherent = dma_direct_free_coherent,
2487 .map_sg = swiotlb_map_sg_attrs,
2488 diff -urNp linux-2.6.38.6/arch/powerpc/kernel/exceptions-64e.S linux-2.6.38.6/arch/powerpc/kernel/exceptions-64e.S
2489 --- linux-2.6.38.6/arch/powerpc/kernel/exceptions-64e.S 2011-03-14 21:20:32.000000000 -0400
2490 +++ linux-2.6.38.6/arch/powerpc/kernel/exceptions-64e.S 2011-04-28 19:34:14.000000000 -0400
2491 @@ -495,6 +495,7 @@ storage_fault_common:
2494 addi r3,r1,STACK_FRAME_OVERHEAD
2498 ld r14,PACA_EXGEN+EX_R14(r13)
2499 @@ -504,8 +505,7 @@ storage_fault_common:
2502 b .ret_from_except_lite
2506 addi r3,r1,STACK_FRAME_OVERHEAD
2509 diff -urNp linux-2.6.38.6/arch/powerpc/kernel/exceptions-64s.S linux-2.6.38.6/arch/powerpc/kernel/exceptions-64s.S
2510 --- linux-2.6.38.6/arch/powerpc/kernel/exceptions-64s.S 2011-03-14 21:20:32.000000000 -0400
2511 +++ linux-2.6.38.6/arch/powerpc/kernel/exceptions-64s.S 2011-04-28 19:34:14.000000000 -0400
2512 @@ -848,10 +848,10 @@ handle_page_fault:
2515 addi r3,r1,STACK_FRAME_OVERHEAD
2522 addi r3,r1,STACK_FRAME_OVERHEAD
2524 diff -urNp linux-2.6.38.6/arch/powerpc/kernel/ibmebus.c linux-2.6.38.6/arch/powerpc/kernel/ibmebus.c
2525 --- linux-2.6.38.6/arch/powerpc/kernel/ibmebus.c 2011-03-14 21:20:32.000000000 -0400
2526 +++ linux-2.6.38.6/arch/powerpc/kernel/ibmebus.c 2011-04-28 19:34:14.000000000 -0400
2527 @@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct
2531 -static struct dma_map_ops ibmebus_dma_ops = {
2532 +static const struct dma_map_ops ibmebus_dma_ops = {
2533 .alloc_coherent = ibmebus_alloc_coherent,
2534 .free_coherent = ibmebus_free_coherent,
2535 .map_sg = ibmebus_map_sg,
2536 diff -urNp linux-2.6.38.6/arch/powerpc/kernel/kgdb.c linux-2.6.38.6/arch/powerpc/kernel/kgdb.c
2537 --- linux-2.6.38.6/arch/powerpc/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
2538 +++ linux-2.6.38.6/arch/powerpc/kernel/kgdb.c 2011-04-28 19:34:14.000000000 -0400
2539 @@ -422,7 +422,7 @@ int kgdb_arch_handle_exception(int vecto
2543 -struct kgdb_arch arch_kgdb_ops = {
2544 +const struct kgdb_arch arch_kgdb_ops = {
2545 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2548 diff -urNp linux-2.6.38.6/arch/powerpc/kernel/module_32.c linux-2.6.38.6/arch/powerpc/kernel/module_32.c
2549 --- linux-2.6.38.6/arch/powerpc/kernel/module_32.c 2011-03-14 21:20:32.000000000 -0400
2550 +++ linux-2.6.38.6/arch/powerpc/kernel/module_32.c 2011-04-28 19:34:14.000000000 -0400
2551 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2552 me->arch.core_plt_section = i;
2554 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2555 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2556 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2560 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2562 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2563 /* Init, or core PLT? */
2564 - if (location >= mod->module_core
2565 - && location < mod->module_core + mod->core_size)
2566 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2567 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2568 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2570 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2571 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2572 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2574 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2578 /* Find this entry, or if that fails, the next avail. entry */
2579 while (entry->jump[0]) {
2580 diff -urNp linux-2.6.38.6/arch/powerpc/kernel/module.c linux-2.6.38.6/arch/powerpc/kernel/module.c
2581 --- linux-2.6.38.6/arch/powerpc/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
2582 +++ linux-2.6.38.6/arch/powerpc/kernel/module.c 2011-04-28 19:34:14.000000000 -0400
2585 LIST_HEAD(module_bug_list);
2587 +#ifdef CONFIG_PAX_KERNEXEC
2588 void *module_alloc(unsigned long size)
2593 + return vmalloc(size);
2596 +void *module_alloc_exec(unsigned long size)
2598 +void *module_alloc(unsigned long size)
2605 return vmalloc_exec(size);
2608 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2609 vfree(module_region);
2612 +#ifdef CONFIG_PAX_KERNEXEC
2613 +void module_free_exec(struct module *mod, void *module_region)
2615 + module_free(mod, module_region);
2619 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2620 const Elf_Shdr *sechdrs,
2622 diff -urNp linux-2.6.38.6/arch/powerpc/kernel/pci-common.c linux-2.6.38.6/arch/powerpc/kernel/pci-common.c
2623 --- linux-2.6.38.6/arch/powerpc/kernel/pci-common.c 2011-03-14 21:20:32.000000000 -0400
2624 +++ linux-2.6.38.6/arch/powerpc/kernel/pci-common.c 2011-04-28 19:34:14.000000000 -0400
2625 @@ -52,14 +52,14 @@ resource_size_t isa_mem_base;
2626 unsigned int ppc_pci_flags = 0;
2629 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2630 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2632 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2633 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2635 pci_dma_ops = dma_ops;
2638 -struct dma_map_ops *get_pci_dma_ops(void)
2639 +const struct dma_map_ops *get_pci_dma_ops(void)
2643 diff -urNp linux-2.6.38.6/arch/powerpc/kernel/process.c linux-2.6.38.6/arch/powerpc/kernel/process.c
2644 --- linux-2.6.38.6/arch/powerpc/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
2645 +++ linux-2.6.38.6/arch/powerpc/kernel/process.c 2011-04-28 19:34:14.000000000 -0400
2646 @@ -655,8 +655,8 @@ void show_regs(struct pt_regs * regs)
2647 * Lookup NIP late so we have the best change of getting the
2648 * above info out without failing
2650 - printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
2651 - printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
2652 + printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
2653 + printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
2655 show_stack(current, (unsigned long *) regs->gpr[1]);
2656 if (!user_mode(regs))
2657 @@ -1146,10 +1146,10 @@ void show_stack(struct task_struct *tsk,
2659 ip = stack[STACK_FRAME_LR_SAVE];
2660 if (!firstframe || ip != lr) {
2661 - printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
2662 + printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
2663 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
2664 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
2667 (void *)current->ret_stack[curr_frame].ret);
2670 @@ -1169,7 +1169,7 @@ void show_stack(struct task_struct *tsk,
2671 struct pt_regs *regs = (struct pt_regs *)
2672 (sp + STACK_FRAME_OVERHEAD);
2674 - printk("--- Exception: %lx at %pS\n LR = %pS\n",
2675 + printk("--- Exception: %lx at %pA\n LR = %pA\n",
2676 regs->trap, (void *)regs->nip, (void *)lr);
2679 @@ -1244,58 +1244,3 @@ void thread_info_cache_init(void)
2682 #endif /* THREAD_SHIFT < PAGE_SHIFT */
2684 -unsigned long arch_align_stack(unsigned long sp)
2686 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2687 - sp -= get_random_int() & ~PAGE_MASK;
2691 -static inline unsigned long brk_rnd(void)
2693 - unsigned long rnd = 0;
2695 - /* 8MB for 32bit, 1GB for 64bit */
2696 - if (is_32bit_task())
2697 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2699 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2701 - return rnd << PAGE_SHIFT;
2704 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2706 - unsigned long base = mm->brk;
2707 - unsigned long ret;
2709 -#ifdef CONFIG_PPC_STD_MMU_64
2711 - * If we are using 1TB segments and we are allowed to randomise
2712 - * the heap, we can put it above 1TB so it is backed by a 1TB
2713 - * segment. Otherwise the heap will be in the bottom 1TB
2714 - * which always uses 256MB segments and this may result in a
2715 - * performance penalty.
2717 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2718 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2721 - ret = PAGE_ALIGN(base + brk_rnd());
2723 - if (ret < mm->brk)
2729 -unsigned long randomize_et_dyn(unsigned long base)
2731 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2738 diff -urNp linux-2.6.38.6/arch/powerpc/kernel/signal_32.c linux-2.6.38.6/arch/powerpc/kernel/signal_32.c
2739 --- linux-2.6.38.6/arch/powerpc/kernel/signal_32.c 2011-03-14 21:20:32.000000000 -0400
2740 +++ linux-2.6.38.6/arch/powerpc/kernel/signal_32.c 2011-04-28 19:34:14.000000000 -0400
2741 @@ -858,7 +858,7 @@ int handle_rt_signal32(unsigned long sig
2742 /* Save user registers on the stack */
2743 frame = &rt_sf->uc.uc_mcontext;
2745 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2746 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2747 if (save_user_regs(regs, frame, 0, 1))
2749 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
2750 diff -urNp linux-2.6.38.6/arch/powerpc/kernel/signal_64.c linux-2.6.38.6/arch/powerpc/kernel/signal_64.c
2751 --- linux-2.6.38.6/arch/powerpc/kernel/signal_64.c 2011-03-14 21:20:32.000000000 -0400
2752 +++ linux-2.6.38.6/arch/powerpc/kernel/signal_64.c 2011-04-28 19:34:14.000000000 -0400
2753 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2754 current->thread.fpscr.val = 0;
2756 /* Set up to return from userspace. */
2757 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2758 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2759 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2761 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2762 diff -urNp linux-2.6.38.6/arch/powerpc/kernel/vdso.c linux-2.6.38.6/arch/powerpc/kernel/vdso.c
2763 --- linux-2.6.38.6/arch/powerpc/kernel/vdso.c 2011-03-14 21:20:32.000000000 -0400
2764 +++ linux-2.6.38.6/arch/powerpc/kernel/vdso.c 2011-04-28 19:34:14.000000000 -0400
2766 #include <asm/firmware.h>
2767 #include <asm/vdso.h>
2768 #include <asm/vdso_datapage.h>
2769 +#include <asm/mman.h>
2773 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2774 vdso_base = VDSO32_MBASE;
2777 - current->mm->context.vdso_base = 0;
2778 + current->mm->context.vdso_base = ~0UL;
2780 /* vDSO has a problem and was disabled, just don't "enable" it for the
2782 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2783 vdso_base = get_unmapped_area(NULL, vdso_base,
2784 (vdso_pages << PAGE_SHIFT) +
2785 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2787 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
2788 if (IS_ERR_VALUE(vdso_base)) {
2791 diff -urNp linux-2.6.38.6/arch/powerpc/kernel/vio.c linux-2.6.38.6/arch/powerpc/kernel/vio.c
2792 --- linux-2.6.38.6/arch/powerpc/kernel/vio.c 2011-03-14 21:20:32.000000000 -0400
2793 +++ linux-2.6.38.6/arch/powerpc/kernel/vio.c 2011-04-28 19:34:14.000000000 -0400
2794 @@ -605,11 +605,12 @@ static int vio_dma_iommu_dma_supported(s
2795 return dma_iommu_ops.dma_supported(dev, mask);
2798 -struct dma_map_ops vio_dma_mapping_ops = {
2799 +const struct dma_map_ops vio_dma_mapping_ops = {
2800 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2801 .free_coherent = vio_dma_iommu_free_coherent,
2802 .map_sg = vio_dma_iommu_map_sg,
2803 .unmap_sg = vio_dma_iommu_unmap_sg,
2804 + .dma_supported = dma_iommu_dma_supported,
2805 .map_page = vio_dma_iommu_map_page,
2806 .unmap_page = vio_dma_iommu_unmap_page,
2807 .dma_supported = vio_dma_iommu_dma_supported,
2808 diff -urNp linux-2.6.38.6/arch/powerpc/lib/usercopy_64.c linux-2.6.38.6/arch/powerpc/lib/usercopy_64.c
2809 --- linux-2.6.38.6/arch/powerpc/lib/usercopy_64.c 2011-03-14 21:20:32.000000000 -0400
2810 +++ linux-2.6.38.6/arch/powerpc/lib/usercopy_64.c 2011-04-28 19:34:14.000000000 -0400
2812 #include <linux/module.h>
2813 #include <asm/uaccess.h>
2815 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2817 - if (likely(access_ok(VERIFY_READ, from, n)))
2818 - n = __copy_from_user(to, from, n);
2824 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2826 - if (likely(access_ok(VERIFY_WRITE, to, n)))
2827 - n = __copy_to_user(to, from, n);
2831 unsigned long copy_in_user(void __user *to, const void __user *from,
2834 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2838 -EXPORT_SYMBOL(copy_from_user);
2839 -EXPORT_SYMBOL(copy_to_user);
2840 EXPORT_SYMBOL(copy_in_user);
2842 diff -urNp linux-2.6.38.6/arch/powerpc/mm/fault.c linux-2.6.38.6/arch/powerpc/mm/fault.c
2843 --- linux-2.6.38.6/arch/powerpc/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
2844 +++ linux-2.6.38.6/arch/powerpc/mm/fault.c 2011-04-28 19:34:14.000000000 -0400
2846 #include <linux/kdebug.h>
2847 #include <linux/perf_event.h>
2848 #include <linux/magic.h>
2849 +#include <linux/slab.h>
2850 +#include <linux/pagemap.h>
2851 +#include <linux/compiler.h>
2852 +#include <linux/unistd.h>
2854 #include <asm/firmware.h>
2855 #include <asm/page.h>
2857 #include <asm/tlbflush.h>
2858 #include <asm/siginfo.h>
2859 #include <mm/mmu_decl.h>
2860 +#include <asm/ptrace.h>
2862 #ifdef CONFIG_KPROBES
2863 static inline int notify_page_fault(struct pt_regs *regs)
2864 @@ -65,6 +70,33 @@ static inline int notify_page_fault(stru
2868 +#ifdef CONFIG_PAX_PAGEEXEC
2870 + * PaX: decide what to do with offenders (regs->nip = fault address)
2872 + * returns 1 when task should be killed
2874 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2879 +void pax_report_insns(void *pc, void *sp)
2883 + printk(KERN_ERR "PAX: bytes at PC: ");
2884 + for (i = 0; i < 5; i++) {
2886 + if (get_user(c, (unsigned int __user *)pc+i))
2887 + printk(KERN_CONT "???????? ");
2889 + printk(KERN_CONT "%08x ", c);
2896 * Check whether the instruction at regs->nip is a store using
2897 * an update addressing form which will update r1.
2898 @@ -135,7 +167,7 @@ int __kprobes do_page_fault(struct pt_re
2899 * indicate errors in DSISR but can validly be set in SRR1.
2902 - error_code &= 0x48200000;
2903 + error_code &= 0x58200000;
2905 is_write = error_code & DSISR_ISSTORE;
2907 @@ -258,7 +290,7 @@ good_area:
2908 * "undefined". Of those that can be set, this is the only
2909 * one which seems bad.
2911 - if (error_code & 0x10000000)
2912 + if (error_code & DSISR_GUARDED)
2913 /* Guarded storage error. */
2915 #endif /* CONFIG_8xx */
2916 @@ -273,7 +305,7 @@ good_area:
2917 * processors use the same I/D cache coherency mechanism
2920 - if (error_code & DSISR_PROTFAULT)
2921 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2923 #endif /* CONFIG_PPC_STD_MMU */
2925 @@ -342,6 +374,23 @@ bad_area:
2926 bad_area_nosemaphore:
2927 /* User mode accesses cause a SIGSEGV */
2928 if (user_mode(regs)) {
2930 +#ifdef CONFIG_PAX_PAGEEXEC
2931 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2932 +#ifdef CONFIG_PPC_STD_MMU
2933 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2935 + if (is_exec && regs->nip == address) {
2937 + switch (pax_handle_fetch_fault(regs)) {
2940 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2941 + do_group_exit(SIGKILL);
2946 _exception(SIGSEGV, regs, code, address);
2949 diff -urNp linux-2.6.38.6/arch/powerpc/mm/mmap_64.c linux-2.6.38.6/arch/powerpc/mm/mmap_64.c
2950 --- linux-2.6.38.6/arch/powerpc/mm/mmap_64.c 2011-03-14 21:20:32.000000000 -0400
2951 +++ linux-2.6.38.6/arch/powerpc/mm/mmap_64.c 2011-04-28 19:34:14.000000000 -0400
2952 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2954 if (mmap_is_legacy()) {
2955 mm->mmap_base = TASK_UNMAPPED_BASE;
2957 +#ifdef CONFIG_PAX_RANDMMAP
2958 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2959 + mm->mmap_base += mm->delta_mmap;
2962 mm->get_unmapped_area = arch_get_unmapped_area;
2963 mm->unmap_area = arch_unmap_area;
2965 mm->mmap_base = mmap_base();
2967 +#ifdef CONFIG_PAX_RANDMMAP
2968 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2969 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2972 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2973 mm->unmap_area = arch_unmap_area_topdown;
2975 diff -urNp linux-2.6.38.6/arch/powerpc/mm/slice.c linux-2.6.38.6/arch/powerpc/mm/slice.c
2976 --- linux-2.6.38.6/arch/powerpc/mm/slice.c 2011-03-14 21:20:32.000000000 -0400
2977 +++ linux-2.6.38.6/arch/powerpc/mm/slice.c 2011-04-28 19:34:14.000000000 -0400
2978 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
2979 if ((mm->task_size - len) < addr)
2981 vma = find_vma(mm, addr);
2982 - return (!vma || (addr + len) <= vma->vm_start);
2983 + return check_heap_stack_gap(vma, addr, len);
2986 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
2987 @@ -256,7 +256,7 @@ full_search:
2988 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
2991 - if (!vma || addr + len <= vma->vm_start) {
2992 + if (check_heap_stack_gap(vma, addr, len)) {
2994 * Remember the place where we stopped the search:
2996 @@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
3000 - addr = mm->mmap_base;
3001 - while (addr > len) {
3002 + if (mm->mmap_base < len)
3005 + addr = mm->mmap_base - len;
3007 + while (!IS_ERR_VALUE(addr)) {
3008 /* Go down by chunk size */
3009 - addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
3010 + addr = _ALIGN_DOWN(addr, 1ul << pshift);
3012 /* Check for hit with different page size */
3013 mask = slice_range_to_mask(addr, len);
3014 @@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
3015 * return with success:
3017 vma = find_vma(mm, addr);
3018 - if (!vma || (addr + len) <= vma->vm_start) {
3019 + if (check_heap_stack_gap(vma, addr, len)) {
3020 /* remember the address as a hint for next time */
3022 mm->free_area_cache = addr;
3023 @@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
3024 mm->cached_hole_size = vma->vm_start - addr;
3026 /* try just below the current vma->vm_start */
3027 - addr = vma->vm_start;
3028 + addr = skip_heap_stack_gap(vma, len);
3032 @@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
3033 if (fixed && addr > (mm->task_size - len))
3036 +#ifdef CONFIG_PAX_RANDMMAP
3037 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
3041 /* If hint, make sure it matches our alignment restrictions */
3042 if (!fixed && addr) {
3043 addr = _ALIGN_UP(addr, 1ul << pshift);
3044 diff -urNp linux-2.6.38.6/arch/powerpc/platforms/cell/iommu.c linux-2.6.38.6/arch/powerpc/platforms/cell/iommu.c
3045 --- linux-2.6.38.6/arch/powerpc/platforms/cell/iommu.c 2011-03-14 21:20:32.000000000 -0400
3046 +++ linux-2.6.38.6/arch/powerpc/platforms/cell/iommu.c 2011-04-28 19:34:14.000000000 -0400
3047 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
3049 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
3051 -struct dma_map_ops dma_iommu_fixed_ops = {
3052 +const struct dma_map_ops dma_iommu_fixed_ops = {
3053 .alloc_coherent = dma_fixed_alloc_coherent,
3054 .free_coherent = dma_fixed_free_coherent,
3055 .map_sg = dma_fixed_map_sg,
3056 diff -urNp linux-2.6.38.6/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.38.6/arch/powerpc/platforms/ps3/system-bus.c
3057 --- linux-2.6.38.6/arch/powerpc/platforms/ps3/system-bus.c 2011-03-14 21:20:32.000000000 -0400
3058 +++ linux-2.6.38.6/arch/powerpc/platforms/ps3/system-bus.c 2011-04-28 19:34:14.000000000 -0400
3059 @@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi
3060 return mask >= DMA_BIT_MASK(32);
3063 -static struct dma_map_ops ps3_sb_dma_ops = {
3064 +static const struct dma_map_ops ps3_sb_dma_ops = {
3065 .alloc_coherent = ps3_alloc_coherent,
3066 .free_coherent = ps3_free_coherent,
3067 .map_sg = ps3_sb_map_sg,
3068 @@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops
3069 .unmap_page = ps3_unmap_page,
3072 -static struct dma_map_ops ps3_ioc0_dma_ops = {
3073 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
3074 .alloc_coherent = ps3_alloc_coherent,
3075 .free_coherent = ps3_free_coherent,
3076 .map_sg = ps3_ioc0_map_sg,
3077 diff -urNp linux-2.6.38.6/arch/powerpc/sysdev/ppc4xx_cpm.c linux-2.6.38.6/arch/powerpc/sysdev/ppc4xx_cpm.c
3078 --- linux-2.6.38.6/arch/powerpc/sysdev/ppc4xx_cpm.c 2011-03-14 21:20:32.000000000 -0400
3079 +++ linux-2.6.38.6/arch/powerpc/sysdev/ppc4xx_cpm.c 2011-04-28 19:34:14.000000000 -0400
3080 @@ -240,7 +240,7 @@ static int cpm_suspend_enter(suspend_sta
3084 -static struct platform_suspend_ops cpm_suspend_ops = {
3085 +static const struct platform_suspend_ops cpm_suspend_ops = {
3086 .valid = cpm_suspend_valid,
3087 .enter = cpm_suspend_enter,
3089 diff -urNp linux-2.6.38.6/arch/s390/include/asm/elf.h linux-2.6.38.6/arch/s390/include/asm/elf.h
3090 --- linux-2.6.38.6/arch/s390/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
3091 +++ linux-2.6.38.6/arch/s390/include/asm/elf.h 2011-04-28 19:34:14.000000000 -0400
3092 @@ -162,8 +162,14 @@ extern unsigned int vdso_enabled;
3093 the loader. We need to make sure that it is out of the way of the program
3094 that it will "exec", and that there is sufficient room for the brk. */
3096 -extern unsigned long randomize_et_dyn(unsigned long base);
3097 -#define ELF_ET_DYN_BASE (randomize_et_dyn(STACK_TOP / 3 * 2))
3098 +#define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
3100 +#ifdef CONFIG_PAX_ASLR
3101 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
3103 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3104 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3107 /* This yields a mask that user programs can use to figure out what
3108 instruction set this CPU supports. */
3109 @@ -222,7 +228,4 @@ struct linux_binprm;
3110 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
3111 int arch_setup_additional_pages(struct linux_binprm *, int);
3113 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
3114 -#define arch_randomize_brk arch_randomize_brk
3117 diff -urNp linux-2.6.38.6/arch/s390/include/asm/system.h linux-2.6.38.6/arch/s390/include/asm/system.h
3118 --- linux-2.6.38.6/arch/s390/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
3119 +++ linux-2.6.38.6/arch/s390/include/asm/system.h 2011-04-28 19:34:14.000000000 -0400
3120 @@ -449,7 +449,7 @@ extern void (*_machine_restart)(char *co
3121 extern void (*_machine_halt)(void);
3122 extern void (*_machine_power_off)(void);
3124 -extern unsigned long arch_align_stack(unsigned long sp);
3125 +#define arch_align_stack(x) ((x) & ~0xfUL)
3127 static inline int tprot(unsigned long addr)
3129 diff -urNp linux-2.6.38.6/arch/s390/include/asm/uaccess.h linux-2.6.38.6/arch/s390/include/asm/uaccess.h
3130 --- linux-2.6.38.6/arch/s390/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
3131 +++ linux-2.6.38.6/arch/s390/include/asm/uaccess.h 2011-04-28 19:34:14.000000000 -0400
3132 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
3133 copy_to_user(void __user *to, const void *from, unsigned long n)
3140 if (access_ok(VERIFY_WRITE, to, n))
3141 n = __copy_to_user(to, from, n);
3143 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
3144 static inline unsigned long __must_check
3145 __copy_from_user(void *to, const void __user *from, unsigned long n)
3150 if (__builtin_constant_p(n) && (n <= 256))
3151 return uaccess.copy_from_user_small(n, from, to);
3153 @@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us
3154 unsigned int sz = __compiletime_object_size(to);
3161 if (unlikely(sz != -1 && sz < n)) {
3162 copy_from_user_overflow();
3164 diff -urNp linux-2.6.38.6/arch/s390/Kconfig linux-2.6.38.6/arch/s390/Kconfig
3165 --- linux-2.6.38.6/arch/s390/Kconfig 2011-03-14 21:20:32.000000000 -0400
3166 +++ linux-2.6.38.6/arch/s390/Kconfig 2011-04-28 19:34:14.000000000 -0400
3167 @@ -233,11 +233,9 @@ config S390_EXEC_PROTECT
3168 prompt "Data execute protection"
3170 This option allows to enable a buffer overflow protection for user
3171 - space programs and it also selects the addressing mode option above.
3172 - The kernel parameter noexec=on will enable this feature and also
3173 - switch the addressing modes, default is disabled. Enabling this (via
3174 - kernel parameter) on machines earlier than IBM System z9 this will
3175 - reduce system performance.
3177 + Enabling this (via kernel parameter) on machines earlier than IBM
3178 + System z9 this will reduce system performance.
3180 comment "Code generation options"
3182 diff -urNp linux-2.6.38.6/arch/s390/kernel/module.c linux-2.6.38.6/arch/s390/kernel/module.c
3183 --- linux-2.6.38.6/arch/s390/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
3184 +++ linux-2.6.38.6/arch/s390/kernel/module.c 2011-04-28 19:34:14.000000000 -0400
3185 @@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
3187 /* Increase core size by size of got & plt and set start
3188 offsets for got and plt. */
3189 - me->core_size = ALIGN(me->core_size, 4);
3190 - me->arch.got_offset = me->core_size;
3191 - me->core_size += me->arch.got_size;
3192 - me->arch.plt_offset = me->core_size;
3193 - me->core_size += me->arch.plt_size;
3194 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
3195 + me->arch.got_offset = me->core_size_rw;
3196 + me->core_size_rw += me->arch.got_size;
3197 + me->arch.plt_offset = me->core_size_rx;
3198 + me->core_size_rx += me->arch.plt_size;
3202 @@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3203 if (info->got_initialized == 0) {
3206 - gotent = me->module_core + me->arch.got_offset +
3207 + gotent = me->module_core_rw + me->arch.got_offset +
3210 info->got_initialized = 1;
3211 @@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3212 else if (r_type == R_390_GOTENT ||
3213 r_type == R_390_GOTPLTENT)
3214 *(unsigned int *) loc =
3215 - (val + (Elf_Addr) me->module_core - loc) >> 1;
3216 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3217 else if (r_type == R_390_GOT64 ||
3218 r_type == R_390_GOTPLT64)
3219 *(unsigned long *) loc = val;
3220 @@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3221 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3222 if (info->plt_initialized == 0) {
3224 - ip = me->module_core + me->arch.plt_offset +
3225 + ip = me->module_core_rx + me->arch.plt_offset +
3227 #ifndef CONFIG_64BIT
3228 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3229 @@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3230 val - loc + 0xffffUL < 0x1ffffeUL) ||
3231 (r_type == R_390_PLT32DBL &&
3232 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3233 - val = (Elf_Addr) me->module_core +
3234 + val = (Elf_Addr) me->module_core_rx +
3235 me->arch.plt_offset +
3237 val += rela->r_addend - loc;
3238 @@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3239 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3240 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3241 val = val + rela->r_addend -
3242 - ((Elf_Addr) me->module_core + me->arch.got_offset);
3243 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3244 if (r_type == R_390_GOTOFF16)
3245 *(unsigned short *) loc = val;
3246 else if (r_type == R_390_GOTOFF32)
3247 @@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3249 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3250 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3251 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
3252 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3253 rela->r_addend - loc;
3254 if (r_type == R_390_GOTPC)
3255 *(unsigned int *) loc = val;
3256 diff -urNp linux-2.6.38.6/arch/s390/kernel/process.c linux-2.6.38.6/arch/s390/kernel/process.c
3257 --- linux-2.6.38.6/arch/s390/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
3258 +++ linux-2.6.38.6/arch/s390/kernel/process.c 2011-04-28 19:34:14.000000000 -0400
3259 @@ -334,39 +334,3 @@ unsigned long get_wchan(struct task_stru
3264 -unsigned long arch_align_stack(unsigned long sp)
3266 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
3267 - sp -= get_random_int() & ~PAGE_MASK;
3271 -static inline unsigned long brk_rnd(void)
3273 - /* 8MB for 32bit, 1GB for 64bit */
3274 - if (is_32bit_task())
3275 - return (get_random_int() & 0x7ffUL) << PAGE_SHIFT;
3277 - return (get_random_int() & 0x3ffffUL) << PAGE_SHIFT;
3280 -unsigned long arch_randomize_brk(struct mm_struct *mm)
3282 - unsigned long ret = PAGE_ALIGN(mm->brk + brk_rnd());
3284 - if (ret < mm->brk)
3289 -unsigned long randomize_et_dyn(unsigned long base)
3291 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
3293 - if (!(current->flags & PF_RANDOMIZE))
3299 diff -urNp linux-2.6.38.6/arch/s390/kernel/setup.c linux-2.6.38.6/arch/s390/kernel/setup.c
3300 --- linux-2.6.38.6/arch/s390/kernel/setup.c 2011-03-14 21:20:32.000000000 -0400
3301 +++ linux-2.6.38.6/arch/s390/kernel/setup.c 2011-04-28 19:34:14.000000000 -0400
3302 @@ -281,7 +281,7 @@ static int __init early_parse_mem(char *
3304 early_param("mem", early_parse_mem);
3306 -unsigned int user_mode = HOME_SPACE_MODE;
3307 +unsigned int user_mode = SECONDARY_SPACE_MODE;
3308 EXPORT_SYMBOL_GPL(user_mode);
3310 static int set_amode_and_uaccess(unsigned long user_amode,
3311 @@ -310,17 +310,6 @@ static int set_amode_and_uaccess(unsigne
3316 - * Switch kernel/user addressing modes?
3318 -static int __init early_parse_switch_amode(char *p)
3320 - if (user_mode != SECONDARY_SPACE_MODE)
3321 - user_mode = PRIMARY_SPACE_MODE;
3324 -early_param("switch_amode", early_parse_switch_amode);
3326 static int __init early_parse_user_mode(char *p)
3328 if (p && strcmp(p, "primary") == 0)
3329 @@ -337,20 +326,6 @@ static int __init early_parse_user_mode(
3331 early_param("user_mode", early_parse_user_mode);
3333 -#ifdef CONFIG_S390_EXEC_PROTECT
3335 - * Enable execute protection?
3337 -static int __init early_parse_noexec(char *p)
3339 - if (!strncmp(p, "off", 3))
3341 - user_mode = SECONDARY_SPACE_MODE;
3344 -early_param("noexec", early_parse_noexec);
3345 -#endif /* CONFIG_S390_EXEC_PROTECT */
3347 static void setup_addressing_mode(void)
3349 if (user_mode == SECONDARY_SPACE_MODE) {
3350 diff -urNp linux-2.6.38.6/arch/s390/mm/maccess.c linux-2.6.38.6/arch/s390/mm/maccess.c
3351 --- linux-2.6.38.6/arch/s390/mm/maccess.c 2011-03-14 21:20:32.000000000 -0400
3352 +++ linux-2.6.38.6/arch/s390/mm/maccess.c 2011-04-28 19:34:14.000000000 -0400
3353 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
3354 return rc ? rc : count;
3357 -long probe_kernel_write(void *dst, void *src, size_t size)
3358 +long probe_kernel_write(void *dst, const void *src, size_t size)
3362 diff -urNp linux-2.6.38.6/arch/s390/mm/mmap.c linux-2.6.38.6/arch/s390/mm/mmap.c
3363 --- linux-2.6.38.6/arch/s390/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
3364 +++ linux-2.6.38.6/arch/s390/mm/mmap.c 2011-04-28 19:34:14.000000000 -0400
3365 @@ -91,10 +91,22 @@ void arch_pick_mmap_layout(struct mm_str
3367 if (mmap_is_legacy()) {
3368 mm->mmap_base = TASK_UNMAPPED_BASE;
3370 +#ifdef CONFIG_PAX_RANDMMAP
3371 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3372 + mm->mmap_base += mm->delta_mmap;
3375 mm->get_unmapped_area = arch_get_unmapped_area;
3376 mm->unmap_area = arch_unmap_area;
3378 mm->mmap_base = mmap_base();
3380 +#ifdef CONFIG_PAX_RANDMMAP
3381 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3382 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3385 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3386 mm->unmap_area = arch_unmap_area_topdown;
3388 @@ -166,10 +178,22 @@ void arch_pick_mmap_layout(struct mm_str
3390 if (mmap_is_legacy()) {
3391 mm->mmap_base = TASK_UNMAPPED_BASE;
3393 +#ifdef CONFIG_PAX_RANDMMAP
3394 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3395 + mm->mmap_base += mm->delta_mmap;
3398 mm->get_unmapped_area = s390_get_unmapped_area;
3399 mm->unmap_area = arch_unmap_area;
3401 mm->mmap_base = mmap_base();
3403 +#ifdef CONFIG_PAX_RANDMMAP
3404 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3405 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3408 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3409 mm->unmap_area = arch_unmap_area_topdown;
3411 diff -urNp linux-2.6.38.6/arch/score/include/asm/system.h linux-2.6.38.6/arch/score/include/asm/system.h
3412 --- linux-2.6.38.6/arch/score/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
3413 +++ linux-2.6.38.6/arch/score/include/asm/system.h 2011-04-28 19:34:14.000000000 -0400
3414 @@ -17,7 +17,7 @@ do { \
3415 #define finish_arch_switch(prev) do {} while (0)
3417 typedef void (*vi_handler_t)(void);
3418 -extern unsigned long arch_align_stack(unsigned long sp);
3419 +#define arch_align_stack(x) (x)
3421 #define mb() barrier()
3422 #define rmb() barrier()
3423 diff -urNp linux-2.6.38.6/arch/score/kernel/process.c linux-2.6.38.6/arch/score/kernel/process.c
3424 --- linux-2.6.38.6/arch/score/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
3425 +++ linux-2.6.38.6/arch/score/kernel/process.c 2011-04-28 19:34:14.000000000 -0400
3426 @@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
3428 return task_pt_regs(task)->cp0_epc;
3431 -unsigned long arch_align_stack(unsigned long sp)
3435 diff -urNp linux-2.6.38.6/arch/sh/include/asm/dma-mapping.h linux-2.6.38.6/arch/sh/include/asm/dma-mapping.h
3436 --- linux-2.6.38.6/arch/sh/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
3437 +++ linux-2.6.38.6/arch/sh/include/asm/dma-mapping.h 2011-04-28 19:34:14.000000000 -0400
3439 #ifndef __ASM_SH_DMA_MAPPING_H
3440 #define __ASM_SH_DMA_MAPPING_H
3442 -extern struct dma_map_ops *dma_ops;
3443 +extern const struct dma_map_ops *dma_ops;
3444 extern void no_iommu_init(void);
3446 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3447 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3451 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
3453 static inline int dma_supported(struct device *dev, u64 mask)
3455 - struct dma_map_ops *ops = get_dma_ops(dev);
3456 + const struct dma_map_ops *ops = get_dma_ops(dev);
3458 if (ops->dma_supported)
3459 return ops->dma_supported(dev, mask);
3460 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
3462 static inline int dma_set_mask(struct device *dev, u64 mask)
3464 - struct dma_map_ops *ops = get_dma_ops(dev);
3465 + const struct dma_map_ops *ops = get_dma_ops(dev);
3467 if (!dev->dma_mask || !dma_supported(dev, mask))
3469 @@ -44,7 +44,7 @@ void dma_cache_sync(struct device *dev,
3471 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
3473 - struct dma_map_ops *ops = get_dma_ops(dev);
3474 + const struct dma_map_ops *ops = get_dma_ops(dev);
3476 if (ops->mapping_error)
3477 return ops->mapping_error(dev, dma_addr);
3478 @@ -55,7 +55,7 @@ static inline int dma_mapping_error(stru
3479 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3480 dma_addr_t *dma_handle, gfp_t gfp)
3482 - struct dma_map_ops *ops = get_dma_ops(dev);
3483 + const struct dma_map_ops *ops = get_dma_ops(dev);
3486 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
3487 @@ -72,7 +72,7 @@ static inline void *dma_alloc_coherent(s
3488 static inline void dma_free_coherent(struct device *dev, size_t size,
3489 void *vaddr, dma_addr_t dma_handle)
3491 - struct dma_map_ops *ops = get_dma_ops(dev);
3492 + const struct dma_map_ops *ops = get_dma_ops(dev);
3494 if (dma_release_from_coherent(dev, get_order(size), vaddr))
3496 diff -urNp linux-2.6.38.6/arch/sh/kernel/dma-nommu.c linux-2.6.38.6/arch/sh/kernel/dma-nommu.c
3497 --- linux-2.6.38.6/arch/sh/kernel/dma-nommu.c 2011-03-14 21:20:32.000000000 -0400
3498 +++ linux-2.6.38.6/arch/sh/kernel/dma-nommu.c 2011-04-28 19:34:14.000000000 -0400
3499 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
3503 -struct dma_map_ops nommu_dma_ops = {
3504 +const struct dma_map_ops nommu_dma_ops = {
3505 .alloc_coherent = dma_generic_alloc_coherent,
3506 .free_coherent = dma_generic_free_coherent,
3507 .map_page = nommu_map_page,
3508 diff -urNp linux-2.6.38.6/arch/sh/kernel/kgdb.c linux-2.6.38.6/arch/sh/kernel/kgdb.c
3509 --- linux-2.6.38.6/arch/sh/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
3510 +++ linux-2.6.38.6/arch/sh/kernel/kgdb.c 2011-04-28 19:34:14.000000000 -0400
3511 @@ -319,7 +319,7 @@ void kgdb_arch_exit(void)
3512 unregister_die_notifier(&kgdb_notifier);
3515 -struct kgdb_arch arch_kgdb_ops = {
3516 +const struct kgdb_arch arch_kgdb_ops = {
3517 /* Breakpoint instruction: trapa #0x3c */
3518 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3519 .gdb_bpt_instr = { 0x3c, 0xc3 },
3520 diff -urNp linux-2.6.38.6/arch/sh/mm/consistent.c linux-2.6.38.6/arch/sh/mm/consistent.c
3521 --- linux-2.6.38.6/arch/sh/mm/consistent.c 2011-03-14 21:20:32.000000000 -0400
3522 +++ linux-2.6.38.6/arch/sh/mm/consistent.c 2011-04-28 19:34:14.000000000 -0400
3525 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
3527 -struct dma_map_ops *dma_ops;
3528 +const struct dma_map_ops *dma_ops;
3529 EXPORT_SYMBOL(dma_ops);
3531 static int __init dma_init(void)
3532 diff -urNp linux-2.6.38.6/arch/sh/mm/mmap.c linux-2.6.38.6/arch/sh/mm/mmap.c
3533 --- linux-2.6.38.6/arch/sh/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
3534 +++ linux-2.6.38.6/arch/sh/mm/mmap.c 2011-04-28 19:34:14.000000000 -0400
3535 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3536 addr = PAGE_ALIGN(addr);
3538 vma = find_vma(mm, addr);
3539 - if (TASK_SIZE - len >= addr &&
3540 - (!vma || addr + len <= vma->vm_start))
3541 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3545 @@ -106,7 +105,7 @@ full_search:
3549 - if (likely(!vma || addr + len <= vma->vm_start)) {
3550 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3552 * Remember the place where we stopped the search:
3554 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3555 addr = PAGE_ALIGN(addr);
3557 vma = find_vma(mm, addr);
3558 - if (TASK_SIZE - len >= addr &&
3559 - (!vma || addr + len <= vma->vm_start))
3560 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3564 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3565 /* make sure it can fit in the remaining address space */
3566 if (likely(addr > len)) {
3567 vma = find_vma(mm, addr-len);
3568 - if (!vma || addr <= vma->vm_start) {
3569 + if (check_heap_stack_gap(vma, addr - len, len)) {
3570 /* remember the address as a hint for next time */
3571 return (mm->free_area_cache = addr-len);
3573 @@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
3574 if (unlikely(mm->mmap_base < len))
3577 - addr = mm->mmap_base-len;
3578 - if (do_colour_align)
3579 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3580 + addr = mm->mmap_base - len;
3583 + if (do_colour_align)
3584 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3586 * Lookup failure means no vma is above this address,
3587 * else if new region fits below vma->vm_start,
3588 * return with success:
3590 vma = find_vma(mm, addr);
3591 - if (likely(!vma || addr+len <= vma->vm_start)) {
3592 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3593 /* remember the address as a hint for next time */
3594 return (mm->free_area_cache = addr);
3596 @@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
3597 mm->cached_hole_size = vma->vm_start - addr;
3599 /* try just below the current vma->vm_start */
3600 - addr = vma->vm_start-len;
3601 - if (do_colour_align)
3602 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3603 - } while (likely(len < vma->vm_start));
3604 + addr = skip_heap_stack_gap(vma, len);
3605 + } while (!IS_ERR_VALUE(addr));
3609 diff -urNp linux-2.6.38.6/arch/sparc/include/asm/atomic_64.h linux-2.6.38.6/arch/sparc/include/asm/atomic_64.h
3610 --- linux-2.6.38.6/arch/sparc/include/asm/atomic_64.h 2011-03-14 21:20:32.000000000 -0400
3611 +++ linux-2.6.38.6/arch/sparc/include/asm/atomic_64.h 2011-04-28 19:57:25.000000000 -0400
3613 #define ATOMIC64_INIT(i) { (i) }
3615 #define atomic_read(v) (*(volatile int *)&(v)->counter)
3616 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3618 + return v->counter;
3620 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
3621 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3623 + return v->counter;
3626 #define atomic_set(v, i) (((v)->counter) = i)
3627 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3631 #define atomic64_set(v, i) (((v)->counter) = i)
3632 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3637 extern void atomic_add(int, atomic_t *);
3638 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3639 extern void atomic64_add(long, atomic64_t *);
3640 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3641 extern void atomic_sub(int, atomic_t *);
3642 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3643 extern void atomic64_sub(long, atomic64_t *);
3644 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3646 extern int atomic_add_ret(int, atomic_t *);
3647 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3648 extern long atomic64_add_ret(long, atomic64_t *);
3649 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3650 extern int atomic_sub_ret(int, atomic_t *);
3651 extern long atomic64_sub_ret(long, atomic64_t *);
3653 @@ -33,12 +55,24 @@ extern long atomic64_sub_ret(long, atomi
3654 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3656 #define atomic_inc_return(v) atomic_add_ret(1, v)
3657 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3659 + return atomic_add_ret_unchecked(1, v);
3661 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3662 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3664 + return atomic64_add_ret_unchecked(1, v);
3667 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3668 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3670 #define atomic_add_return(i, v) atomic_add_ret(i, v)
3671 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
3673 + return atomic_add_ret_unchecked(i, v);
3675 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
3678 @@ -50,6 +84,7 @@ extern long atomic64_sub_ret(long, atomi
3681 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
3682 +#define atomic_inc_and_test_unchecked(v) (atomic_inc_return_unchecked(v) == 0)
3683 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
3685 #define atomic_sub_and_test(i, v) (atomic_sub_ret(i, v) == 0)
3686 @@ -59,30 +94,59 @@ extern long atomic64_sub_ret(long, atomi
3687 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3689 #define atomic_inc(v) atomic_add(1, v)
3690 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3692 + atomic_add_unchecked(1, v);
3694 #define atomic64_inc(v) atomic64_add(1, v)
3695 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3697 + atomic64_add_unchecked(1, v);
3700 #define atomic_dec(v) atomic_sub(1, v)
3701 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3703 + atomic_sub_unchecked(1, v);
3705 #define atomic64_dec(v) atomic64_sub(1, v)
3706 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3708 + atomic64_sub_unchecked(1, v);
3711 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3712 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3714 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
3715 +#define atomic_cmpxchg_unchecked(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
3716 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
3717 +#define atomic_xchg_unchecked(v, new) (xchg(&((v)->counter), new))
3719 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3725 - if (unlikely(c == (u)))
3726 + if (unlikely(c == u))
3728 - old = atomic_cmpxchg((v), c, c + (a));
3730 + asm volatile("addcc %2, %0, %0\n"
3732 +#ifdef CONFIG_PAX_REFCOUNT
3737 + : "0" (c), "ir" (a)
3740 + old = atomic_cmpxchg(v, c, new);
3741 if (likely(old == c))
3749 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
3750 @@ -93,17 +157,28 @@ static inline int atomic_add_unless(atom
3752 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3756 c = atomic64_read(v);
3758 - if (unlikely(c == (u)))
3759 + if (unlikely(c == u))
3761 - old = atomic64_cmpxchg((v), c, c + (a));
3763 + asm volatile("addcc %2, %0, %0\n"
3765 +#ifdef CONFIG_PAX_REFCOUNT
3770 + : "0" (c), "ir" (a)
3773 + old = atomic64_cmpxchg(v, c, new);
3774 if (likely(old == c))
3782 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3783 diff -urNp linux-2.6.38.6/arch/sparc/include/asm/cache.h linux-2.6.38.6/arch/sparc/include/asm/cache.h
3784 --- linux-2.6.38.6/arch/sparc/include/asm/cache.h 2011-03-14 21:20:32.000000000 -0400
3785 +++ linux-2.6.38.6/arch/sparc/include/asm/cache.h 2011-05-17 19:31:43.000000000 -0400
3787 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long long)
3789 #define L1_CACHE_SHIFT 5
3790 -#define L1_CACHE_BYTES 32
3791 +#define L1_CACHE_BYTES 32U
3793 #ifdef CONFIG_SPARC32
3794 #define SMP_CACHE_BYTES_SHIFT 5
3795 diff -urNp linux-2.6.38.6/arch/sparc/include/asm/dma-mapping.h linux-2.6.38.6/arch/sparc/include/asm/dma-mapping.h
3796 --- linux-2.6.38.6/arch/sparc/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
3797 +++ linux-2.6.38.6/arch/sparc/include/asm/dma-mapping.h 2011-04-28 19:34:14.000000000 -0400
3798 @@ -12,10 +12,10 @@ extern int dma_supported(struct device *
3799 #define dma_alloc_noncoherent(d, s, h, f) dma_alloc_coherent(d, s, h, f)
3800 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3802 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3803 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3804 extern struct bus_type pci_bus_type;
3806 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3807 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3809 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3810 if (dev->bus == &pci_bus_type)
3811 @@ -29,7 +29,7 @@ static inline struct dma_map_ops *get_dm
3812 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3813 dma_addr_t *dma_handle, gfp_t flag)
3815 - struct dma_map_ops *ops = get_dma_ops(dev);
3816 + const struct dma_map_ops *ops = get_dma_ops(dev);
3819 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3820 @@ -40,7 +40,7 @@ static inline void *dma_alloc_coherent(s
3821 static inline void dma_free_coherent(struct device *dev, size_t size,
3822 void *cpu_addr, dma_addr_t dma_handle)
3824 - struct dma_map_ops *ops = get_dma_ops(dev);
3825 + const struct dma_map_ops *ops = get_dma_ops(dev);
3827 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3828 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3829 diff -urNp linux-2.6.38.6/arch/sparc/include/asm/elf_32.h linux-2.6.38.6/arch/sparc/include/asm/elf_32.h
3830 --- linux-2.6.38.6/arch/sparc/include/asm/elf_32.h 2011-03-14 21:20:32.000000000 -0400
3831 +++ linux-2.6.38.6/arch/sparc/include/asm/elf_32.h 2011-04-28 19:34:14.000000000 -0400
3832 @@ -114,6 +114,13 @@ typedef struct {
3834 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3836 +#ifdef CONFIG_PAX_ASLR
3837 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3839 +#define PAX_DELTA_MMAP_LEN 16
3840 +#define PAX_DELTA_STACK_LEN 16
3843 /* This yields a mask that user programs can use to figure out what
3844 instruction set this cpu supports. This can NOT be done in userspace
3846 diff -urNp linux-2.6.38.6/arch/sparc/include/asm/elf_64.h linux-2.6.38.6/arch/sparc/include/asm/elf_64.h
3847 --- linux-2.6.38.6/arch/sparc/include/asm/elf_64.h 2011-03-14 21:20:32.000000000 -0400
3848 +++ linux-2.6.38.6/arch/sparc/include/asm/elf_64.h 2011-04-28 19:34:14.000000000 -0400
3849 @@ -162,6 +162,12 @@ typedef struct {
3850 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3851 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3853 +#ifdef CONFIG_PAX_ASLR
3854 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3856 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3857 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3860 /* This yields a mask that user programs can use to figure out what
3861 instruction set this cpu supports. */
3862 diff -urNp linux-2.6.38.6/arch/sparc/include/asm/pgtable_32.h linux-2.6.38.6/arch/sparc/include/asm/pgtable_32.h
3863 --- linux-2.6.38.6/arch/sparc/include/asm/pgtable_32.h 2011-03-14 21:20:32.000000000 -0400
3864 +++ linux-2.6.38.6/arch/sparc/include/asm/pgtable_32.h 2011-04-28 19:34:14.000000000 -0400
3865 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3866 BTFIXUPDEF_INT(page_none)
3867 BTFIXUPDEF_INT(page_copy)
3868 BTFIXUPDEF_INT(page_readonly)
3870 +#ifdef CONFIG_PAX_PAGEEXEC
3871 +BTFIXUPDEF_INT(page_shared_noexec)
3872 +BTFIXUPDEF_INT(page_copy_noexec)
3873 +BTFIXUPDEF_INT(page_readonly_noexec)
3876 BTFIXUPDEF_INT(page_kernel)
3878 #define PMD_SHIFT SUN4C_PMD_SHIFT
3879 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3880 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3881 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3883 +#ifdef CONFIG_PAX_PAGEEXEC
3884 +extern pgprot_t PAGE_SHARED_NOEXEC;
3885 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3886 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3888 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
3889 +# define PAGE_COPY_NOEXEC PAGE_COPY
3890 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
3893 extern unsigned long page_kernel;
3896 diff -urNp linux-2.6.38.6/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.38.6/arch/sparc/include/asm/pgtsrmmu.h
3897 --- linux-2.6.38.6/arch/sparc/include/asm/pgtsrmmu.h 2011-03-14 21:20:32.000000000 -0400
3898 +++ linux-2.6.38.6/arch/sparc/include/asm/pgtsrmmu.h 2011-04-28 19:34:14.000000000 -0400
3899 @@ -115,6 +115,13 @@
3900 SRMMU_EXEC | SRMMU_REF)
3901 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3902 SRMMU_EXEC | SRMMU_REF)
3904 +#ifdef CONFIG_PAX_PAGEEXEC
3905 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3906 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3907 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3910 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3911 SRMMU_DIRTY | SRMMU_REF)
3913 diff -urNp linux-2.6.38.6/arch/sparc/include/asm/spinlock_64.h linux-2.6.38.6/arch/sparc/include/asm/spinlock_64.h
3914 --- linux-2.6.38.6/arch/sparc/include/asm/spinlock_64.h 2011-03-14 21:20:32.000000000 -0400
3915 +++ linux-2.6.38.6/arch/sparc/include/asm/spinlock_64.h 2011-04-28 19:57:25.000000000 -0400
3916 @@ -92,14 +92,19 @@ static inline void arch_spin_lock_flags(
3918 /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
3920 -static void inline arch_read_lock(arch_rwlock_t *lock)
3921 +static inline void arch_read_lock(arch_rwlock_t *lock)
3923 unsigned long tmp1, tmp2;
3925 __asm__ __volatile__ (
3926 "1: ldsw [%2], %0\n"
3928 -"4: add %0, 1, %1\n"
3929 +"4: addcc %0, 1, %1\n"
3931 +#ifdef CONFIG_PAX_REFCOUNT
3935 " cas [%2], %0, %1\n"
3937 " bne,pn %%icc, 1b\n"
3938 @@ -112,10 +117,10 @@ static void inline arch_read_lock(arch_r
3940 : "=&r" (tmp1), "=&r" (tmp2)
3943 + : "memory", "cc");
3946 -static int inline arch_read_trylock(arch_rwlock_t *lock)
3947 +static inline int arch_read_trylock(arch_rwlock_t *lock)
3951 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
3952 "1: ldsw [%2], %0\n"
3953 " brlz,a,pn %0, 2f\n"
3956 +" addcc %0, 1, %1\n"
3958 +#ifdef CONFIG_PAX_REFCOUNT
3962 " cas [%2], %0, %1\n"
3964 " bne,pn %%icc, 1b\n"
3965 @@ -136,13 +146,18 @@ static int inline arch_read_trylock(arch
3969 -static void inline arch_read_unlock(arch_rwlock_t *lock)
3970 +static inline void arch_read_unlock(arch_rwlock_t *lock)
3972 unsigned long tmp1, tmp2;
3974 __asm__ __volatile__(
3975 "1: lduw [%2], %0\n"
3977 +" subcc %0, 1, %1\n"
3979 +#ifdef CONFIG_PAX_REFCOUNT
3983 " cas [%2], %0, %1\n"
3985 " bne,pn %%xcc, 1b\n"
3986 @@ -152,7 +167,7 @@ static void inline arch_read_unlock(arch
3990 -static void inline arch_write_lock(arch_rwlock_t *lock)
3991 +static inline void arch_write_lock(arch_rwlock_t *lock)
3993 unsigned long mask, tmp1, tmp2;
3995 @@ -177,7 +192,7 @@ static void inline arch_write_lock(arch_
3999 -static void inline arch_write_unlock(arch_rwlock_t *lock)
4000 +static inline void arch_write_unlock(arch_rwlock_t *lock)
4002 __asm__ __volatile__(
4004 @@ -186,7 +201,7 @@ static void inline arch_write_unlock(arc
4008 -static int inline arch_write_trylock(arch_rwlock_t *lock)
4009 +static inline int arch_write_trylock(arch_rwlock_t *lock)
4011 unsigned long mask, tmp1, tmp2, result;
4013 diff -urNp linux-2.6.38.6/arch/sparc/include/asm/uaccess_32.h linux-2.6.38.6/arch/sparc/include/asm/uaccess_32.h
4014 --- linux-2.6.38.6/arch/sparc/include/asm/uaccess_32.h 2011-03-14 21:20:32.000000000 -0400
4015 +++ linux-2.6.38.6/arch/sparc/include/asm/uaccess_32.h 2011-04-28 19:34:14.000000000 -0400
4016 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
4018 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
4020 - if (n && __access_ok((unsigned long) to, n))
4024 + if (n && __access_ok((unsigned long) to, n)) {
4025 + if (!__builtin_constant_p(n))
4026 + check_object_size(from, n, true);
4027 return __copy_user(to, (__force void __user *) from, n);
4033 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
4038 + if (!__builtin_constant_p(n))
4039 + check_object_size(from, n, true);
4041 return __copy_user(to, (__force void __user *) from, n);
4044 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
4046 - if (n && __access_ok((unsigned long) from, n))
4050 + if (n && __access_ok((unsigned long) from, n)) {
4051 + if (!__builtin_constant_p(n))
4052 + check_object_size(to, n, false);
4053 return __copy_user((__force void __user *) to, from, n);
4059 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
4064 return __copy_user((__force void __user *) to, from, n);
4067 diff -urNp linux-2.6.38.6/arch/sparc/include/asm/uaccess_64.h linux-2.6.38.6/arch/sparc/include/asm/uaccess_64.h
4068 --- linux-2.6.38.6/arch/sparc/include/asm/uaccess_64.h 2011-03-14 21:20:32.000000000 -0400
4069 +++ linux-2.6.38.6/arch/sparc/include/asm/uaccess_64.h 2011-04-28 19:34:14.000000000 -0400
4071 #include <linux/compiler.h>
4072 #include <linux/string.h>
4073 #include <linux/thread_info.h>
4074 +#include <linux/kernel.h>
4075 #include <asm/asi.h>
4076 #include <asm/system.h>
4077 #include <asm/spitfire.h>
4078 @@ -213,8 +214,15 @@ extern unsigned long copy_from_user_fixu
4079 static inline unsigned long __must_check
4080 copy_from_user(void *to, const void __user *from, unsigned long size)
4082 - unsigned long ret = ___copy_from_user(to, from, size);
4083 + unsigned long ret;
4085 + if ((long)size < 0 || size > INT_MAX)
4088 + if (!__builtin_constant_p(size))
4089 + check_object_size(to, size, false);
4091 + ret = ___copy_from_user(to, from, size);
4093 ret = copy_from_user_fixup(to, from, size);
4095 @@ -230,8 +238,15 @@ extern unsigned long copy_to_user_fixup(
4096 static inline unsigned long __must_check
4097 copy_to_user(void __user *to, const void *from, unsigned long size)
4099 - unsigned long ret = ___copy_to_user(to, from, size);
4100 + unsigned long ret;
4102 + if ((long)size < 0 || size > INT_MAX)
4105 + if (!__builtin_constant_p(size))
4106 + check_object_size(from, size, true);
4108 + ret = ___copy_to_user(to, from, size);
4110 ret = copy_to_user_fixup(to, from, size);
4112 diff -urNp linux-2.6.38.6/arch/sparc/include/asm/uaccess.h linux-2.6.38.6/arch/sparc/include/asm/uaccess.h
4113 --- linux-2.6.38.6/arch/sparc/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
4114 +++ linux-2.6.38.6/arch/sparc/include/asm/uaccess.h 2011-04-28 19:34:14.000000000 -0400
4116 #ifndef ___ASM_SPARC_UACCESS_H
4117 #define ___ASM_SPARC_UACCESS_H
4120 +#ifndef __ASSEMBLY__
4121 +#include <linux/types.h>
4122 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
4126 #if defined(__sparc__) && defined(__arch64__)
4127 #include <asm/uaccess_64.h>
4129 diff -urNp linux-2.6.38.6/arch/sparc/kernel/iommu.c linux-2.6.38.6/arch/sparc/kernel/iommu.c
4130 --- linux-2.6.38.6/arch/sparc/kernel/iommu.c 2011-04-22 19:20:59.000000000 -0400
4131 +++ linux-2.6.38.6/arch/sparc/kernel/iommu.c 2011-04-28 19:34:14.000000000 -0400
4132 @@ -824,7 +824,7 @@ static void dma_4u_sync_sg_for_cpu(struc
4133 spin_unlock_irqrestore(&iommu->lock, flags);
4136 -static struct dma_map_ops sun4u_dma_ops = {
4137 +static const struct dma_map_ops sun4u_dma_ops = {
4138 .alloc_coherent = dma_4u_alloc_coherent,
4139 .free_coherent = dma_4u_free_coherent,
4140 .map_page = dma_4u_map_page,
4141 @@ -835,7 +835,7 @@ static struct dma_map_ops sun4u_dma_ops
4142 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
4145 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4146 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4147 EXPORT_SYMBOL(dma_ops);
4149 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
4150 diff -urNp linux-2.6.38.6/arch/sparc/kernel/ioport.c linux-2.6.38.6/arch/sparc/kernel/ioport.c
4151 --- linux-2.6.38.6/arch/sparc/kernel/ioport.c 2011-03-14 21:20:32.000000000 -0400
4152 +++ linux-2.6.38.6/arch/sparc/kernel/ioport.c 2011-04-28 19:34:14.000000000 -0400
4153 @@ -397,7 +397,7 @@ static void sbus_sync_sg_for_device(stru
4157 -struct dma_map_ops sbus_dma_ops = {
4158 +const struct dma_map_ops sbus_dma_ops = {
4159 .alloc_coherent = sbus_alloc_coherent,
4160 .free_coherent = sbus_free_coherent,
4161 .map_page = sbus_map_page,
4162 @@ -408,7 +408,7 @@ struct dma_map_ops sbus_dma_ops = {
4163 .sync_sg_for_device = sbus_sync_sg_for_device,
4166 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
4167 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
4168 EXPORT_SYMBOL(dma_ops);
4170 static int __init sparc_register_ioport(void)
4171 @@ -645,7 +645,7 @@ static void pci32_sync_sg_for_device(str
4175 -struct dma_map_ops pci32_dma_ops = {
4176 +const struct dma_map_ops pci32_dma_ops = {
4177 .alloc_coherent = pci32_alloc_coherent,
4178 .free_coherent = pci32_free_coherent,
4179 .map_page = pci32_map_page,
4180 diff -urNp linux-2.6.38.6/arch/sparc/kernel/kgdb_32.c linux-2.6.38.6/arch/sparc/kernel/kgdb_32.c
4181 --- linux-2.6.38.6/arch/sparc/kernel/kgdb_32.c 2011-03-14 21:20:32.000000000 -0400
4182 +++ linux-2.6.38.6/arch/sparc/kernel/kgdb_32.c 2011-04-28 19:34:14.000000000 -0400
4183 @@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
4184 regs->npc = regs->pc + 4;
4187 -struct kgdb_arch arch_kgdb_ops = {
4188 +const struct kgdb_arch arch_kgdb_ops = {
4189 /* Breakpoint instruction: ta 0x7d */
4190 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
4192 diff -urNp linux-2.6.38.6/arch/sparc/kernel/kgdb_64.c linux-2.6.38.6/arch/sparc/kernel/kgdb_64.c
4193 --- linux-2.6.38.6/arch/sparc/kernel/kgdb_64.c 2011-03-14 21:20:32.000000000 -0400
4194 +++ linux-2.6.38.6/arch/sparc/kernel/kgdb_64.c 2011-04-28 19:34:14.000000000 -0400
4195 @@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
4196 regs->tnpc = regs->tpc + 4;
4199 -struct kgdb_arch arch_kgdb_ops = {
4200 +const struct kgdb_arch arch_kgdb_ops = {
4201 /* Breakpoint instruction: ta 0x72 */
4202 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
4204 diff -urNp linux-2.6.38.6/arch/sparc/kernel/Makefile linux-2.6.38.6/arch/sparc/kernel/Makefile
4205 --- linux-2.6.38.6/arch/sparc/kernel/Makefile 2011-03-14 21:20:32.000000000 -0400
4206 +++ linux-2.6.38.6/arch/sparc/kernel/Makefile 2011-04-28 19:34:14.000000000 -0400
4211 -ccflags-y := -Werror
4212 +#ccflags-y := -Werror
4214 extra-y := head_$(BITS).o
4215 extra-y += init_task.o
4216 diff -urNp linux-2.6.38.6/arch/sparc/kernel/pci_sun4v.c linux-2.6.38.6/arch/sparc/kernel/pci_sun4v.c
4217 --- linux-2.6.38.6/arch/sparc/kernel/pci_sun4v.c 2011-04-22 19:20:59.000000000 -0400
4218 +++ linux-2.6.38.6/arch/sparc/kernel/pci_sun4v.c 2011-04-28 19:34:14.000000000 -0400
4219 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
4220 spin_unlock_irqrestore(&iommu->lock, flags);
4223 -static struct dma_map_ops sun4v_dma_ops = {
4224 +static const struct dma_map_ops sun4v_dma_ops = {
4225 .alloc_coherent = dma_4v_alloc_coherent,
4226 .free_coherent = dma_4v_free_coherent,
4227 .map_page = dma_4v_map_page,
4228 diff -urNp linux-2.6.38.6/arch/sparc/kernel/process_32.c linux-2.6.38.6/arch/sparc/kernel/process_32.c
4229 --- linux-2.6.38.6/arch/sparc/kernel/process_32.c 2011-03-14 21:20:32.000000000 -0400
4230 +++ linux-2.6.38.6/arch/sparc/kernel/process_32.c 2011-04-28 19:34:14.000000000 -0400
4231 @@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
4232 rw->ins[4], rw->ins[5],
4235 - printk("%pS\n", (void *) rw->ins[7]);
4236 + printk("%pA\n", (void *) rw->ins[7]);
4237 rw = (struct reg_window32 *) rw->ins[6];
4239 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
4240 @@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
4242 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
4243 r->psr, r->pc, r->npc, r->y, print_tainted());
4244 - printk("PC: <%pS>\n", (void *) r->pc);
4245 + printk("PC: <%pA>\n", (void *) r->pc);
4246 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4247 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
4248 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
4249 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4250 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
4251 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
4252 - printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
4253 + printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
4255 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4256 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
4257 @@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
4258 rw = (struct reg_window32 *) fp;
4260 printk("[%08lx : ", pc);
4261 - printk("%pS ] ", (void *) pc);
4262 + printk("%pA ] ", (void *) pc);
4264 } while (++count < 16);
4266 diff -urNp linux-2.6.38.6/arch/sparc/kernel/process_64.c linux-2.6.38.6/arch/sparc/kernel/process_64.c
4267 --- linux-2.6.38.6/arch/sparc/kernel/process_64.c 2011-03-14 21:20:32.000000000 -0400
4268 +++ linux-2.6.38.6/arch/sparc/kernel/process_64.c 2011-04-28 19:34:14.000000000 -0400
4269 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
4270 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
4271 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
4272 if (regs->tstate & TSTATE_PRIV)
4273 - printk("I7: <%pS>\n", (void *) rwk->ins[7]);
4274 + printk("I7: <%pA>\n", (void *) rwk->ins[7]);
4277 void show_regs(struct pt_regs *regs)
4279 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
4280 regs->tpc, regs->tnpc, regs->y, print_tainted());
4281 - printk("TPC: <%pS>\n", (void *) regs->tpc);
4282 + printk("TPC: <%pA>\n", (void *) regs->tpc);
4283 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
4284 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
4286 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
4287 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
4288 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
4290 - printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
4291 + printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
4292 show_regwindow(regs);
4293 show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
4295 @@ -285,7 +285,7 @@ void arch_trigger_all_cpu_backtrace(void
4296 ((tp && tp->task) ? tp->task->pid : -1));
4298 if (gp->tstate & TSTATE_PRIV) {
4299 - printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
4300 + printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
4304 diff -urNp linux-2.6.38.6/arch/sparc/kernel/sys_sparc_32.c linux-2.6.38.6/arch/sparc/kernel/sys_sparc_32.c
4305 --- linux-2.6.38.6/arch/sparc/kernel/sys_sparc_32.c 2011-03-14 21:20:32.000000000 -0400
4306 +++ linux-2.6.38.6/arch/sparc/kernel/sys_sparc_32.c 2011-04-28 19:34:14.000000000 -0400
4307 @@ -56,7 +56,7 @@ unsigned long arch_get_unmapped_area(str
4308 if (ARCH_SUN4C && len > 0x20000000)
4311 - addr = TASK_UNMAPPED_BASE;
4312 + addr = current->mm->mmap_base;
4314 if (flags & MAP_SHARED)
4315 addr = COLOUR_ALIGN(addr);
4316 @@ -71,7 +71,7 @@ unsigned long arch_get_unmapped_area(str
4318 if (TASK_SIZE - PAGE_SIZE - len < addr)
4320 - if (!vmm || addr + len <= vmm->vm_start)
4321 + if (check_heap_stack_gap(vmm, addr, len))
4324 if (flags & MAP_SHARED)
4325 diff -urNp linux-2.6.38.6/arch/sparc/kernel/sys_sparc_64.c linux-2.6.38.6/arch/sparc/kernel/sys_sparc_64.c
4326 --- linux-2.6.38.6/arch/sparc/kernel/sys_sparc_64.c 2011-03-14 21:20:32.000000000 -0400
4327 +++ linux-2.6.38.6/arch/sparc/kernel/sys_sparc_64.c 2011-04-28 19:34:14.000000000 -0400
4328 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
4329 /* We do not accept a shared mapping if it would violate
4330 * cache aliasing constraints.
4332 - if ((flags & MAP_SHARED) &&
4333 + if ((filp || (flags & MAP_SHARED)) &&
4334 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4337 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
4338 if (filp || (flags & MAP_SHARED))
4341 +#ifdef CONFIG_PAX_RANDMMAP
4342 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4347 addr = COLOUR_ALIGN(addr, pgoff);
4348 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
4349 addr = PAGE_ALIGN(addr);
4351 vma = find_vma(mm, addr);
4352 - if (task_size - len >= addr &&
4353 - (!vma || addr + len <= vma->vm_start))
4354 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4358 if (len > mm->cached_hole_size) {
4359 - start_addr = addr = mm->free_area_cache;
4360 + start_addr = addr = mm->free_area_cache;
4362 - start_addr = addr = TASK_UNMAPPED_BASE;
4363 + start_addr = addr = mm->mmap_base;
4364 mm->cached_hole_size = 0;
4367 @@ -174,14 +177,14 @@ full_search:
4368 vma = find_vma(mm, VA_EXCLUDE_END);
4370 if (unlikely(task_size < addr)) {
4371 - if (start_addr != TASK_UNMAPPED_BASE) {
4372 - start_addr = addr = TASK_UNMAPPED_BASE;
4373 + if (start_addr != mm->mmap_base) {
4374 + start_addr = addr = mm->mmap_base;
4375 mm->cached_hole_size = 0;
4380 - if (likely(!vma || addr + len <= vma->vm_start)) {
4381 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4383 * Remember the place where we stopped the search:
4385 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
4386 /* We do not accept a shared mapping if it would violate
4387 * cache aliasing constraints.
4389 - if ((flags & MAP_SHARED) &&
4390 + if ((filp || (flags & MAP_SHARED)) &&
4391 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4394 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
4395 addr = PAGE_ALIGN(addr);
4397 vma = find_vma(mm, addr);
4398 - if (task_size - len >= addr &&
4399 - (!vma || addr + len <= vma->vm_start))
4400 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4404 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
4405 /* make sure it can fit in the remaining address space */
4406 if (likely(addr > len)) {
4407 vma = find_vma(mm, addr-len);
4408 - if (!vma || addr <= vma->vm_start) {
4409 + if (check_heap_stack_gap(vma, addr - len, len)) {
4410 /* remember the address as a hint for next time */
4411 return (mm->free_area_cache = addr-len);
4413 @@ -267,18 +269,18 @@ arch_get_unmapped_area_topdown(struct fi
4414 if (unlikely(mm->mmap_base < len))
4417 - addr = mm->mmap_base-len;
4418 - if (do_color_align)
4419 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4420 + addr = mm->mmap_base - len;
4423 + if (do_color_align)
4424 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4426 * Lookup failure means no vma is above this address,
4427 * else if new region fits below vma->vm_start,
4428 * return with success:
4430 vma = find_vma(mm, addr);
4431 - if (likely(!vma || addr+len <= vma->vm_start)) {
4432 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4433 /* remember the address as a hint for next time */
4434 return (mm->free_area_cache = addr);
4436 @@ -288,10 +290,8 @@ arch_get_unmapped_area_topdown(struct fi
4437 mm->cached_hole_size = vma->vm_start - addr;
4439 /* try just below the current vma->vm_start */
4440 - addr = vma->vm_start-len;
4441 - if (do_color_align)
4442 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4443 - } while (likely(len < vma->vm_start));
4444 + addr = skip_heap_stack_gap(vma, len);
4445 + } while (!IS_ERR_VALUE(addr));
4449 @@ -385,6 +385,12 @@ void arch_pick_mmap_layout(struct mm_str
4450 gap == RLIM_INFINITY ||
4451 sysctl_legacy_va_layout) {
4452 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4454 +#ifdef CONFIG_PAX_RANDMMAP
4455 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4456 + mm->mmap_base += mm->delta_mmap;
4459 mm->get_unmapped_area = arch_get_unmapped_area;
4460 mm->unmap_area = arch_unmap_area;
4462 @@ -397,6 +403,12 @@ void arch_pick_mmap_layout(struct mm_str
4463 gap = (task_size / 6 * 5);
4465 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4467 +#ifdef CONFIG_PAX_RANDMMAP
4468 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4469 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4472 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4473 mm->unmap_area = arch_unmap_area_topdown;
4475 diff -urNp linux-2.6.38.6/arch/sparc/kernel/traps_32.c linux-2.6.38.6/arch/sparc/kernel/traps_32.c
4476 --- linux-2.6.38.6/arch/sparc/kernel/traps_32.c 2011-03-14 21:20:32.000000000 -0400
4477 +++ linux-2.6.38.6/arch/sparc/kernel/traps_32.c 2011-04-28 19:34:14.000000000 -0400
4478 @@ -76,7 +76,7 @@ void die_if_kernel(char *str, struct pt_
4480 (((unsigned long) rw) >= PAGE_OFFSET) &&
4481 !(((unsigned long) rw) & 0x7)) {
4482 - printk("Caller[%08lx]: %pS\n", rw->ins[7],
4483 + printk("Caller[%08lx]: %pA\n", rw->ins[7],
4484 (void *) rw->ins[7]);
4485 rw = (struct reg_window32 *)rw->ins[6];
4487 diff -urNp linux-2.6.38.6/arch/sparc/kernel/traps_64.c linux-2.6.38.6/arch/sparc/kernel/traps_64.c
4488 --- linux-2.6.38.6/arch/sparc/kernel/traps_64.c 2011-04-22 19:20:59.000000000 -0400
4489 +++ linux-2.6.38.6/arch/sparc/kernel/traps_64.c 2011-04-28 19:34:14.000000000 -0400
4490 @@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_
4492 p->trapstack[i].tstate, p->trapstack[i].tpc,
4493 p->trapstack[i].tnpc, p->trapstack[i].tt);
4494 - printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
4495 + printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
4499 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
4502 if (regs->tstate & TSTATE_PRIV) {
4504 +#ifdef CONFIG_PAX_REFCOUNT
4506 + pax_report_refcount_overflow(regs);
4509 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4510 die_if_kernel(buffer, regs);
4512 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
4513 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4518 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4519 0, lvl, SIGTRAP) == NOTIFY_STOP)
4522 +#ifdef CONFIG_PAX_REFCOUNT
4524 + pax_report_refcount_overflow(regs);
4527 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4529 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
4530 @@ -1141,7 +1152,7 @@ static void cheetah_log_errors(struct pt
4531 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
4532 printk("%s" "ERROR(%d): ",
4533 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
4534 - printk("TPC<%pS>\n", (void *) regs->tpc);
4535 + printk("TPC<%pA>\n", (void *) regs->tpc);
4536 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
4537 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
4538 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
4539 @@ -1748,7 +1759,7 @@ void cheetah_plus_parity_error(int type,
4541 (type & 0x1) ? 'I' : 'D',
4543 - printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
4544 + printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
4545 panic("Irrecoverable Cheetah+ parity error.");
4548 @@ -1756,7 +1767,7 @@ void cheetah_plus_parity_error(int type,
4550 (type & 0x1) ? 'I' : 'D',
4552 - printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
4553 + printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
4556 struct sun4v_error_entry {
4557 @@ -1963,9 +1974,9 @@ void sun4v_itlb_error_report(struct pt_r
4559 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
4561 - printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
4562 + printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
4563 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4564 - printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
4565 + printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
4566 (void *) regs->u_regs[UREG_I7]);
4567 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
4568 "pte[%lx] error[%lx]\n",
4569 @@ -1987,9 +1998,9 @@ void sun4v_dtlb_error_report(struct pt_r
4571 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
4573 - printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
4574 + printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
4575 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4576 - printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
4577 + printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
4578 (void *) regs->u_regs[UREG_I7]);
4579 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
4580 "pte[%lx] error[%lx]\n",
4581 @@ -2195,13 +2206,13 @@ void show_stack(struct task_struct *tsk,
4582 fp = (unsigned long)sf->fp + STACK_BIAS;
4585 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4586 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4587 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
4588 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
4589 int index = tsk->curr_ret_stack;
4590 if (tsk->ret_stack && index >= graph) {
4591 pc = tsk->ret_stack[index - graph].ret;
4592 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4593 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4597 @@ -2254,7 +2265,7 @@ void die_if_kernel(char *str, struct pt_
4600 kstack_valid(tp, (unsigned long) rw)) {
4601 - printk("Caller[%016lx]: %pS\n", rw->ins[7],
4602 + printk("Caller[%016lx]: %pA\n", rw->ins[7],
4603 (void *) rw->ins[7]);
4605 rw = kernel_stack_up(rw);
4606 diff -urNp linux-2.6.38.6/arch/sparc/kernel/unaligned_64.c linux-2.6.38.6/arch/sparc/kernel/unaligned_64.c
4607 --- linux-2.6.38.6/arch/sparc/kernel/unaligned_64.c 2011-03-14 21:20:32.000000000 -0400
4608 +++ linux-2.6.38.6/arch/sparc/kernel/unaligned_64.c 2011-04-28 19:34:14.000000000 -0400
4609 @@ -278,7 +278,7 @@ static void log_unaligned(struct pt_regs
4610 static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
4612 if (__ratelimit(&ratelimit)) {
4613 - printk("Kernel unaligned access at TPC[%lx] %pS\n",
4614 + printk("Kernel unaligned access at TPC[%lx] %pA\n",
4615 regs->tpc, (void *) regs->tpc);
4618 diff -urNp linux-2.6.38.6/arch/sparc/lib/atomic_64.S linux-2.6.38.6/arch/sparc/lib/atomic_64.S
4619 --- linux-2.6.38.6/arch/sparc/lib/atomic_64.S 2011-03-14 21:20:32.000000000 -0400
4620 +++ linux-2.6.38.6/arch/sparc/lib/atomic_64.S 2011-04-28 19:34:14.000000000 -0400
4622 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4626 + addcc %g1, %o0, %g7
4628 +#ifdef CONFIG_PAX_REFCOUNT
4634 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4635 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4636 2: BACKOFF_SPIN(%o2, %o3, 1b)
4637 .size atomic_add, .-atomic_add
4639 + .globl atomic_add_unchecked
4640 + .type atomic_add_unchecked,#function
4641 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4642 + BACKOFF_SETUP(%o2)
4645 + cas [%o1], %g1, %g7
4651 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4652 + .size atomic_add_unchecked, .-atomic_add_unchecked
4655 .type atomic_sub,#function
4656 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4660 + subcc %g1, %o0, %g7
4662 +#ifdef CONFIG_PAX_REFCOUNT
4668 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4669 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4670 2: BACKOFF_SPIN(%o2, %o3, 1b)
4671 .size atomic_sub, .-atomic_sub
4673 + .globl atomic_sub_unchecked
4674 + .type atomic_sub_unchecked,#function
4675 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4676 + BACKOFF_SETUP(%o2)
4679 + cas [%o1], %g1, %g7
4685 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4686 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
4688 .globl atomic_add_ret
4689 .type atomic_add_ret,#function
4690 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4694 + addcc %g1, %o0, %g7
4696 +#ifdef CONFIG_PAX_REFCOUNT
4702 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4703 @@ -58,12 +103,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4704 2: BACKOFF_SPIN(%o2, %o3, 1b)
4705 .size atomic_add_ret, .-atomic_add_ret
4707 + .globl atomic_add_ret_unchecked
4708 + .type atomic_add_ret_unchecked,#function
4709 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4710 + BACKOFF_SETUP(%o2)
4712 + addcc %g1, %o0, %g7
4713 + cas [%o1], %g1, %g7
4720 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4721 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4723 .globl atomic_sub_ret
4724 .type atomic_sub_ret,#function
4725 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4729 + subcc %g1, %o0, %g7
4731 +#ifdef CONFIG_PAX_REFCOUNT
4737 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4738 @@ -78,7 +144,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
4739 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4743 + addcc %g1, %o0, %g7
4745 +#ifdef CONFIG_PAX_REFCOUNT
4749 casx [%o1], %g1, %g7
4751 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4752 @@ -88,12 +159,32 @@ atomic64_add: /* %o0 = increment, %o1 =
4753 2: BACKOFF_SPIN(%o2, %o3, 1b)
4754 .size atomic64_add, .-atomic64_add
4756 + .globl atomic64_add_unchecked
4757 + .type atomic64_add_unchecked,#function
4758 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4759 + BACKOFF_SETUP(%o2)
4761 + addcc %g1, %o0, %g7
4762 + casx [%o1], %g1, %g7
4768 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4769 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
4772 .type atomic64_sub,#function
4773 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4777 + subcc %g1, %o0, %g7
4779 +#ifdef CONFIG_PAX_REFCOUNT
4783 casx [%o1], %g1, %g7
4785 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4786 @@ -103,12 +194,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
4787 2: BACKOFF_SPIN(%o2, %o3, 1b)
4788 .size atomic64_sub, .-atomic64_sub
4790 + .globl atomic64_sub_unchecked
4791 + .type atomic64_sub_unchecked,#function
4792 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4793 + BACKOFF_SETUP(%o2)
4795 + subcc %g1, %o0, %g7
4796 + casx [%o1], %g1, %g7
4802 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4803 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
4805 .globl atomic64_add_ret
4806 .type atomic64_add_ret,#function
4807 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4811 + addcc %g1, %o0, %g7
4813 +#ifdef CONFIG_PAX_REFCOUNT
4817 casx [%o1], %g1, %g7
4819 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4820 @@ -118,12 +229,33 @@ atomic64_add_ret: /* %o0 = increment, %o
4821 2: BACKOFF_SPIN(%o2, %o3, 1b)
4822 .size atomic64_add_ret, .-atomic64_add_ret
4824 + .globl atomic64_add_ret_unchecked
4825 + .type atomic64_add_ret_unchecked,#function
4826 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4827 + BACKOFF_SETUP(%o2)
4829 + addcc %g1, %o0, %g7
4830 + casx [%o1], %g1, %g7
4837 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4838 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4840 .globl atomic64_sub_ret
4841 .type atomic64_sub_ret,#function
4842 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4846 + subcc %g1, %o0, %g7
4848 +#ifdef CONFIG_PAX_REFCOUNT
4852 casx [%o1], %g1, %g7
4854 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4855 diff -urNp linux-2.6.38.6/arch/sparc/lib/ksyms.c linux-2.6.38.6/arch/sparc/lib/ksyms.c
4856 --- linux-2.6.38.6/arch/sparc/lib/ksyms.c 2011-03-14 21:20:32.000000000 -0400
4857 +++ linux-2.6.38.6/arch/sparc/lib/ksyms.c 2011-04-28 19:34:14.000000000 -0400
4858 @@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write);
4860 /* Atomic counter implementation. */
4861 EXPORT_SYMBOL(atomic_add);
4862 +EXPORT_SYMBOL(atomic_add_unchecked);
4863 EXPORT_SYMBOL(atomic_add_ret);
4864 EXPORT_SYMBOL(atomic_sub);
4865 +EXPORT_SYMBOL(atomic_sub_unchecked);
4866 EXPORT_SYMBOL(atomic_sub_ret);
4867 EXPORT_SYMBOL(atomic64_add);
4868 +EXPORT_SYMBOL(atomic64_add_unchecked);
4869 EXPORT_SYMBOL(atomic64_add_ret);
4870 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
4871 EXPORT_SYMBOL(atomic64_sub);
4872 +EXPORT_SYMBOL(atomic64_sub_unchecked);
4873 EXPORT_SYMBOL(atomic64_sub_ret);
4875 /* Atomic bit operations. */
4876 diff -urNp linux-2.6.38.6/arch/sparc/lib/Makefile linux-2.6.38.6/arch/sparc/lib/Makefile
4877 --- linux-2.6.38.6/arch/sparc/lib/Makefile 2011-03-14 21:20:32.000000000 -0400
4878 +++ linux-2.6.38.6/arch/sparc/lib/Makefile 2011-05-17 19:31:43.000000000 -0400
4882 asflags-y := -ansi -DST_DIV0=0x02
4883 -ccflags-y := -Werror
4884 +#ccflags-y := -Werror
4886 lib-$(CONFIG_SPARC32) += mul.o rem.o sdiv.o udiv.o umul.o urem.o ashrdi3.o
4887 lib-$(CONFIG_SPARC32) += memcpy.o memset.o
4888 diff -urNp linux-2.6.38.6/arch/sparc/Makefile linux-2.6.38.6/arch/sparc/Makefile
4889 --- linux-2.6.38.6/arch/sparc/Makefile 2011-03-14 21:20:32.000000000 -0400
4890 +++ linux-2.6.38.6/arch/sparc/Makefile 2011-04-28 19:34:14.000000000 -0400
4891 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
4892 # Export what is needed by arch/sparc/boot/Makefile
4893 export VMLINUX_INIT VMLINUX_MAIN
4894 VMLINUX_INIT := $(head-y) $(init-y)
4895 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4896 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4897 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4898 VMLINUX_MAIN += $(drivers-y) $(net-y)
4900 diff -urNp linux-2.6.38.6/arch/sparc/mm/fault_32.c linux-2.6.38.6/arch/sparc/mm/fault_32.c
4901 --- linux-2.6.38.6/arch/sparc/mm/fault_32.c 2011-04-22 19:20:59.000000000 -0400
4902 +++ linux-2.6.38.6/arch/sparc/mm/fault_32.c 2011-04-28 19:34:14.000000000 -0400
4904 #include <linux/interrupt.h>
4905 #include <linux/module.h>
4906 #include <linux/kdebug.h>
4907 +#include <linux/slab.h>
4908 +#include <linux/pagemap.h>
4909 +#include <linux/compiler.h>
4911 #include <asm/system.h>
4912 #include <asm/page.h>
4913 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
4914 return safe_compute_effective_address(regs, insn);
4917 +#ifdef CONFIG_PAX_PAGEEXEC
4918 +#ifdef CONFIG_PAX_DLRESOLVE
4919 +static void pax_emuplt_close(struct vm_area_struct *vma)
4921 + vma->vm_mm->call_dl_resolve = 0UL;
4924 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4926 + unsigned int *kaddr;
4928 + vmf->page = alloc_page(GFP_HIGHUSER);
4930 + return VM_FAULT_OOM;
4932 + kaddr = kmap(vmf->page);
4933 + memset(kaddr, 0, PAGE_SIZE);
4934 + kaddr[0] = 0x9DE3BFA8U; /* save */
4935 + flush_dcache_page(vmf->page);
4936 + kunmap(vmf->page);
4937 + return VM_FAULT_MAJOR;
4940 +static const struct vm_operations_struct pax_vm_ops = {
4941 + .close = pax_emuplt_close,
4942 + .fault = pax_emuplt_fault
4945 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4949 + INIT_LIST_HEAD(&vma->anon_vma_chain);
4950 + vma->vm_mm = current->mm;
4951 + vma->vm_start = addr;
4952 + vma->vm_end = addr + PAGE_SIZE;
4953 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4954 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4955 + vma->vm_ops = &pax_vm_ops;
4957 + ret = insert_vm_struct(current->mm, vma);
4961 + ++current->mm->total_vm;
4967 + * PaX: decide what to do with offenders (regs->pc = fault address)
4969 + * returns 1 when task should be killed
4970 + * 2 when patched PLT trampoline was detected
4971 + * 3 when unpatched PLT trampoline was detected
4973 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4976 +#ifdef CONFIG_PAX_EMUPLT
4979 + do { /* PaX: patched PLT emulation #1 */
4980 + unsigned int sethi1, sethi2, jmpl;
4982 + err = get_user(sethi1, (unsigned int *)regs->pc);
4983 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4984 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4989 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4990 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
4991 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
4993 + unsigned int addr;
4995 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4996 + addr = regs->u_regs[UREG_G1];
4997 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4999 + regs->npc = addr+4;
5004 + { /* PaX: patched PLT emulation #2 */
5007 + err = get_user(ba, (unsigned int *)regs->pc);
5009 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5010 + unsigned int addr;
5012 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
5014 + regs->npc = addr+4;
5019 + do { /* PaX: patched PLT emulation #3 */
5020 + unsigned int sethi, jmpl, nop;
5022 + err = get_user(sethi, (unsigned int *)regs->pc);
5023 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
5024 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
5029 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5030 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5031 + nop == 0x01000000U)
5033 + unsigned int addr;
5035 + addr = (sethi & 0x003FFFFFU) << 10;
5036 + regs->u_regs[UREG_G1] = addr;
5037 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5039 + regs->npc = addr+4;
5044 + do { /* PaX: unpatched PLT emulation step 1 */
5045 + unsigned int sethi, ba, nop;
5047 + err = get_user(sethi, (unsigned int *)regs->pc);
5048 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
5049 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
5054 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5055 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5056 + nop == 0x01000000U)
5058 + unsigned int addr, save, call;
5060 + if ((ba & 0xFFC00000U) == 0x30800000U)
5061 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
5063 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
5065 + err = get_user(save, (unsigned int *)addr);
5066 + err |= get_user(call, (unsigned int *)(addr+4));
5067 + err |= get_user(nop, (unsigned int *)(addr+8));
5071 +#ifdef CONFIG_PAX_DLRESOLVE
5072 + if (save == 0x9DE3BFA8U &&
5073 + (call & 0xC0000000U) == 0x40000000U &&
5074 + nop == 0x01000000U)
5076 + struct vm_area_struct *vma;
5077 + unsigned long call_dl_resolve;
5079 + down_read(¤t->mm->mmap_sem);
5080 + call_dl_resolve = current->mm->call_dl_resolve;
5081 + up_read(¤t->mm->mmap_sem);
5082 + if (likely(call_dl_resolve))
5085 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5087 + down_write(¤t->mm->mmap_sem);
5088 + if (current->mm->call_dl_resolve) {
5089 + call_dl_resolve = current->mm->call_dl_resolve;
5090 + up_write(¤t->mm->mmap_sem);
5092 + kmem_cache_free(vm_area_cachep, vma);
5096 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5097 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5098 + up_write(¤t->mm->mmap_sem);
5100 + kmem_cache_free(vm_area_cachep, vma);
5104 + if (pax_insert_vma(vma, call_dl_resolve)) {
5105 + up_write(¤t->mm->mmap_sem);
5106 + kmem_cache_free(vm_area_cachep, vma);
5110 + current->mm->call_dl_resolve = call_dl_resolve;
5111 + up_write(¤t->mm->mmap_sem);
5114 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5115 + regs->pc = call_dl_resolve;
5116 + regs->npc = addr+4;
5121 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5122 + if ((save & 0xFFC00000U) == 0x05000000U &&
5123 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5124 + nop == 0x01000000U)
5126 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5127 + regs->u_regs[UREG_G2] = addr + 4;
5128 + addr = (save & 0x003FFFFFU) << 10;
5129 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5131 + regs->npc = addr+4;
5137 + do { /* PaX: unpatched PLT emulation step 2 */
5138 + unsigned int save, call, nop;
5140 + err = get_user(save, (unsigned int *)(regs->pc-4));
5141 + err |= get_user(call, (unsigned int *)regs->pc);
5142 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
5146 + if (save == 0x9DE3BFA8U &&
5147 + (call & 0xC0000000U) == 0x40000000U &&
5148 + nop == 0x01000000U)
5150 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
5152 + regs->u_regs[UREG_RETPC] = regs->pc;
5153 + regs->pc = dl_resolve;
5154 + regs->npc = dl_resolve+4;
5163 +void pax_report_insns(void *pc, void *sp)
5167 + printk(KERN_ERR "PAX: bytes at PC: ");
5168 + for (i = 0; i < 8; i++) {
5170 + if (get_user(c, (unsigned int *)pc+i))
5171 + printk(KERN_CONT "???????? ");
5173 + printk(KERN_CONT "%08x ", c);
5179 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
5182 @@ -281,6 +546,24 @@ good_area:
5183 if(!(vma->vm_flags & VM_WRITE))
5187 +#ifdef CONFIG_PAX_PAGEEXEC
5188 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
5189 + up_read(&mm->mmap_sem);
5190 + switch (pax_handle_fetch_fault(regs)) {
5192 +#ifdef CONFIG_PAX_EMUPLT
5199 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
5200 + do_group_exit(SIGKILL);
5204 /* Allow reads even for write-only mappings */
5205 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
5207 diff -urNp linux-2.6.38.6/arch/sparc/mm/fault_64.c linux-2.6.38.6/arch/sparc/mm/fault_64.c
5208 --- linux-2.6.38.6/arch/sparc/mm/fault_64.c 2011-03-14 21:20:32.000000000 -0400
5209 +++ linux-2.6.38.6/arch/sparc/mm/fault_64.c 2011-04-28 19:34:14.000000000 -0400
5211 #include <linux/kprobes.h>
5212 #include <linux/kdebug.h>
5213 #include <linux/percpu.h>
5214 +#include <linux/slab.h>
5215 +#include <linux/pagemap.h>
5216 +#include <linux/compiler.h>
5218 #include <asm/page.h>
5219 #include <asm/pgtable.h>
5220 @@ -74,7 +77,7 @@ static void __kprobes bad_kernel_pc(stru
5221 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
5223 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
5224 - printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
5225 + printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
5226 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
5228 unhandled_fault(regs->tpc, current, regs);
5229 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
5233 +#ifdef CONFIG_PAX_PAGEEXEC
5234 +#ifdef CONFIG_PAX_DLRESOLVE
5235 +static void pax_emuplt_close(struct vm_area_struct *vma)
5237 + vma->vm_mm->call_dl_resolve = 0UL;
5240 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5242 + unsigned int *kaddr;
5244 + vmf->page = alloc_page(GFP_HIGHUSER);
5246 + return VM_FAULT_OOM;
5248 + kaddr = kmap(vmf->page);
5249 + memset(kaddr, 0, PAGE_SIZE);
5250 + kaddr[0] = 0x9DE3BFA8U; /* save */
5251 + flush_dcache_page(vmf->page);
5252 + kunmap(vmf->page);
5253 + return VM_FAULT_MAJOR;
5256 +static const struct vm_operations_struct pax_vm_ops = {
5257 + .close = pax_emuplt_close,
5258 + .fault = pax_emuplt_fault
5261 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5265 + INIT_LIST_HEAD(&vma->anon_vma_chain);
5266 + vma->vm_mm = current->mm;
5267 + vma->vm_start = addr;
5268 + vma->vm_end = addr + PAGE_SIZE;
5269 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5270 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5271 + vma->vm_ops = &pax_vm_ops;
5273 + ret = insert_vm_struct(current->mm, vma);
5277 + ++current->mm->total_vm;
5283 + * PaX: decide what to do with offenders (regs->tpc = fault address)
5285 + * returns 1 when task should be killed
5286 + * 2 when patched PLT trampoline was detected
5287 + * 3 when unpatched PLT trampoline was detected
5289 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5292 +#ifdef CONFIG_PAX_EMUPLT
5295 + do { /* PaX: patched PLT emulation #1 */
5296 + unsigned int sethi1, sethi2, jmpl;
5298 + err = get_user(sethi1, (unsigned int *)regs->tpc);
5299 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
5300 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
5305 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5306 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5307 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5309 + unsigned long addr;
5311 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5312 + addr = regs->u_regs[UREG_G1];
5313 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5315 + if (test_thread_flag(TIF_32BIT))
5316 + addr &= 0xFFFFFFFFUL;
5319 + regs->tnpc = addr+4;
5324 + { /* PaX: patched PLT emulation #2 */
5327 + err = get_user(ba, (unsigned int *)regs->tpc);
5329 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5330 + unsigned long addr;
5332 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5334 + if (test_thread_flag(TIF_32BIT))
5335 + addr &= 0xFFFFFFFFUL;
5338 + regs->tnpc = addr+4;
5343 + do { /* PaX: patched PLT emulation #3 */
5344 + unsigned int sethi, jmpl, nop;
5346 + err = get_user(sethi, (unsigned int *)regs->tpc);
5347 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
5348 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5353 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5354 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5355 + nop == 0x01000000U)
5357 + unsigned long addr;
5359 + addr = (sethi & 0x003FFFFFU) << 10;
5360 + regs->u_regs[UREG_G1] = addr;
5361 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5363 + if (test_thread_flag(TIF_32BIT))
5364 + addr &= 0xFFFFFFFFUL;
5367 + regs->tnpc = addr+4;
5372 + do { /* PaX: patched PLT emulation #4 */
5373 + unsigned int sethi, mov1, call, mov2;
5375 + err = get_user(sethi, (unsigned int *)regs->tpc);
5376 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
5377 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
5378 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
5383 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5384 + mov1 == 0x8210000FU &&
5385 + (call & 0xC0000000U) == 0x40000000U &&
5386 + mov2 == 0x9E100001U)
5388 + unsigned long addr;
5390 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
5391 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5393 + if (test_thread_flag(TIF_32BIT))
5394 + addr &= 0xFFFFFFFFUL;
5397 + regs->tnpc = addr+4;
5402 + do { /* PaX: patched PLT emulation #5 */
5403 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5405 + err = get_user(sethi, (unsigned int *)regs->tpc);
5406 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5407 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5408 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5409 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5410 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5411 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5412 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
5417 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5418 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5419 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5420 + (or1 & 0xFFFFE000U) == 0x82106000U &&
5421 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5422 + sllx == 0x83287020U &&
5423 + jmpl == 0x81C04005U &&
5424 + nop == 0x01000000U)
5426 + unsigned long addr;
5428 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5429 + regs->u_regs[UREG_G1] <<= 32;
5430 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5431 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5433 + regs->tnpc = addr+4;
5438 + do { /* PaX: patched PLT emulation #6 */
5439 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
5441 + err = get_user(sethi, (unsigned int *)regs->tpc);
5442 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5443 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5444 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5445 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
5446 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5447 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
5452 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5453 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5454 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5455 + sllx == 0x83287020U &&
5456 + (or & 0xFFFFE000U) == 0x8A116000U &&
5457 + jmpl == 0x81C04005U &&
5458 + nop == 0x01000000U)
5460 + unsigned long addr;
5462 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5463 + regs->u_regs[UREG_G1] <<= 32;
5464 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5465 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5467 + regs->tnpc = addr+4;
5472 + do { /* PaX: unpatched PLT emulation step 1 */
5473 + unsigned int sethi, ba, nop;
5475 + err = get_user(sethi, (unsigned int *)regs->tpc);
5476 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5477 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5482 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5483 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5484 + nop == 0x01000000U)
5486 + unsigned long addr;
5487 + unsigned int save, call;
5488 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5490 + if ((ba & 0xFFC00000U) == 0x30800000U)
5491 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5493 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5495 + if (test_thread_flag(TIF_32BIT))
5496 + addr &= 0xFFFFFFFFUL;
5498 + err = get_user(save, (unsigned int *)addr);
5499 + err |= get_user(call, (unsigned int *)(addr+4));
5500 + err |= get_user(nop, (unsigned int *)(addr+8));
5504 +#ifdef CONFIG_PAX_DLRESOLVE
5505 + if (save == 0x9DE3BFA8U &&
5506 + (call & 0xC0000000U) == 0x40000000U &&
5507 + nop == 0x01000000U)
5509 + struct vm_area_struct *vma;
5510 + unsigned long call_dl_resolve;
5512 + down_read(¤t->mm->mmap_sem);
5513 + call_dl_resolve = current->mm->call_dl_resolve;
5514 + up_read(¤t->mm->mmap_sem);
5515 + if (likely(call_dl_resolve))
5518 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5520 + down_write(¤t->mm->mmap_sem);
5521 + if (current->mm->call_dl_resolve) {
5522 + call_dl_resolve = current->mm->call_dl_resolve;
5523 + up_write(¤t->mm->mmap_sem);
5525 + kmem_cache_free(vm_area_cachep, vma);
5529 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5530 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5531 + up_write(¤t->mm->mmap_sem);
5533 + kmem_cache_free(vm_area_cachep, vma);
5537 + if (pax_insert_vma(vma, call_dl_resolve)) {
5538 + up_write(¤t->mm->mmap_sem);
5539 + kmem_cache_free(vm_area_cachep, vma);
5543 + current->mm->call_dl_resolve = call_dl_resolve;
5544 + up_write(¤t->mm->mmap_sem);
5547 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5548 + regs->tpc = call_dl_resolve;
5549 + regs->tnpc = addr+4;
5554 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5555 + if ((save & 0xFFC00000U) == 0x05000000U &&
5556 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5557 + nop == 0x01000000U)
5559 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5560 + regs->u_regs[UREG_G2] = addr + 4;
5561 + addr = (save & 0x003FFFFFU) << 10;
5562 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5564 + if (test_thread_flag(TIF_32BIT))
5565 + addr &= 0xFFFFFFFFUL;
5568 + regs->tnpc = addr+4;
5572 + /* PaX: 64-bit PLT stub */
5573 + err = get_user(sethi1, (unsigned int *)addr);
5574 + err |= get_user(sethi2, (unsigned int *)(addr+4));
5575 + err |= get_user(or1, (unsigned int *)(addr+8));
5576 + err |= get_user(or2, (unsigned int *)(addr+12));
5577 + err |= get_user(sllx, (unsigned int *)(addr+16));
5578 + err |= get_user(add, (unsigned int *)(addr+20));
5579 + err |= get_user(jmpl, (unsigned int *)(addr+24));
5580 + err |= get_user(nop, (unsigned int *)(addr+28));
5584 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5585 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5586 + (or1 & 0xFFFFE000U) == 0x88112000U &&
5587 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5588 + sllx == 0x89293020U &&
5589 + add == 0x8A010005U &&
5590 + jmpl == 0x89C14000U &&
5591 + nop == 0x01000000U)
5593 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5594 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5595 + regs->u_regs[UREG_G4] <<= 32;
5596 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5597 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5598 + regs->u_regs[UREG_G4] = addr + 24;
5599 + addr = regs->u_regs[UREG_G5];
5601 + regs->tnpc = addr+4;
5607 +#ifdef CONFIG_PAX_DLRESOLVE
5608 + do { /* PaX: unpatched PLT emulation step 2 */
5609 + unsigned int save, call, nop;
5611 + err = get_user(save, (unsigned int *)(regs->tpc-4));
5612 + err |= get_user(call, (unsigned int *)regs->tpc);
5613 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5617 + if (save == 0x9DE3BFA8U &&
5618 + (call & 0xC0000000U) == 0x40000000U &&
5619 + nop == 0x01000000U)
5621 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5623 + if (test_thread_flag(TIF_32BIT))
5624 + dl_resolve &= 0xFFFFFFFFUL;
5626 + regs->u_regs[UREG_RETPC] = regs->tpc;
5627 + regs->tpc = dl_resolve;
5628 + regs->tnpc = dl_resolve+4;
5634 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5635 + unsigned int sethi, ba, nop;
5637 + err = get_user(sethi, (unsigned int *)regs->tpc);
5638 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5639 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5644 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5645 + (ba & 0xFFF00000U) == 0x30600000U &&
5646 + nop == 0x01000000U)
5648 + unsigned long addr;
5650 + addr = (sethi & 0x003FFFFFU) << 10;
5651 + regs->u_regs[UREG_G1] = addr;
5652 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5654 + if (test_thread_flag(TIF_32BIT))
5655 + addr &= 0xFFFFFFFFUL;
5658 + regs->tnpc = addr+4;
5668 +void pax_report_insns(void *pc, void *sp)
5672 + printk(KERN_ERR "PAX: bytes at PC: ");
5673 + for (i = 0; i < 8; i++) {
5675 + if (get_user(c, (unsigned int *)pc+i))
5676 + printk(KERN_CONT "???????? ");
5678 + printk(KERN_CONT "%08x ", c);
5684 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5686 struct mm_struct *mm = current->mm;
5687 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
5691 +#ifdef CONFIG_PAX_PAGEEXEC
5692 + /* PaX: detect ITLB misses on non-exec pages */
5693 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5694 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5696 + if (address != regs->tpc)
5699 + up_read(&mm->mmap_sem);
5700 + switch (pax_handle_fetch_fault(regs)) {
5702 +#ifdef CONFIG_PAX_EMUPLT
5709 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
5710 + do_group_exit(SIGKILL);
5714 /* Pure DTLB misses do not tell us whether the fault causing
5715 * load/store/atomic was a write or not, it only says that there
5716 * was no match. So in such a case we (carefully) read the
5717 diff -urNp linux-2.6.38.6/arch/sparc/mm/hugetlbpage.c linux-2.6.38.6/arch/sparc/mm/hugetlbpage.c
5718 --- linux-2.6.38.6/arch/sparc/mm/hugetlbpage.c 2011-03-14 21:20:32.000000000 -0400
5719 +++ linux-2.6.38.6/arch/sparc/mm/hugetlbpage.c 2011-04-28 19:34:14.000000000 -0400
5720 @@ -68,7 +68,7 @@ full_search:
5724 - if (likely(!vma || addr + len <= vma->vm_start)) {
5725 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5727 * Remember the place where we stopped the search:
5729 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
5730 /* make sure it can fit in the remaining address space */
5731 if (likely(addr > len)) {
5732 vma = find_vma(mm, addr-len);
5733 - if (!vma || addr <= vma->vm_start) {
5734 + if (check_heap_stack_gap(vma, addr - len, len)) {
5735 /* remember the address as a hint for next time */
5736 return (mm->free_area_cache = addr-len);
5738 @@ -116,16 +116,17 @@ hugetlb_get_unmapped_area_topdown(struct
5739 if (unlikely(mm->mmap_base < len))
5742 - addr = (mm->mmap_base-len) & HPAGE_MASK;
5743 + addr = mm->mmap_base - len;
5746 + addr &= HPAGE_MASK;
5748 * Lookup failure means no vma is above this address,
5749 * else if new region fits below vma->vm_start,
5750 * return with success:
5752 vma = find_vma(mm, addr);
5753 - if (likely(!vma || addr+len <= vma->vm_start)) {
5754 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5755 /* remember the address as a hint for next time */
5756 return (mm->free_area_cache = addr);
5758 @@ -135,8 +136,8 @@ hugetlb_get_unmapped_area_topdown(struct
5759 mm->cached_hole_size = vma->vm_start - addr;
5761 /* try just below the current vma->vm_start */
5762 - addr = (vma->vm_start-len) & HPAGE_MASK;
5763 - } while (likely(len < vma->vm_start));
5764 + addr = skip_heap_stack_gap(vma, len);
5765 + } while (!IS_ERR_VALUE(addr));
5769 @@ -182,8 +183,7 @@ hugetlb_get_unmapped_area(struct file *f
5771 addr = ALIGN(addr, HPAGE_SIZE);
5772 vma = find_vma(mm, addr);
5773 - if (task_size - len >= addr &&
5774 - (!vma || addr + len <= vma->vm_start))
5775 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5778 if (mm->get_unmapped_area == arch_get_unmapped_area)
5779 diff -urNp linux-2.6.38.6/arch/sparc/mm/init_32.c linux-2.6.38.6/arch/sparc/mm/init_32.c
5780 --- linux-2.6.38.6/arch/sparc/mm/init_32.c 2011-03-14 21:20:32.000000000 -0400
5781 +++ linux-2.6.38.6/arch/sparc/mm/init_32.c 2011-04-28 19:34:14.000000000 -0400
5782 @@ -318,6 +318,9 @@ extern void device_scan(void);
5783 pgprot_t PAGE_SHARED __read_mostly;
5784 EXPORT_SYMBOL(PAGE_SHARED);
5786 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
5787 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
5789 void __init paging_init(void)
5791 switch(sparc_cpu_model) {
5792 @@ -346,17 +349,17 @@ void __init paging_init(void)
5794 /* Initialize the protection map with non-constant, MMU dependent values. */
5795 protection_map[0] = PAGE_NONE;
5796 - protection_map[1] = PAGE_READONLY;
5797 - protection_map[2] = PAGE_COPY;
5798 - protection_map[3] = PAGE_COPY;
5799 + protection_map[1] = PAGE_READONLY_NOEXEC;
5800 + protection_map[2] = PAGE_COPY_NOEXEC;
5801 + protection_map[3] = PAGE_COPY_NOEXEC;
5802 protection_map[4] = PAGE_READONLY;
5803 protection_map[5] = PAGE_READONLY;
5804 protection_map[6] = PAGE_COPY;
5805 protection_map[7] = PAGE_COPY;
5806 protection_map[8] = PAGE_NONE;
5807 - protection_map[9] = PAGE_READONLY;
5808 - protection_map[10] = PAGE_SHARED;
5809 - protection_map[11] = PAGE_SHARED;
5810 + protection_map[9] = PAGE_READONLY_NOEXEC;
5811 + protection_map[10] = PAGE_SHARED_NOEXEC;
5812 + protection_map[11] = PAGE_SHARED_NOEXEC;
5813 protection_map[12] = PAGE_READONLY;
5814 protection_map[13] = PAGE_READONLY;
5815 protection_map[14] = PAGE_SHARED;
5816 diff -urNp linux-2.6.38.6/arch/sparc/mm/Makefile linux-2.6.38.6/arch/sparc/mm/Makefile
5817 --- linux-2.6.38.6/arch/sparc/mm/Makefile 2011-03-14 21:20:32.000000000 -0400
5818 +++ linux-2.6.38.6/arch/sparc/mm/Makefile 2011-04-28 19:34:14.000000000 -0400
5823 -ccflags-y := -Werror
5824 +#ccflags-y := -Werror
5826 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
5827 obj-y += fault_$(BITS).o
5828 diff -urNp linux-2.6.38.6/arch/sparc/mm/srmmu.c linux-2.6.38.6/arch/sparc/mm/srmmu.c
5829 --- linux-2.6.38.6/arch/sparc/mm/srmmu.c 2011-03-14 21:20:32.000000000 -0400
5830 +++ linux-2.6.38.6/arch/sparc/mm/srmmu.c 2011-04-28 19:34:14.000000000 -0400
5831 @@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
5832 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
5833 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
5834 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
5836 +#ifdef CONFIG_PAX_PAGEEXEC
5837 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
5838 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5839 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5842 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5843 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5845 diff -urNp linux-2.6.38.6/arch/um/include/asm/kmap_types.h linux-2.6.38.6/arch/um/include/asm/kmap_types.h
5846 --- linux-2.6.38.6/arch/um/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
5847 +++ linux-2.6.38.6/arch/um/include/asm/kmap_types.h 2011-04-28 19:34:14.000000000 -0400
5848 @@ -23,6 +23,7 @@ enum km_type {
5856 diff -urNp linux-2.6.38.6/arch/um/include/asm/page.h linux-2.6.38.6/arch/um/include/asm/page.h
5857 --- linux-2.6.38.6/arch/um/include/asm/page.h 2011-03-14 21:20:32.000000000 -0400
5858 +++ linux-2.6.38.6/arch/um/include/asm/page.h 2011-04-28 19:34:14.000000000 -0400
5860 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
5861 #define PAGE_MASK (~(PAGE_SIZE-1))
5863 +#define ktla_ktva(addr) (addr)
5864 +#define ktva_ktla(addr) (addr)
5866 #ifndef __ASSEMBLY__
5869 diff -urNp linux-2.6.38.6/arch/um/kernel/process.c linux-2.6.38.6/arch/um/kernel/process.c
5870 --- linux-2.6.38.6/arch/um/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
5871 +++ linux-2.6.38.6/arch/um/kernel/process.c 2011-04-28 19:34:14.000000000 -0400
5872 @@ -404,22 +404,6 @@ int singlestepping(void * t)
5877 - * Only x86 and x86_64 have an arch_align_stack().
5878 - * All other arches have "#define arch_align_stack(x) (x)"
5879 - * in their asm/system.h
5880 - * As this is included in UML from asm-um/system-generic.h,
5881 - * we can use it to behave as the subarch does.
5883 -#ifndef arch_align_stack
5884 -unsigned long arch_align_stack(unsigned long sp)
5886 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
5887 - sp -= get_random_int() % 8192;
5892 unsigned long get_wchan(struct task_struct *p)
5894 unsigned long stack_page, sp, ip;
5895 diff -urNp linux-2.6.38.6/arch/um/sys-i386/syscalls.c linux-2.6.38.6/arch/um/sys-i386/syscalls.c
5896 --- linux-2.6.38.6/arch/um/sys-i386/syscalls.c 2011-03-14 21:20:32.000000000 -0400
5897 +++ linux-2.6.38.6/arch/um/sys-i386/syscalls.c 2011-04-28 19:34:14.000000000 -0400
5899 #include "asm/uaccess.h"
5900 #include "asm/unistd.h"
5902 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
5904 + unsigned long pax_task_size = TASK_SIZE;
5906 +#ifdef CONFIG_PAX_SEGMEXEC
5907 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
5908 + pax_task_size = SEGMEXEC_TASK_SIZE;
5911 + if (len > pax_task_size || addr > pax_task_size - len)
5918 * The prototype on i386 is:
5920 diff -urNp linux-2.6.38.6/arch/x86/boot/bitops.h linux-2.6.38.6/arch/x86/boot/bitops.h
5921 --- linux-2.6.38.6/arch/x86/boot/bitops.h 2011-03-14 21:20:32.000000000 -0400
5922 +++ linux-2.6.38.6/arch/x86/boot/bitops.h 2011-04-28 19:34:14.000000000 -0400
5923 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
5925 const u32 *p = (const u32 *)addr;
5927 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5928 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5932 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
5934 static inline void set_bit(int nr, void *addr)
5936 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5937 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5940 #endif /* BOOT_BITOPS_H */
5941 diff -urNp linux-2.6.38.6/arch/x86/boot/boot.h linux-2.6.38.6/arch/x86/boot/boot.h
5942 --- linux-2.6.38.6/arch/x86/boot/boot.h 2011-03-14 21:20:32.000000000 -0400
5943 +++ linux-2.6.38.6/arch/x86/boot/boot.h 2011-04-28 19:34:14.000000000 -0400
5944 @@ -85,7 +85,7 @@ static inline void io_delay(void)
5945 static inline u16 ds(void)
5948 - asm("movw %%ds,%0" : "=rm" (seg));
5949 + asm volatile("movw %%ds,%0" : "=rm" (seg));
5953 @@ -181,7 +181,7 @@ static inline void wrgs32(u32 v, addr_t
5954 static inline int memcmp(const void *s1, const void *s2, size_t len)
5957 - asm("repe; cmpsb; setnz %0"
5958 + asm volatile("repe; cmpsb; setnz %0"
5959 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
5962 diff -urNp linux-2.6.38.6/arch/x86/boot/compressed/head_32.S linux-2.6.38.6/arch/x86/boot/compressed/head_32.S
5963 --- linux-2.6.38.6/arch/x86/boot/compressed/head_32.S 2011-03-14 21:20:32.000000000 -0400
5964 +++ linux-2.6.38.6/arch/x86/boot/compressed/head_32.S 2011-04-28 19:34:14.000000000 -0400
5965 @@ -76,7 +76,7 @@ ENTRY(startup_32)
5969 - movl $LOAD_PHYSICAL_ADDR, %ebx
5970 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5973 /* Target address to relocate to for decompression */
5974 @@ -162,7 +162,7 @@ relocated:
5975 * and where it was actually loaded.
5978 - subl $LOAD_PHYSICAL_ADDR, %ebx
5979 + subl $____LOAD_PHYSICAL_ADDR, %ebx
5980 jz 2f /* Nothing to be done if loaded at compiled addr. */
5982 * Process relocations.
5983 @@ -170,8 +170,7 @@ relocated:
5990 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5993 diff -urNp linux-2.6.38.6/arch/x86/boot/compressed/head_64.S linux-2.6.38.6/arch/x86/boot/compressed/head_64.S
5994 --- linux-2.6.38.6/arch/x86/boot/compressed/head_64.S 2011-03-14 21:20:32.000000000 -0400
5995 +++ linux-2.6.38.6/arch/x86/boot/compressed/head_64.S 2011-04-28 19:34:14.000000000 -0400
5996 @@ -91,7 +91,7 @@ ENTRY(startup_32)
6000 - movl $LOAD_PHYSICAL_ADDR, %ebx
6001 + movl $____LOAD_PHYSICAL_ADDR, %ebx
6004 /* Target address to relocate to for decompression */
6005 @@ -233,7 +233,7 @@ ENTRY(startup_64)
6009 - movq $LOAD_PHYSICAL_ADDR, %rbp
6010 + movq $____LOAD_PHYSICAL_ADDR, %rbp
6013 /* Target address to relocate to for decompression */
6014 diff -urNp linux-2.6.38.6/arch/x86/boot/compressed/misc.c linux-2.6.38.6/arch/x86/boot/compressed/misc.c
6015 --- linux-2.6.38.6/arch/x86/boot/compressed/misc.c 2011-03-14 21:20:32.000000000 -0400
6016 +++ linux-2.6.38.6/arch/x86/boot/compressed/misc.c 2011-04-28 19:34:14.000000000 -0400
6017 @@ -310,7 +310,7 @@ static void parse_elf(void *output)
6019 #ifdef CONFIG_RELOCATABLE
6021 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
6022 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
6024 dest = (void *)(phdr->p_paddr);
6026 @@ -363,7 +363,7 @@ asmlinkage void decompress_kernel(void *
6027 error("Destination address too large");
6029 #ifndef CONFIG_RELOCATABLE
6030 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
6031 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
6032 error("Wrong destination address");
6035 diff -urNp linux-2.6.38.6/arch/x86/boot/compressed/relocs.c linux-2.6.38.6/arch/x86/boot/compressed/relocs.c
6036 --- linux-2.6.38.6/arch/x86/boot/compressed/relocs.c 2011-03-14 21:20:32.000000000 -0400
6037 +++ linux-2.6.38.6/arch/x86/boot/compressed/relocs.c 2011-04-28 19:34:14.000000000 -0400
6040 static void die(char *fmt, ...);
6042 +#include "../../../../include/generated/autoconf.h"
6044 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
6045 static Elf32_Ehdr ehdr;
6046 +static Elf32_Phdr *phdr;
6047 static unsigned long reloc_count, reloc_idx;
6048 static unsigned long *relocs;
6050 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
6054 +static void read_phdrs(FILE *fp)
6058 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
6060 + die("Unable to allocate %d program headers\n",
6063 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
6064 + die("Seek to %d failed: %s\n",
6065 + ehdr.e_phoff, strerror(errno));
6067 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
6068 + die("Cannot read ELF program headers: %s\n",
6071 + for(i = 0; i < ehdr.e_phnum; i++) {
6072 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
6073 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
6074 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
6075 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
6076 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
6077 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
6078 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
6079 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
6084 static void read_shdrs(FILE *fp)
6090 secs = calloc(ehdr.e_shnum, sizeof(struct section));
6091 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
6093 static void read_strtabs(FILE *fp)
6097 for (i = 0; i < ehdr.e_shnum; i++) {
6098 struct section *sec = &secs[i];
6099 if (sec->shdr.sh_type != SHT_STRTAB) {
6100 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
6102 static void read_symtabs(FILE *fp)
6106 for (i = 0; i < ehdr.e_shnum; i++) {
6107 struct section *sec = &secs[i];
6108 if (sec->shdr.sh_type != SHT_SYMTAB) {
6109 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
6111 static void read_relocs(FILE *fp)
6117 for (i = 0; i < ehdr.e_shnum; i++) {
6118 struct section *sec = &secs[i];
6119 if (sec->shdr.sh_type != SHT_REL) {
6120 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
6121 die("Cannot read symbol table: %s\n",
6125 + for (j = 0; j < ehdr.e_phnum; j++) {
6126 + if (phdr[j].p_type != PT_LOAD )
6128 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
6130 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
6133 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
6134 Elf32_Rel *rel = &sec->reltab[j];
6135 - rel->r_offset = elf32_to_cpu(rel->r_offset);
6136 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
6137 rel->r_info = elf32_to_cpu(rel->r_info);
6140 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
6142 static void print_absolute_symbols(void)
6146 printf("Absolute symbols\n");
6147 printf(" Num: Value Size Type Bind Visibility Name\n");
6148 for (i = 0; i < ehdr.e_shnum; i++) {
6149 struct section *sec = &secs[i];
6151 Elf32_Sym *sh_symtab;
6155 if (sec->shdr.sh_type != SHT_SYMTAB) {
6157 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
6159 static void print_absolute_relocs(void)
6161 - int i, printed = 0;
6162 + unsigned int i, printed = 0;
6164 for (i = 0; i < ehdr.e_shnum; i++) {
6165 struct section *sec = &secs[i];
6166 struct section *sec_applies, *sec_symtab;
6168 Elf32_Sym *sh_symtab;
6171 if (sec->shdr.sh_type != SHT_REL) {
6174 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
6176 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
6180 /* Walk through the relocations */
6181 for (i = 0; i < ehdr.e_shnum; i++) {
6183 Elf32_Sym *sh_symtab;
6184 struct section *sec_applies, *sec_symtab;
6187 struct section *sec = &secs[i];
6189 if (sec->shdr.sh_type != SHT_REL) {
6190 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
6191 !is_rel_reloc(sym_name(sym_strtab, sym))) {
6194 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
6195 + if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
6198 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
6199 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
6200 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
6202 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
6204 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
6206 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
6213 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
6215 static void emit_relocs(int as_text)
6219 /* Count how many relocations I have and allocate space for them. */
6221 walk_relocs(count_reloc);
6222 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
6223 fname, strerror(errno));
6230 diff -urNp linux-2.6.38.6/arch/x86/boot/cpucheck.c linux-2.6.38.6/arch/x86/boot/cpucheck.c
6231 --- linux-2.6.38.6/arch/x86/boot/cpucheck.c 2011-03-14 21:20:32.000000000 -0400
6232 +++ linux-2.6.38.6/arch/x86/boot/cpucheck.c 2011-04-28 19:34:14.000000000 -0400
6233 @@ -74,7 +74,7 @@ static int has_fpu(void)
6234 u16 fcw = -1, fsw = -1;
6237 - asm("movl %%cr0,%0" : "=r" (cr0));
6238 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
6239 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
6240 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
6241 asm volatile("movl %0,%%cr0" : : "r" (cr0));
6242 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
6247 + asm volatile("pushfl ; "
6251 @@ -115,7 +115,7 @@ static void get_flags(void)
6252 set_bit(X86_FEATURE_FPU, cpu.flags);
6254 if (has_eflag(X86_EFLAGS_ID)) {
6256 + asm volatile("cpuid"
6257 : "=a" (max_intel_level),
6258 "=b" (cpu_vendor[0]),
6259 "=d" (cpu_vendor[1]),
6260 @@ -124,7 +124,7 @@ static void get_flags(void)
6262 if (max_intel_level >= 0x00000001 &&
6263 max_intel_level <= 0x0000ffff) {
6265 + asm volatile("cpuid"
6267 "=c" (cpu.flags[4]),
6269 @@ -136,7 +136,7 @@ static void get_flags(void)
6270 cpu.model += ((tfms >> 16) & 0xf) << 4;
6274 + asm volatile("cpuid"
6275 : "=a" (max_amd_level)
6277 : "ebx", "ecx", "edx");
6278 @@ -144,7 +144,7 @@ static void get_flags(void)
6279 if (max_amd_level >= 0x80000001 &&
6280 max_amd_level <= 0x8000ffff) {
6281 u32 eax = 0x80000001;
6283 + asm volatile("cpuid"
6285 "=c" (cpu.flags[6]),
6287 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6288 u32 ecx = MSR_K7_HWCR;
6291 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6292 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6294 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6295 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6297 get_flags(); /* Make sure it really did something */
6298 err = check_flags();
6299 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6300 u32 ecx = MSR_VIA_FCR;
6303 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6304 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6305 eax |= (1<<1)|(1<<7);
6306 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6307 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6309 set_bit(X86_FEATURE_CX8, cpu.flags);
6310 err = check_flags();
6311 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
6315 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6316 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6318 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6319 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6320 + asm volatile("cpuid"
6321 : "+a" (level), "=d" (cpu.flags[0])
6323 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6324 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6326 err = check_flags();
6328 diff -urNp linux-2.6.38.6/arch/x86/boot/header.S linux-2.6.38.6/arch/x86/boot/header.S
6329 --- linux-2.6.38.6/arch/x86/boot/header.S 2011-03-14 21:20:32.000000000 -0400
6330 +++ linux-2.6.38.6/arch/x86/boot/header.S 2011-04-28 19:34:14.000000000 -0400
6331 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
6332 # single linked list of
6335 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
6336 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
6338 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
6339 #define VO_INIT_SIZE (VO__end - VO__text)
6340 diff -urNp linux-2.6.38.6/arch/x86/boot/memory.c linux-2.6.38.6/arch/x86/boot/memory.c
6341 --- linux-2.6.38.6/arch/x86/boot/memory.c 2011-03-14 21:20:32.000000000 -0400
6342 +++ linux-2.6.38.6/arch/x86/boot/memory.c 2011-04-28 19:34:14.000000000 -0400
6345 static int detect_memory_e820(void)
6348 + unsigned int count = 0;
6349 struct biosregs ireg, oreg;
6350 struct e820entry *desc = boot_params.e820_map;
6351 static struct e820entry buf; /* static so it is zeroed */
6352 diff -urNp linux-2.6.38.6/arch/x86/boot/video.c linux-2.6.38.6/arch/x86/boot/video.c
6353 --- linux-2.6.38.6/arch/x86/boot/video.c 2011-03-14 21:20:32.000000000 -0400
6354 +++ linux-2.6.38.6/arch/x86/boot/video.c 2011-04-28 19:34:14.000000000 -0400
6355 @@ -96,7 +96,7 @@ static void store_mode_params(void)
6356 static unsigned int get_entry(void)
6360 + unsigned int i, len = 0;
6364 diff -urNp linux-2.6.38.6/arch/x86/boot/video-vesa.c linux-2.6.38.6/arch/x86/boot/video-vesa.c
6365 --- linux-2.6.38.6/arch/x86/boot/video-vesa.c 2011-03-14 21:20:32.000000000 -0400
6366 +++ linux-2.6.38.6/arch/x86/boot/video-vesa.c 2011-04-28 19:34:14.000000000 -0400
6367 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
6369 boot_params.screen_info.vesapm_seg = oreg.es;
6370 boot_params.screen_info.vesapm_off = oreg.di;
6371 + boot_params.screen_info.vesapm_size = oreg.cx;
6375 diff -urNp linux-2.6.38.6/arch/x86/ia32/ia32_aout.c linux-2.6.38.6/arch/x86/ia32/ia32_aout.c
6376 --- linux-2.6.38.6/arch/x86/ia32/ia32_aout.c 2011-03-14 21:20:32.000000000 -0400
6377 +++ linux-2.6.38.6/arch/x86/ia32/ia32_aout.c 2011-04-28 19:34:14.000000000 -0400
6378 @@ -162,6 +162,8 @@ static int aout_core_dump(long signr, st
6379 unsigned long dump_start, dump_size;
6382 + memset(&dump, 0, sizeof(dump));
6387 diff -urNp linux-2.6.38.6/arch/x86/ia32/ia32entry.S linux-2.6.38.6/arch/x86/ia32/ia32entry.S
6388 --- linux-2.6.38.6/arch/x86/ia32/ia32entry.S 2011-03-14 21:20:32.000000000 -0400
6389 +++ linux-2.6.38.6/arch/x86/ia32/ia32entry.S 2011-05-16 21:47:08.000000000 -0400
6391 #include <asm/thread_info.h>
6392 #include <asm/segment.h>
6393 #include <asm/irqflags.h>
6394 +#include <asm/pgtable.h>
6395 #include <linux/linkage.h>
6397 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
6398 @@ -93,6 +94,26 @@ ENTRY(native_irq_enable_sysexit)
6399 ENDPROC(native_irq_enable_sysexit)
6402 + .macro pax_enter_kernel_user
6403 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6404 + call pax_enter_kernel_user
6408 + .macro pax_exit_kernel_user
6409 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6410 + call pax_exit_kernel_user
6412 +#ifdef CONFIG_PAX_RANDKSTACK
6414 + call pax_randomize_kstack
6417 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
6418 + call pax_erase_kstack
6423 * 32bit SYSENTER instruction entry.
6425 @@ -119,7 +140,7 @@ ENTRY(ia32_sysenter_target)
6426 CFI_REGISTER rsp,rbp
6428 movq PER_CPU_VAR(kernel_stack), %rsp
6429 - addq $(KERNEL_STACK_OFFSET),%rsp
6430 + pax_enter_kernel_user
6432 * No need to follow this irqs on/off section: the syscall
6433 * disabled irqs, here we enable it straight after entry:
6434 @@ -135,7 +156,8 @@ ENTRY(ia32_sysenter_target)
6436 CFI_ADJUST_CFA_OFFSET 8
6437 /*CFI_REL_OFFSET rflags,0*/
6438 - movl 8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d
6439 + GET_THREAD_INFO(%r10)
6440 + movl TI_sysenter_return(%r10), %r10d
6441 CFI_REGISTER rip,r10
6443 CFI_ADJUST_CFA_OFFSET 8
6444 @@ -150,6 +172,12 @@ ENTRY(ia32_sysenter_target)
6446 /* no need to do an access_ok check here because rbp has been
6447 32bit zero extended */
6449 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6450 + mov $PAX_USER_SHADOW_BASE,%r10
6455 .section __ex_table,"a"
6456 .quad 1b,ia32_badarg
6457 @@ -172,6 +200,7 @@ sysenter_dispatch:
6458 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6460 sysexit_from_sys_call:
6461 + pax_exit_kernel_user
6462 andl $~TS_COMPAT,TI_status(%r10)
6463 /* clear IF, that popfq doesn't enable interrupts early */
6464 andl $~0x200,EFLAGS-R11(%rsp)
6465 @@ -283,19 +312,24 @@ ENDPROC(ia32_sysenter_target)
6466 ENTRY(ia32_cstar_target)
6467 CFI_STARTPROC32 simple
6469 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
6471 CFI_REGISTER rip,rcx
6472 /*CFI_REGISTER rflags,r11*/
6476 movq PER_CPU_VAR(kernel_stack),%rsp
6478 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6479 + pax_enter_kernel_user
6483 * No need to follow this irqs on/off section: the syscall
6484 * disabled irqs and here we enable it straight after entry:
6486 ENABLE_INTERRUPTS(CLBR_NONE)
6489 movl %eax,%eax /* zero extension */
6490 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
6491 movq %rcx,RIP-ARGOFFSET(%rsp)
6492 @@ -311,6 +345,12 @@ ENTRY(ia32_cstar_target)
6493 /* no need to do an access_ok check here because r8 has been
6494 32bit zero extended */
6495 /* hardware stack frame is complete now */
6497 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6498 + mov $PAX_USER_SHADOW_BASE,%r10
6503 .section __ex_table,"a"
6504 .quad 1b,ia32_badarg
6505 @@ -333,6 +373,7 @@ cstar_dispatch:
6506 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6508 sysretl_from_sys_call:
6509 + pax_exit_kernel_user
6510 andl $~TS_COMPAT,TI_status(%r10)
6511 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
6512 movl RIP-ARGOFFSET(%rsp),%ecx
6513 @@ -415,6 +456,7 @@ ENTRY(ia32_syscall)
6514 CFI_REL_OFFSET rip,RIP-RIP
6515 PARAVIRT_ADJUST_EXCEPTION_FRAME
6517 + pax_enter_kernel_user
6519 * No need to follow this irqs on/off section: the syscall
6520 * disabled irqs and here we enable it straight after entry:
6521 diff -urNp linux-2.6.38.6/arch/x86/ia32/ia32_signal.c linux-2.6.38.6/arch/x86/ia32/ia32_signal.c
6522 --- linux-2.6.38.6/arch/x86/ia32/ia32_signal.c 2011-03-14 21:20:32.000000000 -0400
6523 +++ linux-2.6.38.6/arch/x86/ia32/ia32_signal.c 2011-04-28 19:34:14.000000000 -0400
6524 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
6526 /* Align the stack pointer according to the i386 ABI,
6527 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
6528 - sp = ((sp + 4) & -16ul) - 4;
6529 + sp = ((sp - 12) & -16ul) - 4;
6530 return (void __user *) sp;
6533 @@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
6534 * These are actually not used anymore, but left because some
6535 * gdb versions depend on them as a marker.
6537 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6538 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6539 } put_user_catch(err);
6542 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
6544 __NR_ia32_rt_sigreturn,
6550 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
6551 @@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
6553 if (ka->sa.sa_flags & SA_RESTORER)
6554 restorer = ka->sa.sa_restorer;
6555 + else if (current->mm->context.vdso)
6556 + /* Return stub is in 32bit vsyscall page */
6557 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
6559 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
6561 + restorer = &frame->retcode;
6562 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
6565 * Not actually used anymore, but left because some gdb
6568 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6569 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6570 } put_user_catch(err);
6573 diff -urNp linux-2.6.38.6/arch/x86/include/asm/alternative.h linux-2.6.38.6/arch/x86/include/asm/alternative.h
6574 --- linux-2.6.38.6/arch/x86/include/asm/alternative.h 2011-03-14 21:20:32.000000000 -0400
6575 +++ linux-2.6.38.6/arch/x86/include/asm/alternative.h 2011-04-28 19:34:14.000000000 -0400
6576 @@ -94,7 +94,7 @@ static inline int alternatives_text_rese
6577 ".section .discard,\"aw\",@progbits\n" \
6578 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
6580 - ".section .altinstr_replacement, \"ax\"\n" \
6581 + ".section .altinstr_replacement, \"a\"\n" \
6582 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
6585 diff -urNp linux-2.6.38.6/arch/x86/include/asm/apm.h linux-2.6.38.6/arch/x86/include/asm/apm.h
6586 --- linux-2.6.38.6/arch/x86/include/asm/apm.h 2011-03-14 21:20:32.000000000 -0400
6587 +++ linux-2.6.38.6/arch/x86/include/asm/apm.h 2011-04-28 19:34:14.000000000 -0400
6588 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6589 __asm__ __volatile__(APM_DO_ZERO_SEGS
6592 - "lcall *%%cs:apm_bios_entry\n\t"
6593 + "lcall *%%ss:apm_bios_entry\n\t"
6597 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6598 __asm__ __volatile__(APM_DO_ZERO_SEGS
6601 - "lcall *%%cs:apm_bios_entry\n\t"
6602 + "lcall *%%ss:apm_bios_entry\n\t"
6606 diff -urNp linux-2.6.38.6/arch/x86/include/asm/atomic64_32.h linux-2.6.38.6/arch/x86/include/asm/atomic64_32.h
6607 --- linux-2.6.38.6/arch/x86/include/asm/atomic64_32.h 2011-03-14 21:20:32.000000000 -0400
6608 +++ linux-2.6.38.6/arch/x86/include/asm/atomic64_32.h 2011-05-11 18:35:16.000000000 -0400
6609 @@ -12,6 +12,14 @@ typedef struct {
6610 u64 __aligned(8) counter;
6613 +#ifdef CONFIG_PAX_REFCOUNT
6615 + u64 __aligned(8) counter;
6616 +} atomic64_unchecked_t;
6618 +typedef atomic64_t atomic64_unchecked_t;
6621 #define ATOMIC64_INIT(val) { (val) }
6623 #ifdef CONFIG_X86_CMPXCHG64
6624 @@ -38,6 +46,21 @@ static inline long long atomic64_cmpxchg
6628 + * atomic64_cmpxchg_unchecked - cmpxchg atomic64 variable
6629 + * @p: pointer to type atomic64_unchecked_t
6630 + * @o: expected value
6633 + * Atomically sets @v to @n if it was equal to @o and returns
6637 +static inline long long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long long o, long long n)
6639 + return cmpxchg64(&v->counter, o, n);
6643 * atomic64_xchg - xchg atomic64 variable
6644 * @v: pointer to type atomic64_t
6645 * @n: value to assign
6646 @@ -77,6 +100,24 @@ static inline void atomic64_set(atomic64
6650 + * atomic64_set_unchecked - set atomic64 variable
6651 + * @v: pointer to type atomic64_unchecked_t
6652 + * @n: value to assign
6654 + * Atomically sets the value of @v to @n.
6656 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
6658 + unsigned high = (unsigned)(i >> 32);
6659 + unsigned low = (unsigned)i;
6660 + asm volatile(ATOMIC64_ALTERNATIVE(set)
6661 + : "+b" (low), "+c" (high)
6663 + : "eax", "edx", "memory"
6668 * atomic64_read - read atomic64 variable
6669 * @v: pointer to type atomic64_t
6671 @@ -93,6 +134,22 @@ static inline long long atomic64_read(at
6675 + * atomic64_read_unchecked - read atomic64 variable
6676 + * @v: pointer to type atomic64_unchecked_t
6678 + * Atomically reads the value of @v and returns it.
6680 +static inline long long atomic64_read_unchecked(atomic64_unchecked_t *v)
6683 + asm volatile(ATOMIC64_ALTERNATIVE(read_unchecked)
6684 + : "=A" (r), "+c" (v)
6691 * atomic64_add_return - add and return
6692 * @i: integer value to add
6693 * @v: pointer to type atomic64_t
6694 @@ -108,6 +165,22 @@ static inline long long atomic64_add_ret
6699 + * atomic64_add_return_unchecked - add and return
6700 + * @i: integer value to add
6701 + * @v: pointer to type atomic64_unchecked_t
6703 + * Atomically adds @i to @v and returns @i + *@v
6705 +static inline long long atomic64_add_return_unchecked(long long i, atomic64_unchecked_t *v)
6707 + asm volatile(ATOMIC64_ALTERNATIVE(add_return_unchecked)
6708 + : "+A" (i), "+c" (v)
6715 * Other variants with different arithmetic operators:
6717 @@ -131,6 +204,17 @@ static inline long long atomic64_inc_ret
6721 +static inline long long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6724 + asm volatile(ATOMIC64_ALTERNATIVE(inc_return_unchecked)
6732 static inline long long atomic64_dec_return(atomic64_t *v)
6735 @@ -159,6 +243,22 @@ static inline long long atomic64_add(lon
6739 + * atomic64_add_unchecked - add integer to atomic64 variable
6740 + * @i: integer value to add
6741 + * @v: pointer to type atomic64_unchecked_t
6743 + * Atomically adds @i to @v.
6745 +static inline long long atomic64_add_unchecked(long long i, atomic64_unchecked_t *v)
6747 + asm volatile(ATOMIC64_ALTERNATIVE_(add_unchecked, add_return_unchecked)
6748 + : "+A" (i), "+c" (v)
6755 * atomic64_sub - subtract the atomic64 variable
6756 * @i: integer value to subtract
6757 * @v: pointer to type atomic64_t
6758 diff -urNp linux-2.6.38.6/arch/x86/include/asm/atomic64_64.h linux-2.6.38.6/arch/x86/include/asm/atomic64_64.h
6759 --- linux-2.6.38.6/arch/x86/include/asm/atomic64_64.h 2011-03-14 21:20:32.000000000 -0400
6760 +++ linux-2.6.38.6/arch/x86/include/asm/atomic64_64.h 2011-05-16 21:47:08.000000000 -0400
6763 static inline long atomic64_read(const atomic64_t *v)
6765 - return (*(volatile long *)&(v)->counter);
6766 + return (*(volatile const long *)&(v)->counter);
6770 + * atomic64_read_unchecked - read atomic64 variable
6771 + * @v: pointer of type atomic64_unchecked_t
6773 + * Atomically reads the value of @v.
6774 + * Doesn't imply a read memory barrier.
6776 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6778 + return (*(volatile const long *)&(v)->counter);
6782 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
6786 + * atomic64_set_unchecked - set atomic64 variable
6787 + * @v: pointer to type atomic64_unchecked_t
6788 + * @i: required value
6790 + * Atomically sets the value of @v to @i.
6792 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6798 * atomic64_add - add integer to atomic64 variable
6799 * @i: integer value to add
6800 * @v: pointer to type atomic64_t
6801 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
6803 static inline void atomic64_add(long i, atomic64_t *v)
6805 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
6807 +#ifdef CONFIG_PAX_REFCOUNT
6809 + LOCK_PREFIX "subq %1,%0\n"
6811 + _ASM_EXTABLE(0b, 0b)
6814 + : "=m" (v->counter)
6815 + : "er" (i), "m" (v->counter));
6819 + * atomic64_add_unchecked - add integer to atomic64 variable
6820 + * @i: integer value to add
6821 + * @v: pointer to type atomic64_unchecked_t
6823 + * Atomically adds @i to @v.
6825 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6827 asm volatile(LOCK_PREFIX "addq %1,%0"
6829 : "er" (i), "m" (v->counter));
6830 @@ -56,7 +102,29 @@ static inline void atomic64_add(long i,
6832 static inline void atomic64_sub(long i, atomic64_t *v)
6834 - asm volatile(LOCK_PREFIX "subq %1,%0"
6835 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6837 +#ifdef CONFIG_PAX_REFCOUNT
6839 + LOCK_PREFIX "addq %1,%0\n"
6841 + _ASM_EXTABLE(0b, 0b)
6844 + : "=m" (v->counter)
6845 + : "er" (i), "m" (v->counter));
6849 + * atomic64_sub_unchecked - subtract the atomic64 variable
6850 + * @i: integer value to subtract
6851 + * @v: pointer to type atomic64_unchecked_t
6853 + * Atomically subtracts @i from @v.
6855 +static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
6857 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6859 : "er" (i), "m" (v->counter));
6861 @@ -74,7 +142,16 @@ static inline int atomic64_sub_and_test(
6865 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6866 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
6868 +#ifdef CONFIG_PAX_REFCOUNT
6870 + LOCK_PREFIX "addq %2,%0\n"
6872 + _ASM_EXTABLE(0b, 0b)
6876 : "=m" (v->counter), "=qm" (c)
6877 : "er" (i), "m" (v->counter) : "memory");
6879 @@ -88,6 +165,27 @@ static inline int atomic64_sub_and_test(
6881 static inline void atomic64_inc(atomic64_t *v)
6883 + asm volatile(LOCK_PREFIX "incq %0\n"
6885 +#ifdef CONFIG_PAX_REFCOUNT
6887 + LOCK_PREFIX "decq %0\n"
6889 + _ASM_EXTABLE(0b, 0b)
6892 + : "=m" (v->counter)
6893 + : "m" (v->counter));
6897 + * atomic64_inc_unchecked - increment atomic64 variable
6898 + * @v: pointer to type atomic64_unchecked_t
6900 + * Atomically increments @v by 1.
6902 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6904 asm volatile(LOCK_PREFIX "incq %0"
6906 : "m" (v->counter));
6907 @@ -101,7 +199,28 @@ static inline void atomic64_inc(atomic64
6909 static inline void atomic64_dec(atomic64_t *v)
6911 - asm volatile(LOCK_PREFIX "decq %0"
6912 + asm volatile(LOCK_PREFIX "decq %0\n"
6914 +#ifdef CONFIG_PAX_REFCOUNT
6916 + LOCK_PREFIX "incq %0\n"
6918 + _ASM_EXTABLE(0b, 0b)
6921 + : "=m" (v->counter)
6922 + : "m" (v->counter));
6926 + * atomic64_dec_unchecked - decrement atomic64 variable
6927 + * @v: pointer to type atomic64_t
6929 + * Atomically decrements @v by 1.
6931 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
6933 + asm volatile(LOCK_PREFIX "decq %0\n"
6935 : "m" (v->counter));
6937 @@ -118,7 +237,16 @@ static inline int atomic64_dec_and_test(
6941 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
6942 + asm volatile(LOCK_PREFIX "decq %0\n"
6944 +#ifdef CONFIG_PAX_REFCOUNT
6946 + LOCK_PREFIX "incq %0\n"
6948 + _ASM_EXTABLE(0b, 0b)
6952 : "=m" (v->counter), "=qm" (c)
6953 : "m" (v->counter) : "memory");
6955 @@ -136,7 +264,16 @@ static inline int atomic64_inc_and_test(
6959 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
6960 + asm volatile(LOCK_PREFIX "incq %0\n"
6962 +#ifdef CONFIG_PAX_REFCOUNT
6964 + LOCK_PREFIX "decq %0\n"
6966 + _ASM_EXTABLE(0b, 0b)
6970 : "=m" (v->counter), "=qm" (c)
6971 : "m" (v->counter) : "memory");
6973 @@ -155,7 +292,16 @@ static inline int atomic64_add_negative(
6977 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6978 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
6980 +#ifdef CONFIG_PAX_REFCOUNT
6982 + LOCK_PREFIX "subq %2,%0\n"
6984 + _ASM_EXTABLE(0b, 0b)
6988 : "=m" (v->counter), "=qm" (c)
6989 : "er" (i), "m" (v->counter) : "memory");
6991 @@ -171,7 +317,31 @@ static inline int atomic64_add_negative(
6992 static inline long atomic64_add_return(long i, atomic64_t *v)
6995 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6996 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6998 +#ifdef CONFIG_PAX_REFCOUNT
7002 + _ASM_EXTABLE(0b, 0b)
7005 + : "+r" (i), "+m" (v->counter)
7011 + * atomic64_add_return_unchecked - add and return
7012 + * @i: integer value to add
7013 + * @v: pointer to type atomic64_unchecked_t
7015 + * Atomically adds @i to @v and returns @i + @v
7017 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
7020 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
7021 : "+r" (i), "+m" (v->counter)
7024 @@ -183,6 +353,10 @@ static inline long atomic64_sub_return(l
7027 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
7028 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
7030 + return atomic64_add_return_unchecked(1, v);
7032 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
7034 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
7035 @@ -190,6 +364,11 @@ static inline long atomic64_cmpxchg(atom
7036 return cmpxchg(&v->counter, old, new);
7039 +static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
7041 + return cmpxchg(&v->counter, old, new);
7044 static inline long atomic64_xchg(atomic64_t *v, long new)
7046 return xchg(&v->counter, new);
7047 @@ -206,17 +385,30 @@ static inline long atomic64_xchg(atomic6
7049 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
7053 c = atomic64_read(v);
7055 - if (unlikely(c == (u)))
7056 + if (unlikely(c == u))
7058 - old = atomic64_cmpxchg((v), c, c + (a));
7060 + asm volatile("add %2,%0\n"
7062 +#ifdef CONFIG_PAX_REFCOUNT
7066 + _ASM_EXTABLE(0b, 0b)
7070 + : "0" (c), "ir" (a));
7072 + old = atomic64_cmpxchg(v, c, new);
7073 if (likely(old == c))
7081 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
7082 diff -urNp linux-2.6.38.6/arch/x86/include/asm/atomic.h linux-2.6.38.6/arch/x86/include/asm/atomic.h
7083 --- linux-2.6.38.6/arch/x86/include/asm/atomic.h 2011-03-14 21:20:32.000000000 -0400
7084 +++ linux-2.6.38.6/arch/x86/include/asm/atomic.h 2011-04-28 19:57:25.000000000 -0400
7087 static inline int atomic_read(const atomic_t *v)
7089 - return (*(volatile int *)&(v)->counter);
7090 + return (*(volatile const int *)&(v)->counter);
7094 + * atomic_read_unchecked - read atomic variable
7095 + * @v: pointer of type atomic_unchecked_t
7097 + * Atomically reads the value of @v.
7099 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
7101 + return (*(volatile const int *)&(v)->counter);
7105 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
7109 + * atomic_set_unchecked - set atomic variable
7110 + * @v: pointer of type atomic_unchecked_t
7111 + * @i: required value
7113 + * Atomically sets the value of @v to @i.
7115 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
7121 * atomic_add - add integer to atomic variable
7122 * @i: integer value to add
7123 * @v: pointer of type atomic_t
7124 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
7126 static inline void atomic_add(int i, atomic_t *v)
7128 - asm volatile(LOCK_PREFIX "addl %1,%0"
7129 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
7131 +#ifdef CONFIG_PAX_REFCOUNT
7133 + LOCK_PREFIX "subl %1,%0\n"
7135 + _ASM_EXTABLE(0b, 0b)
7138 + : "+m" (v->counter)
7143 + * atomic_add_unchecked - add integer to atomic variable
7144 + * @i: integer value to add
7145 + * @v: pointer of type atomic_unchecked_t
7147 + * Atomically adds @i to @v.
7149 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
7151 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
7155 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
7157 static inline void atomic_sub(int i, atomic_t *v)
7159 - asm volatile(LOCK_PREFIX "subl %1,%0"
7160 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
7162 +#ifdef CONFIG_PAX_REFCOUNT
7164 + LOCK_PREFIX "addl %1,%0\n"
7166 + _ASM_EXTABLE(0b, 0b)
7169 + : "+m" (v->counter)
7174 + * atomic_sub_unchecked - subtract integer from atomic variable
7175 + * @i: integer value to subtract
7176 + * @v: pointer of type atomic_unchecked_t
7178 + * Atomically subtracts @i from @v.
7180 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
7182 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
7186 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
7190 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
7191 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
7193 +#ifdef CONFIG_PAX_REFCOUNT
7195 + LOCK_PREFIX "addl %2,%0\n"
7197 + _ASM_EXTABLE(0b, 0b)
7201 : "+m" (v->counter), "=qm" (c)
7202 : "ir" (i) : "memory");
7204 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
7206 static inline void atomic_inc(atomic_t *v)
7208 - asm volatile(LOCK_PREFIX "incl %0"
7209 + asm volatile(LOCK_PREFIX "incl %0\n"
7211 +#ifdef CONFIG_PAX_REFCOUNT
7213 + LOCK_PREFIX "decl %0\n"
7215 + _ASM_EXTABLE(0b, 0b)
7218 + : "+m" (v->counter));
7222 + * atomic_inc_unchecked - increment atomic variable
7223 + * @v: pointer of type atomic_unchecked_t
7225 + * Atomically increments @v by 1.
7227 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
7229 + asm volatile(LOCK_PREFIX "incl %0\n"
7230 : "+m" (v->counter));
7233 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
7235 static inline void atomic_dec(atomic_t *v)
7237 - asm volatile(LOCK_PREFIX "decl %0"
7238 + asm volatile(LOCK_PREFIX "decl %0\n"
7240 +#ifdef CONFIG_PAX_REFCOUNT
7242 + LOCK_PREFIX "incl %0\n"
7244 + _ASM_EXTABLE(0b, 0b)
7247 + : "+m" (v->counter));
7251 + * atomic_dec_unchecked - decrement atomic variable
7252 + * @v: pointer of type atomic_unchecked_t
7254 + * Atomically decrements @v by 1.
7256 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
7258 + asm volatile(LOCK_PREFIX "decl %0\n"
7259 : "+m" (v->counter));
7262 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
7266 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
7267 + asm volatile(LOCK_PREFIX "decl %0\n"
7269 +#ifdef CONFIG_PAX_REFCOUNT
7271 + LOCK_PREFIX "incl %0\n"
7273 + _ASM_EXTABLE(0b, 0b)
7277 : "+m" (v->counter), "=qm" (c)
7280 @@ -138,7 +263,35 @@ static inline int atomic_inc_and_test(at
7284 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
7285 + asm volatile(LOCK_PREFIX "incl %0\n"
7287 +#ifdef CONFIG_PAX_REFCOUNT
7289 + LOCK_PREFIX "decl %0\n"
7291 + _ASM_EXTABLE(0b, 0b)
7295 + : "+m" (v->counter), "=qm" (c)
7301 + * atomic_inc_and_test_unchecked - increment and test
7302 + * @v: pointer of type atomic_unchecked_t
7304 + * Atomically increments @v by 1
7305 + * and returns true if the result is zero, or false for all
7308 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
7312 + asm volatile(LOCK_PREFIX "incl %0\n"
7314 : "+m" (v->counter), "=qm" (c)
7317 @@ -157,7 +310,16 @@ static inline int atomic_add_negative(in
7321 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
7322 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
7324 +#ifdef CONFIG_PAX_REFCOUNT
7326 + LOCK_PREFIX "subl %2,%0\n"
7328 + _ASM_EXTABLE(0b, 0b)
7332 : "+m" (v->counter), "=qm" (c)
7333 : "ir" (i) : "memory");
7335 @@ -180,6 +342,46 @@ static inline int atomic_add_return(int
7337 /* Modern 486+ processor */
7339 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
7341 +#ifdef CONFIG_PAX_REFCOUNT
7345 + _ASM_EXTABLE(0b, 0b)
7348 + : "+r" (i), "+m" (v->counter)
7353 +no_xadd: /* Legacy 386 processor */
7354 + local_irq_save(flags);
7355 + __i = atomic_read(v);
7356 + atomic_set(v, i + __i);
7357 + local_irq_restore(flags);
7363 + * atomic_add_return_unchecked - add integer and return
7364 + * @v: pointer of type atomic_unchecked_t
7365 + * @i: integer value to add
7367 + * Atomically adds @i to @v and returns @i + @v
7369 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
7373 + unsigned long flags;
7374 + if (unlikely(boot_cpu_data.x86 <= 3))
7377 + /* Modern 486+ processor */
7379 asm volatile(LOCK_PREFIX "xaddl %0, %1"
7380 : "+r" (i), "+m" (v->counter)
7382 @@ -208,6 +410,10 @@ static inline int atomic_sub_return(int
7385 #define atomic_inc_return(v) (atomic_add_return(1, v))
7386 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
7388 + return atomic_add_return_unchecked(1, v);
7390 #define atomic_dec_return(v) (atomic_sub_return(1, v))
7392 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
7393 @@ -215,11 +421,21 @@ static inline int atomic_cmpxchg(atomic_
7394 return cmpxchg(&v->counter, old, new);
7397 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
7399 + return cmpxchg(&v->counter, old, new);
7402 static inline int atomic_xchg(atomic_t *v, int new)
7404 return xchg(&v->counter, new);
7407 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
7409 + return xchg(&v->counter, new);
7413 * atomic_add_unless - add unless the number is already a given value
7414 * @v: pointer of type atomic_t
7415 @@ -231,21 +447,77 @@ static inline int atomic_xchg(atomic_t *
7417 static inline int atomic_add_unless(atomic_t *v, int a, int u)
7423 - if (unlikely(c == (u)))
7424 + if (unlikely(c == u))
7426 - old = atomic_cmpxchg((v), c, c + (a));
7428 + asm volatile("addl %2,%0\n"
7430 +#ifdef CONFIG_PAX_REFCOUNT
7434 + _ASM_EXTABLE(0b, 0b)
7438 + : "0" (c), "ir" (a));
7440 + old = atomic_cmpxchg(v, c, new);
7441 if (likely(old == c))
7449 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
7452 + * atomic_inc_not_zero_hint - increment if not null
7453 + * @v: pointer of type atomic_t
7454 + * @hint: probable value of the atomic before the increment
7456 + * This version of atomic_inc_not_zero() gives a hint of probable
7457 + * value of the atomic. This helps processor to not read the memory
7458 + * before doing the atomic read/modify/write cycle, lowering
7459 + * number of bus transactions on some arches.
7461 + * Returns: 0 if increment was not done, 1 otherwise.
7463 +#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint
7464 +static inline int atomic_inc_not_zero_hint(atomic_t *v, int hint)
7466 + int val, c = hint, new;
7468 + /* sanity test, should be removed by compiler if hint is a constant */
7470 + return atomic_inc_not_zero(v);
7473 + asm volatile("incl %0\n"
7475 +#ifdef CONFIG_PAX_REFCOUNT
7479 + _ASM_EXTABLE(0b, 0b)
7485 + val = atomic_cmpxchg(v, c, new);
7495 * atomic_dec_if_positive - decrement by 1 if old value positive
7496 * @v: pointer of type atomic_t
7497 diff -urNp linux-2.6.38.6/arch/x86/include/asm/bitops.h linux-2.6.38.6/arch/x86/include/asm/bitops.h
7498 --- linux-2.6.38.6/arch/x86/include/asm/bitops.h 2011-03-14 21:20:32.000000000 -0400
7499 +++ linux-2.6.38.6/arch/x86/include/asm/bitops.h 2011-04-28 19:34:14.000000000 -0400
7501 * a mask operation on a byte.
7503 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
7504 -#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
7505 +#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
7506 #define CONST_MASK(nr) (1 << ((nr) & 7))
7509 diff -urNp linux-2.6.38.6/arch/x86/include/asm/boot.h linux-2.6.38.6/arch/x86/include/asm/boot.h
7510 --- linux-2.6.38.6/arch/x86/include/asm/boot.h 2011-03-14 21:20:32.000000000 -0400
7511 +++ linux-2.6.38.6/arch/x86/include/asm/boot.h 2011-04-28 19:34:14.000000000 -0400
7513 #include <asm/pgtable_types.h>
7515 /* Physical address where kernel should be loaded. */
7516 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7517 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7518 + (CONFIG_PHYSICAL_ALIGN - 1)) \
7519 & ~(CONFIG_PHYSICAL_ALIGN - 1))
7521 +#ifndef __ASSEMBLY__
7522 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
7523 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
7526 /* Minimum kernel alignment, as a power of two */
7527 #ifdef CONFIG_X86_64
7528 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
7529 diff -urNp linux-2.6.38.6/arch/x86/include/asm/cacheflush.h linux-2.6.38.6/arch/x86/include/asm/cacheflush.h
7530 --- linux-2.6.38.6/arch/x86/include/asm/cacheflush.h 2011-03-14 21:20:32.000000000 -0400
7531 +++ linux-2.6.38.6/arch/x86/include/asm/cacheflush.h 2011-04-28 19:34:14.000000000 -0400
7532 @@ -26,7 +26,7 @@ static inline unsigned long get_page_mem
7533 unsigned long pg_flags = pg->flags & _PGMT_MASK;
7535 if (pg_flags == _PGMT_DEFAULT)
7538 else if (pg_flags == _PGMT_WC)
7539 return _PAGE_CACHE_WC;
7540 else if (pg_flags == _PGMT_UC_MINUS)
7541 diff -urNp linux-2.6.38.6/arch/x86/include/asm/cache.h linux-2.6.38.6/arch/x86/include/asm/cache.h
7542 --- linux-2.6.38.6/arch/x86/include/asm/cache.h 2011-03-14 21:20:32.000000000 -0400
7543 +++ linux-2.6.38.6/arch/x86/include/asm/cache.h 2011-04-28 19:57:25.000000000 -0400
7546 /* L1 cache line size */
7547 #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
7548 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
7549 +#define L1_CACHE_BYTES (_AC(1,U) << L1_CACHE_SHIFT)
7551 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
7552 +#define __read_only __attribute__((__section__(".data..read_only")))
7554 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
7555 -#define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
7556 +#define INTERNODE_CACHE_BYTES (_AC(1,U) << INTERNODE_CACHE_SHIFT)
7558 #ifdef CONFIG_X86_VSMP
7560 diff -urNp linux-2.6.38.6/arch/x86/include/asm/checksum_32.h linux-2.6.38.6/arch/x86/include/asm/checksum_32.h
7561 --- linux-2.6.38.6/arch/x86/include/asm/checksum_32.h 2011-03-14 21:20:32.000000000 -0400
7562 +++ linux-2.6.38.6/arch/x86/include/asm/checksum_32.h 2011-04-28 19:34:14.000000000 -0400
7563 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
7564 int len, __wsum sum,
7565 int *src_err_ptr, int *dst_err_ptr);
7567 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
7568 + int len, __wsum sum,
7569 + int *src_err_ptr, int *dst_err_ptr);
7571 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
7572 + int len, __wsum sum,
7573 + int *src_err_ptr, int *dst_err_ptr);
7576 * Note: when you get a NULL pointer exception here this means someone
7577 * passed in an incorrect kernel address to one of these functions.
7578 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
7582 - return csum_partial_copy_generic((__force void *)src, dst,
7583 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
7584 len, sum, err_ptr, NULL);
7587 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
7590 if (access_ok(VERIFY_WRITE, dst, len))
7591 - return csum_partial_copy_generic(src, (__force void *)dst,
7592 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
7593 len, sum, NULL, err_ptr);
7596 diff -urNp linux-2.6.38.6/arch/x86/include/asm/cpufeature.h linux-2.6.38.6/arch/x86/include/asm/cpufeature.h
7597 --- linux-2.6.38.6/arch/x86/include/asm/cpufeature.h 2011-03-14 21:20:32.000000000 -0400
7598 +++ linux-2.6.38.6/arch/x86/include/asm/cpufeature.h 2011-04-28 19:34:14.000000000 -0400
7599 @@ -349,7 +349,7 @@ static __always_inline __pure bool __sta
7600 ".section .discard,\"aw\",@progbits\n"
7601 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
7603 - ".section .altinstr_replacement,\"ax\"\n"
7604 + ".section .altinstr_replacement,\"a\"\n"
7608 diff -urNp linux-2.6.38.6/arch/x86/include/asm/desc_defs.h linux-2.6.38.6/arch/x86/include/asm/desc_defs.h
7609 --- linux-2.6.38.6/arch/x86/include/asm/desc_defs.h 2011-03-14 21:20:32.000000000 -0400
7610 +++ linux-2.6.38.6/arch/x86/include/asm/desc_defs.h 2011-04-28 19:34:14.000000000 -0400
7611 @@ -31,6 +31,12 @@ struct desc_struct {
7612 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
7613 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
7618 + unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
7619 + unsigned offset_high: 16;
7622 } __attribute__((packed));
7624 diff -urNp linux-2.6.38.6/arch/x86/include/asm/desc.h linux-2.6.38.6/arch/x86/include/asm/desc.h
7625 --- linux-2.6.38.6/arch/x86/include/asm/desc.h 2011-03-14 21:20:32.000000000 -0400
7626 +++ linux-2.6.38.6/arch/x86/include/asm/desc.h 2011-04-28 19:34:14.000000000 -0400
7628 #include <asm/desc_defs.h>
7629 #include <asm/ldt.h>
7630 #include <asm/mmu.h>
7631 +#include <asm/pgtable.h>
7632 #include <linux/smp.h>
7634 static inline void fill_ldt(struct desc_struct *desc,
7635 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
7636 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
7637 desc->type = (info->read_exec_only ^ 1) << 1;
7638 desc->type |= info->contents << 2;
7639 + desc->type |= info->seg_not_present ^ 1;
7642 desc->p = info->seg_not_present ^ 1;
7643 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
7646 extern struct desc_ptr idt_descr;
7647 -extern gate_desc idt_table[];
7650 - struct desc_struct gdt[GDT_ENTRIES];
7651 -} __attribute__((aligned(PAGE_SIZE)));
7652 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
7653 +extern gate_desc idt_table[256];
7655 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
7656 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
7658 - return per_cpu(gdt_page, cpu).gdt;
7659 + return cpu_gdt_table[cpu];
7662 #ifdef CONFIG_X86_64
7663 @@ -65,9 +63,14 @@ static inline void pack_gate(gate_desc *
7664 unsigned long base, unsigned dpl, unsigned flags,
7667 - gate->a = (seg << 16) | (base & 0xffff);
7668 - gate->b = (base & 0xffff0000) |
7669 - (((0x80 | type | (dpl << 5)) & 0xff) << 8);
7670 + gate->gate.offset_low = base;
7671 + gate->gate.seg = seg;
7672 + gate->gate.reserved = 0;
7673 + gate->gate.type = type;
7675 + gate->gate.dpl = dpl;
7677 + gate->gate.offset_high = base >> 16;
7681 @@ -115,13 +118,17 @@ static inline void paravirt_free_ldt(str
7682 static inline void native_write_idt_entry(gate_desc *idt, int entry,
7683 const gate_desc *gate)
7685 + pax_open_kernel();
7686 memcpy(&idt[entry], gate, sizeof(*gate));
7687 + pax_close_kernel();
7690 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
7693 + pax_open_kernel();
7694 memcpy(&ldt[entry], desc, 8);
7695 + pax_close_kernel();
7698 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
7699 @@ -139,7 +146,10 @@ static inline void native_write_gdt_entr
7700 size = sizeof(struct desc_struct);
7704 + pax_open_kernel();
7705 memcpy(&gdt[entry], desc, size);
7706 + pax_close_kernel();
7709 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
7710 @@ -211,7 +221,9 @@ static inline void native_set_ldt(const
7712 static inline void native_load_tr_desc(void)
7714 + pax_open_kernel();
7715 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
7716 + pax_close_kernel();
7719 static inline void native_load_gdt(const struct desc_ptr *dtr)
7720 @@ -246,8 +258,10 @@ static inline void native_load_tls(struc
7722 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
7724 + pax_open_kernel();
7725 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
7726 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
7727 + pax_close_kernel();
7730 #define _LDT_empty(info) \
7731 @@ -309,7 +323,7 @@ static inline void set_desc_limit(struct
7732 desc->limit = (limit >> 16) & 0xf;
7735 -static inline void _set_gate(int gate, unsigned type, void *addr,
7736 +static inline void _set_gate(int gate, unsigned type, const void *addr,
7737 unsigned dpl, unsigned ist, unsigned seg)
7740 @@ -327,7 +341,7 @@ static inline void _set_gate(int gate, u
7741 * Pentium F0 0F bugfix can have resulted in the mapped
7742 * IDT being write-protected.
7744 -static inline void set_intr_gate(unsigned int n, void *addr)
7745 +static inline void set_intr_gate(unsigned int n, const void *addr)
7747 BUG_ON((unsigned)n > 0xFF);
7748 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
7749 @@ -356,19 +370,19 @@ static inline void alloc_intr_gate(unsig
7751 * This routine sets up an interrupt gate at directory privilege level 3.
7753 -static inline void set_system_intr_gate(unsigned int n, void *addr)
7754 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
7756 BUG_ON((unsigned)n > 0xFF);
7757 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
7760 -static inline void set_system_trap_gate(unsigned int n, void *addr)
7761 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
7763 BUG_ON((unsigned)n > 0xFF);
7764 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
7767 -static inline void set_trap_gate(unsigned int n, void *addr)
7768 +static inline void set_trap_gate(unsigned int n, const void *addr)
7770 BUG_ON((unsigned)n > 0xFF);
7771 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
7772 @@ -377,19 +391,31 @@ static inline void set_trap_gate(unsigne
7773 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
7775 BUG_ON((unsigned)n > 0xFF);
7776 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
7777 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
7780 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
7781 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
7783 BUG_ON((unsigned)n > 0xFF);
7784 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
7787 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
7788 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
7790 BUG_ON((unsigned)n > 0xFF);
7791 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
7794 +#ifdef CONFIG_X86_32
7795 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
7797 + struct desc_struct d;
7799 + if (likely(limit))
7800 + limit = (limit - 1UL) >> PAGE_SHIFT;
7801 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
7802 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
7806 #endif /* _ASM_X86_DESC_H */
7807 diff -urNp linux-2.6.38.6/arch/x86/include/asm/device.h linux-2.6.38.6/arch/x86/include/asm/device.h
7808 --- linux-2.6.38.6/arch/x86/include/asm/device.h 2011-03-14 21:20:32.000000000 -0400
7809 +++ linux-2.6.38.6/arch/x86/include/asm/device.h 2011-04-28 19:34:14.000000000 -0400
7810 @@ -6,7 +6,7 @@ struct dev_archdata {
7813 #ifdef CONFIG_X86_64
7814 -struct dma_map_ops *dma_ops;
7815 + const struct dma_map_ops *dma_ops;
7817 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
7818 void *iommu; /* hook for IOMMU specific extension */
7819 diff -urNp linux-2.6.38.6/arch/x86/include/asm/dma-mapping.h linux-2.6.38.6/arch/x86/include/asm/dma-mapping.h
7820 --- linux-2.6.38.6/arch/x86/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
7821 +++ linux-2.6.38.6/arch/x86/include/asm/dma-mapping.h 2011-04-28 19:34:14.000000000 -0400
7822 @@ -26,9 +26,9 @@ extern int iommu_merge;
7823 extern struct device x86_dma_fallback_dev;
7824 extern int panic_on_overflow;
7826 -extern struct dma_map_ops *dma_ops;
7827 +extern const struct dma_map_ops *dma_ops;
7829 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
7830 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
7832 #ifdef CONFIG_X86_32
7834 @@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
7835 /* Make sure we keep the same behaviour */
7836 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
7838 - struct dma_map_ops *ops = get_dma_ops(dev);
7839 + const struct dma_map_ops *ops = get_dma_ops(dev);
7840 if (ops->mapping_error)
7841 return ops->mapping_error(dev, dma_addr);
7843 @@ -115,7 +115,7 @@ static inline void *
7844 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
7847 - struct dma_map_ops *ops = get_dma_ops(dev);
7848 + const struct dma_map_ops *ops = get_dma_ops(dev);
7851 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
7852 @@ -142,7 +142,7 @@ dma_alloc_coherent(struct device *dev, s
7853 static inline void dma_free_coherent(struct device *dev, size_t size,
7854 void *vaddr, dma_addr_t bus)
7856 - struct dma_map_ops *ops = get_dma_ops(dev);
7857 + const struct dma_map_ops *ops = get_dma_ops(dev);
7859 WARN_ON(irqs_disabled()); /* for portability */
7861 diff -urNp linux-2.6.38.6/arch/x86/include/asm/e820.h linux-2.6.38.6/arch/x86/include/asm/e820.h
7862 --- linux-2.6.38.6/arch/x86/include/asm/e820.h 2011-03-14 21:20:32.000000000 -0400
7863 +++ linux-2.6.38.6/arch/x86/include/asm/e820.h 2011-04-28 19:34:14.000000000 -0400
7864 @@ -69,7 +69,7 @@ struct e820map {
7865 #define ISA_START_ADDRESS 0xa0000
7866 #define ISA_END_ADDRESS 0x100000
7868 -#define BIOS_BEGIN 0x000a0000
7869 +#define BIOS_BEGIN 0x000c0000
7870 #define BIOS_END 0x00100000
7872 #define BIOS_ROM_BASE 0xffe00000
7873 diff -urNp linux-2.6.38.6/arch/x86/include/asm/elf.h linux-2.6.38.6/arch/x86/include/asm/elf.h
7874 --- linux-2.6.38.6/arch/x86/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
7875 +++ linux-2.6.38.6/arch/x86/include/asm/elf.h 2011-04-28 19:34:14.000000000 -0400
7876 @@ -237,7 +237,25 @@ extern int force_personality32;
7877 the loader. We need to make sure that it is out of the way of the program
7878 that it will "exec", and that there is sufficient room for the brk. */
7880 +#ifdef CONFIG_PAX_SEGMEXEC
7881 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
7883 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
7886 +#ifdef CONFIG_PAX_ASLR
7887 +#ifdef CONFIG_X86_32
7888 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
7890 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7891 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7893 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
7895 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7896 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7900 /* This yields a mask that user programs can use to figure out what
7901 instruction set this CPU supports. This could be done in user space,
7902 @@ -291,8 +309,7 @@ do { \
7903 #define ARCH_DLINFO \
7906 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
7907 - (unsigned long)current->mm->context.vdso); \
7908 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
7911 #define AT_SYSINFO 32
7912 @@ -303,7 +320,7 @@ do { \
7914 #endif /* !CONFIG_X86_32 */
7916 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
7917 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
7919 #define VDSO_ENTRY \
7920 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
7921 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
7922 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
7923 #define compat_arch_setup_additional_pages syscall32_setup_pages
7925 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
7926 -#define arch_randomize_brk arch_randomize_brk
7928 #endif /* _ASM_X86_ELF_H */
7929 diff -urNp linux-2.6.38.6/arch/x86/include/asm/futex.h linux-2.6.38.6/arch/x86/include/asm/futex.h
7930 --- linux-2.6.38.6/arch/x86/include/asm/futex.h 2011-03-14 21:20:32.000000000 -0400
7931 +++ linux-2.6.38.6/arch/x86/include/asm/futex.h 2011-04-28 19:34:14.000000000 -0400
7933 #include <asm/system.h>
7935 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7936 + typecheck(u32 *, uaddr); \
7937 asm volatile("1:\t" insn "\n" \
7938 "2:\t.section .fixup,\"ax\"\n" \
7939 "3:\tmov\t%3, %1\n" \
7942 _ASM_EXTABLE(1b, 3b) \
7943 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7944 + : "=r" (oldval), "=r" (ret), "+m" (*(u32 *)____m(uaddr))\
7945 : "i" (-EFAULT), "0" (oparg), "1" (0))
7947 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7948 + typecheck(u32 *, uaddr); \
7949 asm volatile("1:\tmovl %2, %0\n" \
7950 "\tmovl\t%0, %3\n" \
7953 _ASM_EXTABLE(1b, 4b) \
7954 _ASM_EXTABLE(2b, 4b) \
7955 : "=&a" (oldval), "=&r" (ret), \
7956 - "+m" (*uaddr), "=&r" (tem) \
7957 + "+m" (*(u32 *)____m(uaddr)), "=&r" (tem) \
7958 : "r" (oparg), "i" (-EFAULT), "1" (0))
7960 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
7961 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
7963 int op = (encoded_op >> 28) & 7;
7964 int cmp = (encoded_op >> 24) & 15;
7965 @@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
7969 - __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
7970 + __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
7973 - __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
7974 + __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
7978 @@ -109,7 +111,7 @@ static inline int futex_atomic_op_inuser
7982 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
7983 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
7987 @@ -119,16 +121,16 @@ static inline int futex_atomic_cmpxchg_i
7991 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
7992 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
7995 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7996 + asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %1\n"
7997 "2:\t.section .fixup, \"ax\"\n"
8001 _ASM_EXTABLE(1b, 3b)
8002 - : "=a" (oldval), "+m" (*uaddr)
8003 + : "=a" (oldval), "+m" (*(u32 *)____m(uaddr))
8004 : "i" (-EFAULT), "r" (newval), "0" (oldval)
8007 diff -urNp linux-2.6.38.6/arch/x86/include/asm/hw_irq.h linux-2.6.38.6/arch/x86/include/asm/hw_irq.h
8008 --- linux-2.6.38.6/arch/x86/include/asm/hw_irq.h 2011-03-14 21:20:32.000000000 -0400
8009 +++ linux-2.6.38.6/arch/x86/include/asm/hw_irq.h 2011-04-28 19:57:25.000000000 -0400
8010 @@ -113,8 +113,8 @@ extern void setup_ioapic_dest(void);
8011 extern void enable_IO_APIC(void);
8014 -extern atomic_t irq_err_count;
8015 -extern atomic_t irq_mis_count;
8016 +extern atomic_unchecked_t irq_err_count;
8017 +extern atomic_unchecked_t irq_mis_count;
8020 extern void eisa_set_level_irq(unsigned int irq);
8021 diff -urNp linux-2.6.38.6/arch/x86/include/asm/i387.h linux-2.6.38.6/arch/x86/include/asm/i387.h
8022 --- linux-2.6.38.6/arch/x86/include/asm/i387.h 2011-03-14 21:20:32.000000000 -0400
8023 +++ linux-2.6.38.6/arch/x86/include/asm/i387.h 2011-04-28 19:34:14.000000000 -0400
8024 @@ -92,6 +92,11 @@ static inline int fxrstor_checking(struc
8028 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8029 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
8030 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
8033 /* See comment in fxsave() below. */
8034 #ifdef CONFIG_AS_FXSAVEQ
8035 asm volatile("1: fxrstorq %[fx]\n\t"
8036 @@ -121,6 +126,11 @@ static inline int fxsave_user(struct i38
8040 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8041 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
8042 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
8046 * Clear the bytes not touched by the fxsave and reserved
8048 @@ -213,13 +223,8 @@ static inline void fpu_fxsave(struct fpu
8049 #endif /* CONFIG_X86_64 */
8051 /* We need a safe address that is cheap to find and that is already
8052 - in L1 during context switch. The best choices are unfortunately
8053 - different for UP and SMP */
8055 -#define safe_address (__per_cpu_offset[0])
8057 -#define safe_address (kstat_cpu(0).cpustat.user)
8059 + in L1 during context switch. */
8060 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
8063 * These must be called with preempt disabled
8064 @@ -237,7 +242,7 @@ static inline void fpu_save_init(struct
8065 } else if (use_fxsr()) {
8068 - asm volatile("fsave %[fx]; fwait"
8069 + asm volatile("fnsave %[fx]; fwait"
8070 : [fx] "=m" (fpu->state->fsave));
8073 @@ -312,7 +317,7 @@ static inline void kernel_fpu_begin(void
8074 struct thread_info *me = current_thread_info();
8076 if (me->status & TS_USEDFPU)
8077 - __save_init_fpu(me->task);
8078 + __save_init_fpu(current);
8082 diff -urNp linux-2.6.38.6/arch/x86/include/asm/io.h linux-2.6.38.6/arch/x86/include/asm/io.h
8083 --- linux-2.6.38.6/arch/x86/include/asm/io.h 2011-03-14 21:20:32.000000000 -0400
8084 +++ linux-2.6.38.6/arch/x86/include/asm/io.h 2011-04-28 19:34:14.000000000 -0400
8085 @@ -216,6 +216,17 @@ extern void set_iounmap_nonlazy(void);
8087 #include <linux/vmalloc.h>
8089 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
8090 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
8092 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
8095 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
8097 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
8101 * Convert a virtual cached pointer to an uncached pointer
8103 diff -urNp linux-2.6.38.6/arch/x86/include/asm/iommu.h linux-2.6.38.6/arch/x86/include/asm/iommu.h
8104 --- linux-2.6.38.6/arch/x86/include/asm/iommu.h 2011-03-14 21:20:32.000000000 -0400
8105 +++ linux-2.6.38.6/arch/x86/include/asm/iommu.h 2011-04-28 19:34:14.000000000 -0400
8107 #ifndef _ASM_X86_IOMMU_H
8108 #define _ASM_X86_IOMMU_H
8110 -extern struct dma_map_ops nommu_dma_ops;
8111 +extern const struct dma_map_ops nommu_dma_ops;
8112 extern int force_iommu, no_iommu;
8113 extern int iommu_detected;
8114 extern int iommu_pass_through;
8115 diff -urNp linux-2.6.38.6/arch/x86/include/asm/irqflags.h linux-2.6.38.6/arch/x86/include/asm/irqflags.h
8116 --- linux-2.6.38.6/arch/x86/include/asm/irqflags.h 2011-03-14 21:20:32.000000000 -0400
8117 +++ linux-2.6.38.6/arch/x86/include/asm/irqflags.h 2011-04-28 19:34:14.000000000 -0400
8118 @@ -140,6 +140,11 @@ static inline unsigned long arch_local_i
8122 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
8123 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
8124 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
8125 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
8128 #define INTERRUPT_RETURN iret
8129 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
8130 diff -urNp linux-2.6.38.6/arch/x86/include/asm/kprobes.h linux-2.6.38.6/arch/x86/include/asm/kprobes.h
8131 --- linux-2.6.38.6/arch/x86/include/asm/kprobes.h 2011-03-14 21:20:32.000000000 -0400
8132 +++ linux-2.6.38.6/arch/x86/include/asm/kprobes.h 2011-04-28 19:34:14.000000000 -0400
8133 @@ -37,13 +37,8 @@ typedef u8 kprobe_opcode_t;
8134 #define RELATIVEJUMP_SIZE 5
8135 #define RELATIVECALL_OPCODE 0xe8
8136 #define RELATIVE_ADDR_SIZE 4
8137 -#define MAX_STACK_SIZE 64
8138 -#define MIN_STACK_SIZE(ADDR) \
8139 - (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
8140 - THREAD_SIZE - (unsigned long)(ADDR))) \
8141 - ? (MAX_STACK_SIZE) \
8142 - : (((unsigned long)current_thread_info()) + \
8143 - THREAD_SIZE - (unsigned long)(ADDR)))
8144 +#define MAX_STACK_SIZE 64UL
8145 +#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
8147 #define flush_insn_slot(p) do { } while (0)
8149 diff -urNp linux-2.6.38.6/arch/x86/include/asm/kvm_host.h linux-2.6.38.6/arch/x86/include/asm/kvm_host.h
8150 --- linux-2.6.38.6/arch/x86/include/asm/kvm_host.h 2011-03-14 21:20:32.000000000 -0400
8151 +++ linux-2.6.38.6/arch/x86/include/asm/kvm_host.h 2011-04-28 19:57:25.000000000 -0400
8152 @@ -423,7 +423,7 @@ struct kvm_arch {
8153 unsigned int n_used_mmu_pages;
8154 unsigned int n_requested_mmu_pages;
8155 unsigned int n_max_mmu_pages;
8156 - atomic_t invlpg_counter;
8157 + atomic_unchecked_t invlpg_counter;
8158 struct hlist_head mmu_page_hash[KVM_NUM_MMU_PAGES];
8160 * Hash table of struct kvm_mmu_page.
8161 @@ -603,7 +603,7 @@ struct kvm_arch_async_pf {
8165 -extern struct kvm_x86_ops *kvm_x86_ops;
8166 +extern const struct kvm_x86_ops *kvm_x86_ops;
8168 int kvm_mmu_module_init(void);
8169 void kvm_mmu_module_exit(void);
8170 diff -urNp linux-2.6.38.6/arch/x86/include/asm/local.h linux-2.6.38.6/arch/x86/include/asm/local.h
8171 --- linux-2.6.38.6/arch/x86/include/asm/local.h 2011-03-14 21:20:32.000000000 -0400
8172 +++ linux-2.6.38.6/arch/x86/include/asm/local.h 2011-04-28 19:34:14.000000000 -0400
8173 @@ -18,26 +18,58 @@ typedef struct {
8175 static inline void local_inc(local_t *l)
8177 - asm volatile(_ASM_INC "%0"
8178 + asm volatile(_ASM_INC "%0\n"
8180 +#ifdef CONFIG_PAX_REFCOUNT
8184 + _ASM_EXTABLE(0b, 0b)
8187 : "+m" (l->a.counter));
8190 static inline void local_dec(local_t *l)
8192 - asm volatile(_ASM_DEC "%0"
8193 + asm volatile(_ASM_DEC "%0\n"
8195 +#ifdef CONFIG_PAX_REFCOUNT
8199 + _ASM_EXTABLE(0b, 0b)
8202 : "+m" (l->a.counter));
8205 static inline void local_add(long i, local_t *l)
8207 - asm volatile(_ASM_ADD "%1,%0"
8208 + asm volatile(_ASM_ADD "%1,%0\n"
8210 +#ifdef CONFIG_PAX_REFCOUNT
8212 + _ASM_SUB "%1,%0\n"
8214 + _ASM_EXTABLE(0b, 0b)
8217 : "+m" (l->a.counter)
8221 static inline void local_sub(long i, local_t *l)
8223 - asm volatile(_ASM_SUB "%1,%0"
8224 + asm volatile(_ASM_SUB "%1,%0\n"
8226 +#ifdef CONFIG_PAX_REFCOUNT
8228 + _ASM_ADD "%1,%0\n"
8230 + _ASM_EXTABLE(0b, 0b)
8233 : "+m" (l->a.counter)
8236 @@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
8240 - asm volatile(_ASM_SUB "%2,%0; sete %1"
8241 + asm volatile(_ASM_SUB "%2,%0\n"
8243 +#ifdef CONFIG_PAX_REFCOUNT
8245 + _ASM_ADD "%2,%0\n"
8247 + _ASM_EXTABLE(0b, 0b)
8251 : "+m" (l->a.counter), "=qm" (c)
8252 : "ir" (i) : "memory");
8254 @@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
8258 - asm volatile(_ASM_DEC "%0; sete %1"
8259 + asm volatile(_ASM_DEC "%0\n"
8261 +#ifdef CONFIG_PAX_REFCOUNT
8265 + _ASM_EXTABLE(0b, 0b)
8269 : "+m" (l->a.counter), "=qm" (c)
8272 @@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
8276 - asm volatile(_ASM_INC "%0; sete %1"
8277 + asm volatile(_ASM_INC "%0\n"
8279 +#ifdef CONFIG_PAX_REFCOUNT
8283 + _ASM_EXTABLE(0b, 0b)
8287 : "+m" (l->a.counter), "=qm" (c)
8290 @@ -110,7 +169,16 @@ static inline int local_add_negative(lon
8294 - asm volatile(_ASM_ADD "%2,%0; sets %1"
8295 + asm volatile(_ASM_ADD "%2,%0\n"
8297 +#ifdef CONFIG_PAX_REFCOUNT
8299 + _ASM_SUB "%2,%0\n"
8301 + _ASM_EXTABLE(0b, 0b)
8305 : "+m" (l->a.counter), "=qm" (c)
8306 : "ir" (i) : "memory");
8308 @@ -133,7 +201,15 @@ static inline long local_add_return(long
8310 /* Modern 486+ processor */
8312 - asm volatile(_ASM_XADD "%0, %1;"
8313 + asm volatile(_ASM_XADD "%0, %1\n"
8315 +#ifdef CONFIG_PAX_REFCOUNT
8317 + _ASM_MOV "%0,%1\n"
8319 + _ASM_EXTABLE(0b, 0b)
8322 : "+r" (i), "+m" (l->a.counter)
8325 diff -urNp linux-2.6.38.6/arch/x86/include/asm/mce.h linux-2.6.38.6/arch/x86/include/asm/mce.h
8326 --- linux-2.6.38.6/arch/x86/include/asm/mce.h 2011-03-14 21:20:32.000000000 -0400
8327 +++ linux-2.6.38.6/arch/x86/include/asm/mce.h 2011-04-28 19:34:14.000000000 -0400
8328 @@ -198,7 +198,7 @@ int mce_notify_irq(void);
8329 void mce_notify_process(void);
8331 DECLARE_PER_CPU(struct mce, injectm);
8332 -extern struct file_operations mce_chrdev_ops;
8333 +extern struct file_operations mce_chrdev_ops; /* cannot be const, see arch/x86/kernel/cpu/mcheck/mce. */
8337 diff -urNp linux-2.6.38.6/arch/x86/include/asm/microcode.h linux-2.6.38.6/arch/x86/include/asm/microcode.h
8338 --- linux-2.6.38.6/arch/x86/include/asm/microcode.h 2011-03-14 21:20:32.000000000 -0400
8339 +++ linux-2.6.38.6/arch/x86/include/asm/microcode.h 2011-04-28 19:34:14.000000000 -0400
8340 @@ -12,13 +12,13 @@ struct device;
8341 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
8343 struct microcode_ops {
8344 - enum ucode_state (*request_microcode_user) (int cpu,
8345 + enum ucode_state (* const request_microcode_user) (int cpu,
8346 const void __user *buf, size_t size);
8348 - enum ucode_state (*request_microcode_fw) (int cpu,
8349 + enum ucode_state (* const request_microcode_fw) (int cpu,
8350 struct device *device);
8352 - void (*microcode_fini_cpu) (int cpu);
8353 + void (* const microcode_fini_cpu) (int cpu);
8356 * The generic 'microcode_core' part guarantees that
8357 @@ -38,16 +38,16 @@ struct ucode_cpu_info {
8358 extern struct ucode_cpu_info ucode_cpu_info[];
8360 #ifdef CONFIG_MICROCODE_INTEL
8361 -extern struct microcode_ops * __init init_intel_microcode(void);
8362 +extern const struct microcode_ops * __init init_intel_microcode(void);
8364 -static inline struct microcode_ops * __init init_intel_microcode(void)
8365 +static inline const struct microcode_ops * __init init_intel_microcode(void)
8369 #endif /* CONFIG_MICROCODE_INTEL */
8371 #ifdef CONFIG_MICROCODE_AMD
8372 -extern struct microcode_ops * __init init_amd_microcode(void);
8373 +extern const struct microcode_ops * __init init_amd_microcode(void);
8375 static inline void get_ucode_data(void *to, const u8 *from, size_t n)
8377 @@ -55,7 +55,7 @@ static inline void get_ucode_data(void *
8381 -static inline struct microcode_ops * __init init_amd_microcode(void)
8382 +static inline const struct microcode_ops * __init init_amd_microcode(void)
8386 diff -urNp linux-2.6.38.6/arch/x86/include/asm/mman.h linux-2.6.38.6/arch/x86/include/asm/mman.h
8387 --- linux-2.6.38.6/arch/x86/include/asm/mman.h 2011-03-14 21:20:32.000000000 -0400
8388 +++ linux-2.6.38.6/arch/x86/include/asm/mman.h 2011-04-28 19:34:14.000000000 -0400
8391 #include <asm-generic/mman.h>
8394 +#ifndef __ASSEMBLY__
8395 +#ifdef CONFIG_X86_32
8396 +#define arch_mmap_check i386_mmap_check
8397 +int i386_mmap_check(unsigned long addr, unsigned long len,
8398 + unsigned long flags);
8403 #endif /* _ASM_X86_MMAN_H */
8404 diff -urNp linux-2.6.38.6/arch/x86/include/asm/mmu_context.h linux-2.6.38.6/arch/x86/include/asm/mmu_context.h
8405 --- linux-2.6.38.6/arch/x86/include/asm/mmu_context.h 2011-03-14 21:20:32.000000000 -0400
8406 +++ linux-2.6.38.6/arch/x86/include/asm/mmu_context.h 2011-04-28 19:34:14.000000000 -0400
8407 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
8409 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
8412 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8416 + pax_open_kernel();
8417 + pgd = get_cpu_pgd(smp_processor_id());
8418 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
8419 + if (paravirt_enabled())
8420 + set_pgd(pgd+i, native_make_pgd(0));
8422 + pgd[i] = native_make_pgd(0);
8423 + pax_close_kernel();
8427 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
8428 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
8429 @@ -34,16 +49,30 @@ static inline void switch_mm(struct mm_s
8430 struct task_struct *tsk)
8432 unsigned cpu = smp_processor_id();
8433 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
8434 + int tlbstate = TLBSTATE_OK;
8437 if (likely(prev != next)) {
8439 +#ifdef CONFIG_X86_32
8440 + tlbstate = percpu_read(cpu_tlbstate.state);
8442 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8443 percpu_write(cpu_tlbstate.active_mm, next);
8445 cpumask_set_cpu(cpu, mm_cpumask(next));
8447 /* Re-load page tables */
8448 +#ifdef CONFIG_PAX_PER_CPU_PGD
8449 + pax_open_kernel();
8450 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
8451 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
8452 + pax_close_kernel();
8453 + load_cr3(get_cpu_pgd(cpu));
8455 load_cr3(next->pgd);
8458 /* stop flush ipis for the previous mm */
8459 cpumask_clear_cpu(cpu, mm_cpumask(prev));
8460 @@ -53,9 +82,38 @@ static inline void switch_mm(struct mm_s
8462 if (unlikely(prev->context.ldt != next->context.ldt))
8463 load_LDT_nolock(&next->context);
8466 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8467 + if (!(__supported_pte_mask & _PAGE_NX)) {
8468 + smp_mb__before_clear_bit();
8469 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
8470 + smp_mb__after_clear_bit();
8471 + cpu_set(cpu, next->context.cpu_user_cs_mask);
8475 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8476 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
8477 + prev->context.user_cs_limit != next->context.user_cs_limit))
8478 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8480 + else if (unlikely(tlbstate != TLBSTATE_OK))
8481 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8488 +#ifdef CONFIG_PAX_PER_CPU_PGD
8489 + pax_open_kernel();
8490 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
8491 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
8492 + pax_close_kernel();
8493 + load_cr3(get_cpu_pgd(cpu));
8497 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8498 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
8500 @@ -64,11 +122,28 @@ static inline void switch_mm(struct mm_s
8501 * tlb flush IPI delivery. We must reload CR3
8502 * to make sure to use no freed page tables.
8505 +#ifndef CONFIG_PAX_PER_CPU_PGD
8506 load_cr3(next->pgd);
8509 load_LDT_nolock(&next->context);
8511 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
8512 + if (!(__supported_pte_mask & _PAGE_NX))
8513 + cpu_set(cpu, next->context.cpu_user_cs_mask);
8516 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8517 +#ifdef CONFIG_PAX_PAGEEXEC
8518 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
8520 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8529 #define activate_mm(prev, next) \
8530 diff -urNp linux-2.6.38.6/arch/x86/include/asm/mmu.h linux-2.6.38.6/arch/x86/include/asm/mmu.h
8531 --- linux-2.6.38.6/arch/x86/include/asm/mmu.h 2011-03-14 21:20:32.000000000 -0400
8532 +++ linux-2.6.38.6/arch/x86/include/asm/mmu.h 2011-04-28 19:34:14.000000000 -0400
8534 * we put the segment information here.
8538 + struct desc_struct *ldt;
8542 + unsigned long vdso;
8544 +#ifdef CONFIG_X86_32
8545 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
8546 + unsigned long user_cs_base;
8547 + unsigned long user_cs_limit;
8549 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8550 + cpumask_t cpu_user_cs_mask;
8559 diff -urNp linux-2.6.38.6/arch/x86/include/asm/module.h linux-2.6.38.6/arch/x86/include/asm/module.h
8560 --- linux-2.6.38.6/arch/x86/include/asm/module.h 2011-03-14 21:20:32.000000000 -0400
8561 +++ linux-2.6.38.6/arch/x86/include/asm/module.h 2011-04-28 19:34:14.000000000 -0400
8564 #ifdef CONFIG_X86_64
8565 /* X86_64 does not define MODULE_PROC_FAMILY */
8566 +#define MODULE_PROC_FAMILY ""
8567 #elif defined CONFIG_M386
8568 #define MODULE_PROC_FAMILY "386 "
8569 #elif defined CONFIG_M486
8571 #error unknown processor family
8574 -#ifdef CONFIG_X86_32
8575 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
8576 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8577 +#define MODULE_PAX_UDEREF "UDEREF "
8579 +#define MODULE_PAX_UDEREF ""
8582 +#ifdef CONFIG_PAX_KERNEXEC
8583 +#define MODULE_PAX_KERNEXEC "KERNEXEC "
8585 +#define MODULE_PAX_KERNEXEC ""
8588 +#ifdef CONFIG_PAX_REFCOUNT
8589 +#define MODULE_PAX_REFCOUNT "REFCOUNT "
8591 +#define MODULE_PAX_REFCOUNT ""
8594 +#ifdef CONFIG_GRKERNSEC
8595 +#define MODULE_GRSEC "GRSECURITY "
8597 +#define MODULE_GRSEC ""
8600 +#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF MODULE_PAX_REFCOUNT
8602 #endif /* _ASM_X86_MODULE_H */
8603 diff -urNp linux-2.6.38.6/arch/x86/include/asm/page_64_types.h linux-2.6.38.6/arch/x86/include/asm/page_64_types.h
8604 --- linux-2.6.38.6/arch/x86/include/asm/page_64_types.h 2011-03-14 21:20:32.000000000 -0400
8605 +++ linux-2.6.38.6/arch/x86/include/asm/page_64_types.h 2011-04-28 19:34:14.000000000 -0400
8606 @@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
8608 /* duplicated to the one in bootmem.h */
8609 extern unsigned long max_pfn;
8610 -extern unsigned long phys_base;
8611 +extern const unsigned long phys_base;
8613 extern unsigned long __phys_addr(unsigned long);
8614 #define __phys_reloc_hide(x) (x)
8615 diff -urNp linux-2.6.38.6/arch/x86/include/asm/paravirt.h linux-2.6.38.6/arch/x86/include/asm/paravirt.h
8616 --- linux-2.6.38.6/arch/x86/include/asm/paravirt.h 2011-03-14 21:20:32.000000000 -0400
8617 +++ linux-2.6.38.6/arch/x86/include/asm/paravirt.h 2011-04-28 19:34:14.000000000 -0400
8618 @@ -739,6 +739,21 @@ static inline void __set_fixmap(unsigned
8619 pv_mmu_ops.set_fixmap(idx, phys, flags);
8622 +#ifdef CONFIG_PAX_KERNEXEC
8623 +static inline unsigned long pax_open_kernel(void)
8625 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
8628 +static inline unsigned long pax_close_kernel(void)
8630 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
8633 +static inline unsigned long pax_open_kernel(void) { return 0; }
8634 +static inline unsigned long pax_close_kernel(void) { return 0; }
8637 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
8639 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
8640 @@ -955,7 +970,7 @@ extern void default_banner(void);
8642 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
8643 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
8644 -#define PARA_INDIRECT(addr) *%cs:addr
8645 +#define PARA_INDIRECT(addr) *%ss:addr
8648 #define INTERRUPT_RETURN \
8649 @@ -1032,6 +1047,21 @@ extern void default_banner(void);
8650 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
8652 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
8654 +#define GET_CR0_INTO_RDI \
8655 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
8658 +#define SET_RDI_INTO_CR0 \
8659 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
8661 +#define GET_CR3_INTO_RDI \
8662 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
8665 +#define SET_RDI_INTO_CR3 \
8666 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
8668 #endif /* CONFIG_X86_32 */
8670 #endif /* __ASSEMBLY__ */
8671 diff -urNp linux-2.6.38.6/arch/x86/include/asm/paravirt_types.h linux-2.6.38.6/arch/x86/include/asm/paravirt_types.h
8672 --- linux-2.6.38.6/arch/x86/include/asm/paravirt_types.h 2011-03-14 21:20:32.000000000 -0400
8673 +++ linux-2.6.38.6/arch/x86/include/asm/paravirt_types.h 2011-04-28 19:34:14.000000000 -0400
8674 @@ -317,6 +317,12 @@ struct pv_mmu_ops {
8675 an mfn. We can tell which is which from the index. */
8676 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
8677 phys_addr_t phys, pgprot_t flags);
8679 +#ifdef CONFIG_PAX_KERNEXEC
8680 + unsigned long (*pax_open_kernel)(void);
8681 + unsigned long (*pax_close_kernel)(void);
8686 struct arch_spinlock;
8687 diff -urNp linux-2.6.38.6/arch/x86/include/asm/pci_x86.h linux-2.6.38.6/arch/x86/include/asm/pci_x86.h
8688 --- linux-2.6.38.6/arch/x86/include/asm/pci_x86.h 2011-03-14 21:20:32.000000000 -0400
8689 +++ linux-2.6.38.6/arch/x86/include/asm/pci_x86.h 2011-04-28 19:34:14.000000000 -0400
8690 @@ -93,16 +93,16 @@ extern int (*pcibios_enable_irq)(struct
8691 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
8693 struct pci_raw_ops {
8694 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8695 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8696 int reg, int len, u32 *val);
8697 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8698 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8699 int reg, int len, u32 val);
8702 -extern struct pci_raw_ops *raw_pci_ops;
8703 -extern struct pci_raw_ops *raw_pci_ext_ops;
8704 +extern const struct pci_raw_ops *raw_pci_ops;
8705 +extern const struct pci_raw_ops *raw_pci_ext_ops;
8707 -extern struct pci_raw_ops pci_direct_conf1;
8708 +extern const struct pci_raw_ops pci_direct_conf1;
8709 extern bool port_cf9_safe;
8711 /* arch_initcall level */
8712 diff -urNp linux-2.6.38.6/arch/x86/include/asm/pgalloc.h linux-2.6.38.6/arch/x86/include/asm/pgalloc.h
8713 --- linux-2.6.38.6/arch/x86/include/asm/pgalloc.h 2011-03-14 21:20:32.000000000 -0400
8714 +++ linux-2.6.38.6/arch/x86/include/asm/pgalloc.h 2011-04-28 19:34:14.000000000 -0400
8715 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
8716 pmd_t *pmd, pte_t *pte)
8718 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8719 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
8722 +static inline void pmd_populate_user(struct mm_struct *mm,
8723 + pmd_t *pmd, pte_t *pte)
8725 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8726 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
8729 diff -urNp linux-2.6.38.6/arch/x86/include/asm/pgtable-2level.h linux-2.6.38.6/arch/x86/include/asm/pgtable-2level.h
8730 --- linux-2.6.38.6/arch/x86/include/asm/pgtable-2level.h 2011-03-14 21:20:32.000000000 -0400
8731 +++ linux-2.6.38.6/arch/x86/include/asm/pgtable-2level.h 2011-04-28 19:34:14.000000000 -0400
8732 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
8734 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8736 + pax_open_kernel();
8738 + pax_close_kernel();
8741 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
8742 diff -urNp linux-2.6.38.6/arch/x86/include/asm/pgtable_32.h linux-2.6.38.6/arch/x86/include/asm/pgtable_32.h
8743 --- linux-2.6.38.6/arch/x86/include/asm/pgtable_32.h 2011-03-14 21:20:32.000000000 -0400
8744 +++ linux-2.6.38.6/arch/x86/include/asm/pgtable_32.h 2011-04-28 19:34:14.000000000 -0400
8747 struct vm_area_struct;
8749 -extern pgd_t swapper_pg_dir[1024];
8750 -extern pgd_t initial_page_table[1024];
8752 static inline void pgtable_cache_init(void) { }
8753 static inline void check_pgt_cache(void) { }
8754 void paging_init(void);
8755 @@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, u
8756 # include <asm/pgtable-2level.h>
8759 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
8760 +extern pgd_t initial_page_table[PTRS_PER_PGD];
8761 +#ifdef CONFIG_X86_PAE
8762 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
8765 #if defined(CONFIG_HIGHPTE)
8766 #define pte_offset_map(dir, address) \
8767 ((pte_t *)kmap_atomic(pmd_page(*(dir))) + \
8768 @@ -62,7 +65,9 @@ extern void set_pmd_pfn(unsigned long, u
8769 /* Clear a kernel PTE and flush it from the TLB */
8770 #define kpte_clear_flush(ptep, vaddr) \
8772 + pax_open_kernel(); \
8773 pte_clear(&init_mm, (vaddr), (ptep)); \
8774 + pax_close_kernel(); \
8775 __flush_tlb_one((vaddr)); \
8778 @@ -74,6 +79,9 @@ do { \
8780 #endif /* !__ASSEMBLY__ */
8782 +#define HAVE_ARCH_UNMAPPED_AREA
8783 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
8786 * kern_addr_valid() is (1) for FLATMEM and (0) for
8787 * SPARSEMEM and DISCONTIGMEM
8788 diff -urNp linux-2.6.38.6/arch/x86/include/asm/pgtable_32_types.h linux-2.6.38.6/arch/x86/include/asm/pgtable_32_types.h
8789 --- linux-2.6.38.6/arch/x86/include/asm/pgtable_32_types.h 2011-03-14 21:20:32.000000000 -0400
8790 +++ linux-2.6.38.6/arch/x86/include/asm/pgtable_32_types.h 2011-04-28 19:34:14.000000000 -0400
8793 #ifdef CONFIG_X86_PAE
8794 # include <asm/pgtable-3level_types.h>
8795 -# define PMD_SIZE (1UL << PMD_SHIFT)
8796 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
8797 # define PMD_MASK (~(PMD_SIZE - 1))
8799 # include <asm/pgtable-2level_types.h>
8800 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
8801 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
8804 +#ifdef CONFIG_PAX_KERNEXEC
8805 +#ifndef __ASSEMBLY__
8806 +extern unsigned char MODULES_EXEC_VADDR[];
8807 +extern unsigned char MODULES_EXEC_END[];
8809 +#include <asm/boot.h>
8810 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
8811 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
8813 +#define ktla_ktva(addr) (addr)
8814 +#define ktva_ktla(addr) (addr)
8817 #define MODULES_VADDR VMALLOC_START
8818 #define MODULES_END VMALLOC_END
8819 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
8820 diff -urNp linux-2.6.38.6/arch/x86/include/asm/pgtable-3level.h linux-2.6.38.6/arch/x86/include/asm/pgtable-3level.h
8821 --- linux-2.6.38.6/arch/x86/include/asm/pgtable-3level.h 2011-04-18 17:27:13.000000000 -0400
8822 +++ linux-2.6.38.6/arch/x86/include/asm/pgtable-3level.h 2011-04-28 19:34:14.000000000 -0400
8823 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
8825 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8827 + pax_open_kernel();
8828 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
8829 + pax_close_kernel();
8832 static inline void native_set_pud(pud_t *pudp, pud_t pud)
8834 + pax_open_kernel();
8835 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
8836 + pax_close_kernel();
8840 diff -urNp linux-2.6.38.6/arch/x86/include/asm/pgtable_64.h linux-2.6.38.6/arch/x86/include/asm/pgtable_64.h
8841 --- linux-2.6.38.6/arch/x86/include/asm/pgtable_64.h 2011-03-14 21:20:32.000000000 -0400
8842 +++ linux-2.6.38.6/arch/x86/include/asm/pgtable_64.h 2011-04-28 19:34:14.000000000 -0400
8845 extern pud_t level3_kernel_pgt[512];
8846 extern pud_t level3_ident_pgt[512];
8847 +extern pud_t level3_vmalloc_pgt[512];
8848 +extern pud_t level3_vmemmap_pgt[512];
8849 +extern pud_t level2_vmemmap_pgt[512];
8850 extern pmd_t level2_kernel_pgt[512];
8851 extern pmd_t level2_fixmap_pgt[512];
8852 -extern pmd_t level2_ident_pgt[512];
8853 -extern pgd_t init_level4_pgt[];
8854 +extern pmd_t level2_ident_pgt[512*2];
8855 +extern pgd_t init_level4_pgt[512];
8857 #define swapper_pg_dir init_level4_pgt
8859 @@ -61,7 +64,9 @@ static inline void native_set_pte_atomic
8861 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8863 + pax_open_kernel();
8865 + pax_close_kernel();
8868 static inline void native_pmd_clear(pmd_t *pmd)
8869 @@ -107,7 +112,9 @@ static inline void native_pud_clear(pud_
8871 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
8873 + pax_open_kernel();
8875 + pax_close_kernel();
8878 static inline void native_pgd_clear(pgd_t *pgd)
8879 diff -urNp linux-2.6.38.6/arch/x86/include/asm/pgtable_64_types.h linux-2.6.38.6/arch/x86/include/asm/pgtable_64_types.h
8880 --- linux-2.6.38.6/arch/x86/include/asm/pgtable_64_types.h 2011-03-14 21:20:32.000000000 -0400
8881 +++ linux-2.6.38.6/arch/x86/include/asm/pgtable_64_types.h 2011-04-28 19:34:14.000000000 -0400
8882 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
8883 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
8884 #define MODULES_END _AC(0xffffffffff000000, UL)
8885 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
8886 +#define MODULES_EXEC_VADDR MODULES_VADDR
8887 +#define MODULES_EXEC_END MODULES_END
8889 +#define ktla_ktva(addr) (addr)
8890 +#define ktva_ktla(addr) (addr)
8892 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
8893 diff -urNp linux-2.6.38.6/arch/x86/include/asm/pgtable.h linux-2.6.38.6/arch/x86/include/asm/pgtable.h
8894 --- linux-2.6.38.6/arch/x86/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
8895 +++ linux-2.6.38.6/arch/x86/include/asm/pgtable.h 2011-04-28 19:34:14.000000000 -0400
8896 @@ -81,12 +81,51 @@ extern struct mm_struct *pgd_page_get_mm
8898 #define arch_end_context_switch(prev) do {} while(0)
8900 +#define pax_open_kernel() native_pax_open_kernel()
8901 +#define pax_close_kernel() native_pax_close_kernel()
8902 #endif /* CONFIG_PARAVIRT */
8904 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
8905 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
8907 +#ifdef CONFIG_PAX_KERNEXEC
8908 +static inline unsigned long native_pax_open_kernel(void)
8910 + unsigned long cr0;
8912 + preempt_disable();
8914 + cr0 = read_cr0() ^ X86_CR0_WP;
8915 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
8917 + return cr0 ^ X86_CR0_WP;
8920 +static inline unsigned long native_pax_close_kernel(void)
8922 + unsigned long cr0;
8924 + cr0 = read_cr0() ^ X86_CR0_WP;
8925 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
8928 + preempt_enable_no_resched();
8929 + return cr0 ^ X86_CR0_WP;
8932 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
8933 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
8937 * The following only work if pte_present() is true.
8938 * Undefined behaviour if not..
8940 +static inline int pte_user(pte_t pte)
8942 + return pte_val(pte) & _PAGE_USER;
8945 static inline int pte_dirty(pte_t pte)
8947 return pte_flags(pte) & _PAGE_DIRTY;
8948 @@ -196,9 +235,29 @@ static inline pte_t pte_wrprotect(pte_t
8949 return pte_clear_flags(pte, _PAGE_RW);
8952 +static inline pte_t pte_mkread(pte_t pte)
8954 + return __pte(pte_val(pte) | _PAGE_USER);
8957 static inline pte_t pte_mkexec(pte_t pte)
8959 - return pte_clear_flags(pte, _PAGE_NX);
8960 +#ifdef CONFIG_X86_PAE
8961 + if (__supported_pte_mask & _PAGE_NX)
8962 + return pte_clear_flags(pte, _PAGE_NX);
8965 + return pte_set_flags(pte, _PAGE_USER);
8968 +static inline pte_t pte_exprotect(pte_t pte)
8970 +#ifdef CONFIG_X86_PAE
8971 + if (__supported_pte_mask & _PAGE_NX)
8972 + return pte_set_flags(pte, _PAGE_NX);
8975 + return pte_clear_flags(pte, _PAGE_USER);
8978 static inline pte_t pte_mkdirty(pte_t pte)
8979 @@ -390,6 +449,15 @@ pte_t *populate_extra_pte(unsigned long
8982 #ifndef __ASSEMBLY__
8984 +#ifdef CONFIG_PAX_PER_CPU_PGD
8985 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
8986 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
8988 + return cpu_pgd[cpu];
8992 #include <linux/mm_types.h>
8994 static inline int pte_none(pte_t pte)
8995 @@ -560,7 +628,7 @@ static inline pud_t *pud_offset(pgd_t *p
8997 static inline int pgd_bad(pgd_t pgd)
8999 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
9000 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
9003 static inline int pgd_none(pgd_t pgd)
9004 @@ -583,7 +651,12 @@ static inline int pgd_none(pgd_t pgd)
9005 * pgd_offset() returns a (pgd_t *)
9006 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
9008 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
9009 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
9011 +#ifdef CONFIG_PAX_PER_CPU_PGD
9012 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
9016 * a shortcut which implies the use of the kernel's pgd, instead
9018 @@ -594,6 +667,20 @@ static inline int pgd_none(pgd_t pgd)
9019 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
9020 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
9022 +#ifdef CONFIG_X86_32
9023 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
9025 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
9026 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
9028 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9029 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
9031 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
9036 #ifndef __ASSEMBLY__
9038 extern int direct_gbpages;
9039 @@ -758,11 +845,23 @@ static inline void pmdp_set_wrprotect(st
9040 * dst and src can be on the same page, but the range must not overlap,
9041 * and must not cross a page boundary.
9043 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
9044 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
9046 - memcpy(dst, src, count * sizeof(pgd_t));
9047 + pax_open_kernel();
9050 + pax_close_kernel();
9053 +#ifdef CONFIG_PAX_PER_CPU_PGD
9054 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
9057 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9058 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
9060 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
9063 #include <asm-generic/pgtable.h>
9064 #endif /* __ASSEMBLY__ */
9065 diff -urNp linux-2.6.38.6/arch/x86/include/asm/pgtable_types.h linux-2.6.38.6/arch/x86/include/asm/pgtable_types.h
9066 --- linux-2.6.38.6/arch/x86/include/asm/pgtable_types.h 2011-03-14 21:20:32.000000000 -0400
9067 +++ linux-2.6.38.6/arch/x86/include/asm/pgtable_types.h 2011-04-28 19:34:14.000000000 -0400
9069 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
9070 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
9071 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
9072 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
9073 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
9074 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
9075 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
9076 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
9077 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
9078 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
9079 -#define _PAGE_BIT_SPLITTING _PAGE_BIT_UNUSED1 /* only valid on a PSE pmd */
9080 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
9081 +#define _PAGE_BIT_SPLITTING _PAGE_BIT_SPECIAL /* only valid on a PSE pmd */
9082 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
9084 /* If _PAGE_BIT_PRESENT is clear, we use these: */
9086 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
9087 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
9088 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
9089 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
9090 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
9091 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
9092 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
9095 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
9096 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
9098 +#elif defined(CONFIG_KMEMCHECK)
9099 #define _PAGE_NX (_AT(pteval_t, 0))
9101 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
9104 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
9106 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
9109 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
9110 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
9112 #define __PAGE_KERNEL_EXEC \
9113 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
9114 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
9116 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
9117 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
9118 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
9119 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
9120 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
9121 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
9122 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
9123 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
9124 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
9125 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
9127 * bits are combined, this will alow user to access the high address mapped
9128 * VDSO in the presence of CONFIG_COMPAT_VDSO
9130 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
9131 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
9132 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
9133 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
9134 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
9137 @@ -205,7 +208,17 @@ static inline pgdval_t pgd_flags(pgd_t p
9139 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
9143 +#if PAGETABLE_LEVELS == 3
9144 +#include <asm-generic/pgtable-nopud.h>
9147 +#if PAGETABLE_LEVELS == 2
9148 +#include <asm-generic/pgtable-nopmd.h>
9151 +#ifndef __ASSEMBLY__
9152 #if PAGETABLE_LEVELS > 3
9153 typedef struct { pudval_t pud; } pud_t;
9155 @@ -219,8 +232,6 @@ static inline pudval_t native_pud_val(pu
9159 -#include <asm-generic/pgtable-nopud.h>
9161 static inline pudval_t native_pud_val(pud_t pud)
9163 return native_pgd_val(pud.pgd);
9164 @@ -240,8 +251,6 @@ static inline pmdval_t native_pmd_val(pm
9168 -#include <asm-generic/pgtable-nopmd.h>
9170 static inline pmdval_t native_pmd_val(pmd_t pmd)
9172 return native_pgd_val(pmd.pud.pgd);
9173 @@ -281,7 +290,6 @@ typedef struct page *pgtable_t;
9175 extern pteval_t __supported_pte_mask;
9176 extern void set_nx(void);
9177 -extern int nx_enabled;
9179 #define pgprot_writecombine pgprot_writecombine
9180 extern pgprot_t pgprot_writecombine(pgprot_t prot);
9181 diff -urNp linux-2.6.38.6/arch/x86/include/asm/processor.h linux-2.6.38.6/arch/x86/include/asm/processor.h
9182 --- linux-2.6.38.6/arch/x86/include/asm/processor.h 2011-03-14 21:20:32.000000000 -0400
9183 +++ linux-2.6.38.6/arch/x86/include/asm/processor.h 2011-05-11 18:34:57.000000000 -0400
9184 @@ -270,7 +270,7 @@ struct tss_struct {
9186 } ____cacheline_aligned;
9188 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
9189 +extern struct tss_struct init_tss[NR_CPUS];
9192 * Save the original ist values for checking stack pointers during debugging
9193 @@ -864,11 +864,18 @@ static inline void spin_lock_prefetch(co
9195 #define TASK_SIZE PAGE_OFFSET
9196 #define TASK_SIZE_MAX TASK_SIZE
9198 +#ifdef CONFIG_PAX_SEGMEXEC
9199 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
9200 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
9202 #define STACK_TOP TASK_SIZE
9203 -#define STACK_TOP_MAX STACK_TOP
9206 +#define STACK_TOP_MAX TASK_SIZE
9208 #define INIT_THREAD { \
9209 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
9210 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
9211 .vm86_info = NULL, \
9212 .sysenter_cs = __KERNEL_CS, \
9213 .io_bitmap_ptr = NULL, \
9214 @@ -882,7 +889,7 @@ static inline void spin_lock_prefetch(co
9216 #define INIT_TSS { \
9218 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
9219 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
9220 .ss0 = __KERNEL_DS, \
9221 .ss1 = __KERNEL_CS, \
9222 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
9223 @@ -893,11 +900,7 @@ static inline void spin_lock_prefetch(co
9224 extern unsigned long thread_saved_pc(struct task_struct *tsk);
9226 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
9227 -#define KSTK_TOP(info) \
9229 - unsigned long *__ptr = (unsigned long *)(info); \
9230 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
9232 +#define KSTK_TOP(info) ((container_of(info, struct task_struct, tinfo))->thread.sp0)
9235 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
9236 @@ -912,7 +915,7 @@ extern unsigned long thread_saved_pc(str
9237 #define task_pt_regs(task) \
9239 struct pt_regs *__regs__; \
9240 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
9241 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
9245 @@ -922,13 +925,13 @@ extern unsigned long thread_saved_pc(str
9247 * User space process size. 47bits minus one guard page.
9249 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
9250 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
9252 /* This decides where the kernel will search for a free chunk of vm
9253 * space during mmap's.
9255 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
9256 - 0xc0000000 : 0xFFFFe000)
9257 + 0xc0000000 : 0xFFFFf000)
9259 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
9260 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
9261 @@ -939,11 +942,11 @@ extern unsigned long thread_saved_pc(str
9262 #define STACK_TOP_MAX TASK_SIZE_MAX
9264 #define INIT_THREAD { \
9265 - .sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
9266 + .sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
9269 #define INIT_TSS { \
9270 - .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
9271 + .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
9275 @@ -965,6 +968,10 @@ extern void start_thread(struct pt_regs
9277 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
9279 +#ifdef CONFIG_PAX_SEGMEXEC
9280 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
9283 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
9285 /* Get/set a process' ability to use the timestamp counter instruction */
9286 diff -urNp linux-2.6.38.6/arch/x86/include/asm/ptrace.h linux-2.6.38.6/arch/x86/include/asm/ptrace.h
9287 --- linux-2.6.38.6/arch/x86/include/asm/ptrace.h 2011-03-14 21:20:32.000000000 -0400
9288 +++ linux-2.6.38.6/arch/x86/include/asm/ptrace.h 2011-04-28 19:34:14.000000000 -0400
9289 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
9293 - * user_mode_vm(regs) determines whether a register set came from user mode.
9294 + * user_mode(regs) determines whether a register set came from user mode.
9295 * This is true if V8086 mode was enabled OR if the register set was from
9296 * protected mode with RPL-3 CS value. This tricky test checks that with
9297 * one comparison. Many places in the kernel can bypass this full check
9298 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
9299 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
9302 -static inline int user_mode(struct pt_regs *regs)
9303 +static inline int user_mode_novm(struct pt_regs *regs)
9305 #ifdef CONFIG_X86_32
9306 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
9308 - return !!(regs->cs & 3);
9309 + return !!(regs->cs & SEGMENT_RPL_MASK);
9313 -static inline int user_mode_vm(struct pt_regs *regs)
9314 +static inline int user_mode(struct pt_regs *regs)
9316 #ifdef CONFIG_X86_32
9317 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
9320 - return user_mode(regs);
9321 + return user_mode_novm(regs);
9325 diff -urNp linux-2.6.38.6/arch/x86/include/asm/reboot.h linux-2.6.38.6/arch/x86/include/asm/reboot.h
9326 --- linux-2.6.38.6/arch/x86/include/asm/reboot.h 2011-03-14 21:20:32.000000000 -0400
9327 +++ linux-2.6.38.6/arch/x86/include/asm/reboot.h 2011-04-28 19:34:14.000000000 -0400
9328 @@ -18,7 +18,7 @@ extern struct machine_ops machine_ops;
9330 void native_machine_crash_shutdown(struct pt_regs *regs);
9331 void native_machine_shutdown(void);
9332 -void machine_real_restart(const unsigned char *code, int length);
9333 +void machine_real_restart(const unsigned char *code, unsigned int length);
9335 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
9336 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
9337 diff -urNp linux-2.6.38.6/arch/x86/include/asm/rwsem.h linux-2.6.38.6/arch/x86/include/asm/rwsem.h
9338 --- linux-2.6.38.6/arch/x86/include/asm/rwsem.h 2011-03-14 21:20:32.000000000 -0400
9339 +++ linux-2.6.38.6/arch/x86/include/asm/rwsem.h 2011-04-28 19:34:14.000000000 -0400
9340 @@ -118,6 +118,14 @@ static inline void __down_read(struct rw
9342 asm volatile("# beginning down_read\n\t"
9343 LOCK_PREFIX _ASM_INC "(%1)\n\t"
9345 +#ifdef CONFIG_PAX_REFCOUNT
9347 + LOCK_PREFIX _ASM_DEC "(%1)\n"
9349 + _ASM_EXTABLE(0b, 0b)
9352 /* adds 0x00000001 */
9354 " call call_rwsem_down_read_failed\n"
9355 @@ -139,6 +147,14 @@ static inline int __down_read_trylock(st
9360 +#ifdef CONFIG_PAX_REFCOUNT
9364 + _ASM_EXTABLE(0b, 0b)
9368 LOCK_PREFIX " cmpxchg %2,%0\n\t"
9370 @@ -158,6 +174,14 @@ static inline void __down_write_nested(s
9372 asm volatile("# beginning down_write\n\t"
9373 LOCK_PREFIX " xadd %1,(%2)\n\t"
9375 +#ifdef CONFIG_PAX_REFCOUNT
9379 + _ASM_EXTABLE(0b, 0b)
9382 /* adds 0xffff0001, returns the old value */
9384 /* was the count 0 before? */
9385 @@ -196,6 +220,14 @@ static inline void __up_read(struct rw_s
9387 asm volatile("# beginning __up_read\n\t"
9388 LOCK_PREFIX " xadd %1,(%2)\n\t"
9390 +#ifdef CONFIG_PAX_REFCOUNT
9394 + _ASM_EXTABLE(0b, 0b)
9397 /* subtracts 1, returns the old value */
9399 " call call_rwsem_wake\n" /* expects old value in %edx */
9400 @@ -214,6 +246,14 @@ static inline void __up_write(struct rw_
9402 asm volatile("# beginning __up_write\n\t"
9403 LOCK_PREFIX " xadd %1,(%2)\n\t"
9405 +#ifdef CONFIG_PAX_REFCOUNT
9409 + _ASM_EXTABLE(0b, 0b)
9412 /* subtracts 0xffff0001, returns the old value */
9414 " call call_rwsem_wake\n" /* expects old value in %edx */
9415 @@ -231,6 +271,14 @@ static inline void __downgrade_write(str
9417 asm volatile("# beginning __downgrade_write\n\t"
9418 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
9420 +#ifdef CONFIG_PAX_REFCOUNT
9422 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
9424 + _ASM_EXTABLE(0b, 0b)
9428 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
9429 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
9430 @@ -250,7 +298,15 @@ static inline void __downgrade_write(str
9431 static inline void rwsem_atomic_add(rwsem_count_t delta,
9432 struct rw_semaphore *sem)
9434 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
9435 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
9437 +#ifdef CONFIG_PAX_REFCOUNT
9439 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
9441 + _ASM_EXTABLE(0b, 0b)
9447 @@ -263,7 +319,15 @@ static inline rwsem_count_t rwsem_atomic
9449 rwsem_count_t tmp = delta;
9451 - asm volatile(LOCK_PREFIX "xadd %0,%1"
9452 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
9454 +#ifdef CONFIG_PAX_REFCOUNT
9458 + _ASM_EXTABLE(0b, 0b)
9461 : "+r" (tmp), "+m" (sem->count)
9464 diff -urNp linux-2.6.38.6/arch/x86/include/asm/segment.h linux-2.6.38.6/arch/x86/include/asm/segment.h
9465 --- linux-2.6.38.6/arch/x86/include/asm/segment.h 2011-03-14 21:20:32.000000000 -0400
9466 +++ linux-2.6.38.6/arch/x86/include/asm/segment.h 2011-04-28 19:34:14.000000000 -0400
9468 * 26 - ESPFIX small SS
9469 * 27 - per-cpu [ offset to per-cpu data area ]
9470 * 28 - stack_canary-20 [ for stack protector ]
9473 + * 29 - PCI BIOS CS
9474 + * 30 - PCI BIOS DS
9475 * 31 - TSS for double fault handler
9477 #define GDT_ENTRY_TLS_MIN 6
9480 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE+0)
9482 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
9484 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE+1)
9486 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE+4)
9487 @@ -102,6 +104,12 @@
9488 #define __KERNEL_STACK_CANARY 0
9491 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE+17)
9492 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
9494 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE+18)
9495 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
9497 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
9503 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
9504 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
9505 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
9510 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
9511 #define __USER32_DS __USER_DS
9513 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
9515 #define GDT_ENTRY_TSS 8 /* needs two entries */
9516 #define GDT_ENTRY_LDT 10 /* needs two entries */
9517 #define GDT_ENTRY_TLS_MIN 12
9521 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
9522 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
9523 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
9524 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3)
9525 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3)
9526 diff -urNp linux-2.6.38.6/arch/x86/include/asm/smp.h linux-2.6.38.6/arch/x86/include/asm/smp.h
9527 --- linux-2.6.38.6/arch/x86/include/asm/smp.h 2011-03-14 21:20:32.000000000 -0400
9528 +++ linux-2.6.38.6/arch/x86/include/asm/smp.h 2011-04-28 19:34:14.000000000 -0400
9529 @@ -24,7 +24,7 @@ extern unsigned int num_processors;
9530 DECLARE_PER_CPU(cpumask_var_t, cpu_sibling_map);
9531 DECLARE_PER_CPU(cpumask_var_t, cpu_core_map);
9532 DECLARE_PER_CPU(u16, cpu_llc_id);
9533 -DECLARE_PER_CPU(int, cpu_number);
9534 +DECLARE_PER_CPU(unsigned int, cpu_number);
9536 static inline struct cpumask *cpu_sibling_mask(int cpu)
9538 @@ -172,14 +172,8 @@ extern unsigned disabled_cpus __cpuinitd
9539 extern int safe_smp_processor_id(void);
9541 #elif defined(CONFIG_X86_64_SMP)
9542 -#define raw_smp_processor_id() (percpu_read(cpu_number))
9544 -#define stack_smp_processor_id() \
9546 - struct thread_info *ti; \
9547 - __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
9550 +#define raw_smp_processor_id() (percpu_read(cpu_number))
9551 +#define stack_smp_processor_id() raw_smp_processor_id()
9552 #define safe_smp_processor_id() smp_processor_id()
9555 diff -urNp linux-2.6.38.6/arch/x86/include/asm/spinlock.h linux-2.6.38.6/arch/x86/include/asm/spinlock.h
9556 --- linux-2.6.38.6/arch/x86/include/asm/spinlock.h 2011-03-14 21:20:32.000000000 -0400
9557 +++ linux-2.6.38.6/arch/x86/include/asm/spinlock.h 2011-04-28 19:34:14.000000000 -0400
9558 @@ -249,6 +249,14 @@ static inline int arch_write_can_lock(ar
9559 static inline void arch_read_lock(arch_rwlock_t *rw)
9561 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
9563 +#ifdef CONFIG_PAX_REFCOUNT
9565 + LOCK_PREFIX " addl $1,(%0)\n"
9567 + _ASM_EXTABLE(0b, 0b)
9571 "call __read_lock_failed\n\t"
9573 @@ -258,6 +266,14 @@ static inline void arch_read_lock(arch_r
9574 static inline void arch_write_lock(arch_rwlock_t *rw)
9576 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
9578 +#ifdef CONFIG_PAX_REFCOUNT
9580 + LOCK_PREFIX " addl %1,(%0)\n"
9582 + _ASM_EXTABLE(0b, 0b)
9586 "call __write_lock_failed\n\t"
9588 @@ -286,12 +302,29 @@ static inline int arch_write_trylock(arc
9590 static inline void arch_read_unlock(arch_rwlock_t *rw)
9592 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
9593 + asm volatile(LOCK_PREFIX "incl %0\n"
9595 +#ifdef CONFIG_PAX_REFCOUNT
9597 + LOCK_PREFIX "decl %0\n"
9599 + _ASM_EXTABLE(0b, 0b)
9602 + :"+m" (rw->lock) : : "memory");
9605 static inline void arch_write_unlock(arch_rwlock_t *rw)
9607 - asm volatile(LOCK_PREFIX "addl %1, %0"
9608 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
9610 +#ifdef CONFIG_PAX_REFCOUNT
9612 + LOCK_PREFIX "subl %1, %0\n"
9614 + _ASM_EXTABLE(0b, 0b)
9617 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
9620 diff -urNp linux-2.6.38.6/arch/x86/include/asm/stackprotector.h linux-2.6.38.6/arch/x86/include/asm/stackprotector.h
9621 --- linux-2.6.38.6/arch/x86/include/asm/stackprotector.h 2011-03-14 21:20:32.000000000 -0400
9622 +++ linux-2.6.38.6/arch/x86/include/asm/stackprotector.h 2011-04-28 19:34:14.000000000 -0400
9623 @@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
9625 static inline void load_stack_canary_segment(void)
9627 -#ifdef CONFIG_X86_32
9628 +#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
9629 asm volatile ("mov %0, %%gs" : : "r" (0));
9632 diff -urNp linux-2.6.38.6/arch/x86/include/asm/stacktrace.h linux-2.6.38.6/arch/x86/include/asm/stacktrace.h
9633 --- linux-2.6.38.6/arch/x86/include/asm/stacktrace.h 2011-03-14 21:20:32.000000000 -0400
9634 +++ linux-2.6.38.6/arch/x86/include/asm/stacktrace.h 2011-04-28 19:34:14.000000000 -0400
9637 extern int kstack_depth_to_print;
9639 -struct thread_info;
9640 +struct task_struct;
9641 struct stacktrace_ops;
9643 -typedef unsigned long (*walk_stack_t)(struct thread_info *tinfo,
9644 - unsigned long *stack,
9646 - const struct stacktrace_ops *ops,
9648 - unsigned long *end,
9651 -extern unsigned long
9652 -print_context_stack(struct thread_info *tinfo,
9653 - unsigned long *stack, unsigned long bp,
9654 - const struct stacktrace_ops *ops, void *data,
9655 - unsigned long *end, int *graph);
9657 -extern unsigned long
9658 -print_context_stack_bp(struct thread_info *tinfo,
9659 - unsigned long *stack, unsigned long bp,
9660 - const struct stacktrace_ops *ops, void *data,
9661 - unsigned long *end, int *graph);
9662 +typedef unsigned long walk_stack_t(struct task_struct *task,
9663 + void *stack_start,
9664 + unsigned long *stack,
9666 + const struct stacktrace_ops *ops,
9668 + unsigned long *end,
9671 +extern walk_stack_t print_context_stack;
9672 +extern walk_stack_t print_context_stack_bp;
9674 /* Generic stack tracer with callbacks */
9676 @@ -43,7 +35,7 @@ struct stacktrace_ops {
9677 void (*address)(void *data, unsigned long address, int reliable);
9678 /* On negative return stop dumping */
9679 int (*stack)(void *data, char *name);
9680 - walk_stack_t walk_stack;
9681 + walk_stack_t *walk_stack;
9684 void dump_trace(struct task_struct *tsk, struct pt_regs *regs,
9685 diff -urNp linux-2.6.38.6/arch/x86/include/asm/system.h linux-2.6.38.6/arch/x86/include/asm/system.h
9686 --- linux-2.6.38.6/arch/x86/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
9687 +++ linux-2.6.38.6/arch/x86/include/asm/system.h 2011-04-28 19:34:14.000000000 -0400
9688 @@ -131,7 +131,7 @@ do { \
9689 "call __switch_to\n\t" \
9690 "movq "__percpu_arg([current_task])",%%rsi\n\t" \
9692 - "movq %P[thread_info](%%rsi),%%r8\n\t" \
9693 + "movq "__percpu_arg([thread_info])",%%r8\n\t" \
9694 "movq %%rax,%%rdi\n\t" \
9695 "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
9696 "jnz ret_from_fork\n\t" \
9697 @@ -142,7 +142,7 @@ do { \
9698 [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
9699 [ti_flags] "i" (offsetof(struct thread_info, flags)), \
9700 [_tif_fork] "i" (_TIF_FORK), \
9701 - [thread_info] "i" (offsetof(struct task_struct, stack)), \
9702 + [thread_info] "m" (current_tinfo), \
9703 [current_task] "m" (current_task) \
9704 __switch_canary_iparam \
9705 : "memory", "cc" __EXTRA_CLOBBER)
9706 @@ -202,7 +202,7 @@ static inline unsigned long get_limit(un
9708 unsigned long __limit;
9709 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
9710 - return __limit + 1;
9714 static inline void native_clts(void)
9715 @@ -342,7 +342,7 @@ void enable_hlt(void);
9717 void cpu_idle_wait(void);
9719 -extern unsigned long arch_align_stack(unsigned long sp);
9720 +#define arch_align_stack(x) ((x) & ~0xfUL)
9721 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
9723 void default_idle(void);
9724 diff -urNp linux-2.6.38.6/arch/x86/include/asm/thread_info.h linux-2.6.38.6/arch/x86/include/asm/thread_info.h
9725 --- linux-2.6.38.6/arch/x86/include/asm/thread_info.h 2011-03-14 21:20:32.000000000 -0400
9726 +++ linux-2.6.38.6/arch/x86/include/asm/thread_info.h 2011-05-17 19:31:43.000000000 -0400
9728 #include <linux/compiler.h>
9729 #include <asm/page.h>
9730 #include <asm/types.h>
9731 +#include <asm/percpu.h>
9734 * low level task data that entry.S needs immediate access to
9735 @@ -24,7 +25,6 @@ struct exec_domain;
9736 #include <asm/atomic.h>
9738 struct thread_info {
9739 - struct task_struct *task; /* main task structure */
9740 struct exec_domain *exec_domain; /* execution domain */
9741 __u32 flags; /* low level flags */
9742 __u32 status; /* thread synchronous flags */
9743 @@ -34,18 +34,12 @@ struct thread_info {
9744 mm_segment_t addr_limit;
9745 struct restart_block restart_block;
9746 void __user *sysenter_return;
9747 -#ifdef CONFIG_X86_32
9748 - unsigned long previous_esp; /* ESP of the previous stack in
9749 - case of nested (IRQ) stacks
9751 - __u8 supervisor_stack[0];
9753 + unsigned long lowest_stack;
9757 -#define INIT_THREAD_INFO(tsk) \
9758 +#define INIT_THREAD_INFO \
9761 .exec_domain = &default_exec_domain, \
9764 @@ -56,7 +50,7 @@ struct thread_info {
9768 -#define init_thread_info (init_thread_union.thread_info)
9769 +#define init_thread_info (init_thread_union.stack)
9770 #define init_stack (init_thread_union.stack)
9772 #else /* !__ASSEMBLY__ */
9773 @@ -164,6 +158,23 @@ struct thread_info {
9774 #define alloc_thread_info(tsk) \
9775 ((struct thread_info *)__get_free_pages(THREAD_FLAGS, THREAD_ORDER))
9777 +#ifdef __ASSEMBLY__
9778 +/* how to get the thread information struct from ASM */
9779 +#define GET_THREAD_INFO(reg) \
9780 + mov PER_CPU_VAR(current_tinfo), reg
9782 +/* use this one if reg already contains %esp */
9783 +#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
9785 +/* how to get the thread information struct from C */
9786 +DECLARE_PER_CPU(struct thread_info *, current_tinfo);
9788 +static __always_inline struct thread_info *current_thread_info(void)
9790 + return percpu_read_stable(current_tinfo);
9794 #ifdef CONFIG_X86_32
9796 #define STACK_WARN (THREAD_SIZE/8)
9797 @@ -174,35 +185,13 @@ struct thread_info {
9799 #ifndef __ASSEMBLY__
9802 /* how to get the current stack pointer from C */
9803 register unsigned long current_stack_pointer asm("esp") __used;
9805 -/* how to get the thread information struct from C */
9806 -static inline struct thread_info *current_thread_info(void)
9808 - return (struct thread_info *)
9809 - (current_stack_pointer & ~(THREAD_SIZE - 1));
9812 -#else /* !__ASSEMBLY__ */
9814 -/* how to get the thread information struct from ASM */
9815 -#define GET_THREAD_INFO(reg) \
9816 - movl $-THREAD_SIZE, reg; \
9819 -/* use this one if reg already contains %esp */
9820 -#define GET_THREAD_INFO_WITH_ESP(reg) \
9821 - andl $-THREAD_SIZE, reg
9827 -#include <asm/percpu.h>
9828 -#define KERNEL_STACK_OFFSET (5*8)
9831 * macros/functions for gaining access to the thread information structure
9832 * preempt_count needs to be 1 initially, until the scheduler is functional.
9833 @@ -210,21 +199,8 @@ static inline struct thread_info *curren
9834 #ifndef __ASSEMBLY__
9835 DECLARE_PER_CPU(unsigned long, kernel_stack);
9837 -static inline struct thread_info *current_thread_info(void)
9839 - struct thread_info *ti;
9840 - ti = (void *)(percpu_read_stable(kernel_stack) +
9841 - KERNEL_STACK_OFFSET - THREAD_SIZE);
9845 -#else /* !__ASSEMBLY__ */
9847 -/* how to get the thread information struct from ASM */
9848 -#define GET_THREAD_INFO(reg) \
9849 - movq PER_CPU_VAR(kernel_stack),reg ; \
9850 - subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg
9852 +/* how to get the current stack pointer from C */
9853 +register unsigned long current_stack_pointer asm("rsp") __used;
9856 #endif /* !X86_32 */
9857 @@ -260,5 +236,16 @@ extern void arch_task_cache_init(void);
9858 extern void free_thread_info(struct thread_info *ti);
9859 extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
9860 #define arch_task_cache_init arch_task_cache_init
9862 +#define __HAVE_THREAD_FUNCTIONS
9863 +#define task_thread_info(task) (&(task)->tinfo)
9864 +#define task_stack_page(task) ((task)->stack)
9865 +#define setup_thread_stack(p, org) do {} while (0)
9866 +#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
9868 +#define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR
9869 +extern struct task_struct *alloc_task_struct(void);
9870 +extern void free_task_struct(struct task_struct *);
9873 #endif /* _ASM_X86_THREAD_INFO_H */
9874 diff -urNp linux-2.6.38.6/arch/x86/include/asm/uaccess_32.h linux-2.6.38.6/arch/x86/include/asm/uaccess_32.h
9875 --- linux-2.6.38.6/arch/x86/include/asm/uaccess_32.h 2011-03-14 21:20:32.000000000 -0400
9876 +++ linux-2.6.38.6/arch/x86/include/asm/uaccess_32.h 2011-05-16 21:47:08.000000000 -0400
9877 @@ -44,6 +44,11 @@ unsigned long __must_check __copy_from_u
9878 static __always_inline unsigned long __must_check
9879 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
9881 + pax_track_stack();
9886 if (__builtin_constant_p(n)) {
9889 @@ -62,6 +67,8 @@ __copy_to_user_inatomic(void __user *to,
9893 + if (!__builtin_constant_p(n))
9894 + check_object_size(from, n, true);
9895 return __copy_to_user_ll(to, from, n);
9898 @@ -83,12 +90,16 @@ static __always_inline unsigned long __m
9899 __copy_to_user(void __user *to, const void *from, unsigned long n)
9903 return __copy_to_user_inatomic(to, from, n);
9906 static __always_inline unsigned long
9907 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
9912 /* Avoid zeroing the tail if the copy fails..
9913 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
9914 * but as the zeroing behaviour is only significant when n is not
9915 @@ -138,6 +149,12 @@ static __always_inline unsigned long
9916 __copy_from_user(void *to, const void __user *from, unsigned long n)
9920 + pax_track_stack();
9925 if (__builtin_constant_p(n)) {
9928 @@ -153,6 +170,8 @@ __copy_from_user(void *to, const void __
9932 + if (!__builtin_constant_p(n))
9933 + check_object_size(to, n, false);
9934 return __copy_from_user_ll(to, from, n);
9937 @@ -160,6 +179,10 @@ static __always_inline unsigned long __c
9938 const void __user *from, unsigned long n)
9945 if (__builtin_constant_p(n)) {
9948 @@ -182,15 +205,19 @@ static __always_inline unsigned long
9949 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
9952 - return __copy_from_user_ll_nocache_nozero(to, from, n);
9957 -unsigned long __must_check copy_to_user(void __user *to,
9958 - const void *from, unsigned long n);
9959 -unsigned long __must_check _copy_from_user(void *to,
9960 - const void __user *from,
9962 + return __copy_from_user_ll_nocache_nozero(to, from, n);
9965 +extern void copy_to_user_overflow(void)
9966 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9967 + __compiletime_error("copy_to_user() buffer size is not provably correct")
9969 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
9973 extern void copy_from_user_overflow(void)
9974 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9975 @@ -200,17 +227,61 @@ extern void copy_from_user_overflow(void
9979 -static inline unsigned long __must_check copy_from_user(void *to,
9980 - const void __user *from,
9983 + * copy_to_user: - Copy a block of data into user space.
9984 + * @to: Destination address, in user space.
9985 + * @from: Source address, in kernel space.
9986 + * @n: Number of bytes to copy.
9988 + * Context: User context only. This function may sleep.
9990 + * Copy data from kernel space to user space.
9992 + * Returns number of bytes that could not be copied.
9993 + * On success, this will be zero.
9995 +static inline unsigned long __must_check
9996 +copy_to_user(void __user *to, const void *from, unsigned long n)
9998 + int sz = __compiletime_object_size(from);
10000 + if (unlikely(sz != -1 && sz < n))
10001 + copy_to_user_overflow();
10002 + else if (access_ok(VERIFY_WRITE, to, n))
10003 + n = __copy_to_user(to, from, n);
10008 + * copy_from_user: - Copy a block of data from user space.
10009 + * @to: Destination address, in kernel space.
10010 + * @from: Source address, in user space.
10011 + * @n: Number of bytes to copy.
10013 + * Context: User context only. This function may sleep.
10015 + * Copy data from user space to kernel space.
10017 + * Returns number of bytes that could not be copied.
10018 + * On success, this will be zero.
10020 + * If some data could not be copied, this function will pad the copied
10021 + * data to the requested size using zero bytes.
10023 +static inline unsigned long __must_check
10024 +copy_from_user(void *to, const void __user *from, unsigned long n)
10026 int sz = __compiletime_object_size(to);
10028 - if (likely(sz == -1 || sz >= n))
10029 - n = _copy_from_user(to, from, n);
10031 + if (unlikely(sz != -1 && sz < n))
10032 copy_from_user_overflow();
10034 + else if (access_ok(VERIFY_READ, from, n))
10035 + n = __copy_from_user(to, from, n);
10036 + else if ((long)n > 0) {
10037 + if (!__builtin_constant_p(n))
10038 + check_object_size(to, n, false);
10039 + memset(to, 0, n);
10044 diff -urNp linux-2.6.38.6/arch/x86/include/asm/uaccess_64.h linux-2.6.38.6/arch/x86/include/asm/uaccess_64.h
10045 --- linux-2.6.38.6/arch/x86/include/asm/uaccess_64.h 2011-03-14 21:20:32.000000000 -0400
10046 +++ linux-2.6.38.6/arch/x86/include/asm/uaccess_64.h 2011-05-16 21:47:08.000000000 -0400
10048 #include <asm/alternative.h>
10049 #include <asm/cpufeature.h>
10050 #include <asm/page.h>
10051 +#include <asm/pgtable.h>
10053 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
10056 * Copy To/From Userspace
10057 @@ -37,26 +40,26 @@ copy_user_generic(void *to, const void *
10061 -__must_check unsigned long
10062 -_copy_to_user(void __user *to, const void *from, unsigned len);
10063 -__must_check unsigned long
10064 -_copy_from_user(void *to, const void __user *from, unsigned len);
10065 +static __always_inline __must_check unsigned long
10066 +__copy_to_user(void __user *to, const void *from, unsigned len);
10067 +static __always_inline __must_check unsigned long
10068 +__copy_from_user(void *to, const void __user *from, unsigned len);
10069 __must_check unsigned long
10070 copy_in_user(void __user *to, const void __user *from, unsigned len);
10072 static inline unsigned long __must_check copy_from_user(void *to,
10073 const void __user *from,
10077 - int sz = __compiletime_object_size(to);
10080 - if (likely(sz == -1 || sz >= n))
10081 - n = _copy_from_user(to, from, n);
10082 -#ifdef CONFIG_DEBUG_VM
10084 - WARN(1, "Buffer overflow detected!\n");
10087 + if (access_ok(VERIFY_READ, from, n))
10088 + n = __copy_from_user(to, from, n);
10089 + else if ((int)n > 0) {
10090 + if (!__builtin_constant_p(n))
10091 + check_object_size(to, n, false);
10092 + memset(to, 0, n);
10097 @@ -65,110 +68,198 @@ int copy_to_user(void __user *dst, const
10101 - return _copy_to_user(dst, src, size);
10102 + if (access_ok(VERIFY_WRITE, dst, size))
10103 + size = __copy_to_user(dst, src, size);
10107 static __always_inline __must_check
10108 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
10109 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
10112 + int sz = __compiletime_object_size(dst);
10113 + unsigned ret = 0;
10116 - if (!__builtin_constant_p(size))
10117 - return copy_user_generic(dst, (__force void *)src, size);
10119 + pax_track_stack();
10121 + if ((int)size < 0)
10124 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10125 + if (!__access_ok(VERIFY_READ, src, size))
10129 + if (unlikely(sz != -1 && sz < size)) {
10130 +#ifdef CONFIG_DEBUG_VM
10131 + WARN(1, "Buffer overflow detected!\n");
10136 + if (!__builtin_constant_p(size)) {
10137 + check_object_size(dst, size, false);
10139 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10140 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10141 + src += PAX_USER_SHADOW_BASE;
10144 + return copy_user_generic(dst, (__force const void *)src, size);
10147 - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
10148 + case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
10149 ret, "b", "b", "=q", 1);
10151 - case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
10152 + case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
10153 ret, "w", "w", "=r", 2);
10155 - case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
10156 + case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
10157 ret, "l", "k", "=r", 4);
10159 - case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
10160 + case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
10161 ret, "q", "", "=r", 8);
10164 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
10165 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
10166 ret, "q", "", "=r", 10);
10169 __get_user_asm(*(u16 *)(8 + (char *)dst),
10170 - (u16 __user *)(8 + (char __user *)src),
10171 + (const u16 __user *)(8 + (const char __user *)src),
10172 ret, "w", "w", "=r", 2);
10175 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
10176 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
10177 ret, "q", "", "=r", 16);
10180 __get_user_asm(*(u64 *)(8 + (char *)dst),
10181 - (u64 __user *)(8 + (char __user *)src),
10182 + (const u64 __user *)(8 + (const char __user *)src),
10183 ret, "q", "", "=r", 8);
10186 - return copy_user_generic(dst, (__force void *)src, size);
10188 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10189 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10190 + src += PAX_USER_SHADOW_BASE;
10193 + return copy_user_generic(dst, (__force const void *)src, size);
10197 static __always_inline __must_check
10198 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
10199 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
10202 + int sz = __compiletime_object_size(src);
10203 + unsigned ret = 0;
10206 - if (!__builtin_constant_p(size))
10208 + pax_track_stack();
10210 + if ((int)size < 0)
10213 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10214 + if (!__access_ok(VERIFY_WRITE, dst, size))
10218 + if (unlikely(sz != -1 && sz < size)) {
10219 +#ifdef CONFIG_DEBUG_VM
10220 + WARN(1, "Buffer overflow detected!\n");
10225 + if (!__builtin_constant_p(size)) {
10226 + check_object_size(src, size, true);
10228 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10229 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10230 + dst += PAX_USER_SHADOW_BASE;
10233 return copy_user_generic((__force void *)dst, src, size);
10236 - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
10237 + case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
10238 ret, "b", "b", "iq", 1);
10240 - case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
10241 + case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
10242 ret, "w", "w", "ir", 2);
10244 - case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
10245 + case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
10246 ret, "l", "k", "ir", 4);
10248 - case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
10249 + case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
10250 ret, "q", "", "er", 8);
10253 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
10254 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
10255 ret, "q", "", "er", 10);
10258 asm("":::"memory");
10259 - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
10260 + __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
10261 ret, "w", "w", "ir", 2);
10264 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
10265 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
10266 ret, "q", "", "er", 16);
10269 asm("":::"memory");
10270 - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
10271 + __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
10272 ret, "q", "", "er", 8);
10276 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10277 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10278 + dst += PAX_USER_SHADOW_BASE;
10281 return copy_user_generic((__force void *)dst, src, size);
10285 static __always_inline __must_check
10286 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
10287 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
10290 + unsigned ret = 0;
10293 - if (!__builtin_constant_p(size))
10295 + if ((int)size < 0)
10298 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10299 + if (!__access_ok(VERIFY_READ, src, size))
10301 + if (!__access_ok(VERIFY_WRITE, dst, size))
10305 + if (!__builtin_constant_p(size)) {
10307 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10308 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10309 + src += PAX_USER_SHADOW_BASE;
10310 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10311 + dst += PAX_USER_SHADOW_BASE;
10314 return copy_user_generic((__force void *)dst,
10315 - (__force void *)src, size);
10316 + (__force const void *)src, size);
10321 - __get_user_asm(tmp, (u8 __user *)src,
10322 + __get_user_asm(tmp, (const u8 __user *)src,
10323 ret, "b", "b", "=q", 1);
10325 __put_user_asm(tmp, (u8 __user *)dst,
10326 @@ -177,7 +268,7 @@ int __copy_in_user(void __user *dst, con
10330 - __get_user_asm(tmp, (u16 __user *)src,
10331 + __get_user_asm(tmp, (const u16 __user *)src,
10332 ret, "w", "w", "=r", 2);
10334 __put_user_asm(tmp, (u16 __user *)dst,
10335 @@ -187,7 +278,7 @@ int __copy_in_user(void __user *dst, con
10339 - __get_user_asm(tmp, (u32 __user *)src,
10340 + __get_user_asm(tmp, (const u32 __user *)src,
10341 ret, "l", "k", "=r", 4);
10343 __put_user_asm(tmp, (u32 __user *)dst,
10344 @@ -196,7 +287,7 @@ int __copy_in_user(void __user *dst, con
10348 - __get_user_asm(tmp, (u64 __user *)src,
10349 + __get_user_asm(tmp, (const u64 __user *)src,
10350 ret, "q", "", "=r", 8);
10352 __put_user_asm(tmp, (u64 __user *)dst,
10353 @@ -204,8 +295,16 @@ int __copy_in_user(void __user *dst, con
10358 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10359 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10360 + src += PAX_USER_SHADOW_BASE;
10361 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10362 + dst += PAX_USER_SHADOW_BASE;
10365 return copy_user_generic((__force void *)dst,
10366 - (__force void *)src, size);
10367 + (__force const void *)src, size);
10371 @@ -222,33 +321,72 @@ __must_check unsigned long __clear_user(
10372 static __must_check __always_inline int
10373 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
10375 + pax_track_stack();
10377 + if ((int)size < 0)
10380 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10381 + if (!__access_ok(VERIFY_READ, src, size))
10384 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10385 + src += PAX_USER_SHADOW_BASE;
10388 return copy_user_generic(dst, (__force const void *)src, size);
10391 -static __must_check __always_inline int
10392 +static __must_check __always_inline unsigned long
10393 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
10395 + if ((int)size < 0)
10398 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10399 + if (!__access_ok(VERIFY_WRITE, dst, size))
10402 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10403 + dst += PAX_USER_SHADOW_BASE;
10406 return copy_user_generic((__force void *)dst, src, size);
10409 -extern long __copy_user_nocache(void *dst, const void __user *src,
10410 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
10411 unsigned size, int zerorest);
10414 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
10415 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
10419 + if ((int)size < 0)
10422 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10423 + if (!__access_ok(VERIFY_READ, src, size))
10427 return __copy_user_nocache(dst, src, size, 1);
10431 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
10432 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
10435 + if ((int)size < 0)
10438 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10439 + if (!__access_ok(VERIFY_READ, src, size))
10443 return __copy_user_nocache(dst, src, size, 0);
10447 +extern unsigned long
10448 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
10450 #endif /* _ASM_X86_UACCESS_64_H */
10451 diff -urNp linux-2.6.38.6/arch/x86/include/asm/uaccess.h linux-2.6.38.6/arch/x86/include/asm/uaccess.h
10452 --- linux-2.6.38.6/arch/x86/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
10453 +++ linux-2.6.38.6/arch/x86/include/asm/uaccess.h 2011-04-28 19:34:14.000000000 -0400
10455 #include <linux/thread_info.h>
10456 #include <linux/prefetch.h>
10457 #include <linux/string.h>
10458 +#include <linux/sched.h>
10459 #include <asm/asm.h>
10460 #include <asm/page.h>
10462 #define VERIFY_READ 0
10463 #define VERIFY_WRITE 1
10465 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
10468 * The fs value determines whether argument validity checking should be
10469 * performed or not. If get_fs() == USER_DS, checking is performed, with
10472 #define get_ds() (KERNEL_DS)
10473 #define get_fs() (current_thread_info()->addr_limit)
10474 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
10475 +void __set_fs(mm_segment_t x);
10476 +void set_fs(mm_segment_t x);
10478 #define set_fs(x) (current_thread_info()->addr_limit = (x))
10481 #define segment_eq(a, b) ((a).seg == (b).seg)
10484 * checks that the pointer is in the user space range - after calling
10485 * this function, memory access functions may still return -EFAULT.
10487 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
10488 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
10489 +#define access_ok(type, addr, size) \
10491 + long __size = size; \
10492 + unsigned long __addr = (unsigned long)addr; \
10493 + unsigned long __addr_ao = __addr & PAGE_MASK; \
10494 + unsigned long __end_ao = __addr + __size - 1; \
10495 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
10496 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
10497 + while(__addr_ao <= __end_ao) { \
10499 + __addr_ao += PAGE_SIZE; \
10500 + if (__size > PAGE_SIZE) \
10501 + cond_resched(); \
10502 + if (__get_user(__c_ao, (char __user *)__addr)) \
10504 + if (type != VERIFY_WRITE) { \
10505 + __addr = __addr_ao; \
10508 + if (__put_user(__c_ao, (char __user *)__addr)) \
10510 + __addr = __addr_ao; \
10517 * The exception table consists of pairs of addresses: the first is the
10518 @@ -183,12 +217,20 @@ extern int __get_user_bad(void);
10519 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
10520 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
10523 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
10524 +#define __copyuser_seg "gs;"
10525 +#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
10526 +#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
10528 +#define __copyuser_seg
10529 +#define __COPYUSER_SET_ES
10530 +#define __COPYUSER_RESTORE_ES
10533 #ifdef CONFIG_X86_32
10534 #define __put_user_asm_u64(x, addr, err, errret) \
10535 - asm volatile("1: movl %%eax,0(%2)\n" \
10536 - "2: movl %%edx,4(%2)\n" \
10537 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%2)\n" \
10538 + "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
10540 ".section .fixup,\"ax\"\n" \
10541 "4: movl %3,%0\n" \
10542 @@ -200,8 +242,8 @@ extern int __get_user_bad(void);
10543 : "A" (x), "r" (addr), "i" (errret), "0" (err))
10545 #define __put_user_asm_ex_u64(x, addr) \
10546 - asm volatile("1: movl %%eax,0(%1)\n" \
10547 - "2: movl %%edx,4(%1)\n" \
10548 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%1)\n" \
10549 + "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
10551 _ASM_EXTABLE(1b, 2b - 1b) \
10552 _ASM_EXTABLE(2b, 3b - 2b) \
10553 @@ -374,7 +416,7 @@ do { \
10556 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
10557 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
10558 + asm volatile("1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
10560 ".section .fixup,\"ax\"\n" \
10562 @@ -382,7 +424,7 @@ do { \
10565 _ASM_EXTABLE(1b, 3b) \
10566 - : "=r" (err), ltype(x) \
10567 + : "=r" (err), ltype (x) \
10568 : "m" (__m(addr)), "i" (errret), "0" (err))
10570 #define __get_user_size_ex(x, ptr, size) \
10571 @@ -407,7 +449,7 @@ do { \
10574 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
10575 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
10576 + asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
10578 _ASM_EXTABLE(1b, 2b - 1b) \
10579 : ltype(x) : "m" (__m(addr)))
10580 @@ -424,13 +466,24 @@ do { \
10582 unsigned long __gu_val; \
10583 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
10584 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
10585 + (x) = (__typeof__(*(ptr)))__gu_val; \
10589 /* FIXME: this hack is definitely wrong -AK */
10590 struct __large_struct { unsigned long buf[100]; };
10591 -#define __m(x) (*(struct __large_struct __user *)(x))
10592 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10593 +#define ____m(x) \
10595 + unsigned long ____x = (unsigned long)(x); \
10596 + if (____x < PAX_USER_SHADOW_BASE) \
10597 + ____x += PAX_USER_SHADOW_BASE; \
10598 + (void __user *)____x; \
10601 +#define ____m(x) (x)
10603 +#define __m(x) (*(struct __large_struct __user *)____m(x))
10606 * Tell gcc we read from memory instead of writing: this is because
10607 @@ -438,7 +491,7 @@ struct __large_struct { unsigned long bu
10610 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
10611 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
10612 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
10614 ".section .fixup,\"ax\"\n" \
10616 @@ -446,10 +499,10 @@ struct __large_struct { unsigned long bu
10618 _ASM_EXTABLE(1b, 3b) \
10620 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
10621 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
10623 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
10624 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
10625 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
10627 _ASM_EXTABLE(1b, 2b - 1b) \
10628 : : ltype(x), "m" (__m(addr)))
10629 @@ -488,8 +541,12 @@ struct __large_struct { unsigned long bu
10630 * On error, the variable @x is set to zero.
10633 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10634 +#define __get_user(x, ptr) get_user((x), (ptr))
10636 #define __get_user(x, ptr) \
10637 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
10641 * __put_user: - Write a simple value into user space, with less checking.
10642 @@ -511,8 +568,12 @@ struct __large_struct { unsigned long bu
10643 * Returns zero on success, or -EFAULT on error.
10646 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10647 +#define __put_user(x, ptr) put_user((x), (ptr))
10649 #define __put_user(x, ptr) \
10650 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
10653 #define __get_user_unaligned __get_user
10654 #define __put_user_unaligned __put_user
10655 @@ -530,7 +591,7 @@ struct __large_struct { unsigned long bu
10656 #define get_user_ex(x, ptr) do { \
10657 unsigned long __gue_val; \
10658 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
10659 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
10660 + (x) = (__typeof__(*(ptr)))__gue_val; \
10663 #ifdef CONFIG_X86_WP_WORKS_OK
10664 @@ -567,6 +628,7 @@ extern struct movsl_mask {
10666 #define ARCH_HAS_NOCACHE_UACCESS 1
10668 +#define ARCH_HAS_SORT_EXTABLE
10669 #ifdef CONFIG_X86_32
10670 # include "uaccess_32.h"
10672 diff -urNp linux-2.6.38.6/arch/x86/include/asm/vgtod.h linux-2.6.38.6/arch/x86/include/asm/vgtod.h
10673 --- linux-2.6.38.6/arch/x86/include/asm/vgtod.h 2011-03-14 21:20:32.000000000 -0400
10674 +++ linux-2.6.38.6/arch/x86/include/asm/vgtod.h 2011-04-28 19:34:14.000000000 -0400
10675 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
10676 int sysctl_enabled;
10677 struct timezone sys_tz;
10678 struct { /* extract of a clocksource struct */
10680 cycle_t (*vread)(void);
10681 cycle_t cycle_last;
10683 diff -urNp linux-2.6.38.6/arch/x86/include/asm/vsyscall.h linux-2.6.38.6/arch/x86/include/asm/vsyscall.h
10684 --- linux-2.6.38.6/arch/x86/include/asm/vsyscall.h 2011-03-14 21:20:32.000000000 -0400
10685 +++ linux-2.6.38.6/arch/x86/include/asm/vsyscall.h 2011-04-28 19:34:14.000000000 -0400
10686 @@ -15,9 +15,10 @@ enum vsyscall_num {
10689 #include <linux/seqlock.h>
10690 +#include <linux/getcpu.h>
10691 +#include <linux/time.h>
10693 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
10694 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
10696 /* Definitions for CONFIG_GENERIC_TIME definitions */
10697 #define __section_vsyscall_gtod_data __attribute__ \
10698 @@ -31,7 +32,6 @@ enum vsyscall_num {
10699 #define VGETCPU_LSL 2
10701 extern int __vgetcpu_mode;
10702 -extern volatile unsigned long __jiffies;
10704 /* kernel space (writeable) */
10705 extern int vgetcpu_mode;
10706 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
10708 extern void map_vsyscall(void);
10710 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
10711 +extern time_t vtime(time_t *t);
10712 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
10713 #endif /* __KERNEL__ */
10715 #endif /* _ASM_X86_VSYSCALL_H */
10716 diff -urNp linux-2.6.38.6/arch/x86/include/asm/xsave.h linux-2.6.38.6/arch/x86/include/asm/xsave.h
10717 --- linux-2.6.38.6/arch/x86/include/asm/xsave.h 2011-03-14 21:20:32.000000000 -0400
10718 +++ linux-2.6.38.6/arch/x86/include/asm/xsave.h 2011-04-28 19:34:14.000000000 -0400
10719 @@ -65,6 +65,11 @@ static inline int xsave_user(struct xsav
10723 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10724 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
10725 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
10729 * Clear the xsave header first, so that reserved fields are
10730 * initialized to zero.
10731 @@ -100,6 +105,11 @@ static inline int xrestore_user(struct x
10733 u32 hmask = mask >> 32;
10735 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10736 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
10737 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
10740 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
10742 ".section .fixup,\"ax\"\n"
10743 diff -urNp linux-2.6.38.6/arch/x86/Kconfig linux-2.6.38.6/arch/x86/Kconfig
10744 --- linux-2.6.38.6/arch/x86/Kconfig 2011-03-14 21:20:32.000000000 -0400
10745 +++ linux-2.6.38.6/arch/x86/Kconfig 2011-04-28 19:34:14.000000000 -0400
10746 @@ -223,7 +223,7 @@ config X86_TRAMPOLINE
10748 config X86_32_LAZY_GS
10750 - depends on X86_32 && !CC_STACKPROTECTOR
10751 + depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
10753 config ARCH_HWEIGHT_CFLAGS
10755 @@ -1019,7 +1019,7 @@ choice
10759 - depends on !X86_NUMAQ
10760 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10762 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
10763 However, the address space of 32-bit x86 processors is only 4
10764 @@ -1056,7 +1056,7 @@ config NOHIGHMEM
10768 - depends on !X86_NUMAQ
10769 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10771 Select this if you have a 32-bit processor and between 1 and 4
10772 gigabytes of physical RAM.
10773 @@ -1110,7 +1110,7 @@ config PAGE_OFFSET
10775 default 0xB0000000 if VMSPLIT_3G_OPT
10776 default 0x80000000 if VMSPLIT_2G
10777 - default 0x78000000 if VMSPLIT_2G_OPT
10778 + default 0x70000000 if VMSPLIT_2G_OPT
10779 default 0x40000000 if VMSPLIT_1G
10782 @@ -1454,7 +1454,7 @@ config ARCH_USES_PG_UNCACHED
10785 bool "EFI runtime service support"
10787 + depends on ACPI && !PAX_KERNEXEC
10789 This enables the kernel to use EFI runtime services that are
10790 available (such as the EFI variable services).
10791 @@ -1484,6 +1484,7 @@ config SECCOMP
10793 config CC_STACKPROTECTOR
10794 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
10795 + depends on X86_64 || !PAX_MEMORY_UDEREF
10797 This option turns on the -fstack-protector GCC feature. This
10798 feature puts, at the beginning of functions, a canary value on
10799 @@ -1541,6 +1542,7 @@ config KEXEC_JUMP
10800 config PHYSICAL_START
10801 hex "Physical address where the kernel is loaded" if (EXPERT || CRASH_DUMP)
10802 default "0x1000000"
10803 + range 0x400000 0x40000000
10805 This gives the physical address where the kernel is loaded.
10807 @@ -1604,6 +1606,7 @@ config X86_NEED_RELOCS
10808 config PHYSICAL_ALIGN
10809 hex "Alignment value to which kernel should be aligned" if X86_32
10810 default "0x1000000"
10811 + range 0x400000 0x1000000 if PAX_KERNEXEC
10812 range 0x2000 0x1000000
10814 This value puts the alignment restrictions on physical address
10815 @@ -1635,9 +1638,10 @@ config HOTPLUG_CPU
10816 Say N if you want to disable CPU hotplug.
10821 prompt "Compat VDSO support"
10822 depends on X86_32 || IA32_EMULATION
10823 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
10825 Map the 32-bit VDSO to the predictable old-style address too.
10827 diff -urNp linux-2.6.38.6/arch/x86/Kconfig.cpu linux-2.6.38.6/arch/x86/Kconfig.cpu
10828 --- linux-2.6.38.6/arch/x86/Kconfig.cpu 2011-03-14 21:20:32.000000000 -0400
10829 +++ linux-2.6.38.6/arch/x86/Kconfig.cpu 2011-04-28 19:34:14.000000000 -0400
10830 @@ -339,7 +339,7 @@ config X86_PPRO_FENCE
10832 config X86_F00F_BUG
10834 - depends on M586MMX || M586TSC || M586 || M486 || M386
10835 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
10837 config X86_INVD_BUG
10839 @@ -363,7 +363,7 @@ config X86_POPAD_OK
10841 config X86_ALIGNMENT_16
10843 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10844 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10846 config X86_INTEL_USERCOPY
10848 @@ -409,7 +409,7 @@ config X86_CMPXCHG64
10852 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10853 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10855 config X86_MINIMUM_CPU_FAMILY
10857 diff -urNp linux-2.6.38.6/arch/x86/Kconfig.debug linux-2.6.38.6/arch/x86/Kconfig.debug
10858 --- linux-2.6.38.6/arch/x86/Kconfig.debug 2011-03-14 21:20:32.000000000 -0400
10859 +++ linux-2.6.38.6/arch/x86/Kconfig.debug 2011-04-28 19:34:14.000000000 -0400
10860 @@ -101,7 +101,7 @@ config X86_PTDUMP
10861 config DEBUG_RODATA
10862 bool "Write protect kernel read-only data structures"
10864 - depends on DEBUG_KERNEL
10865 + depends on DEBUG_KERNEL && BROKEN
10867 Mark the kernel read-only data as write-protected in the pagetables,
10868 in order to catch accidental (and incorrect) writes to such const
10869 @@ -119,7 +119,7 @@ config DEBUG_RODATA_TEST
10871 config DEBUG_SET_MODULE_RONX
10872 bool "Set loadable kernel module data as NX and text as RO"
10873 - depends on MODULES
10874 + depends on MODULES && BROKEN
10876 This option helps catch unintended modifications to loadable
10877 kernel module's text and read-only data. It also prevents execution
10878 diff -urNp linux-2.6.38.6/arch/x86/kernel/acpi/sleep.c linux-2.6.38.6/arch/x86/kernel/acpi/sleep.c
10879 --- linux-2.6.38.6/arch/x86/kernel/acpi/sleep.c 2011-03-14 21:20:32.000000000 -0400
10880 +++ linux-2.6.38.6/arch/x86/kernel/acpi/sleep.c 2011-04-28 19:34:14.000000000 -0400
10882 #include "realmode/wakeup.h"
10885 -unsigned long acpi_wakeup_address;
10886 +unsigned long acpi_wakeup_address = 0x2000;
10887 unsigned long acpi_realmode_flags;
10889 /* address in low memory of the wakeup routine. */
10890 @@ -99,8 +99,12 @@ int acpi_save_state_mem(void)
10891 header->trampoline_segment = setup_trampoline() >> 4;
10893 stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
10895 + pax_open_kernel();
10896 early_gdt_descr.address =
10897 (unsigned long)get_cpu_gdt_table(smp_processor_id());
10898 + pax_close_kernel();
10900 initial_gs = per_cpu_offset(smp_processor_id());
10902 initial_code = (unsigned long)wakeup_long64;
10903 diff -urNp linux-2.6.38.6/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.38.6/arch/x86/kernel/acpi/wakeup_32.S
10904 --- linux-2.6.38.6/arch/x86/kernel/acpi/wakeup_32.S 2011-03-14 21:20:32.000000000 -0400
10905 +++ linux-2.6.38.6/arch/x86/kernel/acpi/wakeup_32.S 2011-04-28 19:34:14.000000000 -0400
10906 @@ -30,13 +30,11 @@ wakeup_pmode_return:
10907 # and restore the stack ... but you need gdt for this to work
10908 movl saved_context_esp, %esp
10910 - movl %cs:saved_magic, %eax
10911 - cmpl $0x12345678, %eax
10912 + cmpl $0x12345678, saved_magic
10915 # jump to place where we left off
10916 - movl saved_eip, %eax
10922 diff -urNp linux-2.6.38.6/arch/x86/kernel/alternative.c linux-2.6.38.6/arch/x86/kernel/alternative.c
10923 --- linux-2.6.38.6/arch/x86/kernel/alternative.c 2011-04-18 17:27:13.000000000 -0400
10924 +++ linux-2.6.38.6/arch/x86/kernel/alternative.c 2011-04-28 19:34:14.000000000 -0400
10925 @@ -248,7 +248,7 @@ static void alternatives_smp_lock(const
10926 if (!*poff || ptr < text || ptr >= text_end)
10928 /* turn DS segment override prefix into lock prefix */
10929 - if (*ptr == 0x3e)
10930 + if (*ktla_ktva(ptr) == 0x3e)
10931 text_poke(ptr, ((unsigned char []){0xf0}), 1);
10933 mutex_unlock(&text_mutex);
10934 @@ -269,7 +269,7 @@ static void alternatives_smp_unlock(cons
10935 if (!*poff || ptr < text || ptr >= text_end)
10937 /* turn lock prefix into DS segment override prefix */
10938 - if (*ptr == 0xf0)
10939 + if (*ktla_ktva(ptr) == 0xf0)
10940 text_poke(ptr, ((unsigned char []){0x3E}), 1);
10942 mutex_unlock(&text_mutex);
10943 @@ -438,7 +438,7 @@ void __init_or_module apply_paravirt(str
10945 BUG_ON(p->len > MAX_PATCH_LEN);
10946 /* prep the buffer with the original instructions */
10947 - memcpy(insnbuf, p->instr, p->len);
10948 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
10949 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
10950 (unsigned long)p->instr, p->len);
10952 @@ -506,7 +506,7 @@ void __init alternative_instructions(voi
10954 free_init_pages("SMP alternatives",
10955 (unsigned long)__smp_locks,
10956 - (unsigned long)__smp_locks_end);
10957 + PAGE_ALIGN((unsigned long)__smp_locks_end));
10961 @@ -523,13 +523,17 @@ void __init alternative_instructions(voi
10962 * instructions. And on the local CPU you need to be protected again NMI or MCE
10963 * handlers seeing an inconsistent instruction while you patch.
10965 -void *__init_or_module text_poke_early(void *addr, const void *opcode,
10966 +void *__kprobes text_poke_early(void *addr, const void *opcode,
10969 unsigned long flags;
10970 local_irq_save(flags);
10971 - memcpy(addr, opcode, len);
10973 + pax_open_kernel();
10974 + memcpy(ktla_ktva(addr), opcode, len);
10976 + pax_close_kernel();
10978 local_irq_restore(flags);
10979 /* Could also do a CLFLUSH here to speed up CPU recovery; but
10980 that causes hangs on some VIA CPUs. */
10981 @@ -551,36 +555,22 @@ void *__init_or_module text_poke_early(v
10983 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
10985 - unsigned long flags;
10987 + unsigned char *vaddr = ktla_ktva(addr);
10988 struct page *pages[2];
10992 if (!core_kernel_text((unsigned long)addr)) {
10993 - pages[0] = vmalloc_to_page(addr);
10994 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
10995 + pages[0] = vmalloc_to_page(vaddr);
10996 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
10998 - pages[0] = virt_to_page(addr);
10999 + pages[0] = virt_to_page(vaddr);
11000 WARN_ON(!PageReserved(pages[0]));
11001 - pages[1] = virt_to_page(addr + PAGE_SIZE);
11002 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
11005 - local_irq_save(flags);
11006 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
11008 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
11009 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
11010 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
11011 - clear_fixmap(FIX_TEXT_POKE0);
11013 - clear_fixmap(FIX_TEXT_POKE1);
11014 - local_flush_tlb();
11016 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
11017 - that causes hangs on some VIA CPUs. */
11018 + text_poke_early(addr, opcode, len);
11019 for (i = 0; i < len; i++)
11020 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
11021 - local_irq_restore(flags);
11022 + BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
11026 @@ -682,9 +672,9 @@ void __kprobes text_poke_smp_batch(struc
11027 #if defined(CONFIG_DYNAMIC_FTRACE) || defined(HAVE_JUMP_LABEL)
11029 #ifdef CONFIG_X86_64
11030 -unsigned char ideal_nop5[5] = { 0x66, 0x66, 0x66, 0x66, 0x90 };
11031 +unsigned char ideal_nop5[5] __read_only = { 0x66, 0x66, 0x66, 0x66, 0x90 };
11033 -unsigned char ideal_nop5[5] = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
11034 +unsigned char ideal_nop5[5] __read_only = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
11037 void __init arch_init_ideal_nop5(void)
11038 diff -urNp linux-2.6.38.6/arch/x86/kernel/amd_iommu.c linux-2.6.38.6/arch/x86/kernel/amd_iommu.c
11039 --- linux-2.6.38.6/arch/x86/kernel/amd_iommu.c 2011-03-14 21:20:32.000000000 -0400
11040 +++ linux-2.6.38.6/arch/x86/kernel/amd_iommu.c 2011-04-28 19:34:14.000000000 -0400
11041 @@ -2286,7 +2286,7 @@ static void prealloc_protection_domains(
11045 -static struct dma_map_ops amd_iommu_dma_ops = {
11046 +static const struct dma_map_ops amd_iommu_dma_ops = {
11047 .alloc_coherent = alloc_coherent,
11048 .free_coherent = free_coherent,
11049 .map_page = map_page,
11050 diff -urNp linux-2.6.38.6/arch/x86/kernel/apic/apic.c linux-2.6.38.6/arch/x86/kernel/apic/apic.c
11051 --- linux-2.6.38.6/arch/x86/kernel/apic/apic.c 2011-03-14 21:20:32.000000000 -0400
11052 +++ linux-2.6.38.6/arch/x86/kernel/apic/apic.c 2011-05-16 21:47:08.000000000 -0400
11053 @@ -1819,7 +1819,7 @@ void smp_error_interrupt(struct pt_regs
11054 apic_write(APIC_ESR, 0);
11055 v1 = apic_read(APIC_ESR);
11057 - atomic_inc(&irq_err_count);
11058 + atomic_inc_unchecked(&irq_err_count);
11061 * Here is what the APIC error bits mean:
11062 @@ -2209,6 +2209,8 @@ static int __cpuinit apic_cluster_num(vo
11063 u16 *bios_cpu_apicid;
11064 DECLARE_BITMAP(clustermap, NUM_APIC_CLUSTERS);
11066 + pax_track_stack();
11068 bios_cpu_apicid = early_per_cpu_ptr(x86_bios_cpu_apicid);
11069 bitmap_zero(clustermap, NUM_APIC_CLUSTERS);
11071 diff -urNp linux-2.6.38.6/arch/x86/kernel/apic/io_apic.c linux-2.6.38.6/arch/x86/kernel/apic/io_apic.c
11072 --- linux-2.6.38.6/arch/x86/kernel/apic/io_apic.c 2011-03-14 21:20:32.000000000 -0400
11073 +++ linux-2.6.38.6/arch/x86/kernel/apic/io_apic.c 2011-04-28 19:57:25.000000000 -0400
11074 @@ -617,7 +617,7 @@ struct IO_APIC_route_entry **alloc_ioapi
11075 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
11077 if (!ioapic_entries)
11081 for (apic = 0; apic < nr_ioapics; apic++) {
11082 ioapic_entries[apic] =
11083 @@ -634,7 +634,7 @@ nomem:
11084 kfree(ioapic_entries[apic]);
11085 kfree(ioapic_entries);
11092 @@ -1044,7 +1044,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
11094 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
11096 -void lock_vector_lock(void)
11097 +void lock_vector_lock(void) __acquires(vector_lock)
11099 /* Used to the online set of cpus does not change
11100 * during assign_irq_vector.
11101 @@ -1052,7 +1052,7 @@ void lock_vector_lock(void)
11102 raw_spin_lock(&vector_lock);
11105 -void unlock_vector_lock(void)
11106 +void unlock_vector_lock(void) __releases(vector_lock)
11108 raw_spin_unlock(&vector_lock);
11110 @@ -2409,7 +2409,7 @@ static void ack_apic_edge(struct irq_dat
11114 -atomic_t irq_mis_count;
11115 +atomic_unchecked_t irq_mis_count;
11118 * IO-APIC versions below 0x20 don't support EOI register.
11119 @@ -2517,7 +2517,7 @@ static void ack_apic_level(struct irq_da
11122 if (!(v & (1 << (i & 0x1f)))) {
11123 - atomic_inc(&irq_mis_count);
11124 + atomic_inc_unchecked(&irq_mis_count);
11126 eoi_ioapic_irq(irq, cfg);
11128 diff -urNp linux-2.6.38.6/arch/x86/kernel/apm_32.c linux-2.6.38.6/arch/x86/kernel/apm_32.c
11129 --- linux-2.6.38.6/arch/x86/kernel/apm_32.c 2011-03-14 21:20:32.000000000 -0400
11130 +++ linux-2.6.38.6/arch/x86/kernel/apm_32.c 2011-04-28 19:34:14.000000000 -0400
11131 @@ -410,7 +410,7 @@ static DEFINE_MUTEX(apm_mutex);
11132 * This is for buggy BIOS's that refer to (real mode) segment 0x40
11133 * even though they are called in protected mode.
11135 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
11136 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
11137 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
11139 static const char driver_version[] = "1.16ac"; /* no spaces */
11140 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
11142 gdt = get_cpu_gdt_table(cpu);
11143 save_desc_40 = gdt[0x40 / 8];
11145 + pax_open_kernel();
11146 gdt[0x40 / 8] = bad_bios_desc;
11147 + pax_close_kernel();
11149 apm_irq_save(flags);
11151 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
11153 APM_DO_RESTORE_SEGS;
11154 apm_irq_restore(flags);
11156 + pax_open_kernel();
11157 gdt[0x40 / 8] = save_desc_40;
11158 + pax_close_kernel();
11162 return call->eax & 0xff;
11163 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
11165 gdt = get_cpu_gdt_table(cpu);
11166 save_desc_40 = gdt[0x40 / 8];
11168 + pax_open_kernel();
11169 gdt[0x40 / 8] = bad_bios_desc;
11170 + pax_close_kernel();
11172 apm_irq_save(flags);
11174 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
11176 APM_DO_RESTORE_SEGS;
11177 apm_irq_restore(flags);
11179 + pax_open_kernel();
11180 gdt[0x40 / 8] = save_desc_40;
11181 + pax_close_kernel();
11186 @@ -975,7 +989,7 @@ recalc:
11188 static void apm_power_off(void)
11190 - unsigned char po_bios_call[] = {
11191 + const unsigned char po_bios_call[] = {
11192 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
11193 0x8e, 0xd0, /* movw ax,ss */
11194 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
11195 @@ -2356,12 +2370,15 @@ static int __init apm_init(void)
11196 * code to that CPU.
11198 gdt = get_cpu_gdt_table(0);
11200 + pax_open_kernel();
11201 set_desc_base(&gdt[APM_CS >> 3],
11202 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
11203 set_desc_base(&gdt[APM_CS_16 >> 3],
11204 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
11205 set_desc_base(&gdt[APM_DS >> 3],
11206 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
11207 + pax_close_kernel();
11209 proc_create("apm", 0, NULL, &apm_file_ops);
11211 diff -urNp linux-2.6.38.6/arch/x86/kernel/asm-offsets_32.c linux-2.6.38.6/arch/x86/kernel/asm-offsets_32.c
11212 --- linux-2.6.38.6/arch/x86/kernel/asm-offsets_32.c 2011-03-14 21:20:32.000000000 -0400
11213 +++ linux-2.6.38.6/arch/x86/kernel/asm-offsets_32.c 2011-05-16 21:47:08.000000000 -0400
11214 @@ -51,7 +51,6 @@ void foo(void)
11215 OFFSET(CPUINFO_x86_vendor_id, cpuinfo_x86, x86_vendor_id);
11218 - OFFSET(TI_task, thread_info, task);
11219 OFFSET(TI_exec_domain, thread_info, exec_domain);
11220 OFFSET(TI_flags, thread_info, flags);
11221 OFFSET(TI_status, thread_info, status);
11222 @@ -60,6 +59,8 @@ void foo(void)
11223 OFFSET(TI_restart_block, thread_info, restart_block);
11224 OFFSET(TI_sysenter_return, thread_info, sysenter_return);
11225 OFFSET(TI_cpu, thread_info, cpu);
11226 + OFFSET(TI_lowest_stack, thread_info, lowest_stack);
11227 + DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
11230 OFFSET(GDS_size, desc_ptr, size);
11231 @@ -113,6 +114,11 @@ void foo(void)
11232 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
11233 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
11234 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
11236 +#ifdef CONFIG_PAX_KERNEXEC
11237 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
11243 diff -urNp linux-2.6.38.6/arch/x86/kernel/asm-offsets_64.c linux-2.6.38.6/arch/x86/kernel/asm-offsets_64.c
11244 --- linux-2.6.38.6/arch/x86/kernel/asm-offsets_64.c 2011-03-14 21:20:32.000000000 -0400
11245 +++ linux-2.6.38.6/arch/x86/kernel/asm-offsets_64.c 2011-05-16 21:47:08.000000000 -0400
11246 @@ -44,6 +44,8 @@ int main(void)
11248 ENTRY(preempt_count);
11250 + ENTRY(lowest_stack);
11251 + DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
11252 #ifdef CONFIG_IA32_EMULATION
11253 ENTRY(sysenter_return);
11255 @@ -63,6 +65,18 @@ int main(void)
11256 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
11257 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
11258 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
11260 +#ifdef CONFIG_PAX_KERNEXEC
11261 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
11262 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
11265 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11266 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
11267 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
11268 + OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
11274 @@ -115,6 +129,7 @@ int main(void)
11278 + DEFINE(TSS_size, sizeof(struct tss_struct));
11279 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
11281 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
11282 @@ -130,6 +145,7 @@ int main(void)
11285 DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
11286 + DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
11289 OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
11290 diff -urNp linux-2.6.38.6/arch/x86/kernel/cpu/amd.c linux-2.6.38.6/arch/x86/kernel/cpu/amd.c
11291 --- linux-2.6.38.6/arch/x86/kernel/cpu/amd.c 2011-05-10 22:06:29.000000000 -0400
11292 +++ linux-2.6.38.6/arch/x86/kernel/cpu/amd.c 2011-05-10 22:08:57.000000000 -0400
11293 @@ -624,7 +624,7 @@ static unsigned int __cpuinit amd_size_c
11296 /* AMD errata T13 (order #21922) */
11297 - if ((c->x86 == 6)) {
11298 + if (c->x86 == 6) {
11300 if (c->x86_model == 3 && c->x86_mask == 0)
11302 diff -urNp linux-2.6.38.6/arch/x86/kernel/cpu/common.c linux-2.6.38.6/arch/x86/kernel/cpu/common.c
11303 --- linux-2.6.38.6/arch/x86/kernel/cpu/common.c 2011-03-14 21:20:32.000000000 -0400
11304 +++ linux-2.6.38.6/arch/x86/kernel/cpu/common.c 2011-05-11 18:34:57.000000000 -0400
11305 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
11307 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
11309 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
11310 -#ifdef CONFIG_X86_64
11312 - * We need valid kernel segments for data and code in long mode too
11313 - * IRET will check the segment types kkeil 2000/10/28
11314 - * Also sysret mandates a special GDT layout
11316 - * TLS descriptors are currently at a different place compared to i386.
11317 - * Hopefully nobody expects them at a fixed place (Wine?)
11319 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
11320 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
11321 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
11322 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
11323 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
11324 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
11326 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
11327 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
11328 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
11329 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
11331 - * Segments used for calling PnP BIOS have byte granularity.
11332 - * They code segments and data segments have fixed 64k limits,
11333 - * the transfer segment sizes are set at run time.
11335 - /* 32-bit code */
11336 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
11337 - /* 16-bit code */
11338 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
11339 - /* 16-bit data */
11340 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
11341 - /* 16-bit data */
11342 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
11343 - /* 16-bit data */
11344 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
11346 - * The APM segments have byte granularity and their bases
11347 - * are set at run time. All have 64k limits.
11349 - /* 32-bit code */
11350 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
11351 - /* 16-bit code */
11352 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
11354 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
11356 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
11357 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
11358 - GDT_STACK_CANARY_INIT
11361 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
11363 static int __init x86_xsave_setup(char *s)
11365 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
11366 @@ -352,7 +298,7 @@ void switch_to_new_gdt(int cpu)
11368 struct desc_ptr gdt_descr;
11370 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
11371 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
11372 gdt_descr.size = GDT_SIZE - 1;
11373 load_gdt(&gdt_descr);
11374 /* Reload the per-cpu base */
11375 @@ -825,6 +771,10 @@ static void __cpuinit identify_cpu(struc
11376 /* Filter out anything that depends on CPUID levels we don't have */
11377 filter_cpuid_features(c, true);
11379 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
11380 + setup_clear_cpu_cap(X86_FEATURE_SEP);
11383 /* If the model name is still unset, do table lookup. */
11384 if (!c->x86_model_id[0]) {
11386 @@ -1004,6 +954,9 @@ static __init int setup_disablecpuid(cha
11388 __setup("clearcpuid=", setup_disablecpuid);
11390 +DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
11391 +EXPORT_PER_CPU_SYMBOL(current_tinfo);
11393 #ifdef CONFIG_X86_64
11394 struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
11396 @@ -1019,7 +972,7 @@ DEFINE_PER_CPU(struct task_struct *, cur
11397 EXPORT_PER_CPU_SYMBOL(current_task);
11399 DEFINE_PER_CPU(unsigned long, kernel_stack) =
11400 - (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
11401 + (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
11402 EXPORT_PER_CPU_SYMBOL(kernel_stack);
11404 DEFINE_PER_CPU(char *, irq_stack_ptr) =
11405 @@ -1084,7 +1037,7 @@ struct pt_regs * __cpuinit idle_regs(str
11407 memset(regs, 0, sizeof(struct pt_regs));
11408 regs->fs = __KERNEL_PERCPU;
11409 - regs->gs = __KERNEL_STACK_CANARY;
11410 + savesegment(gs, regs->gs);
11414 @@ -1139,7 +1092,7 @@ void __cpuinit cpu_init(void)
11417 cpu = stack_smp_processor_id();
11418 - t = &per_cpu(init_tss, cpu);
11419 + t = init_tss + cpu;
11420 oist = &per_cpu(orig_ist, cpu);
11423 @@ -1165,7 +1118,7 @@ void __cpuinit cpu_init(void)
11424 switch_to_new_gdt(cpu);
11425 loadsegment(fs, 0);
11427 - load_idt((const struct desc_ptr *)&idt_descr);
11428 + load_idt(&idt_descr);
11430 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
11432 @@ -1174,7 +1127,6 @@ void __cpuinit cpu_init(void)
11433 wrmsrl(MSR_KERNEL_GS_BASE, 0);
11436 - x86_configure_nx();
11440 @@ -1228,7 +1180,7 @@ void __cpuinit cpu_init(void)
11442 int cpu = smp_processor_id();
11443 struct task_struct *curr = current;
11444 - struct tss_struct *t = &per_cpu(init_tss, cpu);
11445 + struct tss_struct *t = init_tss + cpu;
11446 struct thread_struct *thread = &curr->thread;
11448 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
11449 diff -urNp linux-2.6.38.6/arch/x86/kernel/cpu/intel.c linux-2.6.38.6/arch/x86/kernel/cpu/intel.c
11450 --- linux-2.6.38.6/arch/x86/kernel/cpu/intel.c 2011-03-14 21:20:32.000000000 -0400
11451 +++ linux-2.6.38.6/arch/x86/kernel/cpu/intel.c 2011-04-28 19:34:14.000000000 -0400
11452 @@ -161,7 +161,7 @@ static void __cpuinit trap_init_f00f_bug
11453 * Update the IDT descriptor and reload the IDT so that
11454 * it uses the read-only mapped virtual address.
11456 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
11457 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
11458 load_idt(&idt_descr);
11461 diff -urNp linux-2.6.38.6/arch/x86/kernel/cpu/Makefile linux-2.6.38.6/arch/x86/kernel/cpu/Makefile
11462 --- linux-2.6.38.6/arch/x86/kernel/cpu/Makefile 2011-03-14 21:20:32.000000000 -0400
11463 +++ linux-2.6.38.6/arch/x86/kernel/cpu/Makefile 2011-04-28 19:34:14.000000000 -0400
11464 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
11465 CFLAGS_REMOVE_perf_event.o = -pg
11468 -# Make sure load_percpu_segment has no stackprotector
11469 -nostackp := $(call cc-option, -fno-stack-protector)
11470 -CFLAGS_common.o := $(nostackp)
11472 obj-y := intel_cacheinfo.o scattered.o topology.o
11473 obj-y += proc.o capflags.o powerflags.o common.o
11474 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
11475 diff -urNp linux-2.6.38.6/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.38.6/arch/x86/kernel/cpu/mcheck/mce.c
11476 --- linux-2.6.38.6/arch/x86/kernel/cpu/mcheck/mce.c 2011-03-14 21:20:32.000000000 -0400
11477 +++ linux-2.6.38.6/arch/x86/kernel/cpu/mcheck/mce.c 2011-04-28 19:57:25.000000000 -0400
11479 #include <asm/ipi.h>
11480 #include <asm/mce.h>
11481 #include <asm/msr.h>
11482 +#include <asm/local.h>
11484 #include "mce-internal.h"
11486 @@ -219,7 +220,7 @@ static void print_mce(struct mce *m)
11487 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
11490 - if (m->cs == __KERNEL_CS)
11491 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
11492 print_symbol("{%s}", m->ip);
11495 @@ -243,10 +244,10 @@ static void print_mce(struct mce *m)
11497 #define PANIC_TIMEOUT 5 /* 5 seconds */
11499 -static atomic_t mce_paniced;
11500 +static atomic_unchecked_t mce_paniced;
11502 static int fake_panic;
11503 -static atomic_t mce_fake_paniced;
11504 +static atomic_unchecked_t mce_fake_paniced;
11506 /* Panic in progress. Enable interrupts and wait for final IPI */
11507 static void wait_for_panic(void)
11508 @@ -270,7 +271,7 @@ static void mce_panic(char *msg, struct
11510 * Make sure only one CPU runs in machine check panic
11512 - if (atomic_inc_return(&mce_paniced) > 1)
11513 + if (atomic_inc_return_unchecked(&mce_paniced) > 1)
11517 @@ -278,7 +279,7 @@ static void mce_panic(char *msg, struct
11520 /* Don't log too much for fake panic */
11521 - if (atomic_inc_return(&mce_fake_paniced) > 1)
11522 + if (atomic_inc_return_unchecked(&mce_fake_paniced) > 1)
11525 /* First print corrected ones that are still unlogged */
11526 @@ -646,7 +647,7 @@ static int mce_timed_out(u64 *t)
11527 * might have been modified by someone else.
11530 - if (atomic_read(&mce_paniced))
11531 + if (atomic_read_unchecked(&mce_paniced))
11533 if (!monarch_timeout)
11535 @@ -1460,14 +1461,14 @@ void __cpuinit mcheck_cpu_init(struct cp
11538 static DEFINE_SPINLOCK(mce_state_lock);
11539 -static int open_count; /* #times opened */
11540 +static local_t open_count; /* #times opened */
11541 static int open_exclu; /* already open exclusive? */
11543 static int mce_open(struct inode *inode, struct file *file)
11545 spin_lock(&mce_state_lock);
11547 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
11548 + if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) {
11549 spin_unlock(&mce_state_lock);
11552 @@ -1475,7 +1476,7 @@ static int mce_open(struct inode *inode,
11554 if (file->f_flags & O_EXCL)
11557 + local_inc(&open_count);
11559 spin_unlock(&mce_state_lock);
11561 @@ -1486,7 +1487,7 @@ static int mce_release(struct inode *ino
11563 spin_lock(&mce_state_lock);
11566 + local_dec(&open_count);
11569 spin_unlock(&mce_state_lock);
11570 @@ -1658,8 +1659,7 @@ static long mce_ioctl(struct file *f, un
11574 -/* Modified in mce-inject.c, so not static or const */
11575 -struct file_operations mce_chrdev_ops = {
11576 +struct file_operations mce_chrdev_ops = { /* Modified in mce-inject.c, so not static or const */
11578 .release = mce_release,
11580 @@ -2171,7 +2171,7 @@ struct dentry *mce_get_debugfs_dir(void)
11581 static void mce_reset(void)
11584 - atomic_set(&mce_fake_paniced, 0);
11585 + atomic_set_unchecked(&mce_fake_paniced, 0);
11586 atomic_set(&mce_executing, 0);
11587 atomic_set(&mce_callin, 0);
11588 atomic_set(&global_nwo, 0);
11589 diff -urNp linux-2.6.38.6/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.38.6/arch/x86/kernel/cpu/mtrr/main.c
11590 --- linux-2.6.38.6/arch/x86/kernel/cpu/mtrr/main.c 2011-04-18 17:27:18.000000000 -0400
11591 +++ linux-2.6.38.6/arch/x86/kernel/cpu/mtrr/main.c 2011-04-28 19:34:14.000000000 -0400
11592 @@ -61,7 +61,7 @@ static DEFINE_MUTEX(mtrr_mutex);
11593 u64 size_or_mask, size_and_mask;
11594 static bool mtrr_aps_delayed_init;
11596 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
11597 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
11599 const struct mtrr_ops *mtrr_if;
11601 diff -urNp linux-2.6.38.6/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.38.6/arch/x86/kernel/cpu/mtrr/mtrr.h
11602 --- linux-2.6.38.6/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-03-14 21:20:32.000000000 -0400
11603 +++ linux-2.6.38.6/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-04-28 19:34:14.000000000 -0400
11604 @@ -12,19 +12,19 @@
11605 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
11609 - u32 use_intel_if;
11610 - void (*set)(unsigned int reg, unsigned long base,
11611 + const u32 vendor;
11612 + const u32 use_intel_if;
11613 + void (* const set)(unsigned int reg, unsigned long base,
11614 unsigned long size, mtrr_type type);
11615 - void (*set_all)(void);
11616 + void (* const set_all)(void);
11618 - void (*get)(unsigned int reg, unsigned long *base,
11619 + void (* const get)(unsigned int reg, unsigned long *base,
11620 unsigned long *size, mtrr_type *type);
11621 - int (*get_free_region)(unsigned long base, unsigned long size,
11622 + int (* const get_free_region)(unsigned long base, unsigned long size,
11624 - int (*validate_add_page)(unsigned long base, unsigned long size,
11625 + int (* const validate_add_page)(unsigned long base, unsigned long size,
11626 unsigned int type);
11627 - int (*have_wrcomb)(void);
11628 + int (* const have_wrcomb)(void);
11631 extern int generic_get_free_region(unsigned long base, unsigned long size,
11632 diff -urNp linux-2.6.38.6/arch/x86/kernel/cpu/perf_event.c linux-2.6.38.6/arch/x86/kernel/cpu/perf_event.c
11633 --- linux-2.6.38.6/arch/x86/kernel/cpu/perf_event.c 2011-03-14 21:20:32.000000000 -0400
11634 +++ linux-2.6.38.6/arch/x86/kernel/cpu/perf_event.c 2011-05-16 21:47:08.000000000 -0400
11635 @@ -674,6 +674,8 @@ static int x86_schedule_events(struct cp
11636 int i, j, w, wmax, num = 0;
11637 struct hw_perf_event *hwc;
11639 + pax_track_stack();
11641 bitmap_zero(used_mask, X86_PMC_IDX_MAX);
11643 for (i = 0; i < n; i++) {
11644 @@ -1781,7 +1783,7 @@ perf_callchain_user(struct perf_callchai
11647 perf_callchain_store(entry, frame.return_address);
11648 - fp = frame.next_frame;
11649 + fp = (__force const void __user *)frame.next_frame;
11653 diff -urNp linux-2.6.38.6/arch/x86/kernel/crash.c linux-2.6.38.6/arch/x86/kernel/crash.c
11654 --- linux-2.6.38.6/arch/x86/kernel/crash.c 2011-03-14 21:20:32.000000000 -0400
11655 +++ linux-2.6.38.6/arch/x86/kernel/crash.c 2011-04-28 19:34:14.000000000 -0400
11656 @@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu,
11659 #ifdef CONFIG_X86_32
11660 - if (!user_mode_vm(regs)) {
11661 + if (!user_mode(regs)) {
11662 crash_fixup_ss_esp(&fixed_regs, regs);
11663 regs = &fixed_regs;
11665 diff -urNp linux-2.6.38.6/arch/x86/kernel/doublefault_32.c linux-2.6.38.6/arch/x86/kernel/doublefault_32.c
11666 --- linux-2.6.38.6/arch/x86/kernel/doublefault_32.c 2011-03-14 21:20:32.000000000 -0400
11667 +++ linux-2.6.38.6/arch/x86/kernel/doublefault_32.c 2011-04-28 19:34:14.000000000 -0400
11670 #define DOUBLEFAULT_STACKSIZE (1024)
11671 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
11672 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
11673 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
11675 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
11677 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
11678 unsigned long gdt, tss;
11680 store_gdt(&gdt_desc);
11681 - gdt = gdt_desc.address;
11682 + gdt = (unsigned long)gdt_desc.address;
11684 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
11686 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
11687 /* 0x2 bit is always set */
11688 .flags = X86_EFLAGS_SF | 0x2,
11691 + .es = __KERNEL_DS,
11695 + .ds = __KERNEL_DS,
11696 .fs = __KERNEL_PERCPU,
11698 .__cr3 = __pa_nodebug(swapper_pg_dir),
11699 diff -urNp linux-2.6.38.6/arch/x86/kernel/dumpstack_32.c linux-2.6.38.6/arch/x86/kernel/dumpstack_32.c
11700 --- linux-2.6.38.6/arch/x86/kernel/dumpstack_32.c 2011-03-14 21:20:32.000000000 -0400
11701 +++ linux-2.6.38.6/arch/x86/kernel/dumpstack_32.c 2011-04-28 19:34:14.000000000 -0400
11702 @@ -37,15 +37,12 @@ void dump_trace(struct task_struct *task
11704 bp = stack_frame(task, regs);
11706 - struct thread_info *context;
11707 + void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
11708 + bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
11710 - context = (struct thread_info *)
11711 - ((unsigned long)stack & (~(THREAD_SIZE - 1)));
11712 - bp = ops->walk_stack(context, stack, bp, ops, data, NULL, &graph);
11714 - stack = (unsigned long *)context->previous_esp;
11716 + if (stack_start == task_stack_page(task))
11718 + stack = *(unsigned long **)stack_start;
11719 if (ops->stack(data, "IRQ") < 0)
11721 touch_nmi_watchdog();
11722 @@ -95,21 +92,22 @@ void show_registers(struct pt_regs *regs
11723 * When in-kernel, we also print out the stack and code at the
11724 * time of the fault..
11726 - if (!user_mode_vm(regs)) {
11727 + if (!user_mode(regs)) {
11728 unsigned int code_prologue = code_bytes * 43 / 64;
11729 unsigned int code_len = code_bytes;
11732 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
11734 printk(KERN_EMERG "Stack:\n");
11735 show_stack_log_lvl(NULL, regs, ®s->sp, KERN_EMERG);
11737 printk(KERN_EMERG "Code: ");
11739 - ip = (u8 *)regs->ip - code_prologue;
11740 + ip = (u8 *)regs->ip - code_prologue + cs_base;
11741 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
11742 /* try starting at IP */
11743 - ip = (u8 *)regs->ip;
11744 + ip = (u8 *)regs->ip + cs_base;
11745 code_len = code_len - code_prologue + 1;
11747 for (i = 0; i < code_len; i++, ip++) {
11748 @@ -118,7 +116,7 @@ void show_registers(struct pt_regs *regs
11749 printk(" Bad EIP value.");
11752 - if (ip == (u8 *)regs->ip)
11753 + if (ip == (u8 *)regs->ip + cs_base)
11754 printk("<%02x> ", c);
11756 printk("%02x ", c);
11757 @@ -131,6 +129,7 @@ int is_valid_bugaddr(unsigned long ip)
11759 unsigned short ud2;
11761 + ip = ktla_ktva(ip);
11762 if (ip < PAGE_OFFSET)
11764 if (probe_kernel_address((unsigned short *)ip, ud2))
11765 diff -urNp linux-2.6.38.6/arch/x86/kernel/dumpstack_64.c linux-2.6.38.6/arch/x86/kernel/dumpstack_64.c
11766 --- linux-2.6.38.6/arch/x86/kernel/dumpstack_64.c 2011-03-14 21:20:32.000000000 -0400
11767 +++ linux-2.6.38.6/arch/x86/kernel/dumpstack_64.c 2011-04-28 19:34:14.000000000 -0400
11768 @@ -147,10 +147,10 @@ void dump_trace(struct task_struct *task
11769 unsigned long *irq_stack_end =
11770 (unsigned long *)per_cpu(irq_stack_ptr, cpu);
11772 - struct thread_info *tinfo;
11774 unsigned long dummy;
11776 + void *stack_start;
11780 @@ -167,10 +167,10 @@ void dump_trace(struct task_struct *task
11781 * current stack address. If the stacks consist of nested
11784 - tinfo = task_thread_info(task);
11787 unsigned long *estack_end;
11789 estack_end = in_exception_stack(cpu, (unsigned long)stack,
11792 @@ -178,7 +178,7 @@ void dump_trace(struct task_struct *task
11793 if (ops->stack(data, id) < 0)
11796 - bp = ops->walk_stack(tinfo, stack, bp, ops,
11797 + bp = ops->walk_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops,
11798 data, estack_end, &graph);
11799 ops->stack(data, "<EOE>");
11801 @@ -197,7 +197,7 @@ void dump_trace(struct task_struct *task
11802 if (in_irq_stack(stack, irq_stack, irq_stack_end)) {
11803 if (ops->stack(data, "IRQ") < 0)
11805 - bp = ops->walk_stack(tinfo, stack, bp,
11806 + bp = ops->walk_stack(task, irq_stack, stack, bp,
11807 ops, data, irq_stack_end, &graph);
11809 * We link to the next stack (which would be
11810 @@ -218,7 +218,8 @@ void dump_trace(struct task_struct *task
11812 * This handles the process stack:
11814 - bp = ops->walk_stack(tinfo, stack, bp, ops, data, NULL, &graph);
11815 + stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
11816 + bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
11819 EXPORT_SYMBOL(dump_trace);
11820 diff -urNp linux-2.6.38.6/arch/x86/kernel/dumpstack.c linux-2.6.38.6/arch/x86/kernel/dumpstack.c
11821 --- linux-2.6.38.6/arch/x86/kernel/dumpstack.c 2011-03-14 21:20:32.000000000 -0400
11822 +++ linux-2.6.38.6/arch/x86/kernel/dumpstack.c 2011-04-28 19:34:14.000000000 -0400
11824 * Copyright (C) 1991, 1992 Linus Torvalds
11825 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
11827 +#ifdef CONFIG_GRKERNSEC_HIDESYM
11828 +#define __INCLUDED_BY_HIDESYM 1
11830 #include <linux/kallsyms.h>
11831 #include <linux/kprobes.h>
11832 #include <linux/uaccess.h>
11833 @@ -27,7 +30,7 @@ static int die_counter;
11835 void printk_address(unsigned long address, int reliable)
11837 - printk(" [<%p>] %s%pS\n", (void *) address,
11838 + printk(" [<%p>] %s%pA\n", (void *) address,
11839 reliable ? "" : "? ", (void *) address);
11842 @@ -35,9 +38,8 @@ void printk_address(unsigned long addres
11844 print_ftrace_graph_addr(unsigned long addr, void *data,
11845 const struct stacktrace_ops *ops,
11846 - struct thread_info *tinfo, int *graph)
11847 + struct task_struct *task, int *graph)
11849 - struct task_struct *task = tinfo->task;
11850 unsigned long ret_addr;
11851 int index = task->curr_ret_stack;
11853 @@ -58,7 +60,7 @@ print_ftrace_graph_addr(unsigned long ad
11855 print_ftrace_graph_addr(unsigned long addr, void *data,
11856 const struct stacktrace_ops *ops,
11857 - struct thread_info *tinfo, int *graph)
11858 + struct task_struct *task, int *graph)
11862 @@ -69,10 +71,8 @@ print_ftrace_graph_addr(unsigned long ad
11863 * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
11866 -static inline int valid_stack_ptr(struct thread_info *tinfo,
11867 - void *p, unsigned int size, void *end)
11868 +static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
11872 if (p < end && p >= (end-THREAD_SIZE))
11874 @@ -83,14 +83,14 @@ static inline int valid_stack_ptr(struct
11878 -print_context_stack(struct thread_info *tinfo,
11879 +print_context_stack(struct task_struct *task, void *stack_start,
11880 unsigned long *stack, unsigned long bp,
11881 const struct stacktrace_ops *ops, void *data,
11882 unsigned long *end, int *graph)
11884 struct stack_frame *frame = (struct stack_frame *)bp;
11886 - while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
11887 + while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
11888 unsigned long addr;
11891 @@ -102,7 +102,7 @@ print_context_stack(struct thread_info *
11893 ops->address(data, addr, 0);
11895 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
11896 + print_ftrace_graph_addr(addr, data, ops, task, graph);
11900 @@ -111,7 +111,7 @@ print_context_stack(struct thread_info *
11901 EXPORT_SYMBOL_GPL(print_context_stack);
11904 -print_context_stack_bp(struct thread_info *tinfo,
11905 +print_context_stack_bp(struct task_struct *task, void *stack_start,
11906 unsigned long *stack, unsigned long bp,
11907 const struct stacktrace_ops *ops, void *data,
11908 unsigned long *end, int *graph)
11909 @@ -119,7 +119,7 @@ print_context_stack_bp(struct thread_inf
11910 struct stack_frame *frame = (struct stack_frame *)bp;
11911 unsigned long *ret_addr = &frame->return_address;
11913 - while (valid_stack_ptr(tinfo, ret_addr, sizeof(*ret_addr), end)) {
11914 + while (valid_stack_ptr(stack_start, ret_addr, sizeof(*ret_addr), end)) {
11915 unsigned long addr = *ret_addr;
11917 if (!__kernel_text_address(addr))
11918 @@ -128,7 +128,7 @@ print_context_stack_bp(struct thread_inf
11919 ops->address(data, addr, 1);
11920 frame = frame->next_frame;
11921 ret_addr = &frame->return_address;
11922 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
11923 + print_ftrace_graph_addr(addr, data, ops, task, graph);
11926 return (unsigned long)frame;
11927 @@ -200,7 +200,7 @@ void dump_stack(void)
11928 unsigned long stack;
11930 printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
11931 - current->pid, current->comm, current->xid, print_tainted(),
11932 + task_pid_nr(current), current->comm, current->xid, print_tainted(),
11933 init_utsname()->release,
11934 (int)strcspn(init_utsname()->version, " "),
11935 init_utsname()->version);
11936 @@ -236,6 +236,8 @@ unsigned __kprobes long oops_begin(void)
11938 EXPORT_SYMBOL_GPL(oops_begin);
11940 +extern void gr_handle_kernel_exploit(void);
11942 void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
11944 if (regs && kexec_should_crash(current))
11945 @@ -257,7 +259,10 @@ void __kprobes oops_end(unsigned long fl
11946 panic("Fatal exception in interrupt");
11948 panic("Fatal exception");
11951 + gr_handle_kernel_exploit();
11953 + do_group_exit(signr);
11956 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
11957 @@ -284,7 +289,7 @@ int __kprobes __die(const char *str, str
11959 show_registers(regs);
11960 #ifdef CONFIG_X86_32
11961 - if (user_mode_vm(regs)) {
11962 + if (user_mode(regs)) {
11964 ss = regs->ss & 0xffff;
11966 @@ -312,7 +317,7 @@ void die(const char *str, struct pt_regs
11967 unsigned long flags = oops_begin();
11970 - if (!user_mode_vm(regs))
11971 + if (!user_mode(regs))
11972 report_bug(regs->ip, regs);
11974 if (__die(str, regs, err))
11975 diff -urNp linux-2.6.38.6/arch/x86/kernel/early_printk.c linux-2.6.38.6/arch/x86/kernel/early_printk.c
11976 --- linux-2.6.38.6/arch/x86/kernel/early_printk.c 2011-03-14 21:20:32.000000000 -0400
11977 +++ linux-2.6.38.6/arch/x86/kernel/early_printk.c 2011-05-16 21:47:08.000000000 -0400
11979 #include <linux/pci_regs.h>
11980 #include <linux/pci_ids.h>
11981 #include <linux/errno.h>
11982 +#include <linux/sched.h>
11983 #include <asm/io.h>
11984 #include <asm/processor.h>
11985 #include <asm/fcntl.h>
11986 @@ -179,6 +180,8 @@ asmlinkage void early_printk(const char
11990 + pax_track_stack();
11993 n = vscnprintf(buf, sizeof(buf), fmt, ap);
11994 early_console->write(early_console, buf, n);
11995 diff -urNp linux-2.6.38.6/arch/x86/kernel/entry_32.S linux-2.6.38.6/arch/x86/kernel/entry_32.S
11996 --- linux-2.6.38.6/arch/x86/kernel/entry_32.S 2011-04-18 17:27:16.000000000 -0400
11997 +++ linux-2.6.38.6/arch/x86/kernel/entry_32.S 2011-05-16 21:55:51.000000000 -0400
11998 @@ -183,13 +183,154 @@
11999 /*CFI_REL_OFFSET gs, PT_GS*/
12001 .macro SET_KERNEL_GS reg
12003 +#ifdef CONFIG_CC_STACKPROTECTOR
12004 movl $(__KERNEL_STACK_CANARY), \reg
12005 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
12006 + movl $(__USER_DS), \reg
12014 #endif /* CONFIG_X86_32_LAZY_GS */
12017 +.macro pax_enter_kernel
12018 +#ifdef CONFIG_PAX_KERNEXEC
12019 + call pax_enter_kernel
12023 +.macro pax_exit_kernel
12024 +#ifdef CONFIG_PAX_KERNEXEC
12025 + call pax_exit_kernel
12029 +#ifdef CONFIG_PAX_KERNEXEC
12030 +ENTRY(pax_enter_kernel)
12031 +#ifdef CONFIG_PARAVIRT
12033 + CFI_REL_OFFSET eax, 0
12035 + CFI_REL_OFFSET ecx, 0
12036 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
12044 + cmp $__KERNEL_CS, %esi
12046 + ljmp $__KERNEL_CS, $3f
12047 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
12049 +#ifdef CONFIG_PARAVIRT
12051 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
12056 +#ifdef CONFIG_PARAVIRT
12063 +ENDPROC(pax_enter_kernel)
12065 +ENTRY(pax_exit_kernel)
12066 +#ifdef CONFIG_PARAVIRT
12068 + CFI_REL_OFFSET eax, 0
12070 + CFI_REL_OFFSET ecx, 0
12073 + cmp $__KERNEXEC_KERNEL_CS, %esi
12075 +#ifdef CONFIG_PARAVIRT
12076 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
12082 + ljmp $__KERNEL_CS, $1f
12084 +#ifdef CONFIG_PARAVIRT
12086 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
12091 +#ifdef CONFIG_PARAVIRT
12098 +ENDPROC(pax_exit_kernel)
12101 +.macro pax_erase_kstack
12102 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
12103 + call pax_erase_kstack
12107 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
12109 + * ebp: thread_info
12110 + * ecx, edx: can be clobbered
12112 +ENTRY(pax_erase_kstack)
12116 + mov TI_lowest_stack(%ebp), %edi
12117 + mov $-0xBEEF, %eax
12121 + and $THREAD_SIZE_asm - 1, %ecx
12140 + mov TI_task_thread_sp0(%ebp), %edi
12142 + mov %edi, TI_lowest_stack(%ebp)
12147 +ENDPROC(pax_erase_kstack)
12150 +.macro __SAVE_ALL _DS
12154 @@ -212,7 +353,7 @@
12155 CFI_REL_OFFSET ecx, 0
12157 CFI_REL_OFFSET ebx, 0
12158 - movl $(__USER_DS), %edx
12162 movl $(__KERNEL_PERCPU), %edx
12163 @@ -220,6 +361,15 @@
12168 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
12169 + __SAVE_ALL __KERNEL_DS
12172 + __SAVE_ALL __USER_DS
12176 .macro RESTORE_INT_REGS
12179 @@ -330,7 +480,15 @@ check_userspace:
12180 movb PT_CS(%esp), %al
12181 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
12182 cmpl $USER_RPL, %eax
12184 +#ifdef CONFIG_PAX_KERNEXEC
12185 + jae resume_userspace
12188 + jmp resume_kernel
12190 jb resume_kernel # not returning to v8086 or userspace
12193 ENTRY(resume_userspace)
12195 @@ -392,23 +550,34 @@ sysenter_past_esp:
12196 /*CFI_REL_OFFSET cs, 0*/
12198 * Push current_thread_info()->sysenter_return to the stack.
12199 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
12200 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
12202 - pushl_cfi ((TI_sysenter_return)-THREAD_SIZE_asm+8+4*4)(%esp)
12204 CFI_REL_OFFSET eip, 0
12208 + GET_THREAD_INFO(%ebp)
12209 + movl TI_sysenter_return(%ebp),%ebp
12210 + movl %ebp,PT_EIP(%esp)
12211 ENABLE_INTERRUPTS(CLBR_NONE)
12214 * Load the potential sixth argument from user stack.
12215 * Careful about security.
12217 + movl PT_OLDESP(%esp),%ebp
12219 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12220 + mov PT_OLDSS(%esp),%ds
12221 +1: movl %ds:(%ebp),%ebp
12225 cmpl $__PAGE_OFFSET-3,%ebp
12227 1: movl (%ebp),%ebp
12230 movl %ebp,PT_EBP(%esp)
12231 .section __ex_table,"a"
12233 @@ -431,12 +600,23 @@ sysenter_do_call:
12234 testl $_TIF_ALLWORK_MASK, %ecx
12238 +#ifdef CONFIG_PAX_RANDKSTACK
12240 + call pax_randomize_kstack
12246 /* if something modifies registers it must also disable sysexit */
12247 movl PT_EIP(%esp), %edx
12248 movl PT_OLDESP(%esp), %ecx
12251 1: mov PT_FS(%esp), %fs
12252 +2: mov PT_DS(%esp), %ds
12253 +3: mov PT_ES(%esp), %es
12255 ENABLE_INTERRUPTS_SYSEXIT
12257 @@ -479,11 +659,17 @@ sysexit_audit:
12260 .pushsection .fixup,"ax"
12261 -2: movl $0,PT_FS(%esp)
12262 +4: movl $0,PT_FS(%esp)
12264 +5: movl $0,PT_DS(%esp)
12266 +6: movl $0,PT_ES(%esp)
12268 .section __ex_table,"a"
12276 ENDPROC(ia32_sysenter_target)
12277 @@ -516,6 +702,12 @@ syscall_exit:
12278 testl $_TIF_ALLWORK_MASK, %ecx # current->work
12279 jne syscall_exit_work
12281 +#ifdef CONFIG_PAX_RANDKSTACK
12282 + call pax_randomize_kstack
12289 restore_all_notrace:
12290 @@ -575,14 +767,21 @@ ldt_ss:
12291 * compensating for the offset by changing to the ESPFIX segment with
12292 * a base address that matches for the difference.
12294 -#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
12295 +#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
12296 mov %esp, %edx /* load kernel esp */
12297 mov PT_OLDESP(%esp), %eax /* load userspace esp */
12298 mov %dx, %ax /* eax: new kernel esp */
12299 sub %eax, %edx /* offset (low word is 0) */
12301 + movl PER_CPU_VAR(cpu_number), %ebx
12302 + shll $PAGE_SHIFT_asm, %ebx
12303 + addl $cpu_gdt_table, %ebx
12305 + movl $cpu_gdt_table, %ebx
12308 - mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
12309 - mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
12310 + mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
12311 + mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
12312 pushl_cfi $__ESPFIX_SS
12313 pushl_cfi %eax /* new kernel esp */
12314 /* Disable interrupts, but do not irqtrace this section: we
12315 @@ -617,23 +816,17 @@ work_resched:
12317 work_notifysig: # deal with pending signals and
12318 # notify-resume requests
12321 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
12323 - jne work_notifysig_v86 # returning to kernel-space or
12324 + jz 1f # returning to kernel-space or
12327 - call do_notify_resume
12328 - jmp resume_userspace_sig
12331 -work_notifysig_v86:
12332 pushl_cfi %ecx # save ti_flags for do_notify_resume
12333 call save_v86_state # %eax contains pt_regs pointer
12341 call do_notify_resume
12342 @@ -668,6 +861,10 @@ END(syscall_exit_work)
12344 RING0_INT_FRAME # can't unwind into user space anyway
12346 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12350 GET_THREAD_INFO(%ebp)
12351 movl $-EFAULT,PT_EAX(%esp)
12352 jmp resume_userspace
12353 @@ -750,6 +947,36 @@ ptregs_clone:
12355 ENDPROC(ptregs_clone)
12358 +ENTRY(kernel_execve)
12361 + sub $PT_OLDSS+4,%esp
12365 + lea 3*4(%esp),%edi
12366 + mov $PT_OLDSS/4+1,%ecx
12372 + movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
12376 + CFI_ADJUST_CFA_OFFSET -4
12377 + GET_THREAD_INFO(%ebp)
12380 + add $PT_OLDSS+4,%esp
12381 + CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4
12385 +ENDPROC(kernel_execve)
12387 .macro FIXUP_ESPFIX_STACK
12389 * Switch back for ESPFIX stack to the normal zerobased stack
12390 @@ -759,8 +986,15 @@ ENDPROC(ptregs_clone)
12391 * normal stack and adjusts ESP with the matching offset.
12393 /* fixup the stack */
12394 - mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
12395 - mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
12397 + movl PER_CPU_VAR(cpu_number), %ebx
12398 + shll $PAGE_SHIFT_asm, %ebx
12399 + addl $cpu_gdt_table, %ebx
12401 + movl $cpu_gdt_table, %ebx
12403 + mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
12404 + mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
12406 addl %esp, %eax /* the adjusted stack pointer */
12407 pushl_cfi $__KERNEL_DS
12408 @@ -1211,7 +1445,6 @@ return_to_handler:
12412 -.section .rodata,"a"
12413 #include "syscall_table_32.S"
12415 syscall_table_size=(.-sys_call_table)
12416 @@ -1257,9 +1490,12 @@ error_code:
12417 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
12420 - movl $(__USER_DS), %ecx
12421 + movl $(__KERNEL_DS), %ecx
12428 movl %esp,%eax # pt_regs pointer
12430 @@ -1344,6 +1580,9 @@ nmi_stack_correct:
12431 xorl %edx,%edx # zero error code
12432 movl %esp,%eax # pt_regs pointer
12437 jmp restore_all_notrace
12440 @@ -1380,6 +1619,9 @@ nmi_espfix_stack:
12441 FIXUP_ESPFIX_STACK # %eax == %esp
12442 xorl %edx,%edx # zero error code
12448 lss 12+4(%esp), %esp # back to espfix stack
12449 CFI_ADJUST_CFA_OFFSET -24
12450 diff -urNp linux-2.6.38.6/arch/x86/kernel/entry_64.S linux-2.6.38.6/arch/x86/kernel/entry_64.S
12451 --- linux-2.6.38.6/arch/x86/kernel/entry_64.S 2011-04-18 17:27:13.000000000 -0400
12452 +++ linux-2.6.38.6/arch/x86/kernel/entry_64.S 2011-05-16 22:04:15.000000000 -0400
12454 #include <asm/paravirt.h>
12455 #include <asm/ftrace.h>
12456 #include <asm/percpu.h>
12457 +#include <asm/pgtable.h>
12459 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
12460 #include <linux/elf-em.h>
12461 @@ -174,6 +175,252 @@ ENTRY(native_usergs_sysret64)
12462 ENDPROC(native_usergs_sysret64)
12463 #endif /* CONFIG_PARAVIRT */
12465 + .macro ljmpq sel, off
12466 +#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
12467 + .byte 0x48; ljmp *1234f(%rip)
12468 + .pushsection .rodata
12470 + 1234: .quad \off; .word \sel
12479 + .macro pax_enter_kernel
12480 +#ifdef CONFIG_PAX_KERNEXEC
12481 + call pax_enter_kernel
12485 + .macro pax_exit_kernel
12486 +#ifdef CONFIG_PAX_KERNEXEC
12487 + call pax_exit_kernel
12491 +#ifdef CONFIG_PAX_KERNEXEC
12492 +ENTRY(pax_enter_kernel)
12495 +#ifdef CONFIG_PARAVIRT
12496 + PV_SAVE_REGS(CLBR_RDI)
12503 + cmp $__KERNEL_CS,%edi
12505 + ljmpq __KERNEL_CS,3f
12506 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
12507 +2: SET_RDI_INTO_CR0
12510 +#ifdef CONFIG_PARAVIRT
12511 + PV_RESTORE_REGS(CLBR_RDI)
12516 +ENDPROC(pax_enter_kernel)
12518 +ENTRY(pax_exit_kernel)
12521 +#ifdef CONFIG_PARAVIRT
12522 + PV_SAVE_REGS(CLBR_RDI)
12526 + cmp $__KERNEXEC_KERNEL_CS,%edi
12530 + ljmpq __KERNEL_CS,1f
12531 +1: SET_RDI_INTO_CR0
12534 +#ifdef CONFIG_PARAVIRT
12535 + PV_RESTORE_REGS(CLBR_RDI);
12540 +ENDPROC(pax_exit_kernel)
12543 + .macro pax_enter_kernel_user
12544 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12545 + call pax_enter_kernel_user
12549 + .macro pax_exit_kernel_user
12550 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12551 + call pax_exit_kernel_user
12553 +#ifdef CONFIG_PAX_RANDKSTACK
12555 + call pax_randomize_kstack
12558 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
12559 + call pax_erase_kstack
12563 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12564 +ENTRY(pax_enter_kernel_user)
12568 +#ifdef CONFIG_PARAVIRT
12569 + PV_SAVE_REGS(CLBR_RDI)
12574 + add $__START_KERNEL_map,%rbx
12575 + sub phys_base(%rip),%rbx
12577 +#ifdef CONFIG_PARAVIRT
12579 + cmpl $0, pv_info+PARAVIRT_enabled
12582 + .rept USER_PGD_PTRS
12583 + mov i*8(%rbx),%rsi
12585 + lea i*8(%rbx),%rdi
12586 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
12594 + .rept USER_PGD_PTRS
12595 + movb $0,i*8(%rbx)
12599 +#ifdef CONFIG_PARAVIRT
12604 +#ifdef CONFIG_PAX_KERNEXEC
12610 +#ifdef CONFIG_PARAVIRT
12611 + PV_RESTORE_REGS(CLBR_RDI)
12617 +ENDPROC(pax_enter_kernel_user)
12619 +ENTRY(pax_exit_kernel_user)
12622 +#ifdef CONFIG_PARAVIRT
12624 + PV_SAVE_REGS(CLBR_RDI)
12627 +#ifdef CONFIG_PAX_KERNEXEC
12634 + add $__START_KERNEL_map,%rdi
12635 + sub phys_base(%rip),%rdi
12637 +#ifdef CONFIG_PARAVIRT
12638 + cmpl $0, pv_info+PARAVIRT_enabled
12642 + .rept USER_PGD_PTRS
12643 + mov i*8(%rbx),%rsi
12645 + lea i*8(%rbx),%rdi
12646 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
12654 + .rept USER_PGD_PTRS
12655 + movb $0x67,i*8(%rdi)
12659 +#ifdef CONFIG_PARAVIRT
12660 +2: PV_RESTORE_REGS(CLBR_RDI)
12666 +ENDPROC(pax_exit_kernel_user)
12669 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
12671 + * r10: thread_info
12672 + * rcx, rdx: can be clobbered
12674 +ENTRY(pax_erase_kstack)
12678 + mov TI_lowest_stack(%r10), %rdi
12679 + mov $-0xBEEF, %rax
12683 + and $THREAD_SIZE_asm - 1, %ecx
12702 + mov TI_task_thread_sp0(%r10), %rdi
12704 + mov %rdi, TI_lowest_stack(%r10)
12709 +ENDPROC(pax_erase_kstack)
12712 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
12713 #ifdef CONFIG_TRACE_IRQFLAGS
12714 @@ -316,7 +563,7 @@ ENTRY(save_args)
12715 leaq -RBP+8(%rsp),%rdi /* arg1 for handler */
12716 movq_cfi rbp, 8 /* push %rbp */
12717 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
12718 - testl $3, CS(%rdi)
12719 + testb $3, CS(%rdi)
12723 @@ -407,7 +654,7 @@ ENTRY(ret_from_fork)
12727 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
12728 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
12729 je int_ret_from_sys_call
12731 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
12732 @@ -453,7 +700,7 @@ END(ret_from_fork)
12734 CFI_STARTPROC simple
12736 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
12737 + CFI_DEF_CFA rsp,0
12738 CFI_REGISTER rip,rcx
12739 /*CFI_REGISTER rflags,r11*/
12740 SWAPGS_UNSAFE_STACK
12741 @@ -466,12 +713,13 @@ ENTRY(system_call_after_swapgs)
12743 movq %rsp,PER_CPU_VAR(old_rsp)
12744 movq PER_CPU_VAR(kernel_stack),%rsp
12745 + pax_enter_kernel_user
12747 * No need to follow this irqs off/on section - it's straight
12750 ENABLE_INTERRUPTS(CLBR_NONE)
12753 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
12754 movq %rcx,RIP-ARGOFFSET(%rsp)
12755 CFI_REL_OFFSET rip,RIP-ARGOFFSET
12756 @@ -500,6 +748,7 @@ sysret_check:
12760 + pax_exit_kernel_user
12762 * sysretq will re-enable interrupts:
12764 @@ -609,7 +858,7 @@ tracesys:
12765 GLOBAL(int_ret_from_sys_call)
12766 DISABLE_INTERRUPTS(CLBR_NONE)
12768 - testl $3,CS-ARGOFFSET(%rsp)
12769 + testb $3,CS-ARGOFFSET(%rsp)
12770 je retint_restore_args
12771 movl $_TIF_ALLWORK_MASK,%edi
12772 /* edi: mask to check */
12773 @@ -791,6 +1040,16 @@ END(interrupt)
12774 CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
12777 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12778 + testb $3, CS(%rdi)
12782 +1: pax_enter_kernel_user
12790 @@ -823,7 +1082,7 @@ ret_from_intr:
12791 CFI_ADJUST_CFA_OFFSET -8
12793 GET_THREAD_INFO(%rcx)
12794 - testl $3,CS-ARGOFFSET(%rsp)
12795 + testb $3,CS-ARGOFFSET(%rsp)
12798 /* Interrupt came from user space */
12799 @@ -845,12 +1104,14 @@ retint_swapgs: /* return to user-space
12800 * The iretq could re-enable interrupts:
12802 DISABLE_INTERRUPTS(CLBR_ANY)
12803 + pax_exit_kernel_user
12808 retint_restore_args: /* return to kernel space */
12809 DISABLE_INTERRUPTS(CLBR_ANY)
12812 * The iretq could re-enable interrupts:
12814 @@ -1022,6 +1283,16 @@ ENTRY(\sym)
12815 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12818 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12819 + testb $3, CS(%rsp)
12823 +1: pax_enter_kernel_user
12828 movq %rsp,%rdi /* pt_regs pointer */
12829 xorl %esi,%esi /* no error code */
12831 @@ -1039,6 +1310,16 @@ ENTRY(\sym)
12832 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12835 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12836 + testb $3, CS(%rsp)
12840 +1: pax_enter_kernel_user
12845 movq %rsp,%rdi /* pt_regs pointer */
12846 xorl %esi,%esi /* no error code */
12848 @@ -1047,7 +1328,7 @@ ENTRY(\sym)
12852 -#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
12853 +#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12)
12854 .macro paranoidzeroentry_ist sym do_sym ist
12857 @@ -1057,8 +1338,24 @@ ENTRY(\sym)
12858 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12861 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12862 + testb $3, CS(%rsp)
12866 +1: pax_enter_kernel_user
12871 movq %rsp,%rdi /* pt_regs pointer */
12872 xorl %esi,%esi /* no error code */
12874 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
12875 + lea init_tss(%r12), %r12
12877 + lea init_tss(%rip), %r12
12879 subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
12881 addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
12882 @@ -1075,6 +1372,16 @@ ENTRY(\sym)
12883 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12886 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12887 + testb $3, CS(%rsp)
12891 +1: pax_enter_kernel_user
12896 movq %rsp,%rdi /* pt_regs pointer */
12897 movq ORIG_RAX(%rsp),%rsi /* get error code */
12898 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
12899 @@ -1094,6 +1401,16 @@ ENTRY(\sym)
12903 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12904 + testb $3, CS(%rsp)
12908 +1: pax_enter_kernel_user
12913 movq %rsp,%rdi /* pt_regs pointer */
12914 movq ORIG_RAX(%rsp),%rsi /* get error code */
12915 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
12916 @@ -1356,14 +1673,27 @@ ENTRY(paranoid_exit)
12918 testl %ebx,%ebx /* swapgs needed? */
12919 jnz paranoid_restore
12920 - testl $3,CS(%rsp)
12921 + testb $3,CS(%rsp)
12922 jnz paranoid_userspace
12923 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12925 + TRACE_IRQS_IRETQ 0
12926 + SWAPGS_UNSAFE_STACK
12931 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12932 + pax_exit_kernel_user
12937 SWAPGS_UNSAFE_STACK
12945 @@ -1421,7 +1751,7 @@ ENTRY(error_entry)
12946 movq_cfi r14, R14+8
12947 movq_cfi r15, R15+8
12949 - testl $3,CS+8(%rsp)
12950 + testb $3,CS+8(%rsp)
12951 je error_kernelspace
12954 @@ -1485,6 +1815,16 @@ ENTRY(nmi)
12955 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12958 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12959 + testb $3, CS(%rsp)
12963 +1: pax_enter_kernel_user
12968 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
12971 @@ -1495,11 +1835,25 @@ ENTRY(nmi)
12972 DISABLE_INTERRUPTS(CLBR_NONE)
12973 testl %ebx,%ebx /* swapgs needed? */
12975 - testl $3,CS(%rsp)
12976 + testb $3,CS(%rsp)
12978 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12980 + SWAPGS_UNSAFE_STACK
12985 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12986 + pax_exit_kernel_user
12990 SWAPGS_UNSAFE_STACK
12998 diff -urNp linux-2.6.38.6/arch/x86/kernel/ftrace.c linux-2.6.38.6/arch/x86/kernel/ftrace.c
12999 --- linux-2.6.38.6/arch/x86/kernel/ftrace.c 2011-03-14 21:20:32.000000000 -0400
13000 +++ linux-2.6.38.6/arch/x86/kernel/ftrace.c 2011-04-28 19:57:25.000000000 -0400
13001 @@ -126,7 +126,7 @@ static void *mod_code_ip; /* holds the
13002 static void *mod_code_newcode; /* holds the text to write to the IP */
13004 static unsigned nmi_wait_count;
13005 -static atomic_t nmi_update_count = ATOMIC_INIT(0);
13006 +static atomic_unchecked_t nmi_update_count = ATOMIC_INIT(0);
13008 int ftrace_arch_read_dyn_info(char *buf, int size)
13010 @@ -134,7 +134,7 @@ int ftrace_arch_read_dyn_info(char *buf,
13012 r = snprintf(buf, size, "%u %u",
13014 - atomic_read(&nmi_update_count));
13015 + atomic_read_unchecked(&nmi_update_count));
13019 @@ -177,8 +177,10 @@ void ftrace_nmi_enter(void)
13021 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
13023 + pax_open_kernel();
13025 - atomic_inc(&nmi_update_count);
13026 + pax_close_kernel();
13027 + atomic_inc_unchecked(&nmi_update_count);
13029 /* Must have previous changes seen before executions */
13031 @@ -271,6 +273,8 @@ ftrace_modify_code(unsigned long ip, uns
13033 unsigned char replaced[MCOUNT_INSN_SIZE];
13035 + ip = ktla_ktva(ip);
13038 * Note: Due to modules and __init, code can
13039 * disappear and change, we need to protect against faulting
13040 @@ -327,7 +331,7 @@ int ftrace_update_ftrace_func(ftrace_fun
13041 unsigned char old[MCOUNT_INSN_SIZE], *new;
13044 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
13045 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
13046 new = ftrace_call_replace(ip, (unsigned long)func);
13047 ret = ftrace_modify_code(ip, old, new);
13049 @@ -353,6 +357,8 @@ static int ftrace_mod_jmp(unsigned long
13051 unsigned char code[MCOUNT_INSN_SIZE];
13053 + ip = ktla_ktva(ip);
13055 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
13058 diff -urNp linux-2.6.38.6/arch/x86/kernel/head32.c linux-2.6.38.6/arch/x86/kernel/head32.c
13059 --- linux-2.6.38.6/arch/x86/kernel/head32.c 2011-03-14 21:20:32.000000000 -0400
13060 +++ linux-2.6.38.6/arch/x86/kernel/head32.c 2011-04-28 19:34:14.000000000 -0400
13062 #include <asm/io_apic.h>
13063 #include <asm/bios_ebda.h>
13064 #include <asm/tlbflush.h>
13065 +#include <asm/boot.h>
13067 static void __init i386_default_early_setup(void)
13069 @@ -43,7 +44,7 @@ void __init i386_start_kernel(void)
13070 memblock_x86_reserve_range(PAGE_SIZE, PAGE_SIZE + PAGE_SIZE, "EX TRAMPOLINE");
13073 - memblock_x86_reserve_range(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
13074 + memblock_x86_reserve_range(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
13076 #ifdef CONFIG_BLK_DEV_INITRD
13077 /* Reserve INITRD */
13078 diff -urNp linux-2.6.38.6/arch/x86/kernel/head_32.S linux-2.6.38.6/arch/x86/kernel/head_32.S
13079 --- linux-2.6.38.6/arch/x86/kernel/head_32.S 2011-03-14 21:20:32.000000000 -0400
13080 +++ linux-2.6.38.6/arch/x86/kernel/head_32.S 2011-05-11 18:34:57.000000000 -0400
13082 /* Physical address */
13083 #define pa(X) ((X) - __PAGE_OFFSET)
13085 +#ifdef CONFIG_PAX_KERNEXEC
13088 +#define ta(X) ((X) - __PAGE_OFFSET)
13092 * References to members of the new_cpu_data structure.
13095 * and small than max_low_pfn, otherwise will waste some page table entries
13098 -#if PTRS_PER_PMD > 1
13099 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
13101 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
13103 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
13105 /* Number of possible pages in the lowmem region */
13106 LOWMEM_PAGES = (((1<<32) - __PAGE_OFFSET) >> PAGE_SHIFT)
13107 @@ -77,6 +79,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
13108 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
13111 + * Real beginning of normal "text" segment
13117 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
13118 * %esi points to the real-mode code as a 32-bit pointer.
13119 * CS and DS must be 4 GB flat segments, but we don't depend on
13120 @@ -84,6 +92,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
13125 +#ifdef CONFIG_PAX_KERNEXEC
13127 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
13128 +.fill PAGE_SIZE-5,1,0xcc
13132 movl pa(stack_start),%ecx
13134 @@ -105,6 +120,57 @@ ENTRY(startup_32)
13136 leal -__PAGE_OFFSET(%ecx),%esp
13139 + movl $pa(cpu_gdt_table),%edi
13140 + movl $__per_cpu_load,%eax
13141 + movw %ax,__KERNEL_PERCPU + 2(%edi)
13143 + movb %al,__KERNEL_PERCPU + 4(%edi)
13144 + movb %ah,__KERNEL_PERCPU + 7(%edi)
13145 + movl $__per_cpu_end - 1,%eax
13146 + subl $__per_cpu_start,%eax
13147 + movw %ax,__KERNEL_PERCPU + 0(%edi)
13150 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13151 + movl $NR_CPUS,%ecx
13152 + movl $pa(cpu_gdt_table),%edi
13154 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
13155 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
13156 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
13157 + addl $PAGE_SIZE_asm,%edi
13161 +#ifdef CONFIG_PAX_KERNEXEC
13162 + movl $pa(boot_gdt),%edi
13163 + movl $__LOAD_PHYSICAL_ADDR,%eax
13164 + movw %ax,__BOOT_CS + 2(%edi)
13166 + movb %al,__BOOT_CS + 4(%edi)
13167 + movb %ah,__BOOT_CS + 7(%edi)
13170 + ljmp $(__BOOT_CS),$1f
13173 + movl $NR_CPUS,%ecx
13174 + movl $pa(cpu_gdt_table),%edi
13175 + addl $__PAGE_OFFSET,%eax
13177 + movw %ax,__KERNEL_CS + 2(%edi)
13178 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
13180 + movb %al,__KERNEL_CS + 4(%edi)
13181 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
13182 + movb %ah,__KERNEL_CS + 7(%edi)
13183 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
13185 + addl $PAGE_SIZE_asm,%edi
13190 * Clear BSS first so that there are no surprises...
13192 @@ -195,8 +261,11 @@ ENTRY(startup_32)
13193 movl %eax, pa(max_pfn_mapped)
13195 /* Do early initialization of the fixmap area */
13196 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
13197 - movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8)
13198 +#ifdef CONFIG_COMPAT_VDSO
13199 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8)
13201 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8)
13203 #else /* Not PAE */
13205 page_pde_offset = (__PAGE_OFFSET >> 20);
13206 @@ -226,8 +295,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
13207 movl %eax, pa(max_pfn_mapped)
13209 /* Do early initialization of the fixmap area */
13210 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
13211 - movl %eax,pa(initial_page_table+0xffc)
13212 +#ifdef CONFIG_COMPAT_VDSO
13213 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc)
13215 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc)
13219 #ifdef CONFIG_PARAVIRT
13220 @@ -241,9 +313,7 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
13221 cmpl $num_subarch_entries, %eax
13224 - movl pa(subarch_entries)(,%eax,4), %eax
13225 - subl $__PAGE_OFFSET, %eax
13227 + jmp *pa(subarch_entries)(,%eax,4)
13231 @@ -255,10 +325,10 @@ WEAK(xen_entry)
13235 - .long default_entry /* normal x86/PC */
13236 - .long lguest_entry /* lguest hypervisor */
13237 - .long xen_entry /* Xen hypervisor */
13238 - .long default_entry /* Moorestown MID */
13239 + .long ta(default_entry) /* normal x86/PC */
13240 + .long ta(lguest_entry) /* lguest hypervisor */
13241 + .long ta(xen_entry) /* Xen hypervisor */
13242 + .long ta(default_entry) /* Moorestown MID */
13243 num_subarch_entries = (. - subarch_entries) / 4
13246 @@ -312,6 +382,7 @@ default_entry:
13250 +#ifdef CONFIG_X86_PAE
13251 testb $X86_CR4_PAE, %al # check if PAE is enabled
13254 @@ -340,6 +411,9 @@ default_entry:
13255 /* Make changes effective */
13258 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
13264 @@ -443,7 +517,7 @@ is386: movl $2,%ecx # set MP
13265 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
13266 movl %eax,%ss # after changing gdt.
13268 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
13269 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
13273 @@ -457,15 +531,22 @@ is386: movl $2,%ecx # set MP
13277 - movl $gdt_page,%eax
13278 + movl $cpu_gdt_table,%eax
13279 movl $stack_canary,%ecx
13281 + addl $__per_cpu_load,%ecx
13283 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
13285 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
13286 movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
13289 movl $(__KERNEL_STACK_CANARY),%eax
13290 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
13291 + movl $(__USER_DS),%eax
13297 xorl %eax,%eax # Clear LDT
13298 @@ -558,22 +639,22 @@ early_page_fault:
13303 #ifdef CONFIG_PRINTK
13304 + cmpl $1,%ss:early_recursion_flag
13306 + incl %ss:early_recursion_flag
13309 movl $(__KERNEL_DS),%eax
13312 - cmpl $2,early_recursion_flag
13314 - incl early_recursion_flag
13317 pushl %edx /* trapno */
13326 @@ -581,8 +662,11 @@ hlt_loop:
13327 /* This is the default interrupt "handler" :-) */
13331 #ifdef CONFIG_PRINTK
13332 + cmpl $2,%ss:early_recursion_flag
13334 + incl %ss:early_recursion_flag
13339 @@ -591,9 +675,6 @@ ignore_int:
13340 movl $(__KERNEL_DS),%eax
13343 - cmpl $2,early_recursion_flag
13345 - incl early_recursion_flag
13349 @@ -622,29 +703,43 @@ ENTRY(initial_code)
13353 -__PAGE_ALIGNED_BSS
13354 - .align PAGE_SIZE_asm
13355 #ifdef CONFIG_X86_PAE
13356 +.section .initial_pg_pmd,"a",@progbits
13358 .fill 1024*KPMDS,4,0
13360 +.section .initial_page_table,"a",@progbits
13361 ENTRY(initial_page_table)
13364 +.section .initial_pg_fixmap,"a",@progbits
13367 +.section .empty_zero_page,"a",@progbits
13368 ENTRY(empty_zero_page)
13370 +.section .swapper_pg_dir,"a",@progbits
13371 ENTRY(swapper_pg_dir)
13372 +#ifdef CONFIG_X86_PAE
13379 + * The IDT has to be page-aligned to simplify the Pentium
13380 + * F0 0F bug workaround.. We have a special link segment
13383 +.section .idt,"a",@progbits
13388 * This starts the data section.
13390 #ifdef CONFIG_X86_PAE
13391 -__PAGE_ALIGNED_DATA
13392 - /* Page-aligned for the benefit of paravirt? */
13393 - .align PAGE_SIZE_asm
13394 +.section .initial_page_table,"a",@progbits
13395 ENTRY(initial_page_table)
13396 .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
13398 @@ -663,18 +758,27 @@ ENTRY(initial_page_table)
13399 # error "Kernel PMDs should be 1, 2 or 3"
13401 .align PAGE_SIZE_asm /* needs to be page-sized too */
13403 +#ifdef CONFIG_PAX_PER_CPU_PGD
13415 - .long init_thread_union+THREAD_SIZE
13416 + .long init_thread_union+THREAD_SIZE-8
13420 +.section .rodata,"a",@progbits
13421 early_recursion_flag:
13427 .asciz "Unknown interrupt or fault at: %p %p %p\n"
13429 @@ -707,7 +811,7 @@ fault_msg:
13430 .word 0 # 32 bit align gdt_desc.address
13433 - .long boot_gdt - __PAGE_OFFSET
13434 + .long pa(boot_gdt)
13436 .word 0 # 32-bit align idt_desc.address
13438 @@ -718,7 +822,7 @@ idt_descr:
13439 .word 0 # 32 bit align gdt_desc.address
13440 ENTRY(early_gdt_descr)
13441 .word GDT_ENTRIES*8-1
13442 - .long gdt_page /* Overwritten for secondary CPUs */
13443 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
13446 * The boot_gdt must mirror the equivalent in setup.S and is
13447 @@ -727,5 +831,65 @@ ENTRY(early_gdt_descr)
13448 .align L1_CACHE_BYTES
13450 .fill GDT_ENTRY_BOOT_CS,8,0
13451 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
13452 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
13453 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
13454 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
13456 + .align PAGE_SIZE_asm
13457 +ENTRY(cpu_gdt_table)
13459 + .quad 0x0000000000000000 /* NULL descriptor */
13460 + .quad 0x0000000000000000 /* 0x0b reserved */
13461 + .quad 0x0000000000000000 /* 0x13 reserved */
13462 + .quad 0x0000000000000000 /* 0x1b reserved */
13464 +#ifdef CONFIG_PAX_KERNEXEC
13465 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
13467 + .quad 0x0000000000000000 /* 0x20 unused */
13470 + .quad 0x0000000000000000 /* 0x28 unused */
13471 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
13472 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
13473 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
13474 + .quad 0x0000000000000000 /* 0x4b reserved */
13475 + .quad 0x0000000000000000 /* 0x53 reserved */
13476 + .quad 0x0000000000000000 /* 0x5b reserved */
13478 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
13479 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
13480 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
13481 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
13483 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
13484 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
13487 + * Segments used for calling PnP BIOS have byte granularity.
13488 + * The code segments and data segments have fixed 64k limits,
13489 + * the transfer segment sizes are set at run time.
13491 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
13492 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
13493 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
13494 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
13495 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
13498 + * The APM segments have byte granularity and their bases
13499 + * are set at run time. All have 64k limits.
13501 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
13502 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
13503 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
13505 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
13506 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
13507 + .quad 0x0040910000000018 /* 0xe0 - STACK_CANARY */
13508 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
13509 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
13510 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
13512 + /* Be sure this is zeroed to avoid false validations in Xen */
13513 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
13515 diff -urNp linux-2.6.38.6/arch/x86/kernel/head_64.S linux-2.6.38.6/arch/x86/kernel/head_64.S
13516 --- linux-2.6.38.6/arch/x86/kernel/head_64.S 2011-03-14 21:20:32.000000000 -0400
13517 +++ linux-2.6.38.6/arch/x86/kernel/head_64.S 2011-04-28 19:34:14.000000000 -0400
13519 #include <asm/cache.h>
13520 #include <asm/processor-flags.h>
13521 #include <asm/percpu.h>
13522 +#include <asm/cpufeature.h>
13524 #ifdef CONFIG_PARAVIRT
13525 #include <asm/asm-offsets.h>
13526 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
13527 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
13528 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
13529 L3_START_KERNEL = pud_index(__START_KERNEL_map)
13530 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
13531 +L3_VMALLOC_START = pud_index(VMALLOC_START)
13532 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
13533 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
13537 @@ -85,35 +90,22 @@ startup_64:
13539 addq %rbp, init_level4_pgt + 0(%rip)
13540 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
13541 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
13542 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
13543 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
13545 addq %rbp, level3_ident_pgt + 0(%rip)
13546 +#ifndef CONFIG_XEN
13547 + addq %rbp, level3_ident_pgt + 8(%rip)
13550 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
13551 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
13552 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
13554 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
13555 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
13556 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
13558 - /* Add an Identity mapping if I am above 1G */
13559 - leaq _text(%rip), %rdi
13560 - andq $PMD_PAGE_MASK, %rdi
13563 - shrq $PUD_SHIFT, %rax
13564 - andq $(PTRS_PER_PUD - 1), %rax
13565 - jz ident_complete
13567 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
13568 - leaq level3_ident_pgt(%rip), %rbx
13569 - movq %rdx, 0(%rbx, %rax, 8)
13572 - shrq $PMD_SHIFT, %rax
13573 - andq $(PTRS_PER_PMD - 1), %rax
13574 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
13575 - leaq level2_spare_pgt(%rip), %rbx
13576 - movq %rdx, 0(%rbx, %rax, 8)
13578 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
13579 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
13582 * Fixup the kernel text+data virtual addresses. Note that
13583 @@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
13584 * after the boot processor executes this code.
13587 - /* Enable PAE mode and PGE */
13588 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
13589 + /* Enable PAE mode and PSE/PGE */
13590 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
13593 /* Setup early boot stage 4 level pagetables. */
13594 @@ -184,9 +176,14 @@ ENTRY(secondary_startup_64)
13595 movl $MSR_EFER, %ecx
13597 btsl $_EFER_SCE, %eax /* Enable System Call */
13598 - btl $20,%edi /* No Execute supported? */
13599 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
13601 btsl $_EFER_NX, %eax
13602 + leaq init_level4_pgt(%rip), %rdi
13603 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
13604 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
13605 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
13606 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
13607 1: wrmsr /* Make changes effective */
13610 @@ -270,7 +267,7 @@ ENTRY(secondary_startup_64)
13614 - .section ".init.text","ax"
13616 #ifdef CONFIG_EARLY_PRINTK
13617 .globl early_idt_handlers
13618 early_idt_handlers:
13619 @@ -315,18 +312,23 @@ ENTRY(early_idt_handler)
13620 #endif /* EARLY_PRINTK */
13625 #ifdef CONFIG_EARLY_PRINTK
13627 early_recursion_flag:
13631 + .section .rodata,"a",@progbits
13633 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
13636 -#endif /* CONFIG_EARLY_PRINTK */
13638 +#endif /* CONFIG_EARLY_PRINTK */
13640 + .section .rodata,"a",@progbits
13641 #define NEXT_PAGE(name) \
13642 .balign PAGE_SIZE; \
13644 @@ -339,7 +341,6 @@ ENTRY(name)
13650 * This default setting generates an ident mapping at address 0x100000
13651 * and a mapping for the kernel that precisely maps virtual address
13652 @@ -350,13 +351,36 @@ NEXT_PAGE(init_level4_pgt)
13653 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13654 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
13655 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13656 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
13657 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
13658 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
13659 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
13660 .org init_level4_pgt + L4_START_KERNEL*8, 0
13661 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
13662 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
13664 +#ifdef CONFIG_PAX_PER_CPU_PGD
13665 +NEXT_PAGE(cpu_pgd)
13671 NEXT_PAGE(level3_ident_pgt)
13672 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13676 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
13680 +NEXT_PAGE(level3_vmalloc_pgt)
13683 +NEXT_PAGE(level3_vmemmap_pgt)
13684 + .fill L3_VMEMMAP_START,8,0
13685 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
13687 NEXT_PAGE(level3_kernel_pgt)
13688 .fill L3_START_KERNEL,8,0
13689 @@ -364,20 +388,23 @@ NEXT_PAGE(level3_kernel_pgt)
13690 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
13691 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
13693 +NEXT_PAGE(level2_vmemmap_pgt)
13696 NEXT_PAGE(level2_fixmap_pgt)
13698 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
13699 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
13702 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
13703 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
13706 -NEXT_PAGE(level1_fixmap_pgt)
13707 +NEXT_PAGE(level1_vsyscall_pgt)
13710 -NEXT_PAGE(level2_ident_pgt)
13711 - /* Since I easily can, map the first 1G.
13712 + /* Since I easily can, map the first 2G.
13713 * Don't set NX because code runs from these pages.
13715 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
13716 +NEXT_PAGE(level2_ident_pgt)
13717 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
13719 NEXT_PAGE(level2_kernel_pgt)
13721 @@ -390,33 +417,55 @@ NEXT_PAGE(level2_kernel_pgt)
13722 * If you want to increase this then increase MODULES_VADDR
13725 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
13726 - KERNEL_IMAGE_SIZE/PMD_SIZE)
13728 -NEXT_PAGE(level2_spare_pgt)
13730 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
13737 +ENTRY(cpu_gdt_table)
13739 + .quad 0x0000000000000000 /* NULL descriptor */
13740 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
13741 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
13742 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
13743 + .quad 0x00cffb000000ffff /* __USER32_CS */
13744 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
13745 + .quad 0x00affb000000ffff /* __USER_CS */
13747 +#ifdef CONFIG_PAX_KERNEXEC
13748 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
13750 + .quad 0x0 /* unused */
13753 + .quad 0,0 /* TSS */
13754 + .quad 0,0 /* LDT */
13755 + .quad 0,0,0 /* three TLS descriptors */
13756 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
13757 + /* asm/segment.h:GDT_ENTRIES must match this */
13759 + /* zero the remaining page */
13760 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
13764 .globl early_gdt_descr
13766 .word GDT_ENTRIES*8-1
13767 early_gdt_descr_base:
13768 - .quad INIT_PER_CPU_VAR(gdt_page)
13769 + .quad cpu_gdt_table
13772 /* This must match the first entry in level2_kernel_pgt */
13773 .quad 0x0000000000000000
13775 #include "../../x86/xen/xen-head.S"
13777 - .section .bss, "aw", @nobits
13779 + .section .rodata,"a",@progbits
13780 .align L1_CACHE_BYTES
13782 - .skip IDT_ENTRIES * 16
13787 diff -urNp linux-2.6.38.6/arch/x86/kernel/i386_ksyms_32.c linux-2.6.38.6/arch/x86/kernel/i386_ksyms_32.c
13788 --- linux-2.6.38.6/arch/x86/kernel/i386_ksyms_32.c 2011-03-14 21:20:32.000000000 -0400
13789 +++ linux-2.6.38.6/arch/x86/kernel/i386_ksyms_32.c 2011-04-28 19:34:14.000000000 -0400
13790 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
13791 EXPORT_SYMBOL(cmpxchg8b_emu);
13794 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
13796 /* Networking helper routines. */
13797 EXPORT_SYMBOL(csum_partial_copy_generic);
13798 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
13799 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
13801 EXPORT_SYMBOL(__get_user_1);
13802 EXPORT_SYMBOL(__get_user_2);
13803 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
13805 EXPORT_SYMBOL(csum_partial);
13806 EXPORT_SYMBOL(empty_zero_page);
13808 +#ifdef CONFIG_PAX_KERNEXEC
13809 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
13811 diff -urNp linux-2.6.38.6/arch/x86/kernel/i8259.c linux-2.6.38.6/arch/x86/kernel/i8259.c
13812 --- linux-2.6.38.6/arch/x86/kernel/i8259.c 2011-03-14 21:20:32.000000000 -0400
13813 +++ linux-2.6.38.6/arch/x86/kernel/i8259.c 2011-04-28 19:57:25.000000000 -0400
13814 @@ -210,7 +210,7 @@ spurious_8259A_irq:
13815 "spurious 8259A interrupt: IRQ%d.\n", irq);
13816 spurious_irq_mask |= irqmask;
13818 - atomic_inc(&irq_err_count);
13819 + atomic_inc_unchecked(&irq_err_count);
13821 * Theoretically we do not have to handle this IRQ,
13822 * but in Linux this does not cause problems and is
13823 diff -urNp linux-2.6.38.6/arch/x86/kernel/init_task.c linux-2.6.38.6/arch/x86/kernel/init_task.c
13824 --- linux-2.6.38.6/arch/x86/kernel/init_task.c 2011-03-14 21:20:32.000000000 -0400
13825 +++ linux-2.6.38.6/arch/x86/kernel/init_task.c 2011-04-28 19:34:14.000000000 -0400
13826 @@ -20,8 +20,7 @@ static struct sighand_struct init_sighan
13827 * way process stacks are handled. This is done by having a special
13828 * "init_task" linker map entry..
13830 -union thread_union init_thread_union __init_task_data =
13831 - { INIT_THREAD_INFO(init_task) };
13832 +union thread_union init_thread_union __init_task_data;
13835 * Initial task structure.
13836 @@ -38,5 +37,5 @@ EXPORT_SYMBOL(init_task);
13837 * section. Since TSS's are completely CPU-local, we want them
13838 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
13840 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
13842 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
13843 +EXPORT_SYMBOL(init_tss);
13844 diff -urNp linux-2.6.38.6/arch/x86/kernel/ioport.c linux-2.6.38.6/arch/x86/kernel/ioport.c
13845 --- linux-2.6.38.6/arch/x86/kernel/ioport.c 2011-03-14 21:20:32.000000000 -0400
13846 +++ linux-2.6.38.6/arch/x86/kernel/ioport.c 2011-04-28 19:34:14.000000000 -0400
13848 #include <linux/sched.h>
13849 #include <linux/kernel.h>
13850 #include <linux/capability.h>
13851 +#include <linux/security.h>
13852 #include <linux/errno.h>
13853 #include <linux/types.h>
13854 #include <linux/ioport.h>
13855 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
13857 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
13859 +#ifdef CONFIG_GRKERNSEC_IO
13860 + if (turn_on && grsec_disable_privio) {
13861 + gr_handle_ioperm();
13865 if (turn_on && !capable(CAP_SYS_RAWIO))
13868 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
13869 * because the ->io_bitmap_max value must match the bitmap
13872 - tss = &per_cpu(init_tss, get_cpu());
13873 + tss = init_tss + get_cpu();
13875 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
13877 @@ -112,6 +119,12 @@ long sys_iopl(unsigned int level, struct
13879 /* Trying to gain more privileges? */
13881 +#ifdef CONFIG_GRKERNSEC_IO
13882 + if (grsec_disable_privio) {
13883 + gr_handle_iopl();
13887 if (!capable(CAP_SYS_RAWIO))
13890 diff -urNp linux-2.6.38.6/arch/x86/kernel/irq_32.c linux-2.6.38.6/arch/x86/kernel/irq_32.c
13891 --- linux-2.6.38.6/arch/x86/kernel/irq_32.c 2011-03-14 21:20:32.000000000 -0400
13892 +++ linux-2.6.38.6/arch/x86/kernel/irq_32.c 2011-04-28 19:34:14.000000000 -0400
13893 @@ -36,7 +36,7 @@ static int check_stack_overflow(void)
13894 __asm__ __volatile__("andl %%esp,%0" :
13895 "=r" (sp) : "0" (THREAD_SIZE - 1));
13897 - return sp < (sizeof(struct thread_info) + STACK_WARN);
13898 + return sp < STACK_WARN;
13901 static void print_stack_overflow(void)
13902 @@ -54,8 +54,8 @@ static inline void print_stack_overflow(
13903 * per-CPU IRQ handling contexts (thread information and stack)
13906 - struct thread_info tinfo;
13907 - u32 stack[THREAD_SIZE/sizeof(u32)];
13908 + unsigned long previous_esp;
13909 + u32 stack[THREAD_SIZE/sizeof(u32)];
13910 } __attribute__((aligned(THREAD_SIZE)));
13912 static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
13913 @@ -75,10 +75,9 @@ static void call_on_stack(void *func, vo
13915 execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
13917 - union irq_ctx *curctx, *irqctx;
13918 + union irq_ctx *irqctx;
13919 u32 *isp, arg1, arg2;
13921 - curctx = (union irq_ctx *) current_thread_info();
13922 irqctx = __this_cpu_read(hardirq_ctx);
13925 @@ -87,21 +86,17 @@ execute_on_irq_stack(int overflow, struc
13926 * handler) we can't do that and just have to keep using the
13927 * current stack (which is the irq stack already after all)
13929 - if (unlikely(curctx == irqctx))
13930 + if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE))
13933 /* build the stack frame on the IRQ stack */
13934 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
13935 - irqctx->tinfo.task = curctx->tinfo.task;
13936 - irqctx->tinfo.previous_esp = current_stack_pointer;
13937 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
13938 + irqctx->previous_esp = current_stack_pointer;
13939 + add_preempt_count(HARDIRQ_OFFSET);
13942 - * Copy the softirq bits in preempt_count so that the
13943 - * softirq checks work in the hardirq context.
13945 - irqctx->tinfo.preempt_count =
13946 - (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
13947 - (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
13948 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13949 + __set_fs(MAKE_MM_SEG(0));
13952 if (unlikely(overflow))
13953 call_on_stack(print_stack_overflow, isp);
13954 @@ -113,6 +108,12 @@ execute_on_irq_stack(int overflow, struc
13955 : "0" (irq), "1" (desc), "2" (isp),
13956 "D" (desc->handle_irq)
13957 : "memory", "cc", "ecx");
13959 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13960 + __set_fs(current_thread_info()->addr_limit);
13963 + sub_preempt_count(HARDIRQ_OFFSET);
13967 @@ -121,29 +122,11 @@ execute_on_irq_stack(int overflow, struc
13969 void __cpuinit irq_ctx_init(int cpu)
13971 - union irq_ctx *irqctx;
13973 if (per_cpu(hardirq_ctx, cpu))
13976 - irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
13979 - memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
13980 - irqctx->tinfo.cpu = cpu;
13981 - irqctx->tinfo.preempt_count = HARDIRQ_OFFSET;
13982 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
13984 - per_cpu(hardirq_ctx, cpu) = irqctx;
13986 - irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
13989 - memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
13990 - irqctx->tinfo.cpu = cpu;
13991 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
13993 - per_cpu(softirq_ctx, cpu) = irqctx;
13994 + per_cpu(hardirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
13995 + per_cpu(softirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
13997 printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
13998 cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
13999 @@ -152,7 +135,6 @@ void __cpuinit irq_ctx_init(int cpu)
14000 asmlinkage void do_softirq(void)
14002 unsigned long flags;
14003 - struct thread_info *curctx;
14004 union irq_ctx *irqctx;
14007 @@ -162,15 +144,22 @@ asmlinkage void do_softirq(void)
14008 local_irq_save(flags);
14010 if (local_softirq_pending()) {
14011 - curctx = current_thread_info();
14012 irqctx = __this_cpu_read(softirq_ctx);
14013 - irqctx->tinfo.task = curctx->task;
14014 - irqctx->tinfo.previous_esp = current_stack_pointer;
14015 + irqctx->previous_esp = current_stack_pointer;
14017 /* build the stack frame on the softirq stack */
14018 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
14019 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
14021 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14022 + __set_fs(MAKE_MM_SEG(0));
14025 call_on_stack(__do_softirq, isp);
14027 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14028 + __set_fs(current_thread_info()->addr_limit);
14032 * Shouldnt happen, we returned above if in_interrupt():
14034 diff -urNp linux-2.6.38.6/arch/x86/kernel/irq.c linux-2.6.38.6/arch/x86/kernel/irq.c
14035 --- linux-2.6.38.6/arch/x86/kernel/irq.c 2011-03-14 21:20:32.000000000 -0400
14036 +++ linux-2.6.38.6/arch/x86/kernel/irq.c 2011-04-28 19:57:25.000000000 -0400
14038 #include <asm/mce.h>
14039 #include <asm/hw_irq.h>
14041 -atomic_t irq_err_count;
14042 +atomic_unchecked_t irq_err_count;
14044 /* Function pointer for generic interrupt vector handling */
14045 void (*x86_platform_ipi_callback)(void) = NULL;
14046 @@ -115,9 +115,9 @@ static int show_other_interrupts(struct
14047 seq_printf(p, "%10u ", per_cpu(mce_poll_count, j));
14048 seq_printf(p, " Machine check polls\n");
14050 - seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
14051 + seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
14052 #if defined(CONFIG_X86_IO_APIC)
14053 - seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
14054 + seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
14058 @@ -210,10 +210,10 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
14060 u64 arch_irq_stat(void)
14062 - u64 sum = atomic_read(&irq_err_count);
14063 + u64 sum = atomic_read_unchecked(&irq_err_count);
14065 #ifdef CONFIG_X86_IO_APIC
14066 - sum += atomic_read(&irq_mis_count);
14067 + sum += atomic_read_unchecked(&irq_mis_count);
14071 diff -urNp linux-2.6.38.6/arch/x86/kernel/kgdb.c linux-2.6.38.6/arch/x86/kernel/kgdb.c
14072 --- linux-2.6.38.6/arch/x86/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
14073 +++ linux-2.6.38.6/arch/x86/kernel/kgdb.c 2011-04-28 19:57:25.000000000 -0400
14074 @@ -124,11 +124,11 @@ char *dbg_get_reg(int regno, void *mem,
14076 #ifdef CONFIG_X86_32
14078 - if (!user_mode_vm(regs))
14079 + if (!user_mode(regs))
14080 *(unsigned long *)mem = __KERNEL_DS;
14083 - if (!user_mode_vm(regs))
14084 + if (!user_mode(regs))
14085 *(unsigned long *)mem = kernel_stack_pointer(regs);
14088 @@ -473,12 +473,12 @@ int kgdb_arch_handle_exception(int e_vec
14090 /* clear the trace bit */
14091 linux_regs->flags &= ~X86_EFLAGS_TF;
14092 - atomic_set(&kgdb_cpu_doing_single_step, -1);
14093 + atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
14095 /* set the trace bit if we're stepping */
14096 if (remcomInBuffer[0] == 's') {
14097 linux_regs->flags |= X86_EFLAGS_TF;
14098 - atomic_set(&kgdb_cpu_doing_single_step,
14099 + atomic_set_unchecked(&kgdb_cpu_doing_single_step,
14100 raw_smp_processor_id());
14103 @@ -543,7 +543,7 @@ static int __kgdb_notify(struct die_args
14107 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
14108 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
14109 if (user_mode(regs))
14110 return single_step_cont(regs, args);
14112 @@ -719,7 +719,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
14116 -struct kgdb_arch arch_kgdb_ops = {
14117 +const struct kgdb_arch arch_kgdb_ops = {
14118 /* Breakpoint instruction: */
14119 .gdb_bpt_instr = { 0xcc },
14120 .flags = KGDB_HW_BREAKPOINT,
14121 diff -urNp linux-2.6.38.6/arch/x86/kernel/kprobes.c linux-2.6.38.6/arch/x86/kernel/kprobes.c
14122 --- linux-2.6.38.6/arch/x86/kernel/kprobes.c 2011-03-14 21:20:32.000000000 -0400
14123 +++ linux-2.6.38.6/arch/x86/kernel/kprobes.c 2011-04-28 19:34:14.000000000 -0400
14124 @@ -115,8 +115,11 @@ static void __kprobes __synthesize_relat
14125 } __attribute__((packed)) *insn;
14127 insn = (struct __arch_relative_insn *)from;
14129 + pax_open_kernel();
14130 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
14132 + pax_close_kernel();
14135 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
14136 @@ -153,7 +156,7 @@ static int __kprobes can_boost(kprobe_op
14137 kprobe_opcode_t opcode;
14138 kprobe_opcode_t *orig_opcodes = opcodes;
14140 - if (search_exception_tables((unsigned long)opcodes))
14141 + if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
14142 return 0; /* Page fault may occur on this address. */
14145 @@ -314,7 +317,9 @@ static int __kprobes __copy_instruction(
14148 insn_get_length(&insn);
14149 + pax_open_kernel();
14150 memcpy(dest, insn.kaddr, insn.length);
14151 + pax_close_kernel();
14153 #ifdef CONFIG_X86_64
14154 if (insn_rip_relative(&insn)) {
14155 @@ -338,7 +343,9 @@ static int __kprobes __copy_instruction(
14157 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
14158 disp = (u8 *) dest + insn_offset_displacement(&insn);
14159 + pax_open_kernel();
14160 *(s32 *) disp = (s32) newdisp;
14161 + pax_close_kernel();
14164 return insn.length;
14165 @@ -352,12 +359,12 @@ static void __kprobes arch_copy_kprobe(s
14167 __copy_instruction(p->ainsn.insn, p->addr, 0);
14169 - if (can_boost(p->addr))
14170 + if (can_boost(ktla_ktva(p->addr)))
14171 p->ainsn.boostable = 0;
14173 p->ainsn.boostable = -1;
14175 - p->opcode = *p->addr;
14176 + p->opcode = *(ktla_ktva(p->addr));
14179 int __kprobes arch_prepare_kprobe(struct kprobe *p)
14180 @@ -474,7 +481,7 @@ static void __kprobes setup_singlestep(s
14181 * nor set current_kprobe, because it doesn't use single
14184 - regs->ip = (unsigned long)p->ainsn.insn;
14185 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
14186 preempt_enable_no_resched();
14189 @@ -493,7 +500,7 @@ static void __kprobes setup_singlestep(s
14190 if (p->opcode == BREAKPOINT_INSTRUCTION)
14191 regs->ip = (unsigned long)p->addr;
14193 - regs->ip = (unsigned long)p->ainsn.insn;
14194 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
14198 @@ -572,7 +579,7 @@ static int __kprobes kprobe_handler(stru
14199 setup_singlestep(p, regs, kcb, 0);
14202 - } else if (*addr != BREAKPOINT_INSTRUCTION) {
14203 + } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
14205 * The breakpoint instruction was removed right
14206 * after we hit it. Another cpu has removed
14207 @@ -817,7 +824,7 @@ static void __kprobes resume_execution(s
14208 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
14210 unsigned long *tos = stack_addr(regs);
14211 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
14212 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
14213 unsigned long orig_ip = (unsigned long)p->addr;
14214 kprobe_opcode_t *insn = p->ainsn.insn;
14216 @@ -999,7 +1006,7 @@ int __kprobes kprobe_exceptions_notify(s
14217 struct die_args *args = data;
14218 int ret = NOTIFY_DONE;
14220 - if (args->regs && user_mode_vm(args->regs))
14221 + if (args->regs && user_mode(args->regs))
14225 @@ -1372,7 +1379,7 @@ int __kprobes arch_prepare_optimized_kpr
14226 * Verify if the address gap is in 2GB range, because this uses
14229 - rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE;
14230 + rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;
14231 if (abs(rel) > 0x7fffffff)
14234 @@ -1393,11 +1400,11 @@ int __kprobes arch_prepare_optimized_kpr
14235 synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op);
14237 /* Set probe function call */
14238 - synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback);
14239 + synthesize_relcall(buf + TMPL_CALL_IDX, ktla_ktva(optimized_callback));
14241 /* Set returning jmp instruction at the tail of out-of-line buffer */
14242 synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
14243 - (u8 *)op->kp.addr + op->optinsn.size);
14244 + (u8 *)ktla_ktva(op->kp.addr) + op->optinsn.size);
14246 flush_icache_range((unsigned long) buf,
14247 (unsigned long) buf + TMPL_END_IDX +
14248 @@ -1419,7 +1426,7 @@ static void __kprobes setup_optimize_kpr
14249 ((long)op->kp.addr + RELATIVEJUMP_SIZE));
14251 /* Backup instructions which will be replaced by jump address */
14252 - memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE,
14253 + memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE,
14254 RELATIVE_ADDR_SIZE);
14256 insn_buf[0] = RELATIVEJUMP_OPCODE;
14257 diff -urNp linux-2.6.38.6/arch/x86/kernel/ldt.c linux-2.6.38.6/arch/x86/kernel/ldt.c
14258 --- linux-2.6.38.6/arch/x86/kernel/ldt.c 2011-03-14 21:20:32.000000000 -0400
14259 +++ linux-2.6.38.6/arch/x86/kernel/ldt.c 2011-04-28 19:34:14.000000000 -0400
14260 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
14265 + load_LDT_nolock(pc);
14266 if (!cpumask_equal(mm_cpumask(current->mm),
14267 cpumask_of(smp_processor_id())))
14268 smp_call_function(flush_ldt, current->mm, 1);
14272 + load_LDT_nolock(pc);
14276 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
14279 for (i = 0; i < old->size; i++)
14280 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
14281 + write_ldt_entry(new->ldt, i, old->ldt + i);
14285 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct
14286 retval = copy_ldt(&mm->context, &old_mm->context);
14287 mutex_unlock(&old_mm->context.lock);
14290 + if (tsk == current) {
14291 + mm->context.vdso = 0;
14293 +#ifdef CONFIG_X86_32
14294 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
14295 + mm->context.user_cs_base = 0UL;
14296 + mm->context.user_cs_limit = ~0UL;
14298 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
14299 + cpus_clear(mm->context.cpu_user_cs_mask);
14310 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
14314 +#ifdef CONFIG_PAX_SEGMEXEC
14315 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
14321 fill_ldt(&ldt, &ldt_info);
14324 diff -urNp linux-2.6.38.6/arch/x86/kernel/machine_kexec_32.c linux-2.6.38.6/arch/x86/kernel/machine_kexec_32.c
14325 --- linux-2.6.38.6/arch/x86/kernel/machine_kexec_32.c 2011-03-14 21:20:32.000000000 -0400
14326 +++ linux-2.6.38.6/arch/x86/kernel/machine_kexec_32.c 2011-04-28 19:34:14.000000000 -0400
14328 #include <asm/cacheflush.h>
14329 #include <asm/debugreg.h>
14331 -static void set_idt(void *newidt, __u16 limit)
14332 +static void set_idt(struct desc_struct *newidt, __u16 limit)
14334 struct desc_ptr curidt;
14336 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
14340 -static void set_gdt(void *newgdt, __u16 limit)
14341 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
14343 struct desc_ptr curgdt;
14345 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
14348 control_page = page_address(image->control_code_page);
14349 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
14350 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
14352 relocate_kernel_ptr = control_page;
14353 page_list[PA_CONTROL_PAGE] = __pa(control_page);
14354 diff -urNp linux-2.6.38.6/arch/x86/kernel/microcode_amd.c linux-2.6.38.6/arch/x86/kernel/microcode_amd.c
14355 --- linux-2.6.38.6/arch/x86/kernel/microcode_amd.c 2011-03-14 21:20:32.000000000 -0400
14356 +++ linux-2.6.38.6/arch/x86/kernel/microcode_amd.c 2011-04-28 19:34:14.000000000 -0400
14357 @@ -317,7 +317,7 @@ static void microcode_fini_cpu_amd(int c
14361 -static struct microcode_ops microcode_amd_ops = {
14362 +static const struct microcode_ops microcode_amd_ops = {
14363 .request_microcode_user = request_microcode_user,
14364 .request_microcode_fw = request_microcode_fw,
14365 .collect_cpu_info = collect_cpu_info_amd,
14366 @@ -325,7 +325,7 @@ static struct microcode_ops microcode_am
14367 .microcode_fini_cpu = microcode_fini_cpu_amd,
14370 -struct microcode_ops * __init init_amd_microcode(void)
14371 +const struct microcode_ops * __init init_amd_microcode(void)
14373 return µcode_amd_ops;
14375 diff -urNp linux-2.6.38.6/arch/x86/kernel/microcode_core.c linux-2.6.38.6/arch/x86/kernel/microcode_core.c
14376 --- linux-2.6.38.6/arch/x86/kernel/microcode_core.c 2011-03-14 21:20:32.000000000 -0400
14377 +++ linux-2.6.38.6/arch/x86/kernel/microcode_core.c 2011-04-28 19:34:14.000000000 -0400
14378 @@ -92,7 +92,7 @@ MODULE_LICENSE("GPL");
14380 #define MICROCODE_VERSION "2.00"
14382 -static struct microcode_ops *microcode_ops;
14383 +static const struct microcode_ops *microcode_ops;
14387 diff -urNp linux-2.6.38.6/arch/x86/kernel/microcode_intel.c linux-2.6.38.6/arch/x86/kernel/microcode_intel.c
14388 --- linux-2.6.38.6/arch/x86/kernel/microcode_intel.c 2011-03-14 21:20:32.000000000 -0400
14389 +++ linux-2.6.38.6/arch/x86/kernel/microcode_intel.c 2011-04-28 19:34:14.000000000 -0400
14390 @@ -440,13 +440,13 @@ static enum ucode_state request_microcod
14392 static int get_ucode_user(void *to, const void *from, size_t n)
14394 - return copy_from_user(to, from, n);
14395 + return copy_from_user(to, (__force const void __user *)from, n);
14398 static enum ucode_state
14399 request_microcode_user(int cpu, const void __user *buf, size_t size)
14401 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
14402 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
14405 static void microcode_fini_cpu(int cpu)
14406 @@ -457,7 +457,7 @@ static void microcode_fini_cpu(int cpu)
14410 -static struct microcode_ops microcode_intel_ops = {
14411 +static const struct microcode_ops microcode_intel_ops = {
14412 .request_microcode_user = request_microcode_user,
14413 .request_microcode_fw = request_microcode_fw,
14414 .collect_cpu_info = collect_cpu_info,
14415 @@ -465,7 +465,7 @@ static struct microcode_ops microcode_in
14416 .microcode_fini_cpu = microcode_fini_cpu,
14419 -struct microcode_ops * __init init_intel_microcode(void)
14420 +const struct microcode_ops * __init init_intel_microcode(void)
14422 return µcode_intel_ops;
14424 diff -urNp linux-2.6.38.6/arch/x86/kernel/module.c linux-2.6.38.6/arch/x86/kernel/module.c
14425 --- linux-2.6.38.6/arch/x86/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
14426 +++ linux-2.6.38.6/arch/x86/kernel/module.c 2011-04-28 19:34:14.000000000 -0400
14427 @@ -35,21 +35,66 @@
14428 #define DEBUGP(fmt...)
14431 -void *module_alloc(unsigned long size)
14432 +static inline void *__module_alloc(unsigned long size, pgprot_t prot)
14434 if (PAGE_ALIGN(size) > MODULES_LEN)
14436 return __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
14437 - GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
14438 + GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot,
14439 -1, __builtin_return_address(0));
14442 +void *module_alloc(unsigned long size)
14445 +#ifdef CONFIG_PAX_KERNEXEC
14446 + return __module_alloc(size, PAGE_KERNEL);
14448 + return __module_alloc(size, PAGE_KERNEL_EXEC);
14453 /* Free memory returned from module_alloc */
14454 void module_free(struct module *mod, void *module_region)
14456 vfree(module_region);
14459 +#ifdef CONFIG_PAX_KERNEXEC
14460 +#ifdef CONFIG_X86_32
14461 +void *module_alloc_exec(unsigned long size)
14463 + struct vm_struct *area;
14468 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
14469 + return area ? area->addr : NULL;
14471 +EXPORT_SYMBOL(module_alloc_exec);
14473 +void module_free_exec(struct module *mod, void *module_region)
14475 + vunmap(module_region);
14477 +EXPORT_SYMBOL(module_free_exec);
14479 +void module_free_exec(struct module *mod, void *module_region)
14481 + module_free(mod, module_region);
14483 +EXPORT_SYMBOL(module_free_exec);
14485 +void *module_alloc_exec(unsigned long size)
14487 + return __module_alloc(size, PAGE_KERNEL_RX);
14489 +EXPORT_SYMBOL(module_alloc_exec);
14493 /* We don't need anything special. */
14494 int module_frob_arch_sections(Elf_Ehdr *hdr,
14496 @@ -69,14 +114,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
14498 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
14500 - uint32_t *location;
14501 + uint32_t *plocation, location;
14503 DEBUGP("Applying relocate section %u to %u\n", relsec,
14504 sechdrs[relsec].sh_info);
14505 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
14506 /* This is where to make the change */
14507 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
14508 - + rel[i].r_offset;
14509 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
14510 + location = (uint32_t)plocation;
14511 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
14512 + plocation = ktla_ktva((void *)plocation);
14513 /* This is the symbol it is referring to. Note that all
14514 undefined symbols have been resolved. */
14515 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
14516 @@ -85,11 +132,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
14517 switch (ELF32_R_TYPE(rel[i].r_info)) {
14519 /* We add the value into the location given */
14520 - *location += sym->st_value;
14521 + pax_open_kernel();
14522 + *plocation += sym->st_value;
14523 + pax_close_kernel();
14526 /* Add the value, subtract its postition */
14527 - *location += sym->st_value - (uint32_t)location;
14528 + pax_open_kernel();
14529 + *plocation += sym->st_value - location;
14530 + pax_close_kernel();
14533 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
14534 @@ -145,21 +196,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
14535 case R_X86_64_NONE:
14538 + pax_open_kernel();
14540 + pax_close_kernel();
14543 + pax_open_kernel();
14545 + pax_close_kernel();
14546 if (val != *(u32 *)loc)
14550 + pax_open_kernel();
14552 + pax_close_kernel();
14553 if ((s64)val != *(s32 *)loc)
14556 case R_X86_64_PC32:
14558 + pax_open_kernel();
14560 + pax_close_kernel();
14563 if ((s64)val != *(s32 *)loc)
14565 diff -urNp linux-2.6.38.6/arch/x86/kernel/paravirt.c linux-2.6.38.6/arch/x86/kernel/paravirt.c
14566 --- linux-2.6.38.6/arch/x86/kernel/paravirt.c 2011-03-14 21:20:32.000000000 -0400
14567 +++ linux-2.6.38.6/arch/x86/kernel/paravirt.c 2011-05-16 21:47:08.000000000 -0400
14568 @@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu
14569 * corresponding structure. */
14570 static void *get_call_destination(u8 type)
14572 - struct paravirt_patch_template tmpl = {
14573 + const struct paravirt_patch_template tmpl = {
14574 .pv_init_ops = pv_init_ops,
14575 .pv_time_ops = pv_time_ops,
14576 .pv_cpu_ops = pv_cpu_ops,
14577 @@ -133,6 +133,9 @@ static void *get_call_destination(u8 typ
14578 .pv_lock_ops = pv_lock_ops,
14582 + pax_track_stack();
14584 return *((void **)&tmpl + type);
14587 @@ -145,14 +148,14 @@ unsigned paravirt_patch_default(u8 type,
14588 if (opfunc == NULL)
14589 /* If there's no function, patch it with a ud2a (BUG) */
14590 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
14591 - else if (opfunc == _paravirt_nop)
14592 + else if (opfunc == (void *)_paravirt_nop)
14593 /* If the operation is a nop, then nop the callsite */
14594 ret = paravirt_patch_nop();
14596 /* identity functions just return their single argument */
14597 - else if (opfunc == _paravirt_ident_32)
14598 + else if (opfunc == (void *)_paravirt_ident_32)
14599 ret = paravirt_patch_ident_32(insnbuf, len);
14600 - else if (opfunc == _paravirt_ident_64)
14601 + else if (opfunc == (void *)_paravirt_ident_64)
14602 ret = paravirt_patch_ident_64(insnbuf, len);
14604 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
14605 @@ -178,7 +181,7 @@ unsigned paravirt_patch_insns(void *insn
14606 if (insn_len > len || start == NULL)
14609 - memcpy(insnbuf, start, insn_len);
14610 + memcpy(insnbuf, ktla_ktva(start), insn_len);
14614 @@ -294,22 +297,22 @@ void arch_flush_lazy_mmu_mode(void)
14618 -struct pv_info pv_info = {
14619 +struct pv_info pv_info __read_only = {
14620 .name = "bare hardware",
14621 .paravirt_enabled = 0,
14623 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
14626 -struct pv_init_ops pv_init_ops = {
14627 +struct pv_init_ops pv_init_ops __read_only = {
14628 .patch = native_patch,
14631 -struct pv_time_ops pv_time_ops = {
14632 +struct pv_time_ops pv_time_ops __read_only = {
14633 .sched_clock = native_sched_clock,
14636 -struct pv_irq_ops pv_irq_ops = {
14637 +struct pv_irq_ops pv_irq_ops __read_only = {
14638 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
14639 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
14640 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
14641 @@ -321,7 +324,7 @@ struct pv_irq_ops pv_irq_ops = {
14645 -struct pv_cpu_ops pv_cpu_ops = {
14646 +struct pv_cpu_ops pv_cpu_ops __read_only = {
14647 .cpuid = native_cpuid,
14648 .get_debugreg = native_get_debugreg,
14649 .set_debugreg = native_set_debugreg,
14650 @@ -382,7 +385,7 @@ struct pv_cpu_ops pv_cpu_ops = {
14651 .end_context_switch = paravirt_nop,
14654 -struct pv_apic_ops pv_apic_ops = {
14655 +struct pv_apic_ops pv_apic_ops __read_only = {
14656 #ifdef CONFIG_X86_LOCAL_APIC
14657 .startup_ipi_hook = paravirt_nop,
14659 @@ -396,7 +399,7 @@ struct pv_apic_ops pv_apic_ops = {
14660 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
14663 -struct pv_mmu_ops pv_mmu_ops = {
14664 +struct pv_mmu_ops pv_mmu_ops __read_only = {
14666 .read_cr2 = native_read_cr2,
14667 .write_cr2 = native_write_cr2,
14668 @@ -465,6 +468,12 @@ struct pv_mmu_ops pv_mmu_ops = {
14671 .set_fixmap = native_set_fixmap,
14673 +#ifdef CONFIG_PAX_KERNEXEC
14674 + .pax_open_kernel = native_pax_open_kernel,
14675 + .pax_close_kernel = native_pax_close_kernel,
14680 EXPORT_SYMBOL_GPL(pv_time_ops);
14681 diff -urNp linux-2.6.38.6/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.38.6/arch/x86/kernel/paravirt-spinlocks.c
14682 --- linux-2.6.38.6/arch/x86/kernel/paravirt-spinlocks.c 2011-03-14 21:20:32.000000000 -0400
14683 +++ linux-2.6.38.6/arch/x86/kernel/paravirt-spinlocks.c 2011-04-28 19:34:14.000000000 -0400
14684 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
14685 arch_spin_lock(lock);
14688 -struct pv_lock_ops pv_lock_ops = {
14689 +struct pv_lock_ops pv_lock_ops __read_only = {
14691 .spin_is_locked = __ticket_spin_is_locked,
14692 .spin_is_contended = __ticket_spin_is_contended,
14693 diff -urNp linux-2.6.38.6/arch/x86/kernel/pci-calgary_64.c linux-2.6.38.6/arch/x86/kernel/pci-calgary_64.c
14694 --- linux-2.6.38.6/arch/x86/kernel/pci-calgary_64.c 2011-03-14 21:20:32.000000000 -0400
14695 +++ linux-2.6.38.6/arch/x86/kernel/pci-calgary_64.c 2011-04-28 19:34:14.000000000 -0400
14696 @@ -476,7 +476,7 @@ static void calgary_free_coherent(struct
14697 free_pages((unsigned long)vaddr, get_order(size));
14700 -static struct dma_map_ops calgary_dma_ops = {
14701 +static const struct dma_map_ops calgary_dma_ops = {
14702 .alloc_coherent = calgary_alloc_coherent,
14703 .free_coherent = calgary_free_coherent,
14704 .map_sg = calgary_map_sg,
14705 diff -urNp linux-2.6.38.6/arch/x86/kernel/pci-dma.c linux-2.6.38.6/arch/x86/kernel/pci-dma.c
14706 --- linux-2.6.38.6/arch/x86/kernel/pci-dma.c 2011-03-14 21:20:32.000000000 -0400
14707 +++ linux-2.6.38.6/arch/x86/kernel/pci-dma.c 2011-04-28 19:34:14.000000000 -0400
14710 static int forbid_dac __read_mostly;
14712 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
14713 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
14714 EXPORT_SYMBOL(dma_ops);
14716 static int iommu_sac_force __read_mostly;
14717 @@ -250,7 +250,7 @@ early_param("iommu", iommu_setup);
14719 int dma_supported(struct device *dev, u64 mask)
14721 - struct dma_map_ops *ops = get_dma_ops(dev);
14722 + const struct dma_map_ops *ops = get_dma_ops(dev);
14725 if (mask > 0xffffffff && forbid_dac > 0) {
14726 diff -urNp linux-2.6.38.6/arch/x86/kernel/pci-gart_64.c linux-2.6.38.6/arch/x86/kernel/pci-gart_64.c
14727 --- linux-2.6.38.6/arch/x86/kernel/pci-gart_64.c 2011-05-10 22:06:27.000000000 -0400
14728 +++ linux-2.6.38.6/arch/x86/kernel/pci-gart_64.c 2011-05-10 22:06:52.000000000 -0400
14729 @@ -713,7 +713,7 @@ static __init int init_amd_gatt(struct a
14733 -static struct dma_map_ops gart_dma_ops = {
14734 +static const struct dma_map_ops gart_dma_ops = {
14735 .map_sg = gart_map_sg,
14736 .unmap_sg = gart_unmap_sg,
14737 .map_page = gart_map_page,
14738 diff -urNp linux-2.6.38.6/arch/x86/kernel/pci-iommu_table.c linux-2.6.38.6/arch/x86/kernel/pci-iommu_table.c
14739 --- linux-2.6.38.6/arch/x86/kernel/pci-iommu_table.c 2011-03-14 21:20:32.000000000 -0400
14740 +++ linux-2.6.38.6/arch/x86/kernel/pci-iommu_table.c 2011-05-16 21:47:08.000000000 -0400
14742 #include <asm/iommu_table.h>
14743 #include <linux/string.h>
14744 #include <linux/kallsyms.h>
14746 +#include <linux/sched.h>
14750 @@ -53,6 +53,8 @@ void __init check_iommu_entries(struct i
14751 char sym_p[KSYM_SYMBOL_LEN];
14752 char sym_q[KSYM_SYMBOL_LEN];
14754 + pax_track_stack();
14756 /* Simple cyclic dependency checker. */
14757 for (p = start; p < finish; p++) {
14758 q = find_dependents_of(start, finish, p);
14759 diff -urNp linux-2.6.38.6/arch/x86/kernel/pci-nommu.c linux-2.6.38.6/arch/x86/kernel/pci-nommu.c
14760 --- linux-2.6.38.6/arch/x86/kernel/pci-nommu.c 2011-03-14 21:20:32.000000000 -0400
14761 +++ linux-2.6.38.6/arch/x86/kernel/pci-nommu.c 2011-04-28 19:34:14.000000000 -0400
14762 @@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str
14763 flush_write_buffers();
14766 -struct dma_map_ops nommu_dma_ops = {
14767 +const struct dma_map_ops nommu_dma_ops = {
14768 .alloc_coherent = dma_generic_alloc_coherent,
14769 .free_coherent = nommu_free_coherent,
14770 .map_sg = nommu_map_sg,
14771 diff -urNp linux-2.6.38.6/arch/x86/kernel/pci-swiotlb.c linux-2.6.38.6/arch/x86/kernel/pci-swiotlb.c
14772 --- linux-2.6.38.6/arch/x86/kernel/pci-swiotlb.c 2011-03-14 21:20:32.000000000 -0400
14773 +++ linux-2.6.38.6/arch/x86/kernel/pci-swiotlb.c 2011-04-28 19:34:14.000000000 -0400
14774 @@ -26,7 +26,7 @@ static void *x86_swiotlb_alloc_coherent(
14775 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
14778 -static struct dma_map_ops swiotlb_dma_ops = {
14779 +static const struct dma_map_ops swiotlb_dma_ops = {
14780 .mapping_error = swiotlb_dma_mapping_error,
14781 .alloc_coherent = x86_swiotlb_alloc_coherent,
14782 .free_coherent = swiotlb_free_coherent,
14783 diff -urNp linux-2.6.38.6/arch/x86/kernel/process_32.c linux-2.6.38.6/arch/x86/kernel/process_32.c
14784 --- linux-2.6.38.6/arch/x86/kernel/process_32.c 2011-03-14 21:20:32.000000000 -0400
14785 +++ linux-2.6.38.6/arch/x86/kernel/process_32.c 2011-05-16 21:47:08.000000000 -0400
14786 @@ -65,6 +65,7 @@ asmlinkage void ret_from_fork(void) __as
14787 unsigned long thread_saved_pc(struct task_struct *tsk)
14789 return ((unsigned long *)tsk->thread.sp)[3];
14790 +//XXX return tsk->thread.eip;
14794 @@ -126,15 +127,14 @@ void __show_regs(struct pt_regs *regs, i
14796 unsigned short ss, gs;
14798 - if (user_mode_vm(regs)) {
14799 + if (user_mode(regs)) {
14801 ss = regs->ss & 0xffff;
14802 - gs = get_user_gs(regs);
14804 sp = kernel_stack_pointer(regs);
14805 savesegment(ss, ss);
14806 - savesegment(gs, gs);
14808 + gs = get_user_gs(regs);
14810 show_regs_common();
14812 @@ -196,13 +196,14 @@ int copy_thread(unsigned long clone_flag
14813 struct task_struct *tsk;
14816 - childregs = task_pt_regs(p);
14817 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
14818 *childregs = *regs;
14820 childregs->sp = sp;
14822 p->thread.sp = (unsigned long) childregs;
14823 p->thread.sp0 = (unsigned long) (childregs+1);
14824 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
14826 p->thread.ip = (unsigned long) ret_from_fork;
14828 @@ -293,7 +294,7 @@ __switch_to(struct task_struct *prev_p,
14829 struct thread_struct *prev = &prev_p->thread,
14830 *next = &next_p->thread;
14831 int cpu = smp_processor_id();
14832 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
14833 + struct tss_struct *tss = init_tss + cpu;
14836 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
14837 @@ -328,6 +329,10 @@ __switch_to(struct task_struct *prev_p,
14839 lazy_save_gs(prev->gs);
14841 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14842 + __set_fs(task_thread_info(next_p)->addr_limit);
14846 * Load the per-thread Thread-Local Storage descriptor.
14848 @@ -363,6 +368,9 @@ __switch_to(struct task_struct *prev_p,
14850 arch_end_context_switch(next_p);
14852 + percpu_write(current_task, next_p);
14853 + percpu_write(current_tinfo, &next_p->tinfo);
14856 __math_state_restore();
14858 @@ -372,8 +380,6 @@ __switch_to(struct task_struct *prev_p,
14859 if (prev->gs | next->gs)
14860 lazy_load_gs(next->gs);
14862 - percpu_write(current_task, next_p);
14867 @@ -403,4 +409,3 @@ unsigned long get_wchan(struct task_stru
14868 } while (count++ < 16);
14872 diff -urNp linux-2.6.38.6/arch/x86/kernel/process_64.c linux-2.6.38.6/arch/x86/kernel/process_64.c
14873 --- linux-2.6.38.6/arch/x86/kernel/process_64.c 2011-03-14 21:20:32.000000000 -0400
14874 +++ linux-2.6.38.6/arch/x86/kernel/process_64.c 2011-05-16 21:47:08.000000000 -0400
14875 @@ -87,7 +87,7 @@ static void __exit_idle(void)
14876 void exit_idle(void)
14878 /* idle loop has pid 0 */
14879 - if (current->pid)
14880 + if (task_pid_nr(current))
14884 @@ -260,8 +260,7 @@ int copy_thread(unsigned long clone_flag
14885 struct pt_regs *childregs;
14886 struct task_struct *me = current;
14888 - childregs = ((struct pt_regs *)
14889 - (THREAD_SIZE + task_stack_page(p))) - 1;
14890 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 16;
14891 *childregs = *regs;
14894 @@ -273,6 +272,7 @@ int copy_thread(unsigned long clone_flag
14895 p->thread.sp = (unsigned long) childregs;
14896 p->thread.sp0 = (unsigned long) (childregs+1);
14897 p->thread.usersp = me->thread.usersp;
14898 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
14900 set_tsk_thread_flag(p, TIF_FORK);
14902 @@ -376,7 +376,7 @@ __switch_to(struct task_struct *prev_p,
14903 struct thread_struct *prev = &prev_p->thread;
14904 struct thread_struct *next = &next_p->thread;
14905 int cpu = smp_processor_id();
14906 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
14907 + struct tss_struct *tss = init_tss + cpu;
14908 unsigned fsindex, gsindex;
14911 @@ -472,10 +472,9 @@ __switch_to(struct task_struct *prev_p,
14912 prev->usersp = percpu_read(old_rsp);
14913 percpu_write(old_rsp, next->usersp);
14914 percpu_write(current_task, next_p);
14915 + percpu_write(current_tinfo, &next_p->tinfo);
14917 - percpu_write(kernel_stack,
14918 - (unsigned long)task_stack_page(next_p) +
14919 - THREAD_SIZE - KERNEL_STACK_OFFSET);
14920 + percpu_write(kernel_stack, next->sp0);
14923 * Now maybe reload the debug registers and handle I/O bitmaps
14924 @@ -529,12 +528,11 @@ unsigned long get_wchan(struct task_stru
14925 if (!p || p == current || p->state == TASK_RUNNING)
14927 stack = (unsigned long)task_stack_page(p);
14928 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
14929 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64))
14931 fp = *(u64 *)(p->thread.sp);
14933 - if (fp < (unsigned long)stack ||
14934 - fp >= (unsigned long)stack+THREAD_SIZE)
14935 + if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64))
14937 ip = *(u64 *)(fp+8);
14938 if (!in_sched_functions(ip))
14939 diff -urNp linux-2.6.38.6/arch/x86/kernel/process.c linux-2.6.38.6/arch/x86/kernel/process.c
14940 --- linux-2.6.38.6/arch/x86/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
14941 +++ linux-2.6.38.6/arch/x86/kernel/process.c 2011-05-11 18:34:57.000000000 -0400
14942 @@ -48,16 +48,33 @@ void free_thread_xstate(struct task_stru
14944 void free_thread_info(struct thread_info *ti)
14946 - free_thread_xstate(ti->task);
14947 free_pages((unsigned long)ti, get_order(THREAD_SIZE));
14950 +static struct kmem_cache *task_struct_cachep;
14952 void arch_task_cache_init(void)
14954 - task_xstate_cachep =
14955 - kmem_cache_create("task_xstate", xstate_size,
14956 + /* create a slab on which task_structs can be allocated */
14957 + task_struct_cachep =
14958 + kmem_cache_create("task_struct", sizeof(struct task_struct),
14959 + ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK, NULL);
14961 + task_xstate_cachep =
14962 + kmem_cache_create("task_xstate", xstate_size,
14963 __alignof__(union thread_xstate),
14964 - SLAB_PANIC | SLAB_NOTRACK, NULL);
14965 + SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
14968 +struct task_struct *alloc_task_struct(void)
14970 + return kmem_cache_alloc(task_struct_cachep, GFP_KERNEL);
14973 +void free_task_struct(struct task_struct *task)
14975 + free_thread_xstate(task);
14976 + kmem_cache_free(task_struct_cachep, task);
14980 @@ -70,7 +87,7 @@ void exit_thread(void)
14981 unsigned long *bp = t->io_bitmap_ptr;
14984 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
14985 + struct tss_struct *tss = init_tss + get_cpu();
14987 t->io_bitmap_ptr = NULL;
14988 clear_thread_flag(TIF_IO_BITMAP);
14989 @@ -106,7 +123,7 @@ void show_regs_common(void)
14991 printk(KERN_CONT "\n");
14992 printk(KERN_DEFAULT "Pid: %d, xid: #%u, comm: %.20s %s %s %.*s",
14993 - current->pid, current->xid, current->comm, print_tainted(),
14994 + task_pid_nr(current), current->xid, current->comm, print_tainted(),
14995 init_utsname()->release,
14996 (int)strcspn(init_utsname()->version, " "),
14997 init_utsname()->version);
14998 @@ -123,6 +140,9 @@ void flush_thread(void)
15000 struct task_struct *tsk = current;
15002 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
15003 + loadsegment(gs, 0);
15005 flush_ptrace_hw_breakpoint(tsk);
15006 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
15008 @@ -285,10 +305,10 @@ int kernel_thread(int (*fn)(void *), voi
15009 regs.di = (unsigned long) arg;
15011 #ifdef CONFIG_X86_32
15012 - regs.ds = __USER_DS;
15013 - regs.es = __USER_DS;
15014 + regs.ds = __KERNEL_DS;
15015 + regs.es = __KERNEL_DS;
15016 regs.fs = __KERNEL_PERCPU;
15017 - regs.gs = __KERNEL_STACK_CANARY;
15018 + savesegment(gs, regs.gs);
15020 regs.ss = __KERNEL_DS;
15022 @@ -668,16 +688,34 @@ static int __init idle_setup(char *str)
15024 early_param("idle", idle_setup);
15026 -unsigned long arch_align_stack(unsigned long sp)
15027 +#ifdef CONFIG_PAX_RANDKSTACK
15028 +asmlinkage void pax_randomize_kstack(void)
15030 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
15031 - sp -= get_random_int() % 8192;
15032 - return sp & ~0xf;
15034 + struct thread_struct *thread = ¤t->thread;
15035 + unsigned long time;
15037 -unsigned long arch_randomize_brk(struct mm_struct *mm)
15039 - unsigned long range_end = mm->brk + 0x02000000;
15040 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
15042 + if (!randomize_va_space)
15047 + /* P4 seems to return a 0 LSB, ignore it */
15048 +#ifdef CONFIG_MPENTIUM4
15051 +#elif defined(CONFIG_X86_64)
15059 + thread->sp0 ^= time;
15060 + load_sp0(init_tss + smp_processor_id(), thread);
15062 +#ifdef CONFIG_X86_64
15063 + percpu_write(kernel_stack, thread->sp0);
15067 diff -urNp linux-2.6.38.6/arch/x86/kernel/ptrace.c linux-2.6.38.6/arch/x86/kernel/ptrace.c
15068 --- linux-2.6.38.6/arch/x86/kernel/ptrace.c 2011-03-14 21:20:32.000000000 -0400
15069 +++ linux-2.6.38.6/arch/x86/kernel/ptrace.c 2011-04-28 19:34:14.000000000 -0400
15070 @@ -805,7 +805,7 @@ long arch_ptrace(struct task_struct *chi
15071 unsigned long addr, unsigned long data)
15074 - unsigned long __user *datap = (unsigned long __user *)data;
15075 + unsigned long __user *datap = (__force unsigned long __user *)data;
15078 /* read the word at location addr in the USER area. */
15079 @@ -890,14 +890,14 @@ long arch_ptrace(struct task_struct *chi
15080 if ((int) addr < 0)
15082 ret = do_get_thread_area(child, addr,
15083 - (struct user_desc __user *)data);
15084 + (__force struct user_desc __user *) data);
15087 case PTRACE_SET_THREAD_AREA:
15088 if ((int) addr < 0)
15090 ret = do_set_thread_area(child, addr,
15091 - (struct user_desc __user *)data, 0);
15092 + (__force struct user_desc __user *) data, 0);
15096 @@ -1314,7 +1314,7 @@ static void fill_sigtrap_info(struct tas
15097 memset(info, 0, sizeof(*info));
15098 info->si_signo = SIGTRAP;
15099 info->si_code = si_code;
15100 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
15101 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
15104 void user_single_step_siginfo(struct task_struct *tsk,
15105 @@ -1347,7 +1347,7 @@ void send_sigtrap(struct task_struct *ts
15106 * We must return the syscall number to actually look up in the table.
15107 * This can be -1L to skip running any syscall at all.
15109 -asmregparm long syscall_trace_enter(struct pt_regs *regs)
15110 +long syscall_trace_enter(struct pt_regs *regs)
15114 @@ -1392,7 +1392,7 @@ asmregparm long syscall_trace_enter(stru
15115 return ret ?: regs->orig_ax;
15118 -asmregparm void syscall_trace_leave(struct pt_regs *regs)
15119 +void syscall_trace_leave(struct pt_regs *regs)
15123 diff -urNp linux-2.6.38.6/arch/x86/kernel/pvclock.c linux-2.6.38.6/arch/x86/kernel/pvclock.c
15124 --- linux-2.6.38.6/arch/x86/kernel/pvclock.c 2011-03-14 21:20:32.000000000 -0400
15125 +++ linux-2.6.38.6/arch/x86/kernel/pvclock.c 2011-05-11 18:35:16.000000000 -0400
15126 @@ -81,11 +81,11 @@ unsigned long pvclock_tsc_khz(struct pvc
15130 -static atomic64_t last_value = ATOMIC64_INIT(0);
15131 +static atomic64_unchecked_t last_value = ATOMIC64_INIT(0);
15133 void pvclock_resume(void)
15135 - atomic64_set(&last_value, 0);
15136 + atomic64_set_unchecked(&last_value, 0);
15139 cycle_t pvclock_clocksource_read(struct pvclock_vcpu_time_info *src)
15140 @@ -121,11 +121,11 @@ cycle_t pvclock_clocksource_read(struct
15141 * updating at the same time, and one of them could be slightly behind,
15142 * making the assumption that last_value always go forward fail to hold.
15144 - last = atomic64_read(&last_value);
15145 + last = atomic64_read_unchecked(&last_value);
15149 - last = atomic64_cmpxchg(&last_value, last, ret);
15150 + last = atomic64_cmpxchg_unchecked(&last_value, last, ret);
15151 } while (unlikely(last != ret));
15154 diff -urNp linux-2.6.38.6/arch/x86/kernel/reboot.c linux-2.6.38.6/arch/x86/kernel/reboot.c
15155 --- linux-2.6.38.6/arch/x86/kernel/reboot.c 2011-03-14 21:20:32.000000000 -0400
15156 +++ linux-2.6.38.6/arch/x86/kernel/reboot.c 2011-04-28 19:34:14.000000000 -0400
15157 @@ -34,7 +34,7 @@ void (*pm_power_off)(void);
15158 EXPORT_SYMBOL(pm_power_off);
15160 static const struct desc_ptr no_idt = {};
15161 -static int reboot_mode;
15162 +static unsigned short reboot_mode;
15163 enum reboot_type reboot_type = BOOT_KBD;
15166 @@ -309,12 +309,12 @@ core_initcall(reboot_init);
15167 controller to pulse the CPU reset line, which is more thorough, but
15168 doesn't work with at least one type of 486 motherboard. It is easy
15169 to stop this code working; hence the copious comments. */
15170 -static const unsigned long long
15171 -real_mode_gdt_entries [3] =
15172 +static struct desc_struct
15173 +real_mode_gdt_entries [3] __read_only =
15175 - 0x0000000000000000ULL, /* Null descriptor */
15176 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
15177 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
15178 + GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
15179 + GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
15180 + GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
15183 static const struct desc_ptr
15184 @@ -363,7 +363,7 @@ static const unsigned char jump_to_bios
15185 * specified by the code and length parameters.
15186 * We assume that length will aways be less that 100!
15188 -void machine_real_restart(const unsigned char *code, int length)
15189 +void machine_real_restart(const unsigned char *code, unsigned int length)
15191 local_irq_disable();
15193 @@ -390,16 +390,15 @@ void machine_real_restart(const unsigned
15194 boot)". This seems like a fairly standard thing that gets set by
15195 REBOOT.COM programs, and the previous reset routine did this
15197 - *((unsigned short *)0x472) = reboot_mode;
15198 + *(unsigned short *)(__va(0x472)) = reboot_mode;
15200 /* For the switch to real mode, copy some code to low memory. It has
15201 to be in the first 64k because it is running in 16-bit mode, and it
15202 has to have the same physical and virtual address, because it turns
15203 off paging. Copy it near the end of the first page, out of the way
15204 of BIOS variables. */
15205 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
15206 - real_mode_switch, sizeof (real_mode_switch));
15207 - memcpy((void *)(0x1000 - 100), code, length);
15208 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
15209 + memcpy(__va(0x1000 - 100), code, length);
15211 /* Set up the IDT for real mode. */
15212 load_idt(&real_mode_idt);
15213 diff -urNp linux-2.6.38.6/arch/x86/kernel/setup.c linux-2.6.38.6/arch/x86/kernel/setup.c
15214 --- linux-2.6.38.6/arch/x86/kernel/setup.c 2011-04-18 17:27:18.000000000 -0400
15215 +++ linux-2.6.38.6/arch/x86/kernel/setup.c 2011-04-28 19:34:14.000000000 -0400
15216 @@ -654,7 +654,7 @@ static void __init trim_bios_range(void)
15217 * area (640->1Mb) as ram even though it is not.
15220 - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
15221 + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
15222 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
15225 @@ -790,14 +790,14 @@ void __init setup_arch(char **cmdline_p)
15227 if (!boot_params.hdr.root_flags)
15228 root_mountflags &= ~MS_RDONLY;
15229 - init_mm.start_code = (unsigned long) _text;
15230 - init_mm.end_code = (unsigned long) _etext;
15231 + init_mm.start_code = ktla_ktva((unsigned long) _text);
15232 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
15233 init_mm.end_data = (unsigned long) _edata;
15234 init_mm.brk = _brk_end;
15236 - code_resource.start = virt_to_phys(_text);
15237 - code_resource.end = virt_to_phys(_etext)-1;
15238 - data_resource.start = virt_to_phys(_etext);
15239 + code_resource.start = virt_to_phys(ktla_ktva(_text));
15240 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
15241 + data_resource.start = virt_to_phys(_sdata);
15242 data_resource.end = virt_to_phys(_edata)-1;
15243 bss_resource.start = virt_to_phys(&__bss_start);
15244 bss_resource.end = virt_to_phys(&__bss_stop)-1;
15245 diff -urNp linux-2.6.38.6/arch/x86/kernel/setup_percpu.c linux-2.6.38.6/arch/x86/kernel/setup_percpu.c
15246 --- linux-2.6.38.6/arch/x86/kernel/setup_percpu.c 2011-03-14 21:20:32.000000000 -0400
15247 +++ linux-2.6.38.6/arch/x86/kernel/setup_percpu.c 2011-04-28 19:34:14.000000000 -0400
15248 @@ -21,19 +21,17 @@
15249 #include <asm/cpu.h>
15250 #include <asm/stackprotector.h>
15252 -DEFINE_PER_CPU(int, cpu_number);
15254 +DEFINE_PER_CPU(unsigned int, cpu_number);
15255 EXPORT_PER_CPU_SYMBOL(cpu_number);
15258 -#ifdef CONFIG_X86_64
15259 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
15261 -#define BOOT_PERCPU_OFFSET 0
15264 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
15265 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
15267 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
15268 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
15269 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
15271 EXPORT_SYMBOL(__per_cpu_offset);
15272 @@ -155,10 +153,10 @@ static inline void setup_percpu_segment(
15274 #ifdef CONFIG_X86_32
15275 struct desc_struct gdt;
15276 + unsigned long base = per_cpu_offset(cpu);
15278 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
15279 - 0x2 | DESCTYPE_S, 0x8);
15281 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
15282 + 0x83 | DESCTYPE_S, 0xC);
15283 write_gdt_entry(get_cpu_gdt_table(cpu),
15284 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
15286 @@ -207,6 +205,11 @@ void __init setup_per_cpu_areas(void)
15287 /* alrighty, percpu areas up and running */
15288 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
15289 for_each_possible_cpu(cpu) {
15290 +#ifdef CONFIG_CC_STACKPROTECTOR
15291 +#ifdef CONFIG_x86_32
15292 + unsigned long canary = per_cpu(stack_canary, cpu);
15295 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
15296 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
15297 per_cpu(cpu_number, cpu) = cpu;
15298 @@ -243,6 +246,12 @@ void __init setup_per_cpu_areas(void)
15299 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
15302 +#ifdef CONFIG_CC_STACKPROTECTOR
15303 +#ifdef CONFIG_x86_32
15304 + if (cpu == boot_cpu_id)
15305 + per_cpu(stack_canary, cpu) = canary;
15309 * Up to this point, the boot CPU has been using .init.data
15310 * area. Reload any changed state for the boot CPU.
15311 diff -urNp linux-2.6.38.6/arch/x86/kernel/signal.c linux-2.6.38.6/arch/x86/kernel/signal.c
15312 --- linux-2.6.38.6/arch/x86/kernel/signal.c 2011-03-14 21:20:32.000000000 -0400
15313 +++ linux-2.6.38.6/arch/x86/kernel/signal.c 2011-04-28 19:34:14.000000000 -0400
15314 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
15315 * Align the stack pointer according to the i386 ABI,
15316 * i.e. so that on function entry ((sp + 4) & 15) == 0.
15318 - sp = ((sp + 4) & -16ul) - 4;
15319 + sp = ((sp - 12) & -16ul) - 4;
15320 #else /* !CONFIG_X86_32 */
15321 sp = round_down(sp, 16) - 8;
15323 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
15324 * Return an always-bogus address instead so we will die with SIGSEGV.
15326 if (onsigstack && !likely(on_sig_stack(sp)))
15327 - return (void __user *)-1L;
15328 + return (__force void __user *)-1L;
15330 /* save i387 state */
15331 if (used_math() && save_i387_xstate(*fpstate) < 0)
15332 - return (void __user *)-1L;
15333 + return (__force void __user *)-1L;
15335 return (void __user *)sp;
15337 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
15340 if (current->mm->context.vdso)
15341 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
15342 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
15344 - restorer = &frame->retcode;
15345 + restorer = (void __user *)&frame->retcode;
15346 if (ka->sa.sa_flags & SA_RESTORER)
15347 restorer = ka->sa.sa_restorer;
15349 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
15350 * reasons and because gdb uses it as a signature to notice
15351 * signal handler stack frames.
15353 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
15354 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
15358 @@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str
15359 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
15361 /* Set up to return from userspace. */
15362 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
15363 + if (current->mm->context.vdso)
15364 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
15366 + restorer = (void __user *)&frame->retcode;
15367 if (ka->sa.sa_flags & SA_RESTORER)
15368 restorer = ka->sa.sa_restorer;
15369 put_user_ex(restorer, &frame->pretcode);
15370 @@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str
15371 * reasons and because gdb uses it as a signature to notice
15372 * signal handler stack frames.
15374 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
15375 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
15376 } put_user_catch(err);
15379 @@ -780,7 +783,7 @@ static void do_signal(struct pt_regs *re
15380 * X86_32: vm86 regs switched out by assembly code before reaching
15381 * here, so testing against kernel CS suffices.
15383 - if (!user_mode(regs))
15384 + if (!user_mode_novm(regs))
15387 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
15388 diff -urNp linux-2.6.38.6/arch/x86/kernel/smpboot.c linux-2.6.38.6/arch/x86/kernel/smpboot.c
15389 --- linux-2.6.38.6/arch/x86/kernel/smpboot.c 2011-03-14 21:20:32.000000000 -0400
15390 +++ linux-2.6.38.6/arch/x86/kernel/smpboot.c 2011-05-11 18:34:57.000000000 -0400
15391 @@ -773,17 +773,20 @@ static int __cpuinit do_boot_cpu(int api
15392 set_idle_for_cpu(cpu, c_idle.idle);
15394 per_cpu(current_task, cpu) = c_idle.idle;
15395 + per_cpu(current_tinfo, cpu) = &c_idle.idle->tinfo;
15396 #ifdef CONFIG_X86_32
15397 /* Stack for startup_32 can be just as for start_secondary onwards */
15400 clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
15401 initial_gs = per_cpu_offset(cpu);
15402 - per_cpu(kernel_stack, cpu) =
15403 - (unsigned long)task_stack_page(c_idle.idle) -
15404 - KERNEL_STACK_OFFSET + THREAD_SIZE;
15405 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE;
15408 + pax_open_kernel();
15409 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
15410 + pax_close_kernel();
15412 initial_code = (unsigned long)start_secondary;
15413 stack_start = c_idle.idle->thread.sp;
15415 @@ -923,6 +926,12 @@ int __cpuinit native_cpu_up(unsigned int
15417 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
15419 +#ifdef CONFIG_PAX_PER_CPU_PGD
15420 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
15421 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
15422 + KERNEL_PGD_PTRS);
15425 err = do_boot_cpu(apicid, cpu);
15427 pr_debug("do_boot_cpu failed %d\n", err);
15428 diff -urNp linux-2.6.38.6/arch/x86/kernel/step.c linux-2.6.38.6/arch/x86/kernel/step.c
15429 --- linux-2.6.38.6/arch/x86/kernel/step.c 2011-03-14 21:20:32.000000000 -0400
15430 +++ linux-2.6.38.6/arch/x86/kernel/step.c 2011-04-28 19:34:14.000000000 -0400
15431 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
15432 struct desc_struct *desc;
15433 unsigned long base;
15438 mutex_lock(&child->mm->context.lock);
15439 - if (unlikely((seg >> 3) >= child->mm->context.size))
15440 + if (unlikely(seg >= child->mm->context.size))
15441 addr = -1L; /* bogus selector, access would fault */
15443 desc = child->mm->context.ldt + seg;
15444 @@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
15447 mutex_unlock(&child->mm->context.lock);
15449 + } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
15450 + addr = ktla_ktva(addr);
15454 @@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
15455 unsigned char opcode[15];
15456 unsigned long addr = convert_ip_to_linear(child, regs);
15458 + if (addr == -EINVAL)
15461 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
15462 for (i = 0; i < copied; i++) {
15463 switch (opcode[i]) {
15464 @@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
15466 #ifdef CONFIG_X86_64
15467 case 0x40 ... 0x4f:
15468 - if (regs->cs != __USER_CS)
15469 + if ((regs->cs & 0xffff) != __USER_CS)
15470 /* 32-bit mode: register increment */
15472 /* 64-bit mode: REX prefix */
15473 diff -urNp linux-2.6.38.6/arch/x86/kernel/syscall_table_32.S linux-2.6.38.6/arch/x86/kernel/syscall_table_32.S
15474 --- linux-2.6.38.6/arch/x86/kernel/syscall_table_32.S 2011-03-14 21:20:32.000000000 -0400
15475 +++ linux-2.6.38.6/arch/x86/kernel/syscall_table_32.S 2011-04-28 19:34:14.000000000 -0400
15477 +.section .rodata,"a",@progbits
15478 ENTRY(sys_call_table)
15479 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
15481 diff -urNp linux-2.6.38.6/arch/x86/kernel/sys_i386_32.c linux-2.6.38.6/arch/x86/kernel/sys_i386_32.c
15482 --- linux-2.6.38.6/arch/x86/kernel/sys_i386_32.c 2011-03-14 21:20:32.000000000 -0400
15483 +++ linux-2.6.38.6/arch/x86/kernel/sys_i386_32.c 2011-04-28 19:34:14.000000000 -0400
15484 @@ -24,17 +24,224 @@
15486 #include <asm/syscalls.h>
15489 - * Do a system call from kernel instead of calling sys_execve so we
15490 - * end up with proper pt_regs.
15492 -int kernel_execve(const char *filename,
15493 - const char *const argv[],
15494 - const char *const envp[])
15495 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
15498 - asm volatile ("int $0x80"
15500 - : "0" (__NR_execve), "b" (filename), "c" (argv), "d" (envp) : "memory");
15502 + unsigned long pax_task_size = TASK_SIZE;
15504 +#ifdef CONFIG_PAX_SEGMEXEC
15505 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
15506 + pax_task_size = SEGMEXEC_TASK_SIZE;
15509 + if (len > pax_task_size || addr > pax_task_size - len)
15516 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
15517 + unsigned long len, unsigned long pgoff, unsigned long flags)
15519 + struct mm_struct *mm = current->mm;
15520 + struct vm_area_struct *vma;
15521 + unsigned long start_addr, pax_task_size = TASK_SIZE;
15523 +#ifdef CONFIG_PAX_SEGMEXEC
15524 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
15525 + pax_task_size = SEGMEXEC_TASK_SIZE;
15528 + pax_task_size -= PAGE_SIZE;
15530 + if (len > pax_task_size)
15533 + if (flags & MAP_FIXED)
15536 +#ifdef CONFIG_PAX_RANDMMAP
15537 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
15541 + addr = PAGE_ALIGN(addr);
15542 + if (pax_task_size - len >= addr) {
15543 + vma = find_vma(mm, addr);
15544 + if (check_heap_stack_gap(vma, addr, len))
15548 + if (len > mm->cached_hole_size) {
15549 + start_addr = addr = mm->free_area_cache;
15551 + start_addr = addr = mm->mmap_base;
15552 + mm->cached_hole_size = 0;
15555 +#ifdef CONFIG_PAX_PAGEEXEC
15556 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
15557 + start_addr = 0x00110000UL;
15559 +#ifdef CONFIG_PAX_RANDMMAP
15560 + if (mm->pax_flags & MF_PAX_RANDMMAP)
15561 + start_addr += mm->delta_mmap & 0x03FFF000UL;
15564 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
15565 + start_addr = addr = mm->mmap_base;
15567 + addr = start_addr;
15572 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
15573 + /* At this point: (!vma || addr < vma->vm_end). */
15574 + if (pax_task_size - len < addr) {
15576 + * Start a new search - just in case we missed
15579 + if (start_addr != mm->mmap_base) {
15580 + start_addr = addr = mm->mmap_base;
15581 + mm->cached_hole_size = 0;
15582 + goto full_search;
15586 + if (check_heap_stack_gap(vma, addr, len))
15588 + if (addr + mm->cached_hole_size < vma->vm_start)
15589 + mm->cached_hole_size = vma->vm_start - addr;
15590 + addr = vma->vm_end;
15591 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
15592 + start_addr = addr = mm->mmap_base;
15593 + mm->cached_hole_size = 0;
15594 + goto full_search;
15599 + * Remember the place where we stopped the search:
15601 + mm->free_area_cache = addr + len;
15606 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
15607 + const unsigned long len, const unsigned long pgoff,
15608 + const unsigned long flags)
15610 + struct vm_area_struct *vma;
15611 + struct mm_struct *mm = current->mm;
15612 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
15614 +#ifdef CONFIG_PAX_SEGMEXEC
15615 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
15616 + pax_task_size = SEGMEXEC_TASK_SIZE;
15619 + pax_task_size -= PAGE_SIZE;
15621 + /* requested length too big for entire address space */
15622 + if (len > pax_task_size)
15625 + if (flags & MAP_FIXED)
15628 +#ifdef CONFIG_PAX_PAGEEXEC
15629 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
15633 +#ifdef CONFIG_PAX_RANDMMAP
15634 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
15637 + /* requesting a specific address */
15639 + addr = PAGE_ALIGN(addr);
15640 + if (pax_task_size - len >= addr) {
15641 + vma = find_vma(mm, addr);
15642 + if (check_heap_stack_gap(vma, addr, len))
15647 + /* check if free_area_cache is useful for us */
15648 + if (len <= mm->cached_hole_size) {
15649 + mm->cached_hole_size = 0;
15650 + mm->free_area_cache = mm->mmap_base;
15653 + /* either no address requested or can't fit in requested address hole */
15654 + addr = mm->free_area_cache;
15656 + /* make sure it can fit in the remaining address space */
15657 + if (addr > len) {
15658 + vma = find_vma(mm, addr-len);
15659 + if (check_heap_stack_gap(vma, addr - len, len))
15660 + /* remember the address as a hint for next time */
15661 + return (mm->free_area_cache = addr-len);
15664 + if (mm->mmap_base < len)
15667 + addr = mm->mmap_base-len;
15671 + * Lookup failure means no vma is above this address,
15672 + * else if new region fits below vma->vm_start,
15673 + * return with success:
15675 + vma = find_vma(mm, addr);
15676 + if (check_heap_stack_gap(vma, addr, len))
15677 + /* remember the address as a hint for next time */
15678 + return (mm->free_area_cache = addr);
15680 + /* remember the largest hole we saw so far */
15681 + if (addr + mm->cached_hole_size < vma->vm_start)
15682 + mm->cached_hole_size = vma->vm_start - addr;
15684 + /* try just below the current vma->vm_start */
15685 + addr = skip_heap_stack_gap(vma, len);
15686 + } while (!IS_ERR_VALUE(addr));
15690 + * A failed mmap() very likely causes application failure,
15691 + * so fall back to the bottom-up function here. This scenario
15692 + * can happen with large stack limits and large mmap()
15696 +#ifdef CONFIG_PAX_SEGMEXEC
15697 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
15698 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
15702 + mm->mmap_base = TASK_UNMAPPED_BASE;
15704 +#ifdef CONFIG_PAX_RANDMMAP
15705 + if (mm->pax_flags & MF_PAX_RANDMMAP)
15706 + mm->mmap_base += mm->delta_mmap;
15709 + mm->free_area_cache = mm->mmap_base;
15710 + mm->cached_hole_size = ~0UL;
15711 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
15713 + * Restore the topdown base:
15715 + mm->mmap_base = base;
15716 + mm->free_area_cache = base;
15717 + mm->cached_hole_size = ~0UL;
15721 diff -urNp linux-2.6.38.6/arch/x86/kernel/sys_x86_64.c linux-2.6.38.6/arch/x86/kernel/sys_x86_64.c
15722 --- linux-2.6.38.6/arch/x86/kernel/sys_x86_64.c 2011-03-14 21:20:32.000000000 -0400
15723 +++ linux-2.6.38.6/arch/x86/kernel/sys_x86_64.c 2011-04-28 19:34:14.000000000 -0400
15724 @@ -32,8 +32,8 @@ out:
15728 -static void find_start_end(unsigned long flags, unsigned long *begin,
15729 - unsigned long *end)
15730 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
15731 + unsigned long *begin, unsigned long *end)
15733 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
15734 unsigned long new_begin;
15735 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
15736 *begin = new_begin;
15739 - *begin = TASK_UNMAPPED_BASE;
15740 + *begin = mm->mmap_base;
15744 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
15745 if (flags & MAP_FIXED)
15748 - find_start_end(flags, &begin, &end);
15749 + find_start_end(mm, flags, &begin, &end);
15754 +#ifdef CONFIG_PAX_RANDMMAP
15755 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
15759 addr = PAGE_ALIGN(addr);
15760 vma = find_vma(mm, addr);
15761 - if (end - len >= addr &&
15762 - (!vma || addr + len <= vma->vm_start))
15763 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
15766 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
15767 @@ -106,7 +109,7 @@ full_search:
15771 - if (!vma || addr + len <= vma->vm_start) {
15772 + if (check_heap_stack_gap(vma, addr, len)) {
15774 * Remember the place where we stopped the search:
15776 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
15778 struct vm_area_struct *vma;
15779 struct mm_struct *mm = current->mm;
15780 - unsigned long addr = addr0;
15781 + unsigned long base = mm->mmap_base, addr = addr0;
15783 /* requested length too big for entire address space */
15784 if (len > TASK_SIZE)
15785 @@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
15786 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
15789 +#ifdef CONFIG_PAX_RANDMMAP
15790 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
15793 /* requesting a specific address */
15795 addr = PAGE_ALIGN(addr);
15796 - vma = find_vma(mm, addr);
15797 - if (TASK_SIZE - len >= addr &&
15798 - (!vma || addr + len <= vma->vm_start))
15800 + if (TASK_SIZE - len >= addr) {
15801 + vma = find_vma(mm, addr);
15802 + if (check_heap_stack_gap(vma, addr, len))
15807 /* check if free_area_cache is useful for us */
15808 @@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
15809 /* make sure it can fit in the remaining address space */
15811 vma = find_vma(mm, addr-len);
15812 - if (!vma || addr <= vma->vm_start)
15813 + if (check_heap_stack_gap(vma, addr - len, len))
15814 /* remember the address as a hint for next time */
15815 return mm->free_area_cache = addr-len;
15817 @@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
15818 * return with success:
15820 vma = find_vma(mm, addr);
15821 - if (!vma || addr+len <= vma->vm_start)
15822 + if (check_heap_stack_gap(vma, addr, len))
15823 /* remember the address as a hint for next time */
15824 return mm->free_area_cache = addr;
15826 @@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
15827 mm->cached_hole_size = vma->vm_start - addr;
15829 /* try just below the current vma->vm_start */
15830 - addr = vma->vm_start-len;
15831 - } while (len < vma->vm_start);
15832 + addr = skip_heap_stack_gap(vma, len);
15833 + } while (!IS_ERR_VALUE(addr));
15837 @@ -198,13 +206,21 @@ bottomup:
15838 * can happen with large stack limits and large mmap()
15841 + mm->mmap_base = TASK_UNMAPPED_BASE;
15843 +#ifdef CONFIG_PAX_RANDMMAP
15844 + if (mm->pax_flags & MF_PAX_RANDMMAP)
15845 + mm->mmap_base += mm->delta_mmap;
15848 + mm->free_area_cache = mm->mmap_base;
15849 mm->cached_hole_size = ~0UL;
15850 - mm->free_area_cache = TASK_UNMAPPED_BASE;
15851 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
15853 * Restore the topdown base:
15855 - mm->free_area_cache = mm->mmap_base;
15856 + mm->mmap_base = base;
15857 + mm->free_area_cache = base;
15858 mm->cached_hole_size = ~0UL;
15861 diff -urNp linux-2.6.38.6/arch/x86/kernel/tboot.c linux-2.6.38.6/arch/x86/kernel/tboot.c
15862 --- linux-2.6.38.6/arch/x86/kernel/tboot.c 2011-03-14 21:20:32.000000000 -0400
15863 +++ linux-2.6.38.6/arch/x86/kernel/tboot.c 2011-04-28 19:57:25.000000000 -0400
15864 @@ -297,7 +297,7 @@ void tboot_sleep(u8 sleep_state, u32 pm1
15865 tboot_shutdown(acpi_shutdown_map[sleep_state]);
15868 -static atomic_t ap_wfs_count;
15869 +static atomic_unchecked_t ap_wfs_count;
15871 static int tboot_wait_for_aps(int num_aps)
15873 @@ -321,9 +321,9 @@ static int __cpuinit tboot_cpu_callback(
15877 - atomic_inc(&ap_wfs_count);
15878 + atomic_inc_unchecked(&ap_wfs_count);
15879 if (num_online_cpus() == 1)
15880 - if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
15881 + if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
15885 @@ -342,7 +342,7 @@ static __init int tboot_late_init(void)
15887 tboot_create_trampoline();
15889 - atomic_set(&ap_wfs_count, 0);
15890 + atomic_set_unchecked(&ap_wfs_count, 0);
15891 register_hotcpu_notifier(&tboot_cpu_notifier);
15894 diff -urNp linux-2.6.38.6/arch/x86/kernel/time.c linux-2.6.38.6/arch/x86/kernel/time.c
15895 --- linux-2.6.38.6/arch/x86/kernel/time.c 2011-03-14 21:20:32.000000000 -0400
15896 +++ linux-2.6.38.6/arch/x86/kernel/time.c 2011-04-28 19:34:14.000000000 -0400
15897 @@ -22,17 +22,13 @@
15898 #include <asm/hpet.h>
15899 #include <asm/time.h>
15901 -#ifdef CONFIG_X86_64
15902 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
15905 unsigned long profile_pc(struct pt_regs *regs)
15907 unsigned long pc = instruction_pointer(regs);
15909 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
15910 + if (!user_mode(regs) && in_lock_functions(pc)) {
15911 #ifdef CONFIG_FRAME_POINTER
15912 - return *(unsigned long *)(regs->bp + sizeof(long));
15913 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
15915 unsigned long *sp =
15916 (unsigned long *)kernel_stack_pointer(regs);
15917 @@ -41,11 +37,17 @@ unsigned long profile_pc(struct pt_regs
15918 * or above a saved flags. Eflags has bits 22-31 zero,
15919 * kernel addresses don't.
15922 +#ifdef CONFIG_PAX_KERNEXEC
15923 + return ktla_ktva(sp[0]);
15935 diff -urNp linux-2.6.38.6/arch/x86/kernel/tls.c linux-2.6.38.6/arch/x86/kernel/tls.c
15936 --- linux-2.6.38.6/arch/x86/kernel/tls.c 2011-03-14 21:20:32.000000000 -0400
15937 +++ linux-2.6.38.6/arch/x86/kernel/tls.c 2011-04-28 19:34:14.000000000 -0400
15938 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
15939 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
15942 +#ifdef CONFIG_PAX_SEGMEXEC
15943 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
15947 set_tls_desc(p, idx, &info, 1);
15950 diff -urNp linux-2.6.38.6/arch/x86/kernel/trampoline_32.S linux-2.6.38.6/arch/x86/kernel/trampoline_32.S
15951 --- linux-2.6.38.6/arch/x86/kernel/trampoline_32.S 2011-03-14 21:20:32.000000000 -0400
15952 +++ linux-2.6.38.6/arch/x86/kernel/trampoline_32.S 2011-04-28 19:34:14.000000000 -0400
15954 #include <asm/segment.h>
15955 #include <asm/page_types.h>
15957 +#ifdef CONFIG_PAX_KERNEXEC
15960 +#define ta(X) ((X) - __PAGE_OFFSET)
15963 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
15966 @@ -60,7 +66,7 @@ r_base = .
15967 inc %ax # protected mode (PE) bit
15968 lmsw %ax # into protected mode
15969 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
15970 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
15971 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
15973 # These need to be in the same 64K segment as the above;
15974 # hence we don't use the boot_gdt_descr defined in head.S
15975 diff -urNp linux-2.6.38.6/arch/x86/kernel/trampoline_64.S linux-2.6.38.6/arch/x86/kernel/trampoline_64.S
15976 --- linux-2.6.38.6/arch/x86/kernel/trampoline_64.S 2011-03-14 21:20:32.000000000 -0400
15977 +++ linux-2.6.38.6/arch/x86/kernel/trampoline_64.S 2011-04-28 19:34:14.000000000 -0400
15978 @@ -91,7 +91,7 @@ startup_32:
15979 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
15982 - movl $X86_CR4_PAE, %eax
15983 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
15984 movl %eax, %cr4 # Enable PAE mode
15986 # Setup trampoline 4 level pagetables
15987 @@ -138,7 +138,7 @@ tidt:
15988 # so the kernel can live anywhere
15991 - .short tgdt_end - tgdt # gdt limit
15992 + .short tgdt_end - tgdt - 1 # gdt limit
15993 .long tgdt - r_base
15995 .quad 0x00cf9b000000ffff # __KERNEL32_CS
15996 diff -urNp linux-2.6.38.6/arch/x86/kernel/traps.c linux-2.6.38.6/arch/x86/kernel/traps.c
15997 --- linux-2.6.38.6/arch/x86/kernel/traps.c 2011-03-14 21:20:32.000000000 -0400
15998 +++ linux-2.6.38.6/arch/x86/kernel/traps.c 2011-04-28 19:34:14.000000000 -0400
15999 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
16001 /* Do we ignore FPU interrupts ? */
16002 char ignore_fpu_irq;
16005 - * The IDT has to be page-aligned to simplify the Pentium
16006 - * F0 0F bug workaround.
16008 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
16011 DECLARE_BITMAP(used_vectors, NR_VECTORS);
16012 @@ -117,13 +111,13 @@ static inline void preempt_conditional_c
16015 static void __kprobes
16016 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
16017 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
16018 long error_code, siginfo_t *info)
16020 struct task_struct *tsk = current;
16022 #ifdef CONFIG_X86_32
16023 - if (regs->flags & X86_VM_MASK) {
16024 + if (v8086_mode(regs)) {
16026 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
16027 * On nmi (interrupt 2), do_trap should not be called.
16028 @@ -134,7 +128,7 @@ do_trap(int trapnr, int signr, char *str
16032 - if (!user_mode(regs))
16033 + if (!user_mode_novm(regs))
16036 #ifdef CONFIG_X86_32
16037 @@ -157,7 +151,7 @@ trap_signal:
16038 printk_ratelimit()) {
16040 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
16041 - tsk->comm, tsk->pid, str,
16042 + tsk->comm, task_pid_nr(tsk), str,
16043 regs->ip, regs->sp, error_code);
16044 print_vma_addr(" in ", regs->ip);
16046 @@ -174,8 +168,20 @@ kernel_trap:
16047 if (!fixup_exception(regs)) {
16048 tsk->thread.error_code = error_code;
16049 tsk->thread.trap_no = trapnr;
16051 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16052 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
16053 + str = "PAX: suspicious stack segment fault";
16056 die(str, regs, error_code);
16059 +#ifdef CONFIG_PAX_REFCOUNT
16061 + pax_report_refcount_overflow(regs);
16066 #ifdef CONFIG_X86_32
16067 @@ -264,14 +270,30 @@ do_general_protection(struct pt_regs *re
16068 conditional_sti(regs);
16070 #ifdef CONFIG_X86_32
16071 - if (regs->flags & X86_VM_MASK)
16072 + if (v8086_mode(regs))
16077 - if (!user_mode(regs))
16078 + if (!user_mode_novm(regs))
16081 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
16082 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
16083 + struct mm_struct *mm = tsk->mm;
16084 + unsigned long limit;
16086 + down_write(&mm->mmap_sem);
16087 + limit = mm->context.user_cs_limit;
16088 + if (limit < TASK_SIZE) {
16089 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
16090 + up_write(&mm->mmap_sem);
16093 + up_write(&mm->mmap_sem);
16097 tsk->thread.error_code = error_code;
16098 tsk->thread.trap_no = 13;
16100 @@ -304,6 +326,13 @@ gp_in_kernel:
16101 if (notify_die(DIE_GPF, "general protection fault", regs,
16102 error_code, 13, SIGSEGV) == NOTIFY_STOP)
16105 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16106 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
16107 + die("PAX: suspicious general protection fault", regs, error_code);
16111 die("general protection fault", regs, error_code);
16114 @@ -569,7 +598,7 @@ dotraplinkage void __kprobes do_debug(st
16115 /* It's safe to allow irq's after DR6 has been saved */
16116 preempt_conditional_sti(regs);
16118 - if (regs->flags & X86_VM_MASK) {
16119 + if (v8086_mode(regs)) {
16120 handle_vm86_trap((struct kernel_vm86_regs *) regs,
16122 preempt_conditional_cli(regs);
16123 @@ -583,7 +612,7 @@ dotraplinkage void __kprobes do_debug(st
16124 * We already checked v86 mode above, so we can check for kernel mode
16125 * by just checking the CPL of CS.
16127 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
16128 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
16129 tsk->thread.debugreg6 &= ~DR_STEP;
16130 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
16131 regs->flags &= ~X86_EFLAGS_TF;
16132 @@ -612,7 +641,7 @@ void math_error(struct pt_regs *regs, in
16134 conditional_sti(regs);
16136 - if (!user_mode_vm(regs))
16137 + if (!user_mode(regs))
16139 if (!fixup_exception(regs)) {
16140 task->thread.error_code = error_code;
16141 @@ -723,7 +752,7 @@ asmlinkage void __attribute__((weak)) sm
16142 void __math_state_restore(void)
16144 struct thread_info *thread = current_thread_info();
16145 - struct task_struct *tsk = thread->task;
16146 + struct task_struct *tsk = current;
16149 * Paranoid restore. send a SIGSEGV if we fail to restore the state.
16150 @@ -750,8 +779,7 @@ void __math_state_restore(void)
16152 asmlinkage void math_state_restore(void)
16154 - struct thread_info *thread = current_thread_info();
16155 - struct task_struct *tsk = thread->task;
16156 + struct task_struct *tsk = current;
16158 if (!tsk_used_math(tsk)) {
16159 local_irq_enable();
16160 diff -urNp linux-2.6.38.6/arch/x86/kernel/vm86_32.c linux-2.6.38.6/arch/x86/kernel/vm86_32.c
16161 --- linux-2.6.38.6/arch/x86/kernel/vm86_32.c 2011-03-14 21:20:32.000000000 -0400
16162 +++ linux-2.6.38.6/arch/x86/kernel/vm86_32.c 2011-04-28 19:34:14.000000000 -0400
16164 #include <linux/ptrace.h>
16165 #include <linux/audit.h>
16166 #include <linux/stddef.h>
16167 +#include <linux/grsecurity.h>
16169 #include <asm/uaccess.h>
16170 #include <asm/io.h>
16171 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
16175 - tss = &per_cpu(init_tss, get_cpu());
16176 + tss = init_tss + get_cpu();
16177 current->thread.sp0 = current->thread.saved_sp0;
16178 current->thread.sysenter_cs = __KERNEL_CS;
16179 load_sp0(tss, ¤t->thread);
16180 @@ -208,6 +209,13 @@ int sys_vm86old(struct vm86_struct __use
16181 struct task_struct *tsk;
16182 int tmp, ret = -EPERM;
16184 +#ifdef CONFIG_GRKERNSEC_VM86
16185 + if (!capable(CAP_SYS_RAWIO)) {
16186 + gr_handle_vm86();
16192 if (tsk->thread.saved_sp0)
16194 @@ -238,6 +246,14 @@ int sys_vm86(unsigned long cmd, unsigned
16196 struct vm86plus_struct __user *v86;
16198 +#ifdef CONFIG_GRKERNSEC_VM86
16199 + if (!capable(CAP_SYS_RAWIO)) {
16200 + gr_handle_vm86();
16208 case VM86_REQUEST_IRQ:
16209 @@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
16210 tsk->thread.saved_fs = info->regs32->fs;
16211 tsk->thread.saved_gs = get_user_gs(info->regs32);
16213 - tss = &per_cpu(init_tss, get_cpu());
16214 + tss = init_tss + get_cpu();
16215 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
16217 tsk->thread.sysenter_cs = 0;
16218 @@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
16219 goto cannot_handle;
16220 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
16221 goto cannot_handle;
16222 - intr_ptr = (unsigned long __user *) (i << 2);
16223 + intr_ptr = (__force unsigned long __user *) (i << 2);
16224 if (get_user(segoffs, intr_ptr))
16225 goto cannot_handle;
16226 if ((segoffs >> 16) == BIOSSEG)
16227 diff -urNp linux-2.6.38.6/arch/x86/kernel/vmlinux.lds.S linux-2.6.38.6/arch/x86/kernel/vmlinux.lds.S
16228 --- linux-2.6.38.6/arch/x86/kernel/vmlinux.lds.S 2011-03-14 21:20:32.000000000 -0400
16229 +++ linux-2.6.38.6/arch/x86/kernel/vmlinux.lds.S 2011-04-28 19:34:14.000000000 -0400
16231 #include <asm/page_types.h>
16232 #include <asm/cache.h>
16233 #include <asm/boot.h>
16234 +#include <asm/segment.h>
16236 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16237 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
16239 +#define __KERNEL_TEXT_OFFSET 0
16242 #undef i386 /* in case the preprocessor is a 32bit one */
16244 @@ -34,11 +41,9 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
16245 #ifdef CONFIG_X86_32
16247 ENTRY(phys_startup_32)
16248 -jiffies = jiffies_64;
16250 OUTPUT_ARCH(i386:x86-64)
16251 ENTRY(phys_startup_64)
16252 -jiffies_64 = jiffies;
16255 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
16256 @@ -69,31 +74,46 @@ jiffies_64 = jiffies;
16259 text PT_LOAD FLAGS(5); /* R_E */
16260 +#ifdef CONFIG_X86_32
16261 + module PT_LOAD FLAGS(5); /* R_E */
16264 + rodata PT_LOAD FLAGS(5); /* R_E */
16266 + rodata PT_LOAD FLAGS(4); /* R__ */
16268 data PT_LOAD FLAGS(6); /* RW_ */
16269 #ifdef CONFIG_X86_64
16270 user PT_LOAD FLAGS(5); /* R_E */
16272 + init.begin PT_LOAD FLAGS(6); /* RW_ */
16274 percpu PT_LOAD FLAGS(6); /* RW_ */
16276 + text.init PT_LOAD FLAGS(5); /* R_E */
16277 + text.exit PT_LOAD FLAGS(5); /* R_E */
16278 init PT_LOAD FLAGS(7); /* RWE */
16280 note PT_NOTE FLAGS(0); /* ___ */
16285 #ifdef CONFIG_X86_32
16286 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
16287 - phys_startup_32 = startup_32 - LOAD_OFFSET;
16288 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
16290 - . = __START_KERNEL;
16291 - phys_startup_64 = startup_64 - LOAD_OFFSET;
16292 + . = __START_KERNEL;
16295 /* Text and read-only data */
16296 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
16298 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
16299 /* bootstrapping code */
16300 +#ifdef CONFIG_X86_32
16301 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
16303 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
16305 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
16308 #ifdef CONFIG_X86_32
16309 . = ALIGN(PAGE_SIZE);
16310 @@ -108,13 +128,47 @@ SECTIONS
16314 - /* End of text section */
16318 - NOTES :text :note
16319 + . += __KERNEL_TEXT_OFFSET;
16321 +#ifdef CONFIG_X86_32
16322 + . = ALIGN(PAGE_SIZE);
16323 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
16325 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
16326 + MODULES_EXEC_VADDR = .;
16328 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
16329 + . = ALIGN(HPAGE_SIZE);
16330 + MODULES_EXEC_END = . - 1;
16336 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
16337 + /* End of text section */
16338 + _etext = . - __KERNEL_TEXT_OFFSET;
16341 - EXCEPTION_TABLE(16) :text = 0x9090
16342 +#ifdef CONFIG_X86_32
16343 + . = ALIGN(PAGE_SIZE);
16344 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
16346 + . = ALIGN(PAGE_SIZE);
16347 + *(.empty_zero_page)
16348 + *(.initial_pg_fixmap)
16349 + *(.initial_pg_pmd)
16350 + *(.initial_page_table)
16351 + *(.swapper_pg_dir)
16355 + . = ALIGN(PAGE_SIZE);
16356 + NOTES :rodata :note
16358 + EXCEPTION_TABLE(16) :rodata
16360 #if defined(CONFIG_DEBUG_RODATA)
16361 /* .text should occupy whole number of pages */
16362 @@ -126,16 +180,20 @@ SECTIONS
16365 .data : AT(ADDR(.data) - LOAD_OFFSET) {
16367 +#ifdef CONFIG_PAX_KERNEXEC
16368 + . = ALIGN(HPAGE_SIZE);
16370 + . = ALIGN(PAGE_SIZE);
16373 /* Start of data section */
16377 INIT_TASK_DATA(THREAD_SIZE)
16379 -#ifdef CONFIG_X86_32
16380 - /* 32 bit has nosave before _edata */
16384 PAGE_ALIGNED_DATA(PAGE_SIZE)
16386 @@ -144,6 +202,8 @@ SECTIONS
16390 + jiffies = jiffies_64;
16392 /* rarely changed data like cpu maps */
16393 READ_MOSTLY_DATA(INTERNODE_CACHE_BYTES)
16395 @@ -198,12 +258,6 @@ SECTIONS
16397 vgetcpu_mode = VVIRT(.vgetcpu_mode);
16399 - . = ALIGN(L1_CACHE_BYTES);
16400 - .jiffies : AT(VLOAD(.jiffies)) {
16403 - jiffies = VVIRT(.jiffies);
16405 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
16408 @@ -219,12 +273,19 @@ SECTIONS
16409 #endif /* CONFIG_X86_64 */
16411 /* Init code and data - will be freed after init */
16412 - . = ALIGN(PAGE_SIZE);
16413 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
16416 +#ifdef CONFIG_PAX_KERNEXEC
16417 + . = ALIGN(HPAGE_SIZE);
16419 + . = ALIGN(PAGE_SIZE);
16422 __init_begin = .; /* paired with __init_end */
16426 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
16429 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
16430 * output PHDR, so the next output section - .init.text - should
16431 @@ -233,12 +294,27 @@ SECTIONS
16432 PERCPU_VADDR(0, :percpu)
16435 - INIT_TEXT_SECTION(PAGE_SIZE)
16436 -#ifdef CONFIG_X86_64
16439 + . = ALIGN(PAGE_SIZE);
16441 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
16442 + VMLINUX_SYMBOL(_sinittext) = .;
16444 + VMLINUX_SYMBOL(_einittext) = .;
16445 + . = ALIGN(PAGE_SIZE);
16448 - INIT_DATA_SECTION(16)
16450 + * .exit.text is discard at runtime, not link time, to deal with
16451 + * references from .altinstructions and .eh_frame
16453 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
16457 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
16459 + . = ALIGN(PAGE_SIZE);
16460 + INIT_DATA_SECTION(16) :init
16462 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
16463 __x86_cpu_dev_start = .;
16464 @@ -292,19 +368,12 @@ SECTIONS
16465 __iommu_table_end = .;
16469 - * .exit.text is discard at runtime, not link time, to deal with
16470 - * references from .altinstructions and .eh_frame
16472 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
16476 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
16480 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
16481 +#ifndef CONFIG_SMP
16482 PERCPU(THREAD_SIZE)
16485 @@ -323,16 +392,10 @@ SECTIONS
16486 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
16489 - . = ALIGN(PAGE_SIZE);
16490 __smp_locks_end = .;
16491 + . = ALIGN(PAGE_SIZE);
16494 -#ifdef CONFIG_X86_64
16495 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
16501 . = ALIGN(PAGE_SIZE);
16502 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
16503 @@ -348,6 +411,7 @@ SECTIONS
16505 . += 64 * 1024; /* 64k alignment slop space */
16506 *(.brk_reservation) /* areas brk users have reserved */
16507 + . = ALIGN(HPAGE_SIZE);
16511 @@ -374,13 +438,12 @@ SECTIONS
16512 * for the boot processor.
16514 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
16515 -INIT_PER_CPU(gdt_page);
16516 INIT_PER_CPU(irq_stack_union);
16519 * Build-time check on the image size:
16521 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
16522 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
16523 "kernel image bigger than KERNEL_IMAGE_SIZE");
16526 diff -urNp linux-2.6.38.6/arch/x86/kernel/vsyscall_64.c linux-2.6.38.6/arch/x86/kernel/vsyscall_64.c
16527 --- linux-2.6.38.6/arch/x86/kernel/vsyscall_64.c 2011-03-14 21:20:32.000000000 -0400
16528 +++ linux-2.6.38.6/arch/x86/kernel/vsyscall_64.c 2011-04-28 19:34:14.000000000 -0400
16529 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
16531 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
16532 /* copy vsyscall data */
16533 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
16534 vsyscall_gtod_data.clock.vread = clock->vread;
16535 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
16536 vsyscall_gtod_data.clock.mask = clock->mask;
16537 @@ -208,7 +209,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
16538 We do this here because otherwise user space would do it on
16539 its own in a likely inferior way (no access to jiffies).
16540 If you don't like it pass NULL. */
16541 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
16542 + if (tcache && tcache->blob[0] == (j = jiffies)) {
16543 p = tcache->blob[1];
16544 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
16545 /* Load per CPU data from RDTSCP */
16546 diff -urNp linux-2.6.38.6/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.38.6/arch/x86/kernel/x8664_ksyms_64.c
16547 --- linux-2.6.38.6/arch/x86/kernel/x8664_ksyms_64.c 2011-03-14 21:20:32.000000000 -0400
16548 +++ linux-2.6.38.6/arch/x86/kernel/x8664_ksyms_64.c 2011-04-28 19:34:14.000000000 -0400
16549 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
16550 EXPORT_SYMBOL(copy_user_generic_string);
16551 EXPORT_SYMBOL(copy_user_generic_unrolled);
16552 EXPORT_SYMBOL(__copy_user_nocache);
16553 -EXPORT_SYMBOL(_copy_from_user);
16554 -EXPORT_SYMBOL(_copy_to_user);
16556 EXPORT_SYMBOL(copy_page);
16557 EXPORT_SYMBOL(clear_page);
16558 diff -urNp linux-2.6.38.6/arch/x86/kernel/xsave.c linux-2.6.38.6/arch/x86/kernel/xsave.c
16559 --- linux-2.6.38.6/arch/x86/kernel/xsave.c 2011-03-14 21:20:32.000000000 -0400
16560 +++ linux-2.6.38.6/arch/x86/kernel/xsave.c 2011-04-28 19:34:14.000000000 -0400
16561 @@ -130,7 +130,7 @@ int check_for_xstate(struct i387_fxsave_
16562 fx_sw_user->xstate_size > fx_sw_user->extended_size)
16565 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
16566 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
16567 fx_sw_user->extended_size -
16568 FP_XSTATE_MAGIC2_SIZE));
16570 @@ -267,7 +267,7 @@ fx_only:
16571 * the other extended state.
16573 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
16574 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
16575 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
16579 @@ -299,7 +299,7 @@ int restore_i387_xstate(void __user *buf
16581 err = restore_user_xstate(buf);
16583 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
16584 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
16586 if (unlikely(err)) {
16588 diff -urNp linux-2.6.38.6/arch/x86/kvm/emulate.c linux-2.6.38.6/arch/x86/kvm/emulate.c
16589 --- linux-2.6.38.6/arch/x86/kvm/emulate.c 2011-03-14 21:20:32.000000000 -0400
16590 +++ linux-2.6.38.6/arch/x86/kvm/emulate.c 2011-04-28 19:34:14.000000000 -0400
16592 #define Src2ImmByte (2<<29)
16593 #define Src2One (3<<29)
16594 #define Src2Imm (4<<29)
16595 -#define Src2Mask (7<<29)
16596 +#define Src2Mask (7U<<29)
16598 #define X2(x...) x, x
16599 #define X3(x...) X2(x), x
16600 @@ -189,6 +189,7 @@ struct group_dual {
16602 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
16604 + unsigned long _tmp; \
16605 __asm__ __volatile__ ( \
16606 _PRE_EFLAGS("0", "4", "2") \
16607 _op _suffix " %"_x"3,%1; " \
16608 @@ -202,8 +203,6 @@ struct group_dual {
16609 /* Raw emulation: instruction has two explicit operands. */
16610 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
16612 - unsigned long _tmp; \
16614 switch ((_dst).bytes) { \
16616 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
16617 @@ -219,7 +218,6 @@ struct group_dual {
16619 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
16621 - unsigned long _tmp; \
16622 switch ((_dst).bytes) { \
16624 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
16625 diff -urNp linux-2.6.38.6/arch/x86/kvm/lapic.c linux-2.6.38.6/arch/x86/kvm/lapic.c
16626 --- linux-2.6.38.6/arch/x86/kvm/lapic.c 2011-03-14 21:20:32.000000000 -0400
16627 +++ linux-2.6.38.6/arch/x86/kvm/lapic.c 2011-04-28 19:34:14.000000000 -0400
16629 #define APIC_BUS_CYCLE_NS 1
16631 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
16632 -#define apic_debug(fmt, arg...)
16633 +#define apic_debug(fmt, arg...) do {} while (0)
16635 #define APIC_LVT_NUM 6
16636 /* 14 is the version for Xeon and Pentium 8.4.8*/
16637 diff -urNp linux-2.6.38.6/arch/x86/kvm/mmu.c linux-2.6.38.6/arch/x86/kvm/mmu.c
16638 --- linux-2.6.38.6/arch/x86/kvm/mmu.c 2011-03-14 21:20:32.000000000 -0400
16639 +++ linux-2.6.38.6/arch/x86/kvm/mmu.c 2011-04-28 19:57:25.000000000 -0400
16640 @@ -3271,7 +3271,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
16642 pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes);
16644 - invlpg_counter = atomic_read(&vcpu->kvm->arch.invlpg_counter);
16645 + invlpg_counter = atomic_read_unchecked(&vcpu->kvm->arch.invlpg_counter);
16648 * Assume that the pte write on a page table of the same type
16649 @@ -3305,7 +3305,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
16651 mmu_guess_page_from_pte_write(vcpu, gpa, gentry);
16652 spin_lock(&vcpu->kvm->mmu_lock);
16653 - if (atomic_read(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
16654 + if (atomic_read_unchecked(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
16656 kvm_mmu_access_page(vcpu, gfn);
16657 kvm_mmu_free_some_pages(vcpu);
16658 diff -urNp linux-2.6.38.6/arch/x86/kvm/paging_tmpl.h linux-2.6.38.6/arch/x86/kvm/paging_tmpl.h
16659 --- linux-2.6.38.6/arch/x86/kvm/paging_tmpl.h 2011-03-14 21:20:32.000000000 -0400
16660 +++ linux-2.6.38.6/arch/x86/kvm/paging_tmpl.h 2011-05-16 21:47:08.000000000 -0400
16661 @@ -554,6 +554,8 @@ static int FNAME(page_fault)(struct kvm_
16662 unsigned long mmu_seq;
16665 + pax_track_stack();
16667 pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
16669 r = mmu_topup_memory_caches(vcpu);
16670 @@ -674,7 +676,7 @@ static void FNAME(invlpg)(struct kvm_vcp
16672 kvm_flush_remote_tlbs(vcpu->kvm);
16674 - atomic_inc(&vcpu->kvm->arch.invlpg_counter);
16675 + atomic_inc_unchecked(&vcpu->kvm->arch.invlpg_counter);
16677 spin_unlock(&vcpu->kvm->mmu_lock);
16679 diff -urNp linux-2.6.38.6/arch/x86/kvm/svm.c linux-2.6.38.6/arch/x86/kvm/svm.c
16680 --- linux-2.6.38.6/arch/x86/kvm/svm.c 2011-05-10 22:06:29.000000000 -0400
16681 +++ linux-2.6.38.6/arch/x86/kvm/svm.c 2011-05-10 22:08:57.000000000 -0400
16682 @@ -3276,7 +3276,11 @@ static void reload_tss(struct kvm_vcpu *
16683 int cpu = raw_smp_processor_id();
16685 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
16687 + pax_open_kernel();
16688 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
16689 + pax_close_kernel();
16694 @@ -3651,6 +3655,10 @@ static void svm_vcpu_run(struct kvm_vcpu
16695 loadsegment(fs, svm->host.fs);
16698 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16699 + __set_fs(current_thread_info()->addr_limit);
16704 local_irq_disable();
16705 @@ -3858,7 +3866,7 @@ static void svm_fpu_deactivate(struct kv
16706 update_cr0_intercept(svm);
16709 -static struct kvm_x86_ops svm_x86_ops = {
16710 +static const struct kvm_x86_ops svm_x86_ops = {
16711 .cpu_has_kvm_support = has_svm,
16712 .disabled_by_bios = is_disabled,
16713 .hardware_setup = svm_hardware_setup,
16714 diff -urNp linux-2.6.38.6/arch/x86/kvm/vmx.c linux-2.6.38.6/arch/x86/kvm/vmx.c
16715 --- linux-2.6.38.6/arch/x86/kvm/vmx.c 2011-03-14 21:20:32.000000000 -0400
16716 +++ linux-2.6.38.6/arch/x86/kvm/vmx.c 2011-04-28 19:57:25.000000000 -0400
16717 @@ -725,7 +725,11 @@ static void reload_tss(void)
16718 struct desc_struct *descs;
16720 descs = (void *)gdt->address;
16722 + pax_open_kernel();
16723 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
16724 + pax_close_kernel();
16729 @@ -1642,8 +1646,11 @@ static __init int hardware_setup(void)
16730 if (!cpu_has_vmx_flexpriority())
16731 flexpriority_enabled = 0;
16733 - if (!cpu_has_vmx_tpr_shadow())
16734 - kvm_x86_ops->update_cr8_intercept = NULL;
16735 + if (!cpu_has_vmx_tpr_shadow()) {
16736 + pax_open_kernel();
16737 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
16738 + pax_close_kernel();
16741 if (enable_ept && !cpu_has_vmx_ept_2m_page())
16742 kvm_disable_largepages();
16743 @@ -2640,7 +2647,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
16744 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
16746 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
16747 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
16748 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
16749 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
16750 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
16751 vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
16752 @@ -4031,6 +4038,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
16753 "jmp .Lkvm_vmx_return \n\t"
16754 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
16755 ".Lkvm_vmx_return: "
16757 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16758 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
16759 + ".Lkvm_vmx_return2: "
16762 /* Save guest registers, load host registers, keep flags */
16763 "xchg %0, (%%"R"sp) \n\t"
16764 "mov %%"R"ax, %c[rax](%0) \n\t"
16765 @@ -4077,6 +4090,11 @@ static void vmx_vcpu_run(struct kvm_vcpu
16766 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
16768 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
16770 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16771 + ,[cs]"i"(__KERNEL_CS)
16775 , R"ax", R"bx", R"di", R"si"
16776 #ifdef CONFIG_X86_64
16777 @@ -4091,7 +4109,16 @@ static void vmx_vcpu_run(struct kvm_vcpu
16779 vmx->idt_vectoring_info = vmcs_read32(IDT_VECTORING_INFO_FIELD);
16781 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
16782 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
16784 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16785 + loadsegment(fs, __KERNEL_PERCPU);
16788 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16789 + __set_fs(current_thread_info()->addr_limit);
16794 vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
16795 @@ -4326,7 +4353,7 @@ static void vmx_set_supported_cpuid(u32
16799 -static struct kvm_x86_ops vmx_x86_ops = {
16800 +static const struct kvm_x86_ops vmx_x86_ops = {
16801 .cpu_has_kvm_support = cpu_has_kvm_support,
16802 .disabled_by_bios = vmx_disabled_by_bios,
16803 .hardware_setup = hardware_setup,
16804 diff -urNp linux-2.6.38.6/arch/x86/kvm/x86.c linux-2.6.38.6/arch/x86/kvm/x86.c
16805 --- linux-2.6.38.6/arch/x86/kvm/x86.c 2011-03-14 21:20:32.000000000 -0400
16806 +++ linux-2.6.38.6/arch/x86/kvm/x86.c 2011-04-28 19:34:14.000000000 -0400
16807 @@ -93,7 +93,7 @@ static void update_cr8_intercept(struct
16808 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
16809 struct kvm_cpuid_entry2 __user *entries);
16811 -struct kvm_x86_ops *kvm_x86_ops;
16812 +const struct kvm_x86_ops *kvm_x86_ops;
16813 EXPORT_SYMBOL_GPL(kvm_x86_ops);
16815 int ignore_msrs = 0;
16816 @@ -2023,6 +2023,8 @@ long kvm_arch_dev_ioctl(struct file *fil
16817 if (n < msr_list.nmsrs)
16820 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
16822 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
16823 num_msrs_to_save * sizeof(u32)))
16825 @@ -2190,15 +2192,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(str
16826 struct kvm_cpuid2 *cpuid,
16827 struct kvm_cpuid_entry2 __user *entries)
16833 if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
16836 - if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
16837 - cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
16838 + if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
16840 + for (i = 0; i < cpuid->nent; ++i) {
16841 + struct kvm_cpuid_entry2 cpuid_entry;
16842 + if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
16844 + vcpu->arch.cpuid_entries[i] = cpuid_entry;
16846 vcpu->arch.cpuid_nent = cpuid->nent;
16847 kvm_apic_set_version(vcpu);
16848 kvm_x86_ops->cpuid_update(vcpu);
16849 @@ -2213,15 +2220,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(str
16850 struct kvm_cpuid2 *cpuid,
16851 struct kvm_cpuid_entry2 __user *entries)
16857 if (cpuid->nent < vcpu->arch.cpuid_nent)
16860 - if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
16861 - vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
16862 + if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
16864 + for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
16865 + struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
16866 + if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
16872 @@ -2499,7 +2510,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
16873 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
16874 struct kvm_interrupt *irq)
16876 - if (irq->irq < 0 || irq->irq >= 256)
16877 + if (irq->irq >= 256)
16879 if (irqchip_in_kernel(vcpu->kvm))
16881 @@ -4687,10 +4698,10 @@ void kvm_after_handle_nmi(struct kvm_vcp
16883 EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
16885 -int kvm_arch_init(void *opaque)
16886 +int kvm_arch_init(const void *opaque)
16889 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
16890 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
16893 printk(KERN_ERR "kvm: already loaded the other module\n");
16894 diff -urNp linux-2.6.38.6/arch/x86/lib/atomic64_32.c linux-2.6.38.6/arch/x86/lib/atomic64_32.c
16895 --- linux-2.6.38.6/arch/x86/lib/atomic64_32.c 2011-03-14 21:20:32.000000000 -0400
16896 +++ linux-2.6.38.6/arch/x86/lib/atomic64_32.c 2011-05-02 19:07:09.000000000 -0400
16899 long long atomic64_read_cx8(long long, const atomic64_t *v);
16900 EXPORT_SYMBOL(atomic64_read_cx8);
16901 +long long atomic64_read_unchecked_cx8(long long, const atomic64_unchecked_t *v);
16902 +EXPORT_SYMBOL(atomic64_read_unchecked_cx8);
16903 long long atomic64_set_cx8(long long, const atomic64_t *v);
16904 EXPORT_SYMBOL(atomic64_set_cx8);
16905 +long long atomic64_set_unchecked_cx8(long long, const atomic64_unchecked_t *v);
16906 +EXPORT_SYMBOL(atomic64_set_unchecked_cx8);
16907 long long atomic64_xchg_cx8(long long, unsigned high);
16908 EXPORT_SYMBOL(atomic64_xchg_cx8);
16909 long long atomic64_add_return_cx8(long long a, atomic64_t *v);
16910 EXPORT_SYMBOL(atomic64_add_return_cx8);
16911 +long long atomic64_add_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
16912 +EXPORT_SYMBOL(atomic64_add_return_unchecked_cx8);
16913 long long atomic64_sub_return_cx8(long long a, atomic64_t *v);
16914 EXPORT_SYMBOL(atomic64_sub_return_cx8);
16915 +long long atomic64_sub_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
16916 +EXPORT_SYMBOL(atomic64_sub_return_unchecked_cx8);
16917 long long atomic64_inc_return_cx8(long long a, atomic64_t *v);
16918 EXPORT_SYMBOL(atomic64_inc_return_cx8);
16919 +long long atomic64_inc_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
16920 +EXPORT_SYMBOL(atomic64_inc_return_unchecked_cx8);
16921 long long atomic64_dec_return_cx8(long long a, atomic64_t *v);
16922 EXPORT_SYMBOL(atomic64_dec_return_cx8);
16923 +long long atomic64_dec_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
16924 +EXPORT_SYMBOL(atomic64_dec_return_unchecked_cx8);
16925 long long atomic64_dec_if_positive_cx8(atomic64_t *v);
16926 EXPORT_SYMBOL(atomic64_dec_if_positive_cx8);
16927 int atomic64_inc_not_zero_cx8(atomic64_t *v);
16928 @@ -30,26 +42,46 @@ EXPORT_SYMBOL(atomic64_add_unless_cx8);
16929 #ifndef CONFIG_X86_CMPXCHG64
16930 long long atomic64_read_386(long long, const atomic64_t *v);
16931 EXPORT_SYMBOL(atomic64_read_386);
16932 +long long atomic64_read_unchecked_386(long long, const atomic64_unchecked_t *v);
16933 +EXPORT_SYMBOL(atomic64_read_unchecked_386);
16934 long long atomic64_set_386(long long, const atomic64_t *v);
16935 EXPORT_SYMBOL(atomic64_set_386);
16936 +long long atomic64_set_unchecked_386(long long, const atomic64_unchecked_t *v);
16937 +EXPORT_SYMBOL(atomic64_set_unchecked_386);
16938 long long atomic64_xchg_386(long long, unsigned high);
16939 EXPORT_SYMBOL(atomic64_xchg_386);
16940 long long atomic64_add_return_386(long long a, atomic64_t *v);
16941 EXPORT_SYMBOL(atomic64_add_return_386);
16942 +long long atomic64_add_return_unchecked_386(long long a, atomic64_unchecked_t *v);
16943 +EXPORT_SYMBOL(atomic64_add_return_unchecked_386);
16944 long long atomic64_sub_return_386(long long a, atomic64_t *v);
16945 EXPORT_SYMBOL(atomic64_sub_return_386);
16946 +long long atomic64_sub_return_unchecked_386(long long a, atomic64_unchecked_t *v);
16947 +EXPORT_SYMBOL(atomic64_sub_return_unchecked_386);
16948 long long atomic64_inc_return_386(long long a, atomic64_t *v);
16949 EXPORT_SYMBOL(atomic64_inc_return_386);
16950 +long long atomic64_inc_return_unchecked_386(long long a, atomic64_unchecked_t *v);
16951 +EXPORT_SYMBOL(atomic64_inc_return_unchecked_386);
16952 long long atomic64_dec_return_386(long long a, atomic64_t *v);
16953 EXPORT_SYMBOL(atomic64_dec_return_386);
16954 +long long atomic64_dec_return_unchecked_386(long long a, atomic64_unchecked_t *v);
16955 +EXPORT_SYMBOL(atomic64_dec_return_unchecked_386);
16956 long long atomic64_add_386(long long a, atomic64_t *v);
16957 EXPORT_SYMBOL(atomic64_add_386);
16958 +long long atomic64_add_unchecked_386(long long a, atomic64_unchecked_t *v);
16959 +EXPORT_SYMBOL(atomic64_add_unchecked_386);
16960 long long atomic64_sub_386(long long a, atomic64_t *v);
16961 EXPORT_SYMBOL(atomic64_sub_386);
16962 +long long atomic64_sub_unchecked_386(long long a, atomic64_unchecked_t *v);
16963 +EXPORT_SYMBOL(atomic64_sub_unchecked_386);
16964 long long atomic64_inc_386(long long a, atomic64_t *v);
16965 EXPORT_SYMBOL(atomic64_inc_386);
16966 +long long atomic64_inc_unchecked_386(long long a, atomic64_unchecked_t *v);
16967 +EXPORT_SYMBOL(atomic64_inc_unchecked_386);
16968 long long atomic64_dec_386(long long a, atomic64_t *v);
16969 EXPORT_SYMBOL(atomic64_dec_386);
16970 +long long atomic64_dec_unchecked_386(long long a, atomic64_unchecked_t *v);
16971 +EXPORT_SYMBOL(atomic64_dec_unchecked_386);
16972 long long atomic64_dec_if_positive_386(atomic64_t *v);
16973 EXPORT_SYMBOL(atomic64_dec_if_positive_386);
16974 int atomic64_inc_not_zero_386(atomic64_t *v);
16975 diff -urNp linux-2.6.38.6/arch/x86/lib/atomic64_386_32.S linux-2.6.38.6/arch/x86/lib/atomic64_386_32.S
16976 --- linux-2.6.38.6/arch/x86/lib/atomic64_386_32.S 2011-03-14 21:20:32.000000000 -0400
16977 +++ linux-2.6.38.6/arch/x86/lib/atomic64_386_32.S 2011-05-02 19:07:09.000000000 -0400
16978 @@ -50,6 +50,10 @@ BEGIN(read)
16982 +BEGIN(read_unchecked)
16989 @@ -57,6 +61,10 @@ BEGIN(set)
16993 +BEGIN(set_unchecked)
17000 @@ -72,6 +80,20 @@ RET_ENDP
17005 +#ifdef CONFIG_PAX_REFCOUNT
17011 + _ASM_EXTABLE(0b, 0b)
17015 +BEGIN(add_unchecked)
17021 @@ -79,6 +101,24 @@ RET_ENDP
17026 +#ifdef CONFIG_PAX_REFCOUNT
17029 + _ASM_EXTABLE(1234b, 2f)
17035 +#ifdef CONFIG_PAX_REFCOUNT
17040 +BEGIN(add_return_unchecked)
17046 @@ -88,6 +128,20 @@ RET_ENDP
17051 +#ifdef CONFIG_PAX_REFCOUNT
17057 + _ASM_EXTABLE(0b, 0b)
17061 +BEGIN(sub_unchecked)
17067 @@ -98,6 +152,27 @@ BEGIN(sub_return)
17072 +#ifdef CONFIG_PAX_REFCOUNT
17075 + _ASM_EXTABLE(1234b, 2f)
17081 +#ifdef CONFIG_PAX_REFCOUNT
17086 +BEGIN(sub_return_unchecked)
17095 @@ -107,6 +182,20 @@ RET_ENDP
17100 +#ifdef CONFIG_PAX_REFCOUNT
17106 + _ASM_EXTABLE(0b, 0b)
17110 +BEGIN(inc_unchecked)
17116 @@ -116,6 +205,26 @@ BEGIN(inc_return)
17121 +#ifdef CONFIG_PAX_REFCOUNT
17124 + _ASM_EXTABLE(1234b, 2f)
17130 +#ifdef CONFIG_PAX_REFCOUNT
17135 +BEGIN(inc_return_unchecked)
17143 @@ -125,6 +234,20 @@ RET_ENDP
17148 +#ifdef CONFIG_PAX_REFCOUNT
17154 + _ASM_EXTABLE(0b, 0b)
17158 +BEGIN(dec_unchecked)
17164 @@ -134,6 +257,26 @@ BEGIN(dec_return)
17169 +#ifdef CONFIG_PAX_REFCOUNT
17172 + _ASM_EXTABLE(1234b, 2f)
17178 +#ifdef CONFIG_PAX_REFCOUNT
17183 +BEGIN(dec_return_unchecked)
17191 @@ -145,6 +288,13 @@ BEGIN(add_unless)
17196 +#ifdef CONFIG_PAX_REFCOUNT
17199 + _ASM_EXTABLE(1234b, 2f)
17205 @@ -170,6 +320,13 @@ BEGIN(inc_not_zero)
17210 +#ifdef CONFIG_PAX_REFCOUNT
17213 + _ASM_EXTABLE(1234b, 2f)
17219 @@ -188,6 +345,13 @@ BEGIN(dec_if_positive)
17224 +#ifdef CONFIG_PAX_REFCOUNT
17227 + _ASM_EXTABLE(1234b, 1f)
17233 diff -urNp linux-2.6.38.6/arch/x86/lib/atomic64_cx8_32.S linux-2.6.38.6/arch/x86/lib/atomic64_cx8_32.S
17234 --- linux-2.6.38.6/arch/x86/lib/atomic64_cx8_32.S 2011-03-14 21:20:32.000000000 -0400
17235 +++ linux-2.6.38.6/arch/x86/lib/atomic64_cx8_32.S 2011-05-02 19:07:09.000000000 -0400
17236 @@ -41,6 +41,14 @@ ENTRY(atomic64_read_cx8)
17238 ENDPROC(atomic64_read_cx8)
17240 +ENTRY(atomic64_read_unchecked_cx8)
17246 +ENDPROC(atomic64_read_unchecked_cx8)
17248 ENTRY(atomic64_set_cx8)
17251 @@ -54,6 +62,19 @@ ENTRY(atomic64_set_cx8)
17253 ENDPROC(atomic64_set_cx8)
17255 +ENTRY(atomic64_set_unchecked_cx8)
17259 +/* we don't need LOCK_PREFIX since aligned 64-bit writes
17260 + * are atomic on 586 and newer */
17266 +ENDPROC(atomic64_set_unchecked_cx8)
17268 ENTRY(atomic64_xchg_cx8)
17271 @@ -68,8 +89,8 @@ ENTRY(atomic64_xchg_cx8)
17273 ENDPROC(atomic64_xchg_cx8)
17275 -.macro addsub_return func ins insc
17276 -ENTRY(atomic64_\func\()_return_cx8)
17277 +.macro addsub_return func ins insc unchecked=""
17278 +ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
17282 @@ -86,27 +107,43 @@ ENTRY(atomic64_\func\()_return_cx8)
17284 \ins\()l %esi, %ebx
17285 \insc\()l %edi, %ecx
17288 +#ifdef CONFIG_PAX_REFCOUNT
17291 + _ASM_EXTABLE(2b, 3f)
17304 +#ifdef CONFIG_PAX_REFCOUNT
17315 -ENDPROC(atomic64_\func\()_return_cx8)
17316 +ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
17319 addsub_return add add adc
17320 addsub_return sub sub sbb
17321 +addsub_return add add adc _unchecked
17322 +addsub_return sub sub sbb _unchecked
17324 -.macro incdec_return func ins insc
17325 -ENTRY(atomic64_\func\()_return_cx8)
17326 +.macro incdec_return func ins insc unchecked
17327 +ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
17331 @@ -116,21 +153,38 @@ ENTRY(atomic64_\func\()_return_cx8)
17337 +#ifdef CONFIG_PAX_REFCOUNT
17340 + _ASM_EXTABLE(2b, 3f)
17353 +#ifdef CONFIG_PAX_REFCOUNT
17361 -ENDPROC(atomic64_\func\()_return_cx8)
17362 +ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
17365 incdec_return inc add adc
17366 incdec_return dec sub sbb
17367 +incdec_return inc add adc _unchecked
17368 +incdec_return dec sub sbb _unchecked
17370 ENTRY(atomic64_dec_if_positive_cx8)
17372 @@ -142,6 +196,13 @@ ENTRY(atomic64_dec_if_positive_cx8)
17377 +#ifdef CONFIG_PAX_REFCOUNT
17380 + _ASM_EXTABLE(1234b, 2f)
17386 @@ -176,6 +237,13 @@ ENTRY(atomic64_add_unless_cx8)
17391 +#ifdef CONFIG_PAX_REFCOUNT
17394 + _ASM_EXTABLE(1234b, 3f)
17400 @@ -208,6 +276,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
17405 +#ifdef CONFIG_PAX_REFCOUNT
17408 + _ASM_EXTABLE(1234b, 3f)
17414 diff -urNp linux-2.6.38.6/arch/x86/lib/checksum_32.S linux-2.6.38.6/arch/x86/lib/checksum_32.S
17415 --- linux-2.6.38.6/arch/x86/lib/checksum_32.S 2011-03-14 21:20:32.000000000 -0400
17416 +++ linux-2.6.38.6/arch/x86/lib/checksum_32.S 2011-04-28 19:34:14.000000000 -0400
17418 #include <linux/linkage.h>
17419 #include <asm/dwarf2.h>
17420 #include <asm/errno.h>
17422 +#include <asm/segment.h>
17425 * computes a partial checksum, e.g. for TCP/UDP fragments
17427 @@ -304,9 +305,28 @@ unsigned int csum_partial_copy_generic (
17432 -ENTRY(csum_partial_copy_generic)
17434 +ENTRY(csum_partial_copy_generic_to_user)
17437 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17439 + CFI_ADJUST_CFA_OFFSET 4
17441 + CFI_ADJUST_CFA_OFFSET -4
17442 + jmp csum_partial_copy_generic
17445 +ENTRY(csum_partial_copy_generic_from_user)
17447 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17449 + CFI_ADJUST_CFA_OFFSET 4
17451 + CFI_ADJUST_CFA_OFFSET -4
17454 +ENTRY(csum_partial_copy_generic)
17456 CFI_ADJUST_CFA_OFFSET 4
17458 @@ -331,7 +351,7 @@ ENTRY(csum_partial_copy_generic)
17460 SRC(1: movw (%esi), %bx )
17462 -DST( movw %bx, (%edi) )
17463 +DST( movw %bx, %es:(%edi) )
17467 @@ -343,30 +363,30 @@ DST( movw %bx, (%edi) )
17468 SRC(1: movl (%esi), %ebx )
17469 SRC( movl 4(%esi), %edx )
17471 -DST( movl %ebx, (%edi) )
17472 +DST( movl %ebx, %es:(%edi) )
17474 -DST( movl %edx, 4(%edi) )
17475 +DST( movl %edx, %es:4(%edi) )
17477 SRC( movl 8(%esi), %ebx )
17478 SRC( movl 12(%esi), %edx )
17480 -DST( movl %ebx, 8(%edi) )
17481 +DST( movl %ebx, %es:8(%edi) )
17483 -DST( movl %edx, 12(%edi) )
17484 +DST( movl %edx, %es:12(%edi) )
17486 SRC( movl 16(%esi), %ebx )
17487 SRC( movl 20(%esi), %edx )
17489 -DST( movl %ebx, 16(%edi) )
17490 +DST( movl %ebx, %es:16(%edi) )
17492 -DST( movl %edx, 20(%edi) )
17493 +DST( movl %edx, %es:20(%edi) )
17495 SRC( movl 24(%esi), %ebx )
17496 SRC( movl 28(%esi), %edx )
17498 -DST( movl %ebx, 24(%edi) )
17499 +DST( movl %ebx, %es:24(%edi) )
17501 -DST( movl %edx, 28(%edi) )
17502 +DST( movl %edx, %es:28(%edi) )
17506 @@ -380,7 +400,7 @@ DST( movl %edx, 28(%edi) )
17507 shrl $2, %edx # This clears CF
17508 SRC(3: movl (%esi), %ebx )
17510 -DST( movl %ebx, (%edi) )
17511 +DST( movl %ebx, %es:(%edi) )
17515 @@ -392,12 +412,12 @@ DST( movl %ebx, (%edi) )
17517 SRC( movw (%esi), %cx )
17519 -DST( movw %cx, (%edi) )
17520 +DST( movw %cx, %es:(%edi) )
17524 SRC(5: movb (%esi), %cl )
17525 -DST( movb %cl, (%edi) )
17526 +DST( movb %cl, %es:(%edi) )
17530 @@ -408,7 +428,7 @@ DST( movb %cl, (%edi) )
17533 movl ARGBASE+20(%esp), %ebx # src_err_ptr
17534 - movl $-EFAULT, (%ebx)
17535 + movl $-EFAULT, %ss:(%ebx)
17537 # zero the complete destination - computing the rest
17539 @@ -421,11 +441,19 @@ DST( movb %cl, (%edi) )
17542 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
17543 - movl $-EFAULT,(%ebx)
17544 + movl $-EFAULT,%ss:(%ebx)
17550 + CFI_ADJUST_CFA_OFFSET 4
17552 + CFI_ADJUST_CFA_OFFSET -4
17554 + CFI_ADJUST_CFA_OFFSET 4
17556 + CFI_ADJUST_CFA_OFFSET -4
17558 CFI_ADJUST_CFA_OFFSET -4
17560 @@ -439,26 +467,47 @@ DST( movb %cl, (%edi) )
17561 CFI_ADJUST_CFA_OFFSET -4
17564 -ENDPROC(csum_partial_copy_generic)
17565 +ENDPROC(csum_partial_copy_generic_to_user)
17569 /* Version for PentiumII/PPro */
17571 #define ROUND1(x) \
17573 SRC(movl x(%esi), %ebx ) ; \
17574 addl %ebx, %eax ; \
17575 - DST(movl %ebx, x(%edi) ) ;
17576 + DST(movl %ebx, %es:x(%edi)) ;
17580 SRC(movl x(%esi), %ebx ) ; \
17581 adcl %ebx, %eax ; \
17582 - DST(movl %ebx, x(%edi) ) ;
17583 + DST(movl %ebx, %es:x(%edi)) ;
17587 -ENTRY(csum_partial_copy_generic)
17589 +ENTRY(csum_partial_copy_generic_to_user)
17592 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17594 + CFI_ADJUST_CFA_OFFSET 4
17596 + CFI_ADJUST_CFA_OFFSET -4
17597 + jmp csum_partial_copy_generic
17600 +ENTRY(csum_partial_copy_generic_from_user)
17602 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17604 + CFI_ADJUST_CFA_OFFSET 4
17606 + CFI_ADJUST_CFA_OFFSET -4
17609 +ENTRY(csum_partial_copy_generic)
17611 CFI_ADJUST_CFA_OFFSET 4
17612 CFI_REL_OFFSET ebx, 0
17613 @@ -482,7 +531,7 @@ ENTRY(csum_partial_copy_generic)
17617 - lea 3f(%ebx,%ebx), %ebx
17618 + lea 3f(%ebx,%ebx,2), %ebx
17622 @@ -503,19 +552,19 @@ ENTRY(csum_partial_copy_generic)
17624 SRC( movw (%esi), %dx )
17626 -DST( movw %dx, (%edi) )
17627 +DST( movw %dx, %es:(%edi) )
17632 SRC( movb (%esi), %dl )
17633 -DST( movb %dl, (%edi) )
17634 +DST( movb %dl, %es:(%edi) )
17638 .section .fixup, "ax"
17639 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
17640 - movl $-EFAULT, (%ebx)
17641 + movl $-EFAULT, %ss:(%ebx)
17642 # zero the complete destination (computing the rest is too much work)
17643 movl ARGBASE+8(%esp),%edi # dst
17644 movl ARGBASE+12(%esp),%ecx # len
17645 @@ -523,10 +572,21 @@ DST( movb %dl, (%edi) )
17648 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
17649 - movl $-EFAULT, (%ebx)
17650 + movl $-EFAULT, %ss:(%ebx)
17654 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17656 + CFI_ADJUST_CFA_OFFSET 4
17658 + CFI_ADJUST_CFA_OFFSET -4
17660 + CFI_ADJUST_CFA_OFFSET 4
17662 + CFI_ADJUST_CFA_OFFSET -4
17666 CFI_ADJUST_CFA_OFFSET -4
17668 @@ -538,7 +598,7 @@ DST( movb %dl, (%edi) )
17672 -ENDPROC(csum_partial_copy_generic)
17673 +ENDPROC(csum_partial_copy_generic_to_user)
17677 diff -urNp linux-2.6.38.6/arch/x86/lib/clear_page_64.S linux-2.6.38.6/arch/x86/lib/clear_page_64.S
17678 --- linux-2.6.38.6/arch/x86/lib/clear_page_64.S 2011-03-14 21:20:32.000000000 -0400
17679 +++ linux-2.6.38.6/arch/x86/lib/clear_page_64.S 2011-04-28 19:34:14.000000000 -0400
17680 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
17682 #include <asm/cpufeature.h>
17684 - .section .altinstr_replacement,"ax"
17685 + .section .altinstr_replacement,"a"
17686 1: .byte 0xeb /* jmp <disp8> */
17687 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
17689 diff -urNp linux-2.6.38.6/arch/x86/lib/copy_page_64.S linux-2.6.38.6/arch/x86/lib/copy_page_64.S
17690 --- linux-2.6.38.6/arch/x86/lib/copy_page_64.S 2011-03-14 21:20:32.000000000 -0400
17691 +++ linux-2.6.38.6/arch/x86/lib/copy_page_64.S 2011-04-28 19:34:14.000000000 -0400
17692 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
17694 #include <asm/cpufeature.h>
17696 - .section .altinstr_replacement,"ax"
17697 + .section .altinstr_replacement,"a"
17698 1: .byte 0xeb /* jmp <disp8> */
17699 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
17701 diff -urNp linux-2.6.38.6/arch/x86/lib/copy_user_64.S linux-2.6.38.6/arch/x86/lib/copy_user_64.S
17702 --- linux-2.6.38.6/arch/x86/lib/copy_user_64.S 2011-03-14 21:20:32.000000000 -0400
17703 +++ linux-2.6.38.6/arch/x86/lib/copy_user_64.S 2011-04-28 19:34:14.000000000 -0400
17704 @@ -15,13 +15,14 @@
17705 #include <asm/asm-offsets.h>
17706 #include <asm/thread_info.h>
17707 #include <asm/cpufeature.h>
17708 +#include <asm/pgtable.h>
17710 .macro ALTERNATIVE_JUMP feature,orig,alt
17712 .byte 0xe9 /* 32bit jump */
17713 .long \orig-1f /* by default jump to orig */
17715 - .section .altinstr_replacement,"ax"
17716 + .section .altinstr_replacement,"a"
17717 2: .byte 0xe9 /* near jump with 32bit immediate */
17718 .long \alt-1b /* offset */ /* or alternatively to alt */
17720 @@ -64,37 +65,13 @@
17724 -/* Standard copy_to_user with segment limit checking */
17725 -ENTRY(_copy_to_user)
17727 - GET_THREAD_INFO(%rax)
17731 - cmpq TI_addr_limit(%rax),%rcx
17733 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
17735 -ENDPROC(_copy_to_user)
17737 -/* Standard copy_from_user with segment limit checking */
17738 -ENTRY(_copy_from_user)
17740 - GET_THREAD_INFO(%rax)
17744 - cmpq TI_addr_limit(%rax),%rcx
17745 - jae bad_from_user
17746 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
17748 -ENDPROC(_copy_from_user)
17750 .section .fixup,"ax"
17751 /* must zero dest */
17752 ENTRY(bad_from_user)
17760 diff -urNp linux-2.6.38.6/arch/x86/lib/copy_user_nocache_64.S linux-2.6.38.6/arch/x86/lib/copy_user_nocache_64.S
17761 --- linux-2.6.38.6/arch/x86/lib/copy_user_nocache_64.S 2011-03-14 21:20:32.000000000 -0400
17762 +++ linux-2.6.38.6/arch/x86/lib/copy_user_nocache_64.S 2011-04-28 19:34:14.000000000 -0400
17764 #include <asm/current.h>
17765 #include <asm/asm-offsets.h>
17766 #include <asm/thread_info.h>
17767 +#include <asm/pgtable.h>
17769 .macro ALIGN_DESTINATION
17770 #ifdef FIX_ALIGNMENT
17773 ENTRY(__copy_user_nocache)
17776 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17777 + mov $PAX_USER_SHADOW_BASE,%rcx
17785 jb 20f /* less then 8 bytes, go to byte copy loop */
17787 diff -urNp linux-2.6.38.6/arch/x86/lib/csum-wrappers_64.c linux-2.6.38.6/arch/x86/lib/csum-wrappers_64.c
17788 --- linux-2.6.38.6/arch/x86/lib/csum-wrappers_64.c 2011-03-14 21:20:32.000000000 -0400
17789 +++ linux-2.6.38.6/arch/x86/lib/csum-wrappers_64.c 2011-04-28 19:57:25.000000000 -0400
17790 @@ -52,6 +52,12 @@ csum_partial_copy_from_user(const void _
17795 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17796 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
17797 + src += PAX_USER_SHADOW_BASE;
17800 isum = csum_partial_copy_generic((__force const void *)src,
17801 dst, len, isum, errp, NULL);
17802 if (unlikely(*errp))
17803 @@ -105,6 +111,12 @@ csum_partial_copy_to_user(const void *sr
17808 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17809 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
17810 + dst += PAX_USER_SHADOW_BASE;
17813 return csum_partial_copy_generic(src, (void __force *)dst,
17814 len, isum, NULL, errp);
17816 diff -urNp linux-2.6.38.6/arch/x86/lib/getuser.S linux-2.6.38.6/arch/x86/lib/getuser.S
17817 --- linux-2.6.38.6/arch/x86/lib/getuser.S 2011-03-14 21:20:32.000000000 -0400
17818 +++ linux-2.6.38.6/arch/x86/lib/getuser.S 2011-04-28 19:34:14.000000000 -0400
17819 @@ -33,14 +33,35 @@
17820 #include <asm/asm-offsets.h>
17821 #include <asm/thread_info.h>
17822 #include <asm/asm.h>
17823 +#include <asm/segment.h>
17824 +#include <asm/pgtable.h>
17826 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
17827 +#define __copyuser_seg gs;
17829 +#define __copyuser_seg
17833 ENTRY(__get_user_1)
17836 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
17837 GET_THREAD_INFO(%_ASM_DX)
17838 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
17840 -1: movzb (%_ASM_AX),%edx
17842 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17843 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
17844 + cmp %_ASM_DX,%_ASM_AX
17846 + add %_ASM_DX,%_ASM_AX
17852 +1: __copyuser_seg movzb (%_ASM_AX),%edx
17856 @@ -49,11 +70,24 @@ ENDPROC(__get_user_1)
17857 ENTRY(__get_user_2)
17861 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
17863 GET_THREAD_INFO(%_ASM_DX)
17864 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
17866 -2: movzwl -1(%_ASM_AX),%edx
17868 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17869 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
17870 + cmp %_ASM_DX,%_ASM_AX
17872 + add %_ASM_DX,%_ASM_AX
17878 +2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
17882 @@ -62,11 +96,24 @@ ENDPROC(__get_user_2)
17883 ENTRY(__get_user_4)
17887 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
17889 GET_THREAD_INFO(%_ASM_DX)
17890 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
17892 -3: mov -3(%_ASM_AX),%edx
17894 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17895 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
17896 + cmp %_ASM_DX,%_ASM_AX
17898 + add %_ASM_DX,%_ASM_AX
17904 +3: __copyuser_seg mov -3(%_ASM_AX),%edx
17908 @@ -80,6 +127,15 @@ ENTRY(__get_user_8)
17909 GET_THREAD_INFO(%_ASM_DX)
17910 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
17913 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17914 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
17915 + cmp %_ASM_DX,%_ASM_AX
17917 + add %_ASM_DX,%_ASM_AX
17921 4: movq -7(%_ASM_AX),%_ASM_DX
17924 diff -urNp linux-2.6.38.6/arch/x86/lib/insn.c linux-2.6.38.6/arch/x86/lib/insn.c
17925 --- linux-2.6.38.6/arch/x86/lib/insn.c 2011-03-14 21:20:32.000000000 -0400
17926 +++ linux-2.6.38.6/arch/x86/lib/insn.c 2011-04-28 19:34:14.000000000 -0400
17928 #include <linux/string.h>
17929 #include <asm/inat.h>
17930 #include <asm/insn.h>
17932 +#include <asm/pgtable_types.h>
17934 +#define ktla_ktva(addr) addr
17937 #define get_next(t, insn) \
17938 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
17940 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
17942 memset(insn, 0, sizeof(*insn));
17943 - insn->kaddr = kaddr;
17944 - insn->next_byte = kaddr;
17945 + insn->kaddr = ktla_ktva(kaddr);
17946 + insn->next_byte = ktla_ktva(kaddr);
17947 insn->x86_64 = x86_64 ? 1 : 0;
17948 insn->opnd_bytes = 4;
17950 diff -urNp linux-2.6.38.6/arch/x86/lib/mmx_32.c linux-2.6.38.6/arch/x86/lib/mmx_32.c
17951 --- linux-2.6.38.6/arch/x86/lib/mmx_32.c 2011-03-14 21:20:32.000000000 -0400
17952 +++ linux-2.6.38.6/arch/x86/lib/mmx_32.c 2011-04-28 19:34:14.000000000 -0400
17953 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
17957 + unsigned long cr0;
17959 if (unlikely(in_interrupt()))
17960 return __memcpy(to, from, len);
17961 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
17962 kernel_fpu_begin();
17964 __asm__ __volatile__ (
17965 - "1: prefetch (%0)\n" /* This set is 28 bytes */
17966 - " prefetch 64(%0)\n"
17967 - " prefetch 128(%0)\n"
17968 - " prefetch 192(%0)\n"
17969 - " prefetch 256(%0)\n"
17970 + "1: prefetch (%1)\n" /* This set is 28 bytes */
17971 + " prefetch 64(%1)\n"
17972 + " prefetch 128(%1)\n"
17973 + " prefetch 192(%1)\n"
17974 + " prefetch 256(%1)\n"
17976 ".section .fixup, \"ax\"\n"
17977 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
17980 +#ifdef CONFIG_PAX_KERNEXEC
17981 + " movl %%cr0, %0\n"
17982 + " movl %0, %%eax\n"
17983 + " andl $0xFFFEFFFF, %%eax\n"
17984 + " movl %%eax, %%cr0\n"
17987 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
17989 +#ifdef CONFIG_PAX_KERNEXEC
17990 + " movl %0, %%cr0\n"
17995 _ASM_EXTABLE(1b, 3b)
17997 + : "=&r" (cr0) : "r" (from) : "ax");
17999 for ( ; i > 5; i--) {
18000 __asm__ __volatile__ (
18001 - "1: prefetch 320(%0)\n"
18002 - "2: movq (%0), %%mm0\n"
18003 - " movq 8(%0), %%mm1\n"
18004 - " movq 16(%0), %%mm2\n"
18005 - " movq 24(%0), %%mm3\n"
18006 - " movq %%mm0, (%1)\n"
18007 - " movq %%mm1, 8(%1)\n"
18008 - " movq %%mm2, 16(%1)\n"
18009 - " movq %%mm3, 24(%1)\n"
18010 - " movq 32(%0), %%mm0\n"
18011 - " movq 40(%0), %%mm1\n"
18012 - " movq 48(%0), %%mm2\n"
18013 - " movq 56(%0), %%mm3\n"
18014 - " movq %%mm0, 32(%1)\n"
18015 - " movq %%mm1, 40(%1)\n"
18016 - " movq %%mm2, 48(%1)\n"
18017 - " movq %%mm3, 56(%1)\n"
18018 + "1: prefetch 320(%1)\n"
18019 + "2: movq (%1), %%mm0\n"
18020 + " movq 8(%1), %%mm1\n"
18021 + " movq 16(%1), %%mm2\n"
18022 + " movq 24(%1), %%mm3\n"
18023 + " movq %%mm0, (%2)\n"
18024 + " movq %%mm1, 8(%2)\n"
18025 + " movq %%mm2, 16(%2)\n"
18026 + " movq %%mm3, 24(%2)\n"
18027 + " movq 32(%1), %%mm0\n"
18028 + " movq 40(%1), %%mm1\n"
18029 + " movq 48(%1), %%mm2\n"
18030 + " movq 56(%1), %%mm3\n"
18031 + " movq %%mm0, 32(%2)\n"
18032 + " movq %%mm1, 40(%2)\n"
18033 + " movq %%mm2, 48(%2)\n"
18034 + " movq %%mm3, 56(%2)\n"
18035 ".section .fixup, \"ax\"\n"
18036 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18039 +#ifdef CONFIG_PAX_KERNEXEC
18040 + " movl %%cr0, %0\n"
18041 + " movl %0, %%eax\n"
18042 + " andl $0xFFFEFFFF, %%eax\n"
18043 + " movl %%eax, %%cr0\n"
18046 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18048 +#ifdef CONFIG_PAX_KERNEXEC
18049 + " movl %0, %%cr0\n"
18054 _ASM_EXTABLE(1b, 3b)
18055 - : : "r" (from), "r" (to) : "memory");
18056 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
18060 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
18061 static void fast_copy_page(void *to, void *from)
18064 + unsigned long cr0;
18066 kernel_fpu_begin();
18068 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
18069 * but that is for later. -AV
18071 __asm__ __volatile__(
18072 - "1: prefetch (%0)\n"
18073 - " prefetch 64(%0)\n"
18074 - " prefetch 128(%0)\n"
18075 - " prefetch 192(%0)\n"
18076 - " prefetch 256(%0)\n"
18077 + "1: prefetch (%1)\n"
18078 + " prefetch 64(%1)\n"
18079 + " prefetch 128(%1)\n"
18080 + " prefetch 192(%1)\n"
18081 + " prefetch 256(%1)\n"
18083 ".section .fixup, \"ax\"\n"
18084 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18087 +#ifdef CONFIG_PAX_KERNEXEC
18088 + " movl %%cr0, %0\n"
18089 + " movl %0, %%eax\n"
18090 + " andl $0xFFFEFFFF, %%eax\n"
18091 + " movl %%eax, %%cr0\n"
18094 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18096 +#ifdef CONFIG_PAX_KERNEXEC
18097 + " movl %0, %%cr0\n"
18102 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
18103 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
18105 for (i = 0; i < (4096-320)/64; i++) {
18106 __asm__ __volatile__ (
18107 - "1: prefetch 320(%0)\n"
18108 - "2: movq (%0), %%mm0\n"
18109 - " movntq %%mm0, (%1)\n"
18110 - " movq 8(%0), %%mm1\n"
18111 - " movntq %%mm1, 8(%1)\n"
18112 - " movq 16(%0), %%mm2\n"
18113 - " movntq %%mm2, 16(%1)\n"
18114 - " movq 24(%0), %%mm3\n"
18115 - " movntq %%mm3, 24(%1)\n"
18116 - " movq 32(%0), %%mm4\n"
18117 - " movntq %%mm4, 32(%1)\n"
18118 - " movq 40(%0), %%mm5\n"
18119 - " movntq %%mm5, 40(%1)\n"
18120 - " movq 48(%0), %%mm6\n"
18121 - " movntq %%mm6, 48(%1)\n"
18122 - " movq 56(%0), %%mm7\n"
18123 - " movntq %%mm7, 56(%1)\n"
18124 + "1: prefetch 320(%1)\n"
18125 + "2: movq (%1), %%mm0\n"
18126 + " movntq %%mm0, (%2)\n"
18127 + " movq 8(%1), %%mm1\n"
18128 + " movntq %%mm1, 8(%2)\n"
18129 + " movq 16(%1), %%mm2\n"
18130 + " movntq %%mm2, 16(%2)\n"
18131 + " movq 24(%1), %%mm3\n"
18132 + " movntq %%mm3, 24(%2)\n"
18133 + " movq 32(%1), %%mm4\n"
18134 + " movntq %%mm4, 32(%2)\n"
18135 + " movq 40(%1), %%mm5\n"
18136 + " movntq %%mm5, 40(%2)\n"
18137 + " movq 48(%1), %%mm6\n"
18138 + " movntq %%mm6, 48(%2)\n"
18139 + " movq 56(%1), %%mm7\n"
18140 + " movntq %%mm7, 56(%2)\n"
18141 ".section .fixup, \"ax\"\n"
18142 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18145 +#ifdef CONFIG_PAX_KERNEXEC
18146 + " movl %%cr0, %0\n"
18147 + " movl %0, %%eax\n"
18148 + " andl $0xFFFEFFFF, %%eax\n"
18149 + " movl %%eax, %%cr0\n"
18152 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18154 +#ifdef CONFIG_PAX_KERNEXEC
18155 + " movl %0, %%cr0\n"
18160 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
18161 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
18165 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
18166 static void fast_copy_page(void *to, void *from)
18169 + unsigned long cr0;
18171 kernel_fpu_begin();
18173 __asm__ __volatile__ (
18174 - "1: prefetch (%0)\n"
18175 - " prefetch 64(%0)\n"
18176 - " prefetch 128(%0)\n"
18177 - " prefetch 192(%0)\n"
18178 - " prefetch 256(%0)\n"
18179 + "1: prefetch (%1)\n"
18180 + " prefetch 64(%1)\n"
18181 + " prefetch 128(%1)\n"
18182 + " prefetch 192(%1)\n"
18183 + " prefetch 256(%1)\n"
18185 ".section .fixup, \"ax\"\n"
18186 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18189 +#ifdef CONFIG_PAX_KERNEXEC
18190 + " movl %%cr0, %0\n"
18191 + " movl %0, %%eax\n"
18192 + " andl $0xFFFEFFFF, %%eax\n"
18193 + " movl %%eax, %%cr0\n"
18196 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18198 +#ifdef CONFIG_PAX_KERNEXEC
18199 + " movl %0, %%cr0\n"
18204 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
18205 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
18207 for (i = 0; i < 4096/64; i++) {
18208 __asm__ __volatile__ (
18209 - "1: prefetch 320(%0)\n"
18210 - "2: movq (%0), %%mm0\n"
18211 - " movq 8(%0), %%mm1\n"
18212 - " movq 16(%0), %%mm2\n"
18213 - " movq 24(%0), %%mm3\n"
18214 - " movq %%mm0, (%1)\n"
18215 - " movq %%mm1, 8(%1)\n"
18216 - " movq %%mm2, 16(%1)\n"
18217 - " movq %%mm3, 24(%1)\n"
18218 - " movq 32(%0), %%mm0\n"
18219 - " movq 40(%0), %%mm1\n"
18220 - " movq 48(%0), %%mm2\n"
18221 - " movq 56(%0), %%mm3\n"
18222 - " movq %%mm0, 32(%1)\n"
18223 - " movq %%mm1, 40(%1)\n"
18224 - " movq %%mm2, 48(%1)\n"
18225 - " movq %%mm3, 56(%1)\n"
18226 + "1: prefetch 320(%1)\n"
18227 + "2: movq (%1), %%mm0\n"
18228 + " movq 8(%1), %%mm1\n"
18229 + " movq 16(%1), %%mm2\n"
18230 + " movq 24(%1), %%mm3\n"
18231 + " movq %%mm0, (%2)\n"
18232 + " movq %%mm1, 8(%2)\n"
18233 + " movq %%mm2, 16(%2)\n"
18234 + " movq %%mm3, 24(%2)\n"
18235 + " movq 32(%1), %%mm0\n"
18236 + " movq 40(%1), %%mm1\n"
18237 + " movq 48(%1), %%mm2\n"
18238 + " movq 56(%1), %%mm3\n"
18239 + " movq %%mm0, 32(%2)\n"
18240 + " movq %%mm1, 40(%2)\n"
18241 + " movq %%mm2, 48(%2)\n"
18242 + " movq %%mm3, 56(%2)\n"
18243 ".section .fixup, \"ax\"\n"
18244 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18247 +#ifdef CONFIG_PAX_KERNEXEC
18248 + " movl %%cr0, %0\n"
18249 + " movl %0, %%eax\n"
18250 + " andl $0xFFFEFFFF, %%eax\n"
18251 + " movl %%eax, %%cr0\n"
18254 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18256 +#ifdef CONFIG_PAX_KERNEXEC
18257 + " movl %0, %%cr0\n"
18262 _ASM_EXTABLE(1b, 3b)
18263 - : : "r" (from), "r" (to) : "memory");
18264 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
18268 diff -urNp linux-2.6.38.6/arch/x86/lib/putuser.S linux-2.6.38.6/arch/x86/lib/putuser.S
18269 --- linux-2.6.38.6/arch/x86/lib/putuser.S 2011-03-14 21:20:32.000000000 -0400
18270 +++ linux-2.6.38.6/arch/x86/lib/putuser.S 2011-04-28 19:34:14.000000000 -0400
18272 #include <asm/thread_info.h>
18273 #include <asm/errno.h>
18274 #include <asm/asm.h>
18276 +#include <asm/segment.h>
18277 +#include <asm/pgtable.h>
18281 @@ -29,52 +30,119 @@
18282 * as they get called from within inline assembly.
18285 -#define ENTER CFI_STARTPROC ; \
18286 - GET_THREAD_INFO(%_ASM_BX)
18287 +#define ENTER CFI_STARTPROC
18288 #define EXIT ret ; \
18291 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18292 +#define _DEST %_ASM_CX,%_ASM_BX
18294 +#define _DEST %_ASM_CX
18297 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18298 +#define __copyuser_seg gs;
18300 +#define __copyuser_seg
18304 ENTRY(__put_user_1)
18307 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18308 + GET_THREAD_INFO(%_ASM_BX)
18309 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
18311 -1: movb %al,(%_ASM_CX)
18313 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18314 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
18315 + cmp %_ASM_BX,%_ASM_CX
18323 +1: __copyuser_seg movb %al,(_DEST)
18326 ENDPROC(__put_user_1)
18328 ENTRY(__put_user_2)
18331 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18332 + GET_THREAD_INFO(%_ASM_BX)
18333 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
18335 cmp %_ASM_BX,%_ASM_CX
18337 -2: movw %ax,(%_ASM_CX)
18339 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18340 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
18341 + cmp %_ASM_BX,%_ASM_CX
18349 +2: __copyuser_seg movw %ax,(_DEST)
18352 ENDPROC(__put_user_2)
18354 ENTRY(__put_user_4)
18357 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18358 + GET_THREAD_INFO(%_ASM_BX)
18359 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
18361 cmp %_ASM_BX,%_ASM_CX
18363 -3: movl %eax,(%_ASM_CX)
18365 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18366 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
18367 + cmp %_ASM_BX,%_ASM_CX
18375 +3: __copyuser_seg movl %eax,(_DEST)
18378 ENDPROC(__put_user_4)
18380 ENTRY(__put_user_8)
18383 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18384 + GET_THREAD_INFO(%_ASM_BX)
18385 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
18387 cmp %_ASM_BX,%_ASM_CX
18389 -4: mov %_ASM_AX,(%_ASM_CX)
18391 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18392 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
18393 + cmp %_ASM_BX,%_ASM_CX
18401 +4: __copyuser_seg mov %_ASM_AX,(_DEST)
18402 #ifdef CONFIG_X86_32
18403 -5: movl %edx,4(%_ASM_CX)
18404 +5: __copyuser_seg movl %edx,4(_DEST)
18408 diff -urNp linux-2.6.38.6/arch/x86/lib/usercopy_32.c linux-2.6.38.6/arch/x86/lib/usercopy_32.c
18409 --- linux-2.6.38.6/arch/x86/lib/usercopy_32.c 2011-03-14 21:20:32.000000000 -0400
18410 +++ linux-2.6.38.6/arch/x86/lib/usercopy_32.c 2011-04-28 19:34:14.000000000 -0400
18411 @@ -43,7 +43,7 @@ do { \
18412 __asm__ __volatile__( \
18416 + "0: "__copyuser_seg"lodsb\n" \
18418 " testb %%al,%%al\n" \
18420 @@ -128,10 +128,12 @@ do { \
18423 __asm__ __volatile__( \
18424 + __COPYUSER_SET_ES \
18425 "0: rep; stosl\n" \
18427 "1: rep; stosb\n" \
18429 + __COPYUSER_RESTORE_ES \
18430 ".section .fixup,\"ax\"\n" \
18431 "3: lea 0(%2,%0,4),%0\n" \
18433 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
18436 __asm__ __volatile__(
18437 + __COPYUSER_SET_ES
18441 @@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
18445 + __COPYUSER_RESTORE_ES
18446 ".section .fixup,\"ax\"\n"
18447 "2: xorl %%eax,%%eax\n"
18449 @@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
18451 #ifdef CONFIG_X86_INTEL_USERCOPY
18452 static unsigned long
18453 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
18454 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
18457 __asm__ __volatile__(
18458 @@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
18460 "3: movl 0(%4), %%eax\n"
18461 "4: movl 4(%4), %%edx\n"
18462 - "5: movl %%eax, 0(%3)\n"
18463 - "6: movl %%edx, 4(%3)\n"
18464 + "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
18465 + "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
18466 "7: movl 8(%4), %%eax\n"
18467 "8: movl 12(%4),%%edx\n"
18468 - "9: movl %%eax, 8(%3)\n"
18469 - "10: movl %%edx, 12(%3)\n"
18470 + "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
18471 + "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
18472 "11: movl 16(%4), %%eax\n"
18473 "12: movl 20(%4), %%edx\n"
18474 - "13: movl %%eax, 16(%3)\n"
18475 - "14: movl %%edx, 20(%3)\n"
18476 + "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
18477 + "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
18478 "15: movl 24(%4), %%eax\n"
18479 "16: movl 28(%4), %%edx\n"
18480 - "17: movl %%eax, 24(%3)\n"
18481 - "18: movl %%edx, 28(%3)\n"
18482 + "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
18483 + "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
18484 "19: movl 32(%4), %%eax\n"
18485 "20: movl 36(%4), %%edx\n"
18486 - "21: movl %%eax, 32(%3)\n"
18487 - "22: movl %%edx, 36(%3)\n"
18488 + "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
18489 + "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
18490 "23: movl 40(%4), %%eax\n"
18491 "24: movl 44(%4), %%edx\n"
18492 - "25: movl %%eax, 40(%3)\n"
18493 - "26: movl %%edx, 44(%3)\n"
18494 + "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
18495 + "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
18496 "27: movl 48(%4), %%eax\n"
18497 "28: movl 52(%4), %%edx\n"
18498 - "29: movl %%eax, 48(%3)\n"
18499 - "30: movl %%edx, 52(%3)\n"
18500 + "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
18501 + "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
18502 "31: movl 56(%4), %%eax\n"
18503 "32: movl 60(%4), %%edx\n"
18504 - "33: movl %%eax, 56(%3)\n"
18505 - "34: movl %%edx, 60(%3)\n"
18506 + "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
18507 + "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
18511 @@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
18513 " andl $3, %%eax\n"
18515 + __COPYUSER_SET_ES
18517 "36: movl %%eax, %0\n"
18520 + __COPYUSER_RESTORE_ES
18521 + ".section .fixup,\"ax\"\n"
18522 + "101: lea 0(%%eax,%0,4),%0\n"
18525 + ".section __ex_table,\"a\"\n"
18527 + " .long 1b,100b\n"
18528 + " .long 2b,100b\n"
18529 + " .long 3b,100b\n"
18530 + " .long 4b,100b\n"
18531 + " .long 5b,100b\n"
18532 + " .long 6b,100b\n"
18533 + " .long 7b,100b\n"
18534 + " .long 8b,100b\n"
18535 + " .long 9b,100b\n"
18536 + " .long 10b,100b\n"
18537 + " .long 11b,100b\n"
18538 + " .long 12b,100b\n"
18539 + " .long 13b,100b\n"
18540 + " .long 14b,100b\n"
18541 + " .long 15b,100b\n"
18542 + " .long 16b,100b\n"
18543 + " .long 17b,100b\n"
18544 + " .long 18b,100b\n"
18545 + " .long 19b,100b\n"
18546 + " .long 20b,100b\n"
18547 + " .long 21b,100b\n"
18548 + " .long 22b,100b\n"
18549 + " .long 23b,100b\n"
18550 + " .long 24b,100b\n"
18551 + " .long 25b,100b\n"
18552 + " .long 26b,100b\n"
18553 + " .long 27b,100b\n"
18554 + " .long 28b,100b\n"
18555 + " .long 29b,100b\n"
18556 + " .long 30b,100b\n"
18557 + " .long 31b,100b\n"
18558 + " .long 32b,100b\n"
18559 + " .long 33b,100b\n"
18560 + " .long 34b,100b\n"
18561 + " .long 35b,100b\n"
18562 + " .long 36b,100b\n"
18563 + " .long 37b,100b\n"
18564 + " .long 99b,101b\n"
18566 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
18567 + : "1"(to), "2"(from), "0"(size)
18568 + : "eax", "edx", "memory");
18572 +static unsigned long
18573 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
18576 + __asm__ __volatile__(
18577 + " .align 2,0x90\n"
18578 + "1: "__copyuser_seg" movl 32(%4), %%eax\n"
18579 + " cmpl $67, %0\n"
18581 + "2: "__copyuser_seg" movl 64(%4), %%eax\n"
18582 + " .align 2,0x90\n"
18583 + "3: "__copyuser_seg" movl 0(%4), %%eax\n"
18584 + "4: "__copyuser_seg" movl 4(%4), %%edx\n"
18585 + "5: movl %%eax, 0(%3)\n"
18586 + "6: movl %%edx, 4(%3)\n"
18587 + "7: "__copyuser_seg" movl 8(%4), %%eax\n"
18588 + "8: "__copyuser_seg" movl 12(%4),%%edx\n"
18589 + "9: movl %%eax, 8(%3)\n"
18590 + "10: movl %%edx, 12(%3)\n"
18591 + "11: "__copyuser_seg" movl 16(%4), %%eax\n"
18592 + "12: "__copyuser_seg" movl 20(%4), %%edx\n"
18593 + "13: movl %%eax, 16(%3)\n"
18594 + "14: movl %%edx, 20(%3)\n"
18595 + "15: "__copyuser_seg" movl 24(%4), %%eax\n"
18596 + "16: "__copyuser_seg" movl 28(%4), %%edx\n"
18597 + "17: movl %%eax, 24(%3)\n"
18598 + "18: movl %%edx, 28(%3)\n"
18599 + "19: "__copyuser_seg" movl 32(%4), %%eax\n"
18600 + "20: "__copyuser_seg" movl 36(%4), %%edx\n"
18601 + "21: movl %%eax, 32(%3)\n"
18602 + "22: movl %%edx, 36(%3)\n"
18603 + "23: "__copyuser_seg" movl 40(%4), %%eax\n"
18604 + "24: "__copyuser_seg" movl 44(%4), %%edx\n"
18605 + "25: movl %%eax, 40(%3)\n"
18606 + "26: movl %%edx, 44(%3)\n"
18607 + "27: "__copyuser_seg" movl 48(%4), %%eax\n"
18608 + "28: "__copyuser_seg" movl 52(%4), %%edx\n"
18609 + "29: movl %%eax, 48(%3)\n"
18610 + "30: movl %%edx, 52(%3)\n"
18611 + "31: "__copyuser_seg" movl 56(%4), %%eax\n"
18612 + "32: "__copyuser_seg" movl 60(%4), %%edx\n"
18613 + "33: movl %%eax, 56(%3)\n"
18614 + "34: movl %%edx, 60(%3)\n"
18615 + " addl $-64, %0\n"
18616 + " addl $64, %4\n"
18617 + " addl $64, %3\n"
18618 + " cmpl $63, %0\n"
18620 + "35: movl %0, %%eax\n"
18622 + " andl $3, %%eax\n"
18624 + "99: rep; "__copyuser_seg" movsl\n"
18625 + "36: movl %%eax, %0\n"
18626 + "37: rep; "__copyuser_seg" movsb\n"
18628 ".section .fixup,\"ax\"\n"
18629 "101: lea 0(%%eax,%0,4),%0\n"
18631 @@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
18633 __asm__ __volatile__(
18635 - "0: movl 32(%4), %%eax\n"
18636 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
18639 - "1: movl 64(%4), %%eax\n"
18640 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
18642 - "2: movl 0(%4), %%eax\n"
18643 - "21: movl 4(%4), %%edx\n"
18644 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
18645 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
18646 " movl %%eax, 0(%3)\n"
18647 " movl %%edx, 4(%3)\n"
18648 - "3: movl 8(%4), %%eax\n"
18649 - "31: movl 12(%4),%%edx\n"
18650 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
18651 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
18652 " movl %%eax, 8(%3)\n"
18653 " movl %%edx, 12(%3)\n"
18654 - "4: movl 16(%4), %%eax\n"
18655 - "41: movl 20(%4), %%edx\n"
18656 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
18657 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
18658 " movl %%eax, 16(%3)\n"
18659 " movl %%edx, 20(%3)\n"
18660 - "10: movl 24(%4), %%eax\n"
18661 - "51: movl 28(%4), %%edx\n"
18662 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
18663 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
18664 " movl %%eax, 24(%3)\n"
18665 " movl %%edx, 28(%3)\n"
18666 - "11: movl 32(%4), %%eax\n"
18667 - "61: movl 36(%4), %%edx\n"
18668 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
18669 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
18670 " movl %%eax, 32(%3)\n"
18671 " movl %%edx, 36(%3)\n"
18672 - "12: movl 40(%4), %%eax\n"
18673 - "71: movl 44(%4), %%edx\n"
18674 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
18675 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
18676 " movl %%eax, 40(%3)\n"
18677 " movl %%edx, 44(%3)\n"
18678 - "13: movl 48(%4), %%eax\n"
18679 - "81: movl 52(%4), %%edx\n"
18680 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
18681 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
18682 " movl %%eax, 48(%3)\n"
18683 " movl %%edx, 52(%3)\n"
18684 - "14: movl 56(%4), %%eax\n"
18685 - "91: movl 60(%4), %%edx\n"
18686 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
18687 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
18688 " movl %%eax, 56(%3)\n"
18689 " movl %%edx, 60(%3)\n"
18691 @@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
18693 " andl $3, %%eax\n"
18695 - "6: rep; movsl\n"
18696 + "6: rep; "__copyuser_seg" movsl\n"
18698 - "7: rep; movsb\n"
18699 + "7: rep; "__copyuser_seg" movsb\n"
18701 ".section .fixup,\"ax\"\n"
18702 "9: lea 0(%%eax,%0,4),%0\n"
18703 @@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
18705 __asm__ __volatile__(
18707 - "0: movl 32(%4), %%eax\n"
18708 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
18711 - "1: movl 64(%4), %%eax\n"
18712 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
18714 - "2: movl 0(%4), %%eax\n"
18715 - "21: movl 4(%4), %%edx\n"
18716 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
18717 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
18718 " movnti %%eax, 0(%3)\n"
18719 " movnti %%edx, 4(%3)\n"
18720 - "3: movl 8(%4), %%eax\n"
18721 - "31: movl 12(%4),%%edx\n"
18722 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
18723 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
18724 " movnti %%eax, 8(%3)\n"
18725 " movnti %%edx, 12(%3)\n"
18726 - "4: movl 16(%4), %%eax\n"
18727 - "41: movl 20(%4), %%edx\n"
18728 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
18729 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
18730 " movnti %%eax, 16(%3)\n"
18731 " movnti %%edx, 20(%3)\n"
18732 - "10: movl 24(%4), %%eax\n"
18733 - "51: movl 28(%4), %%edx\n"
18734 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
18735 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
18736 " movnti %%eax, 24(%3)\n"
18737 " movnti %%edx, 28(%3)\n"
18738 - "11: movl 32(%4), %%eax\n"
18739 - "61: movl 36(%4), %%edx\n"
18740 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
18741 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
18742 " movnti %%eax, 32(%3)\n"
18743 " movnti %%edx, 36(%3)\n"
18744 - "12: movl 40(%4), %%eax\n"
18745 - "71: movl 44(%4), %%edx\n"
18746 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
18747 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
18748 " movnti %%eax, 40(%3)\n"
18749 " movnti %%edx, 44(%3)\n"
18750 - "13: movl 48(%4), %%eax\n"
18751 - "81: movl 52(%4), %%edx\n"
18752 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
18753 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
18754 " movnti %%eax, 48(%3)\n"
18755 " movnti %%edx, 52(%3)\n"
18756 - "14: movl 56(%4), %%eax\n"
18757 - "91: movl 60(%4), %%edx\n"
18758 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
18759 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
18760 " movnti %%eax, 56(%3)\n"
18761 " movnti %%edx, 60(%3)\n"
18763 @@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
18765 " andl $3, %%eax\n"
18767 - "6: rep; movsl\n"
18768 + "6: rep; "__copyuser_seg" movsl\n"
18770 - "7: rep; movsb\n"
18771 + "7: rep; "__copyuser_seg" movsb\n"
18773 ".section .fixup,\"ax\"\n"
18774 "9: lea 0(%%eax,%0,4),%0\n"
18775 @@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
18777 __asm__ __volatile__(
18779 - "0: movl 32(%4), %%eax\n"
18780 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
18783 - "1: movl 64(%4), %%eax\n"
18784 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
18786 - "2: movl 0(%4), %%eax\n"
18787 - "21: movl 4(%4), %%edx\n"
18788 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
18789 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
18790 " movnti %%eax, 0(%3)\n"
18791 " movnti %%edx, 4(%3)\n"
18792 - "3: movl 8(%4), %%eax\n"
18793 - "31: movl 12(%4),%%edx\n"
18794 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
18795 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
18796 " movnti %%eax, 8(%3)\n"
18797 " movnti %%edx, 12(%3)\n"
18798 - "4: movl 16(%4), %%eax\n"
18799 - "41: movl 20(%4), %%edx\n"
18800 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
18801 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
18802 " movnti %%eax, 16(%3)\n"
18803 " movnti %%edx, 20(%3)\n"
18804 - "10: movl 24(%4), %%eax\n"
18805 - "51: movl 28(%4), %%edx\n"
18806 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
18807 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
18808 " movnti %%eax, 24(%3)\n"
18809 " movnti %%edx, 28(%3)\n"
18810 - "11: movl 32(%4), %%eax\n"
18811 - "61: movl 36(%4), %%edx\n"
18812 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
18813 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
18814 " movnti %%eax, 32(%3)\n"
18815 " movnti %%edx, 36(%3)\n"
18816 - "12: movl 40(%4), %%eax\n"
18817 - "71: movl 44(%4), %%edx\n"
18818 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
18819 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
18820 " movnti %%eax, 40(%3)\n"
18821 " movnti %%edx, 44(%3)\n"
18822 - "13: movl 48(%4), %%eax\n"
18823 - "81: movl 52(%4), %%edx\n"
18824 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
18825 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
18826 " movnti %%eax, 48(%3)\n"
18827 " movnti %%edx, 52(%3)\n"
18828 - "14: movl 56(%4), %%eax\n"
18829 - "91: movl 60(%4), %%edx\n"
18830 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
18831 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
18832 " movnti %%eax, 56(%3)\n"
18833 " movnti %%edx, 60(%3)\n"
18835 @@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
18837 " andl $3, %%eax\n"
18839 - "6: rep; movsl\n"
18840 + "6: rep; "__copyuser_seg" movsl\n"
18842 - "7: rep; movsb\n"
18843 + "7: rep; "__copyuser_seg" movsb\n"
18845 ".section .fixup,\"ax\"\n"
18846 "9: lea 0(%%eax,%0,4),%0\n"
18847 @@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
18849 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
18850 unsigned long size);
18851 -unsigned long __copy_user_intel(void __user *to, const void *from,
18852 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
18853 + unsigned long size);
18854 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
18855 unsigned long size);
18856 unsigned long __copy_user_zeroing_intel_nocache(void *to,
18857 const void __user *from, unsigned long size);
18858 #endif /* CONFIG_X86_INTEL_USERCOPY */
18860 /* Generic arbitrary sized copy. */
18861 -#define __copy_user(to, from, size) \
18862 +#define __copy_user(to, from, size, prefix, set, restore) \
18864 int __d0, __d1, __d2; \
18865 __asm__ __volatile__( \
18873 - "4: rep; movsb\n" \
18874 + "4: rep; "prefix"movsb\n" \
18878 " .align 2,0x90\n" \
18879 - "0: rep; movsl\n" \
18880 + "0: rep; "prefix"movsl\n" \
18882 - "1: rep; movsb\n" \
18883 + "1: rep; "prefix"movsb\n" \
18886 ".section .fixup,\"ax\"\n" \
18887 "5: addl %3,%0\n" \
18889 @@ -682,14 +799,14 @@ do { \
18893 - "4: rep; movsb\n" \
18894 + "4: rep; "__copyuser_seg"movsb\n" \
18898 " .align 2,0x90\n" \
18899 - "0: rep; movsl\n" \
18900 + "0: rep; "__copyuser_seg"movsl\n" \
18902 - "1: rep; movsb\n" \
18903 + "1: rep; "__copyuser_seg"movsb\n" \
18905 ".section .fixup,\"ax\"\n" \
18906 "5: addl %3,%0\n" \
18907 @@ -775,9 +892,9 @@ survive:
18910 if (movsl_is_ok(to, from, n))
18911 - __copy_user(to, from, n);
18912 + __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
18914 - n = __copy_user_intel(to, from, n);
18915 + n = __generic_copy_to_user_intel(to, from, n);
18918 EXPORT_SYMBOL(__copy_to_user_ll);
18919 @@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
18922 if (movsl_is_ok(to, from, n))
18923 - __copy_user(to, from, n);
18924 + __copy_user(to, from, n, __copyuser_seg, "", "");
18926 - n = __copy_user_intel((void __user *)to,
18927 - (const void *)from, n);
18928 + n = __generic_copy_from_user_intel(to, from, n);
18931 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
18932 @@ -827,65 +943,50 @@ unsigned long __copy_from_user_ll_nocach
18933 if (n > 64 && cpu_has_xmm2)
18934 n = __copy_user_intel_nocache(to, from, n);
18936 - __copy_user(to, from, n);
18937 + __copy_user(to, from, n, __copyuser_seg, "", "");
18939 - __copy_user(to, from, n);
18940 + __copy_user(to, from, n, __copyuser_seg, "", "");
18944 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
18947 - * copy_to_user: - Copy a block of data into user space.
18948 - * @to: Destination address, in user space.
18949 - * @from: Source address, in kernel space.
18950 - * @n: Number of bytes to copy.
18952 - * Context: User context only. This function may sleep.
18954 - * Copy data from kernel space to user space.
18956 - * Returns number of bytes that could not be copied.
18957 - * On success, this will be zero.
18960 -copy_to_user(void __user *to, const void *from, unsigned long n)
18961 +void copy_from_user_overflow(void)
18963 - if (access_ok(VERIFY_WRITE, to, n))
18964 - n = __copy_to_user(to, from, n);
18966 + WARN(1, "Buffer overflow detected!\n");
18968 -EXPORT_SYMBOL(copy_to_user);
18969 +EXPORT_SYMBOL(copy_from_user_overflow);
18972 - * copy_from_user: - Copy a block of data from user space.
18973 - * @to: Destination address, in kernel space.
18974 - * @from: Source address, in user space.
18975 - * @n: Number of bytes to copy.
18977 - * Context: User context only. This function may sleep.
18979 - * Copy data from user space to kernel space.
18981 - * Returns number of bytes that could not be copied.
18982 - * On success, this will be zero.
18984 - * If some data could not be copied, this function will pad the copied
18985 - * data to the requested size using zero bytes.
18988 -_copy_from_user(void *to, const void __user *from, unsigned long n)
18989 +void copy_to_user_overflow(void)
18991 - if (access_ok(VERIFY_READ, from, n))
18992 - n = __copy_from_user(to, from, n);
18994 - memset(to, 0, n);
18996 + WARN(1, "Buffer overflow detected!\n");
18998 -EXPORT_SYMBOL(_copy_from_user);
18999 +EXPORT_SYMBOL(copy_to_user_overflow);
19001 -void copy_from_user_overflow(void)
19002 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19003 +void __set_fs(mm_segment_t x)
19005 - WARN(1, "Buffer overflow detected!\n");
19008 + loadsegment(gs, 0);
19010 + case TASK_SIZE_MAX:
19011 + loadsegment(gs, __USER_DS);
19014 + loadsegment(gs, __KERNEL_DS);
19021 -EXPORT_SYMBOL(copy_from_user_overflow);
19022 +EXPORT_SYMBOL(__set_fs);
19024 +void set_fs(mm_segment_t x)
19026 + current_thread_info()->addr_limit = x;
19029 +EXPORT_SYMBOL(set_fs);
19031 diff -urNp linux-2.6.38.6/arch/x86/lib/usercopy_64.c linux-2.6.38.6/arch/x86/lib/usercopy_64.c
19032 --- linux-2.6.38.6/arch/x86/lib/usercopy_64.c 2011-03-14 21:20:32.000000000 -0400
19033 +++ linux-2.6.38.6/arch/x86/lib/usercopy_64.c 2011-04-28 19:57:25.000000000 -0400
19034 @@ -42,6 +42,12 @@ long
19035 __strncpy_from_user(char *dst, const char __user *src, long count)
19039 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19040 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
19041 + src += PAX_USER_SHADOW_BASE;
19044 __do_strncpy_from_user(dst, src, count, res);
19047 @@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *
19052 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19053 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
19054 + addr += PAX_USER_SHADOW_BASE;
19057 /* no memory constraint because it doesn't change any memory gcc knows
19060 @@ -151,10 +163,18 @@ EXPORT_SYMBOL(strlen_user);
19062 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
19064 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
19065 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
19067 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19068 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
19069 + to += PAX_USER_SHADOW_BASE;
19070 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
19071 + from += PAX_USER_SHADOW_BASE;
19074 return copy_user_generic((__force void *)to, (__force void *)from, len);
19080 EXPORT_SYMBOL(copy_in_user);
19082 diff -urNp linux-2.6.38.6/arch/x86/Makefile linux-2.6.38.6/arch/x86/Makefile
19083 --- linux-2.6.38.6/arch/x86/Makefile 2011-03-14 21:20:32.000000000 -0400
19084 +++ linux-2.6.38.6/arch/x86/Makefile 2011-04-28 19:34:14.000000000 -0400
19085 @@ -195,3 +195,12 @@ define archhelp
19086 echo ' FDARGS="..." arguments for the booted kernel'
19087 echo ' FDINITRD=file initrd for the booted kernel'
19092 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
19093 +*** Please upgrade your binutils to 2.18 or newer
19097 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
19098 diff -urNp linux-2.6.38.6/arch/x86/mm/extable.c linux-2.6.38.6/arch/x86/mm/extable.c
19099 --- linux-2.6.38.6/arch/x86/mm/extable.c 2011-03-14 21:20:32.000000000 -0400
19100 +++ linux-2.6.38.6/arch/x86/mm/extable.c 2011-04-28 19:34:14.000000000 -0400
19102 #include <linux/module.h>
19103 #include <linux/spinlock.h>
19104 +#include <linux/sort.h>
19105 #include <asm/uaccess.h>
19106 +#include <asm/pgtable.h>
19109 + * The exception table needs to be sorted so that the binary
19110 + * search that we use to find entries in it works properly.
19111 + * This is used both for the kernel exception table and for
19112 + * the exception tables of modules that get loaded.
19114 +static int cmp_ex(const void *a, const void *b)
19116 + const struct exception_table_entry *x = a, *y = b;
19118 + /* avoid overflow */
19119 + if (x->insn > y->insn)
19121 + if (x->insn < y->insn)
19126 +static void swap_ex(void *a, void *b, int size)
19128 + struct exception_table_entry t, *x = a, *y = b;
19132 + pax_open_kernel();
19135 + pax_close_kernel();
19138 +void sort_extable(struct exception_table_entry *start,
19139 + struct exception_table_entry *finish)
19141 + sort(start, finish - start, sizeof(struct exception_table_entry),
19142 + cmp_ex, swap_ex);
19145 +#ifdef CONFIG_MODULES
19147 + * If the exception table is sorted, any referring to the module init
19148 + * will be at the beginning or the end.
19150 +void trim_init_extable(struct module *m)
19152 + /*trim the beginning*/
19153 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
19155 + m->num_exentries--;
19158 + while (m->num_exentries &&
19159 + within_module_init(m->extable[m->num_exentries-1].insn, m))
19160 + m->num_exentries--;
19162 +#endif /* CONFIG_MODULES */
19164 int fixup_exception(struct pt_regs *regs)
19166 const struct exception_table_entry *fixup;
19168 #ifdef CONFIG_PNPBIOS
19169 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
19170 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
19171 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
19172 extern u32 pnp_bios_is_utter_crap;
19173 pnp_bios_is_utter_crap = 1;
19174 diff -urNp linux-2.6.38.6/arch/x86/mm/fault.c linux-2.6.38.6/arch/x86/mm/fault.c
19175 --- linux-2.6.38.6/arch/x86/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
19176 +++ linux-2.6.38.6/arch/x86/mm/fault.c 2011-04-28 19:34:14.000000000 -0400
19177 @@ -12,10 +12,18 @@
19178 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
19179 #include <linux/perf_event.h> /* perf_sw_event */
19180 #include <linux/hugetlb.h> /* hstate_index_to_shift */
19181 +#include <linux/unistd.h>
19182 +#include <linux/compiler.h>
19184 #include <asm/traps.h> /* dotraplinkage, ... */
19185 #include <asm/pgalloc.h> /* pgd_*(), ... */
19186 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
19187 +#include <asm/vsyscall.h>
19188 +#include <asm/tlbflush.h>
19190 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19191 +#include <asm/stacktrace.h>
19195 * Page fault error code bits:
19196 @@ -53,7 +61,7 @@ static inline int __kprobes notify_page_
19199 /* kprobe_running() needs smp_processor_id() */
19200 - if (kprobes_built_in() && !user_mode_vm(regs)) {
19201 + if (kprobes_built_in() && !user_mode(regs)) {
19203 if (kprobe_running() && kprobe_fault_handler(regs, 14))
19205 @@ -114,7 +122,10 @@ check_prefetch_opcode(struct pt_regs *re
19206 return !instr_lo || (instr_lo>>1) == 1;
19208 /* Prefetch instruction is 0x0F0D or 0x0F18 */
19209 - if (probe_kernel_address(instr, opcode))
19210 + if (user_mode(regs)) {
19211 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
19213 + } else if (probe_kernel_address(instr, opcode))
19216 *prefetch = (instr_lo == 0xF) &&
19217 @@ -148,7 +159,10 @@ is_prefetch(struct pt_regs *regs, unsign
19218 while (instr < max_instr) {
19219 unsigned char opcode;
19221 - if (probe_kernel_address(instr, opcode))
19222 + if (user_mode(regs)) {
19223 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
19225 + } else if (probe_kernel_address(instr, opcode))
19229 @@ -179,6 +193,30 @@ force_sig_info_fault(int si_signo, int s
19230 force_sig_info(si_signo, &info, tsk);
19233 +#ifdef CONFIG_PAX_EMUTRAMP
19234 +static int pax_handle_fetch_fault(struct pt_regs *regs);
19237 +#ifdef CONFIG_PAX_PAGEEXEC
19238 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
19244 + pgd = pgd_offset(mm, address);
19245 + if (!pgd_present(*pgd))
19247 + pud = pud_offset(pgd, address);
19248 + if (!pud_present(*pud))
19250 + pmd = pmd_offset(pud, address);
19251 + if (!pmd_present(*pmd))
19257 DEFINE_SPINLOCK(pgd_lock);
19258 LIST_HEAD(pgd_list);
19260 @@ -229,10 +267,22 @@ void vmalloc_sync_all(void)
19261 for (address = VMALLOC_START & PMD_MASK;
19262 address >= TASK_SIZE && address < FIXADDR_TOP;
19263 address += PMD_SIZE) {
19265 +#ifdef CONFIG_PAX_PER_CPU_PGD
19266 + unsigned long cpu;
19271 spin_lock(&pgd_lock);
19273 +#ifdef CONFIG_PAX_PER_CPU_PGD
19274 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
19275 + pgd_t *pgd = get_cpu_pgd(cpu);
19278 list_for_each_entry(page, &pgd_list, lru) {
19279 + pgd_t *pgd = page_address(page);
19280 spinlock_t *pgt_lock;
19283 @@ -240,8 +290,13 @@ void vmalloc_sync_all(void)
19284 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
19286 spin_lock(pgt_lock);
19287 - ret = vmalloc_sync_one(page_address(page), address);
19290 + ret = vmalloc_sync_one(pgd, address);
19292 +#ifndef CONFIG_PAX_PER_CPU_PGD
19293 spin_unlock(pgt_lock);
19298 @@ -275,6 +330,11 @@ static noinline __kprobes int vmalloc_fa
19299 * an interrupt in the middle of a task switch..
19301 pgd_paddr = read_cr3();
19303 +#ifdef CONFIG_PAX_PER_CPU_PGD
19304 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
19307 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
19310 @@ -370,7 +430,14 @@ static noinline __kprobes int vmalloc_fa
19311 * happen within a race in page table update. In the later
19315 +#ifdef CONFIG_PAX_PER_CPU_PGD
19316 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
19317 + pgd = pgd_offset_cpu(smp_processor_id(), address);
19319 pgd = pgd_offset(current->active_mm, address);
19322 pgd_ref = pgd_offset_k(address);
19323 if (pgd_none(*pgd_ref))
19325 @@ -532,7 +599,7 @@ static int is_errata93(struct pt_regs *r
19326 static int is_errata100(struct pt_regs *regs, unsigned long address)
19328 #ifdef CONFIG_X86_64
19329 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
19330 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
19334 @@ -559,7 +626,7 @@ static int is_f00f_bug(struct pt_regs *r
19337 static const char nx_warning[] = KERN_CRIT
19338 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
19339 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
19342 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
19343 @@ -568,15 +635,26 @@ show_fault_oops(struct pt_regs *regs, un
19344 if (!oops_may_print())
19347 - if (error_code & PF_INSTR) {
19348 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
19349 unsigned int level;
19351 pte_t *pte = lookup_address(address, &level);
19353 if (pte && pte_present(*pte) && !pte_exec(*pte))
19354 - printk(nx_warning, current_uid());
19355 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
19358 +#ifdef CONFIG_PAX_KERNEXEC
19359 + if (init_mm.start_code <= address && address < init_mm.end_code) {
19360 + if (current->signal->curr_ip)
19361 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
19362 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
19364 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
19365 + current->comm, task_pid_nr(current), current_uid(), current_euid());
19369 printk(KERN_ALERT "BUG: unable to handle kernel ");
19370 if (address < PAGE_SIZE)
19371 printk(KERN_CONT "NULL pointer dereference");
19372 @@ -701,6 +779,68 @@ __bad_area_nosemaphore(struct pt_regs *r
19373 unsigned long address, int si_code)
19375 struct task_struct *tsk = current;
19376 + struct mm_struct *mm = tsk->mm;
19378 +#ifdef CONFIG_X86_64
19379 + if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
19380 + if (regs->ip == (unsigned long)vgettimeofday) {
19381 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
19383 + } else if (regs->ip == (unsigned long)vtime) {
19384 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
19386 + } else if (regs->ip == (unsigned long)vgetcpu) {
19387 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
19393 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
19394 + if (mm && (error_code & PF_USER)) {
19395 + unsigned long ip = regs->ip;
19397 + if (v8086_mode(regs))
19398 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
19401 + * It's possible to have interrupts off here:
19403 + local_irq_enable();
19405 +#ifdef CONFIG_PAX_PAGEEXEC
19406 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
19407 + (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
19409 +#ifdef CONFIG_PAX_EMUTRAMP
19410 + switch (pax_handle_fetch_fault(regs)) {
19416 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
19417 + do_group_exit(SIGKILL);
19421 +#ifdef CONFIG_PAX_SEGMEXEC
19422 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
19424 +#ifdef CONFIG_PAX_EMUTRAMP
19425 + switch (pax_handle_fetch_fault(regs)) {
19431 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
19432 + do_group_exit(SIGKILL);
19439 /* User mode accesses just cause a SIGSEGV */
19440 if (error_code & PF_USER) {
19441 @@ -855,6 +995,99 @@ static int spurious_fault_check(unsigned
19445 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
19446 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
19451 + unsigned char pte_mask;
19453 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
19454 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
19457 + /* PaX: it's our fault, let's handle it if we can */
19459 + /* PaX: take a look at read faults before acquiring any locks */
19460 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
19461 + /* instruction fetch attempt from a protected page in user mode */
19462 + up_read(&mm->mmap_sem);
19464 +#ifdef CONFIG_PAX_EMUTRAMP
19465 + switch (pax_handle_fetch_fault(regs)) {
19471 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
19472 + do_group_exit(SIGKILL);
19475 + pmd = pax_get_pmd(mm, address);
19476 + if (unlikely(!pmd))
19479 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
19480 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
19481 + pte_unmap_unlock(pte, ptl);
19485 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
19486 + /* write attempt to a protected page in user mode */
19487 + pte_unmap_unlock(pte, ptl);
19492 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
19494 + if (likely(address > get_limit(regs->cs)))
19497 + set_pte(pte, pte_mkread(*pte));
19498 + __flush_tlb_one(address);
19499 + pte_unmap_unlock(pte, ptl);
19500 + up_read(&mm->mmap_sem);
19504 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
19507 + * PaX: fill DTLB with user rights and retry
19509 + __asm__ __volatile__ (
19511 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
19513 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
19514 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
19515 + * page fault when examined during a TLB load attempt. this is true not only
19516 + * for PTEs holding a non-present entry but also present entries that will
19517 + * raise a page fault (such as those set up by PaX, or the copy-on-write
19518 + * mechanism). in effect it means that we do *not* need to flush the TLBs
19519 + * for our target pages since their PTEs are simply not in the TLBs at all.
19521 + * the best thing in omitting it is that we gain around 15-20% speed in the
19522 + * fast path of the page fault handler and can get rid of tracing since we
19523 + * can no longer flush unintended entries.
19527 + __copyuser_seg"testb $0,(%0)\n"
19530 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
19531 + : "memory", "cc");
19532 + pte_unmap_unlock(pte, ptl);
19533 + up_read(&mm->mmap_sem);
19539 * Handle a spurious fault caused by a stale TLB entry.
19541 @@ -927,6 +1160,9 @@ int show_unhandled_signals = 1;
19543 access_error(unsigned long error_code, struct vm_area_struct *vma)
19545 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
19548 if (error_code & PF_WRITE) {
19549 /* write, present and write, not present: */
19550 if (unlikely(!(vma->vm_flags & VM_WRITE)))
19551 @@ -960,19 +1196,33 @@ do_page_fault(struct pt_regs *regs, unsi
19553 struct vm_area_struct *vma;
19554 struct task_struct *tsk;
19555 - unsigned long address;
19556 struct mm_struct *mm;
19558 int write = error_code & PF_WRITE;
19559 unsigned int flags = FAULT_FLAG_ALLOW_RETRY |
19560 (write ? FAULT_FLAG_WRITE : 0);
19562 + /* Get the faulting address: */
19563 + unsigned long address = read_cr2();
19565 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19566 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
19567 + if (!search_exception_tables(regs->ip)) {
19568 + bad_area_nosemaphore(regs, error_code, address);
19571 + if (address < PAX_USER_SHADOW_BASE) {
19572 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
19573 + printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
19574 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, KERN_ERR);
19576 + address -= PAX_USER_SHADOW_BASE;
19583 - /* Get the faulting address: */
19584 - address = read_cr2();
19587 * Detect and handle instructions that would cause a page fault for
19588 * both a tracked kernel page and a userspace page.
19589 @@ -1032,7 +1282,7 @@ do_page_fault(struct pt_regs *regs, unsi
19590 * User-mode registers count as a user access even for any
19591 * potential system fault or CPU buglet:
19593 - if (user_mode_vm(regs)) {
19594 + if (user_mode(regs)) {
19595 local_irq_enable();
19596 error_code |= PF_USER;
19598 @@ -1087,6 +1337,11 @@ retry:
19602 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
19603 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
19607 vma = find_vma(mm, address);
19608 if (unlikely(!vma)) {
19609 bad_area(regs, error_code, address);
19610 @@ -1098,18 +1353,24 @@ retry:
19611 bad_area(regs, error_code, address);
19614 - if (error_code & PF_USER) {
19616 - * Accessing the stack below %sp is always a bug.
19617 - * The large cushion allows instructions like enter
19618 - * and pusha to work. ("enter $65535, $31" pushes
19619 - * 32 pointers and then decrements %sp by 65535.)
19621 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
19622 - bad_area(regs, error_code, address);
19626 + * Accessing the stack below %sp is always a bug.
19627 + * The large cushion allows instructions like enter
19628 + * and pusha to work. ("enter $65535, $31" pushes
19629 + * 32 pointers and then decrements %sp by 65535.)
19631 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
19632 + bad_area(regs, error_code, address);
19636 +#ifdef CONFIG_PAX_SEGMEXEC
19637 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
19638 + bad_area(regs, error_code, address);
19643 if (unlikely(expand_stack(vma, address))) {
19644 bad_area(regs, error_code, address);
19646 @@ -1164,3 +1425,199 @@ good_area:
19648 up_read(&mm->mmap_sem);
19651 +#ifdef CONFIG_PAX_EMUTRAMP
19652 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
19656 + do { /* PaX: gcc trampoline emulation #1 */
19657 + unsigned char mov1, mov2;
19658 + unsigned short jmp;
19659 + unsigned int addr1, addr2;
19661 +#ifdef CONFIG_X86_64
19662 + if ((regs->ip + 11) >> 32)
19666 + err = get_user(mov1, (unsigned char __user *)regs->ip);
19667 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
19668 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
19669 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
19670 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
19675 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
19676 + regs->cx = addr1;
19677 + regs->ax = addr2;
19678 + regs->ip = addr2;
19683 + do { /* PaX: gcc trampoline emulation #2 */
19684 + unsigned char mov, jmp;
19685 + unsigned int addr1, addr2;
19687 +#ifdef CONFIG_X86_64
19688 + if ((regs->ip + 9) >> 32)
19692 + err = get_user(mov, (unsigned char __user *)regs->ip);
19693 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
19694 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
19695 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
19700 + if (mov == 0xB9 && jmp == 0xE9) {
19701 + regs->cx = addr1;
19702 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
19707 + return 1; /* PaX in action */
19710 +#ifdef CONFIG_X86_64
19711 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
19715 + do { /* PaX: gcc trampoline emulation #1 */
19716 + unsigned short mov1, mov2, jmp1;
19717 + unsigned char jmp2;
19718 + unsigned int addr1;
19719 + unsigned long addr2;
19721 + err = get_user(mov1, (unsigned short __user *)regs->ip);
19722 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
19723 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
19724 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
19725 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
19726 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
19731 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
19732 + regs->r11 = addr1;
19733 + regs->r10 = addr2;
19734 + regs->ip = addr1;
19739 + do { /* PaX: gcc trampoline emulation #2 */
19740 + unsigned short mov1, mov2, jmp1;
19741 + unsigned char jmp2;
19742 + unsigned long addr1, addr2;
19744 + err = get_user(mov1, (unsigned short __user *)regs->ip);
19745 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
19746 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
19747 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
19748 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
19749 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
19754 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
19755 + regs->r11 = addr1;
19756 + regs->r10 = addr2;
19757 + regs->ip = addr1;
19762 + return 1; /* PaX in action */
19767 + * PaX: decide what to do with offenders (regs->ip = fault address)
19769 + * returns 1 when task should be killed
19770 + * 2 when gcc trampoline was detected
19772 +static int pax_handle_fetch_fault(struct pt_regs *regs)
19774 + if (v8086_mode(regs))
19777 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
19780 +#ifdef CONFIG_X86_32
19781 + return pax_handle_fetch_fault_32(regs);
19783 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
19784 + return pax_handle_fetch_fault_32(regs);
19786 + return pax_handle_fetch_fault_64(regs);
19791 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
19792 +void pax_report_insns(void *pc, void *sp)
19796 + printk(KERN_ERR "PAX: bytes at PC: ");
19797 + for (i = 0; i < 20; i++) {
19799 + if (get_user(c, (__force unsigned char __user *)pc+i))
19800 + printk(KERN_CONT "?? ");
19802 + printk(KERN_CONT "%02x ", c);
19806 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
19807 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
19809 + if (get_user(c, (__force unsigned long __user *)sp+i))
19810 +#ifdef CONFIG_X86_32
19811 + printk(KERN_CONT "???????? ");
19813 + printk(KERN_CONT "???????????????? ");
19816 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
19823 + * probe_kernel_write(): safely attempt to write to a location
19824 + * @dst: address to write to
19825 + * @src: pointer to the data that shall be written
19826 + * @size: size of the data chunk
19828 + * Safely write to address @dst from the buffer at @src. If a kernel fault
19829 + * happens, handle that and return -EFAULT.
19831 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
19834 + mm_segment_t old_fs = get_fs();
19836 + set_fs(KERNEL_DS);
19837 + pagefault_disable();
19838 + pax_open_kernel();
19839 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
19840 + pax_close_kernel();
19841 + pagefault_enable();
19844 + return ret ? -EFAULT : 0;
19846 diff -urNp linux-2.6.38.6/arch/x86/mm/gup.c linux-2.6.38.6/arch/x86/mm/gup.c
19847 --- linux-2.6.38.6/arch/x86/mm/gup.c 2011-03-14 21:20:32.000000000 -0400
19848 +++ linux-2.6.38.6/arch/x86/mm/gup.c 2011-04-28 19:34:14.000000000 -0400
19849 @@ -263,7 +263,7 @@ int __get_user_pages_fast(unsigned long
19851 len = (unsigned long) nr_pages << PAGE_SHIFT;
19853 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
19854 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
19855 (void __user *)start, len)))
19858 diff -urNp linux-2.6.38.6/arch/x86/mm/highmem_32.c linux-2.6.38.6/arch/x86/mm/highmem_32.c
19859 --- linux-2.6.38.6/arch/x86/mm/highmem_32.c 2011-03-14 21:20:32.000000000 -0400
19860 +++ linux-2.6.38.6/arch/x86/mm/highmem_32.c 2011-04-28 19:34:15.000000000 -0400
19861 @@ -44,7 +44,10 @@ void *kmap_atomic_prot(struct page *page
19862 idx = type + KM_TYPE_NR*smp_processor_id();
19863 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
19864 BUG_ON(!pte_none(*(kmap_pte-idx)));
19866 + pax_open_kernel();
19867 set_pte(kmap_pte-idx, mk_pte(page, prot));
19868 + pax_close_kernel();
19870 return (void *)vaddr;
19872 diff -urNp linux-2.6.38.6/arch/x86/mm/hugetlbpage.c linux-2.6.38.6/arch/x86/mm/hugetlbpage.c
19873 --- linux-2.6.38.6/arch/x86/mm/hugetlbpage.c 2011-03-14 21:20:32.000000000 -0400
19874 +++ linux-2.6.38.6/arch/x86/mm/hugetlbpage.c 2011-04-28 19:34:15.000000000 -0400
19875 @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmappe
19876 struct hstate *h = hstate_file(file);
19877 struct mm_struct *mm = current->mm;
19878 struct vm_area_struct *vma;
19879 - unsigned long start_addr;
19880 + unsigned long start_addr, pax_task_size = TASK_SIZE;
19882 +#ifdef CONFIG_PAX_SEGMEXEC
19883 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
19884 + pax_task_size = SEGMEXEC_TASK_SIZE;
19887 + pax_task_size -= PAGE_SIZE;
19889 if (len > mm->cached_hole_size) {
19890 - start_addr = mm->free_area_cache;
19891 + start_addr = mm->free_area_cache;
19893 - start_addr = TASK_UNMAPPED_BASE;
19894 - mm->cached_hole_size = 0;
19895 + start_addr = mm->mmap_base;
19896 + mm->cached_hole_size = 0;
19900 @@ -280,26 +287,27 @@ full_search:
19902 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
19903 /* At this point: (!vma || addr < vma->vm_end). */
19904 - if (TASK_SIZE - len < addr) {
19905 + if (pax_task_size - len < addr) {
19907 * Start a new search - just in case we missed
19910 - if (start_addr != TASK_UNMAPPED_BASE) {
19911 - start_addr = TASK_UNMAPPED_BASE;
19912 + if (start_addr != mm->mmap_base) {
19913 + start_addr = mm->mmap_base;
19914 mm->cached_hole_size = 0;
19919 - if (!vma || addr + len <= vma->vm_start) {
19920 - mm->free_area_cache = addr + len;
19923 + if (check_heap_stack_gap(vma, addr, len))
19925 if (addr + mm->cached_hole_size < vma->vm_start)
19926 mm->cached_hole_size = vma->vm_start - addr;
19927 addr = ALIGN(vma->vm_end, huge_page_size(h));
19930 + mm->free_area_cache = addr + len;
19934 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
19935 @@ -308,10 +316,9 @@ static unsigned long hugetlb_get_unmappe
19937 struct hstate *h = hstate_file(file);
19938 struct mm_struct *mm = current->mm;
19939 - struct vm_area_struct *vma, *prev_vma;
19940 - unsigned long base = mm->mmap_base, addr = addr0;
19941 + struct vm_area_struct *vma;
19942 + unsigned long base = mm->mmap_base, addr;
19943 unsigned long largest_hole = mm->cached_hole_size;
19944 - int first_time = 1;
19946 /* don't allow allocations above current base */
19947 if (mm->free_area_cache > base)
19948 @@ -321,64 +328,63 @@ static unsigned long hugetlb_get_unmappe
19950 mm->free_area_cache = base;
19954 /* make sure it can fit in the remaining address space */
19955 if (mm->free_area_cache < len)
19958 /* either no address requested or cant fit in requested address hole */
19959 - addr = (mm->free_area_cache - len) & huge_page_mask(h);
19960 + addr = (mm->free_area_cache - len);
19962 + addr &= huge_page_mask(h);
19963 + vma = find_vma(mm, addr);
19965 * Lookup failure means no vma is above this address,
19966 * i.e. return with success:
19968 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
19972 * new region fits between prev_vma->vm_end and
19973 * vma->vm_start, use it:
19975 - if (addr + len <= vma->vm_start &&
19976 - (!prev_vma || (addr >= prev_vma->vm_end))) {
19977 + if (check_heap_stack_gap(vma, addr, len)) {
19978 /* remember the address as a hint for next time */
19979 - mm->cached_hole_size = largest_hole;
19980 - return (mm->free_area_cache = addr);
19982 - /* pull free_area_cache down to the first hole */
19983 - if (mm->free_area_cache == vma->vm_end) {
19984 - mm->free_area_cache = vma->vm_start;
19985 - mm->cached_hole_size = largest_hole;
19987 + mm->cached_hole_size = largest_hole;
19988 + return (mm->free_area_cache = addr);
19990 + /* pull free_area_cache down to the first hole */
19991 + if (mm->free_area_cache == vma->vm_end) {
19992 + mm->free_area_cache = vma->vm_start;
19993 + mm->cached_hole_size = largest_hole;
19996 /* remember the largest hole we saw so far */
19997 if (addr + largest_hole < vma->vm_start)
19998 - largest_hole = vma->vm_start - addr;
19999 + largest_hole = vma->vm_start - addr;
20001 /* try just below the current vma->vm_start */
20002 - addr = (vma->vm_start - len) & huge_page_mask(h);
20003 - } while (len <= vma->vm_start);
20004 + addr = skip_heap_stack_gap(vma, len);
20005 + } while (!IS_ERR_VALUE(addr));
20009 - * if hint left us with no space for the requested
20010 - * mapping then try again:
20012 - if (first_time) {
20013 - mm->free_area_cache = base;
20014 - largest_hole = 0;
20019 * A failed mmap() very likely causes application failure,
20020 * so fall back to the bottom-up function here. This scenario
20021 * can happen with large stack limits and large mmap()
20024 - mm->free_area_cache = TASK_UNMAPPED_BASE;
20026 +#ifdef CONFIG_PAX_SEGMEXEC
20027 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
20028 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
20032 + mm->mmap_base = TASK_UNMAPPED_BASE;
20034 +#ifdef CONFIG_PAX_RANDMMAP
20035 + if (mm->pax_flags & MF_PAX_RANDMMAP)
20036 + mm->mmap_base += mm->delta_mmap;
20039 + mm->free_area_cache = mm->mmap_base;
20040 mm->cached_hole_size = ~0UL;
20041 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
20042 len, pgoff, flags);
20043 @@ -386,6 +392,7 @@ fail:
20045 * Restore the topdown base:
20047 + mm->mmap_base = base;
20048 mm->free_area_cache = base;
20049 mm->cached_hole_size = ~0UL;
20051 @@ -399,10 +406,19 @@ hugetlb_get_unmapped_area(struct file *f
20052 struct hstate *h = hstate_file(file);
20053 struct mm_struct *mm = current->mm;
20054 struct vm_area_struct *vma;
20055 + unsigned long pax_task_size = TASK_SIZE;
20057 if (len & ~huge_page_mask(h))
20059 - if (len > TASK_SIZE)
20061 +#ifdef CONFIG_PAX_SEGMEXEC
20062 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
20063 + pax_task_size = SEGMEXEC_TASK_SIZE;
20066 + pax_task_size -= PAGE_SIZE;
20068 + if (len > pax_task_size)
20071 if (flags & MAP_FIXED) {
20072 @@ -414,8 +430,7 @@ hugetlb_get_unmapped_area(struct file *f
20074 addr = ALIGN(addr, huge_page_size(h));
20075 vma = find_vma(mm, addr);
20076 - if (TASK_SIZE - len >= addr &&
20077 - (!vma || addr + len <= vma->vm_start))
20078 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
20081 if (mm->get_unmapped_area == arch_get_unmapped_area)
20082 diff -urNp linux-2.6.38.6/arch/x86/mm/init_32.c linux-2.6.38.6/arch/x86/mm/init_32.c
20083 --- linux-2.6.38.6/arch/x86/mm/init_32.c 2011-03-14 21:20:32.000000000 -0400
20084 +++ linux-2.6.38.6/arch/x86/mm/init_32.c 2011-04-28 19:34:15.000000000 -0400
20085 @@ -74,36 +74,6 @@ static __init void *alloc_low_page(void)
20089 - * Creates a middle page table and puts a pointer to it in the
20090 - * given global directory entry. This only returns the gd entry
20091 - * in non-PAE compilation mode, since the middle layer is folded.
20093 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
20096 - pmd_t *pmd_table;
20098 -#ifdef CONFIG_X86_PAE
20099 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
20100 - if (after_bootmem)
20101 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
20103 - pmd_table = (pmd_t *)alloc_low_page();
20104 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
20105 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
20106 - pud = pud_offset(pgd, 0);
20107 - BUG_ON(pmd_table != pmd_offset(pud, 0));
20109 - return pmd_table;
20112 - pud = pud_offset(pgd, 0);
20113 - pmd_table = pmd_offset(pud, 0);
20115 - return pmd_table;
20119 * Create a page table and place a pointer to it in a middle page
20122 @@ -123,13 +93,28 @@ static pte_t * __init one_page_table_ini
20123 page_table = (pte_t *)alloc_low_page();
20125 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
20126 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
20127 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
20129 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
20131 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
20134 return pte_offset_kernel(pmd, 0);
20137 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
20140 + pmd_t *pmd_table;
20142 + pud = pud_offset(pgd, 0);
20143 + pmd_table = pmd_offset(pud, 0);
20145 + return pmd_table;
20148 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
20150 int pgd_idx = pgd_index(vaddr);
20151 @@ -203,6 +188,7 @@ page_table_range_init(unsigned long star
20152 int pgd_idx, pmd_idx;
20153 unsigned long vaddr;
20159 @@ -212,8 +198,13 @@ page_table_range_init(unsigned long star
20160 pgd = pgd_base + pgd_idx;
20162 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
20163 - pmd = one_md_table_init(pgd);
20164 - pmd = pmd + pmd_index(vaddr);
20165 + pud = pud_offset(pgd, vaddr);
20166 + pmd = pmd_offset(pud, vaddr);
20168 +#ifdef CONFIG_X86_PAE
20169 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
20172 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
20173 pmd++, pmd_idx++) {
20174 pte = page_table_kmap_check(one_page_table_init(pmd),
20175 @@ -225,11 +216,20 @@ page_table_range_init(unsigned long star
20179 -static inline int is_kernel_text(unsigned long addr)
20180 +static inline int is_kernel_text(unsigned long start, unsigned long end)
20182 - if (addr >= (unsigned long)_text && addr <= (unsigned long)__init_end)
20185 + if ((start > ktla_ktva((unsigned long)_etext) ||
20186 + end <= ktla_ktva((unsigned long)_stext)) &&
20187 + (start > ktla_ktva((unsigned long)_einittext) ||
20188 + end <= ktla_ktva((unsigned long)_sinittext)) &&
20190 +#ifdef CONFIG_ACPI_SLEEP
20191 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
20194 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
20200 @@ -246,9 +246,10 @@ kernel_physical_mapping_init(unsigned lo
20201 unsigned long last_map_addr = end;
20202 unsigned long start_pfn, end_pfn;
20203 pgd_t *pgd_base = swapper_pg_dir;
20204 - int pgd_idx, pmd_idx, pte_ofs;
20205 + unsigned int pgd_idx, pmd_idx, pte_ofs;
20211 unsigned pages_2m, pages_4k;
20212 @@ -281,8 +282,13 @@ repeat:
20214 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
20215 pgd = pgd_base + pgd_idx;
20216 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
20217 - pmd = one_md_table_init(pgd);
20218 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
20219 + pud = pud_offset(pgd, 0);
20220 + pmd = pmd_offset(pud, 0);
20222 +#ifdef CONFIG_X86_PAE
20223 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
20226 if (pfn >= end_pfn)
20228 @@ -294,14 +300,13 @@ repeat:
20230 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
20231 pmd++, pmd_idx++) {
20232 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
20233 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
20236 * Map with big pages if possible, otherwise
20237 * create normal page tables:
20240 - unsigned int addr2;
20241 pgprot_t prot = PAGE_KERNEL_LARGE;
20243 * first pass will use the same initial
20244 @@ -311,11 +316,7 @@ repeat:
20245 __pgprot(PTE_IDENT_ATTR |
20248 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
20249 - PAGE_OFFSET + PAGE_SIZE-1;
20251 - if (is_kernel_text(addr) ||
20252 - is_kernel_text(addr2))
20253 + if (is_kernel_text(address, address + PMD_SIZE))
20254 prot = PAGE_KERNEL_LARGE_EXEC;
20257 @@ -332,7 +333,7 @@ repeat:
20258 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
20260 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
20261 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
20262 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
20263 pgprot_t prot = PAGE_KERNEL;
20265 * first pass will use the same initial
20266 @@ -340,7 +341,7 @@ repeat:
20268 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
20270 - if (is_kernel_text(addr))
20271 + if (is_kernel_text(address, address + PAGE_SIZE))
20272 prot = PAGE_KERNEL_EXEC;
20275 @@ -472,7 +473,7 @@ void __init native_pagetable_setup_start
20277 pud = pud_offset(pgd, va);
20278 pmd = pmd_offset(pud, va);
20279 - if (!pmd_present(*pmd))
20280 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
20283 pte = pte_offset_kernel(pmd, va);
20284 @@ -524,12 +525,10 @@ void __init early_ioremap_page_table_ran
20286 static void __init pagetable_init(void)
20288 - pgd_t *pgd_base = swapper_pg_dir;
20290 - permanent_kmaps_init(pgd_base);
20291 + permanent_kmaps_init(swapper_pg_dir);
20294 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
20295 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
20296 EXPORT_SYMBOL_GPL(__supported_pte_mask);
20298 /* user-defined highmem size */
20299 @@ -755,6 +754,12 @@ void __init mem_init(void)
20303 +#ifdef CONFIG_PAX_PER_CPU_PGD
20304 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
20305 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
20306 + KERNEL_PGD_PTRS);
20309 #ifdef CONFIG_FLATMEM
20312 @@ -772,7 +777,7 @@ void __init mem_init(void)
20313 set_highmem_pages_init();
20315 codesize = (unsigned long) &_etext - (unsigned long) &_text;
20316 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
20317 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
20318 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
20320 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
20321 @@ -813,10 +818,10 @@ void __init mem_init(void)
20322 ((unsigned long)&__init_end -
20323 (unsigned long)&__init_begin) >> 10,
20325 - (unsigned long)&_etext, (unsigned long)&_edata,
20326 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
20327 + (unsigned long)&_sdata, (unsigned long)&_edata,
20328 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
20330 - (unsigned long)&_text, (unsigned long)&_etext,
20331 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
20332 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
20335 @@ -894,6 +899,7 @@ void set_kernel_text_rw(void)
20336 if (!kernel_set_to_readonly)
20339 + start = ktla_ktva(start);
20340 pr_debug("Set kernel text: %lx - %lx for read write\n",
20341 start, start+size);
20343 @@ -908,6 +914,7 @@ void set_kernel_text_ro(void)
20344 if (!kernel_set_to_readonly)
20347 + start = ktla_ktva(start);
20348 pr_debug("Set kernel text: %lx - %lx for read only\n",
20349 start, start+size);
20351 @@ -936,6 +943,7 @@ void mark_rodata_ro(void)
20352 unsigned long start = PFN_ALIGN(_text);
20353 unsigned long size = PFN_ALIGN(_etext) - start;
20355 + start = ktla_ktva(start);
20356 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
20357 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
20359 diff -urNp linux-2.6.38.6/arch/x86/mm/init_64.c linux-2.6.38.6/arch/x86/mm/init_64.c
20360 --- linux-2.6.38.6/arch/x86/mm/init_64.c 2011-04-18 17:27:18.000000000 -0400
20361 +++ linux-2.6.38.6/arch/x86/mm/init_64.c 2011-04-28 19:34:15.000000000 -0400
20362 @@ -72,7 +72,7 @@ early_param("gbpages", parse_direct_gbpa
20363 * around without checking the pgd every time.
20366 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
20367 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
20368 EXPORT_SYMBOL_GPL(__supported_pte_mask);
20370 int force_personality32;
20371 @@ -105,12 +105,22 @@ void sync_global_pgds(unsigned long star
20373 for (address = start; address <= end; address += PGDIR_SIZE) {
20374 const pgd_t *pgd_ref = pgd_offset_k(address);
20376 +#ifdef CONFIG_PAX_PER_CPU_PGD
20377 + unsigned long cpu;
20382 if (pgd_none(*pgd_ref))
20385 spin_lock(&pgd_lock);
20387 +#ifdef CONFIG_PAX_PER_CPU_PGD
20388 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
20389 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
20391 list_for_each_entry(page, &pgd_list, lru) {
20393 spinlock_t *pgt_lock;
20394 @@ -119,6 +129,7 @@ void sync_global_pgds(unsigned long star
20395 /* the pgt_lock only for Xen */
20396 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
20397 spin_lock(pgt_lock);
20400 if (pgd_none(*pgd))
20401 set_pgd(pgd, *pgd_ref);
20402 @@ -126,7 +137,10 @@ void sync_global_pgds(unsigned long star
20403 BUG_ON(pgd_page_vaddr(*pgd)
20404 != pgd_page_vaddr(*pgd_ref));
20406 +#ifndef CONFIG_PAX_PER_CPU_PGD
20407 spin_unlock(pgt_lock);
20411 spin_unlock(&pgd_lock);
20413 @@ -200,7 +214,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
20414 pmd = fill_pmd(pud, vaddr);
20415 pte = fill_pte(pmd, vaddr);
20417 + pax_open_kernel();
20418 set_pte(pte, new_pte);
20419 + pax_close_kernel();
20422 * It's enough to flush this one mapping.
20423 @@ -259,14 +275,12 @@ static void __init __init_extra_mapping(
20424 pgd = pgd_offset_k((unsigned long)__va(phys));
20425 if (pgd_none(*pgd)) {
20426 pud = (pud_t *) spp_getpage();
20427 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
20429 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
20431 pud = pud_offset(pgd, (unsigned long)__va(phys));
20432 if (pud_none(*pud)) {
20433 pmd = (pmd_t *) spp_getpage();
20434 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
20436 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
20438 pmd = pmd_offset(pud, phys);
20439 BUG_ON(!pmd_none(*pmd));
20440 @@ -706,6 +720,12 @@ void __init mem_init(void)
20444 +#ifdef CONFIG_PAX_PER_CPU_PGD
20445 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
20446 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
20447 + KERNEL_PGD_PTRS);
20450 /* clear_bss() already clear the empty_zero_page */
20453 @@ -866,8 +886,8 @@ int kern_addr_valid(unsigned long addr)
20454 static struct vm_area_struct gate_vma = {
20455 .vm_start = VSYSCALL_START,
20456 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
20457 - .vm_page_prot = PAGE_READONLY_EXEC,
20458 - .vm_flags = VM_READ | VM_EXEC
20459 + .vm_page_prot = PAGE_READONLY,
20460 + .vm_flags = VM_READ
20463 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
20464 @@ -901,7 +921,7 @@ int in_gate_area_no_task(unsigned long a
20466 const char *arch_vma_name(struct vm_area_struct *vma)
20468 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
20469 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
20471 if (vma == &gate_vma)
20472 return "[vsyscall]";
20473 diff -urNp linux-2.6.38.6/arch/x86/mm/init.c linux-2.6.38.6/arch/x86/mm/init.c
20474 --- linux-2.6.38.6/arch/x86/mm/init.c 2011-04-18 17:27:18.000000000 -0400
20475 +++ linux-2.6.38.6/arch/x86/mm/init.c 2011-04-28 19:34:15.000000000 -0400
20476 @@ -72,11 +72,7 @@ static void __init find_early_table_spac
20477 * cause a hotspot and fill up ZONE_DMA. The page tables
20478 * need roughly 0.5KB per GB.
20480 -#ifdef CONFIG_X86_32
20485 + start = 0x100000;
20486 base = memblock_find_in_range(start, max_pfn_mapped<<PAGE_SHIFT,
20487 tables, PAGE_SIZE);
20488 if (base == MEMBLOCK_ERROR)
20489 @@ -323,7 +319,16 @@ unsigned long __init_refok init_memory_m
20491 int devmem_is_allowed(unsigned long pagenr)
20493 - if (pagenr <= 256)
20494 +#ifndef CONFIG_GRKERNSEC_KMEM
20497 +#ifdef CONFIG_VM86
20498 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
20503 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
20505 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
20507 @@ -383,6 +388,86 @@ void free_init_pages(char *what, unsigne
20509 void free_initmem(void)
20512 +#ifdef CONFIG_PAX_KERNEXEC
20513 +#ifdef CONFIG_X86_32
20514 + /* PaX: limit KERNEL_CS to actual size */
20515 + unsigned long addr, limit;
20516 + struct desc_struct d;
20519 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
20520 + limit = (limit - 1UL) >> PAGE_SHIFT;
20522 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
20523 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
20524 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
20525 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
20528 + /* PaX: make KERNEL_CS read-only */
20529 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
20530 + if (!paravirt_enabled())
20531 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
20533 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
20534 + pgd = pgd_offset_k(addr);
20535 + pud = pud_offset(pgd, addr);
20536 + pmd = pmd_offset(pud, addr);
20537 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
20540 +#ifdef CONFIG_X86_PAE
20541 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
20543 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
20544 + pgd = pgd_offset_k(addr);
20545 + pud = pud_offset(pgd, addr);
20546 + pmd = pmd_offset(pud, addr);
20547 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
20552 +#ifdef CONFIG_MODULES
20553 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
20560 + unsigned long addr, end;
20562 + /* PaX: make kernel code/rodata read-only, rest non-executable */
20563 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
20564 + pgd = pgd_offset_k(addr);
20565 + pud = pud_offset(pgd, addr);
20566 + pmd = pmd_offset(pud, addr);
20567 + if (!pmd_present(*pmd))
20569 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
20570 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
20572 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
20575 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
20576 + end = addr + KERNEL_IMAGE_SIZE;
20577 + for (; addr < end; addr += PMD_SIZE) {
20578 + pgd = pgd_offset_k(addr);
20579 + pud = pud_offset(pgd, addr);
20580 + pmd = pmd_offset(pud, addr);
20581 + if (!pmd_present(*pmd))
20583 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
20584 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
20591 free_init_pages("unused kernel memory",
20592 (unsigned long)(&__init_begin),
20593 (unsigned long)(&__init_end));
20594 diff -urNp linux-2.6.38.6/arch/x86/mm/iomap_32.c linux-2.6.38.6/arch/x86/mm/iomap_32.c
20595 --- linux-2.6.38.6/arch/x86/mm/iomap_32.c 2011-03-14 21:20:32.000000000 -0400
20596 +++ linux-2.6.38.6/arch/x86/mm/iomap_32.c 2011-04-28 19:34:15.000000000 -0400
20597 @@ -64,7 +64,11 @@ void *kmap_atomic_prot_pfn(unsigned long
20598 type = kmap_atomic_idx_push();
20599 idx = type + KM_TYPE_NR * smp_processor_id();
20600 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
20602 + pax_open_kernel();
20603 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
20604 + pax_close_kernel();
20606 arch_flush_lazy_mmu_mode();
20608 return (void *)vaddr;
20609 diff -urNp linux-2.6.38.6/arch/x86/mm/ioremap.c linux-2.6.38.6/arch/x86/mm/ioremap.c
20610 --- linux-2.6.38.6/arch/x86/mm/ioremap.c 2011-03-14 21:20:32.000000000 -0400
20611 +++ linux-2.6.38.6/arch/x86/mm/ioremap.c 2011-04-28 19:34:15.000000000 -0400
20612 @@ -104,7 +104,7 @@ static void __iomem *__ioremap_caller(re
20613 for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) {
20614 int is_ram = page_is_ram(pfn);
20616 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
20617 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
20619 WARN_ON_ONCE(is_ram);
20621 @@ -344,7 +344,7 @@ static int __init early_ioremap_debug_se
20622 early_param("early_ioremap_debug", early_ioremap_debug_setup);
20624 static __initdata int after_paging_init;
20625 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
20626 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
20628 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
20630 @@ -381,8 +381,7 @@ void __init early_ioremap_init(void)
20631 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
20633 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
20634 - memset(bm_pte, 0, sizeof(bm_pte));
20635 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
20636 + pmd_populate_user(&init_mm, pmd, bm_pte);
20639 * The boot-ioremap range spans multiple pmds, for which
20640 diff -urNp linux-2.6.38.6/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.38.6/arch/x86/mm/kmemcheck/kmemcheck.c
20641 --- linux-2.6.38.6/arch/x86/mm/kmemcheck/kmemcheck.c 2011-03-14 21:20:32.000000000 -0400
20642 +++ linux-2.6.38.6/arch/x86/mm/kmemcheck/kmemcheck.c 2011-04-28 19:34:15.000000000 -0400
20643 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
20644 * memory (e.g. tracked pages)? For now, we need this to avoid
20645 * invoking kmemcheck for PnP BIOS calls.
20647 - if (regs->flags & X86_VM_MASK)
20648 + if (v8086_mode(regs))
20650 - if (regs->cs != __KERNEL_CS)
20651 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
20654 pte = kmemcheck_pte_lookup(address);
20655 diff -urNp linux-2.6.38.6/arch/x86/mm/mmap.c linux-2.6.38.6/arch/x86/mm/mmap.c
20656 --- linux-2.6.38.6/arch/x86/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
20657 +++ linux-2.6.38.6/arch/x86/mm/mmap.c 2011-04-28 19:34:15.000000000 -0400
20658 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
20659 * Leave an at least ~128 MB hole with possible stack randomization.
20661 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
20662 -#define MAX_GAP (TASK_SIZE/6*5)
20663 +#define MAX_GAP (pax_task_size/6*5)
20666 * True on X86_32 or when emulating IA32 on X86_64
20667 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
20668 return rnd << PAGE_SHIFT;
20671 -static unsigned long mmap_base(void)
20672 +static unsigned long mmap_base(struct mm_struct *mm)
20674 unsigned long gap = rlimit(RLIMIT_STACK);
20675 + unsigned long pax_task_size = TASK_SIZE;
20677 +#ifdef CONFIG_PAX_SEGMEXEC
20678 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
20679 + pax_task_size = SEGMEXEC_TASK_SIZE;
20684 else if (gap > MAX_GAP)
20687 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
20688 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
20692 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
20693 * does, but not when emulating X86_32
20695 -static unsigned long mmap_legacy_base(void)
20696 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
20698 - if (mmap_is_ia32())
20699 + if (mmap_is_ia32()) {
20701 +#ifdef CONFIG_PAX_SEGMEXEC
20702 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
20703 + return SEGMEXEC_TASK_UNMAPPED_BASE;
20707 return TASK_UNMAPPED_BASE;
20710 return TASK_UNMAPPED_BASE + mmap_rnd();
20713 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
20714 void arch_pick_mmap_layout(struct mm_struct *mm)
20716 if (mmap_is_legacy()) {
20717 - mm->mmap_base = mmap_legacy_base();
20718 + mm->mmap_base = mmap_legacy_base(mm);
20720 +#ifdef CONFIG_PAX_RANDMMAP
20721 + if (mm->pax_flags & MF_PAX_RANDMMAP)
20722 + mm->mmap_base += mm->delta_mmap;
20725 mm->get_unmapped_area = arch_get_unmapped_area;
20726 mm->unmap_area = arch_unmap_area;
20728 - mm->mmap_base = mmap_base();
20729 + mm->mmap_base = mmap_base(mm);
20731 +#ifdef CONFIG_PAX_RANDMMAP
20732 + if (mm->pax_flags & MF_PAX_RANDMMAP)
20733 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
20736 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
20737 mm->unmap_area = arch_unmap_area_topdown;
20739 diff -urNp linux-2.6.38.6/arch/x86/mm/mmio-mod.c linux-2.6.38.6/arch/x86/mm/mmio-mod.c
20740 --- linux-2.6.38.6/arch/x86/mm/mmio-mod.c 2011-03-14 21:20:32.000000000 -0400
20741 +++ linux-2.6.38.6/arch/x86/mm/mmio-mod.c 2011-04-28 19:57:25.000000000 -0400
20742 @@ -235,7 +235,7 @@ static void post(struct kmmio_probe *p,
20743 static void ioremap_trace_core(resource_size_t offset, unsigned long size,
20744 void __iomem *addr)
20746 - static atomic_t next_id;
20747 + static atomic_unchecked_t next_id;
20748 struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
20749 /* These are page-unaligned. */
20750 struct mmiotrace_map map = {
20751 @@ -259,7 +259,7 @@ static void ioremap_trace_core(resource_
20755 - .id = atomic_inc_return(&next_id)
20756 + .id = atomic_inc_return_unchecked(&next_id)
20758 map.map_id = trace->id;
20760 diff -urNp linux-2.6.38.6/arch/x86/mm/numa_32.c linux-2.6.38.6/arch/x86/mm/numa_32.c
20761 --- linux-2.6.38.6/arch/x86/mm/numa_32.c 2011-03-14 21:20:32.000000000 -0400
20762 +++ linux-2.6.38.6/arch/x86/mm/numa_32.c 2011-04-28 19:34:15.000000000 -0400
20763 @@ -99,7 +99,6 @@ unsigned long node_memmap_size_bytes(int
20767 -extern unsigned long find_max_low_pfn(void);
20768 extern unsigned long highend_pfn, highstart_pfn;
20770 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
20771 diff -urNp linux-2.6.38.6/arch/x86/mm/pageattr.c linux-2.6.38.6/arch/x86/mm/pageattr.c
20772 --- linux-2.6.38.6/arch/x86/mm/pageattr.c 2011-03-14 21:20:32.000000000 -0400
20773 +++ linux-2.6.38.6/arch/x86/mm/pageattr.c 2011-04-28 19:34:15.000000000 -0400
20774 @@ -261,7 +261,7 @@ static inline pgprot_t static_protection
20776 #ifdef CONFIG_PCI_BIOS
20777 if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
20778 - pgprot_val(forbidden) |= _PAGE_NX;
20779 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
20783 @@ -269,9 +269,10 @@ static inline pgprot_t static_protection
20784 * Does not cover __inittext since that is gone later on. On
20785 * 64bit we do not enforce !NX on the low mapping
20787 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
20788 - pgprot_val(forbidden) |= _PAGE_NX;
20789 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
20790 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
20792 +#ifdef CONFIG_DEBUG_RODATA
20794 * The .rodata section needs to be read-only. Using the pfn
20795 * catches all aliases.
20796 @@ -279,6 +280,7 @@ static inline pgprot_t static_protection
20797 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
20798 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
20799 pgprot_val(forbidden) |= _PAGE_RW;
20802 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
20804 @@ -317,6 +319,13 @@ static inline pgprot_t static_protection
20808 +#ifdef CONFIG_PAX_KERNEXEC
20809 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
20810 + pgprot_val(forbidden) |= _PAGE_RW;
20811 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
20815 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
20818 @@ -369,23 +378,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
20819 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
20821 /* change init_mm */
20822 + pax_open_kernel();
20823 set_pte_atomic(kpte, pte);
20825 #ifdef CONFIG_X86_32
20826 if (!SHARED_KERNEL_PMD) {
20828 +#ifdef CONFIG_PAX_PER_CPU_PGD
20829 + unsigned long cpu;
20834 +#ifdef CONFIG_PAX_PER_CPU_PGD
20835 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
20836 + pgd_t *pgd = get_cpu_pgd(cpu);
20838 list_for_each_entry(page, &pgd_list, lru) {
20840 + pgd_t *pgd = (pgd_t *)page_address(page);
20846 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
20847 + pgd += pgd_index(address);
20848 pud = pud_offset(pgd, address);
20849 pmd = pmd_offset(pud, address);
20850 set_pte_atomic((pte_t *)pmd, pte);
20854 + pax_close_kernel();
20858 diff -urNp linux-2.6.38.6/arch/x86/mm/pageattr-test.c linux-2.6.38.6/arch/x86/mm/pageattr-test.c
20859 --- linux-2.6.38.6/arch/x86/mm/pageattr-test.c 2011-03-14 21:20:32.000000000 -0400
20860 +++ linux-2.6.38.6/arch/x86/mm/pageattr-test.c 2011-04-28 19:34:15.000000000 -0400
20861 @@ -36,7 +36,7 @@ enum {
20863 static int pte_testbit(pte_t pte)
20865 - return pte_flags(pte) & _PAGE_UNUSED1;
20866 + return pte_flags(pte) & _PAGE_CPA_TEST;
20869 struct split_state {
20870 diff -urNp linux-2.6.38.6/arch/x86/mm/pat.c linux-2.6.38.6/arch/x86/mm/pat.c
20871 --- linux-2.6.38.6/arch/x86/mm/pat.c 2011-03-14 21:20:32.000000000 -0400
20872 +++ linux-2.6.38.6/arch/x86/mm/pat.c 2011-04-28 19:34:15.000000000 -0400
20873 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
20876 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
20877 - current->comm, current->pid, start, end);
20878 + current->comm, task_pid_nr(current), start, end);
20882 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
20883 while (cursor < to) {
20884 if (!devmem_is_allowed(pfn)) {
20886 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
20887 - current->comm, from, to);
20888 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
20889 + current->comm, from, to, cursor);
20892 cursor += PAGE_SIZE;
20893 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
20895 "%s:%d ioremap_change_attr failed %s "
20897 - current->comm, current->pid,
20898 + current->comm, task_pid_nr(current),
20900 base, (unsigned long long)(base + size));
20902 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
20903 if (want_flags != flags) {
20904 printk(KERN_WARNING
20905 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
20906 - current->comm, current->pid,
20907 + current->comm, task_pid_nr(current),
20908 cattr_name(want_flags),
20909 (unsigned long long)paddr,
20910 (unsigned long long)(paddr + size),
20911 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
20912 free_memtype(paddr, paddr + size);
20913 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
20914 " for %Lx-%Lx, got %s\n",
20915 - current->comm, current->pid,
20916 + current->comm, task_pid_nr(current),
20917 cattr_name(want_flags),
20918 (unsigned long long)paddr,
20919 (unsigned long long)(paddr + size),
20920 diff -urNp linux-2.6.38.6/arch/x86/mm/pgtable_32.c linux-2.6.38.6/arch/x86/mm/pgtable_32.c
20921 --- linux-2.6.38.6/arch/x86/mm/pgtable_32.c 2011-03-14 21:20:32.000000000 -0400
20922 +++ linux-2.6.38.6/arch/x86/mm/pgtable_32.c 2011-04-28 19:34:15.000000000 -0400
20923 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
20926 pte = pte_offset_kernel(pmd, vaddr);
20928 + pax_open_kernel();
20929 if (pte_val(pteval))
20930 set_pte_at(&init_mm, vaddr, pte, pteval);
20932 pte_clear(&init_mm, vaddr, pte);
20933 + pax_close_kernel();
20936 * It's enough to flush this one mapping.
20937 diff -urNp linux-2.6.38.6/arch/x86/mm/pgtable.c linux-2.6.38.6/arch/x86/mm/pgtable.c
20938 --- linux-2.6.38.6/arch/x86/mm/pgtable.c 2011-04-18 17:27:13.000000000 -0400
20939 +++ linux-2.6.38.6/arch/x86/mm/pgtable.c 2011-05-11 18:34:57.000000000 -0400
20940 @@ -84,10 +84,52 @@ static inline void pgd_list_del(pgd_t *p
20941 list_del(&page->lru);
20944 -#define UNSHARED_PTRS_PER_PGD \
20945 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
20946 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20947 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
20949 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
20952 + *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
20956 +#ifdef CONFIG_PAX_PER_CPU_PGD
20957 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
20961 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20962 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
20970 +#ifdef CONFIG_X86_64
20971 +#define pxd_t pud_t
20972 +#define pyd_t pgd_t
20973 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
20974 +#define pxd_free(mm, pud) pud_free((mm), (pud))
20975 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
20976 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
20977 +#define PYD_SIZE PGDIR_SIZE
20979 +#define pxd_t pmd_t
20980 +#define pyd_t pud_t
20981 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
20982 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
20983 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
20984 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
20985 +#define PYD_SIZE PUD_SIZE
20988 +#ifdef CONFIG_PAX_PER_CPU_PGD
20989 +static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {}
20990 +static inline void pgd_dtor(pgd_t *pgd) {}
20992 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
20994 BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm));
20995 @@ -128,6 +170,7 @@ static void pgd_dtor(pgd_t *pgd)
20997 spin_unlock(&pgd_lock);
21002 * List of all pgd's needed for non-PAE so it can invalidate entries
21003 @@ -140,7 +183,7 @@ static void pgd_dtor(pgd_t *pgd)
21007 -#ifdef CONFIG_X86_PAE
21008 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
21010 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
21011 * updating the top-level pagetable entries to guarantee the
21012 @@ -152,7 +195,7 @@ static void pgd_dtor(pgd_t *pgd)
21013 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
21014 * and initialize the kernel pmds here.
21016 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
21017 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
21019 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
21021 @@ -170,36 +213,38 @@ void pud_populate(struct mm_struct *mm,
21025 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
21026 +#define PREALLOCATED_PXDS USER_PGD_PTRS
21027 #else /* !CONFIG_X86_PAE */
21029 /* No need to prepopulate any pagetable entries in non-PAE modes. */
21030 -#define PREALLOCATED_PMDS 0
21031 +#define PREALLOCATED_PXDS 0
21033 #endif /* CONFIG_X86_PAE */
21035 -static void free_pmds(pmd_t *pmds[])
21036 +static void free_pxds(pxd_t *pxds[])
21040 - for(i = 0; i < PREALLOCATED_PMDS; i++)
21042 - free_page((unsigned long)pmds[i]);
21043 + for(i = 0; i < PREALLOCATED_PXDS; i++)
21045 + free_page((unsigned long)pxds[i]);
21048 -static int preallocate_pmds(pmd_t *pmds[])
21049 +static int preallocate_pxds(pxd_t *pxds[])
21052 bool failed = false;
21054 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
21055 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
21057 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
21058 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
21071 @@ -212,51 +257,55 @@ static int preallocate_pmds(pmd_t *pmds[
21072 * preallocate which never got a corresponding vma will need to be
21075 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
21076 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
21080 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
21081 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
21082 pgd_t pgd = pgdp[i];
21084 if (pgd_val(pgd) != 0) {
21085 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
21086 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
21088 - pgdp[i] = native_make_pgd(0);
21089 + set_pgd(pgdp + i, native_make_pgd(0));
21091 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
21092 - pmd_free(mm, pmd);
21093 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
21094 + pxd_free(mm, pxd);
21099 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
21100 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
21104 unsigned long addr;
21107 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
21108 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
21111 - pud = pud_offset(pgd, 0);
21112 +#ifdef CONFIG_X86_64
21113 + pyd = pyd_offset(mm, 0L);
21115 + pyd = pyd_offset(pgd, 0L);
21118 - for (addr = i = 0; i < PREALLOCATED_PMDS;
21119 - i++, pud++, addr += PUD_SIZE) {
21120 - pmd_t *pmd = pmds[i];
21121 + for (addr = i = 0; i < PREALLOCATED_PXDS;
21122 + i++, pyd++, addr += PYD_SIZE) {
21123 + pxd_t *pxd = pxds[i];
21125 if (i >= KERNEL_PGD_BOUNDARY)
21126 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
21127 - sizeof(pmd_t) * PTRS_PER_PMD);
21128 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
21129 + sizeof(pxd_t) * PTRS_PER_PMD);
21131 - pud_populate(mm, pud, pmd);
21132 + pyd_populate(mm, pyd, pxd);
21136 pgd_t *pgd_alloc(struct mm_struct *mm)
21139 - pmd_t *pmds[PREALLOCATED_PMDS];
21140 + pxd_t *pxds[PREALLOCATED_PXDS];
21142 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
21144 @@ -265,11 +314,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
21148 - if (preallocate_pmds(pmds) != 0)
21149 + if (preallocate_pxds(pxds) != 0)
21152 if (paravirt_pgd_alloc(mm) != 0)
21153 - goto out_free_pmds;
21154 + goto out_free_pxds;
21157 * Make sure that pre-populating the pmds is atomic with
21158 @@ -279,14 +328,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
21159 spin_lock(&pgd_lock);
21162 - pgd_prepopulate_pmd(mm, pgd, pmds);
21163 + pgd_prepopulate_pxd(mm, pgd, pxds);
21165 spin_unlock(&pgd_lock);
21174 free_page((unsigned long)pgd);
21176 @@ -295,7 +344,7 @@ out:
21178 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
21180 - pgd_mop_up_pmds(mm, pgd);
21181 + pgd_mop_up_pxds(mm, pgd);
21183 paravirt_pgd_free(mm, pgd);
21184 free_page((unsigned long)pgd);
21185 diff -urNp linux-2.6.38.6/arch/x86/mm/setup_nx.c linux-2.6.38.6/arch/x86/mm/setup_nx.c
21186 --- linux-2.6.38.6/arch/x86/mm/setup_nx.c 2011-03-14 21:20:32.000000000 -0400
21187 +++ linux-2.6.38.6/arch/x86/mm/setup_nx.c 2011-04-28 19:34:15.000000000 -0400
21189 #include <asm/pgtable.h>
21190 #include <asm/proto.h>
21192 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
21193 static int disable_nx __cpuinitdata;
21195 +#ifndef CONFIG_PAX_PAGEEXEC
21199 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
21202 early_param("noexec", noexec_setup);
21207 void __cpuinit x86_configure_nx(void)
21209 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
21210 if (cpu_has_nx && !disable_nx)
21211 __supported_pte_mask |= _PAGE_NX;
21214 __supported_pte_mask &= ~_PAGE_NX;
21217 diff -urNp linux-2.6.38.6/arch/x86/mm/tlb.c linux-2.6.38.6/arch/x86/mm/tlb.c
21218 --- linux-2.6.38.6/arch/x86/mm/tlb.c 2011-03-14 21:20:32.000000000 -0400
21219 +++ linux-2.6.38.6/arch/x86/mm/tlb.c 2011-04-28 19:34:15.000000000 -0400
21220 @@ -65,7 +65,11 @@ void leave_mm(int cpu)
21222 cpumask_clear_cpu(cpu,
21223 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
21225 +#ifndef CONFIG_PAX_PER_CPU_PGD
21226 load_cr3(swapper_pg_dir);
21230 EXPORT_SYMBOL_GPL(leave_mm);
21232 diff -urNp linux-2.6.38.6/arch/x86/oprofile/backtrace.c linux-2.6.38.6/arch/x86/oprofile/backtrace.c
21233 --- linux-2.6.38.6/arch/x86/oprofile/backtrace.c 2011-03-14 21:20:32.000000000 -0400
21234 +++ linux-2.6.38.6/arch/x86/oprofile/backtrace.c 2011-04-28 19:34:15.000000000 -0400
21235 @@ -57,7 +57,7 @@ dump_user_backtrace_32(struct stack_fram
21236 struct stack_frame_ia32 *fp;
21238 /* Also check accessibility of one struct frame_head beyond */
21239 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
21240 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
21242 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
21244 @@ -123,7 +123,7 @@ x86_backtrace(struct pt_regs * const reg
21246 struct stack_frame *head = (struct stack_frame *)frame_pointer(regs);
21248 - if (!user_mode_vm(regs)) {
21249 + if (!user_mode(regs)) {
21250 unsigned long stack = kernel_stack_pointer(regs);
21252 dump_trace(NULL, regs, (unsigned long *)stack,
21253 diff -urNp linux-2.6.38.6/arch/x86/oprofile/op_model_p4.c linux-2.6.38.6/arch/x86/oprofile/op_model_p4.c
21254 --- linux-2.6.38.6/arch/x86/oprofile/op_model_p4.c 2011-03-14 21:20:32.000000000 -0400
21255 +++ linux-2.6.38.6/arch/x86/oprofile/op_model_p4.c 2011-04-28 19:34:15.000000000 -0400
21256 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
21260 -static int inline addr_increment(void)
21261 +static inline int addr_increment(void)
21264 return smp_num_siblings == 2 ? 2 : 1;
21265 diff -urNp linux-2.6.38.6/arch/x86/pci/ce4100.c linux-2.6.38.6/arch/x86/pci/ce4100.c
21266 --- linux-2.6.38.6/arch/x86/pci/ce4100.c 2011-03-14 21:20:32.000000000 -0400
21267 +++ linux-2.6.38.6/arch/x86/pci/ce4100.c 2011-04-28 19:34:15.000000000 -0400
21268 @@ -302,7 +302,7 @@ static int ce4100_conf_write(unsigned in
21269 return pci_direct_conf1.write(seg, bus, devfn, reg, len, value);
21272 -struct pci_raw_ops ce4100_pci_conf = {
21273 +const struct pci_raw_ops ce4100_pci_conf = {
21274 .read = ce4100_conf_read,
21275 .write = ce4100_conf_write,
21277 diff -urNp linux-2.6.38.6/arch/x86/pci/common.c linux-2.6.38.6/arch/x86/pci/common.c
21278 --- linux-2.6.38.6/arch/x86/pci/common.c 2011-03-14 21:20:32.000000000 -0400
21279 +++ linux-2.6.38.6/arch/x86/pci/common.c 2011-04-28 19:34:15.000000000 -0400
21280 @@ -33,8 +33,8 @@ int noioapicreroute = 1;
21281 int pcibios_last_bus = -1;
21282 unsigned long pirq_table_addr;
21283 struct pci_bus *pci_root_bus;
21284 -struct pci_raw_ops *raw_pci_ops;
21285 -struct pci_raw_ops *raw_pci_ext_ops;
21286 +const struct pci_raw_ops *raw_pci_ops;
21287 +const struct pci_raw_ops *raw_pci_ext_ops;
21289 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
21290 int reg, int len, u32 *val)
21291 diff -urNp linux-2.6.38.6/arch/x86/pci/direct.c linux-2.6.38.6/arch/x86/pci/direct.c
21292 --- linux-2.6.38.6/arch/x86/pci/direct.c 2011-03-14 21:20:32.000000000 -0400
21293 +++ linux-2.6.38.6/arch/x86/pci/direct.c 2011-04-28 19:34:15.000000000 -0400
21294 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
21296 #undef PCI_CONF1_ADDRESS
21298 -struct pci_raw_ops pci_direct_conf1 = {
21299 +const struct pci_raw_ops pci_direct_conf1 = {
21300 .read = pci_conf1_read,
21301 .write = pci_conf1_write,
21303 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
21305 #undef PCI_CONF2_ADDRESS
21307 -struct pci_raw_ops pci_direct_conf2 = {
21308 +const struct pci_raw_ops pci_direct_conf2 = {
21309 .read = pci_conf2_read,
21310 .write = pci_conf2_write,
21312 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
21313 * This should be close to trivial, but it isn't, because there are buggy
21314 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
21316 -static int __init pci_sanity_check(struct pci_raw_ops *o)
21317 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
21321 diff -urNp linux-2.6.38.6/arch/x86/pci/fixup.c linux-2.6.38.6/arch/x86/pci/fixup.c
21322 --- linux-2.6.38.6/arch/x86/pci/fixup.c 2011-03-14 21:20:32.000000000 -0400
21323 +++ linux-2.6.38.6/arch/x86/pci/fixup.c 2011-04-28 19:34:15.000000000 -0400
21324 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
21325 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
21332 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
21333 diff -urNp linux-2.6.38.6/arch/x86/pci/mmconfig_32.c linux-2.6.38.6/arch/x86/pci/mmconfig_32.c
21334 --- linux-2.6.38.6/arch/x86/pci/mmconfig_32.c 2011-03-14 21:20:32.000000000 -0400
21335 +++ linux-2.6.38.6/arch/x86/pci/mmconfig_32.c 2011-04-28 19:34:15.000000000 -0400
21336 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
21340 -static struct pci_raw_ops pci_mmcfg = {
21341 +static const struct pci_raw_ops pci_mmcfg = {
21342 .read = pci_mmcfg_read,
21343 .write = pci_mmcfg_write,
21345 diff -urNp linux-2.6.38.6/arch/x86/pci/mmconfig_64.c linux-2.6.38.6/arch/x86/pci/mmconfig_64.c
21346 --- linux-2.6.38.6/arch/x86/pci/mmconfig_64.c 2011-03-14 21:20:32.000000000 -0400
21347 +++ linux-2.6.38.6/arch/x86/pci/mmconfig_64.c 2011-04-28 19:34:15.000000000 -0400
21348 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
21352 -static struct pci_raw_ops pci_mmcfg = {
21353 +static const struct pci_raw_ops pci_mmcfg = {
21354 .read = pci_mmcfg_read,
21355 .write = pci_mmcfg_write,
21357 diff -urNp linux-2.6.38.6/arch/x86/pci/numaq_32.c linux-2.6.38.6/arch/x86/pci/numaq_32.c
21358 --- linux-2.6.38.6/arch/x86/pci/numaq_32.c 2011-03-14 21:20:32.000000000 -0400
21359 +++ linux-2.6.38.6/arch/x86/pci/numaq_32.c 2011-04-28 19:34:15.000000000 -0400
21360 @@ -108,7 +108,7 @@ static int pci_conf1_mq_write(unsigned i
21362 #undef PCI_CONF1_MQ_ADDRESS
21364 -static struct pci_raw_ops pci_direct_conf1_mq = {
21365 +static const struct pci_raw_ops pci_direct_conf1_mq = {
21366 .read = pci_conf1_mq_read,
21367 .write = pci_conf1_mq_write
21369 diff -urNp linux-2.6.38.6/arch/x86/pci/olpc.c linux-2.6.38.6/arch/x86/pci/olpc.c
21370 --- linux-2.6.38.6/arch/x86/pci/olpc.c 2011-03-14 21:20:32.000000000 -0400
21371 +++ linux-2.6.38.6/arch/x86/pci/olpc.c 2011-04-28 19:34:15.000000000 -0400
21372 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
21376 -static struct pci_raw_ops pci_olpc_conf = {
21377 +static const struct pci_raw_ops pci_olpc_conf = {
21378 .read = pci_olpc_read,
21379 .write = pci_olpc_write,
21381 diff -urNp linux-2.6.38.6/arch/x86/pci/pcbios.c linux-2.6.38.6/arch/x86/pci/pcbios.c
21382 --- linux-2.6.38.6/arch/x86/pci/pcbios.c 2011-03-14 21:20:32.000000000 -0400
21383 +++ linux-2.6.38.6/arch/x86/pci/pcbios.c 2011-04-28 19:34:15.000000000 -0400
21384 @@ -79,50 +79,93 @@ union bios32 {
21386 unsigned long address;
21387 unsigned short segment;
21388 -} bios32_indirect = { 0, __KERNEL_CS };
21389 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
21392 * Returns the entry point for the given service, NULL on error
21395 -static unsigned long bios32_service(unsigned long service)
21396 +static unsigned long __devinit bios32_service(unsigned long service)
21398 unsigned char return_code; /* %al */
21399 unsigned long address; /* %ebx */
21400 unsigned long length; /* %ecx */
21401 unsigned long entry; /* %edx */
21402 unsigned long flags;
21403 + struct desc_struct d, *gdt;
21405 local_irq_save(flags);
21406 - __asm__("lcall *(%%edi); cld"
21408 + gdt = get_cpu_gdt_table(smp_processor_id());
21410 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
21411 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
21412 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
21413 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
21415 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
21416 : "=a" (return_code),
21422 - "D" (&bios32_indirect));
21423 + "D" (&bios32_indirect),
21424 + "r"(__PCIBIOS_DS)
21427 + pax_open_kernel();
21428 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
21429 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
21430 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
21431 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
21432 + pax_close_kernel();
21434 local_irq_restore(flags);
21436 switch (return_code) {
21438 - return address + entry;
21439 - case 0x80: /* Not present */
21440 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
21442 - default: /* Shouldn't happen */
21443 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
21444 - service, return_code);
21447 + unsigned char flags;
21449 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
21450 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
21451 + printk(KERN_WARNING "bios32_service: not valid\n");
21454 + address = address + PAGE_OFFSET;
21455 + length += 16UL; /* some BIOSs underreport this... */
21457 + if (length >= 64*1024*1024) {
21458 + length >>= PAGE_SHIFT;
21462 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
21463 + gdt = get_cpu_gdt_table(cpu);
21464 + pack_descriptor(&d, address, length, 0x9b, flags);
21465 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
21466 + pack_descriptor(&d, address, length, 0x93, flags);
21467 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
21471 + case 0x80: /* Not present */
21472 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
21474 + default: /* Shouldn't happen */
21475 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
21476 + service, return_code);
21482 unsigned long address;
21483 unsigned short segment;
21484 -} pci_indirect = { 0, __KERNEL_CS };
21485 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
21487 -static int pci_bios_present;
21488 +static int pci_bios_present __read_only;
21490 static int __devinit check_pcibios(void)
21492 @@ -131,11 +174,13 @@ static int __devinit check_pcibios(void)
21493 unsigned long flags, pcibios_entry;
21495 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
21496 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
21497 + pci_indirect.address = pcibios_entry;
21499 local_irq_save(flags);
21501 - "lcall *(%%edi); cld\n\t"
21502 + __asm__("movw %w6, %%ds\n\t"
21503 + "lcall *%%ss:(%%edi); cld\n\t"
21509 @@ -144,7 +189,8 @@ static int __devinit check_pcibios(void)
21512 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
21513 - "D" (&pci_indirect)
21514 + "D" (&pci_indirect),
21515 + "r" (__PCIBIOS_DS)
21517 local_irq_restore(flags);
21519 @@ -188,7 +234,10 @@ static int pci_bios_read(unsigned int se
21523 - __asm__("lcall *(%%esi); cld\n\t"
21524 + __asm__("movw %w6, %%ds\n\t"
21525 + "lcall *%%ss:(%%esi); cld\n\t"
21531 @@ -197,7 +246,8 @@ static int pci_bios_read(unsigned int se
21532 : "1" (PCIBIOS_READ_CONFIG_BYTE),
21535 - "S" (&pci_indirect));
21536 + "S" (&pci_indirect),
21537 + "r" (__PCIBIOS_DS));
21539 * Zero-extend the result beyond 8 bits, do not trust the
21540 * BIOS having done it:
21541 @@ -205,7 +255,10 @@ static int pci_bios_read(unsigned int se
21545 - __asm__("lcall *(%%esi); cld\n\t"
21546 + __asm__("movw %w6, %%ds\n\t"
21547 + "lcall *%%ss:(%%esi); cld\n\t"
21553 @@ -214,7 +267,8 @@ static int pci_bios_read(unsigned int se
21554 : "1" (PCIBIOS_READ_CONFIG_WORD),
21557 - "S" (&pci_indirect));
21558 + "S" (&pci_indirect),
21559 + "r" (__PCIBIOS_DS));
21561 * Zero-extend the result beyond 16 bits, do not trust the
21562 * BIOS having done it:
21563 @@ -222,7 +276,10 @@ static int pci_bios_read(unsigned int se
21567 - __asm__("lcall *(%%esi); cld\n\t"
21568 + __asm__("movw %w6, %%ds\n\t"
21569 + "lcall *%%ss:(%%esi); cld\n\t"
21575 @@ -231,7 +288,8 @@ static int pci_bios_read(unsigned int se
21576 : "1" (PCIBIOS_READ_CONFIG_DWORD),
21579 - "S" (&pci_indirect));
21580 + "S" (&pci_indirect),
21581 + "r" (__PCIBIOS_DS));
21585 @@ -254,7 +312,10 @@ static int pci_bios_write(unsigned int s
21589 - __asm__("lcall *(%%esi); cld\n\t"
21590 + __asm__("movw %w6, %%ds\n\t"
21591 + "lcall *%%ss:(%%esi); cld\n\t"
21597 @@ -263,10 +324,14 @@ static int pci_bios_write(unsigned int s
21601 - "S" (&pci_indirect));
21602 + "S" (&pci_indirect),
21603 + "r" (__PCIBIOS_DS));
21606 - __asm__("lcall *(%%esi); cld\n\t"
21607 + __asm__("movw %w6, %%ds\n\t"
21608 + "lcall *%%ss:(%%esi); cld\n\t"
21614 @@ -275,10 +340,14 @@ static int pci_bios_write(unsigned int s
21618 - "S" (&pci_indirect));
21619 + "S" (&pci_indirect),
21620 + "r" (__PCIBIOS_DS));
21623 - __asm__("lcall *(%%esi); cld\n\t"
21624 + __asm__("movw %w6, %%ds\n\t"
21625 + "lcall *%%ss:(%%esi); cld\n\t"
21631 @@ -287,7 +356,8 @@ static int pci_bios_write(unsigned int s
21635 - "S" (&pci_indirect));
21636 + "S" (&pci_indirect),
21637 + "r" (__PCIBIOS_DS));
21641 @@ -301,7 +371,7 @@ static int pci_bios_write(unsigned int s
21642 * Function table for BIOS32 access
21645 -static struct pci_raw_ops pci_bios_access = {
21646 +static const struct pci_raw_ops pci_bios_access = {
21647 .read = pci_bios_read,
21648 .write = pci_bios_write
21650 @@ -310,7 +380,7 @@ static struct pci_raw_ops pci_bios_acces
21651 * Try to find PCI BIOS.
21654 -static struct pci_raw_ops * __devinit pci_find_bios(void)
21655 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
21657 union bios32 *check;
21659 @@ -392,10 +462,13 @@ struct irq_routing_table * pcibios_get_i
21661 DBG("PCI: Fetching IRQ routing table... ");
21662 __asm__("push %%es\n\t"
21663 + "movw %w8, %%ds\n\t"
21666 - "lcall *(%%esi); cld\n\t"
21667 + "lcall *%%ss:(%%esi); cld\n\t"
21674 @@ -406,7 +479,8 @@ struct irq_routing_table * pcibios_get_i
21677 "S" (&pci_indirect),
21680 + "r" (__PCIBIOS_DS)
21682 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
21684 @@ -430,7 +504,10 @@ int pcibios_set_irq_routing(struct pci_d
21688 - __asm__("lcall *(%%esi); cld\n\t"
21689 + __asm__("movw %w5, %%ds\n\t"
21690 + "lcall *%%ss:(%%esi); cld\n\t"
21696 @@ -438,7 +515,8 @@ int pcibios_set_irq_routing(struct pci_d
21697 : "0" (PCIBIOS_SET_PCI_HW_INT),
21698 "b" ((dev->bus->number << 8) | dev->devfn),
21699 "c" ((irq << 8) | (pin + 10)),
21700 - "S" (&pci_indirect));
21701 + "S" (&pci_indirect),
21702 + "r" (__PCIBIOS_DS));
21703 return !(ret & 0xff00);
21705 EXPORT_SYMBOL(pcibios_set_irq_routing);
21706 diff -urNp linux-2.6.38.6/arch/x86/platform/efi/efi_32.c linux-2.6.38.6/arch/x86/platform/efi/efi_32.c
21707 --- linux-2.6.38.6/arch/x86/platform/efi/efi_32.c 2011-03-14 21:20:32.000000000 -0400
21708 +++ linux-2.6.38.6/arch/x86/platform/efi/efi_32.c 2011-04-28 19:34:15.000000000 -0400
21709 @@ -38,70 +38,37 @@
21712 static unsigned long efi_rt_eflags;
21713 -static pgd_t efi_bak_pg_dir_pointer[2];
21714 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
21716 -void efi_call_phys_prelog(void)
21717 +void __init efi_call_phys_prelog(void)
21719 - unsigned long cr4;
21720 - unsigned long temp;
21721 struct desc_ptr gdt_descr;
21723 local_irq_save(efi_rt_eflags);
21726 - * If I don't have PAE, I should just duplicate two entries in page
21727 - * directory. If I have PAE, I just need to duplicate one entry in
21728 - * page directory.
21730 - cr4 = read_cr4_safe();
21732 - if (cr4 & X86_CR4_PAE) {
21733 - efi_bak_pg_dir_pointer[0].pgd =
21734 - swapper_pg_dir[pgd_index(0)].pgd;
21735 - swapper_pg_dir[0].pgd =
21736 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
21738 - efi_bak_pg_dir_pointer[0].pgd =
21739 - swapper_pg_dir[pgd_index(0)].pgd;
21740 - efi_bak_pg_dir_pointer[1].pgd =
21741 - swapper_pg_dir[pgd_index(0x400000)].pgd;
21742 - swapper_pg_dir[pgd_index(0)].pgd =
21743 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
21744 - temp = PAGE_OFFSET + 0x400000;
21745 - swapper_pg_dir[pgd_index(0x400000)].pgd =
21746 - swapper_pg_dir[pgd_index(temp)].pgd;
21748 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
21749 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
21750 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
21753 * After the lock is released, the original page table is restored.
21757 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
21758 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
21759 gdt_descr.size = GDT_SIZE - 1;
21760 load_gdt(&gdt_descr);
21763 -void efi_call_phys_epilog(void)
21764 +void __init efi_call_phys_epilog(void)
21766 - unsigned long cr4;
21767 struct desc_ptr gdt_descr;
21769 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
21770 + gdt_descr.address = get_cpu_gdt_table(0);
21771 gdt_descr.size = GDT_SIZE - 1;
21772 load_gdt(&gdt_descr);
21774 - cr4 = read_cr4_safe();
21776 - if (cr4 & X86_CR4_PAE) {
21777 - swapper_pg_dir[pgd_index(0)].pgd =
21778 - efi_bak_pg_dir_pointer[0].pgd;
21780 - swapper_pg_dir[pgd_index(0)].pgd =
21781 - efi_bak_pg_dir_pointer[0].pgd;
21782 - swapper_pg_dir[pgd_index(0x400000)].pgd =
21783 - efi_bak_pg_dir_pointer[1].pgd;
21785 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
21788 * After the lock is released, the original page table is restored.
21789 diff -urNp linux-2.6.38.6/arch/x86/platform/efi/efi_stub_32.S linux-2.6.38.6/arch/x86/platform/efi/efi_stub_32.S
21790 --- linux-2.6.38.6/arch/x86/platform/efi/efi_stub_32.S 2011-03-14 21:20:32.000000000 -0400
21791 +++ linux-2.6.38.6/arch/x86/platform/efi/efi_stub_32.S 2011-04-28 19:34:15.000000000 -0400
21795 #include <linux/linkage.h>
21796 +#include <linux/init.h>
21797 #include <asm/page_types.h>
21801 * service functions will comply with gcc calling convention, too.
21806 ENTRY(efi_call_phys)
21808 * 0. The function can only be called in Linux kernel. So CS has been
21809 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
21810 * The mapping of lower virtual memory has been created in prelog and
21814 - subl $__PAGE_OFFSET, %edx
21816 + jmp 1f-__PAGE_OFFSET
21820 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
21821 * parameter 2, ..., param n. To make things easy, we save the return
21822 * address of efi_call_phys in a global variable.
21825 - movl %edx, saved_return_addr
21826 - /* get the function pointer into ECX*/
21828 - movl %ecx, efi_rt_function_ptr
21830 - subl $__PAGE_OFFSET, %edx
21832 + popl (saved_return_addr)
21833 + popl (efi_rt_function_ptr)
21836 * 3. Clear PG bit in %CR0.
21837 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
21839 * 5. Call the physical function.
21842 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
21846 * 6. After EFI runtime service returns, control will return to
21847 * following instruction. We'd better readjust stack pointer first.
21848 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
21850 orl $0x80000000, %edx
21856 * 8. Now restore the virtual mode from flat mode by
21857 * adding EIP with PAGE_OFFSET.
21861 + jmp 1f+__PAGE_OFFSET
21865 * 9. Balance the stack. And because EAX contain the return value,
21866 * we'd better not clobber it.
21868 - leal efi_rt_function_ptr, %edx
21869 - movl (%edx), %ecx
21871 + pushl (efi_rt_function_ptr)
21874 - * 10. Push the saved return address onto the stack and return.
21875 + * 10. Return to the saved return address.
21877 - leal saved_return_addr, %edx
21878 - movl (%edx), %ecx
21881 + jmpl *(saved_return_addr)
21882 ENDPROC(efi_call_phys)
21889 efi_rt_function_ptr:
21890 diff -urNp linux-2.6.38.6/arch/x86/platform/uv/tlb_uv.c linux-2.6.38.6/arch/x86/platform/uv/tlb_uv.c
21891 --- linux-2.6.38.6/arch/x86/platform/uv/tlb_uv.c 2011-03-14 21:20:32.000000000 -0400
21892 +++ linux-2.6.38.6/arch/x86/platform/uv/tlb_uv.c 2011-05-16 21:47:08.000000000 -0400
21893 @@ -341,6 +341,8 @@ static void uv_reset_with_ipi(struct bau
21895 struct reset_args reset_args;
21897 + pax_track_stack();
21899 reset_args.sender = sender;
21902 diff -urNp linux-2.6.38.6/arch/x86/power/cpu.c linux-2.6.38.6/arch/x86/power/cpu.c
21903 --- linux-2.6.38.6/arch/x86/power/cpu.c 2011-03-14 21:20:32.000000000 -0400
21904 +++ linux-2.6.38.6/arch/x86/power/cpu.c 2011-04-28 19:34:15.000000000 -0400
21905 @@ -130,7 +130,7 @@ static void do_fpu_end(void)
21906 static void fix_processor_context(void)
21908 int cpu = smp_processor_id();
21909 - struct tss_struct *t = &per_cpu(init_tss, cpu);
21910 + struct tss_struct *t = init_tss + cpu;
21912 set_tss_desc(cpu, t); /*
21913 * This just modifies memory; should not be
21914 @@ -140,7 +140,9 @@ static void fix_processor_context(void)
21917 #ifdef CONFIG_X86_64
21918 + pax_open_kernel();
21919 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
21920 + pax_close_kernel();
21922 syscall_init(); /* This sets MSR_*STAR and related */
21924 diff -urNp linux-2.6.38.6/arch/x86/vdso/Makefile linux-2.6.38.6/arch/x86/vdso/Makefile
21925 --- linux-2.6.38.6/arch/x86/vdso/Makefile 2011-03-14 21:20:32.000000000 -0400
21926 +++ linux-2.6.38.6/arch/x86/vdso/Makefile 2011-04-28 19:34:15.000000000 -0400
21927 @@ -123,7 +123,7 @@ quiet_cmd_vdso = VDSO $@
21928 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
21929 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
21931 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
21932 +VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
21936 diff -urNp linux-2.6.38.6/arch/x86/vdso/vclock_gettime.c linux-2.6.38.6/arch/x86/vdso/vclock_gettime.c
21937 --- linux-2.6.38.6/arch/x86/vdso/vclock_gettime.c 2011-03-14 21:20:32.000000000 -0400
21938 +++ linux-2.6.38.6/arch/x86/vdso/vclock_gettime.c 2011-04-28 19:34:15.000000000 -0400
21939 @@ -22,24 +22,48 @@
21940 #include <asm/hpet.h>
21941 #include <asm/unistd.h>
21942 #include <asm/io.h>
21943 +#include <asm/fixmap.h>
21944 #include "vextern.h"
21946 #define gtod vdso_vsyscall_gtod_data
21948 +notrace noinline long __vdso_fallback_time(long *t)
21951 + asm volatile("syscall"
21953 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
21957 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
21960 asm("syscall" : "=a" (ret) :
21961 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
21962 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
21966 +notrace static inline cycle_t __vdso_vread_hpet(void)
21968 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
21971 +notrace static inline cycle_t __vdso_vread_tsc(void)
21973 + cycle_t ret = (cycle_t)vget_cycles();
21975 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
21978 notrace static inline long vgetns(void)
21981 - cycles_t (*vread)(void);
21982 - vread = gtod->clock.vread;
21983 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
21984 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
21985 + v = __vdso_vread_tsc();
21987 + v = __vdso_vread_hpet();
21988 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
21989 return (v * gtod->clock.mult) >> gtod->clock.shift;
21992 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
21994 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
21996 - if (likely(gtod->sysctl_enabled))
21997 + if (likely(gtod->sysctl_enabled &&
21998 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
21999 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
22001 case CLOCK_REALTIME:
22002 if (likely(gtod->clock.vread))
22003 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
22004 int clock_gettime(clockid_t, struct timespec *)
22005 __attribute__((weak, alias("__vdso_clock_gettime")));
22007 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
22008 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
22011 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
22012 + asm("syscall" : "=a" (ret) :
22013 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
22017 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
22019 + if (likely(gtod->sysctl_enabled &&
22020 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
22021 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
22023 if (likely(tv != NULL)) {
22024 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
22025 offsetof(struct timespec, tv_nsec) ||
22026 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
22030 - asm("syscall" : "=a" (ret) :
22031 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
22033 + return __vdso_fallback_gettimeofday(tv, tz);
22035 int gettimeofday(struct timeval *, struct timezone *)
22036 __attribute__((weak, alias("__vdso_gettimeofday")));
22037 diff -urNp linux-2.6.38.6/arch/x86/vdso/vdso32-setup.c linux-2.6.38.6/arch/x86/vdso/vdso32-setup.c
22038 --- linux-2.6.38.6/arch/x86/vdso/vdso32-setup.c 2011-03-14 21:20:32.000000000 -0400
22039 +++ linux-2.6.38.6/arch/x86/vdso/vdso32-setup.c 2011-04-28 19:34:15.000000000 -0400
22041 #include <asm/tlbflush.h>
22042 #include <asm/vdso.h>
22043 #include <asm/proto.h>
22044 +#include <asm/mman.h>
22048 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
22049 void enable_sep_cpu(void)
22051 int cpu = get_cpu();
22052 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
22053 + struct tss_struct *tss = init_tss + cpu;
22055 if (!boot_cpu_has(X86_FEATURE_SEP)) {
22057 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
22058 gate_vma.vm_start = FIXADDR_USER_START;
22059 gate_vma.vm_end = FIXADDR_USER_END;
22060 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
22061 - gate_vma.vm_page_prot = __P101;
22062 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
22064 * Make sure the vDSO gets into every core dump.
22065 * Dumping its contents makes post-mortem fully interpretable later
22066 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
22068 addr = VDSO_HIGH_BASE;
22070 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
22071 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
22072 if (IS_ERR_VALUE(addr)) {
22078 - current->mm->context.vdso = (void *)addr;
22079 + current->mm->context.vdso = addr;
22081 if (compat_uses_vma || !compat) {
22083 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
22086 current_thread_info()->sysenter_return =
22087 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
22088 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
22092 - current->mm->context.vdso = NULL;
22093 + current->mm->context.vdso = 0;
22095 up_write(&mm->mmap_sem);
22097 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
22099 const char *arch_vma_name(struct vm_area_struct *vma)
22101 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
22102 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
22105 +#ifdef CONFIG_PAX_SEGMEXEC
22106 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
22113 @@ -422,7 +429,7 @@ struct vm_area_struct *get_gate_vma(stru
22114 struct mm_struct *mm = tsk->mm;
22116 /* Check to see if this task was created in compat vdso mode */
22117 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
22118 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
22122 diff -urNp linux-2.6.38.6/arch/x86/vdso/vdso.lds.S linux-2.6.38.6/arch/x86/vdso/vdso.lds.S
22123 --- linux-2.6.38.6/arch/x86/vdso/vdso.lds.S 2011-03-14 21:20:32.000000000 -0400
22124 +++ linux-2.6.38.6/arch/x86/vdso/vdso.lds.S 2011-04-28 19:34:15.000000000 -0400
22125 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
22126 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
22127 #include "vextern.h"
22130 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
22131 +VEXTERN(fallback_gettimeofday)
22132 +VEXTERN(fallback_time)
22135 diff -urNp linux-2.6.38.6/arch/x86/vdso/vextern.h linux-2.6.38.6/arch/x86/vdso/vextern.h
22136 --- linux-2.6.38.6/arch/x86/vdso/vextern.h 2011-03-14 21:20:32.000000000 -0400
22137 +++ linux-2.6.38.6/arch/x86/vdso/vextern.h 2011-04-28 19:34:15.000000000 -0400
22139 put into vextern.h and be referenced as a pointer with vdso prefix.
22140 The main kernel later fills in the values. */
22143 VEXTERN(vgetcpu_mode)
22144 VEXTERN(vsyscall_gtod_data)
22145 diff -urNp linux-2.6.38.6/arch/x86/vdso/vma.c linux-2.6.38.6/arch/x86/vdso/vma.c
22146 --- linux-2.6.38.6/arch/x86/vdso/vma.c 2011-03-14 21:20:32.000000000 -0400
22147 +++ linux-2.6.38.6/arch/x86/vdso/vma.c 2011-04-28 19:34:15.000000000 -0400
22148 @@ -58,7 +58,7 @@ static int __init init_vdso_vars(void)
22152 - if (memcmp(vbase, "\177ELF", 4)) {
22153 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
22154 printk("VDSO: I'm broken; not ELF\n");
22157 @@ -118,7 +118,7 @@ int arch_setup_additional_pages(struct l
22161 - current->mm->context.vdso = (void *)addr;
22162 + current->mm->context.vdso = addr;
22164 ret = install_special_mapping(mm, addr, vdso_size,
22166 @@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
22170 - current->mm->context.vdso = NULL;
22171 + current->mm->context.vdso = 0;
22175 @@ -134,10 +134,3 @@ up_fail:
22176 up_write(&mm->mmap_sem);
22180 -static __init int vdso_setup(char *s)
22182 - vdso_enabled = simple_strtoul(s, NULL, 0);
22185 -__setup("vdso=", vdso_setup);
22186 diff -urNp linux-2.6.38.6/arch/x86/xen/enlighten.c linux-2.6.38.6/arch/x86/xen/enlighten.c
22187 --- linux-2.6.38.6/arch/x86/xen/enlighten.c 2011-03-14 21:20:32.000000000 -0400
22188 +++ linux-2.6.38.6/arch/x86/xen/enlighten.c 2011-04-28 19:34:15.000000000 -0400
22189 @@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
22191 struct shared_info xen_dummy_shared_info;
22193 -void *xen_initial_gdt;
22195 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
22196 __read_mostly int xen_have_vector_callback;
22197 EXPORT_SYMBOL_GPL(xen_have_vector_callback);
22198 @@ -1134,7 +1132,17 @@ asmlinkage void __init xen_start_kernel(
22199 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
22201 /* Work out if we support NX */
22202 - x86_configure_nx();
22203 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
22204 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
22205 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
22208 + __supported_pte_mask |= _PAGE_NX;
22209 + rdmsr(MSR_EFER, l, h);
22211 + wrmsr(MSR_EFER, l, h);
22215 xen_setup_features();
22217 @@ -1165,13 +1173,6 @@ asmlinkage void __init xen_start_kernel(
22219 machine_ops = xen_machine_ops;
22222 - * The only reliable way to retain the initial address of the
22223 - * percpu gdt_page is to remember it here, so we can go and
22224 - * mark it RW later, when the initial percpu area is freed.
22226 - xen_initial_gdt = &per_cpu(gdt_page, 0);
22230 #ifdef CONFIG_ACPI_NUMA
22231 diff -urNp linux-2.6.38.6/arch/x86/xen/mmu.c linux-2.6.38.6/arch/x86/xen/mmu.c
22232 --- linux-2.6.38.6/arch/x86/xen/mmu.c 2011-04-18 17:27:16.000000000 -0400
22233 +++ linux-2.6.38.6/arch/x86/xen/mmu.c 2011-04-28 19:34:15.000000000 -0400
22234 @@ -1721,6 +1721,8 @@ __init pgd_t *xen_setup_kernel_pagetable
22235 convert_pfn_mfn(init_level4_pgt);
22236 convert_pfn_mfn(level3_ident_pgt);
22237 convert_pfn_mfn(level3_kernel_pgt);
22238 + convert_pfn_mfn(level3_vmalloc_pgt);
22239 + convert_pfn_mfn(level3_vmemmap_pgt);
22241 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
22242 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
22243 @@ -1739,7 +1741,10 @@ __init pgd_t *xen_setup_kernel_pagetable
22244 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
22245 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
22246 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
22247 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
22248 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
22249 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
22250 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
22251 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
22252 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
22254 diff -urNp linux-2.6.38.6/arch/x86/xen/pci-swiotlb-xen.c linux-2.6.38.6/arch/x86/xen/pci-swiotlb-xen.c
22255 --- linux-2.6.38.6/arch/x86/xen/pci-swiotlb-xen.c 2011-03-14 21:20:32.000000000 -0400
22256 +++ linux-2.6.38.6/arch/x86/xen/pci-swiotlb-xen.c 2011-04-28 19:34:15.000000000 -0400
22259 int xen_swiotlb __read_mostly;
22261 -static struct dma_map_ops xen_swiotlb_dma_ops = {
22262 +static const struct dma_map_ops xen_swiotlb_dma_ops = {
22263 .mapping_error = xen_swiotlb_dma_mapping_error,
22264 .alloc_coherent = xen_swiotlb_alloc_coherent,
22265 .free_coherent = xen_swiotlb_free_coherent,
22266 diff -urNp linux-2.6.38.6/arch/x86/xen/smp.c linux-2.6.38.6/arch/x86/xen/smp.c
22267 --- linux-2.6.38.6/arch/x86/xen/smp.c 2011-03-14 21:20:32.000000000 -0400
22268 +++ linux-2.6.38.6/arch/x86/xen/smp.c 2011-05-11 18:34:57.000000000 -0400
22269 @@ -194,11 +194,6 @@ static void __init xen_smp_prepare_boot_
22271 BUG_ON(smp_processor_id() != 0);
22272 native_smp_prepare_boot_cpu();
22274 - /* We've switched to the "real" per-cpu gdt, so make sure the
22275 - old memory can be recycled */
22276 - make_lowmem_page_readwrite(xen_initial_gdt);
22278 xen_filter_cpu_maps();
22279 xen_setup_vcpu_info_placement();
22281 @@ -259,12 +254,12 @@ cpu_initialize_context(unsigned int cpu,
22282 gdt = get_cpu_gdt_table(cpu);
22284 ctxt->flags = VGCF_IN_KERNEL;
22285 - ctxt->user_regs.ds = __USER_DS;
22286 - ctxt->user_regs.es = __USER_DS;
22287 + ctxt->user_regs.ds = __KERNEL_DS;
22288 + ctxt->user_regs.es = __KERNEL_DS;
22289 ctxt->user_regs.ss = __KERNEL_DS;
22290 #ifdef CONFIG_X86_32
22291 ctxt->user_regs.fs = __KERNEL_PERCPU;
22292 - ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
22293 + savesegment(gs, ctxt->user_regs.gs);
22295 ctxt->gs_base_kernel = per_cpu_offset(cpu);
22297 @@ -315,13 +310,12 @@ static int __cpuinit xen_cpu_up(unsigned
22300 per_cpu(current_task, cpu) = idle;
22301 + per_cpu(current_tinfo, cpu) = &idle->tinfo;
22302 #ifdef CONFIG_X86_32
22305 clear_tsk_thread_flag(idle, TIF_FORK);
22306 - per_cpu(kernel_stack, cpu) =
22307 - (unsigned long)task_stack_page(idle) -
22308 - KERNEL_STACK_OFFSET + THREAD_SIZE;
22309 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
22311 xen_setup_runstate_info(cpu);
22312 xen_setup_timer(cpu);
22313 diff -urNp linux-2.6.38.6/arch/x86/xen/xen-asm_32.S linux-2.6.38.6/arch/x86/xen/xen-asm_32.S
22314 --- linux-2.6.38.6/arch/x86/xen/xen-asm_32.S 2011-03-14 21:20:32.000000000 -0400
22315 +++ linux-2.6.38.6/arch/x86/xen/xen-asm_32.S 2011-04-28 19:34:15.000000000 -0400
22316 @@ -83,14 +83,14 @@ ENTRY(xen_iret)
22317 ESP_OFFSET=4 # bytes pushed onto stack
22320 - * Store vcpu_info pointer for easy access. Do it this way to
22321 - * avoid having to reload %fs
22322 + * Store vcpu_info pointer for easy access.
22325 - GET_THREAD_INFO(%eax)
22326 - movl TI_cpu(%eax), %eax
22327 - movl __per_cpu_offset(,%eax,4), %eax
22328 - mov xen_vcpu(%eax), %eax
22330 + mov $(__KERNEL_PERCPU), %eax
22332 + mov PER_CPU_VAR(xen_vcpu), %eax
22335 movl xen_vcpu, %eax
22337 diff -urNp linux-2.6.38.6/arch/x86/xen/xen-head.S linux-2.6.38.6/arch/x86/xen/xen-head.S
22338 --- linux-2.6.38.6/arch/x86/xen/xen-head.S 2011-03-14 21:20:32.000000000 -0400
22339 +++ linux-2.6.38.6/arch/x86/xen/xen-head.S 2011-04-28 19:34:15.000000000 -0400
22340 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
22341 #ifdef CONFIG_X86_32
22342 mov %esi,xen_start_info
22343 mov $init_thread_union+THREAD_SIZE,%esp
22345 + movl $cpu_gdt_table,%edi
22346 + movl $__per_cpu_load,%eax
22347 + movw %ax,__KERNEL_PERCPU + 2(%edi)
22349 + movb %al,__KERNEL_PERCPU + 4(%edi)
22350 + movb %ah,__KERNEL_PERCPU + 7(%edi)
22351 + movl $__per_cpu_end - 1,%eax
22352 + subl $__per_cpu_start,%eax
22353 + movw %ax,__KERNEL_PERCPU + 0(%edi)
22356 mov %rsi,xen_start_info
22357 mov $init_thread_union+THREAD_SIZE,%rsp
22358 diff -urNp linux-2.6.38.6/arch/x86/xen/xen-ops.h linux-2.6.38.6/arch/x86/xen/xen-ops.h
22359 --- linux-2.6.38.6/arch/x86/xen/xen-ops.h 2011-03-14 21:20:32.000000000 -0400
22360 +++ linux-2.6.38.6/arch/x86/xen/xen-ops.h 2011-04-28 19:34:15.000000000 -0400
22362 extern const char xen_hypervisor_callback[];
22363 extern const char xen_failsafe_callback[];
22365 -extern void *xen_initial_gdt;
22368 void xen_copy_trap_info(struct trap_info *traps);
22370 diff -urNp linux-2.6.38.6/block/blk-iopoll.c linux-2.6.38.6/block/blk-iopoll.c
22371 --- linux-2.6.38.6/block/blk-iopoll.c 2011-03-14 21:20:32.000000000 -0400
22372 +++ linux-2.6.38.6/block/blk-iopoll.c 2011-04-28 19:34:15.000000000 -0400
22373 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
22375 EXPORT_SYMBOL(blk_iopoll_complete);
22377 -static void blk_iopoll_softirq(struct softirq_action *h)
22378 +static void blk_iopoll_softirq(void)
22380 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
22381 int rearm = 0, budget = blk_iopoll_budget;
22382 diff -urNp linux-2.6.38.6/block/blk-map.c linux-2.6.38.6/block/blk-map.c
22383 --- linux-2.6.38.6/block/blk-map.c 2011-03-14 21:20:32.000000000 -0400
22384 +++ linux-2.6.38.6/block/blk-map.c 2011-04-28 19:34:15.000000000 -0400
22385 @@ -301,7 +301,7 @@ int blk_rq_map_kern(struct request_queue
22389 - do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
22390 + do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf);
22392 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
22394 diff -urNp linux-2.6.38.6/block/blk-softirq.c linux-2.6.38.6/block/blk-softirq.c
22395 --- linux-2.6.38.6/block/blk-softirq.c 2011-03-14 21:20:32.000000000 -0400
22396 +++ linux-2.6.38.6/block/blk-softirq.c 2011-04-28 19:34:15.000000000 -0400
22397 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
22398 * Softirq action handler - move entries to local list and loop over them
22399 * while passing them to the queue registered handler.
22401 -static void blk_done_softirq(struct softirq_action *h)
22402 +static void blk_done_softirq(void)
22404 struct list_head *cpu_list, local_list;
22406 diff -urNp linux-2.6.38.6/block/bsg.c linux-2.6.38.6/block/bsg.c
22407 --- linux-2.6.38.6/block/bsg.c 2011-03-14 21:20:32.000000000 -0400
22408 +++ linux-2.6.38.6/block/bsg.c 2011-04-28 19:34:15.000000000 -0400
22409 @@ -176,16 +176,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
22410 struct sg_io_v4 *hdr, struct bsg_device *bd,
22411 fmode_t has_write_perm)
22413 + unsigned char tmpcmd[sizeof(rq->__cmd)];
22414 + unsigned char *cmdptr;
22416 if (hdr->request_len > BLK_MAX_CDB) {
22417 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
22421 + cmdptr = rq->cmd;
22425 - if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request,
22426 + if (copy_from_user(cmdptr, (void *)(unsigned long)hdr->request,
22430 + if (cmdptr != rq->cmd)
22431 + memcpy(rq->cmd, cmdptr, hdr->request_len);
22433 if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
22434 if (blk_verify_command(rq->cmd, has_write_perm))
22436 diff -urNp linux-2.6.38.6/block/scsi_ioctl.c linux-2.6.38.6/block/scsi_ioctl.c
22437 --- linux-2.6.38.6/block/scsi_ioctl.c 2011-03-14 21:20:32.000000000 -0400
22438 +++ linux-2.6.38.6/block/scsi_ioctl.c 2011-04-28 19:34:15.000000000 -0400
22439 @@ -222,8 +222,20 @@ EXPORT_SYMBOL(blk_verify_command);
22440 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
22441 struct sg_io_hdr *hdr, fmode_t mode)
22443 - if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
22444 + unsigned char tmpcmd[sizeof(rq->__cmd)];
22445 + unsigned char *cmdptr;
22447 + if (rq->cmd != rq->__cmd)
22448 + cmdptr = rq->cmd;
22452 + if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
22455 + if (cmdptr != rq->cmd)
22456 + memcpy(rq->cmd, cmdptr, hdr->cmd_len);
22458 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
22461 @@ -432,6 +444,8 @@ int sg_scsi_ioctl(struct request_queue *
22463 unsigned int in_len, out_len, bytes, opcode, cmdlen;
22464 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
22465 + unsigned char tmpcmd[sizeof(rq->__cmd)];
22466 + unsigned char *cmdptr;
22470 @@ -465,9 +479,18 @@ int sg_scsi_ioctl(struct request_queue *
22473 rq->cmd_len = cmdlen;
22474 - if (copy_from_user(rq->cmd, sic->data, cmdlen))
22476 + if (rq->cmd != rq->__cmd)
22477 + cmdptr = rq->cmd;
22481 + if (copy_from_user(cmdptr, sic->data, cmdlen))
22484 + if (rq->cmd != cmdptr)
22485 + memcpy(rq->cmd, cmdptr, cmdlen);
22487 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
22490 diff -urNp linux-2.6.38.6/crypto/serpent.c linux-2.6.38.6/crypto/serpent.c
22491 --- linux-2.6.38.6/crypto/serpent.c 2011-03-14 21:20:32.000000000 -0400
22492 +++ linux-2.6.38.6/crypto/serpent.c 2011-05-16 21:47:08.000000000 -0400
22493 @@ -224,6 +224,8 @@ static int serpent_setkey(struct crypto_
22494 u32 r0,r1,r2,r3,r4;
22497 + pax_track_stack();
22499 /* Copy key, add padding */
22501 for (i = 0; i < keylen; ++i)
22502 diff -urNp linux-2.6.38.6/Documentation/dontdiff linux-2.6.38.6/Documentation/dontdiff
22503 --- linux-2.6.38.6/Documentation/dontdiff 2011-03-14 21:20:32.000000000 -0400
22504 +++ linux-2.6.38.6/Documentation/dontdiff 2011-04-28 19:34:15.000000000 -0400
22524 @@ -49,11 +52,16 @@
22541 @@ -82,6 +90,8 @@ bvmlinux
22550 @@ -106,16 +116,19 @@ fore200e_mkfirm
22565 initramfs_data.cpio
22566 +initramfs_data.cpio.bz2
22567 initramfs_data.cpio.gz
22570 @@ -125,7 +138,6 @@ int32.c
22578 @@ -149,7 +161,9 @@ mkboot
22588 @@ -165,6 +179,7 @@ parse.h
22596 @@ -180,6 +195,7 @@ r600_reg_safe.h
22604 @@ -189,6 +205,7 @@ setup
22612 @@ -213,13 +230,17 @@ version.h*
22630 diff -urNp linux-2.6.38.6/Documentation/filesystems/sysfs.txt linux-2.6.38.6/Documentation/filesystems/sysfs.txt
22631 --- linux-2.6.38.6/Documentation/filesystems/sysfs.txt 2011-03-14 21:20:32.000000000 -0400
22632 +++ linux-2.6.38.6/Documentation/filesystems/sysfs.txt 2011-04-28 19:34:15.000000000 -0400
22633 @@ -123,8 +123,8 @@ set of sysfs operations for forwarding r
22634 show and store methods of the attribute owners.
22637 - ssize_t (*show)(struct kobject *, struct attribute *, char *);
22638 - ssize_t (*store)(struct kobject *, struct attribute *, const char *, size_t);
22639 + ssize_t (* const show)(struct kobject *, struct attribute *, char *);
22640 + ssize_t (* const store)(struct kobject *, struct attribute *, const char *, size_t);
22643 [ Subsystems should have already defined a struct kobj_type as a
22644 diff -urNp linux-2.6.38.6/Documentation/kernel-parameters.txt linux-2.6.38.6/Documentation/kernel-parameters.txt
22645 --- linux-2.6.38.6/Documentation/kernel-parameters.txt 2011-03-14 21:20:32.000000000 -0400
22646 +++ linux-2.6.38.6/Documentation/kernel-parameters.txt 2011-04-28 19:34:15.000000000 -0400
22647 @@ -1853,6 +1853,13 @@ bytes respectively. Such letter suffixes
22648 the specified number of seconds. This is to be used if
22649 your oopses keep scrolling off the screen.
22651 + pax_nouderef [X86] disables UDEREF. Most likely needed under certain
22652 + virtualization environments that don't cope well with the
22653 + expand down segment used by UDEREF on X86-32 or the frequent
22654 + page table updates on X86-64.
22656 + pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
22661 diff -urNp linux-2.6.38.6/drivers/acpi/apei/cper.c linux-2.6.38.6/drivers/acpi/apei/cper.c
22662 --- linux-2.6.38.6/drivers/acpi/apei/cper.c 2011-03-14 21:20:32.000000000 -0400
22663 +++ linux-2.6.38.6/drivers/acpi/apei/cper.c 2011-04-28 19:57:25.000000000 -0400
22664 @@ -37,12 +37,12 @@
22666 u64 cper_next_record_id(void)
22668 - static atomic64_t seq;
22669 + static atomic64_unchecked_t seq;
22671 - if (!atomic64_read(&seq))
22672 - atomic64_set(&seq, ((u64)get_seconds()) << 32);
22673 + if (!atomic64_read_unchecked(&seq))
22674 + atomic64_set_unchecked(&seq, ((u64)get_seconds()) << 32);
22676 - return atomic64_inc_return(&seq);
22677 + return atomic64_inc_return_unchecked(&seq);
22679 EXPORT_SYMBOL_GPL(cper_next_record_id);
22681 diff -urNp linux-2.6.38.6/drivers/acpi/battery.c linux-2.6.38.6/drivers/acpi/battery.c
22682 --- linux-2.6.38.6/drivers/acpi/battery.c 2011-05-10 22:06:27.000000000 -0400
22683 +++ linux-2.6.38.6/drivers/acpi/battery.c 2011-05-10 22:06:52.000000000 -0400
22684 @@ -864,7 +864,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
22687 static struct battery_file {
22688 - struct file_operations ops;
22689 + const struct file_operations ops;
22692 } acpi_battery_file[] = {
22693 diff -urNp linux-2.6.38.6/drivers/acpi/dock.c linux-2.6.38.6/drivers/acpi/dock.c
22694 --- linux-2.6.38.6/drivers/acpi/dock.c 2011-03-14 21:20:32.000000000 -0400
22695 +++ linux-2.6.38.6/drivers/acpi/dock.c 2011-04-28 19:34:15.000000000 -0400
22696 @@ -77,7 +77,7 @@ struct dock_dependent_device {
22697 struct list_head list;
22698 struct list_head hotplug_list;
22699 acpi_handle handle;
22700 - struct acpi_dock_ops *ops;
22701 + const struct acpi_dock_ops *ops;
22705 @@ -589,7 +589,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
22706 * the dock driver after _DCK is executed.
22709 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
22710 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
22713 struct dock_dependent_device *dd;
22714 diff -urNp linux-2.6.38.6/drivers/acpi/ec_sys.c linux-2.6.38.6/drivers/acpi/ec_sys.c
22715 --- linux-2.6.38.6/drivers/acpi/ec_sys.c 2011-03-14 21:20:32.000000000 -0400
22716 +++ linux-2.6.38.6/drivers/acpi/ec_sys.c 2011-04-28 19:34:15.000000000 -0400
22717 @@ -96,7 +96,7 @@ static ssize_t acpi_ec_write_io(struct f
22721 -static struct file_operations acpi_ec_io_ops = {
22722 +static const struct file_operations acpi_ec_io_ops = {
22723 .owner = THIS_MODULE,
22724 .open = acpi_ec_open_io,
22725 .read = acpi_ec_read_io,
22726 diff -urNp linux-2.6.38.6/drivers/acpi/power_meter.c linux-2.6.38.6/drivers/acpi/power_meter.c
22727 --- linux-2.6.38.6/drivers/acpi/power_meter.c 2011-03-14 21:20:32.000000000 -0400
22728 +++ linux-2.6.38.6/drivers/acpi/power_meter.c 2011-04-28 19:34:15.000000000 -0400
22729 @@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
22736 mutex_lock(&resource->lock);
22737 resource->trip[attr->index - 7] = temp;
22738 diff -urNp linux-2.6.38.6/drivers/acpi/proc.c linux-2.6.38.6/drivers/acpi/proc.c
22739 --- linux-2.6.38.6/drivers/acpi/proc.c 2011-03-14 21:20:32.000000000 -0400
22740 +++ linux-2.6.38.6/drivers/acpi/proc.c 2011-04-28 19:34:15.000000000 -0400
22741 @@ -342,19 +342,13 @@ acpi_system_write_wakeup_device(struct f
22742 size_t count, loff_t * ppos)
22744 struct list_head *node, *next;
22746 - char str[5] = "";
22747 - unsigned int len = count;
22753 + char strbuf[5] = {0};
22755 - if (copy_from_user(strbuf, buffer, len))
22758 + if (copy_from_user(strbuf, buffer, count))
22760 - strbuf[len] = '\0';
22761 - sscanf(strbuf, "%s", str);
22762 + strbuf[count] = '\0';
22764 mutex_lock(&acpi_device_lock);
22765 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
22766 @@ -363,7 +357,7 @@ acpi_system_write_wakeup_device(struct f
22767 if (!dev->wakeup.flags.valid)
22770 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
22771 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
22772 if (device_can_wakeup(&dev->dev)) {
22773 bool enable = !device_may_wakeup(&dev->dev);
22774 device_set_wakeup_enable(&dev->dev, enable);
22775 diff -urNp linux-2.6.38.6/drivers/acpi/processor_driver.c linux-2.6.38.6/drivers/acpi/processor_driver.c
22776 --- linux-2.6.38.6/drivers/acpi/processor_driver.c 2011-03-14 21:20:32.000000000 -0400
22777 +++ linux-2.6.38.6/drivers/acpi/processor_driver.c 2011-04-28 19:34:15.000000000 -0400
22778 @@ -473,7 +473,7 @@ static int __cpuinit acpi_processor_add(
22782 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
22783 + BUG_ON(pr->id >= nr_cpu_ids);
22787 diff -urNp linux-2.6.38.6/drivers/acpi/processor_idle.c linux-2.6.38.6/drivers/acpi/processor_idle.c
22788 --- linux-2.6.38.6/drivers/acpi/processor_idle.c 2011-03-14 21:20:32.000000000 -0400
22789 +++ linux-2.6.38.6/drivers/acpi/processor_idle.c 2011-04-28 19:34:15.000000000 -0400
22790 @@ -121,7 +121,7 @@ static struct dmi_system_id __cpuinitdat
22791 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
22792 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
22799 diff -urNp linux-2.6.38.6/drivers/ata/acard-ahci.c linux-2.6.38.6/drivers/ata/acard-ahci.c
22800 --- linux-2.6.38.6/drivers/ata/acard-ahci.c 2011-03-14 21:20:32.000000000 -0400
22801 +++ linux-2.6.38.6/drivers/ata/acard-ahci.c 2011-04-28 19:34:15.000000000 -0400
22802 @@ -87,7 +87,7 @@ static struct scsi_host_template acard_a
22803 AHCI_SHT("acard-ahci"),
22806 -static struct ata_port_operations acard_ops = {
22807 +static const struct ata_port_operations acard_ops = {
22808 .inherits = &ahci_ops,
22809 .qc_prep = acard_ahci_qc_prep,
22810 .qc_fill_rtf = acard_ahci_qc_fill_rtf,
22811 diff -urNp linux-2.6.38.6/drivers/ata/ahci.c linux-2.6.38.6/drivers/ata/ahci.c
22812 --- linux-2.6.38.6/drivers/ata/ahci.c 2011-05-10 22:06:27.000000000 -0400
22813 +++ linux-2.6.38.6/drivers/ata/ahci.c 2011-05-10 22:06:52.000000000 -0400
22814 @@ -94,17 +94,17 @@ static struct scsi_host_template ahci_sh
22818 -static struct ata_port_operations ahci_vt8251_ops = {
22819 +static const struct ata_port_operations ahci_vt8251_ops = {
22820 .inherits = &ahci_ops,
22821 .hardreset = ahci_vt8251_hardreset,
22824 -static struct ata_port_operations ahci_p5wdh_ops = {
22825 +static const struct ata_port_operations ahci_p5wdh_ops = {
22826 .inherits = &ahci_ops,
22827 .hardreset = ahci_p5wdh_hardreset,
22830 -static struct ata_port_operations ahci_sb600_ops = {
22831 +static const struct ata_port_operations ahci_sb600_ops = {
22832 .inherits = &ahci_ops,
22833 .softreset = ahci_sb600_softreset,
22834 .pmp_softreset = ahci_sb600_softreset,
22835 diff -urNp linux-2.6.38.6/drivers/ata/ahci.h linux-2.6.38.6/drivers/ata/ahci.h
22836 --- linux-2.6.38.6/drivers/ata/ahci.h 2011-03-14 21:20:32.000000000 -0400
22837 +++ linux-2.6.38.6/drivers/ata/ahci.h 2011-04-28 19:34:15.000000000 -0400
22838 @@ -309,7 +309,7 @@ extern struct device_attribute *ahci_sde
22839 .shost_attrs = ahci_shost_attrs, \
22840 .sdev_attrs = ahci_sdev_attrs
22842 -extern struct ata_port_operations ahci_ops;
22843 +extern const struct ata_port_operations ahci_ops;
22845 void ahci_fill_cmd_slot(struct ahci_port_priv *pp, unsigned int tag,
22847 diff -urNp linux-2.6.38.6/drivers/ata/ata_generic.c linux-2.6.38.6/drivers/ata/ata_generic.c
22848 --- linux-2.6.38.6/drivers/ata/ata_generic.c 2011-03-14 21:20:32.000000000 -0400
22849 +++ linux-2.6.38.6/drivers/ata/ata_generic.c 2011-04-28 19:34:15.000000000 -0400
22850 @@ -101,7 +101,7 @@ static struct scsi_host_template generic
22851 ATA_BMDMA_SHT(DRV_NAME),
22854 -static struct ata_port_operations generic_port_ops = {
22855 +static const struct ata_port_operations generic_port_ops = {
22856 .inherits = &ata_bmdma_port_ops,
22857 .cable_detect = ata_cable_unknown,
22858 .set_mode = generic_set_mode,
22859 diff -urNp linux-2.6.38.6/drivers/ata/ata_piix.c linux-2.6.38.6/drivers/ata/ata_piix.c
22860 --- linux-2.6.38.6/drivers/ata/ata_piix.c 2011-03-14 21:20:32.000000000 -0400
22861 +++ linux-2.6.38.6/drivers/ata/ata_piix.c 2011-04-28 19:34:15.000000000 -0400
22862 @@ -327,12 +327,12 @@ static struct scsi_host_template piix_sh
22863 ATA_BMDMA_SHT(DRV_NAME),
22866 -static struct ata_port_operations piix_sata_ops = {
22867 +static const struct ata_port_operations piix_sata_ops = {
22868 .inherits = &ata_bmdma32_port_ops,
22869 .sff_irq_check = piix_irq_check,
22872 -static struct ata_port_operations piix_pata_ops = {
22873 +static const struct ata_port_operations piix_pata_ops = {
22874 .inherits = &piix_sata_ops,
22875 .cable_detect = ata_cable_40wire,
22876 .set_piomode = piix_set_piomode,
22877 @@ -340,12 +340,12 @@ static struct ata_port_operations piix_p
22878 .prereset = piix_pata_prereset,
22881 -static struct ata_port_operations piix_vmw_ops = {
22882 +static const struct ata_port_operations piix_vmw_ops = {
22883 .inherits = &piix_pata_ops,
22884 .bmdma_status = piix_vmw_bmdma_status,
22887 -static struct ata_port_operations ich_pata_ops = {
22888 +static const struct ata_port_operations ich_pata_ops = {
22889 .inherits = &piix_pata_ops,
22890 .cable_detect = ich_pata_cable_detect,
22891 .set_dmamode = ich_set_dmamode,
22892 @@ -361,7 +361,7 @@ static struct scsi_host_template piix_si
22893 .shost_attrs = piix_sidpr_shost_attrs,
22896 -static struct ata_port_operations piix_sidpr_sata_ops = {
22897 +static const struct ata_port_operations piix_sidpr_sata_ops = {
22898 .inherits = &piix_sata_ops,
22899 .hardreset = sata_std_hardreset,
22900 .scr_read = piix_sidpr_scr_read,
22901 diff -urNp linux-2.6.38.6/drivers/ata/libahci.c linux-2.6.38.6/drivers/ata/libahci.c
22902 --- linux-2.6.38.6/drivers/ata/libahci.c 2011-05-10 22:06:27.000000000 -0400
22903 +++ linux-2.6.38.6/drivers/ata/libahci.c 2011-05-10 22:06:52.000000000 -0400
22904 @@ -137,7 +137,7 @@ struct device_attribute *ahci_sdev_attrs
22906 EXPORT_SYMBOL_GPL(ahci_sdev_attrs);
22908 -struct ata_port_operations ahci_ops = {
22909 +const struct ata_port_operations ahci_ops = {
22910 .inherits = &sata_pmp_port_ops,
22912 .qc_defer = ahci_pmp_qc_defer,
22913 diff -urNp linux-2.6.38.6/drivers/ata/libata-acpi.c linux-2.6.38.6/drivers/ata/libata-acpi.c
22914 --- linux-2.6.38.6/drivers/ata/libata-acpi.c 2011-03-14 21:20:32.000000000 -0400
22915 +++ linux-2.6.38.6/drivers/ata/libata-acpi.c 2011-04-28 19:34:15.000000000 -0400
22916 @@ -218,12 +218,12 @@ static void ata_acpi_dev_uevent(acpi_han
22917 ata_acpi_uevent(dev->link->ap, dev, event);
22920 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
22921 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
22922 .handler = ata_acpi_dev_notify_dock,
22923 .uevent = ata_acpi_dev_uevent,
22926 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
22927 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
22928 .handler = ata_acpi_ap_notify_dock,
22929 .uevent = ata_acpi_ap_uevent,
22931 diff -urNp linux-2.6.38.6/drivers/ata/libata-core.c linux-2.6.38.6/drivers/ata/libata-core.c
22932 --- linux-2.6.38.6/drivers/ata/libata-core.c 2011-05-10 22:06:27.000000000 -0400
22933 +++ linux-2.6.38.6/drivers/ata/libata-core.c 2011-05-10 22:06:52.000000000 -0400
22934 @@ -4746,7 +4746,7 @@ void ata_qc_free(struct ata_queued_cmd *
22935 struct ata_port *ap;
22938 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
22939 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
22943 @@ -4762,7 +4762,7 @@ void __ata_qc_complete(struct ata_queued
22944 struct ata_port *ap;
22945 struct ata_link *link;
22947 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
22948 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
22949 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
22951 link = qc->dev->link;
22952 @@ -5755,7 +5755,7 @@ static void ata_host_stop(struct device
22956 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
22957 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
22959 static DEFINE_SPINLOCK(lock);
22960 const struct ata_port_operations *cur;
22961 @@ -5767,6 +5767,7 @@ static void ata_finalize_port_ops(struct
22965 + pax_open_kernel();
22967 for (cur = ops->inherits; cur; cur = cur->inherits) {
22968 void **inherit = (void **)cur;
22969 @@ -5780,8 +5781,9 @@ static void ata_finalize_port_ops(struct
22973 - ops->inherits = NULL;
22974 + ((struct ata_port_operations *)ops)->inherits = NULL;
22976 + pax_close_kernel();
22977 spin_unlock(&lock);
22980 @@ -5878,7 +5880,7 @@ int ata_host_start(struct ata_host *host
22982 /* KILLME - the only user left is ipr */
22983 void ata_host_init(struct ata_host *host, struct device *dev,
22984 - unsigned long flags, struct ata_port_operations *ops)
22985 + unsigned long flags, const struct ata_port_operations *ops)
22987 spin_lock_init(&host->lock);
22988 mutex_init(&host->eh_mutex);
22989 @@ -6584,7 +6586,7 @@ static void ata_dummy_error_handler(stru
22993 -struct ata_port_operations ata_dummy_port_ops = {
22994 +const struct ata_port_operations ata_dummy_port_ops = {
22995 .qc_prep = ata_noop_qc_prep,
22996 .qc_issue = ata_dummy_qc_issue,
22997 .error_handler = ata_dummy_error_handler,
22998 diff -urNp linux-2.6.38.6/drivers/ata/libata-eh.c linux-2.6.38.6/drivers/ata/libata-eh.c
22999 --- linux-2.6.38.6/drivers/ata/libata-eh.c 2011-05-10 22:06:27.000000000 -0400
23000 +++ linux-2.6.38.6/drivers/ata/libata-eh.c 2011-05-17 19:31:43.000000000 -0400
23001 @@ -2478,6 +2478,8 @@ void ata_eh_report(struct ata_port *ap)
23003 struct ata_link *link;
23005 + pax_track_stack();
23007 ata_for_each_link(link, ap, HOST_FIRST)
23008 ata_eh_link_report(link);
23010 @@ -3276,7 +3278,7 @@ static int ata_eh_set_lpm(struct ata_lin
23011 struct ata_eh_context *ehc = &link->eh_context;
23012 struct ata_device *dev, *link_dev = NULL, *lpm_dev = NULL;
23013 enum ata_lpm_policy old_policy = link->lpm_policy;
23014 - bool no_dipm = ap->flags & ATA_FLAG_NO_DIPM;
23015 + bool no_dipm = link->ap->flags & ATA_FLAG_NO_DIPM;
23016 unsigned int hints = ATA_LPM_EMPTY | ATA_LPM_HIPM;
23017 unsigned int err_mask;
23019 @@ -3882,7 +3884,7 @@ void ata_do_eh(struct ata_port *ap, ata_
23021 void ata_std_error_handler(struct ata_port *ap)
23023 - struct ata_port_operations *ops = ap->ops;
23024 + const struct ata_port_operations *ops = ap->ops;
23025 ata_reset_fn_t hardreset = ops->hardreset;
23027 /* ignore built-in hardreset if SCR access is not available */
23028 diff -urNp linux-2.6.38.6/drivers/ata/libata-pmp.c linux-2.6.38.6/drivers/ata/libata-pmp.c
23029 --- linux-2.6.38.6/drivers/ata/libata-pmp.c 2011-03-14 21:20:32.000000000 -0400
23030 +++ linux-2.6.38.6/drivers/ata/libata-pmp.c 2011-04-28 19:34:15.000000000 -0400
23031 @@ -912,7 +912,7 @@ static int sata_pmp_handle_link_fail(str
23033 static int sata_pmp_eh_recover(struct ata_port *ap)
23035 - struct ata_port_operations *ops = ap->ops;
23036 + const struct ata_port_operations *ops = ap->ops;
23037 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
23038 struct ata_link *pmp_link = &ap->link;
23039 struct ata_device *pmp_dev = pmp_link->device;
23040 diff -urNp linux-2.6.38.6/drivers/ata/pata_acpi.c linux-2.6.38.6/drivers/ata/pata_acpi.c
23041 --- linux-2.6.38.6/drivers/ata/pata_acpi.c 2011-03-14 21:20:32.000000000 -0400
23042 +++ linux-2.6.38.6/drivers/ata/pata_acpi.c 2011-04-28 19:34:15.000000000 -0400
23043 @@ -216,7 +216,7 @@ static struct scsi_host_template pacpi_s
23044 ATA_BMDMA_SHT(DRV_NAME),
23047 -static struct ata_port_operations pacpi_ops = {
23048 +static const struct ata_port_operations pacpi_ops = {
23049 .inherits = &ata_bmdma_port_ops,
23050 .qc_issue = pacpi_qc_issue,
23051 .cable_detect = pacpi_cable_detect,
23052 diff -urNp linux-2.6.38.6/drivers/ata/pata_ali.c linux-2.6.38.6/drivers/ata/pata_ali.c
23053 --- linux-2.6.38.6/drivers/ata/pata_ali.c 2011-03-14 21:20:32.000000000 -0400
23054 +++ linux-2.6.38.6/drivers/ata/pata_ali.c 2011-04-28 19:34:15.000000000 -0400
23055 @@ -363,7 +363,7 @@ static struct scsi_host_template ali_sht
23056 * Port operations for PIO only ALi
23059 -static struct ata_port_operations ali_early_port_ops = {
23060 +static const struct ata_port_operations ali_early_port_ops = {
23061 .inherits = &ata_sff_port_ops,
23062 .cable_detect = ata_cable_40wire,
23063 .set_piomode = ali_set_piomode,
23064 @@ -380,7 +380,7 @@ static const struct ata_port_operations
23065 * Port operations for DMA capable ALi without cable
23068 -static struct ata_port_operations ali_20_port_ops = {
23069 +static const struct ata_port_operations ali_20_port_ops = {
23070 .inherits = &ali_dma_base_ops,
23071 .cable_detect = ata_cable_40wire,
23072 .mode_filter = ali_20_filter,
23073 @@ -391,7 +391,7 @@ static struct ata_port_operations ali_20
23075 * Port operations for DMA capable ALi with cable detect
23077 -static struct ata_port_operations ali_c2_port_ops = {
23078 +static const struct ata_port_operations ali_c2_port_ops = {
23079 .inherits = &ali_dma_base_ops,
23080 .check_atapi_dma = ali_check_atapi_dma,
23081 .cable_detect = ali_c2_cable_detect,
23082 @@ -402,7 +402,7 @@ static struct ata_port_operations ali_c2
23084 * Port operations for DMA capable ALi with cable detect
23086 -static struct ata_port_operations ali_c4_port_ops = {
23087 +static const struct ata_port_operations ali_c4_port_ops = {
23088 .inherits = &ali_dma_base_ops,
23089 .check_atapi_dma = ali_check_atapi_dma,
23090 .cable_detect = ali_c2_cable_detect,
23091 @@ -412,7 +412,7 @@ static struct ata_port_operations ali_c4
23093 * Port operations for DMA capable ALi with cable detect and LBA48
23095 -static struct ata_port_operations ali_c5_port_ops = {
23096 +static const struct ata_port_operations ali_c5_port_ops = {
23097 .inherits = &ali_dma_base_ops,
23098 .check_atapi_dma = ali_check_atapi_dma,
23099 .dev_config = ali_warn_atapi_dma,
23100 diff -urNp linux-2.6.38.6/drivers/ata/pata_amd.c linux-2.6.38.6/drivers/ata/pata_amd.c
23101 --- linux-2.6.38.6/drivers/ata/pata_amd.c 2011-03-14 21:20:32.000000000 -0400
23102 +++ linux-2.6.38.6/drivers/ata/pata_amd.c 2011-04-28 19:34:15.000000000 -0400
23103 @@ -397,28 +397,28 @@ static const struct ata_port_operations
23104 .prereset = amd_pre_reset,
23107 -static struct ata_port_operations amd33_port_ops = {
23108 +static const struct ata_port_operations amd33_port_ops = {
23109 .inherits = &amd_base_port_ops,
23110 .cable_detect = ata_cable_40wire,
23111 .set_piomode = amd33_set_piomode,
23112 .set_dmamode = amd33_set_dmamode,
23115 -static struct ata_port_operations amd66_port_ops = {
23116 +static const struct ata_port_operations amd66_port_ops = {
23117 .inherits = &amd_base_port_ops,
23118 .cable_detect = ata_cable_unknown,
23119 .set_piomode = amd66_set_piomode,
23120 .set_dmamode = amd66_set_dmamode,
23123 -static struct ata_port_operations amd100_port_ops = {
23124 +static const struct ata_port_operations amd100_port_ops = {
23125 .inherits = &amd_base_port_ops,
23126 .cable_detect = ata_cable_unknown,
23127 .set_piomode = amd100_set_piomode,
23128 .set_dmamode = amd100_set_dmamode,
23131 -static struct ata_port_operations amd133_port_ops = {
23132 +static const struct ata_port_operations amd133_port_ops = {
23133 .inherits = &amd_base_port_ops,
23134 .cable_detect = amd_cable_detect,
23135 .set_piomode = amd133_set_piomode,
23136 @@ -433,13 +433,13 @@ static const struct ata_port_operations
23137 .host_stop = nv_host_stop,
23140 -static struct ata_port_operations nv100_port_ops = {
23141 +static const struct ata_port_operations nv100_port_ops = {
23142 .inherits = &nv_base_port_ops,
23143 .set_piomode = nv100_set_piomode,
23144 .set_dmamode = nv100_set_dmamode,
23147 -static struct ata_port_operations nv133_port_ops = {
23148 +static const struct ata_port_operations nv133_port_ops = {
23149 .inherits = &nv_base_port_ops,
23150 .set_piomode = nv133_set_piomode,
23151 .set_dmamode = nv133_set_dmamode,
23152 diff -urNp linux-2.6.38.6/drivers/ata/pata_artop.c linux-2.6.38.6/drivers/ata/pata_artop.c
23153 --- linux-2.6.38.6/drivers/ata/pata_artop.c 2011-03-14 21:20:32.000000000 -0400
23154 +++ linux-2.6.38.6/drivers/ata/pata_artop.c 2011-04-28 19:34:15.000000000 -0400
23155 @@ -312,7 +312,7 @@ static struct scsi_host_template artop_s
23156 ATA_BMDMA_SHT(DRV_NAME),
23159 -static struct ata_port_operations artop6210_ops = {
23160 +static const struct ata_port_operations artop6210_ops = {
23161 .inherits = &ata_bmdma_port_ops,
23162 .cable_detect = ata_cable_40wire,
23163 .set_piomode = artop6210_set_piomode,
23164 @@ -321,7 +321,7 @@ static struct ata_port_operations artop6
23165 .qc_defer = artop6210_qc_defer,
23168 -static struct ata_port_operations artop6260_ops = {
23169 +static const struct ata_port_operations artop6260_ops = {
23170 .inherits = &ata_bmdma_port_ops,
23171 .cable_detect = artop6260_cable_detect,
23172 .set_piomode = artop6260_set_piomode,
23173 diff -urNp linux-2.6.38.6/drivers/ata/pata_at32.c linux-2.6.38.6/drivers/ata/pata_at32.c
23174 --- linux-2.6.38.6/drivers/ata/pata_at32.c 2011-03-14 21:20:32.000000000 -0400
23175 +++ linux-2.6.38.6/drivers/ata/pata_at32.c 2011-04-28 19:34:15.000000000 -0400
23176 @@ -173,7 +173,7 @@ static struct scsi_host_template at32_sh
23177 ATA_PIO_SHT(DRV_NAME),
23180 -static struct ata_port_operations at32_port_ops = {
23181 +static const struct ata_port_operations at32_port_ops = {
23182 .inherits = &ata_sff_port_ops,
23183 .cable_detect = ata_cable_40wire,
23184 .set_piomode = pata_at32_set_piomode,
23185 diff -urNp linux-2.6.38.6/drivers/ata/pata_at91.c linux-2.6.38.6/drivers/ata/pata_at91.c
23186 --- linux-2.6.38.6/drivers/ata/pata_at91.c 2011-03-14 21:20:32.000000000 -0400
23187 +++ linux-2.6.38.6/drivers/ata/pata_at91.c 2011-04-28 19:34:15.000000000 -0400
23188 @@ -196,7 +196,7 @@ static struct scsi_host_template pata_at
23189 ATA_PIO_SHT(DRV_NAME),
23192 -static struct ata_port_operations pata_at91_port_ops = {
23193 +static const struct ata_port_operations pata_at91_port_ops = {
23194 .inherits = &ata_sff_port_ops,
23196 .sff_data_xfer = pata_at91_data_xfer_noirq,
23197 diff -urNp linux-2.6.38.6/drivers/ata/pata_atiixp.c linux-2.6.38.6/drivers/ata/pata_atiixp.c
23198 --- linux-2.6.38.6/drivers/ata/pata_atiixp.c 2011-03-14 21:20:32.000000000 -0400
23199 +++ linux-2.6.38.6/drivers/ata/pata_atiixp.c 2011-04-28 19:34:15.000000000 -0400
23200 @@ -214,7 +214,7 @@ static struct scsi_host_template atiixp_
23201 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
23204 -static struct ata_port_operations atiixp_port_ops = {
23205 +static const struct ata_port_operations atiixp_port_ops = {
23206 .inherits = &ata_bmdma_port_ops,
23208 .qc_prep = ata_bmdma_dumb_qc_prep,
23209 diff -urNp linux-2.6.38.6/drivers/ata/pata_atp867x.c linux-2.6.38.6/drivers/ata/pata_atp867x.c
23210 --- linux-2.6.38.6/drivers/ata/pata_atp867x.c 2011-03-14 21:20:32.000000000 -0400
23211 +++ linux-2.6.38.6/drivers/ata/pata_atp867x.c 2011-04-28 19:34:15.000000000 -0400
23212 @@ -275,7 +275,7 @@ static struct scsi_host_template atp867x
23213 ATA_BMDMA_SHT(DRV_NAME),
23216 -static struct ata_port_operations atp867x_ops = {
23217 +static const struct ata_port_operations atp867x_ops = {
23218 .inherits = &ata_bmdma_port_ops,
23219 .cable_detect = atp867x_cable_detect,
23220 .set_piomode = atp867x_set_piomode,
23221 diff -urNp linux-2.6.38.6/drivers/ata/pata_bf54x.c linux-2.6.38.6/drivers/ata/pata_bf54x.c
23222 --- linux-2.6.38.6/drivers/ata/pata_bf54x.c 2011-03-14 21:20:32.000000000 -0400
23223 +++ linux-2.6.38.6/drivers/ata/pata_bf54x.c 2011-04-28 19:34:15.000000000 -0400
23224 @@ -1420,7 +1420,7 @@ static struct scsi_host_template bfin_sh
23225 .dma_boundary = ATA_DMA_BOUNDARY,
23228 -static struct ata_port_operations bfin_pata_ops = {
23229 +static const struct ata_port_operations bfin_pata_ops = {
23230 .inherits = &ata_bmdma_port_ops,
23232 .set_piomode = bfin_set_piomode,
23233 diff -urNp linux-2.6.38.6/drivers/ata/pata_cmd640.c linux-2.6.38.6/drivers/ata/pata_cmd640.c
23234 --- linux-2.6.38.6/drivers/ata/pata_cmd640.c 2011-03-14 21:20:32.000000000 -0400
23235 +++ linux-2.6.38.6/drivers/ata/pata_cmd640.c 2011-04-28 19:34:15.000000000 -0400
23236 @@ -176,7 +176,7 @@ static struct scsi_host_template cmd640_
23237 ATA_PIO_SHT(DRV_NAME),
23240 -static struct ata_port_operations cmd640_port_ops = {
23241 +static const struct ata_port_operations cmd640_port_ops = {
23242 .inherits = &ata_sff_port_ops,
23243 /* In theory xfer_noirq is not needed once we kill the prefetcher */
23244 .sff_data_xfer = ata_sff_data_xfer_noirq,
23245 diff -urNp linux-2.6.38.6/drivers/ata/pata_cmd64x.c linux-2.6.38.6/drivers/ata/pata_cmd64x.c
23246 --- linux-2.6.38.6/drivers/ata/pata_cmd64x.c 2011-03-14 21:20:32.000000000 -0400
23247 +++ linux-2.6.38.6/drivers/ata/pata_cmd64x.c 2011-04-28 19:34:15.000000000 -0400
23248 @@ -268,18 +268,18 @@ static const struct ata_port_operations
23249 .set_dmamode = cmd64x_set_dmamode,
23252 -static struct ata_port_operations cmd64x_port_ops = {
23253 +static const struct ata_port_operations cmd64x_port_ops = {
23254 .inherits = &cmd64x_base_ops,
23255 .cable_detect = ata_cable_40wire,
23258 -static struct ata_port_operations cmd646r1_port_ops = {
23259 +static const struct ata_port_operations cmd646r1_port_ops = {
23260 .inherits = &cmd64x_base_ops,
23261 .bmdma_stop = cmd646r1_bmdma_stop,
23262 .cable_detect = ata_cable_40wire,
23265 -static struct ata_port_operations cmd648_port_ops = {
23266 +static const struct ata_port_operations cmd648_port_ops = {
23267 .inherits = &cmd64x_base_ops,
23268 .bmdma_stop = cmd648_bmdma_stop,
23269 .cable_detect = cmd648_cable_detect,
23270 diff -urNp linux-2.6.38.6/drivers/ata/pata_cs5520.c linux-2.6.38.6/drivers/ata/pata_cs5520.c
23271 --- linux-2.6.38.6/drivers/ata/pata_cs5520.c 2011-03-14 21:20:32.000000000 -0400
23272 +++ linux-2.6.38.6/drivers/ata/pata_cs5520.c 2011-04-28 19:34:15.000000000 -0400
23273 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
23274 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
23277 -static struct ata_port_operations cs5520_port_ops = {
23278 +static const struct ata_port_operations cs5520_port_ops = {
23279 .inherits = &ata_bmdma_port_ops,
23280 .qc_prep = ata_bmdma_dumb_qc_prep,
23281 .cable_detect = ata_cable_40wire,
23282 diff -urNp linux-2.6.38.6/drivers/ata/pata_cs5530.c linux-2.6.38.6/drivers/ata/pata_cs5530.c
23283 --- linux-2.6.38.6/drivers/ata/pata_cs5530.c 2011-03-14 21:20:32.000000000 -0400
23284 +++ linux-2.6.38.6/drivers/ata/pata_cs5530.c 2011-04-28 19:34:15.000000000 -0400
23285 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
23286 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
23289 -static struct ata_port_operations cs5530_port_ops = {
23290 +static const struct ata_port_operations cs5530_port_ops = {
23291 .inherits = &ata_bmdma_port_ops,
23293 .qc_prep = ata_bmdma_dumb_qc_prep,
23294 diff -urNp linux-2.6.38.6/drivers/ata/pata_cs5535.c linux-2.6.38.6/drivers/ata/pata_cs5535.c
23295 --- linux-2.6.38.6/drivers/ata/pata_cs5535.c 2011-03-14 21:20:32.000000000 -0400
23296 +++ linux-2.6.38.6/drivers/ata/pata_cs5535.c 2011-04-28 19:34:15.000000000 -0400
23297 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
23298 ATA_BMDMA_SHT(DRV_NAME),
23301 -static struct ata_port_operations cs5535_port_ops = {
23302 +static const struct ata_port_operations cs5535_port_ops = {
23303 .inherits = &ata_bmdma_port_ops,
23304 .cable_detect = cs5535_cable_detect,
23305 .set_piomode = cs5535_set_piomode,
23306 diff -urNp linux-2.6.38.6/drivers/ata/pata_cs5536.c linux-2.6.38.6/drivers/ata/pata_cs5536.c
23307 --- linux-2.6.38.6/drivers/ata/pata_cs5536.c 2011-03-14 21:20:32.000000000 -0400
23308 +++ linux-2.6.38.6/drivers/ata/pata_cs5536.c 2011-04-28 19:34:15.000000000 -0400
23309 @@ -233,7 +233,7 @@ static struct scsi_host_template cs5536_
23310 ATA_BMDMA_SHT(DRV_NAME),
23313 -static struct ata_port_operations cs5536_port_ops = {
23314 +static const struct ata_port_operations cs5536_port_ops = {
23315 .inherits = &ata_bmdma32_port_ops,
23316 .cable_detect = cs5536_cable_detect,
23317 .set_piomode = cs5536_set_piomode,
23318 diff -urNp linux-2.6.38.6/drivers/ata/pata_cypress.c linux-2.6.38.6/drivers/ata/pata_cypress.c
23319 --- linux-2.6.38.6/drivers/ata/pata_cypress.c 2011-03-14 21:20:32.000000000 -0400
23320 +++ linux-2.6.38.6/drivers/ata/pata_cypress.c 2011-04-28 19:34:15.000000000 -0400
23321 @@ -115,7 +115,7 @@ static struct scsi_host_template cy82c69
23322 ATA_BMDMA_SHT(DRV_NAME),
23325 -static struct ata_port_operations cy82c693_port_ops = {
23326 +static const struct ata_port_operations cy82c693_port_ops = {
23327 .inherits = &ata_bmdma_port_ops,
23328 .cable_detect = ata_cable_40wire,
23329 .set_piomode = cy82c693_set_piomode,
23330 diff -urNp linux-2.6.38.6/drivers/ata/pata_efar.c linux-2.6.38.6/drivers/ata/pata_efar.c
23331 --- linux-2.6.38.6/drivers/ata/pata_efar.c 2011-03-14 21:20:32.000000000 -0400
23332 +++ linux-2.6.38.6/drivers/ata/pata_efar.c 2011-04-28 19:34:15.000000000 -0400
23333 @@ -238,7 +238,7 @@ static struct scsi_host_template efar_sh
23334 ATA_BMDMA_SHT(DRV_NAME),
23337 -static struct ata_port_operations efar_ops = {
23338 +static const struct ata_port_operations efar_ops = {
23339 .inherits = &ata_bmdma_port_ops,
23340 .cable_detect = efar_cable_detect,
23341 .set_piomode = efar_set_piomode,
23342 diff -urNp linux-2.6.38.6/drivers/ata/pata_hpt366.c linux-2.6.38.6/drivers/ata/pata_hpt366.c
23343 --- linux-2.6.38.6/drivers/ata/pata_hpt366.c 2011-03-14 21:20:32.000000000 -0400
23344 +++ linux-2.6.38.6/drivers/ata/pata_hpt366.c 2011-04-28 19:34:15.000000000 -0400
23345 @@ -275,7 +275,7 @@ static struct scsi_host_template hpt36x_
23346 * Configuration for HPT366/68
23349 -static struct ata_port_operations hpt366_port_ops = {
23350 +static const struct ata_port_operations hpt366_port_ops = {
23351 .inherits = &ata_bmdma_port_ops,
23352 .cable_detect = hpt36x_cable_detect,
23353 .mode_filter = hpt366_filter,
23354 diff -urNp linux-2.6.38.6/drivers/ata/pata_hpt37x.c linux-2.6.38.6/drivers/ata/pata_hpt37x.c
23355 --- linux-2.6.38.6/drivers/ata/pata_hpt37x.c 2011-03-14 21:20:32.000000000 -0400
23356 +++ linux-2.6.38.6/drivers/ata/pata_hpt37x.c 2011-04-28 19:34:15.000000000 -0400
23357 @@ -587,7 +587,7 @@ static struct scsi_host_template hpt37x_
23358 * Configuration for HPT370
23361 -static struct ata_port_operations hpt370_port_ops = {
23362 +static const struct ata_port_operations hpt370_port_ops = {
23363 .inherits = &ata_bmdma_port_ops,
23365 .bmdma_stop = hpt370_bmdma_stop,
23366 @@ -603,7 +603,7 @@ static struct ata_port_operations hpt370
23367 * Configuration for HPT370A. Close to 370 but less filters
23370 -static struct ata_port_operations hpt370a_port_ops = {
23371 +static const struct ata_port_operations hpt370a_port_ops = {
23372 .inherits = &hpt370_port_ops,
23373 .mode_filter = hpt370a_filter,
23375 @@ -613,7 +613,7 @@ static struct ata_port_operations hpt370
23376 * mode setting functionality.
23379 -static struct ata_port_operations hpt302_port_ops = {
23380 +static const struct ata_port_operations hpt302_port_ops = {
23381 .inherits = &ata_bmdma_port_ops,
23383 .bmdma_stop = hpt37x_bmdma_stop,
23384 @@ -629,7 +629,7 @@ static struct ata_port_operations hpt302
23385 * but we have a mode filter.
23388 -static struct ata_port_operations hpt372_port_ops = {
23389 +static const struct ata_port_operations hpt372_port_ops = {
23390 .inherits = &hpt302_port_ops,
23391 .mode_filter = hpt372_filter,
23393 @@ -639,7 +639,7 @@ static struct ata_port_operations hpt372
23394 * but we have a different cable detection procedure for function 1.
23397 -static struct ata_port_operations hpt374_fn1_port_ops = {
23398 +static const struct ata_port_operations hpt374_fn1_port_ops = {
23399 .inherits = &hpt372_port_ops,
23400 .cable_detect = hpt374_fn1_cable_detect,
23402 diff -urNp linux-2.6.38.6/drivers/ata/pata_hpt3x2n.c linux-2.6.38.6/drivers/ata/pata_hpt3x2n.c
23403 --- linux-2.6.38.6/drivers/ata/pata_hpt3x2n.c 2011-03-14 21:20:32.000000000 -0400
23404 +++ linux-2.6.38.6/drivers/ata/pata_hpt3x2n.c 2011-04-28 19:34:15.000000000 -0400
23405 @@ -348,7 +348,7 @@ static struct scsi_host_template hpt3x2n
23406 * Configuration for HPT302N/371N.
23409 -static struct ata_port_operations hpt3xxn_port_ops = {
23410 +static const struct ata_port_operations hpt3xxn_port_ops = {
23411 .inherits = &ata_bmdma_port_ops,
23413 .bmdma_stop = hpt3x2n_bmdma_stop,
23414 @@ -366,7 +366,7 @@ static struct ata_port_operations hpt3xx
23415 * Configuration for HPT372N. Same as 302N/371N but we have a mode filter.
23418 -static struct ata_port_operations hpt372n_port_ops = {
23419 +static const struct ata_port_operations hpt372n_port_ops = {
23420 .inherits = &hpt3xxn_port_ops,
23421 .mode_filter = &hpt372n_filter,
23423 diff -urNp linux-2.6.38.6/drivers/ata/pata_hpt3x3.c linux-2.6.38.6/drivers/ata/pata_hpt3x3.c
23424 --- linux-2.6.38.6/drivers/ata/pata_hpt3x3.c 2011-03-14 21:20:32.000000000 -0400
23425 +++ linux-2.6.38.6/drivers/ata/pata_hpt3x3.c 2011-04-28 19:34:15.000000000 -0400
23426 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
23427 ATA_BMDMA_SHT(DRV_NAME),
23430 -static struct ata_port_operations hpt3x3_port_ops = {
23431 +static const struct ata_port_operations hpt3x3_port_ops = {
23432 .inherits = &ata_bmdma_port_ops,
23433 .cable_detect = ata_cable_40wire,
23434 .set_piomode = hpt3x3_set_piomode,
23435 diff -urNp linux-2.6.38.6/drivers/ata/pata_icside.c linux-2.6.38.6/drivers/ata/pata_icside.c
23436 --- linux-2.6.38.6/drivers/ata/pata_icside.c 2011-03-14 21:20:32.000000000 -0400
23437 +++ linux-2.6.38.6/drivers/ata/pata_icside.c 2011-04-28 19:34:15.000000000 -0400
23438 @@ -320,7 +320,7 @@ static void pata_icside_postreset(struct
23442 -static struct ata_port_operations pata_icside_port_ops = {
23443 +static const struct ata_port_operations pata_icside_port_ops = {
23444 .inherits = &ata_bmdma_port_ops,
23445 /* no need to build any PRD tables for DMA */
23446 .qc_prep = ata_noop_qc_prep,
23447 diff -urNp linux-2.6.38.6/drivers/ata/pata_isapnp.c linux-2.6.38.6/drivers/ata/pata_isapnp.c
23448 --- linux-2.6.38.6/drivers/ata/pata_isapnp.c 2011-03-14 21:20:32.000000000 -0400
23449 +++ linux-2.6.38.6/drivers/ata/pata_isapnp.c 2011-04-28 19:34:15.000000000 -0400
23450 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
23451 ATA_PIO_SHT(DRV_NAME),
23454 -static struct ata_port_operations isapnp_port_ops = {
23455 +static const struct ata_port_operations isapnp_port_ops = {
23456 .inherits = &ata_sff_port_ops,
23457 .cable_detect = ata_cable_40wire,
23460 -static struct ata_port_operations isapnp_noalt_port_ops = {
23461 +static const struct ata_port_operations isapnp_noalt_port_ops = {
23462 .inherits = &ata_sff_port_ops,
23463 .cable_detect = ata_cable_40wire,
23464 /* No altstatus so we don't want to use the lost interrupt poll */
23465 diff -urNp linux-2.6.38.6/drivers/ata/pata_it8213.c linux-2.6.38.6/drivers/ata/pata_it8213.c
23466 --- linux-2.6.38.6/drivers/ata/pata_it8213.c 2011-03-14 21:20:32.000000000 -0400
23467 +++ linux-2.6.38.6/drivers/ata/pata_it8213.c 2011-04-28 19:34:15.000000000 -0400
23468 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
23472 -static struct ata_port_operations it8213_ops = {
23473 +static const struct ata_port_operations it8213_ops = {
23474 .inherits = &ata_bmdma_port_ops,
23475 .cable_detect = it8213_cable_detect,
23476 .set_piomode = it8213_set_piomode,
23477 diff -urNp linux-2.6.38.6/drivers/ata/pata_it821x.c linux-2.6.38.6/drivers/ata/pata_it821x.c
23478 --- linux-2.6.38.6/drivers/ata/pata_it821x.c 2011-03-14 21:20:32.000000000 -0400
23479 +++ linux-2.6.38.6/drivers/ata/pata_it821x.c 2011-04-28 19:34:15.000000000 -0400
23480 @@ -801,7 +801,7 @@ static struct scsi_host_template it821x_
23481 ATA_BMDMA_SHT(DRV_NAME),
23484 -static struct ata_port_operations it821x_smart_port_ops = {
23485 +static const struct ata_port_operations it821x_smart_port_ops = {
23486 .inherits = &ata_bmdma_port_ops,
23488 .check_atapi_dma= it821x_check_atapi_dma,
23489 @@ -815,7 +815,7 @@ static struct ata_port_operations it821x
23490 .port_start = it821x_port_start,
23493 -static struct ata_port_operations it821x_passthru_port_ops = {
23494 +static const struct ata_port_operations it821x_passthru_port_ops = {
23495 .inherits = &ata_bmdma_port_ops,
23497 .check_atapi_dma= it821x_check_atapi_dma,
23498 @@ -831,7 +831,7 @@ static struct ata_port_operations it821x
23499 .port_start = it821x_port_start,
23502 -static struct ata_port_operations it821x_rdc_port_ops = {
23503 +static const struct ata_port_operations it821x_rdc_port_ops = {
23504 .inherits = &ata_bmdma_port_ops,
23506 .check_atapi_dma= it821x_check_atapi_dma,
23507 diff -urNp linux-2.6.38.6/drivers/ata/pata_ixp4xx_cf.c linux-2.6.38.6/drivers/ata/pata_ixp4xx_cf.c
23508 --- linux-2.6.38.6/drivers/ata/pata_ixp4xx_cf.c 2011-03-14 21:20:32.000000000 -0400
23509 +++ linux-2.6.38.6/drivers/ata/pata_ixp4xx_cf.c 2011-04-28 19:34:15.000000000 -0400
23510 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
23511 ATA_PIO_SHT(DRV_NAME),
23514 -static struct ata_port_operations ixp4xx_port_ops = {
23515 +static const struct ata_port_operations ixp4xx_port_ops = {
23516 .inherits = &ata_sff_port_ops,
23517 .sff_data_xfer = ixp4xx_mmio_data_xfer,
23518 .cable_detect = ata_cable_40wire,
23519 diff -urNp linux-2.6.38.6/drivers/ata/pata_jmicron.c linux-2.6.38.6/drivers/ata/pata_jmicron.c
23520 --- linux-2.6.38.6/drivers/ata/pata_jmicron.c 2011-03-14 21:20:32.000000000 -0400
23521 +++ linux-2.6.38.6/drivers/ata/pata_jmicron.c 2011-04-28 19:34:15.000000000 -0400
23522 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
23523 ATA_BMDMA_SHT(DRV_NAME),
23526 -static struct ata_port_operations jmicron_ops = {
23527 +static const struct ata_port_operations jmicron_ops = {
23528 .inherits = &ata_bmdma_port_ops,
23529 .prereset = jmicron_pre_reset,
23531 diff -urNp linux-2.6.38.6/drivers/ata/pata_legacy.c linux-2.6.38.6/drivers/ata/pata_legacy.c
23532 --- linux-2.6.38.6/drivers/ata/pata_legacy.c 2011-03-14 21:20:32.000000000 -0400
23533 +++ linux-2.6.38.6/drivers/ata/pata_legacy.c 2011-04-28 19:34:15.000000000 -0400
23534 @@ -116,7 +116,7 @@ struct legacy_probe {
23536 struct legacy_controller {
23538 - struct ata_port_operations *ops;
23539 + const struct ata_port_operations *ops;
23540 unsigned int pio_mask;
23541 unsigned int flags;
23542 unsigned int pflags;
23543 @@ -239,12 +239,12 @@ static const struct ata_port_operations
23544 * pio_mask as well.
23547 -static struct ata_port_operations simple_port_ops = {
23548 +static const struct ata_port_operations simple_port_ops = {
23549 .inherits = &legacy_base_port_ops,
23550 .sff_data_xfer = ata_sff_data_xfer_noirq,
23553 -static struct ata_port_operations legacy_port_ops = {
23554 +static const struct ata_port_operations legacy_port_ops = {
23555 .inherits = &legacy_base_port_ops,
23556 .sff_data_xfer = ata_sff_data_xfer_noirq,
23557 .set_mode = legacy_set_mode,
23558 @@ -340,7 +340,7 @@ static unsigned int pdc_data_xfer_vlb(st
23562 -static struct ata_port_operations pdc20230_port_ops = {
23563 +static const struct ata_port_operations pdc20230_port_ops = {
23564 .inherits = &legacy_base_port_ops,
23565 .set_piomode = pdc20230_set_piomode,
23566 .sff_data_xfer = pdc_data_xfer_vlb,
23567 @@ -373,7 +373,7 @@ static void ht6560a_set_piomode(struct a
23568 ioread8(ap->ioaddr.status_addr);
23571 -static struct ata_port_operations ht6560a_port_ops = {
23572 +static const struct ata_port_operations ht6560a_port_ops = {
23573 .inherits = &legacy_base_port_ops,
23574 .set_piomode = ht6560a_set_piomode,
23576 @@ -416,7 +416,7 @@ static void ht6560b_set_piomode(struct a
23577 ioread8(ap->ioaddr.status_addr);
23580 -static struct ata_port_operations ht6560b_port_ops = {
23581 +static const struct ata_port_operations ht6560b_port_ops = {
23582 .inherits = &legacy_base_port_ops,
23583 .set_piomode = ht6560b_set_piomode,
23585 @@ -515,7 +515,7 @@ static void opti82c611a_set_piomode(stru
23589 -static struct ata_port_operations opti82c611a_port_ops = {
23590 +static const struct ata_port_operations opti82c611a_port_ops = {
23591 .inherits = &legacy_base_port_ops,
23592 .set_piomode = opti82c611a_set_piomode,
23594 @@ -625,7 +625,7 @@ static unsigned int opti82c46x_qc_issue(
23595 return ata_sff_qc_issue(qc);
23598 -static struct ata_port_operations opti82c46x_port_ops = {
23599 +static const struct ata_port_operations opti82c46x_port_ops = {
23600 .inherits = &legacy_base_port_ops,
23601 .set_piomode = opti82c46x_set_piomode,
23602 .qc_issue = opti82c46x_qc_issue,
23603 @@ -787,20 +787,20 @@ static int qdi_port(struct platform_devi
23607 -static struct ata_port_operations qdi6500_port_ops = {
23608 +static const struct ata_port_operations qdi6500_port_ops = {
23609 .inherits = &legacy_base_port_ops,
23610 .set_piomode = qdi6500_set_piomode,
23611 .qc_issue = qdi_qc_issue,
23612 .sff_data_xfer = vlb32_data_xfer,
23615 -static struct ata_port_operations qdi6580_port_ops = {
23616 +static const struct ata_port_operations qdi6580_port_ops = {
23617 .inherits = &legacy_base_port_ops,
23618 .set_piomode = qdi6580_set_piomode,
23619 .sff_data_xfer = vlb32_data_xfer,
23622 -static struct ata_port_operations qdi6580dp_port_ops = {
23623 +static const struct ata_port_operations qdi6580dp_port_ops = {
23624 .inherits = &legacy_base_port_ops,
23625 .set_piomode = qdi6580dp_set_piomode,
23626 .qc_issue = qdi_qc_issue,
23627 @@ -872,7 +872,7 @@ static int winbond_port(struct platform_
23631 -static struct ata_port_operations winbond_port_ops = {
23632 +static const struct ata_port_operations winbond_port_ops = {
23633 .inherits = &legacy_base_port_ops,
23634 .set_piomode = winbond_set_piomode,
23635 .sff_data_xfer = vlb32_data_xfer,
23636 @@ -995,7 +995,7 @@ static __init int legacy_init_one(struct
23637 int pio_modes = controller->pio_mask;
23638 unsigned long io = probe->port;
23639 u32 mask = (1 << probe->slot);
23640 - struct ata_port_operations *ops = controller->ops;
23641 + const struct ata_port_operations *ops = controller->ops;
23642 struct legacy_data *ld = &legacy_data[probe->slot];
23643 struct ata_host *host = NULL;
23644 struct ata_port *ap;
23645 diff -urNp linux-2.6.38.6/drivers/ata/pata_macio.c linux-2.6.38.6/drivers/ata/pata_macio.c
23646 --- linux-2.6.38.6/drivers/ata/pata_macio.c 2011-03-14 21:20:32.000000000 -0400
23647 +++ linux-2.6.38.6/drivers/ata/pata_macio.c 2011-04-28 19:34:15.000000000 -0400
23648 @@ -918,9 +918,8 @@ static struct scsi_host_template pata_ma
23649 .slave_configure = pata_macio_slave_config,
23652 -static struct ata_port_operations pata_macio_ops = {
23653 +static const struct ata_port_operations pata_macio_ops = {
23654 .inherits = &ata_bmdma_port_ops,
23656 .freeze = pata_macio_freeze,
23657 .set_piomode = pata_macio_set_timings,
23658 .set_dmamode = pata_macio_set_timings,
23659 diff -urNp linux-2.6.38.6/drivers/ata/pata_marvell.c linux-2.6.38.6/drivers/ata/pata_marvell.c
23660 --- linux-2.6.38.6/drivers/ata/pata_marvell.c 2011-03-14 21:20:32.000000000 -0400
23661 +++ linux-2.6.38.6/drivers/ata/pata_marvell.c 2011-04-28 19:34:15.000000000 -0400
23662 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
23663 ATA_BMDMA_SHT(DRV_NAME),
23666 -static struct ata_port_operations marvell_ops = {
23667 +static const struct ata_port_operations marvell_ops = {
23668 .inherits = &ata_bmdma_port_ops,
23669 .cable_detect = marvell_cable_detect,
23670 .prereset = marvell_pre_reset,
23671 diff -urNp linux-2.6.38.6/drivers/ata/pata_mpc52xx.c linux-2.6.38.6/drivers/ata/pata_mpc52xx.c
23672 --- linux-2.6.38.6/drivers/ata/pata_mpc52xx.c 2011-03-14 21:20:32.000000000 -0400
23673 +++ linux-2.6.38.6/drivers/ata/pata_mpc52xx.c 2011-04-28 19:34:15.000000000 -0400
23674 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
23675 ATA_PIO_SHT(DRV_NAME),
23678 -static struct ata_port_operations mpc52xx_ata_port_ops = {
23679 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
23680 .inherits = &ata_bmdma_port_ops,
23681 .sff_dev_select = mpc52xx_ata_dev_select,
23682 .set_piomode = mpc52xx_ata_set_piomode,
23683 diff -urNp linux-2.6.38.6/drivers/ata/pata_mpiix.c linux-2.6.38.6/drivers/ata/pata_mpiix.c
23684 --- linux-2.6.38.6/drivers/ata/pata_mpiix.c 2011-03-14 21:20:32.000000000 -0400
23685 +++ linux-2.6.38.6/drivers/ata/pata_mpiix.c 2011-04-28 19:34:15.000000000 -0400
23686 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
23687 ATA_PIO_SHT(DRV_NAME),
23690 -static struct ata_port_operations mpiix_port_ops = {
23691 +static const struct ata_port_operations mpiix_port_ops = {
23692 .inherits = &ata_sff_port_ops,
23693 .qc_issue = mpiix_qc_issue,
23694 .cable_detect = ata_cable_40wire,
23695 diff -urNp linux-2.6.38.6/drivers/ata/pata_netcell.c linux-2.6.38.6/drivers/ata/pata_netcell.c
23696 --- linux-2.6.38.6/drivers/ata/pata_netcell.c 2011-03-14 21:20:32.000000000 -0400
23697 +++ linux-2.6.38.6/drivers/ata/pata_netcell.c 2011-04-28 19:34:15.000000000 -0400
23698 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
23699 ATA_BMDMA_SHT(DRV_NAME),
23702 -static struct ata_port_operations netcell_ops = {
23703 +static const struct ata_port_operations netcell_ops = {
23704 .inherits = &ata_bmdma_port_ops,
23705 .cable_detect = ata_cable_80wire,
23706 .read_id = netcell_read_id,
23707 diff -urNp linux-2.6.38.6/drivers/ata/pata_ninja32.c linux-2.6.38.6/drivers/ata/pata_ninja32.c
23708 --- linux-2.6.38.6/drivers/ata/pata_ninja32.c 2011-03-14 21:20:32.000000000 -0400
23709 +++ linux-2.6.38.6/drivers/ata/pata_ninja32.c 2011-04-28 19:34:15.000000000 -0400
23710 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
23711 ATA_BMDMA_SHT(DRV_NAME),
23714 -static struct ata_port_operations ninja32_port_ops = {
23715 +static const struct ata_port_operations ninja32_port_ops = {
23716 .inherits = &ata_bmdma_port_ops,
23717 .sff_dev_select = ninja32_dev_select,
23718 .cable_detect = ata_cable_40wire,
23719 diff -urNp linux-2.6.38.6/drivers/ata/pata_ns87410.c linux-2.6.38.6/drivers/ata/pata_ns87410.c
23720 --- linux-2.6.38.6/drivers/ata/pata_ns87410.c 2011-03-14 21:20:32.000000000 -0400
23721 +++ linux-2.6.38.6/drivers/ata/pata_ns87410.c 2011-04-28 19:34:15.000000000 -0400
23722 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
23723 ATA_PIO_SHT(DRV_NAME),
23726 -static struct ata_port_operations ns87410_port_ops = {
23727 +static const struct ata_port_operations ns87410_port_ops = {
23728 .inherits = &ata_sff_port_ops,
23729 .qc_issue = ns87410_qc_issue,
23730 .cable_detect = ata_cable_40wire,
23731 diff -urNp linux-2.6.38.6/drivers/ata/pata_ns87415.c linux-2.6.38.6/drivers/ata/pata_ns87415.c
23732 --- linux-2.6.38.6/drivers/ata/pata_ns87415.c 2011-03-14 21:20:32.000000000 -0400
23733 +++ linux-2.6.38.6/drivers/ata/pata_ns87415.c 2011-04-28 19:34:15.000000000 -0400
23734 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
23736 #endif /* 87560 SuperIO Support */
23738 -static struct ata_port_operations ns87415_pata_ops = {
23739 +static const struct ata_port_operations ns87415_pata_ops = {
23740 .inherits = &ata_bmdma_port_ops,
23742 .check_atapi_dma = ns87415_check_atapi_dma,
23743 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
23746 #if defined(CONFIG_SUPERIO)
23747 -static struct ata_port_operations ns87560_pata_ops = {
23748 +static const struct ata_port_operations ns87560_pata_ops = {
23749 .inherits = &ns87415_pata_ops,
23750 .sff_tf_read = ns87560_tf_read,
23751 .sff_check_status = ns87560_check_status,
23752 diff -urNp linux-2.6.38.6/drivers/ata/pata_octeon_cf.c linux-2.6.38.6/drivers/ata/pata_octeon_cf.c
23753 --- linux-2.6.38.6/drivers/ata/pata_octeon_cf.c 2011-03-14 21:20:32.000000000 -0400
23754 +++ linux-2.6.38.6/drivers/ata/pata_octeon_cf.c 2011-04-28 19:34:15.000000000 -0400
23755 @@ -780,7 +780,7 @@ static unsigned int octeon_cf_qc_issue(s
23759 -static struct ata_port_operations octeon_cf_ops = {
23760 +static struct ata_port_operations octeon_cf_ops = { /* cannot be const */
23761 .inherits = &ata_sff_port_ops,
23762 .check_atapi_dma = octeon_cf_check_atapi_dma,
23763 .qc_prep = ata_noop_qc_prep,
23764 diff -urNp linux-2.6.38.6/drivers/ata/pata_oldpiix.c linux-2.6.38.6/drivers/ata/pata_oldpiix.c
23765 --- linux-2.6.38.6/drivers/ata/pata_oldpiix.c 2011-03-14 21:20:32.000000000 -0400
23766 +++ linux-2.6.38.6/drivers/ata/pata_oldpiix.c 2011-04-28 19:34:15.000000000 -0400
23767 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
23768 ATA_BMDMA_SHT(DRV_NAME),
23771 -static struct ata_port_operations oldpiix_pata_ops = {
23772 +static const struct ata_port_operations oldpiix_pata_ops = {
23773 .inherits = &ata_bmdma_port_ops,
23774 .qc_issue = oldpiix_qc_issue,
23775 .cable_detect = ata_cable_40wire,
23776 diff -urNp linux-2.6.38.6/drivers/ata/pata_opti.c linux-2.6.38.6/drivers/ata/pata_opti.c
23777 --- linux-2.6.38.6/drivers/ata/pata_opti.c 2011-03-14 21:20:32.000000000 -0400
23778 +++ linux-2.6.38.6/drivers/ata/pata_opti.c 2011-04-28 19:34:15.000000000 -0400
23779 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
23780 ATA_PIO_SHT(DRV_NAME),
23783 -static struct ata_port_operations opti_port_ops = {
23784 +static const struct ata_port_operations opti_port_ops = {
23785 .inherits = &ata_sff_port_ops,
23786 .cable_detect = ata_cable_40wire,
23787 .set_piomode = opti_set_piomode,
23788 diff -urNp linux-2.6.38.6/drivers/ata/pata_optidma.c linux-2.6.38.6/drivers/ata/pata_optidma.c
23789 --- linux-2.6.38.6/drivers/ata/pata_optidma.c 2011-03-14 21:20:32.000000000 -0400
23790 +++ linux-2.6.38.6/drivers/ata/pata_optidma.c 2011-04-28 19:34:15.000000000 -0400
23791 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
23792 ATA_BMDMA_SHT(DRV_NAME),
23795 -static struct ata_port_operations optidma_port_ops = {
23796 +static const struct ata_port_operations optidma_port_ops = {
23797 .inherits = &ata_bmdma_port_ops,
23798 .cable_detect = ata_cable_40wire,
23799 .set_piomode = optidma_set_pio_mode,
23800 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
23801 .prereset = optidma_pre_reset,
23804 -static struct ata_port_operations optiplus_port_ops = {
23805 +static const struct ata_port_operations optiplus_port_ops = {
23806 .inherits = &optidma_port_ops,
23807 .set_piomode = optiplus_set_pio_mode,
23808 .set_dmamode = optiplus_set_dma_mode,
23809 diff -urNp linux-2.6.38.6/drivers/ata/pata_palmld.c linux-2.6.38.6/drivers/ata/pata_palmld.c
23810 --- linux-2.6.38.6/drivers/ata/pata_palmld.c 2011-03-14 21:20:32.000000000 -0400
23811 +++ linux-2.6.38.6/drivers/ata/pata_palmld.c 2011-04-28 19:34:15.000000000 -0400
23812 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
23813 ATA_PIO_SHT(DRV_NAME),
23816 -static struct ata_port_operations palmld_port_ops = {
23817 +static const struct ata_port_operations palmld_port_ops = {
23818 .inherits = &ata_sff_port_ops,
23819 .sff_data_xfer = ata_sff_data_xfer_noirq,
23820 .cable_detect = ata_cable_40wire,
23821 diff -urNp linux-2.6.38.6/drivers/ata/pata_pcmcia.c linux-2.6.38.6/drivers/ata/pata_pcmcia.c
23822 --- linux-2.6.38.6/drivers/ata/pata_pcmcia.c 2011-03-14 21:20:32.000000000 -0400
23823 +++ linux-2.6.38.6/drivers/ata/pata_pcmcia.c 2011-04-28 19:34:15.000000000 -0400
23824 @@ -151,14 +151,14 @@ static struct scsi_host_template pcmcia_
23825 ATA_PIO_SHT(DRV_NAME),
23828 -static struct ata_port_operations pcmcia_port_ops = {
23829 +static const struct ata_port_operations pcmcia_port_ops = {
23830 .inherits = &ata_sff_port_ops,
23831 .sff_data_xfer = ata_sff_data_xfer_noirq,
23832 .cable_detect = ata_cable_40wire,
23833 .set_mode = pcmcia_set_mode,
23836 -static struct ata_port_operations pcmcia_8bit_port_ops = {
23837 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
23838 .inherits = &ata_sff_port_ops,
23839 .sff_data_xfer = ata_data_xfer_8bit,
23840 .cable_detect = ata_cable_40wire,
23841 @@ -205,7 +205,7 @@ static int pcmcia_init_one(struct pcmcia
23842 unsigned long io_base, ctl_base;
23843 void __iomem *io_addr, *ctl_addr;
23845 - struct ata_port_operations *ops = &pcmcia_port_ops;
23846 + const struct ata_port_operations *ops = &pcmcia_port_ops;
23848 /* Set up attributes in order to probe card and get resources */
23849 pdev->config_flags |= CONF_ENABLE_IRQ | CONF_AUTO_SET_IO |
23850 diff -urNp linux-2.6.38.6/drivers/ata/pata_pdc2027x.c linux-2.6.38.6/drivers/ata/pata_pdc2027x.c
23851 --- linux-2.6.38.6/drivers/ata/pata_pdc2027x.c 2011-03-14 21:20:32.000000000 -0400
23852 +++ linux-2.6.38.6/drivers/ata/pata_pdc2027x.c 2011-04-28 19:34:15.000000000 -0400
23853 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
23854 ATA_BMDMA_SHT(DRV_NAME),
23857 -static struct ata_port_operations pdc2027x_pata100_ops = {
23858 +static const struct ata_port_operations pdc2027x_pata100_ops = {
23859 .inherits = &ata_bmdma_port_ops,
23860 .check_atapi_dma = pdc2027x_check_atapi_dma,
23861 .cable_detect = pdc2027x_cable_detect,
23862 .prereset = pdc2027x_prereset,
23865 -static struct ata_port_operations pdc2027x_pata133_ops = {
23866 +static const struct ata_port_operations pdc2027x_pata133_ops = {
23867 .inherits = &pdc2027x_pata100_ops,
23868 .mode_filter = pdc2027x_mode_filter,
23869 .set_piomode = pdc2027x_set_piomode,
23870 diff -urNp linux-2.6.38.6/drivers/ata/pata_pdc202xx_old.c linux-2.6.38.6/drivers/ata/pata_pdc202xx_old.c
23871 --- linux-2.6.38.6/drivers/ata/pata_pdc202xx_old.c 2011-03-14 21:20:32.000000000 -0400
23872 +++ linux-2.6.38.6/drivers/ata/pata_pdc202xx_old.c 2011-04-28 19:34:15.000000000 -0400
23873 @@ -295,7 +295,7 @@ static struct scsi_host_template pdc202x
23874 ATA_BMDMA_SHT(DRV_NAME),
23877 -static struct ata_port_operations pdc2024x_port_ops = {
23878 +static const struct ata_port_operations pdc2024x_port_ops = {
23879 .inherits = &ata_bmdma_port_ops,
23881 .cable_detect = ata_cable_40wire,
23882 @@ -306,7 +306,7 @@ static struct ata_port_operations pdc202
23883 .sff_irq_check = pdc202xx_irq_check,
23886 -static struct ata_port_operations pdc2026x_port_ops = {
23887 +static const struct ata_port_operations pdc2026x_port_ops = {
23888 .inherits = &pdc2024x_port_ops,
23890 .check_atapi_dma = pdc2026x_check_atapi_dma,
23891 diff -urNp linux-2.6.38.6/drivers/ata/pata_piccolo.c linux-2.6.38.6/drivers/ata/pata_piccolo.c
23892 --- linux-2.6.38.6/drivers/ata/pata_piccolo.c 2011-03-14 21:20:32.000000000 -0400
23893 +++ linux-2.6.38.6/drivers/ata/pata_piccolo.c 2011-04-28 19:34:15.000000000 -0400
23894 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
23895 ATA_BMDMA_SHT(DRV_NAME),
23898 -static struct ata_port_operations tosh_port_ops = {
23899 +static const struct ata_port_operations tosh_port_ops = {
23900 .inherits = &ata_bmdma_port_ops,
23901 .cable_detect = ata_cable_unknown,
23902 .set_piomode = tosh_set_piomode,
23903 diff -urNp linux-2.6.38.6/drivers/ata/pata_platform.c linux-2.6.38.6/drivers/ata/pata_platform.c
23904 --- linux-2.6.38.6/drivers/ata/pata_platform.c 2011-03-14 21:20:32.000000000 -0400
23905 +++ linux-2.6.38.6/drivers/ata/pata_platform.c 2011-04-28 19:34:15.000000000 -0400
23906 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
23907 ATA_PIO_SHT(DRV_NAME),
23910 -static struct ata_port_operations pata_platform_port_ops = {
23911 +static const struct ata_port_operations pata_platform_port_ops = {
23912 .inherits = &ata_sff_port_ops,
23913 .sff_data_xfer = ata_sff_data_xfer_noirq,
23914 .cable_detect = ata_cable_unknown,
23915 diff -urNp linux-2.6.38.6/drivers/ata/pata_pxa.c linux-2.6.38.6/drivers/ata/pata_pxa.c
23916 --- linux-2.6.38.6/drivers/ata/pata_pxa.c 2011-03-14 21:20:32.000000000 -0400
23917 +++ linux-2.6.38.6/drivers/ata/pata_pxa.c 2011-04-28 19:34:15.000000000 -0400
23918 @@ -198,7 +198,7 @@ static struct scsi_host_template pxa_ata
23919 ATA_BMDMA_SHT(DRV_NAME),
23922 -static struct ata_port_operations pxa_ata_port_ops = {
23923 +static const struct ata_port_operations pxa_ata_port_ops = {
23924 .inherits = &ata_bmdma_port_ops,
23925 .cable_detect = ata_cable_40wire,
23927 diff -urNp linux-2.6.38.6/drivers/ata/pata_qdi.c linux-2.6.38.6/drivers/ata/pata_qdi.c
23928 --- linux-2.6.38.6/drivers/ata/pata_qdi.c 2011-03-14 21:20:32.000000000 -0400
23929 +++ linux-2.6.38.6/drivers/ata/pata_qdi.c 2011-04-28 19:34:15.000000000 -0400
23930 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
23931 ATA_PIO_SHT(DRV_NAME),
23934 -static struct ata_port_operations qdi6500_port_ops = {
23935 +static const struct ata_port_operations qdi6500_port_ops = {
23936 .inherits = &ata_sff_port_ops,
23937 .qc_issue = qdi_qc_issue,
23938 .sff_data_xfer = qdi_data_xfer,
23939 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
23940 .set_piomode = qdi6500_set_piomode,
23943 -static struct ata_port_operations qdi6580_port_ops = {
23944 +static const struct ata_port_operations qdi6580_port_ops = {
23945 .inherits = &qdi6500_port_ops,
23946 .set_piomode = qdi6580_set_piomode,
23948 diff -urNp linux-2.6.38.6/drivers/ata/pata_radisys.c linux-2.6.38.6/drivers/ata/pata_radisys.c
23949 --- linux-2.6.38.6/drivers/ata/pata_radisys.c 2011-03-14 21:20:32.000000000 -0400
23950 +++ linux-2.6.38.6/drivers/ata/pata_radisys.c 2011-04-28 19:34:15.000000000 -0400
23951 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
23952 ATA_BMDMA_SHT(DRV_NAME),
23955 -static struct ata_port_operations radisys_pata_ops = {
23956 +static const struct ata_port_operations radisys_pata_ops = {
23957 .inherits = &ata_bmdma_port_ops,
23958 .qc_issue = radisys_qc_issue,
23959 .cable_detect = ata_cable_unknown,
23960 diff -urNp linux-2.6.38.6/drivers/ata/pata_rb532_cf.c linux-2.6.38.6/drivers/ata/pata_rb532_cf.c
23961 --- linux-2.6.38.6/drivers/ata/pata_rb532_cf.c 2011-03-14 21:20:32.000000000 -0400
23962 +++ linux-2.6.38.6/drivers/ata/pata_rb532_cf.c 2011-04-28 19:34:15.000000000 -0400
23963 @@ -69,7 +69,7 @@ static irqreturn_t rb532_pata_irq_handle
23964 return IRQ_HANDLED;
23967 -static struct ata_port_operations rb532_pata_port_ops = {
23968 +static const struct ata_port_operations rb532_pata_port_ops = {
23969 .inherits = &ata_sff_port_ops,
23970 .sff_data_xfer = ata_sff_data_xfer32,
23972 diff -urNp linux-2.6.38.6/drivers/ata/pata_rdc.c linux-2.6.38.6/drivers/ata/pata_rdc.c
23973 --- linux-2.6.38.6/drivers/ata/pata_rdc.c 2011-03-14 21:20:32.000000000 -0400
23974 +++ linux-2.6.38.6/drivers/ata/pata_rdc.c 2011-04-28 19:34:15.000000000 -0400
23975 @@ -273,7 +273,7 @@ static void rdc_set_dmamode(struct ata_p
23976 pci_write_config_byte(dev, 0x48, udma_enable);
23979 -static struct ata_port_operations rdc_pata_ops = {
23980 +static const struct ata_port_operations rdc_pata_ops = {
23981 .inherits = &ata_bmdma32_port_ops,
23982 .cable_detect = rdc_pata_cable_detect,
23983 .set_piomode = rdc_set_piomode,
23984 diff -urNp linux-2.6.38.6/drivers/ata/pata_rz1000.c linux-2.6.38.6/drivers/ata/pata_rz1000.c
23985 --- linux-2.6.38.6/drivers/ata/pata_rz1000.c 2011-03-14 21:20:32.000000000 -0400
23986 +++ linux-2.6.38.6/drivers/ata/pata_rz1000.c 2011-04-28 19:34:15.000000000 -0400
23987 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
23988 ATA_PIO_SHT(DRV_NAME),
23991 -static struct ata_port_operations rz1000_port_ops = {
23992 +static const struct ata_port_operations rz1000_port_ops = {
23993 .inherits = &ata_sff_port_ops,
23994 .cable_detect = ata_cable_40wire,
23995 .set_mode = rz1000_set_mode,
23996 diff -urNp linux-2.6.38.6/drivers/ata/pata_samsung_cf.c linux-2.6.38.6/drivers/ata/pata_samsung_cf.c
23997 --- linux-2.6.38.6/drivers/ata/pata_samsung_cf.c 2011-03-14 21:20:32.000000000 -0400
23998 +++ linux-2.6.38.6/drivers/ata/pata_samsung_cf.c 2011-04-28 19:34:15.000000000 -0400
23999 @@ -399,7 +399,7 @@ static struct scsi_host_template pata_s3
24000 ATA_PIO_SHT(DRV_NAME),
24003 -static struct ata_port_operations pata_s3c_port_ops = {
24004 +static const struct ata_port_operations pata_s3c_port_ops = {
24005 .inherits = &ata_sff_port_ops,
24006 .sff_check_status = pata_s3c_check_status,
24007 .sff_check_altstatus = pata_s3c_check_altstatus,
24008 @@ -413,7 +413,7 @@ static struct ata_port_operations pata_s
24009 .set_piomode = pata_s3c_set_piomode,
24012 -static struct ata_port_operations pata_s5p_port_ops = {
24013 +static const struct ata_port_operations pata_s5p_port_ops = {
24014 .inherits = &ata_sff_port_ops,
24015 .set_piomode = pata_s3c_set_piomode,
24017 diff -urNp linux-2.6.38.6/drivers/ata/pata_sc1200.c linux-2.6.38.6/drivers/ata/pata_sc1200.c
24018 --- linux-2.6.38.6/drivers/ata/pata_sc1200.c 2011-03-14 21:20:32.000000000 -0400
24019 +++ linux-2.6.38.6/drivers/ata/pata_sc1200.c 2011-04-28 19:34:15.000000000 -0400
24020 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
24021 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
24024 -static struct ata_port_operations sc1200_port_ops = {
24025 +static const struct ata_port_operations sc1200_port_ops = {
24026 .inherits = &ata_bmdma_port_ops,
24027 .qc_prep = ata_bmdma_dumb_qc_prep,
24028 .qc_issue = sc1200_qc_issue,
24029 diff -urNp linux-2.6.38.6/drivers/ata/pata_scc.c linux-2.6.38.6/drivers/ata/pata_scc.c
24030 --- linux-2.6.38.6/drivers/ata/pata_scc.c 2011-03-14 21:20:32.000000000 -0400
24031 +++ linux-2.6.38.6/drivers/ata/pata_scc.c 2011-04-28 19:34:15.000000000 -0400
24032 @@ -926,7 +926,7 @@ static struct scsi_host_template scc_sht
24033 ATA_BMDMA_SHT(DRV_NAME),
24036 -static struct ata_port_operations scc_pata_ops = {
24037 +static const struct ata_port_operations scc_pata_ops = {
24038 .inherits = &ata_bmdma_port_ops,
24040 .set_piomode = scc_set_piomode,
24041 diff -urNp linux-2.6.38.6/drivers/ata/pata_sch.c linux-2.6.38.6/drivers/ata/pata_sch.c
24042 --- linux-2.6.38.6/drivers/ata/pata_sch.c 2011-03-14 21:20:32.000000000 -0400
24043 +++ linux-2.6.38.6/drivers/ata/pata_sch.c 2011-04-28 19:34:15.000000000 -0400
24044 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
24045 ATA_BMDMA_SHT(DRV_NAME),
24048 -static struct ata_port_operations sch_pata_ops = {
24049 +static const struct ata_port_operations sch_pata_ops = {
24050 .inherits = &ata_bmdma_port_ops,
24051 .cable_detect = ata_cable_unknown,
24052 .set_piomode = sch_set_piomode,
24053 diff -urNp linux-2.6.38.6/drivers/ata/pata_serverworks.c linux-2.6.38.6/drivers/ata/pata_serverworks.c
24054 --- linux-2.6.38.6/drivers/ata/pata_serverworks.c 2011-03-14 21:20:32.000000000 -0400
24055 +++ linux-2.6.38.6/drivers/ata/pata_serverworks.c 2011-04-28 19:34:15.000000000 -0400
24056 @@ -300,7 +300,7 @@ static struct scsi_host_template serverw
24057 ATA_BMDMA_SHT(DRV_NAME),
24060 -static struct ata_port_operations serverworks_osb4_port_ops = {
24061 +static const struct ata_port_operations serverworks_osb4_port_ops = {
24062 .inherits = &ata_bmdma_port_ops,
24063 .cable_detect = serverworks_cable_detect,
24064 .mode_filter = serverworks_osb4_filter,
24065 @@ -308,7 +308,7 @@ static struct ata_port_operations server
24066 .set_dmamode = serverworks_set_dmamode,
24069 -static struct ata_port_operations serverworks_csb_port_ops = {
24070 +static const struct ata_port_operations serverworks_csb_port_ops = {
24071 .inherits = &serverworks_osb4_port_ops,
24072 .mode_filter = serverworks_csb_filter,
24074 diff -urNp linux-2.6.38.6/drivers/ata/pata_sil680.c linux-2.6.38.6/drivers/ata/pata_sil680.c
24075 --- linux-2.6.38.6/drivers/ata/pata_sil680.c 2011-03-14 21:20:32.000000000 -0400
24076 +++ linux-2.6.38.6/drivers/ata/pata_sil680.c 2011-04-28 19:34:15.000000000 -0400
24077 @@ -225,8 +225,7 @@ static struct scsi_host_template sil680_
24078 ATA_BMDMA_SHT(DRV_NAME),
24082 -static struct ata_port_operations sil680_port_ops = {
24083 +static const struct ata_port_operations sil680_port_ops = {
24084 .inherits = &ata_bmdma32_port_ops,
24085 .sff_exec_command = sil680_sff_exec_command,
24086 .sff_irq_check = sil680_sff_irq_check,
24087 diff -urNp linux-2.6.38.6/drivers/ata/pata_sis.c linux-2.6.38.6/drivers/ata/pata_sis.c
24088 --- linux-2.6.38.6/drivers/ata/pata_sis.c 2011-03-14 21:20:32.000000000 -0400
24089 +++ linux-2.6.38.6/drivers/ata/pata_sis.c 2011-04-28 19:34:15.000000000 -0400
24090 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
24091 ATA_BMDMA_SHT(DRV_NAME),
24094 -static struct ata_port_operations sis_133_for_sata_ops = {
24095 +static const struct ata_port_operations sis_133_for_sata_ops = {
24096 .inherits = &ata_bmdma_port_ops,
24097 .set_piomode = sis_133_set_piomode,
24098 .set_dmamode = sis_133_set_dmamode,
24099 .cable_detect = sis_133_cable_detect,
24102 -static struct ata_port_operations sis_base_ops = {
24103 +static const struct ata_port_operations sis_base_ops = {
24104 .inherits = &ata_bmdma_port_ops,
24105 .prereset = sis_pre_reset,
24108 -static struct ata_port_operations sis_133_ops = {
24109 +static const struct ata_port_operations sis_133_ops = {
24110 .inherits = &sis_base_ops,
24111 .set_piomode = sis_133_set_piomode,
24112 .set_dmamode = sis_133_set_dmamode,
24113 .cable_detect = sis_133_cable_detect,
24116 -static struct ata_port_operations sis_133_early_ops = {
24117 +static const struct ata_port_operations sis_133_early_ops = {
24118 .inherits = &sis_base_ops,
24119 .set_piomode = sis_100_set_piomode,
24120 .set_dmamode = sis_133_early_set_dmamode,
24121 .cable_detect = sis_66_cable_detect,
24124 -static struct ata_port_operations sis_100_ops = {
24125 +static const struct ata_port_operations sis_100_ops = {
24126 .inherits = &sis_base_ops,
24127 .set_piomode = sis_100_set_piomode,
24128 .set_dmamode = sis_100_set_dmamode,
24129 .cable_detect = sis_66_cable_detect,
24132 -static struct ata_port_operations sis_66_ops = {
24133 +static const struct ata_port_operations sis_66_ops = {
24134 .inherits = &sis_base_ops,
24135 .set_piomode = sis_old_set_piomode,
24136 .set_dmamode = sis_66_set_dmamode,
24137 .cable_detect = sis_66_cable_detect,
24140 -static struct ata_port_operations sis_old_ops = {
24141 +static const struct ata_port_operations sis_old_ops = {
24142 .inherits = &sis_base_ops,
24143 .set_piomode = sis_old_set_piomode,
24144 .set_dmamode = sis_old_set_dmamode,
24145 diff -urNp linux-2.6.38.6/drivers/ata/pata_sl82c105.c linux-2.6.38.6/drivers/ata/pata_sl82c105.c
24146 --- linux-2.6.38.6/drivers/ata/pata_sl82c105.c 2011-03-14 21:20:32.000000000 -0400
24147 +++ linux-2.6.38.6/drivers/ata/pata_sl82c105.c 2011-04-28 19:34:15.000000000 -0400
24148 @@ -241,7 +241,7 @@ static struct scsi_host_template sl82c10
24149 ATA_BMDMA_SHT(DRV_NAME),
24152 -static struct ata_port_operations sl82c105_port_ops = {
24153 +static const struct ata_port_operations sl82c105_port_ops = {
24154 .inherits = &ata_bmdma_port_ops,
24155 .qc_defer = sl82c105_qc_defer,
24156 .bmdma_start = sl82c105_bmdma_start,
24157 diff -urNp linux-2.6.38.6/drivers/ata/pata_triflex.c linux-2.6.38.6/drivers/ata/pata_triflex.c
24158 --- linux-2.6.38.6/drivers/ata/pata_triflex.c 2011-03-14 21:20:32.000000000 -0400
24159 +++ linux-2.6.38.6/drivers/ata/pata_triflex.c 2011-04-28 19:34:15.000000000 -0400
24160 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
24161 ATA_BMDMA_SHT(DRV_NAME),
24164 -static struct ata_port_operations triflex_port_ops = {
24165 +static const struct ata_port_operations triflex_port_ops = {
24166 .inherits = &ata_bmdma_port_ops,
24167 .bmdma_start = triflex_bmdma_start,
24168 .bmdma_stop = triflex_bmdma_stop,
24169 diff -urNp linux-2.6.38.6/drivers/ata/pata_via.c linux-2.6.38.6/drivers/ata/pata_via.c
24170 --- linux-2.6.38.6/drivers/ata/pata_via.c 2011-03-14 21:20:32.000000000 -0400
24171 +++ linux-2.6.38.6/drivers/ata/pata_via.c 2011-04-28 19:34:15.000000000 -0400
24172 @@ -441,7 +441,7 @@ static struct scsi_host_template via_sht
24173 ATA_BMDMA_SHT(DRV_NAME),
24176 -static struct ata_port_operations via_port_ops = {
24177 +static const struct ata_port_operations via_port_ops = {
24178 .inherits = &ata_bmdma_port_ops,
24179 .cable_detect = via_cable_detect,
24180 .set_piomode = via_set_piomode,
24181 @@ -452,7 +452,7 @@ static struct ata_port_operations via_po
24182 .mode_filter = via_mode_filter,
24185 -static struct ata_port_operations via_port_ops_noirq = {
24186 +static const struct ata_port_operations via_port_ops_noirq = {
24187 .inherits = &via_port_ops,
24188 .sff_data_xfer = ata_sff_data_xfer_noirq,
24190 diff -urNp linux-2.6.38.6/drivers/ata/pdc_adma.c linux-2.6.38.6/drivers/ata/pdc_adma.c
24191 --- linux-2.6.38.6/drivers/ata/pdc_adma.c 2011-03-14 21:20:32.000000000 -0400
24192 +++ linux-2.6.38.6/drivers/ata/pdc_adma.c 2011-04-28 19:34:15.000000000 -0400
24193 @@ -146,7 +146,7 @@ static struct scsi_host_template adma_at
24194 .dma_boundary = ADMA_DMA_BOUNDARY,
24197 -static struct ata_port_operations adma_ata_ops = {
24198 +static const struct ata_port_operations adma_ata_ops = {
24199 .inherits = &ata_sff_port_ops,
24201 .lost_interrupt = ATA_OP_NULL,
24202 diff -urNp linux-2.6.38.6/drivers/ata/sata_dwc_460ex.c linux-2.6.38.6/drivers/ata/sata_dwc_460ex.c
24203 --- linux-2.6.38.6/drivers/ata/sata_dwc_460ex.c 2011-03-14 21:20:32.000000000 -0400
24204 +++ linux-2.6.38.6/drivers/ata/sata_dwc_460ex.c 2011-04-28 19:34:15.000000000 -0400
24205 @@ -1560,7 +1560,7 @@ static struct scsi_host_template sata_dw
24206 .dma_boundary = ATA_DMA_BOUNDARY,
24209 -static struct ata_port_operations sata_dwc_ops = {
24210 +static const struct ata_port_operations sata_dwc_ops = {
24211 .inherits = &ata_sff_port_ops,
24213 .error_handler = sata_dwc_error_handler,
24214 diff -urNp linux-2.6.38.6/drivers/ata/sata_fsl.c linux-2.6.38.6/drivers/ata/sata_fsl.c
24215 --- linux-2.6.38.6/drivers/ata/sata_fsl.c 2011-03-14 21:20:32.000000000 -0400
24216 +++ linux-2.6.38.6/drivers/ata/sata_fsl.c 2011-04-28 19:34:15.000000000 -0400
24217 @@ -1258,7 +1258,7 @@ static struct scsi_host_template sata_fs
24218 .dma_boundary = ATA_DMA_BOUNDARY,
24221 -static struct ata_port_operations sata_fsl_ops = {
24222 +static const struct ata_port_operations sata_fsl_ops = {
24223 .inherits = &sata_pmp_port_ops,
24225 .qc_defer = ata_std_qc_defer,
24226 diff -urNp linux-2.6.38.6/drivers/ata/sata_inic162x.c linux-2.6.38.6/drivers/ata/sata_inic162x.c
24227 --- linux-2.6.38.6/drivers/ata/sata_inic162x.c 2011-03-14 21:20:32.000000000 -0400
24228 +++ linux-2.6.38.6/drivers/ata/sata_inic162x.c 2011-04-28 19:34:15.000000000 -0400
24229 @@ -705,7 +705,7 @@ static int inic_port_start(struct ata_po
24233 -static struct ata_port_operations inic_port_ops = {
24234 +static const struct ata_port_operations inic_port_ops = {
24235 .inherits = &sata_port_ops,
24237 .check_atapi_dma = inic_check_atapi_dma,
24238 diff -urNp linux-2.6.38.6/drivers/ata/sata_mv.c linux-2.6.38.6/drivers/ata/sata_mv.c
24239 --- linux-2.6.38.6/drivers/ata/sata_mv.c 2011-03-14 21:20:32.000000000 -0400
24240 +++ linux-2.6.38.6/drivers/ata/sata_mv.c 2011-04-28 19:34:15.000000000 -0400
24241 @@ -663,7 +663,7 @@ static struct scsi_host_template mv6_sht
24242 .dma_boundary = MV_DMA_BOUNDARY,
24245 -static struct ata_port_operations mv5_ops = {
24246 +static const struct ata_port_operations mv5_ops = {
24247 .inherits = &ata_sff_port_ops,
24249 .lost_interrupt = ATA_OP_NULL,
24250 @@ -683,7 +683,7 @@ static struct ata_port_operations mv5_op
24251 .port_stop = mv_port_stop,
24254 -static struct ata_port_operations mv6_ops = {
24255 +static const struct ata_port_operations mv6_ops = {
24256 .inherits = &ata_bmdma_port_ops,
24258 .lost_interrupt = ATA_OP_NULL,
24259 @@ -717,7 +717,7 @@ static struct ata_port_operations mv6_op
24260 .port_stop = mv_port_stop,
24263 -static struct ata_port_operations mv_iie_ops = {
24264 +static const struct ata_port_operations mv_iie_ops = {
24265 .inherits = &mv6_ops,
24266 .dev_config = ATA_OP_NULL,
24267 .qc_prep = mv_qc_prep_iie,
24268 diff -urNp linux-2.6.38.6/drivers/ata/sata_nv.c linux-2.6.38.6/drivers/ata/sata_nv.c
24269 --- linux-2.6.38.6/drivers/ata/sata_nv.c 2011-03-14 21:20:32.000000000 -0400
24270 +++ linux-2.6.38.6/drivers/ata/sata_nv.c 2011-04-28 19:34:15.000000000 -0400
24271 @@ -465,7 +465,7 @@ static struct scsi_host_template nv_swnc
24272 * cases. Define nv_hardreset() which only kicks in for post-boot
24273 * probing and use it for all variants.
24275 -static struct ata_port_operations nv_generic_ops = {
24276 +static const struct ata_port_operations nv_generic_ops = {
24277 .inherits = &ata_bmdma_port_ops,
24278 .lost_interrupt = ATA_OP_NULL,
24279 .scr_read = nv_scr_read,
24280 @@ -473,20 +473,20 @@ static struct ata_port_operations nv_gen
24281 .hardreset = nv_hardreset,
24284 -static struct ata_port_operations nv_nf2_ops = {
24285 +static const struct ata_port_operations nv_nf2_ops = {
24286 .inherits = &nv_generic_ops,
24287 .freeze = nv_nf2_freeze,
24288 .thaw = nv_nf2_thaw,
24291 -static struct ata_port_operations nv_ck804_ops = {
24292 +static const struct ata_port_operations nv_ck804_ops = {
24293 .inherits = &nv_generic_ops,
24294 .freeze = nv_ck804_freeze,
24295 .thaw = nv_ck804_thaw,
24296 .host_stop = nv_ck804_host_stop,
24299 -static struct ata_port_operations nv_adma_ops = {
24300 +static const struct ata_port_operations nv_adma_ops = {
24301 .inherits = &nv_ck804_ops,
24303 .check_atapi_dma = nv_adma_check_atapi_dma,
24304 @@ -510,7 +510,7 @@ static struct ata_port_operations nv_adm
24305 .host_stop = nv_adma_host_stop,
24308 -static struct ata_port_operations nv_swncq_ops = {
24309 +static const struct ata_port_operations nv_swncq_ops = {
24310 .inherits = &nv_generic_ops,
24312 .qc_defer = ata_std_qc_defer,
24313 diff -urNp linux-2.6.38.6/drivers/ata/sata_promise.c linux-2.6.38.6/drivers/ata/sata_promise.c
24314 --- linux-2.6.38.6/drivers/ata/sata_promise.c 2011-03-14 21:20:32.000000000 -0400
24315 +++ linux-2.6.38.6/drivers/ata/sata_promise.c 2011-04-28 19:34:15.000000000 -0400
24316 @@ -196,7 +196,7 @@ static const struct ata_port_operations
24317 .error_handler = pdc_error_handler,
24320 -static struct ata_port_operations pdc_sata_ops = {
24321 +static const struct ata_port_operations pdc_sata_ops = {
24322 .inherits = &pdc_common_ops,
24323 .cable_detect = pdc_sata_cable_detect,
24324 .freeze = pdc_sata_freeze,
24325 @@ -209,14 +209,14 @@ static struct ata_port_operations pdc_sa
24327 /* First-generation chips need a more restrictive ->check_atapi_dma op,
24328 and ->freeze/thaw that ignore the hotplug controls. */
24329 -static struct ata_port_operations pdc_old_sata_ops = {
24330 +static const struct ata_port_operations pdc_old_sata_ops = {
24331 .inherits = &pdc_sata_ops,
24332 .freeze = pdc_freeze,
24334 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
24337 -static struct ata_port_operations pdc_pata_ops = {
24338 +static const struct ata_port_operations pdc_pata_ops = {
24339 .inherits = &pdc_common_ops,
24340 .cable_detect = pdc_pata_cable_detect,
24341 .freeze = pdc_freeze,
24342 diff -urNp linux-2.6.38.6/drivers/ata/sata_qstor.c linux-2.6.38.6/drivers/ata/sata_qstor.c
24343 --- linux-2.6.38.6/drivers/ata/sata_qstor.c 2011-03-14 21:20:32.000000000 -0400
24344 +++ linux-2.6.38.6/drivers/ata/sata_qstor.c 2011-04-28 19:34:15.000000000 -0400
24345 @@ -131,7 +131,7 @@ static struct scsi_host_template qs_ata_
24346 .dma_boundary = QS_DMA_BOUNDARY,
24349 -static struct ata_port_operations qs_ata_ops = {
24350 +static const struct ata_port_operations qs_ata_ops = {
24351 .inherits = &ata_sff_port_ops,
24353 .check_atapi_dma = qs_check_atapi_dma,
24354 diff -urNp linux-2.6.38.6/drivers/ata/sata_sil24.c linux-2.6.38.6/drivers/ata/sata_sil24.c
24355 --- linux-2.6.38.6/drivers/ata/sata_sil24.c 2011-03-14 21:20:32.000000000 -0400
24356 +++ linux-2.6.38.6/drivers/ata/sata_sil24.c 2011-04-28 19:34:15.000000000 -0400
24357 @@ -389,7 +389,7 @@ static struct scsi_host_template sil24_s
24358 .dma_boundary = ATA_DMA_BOUNDARY,
24361 -static struct ata_port_operations sil24_ops = {
24362 +static const struct ata_port_operations sil24_ops = {
24363 .inherits = &sata_pmp_port_ops,
24365 .qc_defer = sil24_qc_defer,
24366 diff -urNp linux-2.6.38.6/drivers/ata/sata_sil.c linux-2.6.38.6/drivers/ata/sata_sil.c
24367 --- linux-2.6.38.6/drivers/ata/sata_sil.c 2011-03-14 21:20:32.000000000 -0400
24368 +++ linux-2.6.38.6/drivers/ata/sata_sil.c 2011-04-28 19:34:15.000000000 -0400
24369 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
24370 .sg_tablesize = ATA_MAX_PRD
24373 -static struct ata_port_operations sil_ops = {
24374 +static const struct ata_port_operations sil_ops = {
24375 .inherits = &ata_bmdma32_port_ops,
24376 .dev_config = sil_dev_config,
24377 .set_mode = sil_set_mode,
24378 diff -urNp linux-2.6.38.6/drivers/ata/sata_sis.c linux-2.6.38.6/drivers/ata/sata_sis.c
24379 --- linux-2.6.38.6/drivers/ata/sata_sis.c 2011-03-14 21:20:32.000000000 -0400
24380 +++ linux-2.6.38.6/drivers/ata/sata_sis.c 2011-04-28 19:34:15.000000000 -0400
24381 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
24382 ATA_BMDMA_SHT(DRV_NAME),
24385 -static struct ata_port_operations sis_ops = {
24386 +static const struct ata_port_operations sis_ops = {
24387 .inherits = &ata_bmdma_port_ops,
24388 .scr_read = sis_scr_read,
24389 .scr_write = sis_scr_write,
24390 diff -urNp linux-2.6.38.6/drivers/ata/sata_svw.c linux-2.6.38.6/drivers/ata/sata_svw.c
24391 --- linux-2.6.38.6/drivers/ata/sata_svw.c 2011-03-14 21:20:32.000000000 -0400
24392 +++ linux-2.6.38.6/drivers/ata/sata_svw.c 2011-04-28 19:34:15.000000000 -0400
24393 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
24397 -static struct ata_port_operations k2_sata_ops = {
24398 +static const struct ata_port_operations k2_sata_ops = {
24399 .inherits = &ata_bmdma_port_ops,
24400 .sff_tf_load = k2_sata_tf_load,
24401 .sff_tf_read = k2_sata_tf_read,
24402 diff -urNp linux-2.6.38.6/drivers/ata/sata_sx4.c linux-2.6.38.6/drivers/ata/sata_sx4.c
24403 --- linux-2.6.38.6/drivers/ata/sata_sx4.c 2011-03-14 21:20:32.000000000 -0400
24404 +++ linux-2.6.38.6/drivers/ata/sata_sx4.c 2011-04-28 19:34:15.000000000 -0400
24405 @@ -249,7 +249,7 @@ static struct scsi_host_template pdc_sat
24408 /* TODO: inherit from base port_ops after converting to new EH */
24409 -static struct ata_port_operations pdc_20621_ops = {
24410 +static const struct ata_port_operations pdc_20621_ops = {
24411 .inherits = &ata_sff_port_ops,
24413 .check_atapi_dma = pdc_check_atapi_dma,
24414 diff -urNp linux-2.6.38.6/drivers/ata/sata_uli.c linux-2.6.38.6/drivers/ata/sata_uli.c
24415 --- linux-2.6.38.6/drivers/ata/sata_uli.c 2011-03-14 21:20:32.000000000 -0400
24416 +++ linux-2.6.38.6/drivers/ata/sata_uli.c 2011-04-28 19:34:15.000000000 -0400
24417 @@ -80,7 +80,7 @@ static struct scsi_host_template uli_sht
24418 ATA_BMDMA_SHT(DRV_NAME),
24421 -static struct ata_port_operations uli_ops = {
24422 +static const struct ata_port_operations uli_ops = {
24423 .inherits = &ata_bmdma_port_ops,
24424 .scr_read = uli_scr_read,
24425 .scr_write = uli_scr_write,
24426 diff -urNp linux-2.6.38.6/drivers/ata/sata_via.c linux-2.6.38.6/drivers/ata/sata_via.c
24427 --- linux-2.6.38.6/drivers/ata/sata_via.c 2011-03-14 21:20:32.000000000 -0400
24428 +++ linux-2.6.38.6/drivers/ata/sata_via.c 2011-04-28 19:34:15.000000000 -0400
24429 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
24430 ATA_BMDMA_SHT(DRV_NAME),
24433 -static struct ata_port_operations svia_base_ops = {
24434 +static const struct ata_port_operations svia_base_ops = {
24435 .inherits = &ata_bmdma_port_ops,
24436 .sff_tf_load = svia_tf_load,
24439 -static struct ata_port_operations vt6420_sata_ops = {
24440 +static const struct ata_port_operations vt6420_sata_ops = {
24441 .inherits = &svia_base_ops,
24442 .freeze = svia_noop_freeze,
24443 .prereset = vt6420_prereset,
24444 .bmdma_start = vt6420_bmdma_start,
24447 -static struct ata_port_operations vt6421_pata_ops = {
24448 +static const struct ata_port_operations vt6421_pata_ops = {
24449 .inherits = &svia_base_ops,
24450 .cable_detect = vt6421_pata_cable_detect,
24451 .set_piomode = vt6421_set_pio_mode,
24452 .set_dmamode = vt6421_set_dma_mode,
24455 -static struct ata_port_operations vt6421_sata_ops = {
24456 +static const struct ata_port_operations vt6421_sata_ops = {
24457 .inherits = &svia_base_ops,
24458 .scr_read = svia_scr_read,
24459 .scr_write = svia_scr_write,
24462 -static struct ata_port_operations vt8251_ops = {
24463 +static const struct ata_port_operations vt8251_ops = {
24464 .inherits = &svia_base_ops,
24465 .hardreset = sata_std_hardreset,
24466 .scr_read = vt8251_scr_read,
24467 diff -urNp linux-2.6.38.6/drivers/ata/sata_vsc.c linux-2.6.38.6/drivers/ata/sata_vsc.c
24468 --- linux-2.6.38.6/drivers/ata/sata_vsc.c 2011-03-14 21:20:32.000000000 -0400
24469 +++ linux-2.6.38.6/drivers/ata/sata_vsc.c 2011-04-28 19:34:15.000000000 -0400
24470 @@ -300,7 +300,7 @@ static struct scsi_host_template vsc_sat
24474 -static struct ata_port_operations vsc_sata_ops = {
24475 +static const struct ata_port_operations vsc_sata_ops = {
24476 .inherits = &ata_bmdma_port_ops,
24477 /* The IRQ handling is not quite standard SFF behaviour so we
24478 cannot use the default lost interrupt handler */
24479 diff -urNp linux-2.6.38.6/drivers/atm/adummy.c linux-2.6.38.6/drivers/atm/adummy.c
24480 --- linux-2.6.38.6/drivers/atm/adummy.c 2011-03-14 21:20:32.000000000 -0400
24481 +++ linux-2.6.38.6/drivers/atm/adummy.c 2011-04-28 19:34:15.000000000 -0400
24482 @@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct
24483 vcc->pop(vcc, skb);
24485 dev_kfree_skb_any(skb);
24486 - atomic_inc(&vcc->stats->tx);
24487 + atomic_inc_unchecked(&vcc->stats->tx);
24491 diff -urNp linux-2.6.38.6/drivers/atm/ambassador.c linux-2.6.38.6/drivers/atm/ambassador.c
24492 --- linux-2.6.38.6/drivers/atm/ambassador.c 2011-03-14 21:20:32.000000000 -0400
24493 +++ linux-2.6.38.6/drivers/atm/ambassador.c 2011-04-28 19:34:15.000000000 -0400
24494 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
24495 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
24498 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
24499 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
24501 // free the descriptor
24503 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
24504 dump_skb ("<<<", vc, skb);
24507 - atomic_inc(&atm_vcc->stats->rx);
24508 + atomic_inc_unchecked(&atm_vcc->stats->rx);
24509 __net_timestamp(skb);
24510 // end of our responsability
24511 atm_vcc->push (atm_vcc, skb);
24512 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
24514 PRINTK (KERN_INFO, "dropped over-size frame");
24515 // should we count this?
24516 - atomic_inc(&atm_vcc->stats->rx_drop);
24517 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
24521 @@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
24524 if (check_area (skb->data, skb->len)) {
24525 - atomic_inc(&atm_vcc->stats->tx_err);
24526 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
24527 return -ENOMEM; // ?
24530 diff -urNp linux-2.6.38.6/drivers/atm/atmtcp.c linux-2.6.38.6/drivers/atm/atmtcp.c
24531 --- linux-2.6.38.6/drivers/atm/atmtcp.c 2011-03-14 21:20:32.000000000 -0400
24532 +++ linux-2.6.38.6/drivers/atm/atmtcp.c 2011-04-28 19:34:15.000000000 -0400
24533 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
24534 if (vcc->pop) vcc->pop(vcc,skb);
24535 else dev_kfree_skb(skb);
24536 if (dev_data) return 0;
24537 - atomic_inc(&vcc->stats->tx_err);
24538 + atomic_inc_unchecked(&vcc->stats->tx_err);
24541 size = skb->len+sizeof(struct atmtcp_hdr);
24542 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
24544 if (vcc->pop) vcc->pop(vcc,skb);
24545 else dev_kfree_skb(skb);
24546 - atomic_inc(&vcc->stats->tx_err);
24547 + atomic_inc_unchecked(&vcc->stats->tx_err);
24550 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
24551 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
24552 if (vcc->pop) vcc->pop(vcc,skb);
24553 else dev_kfree_skb(skb);
24554 out_vcc->push(out_vcc,new_skb);
24555 - atomic_inc(&vcc->stats->tx);
24556 - atomic_inc(&out_vcc->stats->rx);
24557 + atomic_inc_unchecked(&vcc->stats->tx);
24558 + atomic_inc_unchecked(&out_vcc->stats->rx);
24562 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
24563 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
24564 read_unlock(&vcc_sklist_lock);
24566 - atomic_inc(&vcc->stats->tx_err);
24567 + atomic_inc_unchecked(&vcc->stats->tx_err);
24570 skb_pull(skb,sizeof(struct atmtcp_hdr));
24571 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
24572 __net_timestamp(new_skb);
24573 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
24574 out_vcc->push(out_vcc,new_skb);
24575 - atomic_inc(&vcc->stats->tx);
24576 - atomic_inc(&out_vcc->stats->rx);
24577 + atomic_inc_unchecked(&vcc->stats->tx);
24578 + atomic_inc_unchecked(&out_vcc->stats->rx);
24580 if (vcc->pop) vcc->pop(vcc,skb);
24581 else dev_kfree_skb(skb);
24582 diff -urNp linux-2.6.38.6/drivers/atm/eni.c linux-2.6.38.6/drivers/atm/eni.c
24583 --- linux-2.6.38.6/drivers/atm/eni.c 2011-03-14 21:20:32.000000000 -0400
24584 +++ linux-2.6.38.6/drivers/atm/eni.c 2011-04-28 19:34:15.000000000 -0400
24585 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
24586 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
24589 - atomic_inc(&vcc->stats->rx_err);
24590 + atomic_inc_unchecked(&vcc->stats->rx_err);
24593 length = ATM_CELL_SIZE-1; /* no HEC */
24594 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
24598 - atomic_inc(&vcc->stats->rx_err);
24599 + atomic_inc_unchecked(&vcc->stats->rx_err);
24602 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
24603 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
24604 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
24605 vcc->dev->number,vcc->vci,length,size << 2,descr);
24607 - atomic_inc(&vcc->stats->rx_err);
24608 + atomic_inc_unchecked(&vcc->stats->rx_err);
24611 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
24612 @@ -771,7 +771,7 @@ rx_dequeued++;
24613 vcc->push(vcc,skb);
24616 - atomic_inc(&vcc->stats->rx);
24617 + atomic_inc_unchecked(&vcc->stats->rx);
24619 wake_up(&eni_dev->rx_wait);
24621 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
24623 if (vcc->pop) vcc->pop(vcc,skb);
24624 else dev_kfree_skb_irq(skb);
24625 - atomic_inc(&vcc->stats->tx);
24626 + atomic_inc_unchecked(&vcc->stats->tx);
24627 wake_up(&eni_dev->tx_wait);
24630 diff -urNp linux-2.6.38.6/drivers/atm/firestream.c linux-2.6.38.6/drivers/atm/firestream.c
24631 --- linux-2.6.38.6/drivers/atm/firestream.c 2011-03-14 21:20:32.000000000 -0400
24632 +++ linux-2.6.38.6/drivers/atm/firestream.c 2011-04-28 19:34:15.000000000 -0400
24633 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct
24637 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
24638 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
24640 fs_dprintk (FS_DEBUG_TXMEM, "i");
24641 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
24642 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_
24644 skb_put (skb, qe->p1 & 0xffff);
24645 ATM_SKB(skb)->vcc = atm_vcc;
24646 - atomic_inc(&atm_vcc->stats->rx);
24647 + atomic_inc_unchecked(&atm_vcc->stats->rx);
24648 __net_timestamp(skb);
24649 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
24650 atm_vcc->push (atm_vcc, skb);
24651 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_
24655 - atomic_inc(&atm_vcc->stats->rx_drop);
24656 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
24658 case 0x1f: /* Reassembly abort: no buffers. */
24659 /* Silently increment error counter. */
24661 - atomic_inc(&atm_vcc->stats->rx_drop);
24662 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
24664 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
24665 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
24666 diff -urNp linux-2.6.38.6/drivers/atm/fore200e.c linux-2.6.38.6/drivers/atm/fore200e.c
24667 --- linux-2.6.38.6/drivers/atm/fore200e.c 2011-03-14 21:20:32.000000000 -0400
24668 +++ linux-2.6.38.6/drivers/atm/fore200e.c 2011-04-28 19:34:15.000000000 -0400
24669 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
24671 /* check error condition */
24672 if (*entry->status & STATUS_ERROR)
24673 - atomic_inc(&vcc->stats->tx_err);
24674 + atomic_inc_unchecked(&vcc->stats->tx_err);
24676 - atomic_inc(&vcc->stats->tx);
24677 + atomic_inc_unchecked(&vcc->stats->tx);
24681 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
24683 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
24685 - atomic_inc(&vcc->stats->rx_drop);
24686 + atomic_inc_unchecked(&vcc->stats->rx_drop);
24690 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
24692 dev_kfree_skb_any(skb);
24694 - atomic_inc(&vcc->stats->rx_drop);
24695 + atomic_inc_unchecked(&vcc->stats->rx_drop);
24699 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
24701 vcc->push(vcc, skb);
24702 - atomic_inc(&vcc->stats->rx);
24703 + atomic_inc_unchecked(&vcc->stats->rx);
24705 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
24707 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
24708 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
24709 fore200e->atm_dev->number,
24710 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
24711 - atomic_inc(&vcc->stats->rx_err);
24712 + atomic_inc_unchecked(&vcc->stats->rx_err);
24716 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
24720 - atomic_inc(&vcc->stats->tx_err);
24721 + atomic_inc_unchecked(&vcc->stats->tx_err);
24723 fore200e->tx_sat++;
24724 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
24725 diff -urNp linux-2.6.38.6/drivers/atm/he.c linux-2.6.38.6/drivers/atm/he.c
24726 --- linux-2.6.38.6/drivers/atm/he.c 2011-03-14 21:20:32.000000000 -0400
24727 +++ linux-2.6.38.6/drivers/atm/he.c 2011-04-28 19:34:15.000000000 -0400
24728 @@ -1709,7 +1709,7 @@ he_service_rbrq(struct he_dev *he_dev, i
24730 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
24731 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
24732 - atomic_inc(&vcc->stats->rx_drop);
24733 + atomic_inc_unchecked(&vcc->stats->rx_drop);
24734 goto return_host_buffers;
24737 @@ -1736,7 +1736,7 @@ he_service_rbrq(struct he_dev *he_dev, i
24738 RBRQ_LEN_ERR(he_dev->rbrq_head)
24740 vcc->vpi, vcc->vci);
24741 - atomic_inc(&vcc->stats->rx_err);
24742 + atomic_inc_unchecked(&vcc->stats->rx_err);
24743 goto return_host_buffers;
24746 @@ -1788,7 +1788,7 @@ he_service_rbrq(struct he_dev *he_dev, i
24747 vcc->push(vcc, skb);
24748 spin_lock(&he_dev->global_lock);
24750 - atomic_inc(&vcc->stats->rx);
24751 + atomic_inc_unchecked(&vcc->stats->rx);
24753 return_host_buffers:
24755 @@ -2114,7 +2114,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
24756 tpd->vcc->pop(tpd->vcc, tpd->skb);
24758 dev_kfree_skb_any(tpd->skb);
24759 - atomic_inc(&tpd->vcc->stats->tx_err);
24760 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
24762 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
24764 @@ -2526,7 +2526,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
24765 vcc->pop(vcc, skb);
24767 dev_kfree_skb_any(skb);
24768 - atomic_inc(&vcc->stats->tx_err);
24769 + atomic_inc_unchecked(&vcc->stats->tx_err);
24773 @@ -2537,7 +2537,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
24774 vcc->pop(vcc, skb);
24776 dev_kfree_skb_any(skb);
24777 - atomic_inc(&vcc->stats->tx_err);
24778 + atomic_inc_unchecked(&vcc->stats->tx_err);
24782 @@ -2549,7 +2549,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
24783 vcc->pop(vcc, skb);
24785 dev_kfree_skb_any(skb);
24786 - atomic_inc(&vcc->stats->tx_err);
24787 + atomic_inc_unchecked(&vcc->stats->tx_err);
24788 spin_unlock_irqrestore(&he_dev->global_lock, flags);
24791 @@ -2591,7 +2591,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
24792 vcc->pop(vcc, skb);
24794 dev_kfree_skb_any(skb);
24795 - atomic_inc(&vcc->stats->tx_err);
24796 + atomic_inc_unchecked(&vcc->stats->tx_err);
24797 spin_unlock_irqrestore(&he_dev->global_lock, flags);
24800 @@ -2622,7 +2622,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
24801 __enqueue_tpd(he_dev, tpd, cid);
24802 spin_unlock_irqrestore(&he_dev->global_lock, flags);
24804 - atomic_inc(&vcc->stats->tx);
24805 + atomic_inc_unchecked(&vcc->stats->tx);
24809 diff -urNp linux-2.6.38.6/drivers/atm/horizon.c linux-2.6.38.6/drivers/atm/horizon.c
24810 --- linux-2.6.38.6/drivers/atm/horizon.c 2011-03-14 21:20:32.000000000 -0400
24811 +++ linux-2.6.38.6/drivers/atm/horizon.c 2011-04-28 19:34:15.000000000 -0400
24812 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev,
24814 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
24816 - atomic_inc(&vcc->stats->rx);
24817 + atomic_inc_unchecked(&vcc->stats->rx);
24818 __net_timestamp(skb);
24819 // end of our responsability
24820 vcc->push (vcc, skb);
24821 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
24822 dev->tx_iovec = NULL;
24825 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
24826 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
24829 hrz_kfree_skb (skb);
24830 diff -urNp linux-2.6.38.6/drivers/atm/idt77252.c linux-2.6.38.6/drivers/atm/idt77252.c
24831 --- linux-2.6.38.6/drivers/atm/idt77252.c 2011-03-14 21:20:32.000000000 -0400
24832 +++ linux-2.6.38.6/drivers/atm/idt77252.c 2011-04-28 19:34:15.000000000 -0400
24833 @@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
24835 dev_kfree_skb(skb);
24837 - atomic_inc(&vcc->stats->tx);
24838 + atomic_inc_unchecked(&vcc->stats->tx);
24841 atomic_dec(&scq->used);
24842 @@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
24843 if ((sb = dev_alloc_skb(64)) == NULL) {
24844 printk("%s: Can't allocate buffers for aal0.\n",
24846 - atomic_add(i, &vcc->stats->rx_drop);
24847 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
24850 if (!atm_charge(vcc, sb->truesize)) {
24851 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
24853 - atomic_add(i - 1, &vcc->stats->rx_drop);
24854 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
24858 @@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
24859 ATM_SKB(sb)->vcc = vcc;
24860 __net_timestamp(sb);
24861 vcc->push(vcc, sb);
24862 - atomic_inc(&vcc->stats->rx);
24863 + atomic_inc_unchecked(&vcc->stats->rx);
24865 cell += ATM_CELL_PAYLOAD;
24867 @@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
24869 card->name, len, rpp->len, readl(SAR_REG_CDC));
24870 recycle_rx_pool_skb(card, rpp);
24871 - atomic_inc(&vcc->stats->rx_err);
24872 + atomic_inc_unchecked(&vcc->stats->rx_err);
24875 if (stat & SAR_RSQE_CRC) {
24876 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
24877 recycle_rx_pool_skb(card, rpp);
24878 - atomic_inc(&vcc->stats->rx_err);
24879 + atomic_inc_unchecked(&vcc->stats->rx_err);
24882 if (skb_queue_len(&rpp->queue) > 1) {
24883 @@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
24884 RXPRINTK("%s: Can't alloc RX skb.\n",
24886 recycle_rx_pool_skb(card, rpp);
24887 - atomic_inc(&vcc->stats->rx_err);
24888 + atomic_inc_unchecked(&vcc->stats->rx_err);
24891 if (!atm_charge(vcc, skb->truesize)) {
24892 @@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
24893 __net_timestamp(skb);
24895 vcc->push(vcc, skb);
24896 - atomic_inc(&vcc->stats->rx);
24897 + atomic_inc_unchecked(&vcc->stats->rx);
24901 @@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
24902 __net_timestamp(skb);
24904 vcc->push(vcc, skb);
24905 - atomic_inc(&vcc->stats->rx);
24906 + atomic_inc_unchecked(&vcc->stats->rx);
24908 if (skb->truesize > SAR_FB_SIZE_3)
24909 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
24910 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
24911 if (vcc->qos.aal != ATM_AAL0) {
24912 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
24913 card->name, vpi, vci);
24914 - atomic_inc(&vcc->stats->rx_drop);
24915 + atomic_inc_unchecked(&vcc->stats->rx_drop);
24919 if ((sb = dev_alloc_skb(64)) == NULL) {
24920 printk("%s: Can't allocate buffers for AAL0.\n",
24922 - atomic_inc(&vcc->stats->rx_err);
24923 + atomic_inc_unchecked(&vcc->stats->rx_err);
24927 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
24928 ATM_SKB(sb)->vcc = vcc;
24929 __net_timestamp(sb);
24930 vcc->push(vcc, sb);
24931 - atomic_inc(&vcc->stats->rx);
24932 + atomic_inc_unchecked(&vcc->stats->rx);
24935 skb_pull(queue, 64);
24936 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
24939 printk("%s: NULL connection in send().\n", card->name);
24940 - atomic_inc(&vcc->stats->tx_err);
24941 + atomic_inc_unchecked(&vcc->stats->tx_err);
24942 dev_kfree_skb(skb);
24945 if (!test_bit(VCF_TX, &vc->flags)) {
24946 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
24947 - atomic_inc(&vcc->stats->tx_err);
24948 + atomic_inc_unchecked(&vcc->stats->tx_err);
24949 dev_kfree_skb(skb);
24952 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
24955 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
24956 - atomic_inc(&vcc->stats->tx_err);
24957 + atomic_inc_unchecked(&vcc->stats->tx_err);
24958 dev_kfree_skb(skb);
24962 if (skb_shinfo(skb)->nr_frags != 0) {
24963 printk("%s: No scatter-gather yet.\n", card->name);
24964 - atomic_inc(&vcc->stats->tx_err);
24965 + atomic_inc_unchecked(&vcc->stats->tx_err);
24966 dev_kfree_skb(skb);
24969 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
24971 err = queue_skb(card, vc, skb, oam);
24973 - atomic_inc(&vcc->stats->tx_err);
24974 + atomic_inc_unchecked(&vcc->stats->tx_err);
24975 dev_kfree_skb(skb);
24978 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
24979 skb = dev_alloc_skb(64);
24981 printk("%s: Out of memory in send_oam().\n", card->name);
24982 - atomic_inc(&vcc->stats->tx_err);
24983 + atomic_inc_unchecked(&vcc->stats->tx_err);
24986 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
24987 diff -urNp linux-2.6.38.6/drivers/atm/iphase.c linux-2.6.38.6/drivers/atm/iphase.c
24988 --- linux-2.6.38.6/drivers/atm/iphase.c 2011-03-14 21:20:32.000000000 -0400
24989 +++ linux-2.6.38.6/drivers/atm/iphase.c 2011-04-28 19:34:15.000000000 -0400
24990 @@ -1124,7 +1124,7 @@ static int rx_pkt(struct atm_dev *dev)
24991 status = (u_short) (buf_desc_ptr->desc_mode);
24992 if (status & (RX_CER | RX_PTE | RX_OFL))
24994 - atomic_inc(&vcc->stats->rx_err);
24995 + atomic_inc_unchecked(&vcc->stats->rx_err);
24996 IF_ERR(printk("IA: bad packet, dropping it");)
24997 if (status & RX_CER) {
24998 IF_ERR(printk(" cause: packet CRC error\n");)
24999 @@ -1147,7 +1147,7 @@ static int rx_pkt(struct atm_dev *dev)
25000 len = dma_addr - buf_addr;
25001 if (len > iadev->rx_buf_sz) {
25002 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
25003 - atomic_inc(&vcc->stats->rx_err);
25004 + atomic_inc_unchecked(&vcc->stats->rx_err);
25005 goto out_free_desc;
25008 @@ -1297,7 +1297,7 @@ static void rx_dle_intr(struct atm_dev *
25009 ia_vcc = INPH_IA_VCC(vcc);
25010 if (ia_vcc == NULL)
25012 - atomic_inc(&vcc->stats->rx_err);
25013 + atomic_inc_unchecked(&vcc->stats->rx_err);
25014 dev_kfree_skb_any(skb);
25015 atm_return(vcc, atm_guess_pdu2truesize(len));
25017 @@ -1309,7 +1309,7 @@ static void rx_dle_intr(struct atm_dev *
25018 if ((length > iadev->rx_buf_sz) || (length >
25019 (skb->len - sizeof(struct cpcs_trailer))))
25021 - atomic_inc(&vcc->stats->rx_err);
25022 + atomic_inc_unchecked(&vcc->stats->rx_err);
25023 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
25024 length, skb->len);)
25025 dev_kfree_skb_any(skb);
25026 @@ -1325,7 +1325,7 @@ static void rx_dle_intr(struct atm_dev *
25028 IF_RX(printk("rx_dle_intr: skb push");)
25029 vcc->push(vcc,skb);
25030 - atomic_inc(&vcc->stats->rx);
25031 + atomic_inc_unchecked(&vcc->stats->rx);
25032 iadev->rx_pkt_cnt++;
25035 @@ -2807,15 +2807,15 @@ static int ia_ioctl(struct atm_dev *dev,
25037 struct k_sonet_stats *stats;
25038 stats = &PRIV(_ia_dev[board])->sonet_stats;
25039 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
25040 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
25041 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
25042 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
25043 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
25044 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
25045 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
25046 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
25047 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
25048 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
25049 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
25050 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
25051 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
25052 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
25053 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
25054 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
25055 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
25056 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
25058 ia_cmds.status = 0;
25060 @@ -2920,7 +2920,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
25061 if ((desc == 0) || (desc > iadev->num_tx_desc))
25063 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
25064 - atomic_inc(&vcc->stats->tx);
25065 + atomic_inc_unchecked(&vcc->stats->tx);
25067 vcc->pop(vcc, skb);
25069 @@ -3025,14 +3025,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
25070 ATM_DESC(skb) = vcc->vci;
25071 skb_queue_tail(&iadev->tx_dma_q, skb);
25073 - atomic_inc(&vcc->stats->tx);
25074 + atomic_inc_unchecked(&vcc->stats->tx);
25075 iadev->tx_pkt_cnt++;
25076 /* Increment transaction counter */
25077 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
25080 /* add flow control logic */
25081 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
25082 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
25083 if (iavcc->vc_desc_cnt > 10) {
25084 vcc->tx_quota = vcc->tx_quota * 3 / 4;
25085 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
25086 diff -urNp linux-2.6.38.6/drivers/atm/lanai.c linux-2.6.38.6/drivers/atm/lanai.c
25087 --- linux-2.6.38.6/drivers/atm/lanai.c 2011-03-14 21:20:32.000000000 -0400
25088 +++ linux-2.6.38.6/drivers/atm/lanai.c 2011-04-28 19:34:15.000000000 -0400
25089 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
25090 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
25091 lanai_endtx(lanai, lvcc);
25092 lanai_free_skb(lvcc->tx.atmvcc, skb);
25093 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
25094 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
25097 /* Try to fill the buffer - don't call unless there is backlog */
25098 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
25099 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
25100 __net_timestamp(skb);
25101 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
25102 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
25103 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
25105 lvcc->rx.buf.ptr = end;
25106 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
25107 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
25108 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
25109 "vcc %d\n", lanai->number, (unsigned int) s, vci);
25110 lanai->stats.service_rxnotaal5++;
25111 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
25112 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
25115 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
25116 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
25118 read_unlock(&vcc_sklist_lock);
25119 DPRINTK("got trashed rx pdu on vci %d\n", vci);
25120 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
25121 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
25122 lvcc->stats.x.aal5.service_trash++;
25123 bytes = (SERVICE_GET_END(s) * 16) -
25124 (((unsigned long) lvcc->rx.buf.ptr) -
25125 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
25127 if (s & SERVICE_STREAM) {
25128 read_unlock(&vcc_sklist_lock);
25129 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
25130 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
25131 lvcc->stats.x.aal5.service_stream++;
25132 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
25133 "PDU on VCI %d!\n", lanai->number, vci);
25134 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
25137 DPRINTK("got rx crc error on vci %d\n", vci);
25138 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
25139 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
25140 lvcc->stats.x.aal5.service_rxcrc++;
25141 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
25142 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
25143 diff -urNp linux-2.6.38.6/drivers/atm/nicstar.c linux-2.6.38.6/drivers/atm/nicstar.c
25144 --- linux-2.6.38.6/drivers/atm/nicstar.c 2011-03-14 21:20:32.000000000 -0400
25145 +++ linux-2.6.38.6/drivers/atm/nicstar.c 2011-04-28 19:34:15.000000000 -0400
25146 @@ -1654,7 +1654,7 @@ static int ns_send(struct atm_vcc *vcc,
25147 if ((vc = (vc_map *) vcc->dev_data) == NULL) {
25148 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
25150 - atomic_inc(&vcc->stats->tx_err);
25151 + atomic_inc_unchecked(&vcc->stats->tx_err);
25152 dev_kfree_skb_any(skb);
25155 @@ -1662,7 +1662,7 @@ static int ns_send(struct atm_vcc *vcc,
25157 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
25159 - atomic_inc(&vcc->stats->tx_err);
25160 + atomic_inc_unchecked(&vcc->stats->tx_err);
25161 dev_kfree_skb_any(skb);
25164 @@ -1670,14 +1670,14 @@ static int ns_send(struct atm_vcc *vcc,
25165 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
25166 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
25168 - atomic_inc(&vcc->stats->tx_err);
25169 + atomic_inc_unchecked(&vcc->stats->tx_err);
25170 dev_kfree_skb_any(skb);
25174 if (skb_shinfo(skb)->nr_frags != 0) {
25175 printk("nicstar%d: No scatter-gather yet.\n", card->index);
25176 - atomic_inc(&vcc->stats->tx_err);
25177 + atomic_inc_unchecked(&vcc->stats->tx_err);
25178 dev_kfree_skb_any(skb);
25181 @@ -1725,11 +1725,11 @@ static int ns_send(struct atm_vcc *vcc,
25184 if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
25185 - atomic_inc(&vcc->stats->tx_err);
25186 + atomic_inc_unchecked(&vcc->stats->tx_err);
25187 dev_kfree_skb_any(skb);
25190 - atomic_inc(&vcc->stats->tx);
25191 + atomic_inc_unchecked(&vcc->stats->tx);
25195 @@ -2046,14 +2046,14 @@ static void dequeue_rx(ns_dev * card, ns
25197 ("nicstar%d: Can't allocate buffers for aal0.\n",
25199 - atomic_add(i, &vcc->stats->rx_drop);
25200 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
25203 if (!atm_charge(vcc, sb->truesize)) {
25205 ("nicstar%d: atm_charge() dropped aal0 packets.\n",
25207 - atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
25208 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
25209 dev_kfree_skb_any(sb);
25212 @@ -2068,7 +2068,7 @@ static void dequeue_rx(ns_dev * card, ns
25213 ATM_SKB(sb)->vcc = vcc;
25214 __net_timestamp(sb);
25215 vcc->push(vcc, sb);
25216 - atomic_inc(&vcc->stats->rx);
25217 + atomic_inc_unchecked(&vcc->stats->rx);
25218 cell += ATM_CELL_PAYLOAD;
25221 @@ -2085,7 +2085,7 @@ static void dequeue_rx(ns_dev * card, ns
25222 if (iovb == NULL) {
25223 printk("nicstar%d: Out of iovec buffers.\n",
25225 - atomic_inc(&vcc->stats->rx_drop);
25226 + atomic_inc_unchecked(&vcc->stats->rx_drop);
25227 recycle_rx_buf(card, skb);
25230 @@ -2109,7 +2109,7 @@ static void dequeue_rx(ns_dev * card, ns
25231 small or large buffer itself. */
25232 } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
25233 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
25234 - atomic_inc(&vcc->stats->rx_err);
25235 + atomic_inc_unchecked(&vcc->stats->rx_err);
25236 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
25238 NS_PRV_IOVCNT(iovb) = 0;
25239 @@ -2129,7 +2129,7 @@ static void dequeue_rx(ns_dev * card, ns
25240 ("nicstar%d: Expected a small buffer, and this is not one.\n",
25242 which_list(card, skb);
25243 - atomic_inc(&vcc->stats->rx_err);
25244 + atomic_inc_unchecked(&vcc->stats->rx_err);
25245 recycle_rx_buf(card, skb);
25247 recycle_iov_buf(card, iovb);
25248 @@ -2142,7 +2142,7 @@ static void dequeue_rx(ns_dev * card, ns
25249 ("nicstar%d: Expected a large buffer, and this is not one.\n",
25251 which_list(card, skb);
25252 - atomic_inc(&vcc->stats->rx_err);
25253 + atomic_inc_unchecked(&vcc->stats->rx_err);
25254 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
25255 NS_PRV_IOVCNT(iovb));
25257 @@ -2165,7 +2165,7 @@ static void dequeue_rx(ns_dev * card, ns
25258 printk(" - PDU size mismatch.\n");
25261 - atomic_inc(&vcc->stats->rx_err);
25262 + atomic_inc_unchecked(&vcc->stats->rx_err);
25263 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
25264 NS_PRV_IOVCNT(iovb));
25266 @@ -2179,7 +2179,7 @@ static void dequeue_rx(ns_dev * card, ns
25267 /* skb points to a small buffer */
25268 if (!atm_charge(vcc, skb->truesize)) {
25269 push_rxbufs(card, skb);
25270 - atomic_inc(&vcc->stats->rx_drop);
25271 + atomic_inc_unchecked(&vcc->stats->rx_drop);
25274 dequeue_sm_buf(card, skb);
25275 @@ -2189,7 +2189,7 @@ static void dequeue_rx(ns_dev * card, ns
25276 ATM_SKB(skb)->vcc = vcc;
25277 __net_timestamp(skb);
25278 vcc->push(vcc, skb);
25279 - atomic_inc(&vcc->stats->rx);
25280 + atomic_inc_unchecked(&vcc->stats->rx);
25282 } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */
25283 struct sk_buff *sb;
25284 @@ -2200,7 +2200,7 @@ static void dequeue_rx(ns_dev * card, ns
25285 if (len <= NS_SMBUFSIZE) {
25286 if (!atm_charge(vcc, sb->truesize)) {
25287 push_rxbufs(card, sb);
25288 - atomic_inc(&vcc->stats->rx_drop);
25289 + atomic_inc_unchecked(&vcc->stats->rx_drop);
25292 dequeue_sm_buf(card, sb);
25293 @@ -2210,7 +2210,7 @@ static void dequeue_rx(ns_dev * card, ns
25294 ATM_SKB(sb)->vcc = vcc;
25295 __net_timestamp(sb);
25296 vcc->push(vcc, sb);
25297 - atomic_inc(&vcc->stats->rx);
25298 + atomic_inc_unchecked(&vcc->stats->rx);
25301 push_rxbufs(card, skb);
25302 @@ -2219,7 +2219,7 @@ static void dequeue_rx(ns_dev * card, ns
25304 if (!atm_charge(vcc, skb->truesize)) {
25305 push_rxbufs(card, skb);
25306 - atomic_inc(&vcc->stats->rx_drop);
25307 + atomic_inc_unchecked(&vcc->stats->rx_drop);
25309 dequeue_lg_buf(card, skb);
25310 #ifdef NS_USE_DESTRUCTORS
25311 @@ -2232,7 +2232,7 @@ static void dequeue_rx(ns_dev * card, ns
25312 ATM_SKB(skb)->vcc = vcc;
25313 __net_timestamp(skb);
25314 vcc->push(vcc, skb);
25315 - atomic_inc(&vcc->stats->rx);
25316 + atomic_inc_unchecked(&vcc->stats->rx);
25319 push_rxbufs(card, sb);
25320 @@ -2253,7 +2253,7 @@ static void dequeue_rx(ns_dev * card, ns
25322 ("nicstar%d: Out of huge buffers.\n",
25324 - atomic_inc(&vcc->stats->rx_drop);
25325 + atomic_inc_unchecked(&vcc->stats->rx_drop);
25326 recycle_iovec_rx_bufs(card,
25329 @@ -2304,7 +2304,7 @@ static void dequeue_rx(ns_dev * card, ns
25330 card->hbpool.count++;
25332 dev_kfree_skb_any(hb);
25333 - atomic_inc(&vcc->stats->rx_drop);
25334 + atomic_inc_unchecked(&vcc->stats->rx_drop);
25336 /* Copy the small buffer to the huge buffer */
25337 sb = (struct sk_buff *)iov->iov_base;
25338 @@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev * card, ns
25339 #endif /* NS_USE_DESTRUCTORS */
25340 __net_timestamp(hb);
25341 vcc->push(vcc, hb);
25342 - atomic_inc(&vcc->stats->rx);
25343 + atomic_inc_unchecked(&vcc->stats->rx);
25347 diff -urNp linux-2.6.38.6/drivers/atm/solos-pci.c linux-2.6.38.6/drivers/atm/solos-pci.c
25348 --- linux-2.6.38.6/drivers/atm/solos-pci.c 2011-04-18 17:27:18.000000000 -0400
25349 +++ linux-2.6.38.6/drivers/atm/solos-pci.c 2011-05-16 21:47:08.000000000 -0400
25350 @@ -715,7 +715,7 @@ void solos_bh(unsigned long card_arg)
25352 atm_charge(vcc, skb->truesize);
25353 vcc->push(vcc, skb);
25354 - atomic_inc(&vcc->stats->rx);
25355 + atomic_inc_unchecked(&vcc->stats->rx);
25359 @@ -900,6 +900,8 @@ static int print_buffer(struct sk_buff *
25363 + pax_track_stack();
25366 for (i = 0; i < len; i++){
25368 @@ -1009,7 +1011,7 @@ static uint32_t fpga_tx(struct solos_car
25369 vcc = SKB_CB(oldskb)->vcc;
25372 - atomic_inc(&vcc->stats->tx);
25373 + atomic_inc_unchecked(&vcc->stats->tx);
25374 solos_pop(vcc, oldskb);
25376 dev_kfree_skb_irq(oldskb);
25377 diff -urNp linux-2.6.38.6/drivers/atm/suni.c linux-2.6.38.6/drivers/atm/suni.c
25378 --- linux-2.6.38.6/drivers/atm/suni.c 2011-03-14 21:20:32.000000000 -0400
25379 +++ linux-2.6.38.6/drivers/atm/suni.c 2011-04-28 19:34:15.000000000 -0400
25380 @@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
25383 #define ADD_LIMITED(s,v) \
25384 - atomic_add((v),&stats->s); \
25385 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
25386 + atomic_add_unchecked((v),&stats->s); \
25387 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
25390 static void suni_hz(unsigned long from_timer)
25391 diff -urNp linux-2.6.38.6/drivers/atm/uPD98402.c linux-2.6.38.6/drivers/atm/uPD98402.c
25392 --- linux-2.6.38.6/drivers/atm/uPD98402.c 2011-03-14 21:20:32.000000000 -0400
25393 +++ linux-2.6.38.6/drivers/atm/uPD98402.c 2011-04-28 19:34:15.000000000 -0400
25394 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
25395 struct sonet_stats tmp;
25398 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
25399 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
25400 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
25401 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
25402 if (zero && !error) {
25403 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
25406 #define ADD_LIMITED(s,v) \
25407 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
25408 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
25409 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
25410 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
25411 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
25412 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
25415 static void stat_event(struct atm_dev *dev)
25416 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
25417 if (reason & uPD98402_INT_PFM) stat_event(dev);
25418 if (reason & uPD98402_INT_PCO) {
25419 (void) GET(PCOCR); /* clear interrupt cause */
25420 - atomic_add(GET(HECCT),
25421 + atomic_add_unchecked(GET(HECCT),
25422 &PRIV(dev)->sonet_stats.uncorr_hcs);
25424 if ((reason & uPD98402_INT_RFO) &&
25425 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
25426 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
25427 uPD98402_INT_LOS),PIMR); /* enable them */
25428 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
25429 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
25430 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
25431 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
25432 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
25433 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
25434 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
25438 diff -urNp linux-2.6.38.6/drivers/atm/zatm.c linux-2.6.38.6/drivers/atm/zatm.c
25439 --- linux-2.6.38.6/drivers/atm/zatm.c 2011-03-14 21:20:32.000000000 -0400
25440 +++ linux-2.6.38.6/drivers/atm/zatm.c 2011-04-28 19:34:15.000000000 -0400
25441 @@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
25444 dev_kfree_skb_irq(skb);
25445 - if (vcc) atomic_inc(&vcc->stats->rx_err);
25446 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
25449 if (!atm_charge(vcc,skb->truesize)) {
25450 @@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
25452 ATM_SKB(skb)->vcc = vcc;
25453 vcc->push(vcc,skb);
25454 - atomic_inc(&vcc->stats->rx);
25455 + atomic_inc_unchecked(&vcc->stats->rx);
25457 zout(pos & 0xffff,MTA(mbx));
25458 #if 0 /* probably a stupid idea */
25459 @@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
25460 skb_queue_head(&zatm_vcc->backlog,skb);
25463 - atomic_inc(&vcc->stats->tx);
25464 + atomic_inc_unchecked(&vcc->stats->tx);
25465 wake_up(&zatm_vcc->tx_wait);
25468 diff -urNp linux-2.6.38.6/drivers/base/power/wakeup.c linux-2.6.38.6/drivers/base/power/wakeup.c
25469 --- linux-2.6.38.6/drivers/base/power/wakeup.c 2011-03-14 21:20:32.000000000 -0400
25470 +++ linux-2.6.38.6/drivers/base/power/wakeup.c 2011-04-28 19:57:25.000000000 -0400
25472 bool events_check_enabled;
25474 /* The counter of registered wakeup events. */
25475 -static atomic_t event_count = ATOMIC_INIT(0);
25476 +static atomic_unchecked_t event_count = ATOMIC_INIT(0);
25477 /* A preserved old value of event_count. */
25478 static unsigned int saved_count;
25479 /* The counter of wakeup events being processed. */
25480 @@ -399,7 +399,7 @@ static void wakeup_source_deactivate(str
25481 * pm_save_wakeup_count() don't see the old value of event_count and
25482 * events_in_progress equal to zero at the same time.
25484 - atomic_inc(&event_count);
25485 + atomic_inc_unchecked(&event_count);
25486 smp_mb__before_atomic_dec();
25487 atomic_dec(&events_in_progress);
25489 @@ -556,7 +556,7 @@ bool pm_wakeup_pending(void)
25491 spin_lock_irqsave(&events_lock, flags);
25492 if (events_check_enabled) {
25493 - ret = ((unsigned int)atomic_read(&event_count) != saved_count)
25494 + ret = ((unsigned int)atomic_read_unchecked(&event_count) != saved_count)
25495 || atomic_read(&events_in_progress);
25496 events_check_enabled = !ret;
25498 @@ -590,7 +590,7 @@ bool pm_get_wakeup_count(unsigned int *c
25501 ret = !atomic_read(&events_in_progress);
25502 - *count = atomic_read(&event_count);
25503 + *count = atomic_read_unchecked(&event_count);
25507 @@ -608,7 +608,7 @@ bool pm_save_wakeup_count(unsigned int c
25510 spin_lock_irq(&events_lock);
25511 - if (count == (unsigned int)atomic_read(&event_count)
25512 + if (count == (unsigned int)atomic_read_unchecked(&event_count)
25513 && !atomic_read(&events_in_progress)) {
25514 saved_count = count;
25515 events_check_enabled = true;
25516 diff -urNp linux-2.6.38.6/drivers/block/cciss.c linux-2.6.38.6/drivers/block/cciss.c
25517 --- linux-2.6.38.6/drivers/block/cciss.c 2011-03-14 21:20:32.000000000 -0400
25518 +++ linux-2.6.38.6/drivers/block/cciss.c 2011-04-28 19:34:15.000000000 -0400
25519 @@ -1112,6 +1112,8 @@ static int cciss_ioctl32_passthru(struct
25523 + memset(&arg64, 0, sizeof(arg64));
25527 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
25528 diff -urNp linux-2.6.38.6/drivers/block/cpqarray.c linux-2.6.38.6/drivers/block/cpqarray.c
25529 --- linux-2.6.38.6/drivers/block/cpqarray.c 2011-03-14 21:20:32.000000000 -0400
25530 +++ linux-2.6.38.6/drivers/block/cpqarray.c 2011-05-16 21:47:08.000000000 -0400
25531 @@ -911,6 +911,8 @@ static void do_ida_request(struct reques
25532 struct scatterlist tmp_sg[SG_MAX];
25535 + pax_track_stack();
25537 if (blk_queue_plugged(q))
25540 diff -urNp linux-2.6.38.6/drivers/block/DAC960.c linux-2.6.38.6/drivers/block/DAC960.c
25541 --- linux-2.6.38.6/drivers/block/DAC960.c 2011-03-14 21:20:32.000000000 -0400
25542 +++ linux-2.6.38.6/drivers/block/DAC960.c 2011-05-16 21:47:08.000000000 -0400
25543 @@ -1979,6 +1979,8 @@ static bool DAC960_V1_ReadDeviceConfigur
25544 unsigned long flags;
25545 int Channel, TargetID;
25547 + pax_track_stack();
25549 if (!init_dma_loaf(Controller->PCIDevice, &local_dma,
25550 DAC960_V1_MaxChannels*(sizeof(DAC960_V1_DCDB_T) +
25551 sizeof(DAC960_SCSI_Inquiry_T) +
25552 diff -urNp linux-2.6.38.6/drivers/block/drbd/drbd_int.h linux-2.6.38.6/drivers/block/drbd/drbd_int.h
25553 --- linux-2.6.38.6/drivers/block/drbd/drbd_int.h 2011-03-14 21:20:32.000000000 -0400
25554 +++ linux-2.6.38.6/drivers/block/drbd/drbd_int.h 2011-04-28 19:57:25.000000000 -0400
25555 @@ -742,7 +742,7 @@ struct drbd_request;
25556 struct drbd_epoch {
25557 struct list_head list;
25558 unsigned int barrier_nr;
25559 - atomic_t epoch_size; /* increased on every request added. */
25560 + atomic_unchecked_t epoch_size; /* increased on every request added. */
25561 atomic_t active; /* increased on every req. added, and dec on every finished. */
25562 unsigned long flags;
25564 @@ -1083,7 +1083,7 @@ struct drbd_conf {
25567 wait_queue_head_t seq_wait;
25568 - atomic_t packet_seq;
25569 + atomic_unchecked_t packet_seq;
25570 unsigned int peer_seq;
25571 spinlock_t peer_seq_lock;
25572 unsigned int minor;
25573 diff -urNp linux-2.6.38.6/drivers/block/drbd/drbd_main.c linux-2.6.38.6/drivers/block/drbd/drbd_main.c
25574 --- linux-2.6.38.6/drivers/block/drbd/drbd_main.c 2011-03-14 21:20:32.000000000 -0400
25575 +++ linux-2.6.38.6/drivers/block/drbd/drbd_main.c 2011-04-28 19:57:25.000000000 -0400
25576 @@ -2217,7 +2217,7 @@ static int _drbd_send_ack(struct drbd_co
25578 p.block_id = block_id;
25579 p.blksize = blksize;
25580 - p.seq_num = cpu_to_be32(atomic_add_return(1, &mdev->packet_seq));
25581 + p.seq_num = cpu_to_be32(atomic_add_return_unchecked(1, &mdev->packet_seq));
25583 if (!mdev->meta.socket || mdev->state.conn < C_CONNECTED)
25585 @@ -2517,7 +2517,7 @@ int drbd_send_dblock(struct drbd_conf *m
25586 p.sector = cpu_to_be64(req->sector);
25587 p.block_id = (unsigned long)req;
25588 p.seq_num = cpu_to_be32(req->seq_num =
25589 - atomic_add_return(1, &mdev->packet_seq));
25590 + atomic_add_return_unchecked(1, &mdev->packet_seq));
25592 dp_flags = bio_flags_to_wire(mdev, req->master_bio->bi_rw);
25594 @@ -2795,7 +2795,7 @@ void drbd_init_set_defaults(struct drbd_
25595 atomic_set(&mdev->unacked_cnt, 0);
25596 atomic_set(&mdev->local_cnt, 0);
25597 atomic_set(&mdev->net_cnt, 0);
25598 - atomic_set(&mdev->packet_seq, 0);
25599 + atomic_set_unchecked(&mdev->packet_seq, 0);
25600 atomic_set(&mdev->pp_in_use, 0);
25601 atomic_set(&mdev->pp_in_use_by_net, 0);
25602 atomic_set(&mdev->rs_sect_in, 0);
25603 @@ -2866,8 +2866,8 @@ void drbd_mdev_cleanup(struct drbd_conf
25604 mdev->receiver.t_state);
25606 /* no need to lock it, I'm the only thread alive */
25607 - if (atomic_read(&mdev->current_epoch->epoch_size) != 0)
25608 - dev_err(DEV, "epoch_size:%d\n", atomic_read(&mdev->current_epoch->epoch_size));
25609 + if (atomic_read_unchecked(&mdev->current_epoch->epoch_size) != 0)
25610 + dev_err(DEV, "epoch_size:%d\n", atomic_read_unchecked(&mdev->current_epoch->epoch_size));
25611 mdev->al_writ_cnt =
25612 mdev->bm_writ_cnt =
25614 diff -urNp linux-2.6.38.6/drivers/block/drbd/drbd_nl.c linux-2.6.38.6/drivers/block/drbd/drbd_nl.c
25615 --- linux-2.6.38.6/drivers/block/drbd/drbd_nl.c 2011-03-14 21:20:32.000000000 -0400
25616 +++ linux-2.6.38.6/drivers/block/drbd/drbd_nl.c 2011-04-28 19:57:25.000000000 -0400
25617 @@ -2238,7 +2238,7 @@ static void drbd_connector_callback(stru
25618 module_put(THIS_MODULE);
25621 -static atomic_t drbd_nl_seq = ATOMIC_INIT(2); /* two. */
25622 +static atomic_unchecked_t drbd_nl_seq = ATOMIC_INIT(2); /* two. */
25624 static unsigned short *
25625 __tl_add_blob(unsigned short *tl, enum drbd_tags tag, const void *data,
25626 @@ -2309,7 +2309,7 @@ void drbd_bcast_state(struct drbd_conf *
25627 cn_reply->id.idx = CN_IDX_DRBD;
25628 cn_reply->id.val = CN_VAL_DRBD;
25630 - cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
25631 + cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
25632 cn_reply->ack = 0; /* not used here. */
25633 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
25634 (int)((char *)tl - (char *)reply->tag_list);
25635 @@ -2341,7 +2341,7 @@ void drbd_bcast_ev_helper(struct drbd_co
25636 cn_reply->id.idx = CN_IDX_DRBD;
25637 cn_reply->id.val = CN_VAL_DRBD;
25639 - cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
25640 + cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
25641 cn_reply->ack = 0; /* not used here. */
25642 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
25643 (int)((char *)tl - (char *)reply->tag_list);
25644 @@ -2416,7 +2416,7 @@ void drbd_bcast_ee(struct drbd_conf *mde
25645 cn_reply->id.idx = CN_IDX_DRBD;
25646 cn_reply->id.val = CN_VAL_DRBD;
25648 - cn_reply->seq = atomic_add_return(1,&drbd_nl_seq);
25649 + cn_reply->seq = atomic_add_return_unchecked(1,&drbd_nl_seq);
25650 cn_reply->ack = 0; // not used here.
25651 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
25652 (int)((char*)tl - (char*)reply->tag_list);
25653 @@ -2455,7 +2455,7 @@ void drbd_bcast_sync_progress(struct drb
25654 cn_reply->id.idx = CN_IDX_DRBD;
25655 cn_reply->id.val = CN_VAL_DRBD;
25657 - cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
25658 + cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
25659 cn_reply->ack = 0; /* not used here. */
25660 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
25661 (int)((char *)tl - (char *)reply->tag_list);
25662 diff -urNp linux-2.6.38.6/drivers/block/drbd/drbd_receiver.c linux-2.6.38.6/drivers/block/drbd/drbd_receiver.c
25663 --- linux-2.6.38.6/drivers/block/drbd/drbd_receiver.c 2011-03-14 21:20:32.000000000 -0400
25664 +++ linux-2.6.38.6/drivers/block/drbd/drbd_receiver.c 2011-04-28 19:57:25.000000000 -0400
25665 @@ -907,7 +907,7 @@ retry:
25666 sock->sk->sk_sndtimeo = mdev->net_conf->timeout*HZ/10;
25667 sock->sk->sk_rcvtimeo = MAX_SCHEDULE_TIMEOUT;
25669 - atomic_set(&mdev->packet_seq, 0);
25670 + atomic_set_unchecked(&mdev->packet_seq, 0);
25671 mdev->peer_seq = 0;
25673 drbd_thread_start(&mdev->asender);
25674 @@ -1001,7 +1001,7 @@ static enum finish_epoch drbd_may_finish
25678 - epoch_size = atomic_read(&epoch->epoch_size);
25679 + epoch_size = atomic_read_unchecked(&epoch->epoch_size);
25681 switch (ev & ~EV_CLEANUP) {
25683 @@ -1036,7 +1036,7 @@ static enum finish_epoch drbd_may_finish
25687 - atomic_set(&epoch->epoch_size, 0);
25688 + atomic_set_unchecked(&epoch->epoch_size, 0);
25689 /* atomic_set(&epoch->active, 0); is already zero */
25690 if (rv == FE_STILL_LIVE)
25692 @@ -1197,14 +1197,14 @@ static int receive_Barrier(struct drbd_c
25693 drbd_wait_ee_list_empty(mdev, &mdev->active_ee);
25696 - if (atomic_read(&mdev->current_epoch->epoch_size)) {
25697 + if (atomic_read_unchecked(&mdev->current_epoch->epoch_size)) {
25698 epoch = kmalloc(sizeof(struct drbd_epoch), GFP_NOIO);
25703 epoch = mdev->current_epoch;
25704 - wait_event(mdev->ee_wait, atomic_read(&epoch->epoch_size) == 0);
25705 + wait_event(mdev->ee_wait, atomic_read_unchecked(&epoch->epoch_size) == 0);
25707 D_ASSERT(atomic_read(&epoch->active) == 0);
25708 D_ASSERT(epoch->flags == 0);
25709 @@ -1216,11 +1216,11 @@ static int receive_Barrier(struct drbd_c
25713 - atomic_set(&epoch->epoch_size, 0);
25714 + atomic_set_unchecked(&epoch->epoch_size, 0);
25715 atomic_set(&epoch->active, 0);
25717 spin_lock(&mdev->epoch_lock);
25718 - if (atomic_read(&mdev->current_epoch->epoch_size)) {
25719 + if (atomic_read_unchecked(&mdev->current_epoch->epoch_size)) {
25720 list_add(&epoch->list, &mdev->current_epoch->list);
25721 mdev->current_epoch = epoch;
25723 @@ -1663,7 +1663,7 @@ static int receive_Data(struct drbd_conf
25724 spin_unlock(&mdev->peer_seq_lock);
25726 drbd_send_ack_dp(mdev, P_NEG_ACK, p, data_size);
25727 - atomic_inc(&mdev->current_epoch->epoch_size);
25728 + atomic_inc_unchecked(&mdev->current_epoch->epoch_size);
25729 return drbd_drain_block(mdev, data_size);
25732 @@ -1683,7 +1683,7 @@ static int receive_Data(struct drbd_conf
25734 spin_lock(&mdev->epoch_lock);
25735 e->epoch = mdev->current_epoch;
25736 - atomic_inc(&e->epoch->epoch_size);
25737 + atomic_inc_unchecked(&e->epoch->epoch_size);
25738 atomic_inc(&e->epoch->active);
25739 spin_unlock(&mdev->epoch_lock);
25741 @@ -1866,7 +1866,7 @@ static int receive_Data(struct drbd_conf
25743 /* yes, the epoch_size now is imbalanced.
25744 * but we drop the connection anyways, so we don't have a chance to
25745 - * receive a barrier... atomic_inc(&mdev->epoch_size); */
25746 + * receive a barrier... atomic_inc_unchecked(&mdev->epoch_size); */
25748 drbd_free_ee(mdev, e);
25750 @@ -3821,7 +3821,7 @@ static void drbd_disconnect(struct drbd_
25751 D_ASSERT(list_empty(&mdev->done_ee));
25753 /* ok, no more ee's on the fly, it is safe to reset the epoch_size */
25754 - atomic_set(&mdev->current_epoch->epoch_size, 0);
25755 + atomic_set_unchecked(&mdev->current_epoch->epoch_size, 0);
25756 D_ASSERT(list_empty(&mdev->current_epoch->list));
25759 diff -urNp linux-2.6.38.6/drivers/block/nbd.c linux-2.6.38.6/drivers/block/nbd.c
25760 --- linux-2.6.38.6/drivers/block/nbd.c 2011-03-14 21:20:32.000000000 -0400
25761 +++ linux-2.6.38.6/drivers/block/nbd.c 2011-05-16 21:47:08.000000000 -0400
25762 @@ -157,6 +157,8 @@ static int sock_xmit(struct nbd_device *
25764 sigset_t blocked, oldset;
25766 + pax_track_stack();
25768 if (unlikely(!sock)) {
25769 printk(KERN_ERR "%s: Attempted %s on closed socket in sock_xmit\n",
25770 lo->disk->disk_name, (send ? "send" : "recv"));
25771 @@ -571,6 +573,8 @@ static void do_nbd_request(struct reques
25772 static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *lo,
25773 unsigned int cmd, unsigned long arg)
25775 + pax_track_stack();
25778 case NBD_DISCONNECT: {
25779 struct request sreq;
25780 diff -urNp linux-2.6.38.6/drivers/char/agp/frontend.c linux-2.6.38.6/drivers/char/agp/frontend.c
25781 --- linux-2.6.38.6/drivers/char/agp/frontend.c 2011-03-14 21:20:32.000000000 -0400
25782 +++ linux-2.6.38.6/drivers/char/agp/frontend.c 2011-04-28 19:34:15.000000000 -0400
25783 @@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct ag
25784 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
25787 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
25788 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
25791 client = agp_find_client_by_pid(reserve.pid);
25792 diff -urNp linux-2.6.38.6/drivers/char/briq_panel.c linux-2.6.38.6/drivers/char/briq_panel.c
25793 --- linux-2.6.38.6/drivers/char/briq_panel.c 2011-03-14 21:20:32.000000000 -0400
25794 +++ linux-2.6.38.6/drivers/char/briq_panel.c 2011-04-28 19:34:15.000000000 -0400
25796 #include <linux/types.h>
25797 #include <linux/errno.h>
25798 #include <linux/tty.h>
25799 +#include <linux/mutex.h>
25800 #include <linux/timer.h>
25801 #include <linux/kernel.h>
25802 #include <linux/wait.h>
25803 @@ -34,6 +35,7 @@ static int vfd_is_open;
25804 static unsigned char vfd[40];
25805 static int vfd_cursor;
25806 static unsigned char ledpb, led;
25807 +static DEFINE_MUTEX(vfd_mutex);
25809 static void update_vfd(void)
25811 @@ -140,12 +142,15 @@ static ssize_t briq_panel_write(struct f
25815 + mutex_lock(&vfd_mutex);
25820 - if (get_user(c, buf))
25821 + if (get_user(c, buf)) {
25822 + mutex_unlock(&vfd_mutex);
25828 @@ -175,6 +180,7 @@ static ssize_t briq_panel_write(struct f
25832 + mutex_unlock(&vfd_mutex);
25836 diff -urNp linux-2.6.38.6/drivers/char/genrtc.c linux-2.6.38.6/drivers/char/genrtc.c
25837 --- linux-2.6.38.6/drivers/char/genrtc.c 2011-03-14 21:20:32.000000000 -0400
25838 +++ linux-2.6.38.6/drivers/char/genrtc.c 2011-04-28 19:34:15.000000000 -0400
25839 @@ -273,6 +273,7 @@ static int gen_rtc_ioctl(struct file *fi
25843 + memset(&pll, 0, sizeof(pll));
25844 if (get_rtc_pll(&pll))
25847 diff -urNp linux-2.6.38.6/drivers/char/hpet.c linux-2.6.38.6/drivers/char/hpet.c
25848 --- linux-2.6.38.6/drivers/char/hpet.c 2011-03-14 21:20:32.000000000 -0400
25849 +++ linux-2.6.38.6/drivers/char/hpet.c 2011-04-28 19:34:15.000000000 -0400
25850 @@ -553,7 +553,7 @@ static inline unsigned long hpet_time_di
25854 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg,
25855 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg,
25856 struct hpet_info *info)
25858 struct hpet_timer __iomem *timer;
25859 diff -urNp linux-2.6.38.6/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.38.6/drivers/char/ipmi/ipmi_msghandler.c
25860 --- linux-2.6.38.6/drivers/char/ipmi/ipmi_msghandler.c 2011-03-14 21:20:32.000000000 -0400
25861 +++ linux-2.6.38.6/drivers/char/ipmi/ipmi_msghandler.c 2011-05-16 21:47:08.000000000 -0400
25862 @@ -414,7 +414,7 @@ struct ipmi_smi {
25863 struct proc_dir_entry *proc_dir;
25864 char proc_dir_name[10];
25866 - atomic_t stats[IPMI_NUM_STATS];
25867 + atomic_unchecked_t stats[IPMI_NUM_STATS];
25870 * run_to_completion duplicate of smb_info, smi_info
25871 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
25874 #define ipmi_inc_stat(intf, stat) \
25875 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
25876 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
25877 #define ipmi_get_stat(intf, stat) \
25878 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
25879 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
25881 static int is_lan_addr(struct ipmi_addr *addr)
25883 @@ -2844,7 +2844,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
25884 INIT_LIST_HEAD(&intf->cmd_rcvrs);
25885 init_waitqueue_head(&intf->waitq);
25886 for (i = 0; i < IPMI_NUM_STATS; i++)
25887 - atomic_set(&intf->stats[i], 0);
25888 + atomic_set_unchecked(&intf->stats[i], 0);
25890 intf->proc_dir = NULL;
25892 @@ -4196,6 +4196,8 @@ static void send_panic_events(char *str)
25893 struct ipmi_smi_msg smi_msg;
25894 struct ipmi_recv_msg recv_msg;
25896 + pax_track_stack();
25898 si = (struct ipmi_system_interface_addr *) &addr;
25899 si->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
25900 si->channel = IPMI_BMC_CHANNEL;
25901 diff -urNp linux-2.6.38.6/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.38.6/drivers/char/ipmi/ipmi_si_intf.c
25902 --- linux-2.6.38.6/drivers/char/ipmi/ipmi_si_intf.c 2011-03-14 21:20:32.000000000 -0400
25903 +++ linux-2.6.38.6/drivers/char/ipmi/ipmi_si_intf.c 2011-04-28 19:34:15.000000000 -0400
25904 @@ -285,7 +285,7 @@ struct smi_info {
25905 unsigned char slave_addr;
25907 /* Counters and things for the proc filesystem. */
25908 - atomic_t stats[SI_NUM_STATS];
25909 + atomic_unchecked_t stats[SI_NUM_STATS];
25911 struct task_struct *thread;
25913 @@ -294,9 +294,9 @@ struct smi_info {
25916 #define smi_inc_stat(smi, stat) \
25917 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
25918 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
25919 #define smi_get_stat(smi, stat) \
25920 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
25921 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
25923 #define SI_MAX_PARMS 4
25925 @@ -3202,7 +3202,7 @@ static int try_smi_init(struct smi_info
25926 atomic_set(&new_smi->req_events, 0);
25927 new_smi->run_to_completion = 0;
25928 for (i = 0; i < SI_NUM_STATS; i++)
25929 - atomic_set(&new_smi->stats[i], 0);
25930 + atomic_set_unchecked(&new_smi->stats[i], 0);
25932 new_smi->interrupt_disabled = 1;
25933 atomic_set(&new_smi->stop_operation, 0);
25934 diff -urNp linux-2.6.38.6/drivers/char/istallion.c linux-2.6.38.6/drivers/char/istallion.c
25935 --- linux-2.6.38.6/drivers/char/istallion.c 2011-03-14 21:20:32.000000000 -0400
25936 +++ linux-2.6.38.6/drivers/char/istallion.c 2011-05-16 21:47:08.000000000 -0400
25937 @@ -186,7 +186,6 @@ static struct ktermios stli_deftermios
25938 * re-used for each stats call.
25940 static comstats_t stli_comstats;
25941 -static combrd_t stli_brdstats;
25942 static struct asystats stli_cdkstats;
25944 /*****************************************************************************/
25945 @@ -4005,6 +4004,7 @@ static int stli_getbrdstats(combrd_t __u
25947 struct stlibrd *brdp;
25949 + combrd_t stli_brdstats;
25951 if (copy_from_user(&stli_brdstats, bp, sizeof(combrd_t)))
25953 @@ -4226,6 +4226,8 @@ static int stli_getportstruct(struct stl
25954 struct stliport stli_dummyport;
25955 struct stliport *portp;
25957 + pax_track_stack();
25959 if (copy_from_user(&stli_dummyport, arg, sizeof(struct stliport)))
25961 portp = stli_getport(stli_dummyport.brdnr, stli_dummyport.panelnr,
25962 @@ -4248,6 +4250,8 @@ static int stli_getbrdstruct(struct stli
25963 struct stlibrd stli_dummybrd;
25964 struct stlibrd *brdp;
25966 + pax_track_stack();
25968 if (copy_from_user(&stli_dummybrd, arg, sizeof(struct stlibrd)))
25970 if (stli_dummybrd.brdnr >= STL_MAXBRDS)
25971 diff -urNp linux-2.6.38.6/drivers/char/Kconfig linux-2.6.38.6/drivers/char/Kconfig
25972 --- linux-2.6.38.6/drivers/char/Kconfig 2011-03-14 21:20:32.000000000 -0400
25973 +++ linux-2.6.38.6/drivers/char/Kconfig 2011-04-28 19:34:15.000000000 -0400
25974 @@ -90,7 +90,8 @@ config VT_HW_CONSOLE_BINDING
25977 bool "/dev/kmem virtual device support"
25980 + depends on !GRKERNSEC_KMEM
25982 Say Y here if you want to support the /dev/kmem device. The
25983 /dev/kmem device is rarely used, but can be used for certain
25984 @@ -1132,6 +1133,7 @@ config DEVPORT
25987 depends on ISA || PCI
25988 + depends on !GRKERNSEC_KMEM
25991 source "drivers/s390/char/Kconfig"
25992 diff -urNp linux-2.6.38.6/drivers/char/mem.c linux-2.6.38.6/drivers/char/mem.c
25993 --- linux-2.6.38.6/drivers/char/mem.c 2011-03-14 21:20:32.000000000 -0400
25994 +++ linux-2.6.38.6/drivers/char/mem.c 2011-04-28 19:34:15.000000000 -0400
25996 #include <linux/raw.h>
25997 #include <linux/tty.h>
25998 #include <linux/capability.h>
25999 +#include <linux/security.h>
26000 #include <linux/ptrace.h>
26001 #include <linux/device.h>
26002 #include <linux/highmem.h>
26004 # include <linux/efi.h>
26007 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
26008 +extern struct file_operations grsec_fops;
26011 static inline unsigned long size_inside_page(unsigned long start,
26012 unsigned long size)
26014 @@ -68,9 +73,13 @@ static inline int range_is_allowed(unsig
26016 while (cursor < to) {
26017 if (!devmem_is_allowed(pfn)) {
26018 +#ifdef CONFIG_GRKERNSEC_KMEM
26019 + gr_handle_mem_readwrite(from, to);
26022 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
26023 current->comm, from, to);
26027 cursor += PAGE_SIZE;
26028 @@ -78,6 +87,11 @@ static inline int range_is_allowed(unsig
26032 +#elif defined(CONFIG_GRKERNSEC_KMEM)
26033 +static inline int range_is_allowed(unsigned long pfn, unsigned long size)
26038 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
26040 @@ -120,6 +134,7 @@ static ssize_t read_mem(struct file *fil
26042 while (count > 0) {
26043 unsigned long remaining;
26046 sz = size_inside_page(p, count);
26048 @@ -135,7 +150,23 @@ static ssize_t read_mem(struct file *fil
26052 - remaining = copy_to_user(buf, ptr, sz);
26053 +#ifdef CONFIG_PAX_USERCOPY
26054 + temp = kmalloc(sz, GFP_KERNEL);
26056 + unxlate_dev_mem_ptr(p, ptr);
26059 + memcpy(temp, ptr, sz);
26064 + remaining = copy_to_user(buf, temp, sz);
26066 +#ifdef CONFIG_PAX_USERCOPY
26070 unxlate_dev_mem_ptr(p, ptr);
26073 @@ -398,9 +429,8 @@ static ssize_t read_kmem(struct file *fi
26074 size_t count, loff_t *ppos)
26076 unsigned long p = *ppos;
26077 - ssize_t low_count, read, sz;
26078 + ssize_t low_count, read, sz, err = 0;
26079 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
26083 if (p < (unsigned long) high_memory) {
26084 @@ -422,6 +452,8 @@ static ssize_t read_kmem(struct file *fi
26087 while (low_count > 0) {
26090 sz = size_inside_page(p, low_count);
26093 @@ -431,7 +463,22 @@ static ssize_t read_kmem(struct file *fi
26095 kbuf = xlate_dev_kmem_ptr((char *)p);
26097 - if (copy_to_user(buf, kbuf, sz))
26098 +#ifdef CONFIG_PAX_USERCOPY
26099 + temp = kmalloc(sz, GFP_KERNEL);
26102 + memcpy(temp, kbuf, sz);
26107 + err = copy_to_user(buf, temp, sz);
26109 +#ifdef CONFIG_PAX_USERCOPY
26117 @@ -857,6 +904,9 @@ static const struct memdev {
26118 #ifdef CONFIG_CRASH_DUMP
26119 [12] = { "oldmem", 0, &oldmem_fops, NULL },
26121 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
26122 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
26126 static int memory_open(struct inode *inode, struct file *filp)
26127 diff -urNp linux-2.6.38.6/drivers/char/nvram.c linux-2.6.38.6/drivers/char/nvram.c
26128 --- linux-2.6.38.6/drivers/char/nvram.c 2011-03-14 21:20:32.000000000 -0400
26129 +++ linux-2.6.38.6/drivers/char/nvram.c 2011-04-28 19:34:15.000000000 -0400
26130 @@ -246,7 +246,7 @@ static ssize_t nvram_read(struct file *f
26132 spin_unlock_irq(&rtc_lock);
26134 - if (copy_to_user(buf, contents, tmp - contents))
26135 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
26139 diff -urNp linux-2.6.38.6/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.38.6/drivers/char/pcmcia/ipwireless/tty.c
26140 --- linux-2.6.38.6/drivers/char/pcmcia/ipwireless/tty.c 2011-03-14 21:20:32.000000000 -0400
26141 +++ linux-2.6.38.6/drivers/char/pcmcia/ipwireless/tty.c 2011-04-28 19:34:15.000000000 -0400
26143 #include <linux/tty_driver.h>
26144 #include <linux/tty_flip.h>
26145 #include <linux/uaccess.h>
26146 +#include <asm/local.h>
26149 #include "network.h"
26150 @@ -51,7 +52,7 @@ struct ipw_tty {
26152 struct ipw_network *network;
26153 struct tty_struct *linux_tty;
26155 + local_t open_count;
26156 unsigned int control_lines;
26157 struct mutex ipw_tty_mutex;
26158 int tx_bytes_queued;
26159 @@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
26160 mutex_unlock(&tty->ipw_tty_mutex);
26163 - if (tty->open_count == 0)
26164 + if (local_read(&tty->open_count) == 0)
26165 tty->tx_bytes_queued = 0;
26167 - tty->open_count++;
26168 + local_inc(&tty->open_count);
26170 tty->linux_tty = linux_tty;
26171 linux_tty->driver_data = tty;
26172 @@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
26174 static void do_ipw_close(struct ipw_tty *tty)
26176 - tty->open_count--;
26178 - if (tty->open_count == 0) {
26179 + if (local_dec_return(&tty->open_count) == 0) {
26180 struct tty_struct *linux_tty = tty->linux_tty;
26182 if (linux_tty != NULL) {
26183 @@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
26186 mutex_lock(&tty->ipw_tty_mutex);
26187 - if (tty->open_count == 0) {
26188 + if (local_read(&tty->open_count) == 0) {
26189 mutex_unlock(&tty->ipw_tty_mutex);
26192 @@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
26196 - if (!tty->open_count) {
26197 + if (!local_read(&tty->open_count)) {
26198 mutex_unlock(&tty->ipw_tty_mutex);
26201 @@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
26204 mutex_lock(&tty->ipw_tty_mutex);
26205 - if (!tty->open_count) {
26206 + if (!local_read(&tty->open_count)) {
26207 mutex_unlock(&tty->ipw_tty_mutex);
26210 @@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
26214 - if (!tty->open_count)
26215 + if (!local_read(&tty->open_count))
26218 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
26219 @@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
26223 - if (!tty->open_count)
26224 + if (!local_read(&tty->open_count))
26227 return tty->tx_bytes_queued;
26228 @@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
26232 - if (!tty->open_count)
26233 + if (!local_read(&tty->open_count))
26236 return get_control_lines(tty);
26237 @@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
26241 - if (!tty->open_count)
26242 + if (!local_read(&tty->open_count))
26245 return set_control_lines(tty, set, clear);
26246 @@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
26250 - if (!tty->open_count)
26251 + if (!local_read(&tty->open_count))
26254 /* FIXME: Exactly how is the tty object locked here .. */
26255 @@ -582,7 +581,7 @@ void ipwireless_tty_free(struct ipw_tty
26256 against a parallel ioctl etc */
26257 mutex_lock(&ttyj->ipw_tty_mutex);
26259 - while (ttyj->open_count)
26260 + while (local_read(&ttyj->open_count))
26261 do_ipw_close(ttyj);
26262 ipwireless_disassociate_network_ttys(network,
26263 ttyj->channel_idx);
26264 diff -urNp linux-2.6.38.6/drivers/char/random.c linux-2.6.38.6/drivers/char/random.c
26265 --- linux-2.6.38.6/drivers/char/random.c 2011-03-14 21:20:32.000000000 -0400
26266 +++ linux-2.6.38.6/drivers/char/random.c 2011-04-28 19:34:15.000000000 -0400
26267 @@ -254,8 +254,13 @@
26269 * Configuration information
26271 +#ifdef CONFIG_GRKERNSEC_RANDNET
26272 +#define INPUT_POOL_WORDS 512
26273 +#define OUTPUT_POOL_WORDS 128
26275 #define INPUT_POOL_WORDS 128
26276 #define OUTPUT_POOL_WORDS 32
26278 #define SEC_XFER_SIZE 512
26279 #define EXTRACT_SIZE 10
26281 @@ -293,10 +298,17 @@ static struct poolinfo {
26283 int tap1, tap2, tap3, tap4, tap5;
26284 } poolinfo_table[] = {
26285 +#ifdef CONFIG_GRKERNSEC_RANDNET
26286 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
26287 + { 512, 411, 308, 208, 104, 1 },
26288 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
26289 + { 128, 103, 76, 51, 25, 1 },
26291 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
26292 { 128, 103, 76, 51, 25, 1 },
26293 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
26294 { 32, 26, 20, 14, 7, 1 },
26297 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
26298 { 2048, 1638, 1231, 819, 411, 1 },
26299 @@ -902,7 +914,7 @@ static ssize_t extract_entropy_user(stru
26301 extract_buf(r, tmp);
26302 i = min_t(int, nbytes, EXTRACT_SIZE);
26303 - if (copy_to_user(buf, tmp, i)) {
26304 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
26308 @@ -1207,7 +1219,7 @@ EXPORT_SYMBOL(generate_random_uuid);
26309 #include <linux/sysctl.h>
26311 static int min_read_thresh = 8, min_write_thresh;
26312 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
26313 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
26314 static int max_write_thresh = INPUT_POOL_WORDS * 32;
26315 static char sysctl_bootid[16];
26317 diff -urNp linux-2.6.38.6/drivers/char/rocket.c linux-2.6.38.6/drivers/char/rocket.c
26318 --- linux-2.6.38.6/drivers/char/rocket.c 2011-03-14 21:20:32.000000000 -0400
26319 +++ linux-2.6.38.6/drivers/char/rocket.c 2011-05-16 21:47:08.000000000 -0400
26320 @@ -1277,6 +1277,8 @@ static int get_ports(struct r_port *info
26321 struct rocket_ports tmp;
26324 + pax_track_stack();
26328 memset(&tmp, 0, sizeof (tmp));
26329 diff -urNp linux-2.6.38.6/drivers/char/sonypi.c linux-2.6.38.6/drivers/char/sonypi.c
26330 --- linux-2.6.38.6/drivers/char/sonypi.c 2011-03-14 21:20:32.000000000 -0400
26331 +++ linux-2.6.38.6/drivers/char/sonypi.c 2011-04-28 19:34:15.000000000 -0400
26333 #include <asm/uaccess.h>
26334 #include <asm/io.h>
26335 #include <asm/system.h>
26336 +#include <asm/local.h>
26338 #include <linux/sonypi.h>
26340 @@ -491,7 +492,7 @@ static struct sonypi_device {
26341 spinlock_t fifo_lock;
26342 wait_queue_head_t fifo_proc_list;
26343 struct fasync_struct *fifo_async;
26345 + local_t open_count;
26347 struct input_dev *input_jog_dev;
26348 struct input_dev *input_key_dev;
26349 @@ -898,7 +899,7 @@ static int sonypi_misc_fasync(int fd, st
26350 static int sonypi_misc_release(struct inode *inode, struct file *file)
26352 mutex_lock(&sonypi_device.lock);
26353 - sonypi_device.open_count--;
26354 + local_dec(&sonypi_device.open_count);
26355 mutex_unlock(&sonypi_device.lock);
26358 @@ -907,9 +908,9 @@ static int sonypi_misc_open(struct inode
26360 mutex_lock(&sonypi_device.lock);
26361 /* Flush input queue on first open */
26362 - if (!sonypi_device.open_count)
26363 + if (!local_read(&sonypi_device.open_count))
26364 kfifo_reset(&sonypi_device.fifo);
26365 - sonypi_device.open_count++;
26366 + local_inc(&sonypi_device.open_count);
26367 mutex_unlock(&sonypi_device.lock);
26370 diff -urNp linux-2.6.38.6/drivers/char/stallion.c linux-2.6.38.6/drivers/char/stallion.c
26371 --- linux-2.6.38.6/drivers/char/stallion.c 2011-03-14 21:20:32.000000000 -0400
26372 +++ linux-2.6.38.6/drivers/char/stallion.c 2011-05-16 21:47:08.000000000 -0400
26373 @@ -2407,6 +2407,8 @@ static int stl_getportstruct(struct stlp
26374 struct stlport stl_dummyport;
26375 struct stlport *portp;
26377 + pax_track_stack();
26379 if (copy_from_user(&stl_dummyport, arg, sizeof(struct stlport)))
26381 portp = stl_getport(stl_dummyport.brdnr, stl_dummyport.panelnr,
26382 diff -urNp linux-2.6.38.6/drivers/char/tpm/tpm_bios.c linux-2.6.38.6/drivers/char/tpm/tpm_bios.c
26383 --- linux-2.6.38.6/drivers/char/tpm/tpm_bios.c 2011-03-14 21:20:32.000000000 -0400
26384 +++ linux-2.6.38.6/drivers/char/tpm/tpm_bios.c 2011-04-28 19:34:15.000000000 -0400
26385 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
26388 if ((event->event_type == 0 && event->event_size == 0) ||
26389 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
26390 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
26394 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
26397 if ((event->event_type == 0 && event->event_size == 0) ||
26398 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
26399 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
26403 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
26406 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
26407 - seq_putc(m, data[i]);
26408 + if (!seq_putc(m, data[i]))
26413 @@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log
26414 log->bios_event_log_end = log->bios_event_log + len;
26416 virt = acpi_os_map_memory(start, len);
26418 + kfree(log->bios_event_log);
26419 + log->bios_event_log = NULL;
26423 memcpy(log->bios_event_log, virt, len);
26425 diff -urNp linux-2.6.38.6/drivers/char/tpm/tpm.c linux-2.6.38.6/drivers/char/tpm/tpm.c
26426 --- linux-2.6.38.6/drivers/char/tpm/tpm.c 2011-04-18 17:27:18.000000000 -0400
26427 +++ linux-2.6.38.6/drivers/char/tpm/tpm.c 2011-05-16 21:47:08.000000000 -0400
26428 @@ -411,7 +411,7 @@ static ssize_t tpm_transmit(struct tpm_c
26429 chip->vendor.req_complete_val)
26432 - if ((status == chip->vendor.req_canceled)) {
26433 + if (status == chip->vendor.req_canceled) {
26434 dev_err(chip->dev, "Operation Canceled\n");
26437 @@ -844,6 +844,8 @@ ssize_t tpm_show_pubek(struct device *de
26439 struct tpm_chip *chip = dev_get_drvdata(dev);
26441 + pax_track_stack();
26443 tpm_cmd.header.in = tpm_readpubek_header;
26444 err = transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE,
26445 "attempting to read the PUBEK");
26446 diff -urNp linux-2.6.38.6/drivers/cpuidle/sysfs.c linux-2.6.38.6/drivers/cpuidle/sysfs.c
26447 --- linux-2.6.38.6/drivers/cpuidle/sysfs.c 2011-03-14 21:20:32.000000000 -0400
26448 +++ linux-2.6.38.6/drivers/cpuidle/sysfs.c 2011-04-28 19:34:15.000000000 -0400
26449 @@ -300,7 +300,7 @@ static struct kobj_type ktype_state_cpui
26450 .release = cpuidle_state_sysfs_release,
26453 -static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
26454 +static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
26456 kobject_put(&device->kobjs[i]->kobj);
26457 wait_for_completion(&device->kobjs[i]->kobj_unregister);
26458 diff -urNp linux-2.6.38.6/drivers/crypto/hifn_795x.c linux-2.6.38.6/drivers/crypto/hifn_795x.c
26459 --- linux-2.6.38.6/drivers/crypto/hifn_795x.c 2011-03-14 21:20:32.000000000 -0400
26460 +++ linux-2.6.38.6/drivers/crypto/hifn_795x.c 2011-05-16 21:47:08.000000000 -0400
26461 @@ -1655,6 +1655,8 @@ static int hifn_test(struct hifn_device
26462 0xCA, 0x34, 0x2B, 0x2E};
26463 struct scatterlist sg;
26465 + pax_track_stack();
26467 memset(src, 0, sizeof(src));
26468 memset(ctx.key, 0, sizeof(ctx.key));
26470 diff -urNp linux-2.6.38.6/drivers/crypto/padlock-aes.c linux-2.6.38.6/drivers/crypto/padlock-aes.c
26471 --- linux-2.6.38.6/drivers/crypto/padlock-aes.c 2011-03-14 21:20:32.000000000 -0400
26472 +++ linux-2.6.38.6/drivers/crypto/padlock-aes.c 2011-05-16 21:47:08.000000000 -0400
26473 @@ -109,6 +109,8 @@ static int aes_set_key(struct crypto_tfm
26474 struct crypto_aes_ctx gen_aes;
26477 + pax_track_stack();
26480 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
26482 diff -urNp linux-2.6.38.6/drivers/edac/edac_mc_sysfs.c linux-2.6.38.6/drivers/edac/edac_mc_sysfs.c
26483 --- linux-2.6.38.6/drivers/edac/edac_mc_sysfs.c 2011-03-14 21:20:32.000000000 -0400
26484 +++ linux-2.6.38.6/drivers/edac/edac_mc_sysfs.c 2011-04-28 19:34:15.000000000 -0400
26485 @@ -761,7 +761,7 @@ static void edac_inst_grp_release(struct
26488 /* Intermediate show/store table */
26489 -static struct sysfs_ops inst_grp_ops = {
26490 +static const struct sysfs_ops inst_grp_ops = {
26491 .show = inst_grp_show,
26492 .store = inst_grp_store
26494 diff -urNp linux-2.6.38.6/drivers/edac/edac_pci_sysfs.c linux-2.6.38.6/drivers/edac/edac_pci_sysfs.c
26495 --- linux-2.6.38.6/drivers/edac/edac_pci_sysfs.c 2011-03-14 21:20:32.000000000 -0400
26496 +++ linux-2.6.38.6/drivers/edac/edac_pci_sysfs.c 2011-04-28 19:57:25.000000000 -0400
26497 @@ -26,8 +26,8 @@ static int edac_pci_log_pe = 1; /* log
26498 static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */
26499 static int edac_pci_poll_msec = 1000; /* one second workq period */
26501 -static atomic_t pci_parity_count = ATOMIC_INIT(0);
26502 -static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
26503 +static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
26504 +static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
26506 static struct kobject *edac_pci_top_main_kobj;
26507 static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
26508 @@ -582,7 +582,7 @@ static void edac_pci_dev_parity_test(str
26509 edac_printk(KERN_CRIT, EDAC_PCI,
26510 "Signaled System Error on %s\n",
26512 - atomic_inc(&pci_nonparity_count);
26513 + atomic_inc_unchecked(&pci_nonparity_count);
26516 if (status & (PCI_STATUS_PARITY)) {
26517 @@ -590,7 +590,7 @@ static void edac_pci_dev_parity_test(str
26518 "Master Data Parity Error on %s\n",
26521 - atomic_inc(&pci_parity_count);
26522 + atomic_inc_unchecked(&pci_parity_count);
26525 if (status & (PCI_STATUS_DETECTED_PARITY)) {
26526 @@ -598,7 +598,7 @@ static void edac_pci_dev_parity_test(str
26527 "Detected Parity Error on %s\n",
26530 - atomic_inc(&pci_parity_count);
26531 + atomic_inc_unchecked(&pci_parity_count);
26535 @@ -619,7 +619,7 @@ static void edac_pci_dev_parity_test(str
26536 edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
26537 "Signaled System Error on %s\n",
26539 - atomic_inc(&pci_nonparity_count);
26540 + atomic_inc_unchecked(&pci_nonparity_count);
26543 if (status & (PCI_STATUS_PARITY)) {
26544 @@ -627,7 +627,7 @@ static void edac_pci_dev_parity_test(str
26545 "Master Data Parity Error on "
26546 "%s\n", pci_name(dev));
26548 - atomic_inc(&pci_parity_count);
26549 + atomic_inc_unchecked(&pci_parity_count);
26552 if (status & (PCI_STATUS_DETECTED_PARITY)) {
26553 @@ -635,7 +635,7 @@ static void edac_pci_dev_parity_test(str
26554 "Detected Parity Error on %s\n",
26557 - atomic_inc(&pci_parity_count);
26558 + atomic_inc_unchecked(&pci_parity_count);
26562 @@ -677,7 +677,7 @@ void edac_pci_do_parity_check(void)
26563 if (!check_pci_errors)
26566 - before_count = atomic_read(&pci_parity_count);
26567 + before_count = atomic_read_unchecked(&pci_parity_count);
26569 /* scan all PCI devices looking for a Parity Error on devices and
26571 @@ -689,7 +689,7 @@ void edac_pci_do_parity_check(void)
26572 /* Only if operator has selected panic on PCI Error */
26573 if (edac_pci_get_panic_on_pe()) {
26574 /* If the count is different 'after' from 'before' */
26575 - if (before_count != atomic_read(&pci_parity_count))
26576 + if (before_count != atomic_read_unchecked(&pci_parity_count))
26577 panic("EDAC: PCI Parity Error");
26580 diff -urNp linux-2.6.38.6/drivers/firewire/core-cdev.c linux-2.6.38.6/drivers/firewire/core-cdev.c
26581 --- linux-2.6.38.6/drivers/firewire/core-cdev.c 2011-03-14 21:20:32.000000000 -0400
26582 +++ linux-2.6.38.6/drivers/firewire/core-cdev.c 2011-04-28 19:34:15.000000000 -0400
26583 @@ -1329,8 +1329,7 @@ static int init_iso_resource(struct clie
26586 if ((request->channels == 0 && request->bandwidth == 0) ||
26587 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
26588 - request->bandwidth < 0)
26589 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
26592 r = kmalloc(sizeof(*r), GFP_KERNEL);
26593 diff -urNp linux-2.6.38.6/drivers/firewire/core-transaction.c linux-2.6.38.6/drivers/firewire/core-transaction.c
26594 --- linux-2.6.38.6/drivers/firewire/core-transaction.c 2011-03-14 21:20:32.000000000 -0400
26595 +++ linux-2.6.38.6/drivers/firewire/core-transaction.c 2011-05-16 21:47:08.000000000 -0400
26597 #include <linux/string.h>
26598 #include <linux/timer.h>
26599 #include <linux/types.h>
26600 +#include <linux/sched.h>
26602 #include <asm/byteorder.h>
26604 @@ -420,6 +421,8 @@ int fw_run_transaction(struct fw_card *c
26605 struct transaction_callback_data d;
26606 struct fw_transaction t;
26608 + pax_track_stack();
26610 init_timer_on_stack(&t.split_timeout_timer);
26611 init_completion(&d.done);
26612 d.payload = payload;
26613 diff -urNp linux-2.6.38.6/drivers/firmware/dmi_scan.c linux-2.6.38.6/drivers/firmware/dmi_scan.c
26614 --- linux-2.6.38.6/drivers/firmware/dmi_scan.c 2011-03-14 21:20:32.000000000 -0400
26615 +++ linux-2.6.38.6/drivers/firmware/dmi_scan.c 2011-04-28 19:34:15.000000000 -0400
26616 @@ -449,11 +449,6 @@ void __init dmi_scan_machine(void)
26621 - * no iounmap() for that ioremap(); it would be a no-op, but
26622 - * it's so early in setup that sucker gets confused into doing
26623 - * what it shouldn't if we actually call it.
26625 p = dmi_ioremap(0xF0000, 0x10000);
26628 diff -urNp linux-2.6.38.6/drivers/gpio/vr41xx_giu.c linux-2.6.38.6/drivers/gpio/vr41xx_giu.c
26629 --- linux-2.6.38.6/drivers/gpio/vr41xx_giu.c 2011-03-14 21:20:32.000000000 -0400
26630 +++ linux-2.6.38.6/drivers/gpio/vr41xx_giu.c 2011-04-28 19:57:25.000000000 -0400
26631 @@ -204,7 +204,7 @@ static int giu_get_irq(unsigned int irq)
26632 printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
26633 maskl, pendl, maskh, pendh);
26635 - atomic_inc(&irq_err_count);
26636 + atomic_inc_unchecked(&irq_err_count);
26640 diff -urNp linux-2.6.38.6/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.38.6/drivers/gpu/drm/drm_crtc_helper.c
26641 --- linux-2.6.38.6/drivers/gpu/drm/drm_crtc_helper.c 2011-03-14 21:20:32.000000000 -0400
26642 +++ linux-2.6.38.6/drivers/gpu/drm/drm_crtc_helper.c 2011-05-16 21:47:08.000000000 -0400
26643 @@ -276,7 +276,7 @@ static bool drm_encoder_crtc_ok(struct d
26644 struct drm_crtc *tmp;
26647 - WARN(!crtc, "checking null crtc?\n");
26652 @@ -343,6 +343,8 @@ bool drm_crtc_helper_set_mode(struct drm
26653 struct drm_encoder *encoder;
26656 + pax_track_stack();
26658 crtc->enabled = drm_helper_crtc_in_use(crtc);
26659 if (!crtc->enabled)
26661 diff -urNp linux-2.6.38.6/drivers/gpu/drm/drm_drv.c linux-2.6.38.6/drivers/gpu/drm/drm_drv.c
26662 --- linux-2.6.38.6/drivers/gpu/drm/drm_drv.c 2011-03-14 21:20:32.000000000 -0400
26663 +++ linux-2.6.38.6/drivers/gpu/drm/drm_drv.c 2011-04-28 19:34:15.000000000 -0400
26664 @@ -425,7 +425,7 @@ long drm_ioctl(struct file *filp,
26666 dev = file_priv->minor->dev;
26667 atomic_inc(&dev->ioctl_count);
26668 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
26669 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
26670 ++file_priv->ioctl_count;
26672 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
26673 diff -urNp linux-2.6.38.6/drivers/gpu/drm/drm_fops.c linux-2.6.38.6/drivers/gpu/drm/drm_fops.c
26674 --- linux-2.6.38.6/drivers/gpu/drm/drm_fops.c 2011-03-14 21:20:32.000000000 -0400
26675 +++ linux-2.6.38.6/drivers/gpu/drm/drm_fops.c 2011-04-28 19:34:15.000000000 -0400
26676 @@ -70,7 +70,7 @@ static int drm_setup(struct drm_device *
26679 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
26680 - atomic_set(&dev->counts[i], 0);
26681 + atomic_set_unchecked(&dev->counts[i], 0);
26683 dev->sigdata.lock = NULL;
26685 @@ -134,8 +134,8 @@ int drm_open(struct inode *inode, struct
26687 retcode = drm_open_helper(inode, filp, dev);
26689 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
26690 - if (!dev->open_count++)
26691 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
26692 + if (local_inc_return(&dev->open_count) == 1)
26693 retcode = drm_setup(dev);
26696 @@ -472,7 +472,7 @@ int drm_release(struct inode *inode, str
26698 mutex_lock(&drm_global_mutex);
26700 - DRM_DEBUG("open_count = %d\n", dev->open_count);
26701 + DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
26703 if (dev->driver->preclose)
26704 dev->driver->preclose(dev, file_priv);
26705 @@ -484,7 +484,7 @@ int drm_release(struct inode *inode, str
26706 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
26707 task_pid_nr(current),
26708 (long)old_encode_dev(file_priv->minor->device),
26709 - dev->open_count);
26710 + local_read(&dev->open_count));
26712 /* if the master has gone away we can't do anything with the lock */
26713 if (file_priv->minor->master)
26714 @@ -565,8 +565,8 @@ int drm_release(struct inode *inode, str
26715 * End inline drm_release
26718 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
26719 - if (!--dev->open_count) {
26720 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
26721 + if (local_dec_and_test(&dev->open_count)) {
26722 if (atomic_read(&dev->ioctl_count)) {
26723 DRM_ERROR("Device busy: %d\n",
26724 atomic_read(&dev->ioctl_count));
26725 diff -urNp linux-2.6.38.6/drivers/gpu/drm/drm_global.c linux-2.6.38.6/drivers/gpu/drm/drm_global.c
26726 --- linux-2.6.38.6/drivers/gpu/drm/drm_global.c 2011-03-14 21:20:32.000000000 -0400
26727 +++ linux-2.6.38.6/drivers/gpu/drm/drm_global.c 2011-04-28 19:34:15.000000000 -0400
26729 struct drm_global_item {
26730 struct mutex mutex;
26733 + atomic_t refcount;
26736 static struct drm_global_item glob[DRM_GLOBAL_NUM];
26737 @@ -49,7 +49,7 @@ void drm_global_init(void)
26738 struct drm_global_item *item = &glob[i];
26739 mutex_init(&item->mutex);
26740 item->object = NULL;
26741 - item->refcount = 0;
26742 + atomic_set(&item->refcount, 0);
26746 @@ -59,7 +59,7 @@ void drm_global_release(void)
26747 for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
26748 struct drm_global_item *item = &glob[i];
26749 BUG_ON(item->object != NULL);
26750 - BUG_ON(item->refcount != 0);
26751 + BUG_ON(atomic_read(&item->refcount) != 0);
26755 @@ -70,7 +70,7 @@ int drm_global_item_ref(struct drm_globa
26758 mutex_lock(&item->mutex);
26759 - if (item->refcount == 0) {
26760 + if (atomic_read(&item->refcount) == 0) {
26761 item->object = kzalloc(ref->size, GFP_KERNEL);
26762 if (unlikely(item->object == NULL)) {
26764 @@ -83,7 +83,7 @@ int drm_global_item_ref(struct drm_globa
26768 - ++item->refcount;
26769 + atomic_inc(&item->refcount);
26770 ref->object = item->object;
26771 object = item->object;
26772 mutex_unlock(&item->mutex);
26773 @@ -100,9 +100,9 @@ void drm_global_item_unref(struct drm_gl
26774 struct drm_global_item *item = &glob[ref->global_type];
26776 mutex_lock(&item->mutex);
26777 - BUG_ON(item->refcount == 0);
26778 + BUG_ON(atomic_read(&item->refcount) == 0);
26779 BUG_ON(ref->object != item->object);
26780 - if (--item->refcount == 0) {
26781 + if (atomic_dec_and_test(&item->refcount)) {
26783 item->object = NULL;
26785 diff -urNp linux-2.6.38.6/drivers/gpu/drm/drm_info.c linux-2.6.38.6/drivers/gpu/drm/drm_info.c
26786 --- linux-2.6.38.6/drivers/gpu/drm/drm_info.c 2011-03-14 21:20:32.000000000 -0400
26787 +++ linux-2.6.38.6/drivers/gpu/drm/drm_info.c 2011-04-28 19:34:15.000000000 -0400
26788 @@ -86,10 +86,14 @@ int drm_vm_info(struct seq_file *m, void
26789 struct drm_local_map *map;
26790 struct drm_map_list *r_list;
26792 - /* Hardcoded from _DRM_FRAME_BUFFER,
26793 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
26794 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
26795 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
26796 + static const char * const types[] = {
26797 + [_DRM_FRAME_BUFFER] = "FB",
26798 + [_DRM_REGISTERS] = "REG",
26799 + [_DRM_SHM] = "SHM",
26800 + [_DRM_AGP] = "AGP",
26801 + [_DRM_SCATTER_GATHER] = "SG",
26802 + [_DRM_CONSISTENT] = "PCI",
26803 + [_DRM_GEM] = "GEM" };
26807 @@ -100,7 +104,7 @@ int drm_vm_info(struct seq_file *m, void
26811 - if (map->type < 0 || map->type > 5)
26812 + if (map->type >= ARRAY_SIZE(types))
26815 type = types[map->type];
26816 @@ -301,7 +305,11 @@ int drm_vma_info(struct seq_file *m, voi
26817 vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
26818 vma->vm_flags & VM_LOCKED ? 'l' : '-',
26819 vma->vm_flags & VM_IO ? 'i' : '-',
26820 +#ifdef CONFIG_GRKERNSEC_HIDESYM
26826 #if defined(__i386__)
26827 pgprot = pgprot_val(vma->vm_page_prot);
26828 diff -urNp linux-2.6.38.6/drivers/gpu/drm/drm_ioctl.c linux-2.6.38.6/drivers/gpu/drm/drm_ioctl.c
26829 --- linux-2.6.38.6/drivers/gpu/drm/drm_ioctl.c 2011-03-14 21:20:32.000000000 -0400
26830 +++ linux-2.6.38.6/drivers/gpu/drm/drm_ioctl.c 2011-04-28 19:34:15.000000000 -0400
26831 @@ -353,7 +353,7 @@ int drm_getstats(struct drm_device *dev,
26832 stats->data[i].value =
26833 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
26835 - stats->data[i].value = atomic_read(&dev->counts[i]);
26836 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
26837 stats->data[i].type = dev->types[i];
26840 diff -urNp linux-2.6.38.6/drivers/gpu/drm/drm_lock.c linux-2.6.38.6/drivers/gpu/drm/drm_lock.c
26841 --- linux-2.6.38.6/drivers/gpu/drm/drm_lock.c 2011-03-14 21:20:32.000000000 -0400
26842 +++ linux-2.6.38.6/drivers/gpu/drm/drm_lock.c 2011-04-28 19:34:15.000000000 -0400
26843 @@ -89,7 +89,7 @@ int drm_lock(struct drm_device *dev, voi
26844 if (drm_lock_take(&master->lock, lock->context)) {
26845 master->lock.file_priv = file_priv;
26846 master->lock.lock_time = jiffies;
26847 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
26848 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
26849 break; /* Got lock */
26852 @@ -160,7 +160,7 @@ int drm_unlock(struct drm_device *dev, v
26856 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
26857 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
26859 if (drm_lock_free(&master->lock, lock->context)) {
26860 /* FIXME: Should really bail out here. */
26861 diff -urNp linux-2.6.38.6/drivers/gpu/drm/i810/i810_dma.c linux-2.6.38.6/drivers/gpu/drm/i810/i810_dma.c
26862 --- linux-2.6.38.6/drivers/gpu/drm/i810/i810_dma.c 2011-03-14 21:20:32.000000000 -0400
26863 +++ linux-2.6.38.6/drivers/gpu/drm/i810/i810_dma.c 2011-04-28 19:34:15.000000000 -0400
26864 @@ -953,8 +953,8 @@ static int i810_dma_vertex(struct drm_de
26865 dma->buflist[vertex->idx],
26866 vertex->discard, vertex->used);
26868 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
26869 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
26870 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
26871 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
26872 sarea_priv->last_enqueue = dev_priv->counter - 1;
26873 sarea_priv->last_dispatch = (int)hw_status[5];
26875 @@ -1114,8 +1114,8 @@ static int i810_dma_mc(struct drm_device
26876 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
26879 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
26880 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
26881 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
26882 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
26883 sarea_priv->last_enqueue = dev_priv->counter - 1;
26884 sarea_priv->last_dispatch = (int)hw_status[5];
26886 diff -urNp linux-2.6.38.6/drivers/gpu/drm/i810/i810_drv.h linux-2.6.38.6/drivers/gpu/drm/i810/i810_drv.h
26887 --- linux-2.6.38.6/drivers/gpu/drm/i810/i810_drv.h 2011-03-14 21:20:32.000000000 -0400
26888 +++ linux-2.6.38.6/drivers/gpu/drm/i810/i810_drv.h 2011-04-28 19:57:25.000000000 -0400
26889 @@ -108,8 +108,8 @@ typedef struct drm_i810_private {
26892 wait_queue_head_t irq_queue;
26893 - atomic_t irq_received;
26894 - atomic_t irq_emitted;
26895 + atomic_unchecked_t irq_received;
26896 + atomic_unchecked_t irq_emitted;
26899 } drm_i810_private_t;
26900 diff -urNp linux-2.6.38.6/drivers/gpu/drm/i830/i830_drv.h linux-2.6.38.6/drivers/gpu/drm/i830/i830_drv.h
26901 --- linux-2.6.38.6/drivers/gpu/drm/i830/i830_drv.h 2011-03-14 21:20:32.000000000 -0400
26902 +++ linux-2.6.38.6/drivers/gpu/drm/i830/i830_drv.h 2011-04-28 19:57:25.000000000 -0400
26903 @@ -115,8 +115,8 @@ typedef struct drm_i830_private {
26906 wait_queue_head_t irq_queue;
26907 - atomic_t irq_received;
26908 - atomic_t irq_emitted;
26909 + atomic_unchecked_t irq_received;
26910 + atomic_unchecked_t irq_emitted;
26912 int use_mi_batchbuffer_start;
26914 diff -urNp linux-2.6.38.6/drivers/gpu/drm/i830/i830_irq.c linux-2.6.38.6/drivers/gpu/drm/i830/i830_irq.c
26915 --- linux-2.6.38.6/drivers/gpu/drm/i830/i830_irq.c 2011-03-14 21:20:32.000000000 -0400
26916 +++ linux-2.6.38.6/drivers/gpu/drm/i830/i830_irq.c 2011-04-28 19:57:25.000000000 -0400
26917 @@ -47,7 +47,7 @@ irqreturn_t i830_driver_irq_handler(DRM_
26919 I830_WRITE16(I830REG_INT_IDENTITY_R, temp);
26921 - atomic_inc(&dev_priv->irq_received);
26922 + atomic_inc_unchecked(&dev_priv->irq_received);
26923 wake_up_interruptible(&dev_priv->irq_queue);
26925 return IRQ_HANDLED;
26926 @@ -60,14 +60,14 @@ static int i830_emit_irq(struct drm_devi
26928 DRM_DEBUG("%s\n", __func__);
26930 - atomic_inc(&dev_priv->irq_emitted);
26931 + atomic_inc_unchecked(&dev_priv->irq_emitted);
26935 OUT_RING(GFX_OP_USER_INTERRUPT);
26938 - return atomic_read(&dev_priv->irq_emitted);
26939 + return atomic_read_unchecked(&dev_priv->irq_emitted);
26942 static int i830_wait_irq(struct drm_device *dev, int irq_nr)
26943 @@ -79,7 +79,7 @@ static int i830_wait_irq(struct drm_devi
26945 DRM_DEBUG("%s\n", __func__);
26947 - if (atomic_read(&dev_priv->irq_received) >= irq_nr)
26948 + if (atomic_read_unchecked(&dev_priv->irq_received) >= irq_nr)
26951 dev_priv->sarea_priv->perf_boxes |= I830_BOX_WAIT;
26952 @@ -88,7 +88,7 @@ static int i830_wait_irq(struct drm_devi
26955 __set_current_state(TASK_INTERRUPTIBLE);
26956 - if (atomic_read(&dev_priv->irq_received) >= irq_nr)
26957 + if (atomic_read_unchecked(&dev_priv->irq_received) >= irq_nr)
26959 if ((signed)(end - jiffies) <= 0) {
26960 DRM_ERROR("timeout iir %x imr %x ier %x hwstam %x\n",
26961 @@ -163,8 +163,8 @@ void i830_driver_irq_preinstall(struct d
26962 I830_WRITE16(I830REG_HWSTAM, 0xffff);
26963 I830_WRITE16(I830REG_INT_MASK_R, 0x0);
26964 I830_WRITE16(I830REG_INT_ENABLE_R, 0x0);
26965 - atomic_set(&dev_priv->irq_received, 0);
26966 - atomic_set(&dev_priv->irq_emitted, 0);
26967 + atomic_set_unchecked(&dev_priv->irq_received, 0);
26968 + atomic_set_unchecked(&dev_priv->irq_emitted, 0);
26969 init_waitqueue_head(&dev_priv->irq_queue);
26972 diff -urNp linux-2.6.38.6/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.38.6/drivers/gpu/drm/i915/dvo_ch7017.c
26973 --- linux-2.6.38.6/drivers/gpu/drm/i915/dvo_ch7017.c 2011-03-14 21:20:32.000000000 -0400
26974 +++ linux-2.6.38.6/drivers/gpu/drm/i915/dvo_ch7017.c 2011-04-28 19:34:15.000000000 -0400
26975 @@ -390,7 +390,7 @@ static void ch7017_destroy(struct intel_
26979 -struct intel_dvo_dev_ops ch7017_ops = {
26980 +const struct intel_dvo_dev_ops ch7017_ops = {
26981 .init = ch7017_init,
26982 .detect = ch7017_detect,
26983 .mode_valid = ch7017_mode_valid,
26984 diff -urNp linux-2.6.38.6/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.38.6/drivers/gpu/drm/i915/dvo_ch7xxx.c
26985 --- linux-2.6.38.6/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-03-14 21:20:32.000000000 -0400
26986 +++ linux-2.6.38.6/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-04-28 19:34:15.000000000 -0400
26987 @@ -320,7 +320,7 @@ static void ch7xxx_destroy(struct intel_
26991 -struct intel_dvo_dev_ops ch7xxx_ops = {
26992 +const struct intel_dvo_dev_ops ch7xxx_ops = {
26993 .init = ch7xxx_init,
26994 .detect = ch7xxx_detect,
26995 .mode_valid = ch7xxx_mode_valid,
26996 diff -urNp linux-2.6.38.6/drivers/gpu/drm/i915/dvo.h linux-2.6.38.6/drivers/gpu/drm/i915/dvo.h
26997 --- linux-2.6.38.6/drivers/gpu/drm/i915/dvo.h 2011-03-14 21:20:32.000000000 -0400
26998 +++ linux-2.6.38.6/drivers/gpu/drm/i915/dvo.h 2011-04-28 19:34:15.000000000 -0400
26999 @@ -122,23 +122,23 @@ struct intel_dvo_dev_ops {
27001 * \return singly-linked list of modes or NULL if no modes found.
27003 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
27004 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
27007 * Clean up driver-specific bits of the output
27009 - void (*destroy) (struct intel_dvo_device *dvo);
27010 + void (* const destroy) (struct intel_dvo_device *dvo);
27013 * Debugging hook to dump device registers to log file
27015 - void (*dump_regs)(struct intel_dvo_device *dvo);
27016 + void (* const dump_regs)(struct intel_dvo_device *dvo);
27019 -extern struct intel_dvo_dev_ops sil164_ops;
27020 -extern struct intel_dvo_dev_ops ch7xxx_ops;
27021 -extern struct intel_dvo_dev_ops ivch_ops;
27022 -extern struct intel_dvo_dev_ops tfp410_ops;
27023 -extern struct intel_dvo_dev_ops ch7017_ops;
27024 +extern const struct intel_dvo_dev_ops sil164_ops;
27025 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
27026 +extern const struct intel_dvo_dev_ops ivch_ops;
27027 +extern const struct intel_dvo_dev_ops tfp410_ops;
27028 +extern const struct intel_dvo_dev_ops ch7017_ops;
27030 #endif /* _INTEL_DVO_H */
27031 diff -urNp linux-2.6.38.6/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.38.6/drivers/gpu/drm/i915/dvo_ivch.c
27032 --- linux-2.6.38.6/drivers/gpu/drm/i915/dvo_ivch.c 2011-03-14 21:20:32.000000000 -0400
27033 +++ linux-2.6.38.6/drivers/gpu/drm/i915/dvo_ivch.c 2011-04-28 19:34:15.000000000 -0400
27034 @@ -410,7 +410,7 @@ static void ivch_destroy(struct intel_dv
27038 -struct intel_dvo_dev_ops ivch_ops= {
27039 +const struct intel_dvo_dev_ops ivch_ops= {
27042 .mode_valid = ivch_mode_valid,
27043 diff -urNp linux-2.6.38.6/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.38.6/drivers/gpu/drm/i915/dvo_sil164.c
27044 --- linux-2.6.38.6/drivers/gpu/drm/i915/dvo_sil164.c 2011-03-14 21:20:32.000000000 -0400
27045 +++ linux-2.6.38.6/drivers/gpu/drm/i915/dvo_sil164.c 2011-04-28 19:34:15.000000000 -0400
27046 @@ -252,7 +252,7 @@ static void sil164_destroy(struct intel_
27050 -struct intel_dvo_dev_ops sil164_ops = {
27051 +const struct intel_dvo_dev_ops sil164_ops = {
27052 .init = sil164_init,
27053 .detect = sil164_detect,
27054 .mode_valid = sil164_mode_valid,
27055 diff -urNp linux-2.6.38.6/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.38.6/drivers/gpu/drm/i915/dvo_tfp410.c
27056 --- linux-2.6.38.6/drivers/gpu/drm/i915/dvo_tfp410.c 2011-03-14 21:20:32.000000000 -0400
27057 +++ linux-2.6.38.6/drivers/gpu/drm/i915/dvo_tfp410.c 2011-04-28 19:34:15.000000000 -0400
27058 @@ -293,7 +293,7 @@ static void tfp410_destroy(struct intel_
27062 -struct intel_dvo_dev_ops tfp410_ops = {
27063 +const struct intel_dvo_dev_ops tfp410_ops = {
27064 .init = tfp410_init,
27065 .detect = tfp410_detect,
27066 .mode_valid = tfp410_mode_valid,
27067 diff -urNp linux-2.6.38.6/drivers/gpu/drm/i915/i915_debugfs.c linux-2.6.38.6/drivers/gpu/drm/i915/i915_debugfs.c
27068 --- linux-2.6.38.6/drivers/gpu/drm/i915/i915_debugfs.c 2011-03-14 21:20:32.000000000 -0400
27069 +++ linux-2.6.38.6/drivers/gpu/drm/i915/i915_debugfs.c 2011-04-28 19:57:25.000000000 -0400
27070 @@ -496,7 +496,7 @@ static int i915_interrupt_info(struct se
27073 seq_printf(m, "Interrupts received: %d\n",
27074 - atomic_read(&dev_priv->irq_received));
27075 + atomic_read_unchecked(&dev_priv->irq_received));
27076 for (i = 0; i < I915_NUM_RINGS; i++) {
27077 if (IS_GEN6(dev)) {
27078 seq_printf(m, "Graphics Interrupt mask (%s): %08x\n",
27079 diff -urNp linux-2.6.38.6/drivers/gpu/drm/i915/i915_dma.c linux-2.6.38.6/drivers/gpu/drm/i915/i915_dma.c
27080 --- linux-2.6.38.6/drivers/gpu/drm/i915/i915_dma.c 2011-03-14 21:20:32.000000000 -0400
27081 +++ linux-2.6.38.6/drivers/gpu/drm/i915/i915_dma.c 2011-04-28 19:34:15.000000000 -0400
27082 @@ -1159,7 +1159,7 @@ static bool i915_switcheroo_can_switch(s
27085 spin_lock(&dev->count_lock);
27086 - can_switch = (dev->open_count == 0);
27087 + can_switch = (local_read(&dev->open_count) == 0);
27088 spin_unlock(&dev->count_lock);
27091 diff -urNp linux-2.6.38.6/drivers/gpu/drm/i915/i915_drv.c linux-2.6.38.6/drivers/gpu/drm/i915/i915_drv.c
27092 --- linux-2.6.38.6/drivers/gpu/drm/i915/i915_drv.c 2011-03-14 21:20:32.000000000 -0400
27093 +++ linux-2.6.38.6/drivers/gpu/drm/i915/i915_drv.c 2011-04-28 19:34:15.000000000 -0400
27094 @@ -673,7 +673,7 @@ static const struct dev_pm_ops i915_pm_o
27095 .restore = i915_pm_resume,
27098 -static struct vm_operations_struct i915_gem_vm_ops = {
27099 +static const struct vm_operations_struct i915_gem_vm_ops = {
27100 .fault = i915_gem_fault,
27101 .open = drm_gem_vm_open,
27102 .close = drm_gem_vm_close,
27103 diff -urNp linux-2.6.38.6/drivers/gpu/drm/i915/i915_drv.h linux-2.6.38.6/drivers/gpu/drm/i915/i915_drv.h
27104 --- linux-2.6.38.6/drivers/gpu/drm/i915/i915_drv.h 2011-03-14 21:20:32.000000000 -0400
27105 +++ linux-2.6.38.6/drivers/gpu/drm/i915/i915_drv.h 2011-04-28 19:57:25.000000000 -0400
27106 @@ -288,7 +288,7 @@ typedef struct drm_i915_private {
27110 - atomic_t irq_received;
27111 + atomic_unchecked_t irq_received;
27112 u32 trace_irq_seqno;
27114 /* protects the irq masks */
27115 @@ -843,7 +843,7 @@ struct drm_i915_gem_object {
27116 * will be page flipped away on the next vblank. When it
27117 * reaches 0, dev_priv->pending_flip_queue will be woken up.
27119 - atomic_t pending_flip;
27120 + atomic_unchecked_t pending_flip;
27123 #define to_intel_bo(x) container_of(x, struct drm_i915_gem_object, base)
27124 @@ -1229,7 +1229,7 @@ extern int intel_setup_gmbus(struct drm_
27125 extern void intel_teardown_gmbus(struct drm_device *dev);
27126 extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed);
27127 extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit);
27128 -extern inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
27129 +static inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
27131 return container_of(adapter, struct intel_gmbus, adapter)->force_bit;
27133 diff -urNp linux-2.6.38.6/drivers/gpu/drm/i915/i915_gem_execbuffer.c linux-2.6.38.6/drivers/gpu/drm/i915/i915_gem_execbuffer.c
27134 --- linux-2.6.38.6/drivers/gpu/drm/i915/i915_gem_execbuffer.c 2011-04-18 17:27:16.000000000 -0400
27135 +++ linux-2.6.38.6/drivers/gpu/drm/i915/i915_gem_execbuffer.c 2011-04-28 19:57:25.000000000 -0400
27136 @@ -904,7 +904,7 @@ i915_gem_execbuffer_wait_for_flips(struc
27138 list_for_each_entry(obj, objects, exec_list) {
27139 if (obj->base.write_domain)
27140 - flips |= atomic_read(&obj->pending_flip);
27141 + flips |= atomic_read_unchecked(&obj->pending_flip);
27144 int plane, flip_mask, ret;
27145 diff -urNp linux-2.6.38.6/drivers/gpu/drm/i915/i915_irq.c linux-2.6.38.6/drivers/gpu/drm/i915/i915_irq.c
27146 --- linux-2.6.38.6/drivers/gpu/drm/i915/i915_irq.c 2011-04-18 17:27:13.000000000 -0400
27147 +++ linux-2.6.38.6/drivers/gpu/drm/i915/i915_irq.c 2011-04-28 19:57:25.000000000 -0400
27148 @@ -1106,7 +1106,7 @@ irqreturn_t i915_driver_irq_handler(DRM_
27150 int ret = IRQ_NONE;
27152 - atomic_inc(&dev_priv->irq_received);
27153 + atomic_inc_unchecked(&dev_priv->irq_received);
27155 if (HAS_PCH_SPLIT(dev))
27156 return ironlake_irq_handler(dev);
27157 @@ -1684,7 +1684,7 @@ void i915_driver_irq_preinstall(struct d
27159 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
27161 - atomic_set(&dev_priv->irq_received, 0);
27162 + atomic_set_unchecked(&dev_priv->irq_received, 0);
27164 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
27165 INIT_WORK(&dev_priv->error_work, i915_error_work_func);
27166 diff -urNp linux-2.6.38.6/drivers/gpu/drm/i915/intel_display.c linux-2.6.38.6/drivers/gpu/drm/i915/intel_display.c
27167 --- linux-2.6.38.6/drivers/gpu/drm/i915/intel_display.c 2011-05-10 22:06:27.000000000 -0400
27168 +++ linux-2.6.38.6/drivers/gpu/drm/i915/intel_display.c 2011-05-10 22:06:56.000000000 -0400
27169 @@ -1631,7 +1631,7 @@ intel_pipe_set_base(struct drm_crtc *crt
27171 wait_event(dev_priv->pending_flip_queue,
27172 atomic_read(&dev_priv->mm.wedged) ||
27173 - atomic_read(&obj->pending_flip) == 0);
27174 + atomic_read_unchecked(&obj->pending_flip) == 0);
27176 /* Big Hammer, we also need to ensure that any pending
27177 * MI_WAIT_FOR_EVENT inside a user batch buffer on the
27178 @@ -2042,7 +2042,7 @@ static void intel_crtc_wait_for_pending_
27179 obj = to_intel_framebuffer(crtc->fb)->obj;
27180 dev_priv = crtc->dev->dev_private;
27181 wait_event(dev_priv->pending_flip_queue,
27182 - atomic_read(&obj->pending_flip) == 0);
27183 + atomic_read_unchecked(&obj->pending_flip) == 0);
27186 static bool intel_crtc_driving_pch(struct drm_crtc *crtc)
27187 @@ -5428,7 +5428,7 @@ static void do_intel_finish_page_flip(st
27189 atomic_clear_mask(1 << intel_crtc->plane,
27190 &obj->pending_flip.counter);
27191 - if (atomic_read(&obj->pending_flip) == 0)
27192 + if (atomic_read_unchecked(&obj->pending_flip) == 0)
27193 wake_up(&dev_priv->pending_flip_queue);
27195 schedule_work(&work->work);
27196 @@ -5557,7 +5557,7 @@ static int intel_crtc_page_flip(struct d
27197 /* Block clients from rendering to the new back buffer until
27198 * the flip occurs and the object is no longer visible.
27200 - atomic_add(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
27201 + atomic_add_unchecked(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
27203 switch (INTEL_INFO(dev)->gen) {
27205 diff -urNp linux-2.6.38.6/drivers/gpu/drm/mga/mga_drv.h linux-2.6.38.6/drivers/gpu/drm/mga/mga_drv.h
27206 --- linux-2.6.38.6/drivers/gpu/drm/mga/mga_drv.h 2011-03-14 21:20:32.000000000 -0400
27207 +++ linux-2.6.38.6/drivers/gpu/drm/mga/mga_drv.h 2011-04-28 19:57:25.000000000 -0400
27208 @@ -120,9 +120,9 @@ typedef struct drm_mga_private {
27212 - atomic_t vbl_received; /**< Number of vblanks received. */
27213 + atomic_unchecked_t vbl_received; /**< Number of vblanks received. */
27214 wait_queue_head_t fence_queue;
27215 - atomic_t last_fence_retired;
27216 + atomic_unchecked_t last_fence_retired;
27217 u32 next_fence_to_post;
27219 unsigned int fb_cpp;
27220 diff -urNp linux-2.6.38.6/drivers/gpu/drm/mga/mga_irq.c linux-2.6.38.6/drivers/gpu/drm/mga/mga_irq.c
27221 --- linux-2.6.38.6/drivers/gpu/drm/mga/mga_irq.c 2011-03-14 21:20:32.000000000 -0400
27222 +++ linux-2.6.38.6/drivers/gpu/drm/mga/mga_irq.c 2011-04-28 19:57:25.000000000 -0400
27223 @@ -44,7 +44,7 @@ u32 mga_get_vblank_counter(struct drm_de
27227 - return atomic_read(&dev_priv->vbl_received);
27228 + return atomic_read_unchecked(&dev_priv->vbl_received);
27232 @@ -60,7 +60,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
27233 /* VBLANK interrupt */
27234 if (status & MGA_VLINEPEN) {
27235 MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
27236 - atomic_inc(&dev_priv->vbl_received);
27237 + atomic_inc_unchecked(&dev_priv->vbl_received);
27238 drm_handle_vblank(dev, 0);
27241 @@ -79,7 +79,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
27242 if ((prim_start & ~0x03) != (prim_end & ~0x03))
27243 MGA_WRITE(MGA_PRIMEND, prim_end);
27245 - atomic_inc(&dev_priv->last_fence_retired);
27246 + atomic_inc_unchecked(&dev_priv->last_fence_retired);
27247 DRM_WAKEUP(&dev_priv->fence_queue);
27250 @@ -130,7 +130,7 @@ int mga_driver_fence_wait(struct drm_dev
27253 DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * DRM_HZ,
27254 - (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
27255 + (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
27256 - *sequence) <= (1 << 23)));
27258 *sequence = cur_fence;
27259 diff -urNp linux-2.6.38.6/drivers/gpu/drm/nouveau/nouveau_drv.h linux-2.6.38.6/drivers/gpu/drm/nouveau/nouveau_drv.h
27260 --- linux-2.6.38.6/drivers/gpu/drm/nouveau/nouveau_drv.h 2011-03-14 21:20:32.000000000 -0400
27261 +++ linux-2.6.38.6/drivers/gpu/drm/nouveau/nouveau_drv.h 2011-04-28 19:57:25.000000000 -0400
27262 @@ -226,7 +226,7 @@ struct nouveau_channel {
27263 struct list_head pending;
27265 uint32_t sequence_ack;
27266 - atomic_t last_sequence_irq;
27267 + atomic_unchecked_t last_sequence_irq;
27270 /* DMA push buffer */
27271 @@ -661,7 +661,7 @@ struct drm_nouveau_private {
27272 struct drm_global_reference mem_global_ref;
27273 struct ttm_bo_global_ref bo_global_ref;
27274 struct ttm_bo_device bdev;
27275 - atomic_t validate_sequence;
27276 + atomic_unchecked_t validate_sequence;
27280 diff -urNp linux-2.6.38.6/drivers/gpu/drm/nouveau/nouveau_fence.c linux-2.6.38.6/drivers/gpu/drm/nouveau/nouveau_fence.c
27281 --- linux-2.6.38.6/drivers/gpu/drm/nouveau/nouveau_fence.c 2011-03-14 21:20:32.000000000 -0400
27282 +++ linux-2.6.38.6/drivers/gpu/drm/nouveau/nouveau_fence.c 2011-04-28 19:57:25.000000000 -0400
27283 @@ -83,7 +83,7 @@ nouveau_fence_update(struct nouveau_chan
27284 if (USE_REFCNT(dev))
27285 sequence = nvchan_rd32(chan, 0x48);
27287 - sequence = atomic_read(&chan->fence.last_sequence_irq);
27288 + sequence = atomic_read_unchecked(&chan->fence.last_sequence_irq);
27290 if (chan->fence.sequence_ack == sequence)
27292 @@ -490,7 +490,7 @@ nouveau_fence_channel_init(struct nouvea
27294 INIT_LIST_HEAD(&chan->fence.pending);
27295 spin_lock_init(&chan->fence.lock);
27296 - atomic_set(&chan->fence.last_sequence_irq, 0);
27297 + atomic_set_unchecked(&chan->fence.last_sequence_irq, 0);
27301 diff -urNp linux-2.6.38.6/drivers/gpu/drm/nouveau/nouveau_gem.c linux-2.6.38.6/drivers/gpu/drm/nouveau/nouveau_gem.c
27302 --- linux-2.6.38.6/drivers/gpu/drm/nouveau/nouveau_gem.c 2011-03-14 21:20:32.000000000 -0400
27303 +++ linux-2.6.38.6/drivers/gpu/drm/nouveau/nouveau_gem.c 2011-04-28 19:57:25.000000000 -0400
27304 @@ -241,7 +241,7 @@ validate_init(struct nouveau_channel *ch
27308 - sequence = atomic_add_return(1, &dev_priv->ttm.validate_sequence);
27309 + sequence = atomic_add_return_unchecked(1, &dev_priv->ttm.validate_sequence);
27311 if (++trycnt > 100000) {
27312 NV_ERROR(dev, "%s failed and gave up.\n", __func__);
27313 diff -urNp linux-2.6.38.6/drivers/gpu/drm/nouveau/nouveau_state.c linux-2.6.38.6/drivers/gpu/drm/nouveau/nouveau_state.c
27314 --- linux-2.6.38.6/drivers/gpu/drm/nouveau/nouveau_state.c 2011-03-14 21:20:32.000000000 -0400
27315 +++ linux-2.6.38.6/drivers/gpu/drm/nouveau/nouveau_state.c 2011-04-28 19:34:15.000000000 -0400
27316 @@ -621,7 +621,7 @@ static bool nouveau_switcheroo_can_switc
27319 spin_lock(&dev->count_lock);
27320 - can_switch = (dev->open_count == 0);
27321 + can_switch = (local_read(&dev->open_count) == 0);
27322 spin_unlock(&dev->count_lock);
27325 diff -urNp linux-2.6.38.6/drivers/gpu/drm/nouveau/nv04_graph.c linux-2.6.38.6/drivers/gpu/drm/nouveau/nv04_graph.c
27326 --- linux-2.6.38.6/drivers/gpu/drm/nouveau/nv04_graph.c 2011-03-14 21:20:32.000000000 -0400
27327 +++ linux-2.6.38.6/drivers/gpu/drm/nouveau/nv04_graph.c 2011-04-28 19:57:25.000000000 -0400
27328 @@ -552,7 +552,7 @@ static int
27329 nv04_graph_mthd_set_ref(struct nouveau_channel *chan,
27330 u32 class, u32 mthd, u32 data)
27332 - atomic_set(&chan->fence.last_sequence_irq, data);
27333 + atomic_set_unchecked(&chan->fence.last_sequence_irq, data);
27337 diff -urNp linux-2.6.38.6/drivers/gpu/drm/r128/r128_cce.c linux-2.6.38.6/drivers/gpu/drm/r128/r128_cce.c
27338 --- linux-2.6.38.6/drivers/gpu/drm/r128/r128_cce.c 2011-03-14 21:20:32.000000000 -0400
27339 +++ linux-2.6.38.6/drivers/gpu/drm/r128/r128_cce.c 2011-04-28 19:57:25.000000000 -0400
27340 @@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_d
27342 /* GH: Simple idle check.
27344 - atomic_set(&dev_priv->idle_count, 0);
27345 + atomic_set_unchecked(&dev_priv->idle_count, 0);
27347 /* We don't support anything other than bus-mastering ring mode,
27348 * but the ring can be in either AGP or PCI space for the ring
27349 diff -urNp linux-2.6.38.6/drivers/gpu/drm/r128/r128_drv.h linux-2.6.38.6/drivers/gpu/drm/r128/r128_drv.h
27350 --- linux-2.6.38.6/drivers/gpu/drm/r128/r128_drv.h 2011-03-14 21:20:32.000000000 -0400
27351 +++ linux-2.6.38.6/drivers/gpu/drm/r128/r128_drv.h 2011-04-28 19:57:25.000000000 -0400
27352 @@ -90,14 +90,14 @@ typedef struct drm_r128_private {
27354 unsigned long cce_buffers_offset;
27356 - atomic_t idle_count;
27357 + atomic_unchecked_t idle_count;
27362 u32 crtc_offset_cntl;
27364 - atomic_t vbl_received;
27365 + atomic_unchecked_t vbl_received;
27368 unsigned int front_offset;
27369 diff -urNp linux-2.6.38.6/drivers/gpu/drm/r128/r128_irq.c linux-2.6.38.6/drivers/gpu/drm/r128/r128_irq.c
27370 --- linux-2.6.38.6/drivers/gpu/drm/r128/r128_irq.c 2011-03-14 21:20:32.000000000 -0400
27371 +++ linux-2.6.38.6/drivers/gpu/drm/r128/r128_irq.c 2011-04-28 19:57:25.000000000 -0400
27372 @@ -42,7 +42,7 @@ u32 r128_get_vblank_counter(struct drm_d
27376 - return atomic_read(&dev_priv->vbl_received);
27377 + return atomic_read_unchecked(&dev_priv->vbl_received);
27380 irqreturn_t r128_driver_irq_handler(DRM_IRQ_ARGS)
27381 @@ -56,7 +56,7 @@ irqreturn_t r128_driver_irq_handler(DRM_
27382 /* VBLANK interrupt */
27383 if (status & R128_CRTC_VBLANK_INT) {
27384 R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
27385 - atomic_inc(&dev_priv->vbl_received);
27386 + atomic_inc_unchecked(&dev_priv->vbl_received);
27387 drm_handle_vblank(dev, 0);
27388 return IRQ_HANDLED;
27390 diff -urNp linux-2.6.38.6/drivers/gpu/drm/r128/r128_state.c linux-2.6.38.6/drivers/gpu/drm/r128/r128_state.c
27391 --- linux-2.6.38.6/drivers/gpu/drm/r128/r128_state.c 2011-03-14 21:20:32.000000000 -0400
27392 +++ linux-2.6.38.6/drivers/gpu/drm/r128/r128_state.c 2011-04-28 19:57:25.000000000 -0400
27393 @@ -321,10 +321,10 @@ static void r128_clear_box(drm_r128_priv
27395 static void r128_cce_performance_boxes(drm_r128_private_t *dev_priv)
27397 - if (atomic_read(&dev_priv->idle_count) == 0)
27398 + if (atomic_read_unchecked(&dev_priv->idle_count) == 0)
27399 r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
27401 - atomic_set(&dev_priv->idle_count, 0);
27402 + atomic_set_unchecked(&dev_priv->idle_count, 0);
27406 diff -urNp linux-2.6.38.6/drivers/gpu/drm/radeon/atom.c linux-2.6.38.6/drivers/gpu/drm/radeon/atom.c
27407 --- linux-2.6.38.6/drivers/gpu/drm/radeon/atom.c 2011-05-10 22:06:27.000000000 -0400
27408 +++ linux-2.6.38.6/drivers/gpu/drm/radeon/atom.c 2011-05-16 21:47:08.000000000 -0400
27409 @@ -1245,6 +1245,8 @@ struct atom_context *atom_parse(struct c
27413 + pax_track_stack();
27418 diff -urNp linux-2.6.38.6/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.38.6/drivers/gpu/drm/radeon/mkregtable.c
27419 --- linux-2.6.38.6/drivers/gpu/drm/radeon/mkregtable.c 2011-03-14 21:20:32.000000000 -0400
27420 +++ linux-2.6.38.6/drivers/gpu/drm/radeon/mkregtable.c 2011-04-28 19:34:15.000000000 -0400
27421 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
27423 regmatch_t match[4];
27431 struct offset *offset;
27432 char last_reg_s[10];
27434 + unsigned long last_reg;
27437 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
27438 diff -urNp linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_atombios.c linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_atombios.c
27439 --- linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_atombios.c 2011-05-10 22:06:29.000000000 -0400
27440 +++ linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_atombios.c 2011-05-16 21:47:08.000000000 -0400
27441 @@ -545,6 +545,8 @@ bool radeon_get_atom_connector_info_from
27442 struct radeon_gpio_rec gpio;
27443 struct radeon_hpd hpd;
27445 + pax_track_stack();
27447 if (!atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset))
27450 diff -urNp linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_device.c linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_device.c
27451 --- linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_device.c 2011-03-14 21:20:32.000000000 -0400
27452 +++ linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_device.c 2011-04-28 19:34:15.000000000 -0400
27453 @@ -673,7 +673,7 @@ static bool radeon_switcheroo_can_switch
27456 spin_lock(&dev->count_lock);
27457 - can_switch = (dev->open_count == 0);
27458 + can_switch = (local_read(&dev->open_count) == 0);
27459 spin_unlock(&dev->count_lock);
27462 diff -urNp linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_display.c linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_display.c
27463 --- linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_display.c 2011-03-14 21:20:32.000000000 -0400
27464 +++ linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_display.c 2011-05-16 21:47:08.000000000 -0400
27465 @@ -934,6 +934,8 @@ void radeon_compute_pll_legacy(struct ra
27467 u32 pll_out_min, pll_out_max;
27469 + pax_track_stack();
27471 DRM_DEBUG_KMS("PLL freq %llu %u %u\n", freq, pll->min_ref_div, pll->max_ref_div);
27472 freq = freq * 1000;
27474 diff -urNp linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_drv.h linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_drv.h
27475 --- linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_drv.h 2011-03-14 21:20:32.000000000 -0400
27476 +++ linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_drv.h 2011-04-28 19:57:25.000000000 -0400
27477 @@ -255,7 +255,7 @@ typedef struct drm_radeon_private {
27480 wait_queue_head_t swi_queue;
27481 - atomic_t swi_emitted;
27482 + atomic_unchecked_t swi_emitted;
27484 uint32_t irq_enable_reg;
27485 uint32_t r500_disp_irq_reg;
27486 diff -urNp linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_fence.c linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_fence.c
27487 --- linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_fence.c 2011-04-22 19:20:59.000000000 -0400
27488 +++ linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_fence.c 2011-04-28 19:57:25.000000000 -0400
27489 @@ -49,7 +49,7 @@ int radeon_fence_emit(struct radeon_devi
27490 write_unlock_irqrestore(&rdev->fence_drv.lock, irq_flags);
27493 - fence->seq = atomic_add_return(1, &rdev->fence_drv.seq);
27494 + fence->seq = atomic_add_return_unchecked(1, &rdev->fence_drv.seq);
27495 if (!rdev->cp.ready) {
27496 /* FIXME: cp is not running assume everythings is done right
27498 @@ -354,7 +354,7 @@ int radeon_fence_driver_init(struct rade
27501 WREG32(rdev->fence_drv.scratch_reg, 0);
27502 - atomic_set(&rdev->fence_drv.seq, 0);
27503 + atomic_set_unchecked(&rdev->fence_drv.seq, 0);
27504 INIT_LIST_HEAD(&rdev->fence_drv.created);
27505 INIT_LIST_HEAD(&rdev->fence_drv.emited);
27506 INIT_LIST_HEAD(&rdev->fence_drv.signaled);
27507 diff -urNp linux-2.6.38.6/drivers/gpu/drm/radeon/radeon.h linux-2.6.38.6/drivers/gpu/drm/radeon/radeon.h
27508 --- linux-2.6.38.6/drivers/gpu/drm/radeon/radeon.h 2011-03-14 21:20:32.000000000 -0400
27509 +++ linux-2.6.38.6/drivers/gpu/drm/radeon/radeon.h 2011-04-28 19:57:25.000000000 -0400
27510 @@ -189,7 +189,7 @@ extern int sumo_get_temp(struct radeon_d
27512 struct radeon_fence_driver {
27513 uint32_t scratch_reg;
27515 + atomic_unchecked_t seq;
27517 unsigned long last_jiffies;
27518 unsigned long last_timeout;
27519 diff -urNp linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_ioc32.c linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_ioc32.c
27520 --- linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-03-14 21:20:32.000000000 -0400
27521 +++ linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-04-28 19:34:15.000000000 -0400
27522 @@ -359,7 +359,7 @@ static int compat_radeon_cp_setparam(str
27523 request = compat_alloc_user_space(sizeof(*request));
27524 if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
27525 || __put_user(req32.param, &request->param)
27526 - || __put_user((void __user *)(unsigned long)req32.value,
27527 + || __put_user((unsigned long)req32.value,
27531 diff -urNp linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_irq.c linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_irq.c
27532 --- linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_irq.c 2011-03-14 21:20:32.000000000 -0400
27533 +++ linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_irq.c 2011-04-28 19:57:25.000000000 -0400
27534 @@ -225,8 +225,8 @@ static int radeon_emit_irq(struct drm_de
27538 - atomic_inc(&dev_priv->swi_emitted);
27539 - ret = atomic_read(&dev_priv->swi_emitted);
27540 + atomic_inc_unchecked(&dev_priv->swi_emitted);
27541 + ret = atomic_read_unchecked(&dev_priv->swi_emitted);
27544 OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
27545 @@ -352,7 +352,7 @@ int radeon_driver_irq_postinstall(struct
27546 drm_radeon_private_t *dev_priv =
27547 (drm_radeon_private_t *) dev->dev_private;
27549 - atomic_set(&dev_priv->swi_emitted, 0);
27550 + atomic_set_unchecked(&dev_priv->swi_emitted, 0);
27551 DRM_INIT_WAITQUEUE(&dev_priv->swi_queue);
27553 dev->max_vblank_count = 0x001fffff;
27554 diff -urNp linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_state.c
27555 --- linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_state.c 2011-03-14 21:20:32.000000000 -0400
27556 +++ linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_state.c 2011-04-28 19:34:15.000000000 -0400
27557 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
27558 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
27559 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
27561 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
27562 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
27563 sarea_priv->nbox * sizeof(depth_boxes[0])))
27566 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
27568 drm_radeon_private_t *dev_priv = dev->dev_private;
27569 drm_radeon_getparam_t *param = data;
27573 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
27575 diff -urNp linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_ttm.c
27576 --- linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_ttm.c 2011-03-14 21:20:32.000000000 -0400
27577 +++ linux-2.6.38.6/drivers/gpu/drm/radeon/radeon_ttm.c 2011-04-28 19:34:15.000000000 -0400
27578 @@ -603,8 +603,9 @@ void radeon_ttm_set_active_vram_size(str
27579 man->size = size >> PAGE_SHIFT;
27582 -static struct vm_operations_struct radeon_ttm_vm_ops;
27583 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
27584 +extern int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);
27585 +extern void ttm_bo_vm_open(struct vm_area_struct *vma);
27586 +extern void ttm_bo_vm_close(struct vm_area_struct *vma);
27588 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
27590 @@ -612,17 +613,22 @@ static int radeon_ttm_fault(struct vm_ar
27591 struct radeon_device *rdev;
27594 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
27595 - if (bo == NULL) {
27596 + bo = (struct ttm_buffer_object *)vma->vm_private_data;
27598 return VM_FAULT_NOPAGE;
27600 rdev = radeon_get_rdev(bo->bdev);
27601 mutex_lock(&rdev->vram_mutex);
27602 - r = ttm_vm_ops->fault(vma, vmf);
27603 + r = ttm_bo_vm_fault(vma, vmf);
27604 mutex_unlock(&rdev->vram_mutex);
27608 +static const struct vm_operations_struct radeon_ttm_vm_ops = {
27609 + .fault = radeon_ttm_fault,
27610 + .open = ttm_bo_vm_open,
27611 + .close = ttm_bo_vm_close
27614 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
27616 struct drm_file *file_priv;
27617 @@ -635,18 +641,11 @@ int radeon_mmap(struct file *filp, struc
27619 file_priv = filp->private_data;
27620 rdev = file_priv->minor->dev->dev_private;
27621 - if (rdev == NULL) {
27625 r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
27626 - if (unlikely(r != 0)) {
27630 - if (unlikely(ttm_vm_ops == NULL)) {
27631 - ttm_vm_ops = vma->vm_ops;
27632 - radeon_ttm_vm_ops = *ttm_vm_ops;
27633 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
27635 vma->vm_ops = &radeon_ttm_vm_ops;
27638 diff -urNp linux-2.6.38.6/drivers/gpu/drm/radeon/rs690.c linux-2.6.38.6/drivers/gpu/drm/radeon/rs690.c
27639 --- linux-2.6.38.6/drivers/gpu/drm/radeon/rs690.c 2011-03-14 21:20:32.000000000 -0400
27640 +++ linux-2.6.38.6/drivers/gpu/drm/radeon/rs690.c 2011-04-28 19:34:15.000000000 -0400
27641 @@ -304,9 +304,11 @@ void rs690_crtc_bandwidth_compute(struct
27642 if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full &&
27643 rdev->pm.sideport_bandwidth.full)
27644 rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth;
27645 - read_delay_latency.full = dfixed_const(370 * 800 * 1000);
27646 + read_delay_latency.full = dfixed_const(800 * 1000);
27647 read_delay_latency.full = dfixed_div(read_delay_latency,
27648 rdev->pm.igp_sideport_mclk);
27649 + a.full = dfixed_const(370);
27650 + read_delay_latency.full = dfixed_mul(read_delay_latency, a);
27652 if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
27653 rdev->pm.k8_bandwidth.full)
27654 diff -urNp linux-2.6.38.6/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.38.6/drivers/gpu/drm/ttm/ttm_bo_vm.c
27655 --- linux-2.6.38.6/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-03-14 21:20:32.000000000 -0400
27656 +++ linux-2.6.38.6/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-04-28 19:34:15.000000000 -0400
27657 @@ -69,11 +69,11 @@ static struct ttm_buffer_object *ttm_bo_
27661 -static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
27662 +int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
27664 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
27665 vma->vm_private_data;
27666 - struct ttm_bo_device *bdev = bo->bdev;
27667 + struct ttm_bo_device *bdev;
27668 unsigned long page_offset;
27669 unsigned long page_last;
27671 @@ -83,8 +83,12 @@ static int ttm_bo_vm_fault(struct vm_are
27673 unsigned long address = (unsigned long)vmf->virtual_address;
27674 int retval = VM_FAULT_NOPAGE;
27675 - struct ttm_mem_type_manager *man =
27676 - &bdev->man[bo->mem.mem_type];
27677 + struct ttm_mem_type_manager *man;
27680 + return VM_FAULT_NOPAGE;
27682 + man = &bdev->man[bo->mem.mem_type];
27685 * Work around locking order reversal in fault / nopfn
27686 @@ -219,22 +223,25 @@ out_unlock:
27687 ttm_bo_unreserve(bo);
27690 +EXPORT_SYMBOL(ttm_bo_vm_fault);
27692 -static void ttm_bo_vm_open(struct vm_area_struct *vma)
27693 +void ttm_bo_vm_open(struct vm_area_struct *vma)
27695 struct ttm_buffer_object *bo =
27696 (struct ttm_buffer_object *)vma->vm_private_data;
27698 (void)ttm_bo_reference(bo);
27700 +EXPORT_SYMBOL(ttm_bo_vm_open);
27702 -static void ttm_bo_vm_close(struct vm_area_struct *vma)
27703 +void ttm_bo_vm_close(struct vm_area_struct *vma)
27705 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)vma->vm_private_data;
27708 vma->vm_private_data = NULL;
27710 +EXPORT_SYMBOL(ttm_bo_vm_close);
27712 static const struct vm_operations_struct ttm_bo_vm_ops = {
27713 .fault = ttm_bo_vm_fault,
27714 diff -urNp linux-2.6.38.6/drivers/gpu/drm/ttm/ttm_page_alloc.c linux-2.6.38.6/drivers/gpu/drm/ttm/ttm_page_alloc.c
27715 --- linux-2.6.38.6/drivers/gpu/drm/ttm/ttm_page_alloc.c 2011-03-14 21:20:32.000000000 -0400
27716 +++ linux-2.6.38.6/drivers/gpu/drm/ttm/ttm_page_alloc.c 2011-04-28 19:57:25.000000000 -0400
27717 @@ -396,9 +396,9 @@ static int ttm_pool_get_num_unused_pages
27719 static int ttm_pool_mm_shrink(struct shrinker *shrink, int shrink_pages, gfp_t gfp_mask)
27721 - static atomic_t start_pool = ATOMIC_INIT(0);
27722 + static atomic_unchecked_t start_pool = ATOMIC_INIT(0);
27724 - unsigned pool_offset = atomic_add_return(1, &start_pool);
27725 + unsigned pool_offset = atomic_add_return_unchecked(1, &start_pool);
27726 struct ttm_page_pool *pool;
27728 pool_offset = pool_offset % NUM_POOLS;
27729 diff -urNp linux-2.6.38.6/drivers/gpu/drm/via/via_drv.h linux-2.6.38.6/drivers/gpu/drm/via/via_drv.h
27730 --- linux-2.6.38.6/drivers/gpu/drm/via/via_drv.h 2011-03-14 21:20:32.000000000 -0400
27731 +++ linux-2.6.38.6/drivers/gpu/drm/via/via_drv.h 2011-04-28 19:57:25.000000000 -0400
27732 @@ -51,7 +51,7 @@ typedef struct drm_via_ring_buffer {
27733 typedef uint32_t maskarray_t[5];
27735 typedef struct drm_via_irq {
27736 - atomic_t irq_received;
27737 + atomic_unchecked_t irq_received;
27738 uint32_t pending_mask;
27739 uint32_t enable_mask;
27740 wait_queue_head_t irq_queue;
27741 @@ -75,7 +75,7 @@ typedef struct drm_via_private {
27742 struct timeval last_vblank;
27743 int last_vblank_valid;
27744 unsigned usec_per_vblank;
27745 - atomic_t vbl_received;
27746 + atomic_unchecked_t vbl_received;
27747 drm_via_state_t hc_state;
27748 char pci_buf[VIA_PCI_BUF_SIZE];
27749 const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
27750 diff -urNp linux-2.6.38.6/drivers/gpu/drm/via/via_irq.c linux-2.6.38.6/drivers/gpu/drm/via/via_irq.c
27751 --- linux-2.6.38.6/drivers/gpu/drm/via/via_irq.c 2011-03-14 21:20:32.000000000 -0400
27752 +++ linux-2.6.38.6/drivers/gpu/drm/via/via_irq.c 2011-04-28 19:57:25.000000000 -0400
27753 @@ -102,7 +102,7 @@ u32 via_get_vblank_counter(struct drm_de
27757 - return atomic_read(&dev_priv->vbl_received);
27758 + return atomic_read_unchecked(&dev_priv->vbl_received);
27761 irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
27762 @@ -117,8 +117,8 @@ irqreturn_t via_driver_irq_handler(DRM_I
27764 status = VIA_READ(VIA_REG_INTERRUPT);
27765 if (status & VIA_IRQ_VBLANK_PENDING) {
27766 - atomic_inc(&dev_priv->vbl_received);
27767 - if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
27768 + atomic_inc_unchecked(&dev_priv->vbl_received);
27769 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
27770 do_gettimeofday(&cur_vblank);
27771 if (dev_priv->last_vblank_valid) {
27772 dev_priv->usec_per_vblank =
27773 @@ -128,7 +128,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
27774 dev_priv->last_vblank = cur_vblank;
27775 dev_priv->last_vblank_valid = 1;
27777 - if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
27778 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
27779 DRM_DEBUG("US per vblank is: %u\n",
27780 dev_priv->usec_per_vblank);
27782 @@ -138,7 +138,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
27784 for (i = 0; i < dev_priv->num_irqs; ++i) {
27785 if (status & cur_irq->pending_mask) {
27786 - atomic_inc(&cur_irq->irq_received);
27787 + atomic_inc_unchecked(&cur_irq->irq_received);
27788 DRM_WAKEUP(&cur_irq->irq_queue);
27790 if (dev_priv->irq_map[drm_via_irq_dma0_td] == i)
27791 @@ -243,11 +243,11 @@ via_driver_irq_wait(struct drm_device *d
27792 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
27793 ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
27795 - cur_irq_sequence = atomic_read(&cur_irq->irq_received);
27796 + cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
27798 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
27799 (((cur_irq_sequence =
27800 - atomic_read(&cur_irq->irq_received)) -
27801 + atomic_read_unchecked(&cur_irq->irq_received)) -
27802 *sequence) <= (1 << 23)));
27804 *sequence = cur_irq_sequence;
27805 @@ -285,7 +285,7 @@ void via_driver_irq_preinstall(struct dr
27808 for (i = 0; i < dev_priv->num_irqs; ++i) {
27809 - atomic_set(&cur_irq->irq_received, 0);
27810 + atomic_set_unchecked(&cur_irq->irq_received, 0);
27811 cur_irq->enable_mask = dev_priv->irq_masks[i][0];
27812 cur_irq->pending_mask = dev_priv->irq_masks[i][1];
27813 DRM_INIT_WAITQUEUE(&cur_irq->irq_queue);
27814 @@ -367,7 +367,7 @@ int via_wait_irq(struct drm_device *dev,
27815 switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
27816 case VIA_IRQ_RELATIVE:
27817 irqwait->request.sequence +=
27818 - atomic_read(&cur_irq->irq_received);
27819 + atomic_read_unchecked(&cur_irq->irq_received);
27820 irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
27821 case VIA_IRQ_ABSOLUTE:
27823 diff -urNp linux-2.6.38.6/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h linux-2.6.38.6/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
27824 --- linux-2.6.38.6/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h 2011-03-14 21:20:32.000000000 -0400
27825 +++ linux-2.6.38.6/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h 2011-04-28 19:57:25.000000000 -0400
27826 @@ -240,7 +240,7 @@ struct vmw_private {
27827 * Fencing and IRQs.
27830 - atomic_t fence_seq;
27831 + atomic_unchecked_t fence_seq;
27832 wait_queue_head_t fence_queue;
27833 wait_queue_head_t fifo_queue;
27834 atomic_t fence_queue_waiters;
27835 diff -urNp linux-2.6.38.6/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c linux-2.6.38.6/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
27836 --- linux-2.6.38.6/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c 2011-03-14 21:20:32.000000000 -0400
27837 +++ linux-2.6.38.6/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c 2011-04-28 19:57:25.000000000 -0400
27838 @@ -151,7 +151,7 @@ int vmw_wait_lag(struct vmw_private *dev
27839 while (!vmw_lag_lt(queue, us)) {
27840 spin_lock(&queue->lock);
27841 if (list_empty(&queue->head))
27842 - sequence = atomic_read(&dev_priv->fence_seq);
27843 + sequence = atomic_read_unchecked(&dev_priv->fence_seq);
27845 fence = list_first_entry(&queue->head,
27846 struct vmw_fence, head);
27847 diff -urNp linux-2.6.38.6/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c linux-2.6.38.6/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
27848 --- linux-2.6.38.6/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-03-14 21:20:32.000000000 -0400
27849 +++ linux-2.6.38.6/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-04-28 19:57:25.000000000 -0400
27850 @@ -137,7 +137,7 @@ int vmw_fifo_init(struct vmw_private *de
27851 (unsigned int) min,
27852 (unsigned int) fifo->capabilities);
27854 - atomic_set(&dev_priv->fence_seq, dev_priv->last_read_sequence);
27855 + atomic_set_unchecked(&dev_priv->fence_seq, dev_priv->last_read_sequence);
27856 iowrite32(dev_priv->last_read_sequence, fifo_mem + SVGA_FIFO_FENCE);
27857 vmw_fence_queue_init(&fifo->fence_queue);
27858 return vmw_fifo_send_fence(dev_priv, &dummy);
27859 @@ -476,7 +476,7 @@ int vmw_fifo_send_fence(struct vmw_priva
27861 fm = vmw_fifo_reserve(dev_priv, bytes);
27862 if (unlikely(fm == NULL)) {
27863 - *sequence = atomic_read(&dev_priv->fence_seq);
27864 + *sequence = atomic_read_unchecked(&dev_priv->fence_seq);
27866 (void)vmw_fallback_wait(dev_priv, false, true, *sequence,
27868 @@ -484,7 +484,7 @@ int vmw_fifo_send_fence(struct vmw_priva
27872 - *sequence = atomic_add_return(1, &dev_priv->fence_seq);
27873 + *sequence = atomic_add_return_unchecked(1, &dev_priv->fence_seq);
27874 } while (*sequence == 0);
27876 if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) {
27877 @@ -534,7 +534,7 @@ static int vmw_fifo_vm_fault(struct vm_a
27878 return VM_FAULT_SIGBUS;
27881 -static struct vm_operations_struct vmw_fifo_vm_ops = {
27882 +static const struct vm_operations_struct vmw_fifo_vm_ops = {
27883 .fault = vmw_fifo_vm_fault,
27886 diff -urNp linux-2.6.38.6/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c linux-2.6.38.6/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
27887 --- linux-2.6.38.6/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c 2011-03-14 21:20:32.000000000 -0400
27888 +++ linux-2.6.38.6/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c 2011-04-28 19:57:25.000000000 -0400
27889 @@ -100,7 +100,7 @@ bool vmw_fence_signaled(struct vmw_priva
27890 * emitted. Then the fence is stale and signaled.
27893 - ret = ((atomic_read(&dev_priv->fence_seq) - sequence)
27894 + ret = ((atomic_read_unchecked(&dev_priv->fence_seq) - sequence)
27898 @@ -131,7 +131,7 @@ int vmw_fallback_wait(struct vmw_private
27901 down_read(&fifo_state->rwsem);
27902 - signal_seq = atomic_read(&dev_priv->fence_seq);
27903 + signal_seq = atomic_read_unchecked(&dev_priv->fence_seq);
27907 diff -urNp linux-2.6.38.6/drivers/hid/hid-core.c linux-2.6.38.6/drivers/hid/hid-core.c
27908 --- linux-2.6.38.6/drivers/hid/hid-core.c 2011-04-18 17:27:14.000000000 -0400
27909 +++ linux-2.6.38.6/drivers/hid/hid-core.c 2011-04-28 19:57:25.000000000 -0400
27910 @@ -1846,7 +1846,7 @@ static bool hid_ignore(struct hid_device
27912 int hid_add_device(struct hid_device *hdev)
27914 - static atomic_t id = ATOMIC_INIT(0);
27915 + static atomic_unchecked_t id = ATOMIC_INIT(0);
27918 if (WARN_ON(hdev->status & HID_STAT_ADDED))
27919 @@ -1861,7 +1861,7 @@ int hid_add_device(struct hid_device *hd
27920 /* XXX hack, any other cleaner solution after the driver core
27921 * is converted to allow more than 20 bytes as the device name? */
27922 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
27923 - hdev->vendor, hdev->product, atomic_inc_return(&id));
27924 + hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
27926 hid_debug_register(hdev, dev_name(&hdev->dev));
27927 ret = device_add(&hdev->dev);
27928 diff -urNp linux-2.6.38.6/drivers/hid/usbhid/hiddev.c linux-2.6.38.6/drivers/hid/usbhid/hiddev.c
27929 --- linux-2.6.38.6/drivers/hid/usbhid/hiddev.c 2011-03-14 21:20:32.000000000 -0400
27930 +++ linux-2.6.38.6/drivers/hid/usbhid/hiddev.c 2011-04-28 19:34:15.000000000 -0400
27931 @@ -613,7 +613,7 @@ static long hiddev_ioctl(struct file *fi
27934 case HIDIOCAPPLICATION:
27935 - if (arg < 0 || arg >= hid->maxapplication)
27936 + if (arg >= hid->maxapplication)
27939 for (i = 0; i < hid->maxcollection; i++)
27940 diff -urNp linux-2.6.38.6/drivers/hwmon/lis3lv02d.c linux-2.6.38.6/drivers/hwmon/lis3lv02d.c
27941 --- linux-2.6.38.6/drivers/hwmon/lis3lv02d.c 2011-03-14 21:20:32.000000000 -0400
27942 +++ linux-2.6.38.6/drivers/hwmon/lis3lv02d.c 2011-04-28 19:57:25.000000000 -0400
27943 @@ -436,7 +436,7 @@ static irqreturn_t lis302dl_interrupt(in
27944 * the lid is closed. This leads to interrupts as soon as a little move
27947 - atomic_inc(&lis3_dev.count);
27948 + atomic_inc_unchecked(&lis3_dev.count);
27950 wake_up_interruptible(&lis3_dev.misc_wait);
27951 kill_fasync(&lis3_dev.async_queue, SIGIO, POLL_IN);
27952 @@ -519,7 +519,7 @@ static int lis3lv02d_misc_open(struct in
27953 if (lis3_dev.pm_dev)
27954 pm_runtime_get_sync(lis3_dev.pm_dev);
27956 - atomic_set(&lis3_dev.count, 0);
27957 + atomic_set_unchecked(&lis3_dev.count, 0);
27961 @@ -546,7 +546,7 @@ static ssize_t lis3lv02d_misc_read(struc
27962 add_wait_queue(&lis3_dev.misc_wait, &wait);
27964 set_current_state(TASK_INTERRUPTIBLE);
27965 - data = atomic_xchg(&lis3_dev.count, 0);
27966 + data = atomic_xchg_unchecked(&lis3_dev.count, 0);
27970 @@ -584,7 +584,7 @@ out:
27971 static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
27973 poll_wait(file, &lis3_dev.misc_wait, wait);
27974 - if (atomic_read(&lis3_dev.count))
27975 + if (atomic_read_unchecked(&lis3_dev.count))
27976 return POLLIN | POLLRDNORM;
27979 diff -urNp linux-2.6.38.6/drivers/hwmon/lis3lv02d.h linux-2.6.38.6/drivers/hwmon/lis3lv02d.h
27980 --- linux-2.6.38.6/drivers/hwmon/lis3lv02d.h 2011-03-14 21:20:32.000000000 -0400
27981 +++ linux-2.6.38.6/drivers/hwmon/lis3lv02d.h 2011-04-28 19:57:25.000000000 -0400
27982 @@ -265,7 +265,7 @@ struct lis3lv02d {
27983 struct input_polled_dev *idev; /* input device */
27984 struct platform_device *pdev; /* platform device */
27985 struct regulator_bulk_data regulators[2];
27986 - atomic_t count; /* interrupt count after last read */
27987 + atomic_unchecked_t count; /* interrupt count after last read */
27988 union axis_conversion ac; /* hw -> logical axis */
27989 int mapped_btns[3];
27991 diff -urNp linux-2.6.38.6/drivers/hwmon/sht15.c linux-2.6.38.6/drivers/hwmon/sht15.c
27992 --- linux-2.6.38.6/drivers/hwmon/sht15.c 2011-04-18 17:27:14.000000000 -0400
27993 +++ linux-2.6.38.6/drivers/hwmon/sht15.c 2011-04-28 19:57:25.000000000 -0400
27994 @@ -113,7 +113,7 @@ struct sht15_data {
27996 int supply_uV_valid;
27997 struct work_struct update_supply_work;
27998 - atomic_t interrupt_handled;
27999 + atomic_unchecked_t interrupt_handled;
28003 @@ -246,13 +246,13 @@ static inline int sht15_update_single_va
28006 gpio_direction_input(data->pdata->gpio_data);
28007 - atomic_set(&data->interrupt_handled, 0);
28008 + atomic_set_unchecked(&data->interrupt_handled, 0);
28010 enable_irq(gpio_to_irq(data->pdata->gpio_data));
28011 if (gpio_get_value(data->pdata->gpio_data) == 0) {
28012 disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
28013 /* Only relevant if the interrupt hasn't occured. */
28014 - if (!atomic_read(&data->interrupt_handled))
28015 + if (!atomic_read_unchecked(&data->interrupt_handled))
28016 schedule_work(&data->read_work);
28018 ret = wait_event_timeout(data->wait_queue,
28019 @@ -399,7 +399,7 @@ static irqreturn_t sht15_interrupt_fired
28020 struct sht15_data *data = d;
28021 /* First disable the interrupt */
28022 disable_irq_nosync(irq);
28023 - atomic_inc(&data->interrupt_handled);
28024 + atomic_inc_unchecked(&data->interrupt_handled);
28025 /* Then schedule a reading work struct */
28026 if (data->flag != SHT15_READING_NOTHING)
28027 schedule_work(&data->read_work);
28028 @@ -450,11 +450,11 @@ static void sht15_bh_read_data(struct wo
28029 here as could have gone low in meantime so verify
28032 - atomic_set(&data->interrupt_handled, 0);
28033 + atomic_set_unchecked(&data->interrupt_handled, 0);
28034 enable_irq(gpio_to_irq(data->pdata->gpio_data));
28035 /* If still not occured or another handler has been scheduled */
28036 if (gpio_get_value(data->pdata->gpio_data)
28037 - || atomic_read(&data->interrupt_handled))
28038 + || atomic_read_unchecked(&data->interrupt_handled))
28041 /* Read the data back from the device */
28042 diff -urNp linux-2.6.38.6/drivers/hwmon/w83791d.c linux-2.6.38.6/drivers/hwmon/w83791d.c
28043 --- linux-2.6.38.6/drivers/hwmon/w83791d.c 2011-03-14 21:20:32.000000000 -0400
28044 +++ linux-2.6.38.6/drivers/hwmon/w83791d.c 2011-04-28 19:34:15.000000000 -0400
28045 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
28046 struct i2c_board_info *info);
28047 static int w83791d_remove(struct i2c_client *client);
28049 -static int w83791d_read(struct i2c_client *client, u8 register);
28050 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
28051 +static int w83791d_read(struct i2c_client *client, u8 reg);
28052 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
28053 static struct w83791d_data *w83791d_update_device(struct device *dev);
28056 diff -urNp linux-2.6.38.6/drivers/ide/ide-cd.c linux-2.6.38.6/drivers/ide/ide-cd.c
28057 --- linux-2.6.38.6/drivers/ide/ide-cd.c 2011-03-14 21:20:32.000000000 -0400
28058 +++ linux-2.6.38.6/drivers/ide/ide-cd.c 2011-04-28 19:34:15.000000000 -0400
28059 @@ -776,7 +776,7 @@ static void cdrom_do_block_pc(ide_drive_
28060 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
28061 if ((unsigned long)buf & alignment
28062 || blk_rq_bytes(rq) & q->dma_pad_mask
28063 - || object_is_on_stack(buf))
28064 + || object_starts_on_stack(buf))
28068 diff -urNp linux-2.6.38.6/drivers/ide/ide-floppy.c linux-2.6.38.6/drivers/ide/ide-floppy.c
28069 --- linux-2.6.38.6/drivers/ide/ide-floppy.c 2011-03-14 21:20:32.000000000 -0400
28070 +++ linux-2.6.38.6/drivers/ide/ide-floppy.c 2011-05-16 21:47:08.000000000 -0400
28071 @@ -379,6 +379,8 @@ static int ide_floppy_get_capacity(ide_d
28072 u8 pc_buf[256], header_len, desc_cnt;
28073 int i, rc = 1, blocks, length;
28075 + pax_track_stack();
28077 ide_debug_log(IDE_DBG_FUNC, "enter");
28079 drive->bios_cyl = 0;
28080 diff -urNp linux-2.6.38.6/drivers/ide/setup-pci.c linux-2.6.38.6/drivers/ide/setup-pci.c
28081 --- linux-2.6.38.6/drivers/ide/setup-pci.c 2011-03-14 21:20:32.000000000 -0400
28082 +++ linux-2.6.38.6/drivers/ide/setup-pci.c 2011-05-16 21:47:08.000000000 -0400
28083 @@ -542,6 +542,8 @@ int ide_pci_init_two(struct pci_dev *dev
28084 int ret, i, n_ports = dev2 ? 4 : 2;
28085 struct ide_hw hw[4], *hws[] = { NULL, NULL, NULL, NULL };
28087 + pax_track_stack();
28089 for (i = 0; i < n_ports / 2; i++) {
28090 ret = ide_setup_pci_controller(pdev[i], d, !i);
28092 diff -urNp linux-2.6.38.6/drivers/infiniband/core/cm.c linux-2.6.38.6/drivers/infiniband/core/cm.c
28093 --- linux-2.6.38.6/drivers/infiniband/core/cm.c 2011-04-18 17:27:14.000000000 -0400
28094 +++ linux-2.6.38.6/drivers/infiniband/core/cm.c 2011-04-28 19:34:15.000000000 -0400
28095 @@ -113,7 +113,7 @@ static char const counter_group_names[CM
28097 struct cm_counter_group {
28098 struct kobject obj;
28099 - atomic_long_t counter[CM_ATTR_COUNT];
28100 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
28103 struct cm_counter_attribute {
28104 @@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
28105 struct ib_mad_send_buf *msg = NULL;
28108 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28109 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28110 counter[CM_REQ_COUNTER]);
28112 /* Quick state check to discard duplicate REQs. */
28113 @@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
28117 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28118 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28119 counter[CM_REP_COUNTER]);
28120 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
28122 @@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
28123 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
28124 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
28125 spin_unlock_irq(&cm_id_priv->lock);
28126 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28127 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28128 counter[CM_RTU_COUNTER]);
28131 @@ -2111,7 +2111,7 @@ static int cm_dreq_handler(struct cm_wor
28132 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
28133 dreq_msg->local_comm_id);
28135 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28136 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28137 counter[CM_DREQ_COUNTER]);
28138 cm_issue_drep(work->port, work->mad_recv_wc);
28140 @@ -2132,7 +2132,7 @@ static int cm_dreq_handler(struct cm_wor
28141 case IB_CM_MRA_REP_RCVD:
28143 case IB_CM_TIMEWAIT:
28144 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28145 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28146 counter[CM_DREQ_COUNTER]);
28147 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
28149 @@ -2146,7 +2146,7 @@ static int cm_dreq_handler(struct cm_wor
28152 case IB_CM_DREQ_RCVD:
28153 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28154 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28155 counter[CM_DREQ_COUNTER]);
28158 @@ -2504,7 +2504,7 @@ static int cm_mra_handler(struct cm_work
28159 ib_modify_mad(cm_id_priv->av.port->mad_agent,
28160 cm_id_priv->msg, timeout)) {
28161 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
28162 - atomic_long_inc(&work->port->
28163 + atomic_long_inc_unchecked(&work->port->
28164 counter_group[CM_RECV_DUPLICATES].
28165 counter[CM_MRA_COUNTER]);
28167 @@ -2513,7 +2513,7 @@ static int cm_mra_handler(struct cm_work
28169 case IB_CM_MRA_REQ_RCVD:
28170 case IB_CM_MRA_REP_RCVD:
28171 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28172 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28173 counter[CM_MRA_COUNTER]);
28176 @@ -2675,7 +2675,7 @@ static int cm_lap_handler(struct cm_work
28177 case IB_CM_LAP_IDLE:
28179 case IB_CM_MRA_LAP_SENT:
28180 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28181 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28182 counter[CM_LAP_COUNTER]);
28183 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
28185 @@ -2691,7 +2691,7 @@ static int cm_lap_handler(struct cm_work
28188 case IB_CM_LAP_RCVD:
28189 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28190 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28191 counter[CM_LAP_COUNTER]);
28194 @@ -2975,7 +2975,7 @@ static int cm_sidr_req_handler(struct cm
28195 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
28196 if (cur_cm_id_priv) {
28197 spin_unlock_irq(&cm.lock);
28198 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
28199 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
28200 counter[CM_SIDR_REQ_COUNTER]);
28201 goto out; /* Duplicate message. */
28203 @@ -3187,10 +3187,10 @@ static void cm_send_handler(struct ib_ma
28204 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
28207 - atomic_long_add(1 + msg->retries,
28208 + atomic_long_add_unchecked(1 + msg->retries,
28209 &port->counter_group[CM_XMIT].counter[attr_index]);
28211 - atomic_long_add(msg->retries,
28212 + atomic_long_add_unchecked(msg->retries,
28213 &port->counter_group[CM_XMIT_RETRIES].
28214 counter[attr_index]);
28216 @@ -3400,7 +3400,7 @@ static void cm_recv_handler(struct ib_ma
28219 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
28220 - atomic_long_inc(&port->counter_group[CM_RECV].
28221 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
28222 counter[attr_id - CM_ATTR_ID_OFFSET]);
28224 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
28225 @@ -3598,7 +3598,7 @@ static ssize_t cm_show_counter(struct ko
28226 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
28228 return sprintf(buf, "%ld\n",
28229 - atomic_long_read(&group->counter[cm_attr->index]));
28230 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
28233 static const struct sysfs_ops cm_counter_ops = {
28234 diff -urNp linux-2.6.38.6/drivers/infiniband/core/fmr_pool.c linux-2.6.38.6/drivers/infiniband/core/fmr_pool.c
28235 --- linux-2.6.38.6/drivers/infiniband/core/fmr_pool.c 2011-03-14 21:20:32.000000000 -0400
28236 +++ linux-2.6.38.6/drivers/infiniband/core/fmr_pool.c 2011-04-28 19:57:25.000000000 -0400
28237 @@ -97,8 +97,8 @@ struct ib_fmr_pool {
28239 struct task_struct *thread;
28241 - atomic_t req_ser;
28242 - atomic_t flush_ser;
28243 + atomic_unchecked_t req_ser;
28244 + atomic_unchecked_t flush_ser;
28246 wait_queue_head_t force_wait;
28248 @@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *p
28249 struct ib_fmr_pool *pool = pool_ptr;
28252 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
28253 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
28254 ib_fmr_batch_release(pool);
28256 - atomic_inc(&pool->flush_ser);
28257 + atomic_inc_unchecked(&pool->flush_ser);
28258 wake_up_interruptible(&pool->force_wait);
28260 if (pool->flush_function)
28261 @@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *p
28264 set_current_state(TASK_INTERRUPTIBLE);
28265 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
28266 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
28267 !kthread_should_stop())
28269 __set_current_state(TASK_RUNNING);
28270 @@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(s
28271 pool->dirty_watermark = params->dirty_watermark;
28272 pool->dirty_len = 0;
28273 spin_lock_init(&pool->pool_lock);
28274 - atomic_set(&pool->req_ser, 0);
28275 - atomic_set(&pool->flush_ser, 0);
28276 + atomic_set_unchecked(&pool->req_ser, 0);
28277 + atomic_set_unchecked(&pool->flush_ser, 0);
28278 init_waitqueue_head(&pool->force_wait);
28280 pool->thread = kthread_run(ib_fmr_cleanup_thread,
28281 @@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool
28283 spin_unlock_irq(&pool->pool_lock);
28285 - serial = atomic_inc_return(&pool->req_ser);
28286 + serial = atomic_inc_return_unchecked(&pool->req_ser);
28287 wake_up_process(pool->thread);
28289 if (wait_event_interruptible(pool->force_wait,
28290 - atomic_read(&pool->flush_ser) - serial >= 0))
28291 + atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
28295 @@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr
28297 list_add_tail(&fmr->list, &pool->dirty_list);
28298 if (++pool->dirty_len >= pool->dirty_watermark) {
28299 - atomic_inc(&pool->req_ser);
28300 + atomic_inc_unchecked(&pool->req_ser);
28301 wake_up_process(pool->thread);
28304 diff -urNp linux-2.6.38.6/drivers/infiniband/hw/cxgb4/mem.c linux-2.6.38.6/drivers/infiniband/hw/cxgb4/mem.c
28305 --- linux-2.6.38.6/drivers/infiniband/hw/cxgb4/mem.c 2011-03-14 21:20:32.000000000 -0400
28306 +++ linux-2.6.38.6/drivers/infiniband/hw/cxgb4/mem.c 2011-04-28 19:57:25.000000000 -0400
28307 @@ -122,7 +122,7 @@ static int write_tpt_entry(struct c4iw_r
28309 struct fw_ri_tpte tpt;
28311 - static atomic_t key;
28312 + static atomic_unchecked_t key;
28314 if (c4iw_fatal_error(rdev))
28316 @@ -135,7 +135,7 @@ static int write_tpt_entry(struct c4iw_r
28317 &rdev->resource.tpt_fifo_lock);
28320 - *stag = (stag_idx << 8) | (atomic_inc_return(&key) & 0xff);
28321 + *stag = (stag_idx << 8) | (atomic_inc_return_unchecked(&key) & 0xff);
28323 PDBG("%s stag_state 0x%0x type 0x%0x pdid 0x%0x, stag_idx 0x%x\n",
28324 __func__, stag_state, type, pdid, stag_idx);
28325 diff -urNp linux-2.6.38.6/drivers/infiniband/hw/ipath/ipath_fs.c linux-2.6.38.6/drivers/infiniband/hw/ipath/ipath_fs.c
28326 --- linux-2.6.38.6/drivers/infiniband/hw/ipath/ipath_fs.c 2011-03-14 21:20:32.000000000 -0400
28327 +++ linux-2.6.38.6/drivers/infiniband/hw/ipath/ipath_fs.c 2011-05-16 21:47:08.000000000 -0400
28328 @@ -113,6 +113,8 @@ static ssize_t atomic_counters_read(stru
28329 struct infinipath_counters counters;
28330 struct ipath_devdata *dd;
28332 + pax_track_stack();
28334 dd = file->f_path.dentry->d_inode->i_private;
28335 dd->ipath_f_read_counters(dd, &counters);
28337 diff -urNp linux-2.6.38.6/drivers/infiniband/hw/ipath/ipath_rc.c linux-2.6.38.6/drivers/infiniband/hw/ipath/ipath_rc.c
28338 --- linux-2.6.38.6/drivers/infiniband/hw/ipath/ipath_rc.c 2011-03-14 21:20:32.000000000 -0400
28339 +++ linux-2.6.38.6/drivers/infiniband/hw/ipath/ipath_rc.c 2011-05-11 18:35:16.000000000 -0400
28340 @@ -1868,7 +1868,7 @@ void ipath_rc_rcv(struct ipath_ibdev *de
28341 struct ib_atomic_eth *ateth;
28342 struct ipath_ack_entry *e;
28344 - atomic64_t *maddr;
28345 + atomic64_unchecked_t *maddr;
28349 @@ -1903,11 +1903,11 @@ void ipath_rc_rcv(struct ipath_ibdev *de
28350 IB_ACCESS_REMOTE_ATOMIC)))
28351 goto nack_acc_unlck;
28352 /* Perform atomic OP and save result. */
28353 - maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
28354 + maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
28355 sdata = be64_to_cpu(ateth->swap_data);
28356 e = &qp->s_ack_queue[qp->r_head_ack_queue];
28357 e->atomic_data = (opcode == OP(FETCH_ADD)) ?
28358 - (u64) atomic64_add_return(sdata, maddr) - sdata :
28359 + (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
28360 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
28361 be64_to_cpu(ateth->compare_data),
28363 diff -urNp linux-2.6.38.6/drivers/infiniband/hw/ipath/ipath_ruc.c linux-2.6.38.6/drivers/infiniband/hw/ipath/ipath_ruc.c
28364 --- linux-2.6.38.6/drivers/infiniband/hw/ipath/ipath_ruc.c 2011-03-14 21:20:32.000000000 -0400
28365 +++ linux-2.6.38.6/drivers/infiniband/hw/ipath/ipath_ruc.c 2011-05-11 18:35:16.000000000 -0400
28366 @@ -266,7 +266,7 @@ static void ipath_ruc_loopback(struct ip
28367 unsigned long flags;
28370 - atomic64_t *maddr;
28371 + atomic64_unchecked_t *maddr;
28372 enum ib_wc_status send_status;
28375 @@ -382,11 +382,11 @@ again:
28376 IB_ACCESS_REMOTE_ATOMIC)))
28378 /* Perform atomic OP and save result. */
28379 - maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
28380 + maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
28381 sdata = wqe->wr.wr.atomic.compare_add;
28382 *(u64 *) sqp->s_sge.sge.vaddr =
28383 (wqe->wr.opcode == IB_WR_ATOMIC_FETCH_AND_ADD) ?
28384 - (u64) atomic64_add_return(sdata, maddr) - sdata :
28385 + (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
28386 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
28387 sdata, wqe->wr.wr.atomic.swap);
28389 diff -urNp linux-2.6.38.6/drivers/infiniband/hw/nes/nes.c linux-2.6.38.6/drivers/infiniband/hw/nes/nes.c
28390 --- linux-2.6.38.6/drivers/infiniband/hw/nes/nes.c 2011-03-14 21:20:32.000000000 -0400
28391 +++ linux-2.6.38.6/drivers/infiniband/hw/nes/nes.c 2011-04-28 19:57:25.000000000 -0400
28392 @@ -103,7 +103,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limi
28393 LIST_HEAD(nes_adapter_list);
28394 static LIST_HEAD(nes_dev_list);
28396 -atomic_t qps_destroyed;
28397 +atomic_unchecked_t qps_destroyed;
28399 static unsigned int ee_flsh_adapter;
28400 static unsigned int sysfs_nonidx_addr;
28401 @@ -274,7 +274,7 @@ static void nes_cqp_rem_ref_callback(str
28402 struct nes_qp *nesqp = cqp_request->cqp_callback_pointer;
28403 struct nes_adapter *nesadapter = nesdev->nesadapter;
28405 - atomic_inc(&qps_destroyed);
28406 + atomic_inc_unchecked(&qps_destroyed);
28408 /* Free the control structures */
28410 diff -urNp linux-2.6.38.6/drivers/infiniband/hw/nes/nes_cm.c linux-2.6.38.6/drivers/infiniband/hw/nes/nes_cm.c
28411 --- linux-2.6.38.6/drivers/infiniband/hw/nes/nes_cm.c 2011-03-14 21:20:32.000000000 -0400
28412 +++ linux-2.6.38.6/drivers/infiniband/hw/nes/nes_cm.c 2011-04-28 19:57:25.000000000 -0400
28413 @@ -68,14 +68,14 @@ u32 cm_packets_dropped;
28414 u32 cm_packets_retrans;
28415 u32 cm_packets_created;
28416 u32 cm_packets_received;
28417 -atomic_t cm_listens_created;
28418 -atomic_t cm_listens_destroyed;
28419 +atomic_unchecked_t cm_listens_created;
28420 +atomic_unchecked_t cm_listens_destroyed;
28421 u32 cm_backlog_drops;
28422 -atomic_t cm_loopbacks;
28423 -atomic_t cm_nodes_created;
28424 -atomic_t cm_nodes_destroyed;
28425 -atomic_t cm_accel_dropped_pkts;
28426 -atomic_t cm_resets_recvd;
28427 +atomic_unchecked_t cm_loopbacks;
28428 +atomic_unchecked_t cm_nodes_created;
28429 +atomic_unchecked_t cm_nodes_destroyed;
28430 +atomic_unchecked_t cm_accel_dropped_pkts;
28431 +atomic_unchecked_t cm_resets_recvd;
28433 static inline int mini_cm_accelerated(struct nes_cm_core *,
28434 struct nes_cm_node *);
28435 @@ -151,13 +151,13 @@ static struct nes_cm_ops nes_cm_api = {
28437 static struct nes_cm_core *g_cm_core;
28439 -atomic_t cm_connects;
28440 -atomic_t cm_accepts;
28441 -atomic_t cm_disconnects;
28442 -atomic_t cm_closes;
28443 -atomic_t cm_connecteds;
28444 -atomic_t cm_connect_reqs;
28445 -atomic_t cm_rejects;
28446 +atomic_unchecked_t cm_connects;
28447 +atomic_unchecked_t cm_accepts;
28448 +atomic_unchecked_t cm_disconnects;
28449 +atomic_unchecked_t cm_closes;
28450 +atomic_unchecked_t cm_connecteds;
28451 +atomic_unchecked_t cm_connect_reqs;
28452 +atomic_unchecked_t cm_rejects;
28456 @@ -1045,7 +1045,7 @@ static int mini_cm_dec_refcnt_listen(str
28460 - atomic_inc(&cm_listens_destroyed);
28461 + atomic_inc_unchecked(&cm_listens_destroyed);
28463 spin_unlock_irqrestore(&cm_core->listen_list_lock, flags);
28465 @@ -1242,7 +1242,7 @@ static struct nes_cm_node *make_cm_node(
28468 add_hte_node(cm_core, cm_node);
28469 - atomic_inc(&cm_nodes_created);
28470 + atomic_inc_unchecked(&cm_nodes_created);
28474 @@ -1300,7 +1300,7 @@ static int rem_ref_cm_node(struct nes_cm
28477 atomic_dec(&cm_core->node_cnt);
28478 - atomic_inc(&cm_nodes_destroyed);
28479 + atomic_inc_unchecked(&cm_nodes_destroyed);
28480 nesqp = cm_node->nesqp;
28482 nesqp->cm_node = NULL;
28483 @@ -1367,7 +1367,7 @@ static int process_options(struct nes_cm
28485 static void drop_packet(struct sk_buff *skb)
28487 - atomic_inc(&cm_accel_dropped_pkts);
28488 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
28489 dev_kfree_skb_any(skb);
28492 @@ -1430,7 +1430,7 @@ static void handle_rst_pkt(struct nes_cm
28495 int reset = 0; /* whether to send reset in case of err.. */
28496 - atomic_inc(&cm_resets_recvd);
28497 + atomic_inc_unchecked(&cm_resets_recvd);
28498 nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
28499 " refcnt=%d\n", cm_node, cm_node->state,
28500 atomic_read(&cm_node->ref_count));
28501 @@ -2059,7 +2059,7 @@ static struct nes_cm_node *mini_cm_conne
28502 rem_ref_cm_node(cm_node->cm_core, cm_node);
28505 - atomic_inc(&cm_loopbacks);
28506 + atomic_inc_unchecked(&cm_loopbacks);
28507 loopbackremotenode->loopbackpartner = cm_node;
28508 loopbackremotenode->tcp_cntxt.rcv_wscale =
28509 NES_CM_DEFAULT_RCV_WND_SCALE;
28510 @@ -2334,7 +2334,7 @@ static int mini_cm_recv_pkt(struct nes_c
28511 add_ref_cm_node(cm_node);
28512 } else if (cm_node->state == NES_CM_STATE_TSA) {
28513 rem_ref_cm_node(cm_core, cm_node);
28514 - atomic_inc(&cm_accel_dropped_pkts);
28515 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
28516 dev_kfree_skb_any(skb);
28519 @@ -2640,7 +2640,7 @@ static int nes_cm_disconn_true(struct ne
28521 if ((cm_id) && (cm_id->event_handler)) {
28522 if (issue_disconn) {
28523 - atomic_inc(&cm_disconnects);
28524 + atomic_inc_unchecked(&cm_disconnects);
28525 cm_event.event = IW_CM_EVENT_DISCONNECT;
28526 cm_event.status = disconn_status;
28527 cm_event.local_addr = cm_id->local_addr;
28528 @@ -2662,7 +2662,7 @@ static int nes_cm_disconn_true(struct ne
28532 - atomic_inc(&cm_closes);
28533 + atomic_inc_unchecked(&cm_closes);
28534 nes_disconnect(nesqp, 1);
28536 cm_id->provider_data = nesqp;
28537 @@ -2793,7 +2793,7 @@ int nes_accept(struct iw_cm_id *cm_id, s
28539 nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
28540 nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
28541 - atomic_inc(&cm_accepts);
28542 + atomic_inc_unchecked(&cm_accepts);
28544 nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
28545 netdev_refcnt_read(nesvnic->netdev));
28546 @@ -3003,7 +3003,7 @@ int nes_reject(struct iw_cm_id *cm_id, c
28548 struct nes_cm_core *cm_core;
28550 - atomic_inc(&cm_rejects);
28551 + atomic_inc_unchecked(&cm_rejects);
28552 cm_node = (struct nes_cm_node *) cm_id->provider_data;
28553 loopback = cm_node->loopbackpartner;
28554 cm_core = cm_node->cm_core;
28555 @@ -3069,7 +3069,7 @@ int nes_connect(struct iw_cm_id *cm_id,
28556 ntohl(cm_id->local_addr.sin_addr.s_addr),
28557 ntohs(cm_id->local_addr.sin_port));
28559 - atomic_inc(&cm_connects);
28560 + atomic_inc_unchecked(&cm_connects);
28561 nesqp->active_conn = 1;
28563 /* cache the cm_id in the qp */
28564 @@ -3175,7 +3175,7 @@ int nes_create_listen(struct iw_cm_id *c
28565 g_cm_core->api->stop_listener(g_cm_core, (void *)cm_node);
28568 - atomic_inc(&cm_listens_created);
28569 + atomic_inc_unchecked(&cm_listens_created);
28572 cm_id->add_ref(cm_id);
28573 @@ -3280,7 +3280,7 @@ static void cm_event_connected(struct ne
28574 if (nesqp->destroyed) {
28577 - atomic_inc(&cm_connecteds);
28578 + atomic_inc_unchecked(&cm_connecteds);
28579 nes_debug(NES_DBG_CM, "QP%u attempting to connect to 0x%08X:0x%04X on"
28580 " local port 0x%04X. jiffies = %lu.\n",
28582 @@ -3495,7 +3495,7 @@ static void cm_event_reset(struct nes_cm
28584 cm_id->add_ref(cm_id);
28585 ret = cm_id->event_handler(cm_id, &cm_event);
28586 - atomic_inc(&cm_closes);
28587 + atomic_inc_unchecked(&cm_closes);
28588 cm_event.event = IW_CM_EVENT_CLOSE;
28589 cm_event.status = IW_CM_EVENT_STATUS_OK;
28590 cm_event.provider_data = cm_id->provider_data;
28591 @@ -3531,7 +3531,7 @@ static void cm_event_mpa_req(struct nes_
28593 cm_id = cm_node->cm_id;
28595 - atomic_inc(&cm_connect_reqs);
28596 + atomic_inc_unchecked(&cm_connect_reqs);
28597 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
28598 cm_node, cm_id, jiffies);
28600 @@ -3569,7 +3569,7 @@ static void cm_event_mpa_reject(struct n
28602 cm_id = cm_node->cm_id;
28604 - atomic_inc(&cm_connect_reqs);
28605 + atomic_inc_unchecked(&cm_connect_reqs);
28606 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
28607 cm_node, cm_id, jiffies);
28609 diff -urNp linux-2.6.38.6/drivers/infiniband/hw/nes/nes.h linux-2.6.38.6/drivers/infiniband/hw/nes/nes.h
28610 --- linux-2.6.38.6/drivers/infiniband/hw/nes/nes.h 2011-03-14 21:20:32.000000000 -0400
28611 +++ linux-2.6.38.6/drivers/infiniband/hw/nes/nes.h 2011-04-28 19:57:25.000000000 -0400
28612 @@ -175,17 +175,17 @@ extern unsigned int nes_debug_level;
28613 extern unsigned int wqm_quanta;
28614 extern struct list_head nes_adapter_list;
28616 -extern atomic_t cm_connects;
28617 -extern atomic_t cm_accepts;
28618 -extern atomic_t cm_disconnects;
28619 -extern atomic_t cm_closes;
28620 -extern atomic_t cm_connecteds;
28621 -extern atomic_t cm_connect_reqs;
28622 -extern atomic_t cm_rejects;
28623 -extern atomic_t mod_qp_timouts;
28624 -extern atomic_t qps_created;
28625 -extern atomic_t qps_destroyed;
28626 -extern atomic_t sw_qps_destroyed;
28627 +extern atomic_unchecked_t cm_connects;
28628 +extern atomic_unchecked_t cm_accepts;
28629 +extern atomic_unchecked_t cm_disconnects;
28630 +extern atomic_unchecked_t cm_closes;
28631 +extern atomic_unchecked_t cm_connecteds;
28632 +extern atomic_unchecked_t cm_connect_reqs;
28633 +extern atomic_unchecked_t cm_rejects;
28634 +extern atomic_unchecked_t mod_qp_timouts;
28635 +extern atomic_unchecked_t qps_created;
28636 +extern atomic_unchecked_t qps_destroyed;
28637 +extern atomic_unchecked_t sw_qps_destroyed;
28638 extern u32 mh_detected;
28639 extern u32 mh_pauses_sent;
28640 extern u32 cm_packets_sent;
28641 @@ -194,14 +194,14 @@ extern u32 cm_packets_created;
28642 extern u32 cm_packets_received;
28643 extern u32 cm_packets_dropped;
28644 extern u32 cm_packets_retrans;
28645 -extern atomic_t cm_listens_created;
28646 -extern atomic_t cm_listens_destroyed;
28647 +extern atomic_unchecked_t cm_listens_created;
28648 +extern atomic_unchecked_t cm_listens_destroyed;
28649 extern u32 cm_backlog_drops;
28650 -extern atomic_t cm_loopbacks;
28651 -extern atomic_t cm_nodes_created;
28652 -extern atomic_t cm_nodes_destroyed;
28653 -extern atomic_t cm_accel_dropped_pkts;
28654 -extern atomic_t cm_resets_recvd;
28655 +extern atomic_unchecked_t cm_loopbacks;
28656 +extern atomic_unchecked_t cm_nodes_created;
28657 +extern atomic_unchecked_t cm_nodes_destroyed;
28658 +extern atomic_unchecked_t cm_accel_dropped_pkts;
28659 +extern atomic_unchecked_t cm_resets_recvd;
28661 extern u32 int_mod_timer_init;
28662 extern u32 int_mod_cq_depth_256;
28663 diff -urNp linux-2.6.38.6/drivers/infiniband/hw/nes/nes_nic.c linux-2.6.38.6/drivers/infiniband/hw/nes/nes_nic.c
28664 --- linux-2.6.38.6/drivers/infiniband/hw/nes/nes_nic.c 2011-03-14 21:20:32.000000000 -0400
28665 +++ linux-2.6.38.6/drivers/infiniband/hw/nes/nes_nic.c 2011-04-28 19:57:25.000000000 -0400
28666 @@ -1302,31 +1302,31 @@ static void nes_netdev_get_ethtool_stats
28667 target_stat_values[++index] = mh_detected;
28668 target_stat_values[++index] = mh_pauses_sent;
28669 target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
28670 - target_stat_values[++index] = atomic_read(&cm_connects);
28671 - target_stat_values[++index] = atomic_read(&cm_accepts);
28672 - target_stat_values[++index] = atomic_read(&cm_disconnects);
28673 - target_stat_values[++index] = atomic_read(&cm_connecteds);
28674 - target_stat_values[++index] = atomic_read(&cm_connect_reqs);
28675 - target_stat_values[++index] = atomic_read(&cm_rejects);
28676 - target_stat_values[++index] = atomic_read(&mod_qp_timouts);
28677 - target_stat_values[++index] = atomic_read(&qps_created);
28678 - target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
28679 - target_stat_values[++index] = atomic_read(&qps_destroyed);
28680 - target_stat_values[++index] = atomic_read(&cm_closes);
28681 + target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
28682 + target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
28683 + target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
28684 + target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
28685 + target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
28686 + target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
28687 + target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
28688 + target_stat_values[++index] = atomic_read_unchecked(&qps_created);
28689 + target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
28690 + target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
28691 + target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
28692 target_stat_values[++index] = cm_packets_sent;
28693 target_stat_values[++index] = cm_packets_bounced;
28694 target_stat_values[++index] = cm_packets_created;
28695 target_stat_values[++index] = cm_packets_received;
28696 target_stat_values[++index] = cm_packets_dropped;
28697 target_stat_values[++index] = cm_packets_retrans;
28698 - target_stat_values[++index] = atomic_read(&cm_listens_created);
28699 - target_stat_values[++index] = atomic_read(&cm_listens_destroyed);
28700 + target_stat_values[++index] = atomic_read_unchecked(&cm_listens_created);
28701 + target_stat_values[++index] = atomic_read_unchecked(&cm_listens_destroyed);
28702 target_stat_values[++index] = cm_backlog_drops;
28703 - target_stat_values[++index] = atomic_read(&cm_loopbacks);
28704 - target_stat_values[++index] = atomic_read(&cm_nodes_created);
28705 - target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
28706 - target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
28707 - target_stat_values[++index] = atomic_read(&cm_resets_recvd);
28708 + target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
28709 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
28710 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
28711 + target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
28712 + target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
28713 target_stat_values[++index] = nesadapter->free_4kpbl;
28714 target_stat_values[++index] = nesadapter->free_256pbl;
28715 target_stat_values[++index] = int_mod_timer_init;
28716 diff -urNp linux-2.6.38.6/drivers/infiniband/hw/nes/nes_verbs.c linux-2.6.38.6/drivers/infiniband/hw/nes/nes_verbs.c
28717 --- linux-2.6.38.6/drivers/infiniband/hw/nes/nes_verbs.c 2011-03-14 21:20:32.000000000 -0400
28718 +++ linux-2.6.38.6/drivers/infiniband/hw/nes/nes_verbs.c 2011-04-28 19:57:25.000000000 -0400
28721 #include <rdma/ib_umem.h>
28723 -atomic_t mod_qp_timouts;
28724 -atomic_t qps_created;
28725 -atomic_t sw_qps_destroyed;
28726 +atomic_unchecked_t mod_qp_timouts;
28727 +atomic_unchecked_t qps_created;
28728 +atomic_unchecked_t sw_qps_destroyed;
28730 static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
28732 @@ -1141,7 +1141,7 @@ static struct ib_qp *nes_create_qp(struc
28733 if (init_attr->create_flags)
28734 return ERR_PTR(-EINVAL);
28736 - atomic_inc(&qps_created);
28737 + atomic_inc_unchecked(&qps_created);
28738 switch (init_attr->qp_type) {
28740 if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
28741 @@ -1470,7 +1470,7 @@ static int nes_destroy_qp(struct ib_qp *
28742 struct iw_cm_event cm_event;
28745 - atomic_inc(&sw_qps_destroyed);
28746 + atomic_inc_unchecked(&sw_qps_destroyed);
28747 nesqp->destroyed = 1;
28749 /* Blow away the connection if it exists. */
28750 diff -urNp linux-2.6.38.6/drivers/infiniband/hw/qib/qib.h linux-2.6.38.6/drivers/infiniband/hw/qib/qib.h
28751 --- linux-2.6.38.6/drivers/infiniband/hw/qib/qib.h 2011-03-14 21:20:32.000000000 -0400
28752 +++ linux-2.6.38.6/drivers/infiniband/hw/qib/qib.h 2011-04-28 19:34:15.000000000 -0400
28754 #include <linux/completion.h>
28755 #include <linux/kref.h>
28756 #include <linux/sched.h>
28757 +#include <linux/slab.h>
28759 #include "qib_common.h"
28760 #include "qib_verbs.h"
28761 diff -urNp linux-2.6.38.6/drivers/input/gameport/gameport.c linux-2.6.38.6/drivers/input/gameport/gameport.c
28762 --- linux-2.6.38.6/drivers/input/gameport/gameport.c 2011-03-14 21:20:32.000000000 -0400
28763 +++ linux-2.6.38.6/drivers/input/gameport/gameport.c 2011-04-28 19:57:25.000000000 -0400
28764 @@ -488,14 +488,14 @@ EXPORT_SYMBOL(gameport_set_phys);
28766 static void gameport_init_port(struct gameport *gameport)
28768 - static atomic_t gameport_no = ATOMIC_INIT(0);
28769 + static atomic_unchecked_t gameport_no = ATOMIC_INIT(0);
28771 __module_get(THIS_MODULE);
28773 mutex_init(&gameport->drv_mutex);
28774 device_initialize(&gameport->dev);
28775 dev_set_name(&gameport->dev, "gameport%lu",
28776 - (unsigned long)atomic_inc_return(&gameport_no) - 1);
28777 + (unsigned long)atomic_inc_return_unchecked(&gameport_no) - 1);
28778 gameport->dev.bus = &gameport_bus;
28779 gameport->dev.release = gameport_release_port;
28780 if (gameport->parent)
28781 diff -urNp linux-2.6.38.6/drivers/input/input.c linux-2.6.38.6/drivers/input/input.c
28782 --- linux-2.6.38.6/drivers/input/input.c 2011-03-14 21:20:32.000000000 -0400
28783 +++ linux-2.6.38.6/drivers/input/input.c 2011-04-28 19:57:25.000000000 -0400
28784 @@ -1820,7 +1820,7 @@ static void input_cleanse_bitmasks(struc
28786 int input_register_device(struct input_dev *dev)
28788 - static atomic_t input_no = ATOMIC_INIT(0);
28789 + static atomic_unchecked_t input_no = ATOMIC_INIT(0);
28790 struct input_handler *handler;
28793 @@ -1853,7 +1853,7 @@ int input_register_device(struct input_d
28794 dev->setkeycode_new = input_default_setkeycode;
28796 dev_set_name(&dev->dev, "input%ld",
28797 - (unsigned long) atomic_inc_return(&input_no) - 1);
28798 + (unsigned long) atomic_inc_return_unchecked(&input_no) - 1);
28800 error = device_add(&dev->dev);
28802 diff -urNp linux-2.6.38.6/drivers/input/joystick/sidewinder.c linux-2.6.38.6/drivers/input/joystick/sidewinder.c
28803 --- linux-2.6.38.6/drivers/input/joystick/sidewinder.c 2011-03-14 21:20:32.000000000 -0400
28804 +++ linux-2.6.38.6/drivers/input/joystick/sidewinder.c 2011-05-16 21:47:08.000000000 -0400
28805 @@ -428,6 +428,8 @@ static int sw_read(struct sw *sw)
28806 unsigned char buf[SW_LENGTH];
28809 + pax_track_stack();
28811 i = sw_read_packet(sw->gameport, buf, sw->length, 0);
28813 if (sw->type == SW_ID_3DP && sw->length == 66 && i != 66) { /* Broken packet, try to fix */
28814 diff -urNp linux-2.6.38.6/drivers/input/joystick/xpad.c linux-2.6.38.6/drivers/input/joystick/xpad.c
28815 --- linux-2.6.38.6/drivers/input/joystick/xpad.c 2011-03-14 21:20:32.000000000 -0400
28816 +++ linux-2.6.38.6/drivers/input/joystick/xpad.c 2011-04-28 19:57:25.000000000 -0400
28817 @@ -689,7 +689,7 @@ static void xpad_led_set(struct led_clas
28819 static int xpad_led_probe(struct usb_xpad *xpad)
28821 - static atomic_t led_seq = ATOMIC_INIT(0);
28822 + static atomic_unchecked_t led_seq = ATOMIC_INIT(0);
28824 struct xpad_led *led;
28825 struct led_classdev *led_cdev;
28826 @@ -702,7 +702,7 @@ static int xpad_led_probe(struct usb_xpa
28830 - led_no = (long)atomic_inc_return(&led_seq) - 1;
28831 + led_no = (long)atomic_inc_return_unchecked(&led_seq) - 1;
28833 snprintf(led->name, sizeof(led->name), "xpad%ld", led_no);
28835 diff -urNp linux-2.6.38.6/drivers/input/mousedev.c linux-2.6.38.6/drivers/input/mousedev.c
28836 --- linux-2.6.38.6/drivers/input/mousedev.c 2011-03-14 21:20:32.000000000 -0400
28837 +++ linux-2.6.38.6/drivers/input/mousedev.c 2011-04-28 19:34:15.000000000 -0400
28838 @@ -764,7 +764,7 @@ static ssize_t mousedev_read(struct file
28840 spin_unlock_irq(&client->packet_lock);
28842 - if (copy_to_user(buffer, data, count))
28843 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
28847 diff -urNp linux-2.6.38.6/drivers/input/serio/serio.c linux-2.6.38.6/drivers/input/serio/serio.c
28848 --- linux-2.6.38.6/drivers/input/serio/serio.c 2011-03-14 21:20:32.000000000 -0400
28849 +++ linux-2.6.38.6/drivers/input/serio/serio.c 2011-04-28 19:57:25.000000000 -0400
28850 @@ -497,7 +497,7 @@ static void serio_release_port(struct de
28852 static void serio_init_port(struct serio *serio)
28854 - static atomic_t serio_no = ATOMIC_INIT(0);
28855 + static atomic_unchecked_t serio_no = ATOMIC_INIT(0);
28857 __module_get(THIS_MODULE);
28859 @@ -508,7 +508,7 @@ static void serio_init_port(struct serio
28860 mutex_init(&serio->drv_mutex);
28861 device_initialize(&serio->dev);
28862 dev_set_name(&serio->dev, "serio%ld",
28863 - (long)atomic_inc_return(&serio_no) - 1);
28864 + (long)atomic_inc_return_unchecked(&serio_no) - 1);
28865 serio->dev.bus = &serio_bus;
28866 serio->dev.release = serio_release_port;
28867 serio->dev.groups = serio_device_attr_groups;
28868 diff -urNp linux-2.6.38.6/drivers/isdn/capi/capi.c linux-2.6.38.6/drivers/isdn/capi/capi.c
28869 --- linux-2.6.38.6/drivers/isdn/capi/capi.c 2011-03-14 21:20:32.000000000 -0400
28870 +++ linux-2.6.38.6/drivers/isdn/capi/capi.c 2011-04-28 19:57:25.000000000 -0400
28871 @@ -89,8 +89,8 @@ struct capiminor {
28873 struct capi20_appl *ap;
28875 - atomic_t datahandle;
28877 + atomic_unchecked_t datahandle;
28878 + atomic_unchecked_t msgid;
28880 struct tty_port port;
28882 @@ -414,7 +414,7 @@ gen_data_b3_resp_for(struct capiminor *m
28883 capimsg_setu16(s, 2, mp->ap->applid);
28884 capimsg_setu8 (s, 4, CAPI_DATA_B3);
28885 capimsg_setu8 (s, 5, CAPI_RESP);
28886 - capimsg_setu16(s, 6, atomic_inc_return(&mp->msgid));
28887 + capimsg_setu16(s, 6, atomic_inc_return_unchecked(&mp->msgid));
28888 capimsg_setu32(s, 8, mp->ncci);
28889 capimsg_setu16(s, 12, datahandle);
28891 @@ -547,14 +547,14 @@ static void handle_minor_send(struct cap
28892 mp->outbytes -= len;
28893 spin_unlock_bh(&mp->outlock);
28895 - datahandle = atomic_inc_return(&mp->datahandle);
28896 + datahandle = atomic_inc_return_unchecked(&mp->datahandle);
28897 skb_push(skb, CAPI_DATA_B3_REQ_LEN);
28898 memset(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
28899 capimsg_setu16(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
28900 capimsg_setu16(skb->data, 2, mp->ap->applid);
28901 capimsg_setu8 (skb->data, 4, CAPI_DATA_B3);
28902 capimsg_setu8 (skb->data, 5, CAPI_REQ);
28903 - capimsg_setu16(skb->data, 6, atomic_inc_return(&mp->msgid));
28904 + capimsg_setu16(skb->data, 6, atomic_inc_return_unchecked(&mp->msgid));
28905 capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */
28906 capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */
28907 capimsg_setu16(skb->data, 16, len); /* Data length */
28908 diff -urNp linux-2.6.38.6/drivers/isdn/gigaset/common.c linux-2.6.38.6/drivers/isdn/gigaset/common.c
28909 --- linux-2.6.38.6/drivers/isdn/gigaset/common.c 2011-03-14 21:20:32.000000000 -0400
28910 +++ linux-2.6.38.6/drivers/isdn/gigaset/common.c 2011-04-28 19:34:15.000000000 -0400
28911 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
28912 cs->commands_pending = 0;
28913 cs->cur_at_seq = 0;
28915 - cs->open_count = 0;
28916 + local_set(&cs->open_count, 0);
28919 cs->tty_dev = NULL;
28920 diff -urNp linux-2.6.38.6/drivers/isdn/gigaset/gigaset.h linux-2.6.38.6/drivers/isdn/gigaset/gigaset.h
28921 --- linux-2.6.38.6/drivers/isdn/gigaset/gigaset.h 2011-03-14 21:20:32.000000000 -0400
28922 +++ linux-2.6.38.6/drivers/isdn/gigaset/gigaset.h 2011-04-28 19:34:15.000000000 -0400
28924 #include <linux/tty_driver.h>
28925 #include <linux/list.h>
28926 #include <asm/atomic.h>
28927 +#include <asm/local.h>
28929 #define GIG_VERSION {0, 5, 0, 0}
28930 #define GIG_COMPAT {0, 4, 0, 0}
28931 @@ -433,7 +434,7 @@ struct cardstate {
28932 spinlock_t cmdlock;
28933 unsigned curlen, cmdbytes;
28935 - unsigned open_count;
28936 + local_t open_count;
28937 struct tty_struct *tty;
28938 struct tasklet_struct if_wake_tasklet;
28939 unsigned control_state;
28940 diff -urNp linux-2.6.38.6/drivers/isdn/gigaset/interface.c linux-2.6.38.6/drivers/isdn/gigaset/interface.c
28941 --- linux-2.6.38.6/drivers/isdn/gigaset/interface.c 2011-03-14 21:20:32.000000000 -0400
28942 +++ linux-2.6.38.6/drivers/isdn/gigaset/interface.c 2011-04-28 19:34:15.000000000 -0400
28943 @@ -160,9 +160,7 @@ static int if_open(struct tty_struct *tt
28944 return -ERESTARTSYS;
28945 tty->driver_data = cs;
28947 - ++cs->open_count;
28949 - if (cs->open_count == 1) {
28950 + if (local_inc_return(&cs->open_count) == 1) {
28951 spin_lock_irqsave(&cs->lock, flags);
28953 spin_unlock_irqrestore(&cs->lock, flags);
28954 @@ -190,10 +188,10 @@ static void if_close(struct tty_struct *
28956 if (!cs->connected)
28957 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
28958 - else if (!cs->open_count)
28959 + else if (!local_read(&cs->open_count))
28960 dev_warn(cs->dev, "%s: device not opened\n", __func__);
28962 - if (!--cs->open_count) {
28963 + if (!local_dec_return(&cs->open_count)) {
28964 spin_lock_irqsave(&cs->lock, flags);
28966 spin_unlock_irqrestore(&cs->lock, flags);
28967 @@ -228,7 +226,7 @@ static int if_ioctl(struct tty_struct *t
28968 if (!cs->connected) {
28969 gig_dbg(DEBUG_IF, "not connected");
28971 - } else if (!cs->open_count)
28972 + } else if (!local_read(&cs->open_count))
28973 dev_warn(cs->dev, "%s: device not opened\n", __func__);
28976 @@ -358,7 +356,7 @@ static int if_write(struct tty_struct *t
28980 - if (!cs->open_count) {
28981 + if (!local_read(&cs->open_count)) {
28982 dev_warn(cs->dev, "%s: device not opened\n", __func__);
28985 @@ -411,7 +409,7 @@ static int if_write_room(struct tty_stru
28986 if (!cs->connected) {
28987 gig_dbg(DEBUG_IF, "not connected");
28989 - } else if (!cs->open_count)
28990 + } else if (!local_read(&cs->open_count))
28991 dev_warn(cs->dev, "%s: device not opened\n", __func__);
28992 else if (cs->mstate != MS_LOCKED) {
28993 dev_warn(cs->dev, "can't write to unlocked device\n");
28994 @@ -441,7 +439,7 @@ static int if_chars_in_buffer(struct tty
28996 if (!cs->connected)
28997 gig_dbg(DEBUG_IF, "not connected");
28998 - else if (!cs->open_count)
28999 + else if (!local_read(&cs->open_count))
29000 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29001 else if (cs->mstate != MS_LOCKED)
29002 dev_warn(cs->dev, "can't write to unlocked device\n");
29003 @@ -469,7 +467,7 @@ static void if_throttle(struct tty_struc
29005 if (!cs->connected)
29006 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
29007 - else if (!cs->open_count)
29008 + else if (!local_read(&cs->open_count))
29009 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29011 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
29012 @@ -493,7 +491,7 @@ static void if_unthrottle(struct tty_str
29014 if (!cs->connected)
29015 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
29016 - else if (!cs->open_count)
29017 + else if (!local_read(&cs->open_count))
29018 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29020 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
29021 @@ -524,7 +522,7 @@ static void if_set_termios(struct tty_st
29025 - if (!cs->open_count) {
29026 + if (!local_read(&cs->open_count)) {
29027 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29030 diff -urNp linux-2.6.38.6/drivers/isdn/hardware/avm/b1.c linux-2.6.38.6/drivers/isdn/hardware/avm/b1.c
29031 --- linux-2.6.38.6/drivers/isdn/hardware/avm/b1.c 2011-03-14 21:20:32.000000000 -0400
29032 +++ linux-2.6.38.6/drivers/isdn/hardware/avm/b1.c 2011-04-28 19:34:15.000000000 -0400
29033 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
29036 if (t4file->user) {
29037 - if (copy_from_user(buf, dp, left))
29038 + if (left > sizeof buf || copy_from_user(buf, dp, left))
29041 memcpy(buf, dp, left);
29042 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
29045 if (config->user) {
29046 - if (copy_from_user(buf, dp, left))
29047 + if (left > sizeof buf || copy_from_user(buf, dp, left))
29050 memcpy(buf, dp, left);
29051 diff -urNp linux-2.6.38.6/drivers/isdn/hardware/eicon/capidtmf.c linux-2.6.38.6/drivers/isdn/hardware/eicon/capidtmf.c
29052 --- linux-2.6.38.6/drivers/isdn/hardware/eicon/capidtmf.c 2011-03-14 21:20:32.000000000 -0400
29053 +++ linux-2.6.38.6/drivers/isdn/hardware/eicon/capidtmf.c 2011-05-16 21:47:08.000000000 -0400
29054 @@ -498,6 +498,7 @@ void capidtmf_recv_block (t_capidtmf_sta
29055 byte goertzel_result_buffer[CAPIDTMF_RECV_TOTAL_FREQUENCY_COUNT];
29056 short windowed_sample_buffer[CAPIDTMF_RECV_WINDOWED_SAMPLES];
29058 + pax_track_stack();
29060 if (p_state->recv.state & CAPIDTMF_RECV_STATE_DTMF_ACTIVE)
29062 diff -urNp linux-2.6.38.6/drivers/isdn/hardware/eicon/capifunc.c linux-2.6.38.6/drivers/isdn/hardware/eicon/capifunc.c
29063 --- linux-2.6.38.6/drivers/isdn/hardware/eicon/capifunc.c 2011-03-14 21:20:32.000000000 -0400
29064 +++ linux-2.6.38.6/drivers/isdn/hardware/eicon/capifunc.c 2011-05-16 21:47:08.000000000 -0400
29065 @@ -1055,6 +1055,8 @@ static int divacapi_connect_didd(void)
29067 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
29069 + pax_track_stack();
29071 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
29073 for (x = 0; x < MAX_DESCRIPTORS; x++) {
29074 diff -urNp linux-2.6.38.6/drivers/isdn/hardware/eicon/diddfunc.c linux-2.6.38.6/drivers/isdn/hardware/eicon/diddfunc.c
29075 --- linux-2.6.38.6/drivers/isdn/hardware/eicon/diddfunc.c 2011-03-14 21:20:32.000000000 -0400
29076 +++ linux-2.6.38.6/drivers/isdn/hardware/eicon/diddfunc.c 2011-05-16 21:47:08.000000000 -0400
29077 @@ -54,6 +54,8 @@ static int DIVA_INIT_FUNCTION connect_di
29079 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
29081 + pax_track_stack();
29083 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
29085 for (x = 0; x < MAX_DESCRIPTORS; x++) {
29086 diff -urNp linux-2.6.38.6/drivers/isdn/hardware/eicon/divasfunc.c linux-2.6.38.6/drivers/isdn/hardware/eicon/divasfunc.c
29087 --- linux-2.6.38.6/drivers/isdn/hardware/eicon/divasfunc.c 2011-03-14 21:20:32.000000000 -0400
29088 +++ linux-2.6.38.6/drivers/isdn/hardware/eicon/divasfunc.c 2011-05-16 21:47:08.000000000 -0400
29089 @@ -161,6 +161,8 @@ static int DIVA_INIT_FUNCTION connect_di
29091 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
29093 + pax_track_stack();
29095 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
29097 for (x = 0; x < MAX_DESCRIPTORS; x++) {
29098 diff -urNp linux-2.6.38.6/drivers/isdn/hardware/eicon/idifunc.c linux-2.6.38.6/drivers/isdn/hardware/eicon/idifunc.c
29099 --- linux-2.6.38.6/drivers/isdn/hardware/eicon/idifunc.c 2011-03-14 21:20:32.000000000 -0400
29100 +++ linux-2.6.38.6/drivers/isdn/hardware/eicon/idifunc.c 2011-05-16 21:47:08.000000000 -0400
29101 @@ -188,6 +188,8 @@ static int DIVA_INIT_FUNCTION connect_di
29103 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
29105 + pax_track_stack();
29107 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
29109 for (x = 0; x < MAX_DESCRIPTORS; x++) {
29110 diff -urNp linux-2.6.38.6/drivers/isdn/hardware/eicon/message.c linux-2.6.38.6/drivers/isdn/hardware/eicon/message.c
29111 --- linux-2.6.38.6/drivers/isdn/hardware/eicon/message.c 2011-03-14 21:20:32.000000000 -0400
29112 +++ linux-2.6.38.6/drivers/isdn/hardware/eicon/message.c 2011-05-16 21:47:08.000000000 -0400
29113 @@ -4889,6 +4889,8 @@ static void sig_ind(PLCI *plci)
29117 + pax_track_stack();
29120 Id = ((word)plci->Id<<8)|a->Id;
29121 PUT_WORD(&SS_Ind[4],0x0000);
29122 @@ -7484,6 +7486,8 @@ static word add_b1(PLCI *plci, API_PARSE
29126 + pax_track_stack();
29129 for(i=0;i<8;i++) bp_parms[i].length = 0;
29130 for(i=0;i<2;i++) global_config[i].length = 0;
29131 @@ -7958,6 +7962,8 @@ static word add_b23(PLCI *plci, API_PARS
29132 const byte llc3[] = {4,3,2,2,6,6,0};
29133 const byte header[] = {0,2,3,3,0,0,0};
29135 + pax_track_stack();
29137 for(i=0;i<8;i++) bp_parms[i].length = 0;
29138 for(i=0;i<6;i++) b2_config_parms[i].length = 0;
29139 for(i=0;i<5;i++) b3_config_parms[i].length = 0;
29140 @@ -14760,6 +14766,8 @@ static void group_optimization(DIVA_CAPI
29141 word appl_number_group_type[MAX_APPL];
29144 + pax_track_stack();
29146 set_group_ind_mask (plci); /* all APPLs within this inc. call are allowed to dial in */
29148 if(!a->group_optimization_enabled)
29149 diff -urNp linux-2.6.38.6/drivers/isdn/hardware/eicon/mntfunc.c linux-2.6.38.6/drivers/isdn/hardware/eicon/mntfunc.c
29150 --- linux-2.6.38.6/drivers/isdn/hardware/eicon/mntfunc.c 2011-03-14 21:20:32.000000000 -0400
29151 +++ linux-2.6.38.6/drivers/isdn/hardware/eicon/mntfunc.c 2011-05-16 21:47:08.000000000 -0400
29152 @@ -79,6 +79,8 @@ static int DIVA_INIT_FUNCTION connect_di
29154 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
29156 + pax_track_stack();
29158 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
29160 for (x = 0; x < MAX_DESCRIPTORS; x++) {
29161 diff -urNp linux-2.6.38.6/drivers/isdn/i4l/isdn_common.c linux-2.6.38.6/drivers/isdn/i4l/isdn_common.c
29162 --- linux-2.6.38.6/drivers/isdn/i4l/isdn_common.c 2011-03-14 21:20:32.000000000 -0400
29163 +++ linux-2.6.38.6/drivers/isdn/i4l/isdn_common.c 2011-05-16 21:47:08.000000000 -0400
29164 @@ -1292,6 +1292,8 @@ isdn_ioctl(struct file *file, uint cmd,
29166 void __user *argp = (void __user *)arg;
29168 + pax_track_stack();
29170 #define name iocpar.name
29171 #define bname iocpar.bname
29172 #define iocts iocpar.iocts
29173 diff -urNp linux-2.6.38.6/drivers/isdn/icn/icn.c linux-2.6.38.6/drivers/isdn/icn/icn.c
29174 --- linux-2.6.38.6/drivers/isdn/icn/icn.c 2011-03-14 21:20:32.000000000 -0400
29175 +++ linux-2.6.38.6/drivers/isdn/icn/icn.c 2011-04-28 19:34:15.000000000 -0400
29176 @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
29180 - if (copy_from_user(msg, buf, count))
29181 + if (count > sizeof msg || copy_from_user(msg, buf, count))
29184 memcpy(msg, buf, count);
29185 diff -urNp linux-2.6.38.6/drivers/lguest/core.c linux-2.6.38.6/drivers/lguest/core.c
29186 --- linux-2.6.38.6/drivers/lguest/core.c 2011-03-14 21:20:32.000000000 -0400
29187 +++ linux-2.6.38.6/drivers/lguest/core.c 2011-04-28 19:34:15.000000000 -0400
29188 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
29189 * it's worked so far. The end address needs +1 because __get_vm_area
29190 * allocates an extra guard page, so we need space for that.
29193 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
29194 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
29195 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
29196 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
29198 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
29199 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
29200 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
29203 if (!switcher_vma) {
29205 printk("lguest: could not map switcher pages high\n");
29206 @@ -119,7 +127,7 @@ static __init int map_switcher(void)
29207 * Now the Switcher is mapped at the right address, we can't fail!
29208 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
29210 - memcpy(switcher_vma->addr, start_switcher_text,
29211 + memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
29212 end_switcher_text - start_switcher_text);
29214 printk(KERN_INFO "lguest: mapped switcher at %p\n",
29215 diff -urNp linux-2.6.38.6/drivers/lguest/x86/core.c linux-2.6.38.6/drivers/lguest/x86/core.c
29216 --- linux-2.6.38.6/drivers/lguest/x86/core.c 2011-03-14 21:20:32.000000000 -0400
29217 +++ linux-2.6.38.6/drivers/lguest/x86/core.c 2011-04-28 19:34:15.000000000 -0400
29218 @@ -59,7 +59,7 @@ static struct {
29219 /* Offset from where switcher.S was compiled to where we've copied it */
29220 static unsigned long switcher_offset(void)
29222 - return SWITCHER_ADDR - (unsigned long)start_switcher_text;
29223 + return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
29226 /* This cpu's struct lguest_pages. */
29227 @@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
29228 * These copies are pretty cheap, so we do them unconditionally: */
29229 /* Save the current Host top-level page directory.
29232 +#ifdef CONFIG_PAX_PER_CPU_PGD
29233 + pages->state.host_cr3 = read_cr3();
29235 pages->state.host_cr3 = __pa(current->mm->pgd);
29239 * Set up the Guest's page tables to see this CPU's pages (and no
29240 * other CPU's pages).
29241 @@ -547,7 +553,7 @@ void __init lguest_arch_host_init(void)
29242 * compiled-in switcher code and the high-mapped copy we just made.
29244 for (i = 0; i < IDT_ENTRIES; i++)
29245 - default_idt_entries[i] += switcher_offset();
29246 + default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
29249 * Set up the Switcher's per-cpu areas.
29250 @@ -630,7 +636,7 @@ void __init lguest_arch_host_init(void)
29251 * it will be undisturbed when we switch. To change %cs and jump we
29252 * need this structure to feed to Intel's "lcall" instruction.
29254 - lguest_entry.offset = (long)switch_to_guest + switcher_offset();
29255 + lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
29256 lguest_entry.segment = LGUEST_CS;
29259 diff -urNp linux-2.6.38.6/drivers/lguest/x86/switcher_32.S linux-2.6.38.6/drivers/lguest/x86/switcher_32.S
29260 --- linux-2.6.38.6/drivers/lguest/x86/switcher_32.S 2011-03-14 21:20:32.000000000 -0400
29261 +++ linux-2.6.38.6/drivers/lguest/x86/switcher_32.S 2011-04-28 19:34:15.000000000 -0400
29263 #include <asm/page.h>
29264 #include <asm/segment.h>
29265 #include <asm/lguest.h>
29266 +#include <asm/processor-flags.h>
29268 // We mark the start of the code to copy
29269 // It's placed in .text tho it's never run here
29270 @@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
29271 // Changes type when we load it: damn Intel!
29272 // For after we switch over our page tables
29273 // That entry will be read-only: we'd crash.
29275 +#ifdef CONFIG_PAX_KERNEXEC
29277 + xor $X86_CR0_WP, %edx
29281 movl $(GDT_ENTRY_TSS*8), %edx
29284 @@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
29285 // Let's clear it again for our return.
29286 // The GDT descriptor of the Host
29287 // Points to the table after two "size" bytes
29288 - movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
29289 + movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
29290 // Clear "used" from type field (byte 5, bit 2)
29291 - andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
29292 + andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
29294 +#ifdef CONFIG_PAX_KERNEXEC
29296 + xor $X86_CR0_WP, %eax
29300 // Once our page table's switched, the Guest is live!
29301 // The Host fades as we run this final step.
29302 @@ -295,13 +309,12 @@ deliver_to_host:
29303 // I consulted gcc, and it gave
29304 // These instructions, which I gladly credit:
29305 leal (%edx,%ebx,8), %eax
29306 - movzwl (%eax),%edx
29307 - movl 4(%eax), %eax
29310 + movl 4(%eax), %edx
29312 // Now the address of the handler's in %edx
29313 // We call it now: its "iret" drops us home.
29315 + ljmp $__KERNEL_CS, $1f
29318 // Every interrupt can come to us here
29319 // But we must truly tell each apart.
29320 diff -urNp linux-2.6.38.6/drivers/md/dm.c linux-2.6.38.6/drivers/md/dm.c
29321 --- linux-2.6.38.6/drivers/md/dm.c 2011-03-14 21:20:32.000000000 -0400
29322 +++ linux-2.6.38.6/drivers/md/dm.c 2011-04-28 19:57:25.000000000 -0400
29323 @@ -162,9 +162,9 @@ struct mapped_device {
29327 - atomic_t event_nr;
29328 + atomic_unchecked_t event_nr;
29329 wait_queue_head_t eventq;
29330 - atomic_t uevent_seq;
29331 + atomic_unchecked_t uevent_seq;
29332 struct list_head uevent_list;
29333 spinlock_t uevent_lock; /* Protect access to uevent_list */
29335 @@ -1855,8 +1855,8 @@ static struct mapped_device *alloc_dev(i
29336 rwlock_init(&md->map_lock);
29337 atomic_set(&md->holders, 1);
29338 atomic_set(&md->open_count, 0);
29339 - atomic_set(&md->event_nr, 0);
29340 - atomic_set(&md->uevent_seq, 0);
29341 + atomic_set_unchecked(&md->event_nr, 0);
29342 + atomic_set_unchecked(&md->uevent_seq, 0);
29343 INIT_LIST_HEAD(&md->uevent_list);
29344 spin_lock_init(&md->uevent_lock);
29346 @@ -1990,7 +1990,7 @@ static void event_callback(void *context
29348 dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
29350 - atomic_inc(&md->event_nr);
29351 + atomic_inc_unchecked(&md->event_nr);
29352 wake_up(&md->eventq);
29355 @@ -2569,18 +2569,18 @@ int dm_kobject_uevent(struct mapped_devi
29357 uint32_t dm_next_uevent_seq(struct mapped_device *md)
29359 - return atomic_add_return(1, &md->uevent_seq);
29360 + return atomic_add_return_unchecked(1, &md->uevent_seq);
29363 uint32_t dm_get_event_nr(struct mapped_device *md)
29365 - return atomic_read(&md->event_nr);
29366 + return atomic_read_unchecked(&md->event_nr);
29369 int dm_wait_event(struct mapped_device *md, int event_nr)
29371 return wait_event_interruptible(md->eventq,
29372 - (event_nr != atomic_read(&md->event_nr)));
29373 + (event_nr != atomic_read_unchecked(&md->event_nr)));
29376 void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
29377 diff -urNp linux-2.6.38.6/drivers/md/dm-ioctl.c linux-2.6.38.6/drivers/md/dm-ioctl.c
29378 --- linux-2.6.38.6/drivers/md/dm-ioctl.c 2011-03-14 21:20:32.000000000 -0400
29379 +++ linux-2.6.38.6/drivers/md/dm-ioctl.c 2011-04-28 19:34:15.000000000 -0400
29380 @@ -1541,7 +1541,7 @@ static int validate_params(uint cmd, str
29381 cmd == DM_LIST_VERSIONS_CMD)
29384 - if ((cmd == DM_DEV_CREATE_CMD)) {
29385 + if (cmd == DM_DEV_CREATE_CMD) {
29386 if (!*param->name) {
29387 DMWARN("name not supplied when creating device");
29389 diff -urNp linux-2.6.38.6/drivers/md/dm-raid1.c linux-2.6.38.6/drivers/md/dm-raid1.c
29390 --- linux-2.6.38.6/drivers/md/dm-raid1.c 2011-03-14 21:20:32.000000000 -0400
29391 +++ linux-2.6.38.6/drivers/md/dm-raid1.c 2011-04-28 19:57:25.000000000 -0400
29392 @@ -42,7 +42,7 @@ enum dm_raid1_error {
29395 struct mirror_set *ms;
29396 - atomic_t error_count;
29397 + atomic_unchecked_t error_count;
29398 unsigned long error_type;
29399 struct dm_dev *dev;
29401 @@ -187,7 +187,7 @@ static struct mirror *get_valid_mirror(s
29404 for (m = ms->mirror; m < ms->mirror + ms->nr_mirrors; m++)
29405 - if (!atomic_read(&m->error_count))
29406 + if (!atomic_read_unchecked(&m->error_count))
29410 @@ -219,7 +219,7 @@ static void fail_mirror(struct mirror *m
29411 * simple way to tell if a device has encountered
29414 - atomic_inc(&m->error_count);
29415 + atomic_inc_unchecked(&m->error_count);
29417 if (test_and_set_bit(error_type, &m->error_type))
29419 @@ -410,7 +410,7 @@ static struct mirror *choose_mirror(stru
29420 struct mirror *m = get_default_mirror(ms);
29423 - if (likely(!atomic_read(&m->error_count)))
29424 + if (likely(!atomic_read_unchecked(&m->error_count)))
29427 if (m-- == ms->mirror)
29428 @@ -424,7 +424,7 @@ static int default_ok(struct mirror *m)
29430 struct mirror *default_mirror = get_default_mirror(m->ms);
29432 - return !atomic_read(&default_mirror->error_count);
29433 + return !atomic_read_unchecked(&default_mirror->error_count);
29436 static int mirror_available(struct mirror_set *ms, struct bio *bio)
29437 @@ -561,7 +561,7 @@ static void do_reads(struct mirror_set *
29439 if (likely(region_in_sync(ms, region, 1)))
29440 m = choose_mirror(ms, bio->bi_sector);
29441 - else if (m && atomic_read(&m->error_count))
29442 + else if (m && atomic_read_unchecked(&m->error_count))
29446 @@ -941,7 +941,7 @@ static int get_mirror(struct mirror_set
29449 ms->mirror[mirror].ms = ms;
29450 - atomic_set(&(ms->mirror[mirror].error_count), 0);
29451 + atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
29452 ms->mirror[mirror].error_type = 0;
29453 ms->mirror[mirror].offset = offset;
29455 @@ -1349,7 +1349,7 @@ static void mirror_resume(struct dm_targ
29457 static char device_status_char(struct mirror *m)
29459 - if (!atomic_read(&(m->error_count)))
29460 + if (!atomic_read_unchecked(&(m->error_count)))
29463 return (test_bit(DM_RAID1_FLUSH_ERROR, &(m->error_type))) ? 'F' :
29464 diff -urNp linux-2.6.38.6/drivers/md/dm-stripe.c linux-2.6.38.6/drivers/md/dm-stripe.c
29465 --- linux-2.6.38.6/drivers/md/dm-stripe.c 2011-03-14 21:20:32.000000000 -0400
29466 +++ linux-2.6.38.6/drivers/md/dm-stripe.c 2011-04-28 19:57:25.000000000 -0400
29467 @@ -20,7 +20,7 @@ struct stripe {
29468 struct dm_dev *dev;
29469 sector_t physical_start;
29471 - atomic_t error_count;
29472 + atomic_unchecked_t error_count;
29476 @@ -192,7 +192,7 @@ static int stripe_ctr(struct dm_target *
29480 - atomic_set(&(sc->stripe[i].error_count), 0);
29481 + atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
29485 @@ -314,7 +314,7 @@ static int stripe_status(struct dm_targe
29486 DMEMIT("%d ", sc->stripes);
29487 for (i = 0; i < sc->stripes; i++) {
29488 DMEMIT("%s ", sc->stripe[i].dev->name);
29489 - buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
29490 + buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
29494 @@ -361,8 +361,8 @@ static int stripe_end_io(struct dm_targe
29496 for (i = 0; i < sc->stripes; i++)
29497 if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
29498 - atomic_inc(&(sc->stripe[i].error_count));
29499 - if (atomic_read(&(sc->stripe[i].error_count)) <
29500 + atomic_inc_unchecked(&(sc->stripe[i].error_count));
29501 + if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
29502 DM_IO_ERROR_THRESHOLD)
29503 schedule_work(&sc->trigger_event);
29505 diff -urNp linux-2.6.38.6/drivers/md/dm-table.c linux-2.6.38.6/drivers/md/dm-table.c
29506 --- linux-2.6.38.6/drivers/md/dm-table.c 2011-03-14 21:20:32.000000000 -0400
29507 +++ linux-2.6.38.6/drivers/md/dm-table.c 2011-04-28 19:34:15.000000000 -0400
29508 @@ -372,7 +372,7 @@ static int device_area_is_invalid(struct
29512 - if ((start >= dev_size) || (start + len > dev_size)) {
29513 + if ((start >= dev_size) || (len > dev_size - start)) {
29514 DMWARN("%s: %s too small for target: "
29515 "start=%llu, len=%llu, dev_size=%llu",
29516 dm_device_name(ti->table->md), bdevname(bdev, b),
29517 diff -urNp linux-2.6.38.6/drivers/md/md.c linux-2.6.38.6/drivers/md/md.c
29518 --- linux-2.6.38.6/drivers/md/md.c 2011-03-14 21:20:32.000000000 -0400
29519 +++ linux-2.6.38.6/drivers/md/md.c 2011-04-28 19:57:25.000000000 -0400
29520 @@ -226,10 +226,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev);
29521 * start build, activate spare
29523 static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
29524 -static atomic_t md_event_count;
29525 +static atomic_unchecked_t md_event_count;
29526 void md_new_event(mddev_t *mddev)
29528 - atomic_inc(&md_event_count);
29529 + atomic_inc_unchecked(&md_event_count);
29530 wake_up(&md_event_waiters);
29532 EXPORT_SYMBOL_GPL(md_new_event);
29533 @@ -239,7 +239,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
29535 static void md_new_event_inintr(mddev_t *mddev)
29537 - atomic_inc(&md_event_count);
29538 + atomic_inc_unchecked(&md_event_count);
29539 wake_up(&md_event_waiters);
29542 @@ -1443,7 +1443,7 @@ static int super_1_load(mdk_rdev_t *rdev
29544 rdev->preferred_minor = 0xffff;
29545 rdev->data_offset = le64_to_cpu(sb->data_offset);
29546 - atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
29547 + atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
29549 rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
29550 bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
29551 @@ -1621,7 +1621,7 @@ static void super_1_sync(mddev_t *mddev,
29553 sb->resync_offset = cpu_to_le64(0);
29555 - sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
29556 + sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
29558 sb->raid_disks = cpu_to_le32(mddev->raid_disks);
29559 sb->size = cpu_to_le64(mddev->dev_sectors);
29560 @@ -2403,7 +2403,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_sho
29562 errors_show(mdk_rdev_t *rdev, char *page)
29564 - return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
29565 + return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
29569 @@ -2412,7 +2412,7 @@ errors_store(mdk_rdev_t *rdev, const cha
29571 unsigned long n = simple_strtoul(buf, &e, 10);
29572 if (*buf && (*e == 0 || *e == '\n')) {
29573 - atomic_set(&rdev->corrected_errors, n);
29574 + atomic_set_unchecked(&rdev->corrected_errors, n);
29578 @@ -2768,8 +2768,8 @@ void md_rdev_init(mdk_rdev_t *rdev)
29579 rdev->last_read_error.tv_sec = 0;
29580 rdev->last_read_error.tv_nsec = 0;
29581 atomic_set(&rdev->nr_pending, 0);
29582 - atomic_set(&rdev->read_errors, 0);
29583 - atomic_set(&rdev->corrected_errors, 0);
29584 + atomic_set_unchecked(&rdev->read_errors, 0);
29585 + atomic_set_unchecked(&rdev->corrected_errors, 0);
29587 INIT_LIST_HEAD(&rdev->same_set);
29588 init_waitqueue_head(&rdev->blocked_wait);
29589 @@ -6373,7 +6373,7 @@ static int md_seq_show(struct seq_file *
29591 spin_unlock(&pers_lock);
29592 seq_printf(seq, "\n");
29593 - mi->event = atomic_read(&md_event_count);
29594 + mi->event = atomic_read_unchecked(&md_event_count);
29597 if (v == (void*)2) {
29598 @@ -6462,7 +6462,7 @@ static int md_seq_show(struct seq_file *
29599 chunk_kb ? "KB" : "B");
29600 if (bitmap->file) {
29601 seq_printf(seq, ", file: ");
29602 - seq_path(seq, &bitmap->file->f_path, " \t\n");
29603 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
29606 seq_printf(seq, "\n");
29607 @@ -6496,7 +6496,7 @@ static int md_seq_open(struct inode *ino
29609 struct seq_file *p = file->private_data;
29611 - mi->event = atomic_read(&md_event_count);
29612 + mi->event = atomic_read_unchecked(&md_event_count);
29616 @@ -6512,7 +6512,7 @@ static unsigned int mdstat_poll(struct f
29617 /* always allow read */
29618 mask = POLLIN | POLLRDNORM;
29620 - if (mi->event != atomic_read(&md_event_count))
29621 + if (mi->event != atomic_read_unchecked(&md_event_count))
29622 mask |= POLLERR | POLLPRI;
29625 @@ -6556,7 +6556,7 @@ static int is_mddev_idle(mddev_t *mddev,
29626 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
29627 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
29628 (int)part_stat_read(&disk->part0, sectors[1]) -
29629 - atomic_read(&disk->sync_io);
29630 + atomic_read_unchecked(&disk->sync_io);
29631 /* sync IO will cause sync_io to increase before the disk_stats
29632 * as sync_io is counted when a request starts, and
29633 * disk_stats is counted when it completes.
29634 diff -urNp linux-2.6.38.6/drivers/md/md.h linux-2.6.38.6/drivers/md/md.h
29635 --- linux-2.6.38.6/drivers/md/md.h 2011-03-14 21:20:32.000000000 -0400
29636 +++ linux-2.6.38.6/drivers/md/md.h 2011-04-28 19:57:25.000000000 -0400
29637 @@ -117,13 +117,13 @@ struct mdk_rdev_s
29638 * only maintained for arrays that
29639 * support hot removal
29641 - atomic_t read_errors; /* number of consecutive read errors that
29642 + atomic_unchecked_t read_errors; /* number of consecutive read errors that
29643 * we have tried to ignore.
29645 struct timespec last_read_error; /* monotonic time since our
29648 - atomic_t corrected_errors; /* number of corrected read errors,
29649 + atomic_unchecked_t corrected_errors; /* number of corrected read errors,
29650 * for reporting to userspace and storing
29653 @@ -360,7 +360,7 @@ static inline void rdev_dec_pending(mdk_
29655 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
29657 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
29658 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
29661 struct mdk_personality
29662 diff -urNp linux-2.6.38.6/drivers/md/raid10.c linux-2.6.38.6/drivers/md/raid10.c
29663 --- linux-2.6.38.6/drivers/md/raid10.c 2011-03-14 21:20:32.000000000 -0400
29664 +++ linux-2.6.38.6/drivers/md/raid10.c 2011-04-28 19:57:25.000000000 -0400
29665 @@ -1258,7 +1258,7 @@ static void end_sync_read(struct bio *bi
29666 if (test_bit(BIO_UPTODATE, &bio->bi_flags))
29667 set_bit(R10BIO_Uptodate, &r10_bio->state);
29669 - atomic_add(r10_bio->sectors,
29670 + atomic_add_unchecked(r10_bio->sectors,
29671 &conf->mirrors[d].rdev->corrected_errors);
29672 if (!test_bit(MD_RECOVERY_SYNC, &conf->mddev->recovery))
29673 md_error(r10_bio->mddev,
29674 @@ -1466,7 +1466,7 @@ static void check_decay_read_errors(mdde
29676 struct timespec cur_time_mon;
29677 unsigned long hours_since_last;
29678 - unsigned int read_errors = atomic_read(&rdev->read_errors);
29679 + unsigned int read_errors = atomic_read_unchecked(&rdev->read_errors);
29681 ktime_get_ts(&cur_time_mon);
29683 @@ -1488,9 +1488,9 @@ static void check_decay_read_errors(mdde
29684 * overflowing the shift of read_errors by hours_since_last.
29686 if (hours_since_last >= 8 * sizeof(read_errors))
29687 - atomic_set(&rdev->read_errors, 0);
29688 + atomic_set_unchecked(&rdev->read_errors, 0);
29690 - atomic_set(&rdev->read_errors, read_errors >> hours_since_last);
29691 + atomic_set_unchecked(&rdev->read_errors, read_errors >> hours_since_last);
29695 @@ -1525,8 +1525,8 @@ static void fix_read_error(conf_t *conf,
29698 check_decay_read_errors(mddev, rdev);
29699 - atomic_inc(&rdev->read_errors);
29700 - cur_read_error_count = atomic_read(&rdev->read_errors);
29701 + atomic_inc_unchecked(&rdev->read_errors);
29702 + cur_read_error_count = atomic_read_unchecked(&rdev->read_errors);
29703 if (cur_read_error_count > max_read_errors) {
29706 @@ -1599,7 +1599,7 @@ static void fix_read_error(conf_t *conf,
29707 test_bit(In_sync, &rdev->flags)) {
29708 atomic_inc(&rdev->nr_pending);
29710 - atomic_add(s, &rdev->corrected_errors);
29711 + atomic_add_unchecked(s, &rdev->corrected_errors);
29712 if (sync_page_io(rdev,
29713 r10_bio->devs[sl].addr +
29715 diff -urNp linux-2.6.38.6/drivers/md/raid1.c linux-2.6.38.6/drivers/md/raid1.c
29716 --- linux-2.6.38.6/drivers/md/raid1.c 2011-03-14 21:20:32.000000000 -0400
29717 +++ linux-2.6.38.6/drivers/md/raid1.c 2011-04-28 19:57:25.000000000 -0400
29718 @@ -1392,7 +1392,7 @@ static void sync_request_write(mddev_t *
29719 if (r1_bio->bios[d]->bi_end_io != end_sync_read)
29721 rdev = conf->mirrors[d].rdev;
29722 - atomic_add(s, &rdev->corrected_errors);
29723 + atomic_add_unchecked(s, &rdev->corrected_errors);
29724 if (sync_page_io(rdev,
29727 @@ -1538,7 +1538,7 @@ static void fix_read_error(conf_t *conf,
29728 /* Well, this device is dead */
29729 md_error(mddev, rdev);
29731 - atomic_add(s, &rdev->corrected_errors);
29732 + atomic_add_unchecked(s, &rdev->corrected_errors);
29734 "md/raid1:%s: read error corrected "
29735 "(%d sectors at %llu on %s)\n",
29736 diff -urNp linux-2.6.38.6/drivers/md/raid5.c linux-2.6.38.6/drivers/md/raid5.c
29737 --- linux-2.6.38.6/drivers/md/raid5.c 2011-03-14 21:20:32.000000000 -0400
29738 +++ linux-2.6.38.6/drivers/md/raid5.c 2011-05-16 21:47:08.000000000 -0400
29739 @@ -555,7 +555,7 @@ static void ops_run_io(struct stripe_hea
29740 bi->bi_next = NULL;
29742 test_bit(R5_ReWrite, &sh->dev[i].flags))
29743 - atomic_add(STRIPE_SECTORS,
29744 + atomic_add_unchecked(STRIPE_SECTORS,
29745 &rdev->corrected_errors);
29746 generic_make_request(bi);
29748 @@ -1602,15 +1602,15 @@ static void raid5_end_read_request(struc
29749 clear_bit(R5_ReadError, &sh->dev[i].flags);
29750 clear_bit(R5_ReWrite, &sh->dev[i].flags);
29752 - if (atomic_read(&conf->disks[i].rdev->read_errors))
29753 - atomic_set(&conf->disks[i].rdev->read_errors, 0);
29754 + if (atomic_read_unchecked(&conf->disks[i].rdev->read_errors))
29755 + atomic_set_unchecked(&conf->disks[i].rdev->read_errors, 0);
29757 const char *bdn = bdevname(conf->disks[i].rdev->bdev, b);
29759 rdev = conf->disks[i].rdev;
29761 clear_bit(R5_UPTODATE, &sh->dev[i].flags);
29762 - atomic_inc(&rdev->read_errors);
29763 + atomic_inc_unchecked(&rdev->read_errors);
29764 if (conf->mddev->degraded >= conf->max_degraded)
29765 printk_rl(KERN_WARNING
29766 "md/raid:%s: read error not correctable "
29767 @@ -1628,7 +1628,7 @@ static void raid5_end_read_request(struc
29768 (unsigned long long)(sh->sector
29769 + rdev->data_offset),
29771 - else if (atomic_read(&rdev->read_errors)
29772 + else if (atomic_read_unchecked(&rdev->read_errors)
29773 > conf->max_nr_stripes)
29774 printk(KERN_WARNING
29775 "md/raid:%s: Too many read errors, failing device %s.\n",
29776 @@ -1953,6 +1953,7 @@ static sector_t compute_blocknr(struct s
29778 struct stripe_head sh2;
29780 + pax_track_stack();
29782 chunk_offset = sector_div(new_sector, sectors_per_chunk);
29783 stripe = new_sector;
29784 diff -urNp linux-2.6.38.6/drivers/media/common/saa7146_hlp.c linux-2.6.38.6/drivers/media/common/saa7146_hlp.c
29785 --- linux-2.6.38.6/drivers/media/common/saa7146_hlp.c 2011-03-14 21:20:32.000000000 -0400
29786 +++ linux-2.6.38.6/drivers/media/common/saa7146_hlp.c 2011-05-16 21:47:08.000000000 -0400
29787 @@ -353,6 +353,8 @@ static void calculate_clipping_registers
29789 int x[32], y[32], w[32], h[32];
29791 + pax_track_stack();
29793 /* clear out memory */
29794 memset(&line_list[0], 0x00, sizeof(u32)*32);
29795 memset(&pixel_list[0], 0x00, sizeof(u32)*32);
29796 diff -urNp linux-2.6.38.6/drivers/media/dvb/dvb-core/dvb_ca_en50221.c linux-2.6.38.6/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
29797 --- linux-2.6.38.6/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-03-14 21:20:32.000000000 -0400
29798 +++ linux-2.6.38.6/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-05-16 21:47:08.000000000 -0400
29799 @@ -590,6 +590,8 @@ static int dvb_ca_en50221_read_data(stru
29800 u8 buf[HOST_LINK_BUF_SIZE];
29803 + pax_track_stack();
29805 dprintk("%s\n", __func__);
29807 /* check if we have space for a link buf in the rx_buffer */
29808 @@ -1285,6 +1287,8 @@ static ssize_t dvb_ca_en50221_io_write(s
29809 unsigned long timeout;
29812 + pax_track_stack();
29814 dprintk("%s\n", __func__);
29816 /* Incoming packet has a 2 byte header. hdr[0] = slot_id, hdr[1] = connection_id */
29817 diff -urNp linux-2.6.38.6/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.38.6/drivers/media/dvb/dvb-core/dvbdev.c
29818 --- linux-2.6.38.6/drivers/media/dvb/dvb-core/dvbdev.c 2011-03-14 21:20:32.000000000 -0400
29819 +++ linux-2.6.38.6/drivers/media/dvb/dvb-core/dvbdev.c 2011-04-28 19:34:15.000000000 -0400
29820 @@ -192,7 +192,7 @@ int dvb_register_device(struct dvb_adapt
29821 const struct dvb_device *template, void *priv, int type)
29823 struct dvb_device *dvbdev;
29824 - struct file_operations *dvbdevfops;
29825 + struct file_operations *dvbdevfops; /* cannot be const, see this function */
29826 struct device *clsdev;
29829 diff -urNp linux-2.6.38.6/drivers/media/dvb/dvb-usb/dib0700_core.c linux-2.6.38.6/drivers/media/dvb/dvb-usb/dib0700_core.c
29830 --- linux-2.6.38.6/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-03-14 21:20:32.000000000 -0400
29831 +++ linux-2.6.38.6/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-05-16 21:47:08.000000000 -0400
29832 @@ -366,6 +366,8 @@ int dib0700_download_firmware(struct usb
29836 + pax_track_stack();
29838 while ((ret = dvb_usb_get_hexline(fw, &hx, &pos)) > 0) {
29839 deb_fwdata("writing to address 0x%08x (buffer: 0x%02x %02x)\n",
29840 hx.addr, hx.len, hx.chk);
29841 diff -urNp linux-2.6.38.6/drivers/media/dvb/dvb-usb/lmedm04.c linux-2.6.38.6/drivers/media/dvb/dvb-usb/lmedm04.c
29842 --- linux-2.6.38.6/drivers/media/dvb/dvb-usb/lmedm04.c 2011-03-14 21:20:32.000000000 -0400
29843 +++ linux-2.6.38.6/drivers/media/dvb/dvb-usb/lmedm04.c 2011-05-16 21:47:08.000000000 -0400
29844 @@ -611,6 +611,7 @@ static int lme2510_download_firmware(str
29845 packet_size = 0x31;
29848 + pax_track_stack();
29850 info("FRM Starting Firmware Download");
29852 @@ -666,6 +667,8 @@ static void lme_coldreset(struct usb_dev
29853 int ret = 0, len_in;
29854 u8 data[512] = {0};
29856 + pax_track_stack();
29860 info("FRM Firmware Cold Reset");
29861 diff -urNp linux-2.6.38.6/drivers/media/dvb/frontends/mb86a16.c linux-2.6.38.6/drivers/media/dvb/frontends/mb86a16.c
29862 --- linux-2.6.38.6/drivers/media/dvb/frontends/mb86a16.c 2011-03-14 21:20:32.000000000 -0400
29863 +++ linux-2.6.38.6/drivers/media/dvb/frontends/mb86a16.c 2011-05-16 21:47:08.000000000 -0400
29864 @@ -1060,6 +1060,8 @@ static int mb86a16_set_fe(struct mb86a16
29868 + pax_track_stack();
29870 dprintk(verbose, MB86A16_INFO, 1, "freq=%d Mhz, symbrt=%d Ksps", state->frequency, state->srate);
29873 diff -urNp linux-2.6.38.6/drivers/media/dvb/frontends/or51211.c linux-2.6.38.6/drivers/media/dvb/frontends/or51211.c
29874 --- linux-2.6.38.6/drivers/media/dvb/frontends/or51211.c 2011-03-14 21:20:32.000000000 -0400
29875 +++ linux-2.6.38.6/drivers/media/dvb/frontends/or51211.c 2011-05-16 21:47:08.000000000 -0400
29876 @@ -113,6 +113,8 @@ static int or51211_load_firmware (struct
29880 + pax_track_stack();
29882 dprintk("Firmware is %zd bytes\n",fw->size);
29884 /* Get eprom data */
29885 diff -urNp linux-2.6.38.6/drivers/media/radio/radio-cadet.c linux-2.6.38.6/drivers/media/radio/radio-cadet.c
29886 --- linux-2.6.38.6/drivers/media/radio/radio-cadet.c 2011-03-14 21:20:32.000000000 -0400
29887 +++ linux-2.6.38.6/drivers/media/radio/radio-cadet.c 2011-04-28 19:34:15.000000000 -0400
29888 @@ -349,7 +349,7 @@ static ssize_t cadet_read(struct file *f
29889 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
29890 mutex_unlock(&dev->lock);
29892 - if (copy_to_user(data, readbuf, i))
29893 + if (i > sizeof readbuf || copy_to_user(data, readbuf, i))
29897 diff -urNp linux-2.6.38.6/drivers/media/rc/ir-lirc-codec.c linux-2.6.38.6/drivers/media/rc/ir-lirc-codec.c
29898 --- linux-2.6.38.6/drivers/media/rc/ir-lirc-codec.c 2011-03-14 21:20:32.000000000 -0400
29899 +++ linux-2.6.38.6/drivers/media/rc/ir-lirc-codec.c 2011-04-28 19:34:15.000000000 -0400
29900 @@ -277,7 +277,7 @@ static void ir_lirc_close(void *data)
29904 -static struct file_operations lirc_fops = {
29905 +static const struct file_operations lirc_fops = {
29906 .owner = THIS_MODULE,
29907 .write = ir_lirc_transmit_ir,
29908 .unlocked_ioctl = ir_lirc_ioctl,
29909 diff -urNp linux-2.6.38.6/drivers/media/rc/lirc_dev.c linux-2.6.38.6/drivers/media/rc/lirc_dev.c
29910 --- linux-2.6.38.6/drivers/media/rc/lirc_dev.c 2011-03-14 21:20:32.000000000 -0400
29911 +++ linux-2.6.38.6/drivers/media/rc/lirc_dev.c 2011-04-28 19:34:15.000000000 -0400
29912 @@ -151,7 +151,7 @@ static int lirc_thread(void *irctl)
29916 -static struct file_operations lirc_dev_fops = {
29917 +static const struct file_operations lirc_dev_fops = {
29918 .owner = THIS_MODULE,
29919 .read = lirc_dev_fop_read,
29920 .write = lirc_dev_fop_write,
29921 diff -urNp linux-2.6.38.6/drivers/media/rc/rc-main.c linux-2.6.38.6/drivers/media/rc/rc-main.c
29922 --- linux-2.6.38.6/drivers/media/rc/rc-main.c 2011-03-14 21:20:32.000000000 -0400
29923 +++ linux-2.6.38.6/drivers/media/rc/rc-main.c 2011-04-28 19:57:25.000000000 -0400
29924 @@ -994,7 +994,7 @@ EXPORT_SYMBOL_GPL(rc_free_device);
29926 int rc_register_device(struct rc_dev *dev)
29928 - static atomic_t devno = ATOMIC_INIT(0);
29929 + static atomic_unchecked_t devno = ATOMIC_INIT(0);
29930 struct rc_map *rc_map;
29933 @@ -1017,7 +1017,7 @@ int rc_register_device(struct rc_dev *de
29935 dev->input_dev->close = ir_close;
29937 - dev->devno = (unsigned long)(atomic_inc_return(&devno) - 1);
29938 + dev->devno = (unsigned long)(atomic_inc_return_unchecked(&devno) - 1);
29939 dev_set_name(&dev->dev, "rc%ld", dev->devno);
29940 dev_set_drvdata(&dev->dev, dev);
29941 rc = device_add(&dev->dev);
29942 diff -urNp linux-2.6.38.6/drivers/media/video/cx18/cx18-driver.c linux-2.6.38.6/drivers/media/video/cx18/cx18-driver.c
29943 --- linux-2.6.38.6/drivers/media/video/cx18/cx18-driver.c 2011-03-14 21:20:32.000000000 -0400
29944 +++ linux-2.6.38.6/drivers/media/video/cx18/cx18-driver.c 2011-05-16 21:47:08.000000000 -0400
29945 @@ -60,7 +60,7 @@ static struct pci_device_id cx18_pci_tbl
29947 MODULE_DEVICE_TABLE(pci, cx18_pci_tbl);
29949 -static atomic_t cx18_instance = ATOMIC_INIT(0);
29950 +static atomic_unchecked_t cx18_instance = ATOMIC_INIT(0);
29952 /* Parameter declarations */
29953 static int cardtype[CX18_MAX_CARDS];
29954 @@ -326,6 +326,8 @@ void cx18_read_eeprom(struct cx18 *cx, s
29955 struct i2c_client c;
29958 + pax_track_stack();
29960 memset(&c, 0, sizeof(c));
29961 strlcpy(c.name, "cx18 tveeprom tmp", sizeof(c.name));
29962 c.adapter = &cx->i2c_adap[0];
29963 @@ -884,7 +886,7 @@ static int __devinit cx18_probe(struct p
29966 /* FIXME - module parameter arrays constrain max instances */
29967 - i = atomic_inc_return(&cx18_instance) - 1;
29968 + i = atomic_inc_return_unchecked(&cx18_instance) - 1;
29969 if (i >= CX18_MAX_CARDS) {
29970 printk(KERN_ERR "cx18: cannot manage card %d, driver has a "
29971 "limit of 0 - %d\n", i, CX18_MAX_CARDS - 1);
29972 diff -urNp linux-2.6.38.6/drivers/media/video/cx23885/cx23885-input.c linux-2.6.38.6/drivers/media/video/cx23885/cx23885-input.c
29973 --- linux-2.6.38.6/drivers/media/video/cx23885/cx23885-input.c 2011-03-14 21:20:32.000000000 -0400
29974 +++ linux-2.6.38.6/drivers/media/video/cx23885/cx23885-input.c 2011-05-16 21:47:08.000000000 -0400
29975 @@ -53,6 +53,8 @@ static void cx23885_input_process_measur
29976 bool handle = false;
29977 struct ir_raw_event ir_core_event[64];
29979 + pax_track_stack();
29983 v4l2_subdev_call(dev->sd_ir, ir, rx_read, (u8 *) ir_core_event,
29984 diff -urNp linux-2.6.38.6/drivers/media/video/ivtv/ivtv-driver.c linux-2.6.38.6/drivers/media/video/ivtv/ivtv-driver.c
29985 --- linux-2.6.38.6/drivers/media/video/ivtv/ivtv-driver.c 2011-03-14 21:20:32.000000000 -0400
29986 +++ linux-2.6.38.6/drivers/media/video/ivtv/ivtv-driver.c 2011-04-28 19:57:25.000000000 -0400
29987 @@ -80,7 +80,7 @@ static struct pci_device_id ivtv_pci_tbl
29988 MODULE_DEVICE_TABLE(pci,ivtv_pci_tbl);
29990 /* ivtv instance counter */
29991 -static atomic_t ivtv_instance = ATOMIC_INIT(0);
29992 +static atomic_unchecked_t ivtv_instance = ATOMIC_INIT(0);
29994 /* Parameter declarations */
29995 static int cardtype[IVTV_MAX_CARDS];
29996 diff -urNp linux-2.6.38.6/drivers/media/video/omap24xxcam.c linux-2.6.38.6/drivers/media/video/omap24xxcam.c
29997 --- linux-2.6.38.6/drivers/media/video/omap24xxcam.c 2011-03-14 21:20:32.000000000 -0400
29998 +++ linux-2.6.38.6/drivers/media/video/omap24xxcam.c 2011-04-28 19:57:25.000000000 -0400
29999 @@ -402,7 +402,7 @@ static void omap24xxcam_vbq_complete(str
30000 spin_unlock_irqrestore(&cam->core_enable_disable_lock, flags);
30002 do_gettimeofday(&vb->ts);
30003 - vb->field_count = atomic_add_return(2, &fh->field_count);
30004 + vb->field_count = atomic_add_return_unchecked(2, &fh->field_count);
30005 if (csr & csr_error) {
30006 vb->state = VIDEOBUF_ERROR;
30007 if (!atomic_read(&fh->cam->in_reset)) {
30008 diff -urNp linux-2.6.38.6/drivers/media/video/omap24xxcam.h linux-2.6.38.6/drivers/media/video/omap24xxcam.h
30009 --- linux-2.6.38.6/drivers/media/video/omap24xxcam.h 2011-03-14 21:20:32.000000000 -0400
30010 +++ linux-2.6.38.6/drivers/media/video/omap24xxcam.h 2011-04-28 19:57:25.000000000 -0400
30011 @@ -533,7 +533,7 @@ struct omap24xxcam_fh {
30012 spinlock_t vbq_lock; /* spinlock for the videobuf queue */
30013 struct videobuf_queue vbq;
30014 struct v4l2_pix_format pix; /* serialise pix by vbq->lock */
30015 - atomic_t field_count; /* field counter for videobuf_buffer */
30016 + atomic_unchecked_t field_count; /* field counter for videobuf_buffer */
30017 /* accessing cam here doesn't need serialisation: it's constant */
30018 struct omap24xxcam_device *cam;
30020 diff -urNp linux-2.6.38.6/drivers/media/video/pvrusb2/pvrusb2-eeprom.c linux-2.6.38.6/drivers/media/video/pvrusb2/pvrusb2-eeprom.c
30021 --- linux-2.6.38.6/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-03-14 21:20:32.000000000 -0400
30022 +++ linux-2.6.38.6/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-05-16 21:47:08.000000000 -0400
30023 @@ -120,6 +120,8 @@ int pvr2_eeprom_analyze(struct pvr2_hdw
30025 struct tveeprom tvdata;
30027 + pax_track_stack();
30029 memset(&tvdata,0,sizeof(tvdata));
30031 eeprom = pvr2_eeprom_fetch(hdw);
30032 diff -urNp linux-2.6.38.6/drivers/media/video/saa7134/saa6752hs.c linux-2.6.38.6/drivers/media/video/saa7134/saa6752hs.c
30033 --- linux-2.6.38.6/drivers/media/video/saa7134/saa6752hs.c 2011-03-14 21:20:32.000000000 -0400
30034 +++ linux-2.6.38.6/drivers/media/video/saa7134/saa6752hs.c 2011-05-16 21:47:08.000000000 -0400
30035 @@ -682,6 +682,8 @@ static int saa6752hs_init(struct v4l2_su
30036 unsigned char localPAT[256];
30037 unsigned char localPMT[256];
30039 + pax_track_stack();
30041 /* Set video format - must be done first as it resets other settings */
30042 set_reg8(client, 0x41, h->video_format);
30044 diff -urNp linux-2.6.38.6/drivers/media/video/saa7164/saa7164-cmd.c linux-2.6.38.6/drivers/media/video/saa7164/saa7164-cmd.c
30045 --- linux-2.6.38.6/drivers/media/video/saa7164/saa7164-cmd.c 2011-03-14 21:20:32.000000000 -0400
30046 +++ linux-2.6.38.6/drivers/media/video/saa7164/saa7164-cmd.c 2011-05-16 21:47:08.000000000 -0400
30047 @@ -88,6 +88,8 @@ int saa7164_irq_dequeue(struct saa7164_d
30049 dprintk(DBGLVL_CMD, "%s()\n", __func__);
30051 + pax_track_stack();
30053 /* While any outstand message on the bus exists... */
30056 @@ -141,6 +143,8 @@ int saa7164_cmd_dequeue(struct saa7164_d
30058 dprintk(DBGLVL_CMD, "%s()\n", __func__);
30060 + pax_track_stack();
30064 struct tmComResInfo tRsp = { 0, 0, 0, 0, 0, 0 };
30065 diff -urNp linux-2.6.38.6/drivers/media/video/usbvision/usbvision-core.c linux-2.6.38.6/drivers/media/video/usbvision/usbvision-core.c
30066 --- linux-2.6.38.6/drivers/media/video/usbvision/usbvision-core.c 2011-03-14 21:20:32.000000000 -0400
30067 +++ linux-2.6.38.6/drivers/media/video/usbvision/usbvision-core.c 2011-05-16 21:47:08.000000000 -0400
30068 @@ -799,6 +799,8 @@ static enum parse_state usbvision_parse_
30069 unsigned char rv, gv, bv;
30070 static unsigned char *Y, *U, *V;
30072 + pax_track_stack();
30074 frame = usbvision->cur_frame;
30075 image_size = frame->frmwidth * frame->frmheight;
30076 if ((frame->v4l2_format.format == V4L2_PIX_FMT_YUV422P) ||
30077 diff -urNp linux-2.6.38.6/drivers/media/video/v4l2-device.c linux-2.6.38.6/drivers/media/video/v4l2-device.c
30078 --- linux-2.6.38.6/drivers/media/video/v4l2-device.c 2011-03-14 21:20:32.000000000 -0400
30079 +++ linux-2.6.38.6/drivers/media/video/v4l2-device.c 2011-04-28 19:57:25.000000000 -0400
30080 @@ -55,9 +55,9 @@ int v4l2_device_register(struct device *
30081 EXPORT_SYMBOL_GPL(v4l2_device_register);
30083 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
30084 - atomic_t *instance)
30085 + atomic_unchecked_t *instance)
30087 - int num = atomic_inc_return(instance) - 1;
30088 + int num = atomic_inc_return_unchecked(instance) - 1;
30089 int len = strlen(basename);
30091 if (basename[len - 1] >= '0' && basename[len - 1] <= '9')
30092 diff -urNp linux-2.6.38.6/drivers/media/video/videobuf-dma-sg.c linux-2.6.38.6/drivers/media/video/videobuf-dma-sg.c
30093 --- linux-2.6.38.6/drivers/media/video/videobuf-dma-sg.c 2011-03-14 21:20:32.000000000 -0400
30094 +++ linux-2.6.38.6/drivers/media/video/videobuf-dma-sg.c 2011-05-16 21:47:08.000000000 -0400
30095 @@ -606,6 +606,8 @@ void *videobuf_sg_alloc(size_t size)
30097 struct videobuf_queue q;
30099 + pax_track_stack();
30101 /* Required to make generic handler to call __videobuf_alloc */
30102 q.int_ops = &sg_ops;
30104 diff -urNp linux-2.6.38.6/drivers/message/fusion/mptbase.c linux-2.6.38.6/drivers/message/fusion/mptbase.c
30105 --- linux-2.6.38.6/drivers/message/fusion/mptbase.c 2011-03-14 21:20:32.000000000 -0400
30106 +++ linux-2.6.38.6/drivers/message/fusion/mptbase.c 2011-04-28 19:34:15.000000000 -0400
30107 @@ -6683,8 +6683,13 @@ static int mpt_iocinfo_proc_show(struct
30108 seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
30109 seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
30111 +#ifdef CONFIG_GRKERNSEC_HIDESYM
30112 + seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
30114 seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
30115 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
30119 * Rounding UP to nearest 4-kB boundary here...
30121 diff -urNp linux-2.6.38.6/drivers/message/fusion/mptsas.c linux-2.6.38.6/drivers/message/fusion/mptsas.c
30122 --- linux-2.6.38.6/drivers/message/fusion/mptsas.c 2011-03-14 21:20:32.000000000 -0400
30123 +++ linux-2.6.38.6/drivers/message/fusion/mptsas.c 2011-04-28 19:34:15.000000000 -0400
30124 @@ -439,6 +439,23 @@ mptsas_is_end_device(struct mptsas_devin
30128 +static inline void
30129 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
30131 + if (phy_info->port_details) {
30132 + phy_info->port_details->rphy = rphy;
30133 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
30134 + ioc->name, rphy));
30138 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
30139 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
30140 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
30141 + ioc->name, rphy, rphy->dev.release));
30147 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
30148 @@ -477,23 +494,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
30152 -static inline void
30153 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
30155 - if (phy_info->port_details) {
30156 - phy_info->port_details->rphy = rphy;
30157 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
30158 - ioc->name, rphy));
30162 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
30163 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
30164 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
30165 - ioc->name, rphy, rphy->dev.release));
30169 static inline struct sas_port *
30170 mptsas_get_port(struct mptsas_phyinfo *phy_info)
30172 diff -urNp linux-2.6.38.6/drivers/message/fusion/mptscsih.c linux-2.6.38.6/drivers/message/fusion/mptscsih.c
30173 --- linux-2.6.38.6/drivers/message/fusion/mptscsih.c 2011-03-14 21:20:32.000000000 -0400
30174 +++ linux-2.6.38.6/drivers/message/fusion/mptscsih.c 2011-04-28 19:34:15.000000000 -0400
30175 @@ -1268,15 +1268,16 @@ mptscsih_info(struct Scsi_Host *SChost)
30177 h = shost_priv(SChost);
30180 - if (h->info_kbuf == NULL)
30181 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
30182 - return h->info_kbuf;
30183 - h->info_kbuf[0] = '\0';
30187 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
30188 - h->info_kbuf[size-1] = '\0';
30190 + if (h->info_kbuf == NULL)
30191 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
30192 + return h->info_kbuf;
30193 + h->info_kbuf[0] = '\0';
30195 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
30196 + h->info_kbuf[size-1] = '\0';
30198 return h->info_kbuf;
30200 diff -urNp linux-2.6.38.6/drivers/message/i2o/i2o_config.c linux-2.6.38.6/drivers/message/i2o/i2o_config.c
30201 --- linux-2.6.38.6/drivers/message/i2o/i2o_config.c 2011-03-14 21:20:32.000000000 -0400
30202 +++ linux-2.6.38.6/drivers/message/i2o/i2o_config.c 2011-05-16 21:47:08.000000000 -0400
30203 @@ -781,6 +781,8 @@ static int i2o_cfg_passthru(unsigned lon
30204 struct i2o_message *msg;
30207 + pax_track_stack();
30209 if (get_user(iop, &cmd->iop) || get_user(user_msg, &cmd->msg))
30212 diff -urNp linux-2.6.38.6/drivers/message/i2o/i2o_proc.c linux-2.6.38.6/drivers/message/i2o/i2o_proc.c
30213 --- linux-2.6.38.6/drivers/message/i2o/i2o_proc.c 2011-03-14 21:20:32.000000000 -0400
30214 +++ linux-2.6.38.6/drivers/message/i2o/i2o_proc.c 2011-04-28 19:34:15.000000000 -0400
30215 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
30216 "Array Controller Device"
30219 -static char *chtostr(u8 * chars, int n)
30223 - return strncat(tmp, (char *)chars, n);
30226 static int i2o_report_query_status(struct seq_file *seq, int block_status,
30229 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
30231 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
30232 seq_printf(seq, "%-#8x", ddm_table.module_id);
30233 - seq_printf(seq, "%-29s",
30234 - chtostr(ddm_table.module_name_version, 28));
30235 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
30236 seq_printf(seq, "%9d ", ddm_table.data_size);
30237 seq_printf(seq, "%8d", ddm_table.code_size);
30239 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
30241 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
30242 seq_printf(seq, "%-#8x", dst->module_id);
30243 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
30244 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
30245 + seq_printf(seq, "%-.28s", dst->module_name_version);
30246 + seq_printf(seq, "%-.8s", dst->date);
30247 seq_printf(seq, "%8d ", dst->module_size);
30248 seq_printf(seq, "%8d ", dst->mpb_size);
30249 seq_printf(seq, "0x%04x", dst->module_flags);
30250 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
30251 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
30252 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
30253 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
30254 - seq_printf(seq, "Vendor info : %s\n",
30255 - chtostr((u8 *) (work32 + 2), 16));
30256 - seq_printf(seq, "Product info : %s\n",
30257 - chtostr((u8 *) (work32 + 6), 16));
30258 - seq_printf(seq, "Description : %s\n",
30259 - chtostr((u8 *) (work32 + 10), 16));
30260 - seq_printf(seq, "Product rev. : %s\n",
30261 - chtostr((u8 *) (work32 + 14), 8));
30262 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
30263 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
30264 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
30265 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
30267 seq_printf(seq, "Serial number : ");
30268 print_serial_number(seq, (u8 *) (work32 + 16),
30269 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
30272 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
30273 - seq_printf(seq, "Module name : %s\n",
30274 - chtostr(result.module_name, 24));
30275 - seq_printf(seq, "Module revision : %s\n",
30276 - chtostr(result.module_rev, 8));
30277 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
30278 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
30280 seq_printf(seq, "Serial number : ");
30281 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
30282 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
30286 - seq_printf(seq, "Device name : %s\n",
30287 - chtostr(result.device_name, 64));
30288 - seq_printf(seq, "Service name : %s\n",
30289 - chtostr(result.service_name, 64));
30290 - seq_printf(seq, "Physical name : %s\n",
30291 - chtostr(result.physical_location, 64));
30292 - seq_printf(seq, "Instance number : %s\n",
30293 - chtostr(result.instance_number, 4));
30294 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
30295 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
30296 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
30297 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
30301 diff -urNp linux-2.6.38.6/drivers/message/i2o/iop.c linux-2.6.38.6/drivers/message/i2o/iop.c
30302 --- linux-2.6.38.6/drivers/message/i2o/iop.c 2011-03-14 21:20:32.000000000 -0400
30303 +++ linux-2.6.38.6/drivers/message/i2o/iop.c 2011-04-28 19:57:25.000000000 -0400
30304 @@ -111,10 +111,10 @@ u32 i2o_cntxt_list_add(struct i2o_contro
30306 spin_lock_irqsave(&c->context_list_lock, flags);
30308 - if (unlikely(atomic_inc_and_test(&c->context_list_counter)))
30309 - atomic_inc(&c->context_list_counter);
30310 + if (unlikely(atomic_inc_and_test_unchecked(&c->context_list_counter)))
30311 + atomic_inc_unchecked(&c->context_list_counter);
30313 - entry->context = atomic_read(&c->context_list_counter);
30314 + entry->context = atomic_read_unchecked(&c->context_list_counter);
30316 list_add(&entry->list, &c->context_list);
30318 @@ -1077,7 +1077,7 @@ struct i2o_controller *i2o_iop_alloc(voi
30320 #if BITS_PER_LONG == 64
30321 spin_lock_init(&c->context_list_lock);
30322 - atomic_set(&c->context_list_counter, 0);
30323 + atomic_set_unchecked(&c->context_list_counter, 0);
30324 INIT_LIST_HEAD(&c->context_list);
30327 diff -urNp linux-2.6.38.6/drivers/mfd/janz-cmodio.c linux-2.6.38.6/drivers/mfd/janz-cmodio.c
30328 --- linux-2.6.38.6/drivers/mfd/janz-cmodio.c 2011-03-14 21:20:32.000000000 -0400
30329 +++ linux-2.6.38.6/drivers/mfd/janz-cmodio.c 2011-04-28 19:34:15.000000000 -0400
30332 #include <linux/kernel.h>
30333 #include <linux/module.h>
30334 +#include <linux/slab.h>
30335 #include <linux/init.h>
30336 #include <linux/pci.h>
30337 #include <linux/interrupt.h>
30338 diff -urNp linux-2.6.38.6/drivers/mfd/wm8350-i2c.c linux-2.6.38.6/drivers/mfd/wm8350-i2c.c
30339 --- linux-2.6.38.6/drivers/mfd/wm8350-i2c.c 2011-03-14 21:20:32.000000000 -0400
30340 +++ linux-2.6.38.6/drivers/mfd/wm8350-i2c.c 2011-05-16 21:47:08.000000000 -0400
30341 @@ -44,6 +44,8 @@ static int wm8350_i2c_write_device(struc
30342 u8 msg[(WM8350_MAX_REGISTER << 1) + 1];
30345 + pax_track_stack();
30347 if (bytes > ((WM8350_MAX_REGISTER << 1) + 1))
30350 diff -urNp linux-2.6.38.6/drivers/misc/kgdbts.c linux-2.6.38.6/drivers/misc/kgdbts.c
30351 --- linux-2.6.38.6/drivers/misc/kgdbts.c 2011-03-14 21:20:32.000000000 -0400
30352 +++ linux-2.6.38.6/drivers/misc/kgdbts.c 2011-04-28 19:34:15.000000000 -0400
30353 @@ -118,7 +118,7 @@
30355 #define MAX_CONFIG_LEN 40
30357 -static struct kgdb_io kgdbts_io_ops;
30358 +static const struct kgdb_io kgdbts_io_ops;
30359 static char get_buf[BUFMAX];
30360 static int get_buf_cnt;
30361 static char put_buf[BUFMAX];
30362 @@ -1103,7 +1103,7 @@ static void kgdbts_post_exp_handler(void
30363 module_put(THIS_MODULE);
30366 -static struct kgdb_io kgdbts_io_ops = {
30367 +static const struct kgdb_io kgdbts_io_ops = {
30369 .read_char = kgdbts_get_char,
30370 .write_char = kgdbts_put_char,
30371 diff -urNp linux-2.6.38.6/drivers/misc/sgi-gru/gruhandles.c linux-2.6.38.6/drivers/misc/sgi-gru/gruhandles.c
30372 --- linux-2.6.38.6/drivers/misc/sgi-gru/gruhandles.c 2011-03-14 21:20:32.000000000 -0400
30373 +++ linux-2.6.38.6/drivers/misc/sgi-gru/gruhandles.c 2011-04-28 19:34:15.000000000 -0400
30374 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
30375 unsigned long nsec;
30377 nsec = CLKS2NSEC(clks);
30378 - atomic_long_inc(&mcs_op_statistics[op].count);
30379 - atomic_long_add(nsec, &mcs_op_statistics[op].total);
30380 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
30381 + atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
30382 if (mcs_op_statistics[op].max < nsec)
30383 mcs_op_statistics[op].max = nsec;
30385 diff -urNp linux-2.6.38.6/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.38.6/drivers/misc/sgi-gru/gruprocfs.c
30386 --- linux-2.6.38.6/drivers/misc/sgi-gru/gruprocfs.c 2011-03-14 21:20:32.000000000 -0400
30387 +++ linux-2.6.38.6/drivers/misc/sgi-gru/gruprocfs.c 2011-04-28 19:34:15.000000000 -0400
30390 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
30392 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
30393 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
30395 - unsigned long val = atomic_long_read(v);
30396 + unsigned long val = atomic_long_read_unchecked(v);
30398 seq_printf(s, "%16lu %s\n", val, id);
30400 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
30402 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
30403 for (op = 0; op < mcsop_last; op++) {
30404 - count = atomic_long_read(&mcs_op_statistics[op].count);
30405 - total = atomic_long_read(&mcs_op_statistics[op].total);
30406 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
30407 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
30408 max = mcs_op_statistics[op].max;
30409 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
30410 count ? total / count : 0, max);
30411 diff -urNp linux-2.6.38.6/drivers/misc/sgi-gru/grutables.h linux-2.6.38.6/drivers/misc/sgi-gru/grutables.h
30412 --- linux-2.6.38.6/drivers/misc/sgi-gru/grutables.h 2011-03-14 21:20:32.000000000 -0400
30413 +++ linux-2.6.38.6/drivers/misc/sgi-gru/grutables.h 2011-04-28 19:34:15.000000000 -0400
30414 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
30417 struct gru_stats_s {
30418 - atomic_long_t vdata_alloc;
30419 - atomic_long_t vdata_free;
30420 - atomic_long_t gts_alloc;
30421 - atomic_long_t gts_free;
30422 - atomic_long_t gms_alloc;
30423 - atomic_long_t gms_free;
30424 - atomic_long_t gts_double_allocate;
30425 - atomic_long_t assign_context;
30426 - atomic_long_t assign_context_failed;
30427 - atomic_long_t free_context;
30428 - atomic_long_t load_user_context;
30429 - atomic_long_t load_kernel_context;
30430 - atomic_long_t lock_kernel_context;
30431 - atomic_long_t unlock_kernel_context;
30432 - atomic_long_t steal_user_context;
30433 - atomic_long_t steal_kernel_context;
30434 - atomic_long_t steal_context_failed;
30435 - atomic_long_t nopfn;
30436 - atomic_long_t asid_new;
30437 - atomic_long_t asid_next;
30438 - atomic_long_t asid_wrap;
30439 - atomic_long_t asid_reuse;
30440 - atomic_long_t intr;
30441 - atomic_long_t intr_cbr;
30442 - atomic_long_t intr_tfh;
30443 - atomic_long_t intr_spurious;
30444 - atomic_long_t intr_mm_lock_failed;
30445 - atomic_long_t call_os;
30446 - atomic_long_t call_os_wait_queue;
30447 - atomic_long_t user_flush_tlb;
30448 - atomic_long_t user_unload_context;
30449 - atomic_long_t user_exception;
30450 - atomic_long_t set_context_option;
30451 - atomic_long_t check_context_retarget_intr;
30452 - atomic_long_t check_context_unload;
30453 - atomic_long_t tlb_dropin;
30454 - atomic_long_t tlb_preload_page;
30455 - atomic_long_t tlb_dropin_fail_no_asid;
30456 - atomic_long_t tlb_dropin_fail_upm;
30457 - atomic_long_t tlb_dropin_fail_invalid;
30458 - atomic_long_t tlb_dropin_fail_range_active;
30459 - atomic_long_t tlb_dropin_fail_idle;
30460 - atomic_long_t tlb_dropin_fail_fmm;
30461 - atomic_long_t tlb_dropin_fail_no_exception;
30462 - atomic_long_t tfh_stale_on_fault;
30463 - atomic_long_t mmu_invalidate_range;
30464 - atomic_long_t mmu_invalidate_page;
30465 - atomic_long_t flush_tlb;
30466 - atomic_long_t flush_tlb_gru;
30467 - atomic_long_t flush_tlb_gru_tgh;
30468 - atomic_long_t flush_tlb_gru_zero_asid;
30470 - atomic_long_t copy_gpa;
30471 - atomic_long_t read_gpa;
30473 - atomic_long_t mesq_receive;
30474 - atomic_long_t mesq_receive_none;
30475 - atomic_long_t mesq_send;
30476 - atomic_long_t mesq_send_failed;
30477 - atomic_long_t mesq_noop;
30478 - atomic_long_t mesq_send_unexpected_error;
30479 - atomic_long_t mesq_send_lb_overflow;
30480 - atomic_long_t mesq_send_qlimit_reached;
30481 - atomic_long_t mesq_send_amo_nacked;
30482 - atomic_long_t mesq_send_put_nacked;
30483 - atomic_long_t mesq_page_overflow;
30484 - atomic_long_t mesq_qf_locked;
30485 - atomic_long_t mesq_qf_noop_not_full;
30486 - atomic_long_t mesq_qf_switch_head_failed;
30487 - atomic_long_t mesq_qf_unexpected_error;
30488 - atomic_long_t mesq_noop_unexpected_error;
30489 - atomic_long_t mesq_noop_lb_overflow;
30490 - atomic_long_t mesq_noop_qlimit_reached;
30491 - atomic_long_t mesq_noop_amo_nacked;
30492 - atomic_long_t mesq_noop_put_nacked;
30493 - atomic_long_t mesq_noop_page_overflow;
30494 + atomic_long_unchecked_t vdata_alloc;
30495 + atomic_long_unchecked_t vdata_free;
30496 + atomic_long_unchecked_t gts_alloc;
30497 + atomic_long_unchecked_t gts_free;
30498 + atomic_long_unchecked_t gms_alloc;
30499 + atomic_long_unchecked_t gms_free;
30500 + atomic_long_unchecked_t gts_double_allocate;
30501 + atomic_long_unchecked_t assign_context;
30502 + atomic_long_unchecked_t assign_context_failed;
30503 + atomic_long_unchecked_t free_context;
30504 + atomic_long_unchecked_t load_user_context;
30505 + atomic_long_unchecked_t load_kernel_context;
30506 + atomic_long_unchecked_t lock_kernel_context;
30507 + atomic_long_unchecked_t unlock_kernel_context;
30508 + atomic_long_unchecked_t steal_user_context;
30509 + atomic_long_unchecked_t steal_kernel_context;
30510 + atomic_long_unchecked_t steal_context_failed;
30511 + atomic_long_unchecked_t nopfn;
30512 + atomic_long_unchecked_t asid_new;
30513 + atomic_long_unchecked_t asid_next;
30514 + atomic_long_unchecked_t asid_wrap;
30515 + atomic_long_unchecked_t asid_reuse;
30516 + atomic_long_unchecked_t intr;
30517 + atomic_long_unchecked_t intr_cbr;
30518 + atomic_long_unchecked_t intr_tfh;
30519 + atomic_long_unchecked_t intr_spurious;
30520 + atomic_long_unchecked_t intr_mm_lock_failed;
30521 + atomic_long_unchecked_t call_os;
30522 + atomic_long_unchecked_t call_os_wait_queue;
30523 + atomic_long_unchecked_t user_flush_tlb;
30524 + atomic_long_unchecked_t user_unload_context;
30525 + atomic_long_unchecked_t user_exception;
30526 + atomic_long_unchecked_t set_context_option;
30527 + atomic_long_unchecked_t check_context_retarget_intr;
30528 + atomic_long_unchecked_t check_context_unload;
30529 + atomic_long_unchecked_t tlb_dropin;
30530 + atomic_long_unchecked_t tlb_preload_page;
30531 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
30532 + atomic_long_unchecked_t tlb_dropin_fail_upm;
30533 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
30534 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
30535 + atomic_long_unchecked_t tlb_dropin_fail_idle;
30536 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
30537 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
30538 + atomic_long_unchecked_t tfh_stale_on_fault;
30539 + atomic_long_unchecked_t mmu_invalidate_range;
30540 + atomic_long_unchecked_t mmu_invalidate_page;
30541 + atomic_long_unchecked_t flush_tlb;
30542 + atomic_long_unchecked_t flush_tlb_gru;
30543 + atomic_long_unchecked_t flush_tlb_gru_tgh;
30544 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
30546 + atomic_long_unchecked_t copy_gpa;
30547 + atomic_long_unchecked_t read_gpa;
30549 + atomic_long_unchecked_t mesq_receive;
30550 + atomic_long_unchecked_t mesq_receive_none;
30551 + atomic_long_unchecked_t mesq_send;
30552 + atomic_long_unchecked_t mesq_send_failed;
30553 + atomic_long_unchecked_t mesq_noop;
30554 + atomic_long_unchecked_t mesq_send_unexpected_error;
30555 + atomic_long_unchecked_t mesq_send_lb_overflow;
30556 + atomic_long_unchecked_t mesq_send_qlimit_reached;
30557 + atomic_long_unchecked_t mesq_send_amo_nacked;
30558 + atomic_long_unchecked_t mesq_send_put_nacked;
30559 + atomic_long_unchecked_t mesq_page_overflow;
30560 + atomic_long_unchecked_t mesq_qf_locked;
30561 + atomic_long_unchecked_t mesq_qf_noop_not_full;
30562 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
30563 + atomic_long_unchecked_t mesq_qf_unexpected_error;
30564 + atomic_long_unchecked_t mesq_noop_unexpected_error;
30565 + atomic_long_unchecked_t mesq_noop_lb_overflow;
30566 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
30567 + atomic_long_unchecked_t mesq_noop_amo_nacked;
30568 + atomic_long_unchecked_t mesq_noop_put_nacked;
30569 + atomic_long_unchecked_t mesq_noop_page_overflow;
30573 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
30574 tghop_invalidate, mcsop_last};
30576 struct mcs_op_statistic {
30577 - atomic_long_t count;
30578 - atomic_long_t total;
30579 + atomic_long_unchecked_t count;
30580 + atomic_long_unchecked_t total;
30584 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
30586 #define STAT(id) do { \
30587 if (gru_options & OPT_STATS) \
30588 - atomic_long_inc(&gru_stats.id); \
30589 + atomic_long_inc_unchecked(&gru_stats.id); \
30592 #ifdef CONFIG_SGI_GRU_DEBUG
30593 diff -urNp linux-2.6.38.6/drivers/mtd/chips/cfi_cmdset_0001.c linux-2.6.38.6/drivers/mtd/chips/cfi_cmdset_0001.c
30594 --- linux-2.6.38.6/drivers/mtd/chips/cfi_cmdset_0001.c 2011-03-14 21:20:32.000000000 -0400
30595 +++ linux-2.6.38.6/drivers/mtd/chips/cfi_cmdset_0001.c 2011-05-16 21:47:08.000000000 -0400
30596 @@ -757,6 +757,8 @@ static int chip_ready (struct map_info *
30597 struct cfi_pri_intelext *cfip = cfi->cmdset_priv;
30598 unsigned long timeo = jiffies + HZ;
30600 + pax_track_stack();
30602 /* Prevent setting state FL_SYNCING for chip in suspended state. */
30603 if (mode == FL_SYNCING && chip->oldstate != FL_READY)
30605 @@ -1657,6 +1659,8 @@ static int __xipram do_write_buffer(stru
30606 unsigned long initial_adr;
30607 int initial_len = len;
30609 + pax_track_stack();
30611 wbufsize = cfi_interleave(cfi) << cfi->cfiq->MaxBufWriteSize;
30612 adr += chip->start;
30614 @@ -1875,6 +1879,8 @@ static int __xipram do_erase_oneblock(st
30618 + pax_track_stack();
30620 adr += chip->start;
30623 diff -urNp linux-2.6.38.6/drivers/mtd/chips/cfi_cmdset_0020.c linux-2.6.38.6/drivers/mtd/chips/cfi_cmdset_0020.c
30624 --- linux-2.6.38.6/drivers/mtd/chips/cfi_cmdset_0020.c 2011-03-14 21:20:32.000000000 -0400
30625 +++ linux-2.6.38.6/drivers/mtd/chips/cfi_cmdset_0020.c 2011-05-16 21:47:08.000000000 -0400
30626 @@ -255,6 +255,8 @@ static inline int do_read_onechip(struct
30627 unsigned long cmd_addr;
30628 struct cfi_private *cfi = map->fldrv_priv;
30630 + pax_track_stack();
30632 adr += chip->start;
30634 /* Ensure cmd read/writes are aligned. */
30635 @@ -428,6 +430,8 @@ static inline int do_write_buffer(struct
30636 DECLARE_WAITQUEUE(wait, current);
30639 + pax_track_stack();
30641 /* M58LW064A requires bus alignment for buffer wriets -- saw */
30642 if (adr & (map_bankwidth(map)-1))
30644 @@ -742,6 +746,8 @@ static inline int do_erase_oneblock(stru
30645 DECLARE_WAITQUEUE(wait, current);
30648 + pax_track_stack();
30650 adr += chip->start;
30652 /* Let's determine this according to the interleave only once */
30653 @@ -1047,6 +1053,8 @@ static inline int do_lock_oneblock(struc
30654 unsigned long timeo = jiffies + HZ;
30655 DECLARE_WAITQUEUE(wait, current);
30657 + pax_track_stack();
30659 adr += chip->start;
30661 /* Let's determine this according to the interleave only once */
30662 @@ -1196,6 +1204,8 @@ static inline int do_unlock_oneblock(str
30663 unsigned long timeo = jiffies + HZ;
30664 DECLARE_WAITQUEUE(wait, current);
30666 + pax_track_stack();
30668 adr += chip->start;
30670 /* Let's determine this according to the interleave only once */
30671 diff -urNp linux-2.6.38.6/drivers/mtd/devices/doc2000.c linux-2.6.38.6/drivers/mtd/devices/doc2000.c
30672 --- linux-2.6.38.6/drivers/mtd/devices/doc2000.c 2011-03-14 21:20:32.000000000 -0400
30673 +++ linux-2.6.38.6/drivers/mtd/devices/doc2000.c 2011-04-28 19:34:15.000000000 -0400
30674 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
30676 /* The ECC will not be calculated correctly if less than 512 is written */
30678 - if (len != 0x200 && eccbuf)
30679 + if (len != 0x200)
30680 printk(KERN_WARNING
30681 "ECC needs a full sector write (adr: %lx size %lx)\n",
30682 (long) to, (long) len);
30683 diff -urNp linux-2.6.38.6/drivers/mtd/devices/doc2001.c linux-2.6.38.6/drivers/mtd/devices/doc2001.c
30684 --- linux-2.6.38.6/drivers/mtd/devices/doc2001.c 2011-03-14 21:20:32.000000000 -0400
30685 +++ linux-2.6.38.6/drivers/mtd/devices/doc2001.c 2011-04-28 19:34:15.000000000 -0400
30686 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
30687 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
30689 /* Don't allow read past end of device */
30690 - if (from >= this->totlen)
30691 + if (from >= this->totlen || !len)
30694 /* Don't allow a single read to cross a 512-byte block boundary */
30695 diff -urNp linux-2.6.38.6/drivers/mtd/ftl.c linux-2.6.38.6/drivers/mtd/ftl.c
30696 --- linux-2.6.38.6/drivers/mtd/ftl.c 2011-03-14 21:20:32.000000000 -0400
30697 +++ linux-2.6.38.6/drivers/mtd/ftl.c 2011-05-16 21:47:08.000000000 -0400
30698 @@ -474,6 +474,8 @@ static int copy_erase_unit(partition_t *
30700 uint16_t srcunitswap = cpu_to_le16(srcunit);
30702 + pax_track_stack();
30704 eun = &part->EUNInfo[srcunit];
30705 xfer = &part->XferInfo[xferunit];
30706 DEBUG(2, "ftl_cs: copying block 0x%x to 0x%x\n",
30707 diff -urNp linux-2.6.38.6/drivers/mtd/inftlcore.c linux-2.6.38.6/drivers/mtd/inftlcore.c
30708 --- linux-2.6.38.6/drivers/mtd/inftlcore.c 2011-03-14 21:20:32.000000000 -0400
30709 +++ linux-2.6.38.6/drivers/mtd/inftlcore.c 2011-05-16 21:47:08.000000000 -0400
30710 @@ -259,6 +259,8 @@ static u16 INFTL_foldchain(struct INFTLr
30711 struct inftl_oob oob;
30714 + pax_track_stack();
30716 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: INFTL_foldchain(inftl=%p,thisVUC=%d,"
30717 "pending=%d)\n", inftl, thisVUC, pendingblock);
30719 diff -urNp linux-2.6.38.6/drivers/mtd/inftlmount.c linux-2.6.38.6/drivers/mtd/inftlmount.c
30720 --- linux-2.6.38.6/drivers/mtd/inftlmount.c 2011-03-14 21:20:32.000000000 -0400
30721 +++ linux-2.6.38.6/drivers/mtd/inftlmount.c 2011-05-16 21:47:08.000000000 -0400
30722 @@ -53,6 +53,8 @@ static int find_boot_record(struct INFTL
30723 struct INFTLPartition *ip;
30726 + pax_track_stack();
30728 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: find_boot_record(inftl=%p)\n", inftl);
30731 diff -urNp linux-2.6.38.6/drivers/mtd/lpddr/qinfo_probe.c linux-2.6.38.6/drivers/mtd/lpddr/qinfo_probe.c
30732 --- linux-2.6.38.6/drivers/mtd/lpddr/qinfo_probe.c 2011-03-14 21:20:32.000000000 -0400
30733 +++ linux-2.6.38.6/drivers/mtd/lpddr/qinfo_probe.c 2011-05-16 21:47:08.000000000 -0400
30734 @@ -106,6 +106,8 @@ static int lpddr_pfow_present(struct map
30736 map_word pfow_val[4];
30738 + pax_track_stack();
30740 /* Check identification string */
30741 pfow_val[0] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_P);
30742 pfow_val[1] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_F);
30743 diff -urNp linux-2.6.38.6/drivers/mtd/mtdchar.c linux-2.6.38.6/drivers/mtd/mtdchar.c
30744 --- linux-2.6.38.6/drivers/mtd/mtdchar.c 2011-03-14 21:20:32.000000000 -0400
30745 +++ linux-2.6.38.6/drivers/mtd/mtdchar.c 2011-05-16 21:47:08.000000000 -0400
30746 @@ -560,6 +560,8 @@ static int mtd_ioctl(struct file *file,
30748 struct mtd_info_user info;
30750 + pax_track_stack();
30752 DEBUG(MTD_DEBUG_LEVEL0, "MTD_ioctl\n");
30754 size = (cmd & IOCSIZE_MASK) >> IOCSIZE_SHIFT;
30755 diff -urNp linux-2.6.38.6/drivers/mtd/nand/denali.c linux-2.6.38.6/drivers/mtd/nand/denali.c
30756 --- linux-2.6.38.6/drivers/mtd/nand/denali.c 2011-03-14 21:20:32.000000000 -0400
30757 +++ linux-2.6.38.6/drivers/mtd/nand/denali.c 2011-04-28 19:34:15.000000000 -0400
30759 #include <linux/pci.h>
30760 #include <linux/mtd/mtd.h>
30761 #include <linux/module.h>
30762 +#include <linux/slab.h>
30764 #include "denali.h"
30766 diff -urNp linux-2.6.38.6/drivers/mtd/nftlcore.c linux-2.6.38.6/drivers/mtd/nftlcore.c
30767 --- linux-2.6.38.6/drivers/mtd/nftlcore.c 2011-03-14 21:20:32.000000000 -0400
30768 +++ linux-2.6.38.6/drivers/mtd/nftlcore.c 2011-05-16 21:47:08.000000000 -0400
30769 @@ -264,6 +264,8 @@ static u16 NFTL_foldchain (struct NFTLre
30773 + pax_track_stack();
30775 memset(BlockMap, 0xff, sizeof(BlockMap));
30776 memset(BlockFreeFound, 0, sizeof(BlockFreeFound));
30778 diff -urNp linux-2.6.38.6/drivers/mtd/nftlmount.c linux-2.6.38.6/drivers/mtd/nftlmount.c
30779 --- linux-2.6.38.6/drivers/mtd/nftlmount.c 2011-03-14 21:20:32.000000000 -0400
30780 +++ linux-2.6.38.6/drivers/mtd/nftlmount.c 2011-05-16 21:47:08.000000000 -0400
30781 @@ -45,6 +45,8 @@ static int find_boot_record(struct NFTLr
30782 struct mtd_info *mtd = nftl->mbd.mtd;
30785 + pax_track_stack();
30787 /* Assume logical EraseSize == physical erasesize for starting the scan.
30788 We'll sort it out later if we find a MediaHeader which says otherwise */
30789 /* Actually, we won't. The new DiskOnChip driver has already scanned
30790 diff -urNp linux-2.6.38.6/drivers/mtd/ubi/build.c linux-2.6.38.6/drivers/mtd/ubi/build.c
30791 --- linux-2.6.38.6/drivers/mtd/ubi/build.c 2011-03-14 21:20:32.000000000 -0400
30792 +++ linux-2.6.38.6/drivers/mtd/ubi/build.c 2011-04-28 19:34:15.000000000 -0400
30793 @@ -1285,7 +1285,7 @@ module_exit(ubi_exit);
30794 static int __init bytes_str_to_int(const char *str)
30797 - unsigned long result;
30798 + unsigned long result, scale = 1;
30800 result = simple_strtoul(str, &endp, 0);
30801 if (str == endp || result >= INT_MAX) {
30802 @@ -1296,11 +1296,11 @@ static int __init bytes_str_to_int(const
30814 if (endp[1] == 'i' && endp[2] == 'B')
30817 @@ -1311,7 +1311,13 @@ static int __init bytes_str_to_int(const
30822 + if ((intoverflow_t)result*scale >= INT_MAX) {
30823 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
30828 + return result*scale;
30832 diff -urNp linux-2.6.38.6/drivers/net/bnx2.c linux-2.6.38.6/drivers/net/bnx2.c
30833 --- linux-2.6.38.6/drivers/net/bnx2.c 2011-03-14 21:20:32.000000000 -0400
30834 +++ linux-2.6.38.6/drivers/net/bnx2.c 2011-05-16 21:47:08.000000000 -0400
30835 @@ -5826,6 +5826,8 @@ bnx2_test_nvram(struct bnx2 *bp)
30839 + pax_track_stack();
30841 if ((rc = bnx2_nvram_read(bp, 0, data, 4)) != 0)
30842 goto test_nvram_done;
30844 diff -urNp linux-2.6.38.6/drivers/net/bnx2x/bnx2x_ethtool.c linux-2.6.38.6/drivers/net/bnx2x/bnx2x_ethtool.c
30845 --- linux-2.6.38.6/drivers/net/bnx2x/bnx2x_ethtool.c 2011-03-14 21:20:32.000000000 -0400
30846 +++ linux-2.6.38.6/drivers/net/bnx2x/bnx2x_ethtool.c 2011-05-16 21:47:08.000000000 -0400
30847 @@ -1788,6 +1788,8 @@ static int bnx2x_test_nvram(struct bnx2x
30851 + pax_track_stack();
30856 diff -urNp linux-2.6.38.6/drivers/net/cxgb4/cxgb4_main.c linux-2.6.38.6/drivers/net/cxgb4/cxgb4_main.c
30857 --- linux-2.6.38.6/drivers/net/cxgb4/cxgb4_main.c 2011-03-14 21:20:32.000000000 -0400
30858 +++ linux-2.6.38.6/drivers/net/cxgb4/cxgb4_main.c 2011-05-16 21:47:08.000000000 -0400
30859 @@ -3429,6 +3429,8 @@ static int __devinit enable_msix(struct
30860 unsigned int nchan = adap->params.nports;
30861 struct msix_entry entries[MAX_INGQ + 1];
30863 + pax_track_stack();
30865 for (i = 0; i < ARRAY_SIZE(entries); ++i)
30866 entries[i].entry = i;
30868 diff -urNp linux-2.6.38.6/drivers/net/cxgb4/t4_hw.c linux-2.6.38.6/drivers/net/cxgb4/t4_hw.c
30869 --- linux-2.6.38.6/drivers/net/cxgb4/t4_hw.c 2011-03-14 21:20:32.000000000 -0400
30870 +++ linux-2.6.38.6/drivers/net/cxgb4/t4_hw.c 2011-05-16 21:47:08.000000000 -0400
30871 @@ -362,6 +362,8 @@ static int get_vpd_params(struct adapter
30872 u8 vpd[VPD_LEN], csum;
30873 unsigned int vpdr_len, kw_offset, id_len;
30875 + pax_track_stack();
30877 ret = pci_read_vpd(adapter->pdev, VPD_BASE, sizeof(vpd), vpd);
30880 diff -urNp linux-2.6.38.6/drivers/net/e1000e/82571.c linux-2.6.38.6/drivers/net/e1000e/82571.c
30881 --- linux-2.6.38.6/drivers/net/e1000e/82571.c 2011-03-14 21:20:32.000000000 -0400
30882 +++ linux-2.6.38.6/drivers/net/e1000e/82571.c 2011-04-28 19:34:15.000000000 -0400
30883 @@ -239,7 +239,7 @@ static s32 e1000_init_mac_params_82571(s
30885 struct e1000_hw *hw = &adapter->hw;
30886 struct e1000_mac_info *mac = &hw->mac;
30887 - struct e1000_mac_operations *func = &mac->ops;
30888 + struct e1000_mac_operations *func = &mac->ops; /* cannot be const */
30891 bool force_clear_smbi = false;
30892 @@ -1930,7 +1930,7 @@ static void e1000_clear_hw_cntrs_82571(s
30896 -static struct e1000_mac_operations e82571_mac_ops = {
30897 +static const struct e1000_mac_operations e82571_mac_ops = {
30898 /* .check_mng_mode: mac type dependent */
30899 /* .check_for_link: media type dependent */
30900 .id_led_init = e1000e_id_led_init,
30901 @@ -1952,7 +1952,7 @@ static struct e1000_mac_operations e8257
30902 .read_mac_addr = e1000_read_mac_addr_82571,
30905 -static struct e1000_phy_operations e82_phy_ops_igp = {
30906 +static const struct e1000_phy_operations e82_phy_ops_igp = {
30907 .acquire = e1000_get_hw_semaphore_82571,
30908 .check_polarity = e1000_check_polarity_igp,
30909 .check_reset_block = e1000e_check_reset_block_generic,
30910 @@ -1970,7 +1970,7 @@ static struct e1000_phy_operations e82_p
30911 .cfg_on_link_up = NULL,
30914 -static struct e1000_phy_operations e82_phy_ops_m88 = {
30915 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
30916 .acquire = e1000_get_hw_semaphore_82571,
30917 .check_polarity = e1000_check_polarity_m88,
30918 .check_reset_block = e1000e_check_reset_block_generic,
30919 @@ -1988,7 +1988,7 @@ static struct e1000_phy_operations e82_p
30920 .cfg_on_link_up = NULL,
30923 -static struct e1000_phy_operations e82_phy_ops_bm = {
30924 +static const struct e1000_phy_operations e82_phy_ops_bm = {
30925 .acquire = e1000_get_hw_semaphore_82571,
30926 .check_polarity = e1000_check_polarity_m88,
30927 .check_reset_block = e1000e_check_reset_block_generic,
30928 @@ -2006,7 +2006,7 @@ static struct e1000_phy_operations e82_p
30929 .cfg_on_link_up = NULL,
30932 -static struct e1000_nvm_operations e82571_nvm_ops = {
30933 +static const struct e1000_nvm_operations e82571_nvm_ops = {
30934 .acquire = e1000_acquire_nvm_82571,
30935 .read = e1000e_read_nvm_eerd,
30936 .release = e1000_release_nvm_82571,
30937 diff -urNp linux-2.6.38.6/drivers/net/e1000e/e1000.h linux-2.6.38.6/drivers/net/e1000e/e1000.h
30938 --- linux-2.6.38.6/drivers/net/e1000e/e1000.h 2011-03-14 21:20:32.000000000 -0400
30939 +++ linux-2.6.38.6/drivers/net/e1000e/e1000.h 2011-04-28 19:34:15.000000000 -0400
30940 @@ -408,9 +408,9 @@ struct e1000_info {
30942 u32 max_hw_frame_size;
30943 s32 (*get_variants)(struct e1000_adapter *);
30944 - struct e1000_mac_operations *mac_ops;
30945 - struct e1000_phy_operations *phy_ops;
30946 - struct e1000_nvm_operations *nvm_ops;
30947 + const struct e1000_mac_operations *mac_ops;
30948 + const struct e1000_phy_operations *phy_ops;
30949 + const struct e1000_nvm_operations *nvm_ops;
30952 /* hardware capability, feature, and workaround flags */
30953 diff -urNp linux-2.6.38.6/drivers/net/e1000e/es2lan.c linux-2.6.38.6/drivers/net/e1000e/es2lan.c
30954 --- linux-2.6.38.6/drivers/net/e1000e/es2lan.c 2011-03-14 21:20:32.000000000 -0400
30955 +++ linux-2.6.38.6/drivers/net/e1000e/es2lan.c 2011-04-28 19:34:15.000000000 -0400
30956 @@ -205,7 +205,7 @@ static s32 e1000_init_mac_params_80003es
30958 struct e1000_hw *hw = &adapter->hw;
30959 struct e1000_mac_info *mac = &hw->mac;
30960 - struct e1000_mac_operations *func = &mac->ops;
30961 + struct e1000_mac_operations *func = &mac->ops; /* cannot be const */
30963 /* Set media type */
30964 switch (adapter->pdev->device) {
30965 @@ -1431,7 +1431,7 @@ static void e1000_clear_hw_cntrs_80003es
30969 -static struct e1000_mac_operations es2_mac_ops = {
30970 +static const struct e1000_mac_operations es2_mac_ops = {
30971 .read_mac_addr = e1000_read_mac_addr_80003es2lan,
30972 .id_led_init = e1000e_id_led_init,
30973 .check_mng_mode = e1000e_check_mng_mode_generic,
30974 @@ -1453,7 +1453,7 @@ static struct e1000_mac_operations es2_m
30975 .setup_led = e1000e_setup_led_generic,
30978 -static struct e1000_phy_operations es2_phy_ops = {
30979 +static const struct e1000_phy_operations es2_phy_ops = {
30980 .acquire = e1000_acquire_phy_80003es2lan,
30981 .check_polarity = e1000_check_polarity_m88,
30982 .check_reset_block = e1000e_check_reset_block_generic,
30983 @@ -1471,7 +1471,7 @@ static struct e1000_phy_operations es2_p
30984 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
30987 -static struct e1000_nvm_operations es2_nvm_ops = {
30988 +static const struct e1000_nvm_operations es2_nvm_ops = {
30989 .acquire = e1000_acquire_nvm_80003es2lan,
30990 .read = e1000e_read_nvm_eerd,
30991 .release = e1000_release_nvm_80003es2lan,
30992 diff -urNp linux-2.6.38.6/drivers/net/e1000e/hw.h linux-2.6.38.6/drivers/net/e1000e/hw.h
30993 --- linux-2.6.38.6/drivers/net/e1000e/hw.h 2011-03-14 21:20:32.000000000 -0400
30994 +++ linux-2.6.38.6/drivers/net/e1000e/hw.h 2011-04-28 19:34:15.000000000 -0400
30995 @@ -801,16 +801,17 @@ struct e1000_phy_operations {
30997 /* Function pointers for the NVM. */
30998 struct e1000_nvm_operations {
30999 - s32 (*acquire)(struct e1000_hw *);
31000 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
31001 - void (*release)(struct e1000_hw *);
31002 - s32 (*update)(struct e1000_hw *);
31003 - s32 (*valid_led_default)(struct e1000_hw *, u16 *);
31004 - s32 (*validate)(struct e1000_hw *);
31005 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
31006 + s32 (* acquire)(struct e1000_hw *); /* cannot be const, see drivers/net/e1000e/82571.c e1000_init_nvm_params_82571() */
31007 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
31008 + void (* release)(struct e1000_hw *); /* cannot be const, see drivers/net/e1000e/82571.c e1000_init_nvm_params_82571() */
31009 + s32 (* const update)(struct e1000_hw *);
31010 + s32 (* const valid_led_default)(struct e1000_hw *, u16 *);
31011 + s32 (* const validate)(struct e1000_hw *);
31012 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
31015 struct e1000_mac_info {
31016 + /* cannot be const see e1000_init_mac_params_ich8lan */
31017 struct e1000_mac_operations ops;
31020 @@ -853,6 +854,7 @@ struct e1000_mac_info {
31023 struct e1000_phy_info {
31024 + /* Cannot be const see e1000_init_phy_params_82571() */
31025 struct e1000_phy_operations ops;
31027 enum e1000_phy_type type;
31028 @@ -887,6 +889,7 @@ struct e1000_phy_info {
31031 struct e1000_nvm_info {
31032 + /* cannot be const */
31033 struct e1000_nvm_operations ops;
31035 enum e1000_nvm_type type;
31036 diff -urNp linux-2.6.38.6/drivers/net/e1000e/ich8lan.c linux-2.6.38.6/drivers/net/e1000e/ich8lan.c
31037 --- linux-2.6.38.6/drivers/net/e1000e/ich8lan.c 2011-03-14 21:20:32.000000000 -0400
31038 +++ linux-2.6.38.6/drivers/net/e1000e/ich8lan.c 2011-04-28 19:34:15.000000000 -0400
31039 @@ -3840,7 +3840,7 @@ static void e1000_clear_hw_cntrs_ich8lan
31043 -static struct e1000_mac_operations ich8_mac_ops = {
31044 +static const struct e1000_mac_operations ich8_mac_ops = {
31045 .id_led_init = e1000e_id_led_init,
31046 /* check_mng_mode dependent on mac type */
31047 .check_for_link = e1000_check_for_copper_link_ich8lan,
31048 @@ -3859,7 +3859,7 @@ static struct e1000_mac_operations ich8_
31049 /* id_led_init dependent on mac type */
31052 -static struct e1000_phy_operations ich8_phy_ops = {
31053 +static const struct e1000_phy_operations ich8_phy_ops = {
31054 .acquire = e1000_acquire_swflag_ich8lan,
31055 .check_reset_block = e1000_check_reset_block_ich8lan,
31057 @@ -3873,7 +3873,7 @@ static struct e1000_phy_operations ich8_
31058 .write_reg = e1000e_write_phy_reg_igp,
31061 -static struct e1000_nvm_operations ich8_nvm_ops = {
31062 +static const struct e1000_nvm_operations ich8_nvm_ops = {
31063 .acquire = e1000_acquire_nvm_ich8lan,
31064 .read = e1000_read_nvm_ich8lan,
31065 .release = e1000_release_nvm_ich8lan,
31066 diff -urNp linux-2.6.38.6/drivers/net/hamradio/6pack.c linux-2.6.38.6/drivers/net/hamradio/6pack.c
31067 --- linux-2.6.38.6/drivers/net/hamradio/6pack.c 2011-03-14 21:20:32.000000000 -0400
31068 +++ linux-2.6.38.6/drivers/net/hamradio/6pack.c 2011-05-16 21:47:08.000000000 -0400
31069 @@ -463,6 +463,8 @@ static void sixpack_receive_buf(struct t
31070 unsigned char buf[512];
31073 + pax_track_stack();
31078 diff -urNp linux-2.6.38.6/drivers/net/igb/e1000_82575.c linux-2.6.38.6/drivers/net/igb/e1000_82575.c
31079 --- linux-2.6.38.6/drivers/net/igb/e1000_82575.c 2011-03-14 21:20:32.000000000 -0400
31080 +++ linux-2.6.38.6/drivers/net/igb/e1000_82575.c 2011-04-28 19:34:15.000000000 -0400
31081 @@ -1747,7 +1747,7 @@ u16 igb_rxpbs_adjust_82580(u32 data)
31085 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
31086 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
31087 .init_hw = igb_init_hw_82575,
31088 .check_for_link = igb_check_for_link_82575,
31089 .rar_set = igb_rar_set,
31090 @@ -1755,13 +1755,13 @@ static struct e1000_mac_operations e1000
31091 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
31094 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
31095 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
31096 .acquire = igb_acquire_phy_82575,
31097 .get_cfg_done = igb_get_cfg_done_82575,
31098 .release = igb_release_phy_82575,
31101 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
31102 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
31103 .acquire = igb_acquire_nvm_82575,
31104 .read = igb_read_nvm_eerd,
31105 .release = igb_release_nvm_82575,
31106 diff -urNp linux-2.6.38.6/drivers/net/igb/e1000_hw.h linux-2.6.38.6/drivers/net/igb/e1000_hw.h
31107 --- linux-2.6.38.6/drivers/net/igb/e1000_hw.h 2011-03-14 21:20:32.000000000 -0400
31108 +++ linux-2.6.38.6/drivers/net/igb/e1000_hw.h 2011-04-28 19:34:15.000000000 -0400
31109 @@ -327,22 +327,23 @@ struct e1000_phy_operations {
31112 struct e1000_nvm_operations {
31113 - s32 (*acquire)(struct e1000_hw *);
31114 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
31115 - void (*release)(struct e1000_hw *);
31116 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
31117 + s32 (* const acquire)(struct e1000_hw *);
31118 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
31119 + void (* const release)(struct e1000_hw *);
31120 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
31123 struct e1000_info {
31124 s32 (*get_invariants)(struct e1000_hw *);
31125 - struct e1000_mac_operations *mac_ops;
31126 - struct e1000_phy_operations *phy_ops;
31127 - struct e1000_nvm_operations *nvm_ops;
31128 + const struct e1000_mac_operations *mac_ops;
31129 + const struct e1000_phy_operations *phy_ops;
31130 + const struct e1000_nvm_operations *nvm_ops;
31133 extern const struct e1000_info e1000_82575_info;
31135 struct e1000_mac_info {
31136 + /* cannot be const see igb_get_invariants_82575() */
31137 struct e1000_mac_operations ops;
31140 @@ -381,6 +382,7 @@ struct e1000_mac_info {
31143 struct e1000_phy_info {
31144 + /* cannot be const see igb_get_invariants_82575() */
31145 struct e1000_phy_operations ops;
31147 enum e1000_phy_type type;
31148 @@ -416,6 +418,7 @@ struct e1000_phy_info {
31151 struct e1000_nvm_info {
31152 + /* cannot be const */
31153 struct e1000_nvm_operations ops;
31155 enum e1000_nvm_type type;
31156 diff -urNp linux-2.6.38.6/drivers/net/igbvf/vf.h linux-2.6.38.6/drivers/net/igbvf/vf.h
31157 --- linux-2.6.38.6/drivers/net/igbvf/vf.h 2011-03-14 21:20:32.000000000 -0400
31158 +++ linux-2.6.38.6/drivers/net/igbvf/vf.h 2011-04-28 19:34:15.000000000 -0400
31159 @@ -191,6 +191,7 @@ struct e1000_mac_operations {
31162 struct e1000_mac_info {
31163 + /* cannot be const see e1000_init_mac_params_vf() */
31164 struct e1000_mac_operations ops;
31167 diff -urNp linux-2.6.38.6/drivers/net/ixgb/ixgb_main.c linux-2.6.38.6/drivers/net/ixgb/ixgb_main.c
31168 --- linux-2.6.38.6/drivers/net/ixgb/ixgb_main.c 2011-03-14 21:20:32.000000000 -0400
31169 +++ linux-2.6.38.6/drivers/net/ixgb/ixgb_main.c 2011-05-16 21:47:08.000000000 -0400
31170 @@ -1072,6 +1072,8 @@ ixgb_set_multi(struct net_device *netdev
31174 + pax_track_stack();
31176 /* Check for Promiscuous and All Multicast modes */
31178 rctl = IXGB_READ_REG(hw, RCTL);
31179 diff -urNp linux-2.6.38.6/drivers/net/ixgb/ixgb_param.c linux-2.6.38.6/drivers/net/ixgb/ixgb_param.c
31180 --- linux-2.6.38.6/drivers/net/ixgb/ixgb_param.c 2011-03-14 21:20:32.000000000 -0400
31181 +++ linux-2.6.38.6/drivers/net/ixgb/ixgb_param.c 2011-05-16 21:47:08.000000000 -0400
31182 @@ -261,6 +261,9 @@ void __devinit
31183 ixgb_check_options(struct ixgb_adapter *adapter)
31185 int bd = adapter->bd_number;
31187 + pax_track_stack();
31189 if (bd >= IXGB_MAX_NIC) {
31190 pr_notice("Warning: no configuration for board #%i\n", bd);
31191 pr_notice("Using defaults for all values\n");
31192 diff -urNp linux-2.6.38.6/drivers/net/ksz884x.c linux-2.6.38.6/drivers/net/ksz884x.c
31193 --- linux-2.6.38.6/drivers/net/ksz884x.c 2011-03-14 21:20:32.000000000 -0400
31194 +++ linux-2.6.38.6/drivers/net/ksz884x.c 2011-05-16 21:47:08.000000000 -0400
31195 @@ -6536,6 +6536,8 @@ static void netdev_get_ethtool_stats(str
31197 u64 counter[TOTAL_PORT_COUNTER_NUM];
31199 + pax_track_stack();
31201 mutex_lock(&hw_priv->lock);
31202 n = SWITCH_PORT_NUM;
31203 for (i = 0, p = port->first_port; i < port->mib_port_cnt; i++, p++) {
31204 diff -urNp linux-2.6.38.6/drivers/net/mlx4/main.c linux-2.6.38.6/drivers/net/mlx4/main.c
31205 --- linux-2.6.38.6/drivers/net/mlx4/main.c 2011-03-14 21:20:32.000000000 -0400
31206 +++ linux-2.6.38.6/drivers/net/mlx4/main.c 2011-05-16 21:47:08.000000000 -0400
31207 @@ -737,6 +737,8 @@ static int mlx4_init_hca(struct mlx4_dev
31211 + pax_track_stack();
31213 err = mlx4_QUERY_FW(dev);
31215 if (err == -EACCES)
31216 diff -urNp linux-2.6.38.6/drivers/net/niu.c linux-2.6.38.6/drivers/net/niu.c
31217 --- linux-2.6.38.6/drivers/net/niu.c 2011-03-14 21:20:32.000000000 -0400
31218 +++ linux-2.6.38.6/drivers/net/niu.c 2011-05-16 21:47:08.000000000 -0400
31219 @@ -9067,6 +9067,8 @@ static void __devinit niu_try_msix(struc
31220 int i, num_irqs, err;
31223 + pax_track_stack();
31225 first_ldg = (NIU_NUM_LDG / parent->num_ports) * np->port;
31226 for (i = 0; i < (NIU_NUM_LDG / parent->num_ports); i++)
31227 ldg_num_map[i] = first_ldg + i;
31228 diff -urNp linux-2.6.38.6/drivers/net/pcnet32.c linux-2.6.38.6/drivers/net/pcnet32.c
31229 --- linux-2.6.38.6/drivers/net/pcnet32.c 2011-03-14 21:20:32.000000000 -0400
31230 +++ linux-2.6.38.6/drivers/net/pcnet32.c 2011-04-28 19:34:15.000000000 -0400
31231 @@ -82,7 +82,7 @@ static int cards_found;
31233 * VLB I/O addresses
31235 -static unsigned int pcnet32_portlist[] __initdata =
31236 +static unsigned int pcnet32_portlist[] __devinitdata =
31237 { 0x300, 0x320, 0x340, 0x360, 0 };
31239 static int pcnet32_debug;
31240 diff -urNp linux-2.6.38.6/drivers/net/ppp_generic.c linux-2.6.38.6/drivers/net/ppp_generic.c
31241 --- linux-2.6.38.6/drivers/net/ppp_generic.c 2011-03-14 21:20:32.000000000 -0400
31242 +++ linux-2.6.38.6/drivers/net/ppp_generic.c 2011-04-28 19:34:15.000000000 -0400
31243 @@ -986,7 +986,6 @@ ppp_net_ioctl(struct net_device *dev, st
31244 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
31245 struct ppp_stats stats;
31246 struct ppp_comp_stats cstats;
31250 case SIOCGPPPSTATS:
31251 @@ -1008,8 +1007,7 @@ ppp_net_ioctl(struct net_device *dev, st
31255 - vers = PPP_VERSION;
31256 - if (copy_to_user(addr, vers, strlen(vers) + 1))
31257 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
31261 diff -urNp linux-2.6.38.6/drivers/net/tg3.c linux-2.6.38.6/drivers/net/tg3.c
31262 --- linux-2.6.38.6/drivers/net/tg3.c 2011-03-14 21:20:32.000000000 -0400
31263 +++ linux-2.6.38.6/drivers/net/tg3.c 2011-05-11 18:35:16.000000000 -0400
31264 @@ -13003,7 +13003,7 @@ done:
31266 static struct pci_dev * __devinit tg3_find_peer(struct tg3 *);
31268 -static void inline vlan_features_add(struct net_device *dev, unsigned long flags)
31269 +static inline void vlan_features_add(struct net_device *dev, unsigned long flags)
31271 dev->vlan_features |= flags;
31273 diff -urNp linux-2.6.38.6/drivers/net/tg3.h linux-2.6.38.6/drivers/net/tg3.h
31274 --- linux-2.6.38.6/drivers/net/tg3.h 2011-03-14 21:20:32.000000000 -0400
31275 +++ linux-2.6.38.6/drivers/net/tg3.h 2011-04-28 19:34:15.000000000 -0400
31276 @@ -131,6 +131,7 @@
31277 #define CHIPREV_ID_5750_A0 0x4000
31278 #define CHIPREV_ID_5750_A1 0x4001
31279 #define CHIPREV_ID_5750_A3 0x4003
31280 +#define CHIPREV_ID_5750_C1 0x4201
31281 #define CHIPREV_ID_5750_C2 0x4202
31282 #define CHIPREV_ID_5752_A0_HW 0x5000
31283 #define CHIPREV_ID_5752_A0 0x6000
31284 diff -urNp linux-2.6.38.6/drivers/net/tulip/de2104x.c linux-2.6.38.6/drivers/net/tulip/de2104x.c
31285 --- linux-2.6.38.6/drivers/net/tulip/de2104x.c 2011-03-14 21:20:32.000000000 -0400
31286 +++ linux-2.6.38.6/drivers/net/tulip/de2104x.c 2011-05-16 21:47:08.000000000 -0400
31287 @@ -1817,6 +1817,8 @@ static void __devinit de21041_get_srom_i
31288 struct de_srom_info_leaf *il;
31291 + pax_track_stack();
31293 /* download entire eeprom */
31294 for (i = 0; i < DE_EEPROM_WORDS; i++)
31295 ((__le16 *)ee_data)[i] =
31296 diff -urNp linux-2.6.38.6/drivers/net/tulip/de4x5.c linux-2.6.38.6/drivers/net/tulip/de4x5.c
31297 --- linux-2.6.38.6/drivers/net/tulip/de4x5.c 2011-03-14 21:20:32.000000000 -0400
31298 +++ linux-2.6.38.6/drivers/net/tulip/de4x5.c 2011-04-28 19:34:15.000000000 -0400
31299 @@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
31300 for (i=0; i<ETH_ALEN; i++) {
31301 tmp.addr[i] = dev->dev_addr[i];
31303 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
31304 + if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
31307 case DE4X5_SET_HWADDR: /* Set the hardware address */
31308 @@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
31309 spin_lock_irqsave(&lp->lock, flags);
31310 memcpy(&statbuf, &lp->pktStats, ioc->len);
31311 spin_unlock_irqrestore(&lp->lock, flags);
31312 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
31313 + if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
31317 diff -urNp linux-2.6.38.6/drivers/net/usb/hso.c linux-2.6.38.6/drivers/net/usb/hso.c
31318 --- linux-2.6.38.6/drivers/net/usb/hso.c 2011-03-14 21:20:32.000000000 -0400
31319 +++ linux-2.6.38.6/drivers/net/usb/hso.c 2011-04-28 19:34:15.000000000 -0400
31321 #include <asm/byteorder.h>
31322 #include <linux/serial_core.h>
31323 #include <linux/serial.h>
31325 +#include <asm/local.h>
31327 #define MOD_AUTHOR "Option Wireless"
31328 #define MOD_DESCRIPTION "USB High Speed Option driver"
31329 @@ -257,7 +257,7 @@ struct hso_serial {
31331 /* from usb_serial_port */
31332 struct tty_struct *tty;
31334 + local_t open_count;
31335 spinlock_t serial_lock;
31337 int (*write_data) (struct hso_serial *serial);
31338 @@ -1190,7 +1190,7 @@ static void put_rxbuf_data_and_resubmit_
31341 urb = serial->rx_urb[0];
31342 - if (serial->open_count > 0) {
31343 + if (local_read(&serial->open_count) > 0) {
31344 count = put_rxbuf_data(urb, serial);
31347 @@ -1226,7 +1226,7 @@ static void hso_std_serial_read_bulk_cal
31348 DUMP1(urb->transfer_buffer, urb->actual_length);
31350 /* Anyone listening? */
31351 - if (serial->open_count == 0)
31352 + if (local_read(&serial->open_count) == 0)
31356 @@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
31357 spin_unlock_irq(&serial->serial_lock);
31359 /* check for port already opened, if not set the termios */
31360 - serial->open_count++;
31361 - if (serial->open_count == 1) {
31362 + if (local_inc_return(&serial->open_count) == 1) {
31363 serial->rx_state = RX_IDLE;
31364 /* Force default termio settings */
31365 _hso_serial_set_termios(tty, NULL);
31366 @@ -1324,7 +1323,7 @@ static int hso_serial_open(struct tty_st
31367 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
31369 hso_stop_serial_device(serial->parent);
31370 - serial->open_count--;
31371 + local_dec(&serial->open_count);
31372 kref_put(&serial->parent->ref, hso_serial_ref_free);
31375 @@ -1361,10 +1360,10 @@ static void hso_serial_close(struct tty_
31377 /* reset the rts and dtr */
31378 /* do the actual close */
31379 - serial->open_count--;
31380 + local_dec(&serial->open_count);
31382 - if (serial->open_count <= 0) {
31383 - serial->open_count = 0;
31384 + if (local_read(&serial->open_count) <= 0) {
31385 + local_set(&serial->open_count, 0);
31386 spin_lock_irq(&serial->serial_lock);
31387 if (serial->tty == tty) {
31388 serial->tty->driver_data = NULL;
31389 @@ -1446,7 +1445,7 @@ static void hso_serial_set_termios(struc
31391 /* the actual setup */
31392 spin_lock_irqsave(&serial->serial_lock, flags);
31393 - if (serial->open_count)
31394 + if (local_read(&serial->open_count))
31395 _hso_serial_set_termios(tty, old);
31397 tty->termios = old;
31398 @@ -1905,7 +1904,7 @@ static void intr_callback(struct urb *ur
31399 D1("Pending read interrupt on port %d\n", i);
31400 spin_lock(&serial->serial_lock);
31401 if (serial->rx_state == RX_IDLE &&
31402 - serial->open_count > 0) {
31403 + local_read(&serial->open_count) > 0) {
31404 /* Setup and send a ctrl req read on
31406 if (!serial->rx_urb_filled[0]) {
31407 @@ -3097,7 +3096,7 @@ static int hso_resume(struct usb_interfa
31408 /* Start all serial ports */
31409 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
31410 if (serial_table[i] && (serial_table[i]->interface == iface)) {
31411 - if (dev2ser(serial_table[i])->open_count) {
31412 + if (local_read(&dev2ser(serial_table[i])->open_count)) {
31414 hso_start_serial_device(serial_table[i], GFP_NOIO);
31415 hso_kick_transmit(dev2ser(serial_table[i]));
31416 diff -urNp linux-2.6.38.6/drivers/net/vmxnet3/vmxnet3_ethtool.c linux-2.6.38.6/drivers/net/vmxnet3/vmxnet3_ethtool.c
31417 --- linux-2.6.38.6/drivers/net/vmxnet3/vmxnet3_ethtool.c 2011-04-18 17:27:18.000000000 -0400
31418 +++ linux-2.6.38.6/drivers/net/vmxnet3/vmxnet3_ethtool.c 2011-04-28 19:34:15.000000000 -0400
31419 @@ -628,8 +628,7 @@ vmxnet3_set_rss_indir(struct net_device
31420 * Return with error code if any of the queue indices
31423 - if (p->ring_index[i] < 0 ||
31424 - p->ring_index[i] >= adapter->num_rx_queues)
31425 + if (p->ring_index[i] >= adapter->num_rx_queues)
31429 diff -urNp linux-2.6.38.6/drivers/net/vxge/vxge-main.c linux-2.6.38.6/drivers/net/vxge/vxge-main.c
31430 --- linux-2.6.38.6/drivers/net/vxge/vxge-main.c 2011-03-14 21:20:32.000000000 -0400
31431 +++ linux-2.6.38.6/drivers/net/vxge/vxge-main.c 2011-05-16 21:47:08.000000000 -0400
31432 @@ -97,6 +97,8 @@ static inline void VXGE_COMPLETE_VPATH_T
31433 struct sk_buff *completed[NR_SKB_COMPLETED];
31436 + pax_track_stack();
31440 skb_ptr = completed;
31441 @@ -1889,6 +1891,8 @@ static enum vxge_hw_status vxge_rth_conf
31442 u8 mtable[256] = {0}; /* CPU to vpath mapping */
31445 + pax_track_stack();
31449 * - itable with bucket numbers
31450 diff -urNp linux-2.6.38.6/drivers/net/wan/cycx_x25.c linux-2.6.38.6/drivers/net/wan/cycx_x25.c
31451 --- linux-2.6.38.6/drivers/net/wan/cycx_x25.c 2011-03-14 21:20:32.000000000 -0400
31452 +++ linux-2.6.38.6/drivers/net/wan/cycx_x25.c 2011-05-16 21:47:08.000000000 -0400
31453 @@ -1018,6 +1018,8 @@ static void hex_dump(char *msg, unsigned
31454 unsigned char hex[1024],
31457 + pax_track_stack();
31459 if (len >= (sizeof(hex) / 2))
31460 len = (sizeof(hex) / 2) - 1;
31462 diff -urNp linux-2.6.38.6/drivers/net/wimax/i2400m/usb-fw.c linux-2.6.38.6/drivers/net/wimax/i2400m/usb-fw.c
31463 --- linux-2.6.38.6/drivers/net/wimax/i2400m/usb-fw.c 2011-03-14 21:20:32.000000000 -0400
31464 +++ linux-2.6.38.6/drivers/net/wimax/i2400m/usb-fw.c 2011-05-16 21:47:08.000000000 -0400
31465 @@ -287,6 +287,8 @@ ssize_t i2400mu_bus_bm_wait_for_ack(stru
31467 DECLARE_COMPLETION_ONSTACK(notif_completion);
31469 + pax_track_stack();
31471 d_fnstart(8, dev, "(i2400m %p ack %p size %zu)\n",
31472 i2400m, ack, ack_size);
31473 BUG_ON(_ack == i2400m->bm_ack_buf);
31474 diff -urNp linux-2.6.38.6/drivers/net/wireless/airo.c linux-2.6.38.6/drivers/net/wireless/airo.c
31475 --- linux-2.6.38.6/drivers/net/wireless/airo.c 2011-03-14 21:20:32.000000000 -0400
31476 +++ linux-2.6.38.6/drivers/net/wireless/airo.c 2011-05-16 21:47:08.000000000 -0400
31477 @@ -3001,6 +3001,8 @@ static void airo_process_scan_results (s
31478 BSSListElement * loop_net;
31479 BSSListElement * tmp_net;
31481 + pax_track_stack();
31483 /* Blow away current list of scan results */
31484 list_for_each_entry_safe (loop_net, tmp_net, &ai->network_list, list) {
31485 list_move_tail (&loop_net->list, &ai->network_free_list);
31486 @@ -3792,6 +3794,8 @@ static u16 setup_card(struct airo_info *
31490 + pax_track_stack();
31492 memset( &mySsid, 0, sizeof( mySsid ) );
31495 @@ -4760,6 +4764,8 @@ static int proc_stats_rid_open( struct i
31496 __le32 *vals = stats.vals;
31499 + pax_track_stack();
31501 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
31503 data = file->private_data;
31504 @@ -5483,6 +5489,8 @@ static int proc_BSSList_open( struct ino
31505 /* If doLoseSync is not 1, we won't do a Lose Sync */
31506 int doLoseSync = -1;
31508 + pax_track_stack();
31510 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
31512 data = file->private_data;
31513 @@ -7190,6 +7198,8 @@ static int airo_get_aplist(struct net_de
31515 int loseSync = capable(CAP_NET_ADMIN) ? 1: -1;
31517 + pax_track_stack();
31519 qual = kmalloc(IW_MAX_AP * sizeof(*qual), GFP_KERNEL);
31522 @@ -7750,6 +7760,8 @@ static void airo_read_wireless_stats(str
31523 CapabilityRid cap_rid;
31524 __le32 *vals = stats_rid.vals;
31526 + pax_track_stack();
31528 /* Get stats out of the card */
31529 clear_bit(JOB_WSTATS, &local->jobs);
31530 if (local->power.event) {
31531 diff -urNp linux-2.6.38.6/drivers/net/wireless/ath/ath5k/debug.c linux-2.6.38.6/drivers/net/wireless/ath/ath5k/debug.c
31532 --- linux-2.6.38.6/drivers/net/wireless/ath/ath5k/debug.c 2011-03-14 21:20:32.000000000 -0400
31533 +++ linux-2.6.38.6/drivers/net/wireless/ath/ath5k/debug.c 2011-05-16 21:47:08.000000000 -0400
31534 @@ -204,6 +204,8 @@ static ssize_t read_file_beacon(struct f
31538 + pax_track_stack();
31540 v = ath5k_hw_reg_read(sc->ah, AR5K_BEACON);
31541 len += snprintf(buf+len, sizeof(buf)-len,
31542 "%-24s0x%08x\tintval: %d\tTIM: 0x%x\n",
31543 @@ -325,6 +327,8 @@ static ssize_t read_file_debug(struct fi
31544 unsigned int len = 0;
31547 + pax_track_stack();
31549 len += snprintf(buf+len, sizeof(buf)-len,
31550 "DEBUG LEVEL: 0x%08x\n\n", sc->debug.level);
31552 @@ -386,6 +390,8 @@ static ssize_t read_file_antenna(struct
31556 + pax_track_stack();
31558 len += snprintf(buf+len, sizeof(buf)-len, "antenna mode\t%d\n",
31559 sc->ah->ah_ant_mode);
31560 len += snprintf(buf+len, sizeof(buf)-len, "default antenna\t%d\n",
31561 @@ -496,6 +502,8 @@ static ssize_t read_file_misc(struct fil
31562 unsigned int len = 0;
31563 u32 filt = ath5k_hw_get_rx_filter(sc->ah);
31565 + pax_track_stack();
31567 len += snprintf(buf+len, sizeof(buf)-len, "bssid-mask: %pM\n",
31569 len += snprintf(buf+len, sizeof(buf)-len, "filter-flags: 0x%x ",
31570 @@ -552,6 +560,8 @@ static ssize_t read_file_frameerrors(str
31571 unsigned int len = 0;
31574 + pax_track_stack();
31576 len += snprintf(buf+len, sizeof(buf)-len,
31577 "RX\n---------------------\n");
31578 len += snprintf(buf+len, sizeof(buf)-len, "CRC\t%u\t(%u%%)\n",
31579 @@ -669,6 +679,8 @@ static ssize_t read_file_ani(struct file
31581 unsigned int len = 0;
31583 + pax_track_stack();
31585 len += snprintf(buf+len, sizeof(buf)-len,
31586 "HW has PHY error counters:\t%s\n",
31587 sc->ah->ah_capabilities.cap_has_phyerr_counters ?
31588 @@ -829,6 +841,8 @@ static ssize_t read_file_queue(struct fi
31589 struct ath5k_buf *bf, *bf0;
31592 + pax_track_stack();
31594 len += snprintf(buf+len, sizeof(buf)-len,
31595 "available txbuffers: %d\n", sc->txbuf_len);
31597 diff -urNp linux-2.6.38.6/drivers/net/wireless/ath/ath9k/ar9003_calib.c linux-2.6.38.6/drivers/net/wireless/ath/ath9k/ar9003_calib.c
31598 --- linux-2.6.38.6/drivers/net/wireless/ath/ath9k/ar9003_calib.c 2011-03-14 21:20:32.000000000 -0400
31599 +++ linux-2.6.38.6/drivers/net/wireless/ath/ath9k/ar9003_calib.c 2011-05-16 21:47:08.000000000 -0400
31600 @@ -734,6 +734,8 @@ static void ar9003_hw_tx_iq_cal(struct a
31601 s32 i, j, ip, im, nmeasurement;
31602 u8 nchains = get_streams(common->tx_chainmask);
31604 + pax_track_stack();
31606 for (ip = 0; ip < MPASS; ip++) {
31607 REG_RMW_FIELD(ah, AR_PHY_TX_IQCAL_CONTROL_1,
31608 AR_PHY_TX_IQCAQL_CONTROL_1_IQCORR_I_Q_COFF_DELPT,
31609 @@ -856,6 +858,8 @@ static void ar9003_hw_tx_iq_cal_post_pro
31613 + pax_track_stack();
31615 for (i = 0; i < AR9300_MAX_CHAINS; i++) {
31616 if (ah->txchainmask & (1 << i))
31618 diff -urNp linux-2.6.38.6/drivers/net/wireless/ath/ath9k/ar9003_paprd.c linux-2.6.38.6/drivers/net/wireless/ath/ath9k/ar9003_paprd.c
31619 --- linux-2.6.38.6/drivers/net/wireless/ath/ath9k/ar9003_paprd.c 2011-03-14 21:20:32.000000000 -0400
31620 +++ linux-2.6.38.6/drivers/net/wireless/ath/ath9k/ar9003_paprd.c 2011-05-16 21:47:08.000000000 -0400
31621 @@ -356,6 +356,8 @@ static bool create_pa_curve(u32 *data_L,
31622 int theta_low_bin = 0;
31625 + pax_track_stack();
31627 /* disregard any bin that contains <= 16 samples */
31628 thresh_accum_cnt = 16;
31630 diff -urNp linux-2.6.38.6/drivers/net/wireless/ath/ath9k/debug.c linux-2.6.38.6/drivers/net/wireless/ath/ath9k/debug.c
31631 --- linux-2.6.38.6/drivers/net/wireless/ath/ath9k/debug.c 2011-03-14 21:20:32.000000000 -0400
31632 +++ linux-2.6.38.6/drivers/net/wireless/ath/ath9k/debug.c 2011-05-16 21:47:08.000000000 -0400
31633 @@ -321,6 +321,8 @@ static ssize_t read_file_interrupt(struc
31635 unsigned int len = 0;
31637 + pax_track_stack();
31639 if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) {
31640 len += snprintf(buf + len, sizeof(buf) - len,
31641 "%8s: %10u\n", "RXLP", sc->debug.stats.istats.rxlp);
31642 @@ -410,6 +412,8 @@ static ssize_t read_file_wiphy(struct fi
31646 + pax_track_stack();
31648 len += snprintf(buf + len, sizeof(buf) - len,
31649 "primary: %s (%s chan=%d ht=%d)\n",
31650 wiphy_name(sc->pri_wiphy->hw->wiphy),
31651 diff -urNp linux-2.6.38.6/drivers/net/wireless/ath/ath9k/htc_drv_main.c linux-2.6.38.6/drivers/net/wireless/ath/ath9k/htc_drv_main.c
31652 --- linux-2.6.38.6/drivers/net/wireless/ath/ath9k/htc_drv_main.c 2011-03-14 21:20:32.000000000 -0400
31653 +++ linux-2.6.38.6/drivers/net/wireless/ath/ath9k/htc_drv_main.c 2011-05-16 21:47:08.000000000 -0400
31654 @@ -620,6 +620,8 @@ static ssize_t read_file_tgt_stats(struc
31655 unsigned int len = 0;
31658 + pax_track_stack();
31660 memset(&cmd_rsp, 0, sizeof(cmd_rsp));
31662 WMI_CMD(WMI_TGT_STATS_CMDID);
31663 @@ -665,6 +667,8 @@ static ssize_t read_file_xmit(struct fil
31665 unsigned int len = 0;
31667 + pax_track_stack();
31669 len += snprintf(buf + len, sizeof(buf) - len,
31670 "%20s : %10u\n", "Buffers queued",
31671 priv->debug.tx_stats.buf_queued);
31672 @@ -714,6 +718,8 @@ static ssize_t read_file_recv(struct fil
31674 unsigned int len = 0;
31676 + pax_track_stack();
31678 len += snprintf(buf + len, sizeof(buf) - len,
31679 "%20s : %10u\n", "SKBs allocated",
31680 priv->debug.rx_stats.skb_allocated);
31681 diff -urNp linux-2.6.38.6/drivers/net/wireless/b43/debugfs.c linux-2.6.38.6/drivers/net/wireless/b43/debugfs.c
31682 --- linux-2.6.38.6/drivers/net/wireless/b43/debugfs.c 2011-03-14 21:20:32.000000000 -0400
31683 +++ linux-2.6.38.6/drivers/net/wireless/b43/debugfs.c 2011-04-28 19:34:15.000000000 -0400
31684 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
31685 struct b43_debugfs_fops {
31686 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
31687 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
31688 - struct file_operations fops;
31689 + const struct file_operations fops;
31690 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
31691 size_t file_struct_offset;
31693 diff -urNp linux-2.6.38.6/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.38.6/drivers/net/wireless/b43legacy/debugfs.c
31694 --- linux-2.6.38.6/drivers/net/wireless/b43legacy/debugfs.c 2011-03-14 21:20:32.000000000 -0400
31695 +++ linux-2.6.38.6/drivers/net/wireless/b43legacy/debugfs.c 2011-04-28 19:34:15.000000000 -0400
31696 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
31697 struct b43legacy_debugfs_fops {
31698 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
31699 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
31700 - struct file_operations fops;
31701 + const struct file_operations fops;
31702 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
31703 size_t file_struct_offset;
31704 /* Take wl->irq_lock before calling read/write? */
31705 diff -urNp linux-2.6.38.6/drivers/net/wireless/ipw2x00/ipw2100.c linux-2.6.38.6/drivers/net/wireless/ipw2x00/ipw2100.c
31706 --- linux-2.6.38.6/drivers/net/wireless/ipw2x00/ipw2100.c 2011-03-14 21:20:32.000000000 -0400
31707 +++ linux-2.6.38.6/drivers/net/wireless/ipw2x00/ipw2100.c 2011-05-16 21:47:08.000000000 -0400
31708 @@ -2101,6 +2101,8 @@ static int ipw2100_set_essid(struct ipw2
31710 DECLARE_SSID_BUF(ssid);
31712 + pax_track_stack();
31714 IPW_DEBUG_HC("SSID: '%s'\n", print_ssid(ssid, essid, ssid_len));
31717 @@ -5455,6 +5457,8 @@ static int ipw2100_set_key(struct ipw210
31718 struct ipw2100_wep_key *wep_key = (void *)cmd.host_command_parameters;
31721 + pax_track_stack();
31723 IPW_DEBUG_HC("WEP_KEY_INFO: index = %d, len = %d/%d\n",
31726 diff -urNp linux-2.6.38.6/drivers/net/wireless/ipw2x00/libipw_rx.c linux-2.6.38.6/drivers/net/wireless/ipw2x00/libipw_rx.c
31727 --- linux-2.6.38.6/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-03-14 21:20:32.000000000 -0400
31728 +++ linux-2.6.38.6/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-05-16 21:47:08.000000000 -0400
31729 @@ -1565,6 +1565,8 @@ static void libipw_process_probe_respons
31730 unsigned long flags;
31731 DECLARE_SSID_BUF(ssid);
31733 + pax_track_stack();
31735 LIBIPW_DEBUG_SCAN("'%s' (%pM"
31736 "): %c%c%c%c %c%c%c%c-%c%c%c%c %c%c%c%c\n",
31737 print_ssid(ssid, info_element->data, info_element->len),
31738 diff -urNp linux-2.6.38.6/drivers/net/wireless/iwlwifi/iwl-agn-rs.c linux-2.6.38.6/drivers/net/wireless/iwlwifi/iwl-agn-rs.c
31739 --- linux-2.6.38.6/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-03-14 21:20:32.000000000 -0400
31740 +++ linux-2.6.38.6/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-05-16 21:47:08.000000000 -0400
31741 @@ -883,6 +883,8 @@ static void rs_tx_status(void *priv_r, s
31742 struct iwl_station_priv *sta_priv = (void *)sta->drv_priv;
31743 struct iwl_rxon_context *ctx = sta_priv->common.ctx;
31745 + pax_track_stack();
31747 IWL_DEBUG_RATE_LIMIT(priv, "get frame ack response, update rate scale window\n");
31749 /* Treat uninitialized rate scaling data same as non-existing. */
31750 @@ -2892,6 +2894,8 @@ static void rs_fill_link_cmd(struct iwl_
31751 u8 valid_tx_ant = 0;
31752 struct iwl_link_quality_cmd *lq_cmd = &lq_sta->lq;
31754 + pax_track_stack();
31756 /* Override starting rate (index 0) if needed for debug purposes */
31757 rs_dbgfs_set_mcs(lq_sta, &new_rate, index);
31759 diff -urNp linux-2.6.38.6/drivers/net/wireless/iwlwifi/iwl-debugfs.c linux-2.6.38.6/drivers/net/wireless/iwlwifi/iwl-debugfs.c
31760 --- linux-2.6.38.6/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-03-14 21:20:32.000000000 -0400
31761 +++ linux-2.6.38.6/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-05-16 21:47:08.000000000 -0400
31762 @@ -518,6 +518,8 @@ static ssize_t iwl_dbgfs_status_read(str
31764 const size_t bufsz = sizeof(buf);
31766 + pax_track_stack();
31768 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_ACTIVE:\t %d\n",
31769 test_bit(STATUS_HCMD_ACTIVE, &priv->status));
31770 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_INT_ENABLED:\t %d\n",
31771 @@ -650,6 +652,8 @@ static ssize_t iwl_dbgfs_qos_read(struct
31772 char buf[256 * NUM_IWL_RXON_CTX];
31773 const size_t bufsz = sizeof(buf);
31775 + pax_track_stack();
31777 for_each_context(priv, ctx) {
31778 pos += scnprintf(buf + pos, bufsz - pos, "context %d:\n",
31780 diff -urNp linux-2.6.38.6/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.38.6/drivers/net/wireless/iwlwifi/iwl-debug.h
31781 --- linux-2.6.38.6/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-03-14 21:20:32.000000000 -0400
31782 +++ linux-2.6.38.6/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-04-28 19:34:15.000000000 -0400
31783 @@ -68,8 +68,8 @@ do {
31787 -#define IWL_DEBUG(__priv, level, fmt, args...)
31788 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
31789 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
31790 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
31791 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
31792 const void *p, u32 len)
31794 diff -urNp linux-2.6.38.6/drivers/net/wireless/iwmc3200wifi/debugfs.c linux-2.6.38.6/drivers/net/wireless/iwmc3200wifi/debugfs.c
31795 --- linux-2.6.38.6/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-03-14 21:20:32.000000000 -0400
31796 +++ linux-2.6.38.6/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-05-16 21:47:08.000000000 -0400
31797 @@ -327,6 +327,8 @@ static ssize_t iwm_debugfs_fw_err_read(s
31801 + pax_track_stack();
31805 if (count < sizeof(buf))
31806 diff -urNp linux-2.6.38.6/drivers/net/wireless/libertas/debugfs.c linux-2.6.38.6/drivers/net/wireless/libertas/debugfs.c
31807 --- linux-2.6.38.6/drivers/net/wireless/libertas/debugfs.c 2011-03-14 21:20:32.000000000 -0400
31808 +++ linux-2.6.38.6/drivers/net/wireless/libertas/debugfs.c 2011-04-28 19:34:15.000000000 -0400
31809 @@ -702,7 +702,7 @@ out_unlock:
31810 struct lbs_debugfs_files {
31813 - struct file_operations fops;
31814 + const struct file_operations fops;
31817 static const struct lbs_debugfs_files debugfs_files[] = {
31818 diff -urNp linux-2.6.38.6/drivers/net/wireless/rndis_wlan.c linux-2.6.38.6/drivers/net/wireless/rndis_wlan.c
31819 --- linux-2.6.38.6/drivers/net/wireless/rndis_wlan.c 2011-03-14 21:20:32.000000000 -0400
31820 +++ linux-2.6.38.6/drivers/net/wireless/rndis_wlan.c 2011-04-28 19:34:15.000000000 -0400
31821 @@ -1277,7 +1277,7 @@ static int set_rts_threshold(struct usbn
31823 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
31825 - if (rts_threshold < 0 || rts_threshold > 2347)
31826 + if (rts_threshold > 2347)
31827 rts_threshold = 2347;
31829 tmp = cpu_to_le32(rts_threshold);
31830 diff -urNp linux-2.6.38.6/drivers/net/wireless/rtlwifi/rtl8192ce/phy.c linux-2.6.38.6/drivers/net/wireless/rtlwifi/rtl8192ce/phy.c
31831 --- linux-2.6.38.6/drivers/net/wireless/rtlwifi/rtl8192ce/phy.c 2011-03-14 21:20:32.000000000 -0400
31832 +++ linux-2.6.38.6/drivers/net/wireless/rtlwifi/rtl8192ce/phy.c 2011-05-16 21:47:08.000000000 -0400
31833 @@ -1277,6 +1277,8 @@ static bool _rtl92c_phy_sw_chnl_step_by_
31835 u8 num_total_rfpath = rtlphy->num_total_rfpath;
31837 + pax_track_stack();
31839 precommoncmdcnt = 0;
31840 _rtl92c_phy_set_sw_chnl_cmdarray(precommoncmd, precommoncmdcnt++,
31842 diff -urNp linux-2.6.38.6/drivers/net/wireless/wl12xx/spi.c linux-2.6.38.6/drivers/net/wireless/wl12xx/spi.c
31843 --- linux-2.6.38.6/drivers/net/wireless/wl12xx/spi.c 2011-03-14 21:20:32.000000000 -0400
31844 +++ linux-2.6.38.6/drivers/net/wireless/wl12xx/spi.c 2011-05-16 21:47:08.000000000 -0400
31845 @@ -279,6 +279,8 @@ static void wl1271_spi_raw_write(struct
31849 + pax_track_stack();
31851 WARN_ON(len > WL1271_AGGR_BUFFER_SIZE);
31853 spi_message_init(&m);
31854 diff -urNp linux-2.6.38.6/drivers/oprofile/buffer_sync.c linux-2.6.38.6/drivers/oprofile/buffer_sync.c
31855 --- linux-2.6.38.6/drivers/oprofile/buffer_sync.c 2011-03-14 21:20:32.000000000 -0400
31856 +++ linux-2.6.38.6/drivers/oprofile/buffer_sync.c 2011-04-28 19:34:15.000000000 -0400
31857 @@ -342,7 +342,7 @@ static void add_data(struct op_entry *en
31858 if (cookie == NO_COOKIE)
31860 if (cookie == INVALID_COOKIE) {
31861 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
31862 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
31865 if (cookie != last_cookie) {
31866 @@ -386,14 +386,14 @@ add_sample(struct mm_struct *mm, struct
31867 /* add userspace sample */
31870 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
31871 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
31875 cookie = lookup_dcookie(mm, s->eip, &offset);
31877 if (cookie == INVALID_COOKIE) {
31878 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
31879 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
31883 @@ -562,7 +562,7 @@ void sync_buffer(int cpu)
31884 /* ignore backtraces if failed to add a sample */
31885 if (state == sb_bt_start) {
31886 state = sb_bt_ignore;
31887 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
31888 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
31892 diff -urNp linux-2.6.38.6/drivers/oprofile/event_buffer.c linux-2.6.38.6/drivers/oprofile/event_buffer.c
31893 --- linux-2.6.38.6/drivers/oprofile/event_buffer.c 2011-03-14 21:20:32.000000000 -0400
31894 +++ linux-2.6.38.6/drivers/oprofile/event_buffer.c 2011-04-28 19:34:15.000000000 -0400
31895 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
31898 if (buffer_pos == buffer_size) {
31899 - atomic_inc(&oprofile_stats.event_lost_overflow);
31900 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
31904 diff -urNp linux-2.6.38.6/drivers/oprofile/oprof.c linux-2.6.38.6/drivers/oprofile/oprof.c
31905 --- linux-2.6.38.6/drivers/oprofile/oprof.c 2011-03-14 21:20:32.000000000 -0400
31906 +++ linux-2.6.38.6/drivers/oprofile/oprof.c 2011-04-28 19:34:15.000000000 -0400
31907 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
31908 if (oprofile_ops.switch_events())
31911 - atomic_inc(&oprofile_stats.multiplex_counter);
31912 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
31913 start_switch_worker();
31916 diff -urNp linux-2.6.38.6/drivers/oprofile/oprofilefs.c linux-2.6.38.6/drivers/oprofile/oprofilefs.c
31917 --- linux-2.6.38.6/drivers/oprofile/oprofilefs.c 2011-03-14 21:20:32.000000000 -0400
31918 +++ linux-2.6.38.6/drivers/oprofile/oprofilefs.c 2011-04-28 19:34:15.000000000 -0400
31919 @@ -186,7 +186,7 @@ static const struct file_operations atom
31922 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
31923 - char const *name, atomic_t *val)
31924 + char const *name, atomic_unchecked_t *val)
31926 return __oprofilefs_create_file(sb, root, name,
31927 &atomic_ro_fops, 0444, val);
31928 diff -urNp linux-2.6.38.6/drivers/oprofile/oprofile_stats.c linux-2.6.38.6/drivers/oprofile/oprofile_stats.c
31929 --- linux-2.6.38.6/drivers/oprofile/oprofile_stats.c 2011-03-14 21:20:32.000000000 -0400
31930 +++ linux-2.6.38.6/drivers/oprofile/oprofile_stats.c 2011-04-28 19:34:15.000000000 -0400
31931 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
31932 cpu_buf->sample_invalid_eip = 0;
31935 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
31936 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
31937 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
31938 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
31939 - atomic_set(&oprofile_stats.multiplex_counter, 0);
31940 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
31941 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
31942 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
31943 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
31944 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
31948 diff -urNp linux-2.6.38.6/drivers/oprofile/oprofile_stats.h linux-2.6.38.6/drivers/oprofile/oprofile_stats.h
31949 --- linux-2.6.38.6/drivers/oprofile/oprofile_stats.h 2011-03-14 21:20:32.000000000 -0400
31950 +++ linux-2.6.38.6/drivers/oprofile/oprofile_stats.h 2011-04-28 19:34:15.000000000 -0400
31951 @@ -13,11 +13,11 @@
31952 #include <asm/atomic.h>
31954 struct oprofile_stat_struct {
31955 - atomic_t sample_lost_no_mm;
31956 - atomic_t sample_lost_no_mapping;
31957 - atomic_t bt_lost_no_mapping;
31958 - atomic_t event_lost_overflow;
31959 - atomic_t multiplex_counter;
31960 + atomic_unchecked_t sample_lost_no_mm;
31961 + atomic_unchecked_t sample_lost_no_mapping;
31962 + atomic_unchecked_t bt_lost_no_mapping;
31963 + atomic_unchecked_t event_lost_overflow;
31964 + atomic_unchecked_t multiplex_counter;
31967 extern struct oprofile_stat_struct oprofile_stats;
31968 diff -urNp linux-2.6.38.6/drivers/parport/procfs.c linux-2.6.38.6/drivers/parport/procfs.c
31969 --- linux-2.6.38.6/drivers/parport/procfs.c 2011-03-14 21:20:32.000000000 -0400
31970 +++ linux-2.6.38.6/drivers/parport/procfs.c 2011-04-28 19:34:15.000000000 -0400
31971 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
31975 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
31976 + return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
31979 #ifdef CONFIG_PARPORT_1284
31980 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
31984 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
31985 + return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
31987 #endif /* IEEE1284.3 support. */
31989 diff -urNp linux-2.6.38.6/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.38.6/drivers/pci/hotplug/acpiphp_glue.c
31990 --- linux-2.6.38.6/drivers/pci/hotplug/acpiphp_glue.c 2011-04-18 17:27:16.000000000 -0400
31991 +++ linux-2.6.38.6/drivers/pci/hotplug/acpiphp_glue.c 2011-04-28 19:34:15.000000000 -0400
31992 @@ -110,7 +110,7 @@ static int post_dock_fixups(struct notif
31996 -static struct acpi_dock_ops acpiphp_dock_ops = {
31997 +static const struct acpi_dock_ops acpiphp_dock_ops = {
31998 .handler = handle_hotplug_event_func,
32001 diff -urNp linux-2.6.38.6/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.38.6/drivers/pci/hotplug/cpqphp_nvram.c
32002 --- linux-2.6.38.6/drivers/pci/hotplug/cpqphp_nvram.c 2011-03-14 21:20:32.000000000 -0400
32003 +++ linux-2.6.38.6/drivers/pci/hotplug/cpqphp_nvram.c 2011-04-28 19:34:15.000000000 -0400
32004 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
32006 void compaq_nvram_init (void __iomem *rom_start)
32009 +#ifndef CONFIG_PAX_KERNEXEC
32011 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
32015 dbg("int15 entry = %p\n", compaq_int15_entry_point);
32017 /* initialize our int15 lock */
32018 diff -urNp linux-2.6.38.6/drivers/pci/intel-iommu.c linux-2.6.38.6/drivers/pci/intel-iommu.c
32019 --- linux-2.6.38.6/drivers/pci/intel-iommu.c 2011-05-10 22:06:27.000000000 -0400
32020 +++ linux-2.6.38.6/drivers/pci/intel-iommu.c 2011-05-10 22:06:56.000000000 -0400
32021 @@ -2934,7 +2934,7 @@ static int intel_mapping_error(struct de
32025 -struct dma_map_ops intel_dma_ops = {
32026 +const struct dma_map_ops intel_dma_ops = {
32027 .alloc_coherent = intel_alloc_coherent,
32028 .free_coherent = intel_free_coherent,
32029 .map_sg = intel_map_sg,
32030 diff -urNp linux-2.6.38.6/drivers/pci/pcie/aspm.c linux-2.6.38.6/drivers/pci/pcie/aspm.c
32031 --- linux-2.6.38.6/drivers/pci/pcie/aspm.c 2011-04-18 17:27:18.000000000 -0400
32032 +++ linux-2.6.38.6/drivers/pci/pcie/aspm.c 2011-04-28 19:34:15.000000000 -0400
32034 #define MODULE_PARAM_PREFIX "pcie_aspm."
32036 /* Note: those are not register definitions */
32037 -#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
32038 -#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
32039 -#define ASPM_STATE_L1 (4) /* L1 state */
32040 +#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
32041 +#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
32042 +#define ASPM_STATE_L1 (4U) /* L1 state */
32043 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
32044 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
32046 diff -urNp linux-2.6.38.6/drivers/pci/probe.c linux-2.6.38.6/drivers/pci/probe.c
32047 --- linux-2.6.38.6/drivers/pci/probe.c 2011-03-14 21:20:32.000000000 -0400
32048 +++ linux-2.6.38.6/drivers/pci/probe.c 2011-04-28 19:34:15.000000000 -0400
32049 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
32053 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
32054 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
32055 struct device_attribute *attr,
32058 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
32061 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
32062 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
32063 struct device_attribute *attr,
32066 @@ -165,7 +165,7 @@ int __pci_read_base(struct pci_dev *dev,
32070 - mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
32071 + mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
32073 if (!dev->mmio_always_on) {
32074 pci_read_config_word(dev, PCI_COMMAND, &orig_cmd);
32075 diff -urNp linux-2.6.38.6/drivers/pci/proc.c linux-2.6.38.6/drivers/pci/proc.c
32076 --- linux-2.6.38.6/drivers/pci/proc.c 2011-03-14 21:20:32.000000000 -0400
32077 +++ linux-2.6.38.6/drivers/pci/proc.c 2011-04-28 19:34:15.000000000 -0400
32078 @@ -476,7 +476,16 @@ static const struct file_operations proc
32079 static int __init pci_proc_init(void)
32081 struct pci_dev *dev = NULL;
32083 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
32084 +#ifdef CONFIG_GRKERNSEC_PROC_USER
32085 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
32086 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32087 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
32090 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
32092 proc_create("devices", 0, proc_bus_pci_dir,
32093 &proc_bus_pci_dev_operations);
32094 proc_initialized = 1;
32095 diff -urNp linux-2.6.38.6/drivers/pci/xen-pcifront.c linux-2.6.38.6/drivers/pci/xen-pcifront.c
32096 --- linux-2.6.38.6/drivers/pci/xen-pcifront.c 2011-03-14 21:20:32.000000000 -0400
32097 +++ linux-2.6.38.6/drivers/pci/xen-pcifront.c 2011-05-16 21:47:08.000000000 -0400
32098 @@ -187,6 +187,8 @@ static int pcifront_bus_read(struct pci_
32099 struct pcifront_sd *sd = bus->sysdata;
32100 struct pcifront_device *pdev = pcifront_get_pdev(sd);
32102 + pax_track_stack();
32104 if (verbose_request)
32105 dev_info(&pdev->xdev->dev,
32106 "read dev=%04x:%02x:%02x.%01x - offset %x size %d\n",
32107 @@ -226,6 +228,8 @@ static int pcifront_bus_write(struct pci
32108 struct pcifront_sd *sd = bus->sysdata;
32109 struct pcifront_device *pdev = pcifront_get_pdev(sd);
32111 + pax_track_stack();
32113 if (verbose_request)
32114 dev_info(&pdev->xdev->dev,
32115 "write dev=%04x:%02x:%02x.%01x - "
32116 @@ -258,6 +262,8 @@ static int pci_frontend_enable_msix(stru
32117 struct pcifront_device *pdev = pcifront_get_pdev(sd);
32118 struct msi_desc *entry;
32120 + pax_track_stack();
32122 if (nvec > SH_INFO_MAX_VEC) {
32123 dev_err(&dev->dev, "too much vector for pci frontend: %x."
32124 " Increase SH_INFO_MAX_VEC.\n", nvec);
32125 @@ -303,6 +309,8 @@ static void pci_frontend_disable_msix(st
32126 struct pcifront_sd *sd = dev->bus->sysdata;
32127 struct pcifront_device *pdev = pcifront_get_pdev(sd);
32129 + pax_track_stack();
32131 err = do_pci_op(pdev, &op);
32133 /* What should do for error ? */
32134 @@ -322,6 +330,8 @@ static int pci_frontend_enable_msi(struc
32135 struct pcifront_sd *sd = dev->bus->sysdata;
32136 struct pcifront_device *pdev = pcifront_get_pdev(sd);
32138 + pax_track_stack();
32140 err = do_pci_op(pdev, &op);
32141 if (likely(!err)) {
32142 *(*vector) = op.value;
32143 diff -urNp linux-2.6.38.6/drivers/platform/x86/asus-laptop.c linux-2.6.38.6/drivers/platform/x86/asus-laptop.c
32144 --- linux-2.6.38.6/drivers/platform/x86/asus-laptop.c 2011-03-14 21:20:32.000000000 -0400
32145 +++ linux-2.6.38.6/drivers/platform/x86/asus-laptop.c 2011-04-28 19:34:15.000000000 -0400
32146 @@ -243,7 +243,6 @@ struct asus_laptop {
32147 struct asus_led gled;
32148 struct asus_led kled;
32149 struct workqueue_struct *led_workqueue;
32151 int wireless_status;
32154 diff -urNp linux-2.6.38.6/drivers/pnp/pnpbios/bioscalls.c linux-2.6.38.6/drivers/pnp/pnpbios/bioscalls.c
32155 --- linux-2.6.38.6/drivers/pnp/pnpbios/bioscalls.c 2011-03-14 21:20:32.000000000 -0400
32156 +++ linux-2.6.38.6/drivers/pnp/pnpbios/bioscalls.c 2011-04-28 19:34:15.000000000 -0400
32157 @@ -59,7 +59,7 @@ do { \
32158 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
32161 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
32162 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
32163 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
32166 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
32169 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
32171 + pax_open_kernel();
32172 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
32173 + pax_close_kernel();
32175 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
32176 spin_lock_irqsave(&pnp_bios_lock, flags);
32177 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
32179 spin_unlock_irqrestore(&pnp_bios_lock, flags);
32181 + pax_open_kernel();
32182 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
32183 + pax_close_kernel();
32187 /* If we get here and this is set then the PnP BIOS faulted on us. */
32188 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
32192 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
32193 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
32197 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
32198 pnp_bios_callpoint.offset = header->fields.pm16offset;
32199 pnp_bios_callpoint.segment = PNP_CS16;
32201 + pax_open_kernel();
32203 for_each_possible_cpu(i) {
32204 struct desc_struct *gdt = get_cpu_gdt_table(i);
32206 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
32207 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
32208 (unsigned long)__va(header->fields.pm16dseg));
32211 + pax_close_kernel();
32213 diff -urNp linux-2.6.38.6/drivers/pnp/resource.c linux-2.6.38.6/drivers/pnp/resource.c
32214 --- linux-2.6.38.6/drivers/pnp/resource.c 2011-03-14 21:20:32.000000000 -0400
32215 +++ linux-2.6.38.6/drivers/pnp/resource.c 2011-04-28 19:34:15.000000000 -0400
32216 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
32219 /* check if the resource is valid */
32220 - if (*irq < 0 || *irq > 15)
32224 /* check if the resource is reserved */
32225 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
32228 /* check if the resource is valid */
32229 - if (*dma < 0 || *dma == 4 || *dma > 7)
32230 + if (*dma == 4 || *dma > 7)
32233 /* check if the resource is reserved */
32234 diff -urNp linux-2.6.38.6/drivers/rtc/rtc-dev.c linux-2.6.38.6/drivers/rtc/rtc-dev.c
32235 --- linux-2.6.38.6/drivers/rtc/rtc-dev.c 2011-03-14 21:20:32.000000000 -0400
32236 +++ linux-2.6.38.6/drivers/rtc/rtc-dev.c 2011-04-28 19:34:15.000000000 -0400
32238 #include <linux/module.h>
32239 #include <linux/rtc.h>
32240 #include <linux/sched.h>
32241 +#include <linux/grsecurity.h>
32242 #include "rtc-core.h"
32244 static dev_t rtc_devt;
32245 @@ -345,6 +346,8 @@ static long rtc_dev_ioctl(struct file *f
32246 if (copy_from_user(&tm, uarg, sizeof(tm)))
32249 + gr_log_timechange();
32251 return rtc_set_time(rtc, &tm);
32254 diff -urNp linux-2.6.38.6/drivers/s390/cio/qdio_debug.c linux-2.6.38.6/drivers/s390/cio/qdio_debug.c
32255 --- linux-2.6.38.6/drivers/s390/cio/qdio_debug.c 2011-03-14 21:20:32.000000000 -0400
32256 +++ linux-2.6.38.6/drivers/s390/cio/qdio_debug.c 2011-04-28 19:34:15.000000000 -0400
32257 @@ -225,7 +225,7 @@ static int qperf_seq_open(struct inode *
32258 filp->f_path.dentry->d_inode->i_private);
32261 -static struct file_operations debugfs_perf_fops = {
32262 +static const struct file_operations debugfs_perf_fops = {
32263 .owner = THIS_MODULE,
32264 .open = qperf_seq_open,
32266 diff -urNp linux-2.6.38.6/drivers/scsi/aacraid/commctrl.c linux-2.6.38.6/drivers/scsi/aacraid/commctrl.c
32267 --- linux-2.6.38.6/drivers/scsi/aacraid/commctrl.c 2011-03-14 21:20:32.000000000 -0400
32268 +++ linux-2.6.38.6/drivers/scsi/aacraid/commctrl.c 2011-05-16 21:47:08.000000000 -0400
32269 @@ -481,6 +481,7 @@ static int aac_send_raw_srb(struct aac_d
32270 u32 actual_fibsize64, actual_fibsize = 0;
32273 + pax_track_stack();
32275 if (dev->in_reset) {
32276 dprintk((KERN_DEBUG"aacraid: send raw srb -EBUSY\n"));
32277 diff -urNp linux-2.6.38.6/drivers/scsi/aic94xx/aic94xx_init.c linux-2.6.38.6/drivers/scsi/aic94xx/aic94xx_init.c
32278 --- linux-2.6.38.6/drivers/scsi/aic94xx/aic94xx_init.c 2011-03-14 21:20:32.000000000 -0400
32279 +++ linux-2.6.38.6/drivers/scsi/aic94xx/aic94xx_init.c 2011-04-28 19:34:15.000000000 -0400
32280 @@ -486,7 +486,7 @@ static ssize_t asd_show_update_bios(stru
32281 flash_error_table[i].reason);
32284 -static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUGO,
32285 +static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUSR,
32286 asd_show_update_bios, asd_store_update_bios);
32288 static int asd_create_dev_attrs(struct asd_ha_struct *asd_ha)
32289 diff -urNp linux-2.6.38.6/drivers/scsi/bfa/bfad.c linux-2.6.38.6/drivers/scsi/bfa/bfad.c
32290 --- linux-2.6.38.6/drivers/scsi/bfa/bfad.c 2011-03-14 21:20:32.000000000 -0400
32291 +++ linux-2.6.38.6/drivers/scsi/bfa/bfad.c 2011-05-16 21:47:08.000000000 -0400
32292 @@ -1027,6 +1027,8 @@ bfad_start_ops(struct bfad_s *bfad) {
32293 struct bfad_vport_s *vport, *vport_new;
32294 struct bfa_fcs_driver_info_s driver_info;
32296 + pax_track_stack();
32298 /* Fill the driver_info info to fcs*/
32299 memset(&driver_info, 0, sizeof(driver_info));
32300 strncpy(driver_info.version, BFAD_DRIVER_VERSION,
32301 diff -urNp linux-2.6.38.6/drivers/scsi/bfa/bfa_fcs_lport.c linux-2.6.38.6/drivers/scsi/bfa/bfa_fcs_lport.c
32302 --- linux-2.6.38.6/drivers/scsi/bfa/bfa_fcs_lport.c 2011-03-14 21:20:32.000000000 -0400
32303 +++ linux-2.6.38.6/drivers/scsi/bfa/bfa_fcs_lport.c 2011-05-16 21:47:08.000000000 -0400
32304 @@ -1559,6 +1559,8 @@ bfa_fcs_lport_fdmi_build_rhba_pyld(struc
32308 + pax_track_stack();
32311 * get hba attributes
32313 @@ -1836,6 +1838,8 @@ bfa_fcs_lport_fdmi_build_portattr_block(
32317 + pax_track_stack();
32320 * get port attributes
32322 diff -urNp linux-2.6.38.6/drivers/scsi/bfa/bfa_fcs_rport.c linux-2.6.38.6/drivers/scsi/bfa/bfa_fcs_rport.c
32323 --- linux-2.6.38.6/drivers/scsi/bfa/bfa_fcs_rport.c 2011-03-14 21:20:32.000000000 -0400
32324 +++ linux-2.6.38.6/drivers/scsi/bfa/bfa_fcs_rport.c 2011-05-16 21:47:08.000000000 -0400
32325 @@ -1844,6 +1844,8 @@ bfa_fcs_rport_process_rpsc(struct bfa_fc
32326 struct fc_rpsc_speed_info_s speeds;
32327 struct bfa_port_attr_s pport_attr;
32329 + pax_track_stack();
32331 bfa_trc(port->fcs, rx_fchs->s_id);
32332 bfa_trc(port->fcs, rx_fchs->d_id);
32334 diff -urNp linux-2.6.38.6/drivers/scsi/BusLogic.c linux-2.6.38.6/drivers/scsi/BusLogic.c
32335 --- linux-2.6.38.6/drivers/scsi/BusLogic.c 2011-03-14 21:20:32.000000000 -0400
32336 +++ linux-2.6.38.6/drivers/scsi/BusLogic.c 2011-05-16 21:47:08.000000000 -0400
32337 @@ -962,6 +962,8 @@ static int __init BusLogic_InitializeFla
32338 static void __init BusLogic_InitializeProbeInfoList(struct BusLogic_HostAdapter
32339 *PrototypeHostAdapter)
32341 + pax_track_stack();
32344 If a PCI BIOS is present, interrogate it for MultiMaster and FlashPoint
32345 Host Adapters; otherwise, default to the standard ISA MultiMaster probe.
32346 diff -urNp linux-2.6.38.6/drivers/scsi/dpt_i2o.c linux-2.6.38.6/drivers/scsi/dpt_i2o.c
32347 --- linux-2.6.38.6/drivers/scsi/dpt_i2o.c 2011-03-14 21:20:32.000000000 -0400
32348 +++ linux-2.6.38.6/drivers/scsi/dpt_i2o.c 2011-05-16 21:47:08.000000000 -0400
32349 @@ -1811,6 +1811,8 @@ static int adpt_i2o_passthru(adpt_hba* p
32353 + pax_track_stack();
32355 memset(&msg, 0, MAX_MESSAGE_SIZE*4);
32356 // get user msg size in u32s
32357 if(get_user(size, &user_msg[0])){
32358 @@ -2317,6 +2319,8 @@ static s32 adpt_scsi_to_i2o(adpt_hba* pH
32362 + pax_track_stack();
32364 memset(msg, 0 , sizeof(msg));
32365 len = scsi_bufflen(cmd);
32366 direction = 0x00000000;
32367 diff -urNp linux-2.6.38.6/drivers/scsi/eata.c linux-2.6.38.6/drivers/scsi/eata.c
32368 --- linux-2.6.38.6/drivers/scsi/eata.c 2011-03-14 21:20:32.000000000 -0400
32369 +++ linux-2.6.38.6/drivers/scsi/eata.c 2011-05-16 21:47:08.000000000 -0400
32370 @@ -1087,6 +1087,8 @@ static int port_detect(unsigned long por
32371 struct hostdata *ha;
32374 + pax_track_stack();
32376 sprintf(name, "%s%d", driver_name, j);
32378 if (!request_region(port_base, REGION_SIZE, driver_name)) {
32379 diff -urNp linux-2.6.38.6/drivers/scsi/fcoe/libfcoe.c linux-2.6.38.6/drivers/scsi/fcoe/libfcoe.c
32380 --- linux-2.6.38.6/drivers/scsi/fcoe/libfcoe.c 2011-03-14 21:20:32.000000000 -0400
32381 +++ linux-2.6.38.6/drivers/scsi/fcoe/libfcoe.c 2011-05-16 21:47:08.000000000 -0400
32382 @@ -2484,6 +2484,8 @@ static int fcoe_ctlr_vn_recv(struct fcoe
32386 + pax_track_stack();
32388 fiph = (struct fip_header *)skb->data;
32389 sub = fiph->fip_subcode;
32391 diff -urNp linux-2.6.38.6/drivers/scsi/gdth.c linux-2.6.38.6/drivers/scsi/gdth.c
32392 --- linux-2.6.38.6/drivers/scsi/gdth.c 2011-03-14 21:20:32.000000000 -0400
32393 +++ linux-2.6.38.6/drivers/scsi/gdth.c 2011-05-16 21:47:08.000000000 -0400
32394 @@ -4107,6 +4107,8 @@ static int ioc_lockdrv(void __user *arg)
32395 unsigned long flags;
32398 + pax_track_stack();
32400 if (copy_from_user(&ldrv, arg, sizeof(gdth_ioctl_lockdrv)))
32402 ha = gdth_find_ha(ldrv.ionode);
32403 @@ -4139,6 +4141,8 @@ static int ioc_resetdrv(void __user *arg
32407 + pax_track_stack();
32409 if (copy_from_user(&res, arg, sizeof(gdth_ioctl_reset)) ||
32410 res.number >= MAX_HDRIVES)
32412 @@ -4174,6 +4178,8 @@ static int ioc_general(void __user *arg,
32416 + pax_track_stack();
32418 if (copy_from_user(&gen, arg, sizeof(gdth_ioctl_general)))
32420 ha = gdth_find_ha(gen.ionode);
32421 @@ -4642,6 +4648,9 @@ static void gdth_flush(gdth_ha_str *ha)
32423 gdth_cmd_str gdtcmd;
32424 char cmnd[MAX_COMMAND_SIZE];
32426 + pax_track_stack();
32428 memset(cmnd, 0xff, MAX_COMMAND_SIZE);
32430 TRACE2(("gdth_flush() hanum %d\n", ha->hanum));
32431 diff -urNp linux-2.6.38.6/drivers/scsi/gdth_proc.c linux-2.6.38.6/drivers/scsi/gdth_proc.c
32432 --- linux-2.6.38.6/drivers/scsi/gdth_proc.c 2011-03-14 21:20:32.000000000 -0400
32433 +++ linux-2.6.38.6/drivers/scsi/gdth_proc.c 2011-05-16 21:47:08.000000000 -0400
32434 @@ -47,6 +47,9 @@ static int gdth_set_asc_info(struct Scsi
32437 char cmnd[MAX_COMMAND_SIZE];
32439 + pax_track_stack();
32441 memset(cmnd, 0xff, 12);
32442 memset(&gdtcmd, 0, sizeof(gdth_cmd_str));
32444 @@ -175,6 +178,8 @@ static int gdth_get_info(char *buffer,ch
32445 gdth_hget_str *phg;
32446 char cmnd[MAX_COMMAND_SIZE];
32448 + pax_track_stack();
32450 gdtcmd = kmalloc(sizeof(*gdtcmd), GFP_KERNEL);
32451 estr = kmalloc(sizeof(*estr), GFP_KERNEL);
32452 if (!gdtcmd || !estr)
32453 diff -urNp linux-2.6.38.6/drivers/scsi/hosts.c linux-2.6.38.6/drivers/scsi/hosts.c
32454 --- linux-2.6.38.6/drivers/scsi/hosts.c 2011-03-14 21:20:32.000000000 -0400
32455 +++ linux-2.6.38.6/drivers/scsi/hosts.c 2011-04-28 19:57:25.000000000 -0400
32457 #include "scsi_logging.h"
32460 -static atomic_t scsi_host_next_hn; /* host_no for next new host */
32461 +static atomic_unchecked_t scsi_host_next_hn; /* host_no for next new host */
32464 static void scsi_host_cls_release(struct device *dev)
32465 @@ -354,7 +354,7 @@ struct Scsi_Host *scsi_host_alloc(struct
32466 * subtract one because we increment first then return, but we need to
32467 * know what the next host number was before increment
32469 - shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
32470 + shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
32471 shost->dma_channel = 0xff;
32473 /* These three are default values which can be overridden */
32474 diff -urNp linux-2.6.38.6/drivers/scsi/hpsa.c linux-2.6.38.6/drivers/scsi/hpsa.c
32475 --- linux-2.6.38.6/drivers/scsi/hpsa.c 2011-03-14 21:20:32.000000000 -0400
32476 +++ linux-2.6.38.6/drivers/scsi/hpsa.c 2011-04-28 19:34:15.000000000 -0400
32477 @@ -2281,6 +2281,8 @@ static int hpsa_ioctl32_passthru(struct
32481 + memset(&arg64, 0, sizeof(arg64));
32484 err |= copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
32485 sizeof(arg64.LUN_info));
32486 diff -urNp linux-2.6.38.6/drivers/scsi/ipr.c linux-2.6.38.6/drivers/scsi/ipr.c
32487 --- linux-2.6.38.6/drivers/scsi/ipr.c 2011-03-14 21:20:32.000000000 -0400
32488 +++ linux-2.6.38.6/drivers/scsi/ipr.c 2011-04-28 19:34:15.000000000 -0400
32489 @@ -6207,7 +6207,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
32493 -static struct ata_port_operations ipr_sata_ops = {
32494 +static const struct ata_port_operations ipr_sata_ops = {
32495 .phy_reset = ipr_ata_phy_reset,
32496 .hardreset = ipr_sata_reset,
32497 .post_internal_cmd = ipr_ata_post_internal,
32498 diff -urNp linux-2.6.38.6/drivers/scsi/libfc/fc_exch.c linux-2.6.38.6/drivers/scsi/libfc/fc_exch.c
32499 --- linux-2.6.38.6/drivers/scsi/libfc/fc_exch.c 2011-03-14 21:20:32.000000000 -0400
32500 +++ linux-2.6.38.6/drivers/scsi/libfc/fc_exch.c 2011-04-28 19:34:15.000000000 -0400
32501 @@ -105,12 +105,12 @@ struct fc_exch_mgr {
32502 * all together if not used XXX
32505 - atomic_t no_free_exch;
32506 - atomic_t no_free_exch_xid;
32507 - atomic_t xid_not_found;
32508 - atomic_t xid_busy;
32509 - atomic_t seq_not_found;
32510 - atomic_t non_bls_resp;
32511 + atomic_unchecked_t no_free_exch;
32512 + atomic_unchecked_t no_free_exch_xid;
32513 + atomic_unchecked_t xid_not_found;
32514 + atomic_unchecked_t xid_busy;
32515 + atomic_unchecked_t seq_not_found;
32516 + atomic_unchecked_t non_bls_resp;
32520 @@ -687,7 +687,7 @@ static struct fc_exch *fc_exch_em_alloc(
32521 /* allocate memory for exchange */
32522 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
32524 - atomic_inc(&mp->stats.no_free_exch);
32525 + atomic_inc_unchecked(&mp->stats.no_free_exch);
32528 memset(ep, 0, sizeof(*ep));
32529 @@ -748,7 +748,7 @@ out:
32532 spin_unlock_bh(&pool->lock);
32533 - atomic_inc(&mp->stats.no_free_exch_xid);
32534 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
32535 mempool_free(ep, mp->ep_pool);
32538 @@ -893,7 +893,7 @@ static enum fc_pf_rjt_reason fc_seq_look
32539 xid = ntohs(fh->fh_ox_id); /* we originated exch */
32540 ep = fc_exch_find(mp, xid);
32542 - atomic_inc(&mp->stats.xid_not_found);
32543 + atomic_inc_unchecked(&mp->stats.xid_not_found);
32544 reject = FC_RJT_OX_ID;
32547 @@ -923,7 +923,7 @@ static enum fc_pf_rjt_reason fc_seq_look
32548 ep = fc_exch_find(mp, xid);
32549 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
32551 - atomic_inc(&mp->stats.xid_busy);
32552 + atomic_inc_unchecked(&mp->stats.xid_busy);
32553 reject = FC_RJT_RX_ID;
32556 @@ -934,7 +934,7 @@ static enum fc_pf_rjt_reason fc_seq_look
32558 xid = ep->xid; /* get our XID */
32560 - atomic_inc(&mp->stats.xid_not_found);
32561 + atomic_inc_unchecked(&mp->stats.xid_not_found);
32562 reject = FC_RJT_RX_ID; /* XID not found */
32565 @@ -951,7 +951,7 @@ static enum fc_pf_rjt_reason fc_seq_look
32568 if (sp->id != fh->fh_seq_id) {
32569 - atomic_inc(&mp->stats.seq_not_found);
32570 + atomic_inc_unchecked(&mp->stats.seq_not_found);
32571 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
32574 @@ -1368,22 +1368,22 @@ static void fc_exch_recv_seq_resp(struct
32576 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
32578 - atomic_inc(&mp->stats.xid_not_found);
32579 + atomic_inc_unchecked(&mp->stats.xid_not_found);
32582 if (ep->esb_stat & ESB_ST_COMPLETE) {
32583 - atomic_inc(&mp->stats.xid_not_found);
32584 + atomic_inc_unchecked(&mp->stats.xid_not_found);
32587 if (ep->rxid == FC_XID_UNKNOWN)
32588 ep->rxid = ntohs(fh->fh_rx_id);
32589 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
32590 - atomic_inc(&mp->stats.xid_not_found);
32591 + atomic_inc_unchecked(&mp->stats.xid_not_found);
32594 if (ep->did != ntoh24(fh->fh_s_id) &&
32595 ep->did != FC_FID_FLOGI) {
32596 - atomic_inc(&mp->stats.xid_not_found);
32597 + atomic_inc_unchecked(&mp->stats.xid_not_found);
32601 @@ -1392,7 +1392,7 @@ static void fc_exch_recv_seq_resp(struct
32602 sp->ssb_stat |= SSB_ST_RESP;
32603 sp->id = fh->fh_seq_id;
32604 } else if (sp->id != fh->fh_seq_id) {
32605 - atomic_inc(&mp->stats.seq_not_found);
32606 + atomic_inc_unchecked(&mp->stats.seq_not_found);
32610 @@ -1455,9 +1455,9 @@ static void fc_exch_recv_resp(struct fc_
32611 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
32614 - atomic_inc(&mp->stats.xid_not_found);
32615 + atomic_inc_unchecked(&mp->stats.xid_not_found);
32617 - atomic_inc(&mp->stats.non_bls_resp);
32618 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
32622 diff -urNp linux-2.6.38.6/drivers/scsi/libsas/sas_ata.c linux-2.6.38.6/drivers/scsi/libsas/sas_ata.c
32623 --- linux-2.6.38.6/drivers/scsi/libsas/sas_ata.c 2011-03-14 21:20:32.000000000 -0400
32624 +++ linux-2.6.38.6/drivers/scsi/libsas/sas_ata.c 2011-04-28 19:34:15.000000000 -0400
32625 @@ -348,7 +348,7 @@ static int sas_ata_scr_read(struct ata_l
32629 -static struct ata_port_operations sas_sata_ops = {
32630 +static const struct ata_port_operations sas_sata_ops = {
32631 .phy_reset = sas_ata_phy_reset,
32632 .post_internal_cmd = sas_ata_post_internal,
32633 .qc_defer = ata_std_qc_defer,
32634 diff -urNp linux-2.6.38.6/drivers/scsi/lpfc/lpfc_debugfs.c linux-2.6.38.6/drivers/scsi/lpfc/lpfc_debugfs.c
32635 --- linux-2.6.38.6/drivers/scsi/lpfc/lpfc_debugfs.c 2011-03-14 21:20:32.000000000 -0400
32636 +++ linux-2.6.38.6/drivers/scsi/lpfc/lpfc_debugfs.c 2011-05-16 21:47:08.000000000 -0400
32637 @@ -125,7 +125,7 @@ struct lpfc_debug {
32641 -static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
32642 +static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
32643 static unsigned long lpfc_debugfs_start_time = 0L;
32646 @@ -159,7 +159,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_v
32647 lpfc_debugfs_enable = 0;
32650 - index = (atomic_read(&vport->disc_trc_cnt) + 1) &
32651 + index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
32652 (lpfc_debugfs_max_disc_trc - 1);
32653 for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
32654 dtp = vport->disc_trc + i;
32655 @@ -220,7 +220,7 @@ lpfc_debugfs_slow_ring_trc_data(struct l
32656 lpfc_debugfs_enable = 0;
32659 - index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
32660 + index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
32661 (lpfc_debugfs_max_slow_ring_trc - 1);
32662 for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
32663 dtp = phba->slow_ring_trc + i;
32664 @@ -398,6 +398,8 @@ lpfc_debugfs_dumpHBASlim_data(struct lpf
32668 + pax_track_stack();
32671 spin_lock_irq(&phba->hbalock);
32673 @@ -635,14 +637,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport
32674 !vport || !vport->disc_trc)
32677 - index = atomic_inc_return(&vport->disc_trc_cnt) &
32678 + index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
32679 (lpfc_debugfs_max_disc_trc - 1);
32680 dtp = vport->disc_trc + index;
32682 dtp->data1 = data1;
32683 dtp->data2 = data2;
32684 dtp->data3 = data3;
32685 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
32686 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
32687 dtp->jif = jiffies;
32690 @@ -673,14 +675,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_h
32691 !phba || !phba->slow_ring_trc)
32694 - index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
32695 + index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
32696 (lpfc_debugfs_max_slow_ring_trc - 1);
32697 dtp = phba->slow_ring_trc + index;
32699 dtp->data1 = data1;
32700 dtp->data2 = data2;
32701 dtp->data3 = data3;
32702 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
32703 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
32704 dtp->jif = jiffies;
32707 @@ -1365,7 +1367,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
32708 "slow_ring buffer\n");
32711 - atomic_set(&phba->slow_ring_trc_cnt, 0);
32712 + atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
32713 memset(phba->slow_ring_trc, 0,
32714 (sizeof(struct lpfc_debugfs_trc) *
32715 lpfc_debugfs_max_slow_ring_trc));
32716 @@ -1411,7 +1413,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
32720 - atomic_set(&vport->disc_trc_cnt, 0);
32721 + atomic_set_unchecked(&vport->disc_trc_cnt, 0);
32723 snprintf(name, sizeof(name), "discovery_trace");
32724 vport->debug_disc_trc =
32725 diff -urNp linux-2.6.38.6/drivers/scsi/lpfc/lpfc.h linux-2.6.38.6/drivers/scsi/lpfc/lpfc.h
32726 --- linux-2.6.38.6/drivers/scsi/lpfc/lpfc.h 2011-03-14 21:20:32.000000000 -0400
32727 +++ linux-2.6.38.6/drivers/scsi/lpfc/lpfc.h 2011-04-28 19:57:25.000000000 -0400
32728 @@ -414,7 +414,7 @@ struct lpfc_vport {
32729 struct dentry *debug_nodelist;
32730 struct dentry *vport_debugfs_root;
32731 struct lpfc_debugfs_trc *disc_trc;
32732 - atomic_t disc_trc_cnt;
32733 + atomic_unchecked_t disc_trc_cnt;
32735 uint8_t stat_data_enabled;
32736 uint8_t stat_data_blocked;
32737 @@ -776,8 +776,8 @@ struct lpfc_hba {
32738 struct timer_list fabric_block_timer;
32739 unsigned long bit_flags;
32740 #define FABRIC_COMANDS_BLOCKED 0
32741 - atomic_t num_rsrc_err;
32742 - atomic_t num_cmd_success;
32743 + atomic_unchecked_t num_rsrc_err;
32744 + atomic_unchecked_t num_cmd_success;
32745 unsigned long last_rsrc_error_time;
32746 unsigned long last_ramp_down_time;
32747 unsigned long last_ramp_up_time;
32748 @@ -791,7 +791,7 @@ struct lpfc_hba {
32749 struct dentry *debug_dumpDif; /* BlockGuard BPL*/
32750 struct dentry *debug_slow_ring_trc;
32751 struct lpfc_debugfs_trc *slow_ring_trc;
32752 - atomic_t slow_ring_trc_cnt;
32753 + atomic_unchecked_t slow_ring_trc_cnt;
32756 /* Used for deferred freeing of ELS data buffers */
32757 diff -urNp linux-2.6.38.6/drivers/scsi/lpfc/lpfc_scsi.c linux-2.6.38.6/drivers/scsi/lpfc/lpfc_scsi.c
32758 --- linux-2.6.38.6/drivers/scsi/lpfc/lpfc_scsi.c 2011-03-14 21:20:32.000000000 -0400
32759 +++ linux-2.6.38.6/drivers/scsi/lpfc/lpfc_scsi.c 2011-04-28 19:57:25.000000000 -0400
32760 @@ -297,7 +297,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hb
32761 uint32_t evt_posted;
32763 spin_lock_irqsave(&phba->hbalock, flags);
32764 - atomic_inc(&phba->num_rsrc_err);
32765 + atomic_inc_unchecked(&phba->num_rsrc_err);
32766 phba->last_rsrc_error_time = jiffies;
32768 if ((phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL) > jiffies) {
32769 @@ -338,7 +338,7 @@ lpfc_rampup_queue_depth(struct lpfc_vpor
32770 unsigned long flags;
32771 struct lpfc_hba *phba = vport->phba;
32772 uint32_t evt_posted;
32773 - atomic_inc(&phba->num_cmd_success);
32774 + atomic_inc_unchecked(&phba->num_cmd_success);
32776 if (vport->cfg_lun_queue_depth <= queue_depth)
32778 @@ -382,8 +382,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
32779 unsigned long num_rsrc_err, num_cmd_success;
32782 - num_rsrc_err = atomic_read(&phba->num_rsrc_err);
32783 - num_cmd_success = atomic_read(&phba->num_cmd_success);
32784 + num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
32785 + num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
32787 vports = lpfc_create_vport_work_array(phba);
32788 if (vports != NULL)
32789 @@ -403,8 +403,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
32792 lpfc_destroy_vport_work_array(phba, vports);
32793 - atomic_set(&phba->num_rsrc_err, 0);
32794 - atomic_set(&phba->num_cmd_success, 0);
32795 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
32796 + atomic_set_unchecked(&phba->num_cmd_success, 0);
32800 @@ -438,8 +438,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_h
32803 lpfc_destroy_vport_work_array(phba, vports);
32804 - atomic_set(&phba->num_rsrc_err, 0);
32805 - atomic_set(&phba->num_cmd_success, 0);
32806 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
32807 + atomic_set_unchecked(&phba->num_cmd_success, 0);
32811 diff -urNp linux-2.6.38.6/drivers/scsi/megaraid/megaraid_mbox.c linux-2.6.38.6/drivers/scsi/megaraid/megaraid_mbox.c
32812 --- linux-2.6.38.6/drivers/scsi/megaraid/megaraid_mbox.c 2011-03-14 21:20:32.000000000 -0400
32813 +++ linux-2.6.38.6/drivers/scsi/megaraid/megaraid_mbox.c 2011-05-16 21:47:08.000000000 -0400
32814 @@ -3510,6 +3510,8 @@ megaraid_cmm_register(adapter_t *adapter
32818 + pax_track_stack();
32820 // Allocate memory for the base list of scb for management module.
32821 adapter->uscb_list = kcalloc(MBOX_MAX_USER_CMDS, sizeof(scb_t), GFP_KERNEL);
32823 diff -urNp linux-2.6.38.6/drivers/scsi/osd/osd_initiator.c linux-2.6.38.6/drivers/scsi/osd/osd_initiator.c
32824 --- linux-2.6.38.6/drivers/scsi/osd/osd_initiator.c 2011-03-14 21:20:32.000000000 -0400
32825 +++ linux-2.6.38.6/drivers/scsi/osd/osd_initiator.c 2011-05-16 21:47:08.000000000 -0400
32826 @@ -97,6 +97,8 @@ static int _osd_get_print_system_info(st
32827 int nelem = ARRAY_SIZE(get_attrs), a = 0;
32830 + pax_track_stack();
32832 or = osd_start_request(od, GFP_KERNEL);
32835 diff -urNp linux-2.6.38.6/drivers/scsi/pmcraid.c linux-2.6.38.6/drivers/scsi/pmcraid.c
32836 --- linux-2.6.38.6/drivers/scsi/pmcraid.c 2011-05-10 22:06:29.000000000 -0400
32837 +++ linux-2.6.38.6/drivers/scsi/pmcraid.c 2011-05-10 22:08:57.000000000 -0400
32838 @@ -201,8 +201,8 @@ static int pmcraid_slave_alloc(struct sc
32839 res->scsi_dev = scsi_dev;
32840 scsi_dev->hostdata = res;
32841 res->change_detected = 0;
32842 - atomic_set(&res->read_failures, 0);
32843 - atomic_set(&res->write_failures, 0);
32844 + atomic_set_unchecked(&res->read_failures, 0);
32845 + atomic_set_unchecked(&res->write_failures, 0);
32848 spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
32849 @@ -2677,9 +2677,9 @@ static int pmcraid_error_handler(struct
32851 /* If this was a SCSI read/write command keep count of errors */
32852 if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
32853 - atomic_inc(&res->read_failures);
32854 + atomic_inc_unchecked(&res->read_failures);
32855 else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
32856 - atomic_inc(&res->write_failures);
32857 + atomic_inc_unchecked(&res->write_failures);
32859 if (!RES_IS_GSCSI(res->cfg_entry) &&
32860 masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
32861 @@ -3535,7 +3535,7 @@ static int pmcraid_queuecommand_lck(
32862 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
32863 * hrrq_id assigned here in queuecommand
32865 - ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
32866 + ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
32867 pinstance->num_hrrq;
32868 cmd->cmd_done = pmcraid_io_done;
32870 @@ -3860,7 +3860,7 @@ static long pmcraid_ioctl_passthrough(
32871 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
32872 * hrrq_id assigned here in queuecommand
32874 - ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
32875 + ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
32876 pinstance->num_hrrq;
32878 if (request_size) {
32879 @@ -4495,7 +4495,7 @@ static void pmcraid_worker_function(stru
32881 pinstance = container_of(workp, struct pmcraid_instance, worker_q);
32882 /* add resources only after host is added into system */
32883 - if (!atomic_read(&pinstance->expose_resources))
32884 + if (!atomic_read_unchecked(&pinstance->expose_resources))
32887 fw_version = be16_to_cpu(pinstance->inq_data->fw_version);
32888 @@ -5329,8 +5329,8 @@ static int __devinit pmcraid_init_instan
32889 init_waitqueue_head(&pinstance->reset_wait_q);
32891 atomic_set(&pinstance->outstanding_cmds, 0);
32892 - atomic_set(&pinstance->last_message_id, 0);
32893 - atomic_set(&pinstance->expose_resources, 0);
32894 + atomic_set_unchecked(&pinstance->last_message_id, 0);
32895 + atomic_set_unchecked(&pinstance->expose_resources, 0);
32897 INIT_LIST_HEAD(&pinstance->free_res_q);
32898 INIT_LIST_HEAD(&pinstance->used_res_q);
32899 @@ -6045,7 +6045,7 @@ static int __devinit pmcraid_probe(
32900 /* Schedule worker thread to handle CCN and take care of adding and
32901 * removing devices to OS
32903 - atomic_set(&pinstance->expose_resources, 1);
32904 + atomic_set_unchecked(&pinstance->expose_resources, 1);
32905 schedule_work(&pinstance->worker_q);
32908 diff -urNp linux-2.6.38.6/drivers/scsi/pmcraid.h linux-2.6.38.6/drivers/scsi/pmcraid.h
32909 --- linux-2.6.38.6/drivers/scsi/pmcraid.h 2011-03-14 21:20:32.000000000 -0400
32910 +++ linux-2.6.38.6/drivers/scsi/pmcraid.h 2011-04-28 19:57:25.000000000 -0400
32911 @@ -750,7 +750,7 @@ struct pmcraid_instance {
32912 struct pmcraid_isr_param hrrq_vector[PMCRAID_NUM_MSIX_VECTORS];
32914 /* Message id as filled in last fired IOARCB, used to identify HRRQ */
32915 - atomic_t last_message_id;
32916 + atomic_unchecked_t last_message_id;
32918 /* configuration table */
32919 struct pmcraid_config_table *cfg_table;
32920 @@ -779,7 +779,7 @@ struct pmcraid_instance {
32921 atomic_t outstanding_cmds;
32923 /* should add/delete resources to mid-layer now ?*/
32924 - atomic_t expose_resources;
32925 + atomic_unchecked_t expose_resources;
32929 @@ -815,8 +815,8 @@ struct pmcraid_resource_entry {
32930 struct pmcraid_config_table_entry_ext cfg_entry_ext;
32932 struct scsi_device *scsi_dev; /* Link scsi_device structure */
32933 - atomic_t read_failures; /* count of failed READ commands */
32934 - atomic_t write_failures; /* count of failed WRITE commands */
32935 + atomic_unchecked_t read_failures; /* count of failed READ commands */
32936 + atomic_unchecked_t write_failures; /* count of failed WRITE commands */
32938 /* To indicate add/delete/modify during CCN */
32939 u8 change_detected;
32940 diff -urNp linux-2.6.38.6/drivers/scsi/qla2xxx/qla_os.c linux-2.6.38.6/drivers/scsi/qla2xxx/qla_os.c
32941 --- linux-2.6.38.6/drivers/scsi/qla2xxx/qla_os.c 2011-03-14 21:20:32.000000000 -0400
32942 +++ linux-2.6.38.6/drivers/scsi/qla2xxx/qla_os.c 2011-04-28 19:34:15.000000000 -0400
32943 @@ -4096,7 +4096,7 @@ static struct pci_driver qla2xxx_pci_dri
32944 .err_handler = &qla2xxx_err_handler,
32947 -static struct file_operations apidev_fops = {
32948 +static const struct file_operations apidev_fops = {
32949 .owner = THIS_MODULE,
32950 .llseek = noop_llseek,
32952 diff -urNp linux-2.6.38.6/drivers/scsi/qla4xxx/ql4_def.h linux-2.6.38.6/drivers/scsi/qla4xxx/ql4_def.h
32953 --- linux-2.6.38.6/drivers/scsi/qla4xxx/ql4_def.h 2011-03-14 21:20:32.000000000 -0400
32954 +++ linux-2.6.38.6/drivers/scsi/qla4xxx/ql4_def.h 2011-04-28 19:57:25.000000000 -0400
32955 @@ -256,7 +256,7 @@ struct ddb_entry {
32956 atomic_t retry_relogin_timer; /* Min Time between relogins
32958 atomic_t relogin_timer; /* Max Time to wait for relogin to complete */
32959 - atomic_t relogin_retry_count; /* Num of times relogin has been
32960 + atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
32964 diff -urNp linux-2.6.38.6/drivers/scsi/qla4xxx/ql4_init.c linux-2.6.38.6/drivers/scsi/qla4xxx/ql4_init.c
32965 --- linux-2.6.38.6/drivers/scsi/qla4xxx/ql4_init.c 2011-03-14 21:20:32.000000000 -0400
32966 +++ linux-2.6.38.6/drivers/scsi/qla4xxx/ql4_init.c 2011-04-28 19:57:25.000000000 -0400
32967 @@ -680,7 +680,7 @@ static struct ddb_entry * qla4xxx_alloc_
32968 ddb_entry->fw_ddb_index = fw_ddb_index;
32969 atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
32970 atomic_set(&ddb_entry->relogin_timer, 0);
32971 - atomic_set(&ddb_entry->relogin_retry_count, 0);
32972 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
32973 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
32974 list_add_tail(&ddb_entry->list, &ha->ddb_list);
32975 ha->fw_ddb_index_map[fw_ddb_index] = ddb_entry;
32976 @@ -1570,7 +1570,7 @@ int qla4xxx_process_ddb_changed(struct s
32977 /* Device is back online. */
32978 if (ddb_entry->fw_ddb_device_state == DDB_DS_SESSION_ACTIVE) {
32979 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
32980 - atomic_set(&ddb_entry->relogin_retry_count, 0);
32981 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
32982 atomic_set(&ddb_entry->relogin_timer, 0);
32983 clear_bit(DF_RELOGIN, &ddb_entry->flags);
32984 clear_bit(DF_NO_RELOGIN, &ddb_entry->flags);
32985 diff -urNp linux-2.6.38.6/drivers/scsi/qla4xxx/ql4_os.c linux-2.6.38.6/drivers/scsi/qla4xxx/ql4_os.c
32986 --- linux-2.6.38.6/drivers/scsi/qla4xxx/ql4_os.c 2011-03-14 21:20:32.000000000 -0400
32987 +++ linux-2.6.38.6/drivers/scsi/qla4xxx/ql4_os.c 2011-04-28 19:57:25.000000000 -0400
32988 @@ -801,13 +801,13 @@ static void qla4xxx_timer(struct scsi_ql
32989 ddb_entry->fw_ddb_device_state ==
32990 DDB_DS_SESSION_FAILED) {
32991 /* Reset retry relogin timer */
32992 - atomic_inc(&ddb_entry->relogin_retry_count);
32993 + atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
32994 DEBUG2(printk("scsi%ld: ddb [%d] relogin"
32995 " timed out-retrying"
32998 ddb_entry->fw_ddb_index,
32999 - atomic_read(&ddb_entry->
33000 + atomic_read_unchecked(&ddb_entry->
33001 relogin_retry_count))
33004 diff -urNp linux-2.6.38.6/drivers/scsi/scsi.c linux-2.6.38.6/drivers/scsi/scsi.c
33005 --- linux-2.6.38.6/drivers/scsi/scsi.c 2011-03-14 21:20:32.000000000 -0400
33006 +++ linux-2.6.38.6/drivers/scsi/scsi.c 2011-04-28 19:57:25.000000000 -0400
33007 @@ -655,7 +655,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *
33008 unsigned long timeout;
33011 - atomic_inc(&cmd->device->iorequest_cnt);
33012 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
33014 /* check if the device is still usable */
33015 if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
33016 diff -urNp linux-2.6.38.6/drivers/scsi/scsi_debug.c linux-2.6.38.6/drivers/scsi/scsi_debug.c
33017 --- linux-2.6.38.6/drivers/scsi/scsi_debug.c 2011-03-14 21:20:32.000000000 -0400
33018 +++ linux-2.6.38.6/drivers/scsi/scsi_debug.c 2011-05-16 21:47:08.000000000 -0400
33019 @@ -1476,6 +1476,8 @@ static int resp_mode_select(struct scsi_
33020 unsigned char arr[SDEBUG_MAX_MSELECT_SZ];
33021 unsigned char *cmd = (unsigned char *)scp->cmnd;
33023 + pax_track_stack();
33025 if ((errsts = check_readiness(scp, 1, devip)))
33027 memset(arr, 0, sizeof(arr));
33028 @@ -1573,6 +1575,8 @@ static int resp_log_sense(struct scsi_cm
33029 unsigned char arr[SDEBUG_MAX_LSENSE_SZ];
33030 unsigned char *cmd = (unsigned char *)scp->cmnd;
33032 + pax_track_stack();
33034 if ((errsts = check_readiness(scp, 1, devip)))
33036 memset(arr, 0, sizeof(arr));
33037 diff -urNp linux-2.6.38.6/drivers/scsi/scsi_lib.c linux-2.6.38.6/drivers/scsi/scsi_lib.c
33038 --- linux-2.6.38.6/drivers/scsi/scsi_lib.c 2011-05-10 22:06:29.000000000 -0400
33039 +++ linux-2.6.38.6/drivers/scsi/scsi_lib.c 2011-05-10 22:08:57.000000000 -0400
33040 @@ -1381,7 +1381,7 @@ static void scsi_kill_request(struct req
33041 shost = sdev->host;
33042 scsi_init_cmd_errh(cmd);
33043 cmd->result = DID_NO_CONNECT << 16;
33044 - atomic_inc(&cmd->device->iorequest_cnt);
33045 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
33048 * SCSI request completion path will do scsi_device_unbusy(),
33049 @@ -1407,9 +1407,9 @@ static void scsi_softirq_done(struct req
33051 INIT_LIST_HEAD(&cmd->eh_entry);
33053 - atomic_inc(&cmd->device->iodone_cnt);
33054 + atomic_inc_unchecked(&cmd->device->iodone_cnt);
33056 - atomic_inc(&cmd->device->ioerr_cnt);
33057 + atomic_inc_unchecked(&cmd->device->ioerr_cnt);
33059 disposition = scsi_decide_disposition(cmd);
33060 if (disposition != SUCCESS &&
33061 diff -urNp linux-2.6.38.6/drivers/scsi/scsi_sysfs.c linux-2.6.38.6/drivers/scsi/scsi_sysfs.c
33062 --- linux-2.6.38.6/drivers/scsi/scsi_sysfs.c 2011-05-10 22:06:29.000000000 -0400
33063 +++ linux-2.6.38.6/drivers/scsi/scsi_sysfs.c 2011-05-10 22:08:57.000000000 -0400
33064 @@ -621,7 +621,7 @@ show_iostat_##field(struct device *dev,
33067 struct scsi_device *sdev = to_scsi_device(dev); \
33068 - unsigned long long count = atomic_read(&sdev->field); \
33069 + unsigned long long count = atomic_read_unchecked(&sdev->field); \
33070 return snprintf(buf, 20, "0x%llx\n", count); \
33072 static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
33073 diff -urNp linux-2.6.38.6/drivers/scsi/scsi_transport_fc.c linux-2.6.38.6/drivers/scsi/scsi_transport_fc.c
33074 --- linux-2.6.38.6/drivers/scsi/scsi_transport_fc.c 2011-03-14 21:20:32.000000000 -0400
33075 +++ linux-2.6.38.6/drivers/scsi/scsi_transport_fc.c 2011-04-28 19:57:25.000000000 -0400
33076 @@ -485,7 +485,7 @@ static DECLARE_TRANSPORT_CLASS(fc_vport_
33077 * Netlink Infrastructure
33080 -static atomic_t fc_event_seq;
33081 +static atomic_unchecked_t fc_event_seq;
33084 * fc_get_event_number - Obtain the next sequential FC event number
33085 @@ -498,7 +498,7 @@ static atomic_t fc_event_seq;
33087 fc_get_event_number(void)
33089 - return atomic_add_return(1, &fc_event_seq);
33090 + return atomic_add_return_unchecked(1, &fc_event_seq);
33092 EXPORT_SYMBOL(fc_get_event_number);
33094 @@ -646,7 +646,7 @@ static __init int fc_transport_init(void
33098 - atomic_set(&fc_event_seq, 0);
33099 + atomic_set_unchecked(&fc_event_seq, 0);
33101 error = transport_class_register(&fc_host_class);
33103 @@ -836,7 +836,7 @@ static int fc_str_to_dev_loss(const char
33106 *val = simple_strtoul(buf, &cp, 0);
33107 - if ((*cp && (*cp != '\n')) || (*val < 0))
33108 + if (*cp && (*cp != '\n'))
33111 * Check for overflow; dev_loss_tmo is u32
33112 diff -urNp linux-2.6.38.6/drivers/scsi/scsi_transport_iscsi.c linux-2.6.38.6/drivers/scsi/scsi_transport_iscsi.c
33113 --- linux-2.6.38.6/drivers/scsi/scsi_transport_iscsi.c 2011-04-18 17:27:18.000000000 -0400
33114 +++ linux-2.6.38.6/drivers/scsi/scsi_transport_iscsi.c 2011-04-28 19:57:25.000000000 -0400
33115 @@ -83,7 +83,7 @@ struct iscsi_internal {
33116 struct device_attribute *session_attrs[ISCSI_SESSION_ATTRS + 1];
33119 -static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
33120 +static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
33121 static struct workqueue_struct *iscsi_eh_timer_workq;
33124 @@ -761,7 +761,7 @@ int iscsi_add_session(struct iscsi_cls_s
33127 ihost = shost->shost_data;
33128 - session->sid = atomic_add_return(1, &iscsi_session_nr);
33129 + session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
33131 if (id == ISCSI_MAX_TARGET) {
33132 for (id = 0; id < ISCSI_MAX_TARGET; id++) {
33133 @@ -2130,7 +2130,7 @@ static __init int iscsi_transport_init(v
33134 printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
33135 ISCSI_TRANSPORT_VERSION);
33137 - atomic_set(&iscsi_session_nr, 0);
33138 + atomic_set_unchecked(&iscsi_session_nr, 0);
33140 err = class_register(&iscsi_transport_class);
33142 diff -urNp linux-2.6.38.6/drivers/scsi/scsi_transport_srp.c linux-2.6.38.6/drivers/scsi/scsi_transport_srp.c
33143 --- linux-2.6.38.6/drivers/scsi/scsi_transport_srp.c 2011-03-14 21:20:32.000000000 -0400
33144 +++ linux-2.6.38.6/drivers/scsi/scsi_transport_srp.c 2011-04-28 19:57:25.000000000 -0400
33146 #include "scsi_transport_srp_internal.h"
33148 struct srp_host_attrs {
33149 - atomic_t next_port_id;
33150 + atomic_unchecked_t next_port_id;
33152 #define to_srp_host_attrs(host) ((struct srp_host_attrs *)(host)->shost_data)
33154 @@ -62,7 +62,7 @@ static int srp_host_setup(struct transpo
33155 struct Scsi_Host *shost = dev_to_shost(dev);
33156 struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
33158 - atomic_set(&srp_host->next_port_id, 0);
33159 + atomic_set_unchecked(&srp_host->next_port_id, 0);
33163 @@ -211,7 +211,7 @@ struct srp_rport *srp_rport_add(struct S
33164 memcpy(rport->port_id, ids->port_id, sizeof(rport->port_id));
33165 rport->roles = ids->roles;
33167 - id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
33168 + id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
33169 dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
33171 transport_setup_device(&rport->dev);
33172 diff -urNp linux-2.6.38.6/drivers/scsi/sg.c linux-2.6.38.6/drivers/scsi/sg.c
33173 --- linux-2.6.38.6/drivers/scsi/sg.c 2011-03-14 21:20:32.000000000 -0400
33174 +++ linux-2.6.38.6/drivers/scsi/sg.c 2011-04-28 19:34:15.000000000 -0400
33175 @@ -2310,7 +2310,7 @@ struct sg_proc_leaf {
33176 const struct file_operations * fops;
33179 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
33180 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
33181 {"allow_dio", &adio_fops},
33182 {"debug", &debug_fops},
33183 {"def_reserved_size", &dressz_fops},
33184 @@ -2325,7 +2325,7 @@ sg_proc_init(void)
33187 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
33188 - struct sg_proc_leaf * leaf;
33189 + const struct sg_proc_leaf * leaf;
33191 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
33193 diff -urNp linux-2.6.38.6/drivers/scsi/sym53c8xx_2/sym_glue.c linux-2.6.38.6/drivers/scsi/sym53c8xx_2/sym_glue.c
33194 --- linux-2.6.38.6/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-03-14 21:20:32.000000000 -0400
33195 +++ linux-2.6.38.6/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-05-16 21:47:08.000000000 -0400
33196 @@ -1756,6 +1756,8 @@ static int __devinit sym2_probe(struct p
33197 int do_iounmap = 0;
33198 int do_disable_device = 1;
33200 + pax_track_stack();
33202 memset(&sym_dev, 0, sizeof(sym_dev));
33203 memset(&nvram, 0, sizeof(nvram));
33204 sym_dev.pdev = pdev;
33205 diff -urNp linux-2.6.38.6/drivers/scsi/vmw_pvscsi.c linux-2.6.38.6/drivers/scsi/vmw_pvscsi.c
33206 --- linux-2.6.38.6/drivers/scsi/vmw_pvscsi.c 2011-03-14 21:20:32.000000000 -0400
33207 +++ linux-2.6.38.6/drivers/scsi/vmw_pvscsi.c 2011-05-16 21:47:08.000000000 -0400
33208 @@ -447,6 +447,8 @@ static void pvscsi_setup_all_rings(const
33212 + pax_track_stack();
33214 cmd.ringsStatePPN = adapter->ringStatePA >> PAGE_SHIFT;
33215 cmd.reqRingNumPages = adapter->req_pages;
33216 cmd.cmpRingNumPages = adapter->cmp_pages;
33217 diff -urNp linux-2.6.38.6/drivers/spi/spi.c linux-2.6.38.6/drivers/spi/spi.c
33218 --- linux-2.6.38.6/drivers/spi/spi.c 2011-03-14 21:20:32.000000000 -0400
33219 +++ linux-2.6.38.6/drivers/spi/spi.c 2011-05-11 18:34:57.000000000 -0400
33220 @@ -1023,7 +1023,7 @@ int spi_bus_unlock(struct spi_master *ma
33221 EXPORT_SYMBOL_GPL(spi_bus_unlock);
33223 /* portable code must never pass more than 32 bytes */
33224 -#define SPI_BUFSIZ max(32,SMP_CACHE_BYTES)
33225 +#define SPI_BUFSIZ max(32U,SMP_CACHE_BYTES)
33229 diff -urNp linux-2.6.38.6/drivers/staging/autofs/root.c linux-2.6.38.6/drivers/staging/autofs/root.c
33230 --- linux-2.6.38.6/drivers/staging/autofs/root.c 2011-03-14 21:20:32.000000000 -0400
33231 +++ linux-2.6.38.6/drivers/staging/autofs/root.c 2011-04-28 19:34:15.000000000 -0400
33232 @@ -311,7 +311,8 @@ static int autofs_root_symlink(struct in
33233 set_bit(n,sbi->symlink_bitmap);
33234 sl = &sbi->symlink[n];
33235 sl->len = strlen(symname);
33236 - sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
33237 + slsize = sl->len+1;
33238 + sl->data = kmalloc(slsize, GFP_KERNEL);
33240 clear_bit(n,sbi->symlink_bitmap);
33242 diff -urNp linux-2.6.38.6/drivers/staging/bcm/Bcmchar.c linux-2.6.38.6/drivers/staging/bcm/Bcmchar.c
33243 --- linux-2.6.38.6/drivers/staging/bcm/Bcmchar.c 2011-03-14 21:20:32.000000000 -0400
33244 +++ linux-2.6.38.6/drivers/staging/bcm/Bcmchar.c 2011-04-28 19:34:15.000000000 -0400
33245 @@ -2093,7 +2093,7 @@ static long bcm_char_ioctl(struct file *
33249 -static struct file_operations bcm_fops = {
33250 +static const struct file_operations bcm_fops = {
33251 .owner = THIS_MODULE,
33252 .open = bcm_char_open,
33253 .release = bcm_char_release,
33254 diff -urNp linux-2.6.38.6/drivers/staging/brcm80211/brcmfmac/dhd_linux.c linux-2.6.38.6/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
33255 --- linux-2.6.38.6/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-03-14 21:20:32.000000000 -0400
33256 +++ linux-2.6.38.6/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-04-28 19:34:15.000000000 -0400
33257 @@ -863,14 +863,14 @@ static void dhd_op_if(dhd_if_t *ifp)
33258 free_netdev(ifp->net);
33260 /* Allocate etherdev, including space for private structure */
33261 - ifp->net = alloc_etherdev(sizeof(dhd));
33262 + ifp->net = alloc_etherdev(sizeof(*dhd));
33264 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
33268 strcpy(ifp->net->name, ifp->name);
33269 - memcpy(netdev_priv(ifp->net), &dhd, sizeof(dhd));
33270 + memcpy(netdev_priv(ifp->net), dhd, sizeof(*dhd));
33271 err = dhd_net_attach(&dhd->pub, ifp->idx);
33273 DHD_ERROR(("%s: dhd_net_attach failed, "
33274 @@ -1969,25 +1969,23 @@ dhd_pub_t *dhd_attach(struct osl_info *o
33275 strcpy(nv_path, nvram_path);
33277 /* Allocate etherdev, including space for private structure */
33278 - net = alloc_etherdev(sizeof(dhd));
33279 + net = alloc_etherdev(sizeof(*dhd));
33281 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
33285 /* Allocate primary dhd_info */
33286 - dhd = kmalloc(sizeof(dhd_info_t), GFP_ATOMIC);
33287 + dhd = kzalloc(sizeof(dhd_info_t), GFP_ATOMIC);
33289 DHD_ERROR(("%s: OOM - alloc dhd_info\n", __func__));
33293 - memset(dhd, 0, sizeof(dhd_info_t));
33296 * Save the dhd_info into the priv
33298 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
33299 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
33300 dhd->pub.osh = osh;
33302 /* Set network interface name if it was provided as module parameter */
33303 @@ -2105,7 +2103,7 @@ dhd_pub_t *dhd_attach(struct osl_info *o
33305 * Save the dhd_info into the priv
33307 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
33308 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
33310 #if defined(CUSTOMER_HW2) && defined(CONFIG_WIFI_CONTROL_FUNC)
33312 diff -urNp linux-2.6.38.6/drivers/staging/brcm80211/brcmfmac/wl_iw.c linux-2.6.38.6/drivers/staging/brcm80211/brcmfmac/wl_iw.c
33313 --- linux-2.6.38.6/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-03-14 21:20:32.000000000 -0400
33314 +++ linux-2.6.38.6/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-04-28 19:34:15.000000000 -0400
33315 @@ -513,7 +513,7 @@ wl_iw_get_range(struct net_device *dev,
33316 list = (wl_u32_list_t *) channels;
33318 dwrq->length = sizeof(struct iw_range);
33319 - memset(range, 0, sizeof(range));
33320 + memset(range, 0, sizeof(*range));
33322 range->min_nwid = range->max_nwid = 0;
33324 diff -urNp linux-2.6.38.6/drivers/staging/comedi/comedi_fops.c linux-2.6.38.6/drivers/staging/comedi/comedi_fops.c
33325 --- linux-2.6.38.6/drivers/staging/comedi/comedi_fops.c 2011-03-14 21:20:32.000000000 -0400
33326 +++ linux-2.6.38.6/drivers/staging/comedi/comedi_fops.c 2011-04-28 19:34:15.000000000 -0400
33327 @@ -1426,7 +1426,7 @@ static void comedi_unmap(struct vm_area_
33328 mutex_unlock(&dev->mutex);
33331 -static struct vm_operations_struct comedi_vm_ops = {
33332 +static const struct vm_operations_struct comedi_vm_ops = {
33333 .close = comedi_unmap,
33336 diff -urNp linux-2.6.38.6/drivers/staging/et131x/et1310_tx.c linux-2.6.38.6/drivers/staging/et131x/et1310_tx.c
33337 --- linux-2.6.38.6/drivers/staging/et131x/et1310_tx.c 2011-03-14 21:20:32.000000000 -0400
33338 +++ linux-2.6.38.6/drivers/staging/et131x/et1310_tx.c 2011-04-28 19:57:25.000000000 -0400
33339 @@ -635,11 +635,11 @@ inline void et131x_free_send_packet(stru
33340 struct net_device_stats *stats = &etdev->net_stats;
33342 if (tcb->flags & fMP_DEST_BROAD)
33343 - atomic_inc(&etdev->Stats.brdcstxmt);
33344 + atomic_inc_unchecked(&etdev->Stats.brdcstxmt);
33345 else if (tcb->flags & fMP_DEST_MULTI)
33346 - atomic_inc(&etdev->Stats.multixmt);
33347 + atomic_inc_unchecked(&etdev->Stats.multixmt);
33349 - atomic_inc(&etdev->Stats.unixmt);
33350 + atomic_inc_unchecked(&etdev->Stats.unixmt);
33353 stats->tx_bytes += tcb->skb->len;
33354 diff -urNp linux-2.6.38.6/drivers/staging/et131x/et131x_adapter.h linux-2.6.38.6/drivers/staging/et131x/et131x_adapter.h
33355 --- linux-2.6.38.6/drivers/staging/et131x/et131x_adapter.h 2011-03-14 21:20:32.000000000 -0400
33356 +++ linux-2.6.38.6/drivers/staging/et131x/et131x_adapter.h 2011-04-28 19:57:25.000000000 -0400
33357 @@ -112,11 +112,11 @@ typedef struct _ce_stats_t {
33360 u32 unircv; /* # multicast packets received */
33361 - atomic_t unixmt; /* # multicast packets for Tx */
33362 + atomic_unchecked_t unixmt; /* # multicast packets for Tx */
33363 u32 multircv; /* # multicast packets received */
33364 - atomic_t multixmt; /* # multicast packets for Tx */
33365 + atomic_unchecked_t multixmt; /* # multicast packets for Tx */
33366 u32 brdcstrcv; /* # broadcast packets received */
33367 - atomic_t brdcstxmt; /* # broadcast packets for Tx */
33368 + atomic_unchecked_t brdcstxmt; /* # broadcast packets for Tx */
33369 u32 norcvbuf; /* # Rx packets discarded */
33370 u32 noxmtbuf; /* # Tx packets discarded */
33372 diff -urNp linux-2.6.38.6/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c linux-2.6.38.6/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c
33373 --- linux-2.6.38.6/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c 2011-03-14 21:20:32.000000000 -0400
33374 +++ linux-2.6.38.6/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c 2011-04-28 19:34:15.000000000 -0400
33375 @@ -55,7 +55,7 @@ int numofmsgbuf = 0;
33377 // Table of entry-point routines for char device
33379 -static struct file_operations ft1000fops =
33380 +static const struct file_operations ft1000fops =
33382 .unlocked_ioctl = ft1000_ioctl,
33383 .poll = ft1000_poll_dev,
33384 diff -urNp linux-2.6.38.6/drivers/staging/go7007/go7007-v4l2.c linux-2.6.38.6/drivers/staging/go7007/go7007-v4l2.c
33385 --- linux-2.6.38.6/drivers/staging/go7007/go7007-v4l2.c 2011-03-14 21:20:32.000000000 -0400
33386 +++ linux-2.6.38.6/drivers/staging/go7007/go7007-v4l2.c 2011-04-28 19:34:15.000000000 -0400
33387 @@ -1672,7 +1672,7 @@ static int go7007_vm_fault(struct vm_are
33391 -static struct vm_operations_struct go7007_vm_ops = {
33392 +static const struct vm_operations_struct go7007_vm_ops = {
33393 .open = go7007_vm_open,
33394 .close = go7007_vm_close,
33395 .fault = go7007_vm_fault,
33396 diff -urNp linux-2.6.38.6/drivers/staging/hv/channel.c linux-2.6.38.6/drivers/staging/hv/channel.c
33397 --- linux-2.6.38.6/drivers/staging/hv/channel.c 2011-04-18 17:27:18.000000000 -0400
33398 +++ linux-2.6.38.6/drivers/staging/hv/channel.c 2011-04-28 19:57:25.000000000 -0400
33399 @@ -501,8 +501,8 @@ int vmbus_establish_gpadl(struct vmbus_c
33400 unsigned long flags;
33403 - next_gpadl_handle = atomic_read(&gVmbusConnection.NextGpadlHandle);
33404 - atomic_inc(&gVmbusConnection.NextGpadlHandle);
33405 + next_gpadl_handle = atomic_read_unchecked(&gVmbusConnection.NextGpadlHandle);
33406 + atomic_inc_unchecked(&gVmbusConnection.NextGpadlHandle);
33408 ret = create_gpadl_header(kbuffer, size, &msginfo, &msgcount);
33410 diff -urNp linux-2.6.38.6/drivers/staging/hv/hv.c linux-2.6.38.6/drivers/staging/hv/hv.c
33411 --- linux-2.6.38.6/drivers/staging/hv/hv.c 2011-03-14 21:20:32.000000000 -0400
33412 +++ linux-2.6.38.6/drivers/staging/hv/hv.c 2011-04-28 19:34:15.000000000 -0400
33413 @@ -163,7 +163,7 @@ static u64 do_hypercall(u64 control, voi
33414 u64 output_address = (output) ? virt_to_phys(output) : 0;
33415 u32 output_address_hi = output_address >> 32;
33416 u32 output_address_lo = output_address & 0xFFFFFFFF;
33417 - volatile void *hypercall_page = hv_context.hypercall_page;
33418 + volatile void *hypercall_page = ktva_ktla(hv_context.hypercall_page);
33420 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
33421 control, input, output);
33422 diff -urNp linux-2.6.38.6/drivers/staging/hv/rndis_filter.c linux-2.6.38.6/drivers/staging/hv/rndis_filter.c
33423 --- linux-2.6.38.6/drivers/staging/hv/rndis_filter.c 2011-03-14 21:20:32.000000000 -0400
33424 +++ linux-2.6.38.6/drivers/staging/hv/rndis_filter.c 2011-04-28 19:57:25.000000000 -0400
33425 @@ -47,7 +47,7 @@ struct rndis_device {
33427 enum rndis_device_state state;
33429 - atomic_t new_req_id;
33430 + atomic_unchecked_t new_req_id;
33432 spinlock_t request_lock;
33433 struct list_head req_list;
33434 @@ -145,7 +145,7 @@ static struct rndis_request *get_rndis_r
33437 set = &rndis_msg->msg.set_req;
33438 - set->req_id = atomic_inc_return(&dev->new_req_id);
33439 + set->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
33441 /* Add to the request list */
33442 spin_lock_irqsave(&dev->request_lock, flags);
33443 @@ -707,7 +707,7 @@ static void rndis_filter_halt_device(str
33445 /* Setup the rndis set */
33446 halt = &request->request_msg.msg.halt_req;
33447 - halt->req_id = atomic_inc_return(&dev->new_req_id);
33448 + halt->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
33450 /* Ignore return since this msg is optional. */
33451 rndis_filter_send_request(dev, request);
33452 diff -urNp linux-2.6.38.6/drivers/staging/hv/vmbus_drv.c linux-2.6.38.6/drivers/staging/hv/vmbus_drv.c
33453 --- linux-2.6.38.6/drivers/staging/hv/vmbus_drv.c 2011-04-18 17:27:18.000000000 -0400
33454 +++ linux-2.6.38.6/drivers/staging/hv/vmbus_drv.c 2011-04-28 19:57:25.000000000 -0400
33455 @@ -727,14 +727,14 @@ int vmbus_child_device_register(struct h
33456 to_vm_device(root_device_obj);
33457 struct vm_device *child_device_ctx =
33458 to_vm_device(child_device_obj);
33459 - static atomic_t device_num = ATOMIC_INIT(0);
33460 + static atomic_unchecked_t device_num = ATOMIC_INIT(0);
33462 DPRINT_DBG(VMBUS_DRV, "child device (%p) registering",
33465 /* Set the device name. Otherwise, device_register() will fail. */
33466 dev_set_name(&child_device_ctx->device, "vmbus_0_%d",
33467 - atomic_inc_return(&device_num));
33468 + atomic_inc_return_unchecked(&device_num));
33470 /* The new device belongs to this bus */
33471 child_device_ctx->device.bus = &g_vmbus_drv.bus; /* device->dev.bus; */
33472 diff -urNp linux-2.6.38.6/drivers/staging/hv/vmbus_private.h linux-2.6.38.6/drivers/staging/hv/vmbus_private.h
33473 --- linux-2.6.38.6/drivers/staging/hv/vmbus_private.h 2011-04-18 17:27:18.000000000 -0400
33474 +++ linux-2.6.38.6/drivers/staging/hv/vmbus_private.h 2011-04-28 19:57:25.000000000 -0400
33475 @@ -58,7 +58,7 @@ enum VMBUS_CONNECT_STATE {
33476 struct VMBUS_CONNECTION {
33477 enum VMBUS_CONNECT_STATE ConnectState;
33479 - atomic_t NextGpadlHandle;
33480 + atomic_unchecked_t NextGpadlHandle;
33483 * Represents channel interrupts. Each bit position represents a
33484 diff -urNp linux-2.6.38.6/drivers/staging/octeon/ethernet.c linux-2.6.38.6/drivers/staging/octeon/ethernet.c
33485 --- linux-2.6.38.6/drivers/staging/octeon/ethernet.c 2011-03-14 21:20:32.000000000 -0400
33486 +++ linux-2.6.38.6/drivers/staging/octeon/ethernet.c 2011-04-28 19:57:25.000000000 -0400
33487 @@ -258,11 +258,11 @@ static struct net_device_stats *cvm_oct_
33488 * since the RX tasklet also increments it.
33490 #ifdef CONFIG_64BIT
33491 - atomic64_add(rx_status.dropped_packets,
33492 - (atomic64_t *)&priv->stats.rx_dropped);
33493 + atomic64_add_unchecked(rx_status.dropped_packets,
33494 + (atomic64_unchecked_t *)&priv->stats.rx_dropped);
33496 - atomic_add(rx_status.dropped_packets,
33497 - (atomic_t *)&priv->stats.rx_dropped);
33498 + atomic_add_unchecked(rx_status.dropped_packets,
33499 + (atomic_unchecked_t *)&priv->stats.rx_dropped);
33503 diff -urNp linux-2.6.38.6/drivers/staging/octeon/ethernet-rx.c linux-2.6.38.6/drivers/staging/octeon/ethernet-rx.c
33504 --- linux-2.6.38.6/drivers/staging/octeon/ethernet-rx.c 2011-03-14 21:20:32.000000000 -0400
33505 +++ linux-2.6.38.6/drivers/staging/octeon/ethernet-rx.c 2011-04-28 19:57:25.000000000 -0400
33506 @@ -417,11 +417,11 @@ static int cvm_oct_napi_poll(struct napi
33507 /* Increment RX stats for virtual ports */
33508 if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
33509 #ifdef CONFIG_64BIT
33510 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_packets);
33511 - atomic64_add(skb->len, (atomic64_t *)&priv->stats.rx_bytes);
33512 + atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_packets);
33513 + atomic64_add_unchecked(skb->len, (atomic64_unchecked_t *)&priv->stats.rx_bytes);
33515 - atomic_add(1, (atomic_t *)&priv->stats.rx_packets);
33516 - atomic_add(skb->len, (atomic_t *)&priv->stats.rx_bytes);
33517 + atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_packets);
33518 + atomic_add_unchecked(skb->len, (atomic_unchecked_t *)&priv->stats.rx_bytes);
33521 netif_receive_skb(skb);
33522 @@ -433,9 +433,9 @@ static int cvm_oct_napi_poll(struct napi
33525 #ifdef CONFIG_64BIT
33526 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_dropped);
33527 + atomic64_unchecked_add(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);
33529 - atomic_add(1, (atomic_t *)&priv->stats.rx_dropped);
33530 + atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_dropped);
33532 dev_kfree_skb_irq(skb);
33534 diff -urNp linux-2.6.38.6/drivers/staging/phison/phison.c linux-2.6.38.6/drivers/staging/phison/phison.c
33535 --- linux-2.6.38.6/drivers/staging/phison/phison.c 2011-03-14 21:20:32.000000000 -0400
33536 +++ linux-2.6.38.6/drivers/staging/phison/phison.c 2011-04-28 19:34:15.000000000 -0400
33537 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
33538 ATA_BMDMA_SHT(DRV_NAME),
33541 -static struct ata_port_operations phison_ops = {
33542 +static const struct ata_port_operations phison_ops = {
33543 .inherits = &ata_bmdma_port_ops,
33544 .prereset = phison_pre_reset,
33546 diff -urNp linux-2.6.38.6/drivers/staging/pohmelfs/inode.c linux-2.6.38.6/drivers/staging/pohmelfs/inode.c
33547 --- linux-2.6.38.6/drivers/staging/pohmelfs/inode.c 2011-03-14 21:20:32.000000000 -0400
33548 +++ linux-2.6.38.6/drivers/staging/pohmelfs/inode.c 2011-04-28 19:57:25.000000000 -0400
33549 @@ -1855,7 +1855,7 @@ static int pohmelfs_fill_super(struct su
33550 mutex_init(&psb->mcache_lock);
33551 psb->mcache_root = RB_ROOT;
33552 psb->mcache_timeout = msecs_to_jiffies(5000);
33553 - atomic_long_set(&psb->mcache_gen, 0);
33554 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
33556 psb->trans_max_pages = 100;
33558 @@ -1870,7 +1870,7 @@ static int pohmelfs_fill_super(struct su
33559 INIT_LIST_HEAD(&psb->crypto_ready_list);
33560 INIT_LIST_HEAD(&psb->crypto_active_list);
33562 - atomic_set(&psb->trans_gen, 1);
33563 + atomic_set_unchecked(&psb->trans_gen, 1);
33564 atomic_long_set(&psb->total_inodes, 0);
33566 mutex_init(&psb->state_lock);
33567 diff -urNp linux-2.6.38.6/drivers/staging/pohmelfs/mcache.c linux-2.6.38.6/drivers/staging/pohmelfs/mcache.c
33568 --- linux-2.6.38.6/drivers/staging/pohmelfs/mcache.c 2011-03-14 21:20:32.000000000 -0400
33569 +++ linux-2.6.38.6/drivers/staging/pohmelfs/mcache.c 2011-04-28 19:34:15.000000000 -0400
33570 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
33574 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
33575 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
33577 mutex_lock(&psb->mcache_lock);
33578 err = pohmelfs_mcache_insert(psb, m);
33579 diff -urNp linux-2.6.38.6/drivers/staging/pohmelfs/netfs.h linux-2.6.38.6/drivers/staging/pohmelfs/netfs.h
33580 --- linux-2.6.38.6/drivers/staging/pohmelfs/netfs.h 2011-03-14 21:20:32.000000000 -0400
33581 +++ linux-2.6.38.6/drivers/staging/pohmelfs/netfs.h 2011-04-28 19:57:25.000000000 -0400
33582 @@ -571,14 +571,14 @@ struct pohmelfs_config;
33583 struct pohmelfs_sb {
33584 struct rb_root mcache_root;
33585 struct mutex mcache_lock;
33586 - atomic_long_t mcache_gen;
33587 + atomic_long_unchecked_t mcache_gen;
33588 unsigned long mcache_timeout;
33592 unsigned int trans_retries;
33594 - atomic_t trans_gen;
33595 + atomic_unchecked_t trans_gen;
33597 unsigned int crypto_attached_size;
33598 unsigned int crypto_align_size;
33599 diff -urNp linux-2.6.38.6/drivers/staging/pohmelfs/trans.c linux-2.6.38.6/drivers/staging/pohmelfs/trans.c
33600 --- linux-2.6.38.6/drivers/staging/pohmelfs/trans.c 2011-03-14 21:20:32.000000000 -0400
33601 +++ linux-2.6.38.6/drivers/staging/pohmelfs/trans.c 2011-04-28 19:57:25.000000000 -0400
33602 @@ -492,7 +492,7 @@ int netfs_trans_finish(struct netfs_tran
33604 struct netfs_cmd *cmd = t->iovec.iov_base;
33606 - t->gen = atomic_inc_return(&psb->trans_gen);
33607 + t->gen = atomic_inc_return_unchecked(&psb->trans_gen);
33609 cmd->size = t->iovec.iov_len - sizeof(struct netfs_cmd) +
33610 t->attached_size + t->attached_pages * sizeof(struct netfs_cmd);
33611 diff -urNp linux-2.6.38.6/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.38.6/drivers/staging/rtl8192u/ieee80211/proc.c
33612 --- linux-2.6.38.6/drivers/staging/rtl8192u/ieee80211/proc.c 2011-03-14 21:20:32.000000000 -0400
33613 +++ linux-2.6.38.6/drivers/staging/rtl8192u/ieee80211/proc.c 2011-04-28 19:34:15.000000000 -0400
33614 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
33615 return seq_open(file, &crypto_seq_ops);
33618 -static struct file_operations proc_crypto_ops = {
33619 +static const struct file_operations proc_crypto_ops = {
33620 .open = crypto_info_open,
33622 .llseek = seq_lseek,
33623 diff -urNp linux-2.6.38.6/drivers/staging/spectra/ffsport.c linux-2.6.38.6/drivers/staging/spectra/ffsport.c
33624 --- linux-2.6.38.6/drivers/staging/spectra/ffsport.c 2011-03-14 21:20:32.000000000 -0400
33625 +++ linux-2.6.38.6/drivers/staging/spectra/ffsport.c 2011-04-28 19:34:15.000000000 -0400
33626 @@ -604,7 +604,7 @@ int GLOB_SBD_unlocked_ioctl(struct block
33630 -static struct block_device_operations GLOB_SBD_ops = {
33631 +static const struct block_device_operations GLOB_SBD_ops = {
33632 .owner = THIS_MODULE,
33633 .open = GLOB_SBD_open,
33634 .release = GLOB_SBD_release,
33635 diff -urNp linux-2.6.38.6/drivers/staging/usbip/vhci.h linux-2.6.38.6/drivers/staging/usbip/vhci.h
33636 --- linux-2.6.38.6/drivers/staging/usbip/vhci.h 2011-03-14 21:20:32.000000000 -0400
33637 +++ linux-2.6.38.6/drivers/staging/usbip/vhci.h 2011-04-28 19:57:25.000000000 -0400
33638 @@ -92,7 +92,7 @@ struct vhci_hcd {
33639 unsigned resuming:1;
33640 unsigned long re_timeout;
33643 + atomic_unchecked_t seqnum;
33647 diff -urNp linux-2.6.38.6/drivers/staging/usbip/vhci_hcd.c linux-2.6.38.6/drivers/staging/usbip/vhci_hcd.c
33648 --- linux-2.6.38.6/drivers/staging/usbip/vhci_hcd.c 2011-05-10 22:06:29.000000000 -0400
33649 +++ linux-2.6.38.6/drivers/staging/usbip/vhci_hcd.c 2011-05-10 22:08:57.000000000 -0400
33650 @@ -535,7 +535,7 @@ static void vhci_tx_urb(struct urb *urb)
33654 - priv->seqnum = atomic_inc_return(&the_controller->seqnum);
33655 + priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
33656 if (priv->seqnum == 0xffff)
33657 usbip_uinfo("seqnum max\n");
33659 @@ -794,7 +794,7 @@ static int vhci_urb_dequeue(struct usb_h
33663 - unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
33664 + unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
33665 if (unlink->seqnum == 0xffff)
33666 usbip_uinfo("seqnum max\n");
33668 @@ -989,7 +989,7 @@ static int vhci_start(struct usb_hcd *hc
33669 vdev->rhport = rhport;
33672 - atomic_set(&vhci->seqnum, 0);
33673 + atomic_set_unchecked(&vhci->seqnum, 0);
33674 spin_lock_init(&vhci->lock);
33677 diff -urNp linux-2.6.38.6/drivers/staging/usbip/vhci_rx.c linux-2.6.38.6/drivers/staging/usbip/vhci_rx.c
33678 --- linux-2.6.38.6/drivers/staging/usbip/vhci_rx.c 2011-04-18 17:27:18.000000000 -0400
33679 +++ linux-2.6.38.6/drivers/staging/usbip/vhci_rx.c 2011-04-28 19:57:25.000000000 -0400
33680 @@ -80,7 +80,7 @@ static void vhci_recv_ret_submit(struct
33681 usbip_uerr("cannot find a urb of seqnum %u\n",
33683 usbip_uinfo("max seqnum %d\n",
33684 - atomic_read(&the_controller->seqnum));
33685 + atomic_read_unchecked(&the_controller->seqnum));
33686 usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
33689 diff -urNp linux-2.6.38.6/drivers/staging/vme/devices/vme_user.c linux-2.6.38.6/drivers/staging/vme/devices/vme_user.c
33690 --- linux-2.6.38.6/drivers/staging/vme/devices/vme_user.c 2011-03-14 21:20:32.000000000 -0400
33691 +++ linux-2.6.38.6/drivers/staging/vme/devices/vme_user.c 2011-04-28 19:34:15.000000000 -0400
33692 @@ -138,7 +138,7 @@ static long vme_user_unlocked_ioctl(stru
33693 static int __devinit vme_user_probe(struct device *, int, int);
33694 static int __devexit vme_user_remove(struct device *, int, int);
33696 -static struct file_operations vme_user_fops = {
33697 +static const struct file_operations vme_user_fops = {
33698 .open = vme_user_open,
33699 .release = vme_user_release,
33700 .read = vme_user_read,
33701 diff -urNp linux-2.6.38.6/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c linux-2.6.38.6/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c
33702 --- linux-2.6.38.6/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-03-14 21:20:32.000000000 -0400
33703 +++ linux-2.6.38.6/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-04-28 19:34:15.000000000 -0400
33704 @@ -426,7 +426,7 @@ int cyasblkdev_revalidate_disk(struct ge
33707 /*standard block device driver interface */
33708 -static struct block_device_operations cyasblkdev_bdops = {
33709 +static const struct block_device_operations cyasblkdev_bdops = {
33710 .open = cyasblkdev_blk_open,
33711 .release = cyasblkdev_blk_release,
33712 .ioctl = cyasblkdev_blk_ioctl,
33713 diff -urNp linux-2.6.38.6/drivers/target/target_core_alua.c linux-2.6.38.6/drivers/target/target_core_alua.c
33714 --- linux-2.6.38.6/drivers/target/target_core_alua.c 2011-03-14 21:20:32.000000000 -0400
33715 +++ linux-2.6.38.6/drivers/target/target_core_alua.c 2011-05-16 21:47:08.000000000 -0400
33716 @@ -675,6 +675,8 @@ static int core_alua_update_tpg_primary_
33717 char path[ALUA_METADATA_PATH_LEN];
33720 + pax_track_stack();
33722 memset(path, 0, ALUA_METADATA_PATH_LEN);
33724 len = snprintf(md_buf, tg_pt_gp->tg_pt_gp_md_buf_len,
33725 @@ -938,6 +940,8 @@ static int core_alua_update_tpg_secondar
33726 char path[ALUA_METADATA_PATH_LEN], wwn[ALUA_SECONDARY_METADATA_WWN_LEN];
33729 + pax_track_stack();
33731 memset(path, 0, ALUA_METADATA_PATH_LEN);
33732 memset(wwn, 0, ALUA_SECONDARY_METADATA_WWN_LEN);
33734 diff -urNp linux-2.6.38.6/drivers/target/target_core_cdb.c linux-2.6.38.6/drivers/target/target_core_cdb.c
33735 --- linux-2.6.38.6/drivers/target/target_core_cdb.c 2011-04-18 17:27:14.000000000 -0400
33736 +++ linux-2.6.38.6/drivers/target/target_core_cdb.c 2011-05-16 21:47:08.000000000 -0400
33737 @@ -838,6 +838,8 @@ target_emulate_modesense(struct se_cmd *
33739 unsigned char buf[SE_MODE_PAGE_BUF];
33741 + pax_track_stack();
33743 memset(buf, 0, SE_MODE_PAGE_BUF);
33745 switch (cdb[2] & 0x3f) {
33746 diff -urNp linux-2.6.38.6/drivers/target/target_core_configfs.c linux-2.6.38.6/drivers/target/target_core_configfs.c
33747 --- linux-2.6.38.6/drivers/target/target_core_configfs.c 2011-03-14 21:20:32.000000000 -0400
33748 +++ linux-2.6.38.6/drivers/target/target_core_configfs.c 2011-05-16 21:47:08.000000000 -0400
33749 @@ -1279,6 +1279,8 @@ static ssize_t target_core_dev_pr_show_a
33751 int reg_count = 0, prf_isid;
33753 + pax_track_stack();
33755 if (!(su_dev->se_dev_ptr))
33758 diff -urNp linux-2.6.38.6/drivers/target/target_core_pr.c linux-2.6.38.6/drivers/target/target_core_pr.c
33759 --- linux-2.6.38.6/drivers/target/target_core_pr.c 2011-03-14 21:20:32.000000000 -0400
33760 +++ linux-2.6.38.6/drivers/target/target_core_pr.c 2011-05-16 21:47:08.000000000 -0400
33761 @@ -918,6 +918,8 @@ static int __core_scsi3_check_aptpl_regi
33762 unsigned char t_port[PR_APTPL_MAX_TPORT_LEN];
33765 + pax_track_stack();
33767 memset(i_port, 0, PR_APTPL_MAX_IPORT_LEN);
33768 memset(t_port, 0, PR_APTPL_MAX_TPORT_LEN);
33770 @@ -1861,6 +1863,8 @@ static int __core_scsi3_update_aptpl_buf
33774 + pax_track_stack();
33776 memset(buf, 0, pr_aptpl_buf_len);
33778 * Called to clear metadata once APTPL has been deactivated.
33779 @@ -1983,6 +1987,8 @@ static int __core_scsi3_write_aptpl_to_f
33783 + pax_track_stack();
33785 memset(iov, 0, sizeof(struct iovec));
33786 memset(path, 0, 512);
33788 diff -urNp linux-2.6.38.6/drivers/target/target_core_tmr.c linux-2.6.38.6/drivers/target/target_core_tmr.c
33789 --- linux-2.6.38.6/drivers/target/target_core_tmr.c 2011-03-14 21:20:32.000000000 -0400
33790 +++ linux-2.6.38.6/drivers/target/target_core_tmr.c 2011-04-28 19:57:25.000000000 -0400
33791 @@ -262,7 +262,7 @@ int core_tmr_lun_reset(
33792 CMD_TFO(cmd)->get_task_tag(cmd), cmd->pr_res_key,
33793 T_TASK(cmd)->t_task_cdbs,
33794 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
33795 - atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
33796 + atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
33797 atomic_read(&T_TASK(cmd)->t_transport_active),
33798 atomic_read(&T_TASK(cmd)->t_transport_stop),
33799 atomic_read(&T_TASK(cmd)->t_transport_sent));
33800 @@ -304,7 +304,7 @@ int core_tmr_lun_reset(
33801 DEBUG_LR("LUN_RESET: got t_transport_active = 1 for"
33802 " task: %p, t_fe_count: %d dev: %p\n", task,
33804 - atomic_set(&T_TASK(cmd)->t_transport_aborted, 1);
33805 + atomic_set_unchecked(&T_TASK(cmd)->t_transport_aborted, 1);
33806 spin_unlock_irqrestore(&T_TASK(cmd)->t_state_lock,
33808 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
33809 @@ -314,7 +314,7 @@ int core_tmr_lun_reset(
33811 DEBUG_LR("LUN_RESET: Got t_transport_active = 0 for task: %p,"
33812 " t_fe_count: %d dev: %p\n", task, fe_count, dev);
33813 - atomic_set(&T_TASK(cmd)->t_transport_aborted, 1);
33814 + atomic_set_unchecked(&T_TASK(cmd)->t_transport_aborted, 1);
33815 spin_unlock_irqrestore(&T_TASK(cmd)->t_state_lock, flags);
33816 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
33818 diff -urNp linux-2.6.38.6/drivers/target/target_core_transport.c linux-2.6.38.6/drivers/target/target_core_transport.c
33819 --- linux-2.6.38.6/drivers/target/target_core_transport.c 2011-03-14 21:20:32.000000000 -0400
33820 +++ linux-2.6.38.6/drivers/target/target_core_transport.c 2011-04-28 19:57:25.000000000 -0400
33821 @@ -1678,7 +1678,7 @@ struct se_device *transport_add_device_t
33823 dev->queue_depth = dev_limits->queue_depth;
33824 atomic_set(&dev->depth_left, dev->queue_depth);
33825 - atomic_set(&dev->dev_ordered_id, 0);
33826 + atomic_set_unchecked(&dev->dev_ordered_id, 0);
33828 se_dev_set_default_attribs(dev, dev_limits);
33830 @@ -1880,7 +1880,7 @@ static int transport_check_alloc_task_at
33831 * Used to determine when ORDERED commands should go from
33832 * Dormant to Active status.
33834 - cmd->se_ordered_id = atomic_inc_return(&SE_DEV(cmd)->dev_ordered_id);
33835 + cmd->se_ordered_id = atomic_inc_return_unchecked(&SE_DEV(cmd)->dev_ordered_id);
33836 smp_mb__after_atomic_inc();
33837 DEBUG_STA("Allocated se_ordered_id: %u for Task Attr: 0x%02x on %s\n",
33838 cmd->se_ordered_id, cmd->sam_task_attr,
33839 @@ -2160,7 +2160,7 @@ static void transport_generic_request_fa
33840 " t_transport_active: %d t_transport_stop: %d"
33841 " t_transport_sent: %d\n", T_TASK(cmd)->t_task_cdbs,
33842 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
33843 - atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
33844 + atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
33845 atomic_read(&T_TASK(cmd)->t_task_cdbs_ex_left),
33846 atomic_read(&T_TASK(cmd)->t_transport_active),
33847 atomic_read(&T_TASK(cmd)->t_transport_stop),
33848 @@ -2664,9 +2664,9 @@ check_depth:
33849 spin_lock_irqsave(&T_TASK(cmd)->t_state_lock, flags);
33850 atomic_set(&task->task_active, 1);
33851 atomic_set(&task->task_sent, 1);
33852 - atomic_inc(&T_TASK(cmd)->t_task_cdbs_sent);
33853 + atomic_inc_unchecked(&T_TASK(cmd)->t_task_cdbs_sent);
33855 - if (atomic_read(&T_TASK(cmd)->t_task_cdbs_sent) ==
33856 + if (atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent) ==
33857 T_TASK(cmd)->t_task_cdbs)
33858 atomic_set(&cmd->transport_sent, 1);
33860 @@ -5550,7 +5550,7 @@ static void transport_generic_wait_for_t
33861 atomic_set(&T_TASK(cmd)->transport_lun_stop, 0);
33863 if (!atomic_read(&T_TASK(cmd)->t_transport_active) ||
33864 - atomic_read(&T_TASK(cmd)->t_transport_aborted))
33865 + atomic_read_unchecked(&T_TASK(cmd)->t_transport_aborted))
33868 atomic_set(&T_TASK(cmd)->t_transport_stop, 1);
33869 @@ -5779,7 +5779,7 @@ int transport_check_aborted_status(struc
33873 - if (atomic_read(&T_TASK(cmd)->t_transport_aborted) != 0) {
33874 + if (atomic_read_unchecked(&T_TASK(cmd)->t_transport_aborted) != 0) {
33875 if (!(send_status) ||
33876 (cmd->se_cmd_flags & SCF_SENT_DELAYED_TAS))
33878 @@ -5807,7 +5807,7 @@ void transport_send_task_abort(struct se
33880 if (cmd->data_direction == DMA_TO_DEVICE) {
33881 if (CMD_TFO(cmd)->write_pending_status(cmd) != 0) {
33882 - atomic_inc(&T_TASK(cmd)->t_transport_aborted);
33883 + atomic_inc_unchecked(&T_TASK(cmd)->t_transport_aborted);
33884 smp_mb__after_atomic_inc();
33885 cmd->scsi_status = SAM_STAT_TASK_ABORTED;
33886 transport_new_cmd_failure(cmd);
33887 @@ -5936,7 +5936,7 @@ static void transport_processing_shutdow
33888 CMD_TFO(cmd)->get_task_tag(cmd),
33889 T_TASK(cmd)->t_task_cdbs,
33890 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
33891 - atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
33892 + atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
33893 atomic_read(&T_TASK(cmd)->t_transport_active),
33894 atomic_read(&T_TASK(cmd)->t_transport_stop),
33895 atomic_read(&T_TASK(cmd)->t_transport_sent));
33896 diff -urNp linux-2.6.38.6/drivers/telephony/ixj.c linux-2.6.38.6/drivers/telephony/ixj.c
33897 --- linux-2.6.38.6/drivers/telephony/ixj.c 2011-03-14 21:20:32.000000000 -0400
33898 +++ linux-2.6.38.6/drivers/telephony/ixj.c 2011-05-16 21:47:08.000000000 -0400
33899 @@ -4976,6 +4976,8 @@ static int ixj_daa_cid_read(IXJ *j)
33903 + pax_track_stack();
33905 if (!SCI_Prepare(j))
33908 diff -urNp linux-2.6.38.6/drivers/tty/hvc/hvc_console.h linux-2.6.38.6/drivers/tty/hvc/hvc_console.h
33909 --- linux-2.6.38.6/drivers/tty/hvc/hvc_console.h 2011-03-14 21:20:32.000000000 -0400
33910 +++ linux-2.6.38.6/drivers/tty/hvc/hvc_console.h 2011-04-28 19:34:15.000000000 -0400
33911 @@ -82,6 +82,7 @@ extern int hvc_instantiate(uint32_t vter
33912 /* register a vterm for hvc tty operation (module_init or hotplug add) */
33913 extern struct hvc_struct * hvc_alloc(uint32_t vtermno, int data,
33914 const struct hv_ops *ops, int outbuf_size);
33916 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
33917 extern int hvc_remove(struct hvc_struct *hp);
33919 diff -urNp linux-2.6.38.6/drivers/tty/hvc/hvcs.c linux-2.6.38.6/drivers/tty/hvc/hvcs.c
33920 --- linux-2.6.38.6/drivers/tty/hvc/hvcs.c 2011-03-14 21:20:32.000000000 -0400
33921 +++ linux-2.6.38.6/drivers/tty/hvc/hvcs.c 2011-04-28 19:34:15.000000000 -0400
33923 #include <asm/hvcserver.h>
33924 #include <asm/uaccess.h>
33925 #include <asm/vio.h>
33926 +#include <asm/local.h>
33929 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
33930 @@ -270,7 +271,7 @@ struct hvcs_struct {
33931 unsigned int index;
33933 struct tty_struct *tty;
33935 + local_t open_count;
33938 * Used to tell the driver kernel_thread what operations need to take
33939 @@ -420,7 +421,7 @@ static ssize_t hvcs_vterm_state_store(st
33941 spin_lock_irqsave(&hvcsd->lock, flags);
33943 - if (hvcsd->open_count > 0) {
33944 + if (local_read(&hvcsd->open_count) > 0) {
33945 spin_unlock_irqrestore(&hvcsd->lock, flags);
33946 printk(KERN_INFO "HVCS: vterm state unchanged. "
33947 "The hvcs device node is still in use.\n");
33948 @@ -1136,7 +1137,7 @@ static int hvcs_open(struct tty_struct *
33949 if ((retval = hvcs_partner_connect(hvcsd)))
33950 goto error_release;
33952 - hvcsd->open_count = 1;
33953 + local_set(&hvcsd->open_count, 1);
33955 tty->driver_data = hvcsd;
33957 @@ -1170,7 +1171,7 @@ fast_open:
33959 spin_lock_irqsave(&hvcsd->lock, flags);
33960 kref_get(&hvcsd->kref);
33961 - hvcsd->open_count++;
33962 + local_inc(&hvcsd->open_count);
33963 hvcsd->todo_mask |= HVCS_SCHED_READ;
33964 spin_unlock_irqrestore(&hvcsd->lock, flags);
33966 @@ -1214,7 +1215,7 @@ static void hvcs_close(struct tty_struct
33967 hvcsd = tty->driver_data;
33969 spin_lock_irqsave(&hvcsd->lock, flags);
33970 - if (--hvcsd->open_count == 0) {
33971 + if (local_dec_and_test(&hvcsd->open_count)) {
33973 vio_disable_interrupts(hvcsd->vdev);
33975 @@ -1240,10 +1241,10 @@ static void hvcs_close(struct tty_struct
33976 free_irq(irq, hvcsd);
33977 kref_put(&hvcsd->kref, destroy_hvcs_struct);
33979 - } else if (hvcsd->open_count < 0) {
33980 + } else if (local_read(&hvcsd->open_count) < 0) {
33981 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
33982 " is missmanaged.\n",
33983 - hvcsd->vdev->unit_address, hvcsd->open_count);
33984 + hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
33987 spin_unlock_irqrestore(&hvcsd->lock, flags);
33988 @@ -1259,7 +1260,7 @@ static void hvcs_hangup(struct tty_struc
33990 spin_lock_irqsave(&hvcsd->lock, flags);
33991 /* Preserve this so that we know how many kref refs to put */
33992 - temp_open_count = hvcsd->open_count;
33993 + temp_open_count = local_read(&hvcsd->open_count);
33996 * Don't kref put inside the spinlock because the destruction
33997 @@ -1274,7 +1275,7 @@ static void hvcs_hangup(struct tty_struc
33998 hvcsd->tty->driver_data = NULL;
34001 - hvcsd->open_count = 0;
34002 + local_set(&hvcsd->open_count, 0);
34004 /* This will drop any buffered data on the floor which is OK in a hangup
34006 @@ -1345,7 +1346,7 @@ static int hvcs_write(struct tty_struct
34007 * the middle of a write operation? This is a crummy place to do this
34008 * but we want to keep it all in the spinlock.
34010 - if (hvcsd->open_count <= 0) {
34011 + if (local_read(&hvcsd->open_count) <= 0) {
34012 spin_unlock_irqrestore(&hvcsd->lock, flags);
34015 @@ -1419,7 +1420,7 @@ static int hvcs_write_room(struct tty_st
34017 struct hvcs_struct *hvcsd = tty->driver_data;
34019 - if (!hvcsd || hvcsd->open_count <= 0)
34020 + if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
34023 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
34024 diff -urNp linux-2.6.38.6/drivers/tty/hvc/hvc_xen.c linux-2.6.38.6/drivers/tty/hvc/hvc_xen.c
34025 --- linux-2.6.38.6/drivers/tty/hvc/hvc_xen.c 2011-03-14 21:20:32.000000000 -0400
34026 +++ linux-2.6.38.6/drivers/tty/hvc/hvc_xen.c 2011-04-28 19:34:15.000000000 -0400
34027 @@ -123,7 +123,7 @@ static int domU_read_console(uint32_t vt
34031 -static struct hv_ops domU_hvc_ops = {
34032 +static const struct hv_ops domU_hvc_ops = {
34033 .get_chars = domU_read_console,
34034 .put_chars = domU_write_console,
34035 .notifier_add = notifier_add_irq,
34036 @@ -149,7 +149,7 @@ static int dom0_write_console(uint32_t v
34040 -static struct hv_ops dom0_hvc_ops = {
34041 +static const struct hv_ops dom0_hvc_ops = {
34042 .get_chars = dom0_read_console,
34043 .put_chars = dom0_write_console,
34044 .notifier_add = notifier_add_irq,
34045 @@ -160,7 +160,7 @@ static struct hv_ops dom0_hvc_ops = {
34046 static int __init xen_hvc_init(void)
34048 struct hvc_struct *hp;
34049 - struct hv_ops *ops;
34050 + const struct hv_ops *ops;
34052 if (!xen_pv_domain())
34054 @@ -203,7 +203,7 @@ static void __exit xen_hvc_fini(void)
34056 static int xen_cons_init(void)
34058 - struct hv_ops *ops;
34059 + const struct hv_ops *ops;
34061 if (!xen_pv_domain())
34063 diff -urNp linux-2.6.38.6/drivers/tty/n_gsm.c linux-2.6.38.6/drivers/tty/n_gsm.c
34064 --- linux-2.6.38.6/drivers/tty/n_gsm.c 2011-05-10 22:06:27.000000000 -0400
34065 +++ linux-2.6.38.6/drivers/tty/n_gsm.c 2011-05-10 22:06:56.000000000 -0400
34066 @@ -1589,7 +1589,7 @@ static struct gsm_dlci *gsm_dlci_alloc(s
34068 spin_lock_init(&dlci->lock);
34069 dlci->fifo = &dlci->_fifo;
34070 - if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
34071 + if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
34075 diff -urNp linux-2.6.38.6/drivers/tty/n_tty.c linux-2.6.38.6/drivers/tty/n_tty.c
34076 --- linux-2.6.38.6/drivers/tty/n_tty.c 2011-03-14 21:20:32.000000000 -0400
34077 +++ linux-2.6.38.6/drivers/tty/n_tty.c 2011-04-28 19:34:15.000000000 -0400
34078 @@ -2116,6 +2116,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
34080 *ops = tty_ldisc_N_TTY;
34082 - ops->refcount = ops->flags = 0;
34083 + atomic_set(&ops->refcount, 0);
34086 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
34087 diff -urNp linux-2.6.38.6/drivers/tty/pty.c linux-2.6.38.6/drivers/tty/pty.c
34088 --- linux-2.6.38.6/drivers/tty/pty.c 2011-03-14 21:20:32.000000000 -0400
34089 +++ linux-2.6.38.6/drivers/tty/pty.c 2011-04-28 19:34:15.000000000 -0400
34090 @@ -700,7 +700,18 @@ out:
34094 -static struct file_operations ptmx_fops;
34095 +static const struct file_operations ptmx_fops = {
34096 + .llseek = no_llseek,
34097 + .read = tty_read,
34098 + .write = tty_write,
34099 + .poll = tty_poll,
34100 + .unlocked_ioctl = tty_ioctl,
34101 + .compat_ioctl = tty_compat_ioctl,
34102 + .open = ptmx_open,
34103 + .release = tty_release,
34104 + .fasync = tty_fasync,
34108 static void __init unix98_pty_init(void)
34110 @@ -753,10 +764,6 @@ static void __init unix98_pty_init(void)
34112 register_sysctl_table(pty_root_table);
34114 - /* Now create the /dev/ptmx special device */
34115 - tty_default_fops(&ptmx_fops);
34116 - ptmx_fops.open = ptmx_open;
34118 cdev_init(&ptmx_cdev, &ptmx_fops);
34119 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
34120 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
34121 diff -urNp linux-2.6.38.6/drivers/tty/serial/kgdboc.c linux-2.6.38.6/drivers/tty/serial/kgdboc.c
34122 --- linux-2.6.38.6/drivers/tty/serial/kgdboc.c 2011-03-14 21:20:32.000000000 -0400
34123 +++ linux-2.6.38.6/drivers/tty/serial/kgdboc.c 2011-04-28 19:34:15.000000000 -0400
34126 #define MAX_CONFIG_LEN 40
34128 -static struct kgdb_io kgdboc_io_ops;
34129 +static struct kgdb_io kgdboc_io_ops; /* cannot be const, see configure_kgdboc() */
34131 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
34132 static int configured = -1;
34133 @@ -293,7 +293,7 @@ static void kgdboc_post_exp_handler(void
34134 kgdboc_restore_input();
34137 -static struct kgdb_io kgdboc_io_ops = {
34138 +static struct kgdb_io kgdboc_io_ops = { /* cannot be const, see configure_kgdboc() */
34140 .read_char = kgdboc_get_char,
34141 .write_char = kgdboc_put_char,
34142 diff -urNp linux-2.6.38.6/drivers/tty/serial/mrst_max3110.c linux-2.6.38.6/drivers/tty/serial/mrst_max3110.c
34143 --- linux-2.6.38.6/drivers/tty/serial/mrst_max3110.c 2011-04-18 17:27:14.000000000 -0400
34144 +++ linux-2.6.38.6/drivers/tty/serial/mrst_max3110.c 2011-05-16 21:47:08.000000000 -0400
34145 @@ -393,6 +393,8 @@ static void max3110_con_receive(struct u
34146 int loop = 1, num, total = 0;
34147 u8 recv_buf[512], *pbuf;
34149 + pax_track_stack();
34153 num = max3110_read_multi(max, pbuf);
34154 diff -urNp linux-2.6.38.6/drivers/tty/tty_io.c linux-2.6.38.6/drivers/tty/tty_io.c
34155 --- linux-2.6.38.6/drivers/tty/tty_io.c 2011-03-14 21:20:32.000000000 -0400
34156 +++ linux-2.6.38.6/drivers/tty/tty_io.c 2011-04-28 19:34:15.000000000 -0400
34157 @@ -140,21 +140,11 @@ EXPORT_SYMBOL(tty_mutex);
34158 /* Spinlock to protect the tty->tty_files list */
34159 DEFINE_SPINLOCK(tty_files_lock);
34161 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
34162 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
34163 ssize_t redirected_tty_write(struct file *, const char __user *,
34165 -static unsigned int tty_poll(struct file *, poll_table *);
34166 static int tty_open(struct inode *, struct file *);
34167 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
34168 -#ifdef CONFIG_COMPAT
34169 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
34170 - unsigned long arg);
34172 -#define tty_compat_ioctl NULL
34174 static int __tty_fasync(int fd, struct file *filp, int on);
34175 -static int tty_fasync(int fd, struct file *filp, int on);
34176 static void release_tty(struct tty_struct *tty, int idx);
34177 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
34178 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
34179 @@ -938,7 +928,7 @@ EXPORT_SYMBOL(start_tty);
34180 * read calls may be outstanding in parallel.
34183 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
34184 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
34188 @@ -964,6 +954,8 @@ static ssize_t tty_read(struct file *fil
34192 +EXPORT_SYMBOL(tty_read);
34194 void tty_write_unlock(struct tty_struct *tty)
34196 mutex_unlock(&tty->atomic_write_lock);
34197 @@ -1113,7 +1105,7 @@ void tty_write_message(struct tty_struct
34198 * write method will not be invoked in parallel for each device.
34201 -static ssize_t tty_write(struct file *file, const char __user *buf,
34202 +ssize_t tty_write(struct file *file, const char __user *buf,
34203 size_t count, loff_t *ppos)
34205 struct inode *inode = file->f_path.dentry->d_inode;
34206 @@ -1139,6 +1131,8 @@ static ssize_t tty_write(struct file *fi
34210 +EXPORT_SYMBOL(tty_write);
34212 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
34213 size_t count, loff_t *ppos)
34215 @@ -1778,6 +1772,8 @@ int tty_release(struct inode *inode, str
34219 +EXPORT_SYMBOL(tty_release);
34222 * tty_open - open a tty device
34223 * @inode: inode of device file
34224 @@ -1969,7 +1965,7 @@ got_driver:
34225 * may be re-entered freely by other callers.
34228 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
34229 +unsigned int tty_poll(struct file *filp, poll_table *wait)
34231 struct tty_struct *tty = file_tty(filp);
34232 struct tty_ldisc *ld;
34233 @@ -1985,6 +1981,8 @@ static unsigned int tty_poll(struct file
34237 +EXPORT_SYMBOL(tty_poll);
34239 static int __tty_fasync(int fd, struct file *filp, int on)
34241 struct tty_struct *tty = file_tty(filp);
34242 @@ -2026,7 +2024,7 @@ out:
34246 -static int tty_fasync(int fd, struct file *filp, int on)
34247 +int tty_fasync(int fd, struct file *filp, int on)
34251 @@ -2035,6 +2033,8 @@ static int tty_fasync(int fd, struct fil
34255 +EXPORT_SYMBOL(tty_fasync);
34258 * tiocsti - fake input character
34259 * @tty: tty to fake input into
34260 @@ -2692,8 +2692,10 @@ long tty_ioctl(struct file *file, unsign
34264 +EXPORT_SYMBOL(tty_ioctl);
34266 #ifdef CONFIG_COMPAT
34267 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
34268 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
34271 struct inode *inode = file->f_dentry->d_inode;
34272 @@ -2717,6 +2719,9 @@ static long tty_compat_ioctl(struct file
34277 +EXPORT_SYMBOL(tty_compat_ioctl);
34282 @@ -3195,11 +3200,6 @@ struct tty_struct *get_current_tty(void)
34284 EXPORT_SYMBOL_GPL(get_current_tty);
34286 -void tty_default_fops(struct file_operations *fops)
34288 - *fops = tty_fops;
34292 * Initialize the console device. This is called *early*, so
34293 * we can't necessarily depend on lots of kernel help here.
34294 diff -urNp linux-2.6.38.6/drivers/tty/tty_ldisc.c linux-2.6.38.6/drivers/tty/tty_ldisc.c
34295 --- linux-2.6.38.6/drivers/tty/tty_ldisc.c 2011-03-14 21:20:32.000000000 -0400
34296 +++ linux-2.6.38.6/drivers/tty/tty_ldisc.c 2011-04-28 19:34:15.000000000 -0400
34297 @@ -76,7 +76,7 @@ static void put_ldisc(struct tty_ldisc *
34298 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
34299 struct tty_ldisc_ops *ldo = ld->ops;
34302 + atomic_dec(&ldo->refcount);
34303 module_put(ldo->owner);
34304 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
34306 @@ -111,7 +111,7 @@ int tty_register_ldisc(int disc, struct
34307 spin_lock_irqsave(&tty_ldisc_lock, flags);
34308 tty_ldiscs[disc] = new_ldisc;
34309 new_ldisc->num = disc;
34310 - new_ldisc->refcount = 0;
34311 + atomic_set(&new_ldisc->refcount, 0);
34312 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
34315 @@ -139,7 +139,7 @@ int tty_unregister_ldisc(int disc)
34318 spin_lock_irqsave(&tty_ldisc_lock, flags);
34319 - if (tty_ldiscs[disc]->refcount)
34320 + if (atomic_read(&tty_ldiscs[disc]->refcount))
34323 tty_ldiscs[disc] = NULL;
34324 @@ -160,7 +160,7 @@ static struct tty_ldisc_ops *get_ldops(i
34326 ret = ERR_PTR(-EAGAIN);
34327 if (try_module_get(ldops->owner)) {
34328 - ldops->refcount++;
34329 + atomic_inc(&ldops->refcount);
34333 @@ -173,7 +173,7 @@ static void put_ldops(struct tty_ldisc_o
34334 unsigned long flags;
34336 spin_lock_irqsave(&tty_ldisc_lock, flags);
34337 - ldops->refcount--;
34338 + atomic_dec(&ldops->refcount);
34339 module_put(ldops->owner);
34340 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
34342 diff -urNp linux-2.6.38.6/drivers/tty/vt/keyboard.c linux-2.6.38.6/drivers/tty/vt/keyboard.c
34343 --- linux-2.6.38.6/drivers/tty/vt/keyboard.c 2011-03-14 21:20:32.000000000 -0400
34344 +++ linux-2.6.38.6/drivers/tty/vt/keyboard.c 2011-04-28 19:34:15.000000000 -0400
34345 @@ -657,6 +657,16 @@ static void k_spec(struct vc_data *vc, u
34346 kbd->kbdmode == VC_MEDIUMRAW) &&
34347 value != KVAL(K_SAK))
34348 return; /* SAK is allowed even in raw mode */
34350 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
34352 + void *func = fn_handler[value];
34353 + if (func == fn_show_state || func == fn_show_ptregs ||
34354 + func == fn_show_mem)
34359 fn_handler[value](vc);
34362 diff -urNp linux-2.6.38.6/drivers/tty/vt/vt.c linux-2.6.38.6/drivers/tty/vt/vt.c
34363 --- linux-2.6.38.6/drivers/tty/vt/vt.c 2011-03-14 21:20:32.000000000 -0400
34364 +++ linux-2.6.38.6/drivers/tty/vt/vt.c 2011-04-28 19:34:15.000000000 -0400
34365 @@ -262,7 +262,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
34367 static void notify_write(struct vc_data *vc, unsigned int unicode)
34369 - struct vt_notifier_param param = { .vc = vc, unicode = unicode };
34370 + struct vt_notifier_param param = { .vc = vc, .c = unicode };
34371 atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, ¶m);
34374 diff -urNp linux-2.6.38.6/drivers/tty/vt/vt_ioctl.c linux-2.6.38.6/drivers/tty/vt/vt_ioctl.c
34375 --- linux-2.6.38.6/drivers/tty/vt/vt_ioctl.c 2011-03-14 21:20:32.000000000 -0400
34376 +++ linux-2.6.38.6/drivers/tty/vt/vt_ioctl.c 2011-04-28 19:34:15.000000000 -0400
34377 @@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
34378 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
34381 - if (!capable(CAP_SYS_TTY_CONFIG))
34386 key_map = key_maps[s];
34387 @@ -224,6 +221,9 @@ do_kdsk_ioctl(int cmd, struct kbentry __
34388 val = (i ? K_HOLE : K_NOSUCHMAP);
34389 return put_user(val, &user_kbe->kb_value);
34391 + if (!capable(CAP_SYS_TTY_CONFIG))
34396 if (!i && v == K_NOSUCHMAP) {
34397 @@ -325,9 +325,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
34401 - if (!capable(CAP_SYS_TTY_CONFIG))
34404 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
34407 @@ -361,6 +358,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
34409 return ((p && *p) ? -EOVERFLOW : 0);
34411 + if (!capable(CAP_SYS_TTY_CONFIG))
34417 diff -urNp linux-2.6.38.6/drivers/uio/uio.c linux-2.6.38.6/drivers/uio/uio.c
34418 --- linux-2.6.38.6/drivers/uio/uio.c 2011-03-14 21:20:32.000000000 -0400
34419 +++ linux-2.6.38.6/drivers/uio/uio.c 2011-04-28 19:57:25.000000000 -0400
34421 #include <linux/kobject.h>
34422 #include <linux/cdev.h>
34423 #include <linux/uio_driver.h>
34424 +#include <asm/local.h>
34426 #define UIO_MAX_DEVICES (1U << MINORBITS)
34428 @@ -32,10 +33,10 @@ struct uio_device {
34429 struct module *owner;
34430 struct device *dev;
34433 + atomic_unchecked_t event;
34434 struct fasync_struct *async_queue;
34435 wait_queue_head_t wait;
34437 + local_t vma_count;
34438 struct uio_info *info;
34439 struct kobject *map_dir;
34440 struct kobject *portio_dir;
34441 @@ -242,7 +243,7 @@ static ssize_t show_event(struct device
34442 struct device_attribute *attr, char *buf)
34444 struct uio_device *idev = dev_get_drvdata(dev);
34445 - return sprintf(buf, "%u\n", (unsigned int)atomic_read(&idev->event));
34446 + return sprintf(buf, "%u\n", (unsigned int)atomic_read_unchecked(&idev->event));
34449 static struct device_attribute uio_class_attributes[] = {
34450 @@ -402,7 +403,7 @@ void uio_event_notify(struct uio_info *i
34452 struct uio_device *idev = info->uio_dev;
34454 - atomic_inc(&idev->event);
34455 + atomic_inc_unchecked(&idev->event);
34456 wake_up_interruptible(&idev->wait);
34457 kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
34459 @@ -455,7 +456,7 @@ static int uio_open(struct inode *inode,
34462 listener->dev = idev;
34463 - listener->event_count = atomic_read(&idev->event);
34464 + listener->event_count = atomic_read_unchecked(&idev->event);
34465 filep->private_data = listener;
34467 if (idev->info->open) {
34468 @@ -506,7 +507,7 @@ static unsigned int uio_poll(struct file
34471 poll_wait(filep, &idev->wait, wait);
34472 - if (listener->event_count != atomic_read(&idev->event))
34473 + if (listener->event_count != atomic_read_unchecked(&idev->event))
34474 return POLLIN | POLLRDNORM;
34477 @@ -531,7 +532,7 @@ static ssize_t uio_read(struct file *fil
34479 set_current_state(TASK_INTERRUPTIBLE);
34481 - event_count = atomic_read(&idev->event);
34482 + event_count = atomic_read_unchecked(&idev->event);
34483 if (event_count != listener->event_count) {
34484 if (copy_to_user(buf, &event_count, count))
34486 @@ -602,13 +603,13 @@ static int uio_find_mem_index(struct vm_
34487 static void uio_vma_open(struct vm_area_struct *vma)
34489 struct uio_device *idev = vma->vm_private_data;
34490 - idev->vma_count++;
34491 + local_inc(&idev->vma_count);
34494 static void uio_vma_close(struct vm_area_struct *vma)
34496 struct uio_device *idev = vma->vm_private_data;
34497 - idev->vma_count--;
34498 + local_dec(&idev->vma_count);
34501 static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
34502 @@ -819,7 +820,7 @@ int __uio_register_device(struct module
34503 idev->owner = owner;
34505 init_waitqueue_head(&idev->wait);
34506 - atomic_set(&idev->event, 0);
34507 + atomic_set_unchecked(&idev->event, 0);
34509 ret = uio_get_minor(idev);
34511 diff -urNp linux-2.6.38.6/drivers/usb/atm/cxacru.c linux-2.6.38.6/drivers/usb/atm/cxacru.c
34512 --- linux-2.6.38.6/drivers/usb/atm/cxacru.c 2011-03-14 21:20:32.000000000 -0400
34513 +++ linux-2.6.38.6/drivers/usb/atm/cxacru.c 2011-04-28 19:34:15.000000000 -0400
34514 @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_c
34515 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
34518 - if (index < 0 || index > 0x7f)
34519 + if (index > 0x7f)
34523 diff -urNp linux-2.6.38.6/drivers/usb/atm/usbatm.c linux-2.6.38.6/drivers/usb/atm/usbatm.c
34524 --- linux-2.6.38.6/drivers/usb/atm/usbatm.c 2011-03-14 21:20:32.000000000 -0400
34525 +++ linux-2.6.38.6/drivers/usb/atm/usbatm.c 2011-04-28 19:34:15.000000000 -0400
34526 @@ -332,7 +332,7 @@ static void usbatm_extract_one_cell(stru
34527 if (printk_ratelimit())
34528 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
34529 __func__, vpi, vci);
34530 - atomic_inc(&vcc->stats->rx_err);
34531 + atomic_inc_unchecked(&vcc->stats->rx_err);
34535 @@ -360,7 +360,7 @@ static void usbatm_extract_one_cell(stru
34536 if (length > ATM_MAX_AAL5_PDU) {
34537 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
34538 __func__, length, vcc);
34539 - atomic_inc(&vcc->stats->rx_err);
34540 + atomic_inc_unchecked(&vcc->stats->rx_err);
34544 @@ -369,14 +369,14 @@ static void usbatm_extract_one_cell(stru
34545 if (sarb->len < pdu_length) {
34546 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
34547 __func__, pdu_length, sarb->len, vcc);
34548 - atomic_inc(&vcc->stats->rx_err);
34549 + atomic_inc_unchecked(&vcc->stats->rx_err);
34553 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
34554 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
34556 - atomic_inc(&vcc->stats->rx_err);
34557 + atomic_inc_unchecked(&vcc->stats->rx_err);
34561 @@ -386,7 +386,7 @@ static void usbatm_extract_one_cell(stru
34562 if (printk_ratelimit())
34563 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
34565 - atomic_inc(&vcc->stats->rx_drop);
34566 + atomic_inc_unchecked(&vcc->stats->rx_drop);
34570 @@ -411,7 +411,7 @@ static void usbatm_extract_one_cell(stru
34572 vcc->push(vcc, skb);
34574 - atomic_inc(&vcc->stats->rx);
34575 + atomic_inc_unchecked(&vcc->stats->rx);
34579 @@ -614,7 +614,7 @@ static void usbatm_tx_process(unsigned l
34580 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
34582 usbatm_pop(vcc, skb);
34583 - atomic_inc(&vcc->stats->tx);
34584 + atomic_inc_unchecked(&vcc->stats->tx);
34586 skb = skb_dequeue(&instance->sndqueue);
34588 @@ -773,11 +773,11 @@ static int usbatm_atm_proc_read(struct a
34590 return sprintf(page,
34591 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
34592 - atomic_read(&atm_dev->stats.aal5.tx),
34593 - atomic_read(&atm_dev->stats.aal5.tx_err),
34594 - atomic_read(&atm_dev->stats.aal5.rx),
34595 - atomic_read(&atm_dev->stats.aal5.rx_err),
34596 - atomic_read(&atm_dev->stats.aal5.rx_drop));
34597 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
34598 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
34599 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
34600 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
34601 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
34604 if (instance->disconnected)
34605 diff -urNp linux-2.6.38.6/drivers/usb/core/devices.c linux-2.6.38.6/drivers/usb/core/devices.c
34606 --- linux-2.6.38.6/drivers/usb/core/devices.c 2011-04-22 19:20:59.000000000 -0400
34607 +++ linux-2.6.38.6/drivers/usb/core/devices.c 2011-04-28 19:57:25.000000000 -0400
34608 @@ -126,7 +126,7 @@ static const char *format_endpt =
34609 * time it gets called.
34611 static struct device_connect_event {
34613 + atomic_unchecked_t count;
34614 wait_queue_head_t wait;
34616 .count = ATOMIC_INIT(1),
34617 @@ -164,7 +164,7 @@ static const struct class_info clas_info
34619 void usbfs_conn_disc_event(void)
34621 - atomic_add(2, &device_event.count);
34622 + atomic_add_unchecked(2, &device_event.count);
34623 wake_up(&device_event.wait);
34626 @@ -648,7 +648,7 @@ static unsigned int usb_device_poll(stru
34628 poll_wait(file, &device_event.wait, wait);
34630 - event_count = atomic_read(&device_event.count);
34631 + event_count = atomic_read_unchecked(&device_event.count);
34632 if (file->f_version != event_count) {
34633 file->f_version = event_count;
34634 return POLLIN | POLLRDNORM;
34635 diff -urNp linux-2.6.38.6/drivers/usb/core/hcd.c linux-2.6.38.6/drivers/usb/core/hcd.c
34636 --- linux-2.6.38.6/drivers/usb/core/hcd.c 2011-04-22 19:20:59.000000000 -0400
34637 +++ linux-2.6.38.6/drivers/usb/core/hcd.c 2011-04-28 19:34:15.000000000 -0400
34638 @@ -2457,7 +2457,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
34640 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
34642 -struct usb_mon_operations *mon_ops;
34643 +const struct usb_mon_operations *mon_ops;
34646 * The registration is unlocked.
34647 @@ -2467,7 +2467,7 @@ struct usb_mon_operations *mon_ops;
34648 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
34651 -int usb_mon_register (struct usb_mon_operations *ops)
34652 +int usb_mon_register (const struct usb_mon_operations *ops)
34656 diff -urNp linux-2.6.38.6/drivers/usb/core/message.c linux-2.6.38.6/drivers/usb/core/message.c
34657 --- linux-2.6.38.6/drivers/usb/core/message.c 2011-03-14 21:20:32.000000000 -0400
34658 +++ linux-2.6.38.6/drivers/usb/core/message.c 2011-04-28 19:34:15.000000000 -0400
34659 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
34660 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
34662 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
34664 - smallbuf = kmalloc(++len, GFP_NOIO);
34666 + smallbuf = kmalloc(len, GFP_NOIO);
34669 memcpy(smallbuf, buf, len);
34670 diff -urNp linux-2.6.38.6/drivers/usb/early/ehci-dbgp.c linux-2.6.38.6/drivers/usb/early/ehci-dbgp.c
34671 --- linux-2.6.38.6/drivers/usb/early/ehci-dbgp.c 2011-03-14 21:20:32.000000000 -0400
34672 +++ linux-2.6.38.6/drivers/usb/early/ehci-dbgp.c 2011-04-28 19:34:15.000000000 -0400
34673 @@ -96,7 +96,7 @@ static inline u32 dbgp_len_update(u32 x,
34677 -static struct kgdb_io kgdbdbgp_io_ops;
34678 +static struct kgdb_io kgdbdbgp_io_ops; /* cannot be const, see kgdbdbgp_parse_config */
34679 #define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
34681 #define dbgp_kgdb_mode (0)
34682 @@ -1026,7 +1026,7 @@ static void kgdbdbgp_write_char(u8 chr)
34683 early_dbgp_write(NULL, &chr, 1);
34686 -static struct kgdb_io kgdbdbgp_io_ops = {
34687 +static struct kgdb_io kgdbdbgp_io_ops = { /* cannot be const, see kgdbdbgp_parse_config() */
34688 .name = "kgdbdbgp",
34689 .read_char = kgdbdbgp_read_char,
34690 .write_char = kgdbdbgp_write_char,
34691 diff -urNp linux-2.6.38.6/drivers/usb/host/xhci-mem.c linux-2.6.38.6/drivers/usb/host/xhci-mem.c
34692 --- linux-2.6.38.6/drivers/usb/host/xhci-mem.c 2011-04-22 19:20:59.000000000 -0400
34693 +++ linux-2.6.38.6/drivers/usb/host/xhci-mem.c 2011-05-16 21:47:08.000000000 -0400
34694 @@ -1616,6 +1616,8 @@ static int xhci_check_trb_in_td_math(str
34695 unsigned int num_tests;
34698 + pax_track_stack();
34700 num_tests = ARRAY_SIZE(simple_test_vector);
34701 for (i = 0; i < num_tests; i++) {
34702 ret = xhci_test_trb_in_td(xhci,
34703 diff -urNp linux-2.6.38.6/drivers/usb/mon/mon_main.c linux-2.6.38.6/drivers/usb/mon/mon_main.c
34704 --- linux-2.6.38.6/drivers/usb/mon/mon_main.c 2011-03-14 21:20:32.000000000 -0400
34705 +++ linux-2.6.38.6/drivers/usb/mon/mon_main.c 2011-04-28 19:34:15.000000000 -0400
34706 @@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
34710 -static struct usb_mon_operations mon_ops_0 = {
34711 +static const struct usb_mon_operations mon_ops_0 = {
34712 .urb_submit = mon_submit,
34713 .urb_submit_error = mon_submit_error,
34714 .urb_complete = mon_complete,
34715 diff -urNp linux-2.6.38.6/drivers/usb/wusbcore/wa-hc.h linux-2.6.38.6/drivers/usb/wusbcore/wa-hc.h
34716 --- linux-2.6.38.6/drivers/usb/wusbcore/wa-hc.h 2011-03-14 21:20:32.000000000 -0400
34717 +++ linux-2.6.38.6/drivers/usb/wusbcore/wa-hc.h 2011-04-28 19:57:25.000000000 -0400
34718 @@ -192,7 +192,7 @@ struct wahc {
34719 struct list_head xfer_delayed_list;
34720 spinlock_t xfer_list_lock;
34721 struct work_struct xfer_work;
34722 - atomic_t xfer_id_count;
34723 + atomic_unchecked_t xfer_id_count;
34727 @@ -246,7 +246,7 @@ static inline void wa_init(struct wahc *
34728 INIT_LIST_HEAD(&wa->xfer_delayed_list);
34729 spin_lock_init(&wa->xfer_list_lock);
34730 INIT_WORK(&wa->xfer_work, wa_urb_enqueue_run);
34731 - atomic_set(&wa->xfer_id_count, 1);
34732 + atomic_set_unchecked(&wa->xfer_id_count, 1);
34736 diff -urNp linux-2.6.38.6/drivers/usb/wusbcore/wa-xfer.c linux-2.6.38.6/drivers/usb/wusbcore/wa-xfer.c
34737 --- linux-2.6.38.6/drivers/usb/wusbcore/wa-xfer.c 2011-03-14 21:20:32.000000000 -0400
34738 +++ linux-2.6.38.6/drivers/usb/wusbcore/wa-xfer.c 2011-04-28 19:57:25.000000000 -0400
34739 @@ -294,7 +294,7 @@ out:
34741 static void wa_xfer_id_init(struct wa_xfer *xfer)
34743 - xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
34744 + xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
34748 diff -urNp linux-2.6.38.6/drivers/vhost/vhost.c linux-2.6.38.6/drivers/vhost/vhost.c
34749 --- linux-2.6.38.6/drivers/vhost/vhost.c 2011-03-14 21:20:32.000000000 -0400
34750 +++ linux-2.6.38.6/drivers/vhost/vhost.c 2011-04-28 19:34:15.000000000 -0400
34751 @@ -565,7 +565,7 @@ static int init_used(struct vhost_virtqu
34752 return get_user(vq->last_used_idx, &used->idx);
34755 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
34756 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
34758 struct file *eventfp, *filep = NULL,
34759 *pollstart = NULL, *pollstop = NULL;
34760 diff -urNp linux-2.6.38.6/drivers/video/fbcmap.c linux-2.6.38.6/drivers/video/fbcmap.c
34761 --- linux-2.6.38.6/drivers/video/fbcmap.c 2011-03-14 21:20:32.000000000 -0400
34762 +++ linux-2.6.38.6/drivers/video/fbcmap.c 2011-04-28 19:34:15.000000000 -0400
34763 @@ -285,8 +285,7 @@ int fb_set_user_cmap(struct fb_cmap_user
34767 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
34768 - !info->fbops->fb_setcmap)) {
34769 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
34773 diff -urNp linux-2.6.38.6/drivers/video/fbmem.c linux-2.6.38.6/drivers/video/fbmem.c
34774 --- linux-2.6.38.6/drivers/video/fbmem.c 2011-03-14 21:20:32.000000000 -0400
34775 +++ linux-2.6.38.6/drivers/video/fbmem.c 2011-05-16 21:47:08.000000000 -0400
34776 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
34777 image->dx += image->width + 8;
34779 } else if (rotate == FB_ROTATE_UD) {
34780 - for (x = 0; x < num && image->dx >= 0; x++) {
34781 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
34782 info->fbops->fb_imageblit(info, image);
34783 image->dx -= image->width + 8;
34785 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
34786 image->dy += image->height + 8;
34788 } else if (rotate == FB_ROTATE_CCW) {
34789 - for (x = 0; x < num && image->dy >= 0; x++) {
34790 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
34791 info->fbops->fb_imageblit(info, image);
34792 image->dy -= image->height + 8;
34794 @@ -897,6 +897,8 @@ fb_set_var(struct fb_info *info, struct
34795 int flags = info->flags;
34798 + pax_track_stack();
34800 if (var->activate & FB_ACTIVATE_INV_MODE) {
34801 struct fb_videomode mode1, mode2;
34803 @@ -1022,6 +1024,8 @@ static long do_fb_ioctl(struct fb_info *
34804 void __user *argp = (void __user *)arg;
34807 + pax_track_stack();
34810 case FBIOGET_VSCREENINFO:
34811 if (!lock_fb_info(info))
34812 @@ -1101,7 +1105,7 @@ static long do_fb_ioctl(struct fb_info *
34814 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
34816 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
34817 + if (con2fb.framebuffer >= FB_MAX)
34819 if (!registered_fb[con2fb.framebuffer])
34820 request_module("fb%d", con2fb.framebuffer);
34821 diff -urNp linux-2.6.38.6/drivers/video/i810/i810_accel.c linux-2.6.38.6/drivers/video/i810/i810_accel.c
34822 --- linux-2.6.38.6/drivers/video/i810/i810_accel.c 2011-03-14 21:20:32.000000000 -0400
34823 +++ linux-2.6.38.6/drivers/video/i810/i810_accel.c 2011-04-28 19:34:15.000000000 -0400
34824 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
34827 printk("ringbuffer lockup!!!\n");
34828 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
34829 i810_report_error(mmio);
34830 par->dev_flags |= LOCKUP;
34831 info->pixmap.scan_align = 1;
34832 diff -urNp linux-2.6.38.6/drivers/video/pxa3xx-gcu.c linux-2.6.38.6/drivers/video/pxa3xx-gcu.c
34833 --- linux-2.6.38.6/drivers/video/pxa3xx-gcu.c 2011-03-14 21:20:32.000000000 -0400
34834 +++ linux-2.6.38.6/drivers/video/pxa3xx-gcu.c 2011-04-28 19:34:15.000000000 -0400
34835 @@ -103,7 +103,7 @@ struct pxa3xx_gcu_priv {
34836 dma_addr_t shared_phys;
34837 struct resource *resource_mem;
34838 struct miscdevice misc_dev;
34839 - struct file_operations misc_fops;
34840 + const struct file_operations misc_fops;
34841 wait_queue_head_t wait_idle;
34842 wait_queue_head_t wait_free;
34843 spinlock_t spinlock;
34844 diff -urNp linux-2.6.38.6/drivers/video/udlfb.c linux-2.6.38.6/drivers/video/udlfb.c
34845 --- linux-2.6.38.6/drivers/video/udlfb.c 2011-03-14 21:20:32.000000000 -0400
34846 +++ linux-2.6.38.6/drivers/video/udlfb.c 2011-04-28 19:57:25.000000000 -0400
34847 @@ -584,11 +584,11 @@ int dlfb_handle_damage(struct dlfb_data
34848 dlfb_urb_completion(urb);
34851 - atomic_add(bytes_sent, &dev->bytes_sent);
34852 - atomic_add(bytes_identical, &dev->bytes_identical);
34853 - atomic_add(width*height*2, &dev->bytes_rendered);
34854 + atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
34855 + atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
34856 + atomic_add_unchecked(width*height*2, &dev->bytes_rendered);
34857 end_cycles = get_cycles();
34858 - atomic_add(((unsigned int) ((end_cycles - start_cycles)
34859 + atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
34860 >> 10)), /* Kcycles */
34861 &dev->cpu_kcycles_used);
34863 @@ -709,11 +709,11 @@ static void dlfb_dpy_deferred_io(struct
34864 dlfb_urb_completion(urb);
34867 - atomic_add(bytes_sent, &dev->bytes_sent);
34868 - atomic_add(bytes_identical, &dev->bytes_identical);
34869 - atomic_add(bytes_rendered, &dev->bytes_rendered);
34870 + atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
34871 + atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
34872 + atomic_add_unchecked(bytes_rendered, &dev->bytes_rendered);
34873 end_cycles = get_cycles();
34874 - atomic_add(((unsigned int) ((end_cycles - start_cycles)
34875 + atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
34876 >> 10)), /* Kcycles */
34877 &dev->cpu_kcycles_used);
34879 @@ -1301,7 +1301,7 @@ static ssize_t metrics_bytes_rendered_sh
34880 struct fb_info *fb_info = dev_get_drvdata(fbdev);
34881 struct dlfb_data *dev = fb_info->par;
34882 return snprintf(buf, PAGE_SIZE, "%u\n",
34883 - atomic_read(&dev->bytes_rendered));
34884 + atomic_read_unchecked(&dev->bytes_rendered));
34887 static ssize_t metrics_bytes_identical_show(struct device *fbdev,
34888 @@ -1309,7 +1309,7 @@ static ssize_t metrics_bytes_identical_s
34889 struct fb_info *fb_info = dev_get_drvdata(fbdev);
34890 struct dlfb_data *dev = fb_info->par;
34891 return snprintf(buf, PAGE_SIZE, "%u\n",
34892 - atomic_read(&dev->bytes_identical));
34893 + atomic_read_unchecked(&dev->bytes_identical));
34896 static ssize_t metrics_bytes_sent_show(struct device *fbdev,
34897 @@ -1317,7 +1317,7 @@ static ssize_t metrics_bytes_sent_show(s
34898 struct fb_info *fb_info = dev_get_drvdata(fbdev);
34899 struct dlfb_data *dev = fb_info->par;
34900 return snprintf(buf, PAGE_SIZE, "%u\n",
34901 - atomic_read(&dev->bytes_sent));
34902 + atomic_read_unchecked(&dev->bytes_sent));
34905 static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
34906 @@ -1325,7 +1325,7 @@ static ssize_t metrics_cpu_kcycles_used_
34907 struct fb_info *fb_info = dev_get_drvdata(fbdev);
34908 struct dlfb_data *dev = fb_info->par;
34909 return snprintf(buf, PAGE_SIZE, "%u\n",
34910 - atomic_read(&dev->cpu_kcycles_used));
34911 + atomic_read_unchecked(&dev->cpu_kcycles_used));
34914 static ssize_t edid_show(
34915 @@ -1382,10 +1382,10 @@ static ssize_t metrics_reset_store(struc
34916 struct fb_info *fb_info = dev_get_drvdata(fbdev);
34917 struct dlfb_data *dev = fb_info->par;
34919 - atomic_set(&dev->bytes_rendered, 0);
34920 - atomic_set(&dev->bytes_identical, 0);
34921 - atomic_set(&dev->bytes_sent, 0);
34922 - atomic_set(&dev->cpu_kcycles_used, 0);
34923 + atomic_set_unchecked(&dev->bytes_rendered, 0);
34924 + atomic_set_unchecked(&dev->bytes_identical, 0);
34925 + atomic_set_unchecked(&dev->bytes_sent, 0);
34926 + atomic_set_unchecked(&dev->cpu_kcycles_used, 0);
34930 diff -urNp linux-2.6.38.6/drivers/video/uvesafb.c linux-2.6.38.6/drivers/video/uvesafb.c
34931 --- linux-2.6.38.6/drivers/video/uvesafb.c 2011-03-14 21:20:32.000000000 -0400
34932 +++ linux-2.6.38.6/drivers/video/uvesafb.c 2011-04-28 19:34:15.000000000 -0400
34934 #include <linux/io.h>
34935 #include <linux/mutex.h>
34936 #include <linux/slab.h>
34937 +#include <linux/moduleloader.h>
34938 #include <video/edid.h>
34939 #include <video/uvesafb.h>
34941 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
34945 - return call_usermodehelper(v86d_path, argv, envp, 1);
34946 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
34950 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
34951 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
34952 par->pmi_setpal = par->ypan = 0;
34955 +#ifdef CONFIG_PAX_KERNEXEC
34956 +#ifdef CONFIG_MODULES
34957 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
34959 + if (!par->pmi_code) {
34960 + par->pmi_setpal = par->ypan = 0;
34965 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
34966 + task->t.regs.edi);
34968 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
34969 + pax_open_kernel();
34970 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
34971 + pax_close_kernel();
34973 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
34974 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
34976 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
34977 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
34980 printk(KERN_INFO "uvesafb: protected mode interface info at "
34982 (u16)task->t.regs.es, (u16)task->t.regs.edi);
34983 @@ -1800,6 +1823,11 @@ out:
34984 if (par->vbe_modes)
34985 kfree(par->vbe_modes);
34987 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
34988 + if (par->pmi_code)
34989 + module_free_exec(NULL, par->pmi_code);
34992 framebuffer_release(info);
34995 @@ -1826,6 +1854,12 @@ static int uvesafb_remove(struct platfor
34996 kfree(par->vbe_state_orig);
34997 if (par->vbe_state_saved)
34998 kfree(par->vbe_state_saved);
35000 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
35001 + if (par->pmi_code)
35002 + module_free_exec(NULL, par->pmi_code);
35007 framebuffer_release(info);
35008 diff -urNp linux-2.6.38.6/drivers/video/vesafb.c linux-2.6.38.6/drivers/video/vesafb.c
35009 --- linux-2.6.38.6/drivers/video/vesafb.c 2011-03-14 21:20:32.000000000 -0400
35010 +++ linux-2.6.38.6/drivers/video/vesafb.c 2011-04-28 19:34:15.000000000 -0400
35014 #include <linux/module.h>
35015 +#include <linux/moduleloader.h>
35016 #include <linux/kernel.h>
35017 #include <linux/errno.h>
35018 #include <linux/string.h>
35019 @@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
35020 static int vram_total __initdata; /* Set total amount of memory */
35021 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
35022 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
35023 -static void (*pmi_start)(void) __read_mostly;
35024 -static void (*pmi_pal) (void) __read_mostly;
35025 +static void (*pmi_start)(void) __read_only;
35026 +static void (*pmi_pal) (void) __read_only;
35027 static int depth __read_mostly;
35028 static int vga_compat __read_mostly;
35029 /* --------------------------------------------------------------------- */
35030 @@ -232,6 +233,7 @@ static int __init vesafb_probe(struct pl
35031 unsigned int size_vmode;
35032 unsigned int size_remap;
35033 unsigned int size_total;
35034 + void *pmi_code = NULL;
35036 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
35038 @@ -274,10 +276,6 @@ static int __init vesafb_probe(struct pl
35039 size_remap = size_total;
35040 vesafb_fix.smem_len = size_remap;
35043 - screen_info.vesapm_seg = 0;
35046 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
35047 printk(KERN_WARNING
35048 "vesafb: cannot reserve video memory at 0x%lx\n",
35049 @@ -319,9 +317,21 @@ static int __init vesafb_probe(struct pl
35050 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
35051 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
35055 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
35056 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
35058 +#elif !defined(CONFIG_PAX_KERNEXEC)
35063 + screen_info.vesapm_seg = 0;
35065 if (screen_info.vesapm_seg) {
35066 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
35067 - screen_info.vesapm_seg,screen_info.vesapm_off);
35068 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
35069 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
35072 if (screen_info.vesapm_seg < 0xc000)
35073 @@ -329,9 +339,25 @@ static int __init vesafb_probe(struct pl
35075 if (ypan || pmi_setpal) {
35076 unsigned short *pmi_base;
35077 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
35078 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
35079 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
35081 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
35083 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
35084 + pax_open_kernel();
35085 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
35087 + pmi_code = pmi_base;
35090 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
35091 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
35093 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
35094 + pmi_start = ktva_ktla(pmi_start);
35095 + pmi_pal = ktva_ktla(pmi_pal);
35096 + pax_close_kernel();
35099 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
35101 printk(KERN_INFO "vesafb: pmi: ports = ");
35102 @@ -473,6 +499,11 @@ static int __init vesafb_probe(struct pl
35103 info->node, info->fix.id);
35107 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
35108 + module_free_exec(NULL, pmi_code);
35111 if (info->screen_base)
35112 iounmap(info->screen_base);
35113 framebuffer_release(info);
35114 diff -urNp linux-2.6.38.6/drivers/virtio/virtio_balloon.c linux-2.6.38.6/drivers/virtio/virtio_balloon.c
35115 --- linux-2.6.38.6/drivers/virtio/virtio_balloon.c 2011-03-14 21:20:32.000000000 -0400
35116 +++ linux-2.6.38.6/drivers/virtio/virtio_balloon.c 2011-05-16 21:47:08.000000000 -0400
35117 @@ -176,6 +176,8 @@ static void update_balloon_stats(struct
35121 + pax_track_stack();
35123 all_vm_events(events);
35126 diff -urNp linux-2.6.38.6/fs/9p/vfs_inode.c linux-2.6.38.6/fs/9p/vfs_inode.c
35127 --- linux-2.6.38.6/fs/9p/vfs_inode.c 2011-03-14 21:20:32.000000000 -0400
35128 +++ linux-2.6.38.6/fs/9p/vfs_inode.c 2011-04-28 19:34:15.000000000 -0400
35129 @@ -1094,7 +1094,7 @@ static void *v9fs_vfs_follow_link(struct
35131 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
35133 - char *s = nd_get_link(nd);
35134 + const char *s = nd_get_link(nd);
35136 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
35137 IS_ERR(s) ? "<error>" : s);
35138 diff -urNp linux-2.6.38.6/fs/aio.c linux-2.6.38.6/fs/aio.c
35139 --- linux-2.6.38.6/fs/aio.c 2011-04-18 17:27:16.000000000 -0400
35140 +++ linux-2.6.38.6/fs/aio.c 2011-05-16 21:47:08.000000000 -0400
35141 @@ -130,7 +130,7 @@ static int aio_setup_ring(struct kioctx
35142 size += sizeof(struct io_event) * nr_events;
35143 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
35145 - if (nr_pages < 0)
35146 + if (nr_pages <= 0)
35149 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
35150 @@ -1099,6 +1099,8 @@ static int read_events(struct kioctx *ct
35151 struct aio_timeout to;
35154 + pax_track_stack();
35156 /* needed to zero any padding within an entry (there shouldn't be
35157 * any, but C is fun!
35159 diff -urNp linux-2.6.38.6/fs/attr.c linux-2.6.38.6/fs/attr.c
35160 --- linux-2.6.38.6/fs/attr.c 2011-03-14 21:20:32.000000000 -0400
35161 +++ linux-2.6.38.6/fs/attr.c 2011-04-28 19:34:15.000000000 -0400
35162 @@ -98,6 +98,7 @@ int inode_newsize_ok(const struct inode
35163 unsigned long limit;
35165 limit = rlimit(RLIMIT_FSIZE);
35166 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
35167 if (limit != RLIM_INFINITY && offset > limit)
35169 if (offset > inode->i_sb->s_maxbytes)
35170 diff -urNp linux-2.6.38.6/fs/befs/linuxvfs.c linux-2.6.38.6/fs/befs/linuxvfs.c
35171 --- linux-2.6.38.6/fs/befs/linuxvfs.c 2011-03-14 21:20:32.000000000 -0400
35172 +++ linux-2.6.38.6/fs/befs/linuxvfs.c 2011-04-28 19:34:15.000000000 -0400
35173 @@ -499,7 +499,7 @@ static void befs_put_link(struct dentry
35175 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
35176 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
35177 - char *link = nd_get_link(nd);
35178 + const char *link = nd_get_link(nd);
35182 diff -urNp linux-2.6.38.6/fs/binfmt_aout.c linux-2.6.38.6/fs/binfmt_aout.c
35183 --- linux-2.6.38.6/fs/binfmt_aout.c 2011-03-14 21:20:32.000000000 -0400
35184 +++ linux-2.6.38.6/fs/binfmt_aout.c 2011-04-28 19:34:15.000000000 -0400
35186 #include <linux/string.h>
35187 #include <linux/fs.h>
35188 #include <linux/file.h>
35189 +#include <linux/security.h>
35190 #include <linux/stat.h>
35191 #include <linux/fcntl.h>
35192 #include <linux/ptrace.h>
35193 @@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
35195 # define START_STACK(u) ((void __user *)u.start_stack)
35197 + memset(&dump, 0, sizeof(dump));
35202 @@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
35204 /* If the size of the dump file exceeds the rlimit, then see what would happen
35205 if we wrote the stack, but not the data area. */
35206 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
35207 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
35210 /* Make sure we have enough room to write the stack and data areas. */
35211 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
35212 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
35215 @@ -234,6 +239,8 @@ static int load_aout_binary(struct linux
35216 rlim = rlimit(RLIMIT_DATA);
35217 if (rlim >= RLIM_INFINITY)
35220 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
35221 if (ex.a_data + ex.a_bss > rlim)
35224 @@ -262,6 +269,27 @@ static int load_aout_binary(struct linux
35225 install_exec_creds(bprm);
35226 current->flags &= ~PF_FORKNOEXEC;
35228 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
35229 + current->mm->pax_flags = 0UL;
35232 +#ifdef CONFIG_PAX_PAGEEXEC
35233 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
35234 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
35236 +#ifdef CONFIG_PAX_EMUTRAMP
35237 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
35238 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
35241 +#ifdef CONFIG_PAX_MPROTECT
35242 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
35243 + current->mm->pax_flags |= MF_PAX_MPROTECT;
35249 if (N_MAGIC(ex) == OMAGIC) {
35250 unsigned long text_addr, map_size;
35252 @@ -334,7 +362,7 @@ static int load_aout_binary(struct linux
35254 down_write(¤t->mm->mmap_sem);
35255 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
35256 - PROT_READ | PROT_WRITE | PROT_EXEC,
35257 + PROT_READ | PROT_WRITE,
35258 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
35259 fd_offset + ex.a_text);
35260 up_write(¤t->mm->mmap_sem);
35261 diff -urNp linux-2.6.38.6/fs/binfmt_elf.c linux-2.6.38.6/fs/binfmt_elf.c
35262 --- linux-2.6.38.6/fs/binfmt_elf.c 2011-04-22 19:20:59.000000000 -0400
35263 +++ linux-2.6.38.6/fs/binfmt_elf.c 2011-05-16 21:47:08.000000000 -0400
35264 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
35265 #define elf_core_dump NULL
35268 +#ifdef CONFIG_PAX_MPROTECT
35269 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
35272 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
35273 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
35275 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
35276 .load_binary = load_elf_binary,
35277 .load_shlib = load_elf_library,
35278 .core_dump = elf_core_dump,
35280 +#ifdef CONFIG_PAX_MPROTECT
35281 + .handle_mprotect= elf_handle_mprotect,
35284 .min_coredump = ELF_EXEC_PAGESIZE,
35287 @@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
35289 static int set_brk(unsigned long start, unsigned long end)
35291 + unsigned long e = end;
35293 start = ELF_PAGEALIGN(start);
35294 end = ELF_PAGEALIGN(end);
35296 @@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
35297 if (BAD_ADDR(addr))
35300 - current->mm->start_brk = current->mm->brk = end;
35301 + current->mm->start_brk = current->mm->brk = e;
35305 @@ -148,12 +159,15 @@ create_elf_tables(struct linux_binprm *b
35306 elf_addr_t __user *u_rand_bytes;
35307 const char *k_platform = ELF_PLATFORM;
35308 const char *k_base_platform = ELF_BASE_PLATFORM;
35309 - unsigned char k_rand_bytes[16];
35310 + u32 k_rand_bytes[4];
35312 elf_addr_t *elf_info;
35314 const struct cred *cred = current_cred();
35315 struct vm_area_struct *vma;
35316 + unsigned long saved_auxv[AT_VECTOR_SIZE];
35318 + pax_track_stack();
35321 * In some cases (e.g. Hyper-Threading), we want to avoid L1
35322 @@ -195,8 +209,12 @@ create_elf_tables(struct linux_binprm *b
35323 * Generate 16 random bytes for userspace PRNG seeding.
35325 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
35326 - u_rand_bytes = (elf_addr_t __user *)
35327 - STACK_ALLOC(p, sizeof(k_rand_bytes));
35328 + srandom32(k_rand_bytes[0] ^ random32());
35329 + srandom32(k_rand_bytes[1] ^ random32());
35330 + srandom32(k_rand_bytes[2] ^ random32());
35331 + srandom32(k_rand_bytes[3] ^ random32());
35332 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
35333 + u_rand_bytes = (elf_addr_t __user *) p;
35334 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
35337 @@ -308,9 +326,11 @@ create_elf_tables(struct linux_binprm *b
35339 current->mm->env_end = p;
35341 + memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
35343 /* Put the elf_info on the stack in the right place. */
35344 sp = (elf_addr_t __user *)envp + 1;
35345 - if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
35346 + if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
35350 @@ -381,10 +401,10 @@ static unsigned long load_elf_interp(str
35352 struct elf_phdr *elf_phdata;
35353 struct elf_phdr *eppnt;
35354 - unsigned long load_addr = 0;
35355 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
35356 int load_addr_set = 0;
35357 unsigned long last_bss = 0, elf_bss = 0;
35358 - unsigned long error = ~0UL;
35359 + unsigned long error = -EINVAL;
35360 unsigned long total_size;
35361 int retval, i, size;
35363 @@ -430,6 +450,11 @@ static unsigned long load_elf_interp(str
35367 +#ifdef CONFIG_PAX_SEGMEXEC
35368 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
35369 + pax_task_size = SEGMEXEC_TASK_SIZE;
35372 eppnt = elf_phdata;
35373 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
35374 if (eppnt->p_type == PT_LOAD) {
35375 @@ -473,8 +498,8 @@ static unsigned long load_elf_interp(str
35376 k = load_addr + eppnt->p_vaddr;
35378 eppnt->p_filesz > eppnt->p_memsz ||
35379 - eppnt->p_memsz > TASK_SIZE ||
35380 - TASK_SIZE - eppnt->p_memsz < k) {
35381 + eppnt->p_memsz > pax_task_size ||
35382 + pax_task_size - eppnt->p_memsz < k) {
35386 @@ -528,6 +553,193 @@ out:
35390 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
35391 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
35393 + unsigned long pax_flags = 0UL;
35395 +#ifdef CONFIG_PAX_PAGEEXEC
35396 + if (elf_phdata->p_flags & PF_PAGEEXEC)
35397 + pax_flags |= MF_PAX_PAGEEXEC;
35400 +#ifdef CONFIG_PAX_SEGMEXEC
35401 + if (elf_phdata->p_flags & PF_SEGMEXEC)
35402 + pax_flags |= MF_PAX_SEGMEXEC;
35405 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
35406 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
35407 + if ((__supported_pte_mask & _PAGE_NX))
35408 + pax_flags &= ~MF_PAX_SEGMEXEC;
35410 + pax_flags &= ~MF_PAX_PAGEEXEC;
35414 +#ifdef CONFIG_PAX_EMUTRAMP
35415 + if (elf_phdata->p_flags & PF_EMUTRAMP)
35416 + pax_flags |= MF_PAX_EMUTRAMP;
35419 +#ifdef CONFIG_PAX_MPROTECT
35420 + if (elf_phdata->p_flags & PF_MPROTECT)
35421 + pax_flags |= MF_PAX_MPROTECT;
35424 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
35425 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
35426 + pax_flags |= MF_PAX_RANDMMAP;
35429 + return pax_flags;
35433 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
35434 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
35436 + unsigned long pax_flags = 0UL;
35438 +#ifdef CONFIG_PAX_PAGEEXEC
35439 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
35440 + pax_flags |= MF_PAX_PAGEEXEC;
35443 +#ifdef CONFIG_PAX_SEGMEXEC
35444 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
35445 + pax_flags |= MF_PAX_SEGMEXEC;
35448 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
35449 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
35450 + if ((__supported_pte_mask & _PAGE_NX))
35451 + pax_flags &= ~MF_PAX_SEGMEXEC;
35453 + pax_flags &= ~MF_PAX_PAGEEXEC;
35457 +#ifdef CONFIG_PAX_EMUTRAMP
35458 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
35459 + pax_flags |= MF_PAX_EMUTRAMP;
35462 +#ifdef CONFIG_PAX_MPROTECT
35463 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
35464 + pax_flags |= MF_PAX_MPROTECT;
35467 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
35468 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
35469 + pax_flags |= MF_PAX_RANDMMAP;
35472 + return pax_flags;
35476 +#ifdef CONFIG_PAX_EI_PAX
35477 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
35479 + unsigned long pax_flags = 0UL;
35481 +#ifdef CONFIG_PAX_PAGEEXEC
35482 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
35483 + pax_flags |= MF_PAX_PAGEEXEC;
35486 +#ifdef CONFIG_PAX_SEGMEXEC
35487 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
35488 + pax_flags |= MF_PAX_SEGMEXEC;
35491 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
35492 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
35493 + if ((__supported_pte_mask & _PAGE_NX))
35494 + pax_flags &= ~MF_PAX_SEGMEXEC;
35496 + pax_flags &= ~MF_PAX_PAGEEXEC;
35500 +#ifdef CONFIG_PAX_EMUTRAMP
35501 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
35502 + pax_flags |= MF_PAX_EMUTRAMP;
35505 +#ifdef CONFIG_PAX_MPROTECT
35506 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
35507 + pax_flags |= MF_PAX_MPROTECT;
35510 +#ifdef CONFIG_PAX_ASLR
35511 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
35512 + pax_flags |= MF_PAX_RANDMMAP;
35515 + return pax_flags;
35519 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
35520 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
35522 + unsigned long pax_flags = 0UL;
35524 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
35526 + int found_flags = 0;
35529 +#ifdef CONFIG_PAX_EI_PAX
35530 + pax_flags = pax_parse_ei_pax(elf_ex);
35533 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
35534 + for (i = 0UL; i < elf_ex->e_phnum; i++)
35535 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
35536 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
35537 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
35538 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
35539 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
35540 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
35543 +#ifdef CONFIG_PAX_SOFTMODE
35544 + if (pax_softmode)
35545 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
35549 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
35555 +#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
35556 + if (found_flags == 0) {
35557 + struct elf_phdr phdr;
35558 + memset(&phdr, 0, sizeof(phdr));
35559 + phdr.p_flags = PF_NOEMUTRAMP;
35560 +#ifdef CONFIG_PAX_SOFTMODE
35561 + if (pax_softmode)
35562 + pax_flags = pax_parse_softmode(&phdr);
35565 + pax_flags = pax_parse_hardmode(&phdr);
35569 + if (0 > pax_check_flags(&pax_flags))
35572 + current->mm->pax_flags = pax_flags;
35578 * These are the functions used to load ELF style executables and shared
35579 * libraries. There is no binary dependent code anywhere else.
35580 @@ -544,6 +756,11 @@ static unsigned long randomize_stack_top
35582 unsigned int random_variable = 0;
35584 +#ifdef CONFIG_PAX_RANDUSTACK
35585 + if (randomize_va_space)
35586 + return stack_top - current->mm->delta_stack;
35589 if ((current->flags & PF_RANDOMIZE) &&
35590 !(current->personality & ADDR_NO_RANDOMIZE)) {
35591 random_variable = get_random_int() & STACK_RND_MASK;
35592 @@ -562,7 +779,7 @@ static int load_elf_binary(struct linux_
35593 unsigned long load_addr = 0, load_bias = 0;
35594 int load_addr_set = 0;
35595 char * elf_interpreter = NULL;
35596 - unsigned long error;
35597 + unsigned long error = 0;
35598 struct elf_phdr *elf_ppnt, *elf_phdata;
35599 unsigned long elf_bss, elf_brk;
35601 @@ -572,11 +789,11 @@ static int load_elf_binary(struct linux_
35602 unsigned long start_code, end_code, start_data, end_data;
35603 unsigned long reloc_func_desc = 0;
35604 int executable_stack = EXSTACK_DEFAULT;
35605 - unsigned long def_flags = 0;
35607 struct elfhdr elf_ex;
35608 struct elfhdr interp_elf_ex;
35610 + unsigned long pax_task_size = TASK_SIZE;
35612 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
35614 @@ -714,11 +931,81 @@ static int load_elf_binary(struct linux_
35616 /* OK, This is the point of no return */
35617 current->flags &= ~PF_FORKNOEXEC;
35618 - current->mm->def_flags = def_flags;
35620 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
35621 + current->mm->pax_flags = 0UL;
35624 +#ifdef CONFIG_PAX_DLRESOLVE
35625 + current->mm->call_dl_resolve = 0UL;
35628 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
35629 + current->mm->call_syscall = 0UL;
35632 +#ifdef CONFIG_PAX_ASLR
35633 + current->mm->delta_mmap = 0UL;
35634 + current->mm->delta_stack = 0UL;
35637 + current->mm->def_flags = 0;
35639 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
35640 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
35641 + send_sig(SIGKILL, current, 0);
35642 + goto out_free_dentry;
35646 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
35647 + pax_set_initial_flags(bprm);
35648 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
35649 + if (pax_set_initial_flags_func)
35650 + (pax_set_initial_flags_func)(bprm);
35653 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
35654 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
35655 + current->mm->context.user_cs_limit = PAGE_SIZE;
35656 + current->mm->def_flags |= VM_PAGEEXEC;
35660 +#ifdef CONFIG_PAX_SEGMEXEC
35661 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
35662 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
35663 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
35664 + pax_task_size = SEGMEXEC_TASK_SIZE;
35665 + current->mm->def_flags |= VM_NOHUGEPAGE;
35669 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
35670 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
35671 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
35676 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
35677 may depend on the personality. */
35678 SET_PERSONALITY(loc->elf_ex);
35680 +#ifdef CONFIG_PAX_ASLR
35681 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
35682 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
35683 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
35687 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
35688 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
35689 + executable_stack = EXSTACK_DISABLE_X;
35690 + current->personality &= ~READ_IMPLIES_EXEC;
35694 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
35695 current->personality |= READ_IMPLIES_EXEC;
35697 @@ -800,6 +1087,20 @@ static int load_elf_binary(struct linux_
35699 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
35702 +#ifdef CONFIG_PAX_RANDMMAP
35703 + /* PaX: randomize base address at the default exe base if requested */
35704 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
35705 +#ifdef CONFIG_SPARC64
35706 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
35708 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
35710 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
35711 + elf_flags |= MAP_FIXED;
35717 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
35718 @@ -832,9 +1133,9 @@ static int load_elf_binary(struct linux_
35719 * allowed task size. Note that p_filesz must always be
35720 * <= p_memsz so it is only necessary to check p_memsz.
35722 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
35723 - elf_ppnt->p_memsz > TASK_SIZE ||
35724 - TASK_SIZE - elf_ppnt->p_memsz < k) {
35725 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
35726 + elf_ppnt->p_memsz > pax_task_size ||
35727 + pax_task_size - elf_ppnt->p_memsz < k) {
35728 /* set_brk can never work. Avoid overflows. */
35729 send_sig(SIGKILL, current, 0);
35731 @@ -862,6 +1163,11 @@ static int load_elf_binary(struct linux_
35732 start_data += load_bias;
35733 end_data += load_bias;
35735 +#ifdef CONFIG_PAX_RANDMMAP
35736 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
35737 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
35740 /* Calling set_brk effectively mmaps the pages that we need
35741 * for the bss and break sections. We must do this before
35742 * mapping in the interpreter, to make sure it doesn't wind
35743 @@ -873,9 +1179,11 @@ static int load_elf_binary(struct linux_
35744 goto out_free_dentry;
35746 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
35747 - send_sig(SIGSEGV, current, 0);
35748 - retval = -EFAULT; /* Nobody gets to see this, but.. */
35749 - goto out_free_dentry;
35751 + * This bss-zeroing can fail if the ELF
35752 + * file specifies odd protections. So
35753 + * we don't check the return value
35757 if (elf_interpreter) {
35758 @@ -1090,7 +1398,7 @@ out:
35759 * Decide what to dump of a segment, part, all or none.
35761 static unsigned long vma_dump_size(struct vm_area_struct *vma,
35762 - unsigned long mm_flags)
35763 + unsigned long mm_flags, long signr)
35765 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
35767 @@ -1124,7 +1432,7 @@ static unsigned long vma_dump_size(struc
35768 if (vma->vm_file == NULL)
35771 - if (FILTER(MAPPED_PRIVATE))
35772 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
35776 @@ -1346,9 +1654,9 @@ static void fill_auxv_note(struct memelf
35778 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
35783 - while (auxv[i - 2] != AT_NULL);
35784 + } while (auxv[i - 2] != AT_NULL);
35785 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
35788 @@ -1854,14 +2162,14 @@ static void fill_extnum_info(struct elfh
35791 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
35792 - unsigned long mm_flags)
35793 + struct coredump_params *cprm)
35795 struct vm_area_struct *vma;
35798 for (vma = first_vma(current, gate_vma); vma != NULL;
35799 vma = next_vma(vma, gate_vma))
35800 - size += vma_dump_size(vma, mm_flags);
35801 + size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
35805 @@ -1955,7 +2263,7 @@ static int elf_core_dump(struct coredump
35807 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
35809 - offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
35810 + offset += elf_core_vma_data_size(gate_vma, cprm);
35811 offset += elf_core_extra_data_size();
35814 @@ -1969,10 +2277,12 @@ static int elf_core_dump(struct coredump
35817 size += sizeof(*elf);
35818 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
35819 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
35822 size += sizeof(*phdr4note);
35823 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
35824 if (size > cprm->limit
35825 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
35827 @@ -1986,7 +2296,7 @@ static int elf_core_dump(struct coredump
35828 phdr.p_offset = offset;
35829 phdr.p_vaddr = vma->vm_start;
35831 - phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
35832 + phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
35833 phdr.p_memsz = vma->vm_end - vma->vm_start;
35834 offset += phdr.p_filesz;
35835 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
35836 @@ -1997,6 +2307,7 @@ static int elf_core_dump(struct coredump
35837 phdr.p_align = ELF_EXEC_PAGESIZE;
35839 size += sizeof(phdr);
35840 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
35841 if (size > cprm->limit
35842 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
35844 @@ -2021,7 +2332,7 @@ static int elf_core_dump(struct coredump
35845 unsigned long addr;
35848 - end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
35849 + end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
35851 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
35853 @@ -2030,6 +2341,7 @@ static int elf_core_dump(struct coredump
35854 page = get_dump_page(addr);
35856 void *kaddr = kmap(page);
35857 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
35858 stop = ((size += PAGE_SIZE) > cprm->limit) ||
35859 !dump_write(cprm->file, kaddr,
35861 @@ -2047,6 +2359,7 @@ static int elf_core_dump(struct coredump
35863 if (e_phnum == PN_XNUM) {
35864 size += sizeof(*shdr4extnum);
35865 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
35866 if (size > cprm->limit
35867 || !dump_write(cprm->file, shdr4extnum,
35868 sizeof(*shdr4extnum)))
35869 @@ -2067,6 +2380,97 @@ out:
35871 #endif /* CONFIG_ELF_CORE */
35873 +#ifdef CONFIG_PAX_MPROTECT
35874 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
35875 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
35876 + * we'll remove VM_MAYWRITE for good on RELRO segments.
35878 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
35879 + * basis because we want to allow the common case and not the special ones.
35881 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
35883 + struct elfhdr elf_h;
35884 + struct elf_phdr elf_p;
35886 + unsigned long oldflags;
35887 + bool is_textrel_rw, is_textrel_rx, is_relro;
35889 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
35892 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
35893 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
35895 +#ifdef CONFIG_PAX_ELFRELOCS
35896 + /* possible TEXTREL */
35897 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
35898 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
35900 + is_textrel_rw = false;
35901 + is_textrel_rx = false;
35904 + /* possible RELRO */
35905 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
35907 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
35910 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
35911 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
35913 +#ifdef CONFIG_PAX_ETEXECRELOCS
35914 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
35916 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
35919 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
35920 + !elf_check_arch(&elf_h) ||
35921 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
35922 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
35925 + for (i = 0UL; i < elf_h.e_phnum; i++) {
35926 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
35928 + switch (elf_p.p_type) {
35930 + if (!is_textrel_rw && !is_textrel_rx)
35933 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
35936 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
35938 + if (dyn.d_tag == DT_NULL)
35940 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
35941 + gr_log_textrel(vma);
35942 + if (is_textrel_rw)
35943 + vma->vm_flags |= VM_MAYWRITE;
35945 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
35946 + vma->vm_flags &= ~VM_MAYWRITE;
35953 + case PT_GNU_RELRO:
35956 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
35957 + vma->vm_flags &= ~VM_MAYWRITE;
35964 static int __init init_elf_binfmt(void)
35966 return register_binfmt(&elf_format);
35967 diff -urNp linux-2.6.38.6/fs/binfmt_flat.c linux-2.6.38.6/fs/binfmt_flat.c
35968 --- linux-2.6.38.6/fs/binfmt_flat.c 2011-03-14 21:20:32.000000000 -0400
35969 +++ linux-2.6.38.6/fs/binfmt_flat.c 2011-04-28 19:34:15.000000000 -0400
35970 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
35971 realdatastart = (unsigned long) -ENOMEM;
35972 printk("Unable to allocate RAM for process data, errno %d\n",
35973 (int)-realdatastart);
35974 + down_write(¤t->mm->mmap_sem);
35975 do_munmap(current->mm, textpos, text_len);
35976 + up_write(¤t->mm->mmap_sem);
35977 ret = realdatastart;
35980 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
35982 if (IS_ERR_VALUE(result)) {
35983 printk("Unable to read data+bss, errno %d\n", (int)-result);
35984 + down_write(¤t->mm->mmap_sem);
35985 do_munmap(current->mm, textpos, text_len);
35986 do_munmap(current->mm, realdatastart, len);
35987 + up_write(¤t->mm->mmap_sem);
35991 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
35993 if (IS_ERR_VALUE(result)) {
35994 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
35995 + down_write(¤t->mm->mmap_sem);
35996 do_munmap(current->mm, textpos, text_len + data_len + extra +
35997 MAX_SHARED_LIBS * sizeof(unsigned long));
35998 + up_write(¤t->mm->mmap_sem);
36002 diff -urNp linux-2.6.38.6/fs/bio.c linux-2.6.38.6/fs/bio.c
36003 --- linux-2.6.38.6/fs/bio.c 2011-03-14 21:20:32.000000000 -0400
36004 +++ linux-2.6.38.6/fs/bio.c 2011-04-28 19:34:15.000000000 -0400
36005 @@ -1233,7 +1233,7 @@ static void bio_copy_kern_endio(struct b
36006 const int read = bio_data_dir(bio) == READ;
36007 struct bio_map_data *bmd = bio->bi_private;
36009 - char *p = bmd->sgvecs[0].iov_base;
36010 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
36012 __bio_for_each_segment(bvec, bio, i, 0) {
36013 char *addr = page_address(bvec->bv_page);
36014 diff -urNp linux-2.6.38.6/fs/block_dev.c linux-2.6.38.6/fs/block_dev.c
36015 --- linux-2.6.38.6/fs/block_dev.c 2011-03-14 21:20:32.000000000 -0400
36016 +++ linux-2.6.38.6/fs/block_dev.c 2011-04-28 19:34:15.000000000 -0400
36017 @@ -669,7 +669,7 @@ static bool bd_may_claim(struct block_de
36018 else if (bdev->bd_contains == bdev)
36019 return true; /* is a whole device which isn't held */
36021 - else if (whole->bd_holder == bd_may_claim)
36022 + else if (whole->bd_holder == (void *)bd_may_claim)
36023 return true; /* is a partition of a device that is being partitioned */
36024 else if (whole->bd_holder != NULL)
36025 return false; /* is a partition of a held device */
36026 diff -urNp linux-2.6.38.6/fs/btrfs/ctree.c linux-2.6.38.6/fs/btrfs/ctree.c
36027 --- linux-2.6.38.6/fs/btrfs/ctree.c 2011-03-14 21:20:32.000000000 -0400
36028 +++ linux-2.6.38.6/fs/btrfs/ctree.c 2011-04-28 19:34:15.000000000 -0400
36029 @@ -468,9 +468,12 @@ static noinline int __btrfs_cow_block(st
36030 free_extent_buffer(buf);
36031 add_root_to_dirty_list(root);
36033 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
36034 - parent_start = parent->start;
36036 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
36038 + parent_start = parent->start;
36040 + parent_start = 0;
36044 WARN_ON(trans->transid != btrfs_header_generation(parent));
36045 @@ -3776,7 +3779,6 @@ setup_items_for_insert(struct btrfs_tran
36049 - struct btrfs_disk_key disk_key;
36050 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
36051 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
36053 diff -urNp linux-2.6.38.6/fs/btrfs/disk-io.c linux-2.6.38.6/fs/btrfs/disk-io.c
36054 --- linux-2.6.38.6/fs/btrfs/disk-io.c 2011-04-18 17:27:18.000000000 -0400
36055 +++ linux-2.6.38.6/fs/btrfs/disk-io.c 2011-04-28 19:34:15.000000000 -0400
36057 #include "tree-log.h"
36058 #include "free-space-cache.h"
36060 -static struct extent_io_ops btree_extent_io_ops;
36061 +static const struct extent_io_ops btree_extent_io_ops;
36062 static void end_workqueue_fn(struct btrfs_work *work);
36063 static void free_fs_root(struct btrfs_root *root);
36064 static void btrfs_check_super_valid(struct btrfs_fs_info *fs_info,
36065 @@ -3030,7 +3030,7 @@ static int btrfs_cleanup_transaction(str
36069 -static struct extent_io_ops btree_extent_io_ops = {
36070 +static const struct extent_io_ops btree_extent_io_ops = {
36071 .write_cache_pages_lock_hook = btree_lock_page_hook,
36072 .readpage_end_io_hook = btree_readpage_end_io_hook,
36073 .submit_bio_hook = btree_submit_bio_hook,
36074 diff -urNp linux-2.6.38.6/fs/btrfs/extent_io.h linux-2.6.38.6/fs/btrfs/extent_io.h
36075 --- linux-2.6.38.6/fs/btrfs/extent_io.h 2011-03-14 21:20:32.000000000 -0400
36076 +++ linux-2.6.38.6/fs/btrfs/extent_io.h 2011-04-28 19:34:15.000000000 -0400
36077 @@ -55,36 +55,36 @@ typedef int (extent_submit_bio_hook_t)(s
36078 struct bio *bio, int mirror_num,
36079 unsigned long bio_flags, u64 bio_offset);
36080 struct extent_io_ops {
36081 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
36082 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
36083 u64 start, u64 end, int *page_started,
36084 unsigned long *nr_written);
36085 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
36086 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
36087 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
36088 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
36089 extent_submit_bio_hook_t *submit_bio_hook;
36090 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
36091 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
36092 size_t size, struct bio *bio,
36093 unsigned long bio_flags);
36094 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
36095 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
36096 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
36097 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
36098 u64 start, u64 end,
36099 struct extent_state *state);
36100 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
36101 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
36102 u64 start, u64 end,
36103 struct extent_state *state);
36104 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
36105 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
36106 struct extent_state *state);
36107 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
36108 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
36109 struct extent_state *state, int uptodate);
36110 - int (*set_bit_hook)(struct inode *inode, struct extent_state *state,
36111 + int (* const set_bit_hook)(struct inode *inode, struct extent_state *state,
36113 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
36114 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
36116 - int (*merge_extent_hook)(struct inode *inode,
36117 + int (* const merge_extent_hook)(struct inode *inode,
36118 struct extent_state *new,
36119 struct extent_state *other);
36120 - int (*split_extent_hook)(struct inode *inode,
36121 + int (* const split_extent_hook)(struct inode *inode,
36122 struct extent_state *orig, u64 split);
36123 - int (*write_cache_pages_lock_hook)(struct page *page);
36124 + int (* const write_cache_pages_lock_hook)(struct page *page);
36127 struct extent_io_tree {
36128 @@ -94,7 +94,7 @@ struct extent_io_tree {
36131 spinlock_t buffer_lock;
36132 - struct extent_io_ops *ops;
36133 + const struct extent_io_ops *ops;
36136 struct extent_state {
36137 diff -urNp linux-2.6.38.6/fs/btrfs/free-space-cache.c linux-2.6.38.6/fs/btrfs/free-space-cache.c
36138 --- linux-2.6.38.6/fs/btrfs/free-space-cache.c 2011-03-14 21:20:32.000000000 -0400
36139 +++ linux-2.6.38.6/fs/btrfs/free-space-cache.c 2011-04-28 19:34:15.000000000 -0400
36140 @@ -1855,8 +1855,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
36143 if (entry->bytes < bytes || entry->offset < min_start) {
36144 - struct rb_node *node;
36146 node = rb_next(&entry->offset_index);
36149 @@ -2018,7 +2016,7 @@ again:
36151 while (entry->bitmap || found_bitmap ||
36152 (!entry->bitmap && entry->bytes < min_bytes)) {
36153 - struct rb_node *node = rb_next(&entry->offset_index);
36154 + node = rb_next(&entry->offset_index);
36156 if (entry->bitmap && entry->bytes > bytes + empty_size) {
36157 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
36158 diff -urNp linux-2.6.38.6/fs/btrfs/inode.c linux-2.6.38.6/fs/btrfs/inode.c
36159 --- linux-2.6.38.6/fs/btrfs/inode.c 2011-03-14 21:20:32.000000000 -0400
36160 +++ linux-2.6.38.6/fs/btrfs/inode.c 2011-04-28 19:34:15.000000000 -0400
36161 @@ -64,7 +64,7 @@ static const struct inode_operations btr
36162 static const struct address_space_operations btrfs_aops;
36163 static const struct address_space_operations btrfs_symlink_aops;
36164 static const struct file_operations btrfs_dir_file_operations;
36165 -static struct extent_io_ops btrfs_extent_io_ops;
36166 +static const struct extent_io_ops btrfs_extent_io_ops;
36168 static struct kmem_cache *btrfs_inode_cachep;
36169 struct kmem_cache *btrfs_trans_handle_cachep;
36170 @@ -6796,7 +6796,7 @@ fail:
36174 -static int btrfs_getattr(struct vfsmount *mnt,
36175 +int btrfs_getattr(struct vfsmount *mnt,
36176 struct dentry *dentry, struct kstat *stat)
36178 struct inode *inode = dentry->d_inode;
36179 @@ -6808,6 +6808,14 @@ static int btrfs_getattr(struct vfsmount
36183 +EXPORT_SYMBOL(btrfs_getattr);
36185 +dev_t get_btrfs_dev_from_inode(struct inode *inode)
36187 + return BTRFS_I(inode)->root->anon_super.s_dev;
36189 +EXPORT_SYMBOL(get_btrfs_dev_from_inode);
36191 static int btrfs_rename(struct inode *old_dir, struct dentry *old_dentry,
36192 struct inode *new_dir, struct dentry *new_dentry)
36194 @@ -7311,7 +7319,7 @@ static const struct file_operations btrf
36195 .fsync = btrfs_sync_file,
36198 -static struct extent_io_ops btrfs_extent_io_ops = {
36199 +static const struct extent_io_ops btrfs_extent_io_ops = {
36200 .fill_delalloc = run_delalloc_range,
36201 .submit_bio_hook = btrfs_submit_bio_hook,
36202 .merge_bio_hook = btrfs_merge_bio_hook,
36203 diff -urNp linux-2.6.38.6/fs/btrfs/ioctl.c linux-2.6.38.6/fs/btrfs/ioctl.c
36204 --- linux-2.6.38.6/fs/btrfs/ioctl.c 2011-04-18 17:27:18.000000000 -0400
36205 +++ linux-2.6.38.6/fs/btrfs/ioctl.c 2011-04-28 19:34:15.000000000 -0400
36206 @@ -2274,9 +2274,12 @@ long btrfs_ioctl_space_info(struct btrfs
36207 for (i = 0; i < num_types; i++) {
36208 struct btrfs_space_info *tmp;
36210 + /* Don't copy in more than we allocated */
36218 list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
36219 @@ -2298,10 +2301,7 @@ long btrfs_ioctl_space_info(struct btrfs
36220 memcpy(dest, &space, sizeof(space));
36222 space_args.total_spaces++;
36228 up_read(&info->groups_sem);
36230 diff -urNp linux-2.6.38.6/fs/btrfs/relocation.c linux-2.6.38.6/fs/btrfs/relocation.c
36231 --- linux-2.6.38.6/fs/btrfs/relocation.c 2011-03-14 21:20:32.000000000 -0400
36232 +++ linux-2.6.38.6/fs/btrfs/relocation.c 2011-04-28 19:34:15.000000000 -0400
36233 @@ -1239,7 +1239,7 @@ static int __update_reloc_root(struct bt
36235 spin_unlock(&rc->reloc_root_tree.lock);
36237 - BUG_ON((struct btrfs_root *)node->data != root);
36238 + BUG_ON(!node || (struct btrfs_root *)node->data != root);
36241 spin_lock(&rc->reloc_root_tree.lock);
36242 diff -urNp linux-2.6.38.6/fs/cachefiles/bind.c linux-2.6.38.6/fs/cachefiles/bind.c
36243 --- linux-2.6.38.6/fs/cachefiles/bind.c 2011-03-14 21:20:32.000000000 -0400
36244 +++ linux-2.6.38.6/fs/cachefiles/bind.c 2011-04-28 19:34:15.000000000 -0400
36245 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
36248 /* start by checking things over */
36249 - ASSERT(cache->fstop_percent >= 0 &&
36250 - cache->fstop_percent < cache->fcull_percent &&
36251 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
36252 cache->fcull_percent < cache->frun_percent &&
36253 cache->frun_percent < 100);
36255 - ASSERT(cache->bstop_percent >= 0 &&
36256 - cache->bstop_percent < cache->bcull_percent &&
36257 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
36258 cache->bcull_percent < cache->brun_percent &&
36259 cache->brun_percent < 100);
36261 diff -urNp linux-2.6.38.6/fs/cachefiles/daemon.c linux-2.6.38.6/fs/cachefiles/daemon.c
36262 --- linux-2.6.38.6/fs/cachefiles/daemon.c 2011-03-14 21:20:32.000000000 -0400
36263 +++ linux-2.6.38.6/fs/cachefiles/daemon.c 2011-04-28 19:34:15.000000000 -0400
36264 @@ -196,7 +196,7 @@ static ssize_t cachefiles_daemon_read(st
36268 - if (copy_to_user(_buffer, buffer, n) != 0)
36269 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
36273 @@ -222,7 +222,7 @@ static ssize_t cachefiles_daemon_write(s
36274 if (test_bit(CACHEFILES_DEAD, &cache->flags))
36277 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
36278 + if (datalen > PAGE_SIZE - 1)
36279 return -EOPNOTSUPP;
36281 /* drag the command string into the kernel so we can parse it */
36282 @@ -386,7 +386,7 @@ static int cachefiles_daemon_fstop(struc
36283 if (args[0] != '%' || args[1] != '\0')
36286 - if (fstop < 0 || fstop >= cache->fcull_percent)
36287 + if (fstop >= cache->fcull_percent)
36288 return cachefiles_daemon_range_error(cache, args);
36290 cache->fstop_percent = fstop;
36291 @@ -458,7 +458,7 @@ static int cachefiles_daemon_bstop(struc
36292 if (args[0] != '%' || args[1] != '\0')
36295 - if (bstop < 0 || bstop >= cache->bcull_percent)
36296 + if (bstop >= cache->bcull_percent)
36297 return cachefiles_daemon_range_error(cache, args);
36299 cache->bstop_percent = bstop;
36300 diff -urNp linux-2.6.38.6/fs/cachefiles/internal.h linux-2.6.38.6/fs/cachefiles/internal.h
36301 --- linux-2.6.38.6/fs/cachefiles/internal.h 2011-03-14 21:20:32.000000000 -0400
36302 +++ linux-2.6.38.6/fs/cachefiles/internal.h 2011-04-28 19:57:25.000000000 -0400
36303 @@ -57,7 +57,7 @@ struct cachefiles_cache {
36304 wait_queue_head_t daemon_pollwq; /* poll waitqueue for daemon */
36305 struct rb_root active_nodes; /* active nodes (can't be culled) */
36306 rwlock_t active_lock; /* lock for active_nodes */
36307 - atomic_t gravecounter; /* graveyard uniquifier */
36308 + atomic_unchecked_t gravecounter; /* graveyard uniquifier */
36309 unsigned frun_percent; /* when to stop culling (% files) */
36310 unsigned fcull_percent; /* when to start culling (% files) */
36311 unsigned fstop_percent; /* when to stop allocating (% files) */
36312 @@ -169,19 +169,19 @@ extern int cachefiles_check_in_use(struc
36315 #ifdef CONFIG_CACHEFILES_HISTOGRAM
36316 -extern atomic_t cachefiles_lookup_histogram[HZ];
36317 -extern atomic_t cachefiles_mkdir_histogram[HZ];
36318 -extern atomic_t cachefiles_create_histogram[HZ];
36319 +extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
36320 +extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
36321 +extern atomic_unchecked_t cachefiles_create_histogram[HZ];
36323 extern int __init cachefiles_proc_init(void);
36324 extern void cachefiles_proc_cleanup(void);
36326 -void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
36327 +void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
36329 unsigned long jif = jiffies - start_jif;
36332 - atomic_inc(&histogram[jif]);
36333 + atomic_inc_unchecked(&histogram[jif]);
36337 diff -urNp linux-2.6.38.6/fs/cachefiles/namei.c linux-2.6.38.6/fs/cachefiles/namei.c
36338 --- linux-2.6.38.6/fs/cachefiles/namei.c 2011-03-14 21:20:32.000000000 -0400
36339 +++ linux-2.6.38.6/fs/cachefiles/namei.c 2011-04-28 19:57:25.000000000 -0400
36340 @@ -309,7 +309,7 @@ try_again:
36341 /* first step is to make up a grave dentry in the graveyard */
36342 sprintf(nbuffer, "%08x%08x",
36343 (uint32_t) get_seconds(),
36344 - (uint32_t) atomic_inc_return(&cache->gravecounter));
36345 + (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
36347 /* do the multiway lock magic */
36348 trap = lock_rename(cache->graveyard, dir);
36349 diff -urNp linux-2.6.38.6/fs/cachefiles/proc.c linux-2.6.38.6/fs/cachefiles/proc.c
36350 --- linux-2.6.38.6/fs/cachefiles/proc.c 2011-03-14 21:20:32.000000000 -0400
36351 +++ linux-2.6.38.6/fs/cachefiles/proc.c 2011-04-28 19:57:25.000000000 -0400
36353 #include <linux/seq_file.h>
36354 #include "internal.h"
36356 -atomic_t cachefiles_lookup_histogram[HZ];
36357 -atomic_t cachefiles_mkdir_histogram[HZ];
36358 -atomic_t cachefiles_create_histogram[HZ];
36359 +atomic_unchecked_t cachefiles_lookup_histogram[HZ];
36360 +atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
36361 +atomic_unchecked_t cachefiles_create_histogram[HZ];
36364 * display the latency histogram
36365 @@ -35,9 +35,9 @@ static int cachefiles_histogram_show(str
36368 index = (unsigned long) v - 3;
36369 - x = atomic_read(&cachefiles_lookup_histogram[index]);
36370 - y = atomic_read(&cachefiles_mkdir_histogram[index]);
36371 - z = atomic_read(&cachefiles_create_histogram[index]);
36372 + x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
36373 + y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
36374 + z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
36375 if (x == 0 && y == 0 && z == 0)
36378 diff -urNp linux-2.6.38.6/fs/cachefiles/rdwr.c linux-2.6.38.6/fs/cachefiles/rdwr.c
36379 --- linux-2.6.38.6/fs/cachefiles/rdwr.c 2011-03-14 21:20:32.000000000 -0400
36380 +++ linux-2.6.38.6/fs/cachefiles/rdwr.c 2011-04-28 19:34:15.000000000 -0400
36381 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
36384 ret = file->f_op->write(
36385 - file, (const void __user *) data, len, &pos);
36386 + file, (__force const void __user *) data, len, &pos);
36390 diff -urNp linux-2.6.38.6/fs/ceph/dir.c linux-2.6.38.6/fs/ceph/dir.c
36391 --- linux-2.6.38.6/fs/ceph/dir.c 2011-03-14 21:20:32.000000000 -0400
36392 +++ linux-2.6.38.6/fs/ceph/dir.c 2011-04-28 19:34:15.000000000 -0400
36393 @@ -226,7 +226,7 @@ static int ceph_readdir(struct file *fil
36394 struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
36395 struct ceph_mds_client *mdsc = fsc->mdsc;
36396 unsigned frag = fpos_frag(filp->f_pos);
36397 - int off = fpos_off(filp->f_pos);
36398 + unsigned int off = fpos_off(filp->f_pos);
36401 struct ceph_mds_reply_info_parsed *rinfo;
36402 @@ -358,7 +358,7 @@ more:
36403 rinfo = &fi->last_readdir->r_reply_info;
36404 dout("readdir frag %x num %d off %d chunkoff %d\n", frag,
36405 rinfo->dir_nr, off, fi->offset);
36406 - while (off - fi->offset >= 0 && off - fi->offset < rinfo->dir_nr) {
36407 + while (off >= fi->offset && off - fi->offset < rinfo->dir_nr) {
36408 u64 pos = ceph_make_fpos(frag, off);
36409 struct ceph_mds_reply_inode *in =
36410 rinfo->dir_in[off - fi->offset].in;
36411 diff -urNp linux-2.6.38.6/fs/cifs/cifs_debug.c linux-2.6.38.6/fs/cifs/cifs_debug.c
36412 --- linux-2.6.38.6/fs/cifs/cifs_debug.c 2011-03-14 21:20:32.000000000 -0400
36413 +++ linux-2.6.38.6/fs/cifs/cifs_debug.c 2011-04-28 19:57:25.000000000 -0400
36414 @@ -279,25 +279,25 @@ static ssize_t cifs_stats_proc_write(str
36415 tcon = list_entry(tmp3,
36416 struct cifsTconInfo,
36418 - atomic_set(&tcon->num_smbs_sent, 0);
36419 - atomic_set(&tcon->num_writes, 0);
36420 - atomic_set(&tcon->num_reads, 0);
36421 - atomic_set(&tcon->num_oplock_brks, 0);
36422 - atomic_set(&tcon->num_opens, 0);
36423 - atomic_set(&tcon->num_posixopens, 0);
36424 - atomic_set(&tcon->num_posixmkdirs, 0);
36425 - atomic_set(&tcon->num_closes, 0);
36426 - atomic_set(&tcon->num_deletes, 0);
36427 - atomic_set(&tcon->num_mkdirs, 0);
36428 - atomic_set(&tcon->num_rmdirs, 0);
36429 - atomic_set(&tcon->num_renames, 0);
36430 - atomic_set(&tcon->num_t2renames, 0);
36431 - atomic_set(&tcon->num_ffirst, 0);
36432 - atomic_set(&tcon->num_fnext, 0);
36433 - atomic_set(&tcon->num_fclose, 0);
36434 - atomic_set(&tcon->num_hardlinks, 0);
36435 - atomic_set(&tcon->num_symlinks, 0);
36436 - atomic_set(&tcon->num_locks, 0);
36437 + atomic_set_unchecked(&tcon->num_smbs_sent, 0);
36438 + atomic_set_unchecked(&tcon->num_writes, 0);
36439 + atomic_set_unchecked(&tcon->num_reads, 0);
36440 + atomic_set_unchecked(&tcon->num_oplock_brks, 0);
36441 + atomic_set_unchecked(&tcon->num_opens, 0);
36442 + atomic_set_unchecked(&tcon->num_posixopens, 0);
36443 + atomic_set_unchecked(&tcon->num_posixmkdirs, 0);
36444 + atomic_set_unchecked(&tcon->num_closes, 0);
36445 + atomic_set_unchecked(&tcon->num_deletes, 0);
36446 + atomic_set_unchecked(&tcon->num_mkdirs, 0);
36447 + atomic_set_unchecked(&tcon->num_rmdirs, 0);
36448 + atomic_set_unchecked(&tcon->num_renames, 0);
36449 + atomic_set_unchecked(&tcon->num_t2renames, 0);
36450 + atomic_set_unchecked(&tcon->num_ffirst, 0);
36451 + atomic_set_unchecked(&tcon->num_fnext, 0);
36452 + atomic_set_unchecked(&tcon->num_fclose, 0);
36453 + atomic_set_unchecked(&tcon->num_hardlinks, 0);
36454 + atomic_set_unchecked(&tcon->num_symlinks, 0);
36455 + atomic_set_unchecked(&tcon->num_locks, 0);
36459 @@ -357,41 +357,41 @@ static int cifs_stats_proc_show(struct s
36460 if (tcon->need_reconnect)
36461 seq_puts(m, "\tDISCONNECTED ");
36462 seq_printf(m, "\nSMBs: %d Oplock Breaks: %d",
36463 - atomic_read(&tcon->num_smbs_sent),
36464 - atomic_read(&tcon->num_oplock_brks));
36465 + atomic_read_unchecked(&tcon->num_smbs_sent),
36466 + atomic_read_unchecked(&tcon->num_oplock_brks));
36467 seq_printf(m, "\nReads: %d Bytes: %lld",
36468 - atomic_read(&tcon->num_reads),
36469 + atomic_read_unchecked(&tcon->num_reads),
36470 (long long)(tcon->bytes_read));
36471 seq_printf(m, "\nWrites: %d Bytes: %lld",
36472 - atomic_read(&tcon->num_writes),
36473 + atomic_read_unchecked(&tcon->num_writes),
36474 (long long)(tcon->bytes_written));
36475 seq_printf(m, "\nFlushes: %d",
36476 - atomic_read(&tcon->num_flushes));
36477 + atomic_read_unchecked(&tcon->num_flushes));
36478 seq_printf(m, "\nLocks: %d HardLinks: %d "
36480 - atomic_read(&tcon->num_locks),
36481 - atomic_read(&tcon->num_hardlinks),
36482 - atomic_read(&tcon->num_symlinks));
36483 + atomic_read_unchecked(&tcon->num_locks),
36484 + atomic_read_unchecked(&tcon->num_hardlinks),
36485 + atomic_read_unchecked(&tcon->num_symlinks));
36486 seq_printf(m, "\nOpens: %d Closes: %d "
36488 - atomic_read(&tcon->num_opens),
36489 - atomic_read(&tcon->num_closes),
36490 - atomic_read(&tcon->num_deletes));
36491 + atomic_read_unchecked(&tcon->num_opens),
36492 + atomic_read_unchecked(&tcon->num_closes),
36493 + atomic_read_unchecked(&tcon->num_deletes));
36494 seq_printf(m, "\nPosix Opens: %d "
36495 "Posix Mkdirs: %d",
36496 - atomic_read(&tcon->num_posixopens),
36497 - atomic_read(&tcon->num_posixmkdirs));
36498 + atomic_read_unchecked(&tcon->num_posixopens),
36499 + atomic_read_unchecked(&tcon->num_posixmkdirs));
36500 seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
36501 - atomic_read(&tcon->num_mkdirs),
36502 - atomic_read(&tcon->num_rmdirs));
36503 + atomic_read_unchecked(&tcon->num_mkdirs),
36504 + atomic_read_unchecked(&tcon->num_rmdirs));
36505 seq_printf(m, "\nRenames: %d T2 Renames %d",
36506 - atomic_read(&tcon->num_renames),
36507 - atomic_read(&tcon->num_t2renames));
36508 + atomic_read_unchecked(&tcon->num_renames),
36509 + atomic_read_unchecked(&tcon->num_t2renames));
36510 seq_printf(m, "\nFindFirst: %d FNext %d "
36512 - atomic_read(&tcon->num_ffirst),
36513 - atomic_read(&tcon->num_fnext),
36514 - atomic_read(&tcon->num_fclose));
36515 + atomic_read_unchecked(&tcon->num_ffirst),
36516 + atomic_read_unchecked(&tcon->num_fnext),
36517 + atomic_read_unchecked(&tcon->num_fclose));
36521 diff -urNp linux-2.6.38.6/fs/cifs/cifsglob.h linux-2.6.38.6/fs/cifs/cifsglob.h
36522 --- linux-2.6.38.6/fs/cifs/cifsglob.h 2011-03-14 21:20:32.000000000 -0400
36523 +++ linux-2.6.38.6/fs/cifs/cifsglob.h 2011-04-28 19:57:25.000000000 -0400
36524 @@ -305,28 +305,28 @@ struct cifsTconInfo {
36525 __u16 Flags; /* optional support bits */
36526 enum statusEnum tidStatus;
36527 #ifdef CONFIG_CIFS_STATS
36528 - atomic_t num_smbs_sent;
36529 - atomic_t num_writes;
36530 - atomic_t num_reads;
36531 - atomic_t num_flushes;
36532 - atomic_t num_oplock_brks;
36533 - atomic_t num_opens;
36534 - atomic_t num_closes;
36535 - atomic_t num_deletes;
36536 - atomic_t num_mkdirs;
36537 - atomic_t num_posixopens;
36538 - atomic_t num_posixmkdirs;
36539 - atomic_t num_rmdirs;
36540 - atomic_t num_renames;
36541 - atomic_t num_t2renames;
36542 - atomic_t num_ffirst;
36543 - atomic_t num_fnext;
36544 - atomic_t num_fclose;
36545 - atomic_t num_hardlinks;
36546 - atomic_t num_symlinks;
36547 - atomic_t num_locks;
36548 - atomic_t num_acl_get;
36549 - atomic_t num_acl_set;
36550 + atomic_unchecked_t num_smbs_sent;
36551 + atomic_unchecked_t num_writes;
36552 + atomic_unchecked_t num_reads;
36553 + atomic_unchecked_t num_flushes;
36554 + atomic_unchecked_t num_oplock_brks;
36555 + atomic_unchecked_t num_opens;
36556 + atomic_unchecked_t num_closes;
36557 + atomic_unchecked_t num_deletes;
36558 + atomic_unchecked_t num_mkdirs;
36559 + atomic_unchecked_t num_posixopens;
36560 + atomic_unchecked_t num_posixmkdirs;
36561 + atomic_unchecked_t num_rmdirs;
36562 + atomic_unchecked_t num_renames;
36563 + atomic_unchecked_t num_t2renames;
36564 + atomic_unchecked_t num_ffirst;
36565 + atomic_unchecked_t num_fnext;
36566 + atomic_unchecked_t num_fclose;
36567 + atomic_unchecked_t num_hardlinks;
36568 + atomic_unchecked_t num_symlinks;
36569 + atomic_unchecked_t num_locks;
36570 + atomic_unchecked_t num_acl_get;
36571 + atomic_unchecked_t num_acl_set;
36572 #ifdef CONFIG_CIFS_STATS2
36573 unsigned long long time_writes;
36574 unsigned long long time_reads;
36575 @@ -509,7 +509,7 @@ static inline char CIFS_DIR_SEP(const st
36578 #ifdef CONFIG_CIFS_STATS
36579 -#define cifs_stats_inc atomic_inc
36580 +#define cifs_stats_inc atomic_inc_unchecked
36582 static inline void cifs_stats_bytes_written(struct cifsTconInfo *tcon,
36583 unsigned int bytes)
36584 diff -urNp linux-2.6.38.6/fs/cifs/link.c linux-2.6.38.6/fs/cifs/link.c
36585 --- linux-2.6.38.6/fs/cifs/link.c 2011-03-14 21:20:32.000000000 -0400
36586 +++ linux-2.6.38.6/fs/cifs/link.c 2011-04-28 19:34:15.000000000 -0400
36587 @@ -577,7 +577,7 @@ symlink_exit:
36589 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
36591 - char *p = nd_get_link(nd);
36592 + const char *p = nd_get_link(nd);
36596 diff -urNp linux-2.6.38.6/fs/coda/cache.c linux-2.6.38.6/fs/coda/cache.c
36597 --- linux-2.6.38.6/fs/coda/cache.c 2011-03-14 21:20:32.000000000 -0400
36598 +++ linux-2.6.38.6/fs/coda/cache.c 2011-04-28 19:57:25.000000000 -0400
36600 #include "coda_linux.h"
36601 #include "coda_cache.h"
36603 -static atomic_t permission_epoch = ATOMIC_INIT(0);
36604 +static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
36606 /* replace or extend an acl cache hit */
36607 void coda_cache_enter(struct inode *inode, int mask)
36608 @@ -32,7 +32,7 @@ void coda_cache_enter(struct inode *inod
36609 struct coda_inode_info *cii = ITOC(inode);
36611 spin_lock(&cii->c_lock);
36612 - cii->c_cached_epoch = atomic_read(&permission_epoch);
36613 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
36614 if (cii->c_uid != current_fsuid()) {
36615 cii->c_uid = current_fsuid();
36616 cii->c_cached_perm = mask;
36617 @@ -46,14 +46,14 @@ void coda_cache_clear_inode(struct inode
36619 struct coda_inode_info *cii = ITOC(inode);
36620 spin_lock(&cii->c_lock);
36621 - cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
36622 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
36623 spin_unlock(&cii->c_lock);
36626 /* remove all acl caches */
36627 void coda_cache_clear_all(struct super_block *sb)
36629 - atomic_inc(&permission_epoch);
36630 + atomic_inc_unchecked(&permission_epoch);
36634 @@ -66,7 +66,7 @@ int coda_cache_check(struct inode *inode
36635 spin_lock(&cii->c_lock);
36636 hit = (mask & cii->c_cached_perm) == mask &&
36637 cii->c_uid == current_fsuid() &&
36638 - cii->c_cached_epoch == atomic_read(&permission_epoch);
36639 + cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
36640 spin_unlock(&cii->c_lock);
36643 diff -urNp linux-2.6.38.6/fs/compat_binfmt_elf.c linux-2.6.38.6/fs/compat_binfmt_elf.c
36644 --- linux-2.6.38.6/fs/compat_binfmt_elf.c 2011-03-14 21:20:32.000000000 -0400
36645 +++ linux-2.6.38.6/fs/compat_binfmt_elf.c 2011-04-28 19:34:15.000000000 -0400
36646 @@ -30,11 +30,13 @@
36652 #define elfhdr elf32_hdr
36653 #define elf_phdr elf32_phdr
36654 #define elf_shdr elf32_shdr
36655 #define elf_note elf32_note
36656 +#define elf_dyn Elf32_Dyn
36657 #define elf_addr_t Elf32_Addr
36660 diff -urNp linux-2.6.38.6/fs/compat.c linux-2.6.38.6/fs/compat.c
36661 --- linux-2.6.38.6/fs/compat.c 2011-03-14 21:20:32.000000000 -0400
36662 +++ linux-2.6.38.6/fs/compat.c 2011-05-16 21:47:08.000000000 -0400
36663 @@ -594,7 +594,7 @@ ssize_t compat_rw_copy_check_uvector(int
36667 - if (nr_segs > UIO_MAXIOV || nr_segs < 0)
36668 + if (nr_segs > UIO_MAXIOV)
36670 if (nr_segs > fast_segs) {
36672 @@ -876,6 +876,7 @@ struct compat_old_linux_dirent {
36674 struct compat_readdir_callback {
36675 struct compat_old_linux_dirent __user *dirent;
36676 + struct file * file;
36680 @@ -893,6 +894,10 @@ static int compat_fillonedir(void *__buf
36681 buf->result = -EOVERFLOW;
36685 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
36689 dirent = buf->dirent;
36690 if (!access_ok(VERIFY_WRITE, dirent,
36691 @@ -925,6 +930,7 @@ asmlinkage long compat_sys_old_readdir(u
36694 buf.dirent = dirent;
36697 error = vfs_readdir(file, compat_fillonedir, &buf);
36699 @@ -945,6 +951,7 @@ struct compat_linux_dirent {
36700 struct compat_getdents_callback {
36701 struct compat_linux_dirent __user *current_dir;
36702 struct compat_linux_dirent __user *previous;
36703 + struct file * file;
36707 @@ -966,6 +973,10 @@ static int compat_filldir(void *__buf, c
36708 buf->error = -EOVERFLOW;
36712 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
36715 dirent = buf->previous;
36717 if (__put_user(offset, &dirent->d_off))
36718 @@ -1013,6 +1024,7 @@ asmlinkage long compat_sys_getdents(unsi
36719 buf.previous = NULL;
36724 error = vfs_readdir(file, compat_filldir, &buf);
36726 @@ -1034,6 +1046,7 @@ out:
36727 struct compat_getdents_callback64 {
36728 struct linux_dirent64 __user *current_dir;
36729 struct linux_dirent64 __user *previous;
36730 + struct file * file;
36734 @@ -1050,6 +1063,10 @@ static int compat_filldir64(void * __buf
36735 buf->error = -EINVAL; /* only used if we fail.. */
36736 if (reclen > buf->count)
36739 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
36742 dirent = buf->previous;
36745 @@ -1101,6 +1118,7 @@ asmlinkage long compat_sys_getdents64(un
36746 buf.previous = NULL;
36751 error = vfs_readdir(file, compat_filldir64, &buf);
36753 @@ -1464,6 +1482,11 @@ int compat_do_execve(char * filename,
36754 compat_uptr_t __user *envp,
36755 struct pt_regs * regs)
36757 +#ifdef CONFIG_GRKERNSEC
36758 + struct file *old_exec_file;
36759 + struct acl_subject_label *old_acl;
36760 + struct rlimit old_rlim[RLIM_NLIMITS];
36762 struct linux_binprm *bprm;
36764 struct files_struct *displaced;
36765 @@ -1500,6 +1523,19 @@ int compat_do_execve(char * filename,
36766 bprm->filename = filename;
36767 bprm->interp = filename;
36769 + if (gr_process_user_ban()) {
36774 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
36775 + retval = -EAGAIN;
36776 + if (gr_handle_nproc())
36778 + retval = -EACCES;
36779 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
36782 retval = bprm_mm_init(bprm);
36785 @@ -1529,9 +1565,40 @@ int compat_do_execve(char * filename,
36789 + if (!gr_tpe_allow(file)) {
36790 + retval = -EACCES;
36794 + if (gr_check_crash_exec(file)) {
36795 + retval = -EACCES;
36799 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
36801 + gr_handle_exec_args_compat(bprm, argv);
36803 +#ifdef CONFIG_GRKERNSEC
36804 + old_acl = current->acl;
36805 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
36806 + old_exec_file = current->exec_file;
36808 + current->exec_file = file;
36811 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
36812 + bprm->unsafe & LSM_UNSAFE_SHARE);
36816 retval = search_binary_handler(bprm, regs);
36820 +#ifdef CONFIG_GRKERNSEC
36821 + if (old_exec_file)
36822 + fput(old_exec_file);
36825 /* execve succeeded */
36826 current->fs->in_exec = 0;
36827 @@ -1542,6 +1609,14 @@ int compat_do_execve(char * filename,
36828 put_files_struct(displaced);
36832 +#ifdef CONFIG_GRKERNSEC
36833 + current->acl = old_acl;
36834 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
36835 + fput(current->exec_file);
36836 + current->exec_file = old_exec_file;
36841 acct_arg_size(bprm, 0);
36842 @@ -1712,6 +1787,8 @@ int compat_core_sys_select(int n, compat
36843 struct fdtable *fdt;
36844 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
36846 + pax_track_stack();
36851 diff -urNp linux-2.6.38.6/fs/compat_ioctl.c linux-2.6.38.6/fs/compat_ioctl.c
36852 --- linux-2.6.38.6/fs/compat_ioctl.c 2011-03-14 21:20:32.000000000 -0400
36853 +++ linux-2.6.38.6/fs/compat_ioctl.c 2011-04-28 19:34:15.000000000 -0400
36854 @@ -208,6 +208,8 @@ static int do_video_set_spu_palette(unsi
36856 err = get_user(palp, &up->palette);
36857 err |= get_user(length, &up->length);
36861 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
36862 err = put_user(compat_ptr(palp), &up_native->palette);
36863 @@ -1638,8 +1640,8 @@ asmlinkage long compat_sys_ioctl(unsigne
36864 static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
36867 - a = *(unsigned int *)p;
36868 - b = *(unsigned int *)q;
36869 + a = *(const unsigned int *)p;
36870 + b = *(const unsigned int *)q;
36874 diff -urNp linux-2.6.38.6/fs/configfs/dir.c linux-2.6.38.6/fs/configfs/dir.c
36875 --- linux-2.6.38.6/fs/configfs/dir.c 2011-03-14 21:20:32.000000000 -0400
36876 +++ linux-2.6.38.6/fs/configfs/dir.c 2011-05-11 18:34:57.000000000 -0400
36877 @@ -1571,7 +1571,8 @@ static int configfs_readdir(struct file
36879 for (p=q->next; p!= &parent_sd->s_children; p=p->next) {
36880 struct configfs_dirent *next;
36881 - const char * name;
36882 + const unsigned char * name;
36883 + char d_name[sizeof(next->s_dentry->d_iname)];
36886 next = list_entry(p, struct configfs_dirent,
36887 @@ -1580,7 +1581,12 @@ static int configfs_readdir(struct file
36890 name = configfs_get_name(next);
36891 - len = strlen(name);
36892 + if (next->s_dentry && name == next->s_dentry->d_iname) {
36893 + len = next->s_dentry->d_name.len;
36894 + memcpy(d_name, name, len);
36897 + len = strlen(name);
36898 if (next->s_dentry)
36899 ino = next->s_dentry->d_inode->i_ino;
36901 diff -urNp linux-2.6.38.6/fs/dcache.c linux-2.6.38.6/fs/dcache.c
36902 --- linux-2.6.38.6/fs/dcache.c 2011-04-18 17:27:16.000000000 -0400
36903 +++ linux-2.6.38.6/fs/dcache.c 2011-04-28 19:34:15.000000000 -0400
36904 @@ -3092,7 +3092,7 @@ void __init vfs_caches_init(unsigned lon
36905 mempages -= reserve;
36907 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
36908 - SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
36909 + SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY, NULL);
36913 diff -urNp linux-2.6.38.6/fs/dlm/lockspace.c linux-2.6.38.6/fs/dlm/lockspace.c
36914 --- linux-2.6.38.6/fs/dlm/lockspace.c 2011-03-14 21:20:32.000000000 -0400
36915 +++ linux-2.6.38.6/fs/dlm/lockspace.c 2011-04-28 19:34:15.000000000 -0400
36916 @@ -200,7 +200,7 @@ static int dlm_uevent(struct kset *kset,
36920 -static struct kset_uevent_ops dlm_uevent_ops = {
36921 +static const struct kset_uevent_ops dlm_uevent_ops = {
36922 .uevent = dlm_uevent,
36925 diff -urNp linux-2.6.38.6/fs/ecryptfs/inode.c linux-2.6.38.6/fs/ecryptfs/inode.c
36926 --- linux-2.6.38.6/fs/ecryptfs/inode.c 2011-03-14 21:20:32.000000000 -0400
36927 +++ linux-2.6.38.6/fs/ecryptfs/inode.c 2011-04-28 19:34:15.000000000 -0400
36928 @@ -658,7 +658,7 @@ static int ecryptfs_readlink_lower(struc
36931 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
36932 - (char __user *)lower_buf,
36933 + (__force char __user *)lower_buf,
36937 @@ -704,7 +704,7 @@ static void *ecryptfs_follow_link(struct
36941 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
36942 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
36946 @@ -719,7 +719,7 @@ out:
36948 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
36950 - char *buf = nd_get_link(nd);
36951 + const char *buf = nd_get_link(nd);
36952 if (!IS_ERR(buf)) {
36953 /* Free the char* */
36955 diff -urNp linux-2.6.38.6/fs/ecryptfs/miscdev.c linux-2.6.38.6/fs/ecryptfs/miscdev.c
36956 --- linux-2.6.38.6/fs/ecryptfs/miscdev.c 2011-03-14 21:20:32.000000000 -0400
36957 +++ linux-2.6.38.6/fs/ecryptfs/miscdev.c 2011-04-28 19:34:15.000000000 -0400
36958 @@ -328,7 +328,7 @@ check_list:
36959 goto out_unlock_msg_ctx;
36961 if (msg_ctx->msg) {
36962 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
36963 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
36964 goto out_unlock_msg_ctx;
36965 i += packet_length_size;
36966 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
36967 diff -urNp linux-2.6.38.6/fs/exec.c linux-2.6.38.6/fs/exec.c
36968 --- linux-2.6.38.6/fs/exec.c 2011-03-14 21:20:32.000000000 -0400
36969 +++ linux-2.6.38.6/fs/exec.c 2011-04-28 19:57:25.000000000 -0400
36970 @@ -55,12 +55,24 @@
36971 #include <linux/fs_struct.h>
36972 #include <linux/pipe_fs_i.h>
36973 #include <linux/oom.h>
36974 +#include <linux/random.h>
36975 +#include <linux/seq_file.h>
36977 +#ifdef CONFIG_PAX_REFCOUNT
36978 +#include <linux/kallsyms.h>
36979 +#include <linux/kdebug.h>
36982 #include <asm/uaccess.h>
36983 #include <asm/mmu_context.h>
36984 #include <asm/tlb.h>
36985 #include "internal.h"
36987 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
36988 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
36989 +EXPORT_SYMBOL(pax_set_initial_flags_func);
36993 char core_pattern[CORENAME_MAX_SIZE] = "core";
36994 unsigned int core_pipe_limit;
36995 @@ -70,7 +82,7 @@ struct core_name {
36999 -static atomic_t call_count = ATOMIC_INIT(1);
37000 +static atomic_unchecked_t call_count = ATOMIC_INIT(1);
37002 /* The maximal length of core_pattern is also specified in sysctl.c */
37004 @@ -120,7 +132,7 @@ SYSCALL_DEFINE1(uselib, const char __use
37007 file = do_filp_open(AT_FDCWD, tmp,
37008 - O_LARGEFILE | O_RDONLY | __FMODE_EXEC, 0,
37009 + O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC, 0,
37010 MAY_READ | MAY_EXEC | MAY_OPEN);
37012 error = PTR_ERR(file);
37013 @@ -187,18 +199,10 @@ struct page *get_arg_page(struct linux_b
37019 -#ifdef CONFIG_STACK_GROWSUP
37021 - ret = expand_stack_downwards(bprm->vma, pos);
37026 - ret = get_user_pages(current, bprm->mm, pos,
37027 - 1, write, 1, &page, NULL);
37029 + if (0 > expand_stack_downwards(bprm->vma, pos))
37031 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
37035 @@ -273,6 +277,11 @@ static int __bprm_mm_init(struct linux_b
37036 vma->vm_end = STACK_TOP_MAX;
37037 vma->vm_start = vma->vm_end - PAGE_SIZE;
37038 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
37040 +#ifdef CONFIG_PAX_SEGMEXEC
37041 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
37044 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
37045 INIT_LIST_HEAD(&vma->anon_vma_chain);
37047 @@ -287,6 +296,12 @@ static int __bprm_mm_init(struct linux_b
37048 mm->stack_vm = mm->total_vm = 1;
37049 up_write(&mm->mmap_sem);
37050 bprm->p = vma->vm_end - sizeof(void *);
37052 +#ifdef CONFIG_PAX_RANDUSTACK
37053 + if (randomize_va_space)
37054 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
37059 up_write(&mm->mmap_sem);
37060 @@ -522,7 +537,7 @@ int copy_strings_kernel(int argc, const
37062 mm_segment_t oldfs = get_fs();
37064 - r = copy_strings(argc, (const char __user *const __user *)argv, bprm);
37065 + r = copy_strings(argc, (__force const char __user *const __user *)argv, bprm);
37069 @@ -552,7 +567,8 @@ static int shift_arg_pages(struct vm_are
37070 unsigned long new_end = old_end - shift;
37071 struct mmu_gather *tlb;
37073 - BUG_ON(new_start > new_end);
37074 + if (new_start >= new_end || new_start < mmap_min_addr)
37078 * ensure there are no vmas between where we want to go
37079 @@ -561,6 +577,10 @@ static int shift_arg_pages(struct vm_are
37080 if (vma != find_vma(mm, new_start))
37083 +#ifdef CONFIG_PAX_SEGMEXEC
37084 + BUG_ON(pax_find_mirror_vma(vma));
37088 * cover the whole range: [new_start, old_end)
37090 @@ -641,10 +661,6 @@ int setup_arg_pages(struct linux_binprm
37091 stack_top = arch_align_stack(stack_top);
37092 stack_top = PAGE_ALIGN(stack_top);
37094 - if (unlikely(stack_top < mmap_min_addr) ||
37095 - unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
37098 stack_shift = vma->vm_end - stack_top;
37100 bprm->p -= stack_shift;
37101 @@ -656,8 +672,28 @@ int setup_arg_pages(struct linux_binprm
37102 bprm->exec -= stack_shift;
37104 down_write(&mm->mmap_sem);
37106 + /* Move stack pages down in memory. */
37107 + if (stack_shift) {
37108 + ret = shift_arg_pages(vma, stack_shift);
37113 vm_flags = VM_STACK_FLAGS;
37115 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
37116 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
37117 + vm_flags &= ~VM_EXEC;
37119 +#ifdef CONFIG_PAX_MPROTECT
37120 + if (mm->pax_flags & MF_PAX_MPROTECT)
37121 + vm_flags &= ~VM_MAYEXEC;
37128 * Adjust stack execute permissions; explicitly enable for
37129 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
37130 @@ -676,13 +712,6 @@ int setup_arg_pages(struct linux_binprm
37132 BUG_ON(prev != vma);
37134 - /* Move stack pages down in memory. */
37135 - if (stack_shift) {
37136 - ret = shift_arg_pages(vma, stack_shift);
37141 /* mprotect_fixup is overkill to remove the temporary stack flags */
37142 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
37144 @@ -723,7 +752,7 @@ struct file *open_exec(const char *name)
37147 file = do_filp_open(AT_FDCWD, name,
37148 - O_LARGEFILE | O_RDONLY | __FMODE_EXEC, 0,
37149 + O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC, 0,
37150 MAY_EXEC | MAY_OPEN);
37153 @@ -760,7 +789,7 @@ int kernel_read(struct file *file, loff_
37156 /* The cast to a user pointer is valid due to the set_fs() */
37157 - result = vfs_read(file, (void __user *)addr, count, &pos);
37158 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
37162 @@ -1182,7 +1211,7 @@ int check_unsafe_exec(struct linux_binpr
37166 - if (p->fs->users > n_fs) {
37167 + if (atomic_read(&p->fs->users) > n_fs) {
37168 bprm->unsafe |= LSM_UNSAFE_SHARE;
37171 @@ -1378,6 +1407,11 @@ int do_execve(const char * filename,
37172 const char __user *const __user *envp,
37173 struct pt_regs * regs)
37175 +#ifdef CONFIG_GRKERNSEC
37176 + struct file *old_exec_file;
37177 + struct acl_subject_label *old_acl;
37178 + struct rlimit old_rlim[RLIM_NLIMITS];
37180 struct linux_binprm *bprm;
37182 struct files_struct *displaced;
37183 @@ -1414,6 +1448,23 @@ int do_execve(const char * filename,
37184 bprm->filename = filename;
37185 bprm->interp = filename;
37187 + if (gr_process_user_ban()) {
37192 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
37194 + if (gr_handle_nproc()) {
37195 + retval = -EAGAIN;
37199 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
37200 + retval = -EACCES;
37204 retval = bprm_mm_init(bprm);
37207 @@ -1443,9 +1494,40 @@ int do_execve(const char * filename,
37211 + if (!gr_tpe_allow(file)) {
37212 + retval = -EACCES;
37216 + if (gr_check_crash_exec(file)) {
37217 + retval = -EACCES;
37221 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
37223 + gr_handle_exec_args(bprm, argv);
37225 +#ifdef CONFIG_GRKERNSEC
37226 + old_acl = current->acl;
37227 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
37228 + old_exec_file = current->exec_file;
37230 + current->exec_file = file;
37233 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
37234 + bprm->unsafe & LSM_UNSAFE_SHARE);
37238 retval = search_binary_handler(bprm,regs);
37242 +#ifdef CONFIG_GRKERNSEC
37243 + if (old_exec_file)
37244 + fput(old_exec_file);
37247 /* execve succeeded */
37248 current->fs->in_exec = 0;
37249 @@ -1456,6 +1538,14 @@ int do_execve(const char * filename,
37250 put_files_struct(displaced);
37254 +#ifdef CONFIG_GRKERNSEC
37255 + current->acl = old_acl;
37256 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
37257 + fput(current->exec_file);
37258 + current->exec_file = old_exec_file;
37263 acct_arg_size(bprm, 0);
37264 @@ -1501,7 +1591,7 @@ static int expand_corename(struct core_n
37266 char *old_corename = cn->corename;
37268 - cn->size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count);
37269 + cn->size = CORENAME_MAX_SIZE * atomic_inc_return_unchecked(&call_count);
37270 cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
37272 if (!cn->corename) {
37273 @@ -1554,7 +1644,7 @@ static int format_corename(struct core_n
37274 int pid_in_pattern = 0;
37277 - cn->size = CORENAME_MAX_SIZE * atomic_read(&call_count);
37278 + cn->size = CORENAME_MAX_SIZE * atomic_read_unchecked(&call_count);
37279 cn->corename = kmalloc(cn->size, GFP_KERNEL);
37282 @@ -1642,6 +1732,208 @@ out:
37286 +int pax_check_flags(unsigned long *flags)
37290 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
37291 + if (*flags & MF_PAX_SEGMEXEC)
37293 + *flags &= ~MF_PAX_SEGMEXEC;
37294 + retval = -EINVAL;
37298 + if ((*flags & MF_PAX_PAGEEXEC)
37300 +#ifdef CONFIG_PAX_PAGEEXEC
37301 + && (*flags & MF_PAX_SEGMEXEC)
37306 + *flags &= ~MF_PAX_PAGEEXEC;
37307 + retval = -EINVAL;
37310 + if ((*flags & MF_PAX_MPROTECT)
37312 +#ifdef CONFIG_PAX_MPROTECT
37313 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
37318 + *flags &= ~MF_PAX_MPROTECT;
37319 + retval = -EINVAL;
37322 + if ((*flags & MF_PAX_EMUTRAMP)
37324 +#ifdef CONFIG_PAX_EMUTRAMP
37325 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
37330 + *flags &= ~MF_PAX_EMUTRAMP;
37331 + retval = -EINVAL;
37337 +EXPORT_SYMBOL(pax_check_flags);
37339 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
37340 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
37342 + struct task_struct *tsk = current;
37343 + struct mm_struct *mm = current->mm;
37344 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
37345 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
37346 + char *path_exec = NULL;
37347 + char *path_fault = NULL;
37348 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
37350 + if (buffer_exec && buffer_fault) {
37351 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
37353 + down_read(&mm->mmap_sem);
37355 + while (vma && (!vma_exec || !vma_fault)) {
37356 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
37358 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
37360 + vma = vma->vm_next;
37363 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
37364 + if (IS_ERR(path_exec))
37365 + path_exec = "<path too long>";
37367 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
37370 + path_exec = buffer_exec;
37372 + path_exec = "<path too long>";
37376 + start = vma_fault->vm_start;
37377 + end = vma_fault->vm_end;
37378 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
37379 + if (vma_fault->vm_file) {
37380 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
37381 + if (IS_ERR(path_fault))
37382 + path_fault = "<path too long>";
37384 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
37385 + if (path_fault) {
37387 + path_fault = buffer_fault;
37389 + path_fault = "<path too long>";
37392 + path_fault = "<anonymous mapping>";
37394 + up_read(&mm->mmap_sem);
37396 + if (tsk->signal->curr_ip)
37397 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
37399 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
37400 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
37401 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
37402 + task_uid(tsk), task_euid(tsk), pc, sp);
37403 + free_page((unsigned long)buffer_exec);
37404 + free_page((unsigned long)buffer_fault);
37405 + pax_report_insns(pc, sp);
37406 + do_coredump(SIGKILL, SIGKILL, regs);
37410 +#ifdef CONFIG_PAX_REFCOUNT
37411 +void pax_report_refcount_overflow(struct pt_regs *regs)
37413 + if (current->signal->curr_ip)
37414 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
37415 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
37417 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
37418 + current->comm, task_pid_nr(current), current_uid(), current_euid());
37419 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
37421 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
37425 +#ifdef CONFIG_PAX_USERCOPY
37426 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
37427 +int object_is_on_stack(const void *obj, unsigned long len)
37429 + const void * const stack = task_stack_page(current);
37430 + const void * const stackend = stack + THREAD_SIZE;
37432 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
37433 + const void *frame = NULL;
37434 + const void *oldframe;
37437 + if (obj + len < obj)
37440 + if (obj + len <= stack || stackend <= obj)
37443 + if (obj < stack || stackend < obj + len)
37446 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
37447 + oldframe = __builtin_frame_address(1);
37449 + frame = __builtin_frame_address(2);
37451 + low ----------------------------------------------> high
37452 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
37453 + ^----------------^
37454 + allow copies only within here
37456 + while (stack <= frame && frame < stackend) {
37457 + /* if obj + len extends past the last frame, this
37458 + check won't pass and the next frame will be 0,
37459 + causing us to bail out and correctly report
37460 + the copy as invalid
37462 + if (obj + len <= frame)
37463 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
37464 + oldframe = frame;
37465 + frame = *(const void * const *)frame;
37474 +void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
37476 + if (current->signal->curr_ip)
37477 + printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
37478 + ¤t->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
37480 + printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
37481 + to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
37483 + gr_handle_kernel_exploit();
37484 + do_group_exit(SIGKILL);
37488 static int zap_process(struct task_struct *start, int exit_code)
37490 struct task_struct *t;
37491 @@ -1852,17 +2144,17 @@ static void wait_for_dump_helpers(struct
37492 pipe = file->f_path.dentry->d_inode->i_pipe;
37497 + atomic_inc(&pipe->readers);
37498 + atomic_dec(&pipe->writers);
37500 - while ((pipe->readers > 1) && (!signal_pending(current))) {
37501 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
37502 wake_up_interruptible_sync(&pipe->wait);
37503 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
37509 + atomic_dec(&pipe->readers);
37510 + atomic_inc(&pipe->writers);
37514 @@ -1923,7 +2215,7 @@ void do_coredump(long signr, int exit_co
37518 - static atomic_t core_dump_count = ATOMIC_INIT(0);
37519 + static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
37520 struct coredump_params cprm = {
37523 @@ -1938,6 +2230,9 @@ void do_coredump(long signr, int exit_co
37525 audit_core_dumps(signr);
37527 + if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
37528 + gr_handle_brute_attach(current, cprm.mm_flags);
37530 binfmt = mm->binfmt;
37531 if (!binfmt || !binfmt->core_dump)
37533 @@ -1978,6 +2273,8 @@ void do_coredump(long signr, int exit_co
37534 goto fail_corename;
37537 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
37541 char **helper_argv;
37542 @@ -2005,7 +2302,7 @@ void do_coredump(long signr, int exit_co
37544 cprm.limit = RLIM_INFINITY;
37546 - dump_count = atomic_inc_return(&core_dump_count);
37547 + dump_count = atomic_inc_return_unchecked(&core_dump_count);
37548 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
37549 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
37550 task_tgid_vnr(current), current->comm);
37551 @@ -2075,7 +2372,7 @@ close_fail:
37552 filp_close(cprm.file, NULL);
37555 - atomic_dec(&core_dump_count);
37556 + atomic_dec_unchecked(&core_dump_count);
37558 kfree(cn.corename);
37560 diff -urNp linux-2.6.38.6/fs/ext2/balloc.c linux-2.6.38.6/fs/ext2/balloc.c
37561 --- linux-2.6.38.6/fs/ext2/balloc.c 2011-03-14 21:20:32.000000000 -0400
37562 +++ linux-2.6.38.6/fs/ext2/balloc.c 2011-04-28 19:34:15.000000000 -0400
37563 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
37565 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
37566 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
37567 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
37568 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
37569 sbi->s_resuid != current_fsuid() &&
37570 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
37572 diff -urNp linux-2.6.38.6/fs/ext3/balloc.c linux-2.6.38.6/fs/ext3/balloc.c
37573 --- linux-2.6.38.6/fs/ext3/balloc.c 2011-03-14 21:20:32.000000000 -0400
37574 +++ linux-2.6.38.6/fs/ext3/balloc.c 2011-04-28 19:34:15.000000000 -0400
37575 @@ -1441,7 +1441,7 @@ static int ext3_has_free_blocks(struct e
37577 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
37578 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
37579 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
37580 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
37581 sbi->s_resuid != current_fsuid() &&
37582 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
37584 diff -urNp linux-2.6.38.6/fs/ext4/balloc.c linux-2.6.38.6/fs/ext4/balloc.c
37585 --- linux-2.6.38.6/fs/ext4/balloc.c 2011-03-14 21:20:32.000000000 -0400
37586 +++ linux-2.6.38.6/fs/ext4/balloc.c 2011-04-28 19:34:15.000000000 -0400
37587 @@ -519,7 +519,7 @@ static int ext4_has_free_blocks(struct e
37588 /* Hm, nope. Are (enough) root reserved blocks available? */
37589 if (sbi->s_resuid == current_fsuid() ||
37590 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
37591 - capable(CAP_SYS_RESOURCE)) {
37592 + capable_nolog(CAP_SYS_RESOURCE)) {
37593 if (free_blocks >= (nblocks + dirty_blocks))
37596 diff -urNp linux-2.6.38.6/fs/ext4/ext4.h linux-2.6.38.6/fs/ext4/ext4.h
37597 --- linux-2.6.38.6/fs/ext4/ext4.h 2011-03-14 21:20:32.000000000 -0400
37598 +++ linux-2.6.38.6/fs/ext4/ext4.h 2011-04-28 19:34:15.000000000 -0400
37599 @@ -1166,19 +1166,19 @@ struct ext4_sb_info {
37600 unsigned long s_mb_last_start;
37602 /* stats for buddy allocator */
37603 - atomic_t s_bal_reqs; /* number of reqs with len > 1 */
37604 - atomic_t s_bal_success; /* we found long enough chunks */
37605 - atomic_t s_bal_allocated; /* in blocks */
37606 - atomic_t s_bal_ex_scanned; /* total extents scanned */
37607 - atomic_t s_bal_goals; /* goal hits */
37608 - atomic_t s_bal_breaks; /* too long searches */
37609 - atomic_t s_bal_2orders; /* 2^order hits */
37610 + atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
37611 + atomic_unchecked_t s_bal_success; /* we found long enough chunks */
37612 + atomic_unchecked_t s_bal_allocated; /* in blocks */
37613 + atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
37614 + atomic_unchecked_t s_bal_goals; /* goal hits */
37615 + atomic_unchecked_t s_bal_breaks; /* too long searches */
37616 + atomic_unchecked_t s_bal_2orders; /* 2^order hits */
37617 spinlock_t s_bal_lock;
37618 unsigned long s_mb_buddies_generated;
37619 unsigned long long s_mb_generation_time;
37620 - atomic_t s_mb_lost_chunks;
37621 - atomic_t s_mb_preallocated;
37622 - atomic_t s_mb_discarded;
37623 + atomic_unchecked_t s_mb_lost_chunks;
37624 + atomic_unchecked_t s_mb_preallocated;
37625 + atomic_unchecked_t s_mb_discarded;
37626 atomic_t s_lock_busy;
37628 /* locality groups */
37629 diff -urNp linux-2.6.38.6/fs/ext4/mballoc.c linux-2.6.38.6/fs/ext4/mballoc.c
37630 --- linux-2.6.38.6/fs/ext4/mballoc.c 2011-03-14 21:20:32.000000000 -0400
37631 +++ linux-2.6.38.6/fs/ext4/mballoc.c 2011-05-16 21:47:08.000000000 -0400
37632 @@ -1846,7 +1846,7 @@ void ext4_mb_simple_scan_group(struct ex
37633 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
37635 if (EXT4_SB(sb)->s_mb_stats)
37636 - atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
37637 + atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
37641 @@ -2140,7 +2140,7 @@ repeat:
37642 ac->ac_status = AC_STATUS_CONTINUE;
37643 ac->ac_flags |= EXT4_MB_HINT_FIRST;
37645 - atomic_inc(&sbi->s_mb_lost_chunks);
37646 + atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
37650 @@ -2183,6 +2183,8 @@ static int ext4_mb_seq_groups_show(struc
37651 ext4_grpblk_t counters[16];
37654 + pax_track_stack();
37658 seq_printf(seq, "#%-5s: %-5s %-5s %-5s "
37659 @@ -2606,25 +2608,25 @@ int ext4_mb_release(struct super_block *
37660 if (sbi->s_mb_stats) {
37662 "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
37663 - atomic_read(&sbi->s_bal_allocated),
37664 - atomic_read(&sbi->s_bal_reqs),
37665 - atomic_read(&sbi->s_bal_success));
37666 + atomic_read_unchecked(&sbi->s_bal_allocated),
37667 + atomic_read_unchecked(&sbi->s_bal_reqs),
37668 + atomic_read_unchecked(&sbi->s_bal_success));
37670 "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
37671 "%u 2^N hits, %u breaks, %u lost\n",
37672 - atomic_read(&sbi->s_bal_ex_scanned),
37673 - atomic_read(&sbi->s_bal_goals),
37674 - atomic_read(&sbi->s_bal_2orders),
37675 - atomic_read(&sbi->s_bal_breaks),
37676 - atomic_read(&sbi->s_mb_lost_chunks));
37677 + atomic_read_unchecked(&sbi->s_bal_ex_scanned),
37678 + atomic_read_unchecked(&sbi->s_bal_goals),
37679 + atomic_read_unchecked(&sbi->s_bal_2orders),
37680 + atomic_read_unchecked(&sbi->s_bal_breaks),
37681 + atomic_read_unchecked(&sbi->s_mb_lost_chunks));
37683 "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
37684 sbi->s_mb_buddies_generated++,
37685 sbi->s_mb_generation_time);
37687 "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
37688 - atomic_read(&sbi->s_mb_preallocated),
37689 - atomic_read(&sbi->s_mb_discarded));
37690 + atomic_read_unchecked(&sbi->s_mb_preallocated),
37691 + atomic_read_unchecked(&sbi->s_mb_discarded));
37694 free_percpu(sbi->s_locality_groups);
37695 @@ -3100,16 +3102,16 @@ static void ext4_mb_collect_stats(struct
37696 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
37698 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
37699 - atomic_inc(&sbi->s_bal_reqs);
37700 - atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
37701 + atomic_inc_unchecked(&sbi->s_bal_reqs);
37702 + atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
37703 if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
37704 - atomic_inc(&sbi->s_bal_success);
37705 - atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
37706 + atomic_inc_unchecked(&sbi->s_bal_success);
37707 + atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
37708 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
37709 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
37710 - atomic_inc(&sbi->s_bal_goals);
37711 + atomic_inc_unchecked(&sbi->s_bal_goals);
37712 if (ac->ac_found > sbi->s_mb_max_to_scan)
37713 - atomic_inc(&sbi->s_bal_breaks);
37714 + atomic_inc_unchecked(&sbi->s_bal_breaks);
37717 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
37718 @@ -3507,7 +3509,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
37719 trace_ext4_mb_new_inode_pa(ac, pa);
37721 ext4_mb_use_inode_pa(ac, pa);
37722 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
37723 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
37725 ei = EXT4_I(ac->ac_inode);
37726 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
37727 @@ -3567,7 +3569,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
37728 trace_ext4_mb_new_group_pa(ac, pa);
37730 ext4_mb_use_group_pa(ac, pa);
37731 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
37732 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
37734 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
37736 @@ -3654,7 +3656,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
37737 * from the bitmap and continue.
37740 - atomic_add(free, &sbi->s_mb_discarded);
37741 + atomic_add_unchecked(free, &sbi->s_mb_discarded);
37745 @@ -3672,7 +3674,7 @@ ext4_mb_release_group_pa(struct ext4_bud
37746 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
37747 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
37748 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
37749 - atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
37750 + atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
37751 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
37754 diff -urNp linux-2.6.38.6/fs/fcntl.c linux-2.6.38.6/fs/fcntl.c
37755 --- linux-2.6.38.6/fs/fcntl.c 2011-03-14 21:20:32.000000000 -0400
37756 +++ linux-2.6.38.6/fs/fcntl.c 2011-04-28 19:34:15.000000000 -0400
37757 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
37761 + if (gr_handle_chroot_fowner(pid, type))
37763 + if (gr_check_protected_task_fowner(pid, type))
37766 f_modown(filp, pid, type, force);
37769 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
37772 case F_DUPFD_CLOEXEC:
37773 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
37774 if (arg >= rlimit(RLIMIT_NOFILE))
37776 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
37777 @@ -808,14 +814,14 @@ static int __init fcntl_init(void)
37778 * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY
37779 * is defined as O_NONBLOCK on some platforms and not on others.
37781 - BUILD_BUG_ON(18 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
37782 + BUILD_BUG_ON(19 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
37783 O_RDONLY | O_WRONLY | O_RDWR |
37784 O_CREAT | O_EXCL | O_NOCTTY |
37785 O_TRUNC | O_APPEND | /* O_NONBLOCK | */
37786 __O_SYNC | O_DSYNC | FASYNC |
37787 O_DIRECT | O_LARGEFILE | O_DIRECTORY |
37788 O_NOFOLLOW | O_NOATIME | O_CLOEXEC |
37790 + __FMODE_EXEC | FMODE_GREXEC
37793 fasync_cache = kmem_cache_create("fasync_cache",
37794 diff -urNp linux-2.6.38.6/fs/fifo.c linux-2.6.38.6/fs/fifo.c
37795 --- linux-2.6.38.6/fs/fifo.c 2011-03-14 21:20:32.000000000 -0400
37796 +++ linux-2.6.38.6/fs/fifo.c 2011-04-28 19:34:15.000000000 -0400
37797 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
37799 filp->f_op = &read_pipefifo_fops;
37801 - if (pipe->readers++ == 0)
37802 + if (atomic_inc_return(&pipe->readers) == 1)
37803 wake_up_partner(inode);
37805 - if (!pipe->writers) {
37806 + if (!atomic_read(&pipe->writers)) {
37807 if ((filp->f_flags & O_NONBLOCK)) {
37808 /* suppress POLLHUP until we have
37810 @@ -82,15 +82,15 @@ static int fifo_open(struct inode *inode
37811 * errno=ENXIO when there is no process reading the FIFO.
37814 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
37815 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
37818 filp->f_op = &write_pipefifo_fops;
37820 - if (!pipe->writers++)
37821 + if (atomic_inc_return(&pipe->writers) == 1)
37822 wake_up_partner(inode);
37824 - if (!pipe->readers) {
37825 + if (!atomic_read(&pipe->readers)) {
37826 wait_for_partner(inode, &pipe->r_counter);
37827 if (signal_pending(current))
37829 @@ -106,11 +106,11 @@ static int fifo_open(struct inode *inode
37831 filp->f_op = &rdwr_pipefifo_fops;
37835 + atomic_inc(&pipe->readers);
37836 + atomic_inc(&pipe->writers);
37839 - if (pipe->readers == 1 || pipe->writers == 1)
37840 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
37841 wake_up_partner(inode);
37844 @@ -124,19 +124,19 @@ static int fifo_open(struct inode *inode
37848 - if (!--pipe->readers)
37849 + if (atomic_dec_and_test(&pipe->readers))
37850 wake_up_interruptible(&pipe->wait);
37851 ret = -ERESTARTSYS;
37855 - if (!--pipe->writers)
37856 + if (atomic_dec_and_test(&pipe->writers))
37857 wake_up_interruptible(&pipe->wait);
37858 ret = -ERESTARTSYS;
37862 - if (!pipe->readers && !pipe->writers)
37863 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
37864 free_pipe_info(inode);
37867 diff -urNp linux-2.6.38.6/fs/file.c linux-2.6.38.6/fs/file.c
37868 --- linux-2.6.38.6/fs/file.c 2011-05-10 22:06:27.000000000 -0400
37869 +++ linux-2.6.38.6/fs/file.c 2011-05-10 22:06:56.000000000 -0400
37871 #include <linux/slab.h>
37872 #include <linux/vmalloc.h>
37873 #include <linux/file.h>
37874 +#include <linux/security.h>
37875 #include <linux/fdtable.h>
37876 #include <linux/bitops.h>
37877 #include <linux/interrupt.h>
37878 @@ -254,6 +255,7 @@ int expand_files(struct files_struct *fi
37879 * N.B. For clone tasks sharing a files structure, this test
37880 * will limit the total number of files that can be opened.
37882 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
37883 if (nr >= rlimit(RLIMIT_NOFILE))
37886 diff -urNp linux-2.6.38.6/fs/filesystems.c linux-2.6.38.6/fs/filesystems.c
37887 --- linux-2.6.38.6/fs/filesystems.c 2011-03-14 21:20:32.000000000 -0400
37888 +++ linux-2.6.38.6/fs/filesystems.c 2011-04-28 19:34:15.000000000 -0400
37889 @@ -275,7 +275,12 @@ struct file_system_type *get_fs_type(con
37890 int len = dot ? dot - name : strlen(name);
37892 fs = __get_fs_type(name, len);
37894 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
37895 + if (!fs && (___request_module(true, "grsec_modharden_fs", "%.*s", len, name) == 0))
37897 if (!fs && (request_module("%.*s", len, name) == 0))
37899 fs = __get_fs_type(name, len);
37901 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
37902 diff -urNp linux-2.6.38.6/fs/fscache/cookie.c linux-2.6.38.6/fs/fscache/cookie.c
37903 --- linux-2.6.38.6/fs/fscache/cookie.c 2011-03-14 21:20:32.000000000 -0400
37904 +++ linux-2.6.38.6/fs/fscache/cookie.c 2011-04-28 19:57:25.000000000 -0400
37905 @@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire
37906 parent ? (char *) parent->def->name : "<no-parent>",
37907 def->name, netfs_data);
37909 - fscache_stat(&fscache_n_acquires);
37910 + fscache_stat_unchecked(&fscache_n_acquires);
37912 /* if there's no parent cookie, then we don't create one here either */
37914 - fscache_stat(&fscache_n_acquires_null);
37915 + fscache_stat_unchecked(&fscache_n_acquires_null);
37916 _leave(" [no parent]");
37919 @@ -87,7 +87,7 @@ struct fscache_cookie *__fscache_acquire
37920 /* allocate and initialise a cookie */
37921 cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
37923 - fscache_stat(&fscache_n_acquires_oom);
37924 + fscache_stat_unchecked(&fscache_n_acquires_oom);
37925 _leave(" [ENOMEM]");
37928 @@ -109,13 +109,13 @@ struct fscache_cookie *__fscache_acquire
37930 switch (cookie->def->type) {
37931 case FSCACHE_COOKIE_TYPE_INDEX:
37932 - fscache_stat(&fscache_n_cookie_index);
37933 + fscache_stat_unchecked(&fscache_n_cookie_index);
37935 case FSCACHE_COOKIE_TYPE_DATAFILE:
37936 - fscache_stat(&fscache_n_cookie_data);
37937 + fscache_stat_unchecked(&fscache_n_cookie_data);
37940 - fscache_stat(&fscache_n_cookie_special);
37941 + fscache_stat_unchecked(&fscache_n_cookie_special);
37945 @@ -126,13 +126,13 @@ struct fscache_cookie *__fscache_acquire
37946 if (fscache_acquire_non_index_cookie(cookie) < 0) {
37947 atomic_dec(&parent->n_children);
37948 __fscache_cookie_put(cookie);
37949 - fscache_stat(&fscache_n_acquires_nobufs);
37950 + fscache_stat_unchecked(&fscache_n_acquires_nobufs);
37956 - fscache_stat(&fscache_n_acquires_ok);
37957 + fscache_stat_unchecked(&fscache_n_acquires_ok);
37958 _leave(" = %p", cookie);
37961 @@ -168,7 +168,7 @@ static int fscache_acquire_non_index_coo
37962 cache = fscache_select_cache_for_object(cookie->parent);
37964 up_read(&fscache_addremove_sem);
37965 - fscache_stat(&fscache_n_acquires_no_cache);
37966 + fscache_stat_unchecked(&fscache_n_acquires_no_cache);
37967 _leave(" = -ENOMEDIUM [no cache]");
37970 @@ -256,12 +256,12 @@ static int fscache_alloc_object(struct f
37971 object = cache->ops->alloc_object(cache, cookie);
37972 fscache_stat_d(&fscache_n_cop_alloc_object);
37973 if (IS_ERR(object)) {
37974 - fscache_stat(&fscache_n_object_no_alloc);
37975 + fscache_stat_unchecked(&fscache_n_object_no_alloc);
37976 ret = PTR_ERR(object);
37980 - fscache_stat(&fscache_n_object_alloc);
37981 + fscache_stat_unchecked(&fscache_n_object_alloc);
37983 object->debug_id = atomic_inc_return(&fscache_object_debug_id);
37985 @@ -377,10 +377,10 @@ void __fscache_update_cookie(struct fsca
37986 struct fscache_object *object;
37987 struct hlist_node *_p;
37989 - fscache_stat(&fscache_n_updates);
37990 + fscache_stat_unchecked(&fscache_n_updates);
37993 - fscache_stat(&fscache_n_updates_null);
37994 + fscache_stat_unchecked(&fscache_n_updates_null);
37995 _leave(" [no cookie]");
37998 @@ -414,12 +414,12 @@ void __fscache_relinquish_cookie(struct
37999 struct fscache_object *object;
38000 unsigned long event;
38002 - fscache_stat(&fscache_n_relinquishes);
38003 + fscache_stat_unchecked(&fscache_n_relinquishes);
38005 - fscache_stat(&fscache_n_relinquishes_retire);
38006 + fscache_stat_unchecked(&fscache_n_relinquishes_retire);
38009 - fscache_stat(&fscache_n_relinquishes_null);
38010 + fscache_stat_unchecked(&fscache_n_relinquishes_null);
38011 _leave(" [no cookie]");
38014 @@ -435,7 +435,7 @@ void __fscache_relinquish_cookie(struct
38016 /* wait for the cookie to finish being instantiated (or to fail) */
38017 if (test_bit(FSCACHE_COOKIE_CREATING, &cookie->flags)) {
38018 - fscache_stat(&fscache_n_relinquishes_waitcrt);
38019 + fscache_stat_unchecked(&fscache_n_relinquishes_waitcrt);
38020 wait_on_bit(&cookie->flags, FSCACHE_COOKIE_CREATING,
38021 fscache_wait_bit, TASK_UNINTERRUPTIBLE);
38023 diff -urNp linux-2.6.38.6/fs/fscache/internal.h linux-2.6.38.6/fs/fscache/internal.h
38024 --- linux-2.6.38.6/fs/fscache/internal.h 2011-03-14 21:20:32.000000000 -0400
38025 +++ linux-2.6.38.6/fs/fscache/internal.h 2011-05-02 19:07:09.000000000 -0400
38026 @@ -144,94 +144,94 @@ extern void fscache_proc_cleanup(void);
38027 extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
38028 extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
38030 -extern atomic_t fscache_n_op_pend;
38031 -extern atomic_t fscache_n_op_run;
38032 -extern atomic_t fscache_n_op_enqueue;
38033 -extern atomic_t fscache_n_op_deferred_release;
38034 -extern atomic_t fscache_n_op_release;
38035 -extern atomic_t fscache_n_op_gc;
38036 -extern atomic_t fscache_n_op_cancelled;
38037 -extern atomic_t fscache_n_op_rejected;
38039 -extern atomic_t fscache_n_attr_changed;
38040 -extern atomic_t fscache_n_attr_changed_ok;
38041 -extern atomic_t fscache_n_attr_changed_nobufs;
38042 -extern atomic_t fscache_n_attr_changed_nomem;
38043 -extern atomic_t fscache_n_attr_changed_calls;
38045 -extern atomic_t fscache_n_allocs;
38046 -extern atomic_t fscache_n_allocs_ok;
38047 -extern atomic_t fscache_n_allocs_wait;
38048 -extern atomic_t fscache_n_allocs_nobufs;
38049 -extern atomic_t fscache_n_allocs_intr;
38050 -extern atomic_t fscache_n_allocs_object_dead;
38051 -extern atomic_t fscache_n_alloc_ops;
38052 -extern atomic_t fscache_n_alloc_op_waits;
38054 -extern atomic_t fscache_n_retrievals;
38055 -extern atomic_t fscache_n_retrievals_ok;
38056 -extern atomic_t fscache_n_retrievals_wait;
38057 -extern atomic_t fscache_n_retrievals_nodata;
38058 -extern atomic_t fscache_n_retrievals_nobufs;
38059 -extern atomic_t fscache_n_retrievals_intr;
38060 -extern atomic_t fscache_n_retrievals_nomem;
38061 -extern atomic_t fscache_n_retrievals_object_dead;
38062 -extern atomic_t fscache_n_retrieval_ops;
38063 -extern atomic_t fscache_n_retrieval_op_waits;
38065 -extern atomic_t fscache_n_stores;
38066 -extern atomic_t fscache_n_stores_ok;
38067 -extern atomic_t fscache_n_stores_again;
38068 -extern atomic_t fscache_n_stores_nobufs;
38069 -extern atomic_t fscache_n_stores_oom;
38070 -extern atomic_t fscache_n_store_ops;
38071 -extern atomic_t fscache_n_store_calls;
38072 -extern atomic_t fscache_n_store_pages;
38073 -extern atomic_t fscache_n_store_radix_deletes;
38074 -extern atomic_t fscache_n_store_pages_over_limit;
38076 -extern atomic_t fscache_n_store_vmscan_not_storing;
38077 -extern atomic_t fscache_n_store_vmscan_gone;
38078 -extern atomic_t fscache_n_store_vmscan_busy;
38079 -extern atomic_t fscache_n_store_vmscan_cancelled;
38081 -extern atomic_t fscache_n_marks;
38082 -extern atomic_t fscache_n_uncaches;
38084 -extern atomic_t fscache_n_acquires;
38085 -extern atomic_t fscache_n_acquires_null;
38086 -extern atomic_t fscache_n_acquires_no_cache;
38087 -extern atomic_t fscache_n_acquires_ok;
38088 -extern atomic_t fscache_n_acquires_nobufs;
38089 -extern atomic_t fscache_n_acquires_oom;
38091 -extern atomic_t fscache_n_updates;
38092 -extern atomic_t fscache_n_updates_null;
38093 -extern atomic_t fscache_n_updates_run;
38095 -extern atomic_t fscache_n_relinquishes;
38096 -extern atomic_t fscache_n_relinquishes_null;
38097 -extern atomic_t fscache_n_relinquishes_waitcrt;
38098 -extern atomic_t fscache_n_relinquishes_retire;
38100 -extern atomic_t fscache_n_cookie_index;
38101 -extern atomic_t fscache_n_cookie_data;
38102 -extern atomic_t fscache_n_cookie_special;
38104 -extern atomic_t fscache_n_object_alloc;
38105 -extern atomic_t fscache_n_object_no_alloc;
38106 -extern atomic_t fscache_n_object_lookups;
38107 -extern atomic_t fscache_n_object_lookups_negative;
38108 -extern atomic_t fscache_n_object_lookups_positive;
38109 -extern atomic_t fscache_n_object_lookups_timed_out;
38110 -extern atomic_t fscache_n_object_created;
38111 -extern atomic_t fscache_n_object_avail;
38112 -extern atomic_t fscache_n_object_dead;
38114 -extern atomic_t fscache_n_checkaux_none;
38115 -extern atomic_t fscache_n_checkaux_okay;
38116 -extern atomic_t fscache_n_checkaux_update;
38117 -extern atomic_t fscache_n_checkaux_obsolete;
38118 +extern atomic_unchecked_t fscache_n_op_pend;
38119 +extern atomic_unchecked_t fscache_n_op_run;
38120 +extern atomic_unchecked_t fscache_n_op_enqueue;
38121 +extern atomic_unchecked_t fscache_n_op_deferred_release;
38122 +extern atomic_unchecked_t fscache_n_op_release;
38123 +extern atomic_unchecked_t fscache_n_op_gc;
38124 +extern atomic_unchecked_t fscache_n_op_cancelled;
38125 +extern atomic_unchecked_t fscache_n_op_rejected;
38127 +extern atomic_unchecked_t fscache_n_attr_changed;
38128 +extern atomic_unchecked_t fscache_n_attr_changed_ok;
38129 +extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
38130 +extern atomic_unchecked_t fscache_n_attr_changed_nomem;
38131 +extern atomic_unchecked_t fscache_n_attr_changed_calls;
38133 +extern atomic_unchecked_t fscache_n_allocs;
38134 +extern atomic_unchecked_t fscache_n_allocs_ok;
38135 +extern atomic_unchecked_t fscache_n_allocs_wait;
38136 +extern atomic_unchecked_t fscache_n_allocs_nobufs;
38137 +extern atomic_unchecked_t fscache_n_allocs_intr;
38138 +extern atomic_unchecked_t fscache_n_allocs_object_dead;
38139 +extern atomic_unchecked_t fscache_n_alloc_ops;
38140 +extern atomic_unchecked_t fscache_n_alloc_op_waits;
38142 +extern atomic_unchecked_t fscache_n_retrievals;
38143 +extern atomic_unchecked_t fscache_n_retrievals_ok;
38144 +extern atomic_unchecked_t fscache_n_retrievals_wait;
38145 +extern atomic_unchecked_t fscache_n_retrievals_nodata;
38146 +extern atomic_unchecked_t fscache_n_retrievals_nobufs;
38147 +extern atomic_unchecked_t fscache_n_retrievals_intr;
38148 +extern atomic_unchecked_t fscache_n_retrievals_nomem;
38149 +extern atomic_unchecked_t fscache_n_retrievals_object_dead;
38150 +extern atomic_unchecked_t fscache_n_retrieval_ops;
38151 +extern atomic_unchecked_t fscache_n_retrieval_op_waits;
38153 +extern atomic_unchecked_t fscache_n_stores;
38154 +extern atomic_unchecked_t fscache_n_stores_ok;
38155 +extern atomic_unchecked_t fscache_n_stores_again;
38156 +extern atomic_unchecked_t fscache_n_stores_nobufs;
38157 +extern atomic_unchecked_t fscache_n_stores_oom;
38158 +extern atomic_unchecked_t fscache_n_store_ops;
38159 +extern atomic_unchecked_t fscache_n_store_calls;
38160 +extern atomic_unchecked_t fscache_n_store_pages;
38161 +extern atomic_unchecked_t fscache_n_store_radix_deletes;
38162 +extern atomic_unchecked_t fscache_n_store_pages_over_limit;
38164 +extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
38165 +extern atomic_unchecked_t fscache_n_store_vmscan_gone;
38166 +extern atomic_unchecked_t fscache_n_store_vmscan_busy;
38167 +extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
38169 +extern atomic_unchecked_t fscache_n_marks;
38170 +extern atomic_unchecked_t fscache_n_uncaches;
38172 +extern atomic_unchecked_t fscache_n_acquires;
38173 +extern atomic_unchecked_t fscache_n_acquires_null;
38174 +extern atomic_unchecked_t fscache_n_acquires_no_cache;
38175 +extern atomic_unchecked_t fscache_n_acquires_ok;
38176 +extern atomic_unchecked_t fscache_n_acquires_nobufs;
38177 +extern atomic_unchecked_t fscache_n_acquires_oom;
38179 +extern atomic_unchecked_t fscache_n_updates;
38180 +extern atomic_unchecked_t fscache_n_updates_null;
38181 +extern atomic_unchecked_t fscache_n_updates_run;
38183 +extern atomic_unchecked_t fscache_n_relinquishes;
38184 +extern atomic_unchecked_t fscache_n_relinquishes_null;
38185 +extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
38186 +extern atomic_unchecked_t fscache_n_relinquishes_retire;
38188 +extern atomic_unchecked_t fscache_n_cookie_index;
38189 +extern atomic_unchecked_t fscache_n_cookie_data;
38190 +extern atomic_unchecked_t fscache_n_cookie_special;
38192 +extern atomic_unchecked_t fscache_n_object_alloc;
38193 +extern atomic_unchecked_t fscache_n_object_no_alloc;
38194 +extern atomic_unchecked_t fscache_n_object_lookups;
38195 +extern atomic_unchecked_t fscache_n_object_lookups_negative;
38196 +extern atomic_unchecked_t fscache_n_object_lookups_positive;
38197 +extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
38198 +extern atomic_unchecked_t fscache_n_object_created;
38199 +extern atomic_unchecked_t fscache_n_object_avail;
38200 +extern atomic_unchecked_t fscache_n_object_dead;
38202 +extern atomic_unchecked_t fscache_n_checkaux_none;
38203 +extern atomic_unchecked_t fscache_n_checkaux_okay;
38204 +extern atomic_unchecked_t fscache_n_checkaux_update;
38205 +extern atomic_unchecked_t fscache_n_checkaux_obsolete;
38207 extern atomic_t fscache_n_cop_alloc_object;
38208 extern atomic_t fscache_n_cop_lookup_object;
38209 @@ -255,6 +255,11 @@ static inline void fscache_stat(atomic_t
38213 +static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
38215 + atomic_inc_unchecked(stat);
38218 static inline void fscache_stat_d(atomic_t *stat)
38221 @@ -267,6 +272,7 @@ extern const struct file_operations fsca
38223 #define __fscache_stat(stat) (NULL)
38224 #define fscache_stat(stat) do {} while (0)
38225 +#define fscache_stat_unchecked(stat) do {} while (0)
38226 #define fscache_stat_d(stat) do {} while (0)
38229 diff -urNp linux-2.6.38.6/fs/fscache/object.c linux-2.6.38.6/fs/fscache/object.c
38230 --- linux-2.6.38.6/fs/fscache/object.c 2011-03-14 21:20:32.000000000 -0400
38231 +++ linux-2.6.38.6/fs/fscache/object.c 2011-04-28 19:57:25.000000000 -0400
38232 @@ -128,7 +128,7 @@ static void fscache_object_state_machine
38233 /* update the object metadata on disk */
38234 case FSCACHE_OBJECT_UPDATING:
38235 clear_bit(FSCACHE_OBJECT_EV_UPDATE, &object->events);
38236 - fscache_stat(&fscache_n_updates_run);
38237 + fscache_stat_unchecked(&fscache_n_updates_run);
38238 fscache_stat(&fscache_n_cop_update_object);
38239 object->cache->ops->update_object(object);
38240 fscache_stat_d(&fscache_n_cop_update_object);
38241 @@ -217,7 +217,7 @@ static void fscache_object_state_machine
38242 spin_lock(&object->lock);
38243 object->state = FSCACHE_OBJECT_DEAD;
38244 spin_unlock(&object->lock);
38245 - fscache_stat(&fscache_n_object_dead);
38246 + fscache_stat_unchecked(&fscache_n_object_dead);
38247 goto terminal_transit;
38249 /* handle the parent cache of this object being withdrawn from
38250 @@ -232,7 +232,7 @@ static void fscache_object_state_machine
38251 spin_lock(&object->lock);
38252 object->state = FSCACHE_OBJECT_DEAD;
38253 spin_unlock(&object->lock);
38254 - fscache_stat(&fscache_n_object_dead);
38255 + fscache_stat_unchecked(&fscache_n_object_dead);
38256 goto terminal_transit;
38258 /* complain about the object being woken up once it is
38259 @@ -461,7 +461,7 @@ static void fscache_lookup_object(struct
38260 parent->cookie->def->name, cookie->def->name,
38261 object->cache->tag->name);
38263 - fscache_stat(&fscache_n_object_lookups);
38264 + fscache_stat_unchecked(&fscache_n_object_lookups);
38265 fscache_stat(&fscache_n_cop_lookup_object);
38266 ret = object->cache->ops->lookup_object(object);
38267 fscache_stat_d(&fscache_n_cop_lookup_object);
38268 @@ -472,7 +472,7 @@ static void fscache_lookup_object(struct
38269 if (ret == -ETIMEDOUT) {
38270 /* probably stuck behind another object, so move this one to
38271 * the back of the queue */
38272 - fscache_stat(&fscache_n_object_lookups_timed_out);
38273 + fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
38274 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
38277 @@ -495,7 +495,7 @@ void fscache_object_lookup_negative(stru
38279 spin_lock(&object->lock);
38280 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
38281 - fscache_stat(&fscache_n_object_lookups_negative);
38282 + fscache_stat_unchecked(&fscache_n_object_lookups_negative);
38284 /* transit here to allow write requests to begin stacking up
38285 * and read requests to begin returning ENODATA */
38286 @@ -541,7 +541,7 @@ void fscache_obtained_object(struct fsca
38287 * result, in which case there may be data available */
38288 spin_lock(&object->lock);
38289 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
38290 - fscache_stat(&fscache_n_object_lookups_positive);
38291 + fscache_stat_unchecked(&fscache_n_object_lookups_positive);
38293 clear_bit(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
38295 @@ -555,7 +555,7 @@ void fscache_obtained_object(struct fsca
38296 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
38298 ASSERTCMP(object->state, ==, FSCACHE_OBJECT_CREATING);
38299 - fscache_stat(&fscache_n_object_created);
38300 + fscache_stat_unchecked(&fscache_n_object_created);
38302 object->state = FSCACHE_OBJECT_AVAILABLE;
38303 spin_unlock(&object->lock);
38304 @@ -602,7 +602,7 @@ static void fscache_object_available(str
38305 fscache_enqueue_dependents(object);
38307 fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
38308 - fscache_stat(&fscache_n_object_avail);
38309 + fscache_stat_unchecked(&fscache_n_object_avail);
38313 @@ -861,7 +861,7 @@ enum fscache_checkaux fscache_check_aux(
38314 enum fscache_checkaux result;
38316 if (!object->cookie->def->check_aux) {
38317 - fscache_stat(&fscache_n_checkaux_none);
38318 + fscache_stat_unchecked(&fscache_n_checkaux_none);
38319 return FSCACHE_CHECKAUX_OKAY;
38322 @@ -870,17 +870,17 @@ enum fscache_checkaux fscache_check_aux(
38324 /* entry okay as is */
38325 case FSCACHE_CHECKAUX_OKAY:
38326 - fscache_stat(&fscache_n_checkaux_okay);
38327 + fscache_stat_unchecked(&fscache_n_checkaux_okay);
38330 /* entry requires update */
38331 case FSCACHE_CHECKAUX_NEEDS_UPDATE:
38332 - fscache_stat(&fscache_n_checkaux_update);
38333 + fscache_stat_unchecked(&fscache_n_checkaux_update);
38336 /* entry requires deletion */
38337 case FSCACHE_CHECKAUX_OBSOLETE:
38338 - fscache_stat(&fscache_n_checkaux_obsolete);
38339 + fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
38343 diff -urNp linux-2.6.38.6/fs/fscache/operation.c linux-2.6.38.6/fs/fscache/operation.c
38344 --- linux-2.6.38.6/fs/fscache/operation.c 2011-03-14 21:20:32.000000000 -0400
38345 +++ linux-2.6.38.6/fs/fscache/operation.c 2011-04-28 19:57:25.000000000 -0400
38347 #include <linux/slab.h>
38348 #include "internal.h"
38350 -atomic_t fscache_op_debug_id;
38351 +atomic_unchecked_t fscache_op_debug_id;
38352 EXPORT_SYMBOL(fscache_op_debug_id);
38355 @@ -40,7 +40,7 @@ void fscache_enqueue_operation(struct fs
38356 ASSERTCMP(op->object->state, >=, FSCACHE_OBJECT_AVAILABLE);
38357 ASSERTCMP(atomic_read(&op->usage), >, 0);
38359 - fscache_stat(&fscache_n_op_enqueue);
38360 + fscache_stat_unchecked(&fscache_n_op_enqueue);
38361 switch (op->flags & FSCACHE_OP_TYPE) {
38362 case FSCACHE_OP_ASYNC:
38363 _debug("queue async");
38364 @@ -73,7 +73,7 @@ static void fscache_run_op(struct fscach
38365 wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
38367 fscache_enqueue_operation(op);
38368 - fscache_stat(&fscache_n_op_run);
38369 + fscache_stat_unchecked(&fscache_n_op_run);
38373 @@ -104,11 +104,11 @@ int fscache_submit_exclusive_op(struct f
38374 if (object->n_ops > 1) {
38375 atomic_inc(&op->usage);
38376 list_add_tail(&op->pend_link, &object->pending_ops);
38377 - fscache_stat(&fscache_n_op_pend);
38378 + fscache_stat_unchecked(&fscache_n_op_pend);
38379 } else if (!list_empty(&object->pending_ops)) {
38380 atomic_inc(&op->usage);
38381 list_add_tail(&op->pend_link, &object->pending_ops);
38382 - fscache_stat(&fscache_n_op_pend);
38383 + fscache_stat_unchecked(&fscache_n_op_pend);
38384 fscache_start_operations(object);
38386 ASSERTCMP(object->n_in_progress, ==, 0);
38387 @@ -124,7 +124,7 @@ int fscache_submit_exclusive_op(struct f
38388 object->n_exclusive++; /* reads and writes must wait */
38389 atomic_inc(&op->usage);
38390 list_add_tail(&op->pend_link, &object->pending_ops);
38391 - fscache_stat(&fscache_n_op_pend);
38392 + fscache_stat_unchecked(&fscache_n_op_pend);
38395 /* not allowed to submit ops in any other state */
38396 @@ -211,11 +211,11 @@ int fscache_submit_op(struct fscache_obj
38397 if (object->n_exclusive > 0) {
38398 atomic_inc(&op->usage);
38399 list_add_tail(&op->pend_link, &object->pending_ops);
38400 - fscache_stat(&fscache_n_op_pend);
38401 + fscache_stat_unchecked(&fscache_n_op_pend);
38402 } else if (!list_empty(&object->pending_ops)) {
38403 atomic_inc(&op->usage);
38404 list_add_tail(&op->pend_link, &object->pending_ops);
38405 - fscache_stat(&fscache_n_op_pend);
38406 + fscache_stat_unchecked(&fscache_n_op_pend);
38407 fscache_start_operations(object);
38409 ASSERTCMP(object->n_exclusive, ==, 0);
38410 @@ -227,12 +227,12 @@ int fscache_submit_op(struct fscache_obj
38412 atomic_inc(&op->usage);
38413 list_add_tail(&op->pend_link, &object->pending_ops);
38414 - fscache_stat(&fscache_n_op_pend);
38415 + fscache_stat_unchecked(&fscache_n_op_pend);
38417 } else if (object->state == FSCACHE_OBJECT_DYING ||
38418 object->state == FSCACHE_OBJECT_LC_DYING ||
38419 object->state == FSCACHE_OBJECT_WITHDRAWING) {
38420 - fscache_stat(&fscache_n_op_rejected);
38421 + fscache_stat_unchecked(&fscache_n_op_rejected);
38423 } else if (!test_bit(FSCACHE_IOERROR, &object->cache->flags)) {
38424 fscache_report_unexpected_submission(object, op, ostate);
38425 @@ -302,7 +302,7 @@ int fscache_cancel_op(struct fscache_ope
38428 if (!list_empty(&op->pend_link)) {
38429 - fscache_stat(&fscache_n_op_cancelled);
38430 + fscache_stat_unchecked(&fscache_n_op_cancelled);
38431 list_del_init(&op->pend_link);
38433 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
38434 @@ -341,7 +341,7 @@ void fscache_put_operation(struct fscach
38435 if (test_and_set_bit(FSCACHE_OP_DEAD, &op->flags))
38438 - fscache_stat(&fscache_n_op_release);
38439 + fscache_stat_unchecked(&fscache_n_op_release);
38443 @@ -358,7 +358,7 @@ void fscache_put_operation(struct fscach
38444 * lock, and defer it otherwise */
38445 if (!spin_trylock(&object->lock)) {
38446 _debug("defer put");
38447 - fscache_stat(&fscache_n_op_deferred_release);
38448 + fscache_stat_unchecked(&fscache_n_op_deferred_release);
38450 cache = object->cache;
38451 spin_lock(&cache->op_gc_list_lock);
38452 @@ -420,7 +420,7 @@ void fscache_operation_gc(struct work_st
38454 _debug("GC DEFERRED REL OBJ%x OP%x",
38455 object->debug_id, op->debug_id);
38456 - fscache_stat(&fscache_n_op_gc);
38457 + fscache_stat_unchecked(&fscache_n_op_gc);
38459 ASSERTCMP(atomic_read(&op->usage), ==, 0);
38461 diff -urNp linux-2.6.38.6/fs/fscache/page.c linux-2.6.38.6/fs/fscache/page.c
38462 --- linux-2.6.38.6/fs/fscache/page.c 2011-03-14 21:20:32.000000000 -0400
38463 +++ linux-2.6.38.6/fs/fscache/page.c 2011-04-28 19:57:25.000000000 -0400
38464 @@ -60,7 +60,7 @@ bool __fscache_maybe_release_page(struct
38465 val = radix_tree_lookup(&cookie->stores, page->index);
38468 - fscache_stat(&fscache_n_store_vmscan_not_storing);
38469 + fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
38470 __fscache_uncache_page(cookie, page);
38473 @@ -90,11 +90,11 @@ bool __fscache_maybe_release_page(struct
38474 spin_unlock(&cookie->stores_lock);
38477 - fscache_stat(&fscache_n_store_vmscan_cancelled);
38478 - fscache_stat(&fscache_n_store_radix_deletes);
38479 + fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
38480 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
38481 ASSERTCMP(xpage, ==, page);
38483 - fscache_stat(&fscache_n_store_vmscan_gone);
38484 + fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
38487 wake_up_bit(&cookie->flags, 0);
38488 @@ -107,7 +107,7 @@ page_busy:
38489 /* we might want to wait here, but that could deadlock the allocator as
38490 * the work threads writing to the cache may all end up sleeping
38491 * on memory allocation */
38492 - fscache_stat(&fscache_n_store_vmscan_busy);
38493 + fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
38496 EXPORT_SYMBOL(__fscache_maybe_release_page);
38497 @@ -131,7 +131,7 @@ static void fscache_end_page_write(struc
38498 FSCACHE_COOKIE_STORING_TAG);
38499 if (!radix_tree_tag_get(&cookie->stores, page->index,
38500 FSCACHE_COOKIE_PENDING_TAG)) {
38501 - fscache_stat(&fscache_n_store_radix_deletes);
38502 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
38503 xpage = radix_tree_delete(&cookie->stores, page->index);
38505 spin_unlock(&cookie->stores_lock);
38506 @@ -152,7 +152,7 @@ static void fscache_attr_changed_op(stru
38508 _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
38510 - fscache_stat(&fscache_n_attr_changed_calls);
38511 + fscache_stat_unchecked(&fscache_n_attr_changed_calls);
38513 if (fscache_object_is_active(object)) {
38514 fscache_set_op_state(op, "CallFS");
38515 @@ -179,11 +179,11 @@ int __fscache_attr_changed(struct fscach
38517 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
38519 - fscache_stat(&fscache_n_attr_changed);
38520 + fscache_stat_unchecked(&fscache_n_attr_changed);
38522 op = kzalloc(sizeof(*op), GFP_KERNEL);
38524 - fscache_stat(&fscache_n_attr_changed_nomem);
38525 + fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
38526 _leave(" = -ENOMEM");
38529 @@ -202,7 +202,7 @@ int __fscache_attr_changed(struct fscach
38530 if (fscache_submit_exclusive_op(object, op) < 0)
38532 spin_unlock(&cookie->lock);
38533 - fscache_stat(&fscache_n_attr_changed_ok);
38534 + fscache_stat_unchecked(&fscache_n_attr_changed_ok);
38535 fscache_put_operation(op);
38538 @@ -210,7 +210,7 @@ int __fscache_attr_changed(struct fscach
38540 spin_unlock(&cookie->lock);
38542 - fscache_stat(&fscache_n_attr_changed_nobufs);
38543 + fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
38544 _leave(" = %d", -ENOBUFS);
38547 @@ -246,7 +246,7 @@ static struct fscache_retrieval *fscache
38548 /* allocate a retrieval operation and attempt to submit it */
38549 op = kzalloc(sizeof(*op), GFP_NOIO);
38551 - fscache_stat(&fscache_n_retrievals_nomem);
38552 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
38556 @@ -275,13 +275,13 @@ static int fscache_wait_for_deferred_loo
38560 - fscache_stat(&fscache_n_retrievals_wait);
38561 + fscache_stat_unchecked(&fscache_n_retrievals_wait);
38564 if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
38565 fscache_wait_bit_interruptible,
38566 TASK_INTERRUPTIBLE) != 0) {
38567 - fscache_stat(&fscache_n_retrievals_intr);
38568 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
38569 _leave(" = -ERESTARTSYS");
38570 return -ERESTARTSYS;
38572 @@ -299,8 +299,8 @@ static int fscache_wait_for_deferred_loo
38574 static int fscache_wait_for_retrieval_activation(struct fscache_object *object,
38575 struct fscache_retrieval *op,
38576 - atomic_t *stat_op_waits,
38577 - atomic_t *stat_object_dead)
38578 + atomic_unchecked_t *stat_op_waits,
38579 + atomic_unchecked_t *stat_object_dead)
38583 @@ -308,7 +308,7 @@ static int fscache_wait_for_retrieval_ac
38584 goto check_if_dead;
38587 - fscache_stat(stat_op_waits);
38588 + fscache_stat_unchecked(stat_op_waits);
38589 if (wait_on_bit(&op->op.flags, FSCACHE_OP_WAITING,
38590 fscache_wait_bit_interruptible,
38591 TASK_INTERRUPTIBLE) < 0) {
38592 @@ -325,7 +325,7 @@ static int fscache_wait_for_retrieval_ac
38595 if (unlikely(fscache_object_is_dead(object))) {
38596 - fscache_stat(stat_object_dead);
38597 + fscache_stat_unchecked(stat_object_dead);
38601 @@ -352,7 +352,7 @@ int __fscache_read_or_alloc_page(struct
38603 _enter("%p,%p,,,", cookie, page);
38605 - fscache_stat(&fscache_n_retrievals);
38606 + fscache_stat_unchecked(&fscache_n_retrievals);
38608 if (hlist_empty(&cookie->backing_objects))
38610 @@ -386,7 +386,7 @@ int __fscache_read_or_alloc_page(struct
38611 goto nobufs_unlock;
38612 spin_unlock(&cookie->lock);
38614 - fscache_stat(&fscache_n_retrieval_ops);
38615 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
38617 /* pin the netfs read context in case we need to do the actual netfs
38618 * read because we've encountered a cache read failure */
38619 @@ -416,15 +416,15 @@ int __fscache_read_or_alloc_page(struct
38622 if (ret == -ENOMEM)
38623 - fscache_stat(&fscache_n_retrievals_nomem);
38624 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
38625 else if (ret == -ERESTARTSYS)
38626 - fscache_stat(&fscache_n_retrievals_intr);
38627 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
38628 else if (ret == -ENODATA)
38629 - fscache_stat(&fscache_n_retrievals_nodata);
38630 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
38632 - fscache_stat(&fscache_n_retrievals_nobufs);
38633 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
38635 - fscache_stat(&fscache_n_retrievals_ok);
38636 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
38638 fscache_put_retrieval(op);
38639 _leave(" = %d", ret);
38640 @@ -434,7 +434,7 @@ nobufs_unlock:
38641 spin_unlock(&cookie->lock);
38644 - fscache_stat(&fscache_n_retrievals_nobufs);
38645 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
38646 _leave(" = -ENOBUFS");
38649 @@ -472,7 +472,7 @@ int __fscache_read_or_alloc_pages(struct
38651 _enter("%p,,%d,,,", cookie, *nr_pages);
38653 - fscache_stat(&fscache_n_retrievals);
38654 + fscache_stat_unchecked(&fscache_n_retrievals);
38656 if (hlist_empty(&cookie->backing_objects))
38658 @@ -503,7 +503,7 @@ int __fscache_read_or_alloc_pages(struct
38659 goto nobufs_unlock;
38660 spin_unlock(&cookie->lock);
38662 - fscache_stat(&fscache_n_retrieval_ops);
38663 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
38665 /* pin the netfs read context in case we need to do the actual netfs
38666 * read because we've encountered a cache read failure */
38667 @@ -533,15 +533,15 @@ int __fscache_read_or_alloc_pages(struct
38670 if (ret == -ENOMEM)
38671 - fscache_stat(&fscache_n_retrievals_nomem);
38672 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
38673 else if (ret == -ERESTARTSYS)
38674 - fscache_stat(&fscache_n_retrievals_intr);
38675 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
38676 else if (ret == -ENODATA)
38677 - fscache_stat(&fscache_n_retrievals_nodata);
38678 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
38680 - fscache_stat(&fscache_n_retrievals_nobufs);
38681 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
38683 - fscache_stat(&fscache_n_retrievals_ok);
38684 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
38686 fscache_put_retrieval(op);
38687 _leave(" = %d", ret);
38688 @@ -551,7 +551,7 @@ nobufs_unlock:
38689 spin_unlock(&cookie->lock);
38692 - fscache_stat(&fscache_n_retrievals_nobufs);
38693 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
38694 _leave(" = -ENOBUFS");
38697 @@ -575,7 +575,7 @@ int __fscache_alloc_page(struct fscache_
38699 _enter("%p,%p,,,", cookie, page);
38701 - fscache_stat(&fscache_n_allocs);
38702 + fscache_stat_unchecked(&fscache_n_allocs);
38704 if (hlist_empty(&cookie->backing_objects))
38706 @@ -602,7 +602,7 @@ int __fscache_alloc_page(struct fscache_
38707 goto nobufs_unlock;
38708 spin_unlock(&cookie->lock);
38710 - fscache_stat(&fscache_n_alloc_ops);
38711 + fscache_stat_unchecked(&fscache_n_alloc_ops);
38713 ret = fscache_wait_for_retrieval_activation(
38715 @@ -618,11 +618,11 @@ int __fscache_alloc_page(struct fscache_
38718 if (ret == -ERESTARTSYS)
38719 - fscache_stat(&fscache_n_allocs_intr);
38720 + fscache_stat_unchecked(&fscache_n_allocs_intr);
38722 - fscache_stat(&fscache_n_allocs_nobufs);
38723 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
38725 - fscache_stat(&fscache_n_allocs_ok);
38726 + fscache_stat_unchecked(&fscache_n_allocs_ok);
38728 fscache_put_retrieval(op);
38729 _leave(" = %d", ret);
38730 @@ -632,7 +632,7 @@ nobufs_unlock:
38731 spin_unlock(&cookie->lock);
38734 - fscache_stat(&fscache_n_allocs_nobufs);
38735 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
38736 _leave(" = -ENOBUFS");
38739 @@ -675,7 +675,7 @@ static void fscache_write_op(struct fsca
38741 spin_lock(&cookie->stores_lock);
38743 - fscache_stat(&fscache_n_store_calls);
38744 + fscache_stat_unchecked(&fscache_n_store_calls);
38746 /* find a page to store */
38748 @@ -686,7 +686,7 @@ static void fscache_write_op(struct fsca
38750 _debug("gang %d [%lx]", n, page->index);
38751 if (page->index > op->store_limit) {
38752 - fscache_stat(&fscache_n_store_pages_over_limit);
38753 + fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
38757 @@ -699,7 +699,7 @@ static void fscache_write_op(struct fsca
38758 spin_unlock(&object->lock);
38760 fscache_set_op_state(&op->op, "Store");
38761 - fscache_stat(&fscache_n_store_pages);
38762 + fscache_stat_unchecked(&fscache_n_store_pages);
38763 fscache_stat(&fscache_n_cop_write_page);
38764 ret = object->cache->ops->write_page(op, page);
38765 fscache_stat_d(&fscache_n_cop_write_page);
38766 @@ -769,7 +769,7 @@ int __fscache_write_page(struct fscache_
38767 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
38768 ASSERT(PageFsCache(page));
38770 - fscache_stat(&fscache_n_stores);
38771 + fscache_stat_unchecked(&fscache_n_stores);
38773 op = kzalloc(sizeof(*op), GFP_NOIO);
38775 @@ -821,7 +821,7 @@ int __fscache_write_page(struct fscache_
38776 spin_unlock(&cookie->stores_lock);
38777 spin_unlock(&object->lock);
38779 - op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
38780 + op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
38781 op->store_limit = object->store_limit;
38783 if (fscache_submit_op(object, &op->op) < 0)
38784 @@ -829,8 +829,8 @@ int __fscache_write_page(struct fscache_
38786 spin_unlock(&cookie->lock);
38787 radix_tree_preload_end();
38788 - fscache_stat(&fscache_n_store_ops);
38789 - fscache_stat(&fscache_n_stores_ok);
38790 + fscache_stat_unchecked(&fscache_n_store_ops);
38791 + fscache_stat_unchecked(&fscache_n_stores_ok);
38793 /* the work queue now carries its own ref on the object */
38794 fscache_put_operation(&op->op);
38795 @@ -838,14 +838,14 @@ int __fscache_write_page(struct fscache_
38799 - fscache_stat(&fscache_n_stores_again);
38800 + fscache_stat_unchecked(&fscache_n_stores_again);
38802 spin_unlock(&cookie->stores_lock);
38803 spin_unlock(&object->lock);
38804 spin_unlock(&cookie->lock);
38805 radix_tree_preload_end();
38807 - fscache_stat(&fscache_n_stores_ok);
38808 + fscache_stat_unchecked(&fscache_n_stores_ok);
38812 @@ -864,14 +864,14 @@ nobufs:
38813 spin_unlock(&cookie->lock);
38814 radix_tree_preload_end();
38816 - fscache_stat(&fscache_n_stores_nobufs);
38817 + fscache_stat_unchecked(&fscache_n_stores_nobufs);
38818 _leave(" = -ENOBUFS");
38824 - fscache_stat(&fscache_n_stores_oom);
38825 + fscache_stat_unchecked(&fscache_n_stores_oom);
38826 _leave(" = -ENOMEM");
38829 @@ -889,7 +889,7 @@ void __fscache_uncache_page(struct fscac
38830 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
38831 ASSERTCMP(page, !=, NULL);
38833 - fscache_stat(&fscache_n_uncaches);
38834 + fscache_stat_unchecked(&fscache_n_uncaches);
38836 /* cache withdrawal may beat us to it */
38837 if (!PageFsCache(page))
38838 @@ -942,7 +942,7 @@ void fscache_mark_pages_cached(struct fs
38839 unsigned long loop;
38841 #ifdef CONFIG_FSCACHE_STATS
38842 - atomic_add(pagevec->nr, &fscache_n_marks);
38843 + atomic_add_unchecked(pagevec->nr, &fscache_n_marks);
38846 for (loop = 0; loop < pagevec->nr; loop++) {
38847 diff -urNp linux-2.6.38.6/fs/fscache/stats.c linux-2.6.38.6/fs/fscache/stats.c
38848 --- linux-2.6.38.6/fs/fscache/stats.c 2011-03-14 21:20:32.000000000 -0400
38849 +++ linux-2.6.38.6/fs/fscache/stats.c 2011-04-28 19:57:25.000000000 -0400
38850 @@ -18,95 +18,95 @@
38852 * operation counters
38854 -atomic_t fscache_n_op_pend;
38855 -atomic_t fscache_n_op_run;
38856 -atomic_t fscache_n_op_enqueue;
38857 -atomic_t fscache_n_op_requeue;
38858 -atomic_t fscache_n_op_deferred_release;
38859 -atomic_t fscache_n_op_release;
38860 -atomic_t fscache_n_op_gc;
38861 -atomic_t fscache_n_op_cancelled;
38862 -atomic_t fscache_n_op_rejected;
38864 -atomic_t fscache_n_attr_changed;
38865 -atomic_t fscache_n_attr_changed_ok;
38866 -atomic_t fscache_n_attr_changed_nobufs;
38867 -atomic_t fscache_n_attr_changed_nomem;
38868 -atomic_t fscache_n_attr_changed_calls;
38870 -atomic_t fscache_n_allocs;
38871 -atomic_t fscache_n_allocs_ok;
38872 -atomic_t fscache_n_allocs_wait;
38873 -atomic_t fscache_n_allocs_nobufs;
38874 -atomic_t fscache_n_allocs_intr;
38875 -atomic_t fscache_n_allocs_object_dead;
38876 -atomic_t fscache_n_alloc_ops;
38877 -atomic_t fscache_n_alloc_op_waits;
38879 -atomic_t fscache_n_retrievals;
38880 -atomic_t fscache_n_retrievals_ok;
38881 -atomic_t fscache_n_retrievals_wait;
38882 -atomic_t fscache_n_retrievals_nodata;
38883 -atomic_t fscache_n_retrievals_nobufs;
38884 -atomic_t fscache_n_retrievals_intr;
38885 -atomic_t fscache_n_retrievals_nomem;
38886 -atomic_t fscache_n_retrievals_object_dead;
38887 -atomic_t fscache_n_retrieval_ops;
38888 -atomic_t fscache_n_retrieval_op_waits;
38890 -atomic_t fscache_n_stores;
38891 -atomic_t fscache_n_stores_ok;
38892 -atomic_t fscache_n_stores_again;
38893 -atomic_t fscache_n_stores_nobufs;
38894 -atomic_t fscache_n_stores_oom;
38895 -atomic_t fscache_n_store_ops;
38896 -atomic_t fscache_n_store_calls;
38897 -atomic_t fscache_n_store_pages;
38898 -atomic_t fscache_n_store_radix_deletes;
38899 -atomic_t fscache_n_store_pages_over_limit;
38901 -atomic_t fscache_n_store_vmscan_not_storing;
38902 -atomic_t fscache_n_store_vmscan_gone;
38903 -atomic_t fscache_n_store_vmscan_busy;
38904 -atomic_t fscache_n_store_vmscan_cancelled;
38906 -atomic_t fscache_n_marks;
38907 -atomic_t fscache_n_uncaches;
38909 -atomic_t fscache_n_acquires;
38910 -atomic_t fscache_n_acquires_null;
38911 -atomic_t fscache_n_acquires_no_cache;
38912 -atomic_t fscache_n_acquires_ok;
38913 -atomic_t fscache_n_acquires_nobufs;
38914 -atomic_t fscache_n_acquires_oom;
38916 -atomic_t fscache_n_updates;
38917 -atomic_t fscache_n_updates_null;
38918 -atomic_t fscache_n_updates_run;
38920 -atomic_t fscache_n_relinquishes;
38921 -atomic_t fscache_n_relinquishes_null;
38922 -atomic_t fscache_n_relinquishes_waitcrt;
38923 -atomic_t fscache_n_relinquishes_retire;
38925 -atomic_t fscache_n_cookie_index;
38926 -atomic_t fscache_n_cookie_data;
38927 -atomic_t fscache_n_cookie_special;
38929 -atomic_t fscache_n_object_alloc;
38930 -atomic_t fscache_n_object_no_alloc;
38931 -atomic_t fscache_n_object_lookups;
38932 -atomic_t fscache_n_object_lookups_negative;
38933 -atomic_t fscache_n_object_lookups_positive;
38934 -atomic_t fscache_n_object_lookups_timed_out;
38935 -atomic_t fscache_n_object_created;
38936 -atomic_t fscache_n_object_avail;
38937 -atomic_t fscache_n_object_dead;
38939 -atomic_t fscache_n_checkaux_none;
38940 -atomic_t fscache_n_checkaux_okay;
38941 -atomic_t fscache_n_checkaux_update;
38942 -atomic_t fscache_n_checkaux_obsolete;
38943 +atomic_unchecked_t fscache_n_op_pend;
38944 +atomic_unchecked_t fscache_n_op_run;
38945 +atomic_unchecked_t fscache_n_op_enqueue;
38946 +atomic_unchecked_t fscache_n_op_requeue;
38947 +atomic_unchecked_t fscache_n_op_deferred_release;
38948 +atomic_unchecked_t fscache_n_op_release;
38949 +atomic_unchecked_t fscache_n_op_gc;
38950 +atomic_unchecked_t fscache_n_op_cancelled;
38951 +atomic_unchecked_t fscache_n_op_rejected;
38953 +atomic_unchecked_t fscache_n_attr_changed;
38954 +atomic_unchecked_t fscache_n_attr_changed_ok;
38955 +atomic_unchecked_t fscache_n_attr_changed_nobufs;
38956 +atomic_unchecked_t fscache_n_attr_changed_nomem;
38957 +atomic_unchecked_t fscache_n_attr_changed_calls;
38959 +atomic_unchecked_t fscache_n_allocs;
38960 +atomic_unchecked_t fscache_n_allocs_ok;
38961 +atomic_unchecked_t fscache_n_allocs_wait;
38962 +atomic_unchecked_t fscache_n_allocs_nobufs;
38963 +atomic_unchecked_t fscache_n_allocs_intr;
38964 +atomic_unchecked_t fscache_n_allocs_object_dead;
38965 +atomic_unchecked_t fscache_n_alloc_ops;
38966 +atomic_unchecked_t fscache_n_alloc_op_waits;
38968 +atomic_unchecked_t fscache_n_retrievals;
38969 +atomic_unchecked_t fscache_n_retrievals_ok;
38970 +atomic_unchecked_t fscache_n_retrievals_wait;
38971 +atomic_unchecked_t fscache_n_retrievals_nodata;
38972 +atomic_unchecked_t fscache_n_retrievals_nobufs;
38973 +atomic_unchecked_t fscache_n_retrievals_intr;
38974 +atomic_unchecked_t fscache_n_retrievals_nomem;
38975 +atomic_unchecked_t fscache_n_retrievals_object_dead;
38976 +atomic_unchecked_t fscache_n_retrieval_ops;
38977 +atomic_unchecked_t fscache_n_retrieval_op_waits;
38979 +atomic_unchecked_t fscache_n_stores;
38980 +atomic_unchecked_t fscache_n_stores_ok;
38981 +atomic_unchecked_t fscache_n_stores_again;
38982 +atomic_unchecked_t fscache_n_stores_nobufs;
38983 +atomic_unchecked_t fscache_n_stores_oom;
38984 +atomic_unchecked_t fscache_n_store_ops;
38985 +atomic_unchecked_t fscache_n_store_calls;
38986 +atomic_unchecked_t fscache_n_store_pages;
38987 +atomic_unchecked_t fscache_n_store_radix_deletes;
38988 +atomic_unchecked_t fscache_n_store_pages_over_limit;
38990 +atomic_unchecked_t fscache_n_store_vmscan_not_storing;
38991 +atomic_unchecked_t fscache_n_store_vmscan_gone;
38992 +atomic_unchecked_t fscache_n_store_vmscan_busy;
38993 +atomic_unchecked_t fscache_n_store_vmscan_cancelled;
38995 +atomic_unchecked_t fscache_n_marks;
38996 +atomic_unchecked_t fscache_n_uncaches;
38998 +atomic_unchecked_t fscache_n_acquires;
38999 +atomic_unchecked_t fscache_n_acquires_null;
39000 +atomic_unchecked_t fscache_n_acquires_no_cache;
39001 +atomic_unchecked_t fscache_n_acquires_ok;
39002 +atomic_unchecked_t fscache_n_acquires_nobufs;
39003 +atomic_unchecked_t fscache_n_acquires_oom;
39005 +atomic_unchecked_t fscache_n_updates;
39006 +atomic_unchecked_t fscache_n_updates_null;
39007 +atomic_unchecked_t fscache_n_updates_run;
39009 +atomic_unchecked_t fscache_n_relinquishes;
39010 +atomic_unchecked_t fscache_n_relinquishes_null;
39011 +atomic_unchecked_t fscache_n_relinquishes_waitcrt;
39012 +atomic_unchecked_t fscache_n_relinquishes_retire;
39014 +atomic_unchecked_t fscache_n_cookie_index;
39015 +atomic_unchecked_t fscache_n_cookie_data;
39016 +atomic_unchecked_t fscache_n_cookie_special;
39018 +atomic_unchecked_t fscache_n_object_alloc;
39019 +atomic_unchecked_t fscache_n_object_no_alloc;
39020 +atomic_unchecked_t fscache_n_object_lookups;
39021 +atomic_unchecked_t fscache_n_object_lookups_negative;
39022 +atomic_unchecked_t fscache_n_object_lookups_positive;
39023 +atomic_unchecked_t fscache_n_object_lookups_timed_out;
39024 +atomic_unchecked_t fscache_n_object_created;
39025 +atomic_unchecked_t fscache_n_object_avail;
39026 +atomic_unchecked_t fscache_n_object_dead;
39028 +atomic_unchecked_t fscache_n_checkaux_none;
39029 +atomic_unchecked_t fscache_n_checkaux_okay;
39030 +atomic_unchecked_t fscache_n_checkaux_update;
39031 +atomic_unchecked_t fscache_n_checkaux_obsolete;
39033 atomic_t fscache_n_cop_alloc_object;
39034 atomic_t fscache_n_cop_lookup_object;
39035 @@ -133,113 +133,113 @@ static int fscache_stats_show(struct seq
39036 seq_puts(m, "FS-Cache statistics\n");
39038 seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
39039 - atomic_read(&fscache_n_cookie_index),
39040 - atomic_read(&fscache_n_cookie_data),
39041 - atomic_read(&fscache_n_cookie_special));
39042 + atomic_read_unchecked(&fscache_n_cookie_index),
39043 + atomic_read_unchecked(&fscache_n_cookie_data),
39044 + atomic_read_unchecked(&fscache_n_cookie_special));
39046 seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
39047 - atomic_read(&fscache_n_object_alloc),
39048 - atomic_read(&fscache_n_object_no_alloc),
39049 - atomic_read(&fscache_n_object_avail),
39050 - atomic_read(&fscache_n_object_dead));
39051 + atomic_read_unchecked(&fscache_n_object_alloc),
39052 + atomic_read_unchecked(&fscache_n_object_no_alloc),
39053 + atomic_read_unchecked(&fscache_n_object_avail),
39054 + atomic_read_unchecked(&fscache_n_object_dead));
39055 seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
39056 - atomic_read(&fscache_n_checkaux_none),
39057 - atomic_read(&fscache_n_checkaux_okay),
39058 - atomic_read(&fscache_n_checkaux_update),
39059 - atomic_read(&fscache_n_checkaux_obsolete));
39060 + atomic_read_unchecked(&fscache_n_checkaux_none),
39061 + atomic_read_unchecked(&fscache_n_checkaux_okay),
39062 + atomic_read_unchecked(&fscache_n_checkaux_update),
39063 + atomic_read_unchecked(&fscache_n_checkaux_obsolete));
39065 seq_printf(m, "Pages : mrk=%u unc=%u\n",
39066 - atomic_read(&fscache_n_marks),
39067 - atomic_read(&fscache_n_uncaches));
39068 + atomic_read_unchecked(&fscache_n_marks),
39069 + atomic_read_unchecked(&fscache_n_uncaches));
39071 seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
39073 - atomic_read(&fscache_n_acquires),
39074 - atomic_read(&fscache_n_acquires_null),
39075 - atomic_read(&fscache_n_acquires_no_cache),
39076 - atomic_read(&fscache_n_acquires_ok),
39077 - atomic_read(&fscache_n_acquires_nobufs),
39078 - atomic_read(&fscache_n_acquires_oom));
39079 + atomic_read_unchecked(&fscache_n_acquires),
39080 + atomic_read_unchecked(&fscache_n_acquires_null),
39081 + atomic_read_unchecked(&fscache_n_acquires_no_cache),
39082 + atomic_read_unchecked(&fscache_n_acquires_ok),
39083 + atomic_read_unchecked(&fscache_n_acquires_nobufs),
39084 + atomic_read_unchecked(&fscache_n_acquires_oom));
39086 seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
39087 - atomic_read(&fscache_n_object_lookups),
39088 - atomic_read(&fscache_n_object_lookups_negative),
39089 - atomic_read(&fscache_n_object_lookups_positive),
39090 - atomic_read(&fscache_n_object_created),
39091 - atomic_read(&fscache_n_object_lookups_timed_out));
39092 + atomic_read_unchecked(&fscache_n_object_lookups),
39093 + atomic_read_unchecked(&fscache_n_object_lookups_negative),
39094 + atomic_read_unchecked(&fscache_n_object_lookups_positive),
39095 + atomic_read_unchecked(&fscache_n_object_created),
39096 + atomic_read_unchecked(&fscache_n_object_lookups_timed_out));
39098 seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
39099 - atomic_read(&fscache_n_updates),
39100 - atomic_read(&fscache_n_updates_null),
39101 - atomic_read(&fscache_n_updates_run));
39102 + atomic_read_unchecked(&fscache_n_updates),
39103 + atomic_read_unchecked(&fscache_n_updates_null),
39104 + atomic_read_unchecked(&fscache_n_updates_run));
39106 seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
39107 - atomic_read(&fscache_n_relinquishes),
39108 - atomic_read(&fscache_n_relinquishes_null),
39109 - atomic_read(&fscache_n_relinquishes_waitcrt),
39110 - atomic_read(&fscache_n_relinquishes_retire));
39111 + atomic_read_unchecked(&fscache_n_relinquishes),
39112 + atomic_read_unchecked(&fscache_n_relinquishes_null),
39113 + atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
39114 + atomic_read_unchecked(&fscache_n_relinquishes_retire));
39116 seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
39117 - atomic_read(&fscache_n_attr_changed),
39118 - atomic_read(&fscache_n_attr_changed_ok),
39119 - atomic_read(&fscache_n_attr_changed_nobufs),
39120 - atomic_read(&fscache_n_attr_changed_nomem),
39121 - atomic_read(&fscache_n_attr_changed_calls));
39122 + atomic_read_unchecked(&fscache_n_attr_changed),
39123 + atomic_read_unchecked(&fscache_n_attr_changed_ok),
39124 + atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
39125 + atomic_read_unchecked(&fscache_n_attr_changed_nomem),
39126 + atomic_read_unchecked(&fscache_n_attr_changed_calls));
39128 seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
39129 - atomic_read(&fscache_n_allocs),
39130 - atomic_read(&fscache_n_allocs_ok),
39131 - atomic_read(&fscache_n_allocs_wait),
39132 - atomic_read(&fscache_n_allocs_nobufs),
39133 - atomic_read(&fscache_n_allocs_intr));
39134 + atomic_read_unchecked(&fscache_n_allocs),
39135 + atomic_read_unchecked(&fscache_n_allocs_ok),
39136 + atomic_read_unchecked(&fscache_n_allocs_wait),
39137 + atomic_read_unchecked(&fscache_n_allocs_nobufs),
39138 + atomic_read_unchecked(&fscache_n_allocs_intr));
39139 seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
39140 - atomic_read(&fscache_n_alloc_ops),
39141 - atomic_read(&fscache_n_alloc_op_waits),
39142 - atomic_read(&fscache_n_allocs_object_dead));
39143 + atomic_read_unchecked(&fscache_n_alloc_ops),
39144 + atomic_read_unchecked(&fscache_n_alloc_op_waits),
39145 + atomic_read_unchecked(&fscache_n_allocs_object_dead));
39147 seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
39148 " int=%u oom=%u\n",
39149 - atomic_read(&fscache_n_retrievals),
39150 - atomic_read(&fscache_n_retrievals_ok),
39151 - atomic_read(&fscache_n_retrievals_wait),
39152 - atomic_read(&fscache_n_retrievals_nodata),
39153 - atomic_read(&fscache_n_retrievals_nobufs),
39154 - atomic_read(&fscache_n_retrievals_intr),
39155 - atomic_read(&fscache_n_retrievals_nomem));
39156 + atomic_read_unchecked(&fscache_n_retrievals),
39157 + atomic_read_unchecked(&fscache_n_retrievals_ok),
39158 + atomic_read_unchecked(&fscache_n_retrievals_wait),
39159 + atomic_read_unchecked(&fscache_n_retrievals_nodata),
39160 + atomic_read_unchecked(&fscache_n_retrievals_nobufs),
39161 + atomic_read_unchecked(&fscache_n_retrievals_intr),
39162 + atomic_read_unchecked(&fscache_n_retrievals_nomem));
39163 seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
39164 - atomic_read(&fscache_n_retrieval_ops),
39165 - atomic_read(&fscache_n_retrieval_op_waits),
39166 - atomic_read(&fscache_n_retrievals_object_dead));
39167 + atomic_read_unchecked(&fscache_n_retrieval_ops),
39168 + atomic_read_unchecked(&fscache_n_retrieval_op_waits),
39169 + atomic_read_unchecked(&fscache_n_retrievals_object_dead));
39171 seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
39172 - atomic_read(&fscache_n_stores),
39173 - atomic_read(&fscache_n_stores_ok),
39174 - atomic_read(&fscache_n_stores_again),
39175 - atomic_read(&fscache_n_stores_nobufs),
39176 - atomic_read(&fscache_n_stores_oom));
39177 + atomic_read_unchecked(&fscache_n_stores),
39178 + atomic_read_unchecked(&fscache_n_stores_ok),
39179 + atomic_read_unchecked(&fscache_n_stores_again),
39180 + atomic_read_unchecked(&fscache_n_stores_nobufs),
39181 + atomic_read_unchecked(&fscache_n_stores_oom));
39182 seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
39183 - atomic_read(&fscache_n_store_ops),
39184 - atomic_read(&fscache_n_store_calls),
39185 - atomic_read(&fscache_n_store_pages),
39186 - atomic_read(&fscache_n_store_radix_deletes),
39187 - atomic_read(&fscache_n_store_pages_over_limit));
39188 + atomic_read_unchecked(&fscache_n_store_ops),
39189 + atomic_read_unchecked(&fscache_n_store_calls),
39190 + atomic_read_unchecked(&fscache_n_store_pages),
39191 + atomic_read_unchecked(&fscache_n_store_radix_deletes),
39192 + atomic_read_unchecked(&fscache_n_store_pages_over_limit));
39194 seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u\n",
39195 - atomic_read(&fscache_n_store_vmscan_not_storing),
39196 - atomic_read(&fscache_n_store_vmscan_gone),
39197 - atomic_read(&fscache_n_store_vmscan_busy),
39198 - atomic_read(&fscache_n_store_vmscan_cancelled));
39199 + atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
39200 + atomic_read_unchecked(&fscache_n_store_vmscan_gone),
39201 + atomic_read_unchecked(&fscache_n_store_vmscan_busy),
39202 + atomic_read_unchecked(&fscache_n_store_vmscan_cancelled));
39204 seq_printf(m, "Ops : pend=%u run=%u enq=%u can=%u rej=%u\n",
39205 - atomic_read(&fscache_n_op_pend),
39206 - atomic_read(&fscache_n_op_run),
39207 - atomic_read(&fscache_n_op_enqueue),
39208 - atomic_read(&fscache_n_op_cancelled),
39209 - atomic_read(&fscache_n_op_rejected));
39210 + atomic_read_unchecked(&fscache_n_op_pend),
39211 + atomic_read_unchecked(&fscache_n_op_run),
39212 + atomic_read_unchecked(&fscache_n_op_enqueue),
39213 + atomic_read_unchecked(&fscache_n_op_cancelled),
39214 + atomic_read_unchecked(&fscache_n_op_rejected));
39215 seq_printf(m, "Ops : dfr=%u rel=%u gc=%u\n",
39216 - atomic_read(&fscache_n_op_deferred_release),
39217 - atomic_read(&fscache_n_op_release),
39218 - atomic_read(&fscache_n_op_gc));
39219 + atomic_read_unchecked(&fscache_n_op_deferred_release),
39220 + atomic_read_unchecked(&fscache_n_op_release),
39221 + atomic_read_unchecked(&fscache_n_op_gc));
39223 seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
39224 atomic_read(&fscache_n_cop_alloc_object),
39225 diff -urNp linux-2.6.38.6/fs/fs_struct.c linux-2.6.38.6/fs/fs_struct.c
39226 --- linux-2.6.38.6/fs/fs_struct.c 2011-03-14 21:20:32.000000000 -0400
39227 +++ linux-2.6.38.6/fs/fs_struct.c 2011-04-28 19:34:15.000000000 -0400
39229 #include <linux/slab.h>
39230 #include <linux/fs_struct.h>
39231 #include <linux/vserver/global.h>
39232 +#include <linux/grsecurity.h>
39233 #include "internal.h"
39235 static inline void path_get_longterm(struct path *path)
39236 @@ -31,6 +32,7 @@ void set_fs_root(struct fs_struct *fs, s
39237 old_root = fs->root;
39239 path_get_longterm(path);
39240 + gr_set_chroot_entries(current, path);
39241 write_seqcount_end(&fs->seq);
39242 spin_unlock(&fs->lock);
39243 if (old_root.dentry)
39244 @@ -74,6 +76,7 @@ void chroot_fs_refs(struct path *old_roo
39245 && fs->root.mnt == old_root->mnt) {
39246 path_get_longterm(new_root);
39247 fs->root = *new_root;
39248 + gr_set_chroot_entries(p, new_root);
39251 if (fs->pwd.dentry == old_root->dentry
39252 @@ -109,7 +112,8 @@ void exit_fs(struct task_struct *tsk)
39253 spin_lock(&fs->lock);
39254 write_seqcount_begin(&fs->seq);
39256 - kill = !--fs->users;
39257 + gr_clear_chroot_entries(tsk);
39258 + kill = !atomic_dec_return(&fs->users);
39259 write_seqcount_end(&fs->seq);
39260 spin_unlock(&fs->lock);
39262 @@ -123,7 +127,7 @@ struct fs_struct *copy_fs_struct(struct
39263 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
39264 /* We don't need to lock fs - think why ;-) */
39267 + atomic_set(&fs->users, 1);
39269 spin_lock_init(&fs->lock);
39270 seqcount_init(&fs->seq);
39271 @@ -132,6 +136,9 @@ struct fs_struct *copy_fs_struct(struct
39272 spin_lock(&old->lock);
39273 fs->root = old->root;
39274 path_get_longterm(&fs->root);
39275 + /* instead of calling gr_set_chroot_entries here,
39276 + we call it from every caller of this function
39278 fs->pwd = old->pwd;
39279 path_get_longterm(&fs->pwd);
39280 spin_unlock(&old->lock);
39281 @@ -150,8 +157,9 @@ int unshare_fs_struct(void)
39283 task_lock(current);
39284 spin_lock(&fs->lock);
39285 - kill = !--fs->users;
39286 + kill = !atomic_dec_return(&fs->users);
39287 current->fs = new_fs;
39288 + gr_set_chroot_entries(current, &new_fs->root);
39289 spin_unlock(&fs->lock);
39290 task_unlock(current);
39292 @@ -170,7 +178,7 @@ EXPORT_SYMBOL(current_umask);
39294 /* to be mentioned only in INIT_TASK */
39295 struct fs_struct init_fs = {
39297 + .users = ATOMIC_INIT(1),
39298 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock),
39299 .seq = SEQCNT_ZERO,
39301 @@ -186,12 +194,13 @@ void daemonize_fs_struct(void)
39302 task_lock(current);
39304 spin_lock(&init_fs.lock);
39306 + atomic_inc(&init_fs.users);
39307 spin_unlock(&init_fs.lock);
39309 spin_lock(&fs->lock);
39310 current->fs = &init_fs;
39311 - kill = !--fs->users;
39312 + gr_set_chroot_entries(current, ¤t->fs->root);
39313 + kill = !atomic_dec_return(&fs->users);
39314 spin_unlock(&fs->lock);
39316 task_unlock(current);
39317 diff -urNp linux-2.6.38.6/fs/fuse/cuse.c linux-2.6.38.6/fs/fuse/cuse.c
39318 --- linux-2.6.38.6/fs/fuse/cuse.c 2011-03-14 21:20:32.000000000 -0400
39319 +++ linux-2.6.38.6/fs/fuse/cuse.c 2011-04-28 19:34:15.000000000 -0400
39320 @@ -530,8 +530,18 @@ static int cuse_channel_release(struct i
39324 -static struct file_operations cuse_channel_fops; /* initialized during init */
39326 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
39327 + .owner = THIS_MODULE,
39328 + .llseek = no_llseek,
39329 + .read = do_sync_read,
39330 + .aio_read = fuse_dev_read,
39331 + .write = do_sync_write,
39332 + .aio_write = fuse_dev_write,
39333 + .poll = fuse_dev_poll,
39334 + .open = cuse_channel_open,
39335 + .release = cuse_channel_release,
39336 + .fasync = fuse_dev_fasync,
39339 /**************************************************************************
39340 * Misc stuff and module initializatiion
39341 @@ -577,12 +587,6 @@ static int __init cuse_init(void)
39342 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
39343 INIT_LIST_HEAD(&cuse_conntbl[i]);
39345 - /* inherit and extend fuse_dev_operations */
39346 - cuse_channel_fops = fuse_dev_operations;
39347 - cuse_channel_fops.owner = THIS_MODULE;
39348 - cuse_channel_fops.open = cuse_channel_open;
39349 - cuse_channel_fops.release = cuse_channel_release;
39351 cuse_class = class_create(THIS_MODULE, "cuse");
39352 if (IS_ERR(cuse_class))
39353 return PTR_ERR(cuse_class);
39354 diff -urNp linux-2.6.38.6/fs/fuse/dev.c linux-2.6.38.6/fs/fuse/dev.c
39355 --- linux-2.6.38.6/fs/fuse/dev.c 2011-03-14 21:20:32.000000000 -0400
39356 +++ linux-2.6.38.6/fs/fuse/dev.c 2011-04-28 19:34:15.000000000 -0400
39357 @@ -1183,7 +1183,7 @@ static ssize_t fuse_dev_do_read(struct f
39361 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
39362 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
39363 unsigned long nr_segs, loff_t pos)
39365 struct fuse_copy_state cs;
39366 @@ -1197,6 +1197,8 @@ static ssize_t fuse_dev_read(struct kioc
39367 return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
39370 +EXPORT_SYMBOL_GPL(fuse_dev_read);
39372 static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
39373 struct pipe_buffer *buf)
39375 @@ -1240,7 +1242,7 @@ static ssize_t fuse_dev_splice_read(stru
39379 - if (!pipe->readers) {
39380 + if (!atomic_read(&pipe->readers)) {
39381 send_sig(SIGPIPE, current, 0);
39384 @@ -1733,7 +1735,7 @@ static ssize_t fuse_dev_do_write(struct
39388 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
39389 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
39390 unsigned long nr_segs, loff_t pos)
39392 struct fuse_copy_state cs;
39393 @@ -1746,6 +1748,8 @@ static ssize_t fuse_dev_write(struct kio
39394 return fuse_dev_do_write(fc, &cs, iov_length(iov, nr_segs));
39397 +EXPORT_SYMBOL_GPL(fuse_dev_write);
39399 static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
39400 struct file *out, loff_t *ppos,
39401 size_t len, unsigned int flags)
39402 @@ -1824,7 +1828,7 @@ out:
39406 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
39407 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
39409 unsigned mask = POLLOUT | POLLWRNORM;
39410 struct fuse_conn *fc = fuse_get_conn(file);
39411 @@ -1843,6 +1847,8 @@ static unsigned fuse_dev_poll(struct fil
39415 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
39418 * Abort all requests on the given list (pending or processing)
39420 @@ -1962,7 +1968,7 @@ int fuse_dev_release(struct inode *inode
39422 EXPORT_SYMBOL_GPL(fuse_dev_release);
39424 -static int fuse_dev_fasync(int fd, struct file *file, int on)
39425 +int fuse_dev_fasync(int fd, struct file *file, int on)
39427 struct fuse_conn *fc = fuse_get_conn(file);
39429 @@ -1972,6 +1978,8 @@ static int fuse_dev_fasync(int fd, struc
39430 return fasync_helper(fd, file, on, &fc->fasync);
39433 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
39435 const struct file_operations fuse_dev_operations = {
39436 .owner = THIS_MODULE,
39437 .llseek = no_llseek,
39438 diff -urNp linux-2.6.38.6/fs/fuse/dir.c linux-2.6.38.6/fs/fuse/dir.c
39439 --- linux-2.6.38.6/fs/fuse/dir.c 2011-03-14 21:20:32.000000000 -0400
39440 +++ linux-2.6.38.6/fs/fuse/dir.c 2011-04-28 19:34:15.000000000 -0400
39441 @@ -1133,7 +1133,7 @@ static char *read_link(struct dentry *de
39445 -static void free_link(char *link)
39446 +static void free_link(const char *link)
39449 free_page((unsigned long) link);
39450 diff -urNp linux-2.6.38.6/fs/fuse/fuse_i.h linux-2.6.38.6/fs/fuse/fuse_i.h
39451 --- linux-2.6.38.6/fs/fuse/fuse_i.h 2011-03-14 21:20:32.000000000 -0400
39452 +++ linux-2.6.38.6/fs/fuse/fuse_i.h 2011-04-28 19:34:15.000000000 -0400
39453 @@ -541,6 +541,16 @@ extern const struct file_operations fuse
39455 extern const struct dentry_operations fuse_dentry_operations;
39457 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
39458 + unsigned long nr_segs, loff_t pos);
39460 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
39461 + unsigned long nr_segs, loff_t pos);
39463 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
39465 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
39468 * Inode to nodeid comparison.
39470 diff -urNp linux-2.6.38.6/fs/gfs2/ops_inode.c linux-2.6.38.6/fs/gfs2/ops_inode.c
39471 --- linux-2.6.38.6/fs/gfs2/ops_inode.c 2011-03-14 21:20:32.000000000 -0400
39472 +++ linux-2.6.38.6/fs/gfs2/ops_inode.c 2011-05-16 21:47:08.000000000 -0400
39473 @@ -740,6 +740,8 @@ static int gfs2_rename(struct inode *odi
39477 + pax_track_stack();
39479 if (ndentry->d_inode) {
39480 nip = GFS2_I(ndentry->d_inode);
39482 @@ -1019,7 +1021,7 @@ out:
39484 static void gfs2_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
39486 - char *s = nd_get_link(nd);
39487 + const char *s = nd_get_link(nd);
39491 diff -urNp linux-2.6.38.6/fs/hfsplus/catalog.c linux-2.6.38.6/fs/hfsplus/catalog.c
39492 --- linux-2.6.38.6/fs/hfsplus/catalog.c 2011-03-14 21:20:32.000000000 -0400
39493 +++ linux-2.6.38.6/fs/hfsplus/catalog.c 2011-05-16 21:47:08.000000000 -0400
39494 @@ -179,6 +179,8 @@ int hfsplus_find_cat(struct super_block
39498 + pax_track_stack();
39500 hfsplus_cat_build_key(sb, fd->search_key, cnid, NULL);
39501 err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
39503 @@ -210,6 +212,8 @@ int hfsplus_create_cat(u32 cnid, struct
39507 + pax_track_stack();
39509 dprint(DBG_CAT_MOD, "create_cat: %s,%u(%d)\n",
39510 str->name, cnid, inode->i_nlink);
39511 hfs_find_init(HFSPLUS_SB(sb)->cat_tree, &fd);
39512 @@ -349,6 +353,8 @@ int hfsplus_rename_cat(u32 cnid,
39513 int entry_size, type;
39516 + pax_track_stack();
39518 dprint(DBG_CAT_MOD, "rename_cat: %u - %lu,%s - %lu,%s\n",
39519 cnid, src_dir->i_ino, src_name->name,
39520 dst_dir->i_ino, dst_name->name);
39521 diff -urNp linux-2.6.38.6/fs/hfsplus/dir.c linux-2.6.38.6/fs/hfsplus/dir.c
39522 --- linux-2.6.38.6/fs/hfsplus/dir.c 2011-03-14 21:20:32.000000000 -0400
39523 +++ linux-2.6.38.6/fs/hfsplus/dir.c 2011-05-16 21:47:08.000000000 -0400
39524 @@ -129,6 +129,8 @@ static int hfsplus_readdir(struct file *
39525 struct hfsplus_readdir_data *rd;
39528 + pax_track_stack();
39530 if (filp->f_pos >= inode->i_size)
39533 diff -urNp linux-2.6.38.6/fs/hfsplus/inode.c linux-2.6.38.6/fs/hfsplus/inode.c
39534 --- linux-2.6.38.6/fs/hfsplus/inode.c 2011-03-14 21:20:32.000000000 -0400
39535 +++ linux-2.6.38.6/fs/hfsplus/inode.c 2011-05-16 21:47:08.000000000 -0400
39536 @@ -491,6 +491,8 @@ int hfsplus_cat_read_inode(struct inode
39540 + pax_track_stack();
39542 type = hfs_bnode_read_u16(fd->bnode, fd->entryoffset);
39544 HFSPLUS_I(inode)->linkid = 0;
39545 @@ -554,6 +556,8 @@ int hfsplus_cat_write_inode(struct inode
39546 struct hfs_find_data fd;
39547 hfsplus_cat_entry entry;
39549 + pax_track_stack();
39551 if (HFSPLUS_IS_RSRC(inode))
39552 main_inode = HFSPLUS_I(inode)->rsrc_inode;
39554 diff -urNp linux-2.6.38.6/fs/hfsplus/ioctl.c linux-2.6.38.6/fs/hfsplus/ioctl.c
39555 --- linux-2.6.38.6/fs/hfsplus/ioctl.c 2011-03-14 21:20:32.000000000 -0400
39556 +++ linux-2.6.38.6/fs/hfsplus/ioctl.c 2011-05-16 21:47:08.000000000 -0400
39557 @@ -122,6 +122,8 @@ int hfsplus_setxattr(struct dentry *dent
39558 struct hfsplus_cat_file *file;
39561 + pax_track_stack();
39563 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
39564 return -EOPNOTSUPP;
39566 @@ -166,6 +168,8 @@ ssize_t hfsplus_getxattr(struct dentry *
39567 struct hfsplus_cat_file *file;
39570 + pax_track_stack();
39572 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
39573 return -EOPNOTSUPP;
39575 diff -urNp linux-2.6.38.6/fs/hfsplus/super.c linux-2.6.38.6/fs/hfsplus/super.c
39576 --- linux-2.6.38.6/fs/hfsplus/super.c 2011-03-14 21:20:32.000000000 -0400
39577 +++ linux-2.6.38.6/fs/hfsplus/super.c 2011-05-16 21:47:08.000000000 -0400
39578 @@ -340,6 +340,8 @@ static int hfsplus_fill_super(struct sup
39579 struct nls_table *nls = NULL;
39582 + pax_track_stack();
39585 sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
39587 diff -urNp linux-2.6.38.6/fs/hugetlbfs/inode.c linux-2.6.38.6/fs/hugetlbfs/inode.c
39588 --- linux-2.6.38.6/fs/hugetlbfs/inode.c 2011-03-14 21:20:32.000000000 -0400
39589 +++ linux-2.6.38.6/fs/hugetlbfs/inode.c 2011-04-28 19:34:15.000000000 -0400
39590 @@ -915,7 +915,7 @@ static struct file_system_type hugetlbfs
39591 .kill_sb = kill_litter_super,
39594 -static struct vfsmount *hugetlbfs_vfsmount;
39595 +struct vfsmount *hugetlbfs_vfsmount;
39597 static int can_do_hugetlb_shm(void)
39599 diff -urNp linux-2.6.38.6/fs/inode.c linux-2.6.38.6/fs/inode.c
39600 --- linux-2.6.38.6/fs/inode.c 2011-03-14 21:20:32.000000000 -0400
39601 +++ linux-2.6.38.6/fs/inode.c 2011-04-28 19:34:15.000000000 -0400
39602 @@ -801,8 +801,8 @@ unsigned int get_next_ino(void)
39605 if (unlikely((res & (LAST_INO_BATCH-1)) == 0)) {
39606 - static atomic_t shared_last_ino;
39607 - int next = atomic_add_return(LAST_INO_BATCH, &shared_last_ino);
39608 + static atomic_unchecked_t shared_last_ino;
39609 + int next = atomic_add_return_unchecked(LAST_INO_BATCH, &shared_last_ino);
39611 res = next - LAST_INO_BATCH;
39613 diff -urNp linux-2.6.38.6/fs/jbd/checkpoint.c linux-2.6.38.6/fs/jbd/checkpoint.c
39614 --- linux-2.6.38.6/fs/jbd/checkpoint.c 2011-03-14 21:20:32.000000000 -0400
39615 +++ linux-2.6.38.6/fs/jbd/checkpoint.c 2011-05-16 21:47:08.000000000 -0400
39616 @@ -350,6 +350,8 @@ int log_do_checkpoint(journal_t *journal
39620 + pax_track_stack();
39622 jbd_debug(1, "Start checkpoint\n");
39625 diff -urNp linux-2.6.38.6/fs/jffs2/compr_rtime.c linux-2.6.38.6/fs/jffs2/compr_rtime.c
39626 --- linux-2.6.38.6/fs/jffs2/compr_rtime.c 2011-03-14 21:20:32.000000000 -0400
39627 +++ linux-2.6.38.6/fs/jffs2/compr_rtime.c 2011-05-16 21:47:08.000000000 -0400
39628 @@ -37,6 +37,8 @@ static int jffs2_rtime_compress(unsigned
39632 + pax_track_stack();
39634 memset(positions,0,sizeof(positions));
39636 while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
39637 @@ -78,6 +80,8 @@ static int jffs2_rtime_decompress(unsign
39641 + pax_track_stack();
39643 memset(positions,0,sizeof(positions));
39645 while (outpos<destlen) {
39646 diff -urNp linux-2.6.38.6/fs/jffs2/compr_rubin.c linux-2.6.38.6/fs/jffs2/compr_rubin.c
39647 --- linux-2.6.38.6/fs/jffs2/compr_rubin.c 2011-03-14 21:20:32.000000000 -0400
39648 +++ linux-2.6.38.6/fs/jffs2/compr_rubin.c 2011-05-16 21:47:08.000000000 -0400
39649 @@ -314,6 +314,8 @@ static int jffs2_dynrubin_compress(unsig
39651 uint32_t mysrclen, mydstlen;
39653 + pax_track_stack();
39655 mysrclen = *sourcelen;
39656 mydstlen = *dstlen - 8;
39658 diff -urNp linux-2.6.38.6/fs/jffs2/erase.c linux-2.6.38.6/fs/jffs2/erase.c
39659 --- linux-2.6.38.6/fs/jffs2/erase.c 2011-03-14 21:20:32.000000000 -0400
39660 +++ linux-2.6.38.6/fs/jffs2/erase.c 2011-04-28 19:34:15.000000000 -0400
39661 @@ -439,7 +439,8 @@ static void jffs2_mark_erased_block(stru
39662 struct jffs2_unknown_node marker = {
39663 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
39664 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
39665 - .totlen = cpu_to_je32(c->cleanmarker_size)
39666 + .totlen = cpu_to_je32(c->cleanmarker_size),
39667 + .hdr_crc = cpu_to_je32(0)
39670 jffs2_prealloc_raw_node_refs(c, jeb, 1);
39671 diff -urNp linux-2.6.38.6/fs/jffs2/wbuf.c linux-2.6.38.6/fs/jffs2/wbuf.c
39672 --- linux-2.6.38.6/fs/jffs2/wbuf.c 2011-03-14 21:20:32.000000000 -0400
39673 +++ linux-2.6.38.6/fs/jffs2/wbuf.c 2011-04-28 19:34:15.000000000 -0400
39674 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
39676 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
39677 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
39678 - .totlen = constant_cpu_to_je32(8)
39679 + .totlen = constant_cpu_to_je32(8),
39680 + .hdr_crc = constant_cpu_to_je32(0)
39684 diff -urNp linux-2.6.38.6/fs/jffs2/xattr.c linux-2.6.38.6/fs/jffs2/xattr.c
39685 --- linux-2.6.38.6/fs/jffs2/xattr.c 2011-03-14 21:20:32.000000000 -0400
39686 +++ linux-2.6.38.6/fs/jffs2/xattr.c 2011-05-16 21:47:08.000000000 -0400
39687 @@ -773,6 +773,8 @@ void jffs2_build_xattr_subsystem(struct
39689 BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
39691 + pax_track_stack();
39693 /* Phase.1 : Merge same xref */
39694 for (i=0; i < XREF_TMPHASH_SIZE; i++)
39695 xref_tmphash[i] = NULL;
39696 diff -urNp linux-2.6.38.6/fs/Kconfig.binfmt linux-2.6.38.6/fs/Kconfig.binfmt
39697 --- linux-2.6.38.6/fs/Kconfig.binfmt 2011-03-14 21:20:32.000000000 -0400
39698 +++ linux-2.6.38.6/fs/Kconfig.binfmt 2011-04-28 19:34:15.000000000 -0400
39699 @@ -86,7 +86,7 @@ config HAVE_AOUT
39702 tristate "Kernel support for a.out and ECOFF binaries"
39703 - depends on HAVE_AOUT
39704 + depends on HAVE_AOUT && BROKEN
39706 A.out (Assembler.OUTput) is a set of formats for libraries and
39707 executables used in the earliest versions of UNIX. Linux used
39708 diff -urNp linux-2.6.38.6/fs/libfs.c linux-2.6.38.6/fs/libfs.c
39709 --- linux-2.6.38.6/fs/libfs.c 2011-03-14 21:20:32.000000000 -0400
39710 +++ linux-2.6.38.6/fs/libfs.c 2011-05-11 18:34:57.000000000 -0400
39711 @@ -163,6 +163,9 @@ int dcache_readdir(struct file * filp, v
39713 for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
39714 struct dentry *next;
39715 + char d_name[sizeof(next->d_iname)];
39716 + const unsigned char *name;
39718 next = list_entry(p, struct dentry, d_u.d_child);
39719 spin_lock_nested(&next->d_lock, DENTRY_D_LOCK_NESTED);
39720 if (!simple_positive(next)) {
39721 @@ -172,7 +175,12 @@ int dcache_readdir(struct file * filp, v
39723 spin_unlock(&next->d_lock);
39724 spin_unlock(&dentry->d_lock);
39725 - if (filldir(dirent, next->d_name.name,
39726 + name = next->d_name.name;
39727 + if (name == next->d_iname) {
39728 + memcpy(d_name, name, next->d_name.len);
39731 + if (filldir(dirent, name,
39732 next->d_name.len, filp->f_pos,
39733 next->d_inode->i_ino,
39734 dt_type(next->d_inode)) < 0)
39735 diff -urNp linux-2.6.38.6/fs/lockd/clntproc.c linux-2.6.38.6/fs/lockd/clntproc.c
39736 --- linux-2.6.38.6/fs/lockd/clntproc.c 2011-03-14 21:20:32.000000000 -0400
39737 +++ linux-2.6.38.6/fs/lockd/clntproc.c 2011-05-16 21:47:08.000000000 -0400
39738 @@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt
39740 * Cookie counter for NLM requests
39742 -static atomic_t nlm_cookie = ATOMIC_INIT(0x1234);
39743 +static atomic_unchecked_t nlm_cookie = ATOMIC_INIT(0x1234);
39745 void nlmclnt_next_cookie(struct nlm_cookie *c)
39747 - u32 cookie = atomic_inc_return(&nlm_cookie);
39748 + u32 cookie = atomic_inc_return_unchecked(&nlm_cookie);
39750 memcpy(c->data, &cookie, 4);
39752 @@ -620,6 +620,8 @@ nlmclnt_reclaim(struct nlm_host *host, s
39753 struct nlm_rqst reqst, *req;
39756 + pax_track_stack();
39759 memset(req, 0, sizeof(*req));
39760 locks_init_lock(&req->a_args.lock.fl);
39761 diff -urNp linux-2.6.38.6/fs/lockd/svc.c linux-2.6.38.6/fs/lockd/svc.c
39762 --- linux-2.6.38.6/fs/lockd/svc.c 2011-03-14 21:20:32.000000000 -0400
39763 +++ linux-2.6.38.6/fs/lockd/svc.c 2011-04-28 19:34:15.000000000 -0400
39766 static struct svc_program nlmsvc_program;
39768 -struct nlmsvc_binding * nlmsvc_ops;
39769 +const struct nlmsvc_binding * nlmsvc_ops;
39770 EXPORT_SYMBOL_GPL(nlmsvc_ops);
39772 static DEFINE_MUTEX(nlmsvc_mutex);
39773 diff -urNp linux-2.6.38.6/fs/locks.c linux-2.6.38.6/fs/locks.c
39774 --- linux-2.6.38.6/fs/locks.c 2011-03-14 21:20:32.000000000 -0400
39775 +++ linux-2.6.38.6/fs/locks.c 2011-04-28 19:34:15.000000000 -0400
39776 @@ -2044,16 +2044,16 @@ void locks_remove_flock(struct file *fil
39779 if (filp->f_op && filp->f_op->flock) {
39780 - struct file_lock fl = {
39781 + struct file_lock flock = {
39782 .fl_pid = current->tgid,
39784 .fl_flags = FL_FLOCK,
39785 .fl_type = F_UNLCK,
39786 .fl_end = OFFSET_MAX,
39788 - filp->f_op->flock(filp, F_SETLKW, &fl);
39789 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
39790 - fl.fl_ops->fl_release_private(&fl);
39791 + filp->f_op->flock(filp, F_SETLKW, &flock);
39792 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
39793 + flock.fl_ops->fl_release_private(&flock);
39797 diff -urNp linux-2.6.38.6/fs/logfs/super.c linux-2.6.38.6/fs/logfs/super.c
39798 --- linux-2.6.38.6/fs/logfs/super.c 2011-03-14 21:20:32.000000000 -0400
39799 +++ linux-2.6.38.6/fs/logfs/super.c 2011-05-16 21:47:08.000000000 -0400
39800 @@ -266,6 +266,8 @@ static int logfs_recover_sb(struct super
39801 struct logfs_disk_super _ds1, *ds1 = &_ds1;
39802 int err, valid0, valid1;
39804 + pax_track_stack();
39806 /* read first superblock */
39807 err = wbuf_read(sb, super->s_sb_ofs[0], sizeof(*ds0), ds0);
39809 diff -urNp linux-2.6.38.6/fs/namei.c linux-2.6.38.6/fs/namei.c
39810 --- linux-2.6.38.6/fs/namei.c 2011-04-22 19:20:59.000000000 -0400
39811 +++ linux-2.6.38.6/fs/namei.c 2011-05-16 21:47:08.000000000 -0400
39812 @@ -226,14 +226,6 @@ int generic_permission(struct inode *ino
39816 - * Read/write DACs are always overridable.
39817 - * Executable DACs are overridable if at least one exec bit is set.
39819 - if (!(mask & MAY_EXEC) || execute_ok(inode))
39820 - if (capable(CAP_DAC_OVERRIDE))
39824 * Searching includes executable on directories, else just read.
39826 mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
39827 @@ -241,6 +233,14 @@ int generic_permission(struct inode *ino
39828 if (capable(CAP_DAC_READ_SEARCH))
39832 + * Read/write DACs are always overridable.
39833 + * Executable DACs are overridable if at least one exec bit is set.
39835 + if (!(mask & MAY_EXEC) || execute_ok(inode))
39836 + if (capable(CAP_DAC_OVERRIDE))
39842 @@ -687,7 +687,8 @@ static inline int exec_permission(struct
39843 if (ret == -ECHILD)
39846 - if (capable(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
39847 + if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH) ||
39848 + capable(CAP_DAC_OVERRIDE))
39852 @@ -776,7 +777,7 @@ __do_follow_link(const struct path *link
39853 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
39854 error = PTR_ERR(*p);
39856 - char *s = nd_get_link(nd);
39857 + const char *s = nd_get_link(nd);
39860 error = __vfs_follow_link(nd, s);
39861 @@ -815,6 +816,13 @@ static inline int do_follow_link(struct
39862 err = security_inode_follow_link(path->dentry, nd);
39866 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
39867 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
39872 current->link_count++;
39873 current->total_link_count++;
39875 @@ -1506,13 +1514,36 @@ return_reval:
39877 if (nameidata_drop_rcu_last_maybe(nd))
39880 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
39882 + goto err_and_ret;
39887 if (!(nd->flags & LOOKUP_RCU))
39888 path_put_conditional(&next, nd);
39891 +#ifdef CONFIG_GRKERNSEC
39892 + /* we do this because we can't operate here on an rcu'd dentry,
39893 + acquire a properly-referenced copy
39895 + if (nameidata_drop_rcu_last_maybe(nd))
39899 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
39903 +#ifndef CONFIG_GRKERNSEC
39904 + /* since we convert to ref-walk above, always put the path if we reach
39907 if (!(nd->flags & LOOKUP_RCU))
39909 path_put(&nd->path);
39912 @@ -1739,6 +1770,9 @@ static int do_path_lookup(int dfd, const
39915 if (likely(!retval)) {
39916 + if (*name != '/' && nd->path.dentry && nd->inode && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
39919 if (unlikely(!audit_dummy_context())) {
39920 if (nd->path.dentry && nd->inode)
39921 audit_inode(name, nd->path.dentry);
39922 @@ -2079,6 +2113,30 @@ int vfs_create(struct inode *dir, struct
39927 + * Note that while the flag value (low two bits) for sys_open means:
39929 + * 01 - write-only
39930 + * 10 - read-write
39932 + * it is changed into
39933 + * 00 - no permissions needed
39934 + * 01 - read-permission
39935 + * 10 - write-permission
39936 + * 11 - read-write
39937 + * for the internal routines (ie open_namei()/follow_link() etc)
39938 + * This is more logical, and also allows the 00 "no perm needed"
39939 + * to be used for symlinks (where the permissions are checked
39943 +static inline int open_to_namei_flags(int flag)
39945 + if ((flag+1) & O_ACCMODE)
39950 int may_open(struct path *path, int acc_mode, int flag)
39952 struct dentry *dentry = path->dentry;
39953 @@ -2127,7 +2185,27 @@ int may_open(struct path *path, int acc_
39955 * Ensure there are no outstanding leases on the file.
39957 - return break_lease(inode, flag);
39958 + error = break_lease(inode, flag);
39963 + if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
39968 + if (gr_handle_rawio(inode)) {
39973 + if (!gr_acl_handle_open(dentry, path->mnt, open_to_namei_flags(flag))) {
39981 static int handle_truncate(struct file *filp)
39982 @@ -2162,6 +2240,12 @@ static int __open_namei_create(struct na
39985 struct dentry *dir = nd->path.dentry;
39986 + int flag = open_to_namei_flags(open_flag);
39988 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, flag, mode)) {
39993 if (!IS_POSIXACL(dir->d_inode))
39994 mode &= ~current_umask();
39995 @@ -2169,6 +2253,8 @@ static int __open_namei_create(struct na
39998 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
40000 + gr_handle_create(path->dentry, nd->path.mnt);
40002 mutex_unlock(&dir->d_inode->i_mutex);
40003 dput(nd->path.dentry);
40004 @@ -2180,30 +2266,6 @@ out_unlock:
40005 return may_open(&nd->path, 0, open_flag & ~O_TRUNC);
40009 - * Note that while the flag value (low two bits) for sys_open means:
40011 - * 01 - write-only
40012 - * 10 - read-write
40014 - * it is changed into
40015 - * 00 - no permissions needed
40016 - * 01 - read-permission
40017 - * 10 - write-permission
40018 - * 11 - read-write
40019 - * for the internal routines (ie open_namei()/follow_link() etc)
40020 - * This is more logical, and also allows the 00 "no perm needed"
40021 - * to be used for symlinks (where the permissions are checked
40025 -static inline int open_to_namei_flags(int flag)
40027 - if ((flag+1) & O_ACCMODE)
40032 static int open_will_truncate(int flag, struct inode *inode)
40035 @@ -2274,6 +2336,7 @@ static struct file *do_last(struct namei
40036 int mode, const char *pathname)
40038 struct dentry *dir = nd->path.dentry;
40039 + int flag = open_to_namei_flags(open_flag);
40041 int error = -EISDIR;
40043 @@ -2352,6 +2415,14 @@ static struct file *do_last(struct namei
40045 * It already exists.
40048 + /* only check if O_CREAT is specified, all other checks need to go
40050 + if (gr_handle_fifo(path->dentry, path->mnt, dir, flag, acc_mode)) {
40052 + goto exit_mutex_unlock;
40055 mutex_unlock(&dir->d_inode->i_mutex);
40056 audit_inode(pathname, path->dentry);
40058 @@ -2535,6 +2606,11 @@ reval:
40059 error = security_inode_follow_link(link.dentry, &nd);
40062 + if (gr_handle_follow_link(link.dentry->d_parent->d_inode,
40063 + link.dentry->d_inode, link.dentry, nd.path.mnt)) {
40067 error = __do_follow_link(&link, &nd, &cookie);
40068 if (unlikely(error)) {
40069 if (!IS_ERR(cookie) && linki->i_op->put_link)
40070 @@ -2705,6 +2781,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
40071 error = may_mknod(mode);
40075 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
40080 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
40085 error = mnt_want_write(nd.path.mnt);
40088 @@ -2725,6 +2812,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
40091 mnt_drop_write(nd.path.mnt);
40094 + gr_handle_create(dentry, nd.path.mnt);
40098 @@ -2777,6 +2867,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
40099 if (IS_ERR(dentry))
40102 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
40107 if (!IS_POSIXACL(nd.path.dentry->d_inode))
40108 mode &= ~current_umask();
40109 error = mnt_want_write(nd.path.mnt);
40110 @@ -2788,6 +2883,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
40111 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
40113 mnt_drop_write(nd.path.mnt);
40116 + gr_handle_create(dentry, nd.path.mnt);
40121 @@ -2867,6 +2966,8 @@ static long do_rmdir(int dfd, const char
40123 struct dentry *dentry;
40124 struct nameidata nd;
40125 + ino_t saved_ino = 0;
40126 + dev_t saved_dev = 0;
40128 error = user_path_parent(dfd, pathname, &nd, &name);
40130 @@ -2891,6 +2992,19 @@ static long do_rmdir(int dfd, const char
40131 error = PTR_ERR(dentry);
40132 if (IS_ERR(dentry))
40135 + if (dentry->d_inode != NULL) {
40136 + if (dentry->d_inode->i_nlink <= 1) {
40137 + saved_ino = dentry->d_inode->i_ino;
40138 + saved_dev = gr_get_dev_from_dentry(dentry);
40141 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
40147 error = mnt_want_write(nd.path.mnt);
40150 @@ -2898,6 +3012,8 @@ static long do_rmdir(int dfd, const char
40153 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
40154 + if (!error && (saved_dev || saved_ino))
40155 + gr_handle_delete(saved_ino, saved_dev);
40157 mnt_drop_write(nd.path.mnt);
40159 @@ -2960,6 +3076,8 @@ static long do_unlinkat(int dfd, const c
40160 struct dentry *dentry;
40161 struct nameidata nd;
40162 struct inode *inode = NULL;
40163 + ino_t saved_ino = 0;
40164 + dev_t saved_dev = 0;
40166 error = user_path_parent(dfd, pathname, &nd, &name);
40168 @@ -2979,8 +3097,17 @@ static long do_unlinkat(int dfd, const c
40169 if (nd.last.name[nd.last.len])
40171 inode = dentry->d_inode;
40175 + if (inode->i_nlink <= 1) {
40176 + saved_ino = inode->i_ino;
40177 + saved_dev = gr_get_dev_from_dentry(dentry);
40179 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
40184 error = mnt_want_write(nd.path.mnt);
40187 @@ -2988,6 +3115,8 @@ static long do_unlinkat(int dfd, const c
40190 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
40191 + if (!error && (saved_ino || saved_dev))
40192 + gr_handle_delete(saved_ino, saved_dev);
40194 mnt_drop_write(nd.path.mnt);
40196 @@ -3065,6 +3194,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
40197 if (IS_ERR(dentry))
40200 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
40205 error = mnt_want_write(nd.path.mnt);
40208 @@ -3072,6 +3206,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
40210 goto out_drop_write;
40211 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
40213 + gr_handle_create(dentry, nd.path.mnt);
40215 mnt_drop_write(nd.path.mnt);
40217 @@ -3164,6 +3300,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
40218 error = PTR_ERR(new_dentry);
40219 if (IS_ERR(new_dentry))
40222 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
40223 + old_path.dentry->d_inode,
40224 + old_path.dentry->d_inode->i_mode, to)) {
40229 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
40230 + old_path.dentry, old_path.mnt, to)) {
40235 error = mnt_want_write(nd.path.mnt);
40238 @@ -3171,6 +3321,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
40240 goto out_drop_write;
40241 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
40243 + gr_handle_create(new_dentry, nd.path.mnt);
40245 mnt_drop_write(nd.path.mnt);
40247 @@ -3348,6 +3500,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
40251 + pax_track_stack();
40253 error = user_path_parent(olddfd, oldname, &oldnd, &from);
40256 @@ -3404,6 +3558,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
40257 if (new_dentry == trap)
40260 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
40261 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
40266 error = mnt_want_write(oldnd.path.mnt);
40269 @@ -3413,6 +3573,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
40271 error = vfs_rename(old_dir->d_inode, old_dentry,
40272 new_dir->d_inode, new_dentry);
40274 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
40275 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
40277 mnt_drop_write(oldnd.path.mnt);
40279 @@ -3438,6 +3601,8 @@ SYSCALL_DEFINE2(rename, const char __use
40281 int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
40284 + const char *newlink;
40287 len = PTR_ERR(link);
40288 @@ -3447,7 +3612,14 @@ int vfs_readlink(struct dentry *dentry,
40289 len = strlen(link);
40290 if (len > (unsigned) buflen)
40292 - if (copy_to_user(buffer, link, len))
40294 + if (len < sizeof(tmpbuf)) {
40295 + memcpy(tmpbuf, link, len);
40296 + newlink = tmpbuf;
40300 + if (copy_to_user(buffer, newlink, len))
40304 diff -urNp linux-2.6.38.6/fs/namespace.c linux-2.6.38.6/fs/namespace.c
40305 --- linux-2.6.38.6/fs/namespace.c 2011-04-18 17:27:16.000000000 -0400
40306 +++ linux-2.6.38.6/fs/namespace.c 2011-04-28 19:34:15.000000000 -0400
40307 @@ -1285,6 +1285,9 @@ static int do_umount(struct vfsmount *mn
40308 if (!(sb->s_flags & MS_RDONLY))
40309 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
40310 up_write(&sb->s_umount);
40312 + gr_log_remount(mnt->mnt_devname, retval);
40317 @@ -1304,6 +1307,9 @@ static int do_umount(struct vfsmount *mn
40318 br_write_unlock(vfsmount_lock);
40319 up_write(&namespace_sem);
40320 release_mounts(&umount_list);
40322 + gr_log_unmount(mnt->mnt_devname, retval);
40327 @@ -2241,6 +2247,16 @@ long do_mount(char *dev_name, char *dir_
40328 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
40331 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
40336 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
40341 if (flags & MS_REMOUNT)
40342 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
40344 @@ -2255,6 +2271,9 @@ long do_mount(char *dev_name, char *dir_
40345 dev_name, data_page);
40349 + gr_log_mount(dev_name, dir_name, retval);
40354 @@ -2480,6 +2499,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
40358 + if (gr_handle_chroot_pivot()) {
40364 get_fs_root(current->fs, &root);
40365 down_write(&namespace_sem);
40366 mutex_lock(&old.dentry->d_inode->i_mutex);
40367 diff -urNp linux-2.6.38.6/fs/ncpfs/dir.c linux-2.6.38.6/fs/ncpfs/dir.c
40368 --- linux-2.6.38.6/fs/ncpfs/dir.c 2011-03-14 21:20:32.000000000 -0400
40369 +++ linux-2.6.38.6/fs/ncpfs/dir.c 2011-05-16 21:47:09.000000000 -0400
40370 @@ -299,6 +299,8 @@ ncp_lookup_validate(struct dentry *dentr
40371 int res, val = 0, len;
40372 __u8 __name[NCP_MAXPATHLEN + 1];
40374 + pax_track_stack();
40376 if (dentry == dentry->d_sb->s_root)
40379 @@ -844,6 +846,8 @@ static struct dentry *ncp_lookup(struct
40380 int error, res, len;
40381 __u8 __name[NCP_MAXPATHLEN + 1];
40383 + pax_track_stack();
40386 if (!ncp_conn_valid(server))
40388 @@ -931,6 +935,8 @@ int ncp_create_new(struct inode *dir, st
40389 PPRINTK("ncp_create_new: creating %s/%s, mode=%x\n",
40390 dentry->d_parent->d_name.name, dentry->d_name.name, mode);
40392 + pax_track_stack();
40394 ncp_age_dentry(server, dentry);
40395 len = sizeof(__name);
40396 error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
40397 @@ -992,6 +998,8 @@ static int ncp_mkdir(struct inode *dir,
40399 __u8 __name[NCP_MAXPATHLEN + 1];
40401 + pax_track_stack();
40403 DPRINTK("ncp_mkdir: making %s/%s\n",
40404 dentry->d_parent->d_name.name, dentry->d_name.name);
40406 @@ -1135,6 +1143,8 @@ static int ncp_rename(struct inode *old_
40407 int old_len, new_len;
40408 __u8 __old_name[NCP_MAXPATHLEN + 1], __new_name[NCP_MAXPATHLEN + 1];
40410 + pax_track_stack();
40412 DPRINTK("ncp_rename: %s/%s to %s/%s\n",
40413 old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
40414 new_dentry->d_parent->d_name.name, new_dentry->d_name.name);
40415 diff -urNp linux-2.6.38.6/fs/ncpfs/inode.c linux-2.6.38.6/fs/ncpfs/inode.c
40416 --- linux-2.6.38.6/fs/ncpfs/inode.c 2011-03-14 21:20:32.000000000 -0400
40417 +++ linux-2.6.38.6/fs/ncpfs/inode.c 2011-05-16 21:47:09.000000000 -0400
40418 @@ -461,6 +461,8 @@ static int ncp_fill_super(struct super_b
40420 struct ncp_entry_info finfo;
40422 + pax_track_stack();
40424 data.wdog_pid = NULL;
40425 server = kzalloc(sizeof(struct ncp_server), GFP_KERNEL);
40427 diff -urNp linux-2.6.38.6/fs/nfs/inode.c linux-2.6.38.6/fs/nfs/inode.c
40428 --- linux-2.6.38.6/fs/nfs/inode.c 2011-03-14 21:20:32.000000000 -0400
40429 +++ linux-2.6.38.6/fs/nfs/inode.c 2011-04-28 19:34:15.000000000 -0400
40430 @@ -998,16 +998,16 @@ static int nfs_size_need_update(const st
40431 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
40434 -static atomic_long_t nfs_attr_generation_counter;
40435 +static atomic_long_unchecked_t nfs_attr_generation_counter;
40437 static unsigned long nfs_read_attr_generation_counter(void)
40439 - return atomic_long_read(&nfs_attr_generation_counter);
40440 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
40443 unsigned long nfs_inc_attr_generation_counter(void)
40445 - return atomic_long_inc_return(&nfs_attr_generation_counter);
40446 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
40449 void nfs_fattr_init(struct nfs_fattr *fattr)
40450 diff -urNp linux-2.6.38.6/fs/nfsd/lockd.c linux-2.6.38.6/fs/nfsd/lockd.c
40451 --- linux-2.6.38.6/fs/nfsd/lockd.c 2011-04-18 17:27:18.000000000 -0400
40452 +++ linux-2.6.38.6/fs/nfsd/lockd.c 2011-04-28 19:34:15.000000000 -0400
40453 @@ -60,7 +60,7 @@ nlm_fclose(struct file *filp)
40457 -static struct nlmsvc_binding nfsd_nlm_ops = {
40458 +static const struct nlmsvc_binding nfsd_nlm_ops = {
40459 .fopen = nlm_fopen, /* open file for locking */
40460 .fclose = nlm_fclose, /* close file */
40462 diff -urNp linux-2.6.38.6/fs/nfsd/nfs4state.c linux-2.6.38.6/fs/nfsd/nfs4state.c
40463 --- linux-2.6.38.6/fs/nfsd/nfs4state.c 2011-05-10 22:06:27.000000000 -0400
40464 +++ linux-2.6.38.6/fs/nfsd/nfs4state.c 2011-05-16 21:47:09.000000000 -0400
40465 @@ -3783,6 +3783,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
40466 unsigned int strhashval;
40469 + pax_track_stack();
40471 dprintk("NFSD: nfsd4_lock: start=%Ld length=%Ld\n",
40472 (long long) lock->lk_offset,
40473 (long long) lock->lk_length);
40474 diff -urNp linux-2.6.38.6/fs/nfsd/nfs4xdr.c linux-2.6.38.6/fs/nfsd/nfs4xdr.c
40475 --- linux-2.6.38.6/fs/nfsd/nfs4xdr.c 2011-04-18 17:27:16.000000000 -0400
40476 +++ linux-2.6.38.6/fs/nfsd/nfs4xdr.c 2011-05-16 21:47:09.000000000 -0400
40477 @@ -1793,6 +1793,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
40481 + pax_track_stack();
40483 BUG_ON(bmval1 & NFSD_WRITEONLY_ATTRS_WORD1);
40484 BUG_ON(bmval0 & ~nfsd_suppattrs0(minorversion));
40485 BUG_ON(bmval1 & ~nfsd_suppattrs1(minorversion));
40486 diff -urNp linux-2.6.38.6/fs/nfsd/nfsctl.c linux-2.6.38.6/fs/nfsd/nfsctl.c
40487 --- linux-2.6.38.6/fs/nfsd/nfsctl.c 2011-03-14 21:20:32.000000000 -0400
40488 +++ linux-2.6.38.6/fs/nfsd/nfsctl.c 2011-04-28 19:34:15.000000000 -0400
40489 @@ -180,7 +180,7 @@ static int export_features_open(struct i
40490 return single_open(file, export_features_show, NULL);
40493 -static struct file_operations export_features_operations = {
40494 +static const struct file_operations export_features_operations = {
40495 .open = export_features_open,
40497 .llseek = seq_lseek,
40498 diff -urNp linux-2.6.38.6/fs/nfsd/vfs.c linux-2.6.38.6/fs/nfsd/vfs.c
40499 --- linux-2.6.38.6/fs/nfsd/vfs.c 2011-05-10 22:06:29.000000000 -0400
40500 +++ linux-2.6.38.6/fs/nfsd/vfs.c 2011-05-10 22:08:57.000000000 -0400
40501 @@ -898,7 +898,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
40505 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
40506 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
40510 @@ -1002,7 +1002,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
40512 /* Write the data. */
40513 oldfs = get_fs(); set_fs(KERNEL_DS);
40514 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
40515 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
40519 @@ -1525,7 +1525,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
40522 oldfs = get_fs(); set_fs(KERNEL_DS);
40523 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
40524 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
40528 diff -urNp linux-2.6.38.6/fs/notify/dnotify/dnotify.c linux-2.6.38.6/fs/notify/dnotify/dnotify.c
40529 --- linux-2.6.38.6/fs/notify/dnotify/dnotify.c 2011-03-14 21:20:32.000000000 -0400
40530 +++ linux-2.6.38.6/fs/notify/dnotify/dnotify.c 2011-04-28 19:34:15.000000000 -0400
40531 @@ -151,7 +151,7 @@ static void dnotify_free_mark(struct fsn
40532 kmem_cache_free(dnotify_mark_cache, dn_mark);
40535 -static struct fsnotify_ops dnotify_fsnotify_ops = {
40536 +static const struct fsnotify_ops dnotify_fsnotify_ops = {
40537 .handle_event = dnotify_handle_event,
40538 .should_send_event = dnotify_should_send_event,
40539 .free_group_priv = NULL,
40540 diff -urNp linux-2.6.38.6/fs/notify/notification.c linux-2.6.38.6/fs/notify/notification.c
40541 --- linux-2.6.38.6/fs/notify/notification.c 2011-03-14 21:20:32.000000000 -0400
40542 +++ linux-2.6.38.6/fs/notify/notification.c 2011-04-28 19:57:25.000000000 -0400
40543 @@ -57,7 +57,7 @@ static struct kmem_cache *fsnotify_event
40544 * get set to 0 so it will never get 'freed'
40546 static struct fsnotify_event *q_overflow_event;
40547 -static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
40548 +static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
40551 * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
40552 @@ -65,7 +65,7 @@ static atomic_t fsnotify_sync_cookie = A
40554 u32 fsnotify_get_cookie(void)
40556 - return atomic_inc_return(&fsnotify_sync_cookie);
40557 + return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
40559 EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
40561 diff -urNp linux-2.6.38.6/fs/ntfs/dir.c linux-2.6.38.6/fs/ntfs/dir.c
40562 --- linux-2.6.38.6/fs/ntfs/dir.c 2011-03-14 21:20:32.000000000 -0400
40563 +++ linux-2.6.38.6/fs/ntfs/dir.c 2011-04-28 19:34:15.000000000 -0400
40564 @@ -1329,7 +1329,7 @@ find_next_index_buffer:
40565 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
40566 ~(s64)(ndir->itype.index.block_size - 1)));
40567 /* Bounds checks. */
40568 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
40569 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
40570 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
40571 "inode 0x%lx or driver bug.", vdir->i_ino);
40573 diff -urNp linux-2.6.38.6/fs/ntfs/file.c linux-2.6.38.6/fs/ntfs/file.c
40574 --- linux-2.6.38.6/fs/ntfs/file.c 2011-03-14 21:20:32.000000000 -0400
40575 +++ linux-2.6.38.6/fs/ntfs/file.c 2011-04-28 19:34:15.000000000 -0400
40576 @@ -2222,6 +2222,6 @@ const struct inode_operations ntfs_file_
40577 #endif /* NTFS_RW */
40580 -const struct file_operations ntfs_empty_file_ops = {};
40581 +const struct file_operations ntfs_empty_file_ops __read_only;
40583 -const struct inode_operations ntfs_empty_inode_ops = {};
40584 +const struct inode_operations ntfs_empty_inode_ops __read_only;
40585 diff -urNp linux-2.6.38.6/fs/ocfs2/localalloc.c linux-2.6.38.6/fs/ocfs2/localalloc.c
40586 --- linux-2.6.38.6/fs/ocfs2/localalloc.c 2011-03-14 21:20:32.000000000 -0400
40587 +++ linux-2.6.38.6/fs/ocfs2/localalloc.c 2011-04-28 19:34:15.000000000 -0400
40588 @@ -1307,7 +1307,7 @@ static int ocfs2_local_alloc_slide_windo
40592 - atomic_inc(&osb->alloc_stats.moves);
40593 + atomic_inc_unchecked(&osb->alloc_stats.moves);
40597 diff -urNp linux-2.6.38.6/fs/ocfs2/namei.c linux-2.6.38.6/fs/ocfs2/namei.c
40598 --- linux-2.6.38.6/fs/ocfs2/namei.c 2011-03-14 21:20:32.000000000 -0400
40599 +++ linux-2.6.38.6/fs/ocfs2/namei.c 2011-05-16 21:47:09.000000000 -0400
40600 @@ -1064,6 +1064,8 @@ static int ocfs2_rename(struct inode *ol
40601 struct ocfs2_dir_lookup_result orphan_insert = { NULL, };
40602 struct ocfs2_dir_lookup_result target_insert = { NULL, };
40604 + pax_track_stack();
40606 /* At some point it might be nice to break this function up a
40609 diff -urNp linux-2.6.38.6/fs/ocfs2/ocfs2.h linux-2.6.38.6/fs/ocfs2/ocfs2.h
40610 --- linux-2.6.38.6/fs/ocfs2/ocfs2.h 2011-03-14 21:20:32.000000000 -0400
40611 +++ linux-2.6.38.6/fs/ocfs2/ocfs2.h 2011-04-28 19:34:15.000000000 -0400
40612 @@ -230,11 +230,11 @@ enum ocfs2_vol_state
40614 struct ocfs2_alloc_stats
40617 - atomic_t local_data;
40618 - atomic_t bitmap_data;
40619 - atomic_t bg_allocs;
40620 - atomic_t bg_extends;
40621 + atomic_unchecked_t moves;
40622 + atomic_unchecked_t local_data;
40623 + atomic_unchecked_t bitmap_data;
40624 + atomic_unchecked_t bg_allocs;
40625 + atomic_unchecked_t bg_extends;
40628 enum ocfs2_local_alloc_state
40629 diff -urNp linux-2.6.38.6/fs/ocfs2/suballoc.c linux-2.6.38.6/fs/ocfs2/suballoc.c
40630 --- linux-2.6.38.6/fs/ocfs2/suballoc.c 2011-03-14 21:20:32.000000000 -0400
40631 +++ linux-2.6.38.6/fs/ocfs2/suballoc.c 2011-05-11 18:34:57.000000000 -0400
40632 @@ -877,7 +877,7 @@ static int ocfs2_reserve_suballoc_bits(s
40633 mlog_errno(status);
40636 - atomic_inc(&osb->alloc_stats.bg_extends);
40637 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
40639 /* You should never ask for this much metadata */
40640 BUG_ON(bits_wanted >
40641 @@ -2012,7 +2012,7 @@ int ocfs2_claim_metadata(handle_t *handl
40642 mlog_errno(status);
40645 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
40646 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
40648 *suballoc_loc = res.sr_bg_blkno;
40649 *suballoc_bit_start = res.sr_bit_offset;
40650 @@ -2175,7 +2175,7 @@ int ocfs2_claim_new_inode_at_loc(handle_
40651 mlog(0, "Allocated %u bits from suballocator %llu\n", res->sr_bits,
40652 (unsigned long long)di_blkno);
40654 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
40655 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
40657 BUG_ON(res->sr_bits != 1);
40659 @@ -2219,7 +2219,7 @@ int ocfs2_claim_new_inode(handle_t *hand
40660 mlog_errno(status);
40663 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
40664 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
40666 BUG_ON(res.sr_bits != 1);
40668 @@ -2324,7 +2324,7 @@ int __ocfs2_claim_clusters(handle_t *han
40672 - atomic_inc(&osb->alloc_stats.local_data);
40673 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
40675 if (min_clusters > (osb->bitmap_cpg - 1)) {
40676 /* The only paths asking for contiguousness
40677 @@ -2350,7 +2350,7 @@ int __ocfs2_claim_clusters(handle_t *han
40678 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
40680 res.sr_bit_offset);
40681 - atomic_inc(&osb->alloc_stats.bitmap_data);
40682 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
40683 *num_clusters = res.sr_bits;
40686 diff -urNp linux-2.6.38.6/fs/ocfs2/super.c linux-2.6.38.6/fs/ocfs2/super.c
40687 --- linux-2.6.38.6/fs/ocfs2/super.c 2011-03-14 21:20:32.000000000 -0400
40688 +++ linux-2.6.38.6/fs/ocfs2/super.c 2011-04-28 19:34:15.000000000 -0400
40689 @@ -297,11 +297,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
40690 "%10s => GlobalAllocs: %d LocalAllocs: %d "
40691 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
40693 - atomic_read(&osb->alloc_stats.bitmap_data),
40694 - atomic_read(&osb->alloc_stats.local_data),
40695 - atomic_read(&osb->alloc_stats.bg_allocs),
40696 - atomic_read(&osb->alloc_stats.moves),
40697 - atomic_read(&osb->alloc_stats.bg_extends));
40698 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
40699 + atomic_read_unchecked(&osb->alloc_stats.local_data),
40700 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
40701 + atomic_read_unchecked(&osb->alloc_stats.moves),
40702 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
40704 out += snprintf(buf + out, len - out,
40705 "%10s => State: %u Descriptor: %llu Size: %u bits "
40706 @@ -2141,11 +2141,11 @@ static int ocfs2_initialize_super(struct
40707 spin_lock_init(&osb->osb_xattr_lock);
40708 ocfs2_init_steal_slots(osb);
40710 - atomic_set(&osb->alloc_stats.moves, 0);
40711 - atomic_set(&osb->alloc_stats.local_data, 0);
40712 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
40713 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
40714 - atomic_set(&osb->alloc_stats.bg_extends, 0);
40715 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
40716 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
40717 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
40718 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
40719 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
40721 /* Copy the blockcheck stats from the superblock probe */
40722 osb->osb_ecc_stats = *stats;
40723 diff -urNp linux-2.6.38.6/fs/ocfs2/symlink.c linux-2.6.38.6/fs/ocfs2/symlink.c
40724 --- linux-2.6.38.6/fs/ocfs2/symlink.c 2011-03-14 21:20:32.000000000 -0400
40725 +++ linux-2.6.38.6/fs/ocfs2/symlink.c 2011-04-28 19:34:15.000000000 -0400
40726 @@ -148,7 +148,7 @@ bail:
40728 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
40730 - char *link = nd_get_link(nd);
40731 + const char *link = nd_get_link(nd);
40735 diff -urNp linux-2.6.38.6/fs/open.c linux-2.6.38.6/fs/open.c
40736 --- linux-2.6.38.6/fs/open.c 2011-03-14 21:20:32.000000000 -0400
40737 +++ linux-2.6.38.6/fs/open.c 2011-04-28 19:34:15.000000000 -0400
40738 @@ -112,6 +112,10 @@ static long do_sys_truncate(const char _
40739 error = locks_verify_truncate(inode, NULL, length);
40741 error = security_path_truncate(&path);
40743 + if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
40747 error = do_truncate(path.dentry, length, 0, NULL);
40749 @@ -358,6 +362,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
40750 if (__mnt_is_readonly(path.mnt))
40753 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
40759 @@ -384,6 +391,8 @@ SYSCALL_DEFINE1(chdir, const char __user
40763 + gr_log_chdir(path.dentry, path.mnt);
40765 set_fs_pwd(current->fs, &path);
40768 @@ -410,6 +419,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
40771 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
40773 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
40777 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
40780 set_fs_pwd(current->fs, &file->f_path);
40782 @@ -438,7 +454,18 @@ SYSCALL_DEFINE1(chroot, const char __use
40786 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
40787 + goto dput_and_out;
40789 + if (gr_handle_chroot_caps(&path)) {
40791 + goto dput_and_out;
40794 set_fs_root(current->fs, &path);
40796 + gr_handle_chroot_chdir(&path);
40801 @@ -466,12 +493,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
40802 err = mnt_want_write_file(file);
40806 mutex_lock(&inode->i_mutex);
40808 + if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
40813 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
40816 if (mode == (mode_t) -1)
40817 mode = inode->i_mode;
40819 + if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
40824 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
40825 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
40826 err = notify_change(dentry, &newattrs);
40827 @@ -499,12 +539,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
40828 error = mnt_want_write(path.mnt);
40832 mutex_lock(&inode->i_mutex);
40834 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
40839 error = security_path_chmod(path.dentry, path.mnt, mode);
40842 if (mode == (mode_t) -1)
40843 mode = inode->i_mode;
40845 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
40850 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
40851 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
40852 error = notify_change(path.dentry, &newattrs);
40853 @@ -528,6 +581,9 @@ static int chown_common(struct path *pat
40855 struct iattr newattrs;
40857 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
40860 newattrs.ia_valid = ATTR_CTIME;
40861 if (user != (uid_t) -1) {
40862 newattrs.ia_valid |= ATTR_UID;
40863 @@ -898,7 +954,10 @@ long do_sys_open(int dfd, const char __u
40864 if (!IS_ERR(tmp)) {
40865 fd = get_unused_fd_flags(flags);
40867 - struct file *f = do_filp_open(dfd, tmp, flags, mode, 0);
40869 + /* don't allow to be set by userland */
40870 + flags &= ~FMODE_GREXEC;
40871 + f = do_filp_open(dfd, tmp, flags, mode, 0);
40875 diff -urNp linux-2.6.38.6/fs/partitions/ldm.c linux-2.6.38.6/fs/partitions/ldm.c
40876 --- linux-2.6.38.6/fs/partitions/ldm.c 2011-05-10 22:06:29.000000000 -0400
40877 +++ linux-2.6.38.6/fs/partitions/ldm.c 2011-04-28 19:34:15.000000000 -0400
40878 @@ -1311,6 +1311,7 @@ static bool ldm_frag_add (const u8 *data
40879 ldm_error ("A VBLK claims to have %d parts.", num);
40884 ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
40886 @@ -1322,7 +1323,7 @@ static bool ldm_frag_add (const u8 *data
40890 - f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
40891 + f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
40893 ldm_crit ("Out of memory.");
40895 diff -urNp linux-2.6.38.6/fs/pipe.c linux-2.6.38.6/fs/pipe.c
40896 --- linux-2.6.38.6/fs/pipe.c 2011-03-14 21:20:32.000000000 -0400
40897 +++ linux-2.6.38.6/fs/pipe.c 2011-04-28 19:34:15.000000000 -0400
40898 @@ -420,9 +420,9 @@ redo:
40900 if (bufs) /* More to do? */
40902 - if (!pipe->writers)
40903 + if (!atomic_read(&pipe->writers))
40905 - if (!pipe->waiting_writers) {
40906 + if (!atomic_read(&pipe->waiting_writers)) {
40907 /* syscall merging: Usually we must not sleep
40908 * if O_NONBLOCK is set, or if we got some data.
40909 * But if a writer sleeps in kernel space, then
40910 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
40911 mutex_lock(&inode->i_mutex);
40912 pipe = inode->i_pipe;
40914 - if (!pipe->readers) {
40915 + if (!atomic_read(&pipe->readers)) {
40916 send_sig(SIGPIPE, current, 0);
40919 @@ -530,7 +530,7 @@ redo1:
40923 - if (!pipe->readers) {
40924 + if (!atomic_read(&pipe->readers)) {
40925 send_sig(SIGPIPE, current, 0);
40928 @@ -616,9 +616,9 @@ redo2:
40929 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
40932 - pipe->waiting_writers++;
40933 + atomic_inc(&pipe->waiting_writers);
40935 - pipe->waiting_writers--;
40936 + atomic_dec(&pipe->waiting_writers);
40939 mutex_unlock(&inode->i_mutex);
40940 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
40942 if (filp->f_mode & FMODE_READ) {
40943 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
40944 - if (!pipe->writers && filp->f_version != pipe->w_counter)
40945 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
40949 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
40950 * Most Unices do not set POLLERR for FIFOs but on Linux they
40951 * behave exactly like pipes for poll().
40953 - if (!pipe->readers)
40954 + if (!atomic_read(&pipe->readers))
40958 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
40960 mutex_lock(&inode->i_mutex);
40961 pipe = inode->i_pipe;
40962 - pipe->readers -= decr;
40963 - pipe->writers -= decw;
40964 + atomic_sub(decr, &pipe->readers);
40965 + atomic_sub(decw, &pipe->writers);
40967 - if (!pipe->readers && !pipe->writers) {
40968 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
40969 free_pipe_info(inode);
40971 wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
40972 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
40974 if (inode->i_pipe) {
40976 - inode->i_pipe->readers++;
40977 + atomic_inc(&inode->i_pipe->readers);
40980 mutex_unlock(&inode->i_mutex);
40981 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
40983 if (inode->i_pipe) {
40985 - inode->i_pipe->writers++;
40986 + atomic_inc(&inode->i_pipe->writers);
40989 mutex_unlock(&inode->i_mutex);
40990 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
40991 if (inode->i_pipe) {
40993 if (filp->f_mode & FMODE_READ)
40994 - inode->i_pipe->readers++;
40995 + atomic_inc(&inode->i_pipe->readers);
40996 if (filp->f_mode & FMODE_WRITE)
40997 - inode->i_pipe->writers++;
40998 + atomic_inc(&inode->i_pipe->writers);
41001 mutex_unlock(&inode->i_mutex);
41002 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
41003 inode->i_pipe = NULL;
41006 -static struct vfsmount *pipe_mnt __read_mostly;
41007 +struct vfsmount *pipe_mnt __read_mostly;
41010 * pipefs_dname() is called from d_path().
41011 @@ -961,7 +961,8 @@ static struct inode * get_pipe_inode(voi
41013 inode->i_pipe = pipe;
41015 - pipe->readers = pipe->writers = 1;
41016 + atomic_set(&pipe->readers, 1);
41017 + atomic_set(&pipe->writers, 1);
41018 inode->i_fop = &rdwr_pipefifo_fops;
41021 diff -urNp linux-2.6.38.6/fs/proc/array.c linux-2.6.38.6/fs/proc/array.c
41022 --- linux-2.6.38.6/fs/proc/array.c 2011-04-18 17:27:16.000000000 -0400
41023 +++ linux-2.6.38.6/fs/proc/array.c 2011-05-16 21:47:08.000000000 -0400
41025 #include <linux/tty.h>
41026 #include <linux/string.h>
41027 #include <linux/mman.h>
41028 +#include <linux/grsecurity.h>
41029 #include <linux/proc_fs.h>
41030 #include <linux/ioport.h>
41031 #include <linux/uaccess.h>
41032 @@ -337,6 +338,21 @@ static void task_cpus_allowed(struct seq
41036 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
41037 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
41040 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
41041 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
41042 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
41043 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
41044 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
41045 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
41047 + seq_printf(m, "PaX:\t-----\n");
41051 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
41052 struct pid *pid, struct task_struct *task)
41054 @@ -354,9 +370,24 @@ int proc_pid_status(struct seq_file *m,
41055 cpuset_task_status_allowed(m, task);
41056 task_vs_id(m, task);
41057 task_context_switch_counts(m, task);
41059 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
41060 + task_pax(m, task);
41063 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
41064 + task_grsec_rbac(m, task);
41070 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
41071 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
41072 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
41073 + _mm->pax_flags & MF_PAX_SEGMEXEC))
41076 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
41077 struct pid *pid, struct task_struct *task, int whole)
41079 @@ -375,9 +406,11 @@ static int do_task_stat(struct seq_file
41080 cputime_t cutime, cstime, utime, stime;
41081 cputime_t cgtime, gtime;
41082 unsigned long rsslim = 0;
41083 - char tcomm[sizeof(task->comm)];
41084 + char tcomm[sizeof(task->comm)] = { 0 };
41085 unsigned long flags;
41087 + pax_track_stack();
41089 state = *get_task_state(task);
41090 vsize = eip = esp = 0;
41091 permitted = ptrace_may_access(task, PTRACE_MODE_READ);
41092 @@ -449,6 +482,19 @@ static int do_task_stat(struct seq_file
41093 gtime = task->gtime;
41096 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
41097 + if (PAX_RAND_FLAGS(mm)) {
41103 +#ifdef CONFIG_GRKERNSEC_HIDESYM
41109 /* scale priority and nice values from timeslices to -20..20 */
41110 /* to make it look like a "normal" Unix priority/nice value */
41111 priority = task_prio(task);
41112 @@ -489,9 +535,15 @@ static int do_task_stat(struct seq_file
41114 mm ? get_mm_rss(mm) : 0,
41116 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
41117 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0),
41118 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0),
41119 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
41121 mm ? (permitted ? mm->start_code : 1) : 0,
41122 mm ? (permitted ? mm->end_code : 1) : 0,
41123 (permitted && mm) ? mm->start_stack : 0,
41127 /* The signal information here is obsolete.
41128 @@ -544,3 +596,18 @@ int proc_pid_statm(struct seq_file *m, s
41133 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
41134 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
41137 + unsigned long flags;
41139 + if (lock_task_sighand(task, &flags)) {
41140 + curr_ip = task->signal->curr_ip;
41141 + unlock_task_sighand(task, &flags);
41144 + return sprintf(buffer, "%pI4\n", &curr_ip);
41147 diff -urNp linux-2.6.38.6/fs/proc/base.c linux-2.6.38.6/fs/proc/base.c
41148 --- linux-2.6.38.6/fs/proc/base.c 2011-04-22 19:20:59.000000000 -0400
41149 +++ linux-2.6.38.6/fs/proc/base.c 2011-04-28 19:34:15.000000000 -0400
41150 @@ -104,6 +104,22 @@ struct pid_entry {
41154 +struct getdents_callback {
41155 + struct linux_dirent __user * current_dir;
41156 + struct linux_dirent __user * previous;
41157 + struct file * file;
41162 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
41163 + loff_t offset, u64 ino, unsigned int d_type)
41165 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
41166 + buf->error = -EINVAL;
41170 #define NOD(NAME, MODE, IOP, FOP, OP) { \
41172 .len = sizeof(NAME) - 1, \
41173 @@ -203,6 +219,9 @@ static int check_mem_permission(struct t
41174 if (task == current)
41177 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
41181 * If current is actively ptrace'ing, and would also be
41182 * permitted to freshly attach with ptrace now, permit it.
41183 @@ -250,6 +269,9 @@ static int proc_pid_cmdline(struct task_
41185 goto out_mm; /* Shh! No looking before we're done */
41187 + if (gr_acl_handle_procpidmem(task))
41190 len = mm->arg_end - mm->arg_start;
41192 if (len > PAGE_SIZE)
41193 @@ -277,12 +299,28 @@ out:
41197 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
41198 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
41199 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
41200 + _mm->pax_flags & MF_PAX_SEGMEXEC))
41203 static int proc_pid_auxv(struct task_struct *task, char *buffer)
41206 struct mm_struct *mm = get_task_mm(task);
41208 unsigned int nwords = 0;
41210 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
41211 + /* allow if we're currently ptracing this task */
41212 + if (PAX_RAND_FLAGS(mm) &&
41213 + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
41221 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
41222 @@ -296,7 +334,7 @@ static int proc_pid_auxv(struct task_str
41226 -#ifdef CONFIG_KALLSYMS
41227 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
41229 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
41230 * Returns the resolved symbol. If that fails, simply return the address.
41231 @@ -318,7 +356,7 @@ static int proc_pid_wchan(struct task_st
41233 #endif /* CONFIG_KALLSYMS */
41235 -#ifdef CONFIG_STACKTRACE
41236 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
41238 #define MAX_STACK_TRACE_DEPTH 64
41240 @@ -503,7 +541,7 @@ static int proc_pid_limits(struct task_s
41244 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
41245 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
41246 static int proc_pid_syscall(struct task_struct *task, char *buffer)
41249 @@ -528,7 +566,7 @@ static int proc_pid_syscall(struct task_
41250 /************************************************************************/
41252 /* permission checks */
41253 -static int proc_fd_access_allowed(struct inode *inode)
41254 +static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
41256 struct task_struct *task;
41258 @@ -538,7 +576,10 @@ static int proc_fd_access_allowed(struct
41260 task = get_proc_task(inode);
41262 - allowed = ptrace_may_access(task, PTRACE_MODE_READ);
41264 + allowed = ptrace_may_access_log(task, PTRACE_MODE_READ);
41266 + allowed = ptrace_may_access(task, PTRACE_MODE_READ);
41267 put_task_struct(task);
41270 @@ -917,6 +958,9 @@ static ssize_t environ_read(struct file
41274 + if (gr_acl_handle_procpidmem(task))
41277 if (!ptrace_may_access(task, PTRACE_MODE_READ))
41280 @@ -1606,7 +1650,7 @@ static void *proc_pid_follow_link(struct
41281 path_put(&nd->path);
41283 /* Are we allowed to snoop on the tasks file descriptors? */
41284 - if (!proc_fd_access_allowed(inode))
41285 + if (!proc_fd_access_allowed(inode,0))
41288 error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
41289 @@ -1645,8 +1689,18 @@ static int proc_pid_readlink(struct dent
41292 /* Are we allowed to snoop on the tasks file descriptors? */
41293 - if (!proc_fd_access_allowed(inode))
41295 + /* logging this is needed for learning on chromium to work properly,
41296 + but we don't want to flood the logs from 'ps' which does a readlink
41297 + on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
41298 + CAP_SYS_PTRACE as it's not necessary for its basic functionality
41300 + if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
41301 + if (!proc_fd_access_allowed(inode,0))
41304 + if (!proc_fd_access_allowed(inode,1))
41308 error = PROC_I(inode)->op.proc_get_link(inode, &path);
41310 @@ -1712,7 +1766,11 @@ static struct inode *proc_pid_make_inode
41312 cred = __task_cred(task);
41313 inode->i_uid = cred->euid;
41314 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
41315 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
41317 inode->i_gid = cred->egid;
41321 security_task_to_inode(task, inode);
41322 @@ -1730,6 +1788,9 @@ static int pid_getattr(struct vfsmount *
41323 struct inode *inode = dentry->d_inode;
41324 struct task_struct *task;
41325 const struct cred *cred;
41326 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
41327 + const struct cred *tmpcred = current_cred();
41330 generic_fillattr(inode, stat);
41332 @@ -1737,12 +1798,34 @@ static int pid_getattr(struct vfsmount *
41335 task = pid_task(proc_pid(inode), PIDTYPE_PID);
41337 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
41338 + rcu_read_unlock();
41343 + cred = __task_cred(task);
41344 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
41345 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
41346 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
41347 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
41351 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
41352 +#ifdef CONFIG_GRKERNSEC_PROC_USER
41353 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
41354 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
41355 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
41357 task_dumpable(task)) {
41358 - cred = __task_cred(task);
41359 stat->uid = cred->euid;
41360 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
41361 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
41363 stat->gid = cred->egid;
41368 @@ -1780,11 +1863,20 @@ static int pid_revalidate(struct dentry
41371 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
41372 +#ifdef CONFIG_GRKERNSEC_PROC_USER
41373 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
41374 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
41375 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
41377 task_dumpable(task)) {
41379 cred = __task_cred(task);
41380 inode->i_uid = cred->euid;
41381 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
41382 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
41384 inode->i_gid = cred->egid;
41389 @@ -1905,7 +1997,8 @@ static int proc_fd_info(struct inode *in
41390 int fd = proc_fd(inode);
41393 - files = get_files_struct(task);
41394 + if (!gr_acl_handle_procpidmem(task))
41395 + files = get_files_struct(task);
41396 put_task_struct(task);
41399 @@ -2165,15 +2258,25 @@ static const struct file_operations proc
41401 static int proc_fd_permission(struct inode *inode, int mask, unsigned int flags)
41403 + struct task_struct *task;
41406 if (flags & IPERM_FLAG_RCU)
41408 rv = generic_permission(inode, mask, flags, NULL);
41412 if (task_pid(current) == proc_pid(inode))
41415 + task = get_proc_task(inode);
41416 + if (task == NULL)
41419 + if (gr_acl_handle_procpidmem(task))
41422 + put_task_struct(task);
41427 @@ -2283,6 +2386,9 @@ static struct dentry *proc_pident_lookup
41431 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
41435 * Yes, it does not scale. And it should not. Don't add
41436 * new entries into /proc/<tgid>/ without very good reasons.
41437 @@ -2327,6 +2433,9 @@ static int proc_pident_readdir(struct fi
41441 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
41447 @@ -2597,7 +2706,7 @@ static void *proc_self_follow_link(struc
41448 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
41451 - char *s = nd_get_link(nd);
41452 + const char *s = nd_get_link(nd);
41456 @@ -2777,7 +2886,7 @@ static const struct pid_entry tgid_base_
41457 REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
41459 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
41460 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
41461 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
41462 INF("syscall", S_IRUSR, proc_pid_syscall),
41464 INF("cmdline", S_IRUGO, proc_pid_cmdline),
41465 @@ -2802,10 +2911,10 @@ static const struct pid_entry tgid_base_
41466 #ifdef CONFIG_SECURITY
41467 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
41469 -#ifdef CONFIG_KALLSYMS
41470 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
41471 INF("wchan", S_IRUGO, proc_pid_wchan),
41473 -#ifdef CONFIG_STACKTRACE
41474 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
41475 ONE("stack", S_IRUSR, proc_pid_stack),
41477 #ifdef CONFIG_SCHEDSTATS
41478 @@ -2836,6 +2945,9 @@ static const struct pid_entry tgid_base_
41479 INF("io", S_IRUGO, proc_tgid_io_accounting),
41481 ONE("nsproxy", S_IRUGO, proc_pid_nsproxy),
41482 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
41483 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
41487 static int proc_tgid_base_readdir(struct file * filp,
41488 @@ -2961,7 +3073,14 @@ static struct dentry *proc_pid_instantia
41492 +#ifdef CONFIG_GRKERNSEC_PROC_USER
41493 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
41494 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
41495 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
41496 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
41498 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
41500 inode->i_op = &proc_tgid_base_inode_operations;
41501 inode->i_fop = &proc_tgid_base_operations;
41502 inode->i_flags|=S_IMMUTABLE;
41503 @@ -3003,7 +3122,11 @@ struct dentry *proc_pid_lookup(struct in
41507 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
41508 + goto out_put_task;
41510 result = proc_pid_instantiate(dir, dentry, task, NULL);
41512 put_task_struct(task);
41515 @@ -3068,6 +3191,11 @@ int proc_pid_readdir(struct file * filp,
41518 struct task_struct *reaper;
41519 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
41520 + const struct cred *tmpcred = current_cred();
41521 + const struct cred *itercred;
41523 + filldir_t __filldir = filldir;
41524 struct tgid_iter iter;
41525 struct pid_namespace *ns;
41527 @@ -3091,8 +3219,27 @@ int proc_pid_readdir(struct file * filp,
41528 for (iter = next_tgid(ns, iter);
41530 iter.tgid += 1, iter = next_tgid(ns, iter)) {
41531 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
41533 + itercred = __task_cred(iter.task);
41535 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
41536 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
41537 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
41538 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
41539 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
41544 + __filldir = &gr_fake_filldir;
41546 + __filldir = filldir;
41547 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
41548 + rcu_read_unlock();
41550 filp->f_pos = iter.tgid + TGID_OFFSET;
41551 if (!vx_proc_task_visible(iter.task))
41553 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
41554 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
41555 put_task_struct(iter.task);
41556 @@ -3119,7 +3266,7 @@ static const struct pid_entry tid_base_s
41557 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
41559 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
41560 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
41561 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
41562 INF("syscall", S_IRUSR, proc_pid_syscall),
41564 INF("cmdline", S_IRUGO, proc_pid_cmdline),
41565 @@ -3143,10 +3290,10 @@ static const struct pid_entry tid_base_s
41566 #ifdef CONFIG_SECURITY
41567 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
41569 -#ifdef CONFIG_KALLSYMS
41570 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
41571 INF("wchan", S_IRUGO, proc_pid_wchan),
41573 -#ifdef CONFIG_STACKTRACE
41574 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
41575 ONE("stack", S_IRUSR, proc_pid_stack),
41577 #ifdef CONFIG_SCHEDSTATS
41578 diff -urNp linux-2.6.38.6/fs/proc/cmdline.c linux-2.6.38.6/fs/proc/cmdline.c
41579 --- linux-2.6.38.6/fs/proc/cmdline.c 2011-03-14 21:20:32.000000000 -0400
41580 +++ linux-2.6.38.6/fs/proc/cmdline.c 2011-04-28 19:34:15.000000000 -0400
41581 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
41583 static int __init proc_cmdline_init(void)
41585 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
41586 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
41588 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
41592 module_init(proc_cmdline_init);
41593 diff -urNp linux-2.6.38.6/fs/proc/devices.c linux-2.6.38.6/fs/proc/devices.c
41594 --- linux-2.6.38.6/fs/proc/devices.c 2011-03-14 21:20:32.000000000 -0400
41595 +++ linux-2.6.38.6/fs/proc/devices.c 2011-04-28 19:34:15.000000000 -0400
41596 @@ -64,7 +64,11 @@ static const struct file_operations proc
41598 static int __init proc_devices_init(void)
41600 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
41601 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
41603 proc_create("devices", 0, NULL, &proc_devinfo_operations);
41607 module_init(proc_devices_init);
41608 diff -urNp linux-2.6.38.6/fs/proc/inode.c linux-2.6.38.6/fs/proc/inode.c
41609 --- linux-2.6.38.6/fs/proc/inode.c 2011-03-14 21:20:32.000000000 -0400
41610 +++ linux-2.6.38.6/fs/proc/inode.c 2011-04-28 19:34:15.000000000 -0400
41611 @@ -435,7 +435,11 @@ struct inode *proc_get_inode(struct supe
41613 inode->i_mode = de->mode;
41614 inode->i_uid = de->uid;
41615 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
41616 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
41618 inode->i_gid = de->gid;
41622 inode->i_size = de->size;
41623 diff -urNp linux-2.6.38.6/fs/proc/internal.h linux-2.6.38.6/fs/proc/internal.h
41624 --- linux-2.6.38.6/fs/proc/internal.h 2011-03-14 21:20:32.000000000 -0400
41625 +++ linux-2.6.38.6/fs/proc/internal.h 2011-04-28 19:34:15.000000000 -0400
41626 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
41627 extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
41628 struct pid *pid, struct task_struct *task);
41630 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
41631 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
41633 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
41635 extern const struct file_operations proc_maps_operations;
41636 diff -urNp linux-2.6.38.6/fs/proc/Kconfig linux-2.6.38.6/fs/proc/Kconfig
41637 --- linux-2.6.38.6/fs/proc/Kconfig 2011-03-14 21:20:32.000000000 -0400
41638 +++ linux-2.6.38.6/fs/proc/Kconfig 2011-04-28 19:34:15.000000000 -0400
41639 @@ -30,12 +30,12 @@ config PROC_FS
41642 bool "/proc/kcore support" if !ARM
41643 - depends on PROC_FS && MMU
41644 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
41647 bool "/proc/vmcore support"
41648 - depends on PROC_FS && CRASH_DUMP
41650 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
41653 Exports the dump image of crashed kernel in ELF format.
41655 @@ -59,8 +59,8 @@ config PROC_SYSCTL
41658 config PROC_PAGE_MONITOR
41660 - depends on PROC_FS && MMU
41662 + depends on PROC_FS && MMU && !GRKERNSEC
41663 bool "Enable /proc page monitoring" if EXPERT
41665 Various /proc files exist to monitor process memory utilization:
41666 diff -urNp linux-2.6.38.6/fs/proc/kcore.c linux-2.6.38.6/fs/proc/kcore.c
41667 --- linux-2.6.38.6/fs/proc/kcore.c 2011-03-14 21:20:32.000000000 -0400
41668 +++ linux-2.6.38.6/fs/proc/kcore.c 2011-05-16 21:47:08.000000000 -0400
41669 @@ -321,6 +321,8 @@ static void elf_kcore_store_hdr(char *bu
41671 struct kcore_list *m;
41673 + pax_track_stack();
41675 /* setup ELF header */
41676 elf = (struct elfhdr *) bufp;
41677 bufp += sizeof(struct elfhdr);
41678 @@ -478,9 +480,10 @@ read_kcore(struct file *file, char __use
41679 * the addresses in the elf_phdr on our list.
41681 start = kc_offset_to_vaddr(*fpos - elf_buflen);
41682 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
41683 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
41684 + if (tsz > buflen)
41689 struct kcore_list *m;
41691 @@ -509,20 +512,23 @@ read_kcore(struct file *file, char __use
41694 if (kern_addr_valid(start)) {
41697 + mm_segment_t oldfs;
41699 - n = copy_to_user(buffer, (char *)start, tsz);
41701 - * We cannot distingush between fault on source
41702 - * and fault on destination. When this happens
41703 - * we clear too and hope it will trigger the
41707 - if (clear_user(buffer + tsz - n,
41709 + elf_buf = kmalloc(tsz, GFP_KERNEL);
41712 + oldfs = get_fs();
41713 + set_fs(KERNEL_DS);
41714 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
41716 + if (copy_to_user(buffer, elf_buf, tsz)) {
41724 if (clear_user(buffer, tsz))
41726 @@ -542,6 +548,9 @@ read_kcore(struct file *file, char __use
41728 static int open_kcore(struct inode *inode, struct file *filp)
41730 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
41733 if (!capable(CAP_SYS_RAWIO))
41735 if (kcore_need_update)
41736 diff -urNp linux-2.6.38.6/fs/proc/meminfo.c linux-2.6.38.6/fs/proc/meminfo.c
41737 --- linux-2.6.38.6/fs/proc/meminfo.c 2011-03-14 21:20:32.000000000 -0400
41738 +++ linux-2.6.38.6/fs/proc/meminfo.c 2011-05-16 21:47:08.000000000 -0400
41739 @@ -29,6 +29,8 @@ static int meminfo_proc_show(struct seq_
41740 unsigned long pages[NR_LRU_LISTS];
41743 + pax_track_stack();
41746 * display in kilobytes.
41748 @@ -157,7 +159,7 @@ static int meminfo_proc_show(struct seq_
41750 vmi.largest_chunk >> 10
41751 #ifdef CONFIG_MEMORY_FAILURE
41752 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
41753 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
41755 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
41756 ,K(global_page_state(NR_ANON_TRANSPARENT_HUGEPAGES) *
41757 diff -urNp linux-2.6.38.6/fs/proc/nommu.c linux-2.6.38.6/fs/proc/nommu.c
41758 --- linux-2.6.38.6/fs/proc/nommu.c 2011-03-14 21:20:32.000000000 -0400
41759 +++ linux-2.6.38.6/fs/proc/nommu.c 2011-04-28 19:34:15.000000000 -0400
41760 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
41763 seq_printf(m, "%*c", len, ' ');
41764 - seq_path(m, &file->f_path, "");
41765 + seq_path(m, &file->f_path, "\n\\");
41769 diff -urNp linux-2.6.38.6/fs/proc/proc_net.c linux-2.6.38.6/fs/proc/proc_net.c
41770 --- linux-2.6.38.6/fs/proc/proc_net.c 2011-03-14 21:20:32.000000000 -0400
41771 +++ linux-2.6.38.6/fs/proc/proc_net.c 2011-04-28 19:34:15.000000000 -0400
41772 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
41773 struct task_struct *task;
41774 struct nsproxy *ns;
41775 struct net *net = NULL;
41776 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
41777 + const struct cred *cred = current_cred();
41780 +#ifdef CONFIG_GRKERNSEC_PROC_USER
41783 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
41784 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
41789 task = pid_task(proc_pid(dir), PIDTYPE_PID);
41790 diff -urNp linux-2.6.38.6/fs/proc/proc_sysctl.c linux-2.6.38.6/fs/proc/proc_sysctl.c
41791 --- linux-2.6.38.6/fs/proc/proc_sysctl.c 2011-03-14 21:20:32.000000000 -0400
41792 +++ linux-2.6.38.6/fs/proc/proc_sysctl.c 2011-04-28 19:34:15.000000000 -0400
41794 #include <linux/namei.h>
41795 #include "internal.h"
41797 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
41799 static const struct dentry_operations proc_sys_dentry_operations;
41800 static const struct file_operations proc_sys_file_operations;
41801 static const struct inode_operations proc_sys_inode_operations;
41802 @@ -112,6 +114,9 @@ static struct dentry *proc_sys_lookup(st
41806 + if (gr_handle_sysctl(p, MAY_EXEC))
41809 err = ERR_PTR(-ENOMEM);
41810 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
41812 @@ -231,6 +236,9 @@ static int scan(struct ctl_table_header
41813 if (*pos < file->f_pos)
41816 + if (gr_handle_sysctl(table, 0))
41819 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
41822 @@ -359,6 +367,9 @@ static int proc_sys_getattr(struct vfsmo
41824 return PTR_ERR(head);
41826 + if (table && gr_handle_sysctl(table, MAY_EXEC))
41829 generic_fillattr(inode, stat);
41831 stat->mode = (stat->mode & S_IFMT) | table->mode;
41832 diff -urNp linux-2.6.38.6/fs/proc/root.c linux-2.6.38.6/fs/proc/root.c
41833 --- linux-2.6.38.6/fs/proc/root.c 2011-03-14 21:20:32.000000000 -0400
41834 +++ linux-2.6.38.6/fs/proc/root.c 2011-04-28 19:34:15.000000000 -0400
41835 @@ -132,7 +132,15 @@ void __init proc_root_init(void)
41836 #ifdef CONFIG_PROC_DEVICETREE
41837 proc_device_tree_init();
41839 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
41840 +#ifdef CONFIG_GRKERNSEC_PROC_USER
41841 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
41842 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
41843 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
41846 proc_mkdir("bus", NULL);
41851 diff -urNp linux-2.6.38.6/fs/proc/task_mmu.c linux-2.6.38.6/fs/proc/task_mmu.c
41852 --- linux-2.6.38.6/fs/proc/task_mmu.c 2011-04-18 17:27:16.000000000 -0400
41853 +++ linux-2.6.38.6/fs/proc/task_mmu.c 2011-04-28 19:34:15.000000000 -0400
41854 @@ -49,8 +49,13 @@ void task_mem(struct seq_file *m, struct
41855 "VmExe:\t%8lu kB\n"
41856 "VmLib:\t%8lu kB\n"
41857 "VmPTE:\t%8lu kB\n"
41858 - "VmSwap:\t%8lu kB\n",
41859 - hiwater_vm << (PAGE_SHIFT-10),
41860 + "VmSwap:\t%8lu kB\n"
41862 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
41863 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
41866 + ,hiwater_vm << (PAGE_SHIFT-10),
41867 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
41868 mm->locked_vm << (PAGE_SHIFT-10),
41869 hiwater_rss << (PAGE_SHIFT-10),
41870 @@ -58,7 +63,13 @@ void task_mem(struct seq_file *m, struct
41871 data << (PAGE_SHIFT-10),
41872 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
41873 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
41874 - swap << (PAGE_SHIFT-10));
41875 + swap << (PAGE_SHIFT-10)
41877 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
41878 + , mm->context.user_cs_base, mm->context.user_cs_limit
41884 unsigned long task_vsize(struct mm_struct *mm)
41885 @@ -180,7 +191,8 @@ static void m_stop(struct seq_file *m, v
41886 struct proc_maps_private *priv = m->private;
41887 struct vm_area_struct *vma = v;
41889 - vma_stop(priv, vma);
41890 + if (!IS_ERR(vma))
41891 + vma_stop(priv, vma);
41893 put_task_struct(priv->task);
41895 @@ -204,6 +216,12 @@ static int do_maps_open(struct inode *in
41899 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
41900 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
41901 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
41902 + _mm->pax_flags & MF_PAX_SEGMEXEC))
41905 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
41907 struct mm_struct *mm = vma->vm_mm;
41908 @@ -211,7 +229,6 @@ static void show_map_vma(struct seq_file
41909 int flags = vma->vm_flags;
41910 unsigned long ino = 0;
41911 unsigned long long pgoff = 0;
41912 - unsigned long start;
41916 @@ -222,20 +239,23 @@ static void show_map_vma(struct seq_file
41917 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
41920 - /* We don't show the stack guard page in /proc/maps */
41921 - start = vma->vm_start;
41922 - if (vma->vm_flags & VM_GROWSDOWN)
41923 - if (!vma_stack_continue(vma->vm_prev, vma->vm_start))
41924 - start += PAGE_SIZE;
41926 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
41928 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
41929 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
41930 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
41935 flags & VM_READ ? 'r' : '-',
41936 flags & VM_WRITE ? 'w' : '-',
41937 flags & VM_EXEC ? 'x' : '-',
41938 flags & VM_MAYSHARE ? 's' : 'p',
41939 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
41940 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
41944 MAJOR(dev), MINOR(dev), ino, &len);
41947 @@ -244,16 +264,16 @@ static void show_map_vma(struct seq_file
41950 pad_len_spaces(m, len);
41951 - seq_path(m, &file->f_path, "\n");
41952 + seq_path(m, &file->f_path, "\n\\");
41954 const char *name = arch_vma_name(vma);
41957 - if (vma->vm_start <= mm->brk &&
41958 - vma->vm_end >= mm->start_brk) {
41959 + if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
41961 - } else if (vma->vm_start <= mm->start_stack &&
41962 - vma->vm_end >= mm->start_stack) {
41963 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
41964 + (vma->vm_start <= mm->start_stack &&
41965 + vma->vm_end >= mm->start_stack)) {
41969 @@ -399,11 +419,16 @@ static int show_smap(struct seq_file *m,
41972 memset(&mss, 0, sizeof mss);
41974 - /* mmap_sem is held in m_start */
41975 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
41976 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
41978 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
41979 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
41982 + /* mmap_sem is held in m_start */
41983 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
41984 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
41985 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
41988 show_map_vma(m, vma);
41991 @@ -420,7 +445,11 @@ static int show_smap(struct seq_file *m,
41992 "KernelPageSize: %8lu kB\n"
41993 "MMUPageSize: %8lu kB\n"
41994 "Locked: %8lu kB\n",
41995 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
41996 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
41998 (vma->vm_end - vma->vm_start) >> 10,
42000 mss.resident >> 10,
42001 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
42002 mss.shared_clean >> 10,
42003 diff -urNp linux-2.6.38.6/fs/proc/task_nommu.c linux-2.6.38.6/fs/proc/task_nommu.c
42004 --- linux-2.6.38.6/fs/proc/task_nommu.c 2011-03-14 21:20:32.000000000 -0400
42005 +++ linux-2.6.38.6/fs/proc/task_nommu.c 2011-04-28 19:34:15.000000000 -0400
42006 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
42008 bytes += kobjsize(mm);
42010 - if (current->fs && current->fs->users > 1)
42011 + if (current->fs && atomic_read(¤t->fs->users) > 1)
42012 sbytes += kobjsize(current->fs);
42014 bytes += kobjsize(current->fs);
42015 @@ -166,7 +166,7 @@ static int nommu_vma_show(struct seq_fil
42018 pad_len_spaces(m, len);
42019 - seq_path(m, &file->f_path, "");
42020 + seq_path(m, &file->f_path, "\n\\");
42022 if (vma->vm_start <= mm->start_stack &&
42023 vma->vm_end >= mm->start_stack) {
42024 diff -urNp linux-2.6.38.6/fs/quota/netlink.c linux-2.6.38.6/fs/quota/netlink.c
42025 --- linux-2.6.38.6/fs/quota/netlink.c 2011-03-14 21:20:32.000000000 -0400
42026 +++ linux-2.6.38.6/fs/quota/netlink.c 2011-04-28 19:57:25.000000000 -0400
42027 @@ -33,7 +33,7 @@ static struct genl_family quota_genl_fam
42028 void quota_send_warning(short type, unsigned int id, dev_t dev,
42029 const char warntype)
42031 - static atomic_t seq;
42032 + static atomic_unchecked_t seq;
42033 struct sk_buff *skb;
42036 @@ -49,7 +49,7 @@ void quota_send_warning(short type, unsi
42037 "VFS: Not enough memory to send quota warning.\n");
42040 - msg_head = genlmsg_put(skb, 0, atomic_add_return(1, &seq),
42041 + msg_head = genlmsg_put(skb, 0, atomic_add_return_unchecked(1, &seq),
42042 "a_genl_family, 0, QUOTA_NL_C_WARNING);
42045 diff -urNp linux-2.6.38.6/fs/readdir.c linux-2.6.38.6/fs/readdir.c
42046 --- linux-2.6.38.6/fs/readdir.c 2011-03-14 21:20:32.000000000 -0400
42047 +++ linux-2.6.38.6/fs/readdir.c 2011-04-28 19:34:15.000000000 -0400
42049 #include <linux/security.h>
42050 #include <linux/syscalls.h>
42051 #include <linux/unistd.h>
42052 +#include <linux/namei.h>
42054 #include <asm/uaccess.h>
42056 @@ -67,6 +68,7 @@ struct old_linux_dirent {
42058 struct readdir_callback {
42059 struct old_linux_dirent __user * dirent;
42060 + struct file * file;
42064 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
42065 buf->result = -EOVERFLOW;
42069 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
42073 dirent = buf->dirent;
42074 if (!access_ok(VERIFY_WRITE, dirent,
42075 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
42078 buf.dirent = dirent;
42081 error = vfs_readdir(file, fillonedir, &buf);
42083 @@ -142,6 +149,7 @@ struct linux_dirent {
42084 struct getdents_callback {
42085 struct linux_dirent __user * current_dir;
42086 struct linux_dirent __user * previous;
42087 + struct file * file;
42091 @@ -163,6 +171,10 @@ static int filldir(void * __buf, const c
42092 buf->error = -EOVERFLOW;
42096 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
42099 dirent = buf->previous;
42101 if (__put_user(offset, &dirent->d_off))
42102 @@ -210,6 +222,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
42103 buf.previous = NULL;
42108 error = vfs_readdir(file, filldir, &buf);
42110 @@ -229,6 +242,7 @@ out:
42111 struct getdents_callback64 {
42112 struct linux_dirent64 __user * current_dir;
42113 struct linux_dirent64 __user * previous;
42114 + struct file *file;
42118 @@ -244,6 +258,10 @@ static int filldir64(void * __buf, const
42119 buf->error = -EINVAL; /* only used if we fail.. */
42120 if (reclen > buf->count)
42123 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
42126 dirent = buf->previous;
42128 if (__put_user(offset, &dirent->d_off))
42129 @@ -291,6 +309,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
42131 buf.current_dir = dirent;
42132 buf.previous = NULL;
42137 diff -urNp linux-2.6.38.6/fs/reiserfs/dir.c linux-2.6.38.6/fs/reiserfs/dir.c
42138 --- linux-2.6.38.6/fs/reiserfs/dir.c 2011-03-14 21:20:32.000000000 -0400
42139 +++ linux-2.6.38.6/fs/reiserfs/dir.c 2011-05-16 21:47:09.000000000 -0400
42140 @@ -66,6 +66,8 @@ int reiserfs_readdir_dentry(struct dentr
42141 struct reiserfs_dir_entry de;
42144 + pax_track_stack();
42146 reiserfs_write_lock(inode->i_sb);
42148 reiserfs_check_lock_depth(inode->i_sb, "readdir");
42149 diff -urNp linux-2.6.38.6/fs/reiserfs/do_balan.c linux-2.6.38.6/fs/reiserfs/do_balan.c
42150 --- linux-2.6.38.6/fs/reiserfs/do_balan.c 2011-03-14 21:20:32.000000000 -0400
42151 +++ linux-2.6.38.6/fs/reiserfs/do_balan.c 2011-04-28 19:34:15.000000000 -0400
42152 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
42156 - atomic_inc(&(fs_generation(tb->tb_sb)));
42157 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
42158 do_balance_starts(tb);
42160 /* balance leaf returns 0 except if combining L R and S into
42161 diff -urNp linux-2.6.38.6/fs/reiserfs/item_ops.c linux-2.6.38.6/fs/reiserfs/item_ops.c
42162 --- linux-2.6.38.6/fs/reiserfs/item_ops.c 2011-03-14 21:20:32.000000000 -0400
42163 +++ linux-2.6.38.6/fs/reiserfs/item_ops.c 2011-04-28 19:34:15.000000000 -0400
42164 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
42165 vi->vi_index, vi->vi_type, vi->vi_ih);
42168 -static struct item_operations stat_data_ops = {
42169 +static const struct item_operations stat_data_ops = {
42170 .bytes_number = sd_bytes_number,
42171 .decrement_key = sd_decrement_key,
42172 .is_left_mergeable = sd_is_left_mergeable,
42173 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
42174 vi->vi_index, vi->vi_type, vi->vi_ih);
42177 -static struct item_operations direct_ops = {
42178 +static const struct item_operations direct_ops = {
42179 .bytes_number = direct_bytes_number,
42180 .decrement_key = direct_decrement_key,
42181 .is_left_mergeable = direct_is_left_mergeable,
42182 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
42183 vi->vi_index, vi->vi_type, vi->vi_ih);
42186 -static struct item_operations indirect_ops = {
42187 +static const struct item_operations indirect_ops = {
42188 .bytes_number = indirect_bytes_number,
42189 .decrement_key = indirect_decrement_key,
42190 .is_left_mergeable = indirect_is_left_mergeable,
42191 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
42195 -static struct item_operations direntry_ops = {
42196 +static const struct item_operations direntry_ops = {
42197 .bytes_number = direntry_bytes_number,
42198 .decrement_key = direntry_decrement_key,
42199 .is_left_mergeable = direntry_is_left_mergeable,
42200 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
42201 "Invalid item type observed, run fsck ASAP");
42204 -static struct item_operations errcatch_ops = {
42205 +static const struct item_operations errcatch_ops = {
42206 errcatch_bytes_number,
42207 errcatch_decrement_key,
42208 errcatch_is_left_mergeable,
42209 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
42210 #error Item types must use disk-format assigned values.
42213 -struct item_operations *item_ops[TYPE_ANY + 1] = {
42214 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
42218 diff -urNp linux-2.6.38.6/fs/reiserfs/journal.c linux-2.6.38.6/fs/reiserfs/journal.c
42219 --- linux-2.6.38.6/fs/reiserfs/journal.c 2011-03-14 21:20:32.000000000 -0400
42220 +++ linux-2.6.38.6/fs/reiserfs/journal.c 2011-05-16 21:47:09.000000000 -0400
42221 @@ -2299,6 +2299,8 @@ static struct buffer_head *reiserfs_brea
42222 struct buffer_head *bh;
42225 + pax_track_stack();
42227 bh = __getblk(dev, block, bufsize);
42228 if (buffer_uptodate(bh))
42230 diff -urNp linux-2.6.38.6/fs/reiserfs/namei.c linux-2.6.38.6/fs/reiserfs/namei.c
42231 --- linux-2.6.38.6/fs/reiserfs/namei.c 2011-03-14 21:20:32.000000000 -0400
42232 +++ linux-2.6.38.6/fs/reiserfs/namei.c 2011-05-16 21:47:09.000000000 -0400
42233 @@ -1228,6 +1228,8 @@ static int reiserfs_rename(struct inode
42234 unsigned long savelink = 1;
42235 struct timespec ctime;
42237 + pax_track_stack();
42239 /* three balancings: (1) old name removal, (2) new name insertion
42240 and (3) maybe "save" link insertion
42241 stat data updates: (1) old directory,
42242 diff -urNp linux-2.6.38.6/fs/reiserfs/procfs.c linux-2.6.38.6/fs/reiserfs/procfs.c
42243 --- linux-2.6.38.6/fs/reiserfs/procfs.c 2011-03-14 21:20:32.000000000 -0400
42244 +++ linux-2.6.38.6/fs/reiserfs/procfs.c 2011-05-16 21:47:08.000000000 -0400
42245 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
42246 "SMALL_TAILS " : "NO_TAILS ",
42247 replay_only(sb) ? "REPLAY_ONLY " : "",
42248 convert_reiserfs(sb) ? "CONV " : "",
42249 - atomic_read(&r->s_generation_counter),
42250 + atomic_read_unchecked(&r->s_generation_counter),
42251 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
42252 SF(s_do_balance), SF(s_unneeded_left_neighbor),
42253 SF(s_good_search_by_key_reada), SF(s_bmaps),
42254 @@ -299,6 +299,8 @@ static int show_journal(struct seq_file
42255 struct journal_params *jp = &rs->s_v1.s_journal;
42256 char b[BDEVNAME_SIZE];
42258 + pax_track_stack();
42260 seq_printf(m, /* on-disk fields */
42261 "jp_journal_1st_block: \t%i\n"
42262 "jp_journal_dev: \t%s[%x]\n"
42263 diff -urNp linux-2.6.38.6/fs/reiserfs/stree.c linux-2.6.38.6/fs/reiserfs/stree.c
42264 --- linux-2.6.38.6/fs/reiserfs/stree.c 2011-03-14 21:20:32.000000000 -0400
42265 +++ linux-2.6.38.6/fs/reiserfs/stree.c 2011-05-16 21:47:09.000000000 -0400
42266 @@ -1196,6 +1196,8 @@ int reiserfs_delete_item(struct reiserfs
42270 + pax_track_stack();
42272 BUG_ON(!th->t_trans_id);
42274 init_tb_struct(th, &s_del_balance, sb, path,
42275 @@ -1333,6 +1335,8 @@ void reiserfs_delete_solid_item(struct r
42277 int quota_cut_bytes = 0;
42279 + pax_track_stack();
42281 BUG_ON(!th->t_trans_id);
42283 le_key2cpu_key(&cpu_key, key);
42284 @@ -1562,6 +1566,8 @@ int reiserfs_cut_from_item(struct reiser
42285 int quota_cut_bytes;
42286 loff_t tail_pos = 0;
42288 + pax_track_stack();
42290 BUG_ON(!th->t_trans_id);
42292 init_tb_struct(th, &s_cut_balance, inode->i_sb, path,
42293 @@ -1957,6 +1963,8 @@ int reiserfs_paste_into_item(struct reis
42297 + pax_track_stack();
42299 BUG_ON(!th->t_trans_id);
42301 fs_gen = get_generation(inode->i_sb);
42302 @@ -2045,6 +2053,8 @@ int reiserfs_insert_item(struct reiserfs
42304 int quota_bytes = 0;
42306 + pax_track_stack();
42308 BUG_ON(!th->t_trans_id);
42310 if (inode) { /* Do we count quotas for item? */
42311 diff -urNp linux-2.6.38.6/fs/reiserfs/super.c linux-2.6.38.6/fs/reiserfs/super.c
42312 --- linux-2.6.38.6/fs/reiserfs/super.c 2011-03-14 21:20:32.000000000 -0400
42313 +++ linux-2.6.38.6/fs/reiserfs/super.c 2011-05-16 21:47:09.000000000 -0400
42314 @@ -927,6 +927,8 @@ static int reiserfs_parse_options(struct
42315 {.option_name = NULL}
42318 + pax_track_stack();
42321 if (!options || !*options)
42322 /* use default configuration: create tails, journaling on, no
42323 diff -urNp linux-2.6.38.6/fs/select.c linux-2.6.38.6/fs/select.c
42324 --- linux-2.6.38.6/fs/select.c 2011-03-14 21:20:32.000000000 -0400
42325 +++ linux-2.6.38.6/fs/select.c 2011-05-16 21:47:08.000000000 -0400
42327 #include <linux/module.h>
42328 #include <linux/slab.h>
42329 #include <linux/poll.h>
42330 +#include <linux/security.h>
42331 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
42332 #include <linux/file.h>
42333 #include <linux/fdtable.h>
42334 @@ -403,6 +404,8 @@ int do_select(int n, fd_set_bits *fds, s
42335 int retval, i, timed_out = 0;
42336 unsigned long slack = 0;
42338 + pax_track_stack();
42341 retval = max_select_fd(n, fds);
42343 @@ -531,6 +534,8 @@ int core_sys_select(int n, fd_set __user
42344 /* Allocate small arguments on the stack to save memory and be faster */
42345 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
42347 + pax_track_stack();
42352 @@ -840,6 +845,9 @@ int do_sys_poll(struct pollfd __user *uf
42353 struct poll_list *walk = head;
42354 unsigned long todo = nfds;
42356 + pax_track_stack();
42358 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
42359 if (nfds > rlimit(RLIMIT_NOFILE))
42362 diff -urNp linux-2.6.38.6/fs/seq_file.c linux-2.6.38.6/fs/seq_file.c
42363 --- linux-2.6.38.6/fs/seq_file.c 2011-03-14 21:20:32.000000000 -0400
42364 +++ linux-2.6.38.6/fs/seq_file.c 2011-04-28 19:34:15.000000000 -0400
42365 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
42369 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
42370 + m->size = PAGE_SIZE;
42371 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
42375 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
42379 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
42381 + m->buf = kmalloc(m->size, GFP_KERNEL);
42382 return !m->buf ? -ENOMEM : -EAGAIN;
42385 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
42386 m->version = file->f_version;
42387 /* grab buffer if we didn't have one */
42389 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
42390 + m->size = PAGE_SIZE;
42391 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
42395 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
42399 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
42401 + m->buf = kmalloc(m->size, GFP_KERNEL);
42405 diff -urNp linux-2.6.38.6/fs/splice.c linux-2.6.38.6/fs/splice.c
42406 --- linux-2.6.38.6/fs/splice.c 2011-03-14 21:20:32.000000000 -0400
42407 +++ linux-2.6.38.6/fs/splice.c 2011-05-16 21:47:08.000000000 -0400
42408 @@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode
42412 - if (!pipe->readers) {
42413 + if (!atomic_read(&pipe->readers)) {
42414 send_sig(SIGPIPE, current, 0);
42417 @@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode
42421 - pipe->waiting_writers++;
42422 + atomic_inc(&pipe->waiting_writers);
42424 - pipe->waiting_writers--;
42425 + atomic_dec(&pipe->waiting_writers);
42429 @@ -316,6 +316,8 @@ __generic_file_splice_read(struct file *
42430 .spd_release = spd_release_page,
42433 + pax_track_stack();
42435 if (splice_grow_spd(pipe, &spd))
42438 @@ -556,7 +558,7 @@ static ssize_t kernel_readv(struct file
42441 /* The cast to a user pointer is valid due to the set_fs() */
42442 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
42443 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
42447 @@ -571,7 +573,7 @@ static ssize_t kernel_write(struct file
42450 /* The cast to a user pointer is valid due to the set_fs() */
42451 - res = vfs_write(file, (const char __user *)buf, count, &pos);
42452 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
42456 @@ -599,6 +601,8 @@ ssize_t default_file_splice_read(struct
42457 .spd_release = spd_release_page,
42460 + pax_track_stack();
42462 if (splice_grow_spd(pipe, &spd))
42465 @@ -622,7 +626,7 @@ ssize_t default_file_splice_read(struct
42468 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
42469 - vec[i].iov_base = (void __user *) page_address(page);
42470 + vec[i].iov_base = (__force void __user *) page_address(page);
42471 vec[i].iov_len = this_len;
42472 spd.pages[i] = page;
42474 @@ -842,10 +846,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
42475 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
42477 while (!pipe->nrbufs) {
42478 - if (!pipe->writers)
42479 + if (!atomic_read(&pipe->writers))
42482 - if (!pipe->waiting_writers && sd->num_spliced)
42483 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
42486 if (sd->flags & SPLICE_F_NONBLOCK)
42487 @@ -1178,7 +1182,7 @@ ssize_t splice_direct_to_actor(struct fi
42488 * out of the pipe right after the splice_to_pipe(). So set
42489 * PIPE_READERS appropriately.
42491 - pipe->readers = 1;
42492 + atomic_set(&pipe->readers, 1);
42494 current->splice_pipe = pipe;
42496 @@ -1615,6 +1619,8 @@ static long vmsplice_to_pipe(struct file
42500 + pax_track_stack();
42502 pipe = get_pipe_info(file);
42505 @@ -1730,9 +1736,9 @@ static int ipipe_prep(struct pipe_inode_
42506 ret = -ERESTARTSYS;
42509 - if (!pipe->writers)
42510 + if (!atomic_read(&pipe->writers))
42512 - if (!pipe->waiting_writers) {
42513 + if (!atomic_read(&pipe->waiting_writers)) {
42514 if (flags & SPLICE_F_NONBLOCK) {
42517 @@ -1764,7 +1770,7 @@ static int opipe_prep(struct pipe_inode_
42520 while (pipe->nrbufs >= pipe->buffers) {
42521 - if (!pipe->readers) {
42522 + if (!atomic_read(&pipe->readers)) {
42523 send_sig(SIGPIPE, current, 0);
42526 @@ -1777,9 +1783,9 @@ static int opipe_prep(struct pipe_inode_
42527 ret = -ERESTARTSYS;
42530 - pipe->waiting_writers++;
42531 + atomic_inc(&pipe->waiting_writers);
42533 - pipe->waiting_writers--;
42534 + atomic_dec(&pipe->waiting_writers);
42538 @@ -1815,14 +1821,14 @@ retry:
42539 pipe_double_lock(ipipe, opipe);
42542 - if (!opipe->readers) {
42543 + if (!atomic_read(&opipe->readers)) {
42544 send_sig(SIGPIPE, current, 0);
42550 - if (!ipipe->nrbufs && !ipipe->writers)
42551 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
42555 @@ -1922,7 +1928,7 @@ static int link_pipe(struct pipe_inode_i
42556 pipe_double_lock(ipipe, opipe);
42559 - if (!opipe->readers) {
42560 + if (!atomic_read(&opipe->readers)) {
42561 send_sig(SIGPIPE, current, 0);
42564 @@ -1967,7 +1973,7 @@ static int link_pipe(struct pipe_inode_i
42565 * return EAGAIN if we have the potential of some data in the
42566 * future, otherwise just return 0
42568 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
42569 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
42572 pipe_unlock(ipipe);
42573 diff -urNp linux-2.6.38.6/fs/sysfs/file.c linux-2.6.38.6/fs/sysfs/file.c
42574 --- linux-2.6.38.6/fs/sysfs/file.c 2011-03-14 21:20:32.000000000 -0400
42575 +++ linux-2.6.38.6/fs/sysfs/file.c 2011-04-28 19:57:25.000000000 -0400
42576 @@ -44,7 +44,7 @@ static DEFINE_SPINLOCK(sysfs_open_dirent
42578 struct sysfs_open_dirent {
42581 + atomic_unchecked_t event;
42582 wait_queue_head_t poll;
42583 struct list_head buffers; /* goes through sysfs_buffer.list */
42585 @@ -88,7 +88,7 @@ static int fill_read_buffer(struct dentr
42586 if (!sysfs_get_active(attr_sd))
42589 - buffer->event = atomic_read(&attr_sd->s_attr.open->event);
42590 + buffer->event = atomic_read_unchecked(&attr_sd->s_attr.open->event);
42591 count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);
42593 sysfs_put_active(attr_sd);
42594 @@ -294,7 +294,7 @@ static int sysfs_get_open_dirent(struct
42597 atomic_set(&new_od->refcnt, 0);
42598 - atomic_set(&new_od->event, 1);
42599 + atomic_set_unchecked(&new_od->event, 1);
42600 init_waitqueue_head(&new_od->poll);
42601 INIT_LIST_HEAD(&new_od->buffers);
42603 @@ -444,7 +444,7 @@ static unsigned int sysfs_poll(struct fi
42605 sysfs_put_active(attr_sd);
42607 - if (buffer->event != atomic_read(&od->event))
42608 + if (buffer->event != atomic_read_unchecked(&od->event))
42611 return DEFAULT_POLLMASK;
42612 @@ -463,7 +463,7 @@ void sysfs_notify_dirent(struct sysfs_di
42614 od = sd->s_attr.open;
42616 - atomic_inc(&od->event);
42617 + atomic_inc_unchecked(&od->event);
42618 wake_up_interruptible(&od->poll);
42621 diff -urNp linux-2.6.38.6/fs/sysfs/mount.c linux-2.6.38.6/fs/sysfs/mount.c
42622 --- linux-2.6.38.6/fs/sysfs/mount.c 2011-03-14 21:20:32.000000000 -0400
42623 +++ linux-2.6.38.6/fs/sysfs/mount.c 2011-04-28 19:34:15.000000000 -0400
42624 @@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
42626 .s_count = ATOMIC_INIT(1),
42627 .s_flags = SYSFS_DIR | (KOBJ_NS_TYPE_NONE << SYSFS_NS_TYPE_SHIFT),
42628 +#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
42629 + .s_mode = S_IFDIR | S_IRWXU,
42631 .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
42636 diff -urNp linux-2.6.38.6/fs/sysfs/symlink.c linux-2.6.38.6/fs/sysfs/symlink.c
42637 --- linux-2.6.38.6/fs/sysfs/symlink.c 2011-03-14 21:20:32.000000000 -0400
42638 +++ linux-2.6.38.6/fs/sysfs/symlink.c 2011-04-28 19:34:15.000000000 -0400
42639 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
42641 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
42643 - char *page = nd_get_link(nd);
42644 + const char *page = nd_get_link(nd);
42646 free_page((unsigned long)page);
42648 diff -urNp linux-2.6.38.6/fs/udf/inode.c linux-2.6.38.6/fs/udf/inode.c
42649 --- linux-2.6.38.6/fs/udf/inode.c 2011-03-14 21:20:32.000000000 -0400
42650 +++ linux-2.6.38.6/fs/udf/inode.c 2011-05-16 21:47:09.000000000 -0400
42651 @@ -477,6 +477,8 @@ static struct buffer_head *inode_getblk(
42652 int goal = 0, pgoal = iinfo->i_location.logicalBlockNum;
42655 + pax_track_stack();
42657 prev_epos.offset = udf_file_entry_alloc_offset(inode);
42658 prev_epos.block = iinfo->i_location;
42659 prev_epos.bh = NULL;
42660 diff -urNp linux-2.6.38.6/fs/udf/misc.c linux-2.6.38.6/fs/udf/misc.c
42661 --- linux-2.6.38.6/fs/udf/misc.c 2011-03-14 21:20:32.000000000 -0400
42662 +++ linux-2.6.38.6/fs/udf/misc.c 2011-04-28 19:34:15.000000000 -0400
42663 @@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
42665 u8 udf_tag_checksum(const struct tag *t)
42667 - u8 *data = (u8 *)t;
42668 + const u8 *data = (const u8 *)t;
42671 for (i = 0; i < sizeof(struct tag); ++i)
42672 diff -urNp linux-2.6.38.6/fs/utimes.c linux-2.6.38.6/fs/utimes.c
42673 --- linux-2.6.38.6/fs/utimes.c 2011-03-14 21:20:32.000000000 -0400
42674 +++ linux-2.6.38.6/fs/utimes.c 2011-04-28 19:34:15.000000000 -0400
42676 #include <linux/compiler.h>
42677 #include <linux/file.h>
42678 #include <linux/fs.h>
42679 +#include <linux/security.h>
42680 #include <linux/linkage.h>
42681 #include <linux/mount.h>
42682 #include <linux/namei.h>
42683 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
42684 goto mnt_drop_write_and_out;
42688 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
42690 + goto mnt_drop_write_and_out;
42693 mutex_lock(&inode->i_mutex);
42694 error = notify_change(path->dentry, &newattrs);
42695 mutex_unlock(&inode->i_mutex);
42696 diff -urNp linux-2.6.38.6/fs/xattr_acl.c linux-2.6.38.6/fs/xattr_acl.c
42697 --- linux-2.6.38.6/fs/xattr_acl.c 2011-03-14 21:20:32.000000000 -0400
42698 +++ linux-2.6.38.6/fs/xattr_acl.c 2011-04-28 19:34:15.000000000 -0400
42701 posix_acl_from_xattr(const void *value, size_t size)
42703 - posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
42704 - posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
42705 + const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
42706 + const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
42708 struct posix_acl *acl;
42709 struct posix_acl_entry *acl_e;
42710 diff -urNp linux-2.6.38.6/fs/xattr.c linux-2.6.38.6/fs/xattr.c
42711 --- linux-2.6.38.6/fs/xattr.c 2011-03-14 21:20:32.000000000 -0400
42712 +++ linux-2.6.38.6/fs/xattr.c 2011-04-28 19:34:15.000000000 -0400
42713 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
42714 * Extended attribute SET operations
42717 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
42718 +setxattr(struct path *path, const char __user *name, const void __user *value,
42719 size_t size, int flags)
42722 @@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
42723 return PTR_ERR(kvalue);
42726 - error = vfs_setxattr(d, kname, kvalue, size, flags);
42727 + if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
42732 + error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
42737 @@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
42739 error = mnt_want_write(path.mnt);
42741 - error = setxattr(path.dentry, name, value, size, flags);
42742 + error = setxattr(&path, name, value, size, flags);
42743 mnt_drop_write(path.mnt);
42746 @@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
42748 error = mnt_want_write(path.mnt);
42750 - error = setxattr(path.dentry, name, value, size, flags);
42751 + error = setxattr(&path, name, value, size, flags);
42752 mnt_drop_write(path.mnt);
42755 @@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
42756 const void __user *,value, size_t, size, int, flags)
42759 - struct dentry *dentry;
42760 int error = -EBADF;
42765 - dentry = f->f_path.dentry;
42766 - audit_inode(NULL, dentry);
42767 + audit_inode(NULL, f->f_path.dentry);
42768 error = mnt_want_write_file(f);
42770 - error = setxattr(dentry, name, value, size, flags);
42771 + error = setxattr(&f->f_path, name, value, size, flags);
42772 mnt_drop_write(f->f_path.mnt);
42775 diff -urNp linux-2.6.38.6/fs/xfs/linux-2.6/xfs_ioctl32.c linux-2.6.38.6/fs/xfs/linux-2.6/xfs_ioctl32.c
42776 --- linux-2.6.38.6/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-03-14 21:20:32.000000000 -0400
42777 +++ linux-2.6.38.6/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-04-28 19:34:15.000000000 -0400
42778 @@ -73,6 +73,7 @@ xfs_compat_ioc_fsgeometry_v1(
42779 xfs_fsop_geom_t fsgeo;
42782 + memset(&fsgeo, 0, sizeof(fsgeo));
42783 error = xfs_fs_geometry(mp, &fsgeo, 3);
42786 diff -urNp linux-2.6.38.6/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.38.6/fs/xfs/linux-2.6/xfs_ioctl.c
42787 --- linux-2.6.38.6/fs/xfs/linux-2.6/xfs_ioctl.c 2011-03-14 21:20:32.000000000 -0400
42788 +++ linux-2.6.38.6/fs/xfs/linux-2.6/xfs_ioctl.c 2011-04-28 19:34:15.000000000 -0400
42789 @@ -128,7 +128,7 @@ xfs_find_handle(
42793 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
42794 + if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
42795 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
42798 diff -urNp linux-2.6.38.6/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.38.6/fs/xfs/linux-2.6/xfs_iops.c
42799 --- linux-2.6.38.6/fs/xfs/linux-2.6/xfs_iops.c 2011-03-14 21:20:32.000000000 -0400
42800 +++ linux-2.6.38.6/fs/xfs/linux-2.6/xfs_iops.c 2011-04-28 19:34:15.000000000 -0400
42801 @@ -436,7 +436,7 @@ xfs_vn_put_link(
42802 struct nameidata *nd,
42805 - char *s = nd_get_link(nd);
42806 + const char *s = nd_get_link(nd);
42810 diff -urNp linux-2.6.38.6/fs/xfs/xfs_bmap.c linux-2.6.38.6/fs/xfs/xfs_bmap.c
42811 --- linux-2.6.38.6/fs/xfs/xfs_bmap.c 2011-03-14 21:20:32.000000000 -0400
42812 +++ linux-2.6.38.6/fs/xfs/xfs_bmap.c 2011-04-28 19:34:15.000000000 -0400
42813 @@ -287,7 +287,7 @@ xfs_bmap_validate_ret(
42817 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
42818 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
42822 diff -urNp linux-2.6.38.6/fs/xfs/xfs_dir2_sf.c linux-2.6.38.6/fs/xfs/xfs_dir2_sf.c
42823 --- linux-2.6.38.6/fs/xfs/xfs_dir2_sf.c 2011-03-14 21:20:32.000000000 -0400
42824 +++ linux-2.6.38.6/fs/xfs/xfs_dir2_sf.c 2011-04-28 19:34:15.000000000 -0400
42825 @@ -780,7 +780,15 @@ xfs_dir2_sf_getdents(
42828 ino = xfs_dir2_sf_get_inumber(sfp, xfs_dir2_sf_inumberp(sfep));
42829 - if (filldir(dirent, (char *)sfep->name, sfep->namelen,
42830 + if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
42831 + char name[sfep->namelen];
42832 + memcpy(name, sfep->name, sfep->namelen);
42833 + if (filldir(dirent, name, sfep->namelen,
42834 + off & 0x7fffffff, ino, DT_UNKNOWN)) {
42835 + *offset = off & 0x7fffffff;
42838 + } else if (filldir(dirent, (char *)sfep->name, sfep->namelen,
42839 off & 0x7fffffff, ino, DT_UNKNOWN)) {
42840 *offset = off & 0x7fffffff;
42842 diff -urNp linux-2.6.38.6/grsecurity/gracl_alloc.c linux-2.6.38.6/grsecurity/gracl_alloc.c
42843 --- linux-2.6.38.6/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
42844 +++ linux-2.6.38.6/grsecurity/gracl_alloc.c 2011-04-28 19:34:15.000000000 -0400
42846 +#include <linux/kernel.h>
42847 +#include <linux/mm.h>
42848 +#include <linux/slab.h>
42849 +#include <linux/vmalloc.h>
42850 +#include <linux/gracl.h>
42851 +#include <linux/grsecurity.h>
42853 +static unsigned long alloc_stack_next = 1;
42854 +static unsigned long alloc_stack_size = 1;
42855 +static void **alloc_stack;
42857 +static __inline__ int
42860 + if (alloc_stack_next == 1)
42863 + kfree(alloc_stack[alloc_stack_next - 2]);
42865 + alloc_stack_next--;
42870 +static __inline__ int
42871 +alloc_push(void *buf)
42873 + if (alloc_stack_next >= alloc_stack_size)
42876 + alloc_stack[alloc_stack_next - 1] = buf;
42878 + alloc_stack_next++;
42884 +acl_alloc(unsigned long len)
42886 + void *ret = NULL;
42888 + if (!len || len > PAGE_SIZE)
42891 + ret = kmalloc(len, GFP_KERNEL);
42894 + if (alloc_push(ret)) {
42905 +acl_alloc_num(unsigned long num, unsigned long len)
42907 + if (!len || (num > (PAGE_SIZE / len)))
42910 + return acl_alloc(num * len);
42914 +acl_free_all(void)
42916 + if (gr_acl_is_enabled() || !alloc_stack)
42919 + while (alloc_pop()) ;
42921 + if (alloc_stack) {
42922 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
42923 + kfree(alloc_stack);
42925 + vfree(alloc_stack);
42928 + alloc_stack = NULL;
42929 + alloc_stack_size = 1;
42930 + alloc_stack_next = 1;
42936 +acl_alloc_stack_init(unsigned long size)
42938 + if ((size * sizeof (void *)) <= PAGE_SIZE)
42940 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
42942 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
42944 + alloc_stack_size = size;
42946 + if (!alloc_stack)
42951 diff -urNp linux-2.6.38.6/grsecurity/gracl.c linux-2.6.38.6/grsecurity/gracl.c
42952 --- linux-2.6.38.6/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
42953 +++ linux-2.6.38.6/grsecurity/gracl.c 2011-05-17 17:30:19.000000000 -0400
42955 +#include <linux/kernel.h>
42956 +#include <linux/module.h>
42957 +#include <linux/sched.h>
42958 +#include <linux/mm.h>
42959 +#include <linux/file.h>
42960 +#include <linux/fs.h>
42961 +#include <linux/namei.h>
42962 +#include <linux/mount.h>
42963 +#include <linux/tty.h>
42964 +#include <linux/proc_fs.h>
42965 +#include <linux/smp_lock.h>
42966 +#include <linux/lglock.h>
42967 +#include <linux/slab.h>
42968 +#include <linux/vmalloc.h>
42969 +#include <linux/types.h>
42970 +#include <linux/sysctl.h>
42971 +#include <linux/netdevice.h>
42972 +#include <linux/ptrace.h>
42973 +#include <linux/gracl.h>
42974 +#include <linux/gralloc.h>
42975 +#include <linux/grsecurity.h>
42976 +#include <linux/grinternal.h>
42977 +#include <linux/pid_namespace.h>
42978 +#include <linux/fdtable.h>
42979 +#include <linux/percpu.h>
42981 +#include <asm/uaccess.h>
42982 +#include <asm/errno.h>
42983 +#include <asm/mman.h>
42985 +static struct acl_role_db acl_role_set;
42986 +static struct name_db name_set;
42987 +static struct inodev_db inodev_set;
42989 +/* for keeping track of userspace pointers used for subjects, so we
42990 + can share references in the kernel as well
42993 +static struct path real_root;
42995 +static struct acl_subj_map_db subj_map_set;
42997 +static struct acl_role_label *default_role;
42999 +static struct acl_role_label *role_list;
43001 +static u16 acl_sp_role_value;
43003 +extern char *gr_shared_page[4];
43004 +static DEFINE_MUTEX(gr_dev_mutex);
43005 +DEFINE_RWLOCK(gr_inode_lock);
43007 +struct gr_arg *gr_usermode;
43009 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
43011 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
43012 +extern void gr_clear_learn_entries(void);
43014 +#ifdef CONFIG_GRKERNSEC_RESLOG
43015 +extern void gr_log_resource(const struct task_struct *task,
43016 + const int res, const unsigned long wanted, const int gt);
43019 +unsigned char *gr_system_salt;
43020 +unsigned char *gr_system_sum;
43022 +static struct sprole_pw **acl_special_roles = NULL;
43023 +static __u16 num_sprole_pws = 0;
43025 +static struct acl_role_label *kernel_role = NULL;
43027 +static unsigned int gr_auth_attempts = 0;
43028 +static unsigned long gr_auth_expires = 0UL;
43030 +extern struct vfsmount *sock_mnt;
43031 +extern struct vfsmount *pipe_mnt;
43032 +extern struct vfsmount *shm_mnt;
43033 +#ifdef CONFIG_HUGETLBFS
43034 +extern struct vfsmount *hugetlbfs_vfsmount;
43037 +static struct acl_object_label *fakefs_obj;
43039 +extern int gr_init_uidset(void);
43040 +extern void gr_free_uidset(void);
43041 +extern void gr_remove_uid(uid_t uid);
43042 +extern int gr_find_uid(uid_t uid);
43044 +DECLARE_BRLOCK(vfsmount_lock);
43047 +gr_acl_is_enabled(void)
43049 + return (gr_status & GR_READY);
43052 +#ifdef CONFIG_BTRFS_FS
43053 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
43054 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
43057 +static inline dev_t __get_dev(const struct dentry *dentry)
43059 +#ifdef CONFIG_BTRFS_FS
43060 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
43061 + return get_btrfs_dev_from_inode(dentry->d_inode);
43064 + return dentry->d_inode->i_sb->s_dev;
43067 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
43069 + return __get_dev(dentry);
43072 +static char gr_task_roletype_to_char(struct task_struct *task)
43074 + switch (task->role->roletype &
43075 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
43076 + GR_ROLE_SPECIAL)) {
43077 + case GR_ROLE_DEFAULT:
43079 + case GR_ROLE_USER:
43081 + case GR_ROLE_GROUP:
43083 + case GR_ROLE_SPECIAL:
43090 +char gr_roletype_to_char(void)
43092 + return gr_task_roletype_to_char(current);
43096 +gr_acl_tpe_check(void)
43098 + if (unlikely(!(gr_status & GR_READY)))
43100 + if (current->role->roletype & GR_ROLE_TPE)
43107 +gr_handle_rawio(const struct inode *inode)
43109 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
43110 + if (inode && S_ISBLK(inode->i_mode) &&
43111 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
43112 + !capable(CAP_SYS_RAWIO))
43119 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
43121 + if (likely(lena != lenb))
43124 + return !memcmp(a, b, lena);
43127 +static int prepend(char **buffer, int *buflen, const char *str, int namelen)
43129 + *buflen -= namelen;
43131 + return -ENAMETOOLONG;
43132 + *buffer -= namelen;
43133 + memcpy(*buffer, str, namelen);
43137 +static int prepend_name(char **buffer, int *buflen, struct qstr *name)
43139 + return prepend(buffer, buflen, name->name, name->len);
43142 +static int prepend_path(const struct path *path, struct path *root,
43143 + char **buffer, int *buflen)
43145 + struct dentry *dentry = path->dentry;
43146 + struct vfsmount *vfsmnt = path->mnt;
43147 + bool slash = false;
43150 + while (dentry != root->dentry || vfsmnt != root->mnt) {
43151 + struct dentry * parent;
43153 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
43154 + /* Global root? */
43155 + if (vfsmnt->mnt_parent == vfsmnt) {
43158 + dentry = vfsmnt->mnt_mountpoint;
43159 + vfsmnt = vfsmnt->mnt_parent;
43162 + parent = dentry->d_parent;
43163 + prefetch(parent);
43164 + spin_lock(&dentry->d_lock);
43165 + error = prepend_name(buffer, buflen, &dentry->d_name);
43166 + spin_unlock(&dentry->d_lock);
43168 + error = prepend(buffer, buflen, "/", 1);
43177 + if (!error && !slash)
43178 + error = prepend(buffer, buflen, "/", 1);
43183 +/* this must be called with vfsmount_lock and rename_lock held */
43185 +static char *__our_d_path(const struct path *path, struct path *root,
43186 + char *buf, int buflen)
43188 + char *res = buf + buflen;
43191 + prepend(&res, &buflen, "\0", 1);
43192 + error = prepend_path(path, root, &res, &buflen);
43194 + return ERR_PTR(error);
43200 +gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
43204 + retval = __our_d_path(path, root, buf, buflen);
43205 + if (unlikely(IS_ERR(retval)))
43206 + retval = strcpy(buf, "<path too long>");
43207 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
43208 + retval[1] = '\0';
43214 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
43215 + char *buf, int buflen)
43217 + struct path path;
43220 + path.dentry = (struct dentry *)dentry;
43221 + path.mnt = (struct vfsmount *)vfsmnt;
43223 + /* we can use real_root.dentry, real_root.mnt, because this is only called
43224 + by the RBAC system */
43225 + res = gen_full_path(&path, &real_root, buf, buflen);
43231 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
43232 + char *buf, int buflen)
43235 + struct path path;
43236 + struct path root;
43237 + struct task_struct *reaper = &init_task;
43239 + path.dentry = (struct dentry *)dentry;
43240 + path.mnt = (struct vfsmount *)vfsmnt;
43242 + /* we can't use real_root.dentry, real_root.mnt, because they belong only to the RBAC system */
43243 + get_fs_root(reaper->fs, &root);
43245 + write_seqlock(&rename_lock);
43246 + br_read_lock(vfsmount_lock);
43247 + res = gen_full_path(&path, &root, buf, buflen);
43248 + br_read_unlock(vfsmount_lock);
43249 + write_sequnlock(&rename_lock);
43256 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
43259 + write_seqlock(&rename_lock);
43260 + br_read_lock(vfsmount_lock);
43261 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
43263 + br_read_unlock(vfsmount_lock);
43264 + write_sequnlock(&rename_lock);
43269 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
43271 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
43276 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
43278 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
43283 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
43285 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
43290 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
43292 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
43297 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
43299 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
43304 +to_gr_audit(const __u32 reqmode)
43306 + /* masks off auditable permission flags, then shifts them to create
43307 + auditing flags, and adds the special case of append auditing if
43308 + we're requesting write */
43309 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
43312 +struct acl_subject_label *
43313 +lookup_subject_map(const struct acl_subject_label *userp)
43315 + unsigned int index = shash(userp, subj_map_set.s_size);
43316 + struct subject_map *match;
43318 + match = subj_map_set.s_hash[index];
43320 + while (match && match->user != userp)
43321 + match = match->next;
43323 + if (match != NULL)
43324 + return match->kernel;
43330 +insert_subj_map_entry(struct subject_map *subjmap)
43332 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
43333 + struct subject_map **curr;
43335 + subjmap->prev = NULL;
43337 + curr = &subj_map_set.s_hash[index];
43338 + if (*curr != NULL)
43339 + (*curr)->prev = subjmap;
43341 + subjmap->next = *curr;
43347 +static struct acl_role_label *
43348 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
43351 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
43352 + struct acl_role_label *match;
43353 + struct role_allowed_ip *ipp;
43355 + u32 curr_ip = task->signal->curr_ip;
43357 + task->signal->saved_ip = curr_ip;
43359 + match = acl_role_set.r_hash[index];
43362 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
43363 + for (x = 0; x < match->domain_child_num; x++) {
43364 + if (match->domain_children[x] == uid)
43367 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
43369 + match = match->next;
43372 + if (match == NULL) {
43374 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
43375 + match = acl_role_set.r_hash[index];
43378 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
43379 + for (x = 0; x < match->domain_child_num; x++) {
43380 + if (match->domain_children[x] == gid)
43383 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
43385 + match = match->next;
43388 + if (match == NULL)
43389 + match = default_role;
43390 + if (match->allowed_ips == NULL)
43393 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
43395 + ((ntohl(curr_ip) & ipp->netmask) ==
43396 + (ntohl(ipp->addr) & ipp->netmask)))
43399 + match = default_role;
43401 + } else if (match->allowed_ips == NULL) {
43404 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
43406 + ((ntohl(curr_ip) & ipp->netmask) ==
43407 + (ntohl(ipp->addr) & ipp->netmask)))
43416 +struct acl_subject_label *
43417 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
43418 + const struct acl_role_label *role)
43420 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
43421 + struct acl_subject_label *match;
43423 + match = role->subj_hash[index];
43425 + while (match && (match->inode != ino || match->device != dev ||
43426 + (match->mode & GR_DELETED))) {
43427 + match = match->next;
43430 + if (match && !(match->mode & GR_DELETED))
43436 +struct acl_subject_label *
43437 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
43438 + const struct acl_role_label *role)
43440 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
43441 + struct acl_subject_label *match;
43443 + match = role->subj_hash[index];
43445 + while (match && (match->inode != ino || match->device != dev ||
43446 + !(match->mode & GR_DELETED))) {
43447 + match = match->next;
43450 + if (match && (match->mode & GR_DELETED))
43456 +static struct acl_object_label *
43457 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
43458 + const struct acl_subject_label *subj)
43460 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
43461 + struct acl_object_label *match;
43463 + match = subj->obj_hash[index];
43465 + while (match && (match->inode != ino || match->device != dev ||
43466 + (match->mode & GR_DELETED))) {
43467 + match = match->next;
43470 + if (match && !(match->mode & GR_DELETED))
43476 +static struct acl_object_label *
43477 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
43478 + const struct acl_subject_label *subj)
43480 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
43481 + struct acl_object_label *match;
43483 + match = subj->obj_hash[index];
43485 + while (match && (match->inode != ino || match->device != dev ||
43486 + !(match->mode & GR_DELETED))) {
43487 + match = match->next;
43490 + if (match && (match->mode & GR_DELETED))
43493 + match = subj->obj_hash[index];
43495 + while (match && (match->inode != ino || match->device != dev ||
43496 + (match->mode & GR_DELETED))) {
43497 + match = match->next;
43500 + if (match && !(match->mode & GR_DELETED))
43506 +static struct name_entry *
43507 +lookup_name_entry(const char *name)
43509 + unsigned int len = strlen(name);
43510 + unsigned int key = full_name_hash(name, len);
43511 + unsigned int index = key % name_set.n_size;
43512 + struct name_entry *match;
43514 + match = name_set.n_hash[index];
43516 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
43517 + match = match->next;
43522 +static struct name_entry *
43523 +lookup_name_entry_create(const char *name)
43525 + unsigned int len = strlen(name);
43526 + unsigned int key = full_name_hash(name, len);
43527 + unsigned int index = key % name_set.n_size;
43528 + struct name_entry *match;
43530 + match = name_set.n_hash[index];
43532 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
43533 + !match->deleted))
43534 + match = match->next;
43536 + if (match && match->deleted)
43539 + match = name_set.n_hash[index];
43541 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
43543 + match = match->next;
43545 + if (match && !match->deleted)
43551 +static struct inodev_entry *
43552 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
43554 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
43555 + struct inodev_entry *match;
43557 + match = inodev_set.i_hash[index];
43559 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
43560 + match = match->next;
43566 +insert_inodev_entry(struct inodev_entry *entry)
43568 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
43569 + inodev_set.i_size);
43570 + struct inodev_entry **curr;
43572 + entry->prev = NULL;
43574 + curr = &inodev_set.i_hash[index];
43575 + if (*curr != NULL)
43576 + (*curr)->prev = entry;
43578 + entry->next = *curr;
43585 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
43587 + unsigned int index =
43588 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
43589 + struct acl_role_label **curr;
43590 + struct acl_role_label *tmp;
43592 + curr = &acl_role_set.r_hash[index];
43594 + /* if role was already inserted due to domains and already has
43595 + a role in the same bucket as it attached, then we need to
43596 + combine these two buckets
43598 + if (role->next) {
43599 + tmp = role->next;
43600 + while (tmp->next)
43602 + tmp->next = *curr;
43604 + role->next = *curr;
43611 +insert_acl_role_label(struct acl_role_label *role)
43615 + if (role_list == NULL) {
43616 + role_list = role;
43617 + role->prev = NULL;
43619 + role->prev = role_list;
43620 + role_list = role;
43623 + /* used for hash chains */
43624 + role->next = NULL;
43626 + if (role->roletype & GR_ROLE_DOMAIN) {
43627 + for (i = 0; i < role->domain_child_num; i++)
43628 + __insert_acl_role_label(role, role->domain_children[i]);
43630 + __insert_acl_role_label(role, role->uidgid);
43634 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
43636 + struct name_entry **curr, *nentry;
43637 + struct inodev_entry *ientry;
43638 + unsigned int len = strlen(name);
43639 + unsigned int key = full_name_hash(name, len);
43640 + unsigned int index = key % name_set.n_size;
43642 + curr = &name_set.n_hash[index];
43644 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
43645 + curr = &((*curr)->next);
43647 + if (*curr != NULL)
43650 + nentry = acl_alloc(sizeof (struct name_entry));
43651 + if (nentry == NULL)
43653 + ientry = acl_alloc(sizeof (struct inodev_entry));
43654 + if (ientry == NULL)
43656 + ientry->nentry = nentry;
43658 + nentry->key = key;
43659 + nentry->name = name;
43660 + nentry->inode = inode;
43661 + nentry->device = device;
43662 + nentry->len = len;
43663 + nentry->deleted = deleted;
43665 + nentry->prev = NULL;
43666 + curr = &name_set.n_hash[index];
43667 + if (*curr != NULL)
43668 + (*curr)->prev = nentry;
43669 + nentry->next = *curr;
43672 + /* insert us into the table searchable by inode/dev */
43673 + insert_inodev_entry(ientry);
43679 +insert_acl_obj_label(struct acl_object_label *obj,
43680 + struct acl_subject_label *subj)
43682 + unsigned int index =
43683 + fhash(obj->inode, obj->device, subj->obj_hash_size);
43684 + struct acl_object_label **curr;
43687 + obj->prev = NULL;
43689 + curr = &subj->obj_hash[index];
43690 + if (*curr != NULL)
43691 + (*curr)->prev = obj;
43693 + obj->next = *curr;
43700 +insert_acl_subj_label(struct acl_subject_label *obj,
43701 + struct acl_role_label *role)
43703 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
43704 + struct acl_subject_label **curr;
43706 + obj->prev = NULL;
43708 + curr = &role->subj_hash[index];
43709 + if (*curr != NULL)
43710 + (*curr)->prev = obj;
43712 + obj->next = *curr;
43718 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
43721 +create_table(__u32 * len, int elementsize)
43723 + unsigned int table_sizes[] = {
43724 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
43725 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
43726 + 4194301, 8388593, 16777213, 33554393, 67108859
43728 + void *newtable = NULL;
43729 + unsigned int pwr = 0;
43731 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
43732 + table_sizes[pwr] <= *len)
43735 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
43738 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
43740 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
43742 + newtable = vmalloc(table_sizes[pwr] * elementsize);
43744 + *len = table_sizes[pwr];
43750 +init_variables(const struct gr_arg *arg)
43752 + struct task_struct *reaper = &init_task;
43753 + unsigned int stacksize;
43755 + subj_map_set.s_size = arg->role_db.num_subjects;
43756 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
43757 + name_set.n_size = arg->role_db.num_objects;
43758 + inodev_set.i_size = arg->role_db.num_objects;
43760 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
43761 + !name_set.n_size || !inodev_set.i_size)
43764 + if (!gr_init_uidset())
43767 + /* set up the stack that holds allocation info */
43769 + stacksize = arg->role_db.num_pointers + 5;
43771 + if (!acl_alloc_stack_init(stacksize))
43774 + /* grab reference for the real root dentry and vfsmount */
43775 + get_fs_root(reaper->fs, &real_root);
43777 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
43778 + printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root.dentry), real_root.dentry->d_inode->i_ino);
43781 + fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
43782 + if (fakefs_obj == NULL)
43784 + fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
43786 + subj_map_set.s_hash =
43787 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
43788 + acl_role_set.r_hash =
43789 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
43790 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
43791 + inodev_set.i_hash =
43792 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
43794 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
43795 + !name_set.n_hash || !inodev_set.i_hash)
43798 + memset(subj_map_set.s_hash, 0,
43799 + sizeof(struct subject_map *) * subj_map_set.s_size);
43800 + memset(acl_role_set.r_hash, 0,
43801 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
43802 + memset(name_set.n_hash, 0,
43803 + sizeof (struct name_entry *) * name_set.n_size);
43804 + memset(inodev_set.i_hash, 0,
43805 + sizeof (struct inodev_entry *) * inodev_set.i_size);
43810 +/* free information not needed after startup
43811 + currently contains user->kernel pointer mappings for subjects
43815 +free_init_variables(void)
43819 + if (subj_map_set.s_hash) {
43820 + for (i = 0; i < subj_map_set.s_size; i++) {
43821 + if (subj_map_set.s_hash[i]) {
43822 + kfree(subj_map_set.s_hash[i]);
43823 + subj_map_set.s_hash[i] = NULL;
43827 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
43829 + kfree(subj_map_set.s_hash);
43831 + vfree(subj_map_set.s_hash);
43838 +free_variables(void)
43840 + struct acl_subject_label *s;
43841 + struct acl_role_label *r;
43842 + struct task_struct *task, *task2;
43845 + gr_clear_learn_entries();
43847 + read_lock(&tasklist_lock);
43848 + do_each_thread(task2, task) {
43849 + task->acl_sp_role = 0;
43850 + task->acl_role_id = 0;
43851 + task->acl = NULL;
43852 + task->role = NULL;
43853 + } while_each_thread(task2, task);
43854 + read_unlock(&tasklist_lock);
43856 + /* release the reference to the real root dentry and vfsmount */
43857 + path_put(&real_root);
43859 + /* free all object hash tables */
43861 + FOR_EACH_ROLE_START(r)
43862 + if (r->subj_hash == NULL)
43864 + FOR_EACH_SUBJECT_START(r, s, x)
43865 + if (s->obj_hash == NULL)
43867 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
43868 + kfree(s->obj_hash);
43870 + vfree(s->obj_hash);
43871 + FOR_EACH_SUBJECT_END(s, x)
43872 + FOR_EACH_NESTED_SUBJECT_START(r, s)
43873 + if (s->obj_hash == NULL)
43875 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
43876 + kfree(s->obj_hash);
43878 + vfree(s->obj_hash);
43879 + FOR_EACH_NESTED_SUBJECT_END(s)
43880 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
43881 + kfree(r->subj_hash);
43883 + vfree(r->subj_hash);
43884 + r->subj_hash = NULL;
43886 + FOR_EACH_ROLE_END(r)
43890 + if (acl_role_set.r_hash) {
43891 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
43893 + kfree(acl_role_set.r_hash);
43895 + vfree(acl_role_set.r_hash);
43897 + if (name_set.n_hash) {
43898 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
43900 + kfree(name_set.n_hash);
43902 + vfree(name_set.n_hash);
43905 + if (inodev_set.i_hash) {
43906 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
43908 + kfree(inodev_set.i_hash);
43910 + vfree(inodev_set.i_hash);
43913 + gr_free_uidset();
43915 + memset(&name_set, 0, sizeof (struct name_db));
43916 + memset(&inodev_set, 0, sizeof (struct inodev_db));
43917 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
43918 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
43920 + default_role = NULL;
43921 + role_list = NULL;
43927 +count_user_objs(struct acl_object_label *userp)
43929 + struct acl_object_label o_tmp;
43933 + if (copy_from_user(&o_tmp, userp,
43934 + sizeof (struct acl_object_label)))
43937 + userp = o_tmp.prev;
43944 +static struct acl_subject_label *
43945 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
43948 +copy_user_glob(struct acl_object_label *obj)
43950 + struct acl_object_label *g_tmp, **guser;
43951 + unsigned int len;
43954 + if (obj->globbed == NULL)
43957 + guser = &obj->globbed;
43959 + g_tmp = (struct acl_object_label *)
43960 + acl_alloc(sizeof (struct acl_object_label));
43961 + if (g_tmp == NULL)
43964 + if (copy_from_user(g_tmp, *guser,
43965 + sizeof (struct acl_object_label)))
43968 + len = strnlen_user(g_tmp->filename, PATH_MAX);
43970 + if (!len || len >= PATH_MAX)
43973 + if ((tmp = (char *) acl_alloc(len)) == NULL)
43976 + if (copy_from_user(tmp, g_tmp->filename, len))
43978 + tmp[len-1] = '\0';
43979 + g_tmp->filename = tmp;
43982 + guser = &(g_tmp->next);
43989 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
43990 + struct acl_role_label *role)
43992 + struct acl_object_label *o_tmp;
43993 + unsigned int len;
43998 + if ((o_tmp = (struct acl_object_label *)
43999 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
44002 + if (copy_from_user(o_tmp, userp,
44003 + sizeof (struct acl_object_label)))
44006 + userp = o_tmp->prev;
44008 + len = strnlen_user(o_tmp->filename, PATH_MAX);
44010 + if (!len || len >= PATH_MAX)
44013 + if ((tmp = (char *) acl_alloc(len)) == NULL)
44016 + if (copy_from_user(tmp, o_tmp->filename, len))
44018 + tmp[len-1] = '\0';
44019 + o_tmp->filename = tmp;
44021 + insert_acl_obj_label(o_tmp, subj);
44022 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
44023 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
44026 + ret = copy_user_glob(o_tmp);
44030 + if (o_tmp->nested) {
44031 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
44032 + if (IS_ERR(o_tmp->nested))
44033 + return PTR_ERR(o_tmp->nested);
44035 + /* insert into nested subject list */
44036 + o_tmp->nested->next = role->hash->first;
44037 + role->hash->first = o_tmp->nested;
44045 +count_user_subjs(struct acl_subject_label *userp)
44047 + struct acl_subject_label s_tmp;
44051 + if (copy_from_user(&s_tmp, userp,
44052 + sizeof (struct acl_subject_label)))
44055 + userp = s_tmp.prev;
44056 + /* do not count nested subjects against this count, since
44057 + they are not included in the hash table, but are
44058 + attached to objects. We have already counted
44059 + the subjects in userspace for the allocation
44062 + if (!(s_tmp.mode & GR_NESTED))
44070 +copy_user_allowedips(struct acl_role_label *rolep)
44072 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
44074 + ruserip = rolep->allowed_ips;
44076 + while (ruserip) {
44079 + if ((rtmp = (struct role_allowed_ip *)
44080 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
44083 + if (copy_from_user(rtmp, ruserip,
44084 + sizeof (struct role_allowed_ip)))
44087 + ruserip = rtmp->prev;
44090 + rtmp->prev = NULL;
44091 + rolep->allowed_ips = rtmp;
44093 + rlast->next = rtmp;
44094 + rtmp->prev = rlast;
44098 + rtmp->next = NULL;
44105 +copy_user_transitions(struct acl_role_label *rolep)
44107 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
44109 + unsigned int len;
44112 + rusertp = rolep->transitions;
44114 + while (rusertp) {
44117 + if ((rtmp = (struct role_transition *)
44118 + acl_alloc(sizeof (struct role_transition))) == NULL)
44121 + if (copy_from_user(rtmp, rusertp,
44122 + sizeof (struct role_transition)))
44125 + rusertp = rtmp->prev;
44127 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
44129 + if (!len || len >= GR_SPROLE_LEN)
44132 + if ((tmp = (char *) acl_alloc(len)) == NULL)
44135 + if (copy_from_user(tmp, rtmp->rolename, len))
44137 + tmp[len-1] = '\0';
44138 + rtmp->rolename = tmp;
44141 + rtmp->prev = NULL;
44142 + rolep->transitions = rtmp;
44144 + rlast->next = rtmp;
44145 + rtmp->prev = rlast;
44149 + rtmp->next = NULL;
44155 +static struct acl_subject_label *
44156 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
44158 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
44159 + unsigned int len;
44162 + struct acl_ip_label **i_tmp, *i_utmp2;
44163 + struct gr_hash_struct ghash;
44164 + struct subject_map *subjmap;
44165 + unsigned int i_num;
44168 + s_tmp = lookup_subject_map(userp);
44170 + /* we've already copied this subject into the kernel, just return
44171 + the reference to it, and don't copy it over again
44176 + if ((s_tmp = (struct acl_subject_label *)
44177 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
44178 + return ERR_PTR(-ENOMEM);
44180 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
44181 + if (subjmap == NULL)
44182 + return ERR_PTR(-ENOMEM);
44184 + subjmap->user = userp;
44185 + subjmap->kernel = s_tmp;
44186 + insert_subj_map_entry(subjmap);
44188 + if (copy_from_user(s_tmp, userp,
44189 + sizeof (struct acl_subject_label)))
44190 + return ERR_PTR(-EFAULT);
44192 + len = strnlen_user(s_tmp->filename, PATH_MAX);
44194 + if (!len || len >= PATH_MAX)
44195 + return ERR_PTR(-EINVAL);
44197 + if ((tmp = (char *) acl_alloc(len)) == NULL)
44198 + return ERR_PTR(-ENOMEM);
44200 + if (copy_from_user(tmp, s_tmp->filename, len))
44201 + return ERR_PTR(-EFAULT);
44202 + tmp[len-1] = '\0';
44203 + s_tmp->filename = tmp;
44205 + if (!strcmp(s_tmp->filename, "/"))
44206 + role->root_label = s_tmp;
44208 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
44209 + return ERR_PTR(-EFAULT);
44211 + /* copy user and group transition tables */
44213 + if (s_tmp->user_trans_num) {
44216 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
44217 + if (uidlist == NULL)
44218 + return ERR_PTR(-ENOMEM);
44219 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
44220 + return ERR_PTR(-EFAULT);
44222 + s_tmp->user_transitions = uidlist;
44225 + if (s_tmp->group_trans_num) {
44228 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
44229 + if (gidlist == NULL)
44230 + return ERR_PTR(-ENOMEM);
44231 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
44232 + return ERR_PTR(-EFAULT);
44234 + s_tmp->group_transitions = gidlist;
44237 + /* set up object hash table */
44238 + num_objs = count_user_objs(ghash.first);
44240 + s_tmp->obj_hash_size = num_objs;
44241 + s_tmp->obj_hash =
44242 + (struct acl_object_label **)
44243 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
44245 + if (!s_tmp->obj_hash)
44246 + return ERR_PTR(-ENOMEM);
44248 + memset(s_tmp->obj_hash, 0,
44249 + s_tmp->obj_hash_size *
44250 + sizeof (struct acl_object_label *));
44252 + /* add in objects */
44253 + err = copy_user_objs(ghash.first, s_tmp, role);
44256 + return ERR_PTR(err);
44258 + /* set pointer for parent subject */
44259 + if (s_tmp->parent_subject) {
44260 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
44262 + if (IS_ERR(s_tmp2))
44265 + s_tmp->parent_subject = s_tmp2;
44268 + /* add in ip acls */
44270 + if (!s_tmp->ip_num) {
44271 + s_tmp->ips = NULL;
44276 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
44277 + sizeof (struct acl_ip_label *));
44280 + return ERR_PTR(-ENOMEM);
44282 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
44283 + *(i_tmp + i_num) =
44284 + (struct acl_ip_label *)
44285 + acl_alloc(sizeof (struct acl_ip_label));
44286 + if (!*(i_tmp + i_num))
44287 + return ERR_PTR(-ENOMEM);
44289 + if (copy_from_user
44290 + (&i_utmp2, s_tmp->ips + i_num,
44291 + sizeof (struct acl_ip_label *)))
44292 + return ERR_PTR(-EFAULT);
44294 + if (copy_from_user
44295 + (*(i_tmp + i_num), i_utmp2,
44296 + sizeof (struct acl_ip_label)))
44297 + return ERR_PTR(-EFAULT);
44299 + if ((*(i_tmp + i_num))->iface == NULL)
44302 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
44303 + if (!len || len >= IFNAMSIZ)
44304 + return ERR_PTR(-EINVAL);
44305 + tmp = acl_alloc(len);
44307 + return ERR_PTR(-ENOMEM);
44308 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
44309 + return ERR_PTR(-EFAULT);
44310 + (*(i_tmp + i_num))->iface = tmp;
44313 + s_tmp->ips = i_tmp;
44316 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
44317 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
44318 + return ERR_PTR(-ENOMEM);
44324 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
44326 + struct acl_subject_label s_pre;
44327 + struct acl_subject_label * ret;
44331 + if (copy_from_user(&s_pre, userp,
44332 + sizeof (struct acl_subject_label)))
44335 + /* do not add nested subjects here, add
44336 + while parsing objects
44339 + if (s_pre.mode & GR_NESTED) {
44340 + userp = s_pre.prev;
44344 + ret = do_copy_user_subj(userp, role);
44346 + err = PTR_ERR(ret);
44350 + insert_acl_subj_label(ret, role);
44352 + userp = s_pre.prev;
44359 +copy_user_acl(struct gr_arg *arg)
44361 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
44362 + struct sprole_pw *sptmp;
44363 + struct gr_hash_struct *ghash;
44364 + uid_t *domainlist;
44365 + unsigned int r_num;
44366 + unsigned int len;
44372 + /* we need a default and kernel role */
44373 + if (arg->role_db.num_roles < 2)
44376 + /* copy special role authentication info from userspace */
44378 + num_sprole_pws = arg->num_sprole_pws;
44379 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
44381 + if (!acl_special_roles) {
44386 + for (i = 0; i < num_sprole_pws; i++) {
44387 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
44392 + if (copy_from_user(sptmp, arg->sprole_pws + i,
44393 + sizeof (struct sprole_pw))) {
44399 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
44401 + if (!len || len >= GR_SPROLE_LEN) {
44406 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
44411 + if (copy_from_user(tmp, sptmp->rolename, len)) {
44415 + tmp[len-1] = '\0';
44416 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
44417 + printk(KERN_ALERT "Copying special role %s\n", tmp);
44419 + sptmp->rolename = tmp;
44420 + acl_special_roles[i] = sptmp;
44423 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
44425 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
44426 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
44433 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
44434 + sizeof (struct acl_role_label *))) {
44439 + if (copy_from_user(r_tmp, r_utmp2,
44440 + sizeof (struct acl_role_label))) {
44445 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
44447 + if (!len || len >= PATH_MAX) {
44452 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
44456 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
44460 + tmp[len-1] = '\0';
44461 + r_tmp->rolename = tmp;
44463 + if (!strcmp(r_tmp->rolename, "default")
44464 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
44465 + default_role = r_tmp;
44466 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
44467 + kernel_role = r_tmp;
44470 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
44474 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
44479 + r_tmp->hash = ghash;
44481 + num_subjs = count_user_subjs(r_tmp->hash->first);
44483 + r_tmp->subj_hash_size = num_subjs;
44484 + r_tmp->subj_hash =
44485 + (struct acl_subject_label **)
44486 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
44488 + if (!r_tmp->subj_hash) {
44493 + err = copy_user_allowedips(r_tmp);
44497 + /* copy domain info */
44498 + if (r_tmp->domain_children != NULL) {
44499 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
44500 + if (domainlist == NULL) {
44504 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
44508 + r_tmp->domain_children = domainlist;
44511 + err = copy_user_transitions(r_tmp);
44515 + memset(r_tmp->subj_hash, 0,
44516 + r_tmp->subj_hash_size *
44517 + sizeof (struct acl_subject_label *));
44519 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
44524 + /* set nested subject list to null */
44525 + r_tmp->hash->first = NULL;
44527 + insert_acl_role_label(r_tmp);
44532 + free_variables();
44539 +gracl_init(struct gr_arg *args)
44543 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
44544 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
44546 + if (init_variables(args)) {
44547 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
44549 + free_variables();
44553 + error = copy_user_acl(args);
44554 + free_init_variables();
44556 + free_variables();
44560 + if ((error = gr_set_acls(0))) {
44561 + free_variables();
44565 + pax_open_kernel();
44566 + gr_status |= GR_READY;
44567 + pax_close_kernel();
44573 +/* derived from glibc fnmatch() 0: match, 1: no match*/
44576 +glob_match(const char *p, const char *n)
44580 + while ((c = *p++) != '\0') {
44585 + else if (*n == '/')
44593 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
44596 + else if (c == '?') {
44606 + const char *endp;
44608 + if ((endp = strchr(n, '/')) == NULL)
44609 + endp = n + strlen(n);
44612 + for (--p; n < endp; ++n)
44613 + if (!glob_match(p, n))
44615 + } else if (c == '/') {
44616 + while (*n != '\0' && *n != '/')
44618 + if (*n == '/' && !glob_match(p, n + 1))
44621 + for (--p; n < endp; ++n)
44622 + if (*n == c && !glob_match(p, n))
44633 + if (*n == '\0' || *n == '/')
44636 + not = (*p == '!' || *p == '^');
44642 + unsigned char fn = (unsigned char)*n;
44652 + if (c == '-' && *p != ']') {
44653 + unsigned char cend = *p++;
44655 + if (cend == '\0')
44658 + if (cold <= fn && fn <= cend)
44672 + while (c != ']') {
44699 +static struct acl_object_label *
44700 +chk_glob_label(struct acl_object_label *globbed,
44701 + struct dentry *dentry, struct vfsmount *mnt, char **path)
44703 + struct acl_object_label *tmp;
44705 + if (*path == NULL)
44706 + *path = gr_to_filename_nolock(dentry, mnt);
44711 + if (!glob_match(tmp->filename, *path))
44719 +static struct acl_object_label *
44720 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
44721 + const ino_t curr_ino, const dev_t curr_dev,
44722 + const struct acl_subject_label *subj, char **path, const int checkglob)
44724 + struct acl_subject_label *tmpsubj;
44725 + struct acl_object_label *retval;
44726 + struct acl_object_label *retval2;
44728 + tmpsubj = (struct acl_subject_label *) subj;
44729 + read_lock(&gr_inode_lock);
44731 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
44733 + if (checkglob && retval->globbed) {
44734 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
44735 + (struct vfsmount *)orig_mnt, path);
44737 + retval = retval2;
44741 + } while ((tmpsubj = tmpsubj->parent_subject));
44742 + read_unlock(&gr_inode_lock);
44747 +static __inline__ struct acl_object_label *
44748 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
44749 + struct dentry *curr_dentry,
44750 + const struct acl_subject_label *subj, char **path, const int checkglob)
44752 + int newglob = checkglob;
44756 + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
44757 + as we don't want a / * rule to match instead of the / object
44758 + don't do this for create lookups that call this function though, since they're looking up
44759 + on the parent and thus need globbing checks on all paths
44761 + if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
44762 + newglob = GR_NO_GLOB;
44764 + spin_lock(&curr_dentry->d_lock);
44765 + inode = curr_dentry->d_inode->i_ino;
44766 + device = __get_dev(curr_dentry);
44767 + spin_unlock(&curr_dentry->d_lock);
44769 + return __full_lookup(orig_dentry, orig_mnt, inode, device, subj, path, newglob);
44772 +static struct acl_object_label *
44773 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
44774 + const struct acl_subject_label *subj, char *path, const int checkglob)
44776 + struct dentry *dentry = (struct dentry *) l_dentry;
44777 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
44778 + struct acl_object_label *retval;
44779 + struct dentry *parent;
44781 + write_seqlock(&rename_lock);
44782 + br_read_lock(vfsmount_lock);
44784 + if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt || mnt == sock_mnt ||
44785 +#ifdef CONFIG_HUGETLBFS
44786 + (mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
44788 + /* ignore Eric Biederman */
44789 + IS_PRIVATE(l_dentry->d_inode))) {
44790 + retval = fakefs_obj;
44795 + if (dentry == real_root.dentry && mnt == real_root.mnt)
44798 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
44799 + if (mnt->mnt_parent == mnt)
44802 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
44803 + if (retval != NULL)
44806 + dentry = mnt->mnt_mountpoint;
44807 + mnt = mnt->mnt_parent;
44811 + parent = dentry->d_parent;
44812 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
44813 + if (retval != NULL)
44819 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
44821 + /* real_root is pinned so we don't have to hold a reference */
44822 + if (retval == NULL)
44823 + retval = full_lookup(l_dentry, l_mnt, real_root.dentry, subj, &path, checkglob);
44825 + br_read_unlock(vfsmount_lock);
44826 + write_sequnlock(&rename_lock);
44828 + BUG_ON(retval == NULL);
44833 +static __inline__ struct acl_object_label *
44834 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
44835 + const struct acl_subject_label *subj)
44837 + char *path = NULL;
44838 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
44841 +static __inline__ struct acl_object_label *
44842 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
44843 + const struct acl_subject_label *subj)
44845 + char *path = NULL;
44846 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
44849 +static __inline__ struct acl_object_label *
44850 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
44851 + const struct acl_subject_label *subj, char *path)
44853 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
44856 +static struct acl_subject_label *
44857 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
44858 + const struct acl_role_label *role)
44860 + struct dentry *dentry = (struct dentry *) l_dentry;
44861 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
44862 + struct acl_subject_label *retval;
44863 + struct dentry *parent;
44865 + write_seqlock(&rename_lock);
44866 + br_read_lock(vfsmount_lock);
44869 + if (dentry == real_root.dentry && mnt == real_root.mnt)
44871 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
44872 + if (mnt->mnt_parent == mnt)
44875 + spin_lock(&dentry->d_lock);
44876 + read_lock(&gr_inode_lock);
44878 + lookup_acl_subj_label(dentry->d_inode->i_ino,
44879 + __get_dev(dentry), role);
44880 + read_unlock(&gr_inode_lock);
44881 + spin_unlock(&dentry->d_lock);
44882 + if (retval != NULL)
44885 + dentry = mnt->mnt_mountpoint;
44886 + mnt = mnt->mnt_parent;
44890 + spin_lock(&dentry->d_lock);
44891 + read_lock(&gr_inode_lock);
44892 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
44893 + __get_dev(dentry), role);
44894 + read_unlock(&gr_inode_lock);
44895 + parent = dentry->d_parent;
44896 + spin_unlock(&dentry->d_lock);
44898 + if (retval != NULL)
44904 + spin_lock(&dentry->d_lock);
44905 + read_lock(&gr_inode_lock);
44906 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
44907 + __get_dev(dentry), role);
44908 + read_unlock(&gr_inode_lock);
44909 + spin_unlock(&dentry->d_lock);
44911 + if (unlikely(retval == NULL)) {
44912 + /* real_root is pinned, we don't need to hold a reference */
44913 + read_lock(&gr_inode_lock);
44914 + retval = lookup_acl_subj_label(real_root.dentry->d_inode->i_ino,
44915 + __get_dev(real_root.dentry), role);
44916 + read_unlock(&gr_inode_lock);
44919 + br_read_unlock(vfsmount_lock);
44920 + write_sequnlock(&rename_lock);
44922 + BUG_ON(retval == NULL);
44928 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
44930 + struct task_struct *task = current;
44931 + const struct cred *cred = current_cred();
44933 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
44934 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
44935 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
44936 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
44942 +gr_log_learn_sysctl(const char *path, const __u32 mode)
44944 + struct task_struct *task = current;
44945 + const struct cred *cred = current_cred();
44947 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
44948 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
44949 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
44950 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
44956 +gr_log_learn_id_change(const char type, const unsigned int real,
44957 + const unsigned int effective, const unsigned int fs)
44959 + struct task_struct *task = current;
44960 + const struct cred *cred = current_cred();
44962 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
44963 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
44964 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
44965 + type, real, effective, fs, &task->signal->saved_ip);
44971 +gr_check_link(const struct dentry * new_dentry,
44972 + const struct dentry * parent_dentry,
44973 + const struct vfsmount * parent_mnt,
44974 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
44976 + struct acl_object_label *obj;
44977 + __u32 oldmode, newmode;
44980 + if (unlikely(!(gr_status & GR_READY)))
44981 + return (GR_CREATE | GR_LINK);
44983 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
44984 + oldmode = obj->mode;
44986 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
44987 + oldmode |= (GR_CREATE | GR_LINK);
44989 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
44990 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
44991 + needmode |= GR_SETID | GR_AUDIT_SETID;
44994 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
44995 + oldmode | needmode);
44997 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
44998 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
44999 + GR_INHERIT | GR_AUDIT_INHERIT);
45001 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
45004 + if ((oldmode & needmode) != needmode)
45007 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
45008 + if ((newmode & needmode) != needmode)
45011 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
45014 + needmode = oldmode;
45015 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
45016 + needmode |= GR_SETID;
45018 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
45019 + gr_log_learn(old_dentry, old_mnt, needmode);
45020 + return (GR_CREATE | GR_LINK);
45021 + } else if (newmode & GR_SUPPRESS)
45022 + return GR_SUPPRESS;
45028 +gr_search_file(const struct dentry * dentry, const __u32 mode,
45029 + const struct vfsmount * mnt)
45031 + __u32 retval = mode;
45032 + struct acl_subject_label *curracl;
45033 + struct acl_object_label *currobj;
45035 + if (unlikely(!(gr_status & GR_READY)))
45036 + return (mode & ~GR_AUDITS);
45038 + curracl = current->acl;
45040 + currobj = chk_obj_label(dentry, mnt, curracl);
45041 + retval = currobj->mode & mode;
45043 + /* if we're opening a specified transfer file for writing
45044 + (e.g. /dev/initctl), then transfer our role to init
45046 + if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
45047 + current->role->roletype & GR_ROLE_PERSIST)) {
45048 + struct task_struct *task = init_pid_ns.child_reaper;
45050 + if (task->role != current->role) {
45051 + task->acl_sp_role = 0;
45052 + task->acl_role_id = current->acl_role_id;
45053 + task->role = current->role;
45055 + read_lock(&grsec_exec_file_lock);
45056 + gr_apply_subject_to_task(task);
45057 + read_unlock(&grsec_exec_file_lock);
45058 + rcu_read_unlock();
45059 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
45064 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
45065 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
45066 + __u32 new_mode = mode;
45068 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
45070 + retval = new_mode;
45072 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
45073 + new_mode |= GR_INHERIT;
45075 + if (!(mode & GR_NOLEARN))
45076 + gr_log_learn(dentry, mnt, new_mode);
45083 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
45084 + const struct vfsmount * mnt, const __u32 mode)
45086 + struct name_entry *match;
45087 + struct acl_object_label *matchpo;
45088 + struct acl_subject_label *curracl;
45092 + if (unlikely(!(gr_status & GR_READY)))
45093 + return (mode & ~GR_AUDITS);
45095 + preempt_disable();
45096 + path = gr_to_filename_rbac(new_dentry, mnt);
45097 + match = lookup_name_entry_create(path);
45100 + goto check_parent;
45102 + curracl = current->acl;
45104 + read_lock(&gr_inode_lock);
45105 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
45106 + read_unlock(&gr_inode_lock);
45109 + if ((matchpo->mode & mode) !=
45110 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
45111 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
45112 + __u32 new_mode = mode;
45114 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
45116 + gr_log_learn(new_dentry, mnt, new_mode);
45118 + preempt_enable();
45121 + preempt_enable();
45122 + return (matchpo->mode & mode);
45126 + curracl = current->acl;
45128 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
45129 + retval = matchpo->mode & mode;
45131 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
45132 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
45133 + __u32 new_mode = mode;
45135 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
45137 + gr_log_learn(new_dentry, mnt, new_mode);
45138 + preempt_enable();
45142 + preempt_enable();
45147 +gr_check_hidden_task(const struct task_struct *task)
45149 + if (unlikely(!(gr_status & GR_READY)))
45152 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
45159 +gr_check_protected_task(const struct task_struct *task)
45161 + if (unlikely(!(gr_status & GR_READY) || !task))
45164 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
45165 + task->acl != current->acl)
45172 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
45174 + struct task_struct *p;
45177 + if (unlikely(!(gr_status & GR_READY) || !pid))
45180 + read_lock(&tasklist_lock);
45181 + do_each_pid_task(pid, type, p) {
45182 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
45183 + p->acl != current->acl) {
45187 + } while_each_pid_task(pid, type, p);
45189 + read_unlock(&tasklist_lock);
45195 +gr_copy_label(struct task_struct *tsk)
45197 + tsk->signal->used_accept = 0;
45198 + tsk->acl_sp_role = 0;
45199 + tsk->acl_role_id = current->acl_role_id;
45200 + tsk->acl = current->acl;
45201 + tsk->role = current->role;
45202 + tsk->signal->curr_ip = current->signal->curr_ip;
45203 + tsk->signal->saved_ip = current->signal->saved_ip;
45204 + if (current->exec_file)
45205 + get_file(current->exec_file);
45206 + tsk->exec_file = current->exec_file;
45207 + tsk->is_writable = current->is_writable;
45208 + if (unlikely(current->signal->used_accept)) {
45209 + current->signal->curr_ip = 0;
45210 + current->signal->saved_ip = 0;
45217 +gr_set_proc_res(struct task_struct *task)
45219 + struct acl_subject_label *proc;
45220 + unsigned short i;
45222 + proc = task->acl;
45224 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
45227 + for (i = 0; i < RLIM_NLIMITS; i++) {
45228 + if (!(proc->resmask & (1 << i)))
45231 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
45232 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
45238 +extern int __gr_process_user_ban(struct user_struct *user);
45241 +gr_check_user_change(int real, int effective, int fs)
45248 + int effectiveok = 0;
45251 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
45252 + struct user_struct *user;
45257 + user = find_user(real);
45258 + if (user == NULL)
45261 + if (__gr_process_user_ban(user)) {
45262 + /* for find_user */
45267 + /* for find_user */
45273 + if (unlikely(!(gr_status & GR_READY)))
45276 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
45277 + gr_log_learn_id_change('u', real, effective, fs);
45279 + num = current->acl->user_trans_num;
45280 + uidlist = current->acl->user_transitions;
45282 + if (uidlist == NULL)
45287 + if (effective == -1)
45292 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
45293 + for (i = 0; i < num; i++) {
45294 + curuid = (int)uidlist[i];
45295 + if (real == curuid)
45297 + if (effective == curuid)
45299 + if (fs == curuid)
45302 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
45303 + for (i = 0; i < num; i++) {
45304 + curuid = (int)uidlist[i];
45305 + if (real == curuid)
45307 + if (effective == curuid)
45309 + if (fs == curuid)
45312 + /* not in deny list */
45320 + if (realok && effectiveok && fsok)
45323 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
45329 +gr_check_group_change(int real, int effective, int fs)
45336 + int effectiveok = 0;
45339 + if (unlikely(!(gr_status & GR_READY)))
45342 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
45343 + gr_log_learn_id_change('g', real, effective, fs);
45345 + num = current->acl->group_trans_num;
45346 + gidlist = current->acl->group_transitions;
45348 + if (gidlist == NULL)
45353 + if (effective == -1)
45358 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
45359 + for (i = 0; i < num; i++) {
45360 + curgid = (int)gidlist[i];
45361 + if (real == curgid)
45363 + if (effective == curgid)
45365 + if (fs == curgid)
45368 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
45369 + for (i = 0; i < num; i++) {
45370 + curgid = (int)gidlist[i];
45371 + if (real == curgid)
45373 + if (effective == curgid)
45375 + if (fs == curgid)
45378 + /* not in deny list */
45386 + if (realok && effectiveok && fsok)
45389 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
45395 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
45397 + struct acl_role_label *role = task->role;
45398 + struct acl_subject_label *subj = NULL;
45399 + struct acl_object_label *obj;
45400 + struct file *filp;
45402 + if (unlikely(!(gr_status & GR_READY)))
45405 + filp = task->exec_file;
45407 + /* kernel process, we'll give them the kernel role */
45408 + if (unlikely(!filp)) {
45409 + task->role = kernel_role;
45410 + task->acl = kernel_role->root_label;
45412 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
45413 + role = lookup_acl_role_label(task, uid, gid);
45415 + /* perform subject lookup in possibly new role
45416 + we can use this result below in the case where role == task->role
45418 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
45420 + /* if we changed uid/gid, but result in the same role
45421 + and are using inheritance, don't lose the inherited subject
45422 + if current subject is other than what normal lookup
45423 + would result in, we arrived via inheritance, don't
45426 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
45427 + (subj == task->acl)))
45428 + task->acl = subj;
45430 + task->role = role;
45432 + task->is_writable = 0;
45434 + /* ignore additional mmap checks for processes that are writable
45435 + by the default ACL */
45436 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
45437 + if (unlikely(obj->mode & GR_WRITE))
45438 + task->is_writable = 1;
45439 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
45440 + if (unlikely(obj->mode & GR_WRITE))
45441 + task->is_writable = 1;
45443 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
45444 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
45447 + gr_set_proc_res(task);
45453 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
45454 + const int unsafe_share)
45456 + struct task_struct *task = current;
45457 + struct acl_subject_label *newacl;
45458 + struct acl_object_label *obj;
45461 + if (unlikely(!(gr_status & GR_READY)))
45464 + newacl = chk_subj_label(dentry, mnt, task->role);
45467 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
45468 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
45469 + !(task->role->roletype & GR_ROLE_GOD) &&
45470 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
45471 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
45472 + task_unlock(task);
45473 + if (unsafe_share)
45474 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
45476 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
45479 + task_unlock(task);
45481 + obj = chk_obj_label(dentry, mnt, task->acl);
45482 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
45484 + if (!(task->acl->mode & GR_INHERITLEARN) &&
45485 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
45487 + task->acl = obj->nested;
45489 + task->acl = newacl;
45490 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
45491 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
45493 + task->is_writable = 0;
45495 + /* ignore additional mmap checks for processes that are writable
45496 + by the default ACL */
45497 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
45498 + if (unlikely(obj->mode & GR_WRITE))
45499 + task->is_writable = 1;
45500 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
45501 + if (unlikely(obj->mode & GR_WRITE))
45502 + task->is_writable = 1;
45504 + gr_set_proc_res(task);
45506 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
45507 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
45512 +/* always called with valid inodev ptr */
45514 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
45516 + struct acl_object_label *matchpo;
45517 + struct acl_subject_label *matchps;
45518 + struct acl_subject_label *subj;
45519 + struct acl_role_label *role;
45522 + FOR_EACH_ROLE_START(role)
45523 + FOR_EACH_SUBJECT_START(role, subj, x)
45524 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
45525 + matchpo->mode |= GR_DELETED;
45526 + FOR_EACH_SUBJECT_END(subj,x)
45527 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
45528 + if (subj->inode == ino && subj->device == dev)
45529 + subj->mode |= GR_DELETED;
45530 + FOR_EACH_NESTED_SUBJECT_END(subj)
45531 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
45532 + matchps->mode |= GR_DELETED;
45533 + FOR_EACH_ROLE_END(role)
45535 + inodev->nentry->deleted = 1;
45541 +gr_handle_delete(const ino_t ino, const dev_t dev)
45543 + struct inodev_entry *inodev;
45545 + if (unlikely(!(gr_status & GR_READY)))
45548 + write_lock(&gr_inode_lock);
45549 + inodev = lookup_inodev_entry(ino, dev);
45550 + if (inodev != NULL)
45551 + do_handle_delete(inodev, ino, dev);
45552 + write_unlock(&gr_inode_lock);
45558 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
45559 + const ino_t newinode, const dev_t newdevice,
45560 + struct acl_subject_label *subj)
45562 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
45563 + struct acl_object_label *match;
45565 + match = subj->obj_hash[index];
45567 + while (match && (match->inode != oldinode ||
45568 + match->device != olddevice ||
45569 + !(match->mode & GR_DELETED)))
45570 + match = match->next;
45572 + if (match && (match->inode == oldinode)
45573 + && (match->device == olddevice)
45574 + && (match->mode & GR_DELETED)) {
45575 + if (match->prev == NULL) {
45576 + subj->obj_hash[index] = match->next;
45577 + if (match->next != NULL)
45578 + match->next->prev = NULL;
45580 + match->prev->next = match->next;
45581 + if (match->next != NULL)
45582 + match->next->prev = match->prev;
45584 + match->prev = NULL;
45585 + match->next = NULL;
45586 + match->inode = newinode;
45587 + match->device = newdevice;
45588 + match->mode &= ~GR_DELETED;
45590 + insert_acl_obj_label(match, subj);
45597 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
45598 + const ino_t newinode, const dev_t newdevice,
45599 + struct acl_role_label *role)
45601 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
45602 + struct acl_subject_label *match;
45604 + match = role->subj_hash[index];
45606 + while (match && (match->inode != oldinode ||
45607 + match->device != olddevice ||
45608 + !(match->mode & GR_DELETED)))
45609 + match = match->next;
45611 + if (match && (match->inode == oldinode)
45612 + && (match->device == olddevice)
45613 + && (match->mode & GR_DELETED)) {
45614 + if (match->prev == NULL) {
45615 + role->subj_hash[index] = match->next;
45616 + if (match->next != NULL)
45617 + match->next->prev = NULL;
45619 + match->prev->next = match->next;
45620 + if (match->next != NULL)
45621 + match->next->prev = match->prev;
45623 + match->prev = NULL;
45624 + match->next = NULL;
45625 + match->inode = newinode;
45626 + match->device = newdevice;
45627 + match->mode &= ~GR_DELETED;
45629 + insert_acl_subj_label(match, role);
45636 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
45637 + const ino_t newinode, const dev_t newdevice)
45639 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
45640 + struct inodev_entry *match;
45642 + match = inodev_set.i_hash[index];
45644 + while (match && (match->nentry->inode != oldinode ||
45645 + match->nentry->device != olddevice || !match->nentry->deleted))
45646 + match = match->next;
45648 + if (match && (match->nentry->inode == oldinode)
45649 + && (match->nentry->device == olddevice) &&
45650 + match->nentry->deleted) {
45651 + if (match->prev == NULL) {
45652 + inodev_set.i_hash[index] = match->next;
45653 + if (match->next != NULL)
45654 + match->next->prev = NULL;
45656 + match->prev->next = match->next;
45657 + if (match->next != NULL)
45658 + match->next->prev = match->prev;
45660 + match->prev = NULL;
45661 + match->next = NULL;
45662 + match->nentry->inode = newinode;
45663 + match->nentry->device = newdevice;
45664 + match->nentry->deleted = 0;
45666 + insert_inodev_entry(match);
45673 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
45674 + const struct vfsmount *mnt)
45676 + struct acl_subject_label *subj;
45677 + struct acl_role_label *role;
45679 + ino_t ino = dentry->d_inode->i_ino;
45680 + dev_t dev = __get_dev(dentry);
45682 + FOR_EACH_ROLE_START(role)
45683 + update_acl_subj_label(matchn->inode, matchn->device, ino, dev, role);
45685 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
45686 + if ((subj->inode == ino) && (subj->device == dev)) {
45687 + subj->inode = ino;
45688 + subj->device = dev;
45690 + FOR_EACH_NESTED_SUBJECT_END(subj)
45691 + FOR_EACH_SUBJECT_START(role, subj, x)
45692 + update_acl_obj_label(matchn->inode, matchn->device,
45694 + FOR_EACH_SUBJECT_END(subj,x)
45695 + FOR_EACH_ROLE_END(role)
45697 + update_inodev_entry(matchn->inode, matchn->device, ino, dev);
45703 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
45705 + struct name_entry *matchn;
45707 + if (unlikely(!(gr_status & GR_READY)))
45710 + preempt_disable();
45711 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
45713 + if (unlikely((unsigned long)matchn)) {
45714 + write_lock(&gr_inode_lock);
45715 + do_handle_create(matchn, dentry, mnt);
45716 + write_unlock(&gr_inode_lock);
45718 + preempt_enable();
45724 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
45725 + struct dentry *old_dentry,
45726 + struct dentry *new_dentry,
45727 + struct vfsmount *mnt, const __u8 replace)
45729 + struct name_entry *matchn;
45730 + struct inodev_entry *inodev;
45731 + ino_t old_ino = old_dentry->d_inode->i_ino;
45732 + dev_t old_dev = __get_dev(old_dentry);
45734 + /* vfs_rename swaps the name and parent link for old_dentry and
45736 + at this point, old_dentry has the new name, parent link, and inode
45737 + for the renamed file
45738 + if a file is being replaced by a rename, new_dentry has the inode
45739 + and name for the replaced file
45742 + if (unlikely(!(gr_status & GR_READY)))
45745 + preempt_disable();
45746 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
45748 + /* we wouldn't have to check d_inode if it weren't for
45749 + NFS silly-renaming
45752 + write_lock(&gr_inode_lock);
45753 + if (unlikely(replace && new_dentry->d_inode)) {
45754 + ino_t new_ino = new_dentry->d_inode->i_ino;
45755 + dev_t new_dev = __get_dev(new_dentry);
45757 + inodev = lookup_inodev_entry(new_ino, new_dev);
45758 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
45759 + do_handle_delete(inodev, new_ino, new_dev);
45762 + inodev = lookup_inodev_entry(old_ino, old_dev);
45763 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
45764 + do_handle_delete(inodev, old_ino, old_dev);
45766 + if (unlikely((unsigned long)matchn))
45767 + do_handle_create(matchn, old_dentry, mnt);
45769 + write_unlock(&gr_inode_lock);
45770 + preempt_enable();
45776 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
45777 + unsigned char **sum)
45779 + struct acl_role_label *r;
45780 + struct role_allowed_ip *ipp;
45781 + struct role_transition *trans;
45784 + u32 curr_ip = current->signal->curr_ip;
45786 + current->signal->saved_ip = curr_ip;
45788 + /* check transition table */
45790 + for (trans = current->role->transitions; trans; trans = trans->next) {
45791 + if (!strcmp(rolename, trans->rolename)) {
45800 + /* handle special roles that do not require authentication
45803 + FOR_EACH_ROLE_START(r)
45804 + if (!strcmp(rolename, r->rolename) &&
45805 + (r->roletype & GR_ROLE_SPECIAL)) {
45807 + if (r->allowed_ips != NULL) {
45808 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
45809 + if ((ntohl(curr_ip) & ipp->netmask) ==
45810 + (ntohl(ipp->addr) & ipp->netmask))
45818 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
45819 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
45825 + FOR_EACH_ROLE_END(r)
45827 + for (i = 0; i < num_sprole_pws; i++) {
45828 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
45829 + *salt = acl_special_roles[i]->salt;
45830 + *sum = acl_special_roles[i]->sum;
45839 +assign_special_role(char *rolename)
45841 + struct acl_object_label *obj;
45842 + struct acl_role_label *r;
45843 + struct acl_role_label *assigned = NULL;
45844 + struct task_struct *tsk;
45845 + struct file *filp;
45847 + FOR_EACH_ROLE_START(r)
45848 + if (!strcmp(rolename, r->rolename) &&
45849 + (r->roletype & GR_ROLE_SPECIAL)) {
45853 + FOR_EACH_ROLE_END(r)
45858 + read_lock(&tasklist_lock);
45859 + read_lock(&grsec_exec_file_lock);
45861 + tsk = current->real_parent;
45865 + filp = tsk->exec_file;
45866 + if (filp == NULL)
45869 + tsk->is_writable = 0;
45871 + tsk->acl_sp_role = 1;
45872 + tsk->acl_role_id = ++acl_sp_role_value;
45873 + tsk->role = assigned;
45874 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
45876 + /* ignore additional mmap checks for processes that are writable
45877 + by the default ACL */
45878 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
45879 + if (unlikely(obj->mode & GR_WRITE))
45880 + tsk->is_writable = 1;
45881 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
45882 + if (unlikely(obj->mode & GR_WRITE))
45883 + tsk->is_writable = 1;
45885 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
45886 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
45890 + read_unlock(&grsec_exec_file_lock);
45891 + read_unlock(&tasklist_lock);
45895 +int gr_check_secure_terminal(struct task_struct *task)
45897 + struct task_struct *p, *p2, *p3;
45898 + struct files_struct *files;
45899 + struct fdtable *fdt;
45900 + struct file *our_file = NULL, *file;
45903 + if (task->signal->tty == NULL)
45906 + files = get_files_struct(task);
45907 + if (files != NULL) {
45909 + fdt = files_fdtable(files);
45910 + for (i=0; i < fdt->max_fds; i++) {
45911 + file = fcheck_files(files, i);
45912 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
45917 + rcu_read_unlock();
45918 + put_files_struct(files);
45921 + if (our_file == NULL)
45924 + read_lock(&tasklist_lock);
45925 + do_each_thread(p2, p) {
45926 + files = get_files_struct(p);
45927 + if (files == NULL ||
45928 + (p->signal && p->signal->tty == task->signal->tty)) {
45929 + if (files != NULL)
45930 + put_files_struct(files);
45934 + fdt = files_fdtable(files);
45935 + for (i=0; i < fdt->max_fds; i++) {
45936 + file = fcheck_files(files, i);
45937 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
45938 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
45940 + while (p3->pid > 0) {
45943 + p3 = p3->real_parent;
45947 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
45948 + gr_handle_alertkill(p);
45949 + rcu_read_unlock();
45950 + put_files_struct(files);
45951 + read_unlock(&tasklist_lock);
45956 + rcu_read_unlock();
45957 + put_files_struct(files);
45958 + } while_each_thread(p2, p);
45959 + read_unlock(&tasklist_lock);
45966 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
45968 + struct gr_arg_wrapper uwrap;
45969 + unsigned char *sprole_salt = NULL;
45970 + unsigned char *sprole_sum = NULL;
45971 + int error = sizeof (struct gr_arg_wrapper);
45974 + mutex_lock(&gr_dev_mutex);
45976 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
45981 + if (count != sizeof (struct gr_arg_wrapper)) {
45982 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
45988 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
45989 + gr_auth_expires = 0;
45990 + gr_auth_attempts = 0;
45993 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
45998 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
46003 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
46008 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
46009 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
46010 + time_after(gr_auth_expires, get_seconds())) {
46015 + /* if non-root trying to do anything other than use a special role,
46016 + do not attempt authentication, do not count towards authentication
46020 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
46021 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
46027 + /* ensure pw and special role name are null terminated */
46029 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
46030 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
46033 + * We have our enough of the argument structure..(we have yet
46034 + * to copy_from_user the tables themselves) . Copy the tables
46035 + * only if we need them, i.e. for loading operations. */
46037 + switch (gr_usermode->mode) {
46039 + if (gr_status & GR_READY) {
46041 + if (!gr_check_secure_terminal(current))
46046 + case GR_SHUTDOWN:
46047 + if ((gr_status & GR_READY)
46048 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
46049 + pax_open_kernel();
46050 + gr_status &= ~GR_READY;
46051 + pax_close_kernel();
46053 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
46054 + free_variables();
46055 + memset(gr_usermode, 0, sizeof (struct gr_arg));
46056 + memset(gr_system_salt, 0, GR_SALT_LEN);
46057 + memset(gr_system_sum, 0, GR_SHA_LEN);
46058 + } else if (gr_status & GR_READY) {
46059 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
46062 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
46067 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
46068 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
46070 + if (gr_status & GR_READY)
46074 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
46078 + if (!(gr_status & GR_READY)) {
46079 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
46081 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
46082 + preempt_disable();
46084 + pax_open_kernel();
46085 + gr_status &= ~GR_READY;
46086 + pax_close_kernel();
46088 + free_variables();
46089 + if (!(error2 = gracl_init(gr_usermode))) {
46090 + preempt_enable();
46091 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
46093 + preempt_enable();
46095 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
46098 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
46103 + if (unlikely(!(gr_status & GR_READY))) {
46104 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
46109 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
46110 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
46111 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
46112 + struct acl_subject_label *segvacl;
46114 + lookup_acl_subj_label(gr_usermode->segv_inode,
46115 + gr_usermode->segv_device,
46118 + segvacl->crashes = 0;
46119 + segvacl->expires = 0;
46121 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
46122 + gr_remove_uid(gr_usermode->segv_uid);
46125 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
46130 + case GR_SPROLEPAM:
46131 + if (unlikely(!(gr_status & GR_READY))) {
46132 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
46137 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
46138 + current->role->expires = 0;
46139 + current->role->auth_attempts = 0;
46142 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
46143 + time_after(current->role->expires, get_seconds())) {
46148 + if (lookup_special_role_auth
46149 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
46150 + && ((!sprole_salt && !sprole_sum)
46151 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
46153 + assign_special_role(gr_usermode->sp_role);
46154 + read_lock(&tasklist_lock);
46155 + if (current->real_parent)
46156 + p = current->real_parent->role->rolename;
46157 + read_unlock(&tasklist_lock);
46158 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
46159 + p, acl_sp_role_value);
46161 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
46163 + if(!(current->role->auth_attempts++))
46164 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
46169 + case GR_UNSPROLE:
46170 + if (unlikely(!(gr_status & GR_READY))) {
46171 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
46176 + if (current->role->roletype & GR_ROLE_SPECIAL) {
46180 + read_lock(&tasklist_lock);
46181 + if (current->real_parent) {
46182 + p = current->real_parent->role->rolename;
46183 + i = current->real_parent->acl_role_id;
46185 + read_unlock(&tasklist_lock);
46187 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
46195 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
46200 + if (error != -EPERM)
46203 + if(!(gr_auth_attempts++))
46204 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
46207 + mutex_unlock(&gr_dev_mutex);
46211 +/* must be called with
46213 + read_lock(&tasklist_lock);
46214 + read_lock(&grsec_exec_file_lock);
46216 +int gr_apply_subject_to_task(struct task_struct *task)
46218 + struct acl_object_label *obj;
46220 + struct acl_subject_label *tmpsubj;
46221 + struct file *filp;
46222 + struct name_entry *nmatch;
46224 + filp = task->exec_file;
46225 + if (filp == NULL)
46228 + /* the following is to apply the correct subject
46229 + on binaries running when the RBAC system
46230 + is enabled, when the binaries have been
46231 + replaced or deleted since their execution
46233 + when the RBAC system starts, the inode/dev
46234 + from exec_file will be one the RBAC system
46235 + is unaware of. It only knows the inode/dev
46236 + of the present file on disk, or the absence
46239 + preempt_disable();
46240 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
46242 + nmatch = lookup_name_entry(tmpname);
46243 + preempt_enable();
46246 + if (nmatch->deleted)
46247 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
46249 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
46250 + if (tmpsubj != NULL)
46251 + task->acl = tmpsubj;
46253 + if (tmpsubj == NULL)
46254 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
46257 + struct acl_subject_label *curr;
46258 + curr = task->acl;
46260 + task->is_writable = 0;
46261 + /* ignore additional mmap checks for processes that are writable
46262 + by the default ACL */
46263 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
46264 + if (unlikely(obj->mode & GR_WRITE))
46265 + task->is_writable = 1;
46266 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
46267 + if (unlikely(obj->mode & GR_WRITE))
46268 + task->is_writable = 1;
46270 + gr_set_proc_res(task);
46272 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
46273 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
46283 +gr_set_acls(const int type)
46285 + struct task_struct *task, *task2;
46286 + struct acl_role_label *role = current->role;
46287 + __u16 acl_role_id = current->acl_role_id;
46288 + const struct cred *cred;
46292 + read_lock(&tasklist_lock);
46293 + read_lock(&grsec_exec_file_lock);
46294 + do_each_thread(task2, task) {
46295 + /* check to see if we're called from the exit handler,
46296 + if so, only replace ACLs that have inherited the admin
46299 + if (type && (task->role != role ||
46300 + task->acl_role_id != acl_role_id))
46303 + task->acl_role_id = 0;
46304 + task->acl_sp_role = 0;
46306 + if (task->exec_file) {
46307 + cred = __task_cred(task);
46308 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
46309 + ret = gr_apply_subject_to_task(task);
46311 + read_unlock(&grsec_exec_file_lock);
46312 + read_unlock(&tasklist_lock);
46313 + rcu_read_unlock();
46314 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
46318 + // it's a kernel process
46319 + task->role = kernel_role;
46320 + task->acl = kernel_role->root_label;
46321 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
46322 + task->acl->mode &= ~GR_PROCFIND;
46325 + } while_each_thread(task2, task);
46326 + read_unlock(&grsec_exec_file_lock);
46327 + read_unlock(&tasklist_lock);
46328 + rcu_read_unlock();
46334 +gr_learn_resource(const struct task_struct *task,
46335 + const int res, const unsigned long wanted, const int gt)
46337 + struct acl_subject_label *acl;
46338 + const struct cred *cred;
46340 + if (unlikely((gr_status & GR_READY) &&
46341 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
46342 + goto skip_reslog;
46344 +#ifdef CONFIG_GRKERNSEC_RESLOG
46345 + gr_log_resource(task, res, wanted, gt);
46349 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
46354 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
46355 + !(acl->resmask & (1 << (unsigned short) res))))
46358 + if (wanted >= acl->res[res].rlim_cur) {
46359 + unsigned long res_add;
46361 + res_add = wanted;
46364 + res_add += GR_RLIM_CPU_BUMP;
46366 + case RLIMIT_FSIZE:
46367 + res_add += GR_RLIM_FSIZE_BUMP;
46369 + case RLIMIT_DATA:
46370 + res_add += GR_RLIM_DATA_BUMP;
46372 + case RLIMIT_STACK:
46373 + res_add += GR_RLIM_STACK_BUMP;
46375 + case RLIMIT_CORE:
46376 + res_add += GR_RLIM_CORE_BUMP;
46379 + res_add += GR_RLIM_RSS_BUMP;
46381 + case RLIMIT_NPROC:
46382 + res_add += GR_RLIM_NPROC_BUMP;
46384 + case RLIMIT_NOFILE:
46385 + res_add += GR_RLIM_NOFILE_BUMP;
46387 + case RLIMIT_MEMLOCK:
46388 + res_add += GR_RLIM_MEMLOCK_BUMP;
46391 + res_add += GR_RLIM_AS_BUMP;
46393 + case RLIMIT_LOCKS:
46394 + res_add += GR_RLIM_LOCKS_BUMP;
46396 + case RLIMIT_SIGPENDING:
46397 + res_add += GR_RLIM_SIGPENDING_BUMP;
46399 + case RLIMIT_MSGQUEUE:
46400 + res_add += GR_RLIM_MSGQUEUE_BUMP;
46402 + case RLIMIT_NICE:
46403 + res_add += GR_RLIM_NICE_BUMP;
46405 + case RLIMIT_RTPRIO:
46406 + res_add += GR_RLIM_RTPRIO_BUMP;
46408 + case RLIMIT_RTTIME:
46409 + res_add += GR_RLIM_RTTIME_BUMP;
46413 + acl->res[res].rlim_cur = res_add;
46415 + if (wanted > acl->res[res].rlim_max)
46416 + acl->res[res].rlim_max = res_add;
46418 + /* only log the subject filename, since resource logging is supported for
46419 + single-subject learning only */
46421 + cred = __task_cred(task);
46422 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
46423 + task->role->roletype, cred->uid, cred->gid, acl->filename,
46424 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
46425 + "", (unsigned long) res, &task->signal->saved_ip);
46426 + rcu_read_unlock();
46432 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
46434 +pax_set_initial_flags(struct linux_binprm *bprm)
46436 + struct task_struct *task = current;
46437 + struct acl_subject_label *proc;
46438 + unsigned long flags;
46440 + if (unlikely(!(gr_status & GR_READY)))
46443 + flags = pax_get_flags(task);
46445 + proc = task->acl;
46447 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
46448 + flags &= ~MF_PAX_PAGEEXEC;
46449 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
46450 + flags &= ~MF_PAX_SEGMEXEC;
46451 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
46452 + flags &= ~MF_PAX_RANDMMAP;
46453 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
46454 + flags &= ~MF_PAX_EMUTRAMP;
46455 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
46456 + flags &= ~MF_PAX_MPROTECT;
46458 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
46459 + flags |= MF_PAX_PAGEEXEC;
46460 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
46461 + flags |= MF_PAX_SEGMEXEC;
46462 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
46463 + flags |= MF_PAX_RANDMMAP;
46464 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
46465 + flags |= MF_PAX_EMUTRAMP;
46466 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
46467 + flags |= MF_PAX_MPROTECT;
46469 + pax_set_flags(task, flags);
46475 +#ifdef CONFIG_SYSCTL
46476 +/* Eric Biederman likes breaking userland ABI and every inode-based security
46477 + system to save 35kb of memory */
46479 +/* we modify the passed in filename, but adjust it back before returning */
46480 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
46482 + struct name_entry *nmatch;
46483 + char *p, *lastp = NULL;
46484 + struct acl_object_label *obj = NULL, *tmp;
46485 + struct acl_subject_label *tmpsubj;
46488 + read_lock(&gr_inode_lock);
46490 + p = name + len - 1;
46492 + nmatch = lookup_name_entry(name);
46493 + if (lastp != NULL)
46496 + if (nmatch == NULL)
46497 + goto next_component;
46498 + tmpsubj = current->acl;
46500 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
46501 + if (obj != NULL) {
46502 + tmp = obj->globbed;
46504 + if (!glob_match(tmp->filename, name)) {
46512 + } while ((tmpsubj = tmpsubj->parent_subject));
46518 + while (*p != '/')
46530 + read_unlock(&gr_inode_lock);
46531 + /* obj returned will always be non-null */
46535 +/* returns 0 when allowing, non-zero on error
46536 + op of 0 is used for readdir, so we don't log the names of hidden files
46539 +gr_handle_sysctl(const struct ctl_table *table, const int op)
46541 + struct ctl_table *tmp;
46542 + const char *proc_sys = "/proc/sys";
46544 + struct acl_object_label *obj;
46545 + unsigned short len = 0, pos = 0, depth = 0, i;
46549 + if (unlikely(!(gr_status & GR_READY)))
46552 + /* for now, ignore operations on non-sysctl entries if it's not a
46554 + if (table->child != NULL && op != 0)
46558 + /* it's only a read if it's an entry, read on dirs is for readdir */
46559 + if (op & MAY_READ)
46561 + if (op & MAY_WRITE)
46562 + mode |= GR_WRITE;
46564 + preempt_disable();
46566 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
46568 + /* it's only a read/write if it's an actual entry, not a dir
46569 + (which are opened for readdir)
46572 + /* convert the requested sysctl entry into a pathname */
46574 + for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
46575 + len += strlen(tmp->procname);
46580 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
46585 + memset(path, 0, PAGE_SIZE);
46587 + memcpy(path, proc_sys, strlen(proc_sys));
46589 + pos += strlen(proc_sys);
46591 + for (; depth > 0; depth--) {
46594 + for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
46595 + if (depth == i) {
46596 + memcpy(path + pos, tmp->procname,
46597 + strlen(tmp->procname));
46598 + pos += strlen(tmp->procname);
46604 + obj = gr_lookup_by_name(path, pos);
46605 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
46607 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
46608 + ((err & mode) != mode))) {
46609 + __u32 new_mode = mode;
46611 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
46614 + gr_log_learn_sysctl(path, new_mode);
46615 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
46616 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
46618 + } else if (!(err & GR_FIND)) {
46620 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
46621 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
46622 + path, (mode & GR_READ) ? " reading" : "",
46623 + (mode & GR_WRITE) ? " writing" : "");
46625 + } else if ((err & mode) != mode) {
46627 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
46628 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
46629 + path, (mode & GR_READ) ? " reading" : "",
46630 + (mode & GR_WRITE) ? " writing" : "");
46636 + preempt_enable();
46643 +gr_handle_proc_ptrace(struct task_struct *task)
46645 + struct file *filp;
46646 + struct task_struct *tmp = task;
46647 + struct task_struct *curtemp = current;
46650 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
46651 + if (unlikely(!(gr_status & GR_READY)))
46655 + read_lock(&tasklist_lock);
46656 + read_lock(&grsec_exec_file_lock);
46657 + filp = task->exec_file;
46659 + while (tmp->pid > 0) {
46660 + if (tmp == curtemp)
46662 + tmp = tmp->real_parent;
46665 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
46666 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
46667 + read_unlock(&grsec_exec_file_lock);
46668 + read_unlock(&tasklist_lock);
46672 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
46673 + if (!(gr_status & GR_READY)) {
46674 + read_unlock(&grsec_exec_file_lock);
46675 + read_unlock(&tasklist_lock);
46680 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
46681 + read_unlock(&grsec_exec_file_lock);
46682 + read_unlock(&tasklist_lock);
46684 + if (retmode & GR_NOPTRACE)
46687 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
46688 + && (current->acl != task->acl || (current->acl != current->role->root_label
46689 + && current->pid != task->pid)))
46695 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
46697 + if (unlikely(!(gr_status & GR_READY)))
46700 + if (!(current->role->roletype & GR_ROLE_GOD))
46703 + seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
46704 + p->role->rolename, gr_task_roletype_to_char(p),
46705 + p->acl->filename);
46709 +gr_handle_ptrace(struct task_struct *task, const long request)
46711 + struct task_struct *tmp = task;
46712 + struct task_struct *curtemp = current;
46715 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
46716 + if (unlikely(!(gr_status & GR_READY)))
46720 + read_lock(&tasklist_lock);
46721 + while (tmp->pid > 0) {
46722 + if (tmp == curtemp)
46724 + tmp = tmp->real_parent;
46727 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
46728 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
46729 + read_unlock(&tasklist_lock);
46730 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
46733 + read_unlock(&tasklist_lock);
46735 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
46736 + if (!(gr_status & GR_READY))
46740 + read_lock(&grsec_exec_file_lock);
46741 + if (unlikely(!task->exec_file)) {
46742 + read_unlock(&grsec_exec_file_lock);
46746 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
46747 + read_unlock(&grsec_exec_file_lock);
46749 + if (retmode & GR_NOPTRACE) {
46750 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
46754 + if (retmode & GR_PTRACERD) {
46755 + switch (request) {
46756 + case PTRACE_POKETEXT:
46757 + case PTRACE_POKEDATA:
46758 + case PTRACE_POKEUSR:
46759 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
46760 + case PTRACE_SETREGS:
46761 + case PTRACE_SETFPREGS:
46764 + case PTRACE_SETFPXREGS:
46766 +#ifdef CONFIG_ALTIVEC
46767 + case PTRACE_SETVRREGS:
46773 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
46774 + !(current->role->roletype & GR_ROLE_GOD) &&
46775 + (current->acl != task->acl)) {
46776 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
46783 +static int is_writable_mmap(const struct file *filp)
46785 + struct task_struct *task = current;
46786 + struct acl_object_label *obj, *obj2;
46788 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
46789 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && (filp->f_path.mnt != shm_mnt || (filp->f_path.dentry->d_inode->i_nlink > 0))) {
46790 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
46791 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
46792 + task->role->root_label);
46793 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
46794 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
46802 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
46806 + if (unlikely(!file || !(prot & PROT_EXEC)))
46809 + if (is_writable_mmap(file))
46813 + gr_search_file(file->f_path.dentry,
46814 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
46815 + file->f_path.mnt);
46817 + if (!gr_tpe_allow(file))
46820 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
46821 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
46823 + } else if (unlikely(!(mode & GR_EXEC))) {
46825 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
46826 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
46834 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
46838 + if (unlikely(!file || !(prot & PROT_EXEC)))
46841 + if (is_writable_mmap(file))
46845 + gr_search_file(file->f_path.dentry,
46846 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
46847 + file->f_path.mnt);
46849 + if (!gr_tpe_allow(file))
46852 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
46853 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
46855 + } else if (unlikely(!(mode & GR_EXEC))) {
46857 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
46858 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
46866 +gr_acl_handle_psacct(struct task_struct *task, const long code)
46868 + unsigned long runtime;
46869 + unsigned long cputime;
46870 + unsigned int wday, cday;
46874 + struct timespec timeval;
46876 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
46877 + !(task->acl->mode & GR_PROCACCT)))
46880 + do_posix_clock_monotonic_gettime(&timeval);
46881 + runtime = timeval.tv_sec - task->start_time.tv_sec;
46882 + wday = runtime / (3600 * 24);
46883 + runtime -= wday * (3600 * 24);
46884 + whr = runtime / 3600;
46885 + runtime -= whr * 3600;
46886 + wmin = runtime / 60;
46887 + runtime -= wmin * 60;
46890 + cputime = (task->utime + task->stime) / HZ;
46891 + cday = cputime / (3600 * 24);
46892 + cputime -= cday * (3600 * 24);
46893 + chr = cputime / 3600;
46894 + cputime -= chr * 3600;
46895 + cmin = cputime / 60;
46896 + cputime -= cmin * 60;
46899 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
46904 +void gr_set_kernel_label(struct task_struct *task)
46906 + if (gr_status & GR_READY) {
46907 + task->role = kernel_role;
46908 + task->acl = kernel_role->root_label;
46913 +#ifdef CONFIG_TASKSTATS
46914 +int gr_is_taskstats_denied(int pid)
46916 + struct task_struct *task;
46917 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46918 + const struct cred *cred;
46922 + /* restrict taskstats viewing to un-chrooted root users
46923 + who have the 'view' subject flag if the RBAC system is enabled
46927 + read_lock(&tasklist_lock);
46928 + task = find_task_by_vpid(pid);
46930 +#ifdef CONFIG_GRKERNSEC_CHROOT
46931 + if (proc_is_chrooted(task))
46934 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46935 + cred = __task_cred(task);
46936 +#ifdef CONFIG_GRKERNSEC_PROC_USER
46937 + if (cred->uid != 0)
46939 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46940 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
46944 + if (gr_status & GR_READY) {
46945 + if (!(task->acl->mode & GR_VIEW))
46951 + read_unlock(&tasklist_lock);
46952 + rcu_read_unlock();
46958 +/* AUXV entries are filled via a descendant of search_binary_handler
46959 + after we've already applied the subject for the target
46961 +int gr_acl_enable_at_secure(void)
46963 + if (unlikely(!(gr_status & GR_READY)))
46966 + if (current->acl->mode & GR_ATSECURE)
46972 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
46974 + struct task_struct *task = current;
46975 + struct dentry *dentry = file->f_path.dentry;
46976 + struct vfsmount *mnt = file->f_path.mnt;
46977 + struct acl_object_label *obj, *tmp;
46978 + struct acl_subject_label *subj;
46979 + unsigned int bufsize;
46982 + dev_t dev = __get_dev(dentry);
46984 + if (unlikely(!(gr_status & GR_READY)))
46987 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
46990 + /* ignore Eric Biederman */
46991 + if (IS_PRIVATE(dentry->d_inode))
46994 + subj = task->acl;
46996 + obj = lookup_acl_obj_label(ino, dev, subj);
46998 + return (obj->mode & GR_FIND) ? 1 : 0;
46999 + } while ((subj = subj->parent_subject));
47001 + /* this is purely an optimization since we're looking for an object
47002 + for the directory we're doing a readdir on
47003 + if it's possible for any globbed object to match the entry we're
47004 + filling into the directory, then the object we find here will be
47005 + an anchor point with attached globbed objects
47007 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
47008 + if (obj->globbed == NULL)
47009 + return (obj->mode & GR_FIND) ? 1 : 0;
47011 + is_not_root = ((obj->filename[0] == '/') &&
47012 + (obj->filename[1] == '\0')) ? 0 : 1;
47013 + bufsize = PAGE_SIZE - namelen - is_not_root;
47015 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
47016 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
47019 + preempt_disable();
47020 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
47023 + bufsize = strlen(path);
47025 + /* if base is "/", don't append an additional slash */
47027 + *(path + bufsize) = '/';
47028 + memcpy(path + bufsize + is_not_root, name, namelen);
47029 + *(path + bufsize + namelen + is_not_root) = '\0';
47031 + tmp = obj->globbed;
47033 + if (!glob_match(tmp->filename, path)) {
47034 + preempt_enable();
47035 + return (tmp->mode & GR_FIND) ? 1 : 0;
47039 + preempt_enable();
47040 + return (obj->mode & GR_FIND) ? 1 : 0;
47043 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
47044 +EXPORT_SYMBOL(gr_acl_is_enabled);
47046 +EXPORT_SYMBOL(gr_learn_resource);
47047 +EXPORT_SYMBOL(gr_set_kernel_label);
47048 +#ifdef CONFIG_SECURITY
47049 +EXPORT_SYMBOL(gr_check_user_change);
47050 +EXPORT_SYMBOL(gr_check_group_change);
47053 diff -urNp linux-2.6.38.6/grsecurity/gracl_cap.c linux-2.6.38.6/grsecurity/gracl_cap.c
47054 --- linux-2.6.38.6/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
47055 +++ linux-2.6.38.6/grsecurity/gracl_cap.c 2011-04-28 19:34:15.000000000 -0400
47057 +#include <linux/kernel.h>
47058 +#include <linux/module.h>
47059 +#include <linux/sched.h>
47060 +#include <linux/gracl.h>
47061 +#include <linux/grsecurity.h>
47062 +#include <linux/grinternal.h>
47064 +static const char *captab_log[] = {
47066 + "CAP_DAC_OVERRIDE",
47067 + "CAP_DAC_READ_SEARCH",
47074 + "CAP_LINUX_IMMUTABLE",
47075 + "CAP_NET_BIND_SERVICE",
47076 + "CAP_NET_BROADCAST",
47081 + "CAP_SYS_MODULE",
47083 + "CAP_SYS_CHROOT",
47084 + "CAP_SYS_PTRACE",
47089 + "CAP_SYS_RESOURCE",
47091 + "CAP_SYS_TTY_CONFIG",
47094 + "CAP_AUDIT_WRITE",
47095 + "CAP_AUDIT_CONTROL",
47097 + "CAP_MAC_OVERRIDE",
47102 +EXPORT_SYMBOL(gr_is_capable);
47103 +EXPORT_SYMBOL(gr_is_capable_nolog);
47106 +gr_is_capable(const int cap)
47108 + struct task_struct *task = current;
47109 + const struct cred *cred = current_cred();
47110 + struct acl_subject_label *curracl;
47111 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
47112 + kernel_cap_t cap_audit = __cap_empty_set;
47114 + if (!gr_acl_is_enabled())
47117 + curracl = task->acl;
47119 + cap_drop = curracl->cap_lower;
47120 + cap_mask = curracl->cap_mask;
47121 + cap_audit = curracl->cap_invert_audit;
47123 + while ((curracl = curracl->parent_subject)) {
47124 + /* if the cap isn't specified in the current computed mask but is specified in the
47125 + current level subject, and is lowered in the current level subject, then add
47126 + it to the set of dropped capabilities
47127 + otherwise, add the current level subject's mask to the current computed mask
47129 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
47130 + cap_raise(cap_mask, cap);
47131 + if (cap_raised(curracl->cap_lower, cap))
47132 + cap_raise(cap_drop, cap);
47133 + if (cap_raised(curracl->cap_invert_audit, cap))
47134 + cap_raise(cap_audit, cap);
47138 + if (!cap_raised(cap_drop, cap)) {
47139 + if (cap_raised(cap_audit, cap))
47140 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
47144 + curracl = task->acl;
47146 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
47147 + && cap_raised(cred->cap_effective, cap)) {
47148 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
47149 + task->role->roletype, cred->uid,
47150 + cred->gid, task->exec_file ?
47151 + gr_to_filename(task->exec_file->f_path.dentry,
47152 + task->exec_file->f_path.mnt) : curracl->filename,
47153 + curracl->filename, 0UL,
47154 + 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
47158 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
47159 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
47164 +gr_is_capable_nolog(const int cap)
47166 + struct acl_subject_label *curracl;
47167 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
47169 + if (!gr_acl_is_enabled())
47172 + curracl = current->acl;
47174 + cap_drop = curracl->cap_lower;
47175 + cap_mask = curracl->cap_mask;
47177 + while ((curracl = curracl->parent_subject)) {
47178 + /* if the cap isn't specified in the current computed mask but is specified in the
47179 + current level subject, and is lowered in the current level subject, then add
47180 + it to the set of dropped capabilities
47181 + otherwise, add the current level subject's mask to the current computed mask
47183 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
47184 + cap_raise(cap_mask, cap);
47185 + if (cap_raised(curracl->cap_lower, cap))
47186 + cap_raise(cap_drop, cap);
47190 + if (!cap_raised(cap_drop, cap))
47196 diff -urNp linux-2.6.38.6/grsecurity/gracl_fs.c linux-2.6.38.6/grsecurity/gracl_fs.c
47197 --- linux-2.6.38.6/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
47198 +++ linux-2.6.38.6/grsecurity/gracl_fs.c 2011-04-28 19:34:15.000000000 -0400
47200 +#include <linux/kernel.h>
47201 +#include <linux/sched.h>
47202 +#include <linux/types.h>
47203 +#include <linux/fs.h>
47204 +#include <linux/file.h>
47205 +#include <linux/stat.h>
47206 +#include <linux/grsecurity.h>
47207 +#include <linux/grinternal.h>
47208 +#include <linux/gracl.h>
47211 +gr_acl_handle_hidden_file(const struct dentry * dentry,
47212 + const struct vfsmount * mnt)
47216 + if (unlikely(!dentry->d_inode))
47220 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
47222 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
47223 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
47225 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
47226 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
47228 + } else if (unlikely(!(mode & GR_FIND)))
47235 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
47238 + __u32 reqmode = GR_FIND;
47241 + if (unlikely(!dentry->d_inode))
47244 + if (unlikely(fmode & O_APPEND))
47245 + reqmode |= GR_APPEND;
47246 + else if (unlikely(fmode & FMODE_WRITE))
47247 + reqmode |= GR_WRITE;
47248 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
47249 + reqmode |= GR_READ;
47250 + if ((fmode & FMODE_GREXEC) && (fmode & __FMODE_EXEC))
47251 + reqmode &= ~GR_READ;
47253 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
47256 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
47257 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
47258 + reqmode & GR_READ ? " reading" : "",
47259 + reqmode & GR_WRITE ? " writing" : reqmode &
47260 + GR_APPEND ? " appending" : "");
47263 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
47265 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
47266 + reqmode & GR_READ ? " reading" : "",
47267 + reqmode & GR_WRITE ? " writing" : reqmode &
47268 + GR_APPEND ? " appending" : "");
47270 + } else if (unlikely((mode & reqmode) != reqmode))
47277 +gr_acl_handle_creat(const struct dentry * dentry,
47278 + const struct dentry * p_dentry,
47279 + const struct vfsmount * p_mnt, const int fmode,
47282 + __u32 reqmode = GR_WRITE | GR_CREATE;
47285 + if (unlikely(fmode & O_APPEND))
47286 + reqmode |= GR_APPEND;
47287 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
47288 + reqmode |= GR_READ;
47289 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
47290 + reqmode |= GR_SETID;
47293 + gr_check_create(dentry, p_dentry, p_mnt,
47294 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
47296 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
47297 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
47298 + reqmode & GR_READ ? " reading" : "",
47299 + reqmode & GR_WRITE ? " writing" : reqmode &
47300 + GR_APPEND ? " appending" : "");
47303 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
47305 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
47306 + reqmode & GR_READ ? " reading" : "",
47307 + reqmode & GR_WRITE ? " writing" : reqmode &
47308 + GR_APPEND ? " appending" : "");
47310 + } else if (unlikely((mode & reqmode) != reqmode))
47317 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
47320 + __u32 mode, reqmode = GR_FIND;
47322 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
47323 + reqmode |= GR_EXEC;
47324 + if (fmode & S_IWOTH)
47325 + reqmode |= GR_WRITE;
47326 + if (fmode & S_IROTH)
47327 + reqmode |= GR_READ;
47330 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
47333 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
47334 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
47335 + reqmode & GR_READ ? " reading" : "",
47336 + reqmode & GR_WRITE ? " writing" : "",
47337 + reqmode & GR_EXEC ? " executing" : "");
47340 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
47342 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
47343 + reqmode & GR_READ ? " reading" : "",
47344 + reqmode & GR_WRITE ? " writing" : "",
47345 + reqmode & GR_EXEC ? " executing" : "");
47347 + } else if (unlikely((mode & reqmode) != reqmode))
47353 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
47357 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
47359 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
47360 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
47362 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
47363 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
47365 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
47368 + return (reqmode);
47372 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
47374 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
47378 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
47380 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
47384 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
47386 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
47390 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
47392 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
47396 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
47399 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
47402 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
47403 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
47404 + GR_FCHMOD_ACL_MSG);
47406 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
47411 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
47414 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
47415 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
47416 + GR_CHMOD_ACL_MSG);
47418 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
47423 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
47425 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
47429 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
47431 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
47435 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
47437 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
47441 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
47443 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
47444 + GR_UNIXCONNECT_ACL_MSG);
47447 +/* hardlinks require at minimum create permission,
47448 + any additional privilege required is based on the
47449 + privilege of the file being linked to
47452 +gr_acl_handle_link(const struct dentry * new_dentry,
47453 + const struct dentry * parent_dentry,
47454 + const struct vfsmount * parent_mnt,
47455 + const struct dentry * old_dentry,
47456 + const struct vfsmount * old_mnt, const char *to)
47459 + __u32 needmode = GR_CREATE | GR_LINK;
47460 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
47463 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
47466 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
47467 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
47469 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
47470 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
47472 + } else if (unlikely((mode & needmode) != needmode))
47479 +gr_acl_handle_symlink(const struct dentry * new_dentry,
47480 + const struct dentry * parent_dentry,
47481 + const struct vfsmount * parent_mnt, const char *from)
47483 + __u32 needmode = GR_WRITE | GR_CREATE;
47487 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
47488 + GR_CREATE | GR_AUDIT_CREATE |
47489 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
47491 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
47492 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
47494 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
47495 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
47497 + } else if (unlikely((mode & needmode) != needmode))
47500 + return (GR_WRITE | GR_CREATE);
47503 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
47507 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
47509 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
47510 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
47512 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
47513 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
47515 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
47518 + return (reqmode);
47522 +gr_acl_handle_mknod(const struct dentry * new_dentry,
47523 + const struct dentry * parent_dentry,
47524 + const struct vfsmount * parent_mnt,
47527 + __u32 reqmode = GR_WRITE | GR_CREATE;
47528 + if (unlikely(mode & (S_ISUID | S_ISGID)))
47529 + reqmode |= GR_SETID;
47531 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
47532 + reqmode, GR_MKNOD_ACL_MSG);
47536 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
47537 + const struct dentry *parent_dentry,
47538 + const struct vfsmount *parent_mnt)
47540 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
47541 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
47544 +#define RENAME_CHECK_SUCCESS(old, new) \
47545 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
47546 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
47549 +gr_acl_handle_rename(struct dentry *new_dentry,
47550 + struct dentry *parent_dentry,
47551 + const struct vfsmount *parent_mnt,
47552 + struct dentry *old_dentry,
47553 + struct inode *old_parent_inode,
47554 + struct vfsmount *old_mnt, const char *newname)
47556 + __u32 comp1, comp2;
47559 + if (unlikely(!gr_acl_is_enabled()))
47562 + if (!new_dentry->d_inode) {
47563 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
47564 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
47565 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
47566 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
47567 + GR_DELETE | GR_AUDIT_DELETE |
47568 + GR_AUDIT_READ | GR_AUDIT_WRITE |
47569 + GR_SUPPRESS, old_mnt);
47571 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
47572 + GR_CREATE | GR_DELETE |
47573 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
47574 + GR_AUDIT_READ | GR_AUDIT_WRITE |
47575 + GR_SUPPRESS, parent_mnt);
47577 + gr_search_file(old_dentry,
47578 + GR_READ | GR_WRITE | GR_AUDIT_READ |
47579 + GR_DELETE | GR_AUDIT_DELETE |
47580 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
47583 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
47584 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
47585 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
47586 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
47587 + && !(comp2 & GR_SUPPRESS)) {
47588 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
47590 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
47597 +gr_acl_handle_exit(void)
47601 + struct file *exec_file;
47603 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
47604 + !(current->role->roletype & GR_ROLE_PERSIST))) {
47605 + id = current->acl_role_id;
47606 + rolename = current->role->rolename;
47608 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
47611 + write_lock(&grsec_exec_file_lock);
47612 + exec_file = current->exec_file;
47613 + current->exec_file = NULL;
47614 + write_unlock(&grsec_exec_file_lock);
47621 +gr_acl_handle_procpidmem(const struct task_struct *task)
47623 + if (unlikely(!gr_acl_is_enabled()))
47626 + if (task != current && task->acl->mode & GR_PROTPROCFD)
47631 diff -urNp linux-2.6.38.6/grsecurity/gracl_ip.c linux-2.6.38.6/grsecurity/gracl_ip.c
47632 --- linux-2.6.38.6/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
47633 +++ linux-2.6.38.6/grsecurity/gracl_ip.c 2011-04-28 19:34:15.000000000 -0400
47635 +#include <linux/kernel.h>
47636 +#include <asm/uaccess.h>
47637 +#include <asm/errno.h>
47638 +#include <net/sock.h>
47639 +#include <linux/file.h>
47640 +#include <linux/fs.h>
47641 +#include <linux/net.h>
47642 +#include <linux/in.h>
47643 +#include <linux/skbuff.h>
47644 +#include <linux/ip.h>
47645 +#include <linux/udp.h>
47646 +#include <linux/smp_lock.h>
47647 +#include <linux/types.h>
47648 +#include <linux/sched.h>
47649 +#include <linux/netdevice.h>
47650 +#include <linux/inetdevice.h>
47651 +#include <linux/gracl.h>
47652 +#include <linux/grsecurity.h>
47653 +#include <linux/grinternal.h>
47655 +#define GR_BIND 0x01
47656 +#define GR_CONNECT 0x02
47657 +#define GR_INVERT 0x04
47658 +#define GR_BINDOVERRIDE 0x08
47659 +#define GR_CONNECTOVERRIDE 0x10
47660 +#define GR_SOCK_FAMILY 0x20
47662 +static const char * gr_protocols[IPPROTO_MAX] = {
47663 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
47664 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
47665 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
47666 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
47667 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
47668 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
47669 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
47670 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
47671 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
47672 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
47673 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
47674 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
47675 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
47676 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
47677 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
47678 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
47679 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
47680 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
47681 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
47682 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
47683 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
47684 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
47685 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
47686 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
47687 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
47688 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
47689 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
47690 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
47691 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
47692 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
47693 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
47694 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
47697 +static const char * gr_socktypes[SOCK_MAX] = {
47698 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
47699 + "unknown:7", "unknown:8", "unknown:9", "packet"
47702 +static const char * gr_sockfamilies[AF_MAX+1] = {
47703 + "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
47704 + "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
47705 + "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
47706 + "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf"
47710 +gr_proto_to_name(unsigned char proto)
47712 + return gr_protocols[proto];
47716 +gr_socktype_to_name(unsigned char type)
47718 + return gr_socktypes[type];
47722 +gr_sockfamily_to_name(unsigned char family)
47724 + return gr_sockfamilies[family];
47728 +gr_search_socket(const int domain, const int type, const int protocol)
47730 + struct acl_subject_label *curr;
47731 + const struct cred *cred = current_cred();
47733 + if (unlikely(!gr_acl_is_enabled()))
47736 + if ((domain < 0) || (type < 0) || (protocol < 0) ||
47737 + (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
47738 + goto exit; // let the kernel handle it
47740 + curr = current->acl;
47742 + if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
47743 + /* the family is allowed, if this is PF_INET allow it only if
47744 + the extra sock type/protocol checks pass */
47745 + if (domain == PF_INET)
47749 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
47750 + __u32 fakeip = 0;
47751 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
47752 + current->role->roletype, cred->uid,
47753 + cred->gid, current->exec_file ?
47754 + gr_to_filename(current->exec_file->f_path.dentry,
47755 + current->exec_file->f_path.mnt) :
47756 + curr->filename, curr->filename,
47757 + &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
47758 + ¤t->signal->saved_ip);
47765 + /* the rest of this checking is for IPv4 only */
47769 + if ((curr->ip_type & (1 << type)) &&
47770 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
47773 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
47774 + /* we don't place acls on raw sockets , and sometimes
47775 + dgram/ip sockets are opened for ioctl and not
47776 + bind/connect, so we'll fake a bind learn log */
47777 + if (type == SOCK_RAW || type == SOCK_PACKET) {
47778 + __u32 fakeip = 0;
47779 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
47780 + current->role->roletype, cred->uid,
47781 + cred->gid, current->exec_file ?
47782 + gr_to_filename(current->exec_file->f_path.dentry,
47783 + current->exec_file->f_path.mnt) :
47784 + curr->filename, curr->filename,
47785 + &fakeip, 0, type,
47786 + protocol, GR_CONNECT, ¤t->signal->saved_ip);
47787 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
47788 + __u32 fakeip = 0;
47789 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
47790 + current->role->roletype, cred->uid,
47791 + cred->gid, current->exec_file ?
47792 + gr_to_filename(current->exec_file->f_path.dentry,
47793 + current->exec_file->f_path.mnt) :
47794 + curr->filename, curr->filename,
47795 + &fakeip, 0, type,
47796 + protocol, GR_BIND, ¤t->signal->saved_ip);
47798 + /* we'll log when they use connect or bind */
47803 + if (domain == PF_INET)
47804 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
47805 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
47807 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
47808 + gr_socktype_to_name(type), protocol);
47815 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
47817 + if ((ip->mode & mode) &&
47818 + (ip_port >= ip->low) &&
47819 + (ip_port <= ip->high) &&
47820 + ((ntohl(ip_addr) & our_netmask) ==
47821 + (ntohl(our_addr) & our_netmask))
47822 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
47823 + && (ip->type & (1 << type))) {
47824 + if (ip->mode & GR_INVERT)
47825 + return 2; // specifically denied
47827 + return 1; // allowed
47830 + return 0; // not specifically allowed, may continue parsing
47834 +gr_search_connectbind(const int full_mode, struct sock *sk,
47835 + struct sockaddr_in *addr, const int type)
47837 + char iface[IFNAMSIZ] = {0};
47838 + struct acl_subject_label *curr;
47839 + struct acl_ip_label *ip;
47840 + struct inet_sock *isk;
47841 + struct net_device *dev;
47842 + struct in_device *idev;
47845 + int mode = full_mode & (GR_BIND | GR_CONNECT);
47846 + __u32 ip_addr = 0;
47848 + __u32 our_netmask;
47850 + __u16 ip_port = 0;
47851 + const struct cred *cred = current_cred();
47853 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
47856 + curr = current->acl;
47857 + isk = inet_sk(sk);
47859 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
47860 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
47861 + addr->sin_addr.s_addr = curr->inaddr_any_override;
47862 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
47863 + struct sockaddr_in saddr;
47866 + saddr.sin_family = AF_INET;
47867 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
47868 + saddr.sin_port = isk->inet_sport;
47870 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
47874 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
47882 + ip_addr = addr->sin_addr.s_addr;
47883 + ip_port = ntohs(addr->sin_port);
47885 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
47886 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
47887 + current->role->roletype, cred->uid,
47888 + cred->gid, current->exec_file ?
47889 + gr_to_filename(current->exec_file->f_path.dentry,
47890 + current->exec_file->f_path.mnt) :
47891 + curr->filename, curr->filename,
47892 + &ip_addr, ip_port, type,
47893 + sk->sk_protocol, mode, ¤t->signal->saved_ip);
47897 + for (i = 0; i < curr->ip_num; i++) {
47898 + ip = *(curr->ips + i);
47899 + if (ip->iface != NULL) {
47900 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
47901 + p = strchr(iface, ':');
47904 + dev = dev_get_by_name(sock_net(sk), iface);
47907 + idev = in_dev_get(dev);
47908 + if (idev == NULL) {
47914 + if (!strcmp(ip->iface, ifa->ifa_label)) {
47915 + our_addr = ifa->ifa_address;
47916 + our_netmask = 0xffffffff;
47917 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
47919 + rcu_read_unlock();
47920 + in_dev_put(idev);
47923 + } else if (ret == 2) {
47924 + rcu_read_unlock();
47925 + in_dev_put(idev);
47930 + } endfor_ifa(idev);
47931 + rcu_read_unlock();
47932 + in_dev_put(idev);
47935 + our_addr = ip->addr;
47936 + our_netmask = ip->netmask;
47937 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
47940 + else if (ret == 2)
47946 + if (mode == GR_BIND)
47947 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
47948 + else if (mode == GR_CONNECT)
47949 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
47955 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
47957 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
47961 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
47963 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
47966 +int gr_search_listen(struct socket *sock)
47968 + struct sock *sk = sock->sk;
47969 + struct sockaddr_in addr;
47971 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
47972 + addr.sin_port = inet_sk(sk)->inet_sport;
47974 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
47977 +int gr_search_accept(struct socket *sock)
47979 + struct sock *sk = sock->sk;
47980 + struct sockaddr_in addr;
47982 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
47983 + addr.sin_port = inet_sk(sk)->inet_sport;
47985 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
47989 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
47992 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
47994 + struct sockaddr_in sin;
47995 + const struct inet_sock *inet = inet_sk(sk);
47997 + sin.sin_addr.s_addr = inet->inet_daddr;
47998 + sin.sin_port = inet->inet_dport;
48000 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
48005 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
48007 + struct sockaddr_in sin;
48009 + if (unlikely(skb->len < sizeof (struct udphdr)))
48010 + return 0; // skip this packet
48012 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
48013 + sin.sin_port = udp_hdr(skb)->source;
48015 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
48017 diff -urNp linux-2.6.38.6/grsecurity/gracl_learn.c linux-2.6.38.6/grsecurity/gracl_learn.c
48018 --- linux-2.6.38.6/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
48019 +++ linux-2.6.38.6/grsecurity/gracl_learn.c 2011-04-28 19:34:15.000000000 -0400
48021 +#include <linux/kernel.h>
48022 +#include <linux/mm.h>
48023 +#include <linux/sched.h>
48024 +#include <linux/poll.h>
48025 +#include <linux/smp_lock.h>
48026 +#include <linux/string.h>
48027 +#include <linux/file.h>
48028 +#include <linux/types.h>
48029 +#include <linux/vmalloc.h>
48030 +#include <linux/grinternal.h>
48032 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
48033 + size_t count, loff_t *ppos);
48034 +extern int gr_acl_is_enabled(void);
48036 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
48037 +static int gr_learn_attached;
48039 +/* use a 512k buffer */
48040 +#define LEARN_BUFFER_SIZE (512 * 1024)
48042 +static DEFINE_SPINLOCK(gr_learn_lock);
48043 +static DEFINE_MUTEX(gr_learn_user_mutex);
48045 +/* we need to maintain two buffers, so that the kernel context of grlearn
48046 + uses a semaphore around the userspace copying, and the other kernel contexts
48047 + use a spinlock when copying into the buffer, since they cannot sleep
48049 +static char *learn_buffer;
48050 +static char *learn_buffer_user;
48051 +static int learn_buffer_len;
48052 +static int learn_buffer_user_len;
48055 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
48057 + DECLARE_WAITQUEUE(wait, current);
48058 + ssize_t retval = 0;
48060 + add_wait_queue(&learn_wait, &wait);
48061 + set_current_state(TASK_INTERRUPTIBLE);
48063 + mutex_lock(&gr_learn_user_mutex);
48064 + spin_lock(&gr_learn_lock);
48065 + if (learn_buffer_len)
48067 + spin_unlock(&gr_learn_lock);
48068 + mutex_unlock(&gr_learn_user_mutex);
48069 + if (file->f_flags & O_NONBLOCK) {
48070 + retval = -EAGAIN;
48073 + if (signal_pending(current)) {
48074 + retval = -ERESTARTSYS;
48081 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
48082 + learn_buffer_user_len = learn_buffer_len;
48083 + retval = learn_buffer_len;
48084 + learn_buffer_len = 0;
48086 + spin_unlock(&gr_learn_lock);
48088 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
48089 + retval = -EFAULT;
48091 + mutex_unlock(&gr_learn_user_mutex);
48093 + set_current_state(TASK_RUNNING);
48094 + remove_wait_queue(&learn_wait, &wait);
48098 +static unsigned int
48099 +poll_learn(struct file * file, poll_table * wait)
48101 + poll_wait(file, &learn_wait, wait);
48103 + if (learn_buffer_len)
48104 + return (POLLIN | POLLRDNORM);
48110 +gr_clear_learn_entries(void)
48114 + mutex_lock(&gr_learn_user_mutex);
48115 + if (learn_buffer != NULL) {
48116 + spin_lock(&gr_learn_lock);
48117 + tmp = learn_buffer;
48118 + learn_buffer = NULL;
48119 + spin_unlock(&gr_learn_lock);
48120 + vfree(learn_buffer);
48122 + if (learn_buffer_user != NULL) {
48123 + vfree(learn_buffer_user);
48124 + learn_buffer_user = NULL;
48126 + learn_buffer_len = 0;
48127 + mutex_unlock(&gr_learn_user_mutex);
48133 +gr_add_learn_entry(const char *fmt, ...)
48136 + unsigned int len;
48138 + if (!gr_learn_attached)
48141 + spin_lock(&gr_learn_lock);
48143 + /* leave a gap at the end so we know when it's "full" but don't have to
48144 + compute the exact length of the string we're trying to append
48146 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
48147 + spin_unlock(&gr_learn_lock);
48148 + wake_up_interruptible(&learn_wait);
48151 + if (learn_buffer == NULL) {
48152 + spin_unlock(&gr_learn_lock);
48156 + va_start(args, fmt);
48157 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
48160 + learn_buffer_len += len + 1;
48162 + spin_unlock(&gr_learn_lock);
48163 + wake_up_interruptible(&learn_wait);
48169 +open_learn(struct inode *inode, struct file *file)
48171 + if (file->f_mode & FMODE_READ && gr_learn_attached)
48173 + if (file->f_mode & FMODE_READ) {
48175 + mutex_lock(&gr_learn_user_mutex);
48176 + if (learn_buffer == NULL)
48177 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
48178 + if (learn_buffer_user == NULL)
48179 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
48180 + if (learn_buffer == NULL) {
48181 + retval = -ENOMEM;
48184 + if (learn_buffer_user == NULL) {
48185 + retval = -ENOMEM;
48188 + learn_buffer_len = 0;
48189 + learn_buffer_user_len = 0;
48190 + gr_learn_attached = 1;
48192 + mutex_unlock(&gr_learn_user_mutex);
48199 +close_learn(struct inode *inode, struct file *file)
48203 + if (file->f_mode & FMODE_READ) {
48204 + mutex_lock(&gr_learn_user_mutex);
48205 + if (learn_buffer != NULL) {
48206 + spin_lock(&gr_learn_lock);
48207 + tmp = learn_buffer;
48208 + learn_buffer = NULL;
48209 + spin_unlock(&gr_learn_lock);
48212 + if (learn_buffer_user != NULL) {
48213 + vfree(learn_buffer_user);
48214 + learn_buffer_user = NULL;
48216 + learn_buffer_len = 0;
48217 + learn_buffer_user_len = 0;
48218 + gr_learn_attached = 0;
48219 + mutex_unlock(&gr_learn_user_mutex);
48225 +const struct file_operations grsec_fops = {
48226 + .read = read_learn,
48227 + .write = write_grsec_handler,
48228 + .open = open_learn,
48229 + .release = close_learn,
48230 + .poll = poll_learn,
48232 diff -urNp linux-2.6.38.6/grsecurity/gracl_res.c linux-2.6.38.6/grsecurity/gracl_res.c
48233 --- linux-2.6.38.6/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
48234 +++ linux-2.6.38.6/grsecurity/gracl_res.c 2011-04-28 19:34:15.000000000 -0400
48236 +#include <linux/kernel.h>
48237 +#include <linux/sched.h>
48238 +#include <linux/gracl.h>
48239 +#include <linux/grinternal.h>
48241 +static const char *restab_log[] = {
48242 + [RLIMIT_CPU] = "RLIMIT_CPU",
48243 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
48244 + [RLIMIT_DATA] = "RLIMIT_DATA",
48245 + [RLIMIT_STACK] = "RLIMIT_STACK",
48246 + [RLIMIT_CORE] = "RLIMIT_CORE",
48247 + [RLIMIT_RSS] = "RLIMIT_RSS",
48248 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
48249 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
48250 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
48251 + [RLIMIT_AS] = "RLIMIT_AS",
48252 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
48253 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
48254 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
48255 + [RLIMIT_NICE] = "RLIMIT_NICE",
48256 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
48257 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
48258 + [GR_CRASH_RES] = "RLIMIT_CRASH"
48262 +gr_log_resource(const struct task_struct *task,
48263 + const int res, const unsigned long wanted, const int gt)
48265 + const struct cred *cred;
48266 + unsigned long rlim;
48268 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
48271 + // not yet supported resource
48272 + if (unlikely(!restab_log[res]))
48275 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
48276 + rlim = task_rlimit_max(task, res);
48278 + rlim = task_rlimit(task, res);
48280 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
48284 + cred = __task_cred(task);
48286 + if (res == RLIMIT_NPROC &&
48287 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
48288 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
48289 + goto out_rcu_unlock;
48290 + else if (res == RLIMIT_MEMLOCK &&
48291 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
48292 + goto out_rcu_unlock;
48293 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
48294 + goto out_rcu_unlock;
48295 + rcu_read_unlock();
48297 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
48301 + rcu_read_unlock();
48304 diff -urNp linux-2.6.38.6/grsecurity/gracl_segv.c linux-2.6.38.6/grsecurity/gracl_segv.c
48305 --- linux-2.6.38.6/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
48306 +++ linux-2.6.38.6/grsecurity/gracl_segv.c 2011-04-28 19:34:15.000000000 -0400
48308 +#include <linux/kernel.h>
48309 +#include <linux/mm.h>
48310 +#include <asm/uaccess.h>
48311 +#include <asm/errno.h>
48312 +#include <asm/mman.h>
48313 +#include <net/sock.h>
48314 +#include <linux/file.h>
48315 +#include <linux/fs.h>
48316 +#include <linux/net.h>
48317 +#include <linux/in.h>
48318 +#include <linux/smp_lock.h>
48319 +#include <linux/slab.h>
48320 +#include <linux/types.h>
48321 +#include <linux/sched.h>
48322 +#include <linux/timer.h>
48323 +#include <linux/gracl.h>
48324 +#include <linux/grsecurity.h>
48325 +#include <linux/grinternal.h>
48327 +static struct crash_uid *uid_set;
48328 +static unsigned short uid_used;
48329 +static DEFINE_SPINLOCK(gr_uid_lock);
48330 +extern rwlock_t gr_inode_lock;
48331 +extern struct acl_subject_label *
48332 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
48333 + struct acl_role_label *role);
48335 +#ifdef CONFIG_BTRFS_FS
48336 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
48337 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
48340 +static inline dev_t __get_dev(const struct dentry *dentry)
48342 +#ifdef CONFIG_BTRFS_FS
48343 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
48344 + return get_btrfs_dev_from_inode(dentry->d_inode);
48347 + return dentry->d_inode->i_sb->s_dev;
48351 +gr_init_uidset(void)
48354 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
48357 + return uid_set ? 1 : 0;
48361 +gr_free_uidset(void)
48370 +gr_find_uid(const uid_t uid)
48372 + struct crash_uid *tmp = uid_set;
48374 + int low = 0, high = uid_used - 1, mid;
48376 + while (high >= low) {
48377 + mid = (low + high) >> 1;
48378 + buid = tmp[mid].uid;
48390 +static __inline__ void
48391 +gr_insertsort(void)
48393 + unsigned short i, j;
48394 + struct crash_uid index;
48396 + for (i = 1; i < uid_used; i++) {
48397 + index = uid_set[i];
48399 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
48400 + uid_set[j] = uid_set[j - 1];
48403 + uid_set[j] = index;
48409 +static __inline__ void
48410 +gr_insert_uid(const uid_t uid, const unsigned long expires)
48414 + if (uid_used == GR_UIDTABLE_MAX)
48417 + loc = gr_find_uid(uid);
48420 + uid_set[loc].expires = expires;
48424 + uid_set[uid_used].uid = uid;
48425 + uid_set[uid_used].expires = expires;
48434 +gr_remove_uid(const unsigned short loc)
48436 + unsigned short i;
48438 + for (i = loc + 1; i < uid_used; i++)
48439 + uid_set[i - 1] = uid_set[i];
48447 +gr_check_crash_uid(const uid_t uid)
48452 + if (unlikely(!gr_acl_is_enabled()))
48455 + spin_lock(&gr_uid_lock);
48456 + loc = gr_find_uid(uid);
48461 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
48462 + gr_remove_uid(loc);
48467 + spin_unlock(&gr_uid_lock);
48471 +static __inline__ int
48472 +proc_is_setxid(const struct cred *cred)
48474 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
48475 + cred->uid != cred->fsuid)
48477 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
48478 + cred->gid != cred->fsgid)
48484 +extern int gr_fake_force_sig(int sig, struct task_struct *t);
48487 +gr_handle_crash(struct task_struct *task, const int sig)
48489 + struct acl_subject_label *curr;
48490 + struct acl_subject_label *curr2;
48491 + struct task_struct *tsk, *tsk2;
48492 + const struct cred *cred;
48493 + const struct cred *cred2;
48495 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
48498 + if (unlikely(!gr_acl_is_enabled()))
48501 + curr = task->acl;
48503 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
48506 + if (time_before_eq(curr->expires, get_seconds())) {
48507 + curr->expires = 0;
48508 + curr->crashes = 0;
48513 + if (!curr->expires)
48514 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
48516 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
48517 + time_after(curr->expires, get_seconds())) {
48519 + cred = __task_cred(task);
48520 + if (cred->uid && proc_is_setxid(cred)) {
48521 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
48522 + spin_lock(&gr_uid_lock);
48523 + gr_insert_uid(cred->uid, curr->expires);
48524 + spin_unlock(&gr_uid_lock);
48525 + curr->expires = 0;
48526 + curr->crashes = 0;
48527 + read_lock(&tasklist_lock);
48528 + do_each_thread(tsk2, tsk) {
48529 + cred2 = __task_cred(tsk);
48530 + if (tsk != task && cred2->uid == cred->uid)
48531 + gr_fake_force_sig(SIGKILL, tsk);
48532 + } while_each_thread(tsk2, tsk);
48533 + read_unlock(&tasklist_lock);
48535 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
48536 + read_lock(&tasklist_lock);
48537 + do_each_thread(tsk2, tsk) {
48538 + if (likely(tsk != task)) {
48539 + curr2 = tsk->acl;
48541 + if (curr2->device == curr->device &&
48542 + curr2->inode == curr->inode)
48543 + gr_fake_force_sig(SIGKILL, tsk);
48545 + } while_each_thread(tsk2, tsk);
48546 + read_unlock(&tasklist_lock);
48548 + rcu_read_unlock();
48555 +gr_check_crash_exec(const struct file *filp)
48557 + struct acl_subject_label *curr;
48559 + if (unlikely(!gr_acl_is_enabled()))
48562 + read_lock(&gr_inode_lock);
48563 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
48564 + __get_dev(filp->f_path.dentry),
48566 + read_unlock(&gr_inode_lock);
48568 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
48569 + (!curr->crashes && !curr->expires))
48572 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
48573 + time_after(curr->expires, get_seconds()))
48575 + else if (time_before_eq(curr->expires, get_seconds())) {
48576 + curr->crashes = 0;
48577 + curr->expires = 0;
48584 +gr_handle_alertkill(struct task_struct *task)
48586 + struct acl_subject_label *curracl;
48588 + struct task_struct *p, *p2;
48590 + if (unlikely(!gr_acl_is_enabled()))
48593 + curracl = task->acl;
48594 + curr_ip = task->signal->curr_ip;
48596 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
48597 + read_lock(&tasklist_lock);
48598 + do_each_thread(p2, p) {
48599 + if (p->signal->curr_ip == curr_ip)
48600 + gr_fake_force_sig(SIGKILL, p);
48601 + } while_each_thread(p2, p);
48602 + read_unlock(&tasklist_lock);
48603 + } else if (curracl->mode & GR_KILLPROC)
48604 + gr_fake_force_sig(SIGKILL, task);
48608 diff -urNp linux-2.6.38.6/grsecurity/gracl_shm.c linux-2.6.38.6/grsecurity/gracl_shm.c
48609 --- linux-2.6.38.6/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
48610 +++ linux-2.6.38.6/grsecurity/gracl_shm.c 2011-04-28 19:34:15.000000000 -0400
48612 +#include <linux/kernel.h>
48613 +#include <linux/mm.h>
48614 +#include <linux/sched.h>
48615 +#include <linux/file.h>
48616 +#include <linux/ipc.h>
48617 +#include <linux/gracl.h>
48618 +#include <linux/grsecurity.h>
48619 +#include <linux/grinternal.h>
48622 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
48623 + const time_t shm_createtime, const uid_t cuid, const int shmid)
48625 + struct task_struct *task;
48627 + if (!gr_acl_is_enabled())
48631 + read_lock(&tasklist_lock);
48633 + task = find_task_by_vpid(shm_cprid);
48635 + if (unlikely(!task))
48636 + task = find_task_by_vpid(shm_lapid);
48638 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
48639 + (task->pid == shm_lapid)) &&
48640 + (task->acl->mode & GR_PROTSHM) &&
48641 + (task->acl != current->acl))) {
48642 + read_unlock(&tasklist_lock);
48643 + rcu_read_unlock();
48644 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
48647 + read_unlock(&tasklist_lock);
48648 + rcu_read_unlock();
48652 diff -urNp linux-2.6.38.6/grsecurity/grsec_chdir.c linux-2.6.38.6/grsecurity/grsec_chdir.c
48653 --- linux-2.6.38.6/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
48654 +++ linux-2.6.38.6/grsecurity/grsec_chdir.c 2011-04-28 19:34:15.000000000 -0400
48656 +#include <linux/kernel.h>
48657 +#include <linux/sched.h>
48658 +#include <linux/fs.h>
48659 +#include <linux/file.h>
48660 +#include <linux/grsecurity.h>
48661 +#include <linux/grinternal.h>
48664 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
48666 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
48667 + if ((grsec_enable_chdir && grsec_enable_group &&
48668 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
48669 + !grsec_enable_group)) {
48670 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
48675 diff -urNp linux-2.6.38.6/grsecurity/grsec_chroot.c linux-2.6.38.6/grsecurity/grsec_chroot.c
48676 --- linux-2.6.38.6/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
48677 +++ linux-2.6.38.6/grsecurity/grsec_chroot.c 2011-04-28 19:34:15.000000000 -0400
48679 +#include <linux/kernel.h>
48680 +#include <linux/module.h>
48681 +#include <linux/sched.h>
48682 +#include <linux/file.h>
48683 +#include <linux/fs.h>
48684 +#include <linux/mount.h>
48685 +#include <linux/types.h>
48686 +#include <linux/pid_namespace.h>
48687 +#include <linux/grsecurity.h>
48688 +#include <linux/grinternal.h>
48690 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
48692 +#ifdef CONFIG_GRKERNSEC
48693 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
48694 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
48695 + task->gr_is_chrooted = 1;
48697 + task->gr_is_chrooted = 0;
48699 + task->gr_chroot_dentry = path->dentry;
48704 +void gr_clear_chroot_entries(struct task_struct *task)
48706 +#ifdef CONFIG_GRKERNSEC
48707 + task->gr_is_chrooted = 0;
48708 + task->gr_chroot_dentry = NULL;
48714 +gr_handle_chroot_unix(struct pid *pid)
48716 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
48717 + struct task_struct *p;
48719 + if (unlikely(!grsec_enable_chroot_unix))
48722 + if (likely(!proc_is_chrooted(current)))
48726 + read_lock(&tasklist_lock);
48727 + p = pid_task(pid, PIDTYPE_PID);
48728 + if (unlikely(p && !have_same_root(current, p))) {
48729 + read_unlock(&tasklist_lock);
48730 + rcu_read_unlock();
48731 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
48734 + read_unlock(&tasklist_lock);
48735 + rcu_read_unlock();
48741 +gr_handle_chroot_nice(void)
48743 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
48744 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
48745 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
48753 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
48755 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
48756 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
48757 + && proc_is_chrooted(current)) {
48758 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
48766 +gr_handle_chroot_rawio(const struct inode *inode)
48768 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
48769 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
48770 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
48777 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
48779 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
48780 + struct task_struct *p;
48782 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
48785 + read_lock(&tasklist_lock);
48786 + do_each_pid_task(pid, type, p) {
48787 + if (!have_same_root(current, p)) {
48791 + } while_each_pid_task(pid, type, p);
48793 + read_unlock(&tasklist_lock);
48800 +gr_pid_is_chrooted(struct task_struct *p)
48802 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
48803 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
48806 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
48807 + !have_same_root(current, p)) {
48814 +EXPORT_SYMBOL(gr_pid_is_chrooted);
48816 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
48817 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
48819 + struct path path, currentroot;
48822 + path.dentry = (struct dentry *)u_dentry;
48823 + path.mnt = (struct vfsmount *)u_mnt;
48824 + get_fs_root(current->fs, ¤troot);
48825 + if (path_is_under(&path, ¤troot))
48827 + path_put(¤troot);
48834 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
48836 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
48837 + if (!grsec_enable_chroot_fchdir)
48840 + if (!proc_is_chrooted(current))
48842 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
48843 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
48851 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
48852 + const time_t shm_createtime)
48854 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
48855 + struct pid *pid = NULL;
48856 + time_t starttime;
48858 + if (unlikely(!grsec_enable_chroot_shmat))
48861 + if (likely(!proc_is_chrooted(current)))
48865 + read_lock(&tasklist_lock);
48867 + pid = find_vpid(shm_cprid);
48869 + struct task_struct *p;
48870 + p = pid_task(pid, PIDTYPE_PID);
48873 + starttime = p->start_time.tv_sec;
48874 + if (unlikely(!have_same_root(current, p) &&
48875 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
48876 + read_unlock(&tasklist_lock);
48877 + rcu_read_unlock();
48878 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
48882 + pid = find_vpid(shm_lapid);
48884 + struct task_struct *p;
48885 + p = pid_task(pid, PIDTYPE_PID);
48888 + if (unlikely(!have_same_root(current, p))) {
48889 + read_unlock(&tasklist_lock);
48890 + rcu_read_unlock();
48891 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
48897 + read_unlock(&tasklist_lock);
48898 + rcu_read_unlock();
48904 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
48906 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
48907 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
48908 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
48914 +gr_handle_chroot_mknod(const struct dentry *dentry,
48915 + const struct vfsmount *mnt, const int mode)
48917 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
48918 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
48919 + proc_is_chrooted(current)) {
48920 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
48928 +gr_handle_chroot_mount(const struct dentry *dentry,
48929 + const struct vfsmount *mnt, const char *dev_name)
48931 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
48932 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
48933 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
48941 +gr_handle_chroot_pivot(void)
48943 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
48944 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
48945 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
48953 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
48955 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
48956 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
48957 + !gr_is_outside_chroot(dentry, mnt)) {
48958 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
48966 +gr_handle_chroot_caps(struct path *path)
48968 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
48969 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
48970 + (init_task.fs->root.dentry != path->dentry) &&
48971 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
48973 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
48974 + const struct cred *old = current_cred();
48975 + struct cred *new = prepare_creds();
48979 + new->cap_permitted = cap_drop(old->cap_permitted,
48981 + new->cap_inheritable = cap_drop(old->cap_inheritable,
48983 + new->cap_effective = cap_drop(old->cap_effective,
48986 + commit_creds(new);
48995 +gr_handle_chroot_sysctl(const int op)
48997 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
48998 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
48999 + proc_is_chrooted(current))
49006 +gr_handle_chroot_chdir(struct path *path)
49008 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
49009 + if (grsec_enable_chroot_chdir)
49010 + set_fs_pwd(current->fs, path);
49016 +gr_handle_chroot_chmod(const struct dentry *dentry,
49017 + const struct vfsmount *mnt, const int mode)
49019 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
49020 + /* allow chmod +s on directories, but not files */
49021 + if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
49022 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
49023 + proc_is_chrooted(current)) {
49024 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
49031 +#ifdef CONFIG_SECURITY
49032 +EXPORT_SYMBOL(gr_handle_chroot_caps);
49034 diff -urNp linux-2.6.38.6/grsecurity/grsec_disabled.c linux-2.6.38.6/grsecurity/grsec_disabled.c
49035 --- linux-2.6.38.6/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
49036 +++ linux-2.6.38.6/grsecurity/grsec_disabled.c 2011-04-28 19:34:15.000000000 -0400
49038 +#include <linux/kernel.h>
49039 +#include <linux/module.h>
49040 +#include <linux/sched.h>
49041 +#include <linux/file.h>
49042 +#include <linux/fs.h>
49043 +#include <linux/kdev_t.h>
49044 +#include <linux/net.h>
49045 +#include <linux/in.h>
49046 +#include <linux/ip.h>
49047 +#include <linux/skbuff.h>
49048 +#include <linux/sysctl.h>
49050 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
49052 +pax_set_initial_flags(struct linux_binprm *bprm)
49058 +#ifdef CONFIG_SYSCTL
49060 +gr_handle_sysctl(const struct ctl_table * table, const int op)
49066 +#ifdef CONFIG_TASKSTATS
49067 +int gr_is_taskstats_denied(int pid)
49074 +gr_acl_is_enabled(void)
49080 +gr_handle_rawio(const struct inode *inode)
49086 +gr_acl_handle_psacct(struct task_struct *task, const long code)
49092 +gr_handle_ptrace(struct task_struct *task, const long request)
49098 +gr_handle_proc_ptrace(struct task_struct *task)
49104 +gr_learn_resource(const struct task_struct *task,
49105 + const int res, const unsigned long wanted, const int gt)
49111 +gr_set_acls(const int type)
49117 +gr_check_hidden_task(const struct task_struct *tsk)
49123 +gr_check_protected_task(const struct task_struct *task)
49129 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
49135 +gr_copy_label(struct task_struct *tsk)
49141 +gr_set_pax_flags(struct task_struct *task)
49147 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
49148 + const int unsafe_share)
49154 +gr_handle_delete(const ino_t ino, const dev_t dev)
49160 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
49166 +gr_handle_crash(struct task_struct *task, const int sig)
49172 +gr_check_crash_exec(const struct file *filp)
49178 +gr_check_crash_uid(const uid_t uid)
49184 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
49185 + struct dentry *old_dentry,
49186 + struct dentry *new_dentry,
49187 + struct vfsmount *mnt, const __u8 replace)
49193 +gr_search_socket(const int family, const int type, const int protocol)
49199 +gr_search_connectbind(const int mode, const struct socket *sock,
49200 + const struct sockaddr_in *addr)
49206 +gr_is_capable(const int cap)
49212 +gr_is_capable_nolog(const int cap)
49218 +gr_handle_alertkill(struct task_struct *task)
49224 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
49230 +gr_acl_handle_hidden_file(const struct dentry * dentry,
49231 + const struct vfsmount * mnt)
49237 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
49244 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
49250 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
49256 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
49257 + unsigned int *vm_flags)
49263 +gr_acl_handle_truncate(const struct dentry * dentry,
49264 + const struct vfsmount * mnt)
49270 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
49276 +gr_acl_handle_access(const struct dentry * dentry,
49277 + const struct vfsmount * mnt, const int fmode)
49283 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
49290 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
49297 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
49303 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
49309 +grsecurity_init(void)
49315 +gr_acl_handle_mknod(const struct dentry * new_dentry,
49316 + const struct dentry * parent_dentry,
49317 + const struct vfsmount * parent_mnt,
49324 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
49325 + const struct dentry * parent_dentry,
49326 + const struct vfsmount * parent_mnt)
49332 +gr_acl_handle_symlink(const struct dentry * new_dentry,
49333 + const struct dentry * parent_dentry,
49334 + const struct vfsmount * parent_mnt, const char *from)
49340 +gr_acl_handle_link(const struct dentry * new_dentry,
49341 + const struct dentry * parent_dentry,
49342 + const struct vfsmount * parent_mnt,
49343 + const struct dentry * old_dentry,
49344 + const struct vfsmount * old_mnt, const char *to)
49350 +gr_acl_handle_rename(const struct dentry *new_dentry,
49351 + const struct dentry *parent_dentry,
49352 + const struct vfsmount *parent_mnt,
49353 + const struct dentry *old_dentry,
49354 + const struct inode *old_parent_inode,
49355 + const struct vfsmount *old_mnt, const char *newname)
49361 +gr_acl_handle_filldir(const struct file *file, const char *name,
49362 + const int namelen, const ino_t ino)
49368 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
49369 + const time_t shm_createtime, const uid_t cuid, const int shmid)
49375 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
49381 +gr_search_accept(const struct socket *sock)
49387 +gr_search_listen(const struct socket *sock)
49393 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
49399 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
49405 +gr_acl_handle_creat(const struct dentry * dentry,
49406 + const struct dentry * p_dentry,
49407 + const struct vfsmount * p_mnt, const int fmode,
49414 +gr_acl_handle_exit(void)
49420 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
49426 +gr_set_role_label(const uid_t uid, const gid_t gid)
49432 +gr_acl_handle_procpidmem(const struct task_struct *task)
49438 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
49444 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
49450 +gr_set_kernel_label(struct task_struct *task)
49456 +gr_check_user_change(int real, int effective, int fs)
49462 +gr_check_group_change(int real, int effective, int fs)
49467 +int gr_acl_enable_at_secure(void)
49472 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
49474 + return dentry->d_inode->i_sb->s_dev;
49477 +EXPORT_SYMBOL(gr_is_capable);
49478 +EXPORT_SYMBOL(gr_is_capable_nolog);
49479 +EXPORT_SYMBOL(gr_learn_resource);
49480 +EXPORT_SYMBOL(gr_set_kernel_label);
49481 +#ifdef CONFIG_SECURITY
49482 +EXPORT_SYMBOL(gr_check_user_change);
49483 +EXPORT_SYMBOL(gr_check_group_change);
49485 diff -urNp linux-2.6.38.6/grsecurity/grsec_exec.c linux-2.6.38.6/grsecurity/grsec_exec.c
49486 --- linux-2.6.38.6/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
49487 +++ linux-2.6.38.6/grsecurity/grsec_exec.c 2011-04-28 19:34:15.000000000 -0400
49489 +#include <linux/kernel.h>
49490 +#include <linux/sched.h>
49491 +#include <linux/file.h>
49492 +#include <linux/binfmts.h>
49493 +#include <linux/smp_lock.h>
49494 +#include <linux/fs.h>
49495 +#include <linux/types.h>
49496 +#include <linux/grdefs.h>
49497 +#include <linux/grinternal.h>
49498 +#include <linux/capability.h>
49499 +#include <linux/compat.h>
49501 +#include <asm/uaccess.h>
49503 +#ifdef CONFIG_GRKERNSEC_EXECLOG
49504 +static char gr_exec_arg_buf[132];
49505 +static DEFINE_MUTEX(gr_exec_arg_mutex);
49509 +gr_handle_nproc(void)
49511 +#ifdef CONFIG_GRKERNSEC_EXECVE
49512 + const struct cred *cred = current_cred();
49513 + if (grsec_enable_execve && cred->user &&
49514 + (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
49515 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
49516 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
49524 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
49526 +#ifdef CONFIG_GRKERNSEC_EXECLOG
49527 + char *grarg = gr_exec_arg_buf;
49528 + unsigned int i, x, execlen = 0;
49531 + if (!((grsec_enable_execlog && grsec_enable_group &&
49532 + in_group_p(grsec_audit_gid))
49533 + || (grsec_enable_execlog && !grsec_enable_group)))
49536 + mutex_lock(&gr_exec_arg_mutex);
49537 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
49539 + if (unlikely(argv == NULL))
49542 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
49543 + const char __user *p;
49544 + unsigned int len;
49546 + if (copy_from_user(&p, argv + i, sizeof(p)))
49550 + len = strnlen_user(p, 128 - execlen);
49551 + if (len > 128 - execlen)
49552 + len = 128 - execlen;
49553 + else if (len > 0)
49555 + if (copy_from_user(grarg + execlen, p, len))
49558 + /* rewrite unprintable characters */
49559 + for (x = 0; x < len; x++) {
49560 + c = *(grarg + execlen + x);
49561 + if (c < 32 || c > 126)
49562 + *(grarg + execlen + x) = ' ';
49566 + *(grarg + execlen) = ' ';
49567 + *(grarg + execlen + 1) = '\0';
49572 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
49573 + bprm->file->f_path.mnt, grarg);
49574 + mutex_unlock(&gr_exec_arg_mutex);
49579 +#ifdef CONFIG_COMPAT
49581 +gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv)
49583 +#ifdef CONFIG_GRKERNSEC_EXECLOG
49584 + char *grarg = gr_exec_arg_buf;
49585 + unsigned int i, x, execlen = 0;
49588 + if (!((grsec_enable_execlog && grsec_enable_group &&
49589 + in_group_p(grsec_audit_gid))
49590 + || (grsec_enable_execlog && !grsec_enable_group)))
49593 + mutex_lock(&gr_exec_arg_mutex);
49594 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
49596 + if (unlikely(argv == NULL))
49599 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
49601 + unsigned int len;
49603 + if (get_user(p, argv + i))
49605 + len = strnlen_user(compat_ptr(p), 128 - execlen);
49606 + if (len > 128 - execlen)
49607 + len = 128 - execlen;
49608 + else if (len > 0)
49612 + if (copy_from_user(grarg + execlen, compat_ptr(p), len))
49615 + /* rewrite unprintable characters */
49616 + for (x = 0; x < len; x++) {
49617 + c = *(grarg + execlen + x);
49618 + if (c < 32 || c > 126)
49619 + *(grarg + execlen + x) = ' ';
49623 + *(grarg + execlen) = ' ';
49624 + *(grarg + execlen + 1) = '\0';
49629 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
49630 + bprm->file->f_path.mnt, grarg);
49631 + mutex_unlock(&gr_exec_arg_mutex);
49636 diff -urNp linux-2.6.38.6/grsecurity/grsec_fifo.c linux-2.6.38.6/grsecurity/grsec_fifo.c
49637 --- linux-2.6.38.6/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
49638 +++ linux-2.6.38.6/grsecurity/grsec_fifo.c 2011-04-28 19:34:15.000000000 -0400
49640 +#include <linux/kernel.h>
49641 +#include <linux/sched.h>
49642 +#include <linux/fs.h>
49643 +#include <linux/file.h>
49644 +#include <linux/grinternal.h>
49647 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
49648 + const struct dentry *dir, const int flag, const int acc_mode)
49650 +#ifdef CONFIG_GRKERNSEC_FIFO
49651 + const struct cred *cred = current_cred();
49653 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
49654 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
49655 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
49656 + (cred->fsuid != dentry->d_inode->i_uid)) {
49657 + if (!inode_permission(dentry->d_inode, acc_mode))
49658 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
49664 diff -urNp linux-2.6.38.6/grsecurity/grsec_fork.c linux-2.6.38.6/grsecurity/grsec_fork.c
49665 --- linux-2.6.38.6/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
49666 +++ linux-2.6.38.6/grsecurity/grsec_fork.c 2011-04-28 19:34:15.000000000 -0400
49668 +#include <linux/kernel.h>
49669 +#include <linux/sched.h>
49670 +#include <linux/grsecurity.h>
49671 +#include <linux/grinternal.h>
49672 +#include <linux/errno.h>
49675 +gr_log_forkfail(const int retval)
49677 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
49678 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
49679 + switch (retval) {
49681 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
49684 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
49691 diff -urNp linux-2.6.38.6/grsecurity/grsec_init.c linux-2.6.38.6/grsecurity/grsec_init.c
49692 --- linux-2.6.38.6/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
49693 +++ linux-2.6.38.6/grsecurity/grsec_init.c 2011-04-28 19:34:15.000000000 -0400
49695 +#include <linux/kernel.h>
49696 +#include <linux/sched.h>
49697 +#include <linux/mm.h>
49698 +#include <linux/smp_lock.h>
49699 +#include <linux/gracl.h>
49700 +#include <linux/slab.h>
49701 +#include <linux/vmalloc.h>
49702 +#include <linux/percpu.h>
49703 +#include <linux/module.h>
49705 +int grsec_enable_link;
49706 +int grsec_enable_dmesg;
49707 +int grsec_enable_harden_ptrace;
49708 +int grsec_enable_fifo;
49709 +int grsec_enable_execve;
49710 +int grsec_enable_execlog;
49711 +int grsec_enable_signal;
49712 +int grsec_enable_forkfail;
49713 +int grsec_enable_audit_ptrace;
49714 +int grsec_enable_time;
49715 +int grsec_enable_audit_textrel;
49716 +int grsec_enable_group;
49717 +int grsec_audit_gid;
49718 +int grsec_enable_chdir;
49719 +int grsec_enable_mount;
49720 +int grsec_enable_rofs;
49721 +int grsec_enable_chroot_findtask;
49722 +int grsec_enable_chroot_mount;
49723 +int grsec_enable_chroot_shmat;
49724 +int grsec_enable_chroot_fchdir;
49725 +int grsec_enable_chroot_double;
49726 +int grsec_enable_chroot_pivot;
49727 +int grsec_enable_chroot_chdir;
49728 +int grsec_enable_chroot_chmod;
49729 +int grsec_enable_chroot_mknod;
49730 +int grsec_enable_chroot_nice;
49731 +int grsec_enable_chroot_execlog;
49732 +int grsec_enable_chroot_caps;
49733 +int grsec_enable_chroot_sysctl;
49734 +int grsec_enable_chroot_unix;
49735 +int grsec_enable_tpe;
49736 +int grsec_tpe_gid;
49737 +int grsec_enable_blackhole;
49738 +#ifdef CONFIG_IPV6_MODULE
49739 +EXPORT_SYMBOL(grsec_enable_blackhole);
49741 +int grsec_lastack_retries;
49742 +int grsec_enable_tpe_all;
49743 +int grsec_enable_tpe_invert;
49744 +int grsec_enable_socket_all;
49745 +int grsec_socket_all_gid;
49746 +int grsec_enable_socket_client;
49747 +int grsec_socket_client_gid;
49748 +int grsec_enable_socket_server;
49749 +int grsec_socket_server_gid;
49750 +int grsec_resource_logging;
49751 +int grsec_disable_privio;
49752 +int grsec_enable_log_rwxmaps;
49755 +DEFINE_SPINLOCK(grsec_alert_lock);
49756 +unsigned long grsec_alert_wtime = 0;
49757 +unsigned long grsec_alert_fyet = 0;
49759 +DEFINE_SPINLOCK(grsec_audit_lock);
49761 +DEFINE_RWLOCK(grsec_exec_file_lock);
49763 +char *gr_shared_page[4];
49765 +char *gr_alert_log_fmt;
49766 +char *gr_audit_log_fmt;
49767 +char *gr_alert_log_buf;
49768 +char *gr_audit_log_buf;
49770 +extern struct gr_arg *gr_usermode;
49771 +extern unsigned char *gr_system_salt;
49772 +extern unsigned char *gr_system_sum;
49775 +grsecurity_init(void)
49778 + /* create the per-cpu shared pages */
49781 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
49784 + for (j = 0; j < 4; j++) {
49785 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
49786 + if (gr_shared_page[j] == NULL) {
49787 + panic("Unable to allocate grsecurity shared page");
49792 + /* allocate log buffers */
49793 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
49794 + if (!gr_alert_log_fmt) {
49795 + panic("Unable to allocate grsecurity alert log format buffer");
49798 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
49799 + if (!gr_audit_log_fmt) {
49800 + panic("Unable to allocate grsecurity audit log format buffer");
49803 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
49804 + if (!gr_alert_log_buf) {
49805 + panic("Unable to allocate grsecurity alert log buffer");
49808 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
49809 + if (!gr_audit_log_buf) {
49810 + panic("Unable to allocate grsecurity audit log buffer");
49814 + /* allocate memory for authentication structure */
49815 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
49816 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
49817 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
49819 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
49820 + panic("Unable to allocate grsecurity authentication structure");
49825 +#ifdef CONFIG_GRKERNSEC_IO
49826 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
49827 + grsec_disable_privio = 1;
49828 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
49829 + grsec_disable_privio = 1;
49831 + grsec_disable_privio = 0;
49835 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
49836 + /* for backward compatibility, tpe_invert always defaults to on if
49837 + enabled in the kernel
49839 + grsec_enable_tpe_invert = 1;
49842 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
49843 +#ifndef CONFIG_GRKERNSEC_SYSCTL
49847 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
49848 + grsec_enable_audit_textrel = 1;
49850 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
49851 + grsec_enable_log_rwxmaps = 1;
49853 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
49854 + grsec_enable_group = 1;
49855 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
49857 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
49858 + grsec_enable_chdir = 1;
49860 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
49861 + grsec_enable_harden_ptrace = 1;
49863 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
49864 + grsec_enable_mount = 1;
49866 +#ifdef CONFIG_GRKERNSEC_LINK
49867 + grsec_enable_link = 1;
49869 +#ifdef CONFIG_GRKERNSEC_DMESG
49870 + grsec_enable_dmesg = 1;
49872 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
49873 + grsec_enable_blackhole = 1;
49874 + grsec_lastack_retries = 4;
49876 +#ifdef CONFIG_GRKERNSEC_FIFO
49877 + grsec_enable_fifo = 1;
49879 +#ifdef CONFIG_GRKERNSEC_EXECVE
49880 + grsec_enable_execve = 1;
49882 +#ifdef CONFIG_GRKERNSEC_EXECLOG
49883 + grsec_enable_execlog = 1;
49885 +#ifdef CONFIG_GRKERNSEC_SIGNAL
49886 + grsec_enable_signal = 1;
49888 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
49889 + grsec_enable_forkfail = 1;
49891 +#ifdef CONFIG_GRKERNSEC_TIME
49892 + grsec_enable_time = 1;
49894 +#ifdef CONFIG_GRKERNSEC_RESLOG
49895 + grsec_resource_logging = 1;
49897 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
49898 + grsec_enable_chroot_findtask = 1;
49900 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
49901 + grsec_enable_chroot_unix = 1;
49903 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
49904 + grsec_enable_chroot_mount = 1;
49906 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
49907 + grsec_enable_chroot_fchdir = 1;
49909 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
49910 + grsec_enable_chroot_shmat = 1;
49912 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
49913 + grsec_enable_audit_ptrace = 1;
49915 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
49916 + grsec_enable_chroot_double = 1;
49918 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
49919 + grsec_enable_chroot_pivot = 1;
49921 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
49922 + grsec_enable_chroot_chdir = 1;
49924 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
49925 + grsec_enable_chroot_chmod = 1;
49927 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
49928 + grsec_enable_chroot_mknod = 1;
49930 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
49931 + grsec_enable_chroot_nice = 1;
49933 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
49934 + grsec_enable_chroot_execlog = 1;
49936 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
49937 + grsec_enable_chroot_caps = 1;
49939 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
49940 + grsec_enable_chroot_sysctl = 1;
49942 +#ifdef CONFIG_GRKERNSEC_TPE
49943 + grsec_enable_tpe = 1;
49944 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
49945 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
49946 + grsec_enable_tpe_all = 1;
49949 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
49950 + grsec_enable_socket_all = 1;
49951 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
49953 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
49954 + grsec_enable_socket_client = 1;
49955 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
49957 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
49958 + grsec_enable_socket_server = 1;
49959 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
49965 diff -urNp linux-2.6.38.6/grsecurity/grsec_link.c linux-2.6.38.6/grsecurity/grsec_link.c
49966 --- linux-2.6.38.6/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
49967 +++ linux-2.6.38.6/grsecurity/grsec_link.c 2011-04-28 19:34:15.000000000 -0400
49969 +#include <linux/kernel.h>
49970 +#include <linux/sched.h>
49971 +#include <linux/fs.h>
49972 +#include <linux/file.h>
49973 +#include <linux/grinternal.h>
49976 +gr_handle_follow_link(const struct inode *parent,
49977 + const struct inode *inode,
49978 + const struct dentry *dentry, const struct vfsmount *mnt)
49980 +#ifdef CONFIG_GRKERNSEC_LINK
49981 + const struct cred *cred = current_cred();
49983 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
49984 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
49985 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
49986 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
49994 +gr_handle_hardlink(const struct dentry *dentry,
49995 + const struct vfsmount *mnt,
49996 + struct inode *inode, const int mode, const char *to)
49998 +#ifdef CONFIG_GRKERNSEC_LINK
49999 + const struct cred *cred = current_cred();
50001 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
50002 + (!S_ISREG(mode) || (mode & S_ISUID) ||
50003 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
50004 + (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
50005 + !capable(CAP_FOWNER) && cred->uid) {
50006 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
50012 diff -urNp linux-2.6.38.6/grsecurity/grsec_log.c linux-2.6.38.6/grsecurity/grsec_log.c
50013 --- linux-2.6.38.6/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
50014 +++ linux-2.6.38.6/grsecurity/grsec_log.c 2011-05-10 21:15:15.000000000 -0400
50016 +#include <linux/kernel.h>
50017 +#include <linux/sched.h>
50018 +#include <linux/file.h>
50019 +#include <linux/tty.h>
50020 +#include <linux/fs.h>
50021 +#include <linux/grinternal.h>
50023 +#ifdef CONFIG_TREE_PREEMPT_RCU
50024 +#define DISABLE_PREEMPT() preempt_disable()
50025 +#define ENABLE_PREEMPT() preempt_enable()
50027 +#define DISABLE_PREEMPT()
50028 +#define ENABLE_PREEMPT()
50031 +#define BEGIN_LOCKS(x) \
50032 + DISABLE_PREEMPT(); \
50033 + rcu_read_lock(); \
50034 + read_lock(&tasklist_lock); \
50035 + read_lock(&grsec_exec_file_lock); \
50036 + if (x != GR_DO_AUDIT) \
50037 + spin_lock(&grsec_alert_lock); \
50039 + spin_lock(&grsec_audit_lock)
50041 +#define END_LOCKS(x) \
50042 + if (x != GR_DO_AUDIT) \
50043 + spin_unlock(&grsec_alert_lock); \
50045 + spin_unlock(&grsec_audit_lock); \
50046 + read_unlock(&grsec_exec_file_lock); \
50047 + read_unlock(&tasklist_lock); \
50048 + rcu_read_unlock(); \
50049 + ENABLE_PREEMPT(); \
50050 + if (x == GR_DONT_AUDIT) \
50051 + gr_handle_alertkill(current)
50058 +extern char *gr_alert_log_fmt;
50059 +extern char *gr_audit_log_fmt;
50060 +extern char *gr_alert_log_buf;
50061 +extern char *gr_audit_log_buf;
50063 +static int gr_log_start(int audit)
50065 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
50066 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
50067 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
50069 + if (audit == GR_DO_AUDIT)
50072 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
50073 + grsec_alert_wtime = jiffies;
50074 + grsec_alert_fyet = 0;
50075 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
50076 + grsec_alert_fyet++;
50077 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
50078 + grsec_alert_wtime = jiffies;
50079 + grsec_alert_fyet++;
50080 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
50082 + } else return FLOODING;
50085 + memset(buf, 0, PAGE_SIZE);
50086 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
50087 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
50088 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
50089 + } else if (current->signal->curr_ip) {
50090 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
50091 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip);
50092 + } else if (gr_acl_is_enabled()) {
50093 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
50094 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
50096 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
50097 + strcpy(buf, fmt);
50100 + return NO_FLOODING;
50103 +static void gr_log_middle(int audit, const char *msg, va_list ap)
50104 + __attribute__ ((format (printf, 2, 0)));
50106 +static void gr_log_middle(int audit, const char *msg, va_list ap)
50108 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
50109 + unsigned int len = strlen(buf);
50111 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
50116 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
50117 + __attribute__ ((format (printf, 2, 3)));
50119 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
50121 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
50122 + unsigned int len = strlen(buf);
50125 + va_start(ap, msg);
50126 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
50132 +static void gr_log_end(int audit)
50134 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
50135 + unsigned int len = strlen(buf);
50137 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
50138 + printk("%s\n", buf);
50143 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
50146 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
50147 + char *str1 = NULL, *str2 = NULL, *str3 = NULL;
50148 + void *voidptr = NULL;
50149 + int num1 = 0, num2 = 0;
50150 + unsigned long ulong1 = 0, ulong2 = 0;
50151 + struct dentry *dentry = NULL;
50152 + struct vfsmount *mnt = NULL;
50153 + struct file *file = NULL;
50154 + struct task_struct *task = NULL;
50155 + const struct cred *cred, *pcred;
50158 + BEGIN_LOCKS(audit);
50159 + logtype = gr_log_start(audit);
50160 + if (logtype == FLOODING) {
50161 + END_LOCKS(audit);
50164 + va_start(ap, argtypes);
50165 + switch (argtypes) {
50166 + case GR_TTYSNIFF:
50167 + task = va_arg(ap, struct task_struct *);
50168 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
50170 + case GR_SYSCTL_HIDDEN:
50171 + str1 = va_arg(ap, char *);
50172 + gr_log_middle_varargs(audit, msg, result, str1);
50175 + dentry = va_arg(ap, struct dentry *);
50176 + mnt = va_arg(ap, struct vfsmount *);
50177 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
50179 + case GR_RBAC_STR:
50180 + dentry = va_arg(ap, struct dentry *);
50181 + mnt = va_arg(ap, struct vfsmount *);
50182 + str1 = va_arg(ap, char *);
50183 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
50185 + case GR_STR_RBAC:
50186 + str1 = va_arg(ap, char *);
50187 + dentry = va_arg(ap, struct dentry *);
50188 + mnt = va_arg(ap, struct vfsmount *);
50189 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
50191 + case GR_RBAC_MODE2:
50192 + dentry = va_arg(ap, struct dentry *);
50193 + mnt = va_arg(ap, struct vfsmount *);
50194 + str1 = va_arg(ap, char *);
50195 + str2 = va_arg(ap, char *);
50196 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
50198 + case GR_RBAC_MODE3:
50199 + dentry = va_arg(ap, struct dentry *);
50200 + mnt = va_arg(ap, struct vfsmount *);
50201 + str1 = va_arg(ap, char *);
50202 + str2 = va_arg(ap, char *);
50203 + str3 = va_arg(ap, char *);
50204 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
50206 + case GR_FILENAME:
50207 + dentry = va_arg(ap, struct dentry *);
50208 + mnt = va_arg(ap, struct vfsmount *);
50209 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
50211 + case GR_STR_FILENAME:
50212 + str1 = va_arg(ap, char *);
50213 + dentry = va_arg(ap, struct dentry *);
50214 + mnt = va_arg(ap, struct vfsmount *);
50215 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
50217 + case GR_FILENAME_STR:
50218 + dentry = va_arg(ap, struct dentry *);
50219 + mnt = va_arg(ap, struct vfsmount *);
50220 + str1 = va_arg(ap, char *);
50221 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
50223 + case GR_FILENAME_TWO_INT:
50224 + dentry = va_arg(ap, struct dentry *);
50225 + mnt = va_arg(ap, struct vfsmount *);
50226 + num1 = va_arg(ap, int);
50227 + num2 = va_arg(ap, int);
50228 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
50230 + case GR_FILENAME_TWO_INT_STR:
50231 + dentry = va_arg(ap, struct dentry *);
50232 + mnt = va_arg(ap, struct vfsmount *);
50233 + num1 = va_arg(ap, int);
50234 + num2 = va_arg(ap, int);
50235 + str1 = va_arg(ap, char *);
50236 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
50239 + file = va_arg(ap, struct file *);
50240 + ulong1 = va_arg(ap, unsigned long);
50241 + ulong2 = va_arg(ap, unsigned long);
50242 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
50245 + task = va_arg(ap, struct task_struct *);
50246 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
50248 + case GR_RESOURCE:
50249 + task = va_arg(ap, struct task_struct *);
50250 + cred = __task_cred(task);
50251 + pcred = __task_cred(task->real_parent);
50252 + ulong1 = va_arg(ap, unsigned long);
50253 + str1 = va_arg(ap, char *);
50254 + ulong2 = va_arg(ap, unsigned long);
50255 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
50258 + task = va_arg(ap, struct task_struct *);
50259 + cred = __task_cred(task);
50260 + pcred = __task_cred(task->real_parent);
50261 + str1 = va_arg(ap, char *);
50262 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
50265 + str1 = va_arg(ap, char *);
50266 + voidptr = va_arg(ap, void *);
50267 + gr_log_middle_varargs(audit, msg, str1, voidptr);
50270 + task = va_arg(ap, struct task_struct *);
50271 + cred = __task_cred(task);
50272 + pcred = __task_cred(task->real_parent);
50273 + num1 = va_arg(ap, int);
50274 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
50277 + task = va_arg(ap, struct task_struct *);
50278 + cred = __task_cred(task);
50279 + pcred = __task_cred(task->real_parent);
50280 + ulong1 = va_arg(ap, unsigned long);
50281 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
50284 + task = va_arg(ap, struct task_struct *);
50285 + cred = __task_cred(task);
50286 + pcred = __task_cred(task->real_parent);
50287 + ulong1 = va_arg(ap, unsigned long);
50288 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
50291 + file = va_arg(ap, struct file *);
50292 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
50296 + unsigned int wday, cday;
50300 + char cur_tty[64] = { 0 };
50301 + char parent_tty[64] = { 0 };
50303 + task = va_arg(ap, struct task_struct *);
50304 + wday = va_arg(ap, unsigned int);
50305 + cday = va_arg(ap, unsigned int);
50306 + whr = va_arg(ap, int);
50307 + chr = va_arg(ap, int);
50308 + wmin = va_arg(ap, int);
50309 + cmin = va_arg(ap, int);
50310 + wsec = va_arg(ap, int);
50311 + csec = va_arg(ap, int);
50312 + ulong1 = va_arg(ap, unsigned long);
50313 + cred = __task_cred(task);
50314 + pcred = __task_cred(task->real_parent);
50316 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
50320 + gr_log_middle(audit, msg, ap);
50323 + gr_log_end(audit);
50324 + END_LOCKS(audit);
50326 diff -urNp linux-2.6.38.6/grsecurity/grsec_mem.c linux-2.6.38.6/grsecurity/grsec_mem.c
50327 --- linux-2.6.38.6/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
50328 +++ linux-2.6.38.6/grsecurity/grsec_mem.c 2011-04-28 19:34:15.000000000 -0400
50330 +#include <linux/kernel.h>
50331 +#include <linux/sched.h>
50332 +#include <linux/mm.h>
50333 +#include <linux/mman.h>
50334 +#include <linux/grinternal.h>
50337 +gr_handle_ioperm(void)
50339 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
50344 +gr_handle_iopl(void)
50346 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
50351 +gr_handle_mem_readwrite(u64 from, u64 to)
50353 + gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
50358 +gr_handle_vm86(void)
50360 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
50363 diff -urNp linux-2.6.38.6/grsecurity/grsec_mount.c linux-2.6.38.6/grsecurity/grsec_mount.c
50364 --- linux-2.6.38.6/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
50365 +++ linux-2.6.38.6/grsecurity/grsec_mount.c 2011-04-28 19:34:15.000000000 -0400
50367 +#include <linux/kernel.h>
50368 +#include <linux/sched.h>
50369 +#include <linux/mount.h>
50370 +#include <linux/grsecurity.h>
50371 +#include <linux/grinternal.h>
50374 +gr_log_remount(const char *devname, const int retval)
50376 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
50377 + if (grsec_enable_mount && (retval >= 0))
50378 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
50384 +gr_log_unmount(const char *devname, const int retval)
50386 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
50387 + if (grsec_enable_mount && (retval >= 0))
50388 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
50394 +gr_log_mount(const char *from, const char *to, const int retval)
50396 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
50397 + if (grsec_enable_mount && (retval >= 0))
50398 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
50404 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
50406 +#ifdef CONFIG_GRKERNSEC_ROFS
50407 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
50408 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
50417 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
50419 +#ifdef CONFIG_GRKERNSEC_ROFS
50420 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
50421 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
50422 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
50429 diff -urNp linux-2.6.38.6/grsecurity/grsec_pax.c linux-2.6.38.6/grsecurity/grsec_pax.c
50430 --- linux-2.6.38.6/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
50431 +++ linux-2.6.38.6/grsecurity/grsec_pax.c 2011-04-28 19:34:15.000000000 -0400
50433 +#include <linux/kernel.h>
50434 +#include <linux/sched.h>
50435 +#include <linux/mm.h>
50436 +#include <linux/file.h>
50437 +#include <linux/grinternal.h>
50438 +#include <linux/grsecurity.h>
50441 +gr_log_textrel(struct vm_area_struct * vma)
50443 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
50444 + if (grsec_enable_audit_textrel)
50445 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
50451 +gr_log_rwxmmap(struct file *file)
50453 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
50454 + if (grsec_enable_log_rwxmaps)
50455 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
50461 +gr_log_rwxmprotect(struct file *file)
50463 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
50464 + if (grsec_enable_log_rwxmaps)
50465 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
50469 diff -urNp linux-2.6.38.6/grsecurity/grsec_ptrace.c linux-2.6.38.6/grsecurity/grsec_ptrace.c
50470 --- linux-2.6.38.6/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
50471 +++ linux-2.6.38.6/grsecurity/grsec_ptrace.c 2011-04-28 19:34:15.000000000 -0400
50473 +#include <linux/kernel.h>
50474 +#include <linux/sched.h>
50475 +#include <linux/grinternal.h>
50476 +#include <linux/grsecurity.h>
50479 +gr_audit_ptrace(struct task_struct *task)
50481 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
50482 + if (grsec_enable_audit_ptrace)
50483 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
50487 diff -urNp linux-2.6.38.6/grsecurity/grsec_sig.c linux-2.6.38.6/grsecurity/grsec_sig.c
50488 --- linux-2.6.38.6/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
50489 +++ linux-2.6.38.6/grsecurity/grsec_sig.c 2011-05-17 17:30:33.000000000 -0400
50491 +#include <linux/kernel.h>
50492 +#include <linux/sched.h>
50493 +#include <linux/delay.h>
50494 +#include <linux/grsecurity.h>
50495 +#include <linux/grinternal.h>
50496 +#include <linux/hardirq.h>
50498 +char *signames[] = {
50499 + [SIGSEGV] = "Segmentation fault",
50500 + [SIGILL] = "Illegal instruction",
50501 + [SIGABRT] = "Abort",
50502 + [SIGBUS] = "Invalid alignment/Bus error"
50506 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
50508 +#ifdef CONFIG_GRKERNSEC_SIGNAL
50509 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
50510 + (sig == SIGABRT) || (sig == SIGBUS))) {
50511 + if (t->pid == current->pid) {
50512 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
50514 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
50522 +gr_handle_signal(const struct task_struct *p, const int sig)
50524 +#ifdef CONFIG_GRKERNSEC
50525 + if (current->pid > 1 && gr_check_protected_task(p)) {
50526 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
50528 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
50535 +#ifdef CONFIG_GRKERNSEC
50536 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
50538 +int gr_fake_force_sig(int sig, struct task_struct *t)
50540 + unsigned long int flags;
50541 + int ret, blocked, ignored;
50542 + struct k_sigaction *action;
50544 + spin_lock_irqsave(&t->sighand->siglock, flags);
50545 + action = &t->sighand->action[sig-1];
50546 + ignored = action->sa.sa_handler == SIG_IGN;
50547 + blocked = sigismember(&t->blocked, sig);
50548 + if (blocked || ignored) {
50549 + action->sa.sa_handler = SIG_DFL;
50551 + sigdelset(&t->blocked, sig);
50552 + recalc_sigpending_and_wake(t);
50555 + if (action->sa.sa_handler == SIG_DFL)
50556 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
50557 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
50559 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
50565 +#ifdef CONFIG_GRKERNSEC_BRUTE
50566 +#define GR_USER_BAN_TIME (15 * 60)
50568 +static int __get_dumpable(unsigned long mm_flags)
50572 + ret = mm_flags & MMF_DUMPABLE_MASK;
50573 + return (ret >= 2) ? 2 : ret;
50577 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
50579 +#ifdef CONFIG_GRKERNSEC_BRUTE
50583 + read_lock(&tasklist_lock);
50584 + read_lock(&grsec_exec_file_lock);
50585 + if (p->real_parent && p->real_parent->exec_file == p->exec_file)
50586 + p->real_parent->brute = 1;
50588 + const struct cred *cred = __task_cred(p), *cred2;
50589 + struct task_struct *tsk, *tsk2;
50591 + if (!__get_dumpable(mm_flags) && cred->uid) {
50592 + struct user_struct *user;
50596 + /* this is put upon execution past expiration */
50597 + user = find_user(uid);
50598 + if (user == NULL)
50600 + user->banned = 1;
50601 + user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
50602 + if (user->ban_expires == ~0UL)
50603 + user->ban_expires--;
50605 + do_each_thread(tsk2, tsk) {
50606 + cred2 = __task_cred(tsk);
50607 + if (tsk != p && cred2->uid == uid)
50608 + gr_fake_force_sig(SIGKILL, tsk);
50609 + } while_each_thread(tsk2, tsk);
50613 + read_unlock(&grsec_exec_file_lock);
50614 + read_unlock(&tasklist_lock);
50615 + rcu_read_unlock();
50618 + printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
50624 +void gr_handle_brute_check(void)
50626 +#ifdef CONFIG_GRKERNSEC_BRUTE
50627 + if (current->brute)
50628 + msleep(30 * 1000);
50633 +void gr_handle_kernel_exploit(void)
50635 +#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
50636 + const struct cred *cred;
50637 + struct task_struct *tsk, *tsk2;
50638 + struct user_struct *user;
50641 + if (in_irq() || in_serving_softirq() || in_nmi())
50642 + panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
50644 + uid = current_uid();
50647 + panic("grsec: halting the system due to suspicious kernel crash caused by root");
50649 + /* kill all the processes of this user, hold a reference
50650 + to their creds struct, and prevent them from creating
50651 + another process until system reset
50653 + printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n", uid);
50654 + /* we intentionally leak this ref */
50655 + user = get_uid(current->cred->user);
50657 + user->banned = 1;
50658 + user->ban_expires = ~0UL;
50661 + read_lock(&tasklist_lock);
50662 + do_each_thread(tsk2, tsk) {
50663 + cred = __task_cred(tsk);
50664 + if (cred->uid == uid)
50665 + gr_fake_force_sig(SIGKILL, tsk);
50666 + } while_each_thread(tsk2, tsk);
50667 + read_unlock(&tasklist_lock);
50672 +int __gr_process_user_ban(struct user_struct *user)
50674 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
50675 + if (unlikely(user->banned)) {
50676 + if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) {
50677 + user->banned = 0;
50678 + user->ban_expires = 0;
50687 +int gr_process_user_ban(void)
50689 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
50690 + return __gr_process_user_ban(current->cred->user);
50694 diff -urNp linux-2.6.38.6/grsecurity/grsec_sock.c linux-2.6.38.6/grsecurity/grsec_sock.c
50695 --- linux-2.6.38.6/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
50696 +++ linux-2.6.38.6/grsecurity/grsec_sock.c 2011-04-28 19:34:15.000000000 -0400
50698 +#include <linux/kernel.h>
50699 +#include <linux/module.h>
50700 +#include <linux/sched.h>
50701 +#include <linux/file.h>
50702 +#include <linux/net.h>
50703 +#include <linux/in.h>
50704 +#include <linux/ip.h>
50705 +#include <net/sock.h>
50706 +#include <net/inet_sock.h>
50707 +#include <linux/grsecurity.h>
50708 +#include <linux/grinternal.h>
50709 +#include <linux/gracl.h>
50711 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
50712 +EXPORT_SYMBOL(gr_cap_rtnetlink);
50714 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
50715 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
50717 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
50718 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
50720 +#ifdef CONFIG_UNIX_MODULE
50721 +EXPORT_SYMBOL(gr_acl_handle_unix);
50722 +EXPORT_SYMBOL(gr_acl_handle_mknod);
50723 +EXPORT_SYMBOL(gr_handle_chroot_unix);
50724 +EXPORT_SYMBOL(gr_handle_create);
50727 +#ifdef CONFIG_GRKERNSEC
50728 +#define gr_conn_table_size 32749
50729 +struct conn_table_entry {
50730 + struct conn_table_entry *next;
50731 + struct signal_struct *sig;
50734 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
50735 +DEFINE_SPINLOCK(gr_conn_table_lock);
50737 +extern const char * gr_socktype_to_name(unsigned char type);
50738 +extern const char * gr_proto_to_name(unsigned char proto);
50739 +extern const char * gr_sockfamily_to_name(unsigned char family);
50741 +static __inline__ int
50742 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
50744 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
50747 +static __inline__ int
50748 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
50749 + __u16 sport, __u16 dport)
50751 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
50752 + sig->gr_sport == sport && sig->gr_dport == dport))
50758 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
50760 + struct conn_table_entry **match;
50761 + unsigned int index;
50763 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
50764 + sig->gr_sport, sig->gr_dport,
50765 + gr_conn_table_size);
50767 + newent->sig = sig;
50769 + match = &gr_conn_table[index];
50770 + newent->next = *match;
50776 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
50778 + struct conn_table_entry *match, *last = NULL;
50779 + unsigned int index;
50781 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
50782 + sig->gr_sport, sig->gr_dport,
50783 + gr_conn_table_size);
50785 + match = gr_conn_table[index];
50786 + while (match && !conn_match(match->sig,
50787 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
50788 + sig->gr_dport)) {
50790 + match = match->next;
50795 + last->next = match->next;
50797 + gr_conn_table[index] = NULL;
50804 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
50805 + __u16 sport, __u16 dport)
50807 + struct conn_table_entry *match;
50808 + unsigned int index;
50810 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
50812 + match = gr_conn_table[index];
50813 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
50814 + match = match->next;
50817 + return match->sig;
50824 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
50826 +#ifdef CONFIG_GRKERNSEC
50827 + struct signal_struct *sig = task->signal;
50828 + struct conn_table_entry *newent;
50830 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
50831 + if (newent == NULL)
50833 + /* no bh lock needed since we are called with bh disabled */
50834 + spin_lock(&gr_conn_table_lock);
50835 + gr_del_task_from_ip_table_nolock(sig);
50836 + sig->gr_saddr = inet->inet_rcv_saddr;
50837 + sig->gr_daddr = inet->inet_daddr;
50838 + sig->gr_sport = inet->inet_sport;
50839 + sig->gr_dport = inet->inet_dport;
50840 + gr_add_to_task_ip_table_nolock(sig, newent);
50841 + spin_unlock(&gr_conn_table_lock);
50846 +void gr_del_task_from_ip_table(struct task_struct *task)
50848 +#ifdef CONFIG_GRKERNSEC
50849 + spin_lock_bh(&gr_conn_table_lock);
50850 + gr_del_task_from_ip_table_nolock(task->signal);
50851 + spin_unlock_bh(&gr_conn_table_lock);
50857 +gr_attach_curr_ip(const struct sock *sk)
50859 +#ifdef CONFIG_GRKERNSEC
50860 + struct signal_struct *p, *set;
50861 + const struct inet_sock *inet = inet_sk(sk);
50863 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
50866 + set = current->signal;
50868 + spin_lock_bh(&gr_conn_table_lock);
50869 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
50870 + inet->inet_dport, inet->inet_sport);
50871 + if (unlikely(p != NULL)) {
50872 + set->curr_ip = p->curr_ip;
50873 + set->used_accept = 1;
50874 + gr_del_task_from_ip_table_nolock(p);
50875 + spin_unlock_bh(&gr_conn_table_lock);
50878 + spin_unlock_bh(&gr_conn_table_lock);
50880 + set->curr_ip = inet->inet_daddr;
50881 + set->used_accept = 1;
50887 +gr_handle_sock_all(const int family, const int type, const int protocol)
50889 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
50890 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
50891 + (family != AF_UNIX)) {
50892 + if (family == AF_INET)
50893 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
50895 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
50903 +gr_handle_sock_server(const struct sockaddr *sck)
50905 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
50906 + if (grsec_enable_socket_server &&
50907 + in_group_p(grsec_socket_server_gid) &&
50908 + sck && (sck->sa_family != AF_UNIX) &&
50909 + (sck->sa_family != AF_LOCAL)) {
50910 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
50918 +gr_handle_sock_server_other(const struct sock *sck)
50920 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
50921 + if (grsec_enable_socket_server &&
50922 + in_group_p(grsec_socket_server_gid) &&
50923 + sck && (sck->sk_family != AF_UNIX) &&
50924 + (sck->sk_family != AF_LOCAL)) {
50925 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
50933 +gr_handle_sock_client(const struct sockaddr *sck)
50935 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
50936 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
50937 + sck && (sck->sa_family != AF_UNIX) &&
50938 + (sck->sa_family != AF_LOCAL)) {
50939 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
50947 +gr_cap_rtnetlink(struct sock *sock)
50949 +#ifdef CONFIG_GRKERNSEC
50950 + if (!gr_acl_is_enabled())
50951 + return current_cap();
50952 + else if (sock->sk_protocol == NETLINK_ISCSI &&
50953 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
50954 + gr_is_capable(CAP_SYS_ADMIN))
50955 + return current_cap();
50956 + else if (sock->sk_protocol == NETLINK_AUDIT &&
50957 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
50958 + gr_is_capable(CAP_AUDIT_WRITE) &&
50959 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
50960 + gr_is_capable(CAP_AUDIT_CONTROL))
50961 + return current_cap();
50962 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
50963 + ((sock->sk_protocol == NETLINK_ROUTE) ?
50964 + gr_is_capable_nolog(CAP_NET_ADMIN) :
50965 + gr_is_capable(CAP_NET_ADMIN)))
50966 + return current_cap();
50968 + return __cap_empty_set;
50970 + return current_cap();
50973 diff -urNp linux-2.6.38.6/grsecurity/grsec_sysctl.c linux-2.6.38.6/grsecurity/grsec_sysctl.c
50974 --- linux-2.6.38.6/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
50975 +++ linux-2.6.38.6/grsecurity/grsec_sysctl.c 2011-04-28 19:34:15.000000000 -0400
50977 +#include <linux/kernel.h>
50978 +#include <linux/sched.h>
50979 +#include <linux/sysctl.h>
50980 +#include <linux/grsecurity.h>
50981 +#include <linux/grinternal.h>
50984 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
50986 +#ifdef CONFIG_GRKERNSEC_SYSCTL
50987 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
50988 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
50995 +#ifdef CONFIG_GRKERNSEC_ROFS
50996 +static int __maybe_unused one = 1;
50999 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
51000 +struct ctl_table grsecurity_table[] = {
51001 +#ifdef CONFIG_GRKERNSEC_SYSCTL
51002 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
51003 +#ifdef CONFIG_GRKERNSEC_IO
51005 + .procname = "disable_priv_io",
51006 + .data = &grsec_disable_privio,
51007 + .maxlen = sizeof(int),
51009 + .proc_handler = &proc_dointvec,
51013 +#ifdef CONFIG_GRKERNSEC_LINK
51015 + .procname = "linking_restrictions",
51016 + .data = &grsec_enable_link,
51017 + .maxlen = sizeof(int),
51019 + .proc_handler = &proc_dointvec,
51022 +#ifdef CONFIG_GRKERNSEC_FIFO
51024 + .procname = "fifo_restrictions",
51025 + .data = &grsec_enable_fifo,
51026 + .maxlen = sizeof(int),
51028 + .proc_handler = &proc_dointvec,
51031 +#ifdef CONFIG_GRKERNSEC_EXECVE
51033 + .procname = "execve_limiting",
51034 + .data = &grsec_enable_execve,
51035 + .maxlen = sizeof(int),
51037 + .proc_handler = &proc_dointvec,
51040 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51042 + .procname = "ip_blackhole",
51043 + .data = &grsec_enable_blackhole,
51044 + .maxlen = sizeof(int),
51046 + .proc_handler = &proc_dointvec,
51049 + .procname = "lastack_retries",
51050 + .data = &grsec_lastack_retries,
51051 + .maxlen = sizeof(int),
51053 + .proc_handler = &proc_dointvec,
51056 +#ifdef CONFIG_GRKERNSEC_EXECLOG
51058 + .procname = "exec_logging",
51059 + .data = &grsec_enable_execlog,
51060 + .maxlen = sizeof(int),
51062 + .proc_handler = &proc_dointvec,
51065 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
51067 + .procname = "rwxmap_logging",
51068 + .data = &grsec_enable_log_rwxmaps,
51069 + .maxlen = sizeof(int),
51071 + .proc_handler = &proc_dointvec,
51074 +#ifdef CONFIG_GRKERNSEC_SIGNAL
51076 + .procname = "signal_logging",
51077 + .data = &grsec_enable_signal,
51078 + .maxlen = sizeof(int),
51080 + .proc_handler = &proc_dointvec,
51083 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
51085 + .procname = "forkfail_logging",
51086 + .data = &grsec_enable_forkfail,
51087 + .maxlen = sizeof(int),
51089 + .proc_handler = &proc_dointvec,
51092 +#ifdef CONFIG_GRKERNSEC_TIME
51094 + .procname = "timechange_logging",
51095 + .data = &grsec_enable_time,
51096 + .maxlen = sizeof(int),
51098 + .proc_handler = &proc_dointvec,
51101 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
51103 + .procname = "chroot_deny_shmat",
51104 + .data = &grsec_enable_chroot_shmat,
51105 + .maxlen = sizeof(int),
51107 + .proc_handler = &proc_dointvec,
51110 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
51112 + .procname = "chroot_deny_unix",
51113 + .data = &grsec_enable_chroot_unix,
51114 + .maxlen = sizeof(int),
51116 + .proc_handler = &proc_dointvec,
51119 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
51121 + .procname = "chroot_deny_mount",
51122 + .data = &grsec_enable_chroot_mount,
51123 + .maxlen = sizeof(int),
51125 + .proc_handler = &proc_dointvec,
51128 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
51130 + .procname = "chroot_deny_fchdir",
51131 + .data = &grsec_enable_chroot_fchdir,
51132 + .maxlen = sizeof(int),
51134 + .proc_handler = &proc_dointvec,
51137 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
51139 + .procname = "chroot_deny_chroot",
51140 + .data = &grsec_enable_chroot_double,
51141 + .maxlen = sizeof(int),
51143 + .proc_handler = &proc_dointvec,
51146 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
51148 + .procname = "chroot_deny_pivot",
51149 + .data = &grsec_enable_chroot_pivot,
51150 + .maxlen = sizeof(int),
51152 + .proc_handler = &proc_dointvec,
51155 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
51157 + .procname = "chroot_enforce_chdir",
51158 + .data = &grsec_enable_chroot_chdir,
51159 + .maxlen = sizeof(int),
51161 + .proc_handler = &proc_dointvec,
51164 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
51166 + .procname = "chroot_deny_chmod",
51167 + .data = &grsec_enable_chroot_chmod,
51168 + .maxlen = sizeof(int),
51170 + .proc_handler = &proc_dointvec,
51173 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
51175 + .procname = "chroot_deny_mknod",
51176 + .data = &grsec_enable_chroot_mknod,
51177 + .maxlen = sizeof(int),
51179 + .proc_handler = &proc_dointvec,
51182 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
51184 + .procname = "chroot_restrict_nice",
51185 + .data = &grsec_enable_chroot_nice,
51186 + .maxlen = sizeof(int),
51188 + .proc_handler = &proc_dointvec,
51191 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
51193 + .procname = "chroot_execlog",
51194 + .data = &grsec_enable_chroot_execlog,
51195 + .maxlen = sizeof(int),
51197 + .proc_handler = &proc_dointvec,
51200 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
51202 + .procname = "chroot_caps",
51203 + .data = &grsec_enable_chroot_caps,
51204 + .maxlen = sizeof(int),
51206 + .proc_handler = &proc_dointvec,
51209 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
51211 + .procname = "chroot_deny_sysctl",
51212 + .data = &grsec_enable_chroot_sysctl,
51213 + .maxlen = sizeof(int),
51215 + .proc_handler = &proc_dointvec,
51218 +#ifdef CONFIG_GRKERNSEC_TPE
51220 + .procname = "tpe",
51221 + .data = &grsec_enable_tpe,
51222 + .maxlen = sizeof(int),
51224 + .proc_handler = &proc_dointvec,
51227 + .procname = "tpe_gid",
51228 + .data = &grsec_tpe_gid,
51229 + .maxlen = sizeof(int),
51231 + .proc_handler = &proc_dointvec,
51234 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
51236 + .procname = "tpe_invert",
51237 + .data = &grsec_enable_tpe_invert,
51238 + .maxlen = sizeof(int),
51240 + .proc_handler = &proc_dointvec,
51243 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
51245 + .procname = "tpe_restrict_all",
51246 + .data = &grsec_enable_tpe_all,
51247 + .maxlen = sizeof(int),
51249 + .proc_handler = &proc_dointvec,
51252 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
51254 + .procname = "socket_all",
51255 + .data = &grsec_enable_socket_all,
51256 + .maxlen = sizeof(int),
51258 + .proc_handler = &proc_dointvec,
51261 + .procname = "socket_all_gid",
51262 + .data = &grsec_socket_all_gid,
51263 + .maxlen = sizeof(int),
51265 + .proc_handler = &proc_dointvec,
51268 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
51270 + .procname = "socket_client",
51271 + .data = &grsec_enable_socket_client,
51272 + .maxlen = sizeof(int),
51274 + .proc_handler = &proc_dointvec,
51277 + .procname = "socket_client_gid",
51278 + .data = &grsec_socket_client_gid,
51279 + .maxlen = sizeof(int),
51281 + .proc_handler = &proc_dointvec,
51284 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
51286 + .procname = "socket_server",
51287 + .data = &grsec_enable_socket_server,
51288 + .maxlen = sizeof(int),
51290 + .proc_handler = &proc_dointvec,
51293 + .procname = "socket_server_gid",
51294 + .data = &grsec_socket_server_gid,
51295 + .maxlen = sizeof(int),
51297 + .proc_handler = &proc_dointvec,
51300 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
51302 + .procname = "audit_group",
51303 + .data = &grsec_enable_group,
51304 + .maxlen = sizeof(int),
51306 + .proc_handler = &proc_dointvec,
51309 + .procname = "audit_gid",
51310 + .data = &grsec_audit_gid,
51311 + .maxlen = sizeof(int),
51313 + .proc_handler = &proc_dointvec,
51316 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
51318 + .procname = "audit_chdir",
51319 + .data = &grsec_enable_chdir,
51320 + .maxlen = sizeof(int),
51322 + .proc_handler = &proc_dointvec,
51325 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
51327 + .procname = "audit_mount",
51328 + .data = &grsec_enable_mount,
51329 + .maxlen = sizeof(int),
51331 + .proc_handler = &proc_dointvec,
51334 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
51336 + .procname = "audit_textrel",
51337 + .data = &grsec_enable_audit_textrel,
51338 + .maxlen = sizeof(int),
51340 + .proc_handler = &proc_dointvec,
51343 +#ifdef CONFIG_GRKERNSEC_DMESG
51345 + .procname = "dmesg",
51346 + .data = &grsec_enable_dmesg,
51347 + .maxlen = sizeof(int),
51349 + .proc_handler = &proc_dointvec,
51352 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
51354 + .procname = "chroot_findtask",
51355 + .data = &grsec_enable_chroot_findtask,
51356 + .maxlen = sizeof(int),
51358 + .proc_handler = &proc_dointvec,
51361 +#ifdef CONFIG_GRKERNSEC_RESLOG
51363 + .procname = "resource_logging",
51364 + .data = &grsec_resource_logging,
51365 + .maxlen = sizeof(int),
51367 + .proc_handler = &proc_dointvec,
51370 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
51372 + .procname = "audit_ptrace",
51373 + .data = &grsec_enable_audit_ptrace,
51374 + .maxlen = sizeof(int),
51376 + .proc_handler = &proc_dointvec,
51379 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
51381 + .procname = "harden_ptrace",
51382 + .data = &grsec_enable_harden_ptrace,
51383 + .maxlen = sizeof(int),
51385 + .proc_handler = &proc_dointvec,
51389 + .procname = "grsec_lock",
51390 + .data = &grsec_lock,
51391 + .maxlen = sizeof(int),
51393 + .proc_handler = &proc_dointvec,
51396 +#ifdef CONFIG_GRKERNSEC_ROFS
51398 + .procname = "romount_protect",
51399 + .data = &grsec_enable_rofs,
51400 + .maxlen = sizeof(int),
51402 + .proc_handler = &proc_dointvec_minmax,
51410 diff -urNp linux-2.6.38.6/grsecurity/grsec_time.c linux-2.6.38.6/grsecurity/grsec_time.c
51411 --- linux-2.6.38.6/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
51412 +++ linux-2.6.38.6/grsecurity/grsec_time.c 2011-04-28 19:34:15.000000000 -0400
51414 +#include <linux/kernel.h>
51415 +#include <linux/sched.h>
51416 +#include <linux/grinternal.h>
51417 +#include <linux/module.h>
51420 +gr_log_timechange(void)
51422 +#ifdef CONFIG_GRKERNSEC_TIME
51423 + if (grsec_enable_time)
51424 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
51429 +EXPORT_SYMBOL(gr_log_timechange);
51430 diff -urNp linux-2.6.38.6/grsecurity/grsec_tpe.c linux-2.6.38.6/grsecurity/grsec_tpe.c
51431 --- linux-2.6.38.6/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
51432 +++ linux-2.6.38.6/grsecurity/grsec_tpe.c 2011-04-28 19:34:15.000000000 -0400
51434 +#include <linux/kernel.h>
51435 +#include <linux/sched.h>
51436 +#include <linux/file.h>
51437 +#include <linux/fs.h>
51438 +#include <linux/grinternal.h>
51440 +extern int gr_acl_tpe_check(void);
51443 +gr_tpe_allow(const struct file *file)
51445 +#ifdef CONFIG_GRKERNSEC
51446 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
51447 + const struct cred *cred = current_cred();
51449 + if (cred->uid && ((grsec_enable_tpe &&
51450 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
51451 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
51452 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
51454 + in_group_p(grsec_tpe_gid)
51456 + ) || gr_acl_tpe_check()) &&
51457 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
51458 + (inode->i_mode & S_IWOTH))))) {
51459 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
51462 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
51463 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
51464 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
51465 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
51466 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
51473 diff -urNp linux-2.6.38.6/grsecurity/grsum.c linux-2.6.38.6/grsecurity/grsum.c
51474 --- linux-2.6.38.6/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
51475 +++ linux-2.6.38.6/grsecurity/grsum.c 2011-04-28 19:34:15.000000000 -0400
51477 +#include <linux/err.h>
51478 +#include <linux/kernel.h>
51479 +#include <linux/sched.h>
51480 +#include <linux/mm.h>
51481 +#include <linux/scatterlist.h>
51482 +#include <linux/crypto.h>
51483 +#include <linux/gracl.h>
51486 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
51487 +#error "crypto and sha256 must be built into the kernel"
51491 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
51494 + struct crypto_hash *tfm;
51495 + struct hash_desc desc;
51496 + struct scatterlist sg;
51497 + unsigned char temp_sum[GR_SHA_LEN];
51498 + volatile int retval = 0;
51499 + volatile int dummy = 0;
51502 + sg_init_table(&sg, 1);
51504 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
51505 + if (IS_ERR(tfm)) {
51506 + /* should never happen, since sha256 should be built in */
51513 + crypto_hash_init(&desc);
51516 + sg_set_buf(&sg, p, GR_SALT_LEN);
51517 + crypto_hash_update(&desc, &sg, sg.length);
51520 + sg_set_buf(&sg, p, strlen(p));
51522 + crypto_hash_update(&desc, &sg, sg.length);
51524 + crypto_hash_final(&desc, temp_sum);
51526 + memset(entry->pw, 0, GR_PW_LEN);
51528 + for (i = 0; i < GR_SHA_LEN; i++)
51529 + if (sum[i] != temp_sum[i])
51532 + dummy = 1; // waste a cycle
51534 + crypto_free_hash(tfm);
51538 diff -urNp linux-2.6.38.6/grsecurity/Kconfig linux-2.6.38.6/grsecurity/Kconfig
51539 --- linux-2.6.38.6/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
51540 +++ linux-2.6.38.6/grsecurity/Kconfig 2011-04-28 19:34:15.000000000 -0400
51543 +# grecurity configuration
51549 + bool "Grsecurity"
51551 + select CRYPTO_SHA256
51553 + If you say Y here, you will be able to configure many features
51554 + that will enhance the security of your system. It is highly
51555 + recommended that you say Y here and read through the help
51556 + for each option so that you fully understand the features and
51557 + can evaluate their usefulness for your machine.
51560 + prompt "Security Level"
51561 + depends on GRKERNSEC
51562 + default GRKERNSEC_CUSTOM
51564 +config GRKERNSEC_LOW
51566 + select GRKERNSEC_LINK
51567 + select GRKERNSEC_FIFO
51568 + select GRKERNSEC_EXECVE
51569 + select GRKERNSEC_RANDNET
51570 + select GRKERNSEC_DMESG
51571 + select GRKERNSEC_CHROOT
51572 + select GRKERNSEC_CHROOT_CHDIR
51575 + If you choose this option, several of the grsecurity options will
51576 + be enabled that will give you greater protection against a number
51577 + of attacks, while assuring that none of your software will have any
51578 + conflicts with the additional security measures. If you run a lot
51579 + of unusual software, or you are having problems with the higher
51580 + security levels, you should say Y here. With this option, the
51581 + following features are enabled:
51583 + - Linking restrictions
51584 + - FIFO restrictions
51585 + - Enforcing RLIMIT_NPROC on execve
51586 + - Restricted dmesg
51587 + - Enforced chdir("/") on chroot
51588 + - Runtime module disabling
51590 +config GRKERNSEC_MEDIUM
51593 + select PAX_EI_PAX
51594 + select PAX_PT_PAX_FLAGS
51595 + select PAX_HAVE_ACL_FLAGS
51596 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
51597 + select GRKERNSEC_CHROOT
51598 + select GRKERNSEC_CHROOT_SYSCTL
51599 + select GRKERNSEC_LINK
51600 + select GRKERNSEC_FIFO
51601 + select GRKERNSEC_EXECVE
51602 + select GRKERNSEC_DMESG
51603 + select GRKERNSEC_RANDNET
51604 + select GRKERNSEC_FORKFAIL
51605 + select GRKERNSEC_TIME
51606 + select GRKERNSEC_SIGNAL
51607 + select GRKERNSEC_CHROOT
51608 + select GRKERNSEC_CHROOT_UNIX
51609 + select GRKERNSEC_CHROOT_MOUNT
51610 + select GRKERNSEC_CHROOT_PIVOT
51611 + select GRKERNSEC_CHROOT_DOUBLE
51612 + select GRKERNSEC_CHROOT_CHDIR
51613 + select GRKERNSEC_CHROOT_MKNOD
51614 + select GRKERNSEC_PROC
51615 + select GRKERNSEC_PROC_USERGROUP
51616 + select PAX_RANDUSTACK
51618 + select PAX_RANDMMAP
51619 + select PAX_REFCOUNT if (X86 || SPARC64)
51620 + select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC) && (SLAB || SLUB || SLOB))
51623 + If you say Y here, several features in addition to those included
51624 + in the low additional security level will be enabled. These
51625 + features provide even more security to your system, though in rare
51626 + cases they may be incompatible with very old or poorly written
51627 + software. If you enable this option, make sure that your auth
51628 + service (identd) is running as gid 1001. With this option,
51629 + the following features (in addition to those provided in the
51630 + low additional security level) will be enabled:
51632 + - Failed fork logging
51633 + - Time change logging
51635 + - Deny mounts in chroot
51636 + - Deny double chrooting
51637 + - Deny sysctl writes in chroot
51638 + - Deny mknod in chroot
51639 + - Deny access to abstract AF_UNIX sockets out of chroot
51640 + - Deny pivot_root in chroot
51641 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
51642 + - /proc restrictions with special GID set to 10 (usually wheel)
51643 + - Address Space Layout Randomization (ASLR)
51644 + - Prevent exploitation of most refcount overflows
51645 + - Bounds checking of copying between the kernel and userland
51647 +config GRKERNSEC_HIGH
51649 + select GRKERNSEC_LINK
51650 + select GRKERNSEC_FIFO
51651 + select GRKERNSEC_EXECVE
51652 + select GRKERNSEC_DMESG
51653 + select GRKERNSEC_FORKFAIL
51654 + select GRKERNSEC_TIME
51655 + select GRKERNSEC_SIGNAL
51656 + select GRKERNSEC_CHROOT
51657 + select GRKERNSEC_CHROOT_SHMAT
51658 + select GRKERNSEC_CHROOT_UNIX
51659 + select GRKERNSEC_CHROOT_MOUNT
51660 + select GRKERNSEC_CHROOT_FCHDIR
51661 + select GRKERNSEC_CHROOT_PIVOT
51662 + select GRKERNSEC_CHROOT_DOUBLE
51663 + select GRKERNSEC_CHROOT_CHDIR
51664 + select GRKERNSEC_CHROOT_MKNOD
51665 + select GRKERNSEC_CHROOT_CAPS
51666 + select GRKERNSEC_CHROOT_SYSCTL
51667 + select GRKERNSEC_CHROOT_FINDTASK
51668 + select GRKERNSEC_SYSFS_RESTRICT
51669 + select GRKERNSEC_PROC
51670 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
51671 + select GRKERNSEC_HIDESYM
51672 + select GRKERNSEC_BRUTE
51673 + select GRKERNSEC_PROC_USERGROUP
51674 + select GRKERNSEC_KMEM
51675 + select GRKERNSEC_RESLOG
51676 + select GRKERNSEC_RANDNET
51677 + select GRKERNSEC_PROC_ADD
51678 + select GRKERNSEC_CHROOT_CHMOD
51679 + select GRKERNSEC_CHROOT_NICE
51680 + select GRKERNSEC_AUDIT_MOUNT
51681 + select GRKERNSEC_MODHARDEN if (MODULES)
51682 + select GRKERNSEC_HARDEN_PTRACE
51683 + select GRKERNSEC_VM86 if (X86_32)
51684 + select GRKERNSEC_KERN_LOCKOUT if (X86)
51686 + select PAX_RANDUSTACK
51688 + select PAX_RANDMMAP
51689 + select PAX_NOEXEC
51690 + select PAX_MPROTECT
51691 + select PAX_EI_PAX
51692 + select PAX_PT_PAX_FLAGS
51693 + select PAX_HAVE_ACL_FLAGS
51694 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
51695 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
51696 + select PAX_RANDKSTACK if (X86_TSC && X86)
51697 + select PAX_SEGMEXEC if (X86_32)
51698 + select PAX_PAGEEXEC
51699 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
51700 + select PAX_EMUTRAMP if (PARISC)
51701 + select PAX_EMUSIGRT if (PARISC)
51702 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
51703 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
51704 + select PAX_REFCOUNT if (X86 || SPARC64)
51705 + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
51707 + If you say Y here, many of the features of grsecurity will be
51708 + enabled, which will protect you against many kinds of attacks
51709 + against your system. The heightened security comes at a cost
51710 + of an increased chance of incompatibilities with rare software
51711 + on your machine. Since this security level enables PaX, you should
51712 + view <http://pax.grsecurity.net> and read about the PaX
51713 + project. While you are there, download chpax and run it on
51714 + binaries that cause problems with PaX. Also remember that
51715 + since the /proc restrictions are enabled, you must run your
51716 + identd as gid 1001. This security level enables the following
51717 + features in addition to those listed in the low and medium
51720 + - Additional /proc restrictions
51721 + - Chmod restrictions in chroot
51722 + - No signals, ptrace, or viewing of processes outside of chroot
51723 + - Capability restrictions in chroot
51724 + - Deny fchdir out of chroot
51725 + - Priority restrictions in chroot
51726 + - Segmentation-based implementation of PaX
51727 + - Mprotect restrictions
51728 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
51729 + - Kernel stack randomization
51730 + - Mount/unmount/remount logging
51731 + - Kernel symbol hiding
51732 + - Prevention of memory exhaustion-based exploits
51733 + - Hardening of module auto-loading
51734 + - Ptrace restrictions
51735 + - Restricted vm86 mode
51736 + - Restricted sysfs/debugfs
51737 + - Active kernel exploit response
51739 +config GRKERNSEC_CUSTOM
51742 + If you say Y here, you will be able to configure every grsecurity
51743 + option, which allows you to enable many more features that aren't
51744 + covered in the basic security levels. These additional features
51745 + include TPE, socket restrictions, and the sysctl system for
51746 + grsecurity. It is advised that you read through the help for
51747 + each option to determine its usefulness in your situation.
51751 +menu "Address Space Protection"
51752 +depends on GRKERNSEC
51754 +config GRKERNSEC_KMEM
51755 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
51756 + select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
51758 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
51759 + be written to via mmap or otherwise to modify the running kernel.
51760 + /dev/port will also not be allowed to be opened. If you have module
51761 + support disabled, enabling this will close up four ways that are
51762 + currently used to insert malicious code into the running kernel.
51763 + Even with all these features enabled, we still highly recommend that
51764 + you use the RBAC system, as it is still possible for an attacker to
51765 + modify the running kernel through privileged I/O granted by ioperm/iopl.
51766 + If you are not using XFree86, you may be able to stop this additional
51767 + case by enabling the 'Disable privileged I/O' option. Though nothing
51768 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
51769 + but only to video memory, which is the only writing we allow in this
51770 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
51771 + not be allowed to mprotect it with PROT_WRITE later.
51772 + It is highly recommended that you say Y here if you meet all the
51773 + conditions above.
51775 +config GRKERNSEC_VM86
51776 + bool "Restrict VM86 mode"
51777 + depends on X86_32
51780 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
51781 + make use of a special execution mode on 32bit x86 processors called
51782 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
51783 + video cards and will still work with this option enabled. The purpose
51784 + of the option is to prevent exploitation of emulation errors in
51785 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
51786 + Nearly all users should be able to enable this option.
51788 +config GRKERNSEC_IO
51789 + bool "Disable privileged I/O"
51792 + select RTC_INTF_DEV
51793 + select RTC_DRV_CMOS
51796 + If you say Y here, all ioperm and iopl calls will return an error.
51797 + Ioperm and iopl can be used to modify the running kernel.
51798 + Unfortunately, some programs need this access to operate properly,
51799 + the most notable of which are XFree86 and hwclock. hwclock can be
51800 + remedied by having RTC support in the kernel, so real-time
51801 + clock support is enabled if this option is enabled, to ensure
51802 + that hwclock operates correctly. XFree86 still will not
51803 + operate correctly with this option enabled, so DO NOT CHOOSE Y
51804 + IF YOU USE XFree86. If you use XFree86 and you still want to
51805 + protect your kernel against modification, use the RBAC system.
51807 +config GRKERNSEC_PROC_MEMMAP
51808 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
51809 + default y if (PAX_NOEXEC || PAX_ASLR)
51810 + depends on PAX_NOEXEC || PAX_ASLR
51812 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
51813 + give no information about the addresses of its mappings if
51814 + PaX features that rely on random addresses are enabled on the task.
51815 + If you use PaX it is greatly recommended that you say Y here as it
51816 + closes up a hole that makes the full ASLR useless for suid
51819 +config GRKERNSEC_BRUTE
51820 + bool "Deter exploit bruteforcing"
51822 + If you say Y here, attempts to bruteforce exploits against forking
51823 + daemons such as apache or sshd, as well as against suid/sgid binaries
51824 + will be deterred. When a child of a forking daemon is killed by PaX
51825 + or crashes due to an illegal instruction or other suspicious signal,
51826 + the parent process will be delayed 30 seconds upon every subsequent
51827 + fork until the administrator is able to assess the situation and
51828 + restart the daemon.
51829 + In the suid/sgid case, the attempt is logged, the user has all their
51830 + processes terminated, and they are prevented from executing any further
51831 + processes for 15 minutes.
51832 + It is recommended that you also enable signal logging in the auditing
51833 + section so that logs are generated when a process triggers a suspicious
51836 +config GRKERNSEC_MODHARDEN
51837 + bool "Harden module auto-loading"
51838 + depends on MODULES
51840 + If you say Y here, module auto-loading in response to use of some
51841 + feature implemented by an unloaded module will be restricted to
51842 + root users. Enabling this option helps defend against attacks
51843 + by unprivileged users who abuse the auto-loading behavior to
51844 + cause a vulnerable module to load that is then exploited.
51846 + If this option prevents a legitimate use of auto-loading for a
51847 + non-root user, the administrator can execute modprobe manually
51848 + with the exact name of the module mentioned in the alert log.
51849 + Alternatively, the administrator can add the module to the list
51850 + of modules loaded at boot by modifying init scripts.
51852 + Modification of init scripts will most likely be needed on
51853 + Ubuntu servers with encrypted home directory support enabled,
51854 + as the first non-root user logging in will cause the ecb(aes),
51855 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
51857 +config GRKERNSEC_HIDESYM
51858 + bool "Hide kernel symbols"
51860 + If you say Y here, getting information on loaded modules, and
51861 + displaying all kernel symbols through a syscall will be restricted
51862 + to users with CAP_SYS_MODULE. For software compatibility reasons,
51863 + /proc/kallsyms will be restricted to the root user. The RBAC
51864 + system can hide that entry even from root.
51866 + This option also prevents leaking of kernel addresses through
51867 + several /proc entries.
51869 + Note that this option is only effective provided the following
51870 + conditions are met:
51871 + 1) The kernel using grsecurity is not precompiled by some distribution
51872 + 2) You have also enabled GRKERNSEC_DMESG
51873 + 3) You are using the RBAC system and hiding other files such as your
51874 + kernel image and System.map. Alternatively, enabling this option
51875 + causes the permissions on /boot, /lib/modules, and the kernel
51876 + source directory to change at compile time to prevent
51877 + reading by non-root users.
51878 + If the above conditions are met, this option will aid in providing a
51879 + useful protection against local kernel exploitation of overflows
51880 + and arbitrary read/write vulnerabilities.
51882 +config GRKERNSEC_KERN_LOCKOUT
51883 + bool "Active kernel exploit response"
51886 + If you say Y here, when a PaX alert is triggered due to suspicious
51887 + activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
51888 + or an OOPs occurs due to bad memory accesses, instead of just
51889 + terminating the offending process (and potentially allowing
51890 + a subsequent exploit from the same user), we will take one of two
51892 + If the user was root, we will panic the system
51893 + If the user was non-root, we will log the attempt, terminate
51894 + all processes owned by the user, then prevent them from creating
51895 + any new processes until the system is restarted
51896 + This deters repeated kernel exploitation/bruteforcing attempts
51897 + and is useful for later forensics.
51900 +menu "Role Based Access Control Options"
51901 +depends on GRKERNSEC
51903 +config GRKERNSEC_RBAC_DEBUG
51906 +config GRKERNSEC_NO_RBAC
51907 + bool "Disable RBAC system"
51909 + If you say Y here, the /dev/grsec device will be removed from the kernel,
51910 + preventing the RBAC system from being enabled. You should only say Y
51911 + here if you have no intention of using the RBAC system, so as to prevent
51912 + an attacker with root access from misusing the RBAC system to hide files
51913 + and processes when loadable module support and /dev/[k]mem have been
51916 +config GRKERNSEC_ACL_HIDEKERN
51917 + bool "Hide kernel processes"
51919 + If you say Y here, all kernel threads will be hidden to all
51920 + processes but those whose subject has the "view hidden processes"
51923 +config GRKERNSEC_ACL_MAXTRIES
51924 + int "Maximum tries before password lockout"
51927 + This option enforces the maximum number of times a user can attempt
51928 + to authorize themselves with the grsecurity RBAC system before being
51929 + denied the ability to attempt authorization again for a specified time.
51930 + The lower the number, the harder it will be to brute-force a password.
51932 +config GRKERNSEC_ACL_TIMEOUT
51933 + int "Time to wait after max password tries, in seconds"
51936 + This option specifies the time the user must wait after attempting to
51937 + authorize to the RBAC system with the maximum number of invalid
51938 + passwords. The higher the number, the harder it will be to brute-force
51942 +menu "Filesystem Protections"
51943 +depends on GRKERNSEC
51945 +config GRKERNSEC_PROC
51946 + bool "Proc restrictions"
51948 + If you say Y here, the permissions of the /proc filesystem
51949 + will be altered to enhance system security and privacy. You MUST
51950 + choose either a user only restriction or a user and group restriction.
51951 + Depending upon the option you choose, you can either restrict users to
51952 + see only the processes they themselves run, or choose a group that can
51953 + view all processes and files normally restricted to root if you choose
51954 + the "restrict to user only" option. NOTE: If you're running identd as
51955 + a non-root user, you will have to run it as the group you specify here.
51957 +config GRKERNSEC_PROC_USER
51958 + bool "Restrict /proc to user only"
51959 + depends on GRKERNSEC_PROC
51961 + If you say Y here, non-root users will only be able to view their own
51962 + processes, and restricts them from viewing network-related information,
51963 + and viewing kernel symbol and module information.
51965 +config GRKERNSEC_PROC_USERGROUP
51966 + bool "Allow special group"
51967 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
51969 + If you say Y here, you will be able to select a group that will be
51970 + able to view all processes and network-related information. If you've
51971 + enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
51972 + remain hidden. This option is useful if you want to run identd as
51975 +config GRKERNSEC_PROC_GID
51976 + int "GID for special group"
51977 + depends on GRKERNSEC_PROC_USERGROUP
51980 +config GRKERNSEC_PROC_ADD
51981 + bool "Additional restrictions"
51982 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
51984 + If you say Y here, additional restrictions will be placed on
51985 + /proc that keep normal users from viewing device information and
51986 + slabinfo information that could be useful for exploits.
51988 +config GRKERNSEC_LINK
51989 + bool "Linking restrictions"
51991 + If you say Y here, /tmp race exploits will be prevented, since users
51992 + will no longer be able to follow symlinks owned by other users in
51993 + world-writable +t directories (e.g. /tmp), unless the owner of the
51994 + symlink is the owner of the directory. users will also not be
51995 + able to hardlink to files they do not own. If the sysctl option is
51996 + enabled, a sysctl option with name "linking_restrictions" is created.
51998 +config GRKERNSEC_FIFO
51999 + bool "FIFO restrictions"
52001 + If you say Y here, users will not be able to write to FIFOs they don't
52002 + own in world-writable +t directories (e.g. /tmp), unless the owner of
52003 + the FIFO is the same owner of the directory it's held in. If the sysctl
52004 + option is enabled, a sysctl option with name "fifo_restrictions" is
52007 +config GRKERNSEC_SYSFS_RESTRICT
52008 + bool "Sysfs/debugfs restriction"
52011 + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
52012 + any filesystem normally mounted under it (e.g. debugfs) will only
52013 + be accessible by root. These filesystems generally provide access
52014 + to hardware and debug information that isn't appropriate for unprivileged
52015 + users of the system. Sysfs and debugfs have also become a large source
52016 + of new vulnerabilities, ranging from infoleaks to local compromise.
52017 + There has been very little oversight with an eye toward security involved
52018 + in adding new exporters of information to these filesystems, so their
52019 + use is discouraged.
52020 + This option is equivalent to a chmod 0700 of the mount paths.
52022 +config GRKERNSEC_ROFS
52023 + bool "Runtime read-only mount protection"
52025 + If you say Y here, a sysctl option with name "romount_protect" will
52026 + be created. By setting this option to 1 at runtime, filesystems
52027 + will be protected in the following ways:
52028 + * No new writable mounts will be allowed
52029 + * Existing read-only mounts won't be able to be remounted read/write
52030 + * Write operations will be denied on all block devices
52031 + This option acts independently of grsec_lock: once it is set to 1,
52032 + it cannot be turned off. Therefore, please be mindful of the resulting
52033 + behavior if this option is enabled in an init script on a read-only
52034 + filesystem. This feature is mainly intended for secure embedded systems.
52036 +config GRKERNSEC_CHROOT
52037 + bool "Chroot jail restrictions"
52039 + If you say Y here, you will be able to choose several options that will
52040 + make breaking out of a chrooted jail much more difficult. If you
52041 + encounter no software incompatibilities with the following options, it
52042 + is recommended that you enable each one.
52044 +config GRKERNSEC_CHROOT_MOUNT
52045 + bool "Deny mounts"
52046 + depends on GRKERNSEC_CHROOT
52048 + If you say Y here, processes inside a chroot will not be able to
52049 + mount or remount filesystems. If the sysctl option is enabled, a
52050 + sysctl option with name "chroot_deny_mount" is created.
52052 +config GRKERNSEC_CHROOT_DOUBLE
52053 + bool "Deny double-chroots"
52054 + depends on GRKERNSEC_CHROOT
52056 + If you say Y here, processes inside a chroot will not be able to chroot
52057 + again outside the chroot. This is a widely used method of breaking
52058 + out of a chroot jail and should not be allowed. If the sysctl
52059 + option is enabled, a sysctl option with name
52060 + "chroot_deny_chroot" is created.
52062 +config GRKERNSEC_CHROOT_PIVOT
52063 + bool "Deny pivot_root in chroot"
52064 + depends on GRKERNSEC_CHROOT
52066 + If you say Y here, processes inside a chroot will not be able to use
52067 + a function called pivot_root() that was introduced in Linux 2.3.41. It
52068 + works similar to chroot in that it changes the root filesystem. This
52069 + function could be misused in a chrooted process to attempt to break out
52070 + of the chroot, and therefore should not be allowed. If the sysctl
52071 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
52074 +config GRKERNSEC_CHROOT_CHDIR
52075 + bool "Enforce chdir(\"/\") on all chroots"
52076 + depends on GRKERNSEC_CHROOT
52078 + If you say Y here, the current working directory of all newly-chrooted
52079 + applications will be set to the the root directory of the chroot.
52080 + The man page on chroot(2) states:
52081 + Note that this call does not change the current working
52082 + directory, so that `.' can be outside the tree rooted at
52083 + `/'. In particular, the super-user can escape from a
52084 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
52086 + It is recommended that you say Y here, since it's not known to break
52087 + any software. If the sysctl option is enabled, a sysctl option with
52088 + name "chroot_enforce_chdir" is created.
52090 +config GRKERNSEC_CHROOT_CHMOD
52091 + bool "Deny (f)chmod +s"
52092 + depends on GRKERNSEC_CHROOT
52094 + If you say Y here, processes inside a chroot will not be able to chmod
52095 + or fchmod files to make them have suid or sgid bits. This protects
52096 + against another published method of breaking a chroot. If the sysctl
52097 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
52100 +config GRKERNSEC_CHROOT_FCHDIR
52101 + bool "Deny fchdir out of chroot"
52102 + depends on GRKERNSEC_CHROOT
52104 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
52105 + to a file descriptor of the chrooting process that points to a directory
52106 + outside the filesystem will be stopped. If the sysctl option
52107 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
52109 +config GRKERNSEC_CHROOT_MKNOD
52110 + bool "Deny mknod"
52111 + depends on GRKERNSEC_CHROOT
52113 + If you say Y here, processes inside a chroot will not be allowed to
52114 + mknod. The problem with using mknod inside a chroot is that it
52115 + would allow an attacker to create a device entry that is the same
52116 + as one on the physical root of your system, which could range from
52117 + anything from the console device to a device for your harddrive (which
52118 + they could then use to wipe the drive or steal data). It is recommended
52119 + that you say Y here, unless you run into software incompatibilities.
52120 + If the sysctl option is enabled, a sysctl option with name
52121 + "chroot_deny_mknod" is created.
52123 +config GRKERNSEC_CHROOT_SHMAT
52124 + bool "Deny shmat() out of chroot"
52125 + depends on GRKERNSEC_CHROOT
52127 + If you say Y here, processes inside a chroot will not be able to attach
52128 + to shared memory segments that were created outside of the chroot jail.
52129 + It is recommended that you say Y here. If the sysctl option is enabled,
52130 + a sysctl option with name "chroot_deny_shmat" is created.
52132 +config GRKERNSEC_CHROOT_UNIX
52133 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
52134 + depends on GRKERNSEC_CHROOT
52136 + If you say Y here, processes inside a chroot will not be able to
52137 + connect to abstract (meaning not belonging to a filesystem) Unix
52138 + domain sockets that were bound outside of a chroot. It is recommended
52139 + that you say Y here. If the sysctl option is enabled, a sysctl option
52140 + with name "chroot_deny_unix" is created.
52142 +config GRKERNSEC_CHROOT_FINDTASK
52143 + bool "Protect outside processes"
52144 + depends on GRKERNSEC_CHROOT
52146 + If you say Y here, processes inside a chroot will not be able to
52147 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
52148 + getsid, or view any process outside of the chroot. If the sysctl
52149 + option is enabled, a sysctl option with name "chroot_findtask" is
52152 +config GRKERNSEC_CHROOT_NICE
52153 + bool "Restrict priority changes"
52154 + depends on GRKERNSEC_CHROOT
52156 + If you say Y here, processes inside a chroot will not be able to raise
52157 + the priority of processes in the chroot, or alter the priority of
52158 + processes outside the chroot. This provides more security than simply
52159 + removing CAP_SYS_NICE from the process' capability set. If the
52160 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
52163 +config GRKERNSEC_CHROOT_SYSCTL
52164 + bool "Deny sysctl writes"
52165 + depends on GRKERNSEC_CHROOT
52167 + If you say Y here, an attacker in a chroot will not be able to
52168 + write to sysctl entries, either by sysctl(2) or through a /proc
52169 + interface. It is strongly recommended that you say Y here. If the
52170 + sysctl option is enabled, a sysctl option with name
52171 + "chroot_deny_sysctl" is created.
52173 +config GRKERNSEC_CHROOT_CAPS
52174 + bool "Capability restrictions"
52175 + depends on GRKERNSEC_CHROOT
52177 + If you say Y here, the capabilities on all root processes within a
52178 + chroot jail will be lowered to stop module insertion, raw i/o,
52179 + system and net admin tasks, rebooting the system, modifying immutable
52180 + files, modifying IPC owned by another, and changing the system time.
52181 + This is left an option because it can break some apps. Disable this
52182 + if your chrooted apps are having problems performing those kinds of
52183 + tasks. If the sysctl option is enabled, a sysctl option with
52184 + name "chroot_caps" is created.
52187 +menu "Kernel Auditing"
52188 +depends on GRKERNSEC
52190 +config GRKERNSEC_AUDIT_GROUP
52191 + bool "Single group for auditing"
52193 + If you say Y here, the exec, chdir, and (un)mount logging features
52194 + will only operate on a group you specify. This option is recommended
52195 + if you only want to watch certain users instead of having a large
52196 + amount of logs from the entire system. If the sysctl option is enabled,
52197 + a sysctl option with name "audit_group" is created.
52199 +config GRKERNSEC_AUDIT_GID
52200 + int "GID for auditing"
52201 + depends on GRKERNSEC_AUDIT_GROUP
52204 +config GRKERNSEC_EXECLOG
52205 + bool "Exec logging"
52207 + If you say Y here, all execve() calls will be logged (since the
52208 + other exec*() calls are frontends to execve(), all execution
52209 + will be logged). Useful for shell-servers that like to keep track
52210 + of their users. If the sysctl option is enabled, a sysctl option with
52211 + name "exec_logging" is created.
52212 + WARNING: This option when enabled will produce a LOT of logs, especially
52213 + on an active system.
52215 +config GRKERNSEC_RESLOG
52216 + bool "Resource logging"
52218 + If you say Y here, all attempts to overstep resource limits will
52219 + be logged with the resource name, the requested size, and the current
52220 + limit. It is highly recommended that you say Y here. If the sysctl
52221 + option is enabled, a sysctl option with name "resource_logging" is
52222 + created. If the RBAC system is enabled, the sysctl value is ignored.
52224 +config GRKERNSEC_CHROOT_EXECLOG
52225 + bool "Log execs within chroot"
52227 + If you say Y here, all executions inside a chroot jail will be logged
52228 + to syslog. This can cause a large amount of logs if certain
52229 + applications (eg. djb's daemontools) are installed on the system, and
52230 + is therefore left as an option. If the sysctl option is enabled, a
52231 + sysctl option with name "chroot_execlog" is created.
52233 +config GRKERNSEC_AUDIT_PTRACE
52234 + bool "Ptrace logging"
52236 + If you say Y here, all attempts to attach to a process via ptrace
52237 + will be logged. If the sysctl option is enabled, a sysctl option
52238 + with name "audit_ptrace" is created.
52240 +config GRKERNSEC_AUDIT_CHDIR
52241 + bool "Chdir logging"
52243 + If you say Y here, all chdir() calls will be logged. If the sysctl
52244 + option is enabled, a sysctl option with name "audit_chdir" is created.
52246 +config GRKERNSEC_AUDIT_MOUNT
52247 + bool "(Un)Mount logging"
52249 + If you say Y here, all mounts and unmounts will be logged. If the
52250 + sysctl option is enabled, a sysctl option with name "audit_mount" is
52253 +config GRKERNSEC_SIGNAL
52254 + bool "Signal logging"
52256 + If you say Y here, certain important signals will be logged, such as
52257 + SIGSEGV, which will as a result inform you of when a error in a program
52258 + occurred, which in some cases could mean a possible exploit attempt.
52259 + If the sysctl option is enabled, a sysctl option with name
52260 + "signal_logging" is created.
52262 +config GRKERNSEC_FORKFAIL
52263 + bool "Fork failure logging"
52265 + If you say Y here, all failed fork() attempts will be logged.
52266 + This could suggest a fork bomb, or someone attempting to overstep
52267 + their process limit. If the sysctl option is enabled, a sysctl option
52268 + with name "forkfail_logging" is created.
52270 +config GRKERNSEC_TIME
52271 + bool "Time change logging"
52273 + If you say Y here, any changes of the system clock will be logged.
52274 + If the sysctl option is enabled, a sysctl option with name
52275 + "timechange_logging" is created.
52277 +config GRKERNSEC_PROC_IPADDR
52278 + bool "/proc/<pid>/ipaddr support"
52280 + If you say Y here, a new entry will be added to each /proc/<pid>
52281 + directory that contains the IP address of the person using the task.
52282 + The IP is carried across local TCP and AF_UNIX stream sockets.
52283 + This information can be useful for IDS/IPSes to perform remote response
52284 + to a local attack. The entry is readable by only the owner of the
52285 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
52286 + the RBAC system), and thus does not create privacy concerns.
52288 +config GRKERNSEC_RWXMAP_LOG
52289 + bool 'Denied RWX mmap/mprotect logging'
52290 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
52292 + If you say Y here, calls to mmap() and mprotect() with explicit
52293 + usage of PROT_WRITE and PROT_EXEC together will be logged when
52294 + denied by the PAX_MPROTECT feature. If the sysctl option is
52295 + enabled, a sysctl option with name "rwxmap_logging" is created.
52297 +config GRKERNSEC_AUDIT_TEXTREL
52298 + bool 'ELF text relocations logging (READ HELP)'
52299 + depends on PAX_MPROTECT
52301 + If you say Y here, text relocations will be logged with the filename
52302 + of the offending library or binary. The purpose of the feature is
52303 + to help Linux distribution developers get rid of libraries and
52304 + binaries that need text relocations which hinder the future progress
52305 + of PaX. Only Linux distribution developers should say Y here, and
52306 + never on a production machine, as this option creates an information
52307 + leak that could aid an attacker in defeating the randomization of
52308 + a single memory region. If the sysctl option is enabled, a sysctl
52309 + option with name "audit_textrel" is created.
52313 +menu "Executable Protections"
52314 +depends on GRKERNSEC
52316 +config GRKERNSEC_EXECVE
52317 + bool "Enforce RLIMIT_NPROC on execs"
52319 + If you say Y here, users with a resource limit on processes will
52320 + have the value checked during execve() calls. The current system
52321 + only checks the system limit during fork() calls. If the sysctl option
52322 + is enabled, a sysctl option with name "execve_limiting" is created.
52324 +config GRKERNSEC_DMESG
52325 + bool "Dmesg(8) restriction"
52327 + If you say Y here, non-root users will not be able to use dmesg(8)
52328 + to view up to the last 4kb of messages in the kernel's log buffer.
52329 + The kernel's log buffer often contains kernel addresses and other
52330 + identifying information useful to an attacker in fingerprinting a
52331 + system for a targeted exploit.
52332 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
52335 +config GRKERNSEC_HARDEN_PTRACE
52336 + bool "Deter ptrace-based process snooping"
52338 + If you say Y here, TTY sniffers and other malicious monitoring
52339 + programs implemented through ptrace will be defeated. If you
52340 + have been using the RBAC system, this option has already been
52341 + enabled for several years for all users, with the ability to make
52342 + fine-grained exceptions.
52344 + This option only affects the ability of non-root users to ptrace
52345 + processes that are not a descendent of the ptracing process.
52346 + This means that strace ./binary and gdb ./binary will still work,
52347 + but attaching to arbitrary processes will not. If the sysctl
52348 + option is enabled, a sysctl option with name "harden_ptrace" is
52351 +config GRKERNSEC_TPE
52352 + bool "Trusted Path Execution (TPE)"
52354 + If you say Y here, you will be able to choose a gid to add to the
52355 + supplementary groups of users you want to mark as "untrusted."
52356 + These users will not be able to execute any files that are not in
52357 + root-owned directories writable only by root. If the sysctl option
52358 + is enabled, a sysctl option with name "tpe" is created.
52360 +config GRKERNSEC_TPE_ALL
52361 + bool "Partially restrict all non-root users"
52362 + depends on GRKERNSEC_TPE
52364 + If you say Y here, all non-root users will be covered under
52365 + a weaker TPE restriction. This is separate from, and in addition to,
52366 + the main TPE options that you have selected elsewhere. Thus, if a
52367 + "trusted" GID is chosen, this restriction applies to even that GID.
52368 + Under this restriction, all non-root users will only be allowed to
52369 + execute files in directories they own that are not group or
52370 + world-writable, or in directories owned by root and writable only by
52371 + root. If the sysctl option is enabled, a sysctl option with name
52372 + "tpe_restrict_all" is created.
52374 +config GRKERNSEC_TPE_INVERT
52375 + bool "Invert GID option"
52376 + depends on GRKERNSEC_TPE
52378 + If you say Y here, the group you specify in the TPE configuration will
52379 + decide what group TPE restrictions will be *disabled* for. This
52380 + option is useful if you want TPE restrictions to be applied to most
52381 + users on the system. If the sysctl option is enabled, a sysctl option
52382 + with name "tpe_invert" is created. Unlike other sysctl options, this
52383 + entry will default to on for backward-compatibility.
52385 +config GRKERNSEC_TPE_GID
52386 + int "GID for untrusted users"
52387 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
52390 + Setting this GID determines what group TPE restrictions will be
52391 + *enabled* for. If the sysctl option is enabled, a sysctl option
52392 + with name "tpe_gid" is created.
52394 +config GRKERNSEC_TPE_GID
52395 + int "GID for trusted users"
52396 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
52399 + Setting this GID determines what group TPE restrictions will be
52400 + *disabled* for. If the sysctl option is enabled, a sysctl option
52401 + with name "tpe_gid" is created.
52404 +menu "Network Protections"
52405 +depends on GRKERNSEC
52407 +config GRKERNSEC_RANDNET
52408 + bool "Larger entropy pools"
52410 + If you say Y here, the entropy pools used for many features of Linux
52411 + and grsecurity will be doubled in size. Since several grsecurity
52412 + features use additional randomness, it is recommended that you say Y
52413 + here. Saying Y here has a similar effect as modifying
52414 + /proc/sys/kernel/random/poolsize.
52416 +config GRKERNSEC_BLACKHOLE
52417 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
52419 + If you say Y here, neither TCP resets nor ICMP
52420 + destination-unreachable packets will be sent in response to packets
52421 + sent to ports for which no associated listening process exists.
52422 + This feature supports both IPV4 and IPV6 and exempts the
52423 + loopback interface from blackholing. Enabling this feature
52424 + makes a host more resilient to DoS attacks and reduces network
52425 + visibility against scanners.
52427 + The blackhole feature as-implemented is equivalent to the FreeBSD
52428 + blackhole feature, as it prevents RST responses to all packets, not
52429 + just SYNs. Under most application behavior this causes no
52430 + problems, but applications (like haproxy) may not close certain
52431 + connections in a way that cleanly terminates them on the remote
52432 + end, leaving the remote host in LAST_ACK state. Because of this
52433 + side-effect and to prevent intentional LAST_ACK DoSes, this
52434 + feature also adds automatic mitigation against such attacks.
52435 + The mitigation drastically reduces the amount of time a socket
52436 + can spend in LAST_ACK state. If you're using haproxy and not
52437 + all servers it connects to have this option enabled, consider
52438 + disabling this feature on the haproxy host.
52440 + If the sysctl option is enabled, two sysctl options with names
52441 + "ip_blackhole" and "lastack_retries" will be created.
52442 + While "ip_blackhole" takes the standard zero/non-zero on/off
52443 + toggle, "lastack_retries" uses the same kinds of values as
52444 + "tcp_retries1" and "tcp_retries2". The default value of 4
52445 + prevents a socket from lasting more than 45 seconds in LAST_ACK
52448 +config GRKERNSEC_SOCKET
52449 + bool "Socket restrictions"
52451 + If you say Y here, you will be able to choose from several options.
52452 + If you assign a GID on your system and add it to the supplementary
52453 + groups of users you want to restrict socket access to, this patch
52454 + will perform up to three things, based on the option(s) you choose.
52456 +config GRKERNSEC_SOCKET_ALL
52457 + bool "Deny any sockets to group"
52458 + depends on GRKERNSEC_SOCKET
52460 + If you say Y here, you will be able to choose a GID of whose users will
52461 + be unable to connect to other hosts from your machine or run server
52462 + applications from your machine. If the sysctl option is enabled, a
52463 + sysctl option with name "socket_all" is created.
52465 +config GRKERNSEC_SOCKET_ALL_GID
52466 + int "GID to deny all sockets for"
52467 + depends on GRKERNSEC_SOCKET_ALL
52470 + Here you can choose the GID to disable socket access for. Remember to
52471 + add the users you want socket access disabled for to the GID
52472 + specified here. If the sysctl option is enabled, a sysctl option
52473 + with name "socket_all_gid" is created.
52475 +config GRKERNSEC_SOCKET_CLIENT
52476 + bool "Deny client sockets to group"
52477 + depends on GRKERNSEC_SOCKET
52479 + If you say Y here, you will be able to choose a GID of whose users will
52480 + be unable to connect to other hosts from your machine, but will be
52481 + able to run servers. If this option is enabled, all users in the group
52482 + you specify will have to use passive mode when initiating ftp transfers
52483 + from the shell on your machine. If the sysctl option is enabled, a
52484 + sysctl option with name "socket_client" is created.
52486 +config GRKERNSEC_SOCKET_CLIENT_GID
52487 + int "GID to deny client sockets for"
52488 + depends on GRKERNSEC_SOCKET_CLIENT
52491 + Here you can choose the GID to disable client socket access for.
52492 + Remember to add the users you want client socket access disabled for to
52493 + the GID specified here. If the sysctl option is enabled, a sysctl
52494 + option with name "socket_client_gid" is created.
52496 +config GRKERNSEC_SOCKET_SERVER
52497 + bool "Deny server sockets to group"
52498 + depends on GRKERNSEC_SOCKET
52500 + If you say Y here, you will be able to choose a GID of whose users will
52501 + be unable to run server applications from your machine. If the sysctl
52502 + option is enabled, a sysctl option with name "socket_server" is created.
52504 +config GRKERNSEC_SOCKET_SERVER_GID
52505 + int "GID to deny server sockets for"
52506 + depends on GRKERNSEC_SOCKET_SERVER
52509 + Here you can choose the GID to disable server socket access for.
52510 + Remember to add the users you want server socket access disabled for to
52511 + the GID specified here. If the sysctl option is enabled, a sysctl
52512 + option with name "socket_server_gid" is created.
52515 +menu "Sysctl support"
52516 +depends on GRKERNSEC && SYSCTL
52518 +config GRKERNSEC_SYSCTL
52519 + bool "Sysctl support"
52521 + If you say Y here, you will be able to change the options that
52522 + grsecurity runs with at bootup, without having to recompile your
52523 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
52524 + to enable (1) or disable (0) various features. All the sysctl entries
52525 + are mutable until the "grsec_lock" entry is set to a non-zero value.
52526 + All features enabled in the kernel configuration are disabled at boot
52527 + if you do not say Y to the "Turn on features by default" option.
52528 + All options should be set at startup, and the grsec_lock entry should
52529 + be set to a non-zero value after all the options are set.
52530 + *THIS IS EXTREMELY IMPORTANT*
52532 +config GRKERNSEC_SYSCTL_DISTRO
52533 + bool "Extra sysctl support for distro makers (READ HELP)"
52534 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
52536 + If you say Y here, additional sysctl options will be created
52537 + for features that affect processes running as root. Therefore,
52538 + it is critical when using this option that the grsec_lock entry be
52539 + enabled after boot. Only distros with prebuilt kernel packages
52540 + with this option enabled that can ensure grsec_lock is enabled
52541 + after boot should use this option.
52542 + *Failure to set grsec_lock after boot makes all grsec features
52543 + this option covers useless*
52545 + Currently this option creates the following sysctl entries:
52546 + "Disable Privileged I/O": "disable_priv_io"
52548 +config GRKERNSEC_SYSCTL_ON
52549 + bool "Turn on features by default"
52550 + depends on GRKERNSEC_SYSCTL
52552 + If you say Y here, instead of having all features enabled in the
52553 + kernel configuration disabled at boot time, the features will be
52554 + enabled at boot time. It is recommended you say Y here unless
52555 + there is some reason you would want all sysctl-tunable features to
52556 + be disabled by default. As mentioned elsewhere, it is important
52557 + to enable the grsec_lock entry once you have finished modifying
52558 + the sysctl entries.
52561 +menu "Logging Options"
52562 +depends on GRKERNSEC
52564 +config GRKERNSEC_FLOODTIME
52565 + int "Seconds in between log messages (minimum)"
52568 + This option allows you to enforce the number of seconds between
52569 + grsecurity log messages. The default should be suitable for most
52570 + people, however, if you choose to change it, choose a value small enough
52571 + to allow informative logs to be produced, but large enough to
52572 + prevent flooding.
52574 +config GRKERNSEC_FLOODBURST
52575 + int "Number of messages in a burst (maximum)"
52578 + This option allows you to choose the maximum number of messages allowed
52579 + within the flood time interval you chose in a separate option. The
52580 + default should be suitable for most people, however if you find that
52581 + many of your logs are being interpreted as flooding, you may want to
52582 + raise this value.
52587 diff -urNp linux-2.6.38.6/grsecurity/Makefile linux-2.6.38.6/grsecurity/Makefile
52588 --- linux-2.6.38.6/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
52589 +++ linux-2.6.38.6/grsecurity/Makefile 2011-04-28 19:34:15.000000000 -0400
52591 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
52592 +# during 2001-2009 it has been completely redesigned by Brad Spengler
52593 +# into an RBAC system
52595 +# All code in this directory and various hooks inserted throughout the kernel
52596 +# are copyright Brad Spengler - Open Source Security, Inc., and released
52597 +# under the GPL v2 or higher
52599 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
52600 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
52601 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
52603 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
52604 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
52605 + gracl_learn.o grsec_log.o
52606 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
52608 +ifndef CONFIG_GRKERNSEC
52609 +obj-y += grsec_disabled.o
52612 +ifdef CONFIG_GRKERNSEC_HIDESYM
52613 +extra-y := grsec_hidesym.o
52614 +$(obj)/grsec_hidesym.o:
52615 + @-chmod -f 500 /boot
52616 + @-chmod -f 500 /lib/modules
52618 + @echo ' grsec: protected kernel image paths'
52620 diff -urNp linux-2.6.38.6/include/acpi/acpi_drivers.h linux-2.6.38.6/include/acpi/acpi_drivers.h
52621 --- linux-2.6.38.6/include/acpi/acpi_drivers.h 2011-03-14 21:20:32.000000000 -0400
52622 +++ linux-2.6.38.6/include/acpi/acpi_drivers.h 2011-04-28 19:34:15.000000000 -0400
52623 @@ -119,8 +119,8 @@ void pci_acpi_crs_quirks(void);
52625 -------------------------------------------------------------------------- */
52626 struct acpi_dock_ops {
52627 - acpi_notify_handler handler;
52628 - acpi_notify_handler uevent;
52629 + const acpi_notify_handler handler;
52630 + const acpi_notify_handler uevent;
52633 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
52634 @@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
52635 extern int register_dock_notifier(struct notifier_block *nb);
52636 extern void unregister_dock_notifier(struct notifier_block *nb);
52637 extern int register_hotplug_dock_device(acpi_handle handle,
52638 - struct acpi_dock_ops *ops,
52639 + const struct acpi_dock_ops *ops,
52641 extern void unregister_hotplug_dock_device(acpi_handle handle);
52643 @@ -144,7 +144,7 @@ static inline void unregister_dock_notif
52646 static inline int register_hotplug_dock_device(acpi_handle handle,
52647 - struct acpi_dock_ops *ops,
52648 + const struct acpi_dock_ops *ops,
52652 diff -urNp linux-2.6.38.6/include/asm-generic/atomic-long.h linux-2.6.38.6/include/asm-generic/atomic-long.h
52653 --- linux-2.6.38.6/include/asm-generic/atomic-long.h 2011-03-14 21:20:32.000000000 -0400
52654 +++ linux-2.6.38.6/include/asm-generic/atomic-long.h 2011-05-16 21:47:08.000000000 -0400
52657 typedef atomic64_t atomic_long_t;
52659 +#ifdef CONFIG_PAX_REFCOUNT
52660 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
52662 +typedef atomic64_t atomic_long_unchecked_t;
52665 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
52667 static inline long atomic_long_read(atomic_long_t *l)
52668 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
52669 return (long)atomic64_read(v);
52672 +#ifdef CONFIG_PAX_REFCOUNT
52673 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
52675 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
52677 + return (long)atomic64_read_unchecked(v);
52681 static inline void atomic_long_set(atomic_long_t *l, long i)
52683 atomic64_t *v = (atomic64_t *)l;
52684 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
52685 atomic64_set(v, i);
52688 +#ifdef CONFIG_PAX_REFCOUNT
52689 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
52691 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
52693 + atomic64_set_unchecked(v, i);
52697 static inline void atomic_long_inc(atomic_long_t *l)
52699 atomic64_t *v = (atomic64_t *)l;
52700 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
52704 +#ifdef CONFIG_PAX_REFCOUNT
52705 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
52707 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
52709 + atomic64_inc_unchecked(v);
52713 static inline void atomic_long_dec(atomic_long_t *l)
52715 atomic64_t *v = (atomic64_t *)l;
52716 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
52720 +#ifdef CONFIG_PAX_REFCOUNT
52721 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
52723 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
52725 + atomic64_dec_unchecked(v);
52729 static inline void atomic_long_add(long i, atomic_long_t *l)
52731 atomic64_t *v = (atomic64_t *)l;
52732 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
52733 atomic64_add(i, v);
52736 +#ifdef CONFIG_PAX_REFCOUNT
52737 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
52739 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
52741 + atomic64_add_unchecked(i, v);
52745 static inline void atomic_long_sub(long i, atomic_long_t *l)
52747 atomic64_t *v = (atomic64_t *)l;
52748 @@ -66,6 +117,15 @@ static inline void atomic_long_sub(long
52749 atomic64_sub(i, v);
52752 +#ifdef CONFIG_PAX_REFCOUNT
52753 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
52755 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
52757 + atomic64_sub_unchecked(i, v);
52761 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
52763 atomic64_t *v = (atomic64_t *)l;
52764 @@ -115,6 +175,15 @@ static inline long atomic_long_inc_retur
52765 return (long)atomic64_inc_return(v);
52768 +#ifdef CONFIG_PAX_REFCOUNT
52769 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
52771 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
52773 + return (long)atomic64_inc_return_unchecked(v);
52777 static inline long atomic_long_dec_return(atomic_long_t *l)
52779 atomic64_t *v = (atomic64_t *)l;
52780 @@ -140,6 +209,12 @@ static inline long atomic_long_add_unles
52782 typedef atomic_t atomic_long_t;
52784 +#ifdef CONFIG_PAX_REFCOUNT
52785 +typedef atomic_unchecked_t atomic_long_unchecked_t;
52787 +typedef atomic_t atomic_long_unchecked_t;
52790 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
52791 static inline long atomic_long_read(atomic_long_t *l)
52793 @@ -148,6 +223,15 @@ static inline long atomic_long_read(atom
52794 return (long)atomic_read(v);
52797 +#ifdef CONFIG_PAX_REFCOUNT
52798 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
52800 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
52802 + return (long)atomic_read_unchecked(v);
52806 static inline void atomic_long_set(atomic_long_t *l, long i)
52808 atomic_t *v = (atomic_t *)l;
52809 @@ -155,6 +239,15 @@ static inline void atomic_long_set(atomi
52813 +#ifdef CONFIG_PAX_REFCOUNT
52814 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
52816 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
52818 + atomic_set_unchecked(v, i);
52822 static inline void atomic_long_inc(atomic_long_t *l)
52824 atomic_t *v = (atomic_t *)l;
52825 @@ -162,6 +255,15 @@ static inline void atomic_long_inc(atomi
52829 +#ifdef CONFIG_PAX_REFCOUNT
52830 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
52832 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
52834 + atomic_inc_unchecked(v);
52838 static inline void atomic_long_dec(atomic_long_t *l)
52840 atomic_t *v = (atomic_t *)l;
52841 @@ -169,6 +271,15 @@ static inline void atomic_long_dec(atomi
52845 +#ifdef CONFIG_PAX_REFCOUNT
52846 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
52848 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
52850 + atomic_dec_unchecked(v);
52854 static inline void atomic_long_add(long i, atomic_long_t *l)
52856 atomic_t *v = (atomic_t *)l;
52857 @@ -176,6 +287,15 @@ static inline void atomic_long_add(long
52861 +#ifdef CONFIG_PAX_REFCOUNT
52862 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
52864 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
52866 + atomic_add_unchecked(i, v);
52870 static inline void atomic_long_sub(long i, atomic_long_t *l)
52872 atomic_t *v = (atomic_t *)l;
52873 @@ -183,6 +303,15 @@ static inline void atomic_long_sub(long
52877 +#ifdef CONFIG_PAX_REFCOUNT
52878 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
52880 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
52882 + atomic_sub_unchecked(i, v);
52886 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
52888 atomic_t *v = (atomic_t *)l;
52889 @@ -232,6 +361,15 @@ static inline long atomic_long_inc_retur
52890 return (long)atomic_inc_return(v);
52893 +#ifdef CONFIG_PAX_REFCOUNT
52894 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
52896 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
52898 + return (long)atomic_inc_return_unchecked(v);
52902 static inline long atomic_long_dec_return(atomic_long_t *l)
52904 atomic_t *v = (atomic_t *)l;
52905 @@ -255,4 +393,49 @@ static inline long atomic_long_add_unles
52907 #endif /* BITS_PER_LONG == 64 */
52909 +#ifdef CONFIG_PAX_REFCOUNT
52910 +static inline void pax_refcount_needs_these_functions(void)
52912 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
52913 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
52914 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
52915 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
52916 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
52917 + atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
52918 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
52919 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
52920 + atomic_dec_unchecked((atomic_unchecked_t *)NULL);
52921 + atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
52922 + atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
52924 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
52925 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
52926 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
52927 + atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
52928 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
52929 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
52930 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
52933 +#define atomic_read_unchecked(v) atomic_read(v)
52934 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
52935 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
52936 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
52937 +#define atomic_inc_unchecked(v) atomic_inc(v)
52938 +#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
52939 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
52940 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
52941 +#define atomic_dec_unchecked(v) atomic_dec(v)
52942 +#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
52943 +#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
52945 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
52946 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
52947 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
52948 +#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
52949 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
52950 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
52951 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
52954 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
52955 diff -urNp linux-2.6.38.6/include/asm-generic/cache.h linux-2.6.38.6/include/asm-generic/cache.h
52956 --- linux-2.6.38.6/include/asm-generic/cache.h 2011-03-14 21:20:32.000000000 -0400
52957 +++ linux-2.6.38.6/include/asm-generic/cache.h 2011-04-28 19:57:25.000000000 -0400
52959 * cache lines need to provide their own cache.h.
52962 -#define L1_CACHE_SHIFT 5
52963 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
52964 +#define L1_CACHE_SHIFT 5U
52965 +#define L1_CACHE_BYTES (1U << L1_CACHE_SHIFT)
52967 #endif /* __ASM_GENERIC_CACHE_H */
52968 diff -urNp linux-2.6.38.6/include/asm-generic/dma-mapping-common.h linux-2.6.38.6/include/asm-generic/dma-mapping-common.h
52969 --- linux-2.6.38.6/include/asm-generic/dma-mapping-common.h 2011-03-14 21:20:32.000000000 -0400
52970 +++ linux-2.6.38.6/include/asm-generic/dma-mapping-common.h 2011-04-28 19:34:15.000000000 -0400
52971 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
52972 enum dma_data_direction dir,
52973 struct dma_attrs *attrs)
52975 - struct dma_map_ops *ops = get_dma_ops(dev);
52976 + const struct dma_map_ops *ops = get_dma_ops(dev);
52979 kmemcheck_mark_initialized(ptr, size);
52980 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
52981 enum dma_data_direction dir,
52982 struct dma_attrs *attrs)
52984 - struct dma_map_ops *ops = get_dma_ops(dev);
52985 + const struct dma_map_ops *ops = get_dma_ops(dev);
52987 BUG_ON(!valid_dma_direction(dir));
52988 if (ops->unmap_page)
52989 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
52990 int nents, enum dma_data_direction dir,
52991 struct dma_attrs *attrs)
52993 - struct dma_map_ops *ops = get_dma_ops(dev);
52994 + const struct dma_map_ops *ops = get_dma_ops(dev);
52996 struct scatterlist *s;
52998 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
52999 int nents, enum dma_data_direction dir,
53000 struct dma_attrs *attrs)
53002 - struct dma_map_ops *ops = get_dma_ops(dev);
53003 + const struct dma_map_ops *ops = get_dma_ops(dev);
53005 BUG_ON(!valid_dma_direction(dir));
53006 debug_dma_unmap_sg(dev, sg, nents, dir);
53007 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
53008 size_t offset, size_t size,
53009 enum dma_data_direction dir)
53011 - struct dma_map_ops *ops = get_dma_ops(dev);
53012 + const struct dma_map_ops *ops = get_dma_ops(dev);
53015 kmemcheck_mark_initialized(page_address(page) + offset, size);
53016 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
53017 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
53018 size_t size, enum dma_data_direction dir)
53020 - struct dma_map_ops *ops = get_dma_ops(dev);
53021 + const struct dma_map_ops *ops = get_dma_ops(dev);
53023 BUG_ON(!valid_dma_direction(dir));
53024 if (ops->unmap_page)
53025 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
53027 enum dma_data_direction dir)
53029 - struct dma_map_ops *ops = get_dma_ops(dev);
53030 + const struct dma_map_ops *ops = get_dma_ops(dev);
53032 BUG_ON(!valid_dma_direction(dir));
53033 if (ops->sync_single_for_cpu)
53034 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
53035 dma_addr_t addr, size_t size,
53036 enum dma_data_direction dir)
53038 - struct dma_map_ops *ops = get_dma_ops(dev);
53039 + const struct dma_map_ops *ops = get_dma_ops(dev);
53041 BUG_ON(!valid_dma_direction(dir));
53042 if (ops->sync_single_for_device)
53043 @@ -139,7 +139,7 @@ static inline void
53044 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
53045 int nelems, enum dma_data_direction dir)
53047 - struct dma_map_ops *ops = get_dma_ops(dev);
53048 + const struct dma_map_ops *ops = get_dma_ops(dev);
53050 BUG_ON(!valid_dma_direction(dir));
53051 if (ops->sync_sg_for_cpu)
53052 @@ -151,7 +151,7 @@ static inline void
53053 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
53054 int nelems, enum dma_data_direction dir)
53056 - struct dma_map_ops *ops = get_dma_ops(dev);
53057 + const struct dma_map_ops *ops = get_dma_ops(dev);
53059 BUG_ON(!valid_dma_direction(dir));
53060 if (ops->sync_sg_for_device)
53061 diff -urNp linux-2.6.38.6/include/asm-generic/futex.h linux-2.6.38.6/include/asm-generic/futex.h
53062 --- linux-2.6.38.6/include/asm-generic/futex.h 2011-03-14 21:20:32.000000000 -0400
53063 +++ linux-2.6.38.6/include/asm-generic/futex.h 2011-04-28 19:34:15.000000000 -0400
53065 #include <asm/errno.h>
53068 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
53069 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
53071 int op = (encoded_op >> 28) & 7;
53072 int cmp = (encoded_op >> 24) & 15;
53073 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
53077 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
53078 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
53082 diff -urNp linux-2.6.38.6/include/asm-generic/int-l64.h linux-2.6.38.6/include/asm-generic/int-l64.h
53083 --- linux-2.6.38.6/include/asm-generic/int-l64.h 2011-03-14 21:20:32.000000000 -0400
53084 +++ linux-2.6.38.6/include/asm-generic/int-l64.h 2011-04-28 19:34:15.000000000 -0400
53085 @@ -46,6 +46,8 @@ typedef unsigned int u32;
53086 typedef signed long s64;
53087 typedef unsigned long u64;
53089 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
53092 #define U8_C(x) x ## U
53094 diff -urNp linux-2.6.38.6/include/asm-generic/int-ll64.h linux-2.6.38.6/include/asm-generic/int-ll64.h
53095 --- linux-2.6.38.6/include/asm-generic/int-ll64.h 2011-03-14 21:20:32.000000000 -0400
53096 +++ linux-2.6.38.6/include/asm-generic/int-ll64.h 2011-04-28 19:34:15.000000000 -0400
53097 @@ -51,6 +51,8 @@ typedef unsigned int u32;
53098 typedef signed long long s64;
53099 typedef unsigned long long u64;
53101 +typedef unsigned long long intoverflow_t;
53104 #define U8_C(x) x ## U
53106 diff -urNp linux-2.6.38.6/include/asm-generic/kmap_types.h linux-2.6.38.6/include/asm-generic/kmap_types.h
53107 --- linux-2.6.38.6/include/asm-generic/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
53108 +++ linux-2.6.38.6/include/asm-generic/kmap_types.h 2011-04-28 19:34:15.000000000 -0400
53109 @@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
53111 KMAP_D(18) KM_NMI_PTE,
53113 +KMAP_D(20) KM_CLEARPAGE,
53115 * Remember to update debug_kmap_atomic() when adding new kmap types!
53117 -KMAP_D(20) KM_TYPE_NR
53118 +KMAP_D(21) KM_TYPE_NR
53122 diff -urNp linux-2.6.38.6/include/asm-generic/pgtable.h linux-2.6.38.6/include/asm-generic/pgtable.h
53123 --- linux-2.6.38.6/include/asm-generic/pgtable.h 2011-03-14 21:20:32.000000000 -0400
53124 +++ linux-2.6.38.6/include/asm-generic/pgtable.h 2011-04-28 19:34:15.000000000 -0400
53125 @@ -447,6 +447,14 @@ static inline int pmd_write(pmd_t pmd)
53126 #endif /* __HAVE_ARCH_PMD_WRITE */
53129 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
53130 +static inline unsigned long pax_open_kernel(void) { return 0; }
53133 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
53134 +static inline unsigned long pax_close_kernel(void) { return 0; }
53137 #endif /* !__ASSEMBLY__ */
53139 #endif /* _ASM_GENERIC_PGTABLE_H */
53140 diff -urNp linux-2.6.38.6/include/asm-generic/pgtable-nopmd.h linux-2.6.38.6/include/asm-generic/pgtable-nopmd.h
53141 --- linux-2.6.38.6/include/asm-generic/pgtable-nopmd.h 2011-03-14 21:20:32.000000000 -0400
53142 +++ linux-2.6.38.6/include/asm-generic/pgtable-nopmd.h 2011-04-28 19:34:15.000000000 -0400
53144 #ifndef _PGTABLE_NOPMD_H
53145 #define _PGTABLE_NOPMD_H
53147 -#ifndef __ASSEMBLY__
53149 #include <asm-generic/pgtable-nopud.h>
53153 #define __PAGETABLE_PMD_FOLDED
53155 +#define PMD_SHIFT PUD_SHIFT
53156 +#define PTRS_PER_PMD 1
53157 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
53158 +#define PMD_MASK (~(PMD_SIZE-1))
53160 +#ifndef __ASSEMBLY__
53165 * Having the pmd type consist of a pud gets the size right, and allows
53166 * us to conceptually access the pud entry that this pmd is folded into
53167 @@ -16,11 +21,6 @@ struct mm_struct;
53169 typedef struct { pud_t pud; } pmd_t;
53171 -#define PMD_SHIFT PUD_SHIFT
53172 -#define PTRS_PER_PMD 1
53173 -#define PMD_SIZE (1UL << PMD_SHIFT)
53174 -#define PMD_MASK (~(PMD_SIZE-1))
53177 * The "pud_xxx()" functions here are trivial for a folded two-level
53178 * setup: the pmd is never bad, and a pmd always exists (as it's folded
53179 diff -urNp linux-2.6.38.6/include/asm-generic/pgtable-nopud.h linux-2.6.38.6/include/asm-generic/pgtable-nopud.h
53180 --- linux-2.6.38.6/include/asm-generic/pgtable-nopud.h 2011-03-14 21:20:32.000000000 -0400
53181 +++ linux-2.6.38.6/include/asm-generic/pgtable-nopud.h 2011-04-28 19:34:15.000000000 -0400
53183 #ifndef _PGTABLE_NOPUD_H
53184 #define _PGTABLE_NOPUD_H
53186 -#ifndef __ASSEMBLY__
53188 #define __PAGETABLE_PUD_FOLDED
53190 +#define PUD_SHIFT PGDIR_SHIFT
53191 +#define PTRS_PER_PUD 1
53192 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
53193 +#define PUD_MASK (~(PUD_SIZE-1))
53195 +#ifndef __ASSEMBLY__
53198 * Having the pud type consist of a pgd gets the size right, and allows
53199 * us to conceptually access the pgd entry that this pud is folded into
53202 typedef struct { pgd_t pgd; } pud_t;
53204 -#define PUD_SHIFT PGDIR_SHIFT
53205 -#define PTRS_PER_PUD 1
53206 -#define PUD_SIZE (1UL << PUD_SHIFT)
53207 -#define PUD_MASK (~(PUD_SIZE-1))
53210 * The "pgd_xxx()" functions here are trivial for a folded two-level
53211 * setup: the pud is never bad, and a pud always exists (as it's folded
53212 diff -urNp linux-2.6.38.6/include/asm-generic/vmlinux.lds.h linux-2.6.38.6/include/asm-generic/vmlinux.lds.h
53213 --- linux-2.6.38.6/include/asm-generic/vmlinux.lds.h 2011-03-14 21:20:32.000000000 -0400
53214 +++ linux-2.6.38.6/include/asm-generic/vmlinux.lds.h 2011-04-28 19:34:15.000000000 -0400
53215 @@ -213,6 +213,7 @@
53216 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
53217 VMLINUX_SYMBOL(__start_rodata) = .; \
53218 *(.rodata) *(.rodata.*) \
53219 + *(.data..read_only) \
53220 *(__vermagic) /* Kernel version magic */ \
53222 VMLINUX_SYMBOL(__start___tracepoints_ptrs) = .; \
53223 @@ -696,14 +697,15 @@
53224 * section in the linker script will go there too. @phdr should have
53227 - * Note that this macros defines __per_cpu_load as an absolute symbol.
53228 + * Note that this macros defines per_cpu_load as an absolute symbol.
53229 * If there is no need to put the percpu section at a predetermined
53230 * address, use PERCPU().
53232 #define PERCPU_VADDR(vaddr, phdr) \
53233 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
53234 - .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
53235 + per_cpu_load = .; \
53236 + .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
53238 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
53239 VMLINUX_SYMBOL(__per_cpu_start) = .; \
53240 *(.data..percpu..first) \
53241 . = ALIGN(PAGE_SIZE); \
53242 @@ -713,7 +715,7 @@
53243 *(.data..percpu..shared_aligned) \
53244 VMLINUX_SYMBOL(__per_cpu_end) = .; \
53246 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
53247 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
53250 * PERCPU - define output section for percpu area, simple version
53251 diff -urNp linux-2.6.38.6/include/drm/drmP.h linux-2.6.38.6/include/drm/drmP.h
53252 --- linux-2.6.38.6/include/drm/drmP.h 2011-03-14 21:20:32.000000000 -0400
53253 +++ linux-2.6.38.6/include/drm/drmP.h 2011-04-28 19:34:15.000000000 -0400
53255 #include <linux/workqueue.h>
53256 #include <linux/poll.h>
53257 #include <asm/pgalloc.h>
53258 +#include <asm/local.h>
53261 #include <linux/idr.h>
53262 @@ -881,7 +882,7 @@ struct drm_driver {
53263 void (*vgaarb_irq)(struct drm_device *dev, bool state);
53265 /* Driver private ops for this object */
53266 - struct vm_operations_struct *gem_vm_ops;
53267 + const struct vm_operations_struct *gem_vm_ops;
53271 @@ -894,7 +895,7 @@ struct drm_driver {
53273 struct drm_ioctl_desc *ioctls;
53275 - struct file_operations fops;
53276 + const struct file_operations fops;
53277 struct pci_driver pci_driver;
53278 struct platform_device *platform_device;
53279 /* List of devices hanging off this driver */
53280 @@ -991,7 +992,7 @@ struct drm_device {
53282 /** \name Usage Counters */
53284 - int open_count; /**< Outstanding files open */
53285 + local_t open_count; /**< Outstanding files open */
53286 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
53287 atomic_t vma_count; /**< Outstanding vma areas open */
53288 int buf_use; /**< Buffers in use -- cannot alloc */
53289 @@ -1002,7 +1003,7 @@ struct drm_device {
53291 unsigned long counters;
53292 enum drm_stat_type types[15];
53293 - atomic_t counts[15];
53294 + atomic_unchecked_t counts[15];
53297 struct list_head filelist;
53298 @@ -1101,7 +1102,7 @@ struct drm_device {
53299 struct platform_device *platformdev; /**< Platform device struture */
53301 struct drm_sg_mem *sg; /**< Scatter gather memory */
53302 - unsigned int num_crtcs; /**< Number of CRTCs on this device */
53303 + unsigned int num_crtcs; /**< Number of CRTCs on this device */
53304 void *dev_private; /**< device private data */
53306 struct address_space *dev_mapping;
53307 diff -urNp linux-2.6.38.6/include/linux/a.out.h linux-2.6.38.6/include/linux/a.out.h
53308 --- linux-2.6.38.6/include/linux/a.out.h 2011-03-14 21:20:32.000000000 -0400
53309 +++ linux-2.6.38.6/include/linux/a.out.h 2011-04-28 19:34:15.000000000 -0400
53310 @@ -39,6 +39,14 @@ enum machine_type {
53311 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
53314 +/* Constants for the N_FLAGS field */
53315 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
53316 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
53317 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
53318 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
53319 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
53320 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
53322 #if !defined (N_MAGIC)
53323 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
53325 diff -urNp linux-2.6.38.6/include/linux/atmdev.h linux-2.6.38.6/include/linux/atmdev.h
53326 --- linux-2.6.38.6/include/linux/atmdev.h 2011-04-18 17:27:18.000000000 -0400
53327 +++ linux-2.6.38.6/include/linux/atmdev.h 2011-04-28 19:34:15.000000000 -0400
53328 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
53331 struct k_atm_aal_stats {
53332 -#define __HANDLE_ITEM(i) atomic_t i
53333 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
53335 #undef __HANDLE_ITEM
53337 diff -urNp linux-2.6.38.6/include/linux/binfmts.h linux-2.6.38.6/include/linux/binfmts.h
53338 --- linux-2.6.38.6/include/linux/binfmts.h 2011-03-14 21:20:32.000000000 -0400
53339 +++ linux-2.6.38.6/include/linux/binfmts.h 2011-04-28 19:34:15.000000000 -0400
53340 @@ -92,6 +92,7 @@ struct linux_binfmt {
53341 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
53342 int (*load_shlib)(struct file *);
53343 int (*core_dump)(struct coredump_params *cprm);
53344 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
53345 unsigned long min_coredump; /* minimal dump size */
53348 diff -urNp linux-2.6.38.6/include/linux/blkdev.h linux-2.6.38.6/include/linux/blkdev.h
53349 --- linux-2.6.38.6/include/linux/blkdev.h 2011-03-14 21:20:32.000000000 -0400
53350 +++ linux-2.6.38.6/include/linux/blkdev.h 2011-04-28 19:34:15.000000000 -0400
53351 @@ -1247,22 +1247,22 @@ queue_max_integrity_segments(struct requ
53352 #endif /* CONFIG_BLK_DEV_INTEGRITY */
53354 struct block_device_operations {
53355 - int (*open) (struct block_device *, fmode_t);
53356 - int (*release) (struct gendisk *, fmode_t);
53357 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
53358 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
53359 - int (*direct_access) (struct block_device *, sector_t,
53360 + int (* const open) (struct block_device *, fmode_t);
53361 + int (* const release) (struct gendisk *, fmode_t);
53362 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
53363 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
53364 + int (* const direct_access) (struct block_device *, sector_t,
53365 void **, unsigned long *);
53366 - unsigned int (*check_events) (struct gendisk *disk,
53367 + unsigned int (* const check_events) (struct gendisk *disk,
53368 unsigned int clearing);
53369 /* ->media_changed() is DEPRECATED, use ->check_events() instead */
53370 - int (*media_changed) (struct gendisk *);
53371 - void (*unlock_native_capacity) (struct gendisk *);
53372 - int (*revalidate_disk) (struct gendisk *);
53373 - int (*getgeo)(struct block_device *, struct hd_geometry *);
53374 + int (* const media_changed) (struct gendisk *);
53375 + void (* const unlock_native_capacity) (struct gendisk *);
53376 + int (* const revalidate_disk) (struct gendisk *);
53377 + int (* const getgeo)(struct block_device *, struct hd_geometry *);
53378 /* this callback is with swap_lock and sometimes page table lock held */
53379 - void (*swap_slot_free_notify) (struct block_device *, unsigned long);
53380 - struct module *owner;
53381 + void (* const swap_slot_free_notify) (struct block_device *, unsigned long);
53382 + struct module * const owner;
53385 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
53386 diff -urNp linux-2.6.38.6/include/linux/blktrace_api.h linux-2.6.38.6/include/linux/blktrace_api.h
53387 --- linux-2.6.38.6/include/linux/blktrace_api.h 2011-03-14 21:20:32.000000000 -0400
53388 +++ linux-2.6.38.6/include/linux/blktrace_api.h 2011-04-28 19:57:25.000000000 -0400
53389 @@ -161,7 +161,7 @@ struct blk_trace {
53390 struct dentry *dir;
53391 struct dentry *dropped_file;
53392 struct dentry *msg_file;
53393 - atomic_t dropped;
53394 + atomic_unchecked_t dropped;
53397 extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
53398 diff -urNp linux-2.6.38.6/include/linux/byteorder/little_endian.h linux-2.6.38.6/include/linux/byteorder/little_endian.h
53399 --- linux-2.6.38.6/include/linux/byteorder/little_endian.h 2011-03-14 21:20:32.000000000 -0400
53400 +++ linux-2.6.38.6/include/linux/byteorder/little_endian.h 2011-04-28 19:34:15.000000000 -0400
53401 @@ -42,51 +42,51 @@
53403 static inline __le64 __cpu_to_le64p(const __u64 *p)
53405 - return (__force __le64)*p;
53406 + return (__force const __le64)*p;
53408 static inline __u64 __le64_to_cpup(const __le64 *p)
53410 - return (__force __u64)*p;
53411 + return (__force const __u64)*p;
53413 static inline __le32 __cpu_to_le32p(const __u32 *p)
53415 - return (__force __le32)*p;
53416 + return (__force const __le32)*p;
53418 static inline __u32 __le32_to_cpup(const __le32 *p)
53420 - return (__force __u32)*p;
53421 + return (__force const __u32)*p;
53423 static inline __le16 __cpu_to_le16p(const __u16 *p)
53425 - return (__force __le16)*p;
53426 + return (__force const __le16)*p;
53428 static inline __u16 __le16_to_cpup(const __le16 *p)
53430 - return (__force __u16)*p;
53431 + return (__force const __u16)*p;
53433 static inline __be64 __cpu_to_be64p(const __u64 *p)
53435 - return (__force __be64)__swab64p(p);
53436 + return (__force const __be64)__swab64p(p);
53438 static inline __u64 __be64_to_cpup(const __be64 *p)
53440 - return __swab64p((__u64 *)p);
53441 + return __swab64p((const __u64 *)p);
53443 static inline __be32 __cpu_to_be32p(const __u32 *p)
53445 - return (__force __be32)__swab32p(p);
53446 + return (__force const __be32)__swab32p(p);
53448 static inline __u32 __be32_to_cpup(const __be32 *p)
53450 - return __swab32p((__u32 *)p);
53451 + return __swab32p((const __u32 *)p);
53453 static inline __be16 __cpu_to_be16p(const __u16 *p)
53455 - return (__force __be16)__swab16p(p);
53456 + return (__force const __be16)__swab16p(p);
53458 static inline __u16 __be16_to_cpup(const __be16 *p)
53460 - return __swab16p((__u16 *)p);
53461 + return __swab16p((const __u16 *)p);
53463 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
53464 #define __le64_to_cpus(x) do { (void)(x); } while (0)
53465 diff -urNp linux-2.6.38.6/include/linux/cache.h linux-2.6.38.6/include/linux/cache.h
53466 --- linux-2.6.38.6/include/linux/cache.h 2011-03-14 21:20:32.000000000 -0400
53467 +++ linux-2.6.38.6/include/linux/cache.h 2011-04-28 19:34:15.000000000 -0400
53469 #define __read_mostly
53472 +#ifndef __read_only
53473 +#define __read_only __read_mostly
53476 #ifndef ____cacheline_aligned
53477 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
53479 diff -urNp linux-2.6.38.6/include/linux/capability.h linux-2.6.38.6/include/linux/capability.h
53480 --- linux-2.6.38.6/include/linux/capability.h 2011-03-14 21:20:32.000000000 -0400
53481 +++ linux-2.6.38.6/include/linux/capability.h 2011-04-28 19:34:15.000000000 -0400
53482 @@ -561,6 +561,7 @@ extern const kernel_cap_t __cap_init_eff
53483 (security_real_capable_noaudit((t), (cap)) == 0)
53485 extern int capable(int cap);
53486 +int capable_nolog(int cap);
53488 /* audit system wants to get cap info from files as well */
53490 diff -urNp linux-2.6.38.6/include/linux/compiler-gcc4.h linux-2.6.38.6/include/linux/compiler-gcc4.h
53491 --- linux-2.6.38.6/include/linux/compiler-gcc4.h 2011-03-14 21:20:32.000000000 -0400
53492 +++ linux-2.6.38.6/include/linux/compiler-gcc4.h 2011-04-28 19:34:15.000000000 -0400
53497 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
53498 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
53499 +#define __bos0(ptr) __bos((ptr), 0)
53500 +#define __bos1(ptr) __bos((ptr), 1)
53503 #if __GNUC_MINOR__ > 0
53504 diff -urNp linux-2.6.38.6/include/linux/compiler.h linux-2.6.38.6/include/linux/compiler.h
53505 --- linux-2.6.38.6/include/linux/compiler.h 2011-03-14 21:20:32.000000000 -0400
53506 +++ linux-2.6.38.6/include/linux/compiler.h 2011-04-28 19:34:15.000000000 -0400
53507 @@ -273,6 +273,22 @@ void ftrace_likely_update(struct ftrace_
53511 +#ifndef __alloc_size
53512 +#define __alloc_size
53527 /* Simple shorthand for a section definition */
53529 # define __section(S) __attribute__ ((__section__(#S)))
53530 @@ -306,6 +322,7 @@ void ftrace_likely_update(struct ftrace_
53531 * use is to mediate communication between process-level code and irq/NMI
53532 * handlers, all running on the same CPU.
53534 -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
53535 +#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
53536 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
53538 #endif /* __LINUX_COMPILER_H */
53539 diff -urNp linux-2.6.38.6/include/linux/cpuset.h linux-2.6.38.6/include/linux/cpuset.h
53540 --- linux-2.6.38.6/include/linux/cpuset.h 2011-03-14 21:20:32.000000000 -0400
53541 +++ linux-2.6.38.6/include/linux/cpuset.h 2011-04-28 19:34:15.000000000 -0400
53542 @@ -118,7 +118,7 @@ static inline void put_mems_allowed(void
53546 - --ACCESS_ONCE(current->mems_allowed_change_disable);
53547 + --ACCESS_ONCE_RW(current->mems_allowed_change_disable);
53550 static inline void set_mems_allowed(nodemask_t nodemask)
53551 diff -urNp linux-2.6.38.6/include/linux/decompress/mm.h linux-2.6.38.6/include/linux/decompress/mm.h
53552 --- linux-2.6.38.6/include/linux/decompress/mm.h 2011-03-14 21:20:32.000000000 -0400
53553 +++ linux-2.6.38.6/include/linux/decompress/mm.h 2011-04-28 19:34:15.000000000 -0400
53554 @@ -77,7 +77,7 @@ static void free(void *where)
53555 * warnings when not needed (indeed large_malloc / large_free are not
53556 * needed by inflate */
53558 -#define malloc(a) kmalloc(a, GFP_KERNEL)
53559 +#define malloc(a) kmalloc((a), GFP_KERNEL)
53560 #define free(a) kfree(a)
53562 #define large_malloc(a) vmalloc(a)
53563 diff -urNp linux-2.6.38.6/include/linux/dma-mapping.h linux-2.6.38.6/include/linux/dma-mapping.h
53564 --- linux-2.6.38.6/include/linux/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
53565 +++ linux-2.6.38.6/include/linux/dma-mapping.h 2011-04-28 19:34:15.000000000 -0400
53566 @@ -16,40 +16,40 @@ enum dma_data_direction {
53569 struct dma_map_ops {
53570 - void* (*alloc_coherent)(struct device *dev, size_t size,
53571 + void* (* const alloc_coherent)(struct device *dev, size_t size,
53572 dma_addr_t *dma_handle, gfp_t gfp);
53573 - void (*free_coherent)(struct device *dev, size_t size,
53574 + void (* const free_coherent)(struct device *dev, size_t size,
53575 void *vaddr, dma_addr_t dma_handle);
53576 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
53577 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
53578 unsigned long offset, size_t size,
53579 enum dma_data_direction dir,
53580 struct dma_attrs *attrs);
53581 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
53582 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
53583 size_t size, enum dma_data_direction dir,
53584 struct dma_attrs *attrs);
53585 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
53586 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
53587 int nents, enum dma_data_direction dir,
53588 struct dma_attrs *attrs);
53589 - void (*unmap_sg)(struct device *dev,
53590 + void (* const unmap_sg)(struct device *dev,
53591 struct scatterlist *sg, int nents,
53592 enum dma_data_direction dir,
53593 struct dma_attrs *attrs);
53594 - void (*sync_single_for_cpu)(struct device *dev,
53595 + void (* const sync_single_for_cpu)(struct device *dev,
53596 dma_addr_t dma_handle, size_t size,
53597 enum dma_data_direction dir);
53598 - void (*sync_single_for_device)(struct device *dev,
53599 + void (* const sync_single_for_device)(struct device *dev,
53600 dma_addr_t dma_handle, size_t size,
53601 enum dma_data_direction dir);
53602 - void (*sync_sg_for_cpu)(struct device *dev,
53603 + void (* const sync_sg_for_cpu)(struct device *dev,
53604 struct scatterlist *sg, int nents,
53605 enum dma_data_direction dir);
53606 - void (*sync_sg_for_device)(struct device *dev,
53607 + void (* const sync_sg_for_device)(struct device *dev,
53608 struct scatterlist *sg, int nents,
53609 enum dma_data_direction dir);
53610 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
53611 - int (*dma_supported)(struct device *dev, u64 mask);
53612 - int (*set_dma_mask)(struct device *dev, u64 mask);
53614 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
53615 + int (* const dma_supported)(struct device *dev, u64 mask);
53616 + int (* set_dma_mask)(struct device *dev, u64 mask);
53617 + const int is_phys;
53620 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
53621 diff -urNp linux-2.6.38.6/include/linux/elf.h linux-2.6.38.6/include/linux/elf.h
53622 --- linux-2.6.38.6/include/linux/elf.h 2011-03-14 21:20:32.000000000 -0400
53623 +++ linux-2.6.38.6/include/linux/elf.h 2011-04-28 19:34:15.000000000 -0400
53624 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
53625 #define PT_GNU_EH_FRAME 0x6474e550
53627 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
53628 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
53630 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
53632 +/* Constants for the e_flags field */
53633 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
53634 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
53635 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
53636 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
53637 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
53638 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
53641 * Extended Numbering
53642 @@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
53643 #define DT_DEBUG 21
53644 #define DT_TEXTREL 22
53645 #define DT_JMPREL 23
53646 +#define DT_FLAGS 30
53647 + #define DF_TEXTREL 0x00000004
53648 #define DT_ENCODING 32
53649 #define OLD_DT_LOOS 0x60000000
53650 #define DT_LOOS 0x6000000d
53651 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
53655 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
53656 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
53657 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
53658 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
53659 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
53660 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
53661 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
53662 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
53663 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
53664 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
53665 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
53666 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
53668 typedef struct elf32_phdr{
53670 Elf32_Off p_offset;
53671 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
53677 #define ELFMAG0 0x7f /* EI_MAG */
53678 #define ELFMAG1 'E'
53679 #define ELFMAG2 'L'
53680 @@ -421,6 +449,7 @@ extern Elf32_Dyn _DYNAMIC [];
53681 #define elf_note elf32_note
53682 #define elf_addr_t Elf32_Off
53683 #define Elf_Half Elf32_Half
53684 +#define elf_dyn Elf32_Dyn
53688 @@ -431,6 +460,7 @@ extern Elf64_Dyn _DYNAMIC [];
53689 #define elf_note elf64_note
53690 #define elf_addr_t Elf64_Off
53691 #define Elf_Half Elf64_Half
53692 +#define elf_dyn Elf64_Dyn
53696 diff -urNp linux-2.6.38.6/include/linux/fscache-cache.h linux-2.6.38.6/include/linux/fscache-cache.h
53697 --- linux-2.6.38.6/include/linux/fscache-cache.h 2011-03-14 21:20:32.000000000 -0400
53698 +++ linux-2.6.38.6/include/linux/fscache-cache.h 2011-04-28 19:57:25.000000000 -0400
53699 @@ -113,7 +113,7 @@ struct fscache_operation {
53703 -extern atomic_t fscache_op_debug_id;
53704 +extern atomic_unchecked_t fscache_op_debug_id;
53705 extern void fscache_op_work_func(struct work_struct *work);
53707 extern void fscache_enqueue_operation(struct fscache_operation *);
53708 @@ -133,7 +133,7 @@ static inline void fscache_operation_ini
53710 INIT_WORK(&op->work, fscache_op_work_func);
53711 atomic_set(&op->usage, 1);
53712 - op->debug_id = atomic_inc_return(&fscache_op_debug_id);
53713 + op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
53714 op->processor = processor;
53715 op->release = release;
53716 INIT_LIST_HEAD(&op->pend_link);
53717 diff -urNp linux-2.6.38.6/include/linux/fs.h linux-2.6.38.6/include/linux/fs.h
53718 --- linux-2.6.38.6/include/linux/fs.h 2011-03-14 21:20:32.000000000 -0400
53719 +++ linux-2.6.38.6/include/linux/fs.h 2011-04-28 19:34:15.000000000 -0400
53720 @@ -105,6 +105,11 @@ struct inodes_stat_t {
53721 /* File was opened by fanotify and shouldn't generate fanotify events */
53722 #define FMODE_NONOTIFY ((__force fmode_t)0x1000000)
53724 +/* Hack for grsec so as not to require read permission simply to execute
53727 +#define FMODE_GREXEC ((__force fmode_t)0x2000000)
53730 * The below are the various read and write types that we support. Some of
53731 * them include behavioral modifiers that send information down to the
53732 @@ -581,42 +586,42 @@ typedef int (*read_actor_t)(read_descrip
53733 unsigned long, unsigned long);
53735 struct address_space_operations {
53736 - int (*writepage)(struct page *page, struct writeback_control *wbc);
53737 - int (*readpage)(struct file *, struct page *);
53738 - void (*sync_page)(struct page *);
53739 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
53740 + int (* const readpage)(struct file *, struct page *);
53741 + void (* const sync_page)(struct page *);
53743 /* Write back some dirty pages from this mapping. */
53744 - int (*writepages)(struct address_space *, struct writeback_control *);
53745 + int (* const writepages)(struct address_space *, struct writeback_control *);
53747 /* Set a page dirty. Return true if this dirtied it */
53748 - int (*set_page_dirty)(struct page *page);
53749 + int (* const set_page_dirty)(struct page *page);
53751 - int (*readpages)(struct file *filp, struct address_space *mapping,
53752 + int (* const readpages)(struct file *filp, struct address_space *mapping,
53753 struct list_head *pages, unsigned nr_pages);
53755 - int (*write_begin)(struct file *, struct address_space *mapping,
53756 + int (* const write_begin)(struct file *, struct address_space *mapping,
53757 loff_t pos, unsigned len, unsigned flags,
53758 struct page **pagep, void **fsdata);
53759 - int (*write_end)(struct file *, struct address_space *mapping,
53760 + int (* const write_end)(struct file *, struct address_space *mapping,
53761 loff_t pos, unsigned len, unsigned copied,
53762 struct page *page, void *fsdata);
53764 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
53765 - sector_t (*bmap)(struct address_space *, sector_t);
53766 - void (*invalidatepage) (struct page *, unsigned long);
53767 - int (*releasepage) (struct page *, gfp_t);
53768 - void (*freepage)(struct page *);
53769 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
53770 + sector_t (* const bmap)(struct address_space *, sector_t);
53771 + void (* const invalidatepage) (struct page *, unsigned long);
53772 + int (* const releasepage) (struct page *, gfp_t);
53773 + void (* const freepage)(struct page *);
53774 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
53775 loff_t offset, unsigned long nr_segs);
53776 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
53777 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
53778 void **, unsigned long *);
53779 /* migrate the contents of a page to the specified target */
53780 - int (*migratepage) (struct address_space *,
53781 + int (* const migratepage) (struct address_space *,
53782 struct page *, struct page *);
53783 - int (*launder_page) (struct page *);
53784 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
53785 + int (* const launder_page) (struct page *);
53786 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
53788 - int (*error_remove_page)(struct address_space *, struct page *);
53789 + int (* const error_remove_page)(struct address_space *, struct page *);
53793 @@ -1059,17 +1064,17 @@ static inline int file_check_writeable(s
53794 typedef struct files_struct *fl_owner_t;
53796 struct file_lock_operations {
53797 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
53798 - void (*fl_release_private)(struct file_lock *);
53799 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
53800 + void (* const fl_release_private)(struct file_lock *);
53803 struct lock_manager_operations {
53804 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
53805 - void (*fl_notify)(struct file_lock *); /* unblock callback */
53806 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
53807 - void (*fl_release_private)(struct file_lock *);
53808 - void (*fl_break)(struct file_lock *);
53809 - int (*fl_change)(struct file_lock **, int);
53810 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
53811 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
53812 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
53813 + void (* const fl_release_private)(struct file_lock *);
53814 + void (* const fl_break)(struct file_lock *);
53815 + int (* const fl_change)(struct file_lock **, int);
53818 struct lock_manager {
53819 diff -urNp linux-2.6.38.6/include/linux/fs_struct.h linux-2.6.38.6/include/linux/fs_struct.h
53820 --- linux-2.6.38.6/include/linux/fs_struct.h 2011-03-14 21:20:32.000000000 -0400
53821 +++ linux-2.6.38.6/include/linux/fs_struct.h 2011-04-28 19:34:15.000000000 -0400
53823 #include <linux/seqlock.h>
53831 diff -urNp linux-2.6.38.6/include/linux/ftrace_event.h linux-2.6.38.6/include/linux/ftrace_event.h
53832 --- linux-2.6.38.6/include/linux/ftrace_event.h 2011-03-14 21:20:32.000000000 -0400
53833 +++ linux-2.6.38.6/include/linux/ftrace_event.h 2011-05-02 19:07:09.000000000 -0400
53834 @@ -236,7 +236,7 @@ extern int trace_define_field(struct ftr
53835 extern int trace_add_event_call(struct ftrace_event_call *call);
53836 extern void trace_remove_event_call(struct ftrace_event_call *call);
53838 -#define is_signed_type(type) (((type)(-1)) < 0)
53839 +#define is_signed_type(type) (((type)(-1)) < (type)1)
53841 int trace_set_clr_event(const char *system, const char *event, int set);
53843 diff -urNp linux-2.6.38.6/include/linux/genhd.h linux-2.6.38.6/include/linux/genhd.h
53844 --- linux-2.6.38.6/include/linux/genhd.h 2011-03-14 21:20:32.000000000 -0400
53845 +++ linux-2.6.38.6/include/linux/genhd.h 2011-04-28 19:34:15.000000000 -0400
53846 @@ -183,7 +183,7 @@ struct gendisk {
53847 struct kobject *slave_dir;
53849 struct timer_rand_state *random;
53850 - atomic_t sync_io; /* RAID */
53851 + atomic_unchecked_t sync_io; /* RAID */
53852 struct disk_events *ev;
53853 #ifdef CONFIG_BLK_DEV_INTEGRITY
53854 struct blk_integrity *integrity;
53855 diff -urNp linux-2.6.38.6/include/linux/gracl.h linux-2.6.38.6/include/linux/gracl.h
53856 --- linux-2.6.38.6/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
53857 +++ linux-2.6.38.6/include/linux/gracl.h 2011-04-28 19:34:15.000000000 -0400
53862 +#include <linux/grdefs.h>
53863 +#include <linux/resource.h>
53864 +#include <linux/capability.h>
53865 +#include <linux/dcache.h>
53866 +#include <asm/resource.h>
53868 +/* Major status information */
53870 +#define GR_VERSION "grsecurity 2.2.2"
53871 +#define GRSECURITY_VERSION 0x2202
53882 + GR_SPROLEPAM = 8,
53885 +/* Password setup definitions
53886 + * kernel/grhash.c */
53889 + GR_SALT_LEN = 16,
53894 + GR_SPROLE_LEN = 64,
53903 +#define GR_NLIMITS 32
53905 +/* Begin Data Structures */
53907 +struct sprole_pw {
53908 + unsigned char *rolename;
53909 + unsigned char salt[GR_SALT_LEN];
53910 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
53913 +struct name_entry {
53920 + struct name_entry *prev;
53921 + struct name_entry *next;
53924 +struct inodev_entry {
53925 + struct name_entry *nentry;
53926 + struct inodev_entry *prev;
53927 + struct inodev_entry *next;
53930 +struct acl_role_db {
53931 + struct acl_role_label **r_hash;
53935 +struct inodev_db {
53936 + struct inodev_entry **i_hash;
53941 + struct name_entry **n_hash;
53945 +struct crash_uid {
53947 + unsigned long expires;
53950 +struct gr_hash_struct {
53952 + void **nametable;
53954 + __u32 table_size;
53959 +/* Userspace Grsecurity ACL data structures */
53961 +struct acl_subject_label {
53966 + kernel_cap_t cap_mask;
53967 + kernel_cap_t cap_lower;
53968 + kernel_cap_t cap_invert_audit;
53970 + struct rlimit res[GR_NLIMITS];
53973 + __u8 user_trans_type;
53974 + __u8 group_trans_type;
53975 + uid_t *user_transitions;
53976 + gid_t *group_transitions;
53977 + __u16 user_trans_num;
53978 + __u16 group_trans_num;
53980 + __u32 sock_families[2];
53981 + __u32 ip_proto[8];
53983 + struct acl_ip_label **ips;
53985 + __u32 inaddr_any_override;
53988 + unsigned long expires;
53990 + struct acl_subject_label *parent_subject;
53991 + struct gr_hash_struct *hash;
53992 + struct acl_subject_label *prev;
53993 + struct acl_subject_label *next;
53995 + struct acl_object_label **obj_hash;
53996 + __u32 obj_hash_size;
54000 +struct role_allowed_ip {
54004 + struct role_allowed_ip *prev;
54005 + struct role_allowed_ip *next;
54008 +struct role_transition {
54011 + struct role_transition *prev;
54012 + struct role_transition *next;
54015 +struct acl_role_label {
54020 + __u16 auth_attempts;
54021 + unsigned long expires;
54023 + struct acl_subject_label *root_label;
54024 + struct gr_hash_struct *hash;
54026 + struct acl_role_label *prev;
54027 + struct acl_role_label *next;
54029 + struct role_transition *transitions;
54030 + struct role_allowed_ip *allowed_ips;
54031 + uid_t *domain_children;
54032 + __u16 domain_child_num;
54034 + struct acl_subject_label **subj_hash;
54035 + __u32 subj_hash_size;
54038 +struct user_acl_role_db {
54039 + struct acl_role_label **r_table;
54040 + __u32 num_pointers; /* Number of allocations to track */
54041 + __u32 num_roles; /* Number of roles */
54042 + __u32 num_domain_children; /* Number of domain children */
54043 + __u32 num_subjects; /* Number of subjects */
54044 + __u32 num_objects; /* Number of objects */
54047 +struct acl_object_label {
54053 + struct acl_subject_label *nested;
54054 + struct acl_object_label *globbed;
54056 + /* next two structures not used */
54058 + struct acl_object_label *prev;
54059 + struct acl_object_label *next;
54062 +struct acl_ip_label {
54071 + /* next two structures not used */
54073 + struct acl_ip_label *prev;
54074 + struct acl_ip_label *next;
54078 + struct user_acl_role_db role_db;
54079 + unsigned char pw[GR_PW_LEN];
54080 + unsigned char salt[GR_SALT_LEN];
54081 + unsigned char sum[GR_SHA_LEN];
54082 + unsigned char sp_role[GR_SPROLE_LEN];
54083 + struct sprole_pw *sprole_pws;
54084 + dev_t segv_device;
54085 + ino_t segv_inode;
54087 + __u16 num_sprole_pws;
54091 +struct gr_arg_wrapper {
54092 + struct gr_arg *arg;
54097 +struct subject_map {
54098 + struct acl_subject_label *user;
54099 + struct acl_subject_label *kernel;
54100 + struct subject_map *prev;
54101 + struct subject_map *next;
54104 +struct acl_subj_map_db {
54105 + struct subject_map **s_hash;
54109 +/* End Data Structures Section */
54111 +/* Hash functions generated by empirical testing by Brad Spengler
54112 + Makes good use of the low bits of the inode. Generally 0-1 times
54113 + in loop for successful match. 0-3 for unsuccessful match.
54114 + Shift/add algorithm with modulus of table size and an XOR*/
54116 +static __inline__ unsigned int
54117 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
54119 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
54122 + static __inline__ unsigned int
54123 +shash(const struct acl_subject_label *userp, const unsigned int sz)
54125 + return ((const unsigned long)userp % sz);
54128 +static __inline__ unsigned int
54129 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
54131 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
54134 +static __inline__ unsigned int
54135 +nhash(const char *name, const __u16 len, const unsigned int sz)
54137 + return full_name_hash((const unsigned char *)name, len) % sz;
54140 +#define FOR_EACH_ROLE_START(role) \
54141 + role = role_list; \
54144 +#define FOR_EACH_ROLE_END(role) \
54145 + role = role->prev; \
54148 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
54151 + while (iter < role->subj_hash_size) { \
54152 + if (subj == NULL) \
54153 + subj = role->subj_hash[iter]; \
54154 + if (subj == NULL) { \
54159 +#define FOR_EACH_SUBJECT_END(subj,iter) \
54160 + subj = subj->next; \
54161 + if (subj == NULL) \
54166 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
54167 + subj = role->hash->first; \
54168 + while (subj != NULL) {
54170 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
54171 + subj = subj->next; \
54176 diff -urNp linux-2.6.38.6/include/linux/gralloc.h linux-2.6.38.6/include/linux/gralloc.h
54177 --- linux-2.6.38.6/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
54178 +++ linux-2.6.38.6/include/linux/gralloc.h 2011-04-28 19:34:15.000000000 -0400
54180 +#ifndef __GRALLOC_H
54181 +#define __GRALLOC_H
54183 +void acl_free_all(void);
54184 +int acl_alloc_stack_init(unsigned long size);
54185 +void *acl_alloc(unsigned long len);
54186 +void *acl_alloc_num(unsigned long num, unsigned long len);
54189 diff -urNp linux-2.6.38.6/include/linux/grdefs.h linux-2.6.38.6/include/linux/grdefs.h
54190 --- linux-2.6.38.6/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
54191 +++ linux-2.6.38.6/include/linux/grdefs.h 2011-04-28 19:34:15.000000000 -0400
54196 +/* Begin grsecurity status declarations */
54200 + GR_STATUS_INIT = 0x00 // disabled state
54203 +/* Begin ACL declarations */
54208 + GR_ROLE_USER = 0x0001,
54209 + GR_ROLE_GROUP = 0x0002,
54210 + GR_ROLE_DEFAULT = 0x0004,
54211 + GR_ROLE_SPECIAL = 0x0008,
54212 + GR_ROLE_AUTH = 0x0010,
54213 + GR_ROLE_NOPW = 0x0020,
54214 + GR_ROLE_GOD = 0x0040,
54215 + GR_ROLE_LEARN = 0x0080,
54216 + GR_ROLE_TPE = 0x0100,
54217 + GR_ROLE_DOMAIN = 0x0200,
54218 + GR_ROLE_PAM = 0x0400,
54219 + GR_ROLE_PERSIST = 0x0800
54222 +/* ACL Subject and Object mode flags */
54224 + GR_DELETED = 0x80000000
54227 +/* ACL Object-only mode flags */
54229 + GR_READ = 0x00000001,
54230 + GR_APPEND = 0x00000002,
54231 + GR_WRITE = 0x00000004,
54232 + GR_EXEC = 0x00000008,
54233 + GR_FIND = 0x00000010,
54234 + GR_INHERIT = 0x00000020,
54235 + GR_SETID = 0x00000040,
54236 + GR_CREATE = 0x00000080,
54237 + GR_DELETE = 0x00000100,
54238 + GR_LINK = 0x00000200,
54239 + GR_AUDIT_READ = 0x00000400,
54240 + GR_AUDIT_APPEND = 0x00000800,
54241 + GR_AUDIT_WRITE = 0x00001000,
54242 + GR_AUDIT_EXEC = 0x00002000,
54243 + GR_AUDIT_FIND = 0x00004000,
54244 + GR_AUDIT_INHERIT= 0x00008000,
54245 + GR_AUDIT_SETID = 0x00010000,
54246 + GR_AUDIT_CREATE = 0x00020000,
54247 + GR_AUDIT_DELETE = 0x00040000,
54248 + GR_AUDIT_LINK = 0x00080000,
54249 + GR_PTRACERD = 0x00100000,
54250 + GR_NOPTRACE = 0x00200000,
54251 + GR_SUPPRESS = 0x00400000,
54252 + GR_NOLEARN = 0x00800000,
54253 + GR_INIT_TRANSFER= 0x01000000
54256 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
54257 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
54258 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
54260 +/* ACL subject-only mode flags */
54262 + GR_KILL = 0x00000001,
54263 + GR_VIEW = 0x00000002,
54264 + GR_PROTECTED = 0x00000004,
54265 + GR_LEARN = 0x00000008,
54266 + GR_OVERRIDE = 0x00000010,
54267 + /* just a placeholder, this mode is only used in userspace */
54268 + GR_DUMMY = 0x00000020,
54269 + GR_PROTSHM = 0x00000040,
54270 + GR_KILLPROC = 0x00000080,
54271 + GR_KILLIPPROC = 0x00000100,
54272 + /* just a placeholder, this mode is only used in userspace */
54273 + GR_NOTROJAN = 0x00000200,
54274 + GR_PROTPROCFD = 0x00000400,
54275 + GR_PROCACCT = 0x00000800,
54276 + GR_RELAXPTRACE = 0x00001000,
54277 + GR_NESTED = 0x00002000,
54278 + GR_INHERITLEARN = 0x00004000,
54279 + GR_PROCFIND = 0x00008000,
54280 + GR_POVERRIDE = 0x00010000,
54281 + GR_KERNELAUTH = 0x00020000,
54282 + GR_ATSECURE = 0x00040000
54286 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
54287 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
54288 + GR_PAX_ENABLE_MPROTECT = 0x0004,
54289 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
54290 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
54291 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
54292 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
54293 + GR_PAX_DISABLE_MPROTECT = 0x0400,
54294 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
54295 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
54299 + GR_ID_USER = 0x01,
54300 + GR_ID_GROUP = 0x02,
54304 + GR_ID_ALLOW = 0x01,
54305 + GR_ID_DENY = 0x02,
54308 +#define GR_CRASH_RES 31
54309 +#define GR_UIDTABLE_MAX 500
54311 +/* begin resource learning section */
54313 + GR_RLIM_CPU_BUMP = 60,
54314 + GR_RLIM_FSIZE_BUMP = 50000,
54315 + GR_RLIM_DATA_BUMP = 10000,
54316 + GR_RLIM_STACK_BUMP = 1000,
54317 + GR_RLIM_CORE_BUMP = 10000,
54318 + GR_RLIM_RSS_BUMP = 500000,
54319 + GR_RLIM_NPROC_BUMP = 1,
54320 + GR_RLIM_NOFILE_BUMP = 5,
54321 + GR_RLIM_MEMLOCK_BUMP = 50000,
54322 + GR_RLIM_AS_BUMP = 500000,
54323 + GR_RLIM_LOCKS_BUMP = 2,
54324 + GR_RLIM_SIGPENDING_BUMP = 5,
54325 + GR_RLIM_MSGQUEUE_BUMP = 10000,
54326 + GR_RLIM_NICE_BUMP = 1,
54327 + GR_RLIM_RTPRIO_BUMP = 1,
54328 + GR_RLIM_RTTIME_BUMP = 1000000
54332 diff -urNp linux-2.6.38.6/include/linux/grinternal.h linux-2.6.38.6/include/linux/grinternal.h
54333 --- linux-2.6.38.6/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
54334 +++ linux-2.6.38.6/include/linux/grinternal.h 2011-04-28 19:34:15.000000000 -0400
54336 +#ifndef __GRINTERNAL_H
54337 +#define __GRINTERNAL_H
54339 +#ifdef CONFIG_GRKERNSEC
54341 +#include <linux/fs.h>
54342 +#include <linux/mnt_namespace.h>
54343 +#include <linux/nsproxy.h>
54344 +#include <linux/gracl.h>
54345 +#include <linux/grdefs.h>
54346 +#include <linux/grmsg.h>
54348 +void gr_add_learn_entry(const char *fmt, ...)
54349 + __attribute__ ((format (printf, 1, 2)));
54350 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
54351 + const struct vfsmount *mnt);
54352 +__u32 gr_check_create(const struct dentry *new_dentry,
54353 + const struct dentry *parent,
54354 + const struct vfsmount *mnt, const __u32 mode);
54355 +int gr_check_protected_task(const struct task_struct *task);
54356 +__u32 to_gr_audit(const __u32 reqmode);
54357 +int gr_set_acls(const int type);
54358 +int gr_apply_subject_to_task(struct task_struct *task);
54359 +int gr_acl_is_enabled(void);
54360 +char gr_roletype_to_char(void);
54362 +void gr_handle_alertkill(struct task_struct *task);
54363 +char *gr_to_filename(const struct dentry *dentry,
54364 + const struct vfsmount *mnt);
54365 +char *gr_to_filename1(const struct dentry *dentry,
54366 + const struct vfsmount *mnt);
54367 +char *gr_to_filename2(const struct dentry *dentry,
54368 + const struct vfsmount *mnt);
54369 +char *gr_to_filename3(const struct dentry *dentry,
54370 + const struct vfsmount *mnt);
54372 +extern int grsec_enable_harden_ptrace;
54373 +extern int grsec_enable_link;
54374 +extern int grsec_enable_fifo;
54375 +extern int grsec_enable_execve;
54376 +extern int grsec_enable_shm;
54377 +extern int grsec_enable_execlog;
54378 +extern int grsec_enable_signal;
54379 +extern int grsec_enable_audit_ptrace;
54380 +extern int grsec_enable_forkfail;
54381 +extern int grsec_enable_time;
54382 +extern int grsec_enable_rofs;
54383 +extern int grsec_enable_chroot_shmat;
54384 +extern int grsec_enable_chroot_findtask;
54385 +extern int grsec_enable_chroot_mount;
54386 +extern int grsec_enable_chroot_double;
54387 +extern int grsec_enable_chroot_pivot;
54388 +extern int grsec_enable_chroot_chdir;
54389 +extern int grsec_enable_chroot_chmod;
54390 +extern int grsec_enable_chroot_mknod;
54391 +extern int grsec_enable_chroot_fchdir;
54392 +extern int grsec_enable_chroot_nice;
54393 +extern int grsec_enable_chroot_execlog;
54394 +extern int grsec_enable_chroot_caps;
54395 +extern int grsec_enable_chroot_sysctl;
54396 +extern int grsec_enable_chroot_unix;
54397 +extern int grsec_enable_tpe;
54398 +extern int grsec_tpe_gid;
54399 +extern int grsec_enable_tpe_all;
54400 +extern int grsec_enable_tpe_invert;
54401 +extern int grsec_enable_socket_all;
54402 +extern int grsec_socket_all_gid;
54403 +extern int grsec_enable_socket_client;
54404 +extern int grsec_socket_client_gid;
54405 +extern int grsec_enable_socket_server;
54406 +extern int grsec_socket_server_gid;
54407 +extern int grsec_audit_gid;
54408 +extern int grsec_enable_group;
54409 +extern int grsec_enable_audit_textrel;
54410 +extern int grsec_enable_log_rwxmaps;
54411 +extern int grsec_enable_mount;
54412 +extern int grsec_enable_chdir;
54413 +extern int grsec_resource_logging;
54414 +extern int grsec_enable_blackhole;
54415 +extern int grsec_lastack_retries;
54416 +extern int grsec_lock;
54418 +extern spinlock_t grsec_alert_lock;
54419 +extern unsigned long grsec_alert_wtime;
54420 +extern unsigned long grsec_alert_fyet;
54422 +extern spinlock_t grsec_audit_lock;
54424 +extern rwlock_t grsec_exec_file_lock;
54426 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
54427 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
54428 + (tsk)->exec_file->f_vfsmnt) : "/")
54430 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
54431 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
54432 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
54434 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
54435 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
54436 + (tsk)->exec_file->f_vfsmnt) : "/")
54438 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
54439 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
54440 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
54442 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
54444 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
54446 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
54447 + (task)->pid, (cred)->uid, \
54448 + (cred)->euid, (cred)->gid, (cred)->egid, \
54449 + gr_parent_task_fullpath(task), \
54450 + (task)->real_parent->comm, (task)->real_parent->pid, \
54451 + (pcred)->uid, (pcred)->euid, \
54452 + (pcred)->gid, (pcred)->egid
54454 +#define GR_CHROOT_CAPS {{ \
54455 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
54456 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
54457 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
54458 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
54459 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
54460 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
54462 +#define security_learn(normal_msg,args...) \
54464 + read_lock(&grsec_exec_file_lock); \
54465 + gr_add_learn_entry(normal_msg "\n", ## args); \
54466 + read_unlock(&grsec_exec_file_lock); \
54472 + /* used for non-audit messages that we shouldn't kill the task on */
54473 + GR_DONT_AUDIT_GOOD
54484 + GR_SYSCTL_HIDDEN,
54487 + GR_ONE_INT_TWO_STR,
54494 + GR_FIVE_INT_TWO_STR,
54500 + GR_FILENAME_TWO_INT,
54501 + GR_FILENAME_TWO_INT_STR,
54514 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
54515 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
54516 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
54517 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
54518 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
54519 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
54520 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
54521 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
54522 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
54523 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
54524 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
54525 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
54526 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
54527 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
54528 +#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
54529 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
54530 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
54531 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
54532 +#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
54533 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
54534 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
54535 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
54536 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
54537 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
54538 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
54539 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
54540 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
54541 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
54542 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
54543 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
54544 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
54545 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
54546 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
54547 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
54548 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
54550 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
54555 diff -urNp linux-2.6.38.6/include/linux/grmsg.h linux-2.6.38.6/include/linux/grmsg.h
54556 --- linux-2.6.38.6/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
54557 +++ linux-2.6.38.6/include/linux/grmsg.h 2011-04-28 19:34:15.000000000 -0400
54559 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
54560 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
54561 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
54562 +#define GR_STOPMOD_MSG "denied modification of module state by "
54563 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
54564 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
54565 +#define GR_IOPERM_MSG "denied use of ioperm() by "
54566 +#define GR_IOPL_MSG "denied use of iopl() by "
54567 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
54568 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
54569 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
54570 +#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
54571 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
54572 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
54573 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
54574 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
54575 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
54576 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
54577 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
54578 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
54579 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
54580 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
54581 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
54582 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
54583 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
54584 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
54585 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
54586 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
54587 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
54588 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
54589 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
54590 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
54591 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
54592 +#define GR_NPROC_MSG "denied overstep of process limit by "
54593 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
54594 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
54595 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
54596 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
54597 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
54598 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
54599 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
54600 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
54601 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
54602 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
54603 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
54604 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
54605 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
54606 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
54607 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
54608 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
54609 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
54610 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
54611 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
54612 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
54613 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
54614 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
54615 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
54616 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
54617 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
54618 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
54619 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
54620 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
54621 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
54622 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
54623 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
54624 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
54625 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
54626 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
54627 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
54628 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
54629 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
54630 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
54631 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
54632 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
54633 +#define GR_NICE_CHROOT_MSG "denied priority change by "
54634 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
54635 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
54636 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
54637 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
54638 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
54639 +#define GR_TIME_MSG "time set by "
54640 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
54641 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
54642 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
54643 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
54644 +#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
54645 +#define GR_BIND_MSG "denied bind() by "
54646 +#define GR_CONNECT_MSG "denied connect() by "
54647 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
54648 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
54649 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
54650 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
54651 +#define GR_CAP_ACL_MSG "use of %s denied for "
54652 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
54653 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
54654 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
54655 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
54656 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
54657 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
54658 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
54659 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
54660 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
54661 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
54662 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
54663 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
54664 +#define GR_VM86_MSG "denied use of vm86 by "
54665 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
54666 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
54667 diff -urNp linux-2.6.38.6/include/linux/grsecurity.h linux-2.6.38.6/include/linux/grsecurity.h
54668 --- linux-2.6.38.6/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
54669 +++ linux-2.6.38.6/include/linux/grsecurity.h 2011-04-28 19:34:15.000000000 -0400
54671 +#ifndef GR_SECURITY_H
54672 +#define GR_SECURITY_H
54673 +#include <linux/fs.h>
54674 +#include <linux/fs_struct.h>
54675 +#include <linux/binfmts.h>
54676 +#include <linux/gracl.h>
54677 +#include <linux/compat.h>
54679 +/* notify of brain-dead configs */
54680 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
54681 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
54683 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
54684 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
54686 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
54687 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
54689 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
54690 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
54692 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
54693 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
54696 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
54697 +void gr_handle_brute_check(void);
54698 +void gr_handle_kernel_exploit(void);
54699 +int gr_process_user_ban(void);
54701 +char gr_roletype_to_char(void);
54703 +int gr_acl_enable_at_secure(void);
54705 +int gr_check_user_change(int real, int effective, int fs);
54706 +int gr_check_group_change(int real, int effective, int fs);
54708 +void gr_del_task_from_ip_table(struct task_struct *p);
54710 +int gr_pid_is_chrooted(struct task_struct *p);
54711 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
54712 +int gr_handle_chroot_nice(void);
54713 +int gr_handle_chroot_sysctl(const int op);
54714 +int gr_handle_chroot_setpriority(struct task_struct *p,
54715 + const int niceval);
54716 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
54717 +int gr_handle_chroot_chroot(const struct dentry *dentry,
54718 + const struct vfsmount *mnt);
54719 +int gr_handle_chroot_caps(struct path *path);
54720 +void gr_handle_chroot_chdir(struct path *path);
54721 +int gr_handle_chroot_chmod(const struct dentry *dentry,
54722 + const struct vfsmount *mnt, const int mode);
54723 +int gr_handle_chroot_mknod(const struct dentry *dentry,
54724 + const struct vfsmount *mnt, const int mode);
54725 +int gr_handle_chroot_mount(const struct dentry *dentry,
54726 + const struct vfsmount *mnt,
54727 + const char *dev_name);
54728 +int gr_handle_chroot_pivot(void);
54729 +int gr_handle_chroot_unix(struct pid *pid);
54731 +int gr_handle_rawio(const struct inode *inode);
54732 +int gr_handle_nproc(void);
54734 +void gr_handle_ioperm(void);
54735 +void gr_handle_iopl(void);
54737 +int gr_tpe_allow(const struct file *file);
54739 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
54740 +void gr_clear_chroot_entries(struct task_struct *task);
54742 +void gr_log_forkfail(const int retval);
54743 +void gr_log_timechange(void);
54744 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
54745 +void gr_log_chdir(const struct dentry *dentry,
54746 + const struct vfsmount *mnt);
54747 +void gr_log_chroot_exec(const struct dentry *dentry,
54748 + const struct vfsmount *mnt);
54749 +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
54750 +#ifdef CONFIG_COMPAT
54751 +void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
54753 +void gr_log_remount(const char *devname, const int retval);
54754 +void gr_log_unmount(const char *devname, const int retval);
54755 +void gr_log_mount(const char *from, const char *to, const int retval);
54756 +void gr_log_textrel(struct vm_area_struct *vma);
54757 +void gr_log_rwxmmap(struct file *file);
54758 +void gr_log_rwxmprotect(struct file *file);
54760 +int gr_handle_follow_link(const struct inode *parent,
54761 + const struct inode *inode,
54762 + const struct dentry *dentry,
54763 + const struct vfsmount *mnt);
54764 +int gr_handle_fifo(const struct dentry *dentry,
54765 + const struct vfsmount *mnt,
54766 + const struct dentry *dir, const int flag,
54767 + const int acc_mode);
54768 +int gr_handle_hardlink(const struct dentry *dentry,
54769 + const struct vfsmount *mnt,
54770 + struct inode *inode,
54771 + const int mode, const char *to);
54773 +int gr_is_capable(const int cap);
54774 +int gr_is_capable_nolog(const int cap);
54775 +void gr_learn_resource(const struct task_struct *task, const int limit,
54776 + const unsigned long wanted, const int gt);
54777 +void gr_copy_label(struct task_struct *tsk);
54778 +void gr_handle_crash(struct task_struct *task, const int sig);
54779 +int gr_handle_signal(const struct task_struct *p, const int sig);
54780 +int gr_check_crash_uid(const uid_t uid);
54781 +int gr_check_protected_task(const struct task_struct *task);
54782 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
54783 +int gr_acl_handle_mmap(const struct file *file,
54784 + const unsigned long prot);
54785 +int gr_acl_handle_mprotect(const struct file *file,
54786 + const unsigned long prot);
54787 +int gr_check_hidden_task(const struct task_struct *tsk);
54788 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
54789 + const struct vfsmount *mnt);
54790 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
54791 + const struct vfsmount *mnt);
54792 +__u32 gr_acl_handle_access(const struct dentry *dentry,
54793 + const struct vfsmount *mnt, const int fmode);
54794 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
54795 + const struct vfsmount *mnt, mode_t mode);
54796 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
54797 + const struct vfsmount *mnt, mode_t mode);
54798 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
54799 + const struct vfsmount *mnt);
54800 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
54801 + const struct vfsmount *mnt);
54802 +int gr_handle_ptrace(struct task_struct *task, const long request);
54803 +int gr_handle_proc_ptrace(struct task_struct *task);
54804 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
54805 + const struct vfsmount *mnt);
54806 +int gr_check_crash_exec(const struct file *filp);
54807 +int gr_acl_is_enabled(void);
54808 +void gr_set_kernel_label(struct task_struct *task);
54809 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
54810 + const gid_t gid);
54811 +int gr_set_proc_label(const struct dentry *dentry,
54812 + const struct vfsmount *mnt,
54813 + const int unsafe_share);
54814 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
54815 + const struct vfsmount *mnt);
54816 +__u32 gr_acl_handle_open(const struct dentry *dentry,
54817 + const struct vfsmount *mnt, const int fmode);
54818 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
54819 + const struct dentry *p_dentry,
54820 + const struct vfsmount *p_mnt, const int fmode,
54821 + const int imode);
54822 +void gr_handle_create(const struct dentry *dentry,
54823 + const struct vfsmount *mnt);
54824 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
54825 + const struct dentry *parent_dentry,
54826 + const struct vfsmount *parent_mnt,
54828 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
54829 + const struct dentry *parent_dentry,
54830 + const struct vfsmount *parent_mnt);
54831 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
54832 + const struct vfsmount *mnt);
54833 +void gr_handle_delete(const ino_t ino, const dev_t dev);
54834 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
54835 + const struct vfsmount *mnt);
54836 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
54837 + const struct dentry *parent_dentry,
54838 + const struct vfsmount *parent_mnt,
54839 + const char *from);
54840 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
54841 + const struct dentry *parent_dentry,
54842 + const struct vfsmount *parent_mnt,
54843 + const struct dentry *old_dentry,
54844 + const struct vfsmount *old_mnt, const char *to);
54845 +int gr_acl_handle_rename(struct dentry *new_dentry,
54846 + struct dentry *parent_dentry,
54847 + const struct vfsmount *parent_mnt,
54848 + struct dentry *old_dentry,
54849 + struct inode *old_parent_inode,
54850 + struct vfsmount *old_mnt, const char *newname);
54851 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
54852 + struct dentry *old_dentry,
54853 + struct dentry *new_dentry,
54854 + struct vfsmount *mnt, const __u8 replace);
54855 +__u32 gr_check_link(const struct dentry *new_dentry,
54856 + const struct dentry *parent_dentry,
54857 + const struct vfsmount *parent_mnt,
54858 + const struct dentry *old_dentry,
54859 + const struct vfsmount *old_mnt);
54860 +int gr_acl_handle_filldir(const struct file *file, const char *name,
54861 + const unsigned int namelen, const ino_t ino);
54863 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
54864 + const struct vfsmount *mnt);
54865 +void gr_acl_handle_exit(void);
54866 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
54867 +int gr_acl_handle_procpidmem(const struct task_struct *task);
54868 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
54869 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
54870 +void gr_audit_ptrace(struct task_struct *task);
54871 +dev_t gr_get_dev_from_dentry(struct dentry *dentry);
54873 +#ifdef CONFIG_GRKERNSEC
54874 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
54875 +void gr_handle_vm86(void);
54876 +void gr_handle_mem_readwrite(u64 from, u64 to);
54878 +extern int grsec_enable_dmesg;
54879 +extern int grsec_disable_privio;
54883 diff -urNp linux-2.6.38.6/include/linux/grsock.h linux-2.6.38.6/include/linux/grsock.h
54884 --- linux-2.6.38.6/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
54885 +++ linux-2.6.38.6/include/linux/grsock.h 2011-04-28 19:34:15.000000000 -0400
54887 +#ifndef __GRSOCK_H
54888 +#define __GRSOCK_H
54890 +extern void gr_attach_curr_ip(const struct sock *sk);
54891 +extern int gr_handle_sock_all(const int family, const int type,
54892 + const int protocol);
54893 +extern int gr_handle_sock_server(const struct sockaddr *sck);
54894 +extern int gr_handle_sock_server_other(const struct sock *sck);
54895 +extern int gr_handle_sock_client(const struct sockaddr *sck);
54896 +extern int gr_search_connect(struct socket * sock,
54897 + struct sockaddr_in * addr);
54898 +extern int gr_search_bind(struct socket * sock,
54899 + struct sockaddr_in * addr);
54900 +extern int gr_search_listen(struct socket * sock);
54901 +extern int gr_search_accept(struct socket * sock);
54902 +extern int gr_search_socket(const int domain, const int type,
54903 + const int protocol);
54906 diff -urNp linux-2.6.38.6/include/linux/highmem.h linux-2.6.38.6/include/linux/highmem.h
54907 --- linux-2.6.38.6/include/linux/highmem.h 2011-03-14 21:20:32.000000000 -0400
54908 +++ linux-2.6.38.6/include/linux/highmem.h 2011-04-28 19:34:15.000000000 -0400
54909 @@ -185,6 +185,18 @@ static inline void clear_highpage(struct
54910 kunmap_atomic(kaddr, KM_USER0);
54913 +static inline void sanitize_highpage(struct page *page)
54916 + unsigned long flags;
54918 + local_irq_save(flags);
54919 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
54920 + clear_page(kaddr);
54921 + kunmap_atomic(kaddr, KM_CLEARPAGE);
54922 + local_irq_restore(flags);
54925 static inline void zero_user_segments(struct page *page,
54926 unsigned start1, unsigned end1,
54927 unsigned start2, unsigned end2)
54928 diff -urNp linux-2.6.38.6/include/linux/i2o.h linux-2.6.38.6/include/linux/i2o.h
54929 --- linux-2.6.38.6/include/linux/i2o.h 2011-03-14 21:20:32.000000000 -0400
54930 +++ linux-2.6.38.6/include/linux/i2o.h 2011-04-28 19:57:25.000000000 -0400
54931 @@ -564,7 +564,7 @@ struct i2o_controller {
54932 struct i2o_device *exec; /* Executive */
54933 #if BITS_PER_LONG == 64
54934 spinlock_t context_list_lock; /* lock for context_list */
54935 - atomic_t context_list_counter; /* needed for unique contexts */
54936 + atomic_unchecked_t context_list_counter; /* needed for unique contexts */
54937 struct list_head context_list; /* list of context id's
54940 diff -urNp linux-2.6.38.6/include/linux/init.h linux-2.6.38.6/include/linux/init.h
54941 --- linux-2.6.38.6/include/linux/init.h 2011-03-14 21:20:32.000000000 -0400
54942 +++ linux-2.6.38.6/include/linux/init.h 2011-04-28 19:34:15.000000000 -0400
54943 @@ -293,13 +293,13 @@ void __init parse_early_options(char *cm
54945 /* Each module must use one module_init(). */
54946 #define module_init(initfn) \
54947 - static inline initcall_t __inittest(void) \
54948 + static inline __used initcall_t __inittest(void) \
54949 { return initfn; } \
54950 int init_module(void) __attribute__((alias(#initfn)));
54952 /* This is only required if you want to be unloadable. */
54953 #define module_exit(exitfn) \
54954 - static inline exitcall_t __exittest(void) \
54955 + static inline __used exitcall_t __exittest(void) \
54956 { return exitfn; } \
54957 void cleanup_module(void) __attribute__((alias(#exitfn)));
54959 diff -urNp linux-2.6.38.6/include/linux/init_task.h linux-2.6.38.6/include/linux/init_task.h
54960 --- linux-2.6.38.6/include/linux/init_task.h 2011-03-14 21:20:32.000000000 -0400
54961 +++ linux-2.6.38.6/include/linux/init_task.h 2011-04-30 19:59:43.000000000 -0400
54962 @@ -83,6 +83,12 @@ extern struct group_info init_groups;
54967 +#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
54969 +#define INIT_TASK_THREAD_INFO
54973 * Because of the reduced scope of CAP_SETPCAP when filesystem
54974 * capabilities are in effect, it is safe to allow CAP_SETPCAP to
54975 @@ -163,6 +169,7 @@ extern struct cred init_cred;
54976 RCU_INIT_POINTER(.cred, &init_cred), \
54977 .comm = "swapper", \
54978 .thread = INIT_THREAD, \
54979 + INIT_TASK_THREAD_INFO \
54981 .files = &init_files, \
54982 .signal = &init_signals, \
54983 diff -urNp linux-2.6.38.6/include/linux/interrupt.h linux-2.6.38.6/include/linux/interrupt.h
54984 --- linux-2.6.38.6/include/linux/interrupt.h 2011-03-14 21:20:32.000000000 -0400
54985 +++ linux-2.6.38.6/include/linux/interrupt.h 2011-04-28 19:34:15.000000000 -0400
54986 @@ -393,7 +393,7 @@ enum
54987 /* map softirq index to softirq name. update 'softirq_to_name' in
54988 * kernel/softirq.c when adding a new softirq.
54990 -extern char *softirq_to_name[NR_SOFTIRQS];
54991 +extern const char * const softirq_to_name[NR_SOFTIRQS];
54993 /* softirq mask and active fields moved to irq_cpustat_t in
54994 * asm/hardirq.h to get better cache usage. KAO
54995 @@ -401,12 +401,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
54997 struct softirq_action
54999 - void (*action)(struct softirq_action *);
55000 + void (*action)(void);
55003 asmlinkage void do_softirq(void);
55004 asmlinkage void __do_softirq(void);
55005 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
55006 +extern void open_softirq(int nr, void (*action)(void));
55007 extern void softirq_init(void);
55008 static inline void __raise_softirq_irqoff(unsigned int nr)
55010 diff -urNp linux-2.6.38.6/include/linux/kallsyms.h linux-2.6.38.6/include/linux/kallsyms.h
55011 --- linux-2.6.38.6/include/linux/kallsyms.h 2011-03-14 21:20:32.000000000 -0400
55012 +++ linux-2.6.38.6/include/linux/kallsyms.h 2011-04-28 19:34:15.000000000 -0400
55017 -#ifdef CONFIG_KALLSYMS
55018 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
55019 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
55020 /* Lookup the address for a symbol. Returns 0 if not found. */
55021 unsigned long kallsyms_lookup_name(const char *name);
55023 @@ -92,6 +93,15 @@ static inline int lookup_symbol_attrs(un
55024 /* Stupid that this does nothing, but I didn't create this mess. */
55025 #define __print_symbol(fmt, addr)
55026 #endif /*CONFIG_KALLSYMS*/
55027 +#else /* when included by kallsyms.c, vsnprintf.c, or
55028 + arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
55029 +extern void __print_symbol(const char *fmt, unsigned long address);
55030 +extern int sprint_symbol(char *buffer, unsigned long address);
55031 +const char *kallsyms_lookup(unsigned long addr,
55032 + unsigned long *symbolsize,
55033 + unsigned long *offset,
55034 + char **modname, char *namebuf);
55037 /* This macro allows us to keep printk typechecking */
55038 static void __check_printsym_format(const char *fmt, ...)
55039 diff -urNp linux-2.6.38.6/include/linux/kgdb.h linux-2.6.38.6/include/linux/kgdb.h
55040 --- linux-2.6.38.6/include/linux/kgdb.h 2011-03-14 21:20:32.000000000 -0400
55041 +++ linux-2.6.38.6/include/linux/kgdb.h 2011-04-28 19:57:25.000000000 -0400
55042 @@ -53,7 +53,7 @@ extern int kgdb_connected;
55043 extern int kgdb_io_module_registered;
55045 extern atomic_t kgdb_setting_breakpoint;
55046 -extern atomic_t kgdb_cpu_doing_single_step;
55047 +extern atomic_unchecked_t kgdb_cpu_doing_single_step;
55049 extern struct task_struct *kgdb_usethread;
55050 extern struct task_struct *kgdb_contthread;
55051 @@ -269,22 +269,22 @@ struct kgdb_arch {
55055 - int (*read_char) (void);
55056 - void (*write_char) (u8);
55057 - void (*flush) (void);
55058 - int (*init) (void);
55059 - void (*pre_exception) (void);
55060 - void (*post_exception) (void);
55061 + int (* const read_char) (void);
55062 + void (* const write_char) (u8);
55063 + void (* const flush) (void);
55064 + int (* const init) (void);
55065 + void (* const pre_exception) (void);
55066 + void (* const post_exception) (void);
55070 -extern struct kgdb_arch arch_kgdb_ops;
55071 +extern const struct kgdb_arch arch_kgdb_ops;
55073 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
55075 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
55076 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
55077 -extern struct kgdb_io *dbg_io_ops;
55078 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
55079 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
55080 +extern const struct kgdb_io *dbg_io_ops;
55082 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
55083 extern char *kgdb_mem2hex(char *mem, char *buf, int count);
55084 diff -urNp linux-2.6.38.6/include/linux/kmod.h linux-2.6.38.6/include/linux/kmod.h
55085 --- linux-2.6.38.6/include/linux/kmod.h 2011-03-14 21:20:32.000000000 -0400
55086 +++ linux-2.6.38.6/include/linux/kmod.h 2011-04-28 19:34:15.000000000 -0400
55087 @@ -33,6 +33,8 @@ extern char modprobe_path[]; /* for sysc
55088 * usually useless though. */
55089 extern int __request_module(bool wait, const char *name, ...) \
55090 __attribute__((format(printf, 2, 3)));
55091 +extern int ___request_module(bool wait, char *param_name, const char *name, ...) \
55092 + __attribute__((format(printf, 3, 4)));
55093 #define request_module(mod...) __request_module(true, mod)
55094 #define request_module_nowait(mod...) __request_module(false, mod)
55095 #define try_then_request_module(x, mod...) \
55096 diff -urNp linux-2.6.38.6/include/linux/kvm_host.h linux-2.6.38.6/include/linux/kvm_host.h
55097 --- linux-2.6.38.6/include/linux/kvm_host.h 2011-03-14 21:20:32.000000000 -0400
55098 +++ linux-2.6.38.6/include/linux/kvm_host.h 2011-04-28 19:34:15.000000000 -0400
55099 @@ -288,7 +288,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
55100 void vcpu_load(struct kvm_vcpu *vcpu);
55101 void vcpu_put(struct kvm_vcpu *vcpu);
55103 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
55104 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
55105 struct module *module);
55106 void kvm_exit(void);
55108 @@ -428,7 +428,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
55109 struct kvm_guest_debug *dbg);
55110 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
55112 -int kvm_arch_init(void *opaque);
55113 +int kvm_arch_init(const void *opaque);
55114 void kvm_arch_exit(void);
55116 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
55117 diff -urNp linux-2.6.38.6/include/linux/libata.h linux-2.6.38.6/include/linux/libata.h
55118 --- linux-2.6.38.6/include/linux/libata.h 2011-05-10 22:06:27.000000000 -0400
55119 +++ linux-2.6.38.6/include/linux/libata.h 2011-05-10 22:06:56.000000000 -0400
55120 @@ -531,11 +531,11 @@ struct ata_ioports {
55124 - struct device *dev;
55125 + struct device *dev;
55126 void __iomem * const *iomap;
55127 unsigned int n_ports;
55128 void *private_data;
55129 - struct ata_port_operations *ops;
55130 + const struct ata_port_operations *ops;
55131 unsigned long flags;
55133 struct mutex eh_mutex;
55134 @@ -726,7 +726,7 @@ struct ata_link {
55137 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
55138 - struct ata_port_operations *ops;
55139 + const struct ata_port_operations *ops;
55141 /* Flags owned by the EH context. Only EH should touch these once the
55143 @@ -914,7 +914,7 @@ struct ata_port_info {
55144 unsigned long pio_mask;
55145 unsigned long mwdma_mask;
55146 unsigned long udma_mask;
55147 - struct ata_port_operations *port_ops;
55148 + const struct ata_port_operations *port_ops;
55149 void *private_data;
55152 @@ -938,7 +938,7 @@ extern const unsigned long sata_deb_timi
55153 extern const unsigned long sata_deb_timing_hotplug[];
55154 extern const unsigned long sata_deb_timing_long[];
55156 -extern struct ata_port_operations ata_dummy_port_ops;
55157 +extern const struct ata_port_operations ata_dummy_port_ops;
55158 extern const struct ata_port_info ata_dummy_port_info;
55160 static inline const unsigned long *
55161 @@ -984,7 +984,7 @@ extern int ata_host_activate(struct ata_
55162 struct scsi_host_template *sht);
55163 extern void ata_host_detach(struct ata_host *host);
55164 extern void ata_host_init(struct ata_host *, struct device *,
55165 - unsigned long, struct ata_port_operations *);
55166 + unsigned long, const struct ata_port_operations *);
55167 extern int ata_scsi_detect(struct scsi_host_template *sht);
55168 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
55169 extern int ata_scsi_queuecmd(struct Scsi_Host *h, struct scsi_cmnd *cmd);
55170 diff -urNp linux-2.6.38.6/include/linux/lockd/bind.h linux-2.6.38.6/include/linux/lockd/bind.h
55171 --- linux-2.6.38.6/include/linux/lockd/bind.h 2011-03-14 21:20:32.000000000 -0400
55172 +++ linux-2.6.38.6/include/linux/lockd/bind.h 2011-04-28 19:34:15.000000000 -0400
55173 @@ -23,13 +23,13 @@ struct svc_rqst;
55174 * This is the set of functions for lockd->nfsd communication
55176 struct nlmsvc_binding {
55177 - __be32 (*fopen)(struct svc_rqst *,
55178 + __be32 (* const fopen)(struct svc_rqst *,
55181 - void (*fclose)(struct file *);
55182 + void (* const fclose)(struct file *);
55185 -extern struct nlmsvc_binding * nlmsvc_ops;
55186 +extern const struct nlmsvc_binding * nlmsvc_ops;
55189 * Similar to nfs_client_initdata, but without the NFS-specific
55190 diff -urNp linux-2.6.38.6/include/linux/mm.h linux-2.6.38.6/include/linux/mm.h
55191 --- linux-2.6.38.6/include/linux/mm.h 2011-05-10 22:06:27.000000000 -0400
55192 +++ linux-2.6.38.6/include/linux/mm.h 2011-05-10 22:06:56.000000000 -0400
55193 @@ -113,7 +113,14 @@ extern unsigned int kobjsize(const void
55195 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
55196 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
55198 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
55199 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
55200 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
55202 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
55205 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
55206 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
55208 @@ -993,12 +1000,6 @@ int set_page_dirty(struct page *page);
55209 int set_page_dirty_lock(struct page *page);
55210 int clear_page_dirty_for_io(struct page *page);
55212 -/* Is the vma a continuation of the stack vma above it? */
55213 -static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
55215 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
55218 extern unsigned long move_page_tables(struct vm_area_struct *vma,
55219 unsigned long old_addr, struct vm_area_struct *new_vma,
55220 unsigned long new_addr, unsigned long len);
55221 @@ -1150,6 +1151,15 @@ struct shrinker {
55222 extern void register_shrinker(struct shrinker *);
55223 extern void unregister_shrinker(struct shrinker *);
55226 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
55228 +static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
55230 + return __pgprot(0);
55234 int vma_wants_writenotify(struct vm_area_struct *vma);
55236 extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
55237 @@ -1439,6 +1449,7 @@ out:
55240 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
55241 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
55243 extern unsigned long do_brk(unsigned long, unsigned long);
55245 @@ -1495,6 +1506,10 @@ extern struct vm_area_struct * find_vma(
55246 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
55247 struct vm_area_struct **pprev);
55249 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
55250 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
55251 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
55253 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
55254 NULL if none. Assume start_addr < end_addr. */
55255 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
55256 @@ -1511,15 +1526,6 @@ static inline unsigned long vma_pages(st
55257 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
55261 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
55263 -static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
55265 - return __pgprot(0);
55269 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
55270 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
55271 unsigned long pfn, unsigned long size, pgprot_t);
55272 @@ -1628,7 +1634,7 @@ extern int unpoison_memory(unsigned long
55273 extern int sysctl_memory_failure_early_kill;
55274 extern int sysctl_memory_failure_recovery;
55275 extern void shake_page(struct page *p, int access);
55276 -extern atomic_long_t mce_bad_pages;
55277 +extern atomic_long_unchecked_t mce_bad_pages;
55278 extern int soft_offline_page(struct page *page, int flags);
55279 #ifdef CONFIG_MEMORY_FAILURE
55280 int is_hwpoison_address(unsigned long addr);
55281 @@ -1650,5 +1656,11 @@ extern void copy_user_huge_page(struct p
55282 unsigned int pages_per_huge_page);
55283 #endif /* CONFIG_TRANSPARENT_HUGEPAGE || CONFIG_HUGETLBFS */
55285 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
55286 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
55288 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
55291 #endif /* __KERNEL__ */
55292 #endif /* _LINUX_MM_H */
55293 diff -urNp linux-2.6.38.6/include/linux/mm_types.h linux-2.6.38.6/include/linux/mm_types.h
55294 --- linux-2.6.38.6/include/linux/mm_types.h 2011-03-14 21:20:32.000000000 -0400
55295 +++ linux-2.6.38.6/include/linux/mm_types.h 2011-04-28 19:34:15.000000000 -0400
55296 @@ -183,6 +183,8 @@ struct vm_area_struct {
55298 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
55301 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
55304 struct core_thread {
55305 @@ -315,6 +317,24 @@ struct mm_struct {
55307 /* How many tasks sharing this mm are OOM_DISABLE */
55308 atomic_t oom_disable_count;
55310 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
55311 + unsigned long pax_flags;
55314 +#ifdef CONFIG_PAX_DLRESOLVE
55315 + unsigned long call_dl_resolve;
55318 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
55319 + unsigned long call_syscall;
55322 +#ifdef CONFIG_PAX_ASLR
55323 + unsigned long delta_mmap; /* randomized offset */
55324 + unsigned long delta_stack; /* randomized offset */
55329 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
55330 diff -urNp linux-2.6.38.6/include/linux/mmu_notifier.h linux-2.6.38.6/include/linux/mmu_notifier.h
55331 --- linux-2.6.38.6/include/linux/mmu_notifier.h 2011-03-14 21:20:32.000000000 -0400
55332 +++ linux-2.6.38.6/include/linux/mmu_notifier.h 2011-04-28 19:34:15.000000000 -0400
55333 @@ -255,12 +255,12 @@ static inline void mmu_notifier_mm_destr
55335 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
55339 struct vm_area_struct *___vma = __vma; \
55340 unsigned long ___address = __address; \
55341 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
55342 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
55343 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
55348 #define pmdp_clear_flush_notify(__vma, __address, __pmdp) \
55349 diff -urNp linux-2.6.38.6/include/linux/mmzone.h linux-2.6.38.6/include/linux/mmzone.h
55350 --- linux-2.6.38.6/include/linux/mmzone.h 2011-03-14 21:20:32.000000000 -0400
55351 +++ linux-2.6.38.6/include/linux/mmzone.h 2011-04-28 19:34:15.000000000 -0400
55352 @@ -355,7 +355,7 @@ struct zone {
55353 unsigned long flags; /* zone flags, see below */
55355 /* Zone statistics */
55356 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
55357 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
55360 * The target ratio of ACTIVE_ANON to INACTIVE_ANON pages on
55361 diff -urNp linux-2.6.38.6/include/linux/mod_devicetable.h linux-2.6.38.6/include/linux/mod_devicetable.h
55362 --- linux-2.6.38.6/include/linux/mod_devicetable.h 2011-03-14 21:20:32.000000000 -0400
55363 +++ linux-2.6.38.6/include/linux/mod_devicetable.h 2011-04-28 19:34:15.000000000 -0400
55365 typedef unsigned long kernel_ulong_t;
55368 -#define PCI_ANY_ID (~0)
55369 +#define PCI_ANY_ID ((__u16)~0)
55371 struct pci_device_id {
55372 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
55373 @@ -131,7 +131,7 @@ struct usb_device_id {
55374 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
55375 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
55377 -#define HID_ANY_ID (~0)
55378 +#define HID_ANY_ID (~0U)
55380 struct hid_device_id {
55382 diff -urNp linux-2.6.38.6/include/linux/module.h linux-2.6.38.6/include/linux/module.h
55383 --- linux-2.6.38.6/include/linux/module.h 2011-03-14 21:20:32.000000000 -0400
55384 +++ linux-2.6.38.6/include/linux/module.h 2011-04-28 19:34:15.000000000 -0400
55385 @@ -324,19 +324,16 @@ struct module
55388 /* If this is non-NULL, vfree after init() returns */
55389 - void *module_init;
55390 + void *module_init_rx, *module_init_rw;
55392 /* Here is the actual code + data, vfree'd on unload. */
55393 - void *module_core;
55394 + void *module_core_rx, *module_core_rw;
55396 /* Here are the sizes of the init and core sections */
55397 - unsigned int init_size, core_size;
55398 + unsigned int init_size_rw, core_size_rw;
55400 /* The size of the executable code in each section. */
55401 - unsigned int init_text_size, core_text_size;
55403 - /* Size of RO sections of the module (text+rodata) */
55404 - unsigned int init_ro_size, core_ro_size;
55405 + unsigned int init_size_rx, core_size_rx;
55407 /* Arch-specific module values */
55408 struct mod_arch_specific arch;
55409 @@ -441,16 +438,46 @@ bool is_module_address(unsigned long add
55410 bool is_module_percpu_address(unsigned long addr);
55411 bool is_module_text_address(unsigned long addr);
55413 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
55416 +#ifdef CONFIG_PAX_KERNEXEC
55417 + if (ktla_ktva(addr) >= (unsigned long)start &&
55418 + ktla_ktva(addr) < (unsigned long)start + size)
55422 + return ((void *)addr >= start && (void *)addr < start + size);
55425 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
55427 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
55430 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
55432 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
55435 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
55437 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
55440 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
55442 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
55445 static inline int within_module_core(unsigned long addr, struct module *mod)
55447 - return (unsigned long)mod->module_core <= addr &&
55448 - addr < (unsigned long)mod->module_core + mod->core_size;
55449 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
55452 static inline int within_module_init(unsigned long addr, struct module *mod)
55454 - return (unsigned long)mod->module_init <= addr &&
55455 - addr < (unsigned long)mod->module_init + mod->init_size;
55456 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
55459 /* Search for module by name: must hold module_mutex. */
55460 diff -urNp linux-2.6.38.6/include/linux/moduleloader.h linux-2.6.38.6/include/linux/moduleloader.h
55461 --- linux-2.6.38.6/include/linux/moduleloader.h 2011-03-14 21:20:32.000000000 -0400
55462 +++ linux-2.6.38.6/include/linux/moduleloader.h 2011-04-28 19:34:15.000000000 -0400
55463 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
55464 sections. Returns NULL on failure. */
55465 void *module_alloc(unsigned long size);
55467 +#ifdef CONFIG_PAX_KERNEXEC
55468 +void *module_alloc_exec(unsigned long size);
55470 +#define module_alloc_exec(x) module_alloc(x)
55473 /* Free memory returned from module_alloc. */
55474 void module_free(struct module *mod, void *module_region);
55476 +#ifdef CONFIG_PAX_KERNEXEC
55477 +void module_free_exec(struct module *mod, void *module_region);
55479 +#define module_free_exec(x, y) module_free((x), (y))
55482 /* Apply the given relocation to the (simplified) ELF. Return -error
55484 int apply_relocate(Elf_Shdr *sechdrs,
55485 diff -urNp linux-2.6.38.6/include/linux/moduleparam.h linux-2.6.38.6/include/linux/moduleparam.h
55486 --- linux-2.6.38.6/include/linux/moduleparam.h 2011-03-14 21:20:32.000000000 -0400
55487 +++ linux-2.6.38.6/include/linux/moduleparam.h 2011-04-28 19:34:15.000000000 -0400
55488 @@ -255,7 +255,7 @@ static inline void __kernel_param_unlock
55489 * @len is usually just sizeof(string).
55491 #define module_param_string(name, string, len, perm) \
55492 - static const struct kparam_string __param_string_##name \
55493 + static const struct kparam_string __param_string_##name __used \
55494 = { len, string }; \
55495 __module_param_call(MODULE_PARAM_PREFIX, name, \
55496 ¶m_ops_string, \
55497 @@ -370,7 +370,7 @@ extern int param_get_invbool(char *buffe
55498 * module_param_named() for why this might be necessary.
55500 #define module_param_array_named(name, array, type, nump, perm) \
55501 - static const struct kparam_array __param_arr_##name \
55502 + static const struct kparam_array __param_arr_##name __used \
55503 = { ARRAY_SIZE(array), nump, ¶m_ops_##type, \
55504 sizeof(array[0]), array }; \
55505 __module_param_call(MODULE_PARAM_PREFIX, name, \
55506 diff -urNp linux-2.6.38.6/include/linux/mutex.h linux-2.6.38.6/include/linux/mutex.h
55507 --- linux-2.6.38.6/include/linux/mutex.h 2011-03-14 21:20:32.000000000 -0400
55508 +++ linux-2.6.38.6/include/linux/mutex.h 2011-04-28 19:34:15.000000000 -0400
55509 @@ -51,7 +51,7 @@ struct mutex {
55510 spinlock_t wait_lock;
55511 struct list_head wait_list;
55512 #if defined(CONFIG_DEBUG_MUTEXES) || defined(CONFIG_SMP)
55513 - struct thread_info *owner;
55514 + struct task_struct *owner;
55516 #ifdef CONFIG_DEBUG_MUTEXES
55518 diff -urNp linux-2.6.38.6/include/linux/namei.h linux-2.6.38.6/include/linux/namei.h
55519 --- linux-2.6.38.6/include/linux/namei.h 2011-03-14 21:20:32.000000000 -0400
55520 +++ linux-2.6.38.6/include/linux/namei.h 2011-04-28 19:34:15.000000000 -0400
55521 @@ -25,7 +25,7 @@ struct nameidata {
55525 - char *saved_names[MAX_NESTED_LINKS + 1];
55526 + const char *saved_names[MAX_NESTED_LINKS + 1];
55530 @@ -88,12 +88,12 @@ extern int follow_up(struct path *);
55531 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
55532 extern void unlock_rename(struct dentry *, struct dentry *);
55534 -static inline void nd_set_link(struct nameidata *nd, char *path)
55535 +static inline void nd_set_link(struct nameidata *nd, const char *path)
55537 nd->saved_names[nd->depth] = path;
55540 -static inline char *nd_get_link(struct nameidata *nd)
55541 +static inline const char *nd_get_link(const struct nameidata *nd)
55543 return nd->saved_names[nd->depth];
55545 diff -urNp linux-2.6.38.6/include/linux/netfilter/xt_gradm.h linux-2.6.38.6/include/linux/netfilter/xt_gradm.h
55546 --- linux-2.6.38.6/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
55547 +++ linux-2.6.38.6/include/linux/netfilter/xt_gradm.h 2011-04-28 19:34:15.000000000 -0400
55549 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
55550 +#define _LINUX_NETFILTER_XT_GRADM_H 1
55552 +struct xt_gradm_mtinfo {
55558 diff -urNp linux-2.6.38.6/include/linux/oprofile.h linux-2.6.38.6/include/linux/oprofile.h
55559 --- linux-2.6.38.6/include/linux/oprofile.h 2011-03-14 21:20:32.000000000 -0400
55560 +++ linux-2.6.38.6/include/linux/oprofile.h 2011-04-28 19:34:15.000000000 -0400
55561 @@ -132,9 +132,9 @@ int oprofilefs_create_ulong(struct super
55562 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
55563 char const * name, ulong * val);
55565 -/** Create a file for read-only access to an atomic_t. */
55566 +/** Create a file for read-only access to an atomic_unchecked_t. */
55567 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
55568 - char const * name, atomic_t * val);
55569 + char const * name, atomic_unchecked_t * val);
55571 /** create a directory */
55572 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
55573 diff -urNp linux-2.6.38.6/include/linux/padata.h linux-2.6.38.6/include/linux/padata.h
55574 --- linux-2.6.38.6/include/linux/padata.h 2011-03-14 21:20:32.000000000 -0400
55575 +++ linux-2.6.38.6/include/linux/padata.h 2011-04-28 19:57:25.000000000 -0400
55576 @@ -129,7 +129,7 @@ struct parallel_data {
55577 struct padata_instance *pinst;
55578 struct padata_parallel_queue __percpu *pqueue;
55579 struct padata_serial_queue __percpu *squeue;
55581 + atomic_unchecked_t seq_nr;
55582 atomic_t reorder_objects;
55584 unsigned int max_seq_nr;
55585 diff -urNp linux-2.6.38.6/include/linux/perf_event.h linux-2.6.38.6/include/linux/perf_event.h
55586 --- linux-2.6.38.6/include/linux/perf_event.h 2011-04-22 19:20:59.000000000 -0400
55587 +++ linux-2.6.38.6/include/linux/perf_event.h 2011-04-28 19:57:25.000000000 -0400
55588 @@ -732,8 +732,8 @@ struct perf_event {
55590 enum perf_event_active_state state;
55591 unsigned int attach_state;
55593 - atomic64_t child_count;
55594 + local64_t count; /* PaX: fix it one day */
55595 + atomic64_unchecked_t child_count;
55598 * These are the total time in nanoseconds that the event
55599 @@ -784,8 +784,8 @@ struct perf_event {
55600 * These accumulate total time (in nanoseconds) that children
55601 * events have been enabled and running, respectively.
55603 - atomic64_t child_total_time_enabled;
55604 - atomic64_t child_total_time_running;
55605 + atomic64_unchecked_t child_total_time_enabled;
55606 + atomic64_unchecked_t child_total_time_running;
55609 * Protect attach/detach and child_list:
55610 diff -urNp linux-2.6.38.6/include/linux/pipe_fs_i.h linux-2.6.38.6/include/linux/pipe_fs_i.h
55611 --- linux-2.6.38.6/include/linux/pipe_fs_i.h 2011-03-14 21:20:32.000000000 -0400
55612 +++ linux-2.6.38.6/include/linux/pipe_fs_i.h 2011-04-28 19:34:15.000000000 -0400
55613 @@ -46,9 +46,9 @@ struct pipe_buffer {
55614 struct pipe_inode_info {
55615 wait_queue_head_t wait;
55616 unsigned int nrbufs, curbuf, buffers;
55617 - unsigned int readers;
55618 - unsigned int writers;
55619 - unsigned int waiting_writers;
55620 + atomic_t readers;
55621 + atomic_t writers;
55622 + atomic_t waiting_writers;
55623 unsigned int r_counter;
55624 unsigned int w_counter;
55625 struct page *tmp_page;
55626 diff -urNp linux-2.6.38.6/include/linux/pm_runtime.h linux-2.6.38.6/include/linux/pm_runtime.h
55627 --- linux-2.6.38.6/include/linux/pm_runtime.h 2011-03-14 21:20:32.000000000 -0400
55628 +++ linux-2.6.38.6/include/linux/pm_runtime.h 2011-04-28 19:34:15.000000000 -0400
55629 @@ -89,7 +89,7 @@ static inline bool pm_runtime_enabled(st
55631 static inline void pm_runtime_mark_last_busy(struct device *dev)
55633 - ACCESS_ONCE(dev->power.last_busy) = jiffies;
55634 + ACCESS_ONCE_RW(dev->power.last_busy) = jiffies;
55637 #else /* !CONFIG_PM_RUNTIME */
55638 diff -urNp linux-2.6.38.6/include/linux/poison.h linux-2.6.38.6/include/linux/poison.h
55639 --- linux-2.6.38.6/include/linux/poison.h 2011-03-14 21:20:32.000000000 -0400
55640 +++ linux-2.6.38.6/include/linux/poison.h 2011-04-28 19:34:15.000000000 -0400
55642 * under normal circumstances, used to verify that nobody uses
55643 * non-initialized list entries.
55645 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
55646 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
55647 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
55648 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
55650 /********** include/linux/timer.h **********/
55652 diff -urNp linux-2.6.38.6/include/linux/proc_fs.h linux-2.6.38.6/include/linux/proc_fs.h
55653 --- linux-2.6.38.6/include/linux/proc_fs.h 2011-03-14 21:20:32.000000000 -0400
55654 +++ linux-2.6.38.6/include/linux/proc_fs.h 2011-04-28 19:34:15.000000000 -0400
55655 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
55656 return proc_create_data(name, mode, parent, proc_fops, NULL);
55659 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
55660 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
55662 +#ifdef CONFIG_GRKERNSEC_PROC_USER
55663 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
55664 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
55665 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
55667 + return proc_create_data(name, mode, parent, proc_fops, NULL);
55672 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
55673 mode_t mode, struct proc_dir_entry *base,
55674 read_proc_t *read_proc, void * data)
55675 diff -urNp linux-2.6.38.6/include/linux/ptrace.h linux-2.6.38.6/include/linux/ptrace.h
55676 --- linux-2.6.38.6/include/linux/ptrace.h 2011-03-14 21:20:32.000000000 -0400
55677 +++ linux-2.6.38.6/include/linux/ptrace.h 2011-04-28 19:34:15.000000000 -0400
55678 @@ -115,10 +115,10 @@ extern void __ptrace_unlink(struct task_
55679 extern void exit_ptrace(struct task_struct *tracer);
55680 #define PTRACE_MODE_READ 1
55681 #define PTRACE_MODE_ATTACH 2
55682 -/* Returns 0 on success, -errno on denial. */
55683 -extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
55684 /* Returns true on success, false on denial. */
55685 extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
55686 +/* Returns true on success, false on denial. */
55687 +extern bool ptrace_may_access_log(struct task_struct *task, unsigned int mode);
55689 static inline int ptrace_reparented(struct task_struct *child)
55691 diff -urNp linux-2.6.38.6/include/linux/random.h linux-2.6.38.6/include/linux/random.h
55692 --- linux-2.6.38.6/include/linux/random.h 2011-03-14 21:20:32.000000000 -0400
55693 +++ linux-2.6.38.6/include/linux/random.h 2011-04-28 19:34:15.000000000 -0400
55694 @@ -80,12 +80,17 @@ void srandom32(u32 seed);
55696 u32 prandom32(struct rnd_state *);
55698 +static inline unsigned long pax_get_random_long(void)
55700 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
55704 * Handle minimum values for seeds
55706 static inline u32 __seed(u32 x, u32 m)
55708 - return (x < m) ? x + m : x;
55709 + return (x <= m) ? x + m + 1 : x;
55713 diff -urNp linux-2.6.38.6/include/linux/reiserfs_fs.h linux-2.6.38.6/include/linux/reiserfs_fs.h
55714 --- linux-2.6.38.6/include/linux/reiserfs_fs.h 2011-03-14 21:20:32.000000000 -0400
55715 +++ linux-2.6.38.6/include/linux/reiserfs_fs.h 2011-04-28 19:34:15.000000000 -0400
55716 @@ -1403,7 +1403,7 @@ static inline loff_t max_reiserfs_offset
55717 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
55719 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
55720 -#define get_generation(s) atomic_read (&fs_generation(s))
55721 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
55722 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
55723 #define __fs_changed(gen,s) (gen != get_generation (s))
55724 #define fs_changed(gen,s) \
55725 @@ -1615,24 +1615,24 @@ static inline struct super_block *sb_fro
55728 struct item_operations {
55729 - int (*bytes_number) (struct item_head * ih, int block_size);
55730 - void (*decrement_key) (struct cpu_key *);
55731 - int (*is_left_mergeable) (struct reiserfs_key * ih,
55732 + int (* const bytes_number) (struct item_head * ih, int block_size);
55733 + void (* const decrement_key) (struct cpu_key *);
55734 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
55735 unsigned long bsize);
55736 - void (*print_item) (struct item_head *, char *item);
55737 - void (*check_item) (struct item_head *, char *item);
55738 + void (* const print_item) (struct item_head *, char *item);
55739 + void (* const check_item) (struct item_head *, char *item);
55741 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
55742 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
55743 int is_affected, int insert_size);
55744 - int (*check_left) (struct virtual_item * vi, int free,
55745 + int (* const check_left) (struct virtual_item * vi, int free,
55746 int start_skip, int end_skip);
55747 - int (*check_right) (struct virtual_item * vi, int free);
55748 - int (*part_size) (struct virtual_item * vi, int from, int to);
55749 - int (*unit_num) (struct virtual_item * vi);
55750 - void (*print_vi) (struct virtual_item * vi);
55751 + int (* const check_right) (struct virtual_item * vi, int free);
55752 + int (* const part_size) (struct virtual_item * vi, int from, int to);
55753 + int (* const unit_num) (struct virtual_item * vi);
55754 + void (* const print_vi) (struct virtual_item * vi);
55757 -extern struct item_operations *item_ops[TYPE_ANY + 1];
55758 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
55760 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
55761 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
55762 diff -urNp linux-2.6.38.6/include/linux/reiserfs_fs_sb.h linux-2.6.38.6/include/linux/reiserfs_fs_sb.h
55763 --- linux-2.6.38.6/include/linux/reiserfs_fs_sb.h 2011-03-14 21:20:32.000000000 -0400
55764 +++ linux-2.6.38.6/include/linux/reiserfs_fs_sb.h 2011-04-28 19:34:15.000000000 -0400
55765 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
55766 /* Comment? -Hans */
55767 wait_queue_head_t s_wait;
55768 /* To be obsoleted soon by per buffer seals.. -Hans */
55769 - atomic_t s_generation_counter; // increased by one every time the
55770 + atomic_unchecked_t s_generation_counter; // increased by one every time the
55771 // tree gets re-balanced
55772 unsigned long s_properties; /* File system properties. Currently holds
55773 on-disk FS format */
55774 diff -urNp linux-2.6.38.6/include/linux/rmap.h linux-2.6.38.6/include/linux/rmap.h
55775 --- linux-2.6.38.6/include/linux/rmap.h 2011-03-14 21:20:32.000000000 -0400
55776 +++ linux-2.6.38.6/include/linux/rmap.h 2011-04-28 19:34:15.000000000 -0400
55777 @@ -145,8 +145,8 @@ static inline void anon_vma_unlock(struc
55778 void anon_vma_init(void); /* create anon_vma_cachep */
55779 int anon_vma_prepare(struct vm_area_struct *);
55780 void unlink_anon_vmas(struct vm_area_struct *);
55781 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
55782 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
55783 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
55784 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
55785 void __anon_vma_link(struct vm_area_struct *);
55786 void anon_vma_free(struct anon_vma *);
55788 diff -urNp linux-2.6.38.6/include/linux/sched.h linux-2.6.38.6/include/linux/sched.h
55789 --- linux-2.6.38.6/include/linux/sched.h 2011-04-22 19:20:59.000000000 -0400
55790 +++ linux-2.6.38.6/include/linux/sched.h 2011-05-16 21:50:36.000000000 -0400
55791 @@ -99,6 +99,7 @@ struct robust_list_head;
55794 struct perf_event_context;
55795 +struct linux_binprm;
55798 * List of flags we want to share for kernel threads,
55799 @@ -359,7 +360,7 @@ extern signed long schedule_timeout_inte
55800 extern signed long schedule_timeout_killable(signed long timeout);
55801 extern signed long schedule_timeout_uninterruptible(signed long timeout);
55802 asmlinkage void schedule(void);
55803 -extern int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner);
55804 +extern int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner);
55807 struct user_namespace;
55808 @@ -380,10 +381,13 @@ struct user_namespace;
55809 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
55811 extern int sysctl_max_map_count;
55812 +extern unsigned long sysctl_heap_stack_gap;
55814 #include <linux/aio.h>
55817 +extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
55818 +extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
55819 extern void arch_pick_mmap_layout(struct mm_struct *mm);
55820 extern unsigned long
55821 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
55822 @@ -628,6 +632,17 @@ struct signal_struct {
55823 #ifdef CONFIG_TASKSTATS
55824 struct taskstats *stats;
55827 +#ifdef CONFIG_GRKERNSEC
55834 + u8 used_accept:1;
55837 #ifdef CONFIG_AUDIT
55838 unsigned audit_tty;
55839 struct tty_audit_buf *tty_audit_buf;
55840 @@ -700,6 +715,11 @@ struct user_struct {
55841 struct key *session_keyring; /* UID's default session keyring */
55844 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
55845 + unsigned int banned;
55846 + unsigned long ban_expires;
55849 /* Hash table maintenance information */
55850 struct hlist_node uidhash_node;
55852 @@ -1310,8 +1330,8 @@ struct task_struct {
55853 struct list_head thread_group;
55855 struct completion *vfork_done; /* for vfork() */
55856 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
55857 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
55858 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
55859 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
55861 cputime_t utime, stime, utimescaled, stimescaled;
55863 @@ -1327,13 +1347,6 @@ struct task_struct {
55864 struct task_cputime cputime_expires;
55865 struct list_head cpu_timers[3];
55867 -/* process credentials */
55868 - const struct cred __rcu *real_cred; /* objective and real subjective task
55869 - * credentials (COW) */
55870 - const struct cred __rcu *cred; /* effective (overridable) subjective task
55871 - * credentials (COW) */
55872 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
55874 char comm[TASK_COMM_LEN]; /* executable name excluding path
55875 - access with [gs]et_task_comm (which lock
55876 it with task_lock())
55877 @@ -1350,8 +1363,16 @@ struct task_struct {
55879 /* CPU-specific state of this task */
55880 struct thread_struct thread;
55881 +/* thread_info moved to task_struct */
55883 + struct thread_info tinfo;
55885 /* filesystem information */
55886 struct fs_struct *fs;
55888 + const struct cred __rcu *cred; /* effective (overridable) subjective task
55889 + * credentials (COW) */
55891 /* open file information */
55892 struct files_struct *files;
55894 @@ -1398,6 +1419,11 @@ struct task_struct {
55895 struct rt_mutex_waiter *pi_blocked_on;
55898 +/* process credentials */
55899 + const struct cred __rcu *real_cred; /* objective and real subjective task
55900 + * credentials (COW) */
55901 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
55903 #ifdef CONFIG_DEBUG_MUTEXES
55904 /* mutex deadlock detection */
55905 struct mutex_waiter *blocked_on;
55906 @@ -1502,6 +1528,21 @@ struct task_struct {
55907 unsigned long default_timer_slack_ns;
55909 struct list_head *scm_work_list;
55911 +#ifdef CONFIG_GRKERNSEC
55913 + struct dentry *gr_chroot_dentry;
55914 + struct acl_subject_label *acl;
55915 + struct acl_role_label *role;
55916 + struct file *exec_file;
55918 + /* is this the task that authenticated to the special role */
55922 + u8 gr_is_chrooted;
55925 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
55926 /* Index of current stored address in ret_stack */
55927 int curr_ret_stack;
55928 @@ -1533,6 +1574,62 @@ struct task_struct {
55932 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
55933 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
55934 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
55935 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
55936 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
55937 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
55939 +#ifdef CONFIG_PAX_SOFTMODE
55940 +extern unsigned int pax_softmode;
55943 +extern int pax_check_flags(unsigned long *);
55945 +/* if tsk != current then task_lock must be held on it */
55946 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
55947 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
55949 + if (likely(tsk->mm))
55950 + return tsk->mm->pax_flags;
55955 +/* if tsk != current then task_lock must be held on it */
55956 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
55958 + if (likely(tsk->mm)) {
55959 + tsk->mm->pax_flags = flags;
55966 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
55967 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
55968 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
55969 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
55972 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
55973 +void pax_report_insns(void *pc, void *sp);
55974 +void pax_report_refcount_overflow(struct pt_regs *regs);
55975 +void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type);
55977 +static inline void pax_track_stack(void)
55980 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
55981 + if (current_thread_info()->lowest_stack > current_stack_pointer &&
55982 + (unsigned long)task_stack_page(current) < current_stack_pointer)
55983 + current_thread_info()->lowest_stack = current_stack_pointer;
55988 /* Future-safe accessor for struct task_struct's cpus_allowed. */
55989 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
55991 @@ -2002,7 +2099,9 @@ void yield(void);
55992 extern struct exec_domain default_exec_domain;
55994 union thread_union {
55995 +#ifndef CONFIG_X86
55996 struct thread_info thread_info;
55998 unsigned long stack[THREAD_SIZE/sizeof(long)];
56001 @@ -2172,7 +2271,7 @@ extern void __cleanup_sighand(struct sig
56002 extern void exit_itimers(struct signal_struct *);
56003 extern void flush_itimer_signals(void);
56005 -extern NORET_TYPE void do_group_exit(int);
56006 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
56008 extern void daemonize(const char *, ...);
56009 extern int allow_signal(int);
56010 @@ -2313,13 +2412,17 @@ static inline unsigned long *end_of_stac
56014 -static inline int object_is_on_stack(void *obj)
56015 +static inline int object_starts_on_stack(void *obj)
56017 - void *stack = task_stack_page(current);
56018 + const void *stack = task_stack_page(current);
56020 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
56023 +#ifdef CONFIG_PAX_USERCOPY
56024 +extern int object_is_on_stack(const void *obj, unsigned long len);
56027 extern void thread_info_cache_init(void);
56029 #ifdef CONFIG_DEBUG_STACK_USAGE
56030 diff -urNp linux-2.6.38.6/include/linux/screen_info.h linux-2.6.38.6/include/linux/screen_info.h
56031 --- linux-2.6.38.6/include/linux/screen_info.h 2011-03-14 21:20:32.000000000 -0400
56032 +++ linux-2.6.38.6/include/linux/screen_info.h 2011-04-28 19:34:15.000000000 -0400
56033 @@ -43,7 +43,8 @@ struct screen_info {
56034 __u16 pages; /* 0x32 */
56035 __u16 vesa_attributes; /* 0x34 */
56036 __u32 capabilities; /* 0x36 */
56037 - __u8 _reserved[6]; /* 0x3a */
56038 + __u16 vesapm_size; /* 0x3a */
56039 + __u8 _reserved[4]; /* 0x3c */
56040 } __attribute__((packed));
56042 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
56043 diff -urNp linux-2.6.38.6/include/linux/security.h linux-2.6.38.6/include/linux/security.h
56044 --- linux-2.6.38.6/include/linux/security.h 2011-03-14 21:20:32.000000000 -0400
56045 +++ linux-2.6.38.6/include/linux/security.h 2011-04-28 19:34:15.000000000 -0400
56047 #include <linux/key.h>
56048 #include <linux/xfrm.h>
56049 #include <linux/slab.h>
56050 +#include <linux/grsecurity.h>
56051 #include <net/flow.h>
56053 /* Maximum number of letters for an LSM name string */
56054 diff -urNp linux-2.6.38.6/include/linux/shm.h linux-2.6.38.6/include/linux/shm.h
56055 --- linux-2.6.38.6/include/linux/shm.h 2011-03-14 21:20:32.000000000 -0400
56056 +++ linux-2.6.38.6/include/linux/shm.h 2011-04-28 19:34:15.000000000 -0400
56057 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
56060 struct user_struct *mlock_user;
56061 +#ifdef CONFIG_GRKERNSEC
56062 + time_t shm_createtime;
56067 /* shm_mode upper byte flags */
56068 diff -urNp linux-2.6.38.6/include/linux/skbuff.h linux-2.6.38.6/include/linux/skbuff.h
56069 --- linux-2.6.38.6/include/linux/skbuff.h 2011-03-14 21:20:32.000000000 -0400
56070 +++ linux-2.6.38.6/include/linux/skbuff.h 2011-04-28 19:57:25.000000000 -0400
56071 @@ -589,7 +589,7 @@ static inline struct skb_shared_hwtstamp
56073 static inline int skb_queue_empty(const struct sk_buff_head *list)
56075 - return list->next == (struct sk_buff *)list;
56076 + return list->next == (const struct sk_buff *)list;
56080 @@ -602,7 +602,7 @@ static inline int skb_queue_empty(const
56081 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
56082 const struct sk_buff *skb)
56084 - return skb->next == (struct sk_buff *)list;
56085 + return skb->next == (const struct sk_buff *)list;
56089 @@ -615,7 +615,7 @@ static inline bool skb_queue_is_last(con
56090 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
56091 const struct sk_buff *skb)
56093 - return skb->prev == (struct sk_buff *)list;
56094 + return skb->prev == (const struct sk_buff *)list;
56098 @@ -1432,7 +1432,7 @@ static inline int pskb_network_may_pull(
56099 * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
56101 #ifndef NET_SKB_PAD
56102 -#define NET_SKB_PAD max(32, L1_CACHE_BYTES)
56103 +#define NET_SKB_PAD max(_AC(32,U), L1_CACHE_BYTES)
56106 extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
56107 diff -urNp linux-2.6.38.6/include/linux/slab_def.h linux-2.6.38.6/include/linux/slab_def.h
56108 --- linux-2.6.38.6/include/linux/slab_def.h 2011-03-14 21:20:32.000000000 -0400
56109 +++ linux-2.6.38.6/include/linux/slab_def.h 2011-04-28 19:57:25.000000000 -0400
56110 @@ -96,10 +96,10 @@ struct kmem_cache {
56111 unsigned long node_allocs;
56112 unsigned long node_frees;
56113 unsigned long node_overflow;
56114 - atomic_t allochit;
56115 - atomic_t allocmiss;
56116 - atomic_t freehit;
56117 - atomic_t freemiss;
56118 + atomic_unchecked_t allochit;
56119 + atomic_unchecked_t allocmiss;
56120 + atomic_unchecked_t freehit;
56121 + atomic_unchecked_t freemiss;
56124 * If debugging is enabled, then the allocator can add additional
56125 diff -urNp linux-2.6.38.6/include/linux/slab.h linux-2.6.38.6/include/linux/slab.h
56126 --- linux-2.6.38.6/include/linux/slab.h 2011-03-14 21:20:32.000000000 -0400
56127 +++ linux-2.6.38.6/include/linux/slab.h 2011-04-28 19:34:15.000000000 -0400
56128 @@ -11,12 +11,20 @@
56130 #include <linux/gfp.h>
56131 #include <linux/types.h>
56132 +#include <linux/err.h>
56135 * Flags to pass to kmem_cache_create().
56136 * The ones marked DEBUG are only valid if CONFIG_SLAB_DEBUG is set.
56138 #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
56140 +#ifdef CONFIG_PAX_USERCOPY
56141 +#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
56143 +#define SLAB_USERCOPY 0x00000000UL
56146 #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
56147 #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
56148 #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
56149 @@ -87,10 +95,13 @@
56150 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
56151 * Both make kfree a no-op.
56153 -#define ZERO_SIZE_PTR ((void *)16)
56154 +#define ZERO_SIZE_PTR \
56156 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
56157 + (void *)(-MAX_ERRNO-1L); \
56160 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
56161 - (unsigned long)ZERO_SIZE_PTR)
56162 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
56165 * struct kmem_cache related prototypes
56166 @@ -142,6 +153,7 @@ void * __must_check krealloc(const void
56167 void kfree(const void *);
56168 void kzfree(const void *);
56169 size_t ksize(const void *);
56170 +void check_object_size(const void *ptr, unsigned long n, bool to);
56173 * Allocator specific definitions. These are mainly used to establish optimized
56174 @@ -334,4 +346,37 @@ static inline void *kzalloc_node(size_t
56176 void __init kmem_cache_init_late(void);
56178 +#define kmalloc(x, y) \
56180 + void *___retval; \
56181 + intoverflow_t ___x = (intoverflow_t)x; \
56182 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
56183 + ___retval = NULL; \
56185 + ___retval = kmalloc((size_t)___x, (y)); \
56189 +#define kmalloc_node(x, y, z) \
56191 + void *___retval; \
56192 + intoverflow_t ___x = (intoverflow_t)x; \
56193 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
56194 + ___retval = NULL; \
56196 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
56200 +#define kzalloc(x, y) \
56202 + void *___retval; \
56203 + intoverflow_t ___x = (intoverflow_t)x; \
56204 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
56205 + ___retval = NULL; \
56207 + ___retval = kzalloc((size_t)___x, (y)); \
56211 #endif /* _LINUX_SLAB_H */
56212 diff -urNp linux-2.6.38.6/include/linux/slub_def.h linux-2.6.38.6/include/linux/slub_def.h
56213 --- linux-2.6.38.6/include/linux/slub_def.h 2011-03-14 21:20:32.000000000 -0400
56214 +++ linux-2.6.38.6/include/linux/slub_def.h 2011-04-28 19:34:15.000000000 -0400
56215 @@ -79,7 +79,7 @@ struct kmem_cache {
56216 struct kmem_cache_order_objects max;
56217 struct kmem_cache_order_objects min;
56218 gfp_t allocflags; /* gfp flags to use on each alloc */
56219 - int refcount; /* Refcount for slab cache destroy */
56220 + atomic_t refcount; /* Refcount for slab cache destroy */
56221 void (*ctor)(void *);
56222 int inuse; /* Offset to metadata */
56223 int align; /* Alignment */
56224 diff -urNp linux-2.6.38.6/include/linux/sonet.h linux-2.6.38.6/include/linux/sonet.h
56225 --- linux-2.6.38.6/include/linux/sonet.h 2011-03-14 21:20:32.000000000 -0400
56226 +++ linux-2.6.38.6/include/linux/sonet.h 2011-04-28 19:34:15.000000000 -0400
56227 @@ -61,7 +61,7 @@ struct sonet_stats {
56228 #include <asm/atomic.h>
56230 struct k_sonet_stats {
56231 -#define __HANDLE_ITEM(i) atomic_t i
56232 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
56234 #undef __HANDLE_ITEM
56236 diff -urNp linux-2.6.38.6/include/linux/sunrpc/clnt.h linux-2.6.38.6/include/linux/sunrpc/clnt.h
56237 --- linux-2.6.38.6/include/linux/sunrpc/clnt.h 2011-03-14 21:20:32.000000000 -0400
56238 +++ linux-2.6.38.6/include/linux/sunrpc/clnt.h 2011-04-28 19:34:15.000000000 -0400
56239 @@ -168,9 +168,9 @@ static inline unsigned short rpc_get_por
56241 switch (sap->sa_family) {
56243 - return ntohs(((struct sockaddr_in *)sap)->sin_port);
56244 + return ntohs(((const struct sockaddr_in *)sap)->sin_port);
56246 - return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
56247 + return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
56251 @@ -203,7 +203,7 @@ static inline bool __rpc_cmp_addr4(const
56252 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
56253 const struct sockaddr *src)
56255 - const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
56256 + const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
56257 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
56259 dsin->sin_family = ssin->sin_family;
56260 @@ -300,7 +300,7 @@ static inline u32 rpc_get_scope_id(const
56261 if (sa->sa_family != AF_INET6)
56264 - return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
56265 + return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
56268 #endif /* __KERNEL__ */
56269 diff -urNp linux-2.6.38.6/include/linux/sunrpc/svc_rdma.h linux-2.6.38.6/include/linux/sunrpc/svc_rdma.h
56270 --- linux-2.6.38.6/include/linux/sunrpc/svc_rdma.h 2011-03-14 21:20:32.000000000 -0400
56271 +++ linux-2.6.38.6/include/linux/sunrpc/svc_rdma.h 2011-04-28 19:57:25.000000000 -0400
56272 @@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
56273 extern unsigned int svcrdma_max_requests;
56274 extern unsigned int svcrdma_max_req_size;
56276 -extern atomic_t rdma_stat_recv;
56277 -extern atomic_t rdma_stat_read;
56278 -extern atomic_t rdma_stat_write;
56279 -extern atomic_t rdma_stat_sq_starve;
56280 -extern atomic_t rdma_stat_rq_starve;
56281 -extern atomic_t rdma_stat_rq_poll;
56282 -extern atomic_t rdma_stat_rq_prod;
56283 -extern atomic_t rdma_stat_sq_poll;
56284 -extern atomic_t rdma_stat_sq_prod;
56285 +extern atomic_unchecked_t rdma_stat_recv;
56286 +extern atomic_unchecked_t rdma_stat_read;
56287 +extern atomic_unchecked_t rdma_stat_write;
56288 +extern atomic_unchecked_t rdma_stat_sq_starve;
56289 +extern atomic_unchecked_t rdma_stat_rq_starve;
56290 +extern atomic_unchecked_t rdma_stat_rq_poll;
56291 +extern atomic_unchecked_t rdma_stat_rq_prod;
56292 +extern atomic_unchecked_t rdma_stat_sq_poll;
56293 +extern atomic_unchecked_t rdma_stat_sq_prod;
56295 #define RPCRDMA_VERSION 1
56297 diff -urNp linux-2.6.38.6/include/linux/suspend.h linux-2.6.38.6/include/linux/suspend.h
56298 --- linux-2.6.38.6/include/linux/suspend.h 2011-03-14 21:20:32.000000000 -0400
56299 +++ linux-2.6.38.6/include/linux/suspend.h 2011-04-28 19:34:15.000000000 -0400
56300 @@ -106,15 +106,15 @@ typedef int __bitwise suspend_state_t;
56301 * which require special recovery actions in that situation.
56303 struct platform_suspend_ops {
56304 - int (*valid)(suspend_state_t state);
56305 - int (*begin)(suspend_state_t state);
56306 - int (*prepare)(void);
56307 - int (*prepare_late)(void);
56308 - int (*enter)(suspend_state_t state);
56309 - void (*wake)(void);
56310 - void (*finish)(void);
56311 - void (*end)(void);
56312 - void (*recover)(void);
56313 + int (* const valid)(suspend_state_t state);
56314 + int (* const begin)(suspend_state_t state);
56315 + int (* const prepare)(void);
56316 + int (* const prepare_late)(void);
56317 + int (* const enter)(suspend_state_t state);
56318 + void (* const wake)(void);
56319 + void (* const finish)(void);
56320 + void (* const end)(void);
56321 + void (* const recover)(void);
56324 #ifdef CONFIG_SUSPEND
56325 @@ -217,16 +217,16 @@ extern void mark_free_pages(struct zone
56326 * platforms which require special recovery actions in that situation.
56328 struct platform_hibernation_ops {
56329 - int (*begin)(void);
56330 - void (*end)(void);
56331 - int (*pre_snapshot)(void);
56332 - void (*finish)(void);
56333 - int (*prepare)(void);
56334 - int (*enter)(void);
56335 - void (*leave)(void);
56336 - int (*pre_restore)(void);
56337 - void (*restore_cleanup)(void);
56338 - void (*recover)(void);
56339 + int (* const begin)(void);
56340 + void (* const end)(void);
56341 + int (* const pre_snapshot)(void);
56342 + void (* const finish)(void);
56343 + int (* const prepare)(void);
56344 + int (* const enter)(void);
56345 + void (* const leave)(void);
56346 + int (* const pre_restore)(void);
56347 + void (* const restore_cleanup)(void);
56348 + void (* const recover)(void);
56351 #ifdef CONFIG_HIBERNATION
56352 diff -urNp linux-2.6.38.6/include/linux/sysctl.h linux-2.6.38.6/include/linux/sysctl.h
56353 --- linux-2.6.38.6/include/linux/sysctl.h 2011-03-14 21:20:32.000000000 -0400
56354 +++ linux-2.6.38.6/include/linux/sysctl.h 2011-04-28 19:34:15.000000000 -0400
56355 @@ -155,7 +155,11 @@ enum
56356 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
56360 +#ifdef CONFIG_PAX_SOFTMODE
56362 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
56366 /* CTL_VM names: */
56368 @@ -967,6 +971,8 @@ typedef int proc_handler (struct ctl_tab
56370 extern int proc_dostring(struct ctl_table *, int,
56371 void __user *, size_t *, loff_t *);
56372 +extern int proc_dostring_modpriv(struct ctl_table *, int,
56373 + void __user *, size_t *, loff_t *);
56374 extern int proc_dointvec(struct ctl_table *, int,
56375 void __user *, size_t *, loff_t *);
56376 extern int proc_dointvec_minmax(struct ctl_table *, int,
56377 diff -urNp linux-2.6.38.6/include/linux/sysfs.h linux-2.6.38.6/include/linux/sysfs.h
56378 --- linux-2.6.38.6/include/linux/sysfs.h 2011-03-14 21:20:32.000000000 -0400
56379 +++ linux-2.6.38.6/include/linux/sysfs.h 2011-04-28 19:34:15.000000000 -0400
56380 @@ -110,8 +110,8 @@ struct bin_attribute {
56381 #define sysfs_bin_attr_init(bin_attr) sysfs_attr_init(&(bin_attr)->attr)
56384 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
56385 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
56386 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
56387 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
56390 struct sysfs_dirent;
56391 diff -urNp linux-2.6.38.6/include/linux/tty.h linux-2.6.38.6/include/linux/tty.h
56392 --- linux-2.6.38.6/include/linux/tty.h 2011-03-14 21:20:32.000000000 -0400
56393 +++ linux-2.6.38.6/include/linux/tty.h 2011-04-28 19:34:15.000000000 -0400
56395 #include <linux/tty_driver.h>
56396 #include <linux/tty_ldisc.h>
56397 #include <linux/mutex.h>
56398 +#include <linux/poll.h>
56399 +#include <linux/smp_lock.h>
56401 #include <asm/system.h>
56403 @@ -465,7 +467,6 @@ extern int tty_perform_flush(struct tty_
56404 extern dev_t tty_devnum(struct tty_struct *tty);
56405 extern void proc_clear_tty(struct task_struct *p);
56406 extern struct tty_struct *get_current_tty(void);
56407 -extern void tty_default_fops(struct file_operations *fops);
56408 extern struct tty_struct *alloc_tty_struct(void);
56409 extern int tty_add_file(struct tty_struct *tty, struct file *file);
56410 extern void free_tty_struct(struct tty_struct *tty);
56411 @@ -528,6 +529,18 @@ extern void tty_ldisc_begin(void);
56412 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
56413 extern void tty_ldisc_enable(struct tty_struct *tty);
56416 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
56417 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
56418 +extern unsigned int tty_poll(struct file *, poll_table *);
56419 +#ifdef CONFIG_COMPAT
56420 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
56421 + unsigned long arg);
56423 +#define tty_compat_ioctl NULL
56425 +extern int tty_release(struct inode *, struct file *);
56426 +extern int tty_fasync(int fd, struct file *filp, int on);
56429 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
56430 diff -urNp linux-2.6.38.6/include/linux/tty_ldisc.h linux-2.6.38.6/include/linux/tty_ldisc.h
56431 --- linux-2.6.38.6/include/linux/tty_ldisc.h 2011-03-14 21:20:32.000000000 -0400
56432 +++ linux-2.6.38.6/include/linux/tty_ldisc.h 2011-04-28 19:34:15.000000000 -0400
56433 @@ -148,7 +148,7 @@ struct tty_ldisc_ops {
56435 struct module *owner;
56438 + atomic_t refcount;
56442 diff -urNp linux-2.6.38.6/include/linux/types.h linux-2.6.38.6/include/linux/types.h
56443 --- linux-2.6.38.6/include/linux/types.h 2011-03-14 21:20:32.000000000 -0400
56444 +++ linux-2.6.38.6/include/linux/types.h 2011-04-28 19:34:15.000000000 -0400
56445 @@ -207,10 +207,26 @@ typedef struct {
56449 +#ifdef CONFIG_PAX_REFCOUNT
56452 +} atomic_unchecked_t;
56454 +typedef atomic_t atomic_unchecked_t;
56457 #ifdef CONFIG_64BIT
56462 +#ifdef CONFIG_PAX_REFCOUNT
56465 +} atomic64_unchecked_t;
56467 +typedef atomic64_t atomic64_unchecked_t;
56472 diff -urNp linux-2.6.38.6/include/linux/uaccess.h linux-2.6.38.6/include/linux/uaccess.h
56473 --- linux-2.6.38.6/include/linux/uaccess.h 2011-03-14 21:20:32.000000000 -0400
56474 +++ linux-2.6.38.6/include/linux/uaccess.h 2011-04-28 19:34:15.000000000 -0400
56475 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
56477 mm_segment_t old_fs = get_fs(); \
56479 - set_fs(KERNEL_DS); \
56480 pagefault_disable(); \
56481 + set_fs(KERNEL_DS); \
56482 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
56483 - pagefault_enable(); \
56485 + pagefault_enable(); \
56489 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
56490 * Safely read from address @src to the buffer at @dst. If a kernel fault
56491 * happens, handle that and return -EFAULT.
56493 -extern long probe_kernel_read(void *dst, void *src, size_t size);
56494 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
56495 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
56496 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
56499 * probe_kernel_write(): safely attempt to write to a location
56500 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
56501 * Safely write to address @dst from the buffer at @src. If a kernel fault
56502 * happens, handle that and return -EFAULT.
56504 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
56505 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
56506 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
56507 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
56509 #endif /* __LINUX_UACCESS_H__ */
56510 diff -urNp linux-2.6.38.6/include/linux/unaligned/access_ok.h linux-2.6.38.6/include/linux/unaligned/access_ok.h
56511 --- linux-2.6.38.6/include/linux/unaligned/access_ok.h 2011-03-14 21:20:32.000000000 -0400
56512 +++ linux-2.6.38.6/include/linux/unaligned/access_ok.h 2011-04-28 19:34:15.000000000 -0400
56515 static inline u16 get_unaligned_le16(const void *p)
56517 - return le16_to_cpup((__le16 *)p);
56518 + return le16_to_cpup((const __le16 *)p);
56521 static inline u32 get_unaligned_le32(const void *p)
56523 - return le32_to_cpup((__le32 *)p);
56524 + return le32_to_cpup((const __le32 *)p);
56527 static inline u64 get_unaligned_le64(const void *p)
56529 - return le64_to_cpup((__le64 *)p);
56530 + return le64_to_cpup((const __le64 *)p);
56533 static inline u16 get_unaligned_be16(const void *p)
56535 - return be16_to_cpup((__be16 *)p);
56536 + return be16_to_cpup((const __be16 *)p);
56539 static inline u32 get_unaligned_be32(const void *p)
56541 - return be32_to_cpup((__be32 *)p);
56542 + return be32_to_cpup((const __be32 *)p);
56545 static inline u64 get_unaligned_be64(const void *p)
56547 - return be64_to_cpup((__be64 *)p);
56548 + return be64_to_cpup((const __be64 *)p);
56551 static inline void put_unaligned_le16(u16 val, void *p)
56552 diff -urNp linux-2.6.38.6/include/linux/usb/hcd.h linux-2.6.38.6/include/linux/usb/hcd.h
56553 --- linux-2.6.38.6/include/linux/usb/hcd.h 2011-04-18 17:27:14.000000000 -0400
56554 +++ linux-2.6.38.6/include/linux/usb/hcd.h 2011-04-28 19:34:15.000000000 -0400
56555 @@ -589,7 +589,7 @@ struct usb_mon_operations {
56556 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
56559 -extern struct usb_mon_operations *mon_ops;
56560 +extern const struct usb_mon_operations *mon_ops;
56562 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
56564 @@ -611,7 +611,7 @@ static inline void usbmon_urb_complete(s
56565 (*mon_ops->urb_complete)(bus, urb, status);
56568 -int usb_mon_register(struct usb_mon_operations *ops);
56569 +int usb_mon_register(const struct usb_mon_operations *ops);
56570 void usb_mon_deregister(void);
56573 diff -urNp linux-2.6.38.6/include/linux/vmalloc.h linux-2.6.38.6/include/linux/vmalloc.h
56574 --- linux-2.6.38.6/include/linux/vmalloc.h 2011-03-14 21:20:32.000000000 -0400
56575 +++ linux-2.6.38.6/include/linux/vmalloc.h 2011-04-28 19:34:15.000000000 -0400
56576 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
56577 #define VM_MAP 0x00000004 /* vmap()ed pages */
56578 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
56579 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
56581 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
56582 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
56585 /* bits [20..32] reserved for arch specific ioremap internals */
56588 @@ -123,4 +128,103 @@ struct vm_struct **pcpu_get_vm_areas(con
56589 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
56592 +#define vmalloc(x) \
56594 + void *___retval; \
56595 + intoverflow_t ___x = (intoverflow_t)x; \
56596 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
56597 + ___retval = NULL; \
56599 + ___retval = vmalloc((unsigned long)___x); \
56603 +#define vzalloc(x) \
56605 + void *___retval; \
56606 + intoverflow_t ___x = (intoverflow_t)x; \
56607 + if (WARN(___x > ULONG_MAX, "vzalloc size overflow\n")) \
56608 + ___retval = NULL; \
56610 + ___retval = vzalloc((unsigned long)___x); \
56614 +#define __vmalloc(x, y, z) \
56616 + void *___retval; \
56617 + intoverflow_t ___x = (intoverflow_t)x; \
56618 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
56619 + ___retval = NULL; \
56621 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
56625 +#define vmalloc_user(x) \
56627 + void *___retval; \
56628 + intoverflow_t ___x = (intoverflow_t)x; \
56629 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
56630 + ___retval = NULL; \
56632 + ___retval = vmalloc_user((unsigned long)___x); \
56636 +#define vmalloc_exec(x) \
56638 + void *___retval; \
56639 + intoverflow_t ___x = (intoverflow_t)x; \
56640 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
56641 + ___retval = NULL; \
56643 + ___retval = vmalloc_exec((unsigned long)___x); \
56647 +#define vmalloc_node(x, y) \
56649 + void *___retval; \
56650 + intoverflow_t ___x = (intoverflow_t)x; \
56651 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
56652 + ___retval = NULL; \
56654 + ___retval = vmalloc_node((unsigned long)___x, (y));\
56658 +#define vzalloc_node(x, y) \
56660 + void *___retval; \
56661 + intoverflow_t ___x = (intoverflow_t)x; \
56662 + if (WARN(___x > ULONG_MAX, "vzalloc_node size overflow\n"))\
56663 + ___retval = NULL; \
56665 + ___retval = vzalloc_node((unsigned long)___x, (y));\
56669 +#define vmalloc_32(x) \
56671 + void *___retval; \
56672 + intoverflow_t ___x = (intoverflow_t)x; \
56673 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
56674 + ___retval = NULL; \
56676 + ___retval = vmalloc_32((unsigned long)___x); \
56680 +#define vmalloc_32_user(x) \
56682 +void *___retval; \
56683 + intoverflow_t ___x = (intoverflow_t)x; \
56684 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
56685 + ___retval = NULL; \
56687 + ___retval = vmalloc_32_user((unsigned long)___x);\
56691 #endif /* _LINUX_VMALLOC_H */
56692 diff -urNp linux-2.6.38.6/include/linux/vmstat.h linux-2.6.38.6/include/linux/vmstat.h
56693 --- linux-2.6.38.6/include/linux/vmstat.h 2011-03-14 21:20:32.000000000 -0400
56694 +++ linux-2.6.38.6/include/linux/vmstat.h 2011-04-28 19:34:15.000000000 -0400
56695 @@ -140,18 +140,18 @@ static inline void vm_events_fold_cpu(in
56697 * Zone based page accounting with per cpu differentials.
56699 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
56700 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
56702 static inline void zone_page_state_add(long x, struct zone *zone,
56703 enum zone_stat_item item)
56705 - atomic_long_add(x, &zone->vm_stat[item]);
56706 - atomic_long_add(x, &vm_stat[item]);
56707 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
56708 + atomic_long_add_unchecked(x, &vm_stat[item]);
56711 static inline unsigned long global_page_state(enum zone_stat_item item)
56713 - long x = atomic_long_read(&vm_stat[item]);
56714 + long x = atomic_long_read_unchecked(&vm_stat[item]);
56718 @@ -162,7 +162,7 @@ static inline unsigned long global_page_
56719 static inline unsigned long zone_page_state(struct zone *zone,
56720 enum zone_stat_item item)
56722 - long x = atomic_long_read(&zone->vm_stat[item]);
56723 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
56727 @@ -179,7 +179,7 @@ static inline unsigned long zone_page_st
56728 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
56729 enum zone_stat_item item)
56731 - long x = atomic_long_read(&zone->vm_stat[item]);
56732 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
56736 @@ -273,8 +273,8 @@ static inline void __mod_zone_page_state
56738 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
56740 - atomic_long_inc(&zone->vm_stat[item]);
56741 - atomic_long_inc(&vm_stat[item]);
56742 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
56743 + atomic_long_inc_unchecked(&vm_stat[item]);
56746 static inline void __inc_zone_page_state(struct page *page,
56747 @@ -285,8 +285,8 @@ static inline void __inc_zone_page_state
56749 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
56751 - atomic_long_dec(&zone->vm_stat[item]);
56752 - atomic_long_dec(&vm_stat[item]);
56753 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
56754 + atomic_long_dec_unchecked(&vm_stat[item]);
56757 static inline void __dec_zone_page_state(struct page *page,
56758 diff -urNp linux-2.6.38.6/include/media/v4l2-device.h linux-2.6.38.6/include/media/v4l2-device.h
56759 --- linux-2.6.38.6/include/media/v4l2-device.h 2011-03-14 21:20:32.000000000 -0400
56760 +++ linux-2.6.38.6/include/media/v4l2-device.h 2011-04-28 19:57:25.000000000 -0400
56761 @@ -77,7 +77,7 @@ int __must_check v4l2_device_register(st
56762 this function returns 0. If the name ends with a digit (e.g. cx18),
56763 then the name will be set to cx18-0 since cx180 looks really odd. */
56764 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
56765 - atomic_t *instance);
56766 + atomic_unchecked_t *instance);
56768 /* Set v4l2_dev->dev to NULL. Call when the USB parent disconnects.
56769 Since the parent disappears this ensures that v4l2_dev doesn't have an
56770 diff -urNp linux-2.6.38.6/include/net/caif/cfctrl.h linux-2.6.38.6/include/net/caif/cfctrl.h
56771 --- linux-2.6.38.6/include/net/caif/cfctrl.h 2011-03-14 21:20:32.000000000 -0400
56772 +++ linux-2.6.38.6/include/net/caif/cfctrl.h 2011-04-28 19:57:25.000000000 -0400
56773 @@ -101,8 +101,8 @@ struct cfctrl_request_info {
56775 struct cfsrvl serv;
56776 struct cfctrl_rsp res;
56777 - atomic_t req_seq_no;
56778 - atomic_t rsp_seq_no;
56779 + atomic_unchecked_t req_seq_no;
56780 + atomic_unchecked_t rsp_seq_no;
56781 struct list_head list;
56782 /* Protects from simultaneous access to first_req list */
56783 spinlock_t info_list_lock;
56784 diff -urNp linux-2.6.38.6/include/net/flow.h linux-2.6.38.6/include/net/flow.h
56785 --- linux-2.6.38.6/include/net/flow.h 2011-03-14 21:20:32.000000000 -0400
56786 +++ linux-2.6.38.6/include/net/flow.h 2011-04-28 19:57:25.000000000 -0400
56787 @@ -109,7 +109,7 @@ extern struct flow_cache_object *flow_ca
56788 u8 dir, flow_resolve_t resolver, void *ctx);
56790 extern void flow_cache_flush(void);
56791 -extern atomic_t flow_cache_genid;
56792 +extern atomic_unchecked_t flow_cache_genid;
56794 static inline int flow_cache_uli_match(struct flowi *fl1, struct flowi *fl2)
56796 diff -urNp linux-2.6.38.6/include/net/inetpeer.h linux-2.6.38.6/include/net/inetpeer.h
56797 --- linux-2.6.38.6/include/net/inetpeer.h 2011-03-14 21:20:32.000000000 -0400
56798 +++ linux-2.6.38.6/include/net/inetpeer.h 2011-04-28 19:34:15.000000000 -0400
56799 @@ -38,8 +38,8 @@ struct inet_peer {
56803 - atomic_t rid; /* Frag reception counter */
56804 - atomic_t ip_id_count; /* IP ID for the next packet */
56805 + atomic_unchecked_t rid; /* Frag reception counter */
56806 + atomic_unchecked_t ip_id_count; /* IP ID for the next packet */
56808 __u32 tcp_ts_stamp;
56810 @@ -88,7 +88,7 @@ static inline __u16 inet_getid(struct in
56813 inet_peer_refcheck(p);
56814 - return atomic_add_return(more, &p->ip_id_count) - more;
56815 + return atomic_add_return_unchecked(more, &p->ip_id_count) - more;
56818 #endif /* _NET_INETPEER_H */
56819 diff -urNp linux-2.6.38.6/include/net/ip_vs.h linux-2.6.38.6/include/net/ip_vs.h
56820 --- linux-2.6.38.6/include/net/ip_vs.h 2011-03-14 21:20:32.000000000 -0400
56821 +++ linux-2.6.38.6/include/net/ip_vs.h 2011-04-28 19:57:25.000000000 -0400
56822 @@ -404,7 +404,7 @@ struct ip_vs_conn {
56823 struct ip_vs_conn *control; /* Master control connection */
56824 atomic_t n_control; /* Number of controlled ones */
56825 struct ip_vs_dest *dest; /* real server */
56826 - atomic_t in_pkts; /* incoming packet counter */
56827 + atomic_unchecked_t in_pkts; /* incoming packet counter */
56829 /* packet transmitter for different forwarding methods. If it
56830 mangles the packet, it must return NF_DROP or better NF_STOLEN,
56831 @@ -513,7 +513,7 @@ struct ip_vs_dest {
56832 union nf_inet_addr addr; /* IP address of the server */
56833 __be16 port; /* port number of the server */
56834 volatile unsigned flags; /* dest status flags */
56835 - atomic_t conn_flags; /* flags to copy to conn */
56836 + atomic_unchecked_t conn_flags; /* flags to copy to conn */
56837 atomic_t weight; /* server weight */
56839 atomic_t refcnt; /* reference counter */
56840 diff -urNp linux-2.6.38.6/include/net/irda/ircomm_tty.h linux-2.6.38.6/include/net/irda/ircomm_tty.h
56841 --- linux-2.6.38.6/include/net/irda/ircomm_tty.h 2011-03-14 21:20:32.000000000 -0400
56842 +++ linux-2.6.38.6/include/net/irda/ircomm_tty.h 2011-04-28 19:34:15.000000000 -0400
56844 #include <linux/termios.h>
56845 #include <linux/timer.h>
56846 #include <linux/tty.h> /* struct tty_struct */
56847 +#include <asm/local.h>
56849 #include <net/irda/irias_object.h>
56850 #include <net/irda/ircomm_core.h>
56851 @@ -105,8 +106,8 @@ struct ircomm_tty_cb {
56852 unsigned short close_delay;
56853 unsigned short closing_wait; /* time to wait before closing */
56856 - int blocked_open; /* # of blocked opens */
56857 + local_t open_count;
56858 + local_t blocked_open; /* # of blocked opens */
56860 /* Protect concurent access to :
56861 * o self->open_count
56862 diff -urNp linux-2.6.38.6/include/net/iucv/af_iucv.h linux-2.6.38.6/include/net/iucv/af_iucv.h
56863 --- linux-2.6.38.6/include/net/iucv/af_iucv.h 2011-03-14 21:20:32.000000000 -0400
56864 +++ linux-2.6.38.6/include/net/iucv/af_iucv.h 2011-04-28 19:57:25.000000000 -0400
56865 @@ -87,7 +87,7 @@ struct iucv_sock {
56866 struct iucv_sock_list {
56867 struct hlist_head head;
56869 - atomic_t autobind_name;
56870 + atomic_unchecked_t autobind_name;
56873 unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
56874 diff -urNp linux-2.6.38.6/include/net/neighbour.h linux-2.6.38.6/include/net/neighbour.h
56875 --- linux-2.6.38.6/include/net/neighbour.h 2011-03-14 21:20:32.000000000 -0400
56876 +++ linux-2.6.38.6/include/net/neighbour.h 2011-04-28 19:34:15.000000000 -0400
56877 @@ -118,12 +118,12 @@ struct neighbour {
56881 - void (*solicit)(struct neighbour *, struct sk_buff*);
56882 - void (*error_report)(struct neighbour *, struct sk_buff*);
56883 - int (*output)(struct sk_buff*);
56884 - int (*connected_output)(struct sk_buff*);
56885 - int (*hh_output)(struct sk_buff*);
56886 - int (*queue_xmit)(struct sk_buff*);
56887 + void (* const solicit)(struct neighbour *, struct sk_buff*);
56888 + void (* const error_report)(struct neighbour *, struct sk_buff*);
56889 + int (* const output)(struct sk_buff*);
56890 + int (* const connected_output)(struct sk_buff*);
56891 + int (* const hh_output)(struct sk_buff*);
56892 + int (* const queue_xmit)(struct sk_buff*);
56895 struct pneigh_entry {
56896 diff -urNp linux-2.6.38.6/include/net/netlink.h linux-2.6.38.6/include/net/netlink.h
56897 --- linux-2.6.38.6/include/net/netlink.h 2011-03-14 21:20:32.000000000 -0400
56898 +++ linux-2.6.38.6/include/net/netlink.h 2011-04-28 19:34:15.000000000 -0400
56899 @@ -562,7 +562,7 @@ static inline void *nlmsg_get_pos(struct
56900 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
56903 - skb_trim(skb, (unsigned char *) mark - skb->data);
56904 + skb_trim(skb, (const unsigned char *) mark - skb->data);
56908 diff -urNp linux-2.6.38.6/include/net/netns/ipv4.h linux-2.6.38.6/include/net/netns/ipv4.h
56909 --- linux-2.6.38.6/include/net/netns/ipv4.h 2011-03-14 21:20:32.000000000 -0400
56910 +++ linux-2.6.38.6/include/net/netns/ipv4.h 2011-04-28 19:57:25.000000000 -0400
56911 @@ -55,7 +55,7 @@ struct netns_ipv4 {
56912 int sysctl_rt_cache_rebuild_count;
56913 int current_rt_cache_rebuild_count;
56915 - atomic_t rt_genid;
56916 + atomic_unchecked_t rt_genid;
56918 #ifdef CONFIG_IP_MROUTE
56919 #ifndef CONFIG_IP_MROUTE_MULTIPLE_TABLES
56920 diff -urNp linux-2.6.38.6/include/net/sctp/sctp.h linux-2.6.38.6/include/net/sctp/sctp.h
56921 --- linux-2.6.38.6/include/net/sctp/sctp.h 2011-03-14 21:20:32.000000000 -0400
56922 +++ linux-2.6.38.6/include/net/sctp/sctp.h 2011-04-28 19:34:15.000000000 -0400
56923 @@ -316,9 +316,9 @@ do { \
56925 #else /* SCTP_DEBUG */
56927 -#define SCTP_DEBUG_PRINTK(whatever...)
56928 -#define SCTP_DEBUG_PRINTK_CONT(fmt, args...)
56929 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
56930 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
56931 +#define SCTP_DEBUG_PRINTK_CONT(fmt, args...) do {} while (0)
56932 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
56933 #define SCTP_ENABLE_DEBUG
56934 #define SCTP_DISABLE_DEBUG
56935 #define SCTP_ASSERT(expr, str, func)
56936 diff -urNp linux-2.6.38.6/include/net/sock.h linux-2.6.38.6/include/net/sock.h
56937 --- linux-2.6.38.6/include/net/sock.h 2011-03-14 21:20:32.000000000 -0400
56938 +++ linux-2.6.38.6/include/net/sock.h 2011-04-28 19:57:25.000000000 -0400
56939 @@ -277,7 +277,7 @@ struct sock {
56943 - atomic_t sk_drops;
56944 + atomic_unchecked_t sk_drops;
56947 struct sk_filter __rcu *sk_filter;
56948 diff -urNp linux-2.6.38.6/include/net/tcp.h linux-2.6.38.6/include/net/tcp.h
56949 --- linux-2.6.38.6/include/net/tcp.h 2011-03-14 21:20:32.000000000 -0400
56950 +++ linux-2.6.38.6/include/net/tcp.h 2011-04-28 19:34:15.000000000 -0400
56951 @@ -1382,7 +1382,7 @@ enum tcp_seq_states {
56952 struct tcp_seq_afinfo {
56954 sa_family_t family;
56955 - struct file_operations seq_fops;
56956 + struct file_operations seq_fops; /* cannot be const */
56957 struct seq_operations seq_ops;
56960 diff -urNp linux-2.6.38.6/include/net/udp.h linux-2.6.38.6/include/net/udp.h
56961 --- linux-2.6.38.6/include/net/udp.h 2011-03-14 21:20:32.000000000 -0400
56962 +++ linux-2.6.38.6/include/net/udp.h 2011-04-28 19:34:15.000000000 -0400
56963 @@ -223,7 +223,7 @@ struct udp_seq_afinfo {
56965 sa_family_t family;
56966 struct udp_table *udp_table;
56967 - struct file_operations seq_fops;
56968 + struct file_operations seq_fops; /* cannot be const */
56969 struct seq_operations seq_ops;
56972 diff -urNp linux-2.6.38.6/include/net/xfrm.h linux-2.6.38.6/include/net/xfrm.h
56973 --- linux-2.6.38.6/include/net/xfrm.h 2011-03-14 21:20:32.000000000 -0400
56974 +++ linux-2.6.38.6/include/net/xfrm.h 2011-04-28 19:57:25.000000000 -0400
56975 @@ -484,7 +484,7 @@ struct xfrm_policy {
56976 struct timer_list timer;
56978 struct flow_cache_object flo;
56980 + atomic_unchecked_t genid;
56983 struct xfrm_mark mark;
56984 diff -urNp linux-2.6.38.6/include/scsi/scsi_device.h linux-2.6.38.6/include/scsi/scsi_device.h
56985 --- linux-2.6.38.6/include/scsi/scsi_device.h 2011-04-18 17:27:18.000000000 -0400
56986 +++ linux-2.6.38.6/include/scsi/scsi_device.h 2011-04-28 19:57:25.000000000 -0400
56987 @@ -161,9 +161,9 @@ struct scsi_device {
56988 unsigned int max_device_blocked; /* what device_blocked counts down from */
56989 #define SCSI_DEFAULT_DEVICE_BLOCKED 3
56991 - atomic_t iorequest_cnt;
56992 - atomic_t iodone_cnt;
56993 - atomic_t ioerr_cnt;
56994 + atomic_unchecked_t iorequest_cnt;
56995 + atomic_unchecked_t iodone_cnt;
56996 + atomic_unchecked_t ioerr_cnt;
56998 struct device sdev_gendev,
57000 diff -urNp linux-2.6.38.6/include/sound/ac97_codec.h linux-2.6.38.6/include/sound/ac97_codec.h
57001 --- linux-2.6.38.6/include/sound/ac97_codec.h 2011-03-14 21:20:32.000000000 -0400
57002 +++ linux-2.6.38.6/include/sound/ac97_codec.h 2011-04-28 19:34:15.000000000 -0400
57003 @@ -419,15 +419,15 @@
57006 struct snd_ac97_build_ops {
57007 - int (*build_3d) (struct snd_ac97 *ac97);
57008 - int (*build_specific) (struct snd_ac97 *ac97);
57009 - int (*build_spdif) (struct snd_ac97 *ac97);
57010 - int (*build_post_spdif) (struct snd_ac97 *ac97);
57011 + int (* const build_3d) (struct snd_ac97 *ac97);
57012 + int (* const build_specific) (struct snd_ac97 *ac97);
57013 + int (* const build_spdif) (struct snd_ac97 *ac97);
57014 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
57016 - void (*suspend) (struct snd_ac97 *ac97);
57017 - void (*resume) (struct snd_ac97 *ac97);
57018 + void (* const suspend) (struct snd_ac97 *ac97);
57019 + void (* const resume) (struct snd_ac97 *ac97);
57021 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
57022 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
57025 struct snd_ac97_bus_ops {
57026 diff -urNp linux-2.6.38.6/include/sound/ymfpci.h linux-2.6.38.6/include/sound/ymfpci.h
57027 --- linux-2.6.38.6/include/sound/ymfpci.h 2011-03-14 21:20:32.000000000 -0400
57028 +++ linux-2.6.38.6/include/sound/ymfpci.h 2011-04-28 19:57:25.000000000 -0400
57029 @@ -358,7 +358,7 @@ struct snd_ymfpci {
57030 spinlock_t reg_lock;
57031 spinlock_t voice_lock;
57032 wait_queue_head_t interrupt_sleep;
57033 - atomic_t interrupt_sleep_count;
57034 + atomic_unchecked_t interrupt_sleep_count;
57035 struct snd_info_entry *proc_entry;
57036 const struct firmware *dsp_microcode;
57037 const struct firmware *controller_microcode;
57038 diff -urNp linux-2.6.38.6/include/target/target_core_base.h linux-2.6.38.6/include/target/target_core_base.h
57039 --- linux-2.6.38.6/include/target/target_core_base.h 2011-03-14 21:20:32.000000000 -0400
57040 +++ linux-2.6.38.6/include/target/target_core_base.h 2011-04-28 19:57:25.000000000 -0400
57041 @@ -431,8 +431,8 @@ struct se_transport_task {
57042 atomic_t t_task_cdbs_left;
57043 atomic_t t_task_cdbs_ex_left;
57044 atomic_t t_task_cdbs_timeout_left;
57045 - atomic_t t_task_cdbs_sent;
57046 - atomic_t t_transport_aborted;
57047 + atomic_unchecked_t t_task_cdbs_sent;
57048 + atomic_unchecked_t t_transport_aborted;
57049 atomic_t t_transport_active;
57050 atomic_t t_transport_complete;
57051 atomic_t t_transport_queue_active;
57052 @@ -753,7 +753,7 @@ struct se_device {
57053 atomic_t active_cmds;
57054 atomic_t simple_cmds;
57055 atomic_t depth_left;
57056 - atomic_t dev_ordered_id;
57057 + atomic_unchecked_t dev_ordered_id;
57058 atomic_t dev_tur_active;
57059 atomic_t execute_tasks;
57060 atomic_t dev_status_thr_count;
57061 diff -urNp linux-2.6.38.6/include/trace/events/irq.h linux-2.6.38.6/include/trace/events/irq.h
57062 --- linux-2.6.38.6/include/trace/events/irq.h 2011-03-14 21:20:32.000000000 -0400
57063 +++ linux-2.6.38.6/include/trace/events/irq.h 2011-04-28 19:34:15.000000000 -0400
57064 @@ -36,7 +36,7 @@ struct softirq_action;
57066 TRACE_EVENT(irq_handler_entry,
57068 - TP_PROTO(int irq, struct irqaction *action),
57069 + TP_PROTO(int irq, const struct irqaction *action),
57071 TP_ARGS(irq, action),
57073 @@ -66,7 +66,7 @@ TRACE_EVENT(irq_handler_entry,
57075 TRACE_EVENT(irq_handler_exit,
57077 - TP_PROTO(int irq, struct irqaction *action, int ret),
57078 + TP_PROTO(int irq, const struct irqaction *action, int ret),
57080 TP_ARGS(irq, action, ret),
57082 diff -urNp linux-2.6.38.6/include/video/udlfb.h linux-2.6.38.6/include/video/udlfb.h
57083 --- linux-2.6.38.6/include/video/udlfb.h 2011-03-14 21:20:32.000000000 -0400
57084 +++ linux-2.6.38.6/include/video/udlfb.h 2011-04-28 19:57:25.000000000 -0400
57085 @@ -51,10 +51,10 @@ struct dlfb_data {
57087 u32 pseudo_palette[256];
57088 /* blit-only rendering path metrics, exposed through sysfs */
57089 - atomic_t bytes_rendered; /* raw pixel-bytes driver asked to render */
57090 - atomic_t bytes_identical; /* saved effort with backbuffer comparison */
57091 - atomic_t bytes_sent; /* to usb, after compression including overhead */
57092 - atomic_t cpu_kcycles_used; /* transpired during pixel processing */
57093 + atomic_unchecked_t bytes_rendered; /* raw pixel-bytes driver asked to render */
57094 + atomic_unchecked_t bytes_identical; /* saved effort with backbuffer comparison */
57095 + atomic_unchecked_t bytes_sent; /* to usb, after compression including overhead */
57096 + atomic_unchecked_t cpu_kcycles_used; /* transpired during pixel processing */
57099 #define NR_USB_REQUEST_I2C_SUB_IO 0x02
57100 diff -urNp linux-2.6.38.6/include/video/uvesafb.h linux-2.6.38.6/include/video/uvesafb.h
57101 --- linux-2.6.38.6/include/video/uvesafb.h 2011-03-14 21:20:32.000000000 -0400
57102 +++ linux-2.6.38.6/include/video/uvesafb.h 2011-04-28 19:34:15.000000000 -0400
57103 @@ -177,6 +177,7 @@ struct uvesafb_par {
57104 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
57105 u8 pmi_setpal; /* PMI for palette changes */
57106 u16 *pmi_base; /* protected mode interface location */
57107 + u8 *pmi_code; /* protected mode code location */
57110 u8 *vbe_state_orig; /*
57111 diff -urNp linux-2.6.38.6/init/do_mounts.c linux-2.6.38.6/init/do_mounts.c
57112 --- linux-2.6.38.6/init/do_mounts.c 2011-03-14 21:20:32.000000000 -0400
57113 +++ linux-2.6.38.6/init/do_mounts.c 2011-04-28 19:34:15.000000000 -0400
57114 @@ -287,7 +287,7 @@ static void __init get_fs_names(char *pa
57116 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
57118 - int err = sys_mount(name, "/root", fs, flags, data);
57119 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
57123 @@ -382,18 +382,18 @@ void __init change_floppy(char *fmt, ...
57124 va_start(args, fmt);
57125 vsprintf(buf, fmt, args);
57127 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
57128 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
57130 sys_ioctl(fd, FDEJECT, 0);
57133 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
57134 - fd = sys_open("/dev/console", O_RDWR, 0);
57135 + fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
57137 sys_ioctl(fd, TCGETS, (long)&termios);
57138 termios.c_lflag &= ~ICANON;
57139 sys_ioctl(fd, TCSETSF, (long)&termios);
57140 - sys_read(fd, &c, 1);
57141 + sys_read(fd, (char __user *)&c, 1);
57142 termios.c_lflag |= ICANON;
57143 sys_ioctl(fd, TCSETSF, (long)&termios);
57145 @@ -487,6 +487,6 @@ void __init prepare_namespace(void)
57148 devtmpfs_mount("dev");
57149 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
57150 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
57151 sys_chroot((const char __user __force *)".");
57153 diff -urNp linux-2.6.38.6/init/do_mounts.h linux-2.6.38.6/init/do_mounts.h
57154 --- linux-2.6.38.6/init/do_mounts.h 2011-03-14 21:20:32.000000000 -0400
57155 +++ linux-2.6.38.6/init/do_mounts.h 2011-04-28 19:34:15.000000000 -0400
57156 @@ -15,15 +15,15 @@ extern int root_mountflags;
57158 static inline int create_dev(char *name, dev_t dev)
57160 - sys_unlink(name);
57161 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
57162 + sys_unlink((__force char __user *)name);
57163 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
57166 #if BITS_PER_LONG == 32
57167 static inline u32 bstat(char *name)
57169 struct stat64 stat;
57170 - if (sys_stat64(name, &stat) != 0)
57171 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
57173 if (!S_ISBLK(stat.st_mode))
57175 diff -urNp linux-2.6.38.6/init/do_mounts_initrd.c linux-2.6.38.6/init/do_mounts_initrd.c
57176 --- linux-2.6.38.6/init/do_mounts_initrd.c 2011-03-14 21:20:32.000000000 -0400
57177 +++ linux-2.6.38.6/init/do_mounts_initrd.c 2011-04-28 19:34:15.000000000 -0400
57178 @@ -44,13 +44,13 @@ static void __init handle_initrd(void)
57179 create_dev("/dev/root.old", Root_RAM0);
57180 /* mount initrd on rootfs' /root */
57181 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
57182 - sys_mkdir("/old", 0700);
57183 - root_fd = sys_open("/", 0, 0);
57184 - old_fd = sys_open("/old", 0, 0);
57185 + sys_mkdir((__force const char __user *)"/old", 0700);
57186 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
57187 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
57188 /* move initrd over / and chdir/chroot in initrd root */
57189 - sys_chdir("/root");
57190 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
57192 + sys_chdir((__force const char __user *)"/root");
57193 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
57194 + sys_chroot((__force const char __user *)".");
57197 * In case that a resume from disk is carried out by linuxrc or one of
57198 @@ -67,15 +67,15 @@ static void __init handle_initrd(void)
57200 /* move initrd to rootfs' /old */
57201 sys_fchdir(old_fd);
57202 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
57203 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
57204 /* switch root and cwd back to / of rootfs */
57205 sys_fchdir(root_fd);
57207 + sys_chroot((__force const char __user *)".");
57209 sys_close(root_fd);
57211 if (new_decode_dev(real_root_dev) == Root_RAM0) {
57212 - sys_chdir("/old");
57213 + sys_chdir((__force const char __user *)"/old");
57217 @@ -83,17 +83,17 @@ static void __init handle_initrd(void)
57220 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
57221 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
57222 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
57226 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
57227 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
57228 if (error == -ENOENT)
57229 printk("/initrd does not exist. Ignored.\n");
57231 printk("failed\n");
57232 printk(KERN_NOTICE "Unmounting old root\n");
57233 - sys_umount("/old", MNT_DETACH);
57234 + sys_umount((__force char __user *)"/old", MNT_DETACH);
57235 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
57238 @@ -116,11 +116,11 @@ int __init initrd_load(void)
57239 * mounted in the normal path.
57241 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
57242 - sys_unlink("/initrd.image");
57243 + sys_unlink((__force const char __user *)"/initrd.image");
57248 - sys_unlink("/initrd.image");
57249 + sys_unlink((__force const char __user *)"/initrd.image");
57252 diff -urNp linux-2.6.38.6/init/do_mounts_md.c linux-2.6.38.6/init/do_mounts_md.c
57253 --- linux-2.6.38.6/init/do_mounts_md.c 2011-03-14 21:20:32.000000000 -0400
57254 +++ linux-2.6.38.6/init/do_mounts_md.c 2011-04-28 19:34:15.000000000 -0400
57255 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
57256 partitioned ? "_d" : "", minor,
57257 md_setup_args[ent].device_names);
57259 - fd = sys_open(name, 0, 0);
57260 + fd = sys_open((__force char __user *)name, 0, 0);
57262 printk(KERN_ERR "md: open failed - cannot start "
57263 "array %s\n", name);
57264 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
57268 - fd = sys_open(name, 0, 0);
57269 + fd = sys_open((__force char __user *)name, 0, 0);
57270 sys_ioctl(fd, BLKRRPART, 0);
57273 diff -urNp linux-2.6.38.6/init/initramfs.c linux-2.6.38.6/init/initramfs.c
57274 --- linux-2.6.38.6/init/initramfs.c 2011-03-14 21:20:32.000000000 -0400
57275 +++ linux-2.6.38.6/init/initramfs.c 2011-04-28 19:34:15.000000000 -0400
57276 @@ -74,7 +74,7 @@ static void __init free_hash(void)
57280 -static long __init do_utime(char __user *filename, time_t mtime)
57281 +static long __init do_utime(__force char __user *filename, time_t mtime)
57283 struct timespec t[2];
57285 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
57286 struct dir_entry *de, *tmp;
57287 list_for_each_entry_safe(de, tmp, &dir_list, list) {
57288 list_del(&de->list);
57289 - do_utime(de->name, de->mtime);
57290 + do_utime((__force char __user *)de->name, de->mtime);
57294 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
57296 char *old = find_link(major, minor, ino, mode, collected);
57298 - return (sys_link(old, collected) < 0) ? -1 : 1;
57299 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
57303 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
57307 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
57308 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
57309 if (S_ISDIR(st.st_mode))
57311 + sys_rmdir((__force char __user *)path);
57313 - sys_unlink(path);
57314 + sys_unlink((__force char __user *)path);
57318 @@ -305,7 +305,7 @@ static int __init do_name(void)
57319 int openflags = O_WRONLY|O_CREAT;
57321 openflags |= O_TRUNC;
57322 - wfd = sys_open(collected, openflags, mode);
57323 + wfd = sys_open((__force char __user *)collected, openflags, mode);
57326 sys_fchown(wfd, uid, gid);
57327 @@ -317,17 +317,17 @@ static int __init do_name(void)
57330 } else if (S_ISDIR(mode)) {
57331 - sys_mkdir(collected, mode);
57332 - sys_chown(collected, uid, gid);
57333 - sys_chmod(collected, mode);
57334 + sys_mkdir((__force char __user *)collected, mode);
57335 + sys_chown((__force char __user *)collected, uid, gid);
57336 + sys_chmod((__force char __user *)collected, mode);
57337 dir_add(collected, mtime);
57338 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
57339 S_ISFIFO(mode) || S_ISSOCK(mode)) {
57340 if (maybe_link() == 0) {
57341 - sys_mknod(collected, mode, rdev);
57342 - sys_chown(collected, uid, gid);
57343 - sys_chmod(collected, mode);
57344 - do_utime(collected, mtime);
57345 + sys_mknod((__force char __user *)collected, mode, rdev);
57346 + sys_chown((__force char __user *)collected, uid, gid);
57347 + sys_chmod((__force char __user *)collected, mode);
57348 + do_utime((__force char __user *)collected, mtime);
57352 @@ -336,15 +336,15 @@ static int __init do_name(void)
57353 static int __init do_copy(void)
57355 if (count >= body_len) {
57356 - sys_write(wfd, victim, body_len);
57357 + sys_write(wfd, (__force char __user *)victim, body_len);
57359 - do_utime(vcollected, mtime);
57360 + do_utime((__force char __user *)vcollected, mtime);
57366 - sys_write(wfd, victim, count);
57367 + sys_write(wfd, (__force char __user *)victim, count);
57371 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
57373 collected[N_ALIGN(name_len) + body_len] = '\0';
57374 clean_path(collected, 0);
57375 - sys_symlink(collected + N_ALIGN(name_len), collected);
57376 - sys_lchown(collected, uid, gid);
57377 - do_utime(collected, mtime);
57378 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
57379 + sys_lchown((__force char __user *)collected, uid, gid);
57380 + do_utime((__force char __user *)collected, mtime);
57382 next_state = Reset;
57384 diff -urNp linux-2.6.38.6/init/Kconfig linux-2.6.38.6/init/Kconfig
57385 --- linux-2.6.38.6/init/Kconfig 2011-05-10 22:06:27.000000000 -0400
57386 +++ linux-2.6.38.6/init/Kconfig 2011-05-10 22:06:56.000000000 -0400
57387 @@ -1185,7 +1185,7 @@ config SLUB_DEBUG
57390 bool "Disable heap randomization"
57394 Randomizing heap placement makes heap exploits harder, but it
57395 also breaks ancient binaries (including anything libc5 based).
57396 diff -urNp linux-2.6.38.6/init/main.c linux-2.6.38.6/init/main.c
57397 --- linux-2.6.38.6/init/main.c 2011-03-14 21:20:32.000000000 -0400
57398 +++ linux-2.6.38.6/init/main.c 2011-04-28 19:34:15.000000000 -0400
57399 @@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void)
57400 extern void tc_init(void);
57403 +extern void grsecurity_init(void);
57406 * Debug helper: via this flag we know that we are in 'early bootup code'
57407 * where only the boot processor is running with IRQ disabled. This means
57408 @@ -206,6 +208,47 @@ static int __init set_reset_devices(char
57410 __setup("reset_devices", set_reset_devices);
57412 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
57413 +extern char pax_enter_kernel_user[];
57414 +extern char pax_exit_kernel_user[];
57415 +extern pgdval_t clone_pgd_mask;
57418 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
57419 +static int __init setup_pax_nouderef(char *str)
57421 +#ifdef CONFIG_X86_32
57422 + unsigned int cpu;
57424 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
57425 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].type = 3;
57426 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].limit = 0xf;
57427 + get_cpu_gdt_table(cpu)[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
57428 + get_cpu_gdt_table(cpu)[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
57430 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
57432 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
57433 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
57434 + clone_pgd_mask = ~(pgdval_t)0UL;
57439 +early_param("pax_nouderef", setup_pax_nouderef);
57442 +#ifdef CONFIG_PAX_SOFTMODE
57443 +unsigned int pax_softmode;
57445 +static int __init setup_pax_softmode(char *str)
57447 + get_option(&str, &pax_softmode);
57450 +__setup("pax_softmode=", setup_pax_softmode);
57453 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
57454 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
57455 static const char *panic_later, *panic_param;
57456 @@ -751,6 +794,7 @@ int __init_or_module do_one_initcall(ini
57458 int count = preempt_count();
57460 + const char *msg1 = "", *msg2 = "";
57462 if (initcall_debug)
57463 ret = do_one_initcall_debug(fn);
57464 @@ -763,15 +807,15 @@ int __init_or_module do_one_initcall(ini
57465 sprintf(msgbuf, "error code %d ", ret);
57467 if (preempt_count() != count) {
57468 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
57469 + msg1 = " preemption imbalance";
57470 preempt_count() = count;
57472 if (irqs_disabled()) {
57473 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
57474 + msg2 = " disabled interrupts";
57475 local_irq_enable();
57478 - printk("initcall %pF returned with %s\n", fn, msgbuf);
57479 + if (msgbuf[0] || *msg1 || *msg2) {
57480 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
57484 @@ -898,7 +942,7 @@ static int __init kernel_init(void * unu
57487 /* Open the /dev/console on the rootfs, this should never fail */
57488 - if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
57489 + if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
57490 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
57493 @@ -911,11 +955,13 @@ static int __init kernel_init(void * unu
57494 if (!ramdisk_execute_command)
57495 ramdisk_execute_command = "/init";
57497 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
57498 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
57499 ramdisk_execute_command = NULL;
57500 prepare_namespace();
57503 + grsecurity_init();
57506 * Ok, we have completed the initial bootup, and
57507 * we're essentially up and running. Get rid of the
57508 diff -urNp linux-2.6.38.6/ipc/mqueue.c linux-2.6.38.6/ipc/mqueue.c
57509 --- linux-2.6.38.6/ipc/mqueue.c 2011-03-14 21:20:32.000000000 -0400
57510 +++ linux-2.6.38.6/ipc/mqueue.c 2011-04-28 19:34:15.000000000 -0400
57511 @@ -154,6 +154,7 @@ static struct inode *mqueue_get_inode(st
57512 mq_bytes = (mq_msg_tblsz +
57513 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
57515 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
57516 spin_lock(&mq_lock);
57517 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
57518 u->mq_bytes + mq_bytes >
57519 diff -urNp linux-2.6.38.6/ipc/sem.c linux-2.6.38.6/ipc/sem.c
57520 --- linux-2.6.38.6/ipc/sem.c 2011-03-14 21:20:32.000000000 -0400
57521 +++ linux-2.6.38.6/ipc/sem.c 2011-05-16 21:47:08.000000000 -0400
57522 @@ -854,6 +854,8 @@ static int semctl_main(struct ipc_namesp
57524 struct list_head tasks;
57526 + pax_track_stack();
57528 sma = sem_lock_check(ns, semid);
57530 return PTR_ERR(sma);
57531 @@ -1299,6 +1301,8 @@ SYSCALL_DEFINE4(semtimedop, int, semid,
57532 struct ipc_namespace *ns;
57533 struct list_head tasks;
57535 + pax_track_stack();
57537 ns = current->nsproxy->ipc_ns;
57539 if (nsops < 1 || semid < 0)
57540 diff -urNp linux-2.6.38.6/ipc/shm.c linux-2.6.38.6/ipc/shm.c
57541 --- linux-2.6.38.6/ipc/shm.c 2011-03-14 21:20:32.000000000 -0400
57542 +++ linux-2.6.38.6/ipc/shm.c 2011-04-28 19:34:15.000000000 -0400
57543 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
57544 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
57547 +#ifdef CONFIG_GRKERNSEC
57548 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
57549 + const time_t shm_createtime, const uid_t cuid,
57550 + const int shmid);
57551 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
57552 + const time_t shm_createtime);
57555 void shm_init_ns(struct ipc_namespace *ns)
57557 ns->shm_ctlmax = SHMMAX;
57558 @@ -401,6 +409,14 @@ static int newseg(struct ipc_namespace *
57559 shp->shm_lprid = 0;
57560 shp->shm_atim = shp->shm_dtim = 0;
57561 shp->shm_ctim = get_seconds();
57562 +#ifdef CONFIG_GRKERNSEC
57564 + struct timespec timeval;
57565 + do_posix_clock_monotonic_gettime(&timeval);
57567 + shp->shm_createtime = timeval.tv_sec;
57570 shp->shm_segsz = size;
57571 shp->shm_nattch = 0;
57572 shp->shm_file = file;
57573 @@ -761,8 +777,6 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int,
57577 - struct file *uninitialized_var(shm_file);
57579 lru_add_drain_all(); /* drain pagevecs to lru lists */
57581 shp = shm_lock_check(ns, shmid);
57582 @@ -895,9 +909,21 @@ long do_shmat(int shmid, char __user *sh
57586 +#ifdef CONFIG_GRKERNSEC
57587 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
57588 + shp->shm_perm.cuid, shmid) ||
57589 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
57595 path = shp->shm_file->f_path;
57598 +#ifdef CONFIG_GRKERNSEC
57599 + shp->shm_lapid = current->pid;
57601 size = i_size_read(path.dentry->d_inode);
57604 diff -urNp linux-2.6.38.6/kernel/acct.c linux-2.6.38.6/kernel/acct.c
57605 --- linux-2.6.38.6/kernel/acct.c 2011-03-14 21:20:32.000000000 -0400
57606 +++ linux-2.6.38.6/kernel/acct.c 2011-04-28 19:34:15.000000000 -0400
57607 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
57609 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
57610 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
57611 - file->f_op->write(file, (char *)&ac,
57612 + file->f_op->write(file, (__force char __user *)&ac,
57613 sizeof(acct_t), &file->f_pos);
57614 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
57616 diff -urNp linux-2.6.38.6/kernel/audit.c linux-2.6.38.6/kernel/audit.c
57617 --- linux-2.6.38.6/kernel/audit.c 2011-03-14 21:20:32.000000000 -0400
57618 +++ linux-2.6.38.6/kernel/audit.c 2011-04-28 19:57:25.000000000 -0400
57619 @@ -110,7 +110,7 @@ u32 audit_sig_sid = 0;
57620 3) suppressed due to audit_rate_limit
57621 4) suppressed due to audit_backlog_limit
57623 -static atomic_t audit_lost = ATOMIC_INIT(0);
57624 +static atomic_unchecked_t audit_lost = ATOMIC_INIT(0);
57626 /* The netlink socket. */
57627 static struct sock *audit_sock;
57628 @@ -232,7 +232,7 @@ void audit_log_lost(const char *message)
57632 - atomic_inc(&audit_lost);
57633 + atomic_inc_unchecked(&audit_lost);
57635 print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
57637 @@ -251,7 +251,7 @@ void audit_log_lost(const char *message)
57638 printk(KERN_WARNING
57639 "audit: audit_lost=%d audit_rate_limit=%d "
57640 "audit_backlog_limit=%d\n",
57641 - atomic_read(&audit_lost),
57642 + atomic_read_unchecked(&audit_lost),
57644 audit_backlog_limit);
57645 audit_panic(message);
57646 @@ -684,7 +684,7 @@ static int audit_receive_msg(struct sk_b
57647 status_set.pid = audit_pid;
57648 status_set.rate_limit = audit_rate_limit;
57649 status_set.backlog_limit = audit_backlog_limit;
57650 - status_set.lost = atomic_read(&audit_lost);
57651 + status_set.lost = atomic_read_unchecked(&audit_lost);
57652 status_set.backlog = skb_queue_len(&audit_skb_queue);
57653 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
57654 &status_set, sizeof(status_set));
57655 diff -urNp linux-2.6.38.6/kernel/auditsc.c linux-2.6.38.6/kernel/auditsc.c
57656 --- linux-2.6.38.6/kernel/auditsc.c 2011-03-14 21:20:32.000000000 -0400
57657 +++ linux-2.6.38.6/kernel/auditsc.c 2011-04-28 19:57:25.000000000 -0400
57658 @@ -2111,7 +2111,7 @@ int auditsc_get_stamp(struct audit_conte
57661 /* global counter which is incremented every time something logs in */
57662 -static atomic_t session_id = ATOMIC_INIT(0);
57663 +static atomic_unchecked_t session_id = ATOMIC_INIT(0);
57666 * audit_set_loginuid - set a task's audit_context loginuid
57667 @@ -2124,7 +2124,7 @@ static atomic_t session_id = ATOMIC_INIT
57669 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
57671 - unsigned int sessionid = atomic_inc_return(&session_id);
57672 + unsigned int sessionid = atomic_inc_return_unchecked(&session_id);
57673 struct audit_context *context = task->audit_context;
57675 if (context && context->in_syscall) {
57676 diff -urNp linux-2.6.38.6/kernel/capability.c linux-2.6.38.6/kernel/capability.c
57677 --- linux-2.6.38.6/kernel/capability.c 2011-03-14 21:20:32.000000000 -0400
57678 +++ linux-2.6.38.6/kernel/capability.c 2011-04-28 19:34:15.000000000 -0400
57679 @@ -205,6 +205,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
57680 * before modification is attempted and the application
57683 + if (tocopy > ARRAY_SIZE(kdata))
57686 if (copy_to_user(dataptr, kdata, tocopy
57687 * sizeof(struct __user_cap_data_struct))) {
57689 @@ -306,10 +309,26 @@ int capable(int cap)
57693 - if (security_capable(current_cred(), cap) == 0) {
57694 + if (security_capable(current_cred(), cap) == 0 && gr_is_capable(cap)) {
57695 current->flags |= PF_SUPERPRIV;
57701 +int capable_nolog(int cap)
57703 + if (unlikely(!cap_valid(cap))) {
57704 + printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
57708 + if (security_capable(current_cred(), cap) == 0 && gr_is_capable_nolog(cap)) {
57709 + current->flags |= PF_SUPERPRIV;
57715 EXPORT_SYMBOL(capable);
57716 +EXPORT_SYMBOL(capable_nolog);
57717 diff -urNp linux-2.6.38.6/kernel/cgroup.c linux-2.6.38.6/kernel/cgroup.c
57718 --- linux-2.6.38.6/kernel/cgroup.c 2011-04-18 17:27:16.000000000 -0400
57719 +++ linux-2.6.38.6/kernel/cgroup.c 2011-05-16 21:47:09.000000000 -0400
57720 @@ -598,6 +598,8 @@ static struct css_set *find_css_set(
57721 struct hlist_head *hhead;
57722 struct cg_cgroup_link *link;
57724 + pax_track_stack();
57726 /* First see if we already have a cgroup group that matches
57727 * the desired set */
57728 read_lock(&css_set_lock);
57729 diff -urNp linux-2.6.38.6/kernel/compat.c linux-2.6.38.6/kernel/compat.c
57730 --- linux-2.6.38.6/kernel/compat.c 2011-03-14 21:20:32.000000000 -0400
57731 +++ linux-2.6.38.6/kernel/compat.c 2011-04-28 19:34:15.000000000 -0400
57734 #include <linux/linkage.h>
57735 #include <linux/compat.h>
57736 +#include <linux/module.h>
57737 #include <linux/errno.h>
57738 #include <linux/time.h>
57739 #include <linux/signal.h>
57740 diff -urNp linux-2.6.38.6/kernel/configs.c linux-2.6.38.6/kernel/configs.c
57741 --- linux-2.6.38.6/kernel/configs.c 2011-03-14 21:20:32.000000000 -0400
57742 +++ linux-2.6.38.6/kernel/configs.c 2011-04-28 19:34:15.000000000 -0400
57743 @@ -74,8 +74,19 @@ static int __init ikconfig_init(void)
57744 struct proc_dir_entry *entry;
57746 /* create the current config file */
57747 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
57748 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
57749 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
57750 + &ikconfig_file_ops);
57751 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
57752 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
57753 + &ikconfig_file_ops);
57756 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
57757 &ikconfig_file_ops);
57763 diff -urNp linux-2.6.38.6/kernel/cred.c linux-2.6.38.6/kernel/cred.c
57764 --- linux-2.6.38.6/kernel/cred.c 2011-03-14 21:20:32.000000000 -0400
57765 +++ linux-2.6.38.6/kernel/cred.c 2011-05-17 19:31:43.000000000 -0400
57766 @@ -157,6 +157,8 @@ static void put_cred_rcu(struct rcu_head
57768 void __put_cred(struct cred *cred)
57770 + pax_track_stack();
57772 kdebug("__put_cred(%p{%d,%d})", cred,
57773 atomic_read(&cred->usage),
57774 read_cred_subscribers(cred));
57775 @@ -181,6 +183,8 @@ void exit_creds(struct task_struct *tsk)
57779 + pax_track_stack();
57781 kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
57782 atomic_read(&tsk->cred->usage),
57783 read_cred_subscribers(tsk->cred));
57784 @@ -219,6 +223,8 @@ const struct cred *get_task_cred(struct
57786 const struct cred *cred;
57788 + pax_track_stack();
57793 @@ -238,6 +244,8 @@ struct cred *cred_alloc_blank(void)
57797 + pax_track_stack();
57799 new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
57802 @@ -332,6 +342,8 @@ struct cred *prepare_exec_creds(void)
57803 struct thread_group_cred *tgcred = NULL;
57806 + pax_track_stack();
57809 tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
57811 @@ -384,6 +396,8 @@ int copy_creds(struct task_struct *p, un
57815 + pax_track_stack();
57819 !p->cred->thread_keyring &&
57820 @@ -469,6 +483,8 @@ int commit_creds(struct cred *new)
57821 struct task_struct *task = current;
57822 const struct cred *old = task->real_cred;
57824 + pax_track_stack();
57826 kdebug("commit_creds(%p{%d,%d})", new,
57827 atomic_read(&new->usage),
57828 read_cred_subscribers(new));
57829 @@ -483,6 +499,8 @@ int commit_creds(struct cred *new)
57831 get_cred(new); /* we will require a ref for the subj creds too */
57833 + gr_set_role_label(task, new->uid, new->gid);
57835 /* dumpability changes */
57836 if (old->euid != new->euid ||
57837 old->egid != new->egid ||
57838 @@ -545,6 +563,8 @@ EXPORT_SYMBOL(commit_creds);
57840 void abort_creds(struct cred *new)
57842 + pax_track_stack();
57844 kdebug("abort_creds(%p{%d,%d})", new,
57845 atomic_read(&new->usage),
57846 read_cred_subscribers(new));
57847 @@ -568,6 +588,8 @@ const struct cred *override_creds(const
57849 const struct cred *old = current->cred;
57851 + pax_track_stack();
57853 kdebug("override_creds(%p{%d,%d})", new,
57854 atomic_read(&new->usage),
57855 read_cred_subscribers(new));
57856 @@ -597,6 +619,8 @@ void revert_creds(const struct cred *old
57858 const struct cred *override = current->cred;
57860 + pax_track_stack();
57862 kdebug("revert_creds(%p{%d,%d})", old,
57863 atomic_read(&old->usage),
57864 read_cred_subscribers(old));
57865 @@ -643,6 +667,8 @@ struct cred *prepare_kernel_cred(struct
57866 const struct cred *old;
57869 + pax_track_stack();
57871 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
57874 @@ -697,6 +723,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
57876 int set_security_override(struct cred *new, u32 secid)
57878 + pax_track_stack();
57880 return security_kernel_act_as(new, secid);
57882 EXPORT_SYMBOL(set_security_override);
57883 @@ -716,6 +744,8 @@ int set_security_override_from_ctx(struc
57887 + pax_track_stack();
57889 ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
57892 --- linux-2.6.38/kernel/cred.c~ 2011-05-18 10:48:25.661292226 +0200
57893 +++ linux-2.6.38/kernel/cred.c 2011-05-18 10:51:03.218531815 +0200
57894 @@ -301,6 +301,8 @@
57897 struct cred *prepare_creds(void)
57900 + pax_track_stack();
57901 validate_process_creds();
57903 diff -urNp linux-2.6.38.6/kernel/debug/debug_core.c linux-2.6.38.6/kernel/debug/debug_core.c
57904 --- linux-2.6.38.6/kernel/debug/debug_core.c 2011-03-14 21:20:32.000000000 -0400
57905 +++ linux-2.6.38.6/kernel/debug/debug_core.c 2011-04-28 19:57:25.000000000 -0400
57906 @@ -72,7 +72,7 @@ int kgdb_io_module_registered;
57907 /* Guard for recursive entry */
57908 static int exception_level;
57910 -struct kgdb_io *dbg_io_ops;
57911 +const struct kgdb_io *dbg_io_ops;
57912 static DEFINE_SPINLOCK(kgdb_registration_lock);
57914 /* kgdb console driver is loaded */
57915 @@ -119,7 +119,7 @@ static DEFINE_RAW_SPINLOCK(dbg_slave_loc
57917 static atomic_t masters_in_kgdb;
57918 static atomic_t slaves_in_kgdb;
57919 -static atomic_t kgdb_break_tasklet_var;
57920 +static atomic_unchecked_t kgdb_break_tasklet_var;
57921 atomic_t kgdb_setting_breakpoint;
57923 struct task_struct *kgdb_usethread;
57924 @@ -129,7 +129,7 @@ int kgdb_single_step;
57925 static pid_t kgdb_sstep_pid;
57927 /* to keep track of the CPU which is doing the single stepping*/
57928 -atomic_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
57929 +atomic_unchecked_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
57932 * If you are debugging a problem where roundup (the collection of
57933 @@ -542,7 +542,7 @@ return_normal:
57934 * kernel will only try for the value of sstep_tries before
57935 * giving up and continuing on.
57937 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
57938 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
57939 (kgdb_info[cpu].task &&
57940 kgdb_info[cpu].task->pid != kgdb_sstep_pid) && --sstep_tries) {
57941 atomic_set(&kgdb_active, -1);
57942 @@ -636,8 +636,8 @@ cpu_master_loop:
57946 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
57947 - int sstep_cpu = atomic_read(&kgdb_cpu_doing_single_step);
57948 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
57949 + int sstep_cpu = atomic_read_unchecked(&kgdb_cpu_doing_single_step);
57950 if (kgdb_info[sstep_cpu].task)
57951 kgdb_sstep_pid = kgdb_info[sstep_cpu].task->pid;
57953 @@ -834,18 +834,18 @@ static void kgdb_unregister_callbacks(vo
57954 static void kgdb_tasklet_bpt(unsigned long ing)
57957 - atomic_set(&kgdb_break_tasklet_var, 0);
57958 + atomic_set_unchecked(&kgdb_break_tasklet_var, 0);
57961 static DECLARE_TASKLET(kgdb_tasklet_breakpoint, kgdb_tasklet_bpt, 0);
57963 void kgdb_schedule_breakpoint(void)
57965 - if (atomic_read(&kgdb_break_tasklet_var) ||
57966 + if (atomic_read_unchecked(&kgdb_break_tasklet_var) ||
57967 atomic_read(&kgdb_active) != -1 ||
57968 atomic_read(&kgdb_setting_breakpoint))
57970 - atomic_inc(&kgdb_break_tasklet_var);
57971 + atomic_inc_unchecked(&kgdb_break_tasklet_var);
57972 tasklet_schedule(&kgdb_tasklet_breakpoint);
57974 EXPORT_SYMBOL_GPL(kgdb_schedule_breakpoint);
57975 @@ -864,7 +864,7 @@ static void kgdb_initial_breakpoint(void
57977 * Register it with the KGDB core.
57979 -int kgdb_register_io_module(struct kgdb_io *new_dbg_io_ops)
57980 +int kgdb_register_io_module(const struct kgdb_io *new_dbg_io_ops)
57984 @@ -909,7 +909,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
57986 * Unregister it with the KGDB core.
57988 -void kgdb_unregister_io_module(struct kgdb_io *old_dbg_io_ops)
57989 +void kgdb_unregister_io_module(const struct kgdb_io *old_dbg_io_ops)
57991 BUG_ON(kgdb_connected);
57993 diff -urNp linux-2.6.38.6/kernel/debug/kdb/kdb_main.c linux-2.6.38.6/kernel/debug/kdb/kdb_main.c
57994 --- linux-2.6.38.6/kernel/debug/kdb/kdb_main.c 2011-03-14 21:20:32.000000000 -0400
57995 +++ linux-2.6.38.6/kernel/debug/kdb/kdb_main.c 2011-04-28 19:34:15.000000000 -0400
57996 @@ -1980,7 +1980,7 @@ static int kdb_lsmod(int argc, const cha
57997 list_for_each_entry(mod, kdb_modules, list) {
57999 kdb_printf("%-20s%8u 0x%p ", mod->name,
58000 - mod->core_size, (void *)mod);
58001 + mod->core_size_rx + mod->core_size_rw, (void *)mod);
58002 #ifdef CONFIG_MODULE_UNLOAD
58003 kdb_printf("%4d ", module_refcount(mod));
58005 @@ -1990,7 +1990,7 @@ static int kdb_lsmod(int argc, const cha
58006 kdb_printf(" (Loading)");
58008 kdb_printf(" (Live)");
58009 - kdb_printf(" 0x%p", mod->module_core);
58010 + kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
58012 #ifdef CONFIG_MODULE_UNLOAD
58014 diff -urNp linux-2.6.38.6/kernel/exit.c linux-2.6.38.6/kernel/exit.c
58015 --- linux-2.6.38.6/kernel/exit.c 2011-03-14 21:20:32.000000000 -0400
58016 +++ linux-2.6.38.6/kernel/exit.c 2011-04-28 19:34:15.000000000 -0400
58018 #include <asm/pgtable.h>
58019 #include <asm/mmu_context.h>
58021 +#ifdef CONFIG_GRKERNSEC
58022 +extern rwlock_t grsec_exec_file_lock;
58025 static void exit_mm(struct task_struct * tsk);
58027 static void __unhash_process(struct task_struct *p, bool group_dead)
58028 @@ -169,6 +173,8 @@ void release_task(struct task_struct * p
58029 struct task_struct *leader;
58032 + gr_del_task_from_ip_table(p);
58034 tracehook_prepare_release_task(p);
58035 /* don't need to get the RCU readlock here - the process is dead and
58036 * can't be modifying its own credentials. But shut RCU-lockdep up */
58037 @@ -338,11 +344,22 @@ static void reparent_to_kthreadd(void)
58039 write_lock_irq(&tasklist_lock);
58041 +#ifdef CONFIG_GRKERNSEC
58042 + write_lock(&grsec_exec_file_lock);
58043 + if (current->exec_file) {
58044 + fput(current->exec_file);
58045 + current->exec_file = NULL;
58047 + write_unlock(&grsec_exec_file_lock);
58050 ptrace_unlink(current);
58051 /* Reparent to init */
58052 current->real_parent = current->parent = kthreadd_task;
58053 list_move_tail(¤t->sibling, ¤t->real_parent->children);
58055 + gr_set_kernel_label(current);
58057 /* Set the exit signal to SIGCHLD so we signal init on exit */
58058 current->exit_signal = SIGCHLD;
58060 @@ -394,7 +411,7 @@ int allow_signal(int sig)
58061 * know it'll be handled, so that they don't get converted to
58062 * SIGKILL or just silently dropped.
58064 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
58065 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
58066 recalc_sigpending();
58067 spin_unlock_irq(¤t->sighand->siglock);
58069 @@ -430,6 +447,17 @@ void daemonize(const char *name, ...)
58070 vsnprintf(current->comm, sizeof(current->comm), name, args);
58073 +#ifdef CONFIG_GRKERNSEC
58074 + write_lock(&grsec_exec_file_lock);
58075 + if (current->exec_file) {
58076 + fput(current->exec_file);
58077 + current->exec_file = NULL;
58079 + write_unlock(&grsec_exec_file_lock);
58082 + gr_set_kernel_label(current);
58085 * If we were started as result of loading a module, close all of the
58086 * user space pages. We don't need them, and if we didn't close them
58087 @@ -905,17 +933,17 @@ NORET_TYPE void do_exit(long code)
58088 struct task_struct *tsk = current;
58091 - profile_task_exit(tsk);
58093 - WARN_ON(atomic_read(&tsk->fs_excl));
58096 + * Check this first since set_fs() below depends on
58097 + * current_thread_info(), which we better not access when we're in
58098 + * interrupt context. Other than that, we want to do the set_fs()
58099 + * as early as possible.
58101 if (unlikely(in_interrupt()))
58102 panic("Aiee, killing interrupt handler!");
58103 - if (unlikely(!tsk->pid))
58104 - panic("Attempted to kill the idle task!");
58107 - * If do_exit is called because this processes oopsed, it's possible
58108 + * If do_exit is called because this processes Oops'ed, it's possible
58109 * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
58110 * continuing. Amongst other possible reasons, this is to prevent
58111 * mm_release()->clear_child_tid() from writing to a user-controlled
58112 @@ -923,6 +951,13 @@ NORET_TYPE void do_exit(long code)
58116 + profile_task_exit(tsk);
58118 + WARN_ON(atomic_read(&tsk->fs_excl));
58120 + if (unlikely(!tsk->pid))
58121 + panic("Attempted to kill the idle task!");
58123 tracehook_report_exit(&code);
58125 validate_creds_for_do_exit(tsk);
58126 @@ -983,6 +1018,9 @@ NORET_TYPE void do_exit(long code)
58127 tsk->exit_code = code;
58128 taskstats_exit(tsk, group_dead);
58130 + gr_acl_handle_psacct(tsk, code);
58131 + gr_acl_handle_exit();
58136 diff -urNp linux-2.6.38.6/kernel/fork.c linux-2.6.38.6/kernel/fork.c
58137 --- linux-2.6.38.6/kernel/fork.c 2011-03-14 21:20:32.000000000 -0400
58138 +++ linux-2.6.38.6/kernel/fork.c 2011-04-28 19:34:15.000000000 -0400
58139 @@ -280,7 +280,7 @@ static struct task_struct *dup_task_stru
58140 *stackend = STACK_END_MAGIC; /* for overflow detection */
58142 #ifdef CONFIG_CC_STACKPROTECTOR
58143 - tsk->stack_canary = get_random_int();
58144 + tsk->stack_canary = pax_get_random_long();
58147 /* One for us, one for whoever does the "release_task()" (usually parent) */
58148 @@ -302,13 +302,78 @@ out:
58152 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
58154 + struct vm_area_struct *tmp;
58155 + unsigned long charge;
58156 + struct mempolicy *pol;
58157 + struct file *file;
58160 + if (mpnt->vm_flags & VM_ACCOUNT) {
58161 + unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
58162 + if (security_vm_enough_memory(len))
58166 + tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
58171 + INIT_LIST_HEAD(&tmp->anon_vma_chain);
58172 + pol = mpol_dup(vma_policy(mpnt));
58174 + goto fail_nomem_policy;
58175 + vma_set_policy(tmp, pol);
58176 + if (anon_vma_fork(tmp, mpnt))
58177 + goto fail_nomem_anon_vma_fork;
58178 + tmp->vm_flags &= ~VM_LOCKED;
58179 + tmp->vm_next = tmp->vm_prev = NULL;
58180 + tmp->vm_mirror = NULL;
58181 + file = tmp->vm_file;
58183 + struct inode *inode = file->f_path.dentry->d_inode;
58184 + struct address_space *mapping = file->f_mapping;
58187 + if (tmp->vm_flags & VM_DENYWRITE)
58188 + atomic_dec(&inode->i_writecount);
58189 + spin_lock(&mapping->i_mmap_lock);
58190 + if (tmp->vm_flags & VM_SHARED)
58191 + mapping->i_mmap_writable++;
58192 + tmp->vm_truncate_count = mpnt->vm_truncate_count;
58193 + flush_dcache_mmap_lock(mapping);
58194 + /* insert tmp into the share list, just after mpnt */
58195 + vma_prio_tree_add(tmp, mpnt);
58196 + flush_dcache_mmap_unlock(mapping);
58197 + spin_unlock(&mapping->i_mmap_lock);
58201 + * Clear hugetlb-related page reserves for children. This only
58202 + * affects MAP_PRIVATE mappings. Faults generated by the child
58203 + * are not guaranteed to succeed, even if read-only
58205 + if (is_vm_hugetlb_page(tmp))
58206 + reset_vma_resv_huge_pages(tmp);
58210 +fail_nomem_anon_vma_fork:
58212 +fail_nomem_policy:
58213 + kmem_cache_free(vm_area_cachep, tmp);
58215 + vm_unacct_memory(charge);
58219 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
58221 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
58222 struct rb_node **rb_link, *rb_parent;
58224 - unsigned long charge;
58225 - struct mempolicy *pol;
58227 down_write(&oldmm->mmap_sem);
58228 flush_cache_dup_mm(oldmm);
58229 @@ -320,8 +385,8 @@ static int dup_mmap(struct mm_struct *mm
58232 mm->mmap_cache = NULL;
58233 - mm->free_area_cache = oldmm->mmap_base;
58234 - mm->cached_hole_size = ~0UL;
58235 + mm->free_area_cache = oldmm->free_area_cache;
58236 + mm->cached_hole_size = oldmm->cached_hole_size;
58238 cpumask_clear(mm_cpumask(mm));
58239 mm->mm_rb = RB_ROOT;
58240 @@ -337,8 +402,6 @@ static int dup_mmap(struct mm_struct *mm
58243 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
58244 - struct file *file;
58246 if (mpnt->vm_flags & VM_DONTCOPY) {
58247 long pages = vma_pages(mpnt);
58248 mm->total_vm -= pages;
58249 @@ -346,56 +409,13 @@ static int dup_mmap(struct mm_struct *mm
58254 - if (mpnt->vm_flags & VM_ACCOUNT) {
58255 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
58256 - if (security_vm_enough_memory(len))
58260 - tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
58264 - INIT_LIST_HEAD(&tmp->anon_vma_chain);
58265 - pol = mpol_dup(vma_policy(mpnt));
58266 - retval = PTR_ERR(pol);
58268 - goto fail_nomem_policy;
58269 - vma_set_policy(tmp, pol);
58271 - if (anon_vma_fork(tmp, mpnt))
58272 - goto fail_nomem_anon_vma_fork;
58273 - tmp->vm_flags &= ~VM_LOCKED;
58274 - tmp->vm_next = tmp->vm_prev = NULL;
58275 - file = tmp->vm_file;
58277 - struct inode *inode = file->f_path.dentry->d_inode;
58278 - struct address_space *mapping = file->f_mapping;
58281 - if (tmp->vm_flags & VM_DENYWRITE)
58282 - atomic_dec(&inode->i_writecount);
58283 - spin_lock(&mapping->i_mmap_lock);
58284 - if (tmp->vm_flags & VM_SHARED)
58285 - mapping->i_mmap_writable++;
58286 - tmp->vm_truncate_count = mpnt->vm_truncate_count;
58287 - flush_dcache_mmap_lock(mapping);
58288 - /* insert tmp into the share list, just after mpnt */
58289 - vma_prio_tree_add(tmp, mpnt);
58290 - flush_dcache_mmap_unlock(mapping);
58291 - spin_unlock(&mapping->i_mmap_lock);
58292 + tmp = dup_vma(mm, mpnt);
58294 + retval = -ENOMEM;
58299 - * Clear hugetlb-related page reserves for children. This only
58300 - * affects MAP_PRIVATE mappings. Faults generated by the child
58301 - * are not guaranteed to succeed, even if read-only
58303 - if (is_vm_hugetlb_page(tmp))
58304 - reset_vma_resv_huge_pages(tmp);
58307 * Link in the new vma and copy the page table entries.
58310 @@ -416,6 +436,31 @@ static int dup_mmap(struct mm_struct *mm
58315 +#ifdef CONFIG_PAX_SEGMEXEC
58316 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
58317 + struct vm_area_struct *mpnt_m;
58319 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
58320 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
58322 + if (!mpnt->vm_mirror)
58325 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
58326 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
58327 + mpnt->vm_mirror = mpnt_m;
58329 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
58330 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
58331 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
58332 + mpnt->vm_mirror->vm_mirror = mpnt;
58339 /* a new mm has just been created */
58340 arch_dup_mmap(oldmm, mm);
58342 @@ -424,14 +469,6 @@ out:
58343 flush_tlb_mm(oldmm);
58344 up_write(&oldmm->mmap_sem);
58346 -fail_nomem_anon_vma_fork:
58348 -fail_nomem_policy:
58349 - kmem_cache_free(vm_area_cachep, tmp);
58351 - retval = -ENOMEM;
58352 - vm_unacct_memory(charge);
58356 static inline int mm_alloc_pgd(struct mm_struct * mm)
58357 @@ -778,13 +815,14 @@ static int copy_fs(unsigned long clone_f
58358 spin_unlock(&fs->lock);
58362 + atomic_inc(&fs->users);
58363 spin_unlock(&fs->lock);
58366 tsk->fs = copy_fs_struct(fs);
58369 + gr_set_chroot_entries(tsk, &tsk->fs->root);
58373 @@ -1042,10 +1080,13 @@ static struct task_struct *copy_process(
58375 if (!vx_nproc_avail(1))
58376 goto bad_fork_free;
58378 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
58380 if (atomic_read(&p->real_cred->user->processes) >=
58381 task_rlimit(p, RLIMIT_NPROC)) {
58382 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
58383 - p->real_cred->user != INIT_USER)
58384 + if (p->real_cred->user != INIT_USER &&
58385 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
58386 goto bad_fork_free;
58389 @@ -1199,6 +1240,8 @@ static struct task_struct *copy_process(
58390 goto bad_fork_free_pid;
58393 + gr_copy_label(p);
58395 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
58397 * Clear TID on mm_release()?
58398 @@ -1356,6 +1399,8 @@ bad_fork_cleanup_count:
58402 + gr_log_forkfail(retval);
58404 return ERR_PTR(retval);
58407 @@ -1444,6 +1489,8 @@ long do_fork(unsigned long clone_flags,
58408 if (clone_flags & CLONE_PARENT_SETTID)
58409 put_user(nr, parent_tidptr);
58411 + gr_handle_brute_check();
58413 if (clone_flags & CLONE_VFORK) {
58414 p->vfork_done = &vfork;
58415 init_completion(&vfork);
58416 @@ -1559,7 +1606,7 @@ static int unshare_fs(unsigned long unsh
58419 /* don't need lock here; in the worst case we'll do useless copy */
58420 - if (fs->users == 1)
58421 + if (atomic_read(&fs->users) == 1)
58424 *new_fsp = copy_fs_struct(fs);
58425 @@ -1682,7 +1729,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
58427 spin_lock(&fs->lock);
58428 current->fs = new_fs;
58430 + gr_set_chroot_entries(current, ¤t->fs->root);
58431 + if (atomic_dec_return(&fs->users))
58435 diff -urNp linux-2.6.38.6/kernel/futex.c linux-2.6.38.6/kernel/futex.c
58436 --- linux-2.6.38.6/kernel/futex.c 2011-04-22 19:20:59.000000000 -0400
58437 +++ linux-2.6.38.6/kernel/futex.c 2011-05-16 21:47:08.000000000 -0400
58439 #include <linux/mount.h>
58440 #include <linux/pagemap.h>
58441 #include <linux/syscalls.h>
58442 +#include <linux/ptrace.h>
58443 #include <linux/signal.h>
58444 #include <linux/module.h>
58445 #include <linux/magic.h>
58446 @@ -236,6 +237,11 @@ get_futex_key(u32 __user *uaddr, int fsh
58447 struct page *page, *page_head;
58450 +#ifdef CONFIG_PAX_SEGMEXEC
58451 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
58456 * The futex address must be "naturally" aligned.
58458 @@ -1833,6 +1839,8 @@ static int futex_wait(u32 __user *uaddr,
58459 struct futex_q q = futex_q_init;
58462 + pax_track_stack();
58467 @@ -2232,6 +2240,8 @@ static int futex_wait_requeue_pi(u32 __u
58468 struct futex_q q = futex_q_init;
58471 + pax_track_stack();
58476 @@ -2404,7 +2414,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
58478 struct robust_list_head __user *head;
58480 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
58481 const struct cred *cred = current_cred(), *pcred;
58484 if (!futex_cmpxchg_enabled)
58486 @@ -2420,11 +2432,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
58490 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
58491 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
58494 pcred = __task_cred(p);
58495 if (cred->euid != pcred->euid &&
58496 cred->euid != pcred->uid &&
58497 !capable(CAP_SYS_PTRACE))
58500 head = p->robust_list;
58503 @@ -2667,6 +2684,7 @@ static int __init futex_init(void)
58507 + mm_segment_t oldfs;
58510 * This will fail and we want it. Some arch implementations do
58511 @@ -2678,7 +2696,10 @@ static int __init futex_init(void)
58512 * implementation, the non-functional ones will return
58515 + oldfs = get_fs();
58517 curval = cmpxchg_futex_value_locked(NULL, 0, 0);
58519 if (curval == -EFAULT)
58520 futex_cmpxchg_enabled = 1;
58522 diff -urNp linux-2.6.38.6/kernel/futex_compat.c linux-2.6.38.6/kernel/futex_compat.c
58523 --- linux-2.6.38.6/kernel/futex_compat.c 2011-03-14 21:20:32.000000000 -0400
58524 +++ linux-2.6.38.6/kernel/futex_compat.c 2011-04-28 19:34:15.000000000 -0400
58526 #include <linux/compat.h>
58527 #include <linux/nsproxy.h>
58528 #include <linux/futex.h>
58529 +#include <linux/ptrace.h>
58531 #include <asm/uaccess.h>
58533 @@ -136,7 +137,10 @@ compat_sys_get_robust_list(int pid, comp
58535 struct compat_robust_list_head __user *head;
58537 - const struct cred *cred = current_cred(), *pcred;
58538 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
58539 + const struct cred *cred = current_cred();
58540 + const struct cred *pcred;
58543 if (!futex_cmpxchg_enabled)
58545 @@ -152,11 +156,16 @@ compat_sys_get_robust_list(int pid, comp
58549 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
58550 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
58553 pcred = __task_cred(p);
58554 if (cred->euid != pcred->euid &&
58555 cred->euid != pcred->uid &&
58556 !capable(CAP_SYS_PTRACE))
58559 head = p->compat_robust_list;
58562 diff -urNp linux-2.6.38.6/kernel/gcov/base.c linux-2.6.38.6/kernel/gcov/base.c
58563 --- linux-2.6.38.6/kernel/gcov/base.c 2011-03-14 21:20:32.000000000 -0400
58564 +++ linux-2.6.38.6/kernel/gcov/base.c 2011-04-28 19:34:15.000000000 -0400
58565 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
58568 #ifdef CONFIG_MODULES
58569 -static inline int within(void *addr, void *start, unsigned long size)
58571 - return ((addr >= start) && (addr < start + size));
58574 /* Update list and generate events when modules are unloaded. */
58575 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
58577 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
58579 /* Remove entries located in module from linked list. */
58580 for (info = gcov_info_head; info; info = info->next) {
58581 - if (within(info, mod->module_core, mod->core_size)) {
58582 + if (within_module_core_rw((unsigned long)info, mod)) {
58584 prev->next = info->next;
58586 diff -urNp linux-2.6.38.6/kernel/hrtimer.c linux-2.6.38.6/kernel/hrtimer.c
58587 --- linux-2.6.38.6/kernel/hrtimer.c 2011-03-14 21:20:32.000000000 -0400
58588 +++ linux-2.6.38.6/kernel/hrtimer.c 2011-04-28 19:34:15.000000000 -0400
58589 @@ -1371,7 +1371,7 @@ void hrtimer_peek_ahead_timers(void)
58590 local_irq_restore(flags);
58593 -static void run_hrtimer_softirq(struct softirq_action *h)
58594 +static void run_hrtimer_softirq(void)
58596 hrtimer_peek_ahead_timers();
58598 diff -urNp linux-2.6.38.6/kernel/jump_label.c linux-2.6.38.6/kernel/jump_label.c
58599 --- linux-2.6.38.6/kernel/jump_label.c 2011-03-14 21:20:32.000000000 -0400
58600 +++ linux-2.6.38.6/kernel/jump_label.c 2011-04-28 19:34:15.000000000 -0400
58601 @@ -49,6 +49,17 @@ void jump_label_unlock(void)
58602 mutex_unlock(&jump_label_mutex);
58605 +static void jump_label_swap(void *a, void *b, int size)
58607 + struct jump_entry t;
58609 + t = *(struct jump_entry *)a;
58610 + pax_open_kernel();
58611 + *(struct jump_entry *)a = *(struct jump_entry *)b;
58612 + *(struct jump_entry *)b = t;
58613 + pax_close_kernel();
58616 static int jump_label_cmp(const void *a, const void *b)
58618 const struct jump_entry *jea = a;
58619 @@ -70,7 +81,7 @@ sort_jump_label_entries(struct jump_entr
58621 size = (((unsigned long)stop - (unsigned long)start)
58622 / sizeof(struct jump_entry));
58623 - sort(start, size, sizeof(struct jump_entry), jump_label_cmp, NULL);
58624 + sort(start, size, sizeof(struct jump_entry), jump_label_cmp, jump_label_swap);
58627 static struct jump_label_entry *get_jump_label_entry(jump_label_t key)
58628 @@ -407,8 +418,11 @@ static void remove_jump_label_module_ini
58629 count = e_module->nr_entries;
58630 iter = e_module->table;
58632 - if (within_module_init(iter->code, mod))
58633 + if (within_module_init(iter->code, mod)) {
58634 + pax_open_kernel();
58636 + pax_close_kernel();
58641 diff -urNp linux-2.6.38.6/kernel/kallsyms.c linux-2.6.38.6/kernel/kallsyms.c
58642 --- linux-2.6.38.6/kernel/kallsyms.c 2011-03-14 21:20:32.000000000 -0400
58643 +++ linux-2.6.38.6/kernel/kallsyms.c 2011-04-28 19:34:15.000000000 -0400
58645 * Changed the compression method from stem compression to "table lookup"
58646 * compression (see scripts/kallsyms.c for a more complete description)
58648 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58649 +#define __INCLUDED_BY_HIDESYM 1
58651 #include <linux/kallsyms.h>
58652 #include <linux/module.h>
58653 #include <linux/init.h>
58654 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
58656 static inline int is_kernel_inittext(unsigned long addr)
58658 + if (system_state != SYSTEM_BOOTING)
58661 if (addr >= (unsigned long)_sinittext
58662 && addr <= (unsigned long)_einittext)
58667 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
58668 +#ifdef CONFIG_MODULES
58669 +static inline int is_module_text(unsigned long addr)
58671 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
58674 + addr = ktla_ktva(addr);
58675 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
58678 +static inline int is_module_text(unsigned long addr)
58685 static inline int is_kernel_text(unsigned long addr)
58687 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
58688 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
58690 static inline int is_kernel(unsigned long addr)
58693 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
58694 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
58697 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
58699 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
58703 return in_gate_area_no_task(addr);
58706 static int is_ksym_addr(unsigned long addr)
58709 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
58710 + if (is_module_text(addr))
58715 return is_kernel(addr);
58717 @@ -416,7 +455,6 @@ static unsigned long get_ksymbol_core(st
58719 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
58721 - iter->name[0] = '\0';
58722 iter->nameoff = get_symbol_offset(new_pos);
58723 iter->pos = new_pos;
58725 @@ -464,6 +502,11 @@ static int s_show(struct seq_file *m, vo
58727 struct kallsym_iter *iter = m->private;
58729 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58730 + if (current_uid())
58734 /* Some debugging symbols have no name. Ignore them. */
58735 if (!iter->name[0])
58737 @@ -504,7 +547,7 @@ static int kallsyms_open(struct inode *i
58738 struct kallsym_iter *iter;
58741 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
58742 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
58745 reset_iter(iter, 0);
58746 diff -urNp linux-2.6.38.6/kernel/kmod.c linux-2.6.38.6/kernel/kmod.c
58747 --- linux-2.6.38.6/kernel/kmod.c 2011-03-14 21:20:32.000000000 -0400
58748 +++ linux-2.6.38.6/kernel/kmod.c 2011-04-28 19:34:15.000000000 -0400
58749 @@ -65,13 +65,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
58750 * If module auto-loading support is disabled then this function
58751 * becomes a no-operation.
58753 -int __request_module(bool wait, const char *fmt, ...)
58754 +static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
58757 char module_name[MODULE_NAME_LEN];
58758 unsigned int max_modprobes;
58760 - char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
58761 + char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };
58762 static char *envp[] = { "HOME=/",
58764 "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
58765 @@ -80,9 +79,7 @@ int __request_module(bool wait, const ch
58766 #define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */
58767 static int kmod_loop_msg;
58769 - va_start(args, fmt);
58770 - ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
58772 + ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
58773 if (ret >= MODULE_NAME_LEN)
58774 return -ENAMETOOLONG;
58776 @@ -90,6 +87,20 @@ int __request_module(bool wait, const ch
58780 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
58781 + if (!current_uid()) {
58782 + /* hack to workaround consolekit/udisks stupidity */
58783 + read_lock(&tasklist_lock);
58784 + if (!strcmp(current->comm, "mount") &&
58785 + current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
58786 + read_unlock(&tasklist_lock);
58787 + printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
58790 + read_unlock(&tasklist_lock);
58794 /* If modprobe needs a service that is in a module, we get a recursive
58795 * loop. Limit the number of running kmod threads to max_threads/2 or
58796 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
58797 @@ -123,6 +134,47 @@ int __request_module(bool wait, const ch
58798 atomic_dec(&kmod_concurrent);
58802 +int ___request_module(bool wait, char *module_param, const char *fmt, ...)
58807 + va_start(args, fmt);
58808 + ret = ____request_module(wait, module_param, fmt, args);
58814 +int __request_module(bool wait, const char *fmt, ...)
58819 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
58820 + if (current_uid()) {
58821 + char module_param[MODULE_NAME_LEN];
58823 + memset(module_param, 0, sizeof(module_param));
58825 + snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", current_uid());
58827 + va_start(args, fmt);
58828 + ret = ____request_module(wait, module_param, fmt, args);
58835 + va_start(args, fmt);
58836 + ret = ____request_module(wait, NULL, fmt, args);
58842 EXPORT_SYMBOL(__request_module);
58843 #endif /* CONFIG_MODULES */
58845 diff -urNp linux-2.6.38.6/kernel/kprobes.c linux-2.6.38.6/kernel/kprobes.c
58846 --- linux-2.6.38.6/kernel/kprobes.c 2011-03-14 21:20:32.000000000 -0400
58847 +++ linux-2.6.38.6/kernel/kprobes.c 2011-04-28 19:34:15.000000000 -0400
58848 @@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_
58849 * kernel image and loaded module images reside. This is required
58850 * so x86_64 can correctly handle the %rip-relative fixups.
58852 - kip->insns = module_alloc(PAGE_SIZE);
58853 + kip->insns = module_alloc_exec(PAGE_SIZE);
58857 @@ -225,7 +225,7 @@ static int __kprobes collect_one_slot(st
58859 if (!list_is_singular(&kip->list)) {
58860 list_del(&kip->list);
58861 - module_free(NULL, kip->insns);
58862 + module_free_exec(NULL, kip->insns);
58866 @@ -1936,7 +1936,7 @@ static int __init init_kprobes(void)
58869 unsigned long offset = 0, size = 0;
58870 - char *modname, namebuf[128];
58871 + char *modname, namebuf[KSYM_NAME_LEN];
58872 const char *symbol_name;
58874 struct kprobe_blackpoint *kb;
58875 @@ -2062,7 +2062,7 @@ static int __kprobes show_kprobe_addr(st
58876 const char *sym = NULL;
58877 unsigned int i = *(loff_t *) v;
58878 unsigned long offset = 0;
58879 - char *modname, namebuf[128];
58880 + char *modname, namebuf[KSYM_NAME_LEN];
58882 head = &kprobe_table[i];
58884 diff -urNp linux-2.6.38.6/kernel/lockdep.c linux-2.6.38.6/kernel/lockdep.c
58885 --- linux-2.6.38.6/kernel/lockdep.c 2011-03-14 21:20:32.000000000 -0400
58886 +++ linux-2.6.38.6/kernel/lockdep.c 2011-04-28 19:34:15.000000000 -0400
58887 @@ -571,6 +571,10 @@ static int static_obj(void *obj)
58888 end = (unsigned long) &_end,
58889 addr = (unsigned long) obj;
58891 +#ifdef CONFIG_PAX_KERNEXEC
58892 + start = ktla_ktva(start);
58898 @@ -706,6 +710,7 @@ register_lock_class(struct lockdep_map *
58899 if (!static_obj(lock->key)) {
58901 printk("INFO: trying to register non-static key.\n");
58902 + printk("lock:%pS key:%pS.\n", lock, lock->key);
58903 printk("the code is fine but needs lockdep annotation.\n");
58904 printk("turning off the locking correctness validator.\n");
58906 @@ -2752,7 +2757,7 @@ static int __lock_acquire(struct lockdep
58910 - atomic_inc((atomic_t *)&class->ops);
58911 + atomic_inc_unchecked((atomic_unchecked_t *)&class->ops);
58912 if (very_verbose(class)) {
58913 printk("\nacquire class [%p] %s", class->key, class->name);
58914 if (class->name_version > 1)
58915 diff -urNp linux-2.6.38.6/kernel/lockdep_proc.c linux-2.6.38.6/kernel/lockdep_proc.c
58916 --- linux-2.6.38.6/kernel/lockdep_proc.c 2011-03-14 21:20:32.000000000 -0400
58917 +++ linux-2.6.38.6/kernel/lockdep_proc.c 2011-04-28 19:34:15.000000000 -0400
58918 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
58920 static void print_name(struct seq_file *m, struct lock_class *class)
58923 + char str[KSYM_NAME_LEN];
58924 const char *name = class->name;
58927 diff -urNp linux-2.6.38.6/kernel/module.c linux-2.6.38.6/kernel/module.c
58928 --- linux-2.6.38.6/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
58929 +++ linux-2.6.38.6/kernel/module.c 2011-04-29 18:46:41.000000000 -0400
58931 #include <linux/kmemleak.h>
58932 #include <linux/jump_label.h>
58933 #include <linux/pfn.h>
58934 +#include <linux/grsecurity.h>
58936 #define CREATE_TRACE_POINTS
58937 #include <trace/events/module.h>
58938 @@ -118,7 +119,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
58940 /* Bounds of module allocation, for speeding __module_address.
58941 * Protected by module_mutex. */
58942 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
58943 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
58944 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
58946 int register_module_notifier(struct notifier_block * nb)
58948 @@ -282,7 +284,7 @@ bool each_symbol(bool (*fn)(const struct
58951 list_for_each_entry_rcu(mod, &modules, list) {
58952 - struct symsearch arr[] = {
58953 + struct symsearch modarr[] = {
58954 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
58955 NOT_GPL_ONLY, false },
58956 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
58957 @@ -304,7 +306,7 @@ bool each_symbol(bool (*fn)(const struct
58961 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
58962 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
58966 @@ -415,7 +417,7 @@ static inline void __percpu *mod_percpu(
58967 static int percpu_modalloc(struct module *mod,
58968 unsigned long size, unsigned long align)
58970 - if (align > PAGE_SIZE) {
58971 + if (align-1 >= PAGE_SIZE) {
58972 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
58973 mod->name, align, PAGE_SIZE);
58975 @@ -1143,7 +1145,7 @@ resolve_symbol_wait(struct module *mod,
58977 #ifdef CONFIG_SYSFS
58979 -#ifdef CONFIG_KALLSYMS
58980 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
58981 static inline bool sect_empty(const Elf_Shdr *sect)
58983 return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
58984 @@ -1612,17 +1614,17 @@ void unset_section_ro_nx(struct module *
58986 unsigned long total_pages;
58988 - if (mod->module_core == module_region) {
58989 + if (mod->module_core_rx == module_region) {
58990 /* Set core as NX+RW */
58991 - total_pages = MOD_NUMBER_OF_PAGES(mod->module_core, mod->core_size);
58992 - set_memory_nx((unsigned long)mod->module_core, total_pages);
58993 - set_memory_rw((unsigned long)mod->module_core, total_pages);
58994 + total_pages = MOD_NUMBER_OF_PAGES(mod->module_core_rx, mod->core_size_rx);
58995 + set_memory_nx((unsigned long)mod->module_core_rx, total_pages);
58996 + set_memory_rw((unsigned long)mod->module_core_rx, total_pages);
58998 - } else if (mod->module_init == module_region) {
58999 + } else if (mod->module_init_rx == module_region) {
59000 /* Set init as NX+RW */
59001 - total_pages = MOD_NUMBER_OF_PAGES(mod->module_init, mod->init_size);
59002 - set_memory_nx((unsigned long)mod->module_init, total_pages);
59003 - set_memory_rw((unsigned long)mod->module_init, total_pages);
59004 + total_pages = MOD_NUMBER_OF_PAGES(mod->module_init_rx, mod->init_size_rx);
59005 + set_memory_nx((unsigned long)mod->module_init_rx, total_pages);
59006 + set_memory_rw((unsigned long)mod->module_init_rx, total_pages);
59010 @@ -1633,14 +1635,14 @@ void set_all_modules_text_rw()
59012 mutex_lock(&module_mutex);
59013 list_for_each_entry_rcu(mod, &modules, list) {
59014 - if ((mod->module_core) && (mod->core_text_size)) {
59015 - set_page_attributes(mod->module_core,
59016 - mod->module_core + mod->core_text_size,
59017 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
59018 + set_page_attributes(mod->module_core_rx,
59019 + mod->module_core_rx + mod->core_size_rx,
59022 - if ((mod->module_init) && (mod->init_text_size)) {
59023 - set_page_attributes(mod->module_init,
59024 - mod->module_init + mod->init_text_size,
59025 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
59026 + set_page_attributes(mod->module_init_rx,
59027 + mod->module_init_rx + mod->init_size_rx,
59031 @@ -1654,14 +1656,14 @@ void set_all_modules_text_ro()
59033 mutex_lock(&module_mutex);
59034 list_for_each_entry_rcu(mod, &modules, list) {
59035 - if ((mod->module_core) && (mod->core_text_size)) {
59036 - set_page_attributes(mod->module_core,
59037 - mod->module_core + mod->core_text_size,
59038 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
59039 + set_page_attributes(mod->module_core_rx,
59040 + mod->module_core_rx + mod->core_size_rx,
59043 - if ((mod->module_init) && (mod->init_text_size)) {
59044 - set_page_attributes(mod->module_init,
59045 - mod->module_init + mod->init_text_size,
59046 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
59047 + set_page_attributes(mod->module_init_rx,
59048 + mod->module_init_rx + mod->init_size_rx,
59052 @@ -1696,17 +1698,20 @@ static void free_module(struct module *m
59053 destroy_params(mod->kp, mod->num_kp);
59055 /* This may be NULL, but that's OK */
59056 - unset_section_ro_nx(mod, mod->module_init);
59057 - module_free(mod, mod->module_init);
59058 + unset_section_ro_nx(mod, mod->module_init_rx);
59059 + module_free(mod, mod->module_init_rw);
59060 + module_free_exec(mod, mod->module_init_rx);
59062 percpu_modfree(mod);
59064 /* Free lock-classes: */
59065 - lockdep_free_key_range(mod->module_core, mod->core_size);
59066 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
59067 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
59069 /* Finally, free the core (containing the module structure) */
59070 - unset_section_ro_nx(mod, mod->module_core);
59071 - module_free(mod, mod->module_core);
59072 + unset_section_ro_nx(mod, mod->module_core_rx);
59073 + module_free_exec(mod, mod->module_core_rx);
59074 + module_free(mod, mod->module_core_rw);
59077 update_protections(current->mm);
59078 @@ -1775,10 +1780,31 @@ static int simplify_symbols(struct modul
59081 const struct kernel_symbol *ksym;
59082 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
59083 + int is_fs_load = 0;
59084 + int register_filesystem_found = 0;
59087 + p = strstr(mod->args, "grsec_modharden_fs");
59089 + char *endptr = p + strlen("grsec_modharden_fs");
59090 + /* copy \0 as well */
59091 + memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
59096 for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
59097 const char *name = info->strtab + sym[i].st_name;
59099 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
59100 + /* it's a real shame this will never get ripped and copied
59103 + if (is_fs_load && !strcmp(name, "register_filesystem"))
59104 + register_filesystem_found = 1;
59107 switch (sym[i].st_shndx) {
59109 /* We compiled with -fno-common. These are not
59110 @@ -1799,7 +1825,9 @@ static int simplify_symbols(struct modul
59111 ksym = resolve_symbol_wait(mod, info, name);
59112 /* Ok if resolved. */
59113 if (ksym && !IS_ERR(ksym)) {
59114 + pax_open_kernel();
59115 sym[i].st_value = ksym->value;
59116 + pax_close_kernel();
59120 @@ -1818,11 +1846,20 @@ static int simplify_symbols(struct modul
59121 secbase = (unsigned long)mod_percpu(mod);
59123 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
59124 + pax_open_kernel();
59125 sym[i].st_value += secbase;
59126 + pax_close_kernel();
59131 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
59132 + if (is_fs_load && !register_filesystem_found) {
59133 + printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
59141 @@ -1906,22 +1943,12 @@ static void layout_sections(struct modul
59142 || s->sh_entsize != ~0UL
59143 || strstarts(sname, ".init"))
59145 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
59146 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
59147 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
59149 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
59150 DEBUGP("\t%s\n", name);
59153 - case 0: /* executable */
59154 - mod->core_size = debug_align(mod->core_size);
59155 - mod->core_text_size = mod->core_size;
59157 - case 1: /* RO: text and ro-data */
59158 - mod->core_size = debug_align(mod->core_size);
59159 - mod->core_ro_size = mod->core_size;
59161 - case 3: /* whole core */
59162 - mod->core_size = debug_align(mod->core_size);
59167 DEBUGP("Init section allocation order:\n");
59168 @@ -1935,23 +1962,13 @@ static void layout_sections(struct modul
59169 || s->sh_entsize != ~0UL
59170 || !strstarts(sname, ".init"))
59172 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
59173 - | INIT_OFFSET_MASK);
59174 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
59175 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
59177 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
59178 + s->sh_entsize |= INIT_OFFSET_MASK;
59179 DEBUGP("\t%s\n", sname);
59182 - case 0: /* executable */
59183 - mod->init_size = debug_align(mod->init_size);
59184 - mod->init_text_size = mod->init_size;
59186 - case 1: /* RO: text and ro-data */
59187 - mod->init_size = debug_align(mod->init_size);
59188 - mod->init_ro_size = mod->init_size;
59190 - case 3: /* whole init */
59191 - mod->init_size = debug_align(mod->init_size);
59197 @@ -2119,7 +2136,7 @@ static void layout_symtab(struct module
59199 /* Put symbol section at end of init part of module. */
59200 symsect->sh_flags |= SHF_ALLOC;
59201 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
59202 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
59203 info->index.sym) | INIT_OFFSET_MASK;
59204 DEBUGP("\t%s\n", info->secstrings + symsect->sh_name);
59206 @@ -2136,19 +2153,19 @@ static void layout_symtab(struct module
59209 /* Append room for core symbols at end of core part. */
59210 - info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
59211 - mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
59212 + info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
59213 + mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
59215 /* Put string table section at end of init part of module. */
59216 strsect->sh_flags |= SHF_ALLOC;
59217 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
59218 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
59219 info->index.str) | INIT_OFFSET_MASK;
59220 DEBUGP("\t%s\n", info->secstrings + strsect->sh_name);
59222 /* Append room for core symbols' strings at end of core part. */
59223 - info->stroffs = mod->core_size;
59224 + info->stroffs = mod->core_size_rx;
59225 __set_bit(0, info->strmap);
59226 - mod->core_size += bitmap_weight(info->strmap, strsect->sh_size);
59227 + mod->core_size_rx += bitmap_weight(info->strmap, strsect->sh_size);
59230 static void add_kallsyms(struct module *mod, const struct load_info *info)
59231 @@ -2164,11 +2181,13 @@ static void add_kallsyms(struct module *
59232 /* Make sure we get permanent strtab: don't use info->strtab. */
59233 mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
59235 + pax_open_kernel();
59237 /* Set types up while we still have access to sections. */
59238 for (i = 0; i < mod->num_symtab; i++)
59239 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
59241 - mod->core_symtab = dst = mod->module_core + info->symoffs;
59242 + mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
59245 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
59246 @@ -2181,10 +2200,12 @@ static void add_kallsyms(struct module *
59248 mod->core_num_syms = ndst;
59250 - mod->core_strtab = s = mod->module_core + info->stroffs;
59251 + mod->core_strtab = s = mod->module_core_rx + info->stroffs;
59252 for (*s = 0, i = 1; i < info->sechdrs[info->index.str].sh_size; ++i)
59253 if (test_bit(i, info->strmap))
59254 *++s = mod->strtab[i];
59256 + pax_close_kernel();
59259 static inline void layout_symtab(struct module *mod, struct load_info *info)
59260 @@ -2213,17 +2234,33 @@ static void dynamic_debug_remove(struct
59261 ddebug_remove_module(debug->modname);
59264 -static void *module_alloc_update_bounds(unsigned long size)
59265 +static void *module_alloc_update_bounds_rw(unsigned long size)
59267 void *ret = module_alloc(size);
59270 mutex_lock(&module_mutex);
59271 /* Update module bounds. */
59272 - if ((unsigned long)ret < module_addr_min)
59273 - module_addr_min = (unsigned long)ret;
59274 - if ((unsigned long)ret + size > module_addr_max)
59275 - module_addr_max = (unsigned long)ret + size;
59276 + if ((unsigned long)ret < module_addr_min_rw)
59277 + module_addr_min_rw = (unsigned long)ret;
59278 + if ((unsigned long)ret + size > module_addr_max_rw)
59279 + module_addr_max_rw = (unsigned long)ret + size;
59280 + mutex_unlock(&module_mutex);
59285 +static void *module_alloc_update_bounds_rx(unsigned long size)
59287 + void *ret = module_alloc_exec(size);
59290 + mutex_lock(&module_mutex);
59291 + /* Update module bounds. */
59292 + if ((unsigned long)ret < module_addr_min_rx)
59293 + module_addr_min_rx = (unsigned long)ret;
59294 + if ((unsigned long)ret + size > module_addr_max_rx)
59295 + module_addr_max_rx = (unsigned long)ret + size;
59296 mutex_unlock(&module_mutex);
59299 @@ -2516,7 +2553,7 @@ static int move_module(struct module *mo
59302 /* Do the allocs. */
59303 - ptr = module_alloc_update_bounds(mod->core_size);
59304 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
59306 * The pointer to this block is stored in the module structure
59307 * which is inside the block. Just mark it as not being a
59308 @@ -2526,23 +2563,50 @@ static int move_module(struct module *mo
59312 - memset(ptr, 0, mod->core_size);
59313 - mod->module_core = ptr;
59314 + memset(ptr, 0, mod->core_size_rw);
59315 + mod->module_core_rw = ptr;
59317 - ptr = module_alloc_update_bounds(mod->init_size);
59318 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
59320 * The pointer to this block is stored in the module structure
59321 * which is inside the block. This block doesn't need to be
59322 * scanned as it contains data and code that will be freed
59323 * after the module is initialized.
59325 - kmemleak_ignore(ptr);
59326 - if (!ptr && mod->init_size) {
59327 - module_free(mod, mod->module_core);
59328 + kmemleak_not_leak(ptr);
59329 + if (!ptr && mod->init_size_rw) {
59330 + module_free(mod, mod->module_core_rw);
59333 - memset(ptr, 0, mod->init_size);
59334 - mod->module_init = ptr;
59335 + memset(ptr, 0, mod->init_size_rw);
59336 + mod->module_init_rw = ptr;
59338 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
59339 + kmemleak_not_leak(ptr);
59341 + module_free(mod, mod->module_init_rw);
59342 + module_free(mod, mod->module_core_rw);
59346 + pax_open_kernel();
59347 + memset(ptr, 0, mod->core_size_rx);
59348 + pax_close_kernel();
59349 + mod->module_core_rx = ptr;
59351 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
59352 + kmemleak_not_leak(ptr);
59353 + if (!ptr && mod->init_size_rx) {
59354 + module_free_exec(mod, mod->module_core_rx);
59355 + module_free(mod, mod->module_init_rw);
59356 + module_free(mod, mod->module_core_rw);
59360 + pax_open_kernel();
59361 + memset(ptr, 0, mod->init_size_rx);
59362 + pax_close_kernel();
59363 + mod->module_init_rx = ptr;
59365 /* Transfer each section which specifies SHF_ALLOC */
59366 DEBUGP("final section addresses:\n");
59367 @@ -2553,16 +2617,45 @@ static int move_module(struct module *mo
59368 if (!(shdr->sh_flags & SHF_ALLOC))
59371 - if (shdr->sh_entsize & INIT_OFFSET_MASK)
59372 - dest = mod->module_init
59373 - + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
59375 - dest = mod->module_core + shdr->sh_entsize;
59376 + if (shdr->sh_entsize & INIT_OFFSET_MASK) {
59377 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
59378 + dest = mod->module_init_rw
59379 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
59381 + dest = mod->module_init_rx
59382 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
59384 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
59385 + dest = mod->module_core_rw + shdr->sh_entsize;
59387 + dest = mod->module_core_rx + shdr->sh_entsize;
59390 + if (shdr->sh_type != SHT_NOBITS) {
59392 +#ifdef CONFIG_PAX_KERNEXEC
59393 +#ifdef CONFIG_X86_64
59394 + if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
59395 + set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
59397 + if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
59398 + pax_open_kernel();
59399 + memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
59400 + pax_close_kernel();
59404 - if (shdr->sh_type != SHT_NOBITS)
59405 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
59407 /* Update sh_addr to point to copy in image. */
59408 - shdr->sh_addr = (unsigned long)dest;
59410 +#ifdef CONFIG_PAX_KERNEXEC
59411 + if (shdr->sh_flags & SHF_EXECINSTR)
59412 + shdr->sh_addr = ktva_ktla((unsigned long)dest);
59416 + shdr->sh_addr = (unsigned long)dest;
59417 DEBUGP("\t0x%lx %s\n",
59418 shdr->sh_addr, info->secstrings + shdr->sh_name);
59420 @@ -2613,12 +2706,12 @@ static void flush_module_icache(const st
59421 * Do it before processing of module parameters, so the module
59422 * can provide parameter accessor functions of its own.
59424 - if (mod->module_init)
59425 - flush_icache_range((unsigned long)mod->module_init,
59426 - (unsigned long)mod->module_init
59427 - + mod->init_size);
59428 - flush_icache_range((unsigned long)mod->module_core,
59429 - (unsigned long)mod->module_core + mod->core_size);
59430 + if (mod->module_init_rx)
59431 + flush_icache_range((unsigned long)mod->module_init_rx,
59432 + (unsigned long)mod->module_init_rx
59433 + + mod->init_size_rx);
59434 + flush_icache_range((unsigned long)mod->module_core_rx,
59435 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
59439 @@ -2690,8 +2783,10 @@ static void module_deallocate(struct mod
59441 kfree(info->strmap);
59442 percpu_modfree(mod);
59443 - module_free(mod, mod->module_init);
59444 - module_free(mod, mod->module_core);
59445 + module_free_exec(mod, mod->module_init_rx);
59446 + module_free_exec(mod, mod->module_core_rx);
59447 + module_free(mod, mod->module_init_rw);
59448 + module_free(mod, mod->module_core_rw);
59451 static int post_relocation(struct module *mod, const struct load_info *info)
59452 @@ -2748,9 +2843,38 @@ static struct module *load_module(void _
59456 + /* Now copy in args */
59457 + mod->args = strndup_user(uargs, ~0UL >> 1);
59458 + if (IS_ERR(mod->args)) {
59459 + err = PTR_ERR(mod->args);
59460 + goto free_unload;
59463 /* Set up MODINFO_ATTR fields */
59464 setup_modinfo(mod, &info);
59466 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
59470 + if (strstr(mod->args, "grsec_modharden_netdev")) {
59471 + printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
59473 + goto free_modinfo;
59474 + } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
59475 + p += strlen("grsec_modharden_normal");
59476 + p2 = strstr(p, "_");
59479 + printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
59483 + goto free_modinfo;
59488 /* Fix up syms, so that st_value is a pointer to location. */
59489 err = simplify_symbols(mod, &info);
59491 @@ -2766,13 +2890,6 @@ static struct module *load_module(void _
59493 flush_module_icache(mod);
59495 - /* Now copy in args */
59496 - mod->args = strndup_user(uargs, ~0UL >> 1);
59497 - if (IS_ERR(mod->args)) {
59498 - err = PTR_ERR(mod->args);
59499 - goto free_arch_cleanup;
59502 /* Mark state as coming so strong_try_module_get() ignores us. */
59503 mod->state = MODULE_STATE_COMING;
59505 @@ -2832,11 +2949,10 @@ static struct module *load_module(void _
59507 mutex_unlock(&module_mutex);
59508 synchronize_sched();
59509 - kfree(mod->args);
59510 - free_arch_cleanup:
59511 module_arch_cleanup(mod);
59514 + kfree(mod->args);
59516 module_unload_free(mod);
59518 @@ -2877,16 +2993,16 @@ SYSCALL_DEFINE3(init_module, void __user
59519 MODULE_STATE_COMING, mod);
59521 /* Set RO and NX regions for core */
59522 - set_section_ro_nx(mod->module_core,
59523 - mod->core_text_size,
59524 - mod->core_ro_size,
59526 + set_section_ro_nx(mod->module_core_rx,
59527 + mod->core_size_rx,
59528 + mod->core_size_rx,
59529 + mod->core_size_rx);
59531 /* Set RO and NX regions for init */
59532 - set_section_ro_nx(mod->module_init,
59533 - mod->init_text_size,
59534 - mod->init_ro_size,
59536 + set_section_ro_nx(mod->module_init_rx,
59537 + mod->init_size_rx,
59538 + mod->init_size_rx,
59539 + mod->init_size_rx);
59542 /* Start the module */
59543 @@ -2931,11 +3047,13 @@ SYSCALL_DEFINE3(init_module, void __user
59544 mod->symtab = mod->core_symtab;
59545 mod->strtab = mod->core_strtab;
59547 - unset_section_ro_nx(mod, mod->module_init);
59548 - module_free(mod, mod->module_init);
59549 - mod->module_init = NULL;
59550 - mod->init_size = 0;
59551 - mod->init_text_size = 0;
59552 + unset_section_ro_nx(mod, mod->module_init_rx);
59553 + module_free(mod, mod->module_init_rw);
59554 + module_free_exec(mod, mod->module_init_rx);
59555 + mod->module_init_rw = NULL;
59556 + mod->module_init_rx = NULL;
59557 + mod->init_size_rw = 0;
59558 + mod->init_size_rx = 0;
59559 mutex_unlock(&module_mutex);
59562 @@ -2966,10 +3084,16 @@ static const char *get_ksymbol(struct mo
59563 unsigned long nextval;
59565 /* At worse, next value is at end of module */
59566 - if (within_module_init(addr, mod))
59567 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
59568 + if (within_module_init_rx(addr, mod))
59569 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
59570 + else if (within_module_init_rw(addr, mod))
59571 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
59572 + else if (within_module_core_rx(addr, mod))
59573 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
59574 + else if (within_module_core_rw(addr, mod))
59575 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
59577 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
59580 /* Scan for closest preceeding symbol, and next symbol. (ELF
59581 starts real symbols at 1). */
59582 @@ -3215,7 +3339,7 @@ static int m_show(struct seq_file *m, vo
59585 seq_printf(m, "%s %u",
59586 - mod->name, mod->init_size + mod->core_size);
59587 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
59588 print_unload_info(m, mod);
59590 /* Informative for users. */
59591 @@ -3224,7 +3348,7 @@ static int m_show(struct seq_file *m, vo
59592 mod->state == MODULE_STATE_COMING ? "Loading":
59594 /* Used by oprofile and other similar tools. */
59595 - seq_printf(m, " 0x%p", mod->module_core);
59596 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
59600 @@ -3260,7 +3384,17 @@ static const struct file_operations proc
59602 static int __init proc_modules_init(void)
59604 +#ifndef CONFIG_GRKERNSEC_HIDESYM
59605 +#ifdef CONFIG_GRKERNSEC_PROC_USER
59606 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
59607 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
59608 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
59610 proc_create("modules", 0, NULL, &proc_modules_operations);
59613 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
59617 module_init(proc_modules_init);
59618 @@ -3319,12 +3453,12 @@ struct module *__module_address(unsigned
59620 struct module *mod;
59622 - if (addr < module_addr_min || addr > module_addr_max)
59623 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
59624 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
59627 list_for_each_entry_rcu(mod, &modules, list)
59628 - if (within_module_core(addr, mod)
59629 - || within_module_init(addr, mod))
59630 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
59634 @@ -3358,11 +3492,20 @@ bool is_module_text_address(unsigned lon
59636 struct module *__module_text_address(unsigned long addr)
59638 - struct module *mod = __module_address(addr);
59639 + struct module *mod;
59641 +#ifdef CONFIG_X86_32
59642 + addr = ktla_ktva(addr);
59645 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
59648 + mod = __module_address(addr);
59651 /* Make sure it's within the text section. */
59652 - if (!within(addr, mod->module_init, mod->init_text_size)
59653 - && !within(addr, mod->module_core, mod->core_text_size))
59654 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
59658 diff -urNp linux-2.6.38.6/kernel/mutex.c linux-2.6.38.6/kernel/mutex.c
59659 --- linux-2.6.38.6/kernel/mutex.c 2011-03-14 21:20:32.000000000 -0400
59660 +++ linux-2.6.38.6/kernel/mutex.c 2011-04-28 19:34:15.000000000 -0400
59661 @@ -160,7 +160,7 @@ __mutex_lock_common(struct mutex *lock,
59665 - struct thread_info *owner;
59666 + struct task_struct *owner;
59669 * If we own the BKL, then don't spin. The owner of
59670 @@ -205,7 +205,7 @@ __mutex_lock_common(struct mutex *lock,
59671 spin_lock_mutex(&lock->wait_lock, flags);
59673 debug_mutex_lock_common(lock, &waiter);
59674 - debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
59675 + debug_mutex_add_waiter(lock, &waiter, task);
59677 /* add waiting tasks to the end of the waitqueue (FIFO): */
59678 list_add_tail(&waiter.list, &lock->wait_list);
59679 @@ -234,8 +234,7 @@ __mutex_lock_common(struct mutex *lock,
59680 * TASK_UNINTERRUPTIBLE case.)
59682 if (unlikely(signal_pending_state(state, task))) {
59683 - mutex_remove_waiter(lock, &waiter,
59684 - task_thread_info(task));
59685 + mutex_remove_waiter(lock, &waiter, task);
59686 mutex_release(&lock->dep_map, 1, ip);
59687 spin_unlock_mutex(&lock->wait_lock, flags);
59689 @@ -256,7 +255,7 @@ __mutex_lock_common(struct mutex *lock,
59691 lock_acquired(&lock->dep_map, ip);
59692 /* got the lock - rejoice! */
59693 - mutex_remove_waiter(lock, &waiter, current_thread_info());
59694 + mutex_remove_waiter(lock, &waiter, current);
59695 mutex_set_owner(lock);
59697 /* set it to 0 if there are no waiters left: */
59698 diff -urNp linux-2.6.38.6/kernel/mutex-debug.c linux-2.6.38.6/kernel/mutex-debug.c
59699 --- linux-2.6.38.6/kernel/mutex-debug.c 2011-03-14 21:20:32.000000000 -0400
59700 +++ linux-2.6.38.6/kernel/mutex-debug.c 2011-04-28 19:34:15.000000000 -0400
59701 @@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mute
59704 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
59705 - struct thread_info *ti)
59706 + struct task_struct *task)
59708 SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
59710 /* Mark the current thread as blocked on the lock: */
59711 - ti->task->blocked_on = waiter;
59712 + task->blocked_on = waiter;
59715 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
59716 - struct thread_info *ti)
59717 + struct task_struct *task)
59719 DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
59720 - DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
59721 - DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
59722 - ti->task->blocked_on = NULL;
59723 + DEBUG_LOCKS_WARN_ON(waiter->task != task);
59724 + DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter->task);
59725 + task->blocked_on = NULL;
59727 list_del_init(&waiter->list);
59728 waiter->task = NULL;
59729 @@ -75,7 +75,7 @@ void debug_mutex_unlock(struct mutex *lo
59732 DEBUG_LOCKS_WARN_ON(lock->magic != lock);
59733 - DEBUG_LOCKS_WARN_ON(lock->owner != current_thread_info());
59734 + DEBUG_LOCKS_WARN_ON(lock->owner != current);
59735 DEBUG_LOCKS_WARN_ON(!lock->wait_list.prev && !lock->wait_list.next);
59736 mutex_clear_owner(lock);
59738 diff -urNp linux-2.6.38.6/kernel/mutex-debug.h linux-2.6.38.6/kernel/mutex-debug.h
59739 --- linux-2.6.38.6/kernel/mutex-debug.h 2011-03-14 21:20:32.000000000 -0400
59740 +++ linux-2.6.38.6/kernel/mutex-debug.h 2011-04-28 19:34:15.000000000 -0400
59741 @@ -20,16 +20,16 @@ extern void debug_mutex_wake_waiter(stru
59742 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
59743 extern void debug_mutex_add_waiter(struct mutex *lock,
59744 struct mutex_waiter *waiter,
59745 - struct thread_info *ti);
59746 + struct task_struct *task);
59747 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
59748 - struct thread_info *ti);
59749 + struct task_struct *task);
59750 extern void debug_mutex_unlock(struct mutex *lock);
59751 extern void debug_mutex_init(struct mutex *lock, const char *name,
59752 struct lock_class_key *key);
59754 static inline void mutex_set_owner(struct mutex *lock)
59756 - lock->owner = current_thread_info();
59757 + lock->owner = current;
59760 static inline void mutex_clear_owner(struct mutex *lock)
59761 diff -urNp linux-2.6.38.6/kernel/mutex.h linux-2.6.38.6/kernel/mutex.h
59762 --- linux-2.6.38.6/kernel/mutex.h 2011-03-14 21:20:32.000000000 -0400
59763 +++ linux-2.6.38.6/kernel/mutex.h 2011-04-28 19:34:15.000000000 -0400
59766 static inline void mutex_set_owner(struct mutex *lock)
59768 - lock->owner = current_thread_info();
59769 + lock->owner = current;
59772 static inline void mutex_clear_owner(struct mutex *lock)
59773 diff -urNp linux-2.6.38.6/kernel/padata.c linux-2.6.38.6/kernel/padata.c
59774 --- linux-2.6.38.6/kernel/padata.c 2011-03-14 21:20:32.000000000 -0400
59775 +++ linux-2.6.38.6/kernel/padata.c 2011-04-28 19:57:25.000000000 -0400
59776 @@ -132,10 +132,10 @@ int padata_do_parallel(struct padata_ins
59778 padata->cb_cpu = cb_cpu;
59780 - if (unlikely(atomic_read(&pd->seq_nr) == pd->max_seq_nr))
59781 - atomic_set(&pd->seq_nr, -1);
59782 + if (unlikely(atomic_read_unchecked(&pd->seq_nr) == pd->max_seq_nr))
59783 + atomic_set_unchecked(&pd->seq_nr, -1);
59785 - padata->seq_nr = atomic_inc_return(&pd->seq_nr);
59786 + padata->seq_nr = atomic_inc_return_unchecked(&pd->seq_nr);
59788 target_cpu = padata_cpu_hash(padata);
59789 queue = per_cpu_ptr(pd->pqueue, target_cpu);
59790 @@ -444,7 +444,7 @@ static struct parallel_data *padata_allo
59791 padata_init_pqueues(pd);
59792 padata_init_squeues(pd);
59793 setup_timer(&pd->timer, padata_reorder_timer, (unsigned long)pd);
59794 - atomic_set(&pd->seq_nr, -1);
59795 + atomic_set_unchecked(&pd->seq_nr, -1);
59796 atomic_set(&pd->reorder_objects, 0);
59797 atomic_set(&pd->refcnt, 0);
59799 diff -urNp linux-2.6.38.6/kernel/panic.c linux-2.6.38.6/kernel/panic.c
59800 --- linux-2.6.38.6/kernel/panic.c 2011-03-14 21:20:32.000000000 -0400
59801 +++ linux-2.6.38.6/kernel/panic.c 2011-04-28 19:34:15.000000000 -0400
59802 @@ -369,7 +369,7 @@ static void warn_slowpath_common(const c
59805 printk(KERN_WARNING "------------[ cut here ]------------\n");
59806 - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
59807 + printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
59808 board = dmi_get_system_info(DMI_PRODUCT_NAME);
59810 printk(KERN_WARNING "Hardware name: %s\n", board);
59811 @@ -424,7 +424,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
59813 void __stack_chk_fail(void)
59815 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
59817 + panic("stack-protector: Kernel stack is corrupted in: %pA\n",
59818 __builtin_return_address(0));
59820 EXPORT_SYMBOL(__stack_chk_fail);
59821 diff -urNp linux-2.6.38.6/kernel/perf_event.c linux-2.6.38.6/kernel/perf_event.c
59822 --- linux-2.6.38.6/kernel/perf_event.c 2011-04-18 17:27:18.000000000 -0400
59823 +++ linux-2.6.38.6/kernel/perf_event.c 2011-04-28 19:57:25.000000000 -0400
59824 @@ -70,7 +70,7 @@ int sysctl_perf_event_mlock __read_mostl
59826 int sysctl_perf_event_sample_rate __read_mostly = 100000;
59828 -static atomic64_t perf_event_id;
59829 +static atomic64_unchecked_t perf_event_id;
59831 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
59832 enum event_type_t event_type);
59833 @@ -1923,7 +1923,7 @@ static void __perf_event_read(void *info
59835 static inline u64 perf_event_count(struct perf_event *event)
59837 - return local64_read(&event->count) + atomic64_read(&event->child_count);
59838 + return local64_read(&event->count) + atomic64_read_unchecked(&event->child_count);
59841 static u64 perf_event_read(struct perf_event *event)
59842 @@ -2442,9 +2442,9 @@ u64 perf_event_read_value(struct perf_ev
59843 mutex_lock(&event->child_mutex);
59844 total += perf_event_read(event);
59845 *enabled += event->total_time_enabled +
59846 - atomic64_read(&event->child_total_time_enabled);
59847 + atomic64_read_unchecked(&event->child_total_time_enabled);
59848 *running += event->total_time_running +
59849 - atomic64_read(&event->child_total_time_running);
59850 + atomic64_read_unchecked(&event->child_total_time_running);
59852 list_for_each_entry(child, &event->child_list, child_list) {
59853 total += perf_event_read(child);
59854 @@ -2807,10 +2807,10 @@ void perf_event_update_userpage(struct p
59855 userpg->offset -= local64_read(&event->hw.prev_count);
59857 userpg->time_enabled = event->total_time_enabled +
59858 - atomic64_read(&event->child_total_time_enabled);
59859 + atomic64_read_unchecked(&event->child_total_time_enabled);
59861 userpg->time_running = event->total_time_running +
59862 - atomic64_read(&event->child_total_time_running);
59863 + atomic64_read_unchecked(&event->child_total_time_running);
59867 @@ -3607,11 +3607,11 @@ static void perf_output_read_one(struct
59868 values[n++] = perf_event_count(event);
59869 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
59870 values[n++] = enabled +
59871 - atomic64_read(&event->child_total_time_enabled);
59872 + atomic64_read_unchecked(&event->child_total_time_enabled);
59874 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
59875 values[n++] = running +
59876 - atomic64_read(&event->child_total_time_running);
59877 + atomic64_read_unchecked(&event->child_total_time_running);
59879 if (read_format & PERF_FORMAT_ID)
59880 values[n++] = primary_event_id(event);
59881 @@ -5597,7 +5597,7 @@ perf_event_alloc(struct perf_event_attr
59882 event->parent = parent_event;
59884 event->ns = get_pid_ns(current->nsproxy->pid_ns);
59885 - event->id = atomic64_inc_return(&perf_event_id);
59886 + event->id = atomic64_inc_return_unchecked(&perf_event_id);
59888 event->state = PERF_EVENT_STATE_INACTIVE;
59890 @@ -6095,10 +6095,10 @@ static void sync_child_event(struct perf
59892 * Add back the child's count to the parent's count:
59894 - atomic64_add(child_val, &parent_event->child_count);
59895 - atomic64_add(child_event->total_time_enabled,
59896 + atomic64_add_unchecked(child_val, &parent_event->child_count);
59897 + atomic64_add_unchecked(child_event->total_time_enabled,
59898 &parent_event->child_total_time_enabled);
59899 - atomic64_add(child_event->total_time_running,
59900 + atomic64_add_unchecked(child_event->total_time_running,
59901 &parent_event->child_total_time_running);
59904 diff -urNp linux-2.6.38.6/kernel/pid.c linux-2.6.38.6/kernel/pid.c
59905 --- linux-2.6.38.6/kernel/pid.c 2011-04-22 19:20:59.000000000 -0400
59906 +++ linux-2.6.38.6/kernel/pid.c 2011-04-28 19:34:15.000000000 -0400
59908 #include <linux/rculist.h>
59909 #include <linux/bootmem.h>
59910 #include <linux/hash.h>
59911 +#include <linux/security.h>
59912 #include <linux/pid_namespace.h>
59913 #include <linux/init_task.h>
59914 #include <linux/syscalls.h>
59915 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
59917 int pid_max = PID_MAX_DEFAULT;
59919 -#define RESERVED_PIDS 300
59920 +#define RESERVED_PIDS 500
59922 int pid_max_min = RESERVED_PIDS + 1;
59923 int pid_max_max = PID_MAX_LIMIT;
59924 @@ -419,8 +420,15 @@ EXPORT_SYMBOL(pid_task);
59926 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
59928 + struct task_struct *task;
59930 rcu_lockdep_assert(rcu_read_lock_held());
59931 - return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
59932 + task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
59934 + if (gr_pid_is_chrooted(task))
59940 struct task_struct *find_task_by_vpid(pid_t vnr)
59941 diff -urNp linux-2.6.38.6/kernel/posix-cpu-timers.c linux-2.6.38.6/kernel/posix-cpu-timers.c
59942 --- linux-2.6.38.6/kernel/posix-cpu-timers.c 2011-03-14 21:20:32.000000000 -0400
59943 +++ linux-2.6.38.6/kernel/posix-cpu-timers.c 2011-04-28 19:34:15.000000000 -0400
59945 #include <linux/posix-timers.h>
59946 #include <linux/errno.h>
59947 #include <linux/math64.h>
59948 +#include <linux/security.h>
59949 #include <asm/uaccess.h>
59950 #include <linux/kernel_stat.h>
59951 #include <trace/events/timer.h>
59952 diff -urNp linux-2.6.38.6/kernel/posix-timers.c linux-2.6.38.6/kernel/posix-timers.c
59953 --- linux-2.6.38.6/kernel/posix-timers.c 2011-03-14 21:20:32.000000000 -0400
59954 +++ linux-2.6.38.6/kernel/posix-timers.c 2011-05-16 21:47:09.000000000 -0400
59956 #include <linux/compiler.h>
59957 #include <linux/idr.h>
59958 #include <linux/posix-timers.h>
59959 +#include <linux/grsecurity.h>
59960 #include <linux/syscalls.h>
59961 #include <linux/wait.h>
59962 #include <linux/workqueue.h>
59963 @@ -302,6 +303,8 @@ static __init int init_posix_timers(void
59964 .nsleep = no_nsleep,
59967 + pax_track_stack();
59969 register_posix_clock(CLOCK_REALTIME, &clock_realtime);
59970 register_posix_clock(CLOCK_MONOTONIC, &clock_monotonic);
59971 register_posix_clock(CLOCK_MONOTONIC_RAW, &clock_monotonic_raw);
59972 @@ -955,6 +958,13 @@ SYSCALL_DEFINE2(clock_settime, const clo
59973 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
59976 + /* only the CLOCK_REALTIME clock can be set, all other clocks
59977 + have their clock_set fptr set to a nosettime dummy function
59978 + CLOCK_REALTIME has a NULL clock_set fptr which causes it to
59979 + call common_clock_set, which calls do_sys_settimeofday, which
59983 return CLOCK_DISPATCH(which_clock, clock_set, (which_clock, &new_tp));
59986 diff -urNp linux-2.6.38.6/kernel/power/poweroff.c linux-2.6.38.6/kernel/power/poweroff.c
59987 --- linux-2.6.38.6/kernel/power/poweroff.c 2011-03-14 21:20:32.000000000 -0400
59988 +++ linux-2.6.38.6/kernel/power/poweroff.c 2011-04-28 19:34:15.000000000 -0400
59989 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
59990 .enable_mask = SYSRQ_ENABLE_BOOT,
59993 -static int pm_sysrq_init(void)
59994 +static int __init pm_sysrq_init(void)
59996 register_sysrq_key('o', &sysrq_poweroff_op);
59998 diff -urNp linux-2.6.38.6/kernel/power/process.c linux-2.6.38.6/kernel/power/process.c
59999 --- linux-2.6.38.6/kernel/power/process.c 2011-03-14 21:20:32.000000000 -0400
60000 +++ linux-2.6.38.6/kernel/power/process.c 2011-04-28 19:34:15.000000000 -0400
60001 @@ -41,6 +41,7 @@ static int try_to_freeze_tasks(bool sig_
60002 u64 elapsed_csecs64;
60003 unsigned int elapsed_csecs;
60004 bool wakeup = false;
60005 + bool timedout = false;
60007 do_gettimeofday(&start);
60009 @@ -51,6 +52,8 @@ static int try_to_freeze_tasks(bool sig_
60013 + if (time_after(jiffies, end_time))
60015 read_lock(&tasklist_lock);
60016 do_each_thread(g, p) {
60017 if (frozen(p) || !freezable(p))
60018 @@ -71,9 +74,13 @@ static int try_to_freeze_tasks(bool sig_
60019 * try_to_stop() after schedule() in ptrace/signal
60020 * stop sees TIF_FREEZE.
60022 - if (!task_is_stopped_or_traced(p) &&
60023 - !freezer_should_skip(p))
60024 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
60027 + printk(KERN_ERR "Task refusing to freeze:\n");
60028 + sched_show_task(p);
60031 } while_each_thread(g, p);
60032 read_unlock(&tasklist_lock);
60034 @@ -82,7 +89,7 @@ static int try_to_freeze_tasks(bool sig_
60038 - if (!todo || time_after(jiffies, end_time))
60039 + if (!todo || timedout)
60042 if (pm_wakeup_pending()) {
60043 diff -urNp linux-2.6.38.6/kernel/printk.c linux-2.6.38.6/kernel/printk.c
60044 --- linux-2.6.38.6/kernel/printk.c 2011-03-14 21:20:32.000000000 -0400
60045 +++ linux-2.6.38.6/kernel/printk.c 2011-04-28 19:34:15.000000000 -0400
60046 @@ -279,12 +279,17 @@ static int check_syslog_permissions(int
60047 if (from_file && type != SYSLOG_ACTION_OPEN)
60050 +#ifdef CONFIG_GRKERNSEC_DMESG
60051 + if (grsec_enable_dmesg && !capable(CAP_SYSLOG) && !capable_nolog(CAP_SYS_ADMIN))
60055 if (syslog_action_restricted(type)) {
60056 if (vx_capable(CAP_SYSLOG, VXC_SYSLOG))
60058 /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
60059 if (capable(CAP_SYS_ADMIN)) {
60060 - WARN_ONCE(1, "Attempt to access syslog with CAP_SYS_ADMIN "
60061 + printk_once(KERN_WARNING "Attempt to access syslog with CAP_SYS_ADMIN "
60062 "but no CAP_SYSLOG (deprecated).\n");
60065 diff -urNp linux-2.6.38.6/kernel/profile.c linux-2.6.38.6/kernel/profile.c
60066 --- linux-2.6.38.6/kernel/profile.c 2011-03-14 21:20:32.000000000 -0400
60067 +++ linux-2.6.38.6/kernel/profile.c 2011-04-28 19:57:25.000000000 -0400
60068 @@ -39,7 +39,7 @@ struct profile_hit {
60069 /* Oprofile timer tick hook */
60070 static int (*timer_hook)(struct pt_regs *) __read_mostly;
60072 -static atomic_t *prof_buffer;
60073 +static atomic_unchecked_t *prof_buffer;
60074 static unsigned long prof_len, prof_shift;
60076 int prof_on __read_mostly;
60077 @@ -283,7 +283,7 @@ static void profile_flip_buffers(void)
60081 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
60082 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
60083 hits[i].hits = hits[i].pc = 0;
60086 @@ -346,9 +346,9 @@ void profile_hits(int type, void *__pc,
60087 * Add the current hit(s) and flush the write-queue out
60088 * to the global buffer:
60090 - atomic_add(nr_hits, &prof_buffer[pc]);
60091 + atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
60092 for (i = 0; i < NR_PROFILE_HIT; ++i) {
60093 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
60094 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
60095 hits[i].pc = hits[i].hits = 0;
60098 @@ -426,7 +426,7 @@ void profile_hits(int type, void *__pc,
60099 if (prof_on != type || !prof_buffer)
60101 pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
60102 - atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
60103 + atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
60105 #endif /* !CONFIG_SMP */
60106 EXPORT_SYMBOL_GPL(profile_hits);
60107 @@ -517,7 +517,7 @@ read_profile(struct file *file, char __u
60109 buf++; p++; count--; read++;
60111 - pnt = (char *)prof_buffer + p - sizeof(atomic_t);
60112 + pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
60113 if (copy_to_user(buf, (void *)pnt, count))
60116 @@ -548,7 +548,7 @@ static ssize_t write_profile(struct file
60119 profile_discard_flip_buffers();
60120 - memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
60121 + memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
60125 diff -urNp linux-2.6.38.6/kernel/ptrace.c linux-2.6.38.6/kernel/ptrace.c
60126 --- linux-2.6.38.6/kernel/ptrace.c 2011-03-14 21:20:32.000000000 -0400
60127 +++ linux-2.6.38.6/kernel/ptrace.c 2011-04-28 19:34:15.000000000 -0400
60128 @@ -116,7 +116,8 @@ int ptrace_check_attach(struct task_stru
60132 -int __ptrace_may_access(struct task_struct *task, unsigned int mode)
60133 +static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
60134 + unsigned int log)
60136 const struct cred *cred = current_cred(), *tcred;
60138 @@ -140,7 +141,9 @@ int __ptrace_may_access(struct task_stru
60139 cred->gid != tcred->egid ||
60140 cred->gid != tcred->sgid ||
60141 cred->gid != tcred->gid) &&
60142 - !capable(CAP_SYS_PTRACE)) {
60143 + ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
60144 + (log && !capable(CAP_SYS_PTRACE)))
60149 @@ -148,7 +151,9 @@ int __ptrace_may_access(struct task_stru
60152 dumpable = get_dumpable(task->mm);
60153 - if (!dumpable && !capable(CAP_SYS_PTRACE))
60155 + ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
60156 + (log && !capable(CAP_SYS_PTRACE))))
60159 return security_ptrace_access_check(task, mode);
60160 @@ -158,7 +163,16 @@ bool ptrace_may_access(struct task_struc
60164 - err = __ptrace_may_access(task, mode);
60165 + err = __ptrace_may_access(task, mode, 0);
60166 + task_unlock(task);
60170 +bool ptrace_may_access_log(struct task_struct *task, unsigned int mode)
60174 + err = __ptrace_may_access(task, mode, 1);
60178 @@ -185,7 +199,7 @@ static int ptrace_attach(struct task_str
60182 - retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
60183 + retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH, 1);
60187 @@ -198,7 +212,7 @@ static int ptrace_attach(struct task_str
60188 goto unlock_tasklist;
60190 task->ptrace = PT_PTRACED;
60191 - if (capable(CAP_SYS_PTRACE))
60192 + if (capable_nolog(CAP_SYS_PTRACE))
60193 task->ptrace |= PT_PTRACE_CAP;
60195 __ptrace_link(task, current);
60196 @@ -369,7 +383,7 @@ int ptrace_readdata(struct task_struct *
60200 - if (copy_to_user(dst, buf, retval))
60201 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
60205 @@ -565,7 +579,7 @@ int ptrace_request(struct task_struct *c
60209 - void __user *datavp = (void __user *) data;
60210 + void __user *datavp = (__force void __user *) data;
60211 unsigned long __user *datalp = datavp;
60214 @@ -713,14 +727,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
60215 if (!vx_check(vx_task_xid(child), VS_WATCH_P | VS_IDENT))
60216 goto out_put_task_struct;
60218 + if (gr_handle_ptrace(child, request)) {
60220 + goto out_put_task_struct;
60223 if (request == PTRACE_ATTACH) {
60224 ret = ptrace_attach(child);
60226 * Some architectures need to do book-keeping after
60231 arch_ptrace_attach(child);
60232 + gr_audit_ptrace(child);
60234 goto out_put_task_struct;
60237 @@ -855,14 +876,21 @@ asmlinkage long compat_sys_ptrace(compat
60241 + if (gr_handle_ptrace(child, request)) {
60243 + goto out_put_task_struct;
60246 if (request == PTRACE_ATTACH) {
60247 ret = ptrace_attach(child);
60249 * Some architectures need to do book-keeping after
60254 arch_ptrace_attach(child);
60255 + gr_audit_ptrace(child);
60257 goto out_put_task_struct;
60260 diff -urNp linux-2.6.38.6/kernel/rcutorture.c linux-2.6.38.6/kernel/rcutorture.c
60261 --- linux-2.6.38.6/kernel/rcutorture.c 2011-03-14 21:20:32.000000000 -0400
60262 +++ linux-2.6.38.6/kernel/rcutorture.c 2011-04-28 19:57:25.000000000 -0400
60263 @@ -139,12 +139,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_
60265 static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_batch) =
60267 -static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
60268 -static atomic_t n_rcu_torture_alloc;
60269 -static atomic_t n_rcu_torture_alloc_fail;
60270 -static atomic_t n_rcu_torture_free;
60271 -static atomic_t n_rcu_torture_mberror;
60272 -static atomic_t n_rcu_torture_error;
60273 +static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
60274 +static atomic_unchecked_t n_rcu_torture_alloc;
60275 +static atomic_unchecked_t n_rcu_torture_alloc_fail;
60276 +static atomic_unchecked_t n_rcu_torture_free;
60277 +static atomic_unchecked_t n_rcu_torture_mberror;
60278 +static atomic_unchecked_t n_rcu_torture_error;
60279 static long n_rcu_torture_boost_ktrerror;
60280 static long n_rcu_torture_boost_rterror;
60281 static long n_rcu_torture_boost_allocerror;
60282 @@ -226,11 +226,11 @@ rcu_torture_alloc(void)
60284 spin_lock_bh(&rcu_torture_lock);
60285 if (list_empty(&rcu_torture_freelist)) {
60286 - atomic_inc(&n_rcu_torture_alloc_fail);
60287 + atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
60288 spin_unlock_bh(&rcu_torture_lock);
60291 - atomic_inc(&n_rcu_torture_alloc);
60292 + atomic_inc_unchecked(&n_rcu_torture_alloc);
60293 p = rcu_torture_freelist.next;
60295 spin_unlock_bh(&rcu_torture_lock);
60296 @@ -243,7 +243,7 @@ rcu_torture_alloc(void)
60298 rcu_torture_free(struct rcu_torture *p)
60300 - atomic_inc(&n_rcu_torture_free);
60301 + atomic_inc_unchecked(&n_rcu_torture_free);
60302 spin_lock_bh(&rcu_torture_lock);
60303 list_add_tail(&p->rtort_free, &rcu_torture_freelist);
60304 spin_unlock_bh(&rcu_torture_lock);
60305 @@ -363,7 +363,7 @@ rcu_torture_cb(struct rcu_head *p)
60306 i = rp->rtort_pipe_count;
60307 if (i > RCU_TORTURE_PIPE_LEN)
60308 i = RCU_TORTURE_PIPE_LEN;
60309 - atomic_inc(&rcu_torture_wcount[i]);
60310 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
60311 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
60312 rp->rtort_mbtest = 0;
60313 rcu_torture_free(rp);
60314 @@ -410,7 +410,7 @@ static void rcu_sync_torture_deferred_fr
60315 i = rp->rtort_pipe_count;
60316 if (i > RCU_TORTURE_PIPE_LEN)
60317 i = RCU_TORTURE_PIPE_LEN;
60318 - atomic_inc(&rcu_torture_wcount[i]);
60319 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
60320 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
60321 rp->rtort_mbtest = 0;
60322 list_del(&rp->rtort_free);
60323 @@ -883,7 +883,7 @@ rcu_torture_writer(void *arg)
60324 i = old_rp->rtort_pipe_count;
60325 if (i > RCU_TORTURE_PIPE_LEN)
60326 i = RCU_TORTURE_PIPE_LEN;
60327 - atomic_inc(&rcu_torture_wcount[i]);
60328 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
60329 old_rp->rtort_pipe_count++;
60330 cur_ops->deferred_free(old_rp);
60332 @@ -952,7 +952,7 @@ static void rcu_torture_timer(unsigned l
60335 if (p->rtort_mbtest == 0)
60336 - atomic_inc(&n_rcu_torture_mberror);
60337 + atomic_inc_unchecked(&n_rcu_torture_mberror);
60338 spin_lock(&rand_lock);
60339 cur_ops->read_delay(&rand);
60340 n_rcu_torture_timers++;
60341 @@ -1014,7 +1014,7 @@ rcu_torture_reader(void *arg)
60344 if (p->rtort_mbtest == 0)
60345 - atomic_inc(&n_rcu_torture_mberror);
60346 + atomic_inc_unchecked(&n_rcu_torture_mberror);
60347 cur_ops->read_delay(&rand);
60349 pipe_count = p->rtort_pipe_count;
60350 @@ -1073,10 +1073,10 @@ rcu_torture_printk(char *page)
60351 rcu_torture_current,
60352 rcu_torture_current_version,
60353 list_empty(&rcu_torture_freelist),
60354 - atomic_read(&n_rcu_torture_alloc),
60355 - atomic_read(&n_rcu_torture_alloc_fail),
60356 - atomic_read(&n_rcu_torture_free),
60357 - atomic_read(&n_rcu_torture_mberror),
60358 + atomic_read_unchecked(&n_rcu_torture_alloc),
60359 + atomic_read_unchecked(&n_rcu_torture_alloc_fail),
60360 + atomic_read_unchecked(&n_rcu_torture_free),
60361 + atomic_read_unchecked(&n_rcu_torture_mberror),
60362 n_rcu_torture_boost_ktrerror,
60363 n_rcu_torture_boost_rterror,
60364 n_rcu_torture_boost_allocerror,
60365 @@ -1084,7 +1084,7 @@ rcu_torture_printk(char *page)
60366 n_rcu_torture_boost_failure,
60367 n_rcu_torture_boosts,
60368 n_rcu_torture_timers);
60369 - if (atomic_read(&n_rcu_torture_mberror) != 0 ||
60370 + if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0 ||
60371 n_rcu_torture_boost_ktrerror != 0 ||
60372 n_rcu_torture_boost_rterror != 0 ||
60373 n_rcu_torture_boost_allocerror != 0 ||
60374 @@ -1094,7 +1094,7 @@ rcu_torture_printk(char *page)
60375 cnt += sprintf(&page[cnt], "\n%s%s ", torture_type, TORTURE_FLAG);
60377 cnt += sprintf(&page[cnt], "!!! ");
60378 - atomic_inc(&n_rcu_torture_error);
60379 + atomic_inc_unchecked(&n_rcu_torture_error);
60382 cnt += sprintf(&page[cnt], "Reader Pipe: ");
60383 @@ -1108,7 +1108,7 @@ rcu_torture_printk(char *page)
60384 cnt += sprintf(&page[cnt], "Free-Block Circulation: ");
60385 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
60386 cnt += sprintf(&page[cnt], " %d",
60387 - atomic_read(&rcu_torture_wcount[i]));
60388 + atomic_read_unchecked(&rcu_torture_wcount[i]));
60390 cnt += sprintf(&page[cnt], "\n");
60391 if (cur_ops->stats)
60392 @@ -1416,7 +1416,7 @@ rcu_torture_cleanup(void)
60394 if (cur_ops->cleanup)
60395 cur_ops->cleanup();
60396 - if (atomic_read(&n_rcu_torture_error))
60397 + if (atomic_read_unchecked(&n_rcu_torture_error))
60398 rcu_torture_print_module_parms(cur_ops, "End of test: FAILURE");
60400 rcu_torture_print_module_parms(cur_ops, "End of test: SUCCESS");
60401 @@ -1480,11 +1480,11 @@ rcu_torture_init(void)
60403 rcu_torture_current = NULL;
60404 rcu_torture_current_version = 0;
60405 - atomic_set(&n_rcu_torture_alloc, 0);
60406 - atomic_set(&n_rcu_torture_alloc_fail, 0);
60407 - atomic_set(&n_rcu_torture_free, 0);
60408 - atomic_set(&n_rcu_torture_mberror, 0);
60409 - atomic_set(&n_rcu_torture_error, 0);
60410 + atomic_set_unchecked(&n_rcu_torture_alloc, 0);
60411 + atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
60412 + atomic_set_unchecked(&n_rcu_torture_free, 0);
60413 + atomic_set_unchecked(&n_rcu_torture_mberror, 0);
60414 + atomic_set_unchecked(&n_rcu_torture_error, 0);
60415 n_rcu_torture_boost_ktrerror = 0;
60416 n_rcu_torture_boost_rterror = 0;
60417 n_rcu_torture_boost_allocerror = 0;
60418 @@ -1492,7 +1492,7 @@ rcu_torture_init(void)
60419 n_rcu_torture_boost_failure = 0;
60420 n_rcu_torture_boosts = 0;
60421 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
60422 - atomic_set(&rcu_torture_wcount[i], 0);
60423 + atomic_set_unchecked(&rcu_torture_wcount[i], 0);
60424 for_each_possible_cpu(cpu) {
60425 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
60426 per_cpu(rcu_torture_count, cpu)[i] = 0;
60427 diff -urNp linux-2.6.38.6/kernel/rcutree.c linux-2.6.38.6/kernel/rcutree.c
60428 --- linux-2.6.38.6/kernel/rcutree.c 2011-03-14 21:20:32.000000000 -0400
60429 +++ linux-2.6.38.6/kernel/rcutree.c 2011-04-28 19:34:15.000000000 -0400
60430 @@ -1389,7 +1389,7 @@ __rcu_process_callbacks(struct rcu_state
60432 * Do softirq processing for the current CPU.
60434 -static void rcu_process_callbacks(struct softirq_action *unused)
60435 +static void rcu_process_callbacks(void)
60438 * Memory references from any prior RCU read-side critical sections
60439 diff -urNp linux-2.6.38.6/kernel/rcutree_plugin.h linux-2.6.38.6/kernel/rcutree_plugin.h
60440 --- linux-2.6.38.6/kernel/rcutree_plugin.h 2011-03-14 21:20:32.000000000 -0400
60441 +++ linux-2.6.38.6/kernel/rcutree_plugin.h 2011-04-28 19:57:25.000000000 -0400
60442 @@ -730,7 +730,7 @@ void synchronize_rcu_expedited(void)
60444 /* Clean up and exit. */
60445 smp_mb(); /* ensure expedited GP seen before counter increment. */
60446 - ACCESS_ONCE(sync_rcu_preempt_exp_count)++;
60447 + ACCESS_ONCE_RW(sync_rcu_preempt_exp_count)++;
60449 mutex_unlock(&sync_rcu_preempt_exp_mutex);
60451 @@ -1025,8 +1025,8 @@ EXPORT_SYMBOL_GPL(synchronize_sched_expe
60453 #else /* #ifndef CONFIG_SMP */
60455 -static atomic_t sync_sched_expedited_started = ATOMIC_INIT(0);
60456 -static atomic_t sync_sched_expedited_done = ATOMIC_INIT(0);
60457 +static atomic_unchecked_t sync_sched_expedited_started = ATOMIC_INIT(0);
60458 +static atomic_unchecked_t sync_sched_expedited_done = ATOMIC_INIT(0);
60460 static int synchronize_sched_expedited_cpu_stop(void *data)
60462 @@ -1081,7 +1081,7 @@ void synchronize_sched_expedited(void)
60463 int firstsnap, s, snap, trycount = 0;
60465 /* Note that atomic_inc_return() implies full memory barrier. */
60466 - firstsnap = snap = atomic_inc_return(&sync_sched_expedited_started);
60467 + firstsnap = snap = atomic_inc_return_unchecked(&sync_sched_expedited_started);
60471 @@ -1102,7 +1102,7 @@ void synchronize_sched_expedited(void)
60474 /* Check to see if someone else did our work for us. */
60475 - s = atomic_read(&sync_sched_expedited_done);
60476 + s = atomic_read_unchecked(&sync_sched_expedited_done);
60477 if (UINT_CMP_GE((unsigned)s, (unsigned)firstsnap)) {
60478 smp_mb(); /* ensure test happens before caller kfree */
60480 @@ -1117,7 +1117,7 @@ void synchronize_sched_expedited(void)
60481 * grace period works for us.
60484 - snap = atomic_read(&sync_sched_expedited_started) - 1;
60485 + snap = atomic_read_unchecked(&sync_sched_expedited_started) - 1;
60486 smp_mb(); /* ensure read is before try_stop_cpus(). */
60489 @@ -1128,12 +1128,12 @@ void synchronize_sched_expedited(void)
60490 * than we did beat us to the punch.
60493 - s = atomic_read(&sync_sched_expedited_done);
60494 + s = atomic_read_unchecked(&sync_sched_expedited_done);
60495 if (UINT_CMP_GE((unsigned)s, (unsigned)snap)) {
60496 smp_mb(); /* ensure test happens before caller kfree */
60499 - } while (atomic_cmpxchg(&sync_sched_expedited_done, s, snap) != s);
60500 + } while (atomic_cmpxchg_unchecked(&sync_sched_expedited_done, s, snap) != s);
60504 diff -urNp linux-2.6.38.6/kernel/relay.c linux-2.6.38.6/kernel/relay.c
60505 --- linux-2.6.38.6/kernel/relay.c 2011-03-14 21:20:32.000000000 -0400
60506 +++ linux-2.6.38.6/kernel/relay.c 2011-05-16 21:47:09.000000000 -0400
60507 @@ -1236,6 +1236,8 @@ static ssize_t subbuf_splice_actor(struc
60511 + pax_track_stack();
60513 if (rbuf->subbufs_produced == rbuf->subbufs_consumed)
60515 if (splice_grow_spd(pipe, &spd))
60516 diff -urNp linux-2.6.38.6/kernel/resource.c linux-2.6.38.6/kernel/resource.c
60517 --- linux-2.6.38.6/kernel/resource.c 2011-03-14 21:20:32.000000000 -0400
60518 +++ linux-2.6.38.6/kernel/resource.c 2011-04-28 19:34:15.000000000 -0400
60519 @@ -133,8 +133,18 @@ static const struct file_operations proc
60521 static int __init ioresources_init(void)
60523 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
60524 +#ifdef CONFIG_GRKERNSEC_PROC_USER
60525 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
60526 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
60527 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
60528 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
60529 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
60532 proc_create("ioports", 0, NULL, &proc_ioports_operations);
60533 proc_create("iomem", 0, NULL, &proc_iomem_operations);
60537 __initcall(ioresources_init);
60538 diff -urNp linux-2.6.38.6/kernel/rtmutex.c linux-2.6.38.6/kernel/rtmutex.c
60539 --- linux-2.6.38.6/kernel/rtmutex.c 2011-03-14 21:20:32.000000000 -0400
60540 +++ linux-2.6.38.6/kernel/rtmutex.c 2011-04-28 19:34:15.000000000 -0400
60541 @@ -511,7 +511,7 @@ static void wakeup_next_waiter(struct rt
60543 raw_spin_lock_irqsave(&pendowner->pi_lock, flags);
60545 - WARN_ON(!pendowner->pi_blocked_on);
60546 + BUG_ON(!pendowner->pi_blocked_on);
60547 WARN_ON(pendowner->pi_blocked_on != waiter);
60548 WARN_ON(pendowner->pi_blocked_on->lock != lock);
60550 diff -urNp linux-2.6.38.6/kernel/rtmutex-tester.c linux-2.6.38.6/kernel/rtmutex-tester.c
60551 --- linux-2.6.38.6/kernel/rtmutex-tester.c 2011-03-14 21:20:32.000000000 -0400
60552 +++ linux-2.6.38.6/kernel/rtmutex-tester.c 2011-04-28 19:57:25.000000000 -0400
60554 #define MAX_RT_TEST_MUTEXES 8
60556 static spinlock_t rttest_lock;
60557 -static atomic_t rttest_event;
60558 +static atomic_unchecked_t rttest_event;
60560 struct test_thread_data {
60562 @@ -64,7 +64,7 @@ static int handle_op(struct test_thread_
60564 case RTTEST_LOCKCONT:
60565 td->mutexes[td->opdata] = 1;
60566 - td->event = atomic_add_return(1, &rttest_event);
60567 + td->event = atomic_add_return_unchecked(1, &rttest_event);
60571 @@ -84,7 +84,7 @@ static int handle_op(struct test_thread_
60574 case RTTEST_RESETEVENT:
60575 - atomic_set(&rttest_event, 0);
60576 + atomic_set_unchecked(&rttest_event, 0);
60580 @@ -101,9 +101,9 @@ static int handle_op(struct test_thread_
60583 td->mutexes[id] = 1;
60584 - td->event = atomic_add_return(1, &rttest_event);
60585 + td->event = atomic_add_return_unchecked(1, &rttest_event);
60586 rt_mutex_lock(&mutexes[id]);
60587 - td->event = atomic_add_return(1, &rttest_event);
60588 + td->event = atomic_add_return_unchecked(1, &rttest_event);
60589 td->mutexes[id] = 4;
60592 @@ -114,9 +114,9 @@ static int handle_op(struct test_thread_
60595 td->mutexes[id] = 1;
60596 - td->event = atomic_add_return(1, &rttest_event);
60597 + td->event = atomic_add_return_unchecked(1, &rttest_event);
60598 ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
60599 - td->event = atomic_add_return(1, &rttest_event);
60600 + td->event = atomic_add_return_unchecked(1, &rttest_event);
60601 td->mutexes[id] = ret ? 0 : 4;
60602 return ret ? -EINTR : 0;
60604 @@ -125,9 +125,9 @@ static int handle_op(struct test_thread_
60605 if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
60608 - td->event = atomic_add_return(1, &rttest_event);
60609 + td->event = atomic_add_return_unchecked(1, &rttest_event);
60610 rt_mutex_unlock(&mutexes[id]);
60611 - td->event = atomic_add_return(1, &rttest_event);
60612 + td->event = atomic_add_return_unchecked(1, &rttest_event);
60613 td->mutexes[id] = 0;
60616 @@ -193,7 +193,7 @@ void schedule_rt_mutex_test(struct rt_mu
60619 td->mutexes[dat] = 2;
60620 - td->event = atomic_add_return(1, &rttest_event);
60621 + td->event = atomic_add_return_unchecked(1, &rttest_event);
60624 case RTTEST_LOCKBKL:
60625 @@ -214,7 +214,7 @@ void schedule_rt_mutex_test(struct rt_mu
60628 td->mutexes[dat] = 3;
60629 - td->event = atomic_add_return(1, &rttest_event);
60630 + td->event = atomic_add_return_unchecked(1, &rttest_event);
60633 case RTTEST_LOCKNOWAIT:
60634 @@ -226,7 +226,7 @@ void schedule_rt_mutex_test(struct rt_mu
60637 td->mutexes[dat] = 1;
60638 - td->event = atomic_add_return(1, &rttest_event);
60639 + td->event = atomic_add_return_unchecked(1, &rttest_event);
60642 case RTTEST_LOCKBKL:
60643 diff -urNp linux-2.6.38.6/kernel/sched_autogroup.c linux-2.6.38.6/kernel/sched_autogroup.c
60644 --- linux-2.6.38.6/kernel/sched_autogroup.c 2011-03-14 21:20:32.000000000 -0400
60645 +++ linux-2.6.38.6/kernel/sched_autogroup.c 2011-04-28 19:57:25.000000000 -0400
60648 unsigned int __read_mostly sysctl_sched_autogroup_enabled = 1;
60649 static struct autogroup autogroup_default;
60650 -static atomic_t autogroup_seq_nr;
60651 +static atomic_unchecked_t autogroup_seq_nr;
60653 static void __init autogroup_init(struct task_struct *init_task)
60655 @@ -79,7 +79,7 @@ static inline struct autogroup *autogrou
60657 kref_init(&ag->kref);
60658 init_rwsem(&ag->lock);
60659 - ag->id = atomic_inc_return(&autogroup_seq_nr);
60660 + ag->id = atomic_inc_return_unchecked(&autogroup_seq_nr);
60662 #ifdef CONFIG_RT_GROUP_SCHED
60664 diff -urNp linux-2.6.38.6/kernel/sched.c linux-2.6.38.6/kernel/sched.c
60665 --- linux-2.6.38.6/kernel/sched.c 2011-04-18 17:27:14.000000000 -0400
60666 +++ linux-2.6.38.6/kernel/sched.c 2011-04-28 19:34:15.000000000 -0400
60667 @@ -4024,7 +4024,7 @@ EXPORT_SYMBOL(schedule);
60668 * Look out! "owner" is an entirely speculative pointer
60669 * access and not reliable.
60671 -int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner)
60672 +int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner)
60676 @@ -4038,10 +4038,10 @@ int mutex_spin_on_owner(struct mutex *lo
60677 * DEBUG_PAGEALLOC could have unmapped it if
60678 * the mutex owner just released it and exited.
60680 - if (probe_kernel_address(&owner->cpu, cpu))
60681 + if (probe_kernel_address(&task_thread_info(owner)->cpu, cpu))
60684 - cpu = owner->cpu;
60685 + cpu = task_thread_info(owner)->cpu;
60689 @@ -4078,7 +4078,7 @@ int mutex_spin_on_owner(struct mutex *lo
60691 * Is that owner really running on that cpu?
60693 - if (task_thread_info(rq->curr) != owner || need_resched())
60694 + if (rq->curr != owner || need_resched())
60697 arch_mutex_cpu_relax();
60698 @@ -4638,6 +4638,8 @@ int can_nice(const struct task_struct *p
60699 /* convert nice value [19,-20] to rlimit style value [1,40] */
60700 int nice_rlim = 20 - nice;
60702 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
60704 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
60705 capable(CAP_SYS_NICE));
60707 @@ -4671,7 +4673,8 @@ SYSCALL_DEFINE1(nice, int, increment)
60711 - if (increment < 0 && !can_nice(current, nice))
60712 + if (increment < 0 && (!can_nice(current, nice) ||
60713 + gr_handle_chroot_nice()))
60714 return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
60716 retval = security_task_setnice(current, nice);
60717 @@ -4814,6 +4817,7 @@ recheck:
60718 unsigned long rlim_rtprio =
60719 task_rlimit(p, RLIMIT_RTPRIO);
60721 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
60722 /* can't set/change the rt policy */
60723 if (policy != p->policy && !rlim_rtprio)
60725 @@ -6942,7 +6946,7 @@ static void init_sched_groups_power(int
60729 - WARN_ON(!sd || !sd->groups);
60730 + BUG_ON(!sd || !sd->groups);
60732 if (cpu != group_first_cpu(sd->groups))
60734 diff -urNp linux-2.6.38.6/kernel/sched_fair.c linux-2.6.38.6/kernel/sched_fair.c
60735 --- linux-2.6.38.6/kernel/sched_fair.c 2011-04-22 19:20:59.000000000 -0400
60736 +++ linux-2.6.38.6/kernel/sched_fair.c 2011-04-28 19:34:15.000000000 -0400
60737 @@ -3957,7 +3957,7 @@ static void nohz_idle_balance(int this_c
60738 * run_rebalance_domains is triggered when needed from the scheduler tick.
60739 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
60741 -static void run_rebalance_domains(struct softirq_action *h)
60742 +static void run_rebalance_domains(void)
60744 int this_cpu = smp_processor_id();
60745 struct rq *this_rq = cpu_rq(this_cpu);
60746 diff -urNp linux-2.6.38.6/kernel/signal.c linux-2.6.38.6/kernel/signal.c
60747 --- linux-2.6.38.6/kernel/signal.c 2011-04-18 17:27:18.000000000 -0400
60748 +++ linux-2.6.38.6/kernel/signal.c 2011-04-28 19:34:15.000000000 -0400
60749 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
60751 int print_fatal_signals __read_mostly;
60753 -static void __user *sig_handler(struct task_struct *t, int sig)
60754 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
60756 return t->sighand->action[sig - 1].sa.sa_handler;
60759 -static int sig_handler_ignored(void __user *handler, int sig)
60760 +static int sig_handler_ignored(__sighandler_t handler, int sig)
60762 /* Is it explicitly or implicitly ignored? */
60763 return handler == SIG_IGN ||
60764 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
60765 static int sig_task_ignored(struct task_struct *t, int sig,
60766 int from_ancestor_ns)
60768 - void __user *handler;
60769 + __sighandler_t handler;
60771 handler = sig_handler(t, sig);
60773 @@ -243,6 +243,9 @@ __sigqueue_alloc(int sig, struct task_st
60774 atomic_inc(&user->sigpending);
60777 + if (!override_rlimit)
60778 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
60780 if (override_rlimit ||
60781 atomic_read(&user->sigpending) <=
60782 task_rlimit(t, RLIMIT_SIGPENDING)) {
60783 @@ -367,7 +370,7 @@ flush_signal_handlers(struct task_struct
60785 int unhandled_signal(struct task_struct *tsk, int sig)
60787 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
60788 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
60789 if (is_global_init(tsk))
60791 if (handler != SIG_IGN && handler != SIG_DFL)
60792 @@ -705,6 +708,10 @@ static int check_kill_permission(int sig
60793 sig, info, t, vx_task_xid(t), t->pid, current->xid);
60797 + if (gr_handle_signal(t, sig))
60801 return security_task_kill(t, info, sig, 0);
60803 @@ -1025,7 +1032,7 @@ __group_send_sig_info(int sig, struct si
60804 return send_signal(sig, info, p, 1);
60809 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
60811 return send_signal(sig, info, t, 0);
60812 @@ -1062,6 +1068,7 @@ force_sig_info(int sig, struct siginfo *
60813 unsigned long int flags;
60814 int ret, blocked, ignored;
60815 struct k_sigaction *action;
60816 + int is_unhandled = 0;
60818 spin_lock_irqsave(&t->sighand->siglock, flags);
60819 action = &t->sighand->action[sig-1];
60820 @@ -1076,9 +1083,18 @@ force_sig_info(int sig, struct siginfo *
60822 if (action->sa.sa_handler == SIG_DFL)
60823 t->signal->flags &= ~SIGNAL_UNKILLABLE;
60824 + if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
60825 + is_unhandled = 1;
60826 ret = specific_send_sig_info(sig, info, t);
60827 spin_unlock_irqrestore(&t->sighand->siglock, flags);
60829 + /* only deal with unhandled signals, java etc trigger SIGSEGV during
60830 + normal operation */
60831 + if (is_unhandled) {
60832 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
60833 + gr_handle_crash(t, sig);
60839 @@ -1137,8 +1153,11 @@ int group_send_sig_info(int sig, struct
60840 ret = check_kill_permission(sig, info, p);
60844 + if (!ret && sig) {
60845 ret = do_send_sig_info(sig, info, p, true);
60847 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
60852 diff -urNp linux-2.6.38.6/kernel/smp.c linux-2.6.38.6/kernel/smp.c
60853 --- linux-2.6.38.6/kernel/smp.c 2011-04-18 17:27:14.000000000 -0400
60854 +++ linux-2.6.38.6/kernel/smp.c 2011-04-28 19:34:15.000000000 -0400
60855 @@ -583,22 +583,22 @@ int smp_call_function(smp_call_func_t fu
60857 EXPORT_SYMBOL(smp_call_function);
60859 -void ipi_call_lock(void)
60860 +void ipi_call_lock(void) __acquires(call_function.lock)
60862 raw_spin_lock(&call_function.lock);
60865 -void ipi_call_unlock(void)
60866 +void ipi_call_unlock(void) __releases(call_function.lock)
60868 raw_spin_unlock(&call_function.lock);
60871 -void ipi_call_lock_irq(void)
60872 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
60874 raw_spin_lock_irq(&call_function.lock);
60877 -void ipi_call_unlock_irq(void)
60878 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
60880 raw_spin_unlock_irq(&call_function.lock);
60882 diff -urNp linux-2.6.38.6/kernel/softirq.c linux-2.6.38.6/kernel/softirq.c
60883 --- linux-2.6.38.6/kernel/softirq.c 2011-03-14 21:20:32.000000000 -0400
60884 +++ linux-2.6.38.6/kernel/softirq.c 2011-04-28 19:34:15.000000000 -0400
60885 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
60887 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
60889 -char *softirq_to_name[NR_SOFTIRQS] = {
60890 +const char * const softirq_to_name[NR_SOFTIRQS] = {
60891 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
60892 "TASKLET", "SCHED", "HRTIMER", "RCU"
60894 @@ -206,7 +206,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
60896 asmlinkage void __do_softirq(void)
60898 - struct softirq_action *h;
60899 + const struct softirq_action *h;
60901 int max_restart = MAX_SOFTIRQ_RESTART;
60903 @@ -235,7 +235,7 @@ restart:
60904 kstat_incr_softirqs_this_cpu(vec_nr);
60906 trace_softirq_entry(vec_nr);
60909 trace_softirq_exit(vec_nr);
60910 if (unlikely(prev_count != preempt_count())) {
60911 printk(KERN_ERR "huh, entered softirq %u %s %p"
60912 @@ -365,7 +365,7 @@ void raise_softirq(unsigned int nr)
60913 local_irq_restore(flags);
60916 -void open_softirq(int nr, void (*action)(struct softirq_action *))
60917 +void open_softirq(int nr, void (*action)(void))
60919 softirq_vec[nr].action = action;
60921 @@ -421,7 +421,7 @@ void __tasklet_hi_schedule_first(struct
60923 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
60925 -static void tasklet_action(struct softirq_action *a)
60926 +static void tasklet_action(void)
60928 struct tasklet_struct *list;
60930 @@ -456,7 +456,7 @@ static void tasklet_action(struct softir
60934 -static void tasklet_hi_action(struct softirq_action *a)
60935 +static void tasklet_hi_action(void)
60937 struct tasklet_struct *list;
60939 diff -urNp linux-2.6.38.6/kernel/sys.c linux-2.6.38.6/kernel/sys.c
60940 --- linux-2.6.38.6/kernel/sys.c 2011-03-14 21:20:32.000000000 -0400
60941 +++ linux-2.6.38.6/kernel/sys.c 2011-04-28 19:34:15.000000000 -0400
60942 @@ -136,6 +136,12 @@ static int set_one_prio(struct task_stru
60947 + if (gr_handle_chroot_setpriority(p, niceval)) {
60952 no_nice = security_task_setnice(p, niceval);
60955 @@ -517,6 +523,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
60959 + if (gr_check_group_change(new->gid, new->egid, -1))
60962 if (rgid != (gid_t) -1 ||
60963 (egid != (gid_t) -1 && egid != old->gid))
60964 new->sgid = new->egid;
60965 @@ -546,6 +555,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
60966 old = current_cred();
60970 + if (gr_check_group_change(gid, gid, gid))
60973 if (capable(CAP_SETGID))
60974 new->gid = new->egid = new->sgid = new->fsgid = gid;
60975 else if (gid == old->gid || gid == old->sgid)
60976 @@ -626,6 +639,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
60980 + if (gr_check_user_change(new->uid, new->euid, -1))
60983 if (new->uid != old->uid) {
60984 retval = set_user(new);
60986 @@ -670,6 +686,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
60987 old = current_cred();
60991 + if (gr_check_crash_uid(uid))
60993 + if (gr_check_user_change(uid, uid, uid))
60996 if (capable(CAP_SETUID)) {
60997 new->suid = new->uid = uid;
60998 if (uid != old->uid) {
60999 @@ -724,6 +746,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
61003 + if (gr_check_user_change(ruid, euid, -1))
61006 if (ruid != (uid_t) -1) {
61008 if (ruid != old->uid) {
61009 @@ -788,6 +813,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
61013 + if (gr_check_group_change(rgid, egid, -1))
61016 if (rgid != (gid_t) -1)
61018 if (egid != (gid_t) -1)
61019 @@ -834,6 +862,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
61020 old = current_cred();
61021 old_fsuid = old->fsuid;
61023 + if (gr_check_user_change(-1, -1, uid))
61026 if (uid == old->uid || uid == old->euid ||
61027 uid == old->suid || uid == old->fsuid ||
61028 capable(CAP_SETUID)) {
61029 @@ -844,6 +875,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
61037 @@ -870,12 +902,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
61038 if (gid == old->gid || gid == old->egid ||
61039 gid == old->sgid || gid == old->fsgid ||
61040 capable(CAP_SETGID)) {
61041 + if (gr_check_group_change(-1, -1, gid))
61044 if (gid != old_fsgid) {
61054 @@ -1616,7 +1652,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
61055 error = get_dumpable(me->mm);
61057 case PR_SET_DUMPABLE:
61058 - if (arg2 < 0 || arg2 > 1) {
61063 diff -urNp linux-2.6.38.6/kernel/sysctl.c linux-2.6.38.6/kernel/sysctl.c
61064 --- linux-2.6.38.6/kernel/sysctl.c 2011-04-18 17:27:16.000000000 -0400
61065 +++ linux-2.6.38.6/kernel/sysctl.c 2011-04-28 19:34:15.000000000 -0400
61069 #if defined(CONFIG_SYSCTL)
61070 +#include <linux/grsecurity.h>
61071 +#include <linux/grinternal.h>
61073 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
61074 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
61076 +extern int gr_handle_chroot_sysctl(const int op);
61078 /* External variables not in a header file. */
61079 extern int sysctl_overcommit_memory;
61080 @@ -195,6 +202,7 @@ static int sysrq_sysctl_handler(ctl_tabl
61084 +extern struct ctl_table grsecurity_table[];
61086 static struct ctl_table root_table[];
61087 static struct ctl_table_root sysctl_table_root;
61088 @@ -224,6 +232,20 @@ extern struct ctl_table epoll_table[];
61089 int sysctl_legacy_va_layout;
61092 +#ifdef CONFIG_PAX_SOFTMODE
61093 +static ctl_table pax_table[] = {
61095 + .procname = "softmode",
61096 + .data = &pax_softmode,
61097 + .maxlen = sizeof(unsigned int),
61099 + .proc_handler = &proc_dointvec,
61106 /* The default sysctl tables: */
61108 static struct ctl_table root_table[] = {
61109 @@ -270,6 +292,22 @@ static int max_extfrag_threshold = 1000;
61112 static struct ctl_table kern_table[] = {
61113 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
61115 + .procname = "grsecurity",
61117 + .child = grsecurity_table,
61121 +#ifdef CONFIG_PAX_SOFTMODE
61123 + .procname = "pax",
61125 + .child = pax_table,
61130 .procname = "sched_child_runs_first",
61131 .data = &sysctl_sched_child_runs_first,
61132 @@ -551,7 +589,7 @@ static struct ctl_table kern_table[] = {
61133 .data = &modprobe_path,
61134 .maxlen = KMOD_PATH_LEN,
61136 - .proc_handler = proc_dostring,
61137 + .proc_handler = proc_dostring_modpriv,
61140 .procname = "modules_disabled",
61141 @@ -713,16 +751,20 @@ static struct ctl_table kern_table[] = {
61147 .procname = "kptr_restrict",
61148 .data = &kptr_restrict,
61149 .maxlen = sizeof(int),
61151 .proc_handler = proc_dmesg_restrict,
61152 +#ifdef CONFIG_GRKERNSEC_HIDESYM
61161 .procname = "ngroups_max",
61162 .data = &ngroups_max,
61163 @@ -1187,6 +1229,13 @@ static struct ctl_table vm_table[] = {
61164 .proc_handler = proc_dointvec_minmax,
61168 + .procname = "heap_stack_gap",
61169 + .data = &sysctl_heap_stack_gap,
61170 + .maxlen = sizeof(sysctl_heap_stack_gap),
61172 + .proc_handler = proc_doulongvec_minmax,
61176 .procname = "nr_trim_pages",
61177 @@ -1698,6 +1747,16 @@ int sysctl_perm(struct ctl_table_root *r
61181 + if (table->parent != NULL && table->parent->procname != NULL &&
61182 + table->procname != NULL &&
61183 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
61185 + if (gr_handle_chroot_sysctl(op))
61187 + error = gr_handle_sysctl(table, op);
61191 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
61194 @@ -2105,6 +2164,16 @@ int proc_dostring(struct ctl_table *tabl
61195 buffer, lenp, ppos);
61198 +int proc_dostring_modpriv(struct ctl_table *table, int write,
61199 + void __user *buffer, size_t *lenp, loff_t *ppos)
61201 + if (write && !capable(CAP_SYS_MODULE))
61204 + return _proc_do_string(table->data, table->maxlen, write,
61205 + buffer, lenp, ppos);
61208 static size_t proc_skip_spaces(char **buf)
61211 @@ -2210,6 +2279,8 @@ static int proc_put_long(void __user **b
61215 + if (len > sizeof(tmp))
61216 + len = sizeof(tmp);
61217 if (copy_to_user(*buf, tmp, len))
61220 @@ -2526,8 +2597,11 @@ static int __do_proc_doulongvec_minmax(v
61223 val = convdiv * (*i) / convmul;
61226 err = proc_put_char(&buffer, &left, '\t');
61230 err = proc_put_long(&buffer, &left, val, false);
61233 @@ -2922,6 +2996,12 @@ int proc_dostring(struct ctl_table *tabl
61237 +int proc_dostring_modpriv(struct ctl_table *table, int write,
61238 + void __user *buffer, size_t *lenp, loff_t *ppos)
61243 int proc_dointvec(struct ctl_table *table, int write,
61244 void __user *buffer, size_t *lenp, loff_t *ppos)
61246 @@ -2978,6 +3058,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
61247 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
61248 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
61249 EXPORT_SYMBOL(proc_dostring);
61250 +EXPORT_SYMBOL(proc_dostring_modpriv);
61251 EXPORT_SYMBOL(proc_doulongvec_minmax);
61252 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
61253 EXPORT_SYMBOL(register_sysctl_table);
61254 diff -urNp linux-2.6.38.6/kernel/sysctl_check.c linux-2.6.38.6/kernel/sysctl_check.c
61255 --- linux-2.6.38.6/kernel/sysctl_check.c 2011-03-14 21:20:32.000000000 -0400
61256 +++ linux-2.6.38.6/kernel/sysctl_check.c 2011-04-28 19:34:15.000000000 -0400
61257 @@ -131,6 +131,7 @@ int sysctl_check_table(struct nsproxy *n
61258 set_fail(&fail, table, "Directory with extra2");
61260 if ((table->proc_handler == proc_dostring) ||
61261 + (table->proc_handler == proc_dostring_modpriv) ||
61262 (table->proc_handler == proc_dointvec) ||
61263 (table->proc_handler == proc_dointvec_minmax) ||
61264 (table->proc_handler == proc_dointvec_jiffies) ||
61265 diff -urNp linux-2.6.38.6/kernel/taskstats.c linux-2.6.38.6/kernel/taskstats.c
61266 --- linux-2.6.38.6/kernel/taskstats.c 2011-03-14 21:20:32.000000000 -0400
61267 +++ linux-2.6.38.6/kernel/taskstats.c 2011-04-28 19:34:15.000000000 -0400
61269 #include <linux/cgroup.h>
61270 #include <linux/fs.h>
61271 #include <linux/file.h>
61272 +#include <linux/grsecurity.h>
61273 #include <net/genetlink.h>
61274 #include <asm/atomic.h>
61276 +extern int gr_is_taskstats_denied(int pid);
61279 * Maximum length of a cpumask that can be specified in
61280 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
61281 @@ -549,6 +552,9 @@ err:
61283 static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
61285 + if (gr_is_taskstats_denied(current->pid))
61288 if (info->attrs[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK])
61289 return cmd_attr_register_cpumask(info);
61290 else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
61291 diff -urNp linux-2.6.38.6/kernel/time/tick-broadcast.c linux-2.6.38.6/kernel/time/tick-broadcast.c
61292 --- linux-2.6.38.6/kernel/time/tick-broadcast.c 2011-03-14 21:20:32.000000000 -0400
61293 +++ linux-2.6.38.6/kernel/time/tick-broadcast.c 2011-04-28 19:34:15.000000000 -0400
61294 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
61295 * then clear the broadcast bit.
61297 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
61298 - int cpu = smp_processor_id();
61299 + cpu = smp_processor_id();
61301 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
61302 tick_broadcast_clear_oneshot(cpu);
61303 diff -urNp linux-2.6.38.6/kernel/time/timekeeping.c linux-2.6.38.6/kernel/time/timekeeping.c
61304 --- linux-2.6.38.6/kernel/time/timekeeping.c 2011-03-14 21:20:32.000000000 -0400
61305 +++ linux-2.6.38.6/kernel/time/timekeeping.c 2011-04-28 19:34:15.000000000 -0400
61307 #include <linux/init.h>
61308 #include <linux/mm.h>
61309 #include <linux/sched.h>
61310 +#include <linux/grsecurity.h>
61311 #include <linux/sysdev.h>
61312 #include <linux/clocksource.h>
61313 #include <linux/jiffies.h>
61314 @@ -361,6 +362,8 @@ int do_settimeofday(struct timespec *tv)
61315 if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
61318 + gr_log_timechange();
61320 write_seqlock_irqsave(&xtime_lock, flags);
61322 timekeeping_forward_now();
61323 diff -urNp linux-2.6.38.6/kernel/time/timer_list.c linux-2.6.38.6/kernel/time/timer_list.c
61324 --- linux-2.6.38.6/kernel/time/timer_list.c 2011-03-14 21:20:32.000000000 -0400
61325 +++ linux-2.6.38.6/kernel/time/timer_list.c 2011-04-28 19:34:15.000000000 -0400
61326 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
61328 static void print_name_offset(struct seq_file *m, void *sym)
61330 +#ifdef CONFIG_GRKERNSEC_HIDESYM
61331 + SEQ_printf(m, "<%p>", NULL);
61333 char symname[KSYM_NAME_LEN];
61335 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
61336 SEQ_printf(m, "<%pK>", sym);
61338 SEQ_printf(m, "%s", symname);
61343 @@ -112,7 +116,11 @@ next_one:
61345 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
61347 +#ifdef CONFIG_GRKERNSEC_HIDESYM
61348 + SEQ_printf(m, " .base: %p\n", NULL);
61350 SEQ_printf(m, " .base: %pK\n", base);
61352 SEQ_printf(m, " .index: %d\n",
61354 SEQ_printf(m, " .resolution: %Lu nsecs\n",
61355 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
61357 struct proc_dir_entry *pe;
61359 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
61360 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
61362 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
61367 diff -urNp linux-2.6.38.6/kernel/time/timer_stats.c linux-2.6.38.6/kernel/time/timer_stats.c
61368 --- linux-2.6.38.6/kernel/time/timer_stats.c 2011-03-14 21:20:32.000000000 -0400
61369 +++ linux-2.6.38.6/kernel/time/timer_stats.c 2011-04-28 19:57:25.000000000 -0400
61370 @@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
61371 static unsigned long nr_entries;
61372 static struct entry entries[MAX_ENTRIES];
61374 -static atomic_t overflow_count;
61375 +static atomic_unchecked_t overflow_count;
61378 * The entries are in a hash-table, for fast lookup:
61379 @@ -140,7 +140,7 @@ static void reset_entries(void)
61381 memset(entries, 0, sizeof(entries));
61382 memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
61383 - atomic_set(&overflow_count, 0);
61384 + atomic_set_unchecked(&overflow_count, 0);
61387 static struct entry *alloc_entry(void)
61388 @@ -261,7 +261,7 @@ void timer_stats_update_stats(void *time
61392 - atomic_inc(&overflow_count);
61393 + atomic_inc_unchecked(&overflow_count);
61396 raw_spin_unlock_irqrestore(lock, flags);
61397 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
61399 static void print_name_offset(struct seq_file *m, unsigned long addr)
61401 +#ifdef CONFIG_GRKERNSEC_HIDESYM
61402 + seq_printf(m, "<%p>", NULL);
61404 char symname[KSYM_NAME_LEN];
61406 if (lookup_symbol_name(addr, symname) < 0)
61407 seq_printf(m, "<%p>", (void *)addr);
61409 seq_printf(m, "%s", symname);
61413 static int tstats_show(struct seq_file *m, void *v)
61414 @@ -300,9 +304,9 @@ static int tstats_show(struct seq_file *
61416 seq_puts(m, "Timer Stats Version: v0.2\n");
61417 seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
61418 - if (atomic_read(&overflow_count))
61419 + if (atomic_read_unchecked(&overflow_count))
61420 seq_printf(m, "Overflow: %d entries\n",
61421 - atomic_read(&overflow_count));
61422 + atomic_read_unchecked(&overflow_count));
61424 for (i = 0; i < nr_entries; i++) {
61425 entry = entries + i;
61426 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
61428 struct proc_dir_entry *pe;
61430 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
61431 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
61433 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
61438 diff -urNp linux-2.6.38.6/kernel/time.c linux-2.6.38.6/kernel/time.c
61439 --- linux-2.6.38.6/kernel/time.c 2011-03-14 21:20:32.000000000 -0400
61440 +++ linux-2.6.38.6/kernel/time.c 2011-04-28 19:34:15.000000000 -0400
61441 @@ -163,6 +163,11 @@ int do_sys_settimeofday(struct timespec
61445 + /* we log in do_settimeofday called below, so don't log twice
61448 + gr_log_timechange();
61450 /* SMP safe, global irq locking makes it work. */
61452 update_vsyscall_tz();
61453 diff -urNp linux-2.6.38.6/kernel/timer.c linux-2.6.38.6/kernel/timer.c
61454 --- linux-2.6.38.6/kernel/timer.c 2011-03-14 21:20:32.000000000 -0400
61455 +++ linux-2.6.38.6/kernel/timer.c 2011-04-28 19:34:15.000000000 -0400
61456 @@ -1276,7 +1276,7 @@ void update_process_times(int user_tick)
61458 * This function runs timers and the timer-tq in bottom half context.
61460 -static void run_timer_softirq(struct softirq_action *h)
61461 +static void run_timer_softirq(void)
61463 struct tvec_base *base = __this_cpu_read(tvec_bases);
61465 diff -urNp linux-2.6.38.6/kernel/trace/blktrace.c linux-2.6.38.6/kernel/trace/blktrace.c
61466 --- linux-2.6.38.6/kernel/trace/blktrace.c 2011-03-14 21:20:32.000000000 -0400
61467 +++ linux-2.6.38.6/kernel/trace/blktrace.c 2011-04-28 19:57:25.000000000 -0400
61468 @@ -321,7 +321,7 @@ static ssize_t blk_dropped_read(struct f
61469 struct blk_trace *bt = filp->private_data;
61472 - snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
61473 + snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
61475 return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
61477 @@ -386,7 +386,7 @@ static int blk_subbuf_start_callback(str
61480 bt = buf->chan->private_data;
61481 - atomic_inc(&bt->dropped);
61482 + atomic_inc_unchecked(&bt->dropped);
61486 @@ -487,7 +487,7 @@ int do_blk_trace_setup(struct request_qu
61490 - atomic_set(&bt->dropped, 0);
61491 + atomic_set_unchecked(&bt->dropped, 0);
61494 bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
61495 diff -urNp linux-2.6.38.6/kernel/trace/ftrace.c linux-2.6.38.6/kernel/trace/ftrace.c
61496 --- linux-2.6.38.6/kernel/trace/ftrace.c 2011-04-18 17:27:14.000000000 -0400
61497 +++ linux-2.6.38.6/kernel/trace/ftrace.c 2011-04-28 19:34:15.000000000 -0400
61498 @@ -1107,13 +1107,18 @@ ftrace_code_disable(struct module *mod,
61502 + ret = ftrace_arch_code_modify_prepare();
61503 + FTRACE_WARN_ON(ret);
61507 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
61508 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
61510 ftrace_bug(ret, ip);
61511 rec->flags |= FTRACE_FL_FAILED;
61515 + return ret ? 0 : 1;
61519 diff -urNp linux-2.6.38.6/kernel/trace/ring_buffer.c linux-2.6.38.6/kernel/trace/ring_buffer.c
61520 --- linux-2.6.38.6/kernel/trace/ring_buffer.c 2011-03-14 21:20:32.000000000 -0400
61521 +++ linux-2.6.38.6/kernel/trace/ring_buffer.c 2011-04-28 19:34:15.000000000 -0400
61522 @@ -669,7 +669,7 @@ static struct list_head *rb_list_head(st
61523 * the reader page). But if the next page is a header page,
61524 * its flags will be non zero.
61528 rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
61529 struct buffer_page *page, struct list_head *list)
61531 diff -urNp linux-2.6.38.6/kernel/trace/trace.c linux-2.6.38.6/kernel/trace/trace.c
61532 --- linux-2.6.38.6/kernel/trace/trace.c 2011-03-14 21:20:32.000000000 -0400
61533 +++ linux-2.6.38.6/kernel/trace/trace.c 2011-05-16 21:47:08.000000000 -0400
61534 @@ -3316,6 +3316,8 @@ static ssize_t tracing_splice_read_pipe(
61538 + pax_track_stack();
61540 if (splice_grow_spd(pipe, &spd))
61543 @@ -3799,6 +3801,8 @@ tracing_buffers_splice_read(struct file
61544 int entries, size, i;
61547 + pax_track_stack();
61549 if (splice_grow_spd(pipe, &spd))
61552 @@ -3967,10 +3971,9 @@ static const struct file_operations trac
61556 -static struct dentry *d_tracer;
61558 struct dentry *tracing_init_dentry(void)
61560 + static struct dentry *d_tracer;
61564 @@ -3990,10 +3993,9 @@ struct dentry *tracing_init_dentry(void)
61568 -static struct dentry *d_percpu;
61570 struct dentry *tracing_dentry_percpu(void)
61572 + static struct dentry *d_percpu;
61574 struct dentry *d_tracer;
61576 diff -urNp linux-2.6.38.6/kernel/trace/trace_events.c linux-2.6.38.6/kernel/trace/trace_events.c
61577 --- linux-2.6.38.6/kernel/trace/trace_events.c 2011-03-14 21:20:32.000000000 -0400
61578 +++ linux-2.6.38.6/kernel/trace/trace_events.c 2011-04-28 19:34:15.000000000 -0400
61579 @@ -1240,10 +1240,10 @@ static LIST_HEAD(ftrace_module_file_list
61580 struct ftrace_module_file_ops {
61581 struct list_head list;
61582 struct module *mod;
61583 - struct file_operations id;
61584 - struct file_operations enable;
61585 - struct file_operations format;
61586 - struct file_operations filter;
61587 + struct file_operations id; /* cannot be const, see trace_create_file_ops() */
61588 + struct file_operations enable; /* cannot be const, see trace_create_file_ops() */
61589 + struct file_operations format; /* cannot be const, see trace_create_file_ops() */
61590 + struct file_operations filter; /* cannot be const, see trace_create_file_ops() */
61593 static struct ftrace_module_file_ops *
61594 diff -urNp linux-2.6.38.6/kernel/trace/trace_mmiotrace.c linux-2.6.38.6/kernel/trace/trace_mmiotrace.c
61595 --- linux-2.6.38.6/kernel/trace/trace_mmiotrace.c 2011-03-14 21:20:32.000000000 -0400
61596 +++ linux-2.6.38.6/kernel/trace/trace_mmiotrace.c 2011-04-28 19:57:25.000000000 -0400
61597 @@ -24,7 +24,7 @@ struct header_iter {
61598 static struct trace_array *mmio_trace_array;
61599 static bool overrun_detected;
61600 static unsigned long prev_overruns;
61601 -static atomic_t dropped_count;
61602 +static atomic_unchecked_t dropped_count;
61604 static void mmio_reset_data(struct trace_array *tr)
61606 @@ -127,7 +127,7 @@ static void mmio_close(struct trace_iter
61608 static unsigned long count_overruns(struct trace_iterator *iter)
61610 - unsigned long cnt = atomic_xchg(&dropped_count, 0);
61611 + unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
61612 unsigned long over = ring_buffer_overruns(iter->tr->buffer);
61614 if (over > prev_overruns)
61615 @@ -317,7 +317,7 @@ static void __trace_mmiotrace_rw(struct
61616 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
61617 sizeof(*entry), 0, pc);
61619 - atomic_inc(&dropped_count);
61620 + atomic_inc_unchecked(&dropped_count);
61623 entry = ring_buffer_event_data(event);
61624 @@ -347,7 +347,7 @@ static void __trace_mmiotrace_map(struct
61625 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
61626 sizeof(*entry), 0, pc);
61628 - atomic_inc(&dropped_count);
61629 + atomic_inc_unchecked(&dropped_count);
61632 entry = ring_buffer_event_data(event);
61633 diff -urNp linux-2.6.38.6/kernel/trace/trace_output.c linux-2.6.38.6/kernel/trace/trace_output.c
61634 --- linux-2.6.38.6/kernel/trace/trace_output.c 2011-03-14 21:20:32.000000000 -0400
61635 +++ linux-2.6.38.6/kernel/trace/trace_output.c 2011-04-28 19:34:15.000000000 -0400
61636 @@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s,
61638 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
61640 - p = mangle_path(s->buffer + s->len, p, "\n");
61641 + p = mangle_path(s->buffer + s->len, p, "\n\\");
61643 s->len = p - s->buffer;
61645 diff -urNp linux-2.6.38.6/kernel/trace/trace_stack.c linux-2.6.38.6/kernel/trace/trace_stack.c
61646 --- linux-2.6.38.6/kernel/trace/trace_stack.c 2011-03-14 21:20:32.000000000 -0400
61647 +++ linux-2.6.38.6/kernel/trace/trace_stack.c 2011-04-28 19:34:15.000000000 -0400
61648 @@ -50,7 +50,7 @@ static inline void check_stack(void)
61651 /* we do not handle interrupt stacks yet */
61652 - if (!object_is_on_stack(&this_size))
61653 + if (!object_starts_on_stack(&this_size))
61656 local_irq_save(flags);
61657 diff -urNp linux-2.6.38.6/kernel/trace/trace_workqueue.c linux-2.6.38.6/kernel/trace/trace_workqueue.c
61658 --- linux-2.6.38.6/kernel/trace/trace_workqueue.c 2011-03-14 21:20:32.000000000 -0400
61659 +++ linux-2.6.38.6/kernel/trace/trace_workqueue.c 2011-04-28 19:34:15.000000000 -0400
61660 @@ -22,7 +22,7 @@ struct cpu_workqueue_stats {
61663 /* Can be inserted from interrupt or user context, need to be atomic */
61664 - atomic_t inserted;
61665 + atomic_unchecked_t inserted;
61667 * Don't need to be atomic, works are serialized in a single workqueue thread
61669 @@ -60,7 +60,7 @@ probe_workqueue_insertion(void *ignore,
61670 spin_lock_irqsave(&workqueue_cpu_stat(cpu)->lock, flags);
61671 list_for_each_entry(node, &workqueue_cpu_stat(cpu)->list, list) {
61672 if (node->pid == wq_thread->pid) {
61673 - atomic_inc(&node->inserted);
61674 + atomic_inc_unchecked(&node->inserted);
61678 @@ -210,7 +210,7 @@ static int workqueue_stat_show(struct se
61679 tsk = get_pid_task(pid, PIDTYPE_PID);
61681 seq_printf(s, "%3d %6d %6u %s\n", cws->cpu,
61682 - atomic_read(&cws->inserted), cws->executed,
61683 + atomic_read_unchecked(&cws->inserted), cws->executed,
61685 put_task_struct(tsk);
61687 diff -urNp linux-2.6.38.6/lib/bug.c linux-2.6.38.6/lib/bug.c
61688 --- linux-2.6.38.6/lib/bug.c 2011-03-14 21:20:32.000000000 -0400
61689 +++ linux-2.6.38.6/lib/bug.c 2011-04-28 19:34:15.000000000 -0400
61690 @@ -133,6 +133,8 @@ enum bug_trap_type report_bug(unsigned l
61691 return BUG_TRAP_TYPE_NONE;
61693 bug = find_bug(bugaddr);
61695 + return BUG_TRAP_TYPE_NONE;
61699 diff -urNp linux-2.6.38.6/lib/debugobjects.c linux-2.6.38.6/lib/debugobjects.c
61700 --- linux-2.6.38.6/lib/debugobjects.c 2011-03-14 21:20:32.000000000 -0400
61701 +++ linux-2.6.38.6/lib/debugobjects.c 2011-04-28 19:34:15.000000000 -0400
61702 @@ -281,7 +281,7 @@ static void debug_object_is_on_stack(voi
61706 - is_on_stack = object_is_on_stack(addr);
61707 + is_on_stack = object_starts_on_stack(addr);
61708 if (is_on_stack == onstack)
61711 diff -urNp linux-2.6.38.6/lib/dma-debug.c linux-2.6.38.6/lib/dma-debug.c
61712 --- linux-2.6.38.6/lib/dma-debug.c 2011-03-14 21:20:32.000000000 -0400
61713 +++ linux-2.6.38.6/lib/dma-debug.c 2011-04-28 19:34:15.000000000 -0400
61714 @@ -862,7 +862,7 @@ out:
61716 static void check_for_stack(struct device *dev, void *addr)
61718 - if (object_is_on_stack(addr))
61719 + if (object_starts_on_stack(addr))
61720 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
61721 "stack [addr=%p]\n", addr);
61723 diff -urNp linux-2.6.38.6/lib/inflate.c linux-2.6.38.6/lib/inflate.c
61724 --- linux-2.6.38.6/lib/inflate.c 2011-03-14 21:20:32.000000000 -0400
61725 +++ linux-2.6.38.6/lib/inflate.c 2011-04-28 19:34:15.000000000 -0400
61726 @@ -269,7 +269,7 @@ static void free(void *where)
61727 malloc_ptr = free_mem_ptr;
61730 -#define malloc(a) kmalloc(a, GFP_KERNEL)
61731 +#define malloc(a) kmalloc((a), GFP_KERNEL)
61732 #define free(a) kfree(a)
61735 diff -urNp linux-2.6.38.6/lib/Kconfig.debug linux-2.6.38.6/lib/Kconfig.debug
61736 --- linux-2.6.38.6/lib/Kconfig.debug 2011-04-22 19:20:59.000000000 -0400
61737 +++ linux-2.6.38.6/lib/Kconfig.debug 2011-04-28 19:34:15.000000000 -0400
61738 @@ -1066,6 +1066,7 @@ config LATENCYTOP
61739 depends on DEBUG_KERNEL
61740 depends on STACKTRACE_SUPPORT
61742 + depends on !GRKERNSEC_HIDESYM
61743 select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE
61745 select KALLSYMS_ALL
61746 diff -urNp linux-2.6.38.6/lib/kref.c linux-2.6.38.6/lib/kref.c
61747 --- linux-2.6.38.6/lib/kref.c 2011-03-14 21:20:32.000000000 -0400
61748 +++ linux-2.6.38.6/lib/kref.c 2011-04-28 19:34:15.000000000 -0400
61749 @@ -52,7 +52,7 @@ void kref_get(struct kref *kref)
61751 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
61753 - WARN_ON(release == NULL);
61754 + BUG_ON(release == NULL);
61755 WARN_ON(release == (void (*)(struct kref *))kfree);
61757 if (atomic_dec_and_test(&kref->refcount)) {
61758 diff -urNp linux-2.6.38.6/lib/radix-tree.c linux-2.6.38.6/lib/radix-tree.c
61759 --- linux-2.6.38.6/lib/radix-tree.c 2011-03-14 21:20:32.000000000 -0400
61760 +++ linux-2.6.38.6/lib/radix-tree.c 2011-04-28 19:34:15.000000000 -0400
61761 @@ -80,7 +80,7 @@ struct radix_tree_preload {
61763 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
61765 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
61766 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
61768 static inline void *ptr_to_indirect(void *ptr)
61770 diff -urNp linux-2.6.38.6/lib/vsprintf.c linux-2.6.38.6/lib/vsprintf.c
61771 --- linux-2.6.38.6/lib/vsprintf.c 2011-04-22 19:20:59.000000000 -0400
61772 +++ linux-2.6.38.6/lib/vsprintf.c 2011-04-28 19:34:15.000000000 -0400
61774 * - scnprintf and vscnprintf
61777 +#ifdef CONFIG_GRKERNSEC_HIDESYM
61778 +#define __INCLUDED_BY_HIDESYM 1
61780 #include <stdarg.h>
61781 #include <linux/module.h>
61782 #include <linux/types.h>
61783 @@ -433,7 +436,7 @@ char *symbol_string(char *buf, char *end
61784 unsigned long value = (unsigned long) ptr;
61785 #ifdef CONFIG_KALLSYMS
61786 char sym[KSYM_SYMBOL_LEN];
61787 - if (ext != 'f' && ext != 's')
61788 + if (ext != 'f' && ext != 's' && ext != 'a')
61789 sprint_symbol(sym, value);
61791 kallsyms_lookup(value, NULL, NULL, NULL, sym);
61792 @@ -795,7 +798,11 @@ char *uuid_string(char *buf, char *end,
61793 return string(buf, end, uuid, spec);
61796 +#ifdef CONFIG_GRKERNSEC_HIDESYM
61797 +int kptr_restrict = 2;
61799 int kptr_restrict = 1;
61803 * Show a '%p' thing. A kernel extension is that the '%p' is followed
61804 @@ -808,6 +815,8 @@ int kptr_restrict = 1;
61805 * - 'f' For simple symbolic function names without offset
61806 * - 'S' For symbolic direct pointers with offset
61807 * - 's' For symbolic direct pointers without offset
61808 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
61809 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
61810 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
61811 * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
61812 * - 'M' For a 6-byte MAC address, it prints the address in the
61813 @@ -852,12 +861,12 @@ char *pointer(const char *fmt, char *buf
61817 - * Print (null) with the same width as a pointer so it makes
61818 + * Print (nil) with the same width as a pointer so it makes
61819 * tabular output look nice.
61821 if (spec.field_width == -1)
61822 spec.field_width = 2 * sizeof(void *);
61823 - return string(buf, end, "(null)", spec);
61824 + return string(buf, end, "(nil)", spec);
61828 @@ -867,6 +876,13 @@ char *pointer(const char *fmt, char *buf
61832 +#ifdef CONFIG_GRKERNSEC_HIDESYM
61835 + return symbol_string(buf, end, ptr, spec, *fmt);
61839 return symbol_string(buf, end, ptr, spec, *fmt);
61842 @@ -1631,11 +1647,11 @@ int bstr_printf(char *buf, size_t size,
61843 typeof(type) value; \
61844 if (sizeof(type) == 8) { \
61845 args = PTR_ALIGN(args, sizeof(u32)); \
61846 - *(u32 *)&value = *(u32 *)args; \
61847 - *((u32 *)&value + 1) = *(u32 *)(args + 4); \
61848 + *(u32 *)&value = *(const u32 *)args; \
61849 + *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
61851 args = PTR_ALIGN(args, sizeof(type)); \
61852 - value = *(typeof(type) *)args; \
61853 + value = *(const typeof(type) *)args; \
61855 args += sizeof(type); \
61857 @@ -1698,7 +1714,7 @@ int bstr_printf(char *buf, size_t size,
61858 case FORMAT_TYPE_STR: {
61859 const char *str_arg = args;
61860 args += strlen(str_arg) + 1;
61861 - str = string(str, end, (char *)str_arg, spec);
61862 + str = string(str, end, str_arg, spec);
61866 diff -urNp linux-2.6.38.6/localversion-grsec linux-2.6.38.6/localversion-grsec
61867 --- linux-2.6.38.6/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
61868 +++ linux-2.6.38.6/localversion-grsec 2011-04-28 19:34:15.000000000 -0400
61871 diff -urNp linux-2.6.38.6/Makefile linux-2.6.38.6/Makefile
61872 --- linux-2.6.38.6/Makefile 2011-05-10 22:06:29.000000000 -0400
61873 +++ linux-2.6.38.6/Makefile 2011-05-16 21:47:08.000000000 -0400
61874 @@ -233,8 +233,8 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
61878 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
61879 -HOSTCXXFLAGS = -O2
61880 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-empty-body -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
61881 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
61883 # Decide whether to build built-in, modular, or both.
61884 # Normally, just do built-in.
61885 @@ -352,6 +352,7 @@ LINUXINCLUDE := -I$(srctree)/arch/$(h
61886 KBUILD_CPPFLAGS := -D__KERNEL__
61888 KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
61889 + -W -Wno-empty-body -Wno-unused-parameter -Wno-missing-field-initializers \
61890 -fno-strict-aliasing -fno-common \
61891 -Werror-implicit-function-declaration \
61892 -Wno-format-security \
61893 @@ -681,7 +682,7 @@ export mod_strip_cmd
61896 ifeq ($(KBUILD_EXTMOD),)
61897 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
61898 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
61900 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
61901 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
61902 diff -urNp linux-2.6.38.6/mm/bootmem.c linux-2.6.38.6/mm/bootmem.c
61903 --- linux-2.6.38.6/mm/bootmem.c 2011-03-14 21:20:32.000000000 -0400
61904 +++ linux-2.6.38.6/mm/bootmem.c 2011-04-28 19:34:15.000000000 -0400
61905 @@ -201,19 +201,30 @@ static void __init __free_pages_memory(u
61906 unsigned long __init free_all_memory_core_early(int nodeid)
61910 + u64 start, end, startrange, endrange;
61911 unsigned long count = 0;
61912 - struct range *range = NULL;
61913 + struct range *range = NULL, rangerange = { 0, 0 };
61916 nr_range = get_free_all_memory_range(&range, nodeid);
61917 + startrange = __pa(range) >> PAGE_SHIFT;
61918 + endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
61920 for (i = 0; i < nr_range; i++) {
61921 start = range[i].start;
61922 end = range[i].end;
61923 + if (start <= endrange && startrange < end) {
61924 + BUG_ON(rangerange.start | rangerange.end);
61925 + rangerange = range[i];
61928 count += end - start;
61929 __free_pages_memory(start, end);
61931 + start = rangerange.start;
61932 + end = rangerange.end;
61933 + count += end - start;
61934 + __free_pages_memory(start, end);
61938 diff -urNp linux-2.6.38.6/mm/filemap.c linux-2.6.38.6/mm/filemap.c
61939 --- linux-2.6.38.6/mm/filemap.c 2011-03-14 21:20:32.000000000 -0400
61940 +++ linux-2.6.38.6/mm/filemap.c 2011-04-28 19:34:15.000000000 -0400
61941 @@ -1664,7 +1664,7 @@ int generic_file_mmap(struct file * file
61942 struct address_space *mapping = file->f_mapping;
61944 if (!mapping->a_ops->readpage)
61947 file_accessed(file);
61948 vma->vm_ops = &generic_file_vm_ops;
61949 vma->vm_flags |= VM_CAN_NONLINEAR;
61950 @@ -2060,6 +2060,7 @@ inline int generic_write_checks(struct f
61951 *pos = i_size_read(inode);
61953 if (limit != RLIM_INFINITY) {
61954 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
61955 if (*pos >= limit) {
61956 send_sig(SIGXFSZ, current, 0);
61958 diff -urNp linux-2.6.38.6/mm/fremap.c linux-2.6.38.6/mm/fremap.c
61959 --- linux-2.6.38.6/mm/fremap.c 2011-03-14 21:20:32.000000000 -0400
61960 +++ linux-2.6.38.6/mm/fremap.c 2011-04-28 19:34:15.000000000 -0400
61961 @@ -156,6 +156,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
61963 vma = find_vma(mm, start);
61965 +#ifdef CONFIG_PAX_SEGMEXEC
61966 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
61971 * Make sure the vma is shared, that it supports prefaulting,
61972 * and that the remapped range is valid and fully within
61973 @@ -224,7 +229,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
61975 * drop PG_Mlocked flag for over-mapped range
61977 - unsigned int saved_flags = vma->vm_flags;
61978 + unsigned long saved_flags = vma->vm_flags;
61979 munlock_vma_pages_range(vma, start, start + size);
61980 vma->vm_flags = saved_flags;
61982 diff -urNp linux-2.6.38.6/mm/highmem.c linux-2.6.38.6/mm/highmem.c
61983 --- linux-2.6.38.6/mm/highmem.c 2011-03-14 21:20:32.000000000 -0400
61984 +++ linux-2.6.38.6/mm/highmem.c 2011-04-28 19:34:15.000000000 -0400
61985 @@ -125,9 +125,10 @@ static void flush_all_zero_pkmaps(void)
61986 * So no dangers, even with speculative execution.
61988 page = pte_page(pkmap_page_table[i]);
61989 + pax_open_kernel();
61990 pte_clear(&init_mm, (unsigned long)page_address(page),
61991 &pkmap_page_table[i]);
61993 + pax_close_kernel();
61994 set_page_address(page, NULL);
61997 @@ -186,9 +187,11 @@ start:
62000 vaddr = PKMAP_ADDR(last_pkmap_nr);
62002 + pax_open_kernel();
62003 set_pte_at(&init_mm, vaddr,
62004 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
62006 + pax_close_kernel();
62007 pkmap_count[last_pkmap_nr] = 1;
62008 set_page_address(page, (void *)vaddr);
62010 diff -urNp linux-2.6.38.6/mm/huge_memory.c linux-2.6.38.6/mm/huge_memory.c
62011 --- linux-2.6.38.6/mm/huge_memory.c 2011-05-10 22:06:27.000000000 -0400
62012 +++ linux-2.6.38.6/mm/huge_memory.c 2011-05-10 22:06:56.000000000 -0400
62013 @@ -698,7 +698,7 @@ out:
62014 * run pte_offset_map on the pmd, if an huge pmd could
62015 * materialize from under us from a different thread.
62017 - if (unlikely(__pte_alloc(mm, vma, pmd, address)))
62018 + if (unlikely(pmd_none(*pmd) && __pte_alloc(mm, vma, pmd, address)))
62019 return VM_FAULT_OOM;
62020 /* if an huge pmd materialized from under us just retry later */
62021 if (unlikely(pmd_trans_huge(*pmd)))
62022 diff -urNp linux-2.6.38.6/mm/hugetlb.c linux-2.6.38.6/mm/hugetlb.c
62023 --- linux-2.6.38.6/mm/hugetlb.c 2011-03-14 21:20:32.000000000 -0400
62024 +++ linux-2.6.38.6/mm/hugetlb.c 2011-04-28 19:34:15.000000000 -0400
62025 @@ -2333,6 +2333,27 @@ static int unmap_ref_private(struct mm_s
62029 +#ifdef CONFIG_PAX_SEGMEXEC
62030 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
62032 + struct mm_struct *mm = vma->vm_mm;
62033 + struct vm_area_struct *vma_m;
62034 + unsigned long address_m;
62037 + vma_m = pax_find_mirror_vma(vma);
62041 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
62042 + address_m = address + SEGMEXEC_TASK_SIZE;
62043 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
62044 + get_page(page_m);
62045 + hugepage_add_anon_rmap(page_m, vma_m, address_m);
62046 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
62051 * Hugetlb_cow() should be called with page lock of the original hugepage held.
62053 @@ -2434,6 +2455,11 @@ retry_avoidcopy:
62054 make_huge_pte(vma, new_page, 1));
62055 page_remove_rmap(old_page);
62056 hugepage_add_new_anon_rmap(new_page, vma, address);
62058 +#ifdef CONFIG_PAX_SEGMEXEC
62059 + pax_mirror_huge_pte(vma, address, new_page);
62062 /* Make the old page be freed below */
62063 new_page = old_page;
62064 mmu_notifier_invalidate_range_end(mm,
62065 @@ -2585,6 +2611,10 @@ retry:
62066 && (vma->vm_flags & VM_SHARED)));
62067 set_huge_pte_at(mm, address, ptep, new_pte);
62069 +#ifdef CONFIG_PAX_SEGMEXEC
62070 + pax_mirror_huge_pte(vma, address, page);
62073 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
62074 /* Optimization, do the COW without a second fault */
62075 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
62076 @@ -2614,6 +2644,10 @@ int hugetlb_fault(struct mm_struct *mm,
62077 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
62078 struct hstate *h = hstate_vma(vma);
62080 +#ifdef CONFIG_PAX_SEGMEXEC
62081 + struct vm_area_struct *vma_m;
62084 ptep = huge_pte_offset(mm, address);
62086 entry = huge_ptep_get(ptep);
62087 @@ -2625,6 +2659,26 @@ int hugetlb_fault(struct mm_struct *mm,
62088 VM_FAULT_SET_HINDEX(h - hstates);
62091 +#ifdef CONFIG_PAX_SEGMEXEC
62092 + vma_m = pax_find_mirror_vma(vma);
62094 + unsigned long address_m;
62096 + if (vma->vm_start > vma_m->vm_start) {
62097 + address_m = address;
62098 + address -= SEGMEXEC_TASK_SIZE;
62100 + h = hstate_vma(vma);
62102 + address_m = address + SEGMEXEC_TASK_SIZE;
62104 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
62105 + return VM_FAULT_OOM;
62106 + address_m &= HPAGE_MASK;
62107 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
62111 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
62113 return VM_FAULT_OOM;
62114 diff -urNp linux-2.6.38.6/mm/Kconfig linux-2.6.38.6/mm/Kconfig
62115 --- linux-2.6.38.6/mm/Kconfig 2011-03-14 21:20:32.000000000 -0400
62116 +++ linux-2.6.38.6/mm/Kconfig 2011-04-28 19:34:15.000000000 -0400
62117 @@ -240,7 +240,7 @@ config KSM
62118 config DEFAULT_MMAP_MIN_ADDR
62119 int "Low address space to protect from user allocation"
62124 This is the portion of low virtual memory which should be protected
62125 from userspace allocation. Keeping a user from writing to low pages
62126 diff -urNp linux-2.6.38.6/mm/kmemleak.c linux-2.6.38.6/mm/kmemleak.c
62127 --- linux-2.6.38.6/mm/kmemleak.c 2011-03-14 21:20:32.000000000 -0400
62128 +++ linux-2.6.38.6/mm/kmemleak.c 2011-04-28 19:34:15.000000000 -0400
62129 @@ -357,7 +357,7 @@ static void print_unreferenced(struct se
62131 for (i = 0; i < object->trace_len; i++) {
62132 void *ptr = (void *)object->trace[i];
62133 - seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
62134 + seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
62138 diff -urNp linux-2.6.38.6/mm/maccess.c linux-2.6.38.6/mm/maccess.c
62139 --- linux-2.6.38.6/mm/maccess.c 2011-03-14 21:20:32.000000000 -0400
62140 +++ linux-2.6.38.6/mm/maccess.c 2011-04-28 19:34:15.000000000 -0400
62141 @@ -15,10 +15,10 @@
62142 * happens, handle that and return -EFAULT.
62145 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
62146 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
62147 __attribute__((alias("__probe_kernel_read")));
62149 -long __probe_kernel_read(void *dst, void *src, size_t size)
62150 +long __probe_kernel_read(void *dst, const void *src, size_t size)
62153 mm_segment_t old_fs = get_fs();
62154 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
62155 * Safely write to address @dst from the buffer at @src. If a kernel fault
62156 * happens, handle that and return -EFAULT.
62158 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
62159 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
62160 __attribute__((alias("__probe_kernel_write")));
62162 -long __probe_kernel_write(void *dst, void *src, size_t size)
62163 +long __probe_kernel_write(void *dst, const void *src, size_t size)
62166 mm_segment_t old_fs = get_fs();
62167 diff -urNp linux-2.6.38.6/mm/madvise.c linux-2.6.38.6/mm/madvise.c
62168 --- linux-2.6.38.6/mm/madvise.c 2011-03-14 21:20:32.000000000 -0400
62169 +++ linux-2.6.38.6/mm/madvise.c 2011-04-28 19:34:15.000000000 -0400
62170 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
62172 unsigned long new_flags = vma->vm_flags;
62174 +#ifdef CONFIG_PAX_SEGMEXEC
62175 + struct vm_area_struct *vma_m;
62178 switch (behavior) {
62180 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
62181 @@ -110,6 +114,13 @@ success:
62183 * vm_flags is protected by the mmap_sem held in write mode.
62186 +#ifdef CONFIG_PAX_SEGMEXEC
62187 + vma_m = pax_find_mirror_vma(vma);
62189 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
62192 vma->vm_flags = new_flags;
62195 @@ -168,6 +179,11 @@ static long madvise_dontneed(struct vm_a
62196 struct vm_area_struct ** prev,
62197 unsigned long start, unsigned long end)
62200 +#ifdef CONFIG_PAX_SEGMEXEC
62201 + struct vm_area_struct *vma_m;
62205 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
62207 @@ -180,6 +196,21 @@ static long madvise_dontneed(struct vm_a
62208 zap_page_range(vma, start, end - start, &details);
62210 zap_page_range(vma, start, end - start, NULL);
62212 +#ifdef CONFIG_PAX_SEGMEXEC
62213 + vma_m = pax_find_mirror_vma(vma);
62215 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
62216 + struct zap_details details = {
62217 + .nonlinear_vma = vma_m,
62218 + .last_index = ULONG_MAX,
62220 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
62222 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
62229 @@ -376,6 +407,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
62233 +#ifdef CONFIG_PAX_SEGMEXEC
62234 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
62235 + if (end > SEGMEXEC_TASK_SIZE)
62240 + if (end > TASK_SIZE)
62246 diff -urNp linux-2.6.38.6/mm/memory.c linux-2.6.38.6/mm/memory.c
62247 --- linux-2.6.38.6/mm/memory.c 2011-05-10 22:06:29.000000000 -0400
62248 +++ linux-2.6.38.6/mm/memory.c 2011-05-10 22:09:01.000000000 -0400
62249 @@ -259,8 +259,12 @@ static inline void free_pmd_range(struct
62252 pmd = pmd_offset(pud, start);
62254 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
62256 pmd_free_tlb(tlb, pmd, start);
62261 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
62262 @@ -291,9 +295,12 @@ static inline void free_pud_range(struct
62263 if (end - 1 > ceiling - 1)
62266 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
62267 pud = pud_offset(pgd, start);
62269 pud_free_tlb(tlb, pud, start);
62275 @@ -1410,13 +1417,6 @@ no_page_table:
62279 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
62281 - return (vma->vm_flags & VM_GROWSDOWN) &&
62282 - (vma->vm_start == addr) &&
62283 - !vma_stack_continue(vma->vm_prev, addr);
62286 int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
62287 unsigned long start, int nr_pages, unsigned int gup_flags,
62288 struct page **pages, struct vm_area_struct **vmas,
62289 @@ -1440,10 +1440,10 @@ int __get_user_pages(struct task_struct
62290 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
62294 + while (nr_pages) {
62295 struct vm_area_struct *vma;
62297 - vma = find_extend_vma(mm, start);
62298 + vma = find_vma(mm, start);
62299 if (!vma && in_gate_area(tsk, start)) {
62300 unsigned long pg = start & PAGE_MASK;
62302 @@ -1491,7 +1491,7 @@ int __get_user_pages(struct task_struct
62307 + if (!vma || start < vma->vm_start ||
62308 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
62309 !(vm_flags & vma->vm_flags))
62310 return i ? : -EFAULT;
62311 @@ -1502,12 +1502,6 @@ int __get_user_pages(struct task_struct
62316 - * For mlock, just skip the stack guard page.
62318 - if ((gup_flags & FOLL_MLOCK) && stack_guard_page(vma, start))
62323 unsigned int foll_flags = gup_flags;
62324 @@ -1584,7 +1578,7 @@ next_page:
62325 start += PAGE_SIZE;
62327 } while (nr_pages && start < vma->vm_end);
62328 - } while (nr_pages);
62333 @@ -1733,6 +1727,10 @@ static int insert_page(struct vm_area_st
62334 page_add_file_rmap(page);
62335 set_pte_at(mm, addr, pte, mk_pte(page, prot));
62337 +#ifdef CONFIG_PAX_SEGMEXEC
62338 + pax_mirror_file_pte(vma, addr, page, ptl);
62342 pte_unmap_unlock(pte, ptl);
62344 @@ -1767,10 +1765,22 @@ out:
62345 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
62349 +#ifdef CONFIG_PAX_SEGMEXEC
62350 + struct vm_area_struct *vma_m;
62353 if (addr < vma->vm_start || addr >= vma->vm_end)
62355 if (!page_count(page))
62358 +#ifdef CONFIG_PAX_SEGMEXEC
62359 + vma_m = pax_find_mirror_vma(vma);
62361 + vma_m->vm_flags |= VM_INSERTPAGE;
62364 vma->vm_flags |= VM_INSERTPAGE;
62365 return insert_page(vma, addr, page, vma->vm_page_prot);
62367 @@ -1856,6 +1866,7 @@ int vm_insert_mixed(struct vm_area_struc
62370 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
62371 + BUG_ON(vma->vm_mirror);
62373 if (addr < vma->vm_start || addr >= vma->vm_end)
62375 @@ -2171,6 +2182,186 @@ static inline void cow_user_page(struct
62376 copy_user_highpage(dst, src, va, vma);
62379 +#ifdef CONFIG_PAX_SEGMEXEC
62380 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
62382 + struct mm_struct *mm = vma->vm_mm;
62384 + pte_t *pte, entry;
62386 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
62388 + if (!pte_present(entry)) {
62389 + if (!pte_none(entry)) {
62390 + BUG_ON(pte_file(entry));
62391 + free_swap_and_cache(pte_to_swp_entry(entry));
62392 + pte_clear_not_present_full(mm, address, pte, 0);
62395 + struct page *page;
62397 + flush_cache_page(vma, address, pte_pfn(entry));
62398 + entry = ptep_clear_flush(vma, address, pte);
62399 + BUG_ON(pte_dirty(entry));
62400 + page = vm_normal_page(vma, address, entry);
62402 + update_hiwater_rss(mm);
62403 + if (PageAnon(page))
62404 + dec_mm_counter_fast(mm, MM_ANONPAGES);
62406 + dec_mm_counter_fast(mm, MM_FILEPAGES);
62407 + page_remove_rmap(page);
62408 + page_cache_release(page);
62411 + pte_unmap_unlock(pte, ptl);
62414 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
62416 + * the ptl of the lower mapped page is held on entry and is not released on exit
62417 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
62419 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
62421 + struct mm_struct *mm = vma->vm_mm;
62422 + unsigned long address_m;
62423 + spinlock_t *ptl_m;
62424 + struct vm_area_struct *vma_m;
62426 + pte_t *pte_m, entry_m;
62428 + BUG_ON(!page_m || !PageAnon(page_m));
62430 + vma_m = pax_find_mirror_vma(vma);
62434 + BUG_ON(!PageLocked(page_m));
62435 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
62436 + address_m = address + SEGMEXEC_TASK_SIZE;
62437 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
62438 + pte_m = pte_offset_map(pmd_m, address_m);
62439 + ptl_m = pte_lockptr(mm, pmd_m);
62440 + if (ptl != ptl_m) {
62441 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
62442 + if (!pte_none(*pte_m))
62446 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
62447 + page_cache_get(page_m);
62448 + page_add_anon_rmap(page_m, vma_m, address_m);
62449 + inc_mm_counter_fast(mm, MM_ANONPAGES);
62450 + set_pte_at(mm, address_m, pte_m, entry_m);
62451 + update_mmu_cache(vma_m, address_m, entry_m);
62453 + if (ptl != ptl_m)
62454 + spin_unlock(ptl_m);
62455 + pte_unmap(pte_m);
62456 + unlock_page(page_m);
62459 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
62461 + struct mm_struct *mm = vma->vm_mm;
62462 + unsigned long address_m;
62463 + spinlock_t *ptl_m;
62464 + struct vm_area_struct *vma_m;
62466 + pte_t *pte_m, entry_m;
62468 + BUG_ON(!page_m || PageAnon(page_m));
62470 + vma_m = pax_find_mirror_vma(vma);
62474 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
62475 + address_m = address + SEGMEXEC_TASK_SIZE;
62476 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
62477 + pte_m = pte_offset_map(pmd_m, address_m);
62478 + ptl_m = pte_lockptr(mm, pmd_m);
62479 + if (ptl != ptl_m) {
62480 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
62481 + if (!pte_none(*pte_m))
62485 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
62486 + page_cache_get(page_m);
62487 + page_add_file_rmap(page_m);
62488 + inc_mm_counter_fast(mm, MM_FILEPAGES);
62489 + set_pte_at(mm, address_m, pte_m, entry_m);
62490 + update_mmu_cache(vma_m, address_m, entry_m);
62492 + if (ptl != ptl_m)
62493 + spin_unlock(ptl_m);
62494 + pte_unmap(pte_m);
62497 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
62499 + struct mm_struct *mm = vma->vm_mm;
62500 + unsigned long address_m;
62501 + spinlock_t *ptl_m;
62502 + struct vm_area_struct *vma_m;
62504 + pte_t *pte_m, entry_m;
62506 + vma_m = pax_find_mirror_vma(vma);
62510 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
62511 + address_m = address + SEGMEXEC_TASK_SIZE;
62512 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
62513 + pte_m = pte_offset_map(pmd_m, address_m);
62514 + ptl_m = pte_lockptr(mm, pmd_m);
62515 + if (ptl != ptl_m) {
62516 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
62517 + if (!pte_none(*pte_m))
62521 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
62522 + set_pte_at(mm, address_m, pte_m, entry_m);
62524 + if (ptl != ptl_m)
62525 + spin_unlock(ptl_m);
62526 + pte_unmap(pte_m);
62529 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
62531 + struct page *page_m;
62534 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
62538 + page_m = vm_normal_page(vma, address, entry);
62540 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
62541 + else if (PageAnon(page_m)) {
62542 + if (pax_find_mirror_vma(vma)) {
62543 + pte_unmap_unlock(pte, ptl);
62544 + lock_page(page_m);
62545 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
62546 + if (pte_same(entry, *pte))
62547 + pax_mirror_anon_pte(vma, address, page_m, ptl);
62549 + unlock_page(page_m);
62552 + pax_mirror_file_pte(vma, address, page_m, ptl);
62555 + pte_unmap_unlock(pte, ptl);
62560 * This routine handles present pages, when users try to write
62561 * to a shared page. It is done by copying the page to a new address
62562 @@ -2382,6 +2573,12 @@ gotten:
62564 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
62565 if (likely(pte_same(*page_table, orig_pte))) {
62567 +#ifdef CONFIG_PAX_SEGMEXEC
62568 + if (pax_find_mirror_vma(vma))
62569 + BUG_ON(!trylock_page(new_page));
62573 if (!PageAnon(old_page)) {
62574 dec_mm_counter_fast(mm, MM_FILEPAGES);
62575 @@ -2433,6 +2630,10 @@ gotten:
62576 page_remove_rmap(old_page);
62579 +#ifdef CONFIG_PAX_SEGMEXEC
62580 + pax_mirror_anon_pte(vma, address, new_page, ptl);
62583 /* Free the old page.. */
62584 new_page = old_page;
62585 ret |= VM_FAULT_WRITE;
62586 @@ -2843,6 +3044,11 @@ static int do_swap_page(struct mm_struct
62588 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
62589 try_to_free_swap(page);
62591 +#ifdef CONFIG_PAX_SEGMEXEC
62592 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
62598 @@ -2866,6 +3072,11 @@ static int do_swap_page(struct mm_struct
62600 /* No need to invalidate - it was non-present before */
62601 update_mmu_cache(vma, address, page_table);
62603 +#ifdef CONFIG_PAX_SEGMEXEC
62604 + pax_mirror_anon_pte(vma, address, page, ptl);
62608 pte_unmap_unlock(page_table, ptl);
62610 @@ -2885,40 +3096,6 @@ out_release:
62614 - * This is like a special single-page "expand_{down|up}wards()",
62615 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
62616 - * doesn't hit another vma.
62618 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
62620 - address &= PAGE_MASK;
62621 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
62622 - struct vm_area_struct *prev = vma->vm_prev;
62625 - * Is there a mapping abutting this one below?
62627 - * That's only ok if it's the same stack mapping
62628 - * that has gotten split..
62630 - if (prev && prev->vm_end == address)
62631 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
62633 - expand_stack(vma, address - PAGE_SIZE);
62635 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
62636 - struct vm_area_struct *next = vma->vm_next;
62638 - /* As VM_GROWSDOWN but s/below/above/ */
62639 - if (next && next->vm_start == address + PAGE_SIZE)
62640 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
62642 - expand_upwards(vma, address + PAGE_SIZE);
62648 * We enter with non-exclusive mmap_sem (to exclude vma changes,
62649 * but allow concurrent faults), and pte mapped but not yet locked.
62650 * We return with mmap_sem still held, but pte unmapped and unlocked.
62651 @@ -2927,27 +3104,23 @@ static int do_anonymous_page(struct mm_s
62652 unsigned long address, pte_t *page_table, pmd_t *pmd,
62653 unsigned int flags)
62655 - struct page *page;
62656 + struct page *page = NULL;
62660 - pte_unmap(page_table);
62662 - /* Check if we need to add a guard page to the stack */
62663 - if (check_stack_guard_page(vma, address) < 0)
62664 - return VM_FAULT_SIGBUS;
62666 - /* Use the zero-page for reads */
62667 if (!(flags & FAULT_FLAG_WRITE)) {
62668 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
62669 vma->vm_page_prot));
62670 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
62671 + ptl = pte_lockptr(mm, pmd);
62673 if (!pte_none(*page_table))
62678 /* Allocate our own private page. */
62679 + pte_unmap(page_table);
62681 if (unlikely(anon_vma_prepare(vma)))
62683 page = alloc_zeroed_user_highpage_movable(vma, address);
62684 @@ -2966,6 +3139,11 @@ static int do_anonymous_page(struct mm_s
62685 if (!pte_none(*page_table))
62688 +#ifdef CONFIG_PAX_SEGMEXEC
62689 + if (pax_find_mirror_vma(vma))
62690 + BUG_ON(!trylock_page(page));
62693 inc_mm_counter_fast(mm, MM_ANONPAGES);
62694 page_add_new_anon_rmap(page, vma, address);
62696 @@ -2973,6 +3151,12 @@ setpte:
62698 /* No need to invalidate - it was non-present before */
62699 update_mmu_cache(vma, address, page_table);
62701 +#ifdef CONFIG_PAX_SEGMEXEC
62703 + pax_mirror_anon_pte(vma, address, page, ptl);
62707 pte_unmap_unlock(page_table, ptl);
62709 @@ -3110,6 +3294,12 @@ static int __do_fault(struct mm_struct *
62711 /* Only go through if we didn't race with anybody else... */
62712 if (likely(pte_same(*page_table, orig_pte))) {
62714 +#ifdef CONFIG_PAX_SEGMEXEC
62715 + if (anon && pax_find_mirror_vma(vma))
62716 + BUG_ON(!trylock_page(page));
62719 flush_icache_page(vma, page);
62720 entry = mk_pte(page, vma->vm_page_prot);
62721 if (flags & FAULT_FLAG_WRITE)
62722 @@ -3129,6 +3319,14 @@ static int __do_fault(struct mm_struct *
62724 /* no need to invalidate: a not-present page won't be cached */
62725 update_mmu_cache(vma, address, page_table);
62727 +#ifdef CONFIG_PAX_SEGMEXEC
62729 + pax_mirror_anon_pte(vma, address, page, ptl);
62731 + pax_mirror_file_pte(vma, address, page, ptl);
62736 mem_cgroup_uncharge_page(page);
62737 @@ -3276,6 +3474,12 @@ int handle_pte_fault(struct mm_struct *m
62738 if (flags & FAULT_FLAG_WRITE)
62739 flush_tlb_fix_spurious_fault(vma, address);
62742 +#ifdef CONFIG_PAX_SEGMEXEC
62743 + pax_mirror_pte(vma, address, pte, pmd, ptl);
62748 pte_unmap_unlock(pte, ptl);
62750 @@ -3292,6 +3496,10 @@ int handle_mm_fault(struct mm_struct *mm
62754 +#ifdef CONFIG_PAX_SEGMEXEC
62755 + struct vm_area_struct *vma_m;
62758 __set_current_state(TASK_RUNNING);
62760 count_vm_event(PGFAULT);
62761 @@ -3302,6 +3510,34 @@ int handle_mm_fault(struct mm_struct *mm
62762 if (unlikely(is_vm_hugetlb_page(vma)))
62763 return hugetlb_fault(mm, vma, address, flags);
62765 +#ifdef CONFIG_PAX_SEGMEXEC
62766 + vma_m = pax_find_mirror_vma(vma);
62768 + unsigned long address_m;
62773 + if (vma->vm_start > vma_m->vm_start) {
62774 + address_m = address;
62775 + address -= SEGMEXEC_TASK_SIZE;
62778 + address_m = address + SEGMEXEC_TASK_SIZE;
62780 + pgd_m = pgd_offset(mm, address_m);
62781 + pud_m = pud_alloc(mm, pgd_m, address_m);
62783 + return VM_FAULT_OOM;
62784 + pmd_m = pmd_alloc(mm, pud_m, address_m);
62786 + return VM_FAULT_OOM;
62787 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, vma_m, pmd_m, address_m))
62788 + return VM_FAULT_OOM;
62789 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
62793 pgd = pgd_offset(mm, address);
62794 pud = pud_alloc(mm, pgd, address);
62796 @@ -3331,7 +3567,7 @@ int handle_mm_fault(struct mm_struct *mm
62797 * run pte_offset_map on the pmd, if an huge pmd could
62798 * materialize from under us from a different thread.
62800 - if (unlikely(pmd_none(*pmd)) && __pte_alloc(mm, vma, pmd, address))
62801 + if (unlikely(pmd_none(*pmd) && __pte_alloc(mm, vma, pmd, address)))
62802 return VM_FAULT_OOM;
62803 /* if an huge pmd materialized from under us just retry later */
62804 if (unlikely(pmd_trans_huge(*pmd)))
62805 @@ -3435,7 +3671,7 @@ static int __init gate_vma_init(void)
62806 gate_vma.vm_start = FIXADDR_USER_START;
62807 gate_vma.vm_end = FIXADDR_USER_END;
62808 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
62809 - gate_vma.vm_page_prot = __P101;
62810 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
62812 * Make sure the vDSO gets into every core dump.
62813 * Dumping its contents makes post-mortem fully interpretable later
62814 diff -urNp linux-2.6.38.6/mm/memory-failure.c linux-2.6.38.6/mm/memory-failure.c
62815 --- linux-2.6.38.6/mm/memory-failure.c 2011-03-14 21:20:32.000000000 -0400
62816 +++ linux-2.6.38.6/mm/memory-failure.c 2011-04-28 19:34:15.000000000 -0400
62817 @@ -58,7 +58,7 @@ int sysctl_memory_failure_early_kill __r
62819 int sysctl_memory_failure_recovery __read_mostly = 1;
62821 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
62822 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
62824 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
62826 @@ -1012,7 +1012,7 @@ int __memory_failure(unsigned long pfn,
62829 nr_pages = 1 << compound_trans_order(hpage);
62830 - atomic_long_add(nr_pages, &mce_bad_pages);
62831 + atomic_long_add_unchecked(nr_pages, &mce_bad_pages);
62834 * We need/can do nothing about count=0 pages.
62835 @@ -1042,7 +1042,7 @@ int __memory_failure(unsigned long pfn,
62836 if (!PageHWPoison(hpage)
62837 || (hwpoison_filter(p) && TestClearPageHWPoison(p))
62838 || (p != hpage && TestSetPageHWPoison(hpage))) {
62839 - atomic_long_sub(nr_pages, &mce_bad_pages);
62840 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
62843 set_page_hwpoison_huge_page(hpage);
62844 @@ -1100,7 +1100,7 @@ int __memory_failure(unsigned long pfn,
62846 if (hwpoison_filter(p)) {
62847 if (TestClearPageHWPoison(p))
62848 - atomic_long_sub(nr_pages, &mce_bad_pages);
62849 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
62850 unlock_page(hpage);
62853 @@ -1226,7 +1226,7 @@ int unpoison_memory(unsigned long pfn)
62856 if (TestClearPageHWPoison(p))
62857 - atomic_long_sub(nr_pages, &mce_bad_pages);
62858 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
62859 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
62862 @@ -1240,7 +1240,7 @@ int unpoison_memory(unsigned long pfn)
62864 if (TestClearPageHWPoison(page)) {
62865 pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
62866 - atomic_long_sub(nr_pages, &mce_bad_pages);
62867 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
62869 if (PageHuge(page))
62870 clear_page_hwpoison_huge_page(page);
62871 @@ -1353,7 +1353,7 @@ static int soft_offline_huge_page(struct
62874 if (!PageHWPoison(hpage))
62875 - atomic_long_add(1 << compound_trans_order(hpage), &mce_bad_pages);
62876 + atomic_long_add_unchecked(1 << compound_trans_order(hpage), &mce_bad_pages);
62877 set_page_hwpoison_huge_page(hpage);
62878 dequeue_hwpoisoned_huge_page(hpage);
62879 /* keep elevated page count for bad page */
62880 @@ -1482,7 +1482,7 @@ int soft_offline_page(struct page *page,
62884 - atomic_long_add(1, &mce_bad_pages);
62885 + atomic_long_add_unchecked(1, &mce_bad_pages);
62886 SetPageHWPoison(page);
62887 /* keep elevated page count for bad page */
62889 diff -urNp linux-2.6.38.6/mm/mempolicy.c linux-2.6.38.6/mm/mempolicy.c
62890 --- linux-2.6.38.6/mm/mempolicy.c 2011-03-14 21:20:32.000000000 -0400
62891 +++ linux-2.6.38.6/mm/mempolicy.c 2011-04-28 19:34:15.000000000 -0400
62892 @@ -643,6 +643,10 @@ static int mbind_range(struct mm_struct
62893 unsigned long vmstart;
62894 unsigned long vmend;
62896 +#ifdef CONFIG_PAX_SEGMEXEC
62897 + struct vm_area_struct *vma_m;
62900 vma = find_vma_prev(mm, start, &prev);
62901 if (!vma || vma->vm_start > start)
62903 @@ -673,6 +677,16 @@ static int mbind_range(struct mm_struct
62904 err = policy_vma(vma, new_pol);
62908 +#ifdef CONFIG_PAX_SEGMEXEC
62909 + vma_m = pax_find_mirror_vma(vma);
62911 + err = policy_vma(vma_m, new_pol);
62920 @@ -1106,6 +1120,17 @@ static long do_mbind(unsigned long start
62925 +#ifdef CONFIG_PAX_SEGMEXEC
62926 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
62927 + if (end > SEGMEXEC_TASK_SIZE)
62932 + if (end > TASK_SIZE)
62938 @@ -1324,6 +1349,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
62942 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
62943 + if (mm != current->mm &&
62944 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
62951 * Check if this process has the right to modify the specified
62952 * process. The right exists if the process has administrative
62953 @@ -1333,8 +1366,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
62955 tcred = __task_cred(task);
62956 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
62957 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
62958 - !capable(CAP_SYS_NICE)) {
62959 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
62963 @@ -2635,7 +2667,7 @@ int show_numa_map(struct seq_file *m, vo
62966 seq_printf(m, " file=");
62967 - seq_path(m, &file->f_path, "\n\t= ");
62968 + seq_path(m, &file->f_path, "\n\t\\= ");
62969 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
62970 seq_printf(m, " heap");
62971 } else if (vma->vm_start <= mm->start_stack &&
62972 diff -urNp linux-2.6.38.6/mm/migrate.c linux-2.6.38.6/mm/migrate.c
62973 --- linux-2.6.38.6/mm/migrate.c 2011-03-14 21:20:32.000000000 -0400
62974 +++ linux-2.6.38.6/mm/migrate.c 2011-05-16 21:47:09.000000000 -0400
62975 @@ -1115,6 +1115,8 @@ static int do_pages_move(struct mm_struc
62976 unsigned long chunk_start;
62979 + pax_track_stack();
62981 task_nodes = cpuset_mems_allowed(task);
62984 @@ -1299,6 +1301,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
62988 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
62989 + if (mm != current->mm &&
62990 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
62997 * Check if this process has the right to modify the specified
62998 * process. The right exists if the process has administrative
62999 @@ -1308,8 +1318,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
63001 tcred = __task_cred(task);
63002 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
63003 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
63004 - !capable(CAP_SYS_NICE)) {
63005 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
63009 diff -urNp linux-2.6.38.6/mm/mlock.c linux-2.6.38.6/mm/mlock.c
63010 --- linux-2.6.38.6/mm/mlock.c 2011-05-10 22:06:29.000000000 -0400
63011 +++ linux-2.6.38.6/mm/mlock.c 2011-05-10 22:09:01.000000000 -0400
63013 #include <linux/pagemap.h>
63014 #include <linux/mempolicy.h>
63015 #include <linux/syscalls.h>
63016 +#include <linux/security.h>
63017 #include <linux/sched.h>
63018 #include <linux/module.h>
63019 #include <linux/rmap.h>
63020 @@ -377,6 +378,9 @@ static int do_mlock(unsigned long start,
63024 + if (end > TASK_SIZE)
63027 vma = find_vma_prev(current->mm, start, &prev);
63028 if (!vma || vma->vm_start > start)
63030 @@ -387,6 +391,11 @@ static int do_mlock(unsigned long start,
63031 for (nstart = start ; ; ) {
63032 unsigned int newflags;
63034 +#ifdef CONFIG_PAX_SEGMEXEC
63035 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
63039 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
63041 newflags = vma->vm_flags | VM_LOCKED;
63042 @@ -492,6 +501,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
63043 lock_limit >>= PAGE_SHIFT;
63045 /* check against resource limits */
63046 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
63047 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
63048 error = do_mlock(start, len, 1);
63049 up_write(¤t->mm->mmap_sem);
63050 @@ -515,17 +525,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
63051 static int do_mlockall(int flags)
63053 struct vm_area_struct * vma, * prev = NULL;
63054 - unsigned int def_flags = 0;
63056 if (flags & MCL_FUTURE)
63057 - def_flags = VM_LOCKED;
63058 - current->mm->def_flags = def_flags;
63059 + current->mm->def_flags |= VM_LOCKED;
63061 + current->mm->def_flags &= ~VM_LOCKED;
63062 if (flags == MCL_FUTURE)
63065 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
63066 - unsigned int newflags;
63067 + unsigned long newflags;
63069 +#ifdef CONFIG_PAX_SEGMEXEC
63070 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
63074 + BUG_ON(vma->vm_end > TASK_SIZE);
63075 newflags = vma->vm_flags | VM_LOCKED;
63076 if (!(flags & MCL_CURRENT))
63077 newflags &= ~VM_LOCKED;
63078 @@ -557,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
63079 lock_limit >>= PAGE_SHIFT;
63082 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
63083 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
63084 capable(CAP_IPC_LOCK))
63085 ret = do_mlockall(flags);
63086 diff -urNp linux-2.6.38.6/mm/mmap.c linux-2.6.38.6/mm/mmap.c
63087 --- linux-2.6.38.6/mm/mmap.c 2011-04-22 19:20:59.000000000 -0400
63088 +++ linux-2.6.38.6/mm/mmap.c 2011-04-28 19:34:15.000000000 -0400
63090 #define arch_rebalance_pgtables(addr, len) (addr)
63093 +static inline void verify_mm_writelocked(struct mm_struct *mm)
63095 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
63096 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
63097 + up_read(&mm->mmap_sem);
63103 static void unmap_region(struct mm_struct *mm,
63104 struct vm_area_struct *vma, struct vm_area_struct *prev,
63105 unsigned long start, unsigned long end);
63106 @@ -71,22 +81,32 @@ static void unmap_region(struct mm_struc
63107 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
63110 -pgprot_t protection_map[16] = {
63111 +pgprot_t protection_map[16] __read_only = {
63112 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
63113 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
63116 pgprot_t vm_get_page_prot(unsigned long vm_flags)
63118 - return __pgprot(pgprot_val(protection_map[vm_flags &
63119 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
63120 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
63121 pgprot_val(arch_vm_get_page_prot(vm_flags)));
63123 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
63124 + if (!(__supported_pte_mask & _PAGE_NX) &&
63125 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
63126 + (vm_flags & (VM_READ | VM_WRITE)))
63127 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
63132 EXPORT_SYMBOL(vm_get_page_prot);
63134 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
63135 int sysctl_overcommit_ratio = 50; /* default is 50% */
63136 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
63137 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
63138 struct percpu_counter vm_committed_as;
63141 @@ -232,6 +252,7 @@ static struct vm_area_struct *remove_vma
63142 struct vm_area_struct *next = vma->vm_next;
63145 + BUG_ON(vma->vm_mirror);
63146 if (vma->vm_ops && vma->vm_ops->close)
63147 vma->vm_ops->close(vma);
63148 if (vma->vm_file) {
63149 @@ -276,6 +297,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
63150 * not page aligned -Ram Gupta
63152 rlim = rlimit(RLIMIT_DATA);
63153 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
63154 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
63155 (mm->end_data - mm->start_data) > rlim)
63157 @@ -719,6 +741,12 @@ static int
63158 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
63159 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
63162 +#ifdef CONFIG_PAX_SEGMEXEC
63163 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
63167 if (is_mergeable_vma(vma, file, vm_flags) &&
63168 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
63169 if (vma->vm_pgoff == vm_pgoff)
63170 @@ -738,6 +766,12 @@ static int
63171 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
63172 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
63175 +#ifdef CONFIG_PAX_SEGMEXEC
63176 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
63180 if (is_mergeable_vma(vma, file, vm_flags) &&
63181 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
63183 @@ -780,13 +814,20 @@ can_vma_merge_after(struct vm_area_struc
63184 struct vm_area_struct *vma_merge(struct mm_struct *mm,
63185 struct vm_area_struct *prev, unsigned long addr,
63186 unsigned long end, unsigned long vm_flags,
63187 - struct anon_vma *anon_vma, struct file *file,
63188 + struct anon_vma *anon_vma, struct file *file,
63189 pgoff_t pgoff, struct mempolicy *policy)
63191 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
63192 struct vm_area_struct *area, *next;
63195 +#ifdef CONFIG_PAX_SEGMEXEC
63196 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
63197 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
63199 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
63203 * We later require that vma->vm_flags == vm_flags,
63204 * so this tests vma->vm_flags & VM_SPECIAL, too.
63205 @@ -802,6 +843,15 @@ struct vm_area_struct *vma_merge(struct
63206 if (next && next->vm_end == end) /* cases 6, 7, 8 */
63207 next = next->vm_next;
63209 +#ifdef CONFIG_PAX_SEGMEXEC
63211 + prev_m = pax_find_mirror_vma(prev);
63213 + area_m = pax_find_mirror_vma(area);
63215 + next_m = pax_find_mirror_vma(next);
63219 * Can it merge with the predecessor?
63221 @@ -821,9 +871,24 @@ struct vm_area_struct *vma_merge(struct
63223 err = vma_adjust(prev, prev->vm_start,
63224 next->vm_end, prev->vm_pgoff, NULL);
63225 - } else /* cases 2, 5, 7 */
63227 +#ifdef CONFIG_PAX_SEGMEXEC
63228 + if (!err && prev_m)
63229 + err = vma_adjust(prev_m, prev_m->vm_start,
63230 + next_m->vm_end, prev_m->vm_pgoff, NULL);
63233 + } else { /* cases 2, 5, 7 */
63234 err = vma_adjust(prev, prev->vm_start,
63235 end, prev->vm_pgoff, NULL);
63237 +#ifdef CONFIG_PAX_SEGMEXEC
63238 + if (!err && prev_m)
63239 + err = vma_adjust(prev_m, prev_m->vm_start,
63240 + end_m, prev_m->vm_pgoff, NULL);
63246 khugepaged_enter_vma_merge(prev);
63247 @@ -837,12 +902,27 @@ struct vm_area_struct *vma_merge(struct
63248 mpol_equal(policy, vma_policy(next)) &&
63249 can_vma_merge_before(next, vm_flags,
63250 anon_vma, file, pgoff+pglen)) {
63251 - if (prev && addr < prev->vm_end) /* case 4 */
63252 + if (prev && addr < prev->vm_end) { /* case 4 */
63253 err = vma_adjust(prev, prev->vm_start,
63254 addr, prev->vm_pgoff, NULL);
63255 - else /* cases 3, 8 */
63257 +#ifdef CONFIG_PAX_SEGMEXEC
63258 + if (!err && prev_m)
63259 + err = vma_adjust(prev_m, prev_m->vm_start,
63260 + addr_m, prev_m->vm_pgoff, NULL);
63263 + } else { /* cases 3, 8 */
63264 err = vma_adjust(area, addr, next->vm_end,
63265 next->vm_pgoff - pglen, NULL);
63267 +#ifdef CONFIG_PAX_SEGMEXEC
63268 + if (!err && area_m)
63269 + err = vma_adjust(area_m, addr_m, next_m->vm_end,
63270 + next_m->vm_pgoff - pglen, NULL);
63276 khugepaged_enter_vma_merge(area);
63277 @@ -958,14 +1038,11 @@ none:
63278 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
63279 struct file *file, long pages)
63281 - const unsigned long stack_flags
63282 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
63285 mm->shared_vm += pages;
63286 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
63287 mm->exec_vm += pages;
63288 - } else if (flags & stack_flags)
63289 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
63290 mm->stack_vm += pages;
63291 if (flags & (VM_RESERVED|VM_IO))
63292 mm->reserved_vm += pages;
63293 @@ -992,7 +1069,7 @@ unsigned long do_mmap_pgoff(struct file
63294 * (the exception is when the underlying filesystem is noexec
63295 * mounted, in which case we dont add PROT_EXEC.)
63297 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
63298 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
63299 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
63302 @@ -1018,7 +1095,7 @@ unsigned long do_mmap_pgoff(struct file
63303 /* Obtain the address to map to. we verify (or select) it and ensure
63304 * that it represents a valid section of the address space.
63306 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
63307 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
63308 if (addr & ~PAGE_MASK)
63311 @@ -1029,6 +1106,36 @@ unsigned long do_mmap_pgoff(struct file
63312 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
63313 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
63315 +#ifdef CONFIG_PAX_MPROTECT
63316 + if (mm->pax_flags & MF_PAX_MPROTECT) {
63317 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
63318 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
63319 + gr_log_rwxmmap(file);
63321 +#ifdef CONFIG_PAX_EMUPLT
63322 + vm_flags &= ~VM_EXEC;
63329 + if (!(vm_flags & VM_EXEC))
63330 + vm_flags &= ~VM_MAYEXEC;
63332 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
63333 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
63336 + vm_flags &= ~VM_MAYWRITE;
63340 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
63341 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
63342 + vm_flags &= ~VM_PAGEEXEC;
63345 if (flags & MAP_LOCKED)
63346 if (!can_do_mlock())
63348 @@ -1040,6 +1147,7 @@ unsigned long do_mmap_pgoff(struct file
63349 locked += mm->locked_vm;
63350 lock_limit = rlimit(RLIMIT_MEMLOCK);
63351 lock_limit >>= PAGE_SHIFT;
63352 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
63353 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
63356 @@ -1110,6 +1218,9 @@ unsigned long do_mmap_pgoff(struct file
63360 + if (!gr_acl_handle_mmap(file, prot))
63363 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
63365 EXPORT_SYMBOL(do_mmap_pgoff);
63366 @@ -1187,10 +1298,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
63368 int vma_wants_writenotify(struct vm_area_struct *vma)
63370 - unsigned int vm_flags = vma->vm_flags;
63371 + unsigned long vm_flags = vma->vm_flags;
63373 /* If it was private or non-writable, the write bit is already clear */
63374 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
63375 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
63378 /* The backer wishes to know when pages are first written to? */
63379 @@ -1239,14 +1350,24 @@ unsigned long mmap_region(struct file *f
63380 unsigned long charged = 0;
63381 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
63383 +#ifdef CONFIG_PAX_SEGMEXEC
63384 + struct vm_area_struct *vma_m = NULL;
63388 + * mm->mmap_sem is required to protect against another thread
63389 + * changing the mappings in case we sleep.
63391 + verify_mm_writelocked(mm);
63393 /* Clear old maps */
63396 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
63397 if (vma && vma->vm_start < addr + len) {
63398 if (do_munmap(mm, addr, len))
63400 - goto munmap_back;
63401 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
63402 + BUG_ON(vma && vma->vm_start < addr + len);
63405 /* Check against address space limit. */
63406 @@ -1295,6 +1416,16 @@ munmap_back:
63410 +#ifdef CONFIG_PAX_SEGMEXEC
63411 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
63412 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
63421 vma->vm_start = addr;
63422 vma->vm_end = addr + len;
63423 @@ -1318,6 +1449,19 @@ munmap_back:
63424 error = file->f_op->mmap(file, vma);
63426 goto unmap_and_free_vma;
63428 +#ifdef CONFIG_PAX_SEGMEXEC
63429 + if (vma_m && (vm_flags & VM_EXECUTABLE))
63430 + added_exe_file_vma(mm);
63433 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
63434 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
63435 + vma->vm_flags |= VM_PAGEEXEC;
63436 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
63440 if (vm_flags & VM_EXECUTABLE)
63441 added_exe_file_vma(mm);
63443 @@ -1353,6 +1497,11 @@ munmap_back:
63444 vma_link(mm, vma, prev, rb_link, rb_parent);
63445 file = vma->vm_file;
63447 +#ifdef CONFIG_PAX_SEGMEXEC
63449 + BUG_ON(pax_mirror_vma(vma_m, vma));
63452 /* Once vma denies write, undo our temporary denial count */
63453 if (correct_wcount)
63454 atomic_inc(&inode->i_writecount);
63455 @@ -1361,6 +1510,7 @@ out:
63457 mm->total_vm += len >> PAGE_SHIFT;
63458 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
63459 + track_exec_limit(mm, addr, addr + len, vm_flags);
63460 if (vm_flags & VM_LOCKED) {
63461 if (!mlock_vma_pages_range(vma, addr, addr + len))
63462 mm->locked_vm += (len >> PAGE_SHIFT);
63463 @@ -1378,6 +1528,12 @@ unmap_and_free_vma:
63464 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
63468 +#ifdef CONFIG_PAX_SEGMEXEC
63470 + kmem_cache_free(vm_area_cachep, vma_m);
63473 kmem_cache_free(vm_area_cachep, vma);
63476 @@ -1385,6 +1541,44 @@ unacct_error:
63480 +bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
63483 +#ifdef CONFIG_STACK_GROWSUP
63484 + if (addr > sysctl_heap_stack_gap)
63485 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
63487 + vma = find_vma(current->mm, 0);
63488 + if (vma && (vma->vm_flags & VM_GROWSUP))
63494 + if (addr + len > vma->vm_start)
63497 + if (vma->vm_flags & VM_GROWSDOWN)
63498 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
63499 +#ifdef CONFIG_STACK_GROWSUP
63500 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
63501 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
63507 +unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
63509 + if (vma->vm_start < len)
63511 + if (!(vma->vm_flags & VM_GROWSDOWN))
63512 + return vma->vm_start - len;
63513 + if (sysctl_heap_stack_gap <= vma->vm_start - len)
63514 + return vma->vm_start - len - sysctl_heap_stack_gap;
63518 /* Get an address range which is currently unmapped.
63519 * For shmat() with addr=0.
63521 @@ -1411,18 +1605,23 @@ arch_get_unmapped_area(struct file *filp
63522 if (flags & MAP_FIXED)
63525 +#ifdef CONFIG_PAX_RANDMMAP
63526 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
63530 addr = PAGE_ALIGN(addr);
63531 - vma = find_vma(mm, addr);
63532 - if (TASK_SIZE - len >= addr &&
63533 - (!vma || addr + len <= vma->vm_start))
63535 + if (TASK_SIZE - len >= addr) {
63536 + vma = find_vma(mm, addr);
63537 + if (check_heap_stack_gap(vma, addr, len))
63541 if (len > mm->cached_hole_size) {
63542 - start_addr = addr = mm->free_area_cache;
63543 + start_addr = addr = mm->free_area_cache;
63545 - start_addr = addr = TASK_UNMAPPED_BASE;
63546 - mm->cached_hole_size = 0;
63547 + start_addr = addr = mm->mmap_base;
63548 + mm->cached_hole_size = 0;
63552 @@ -1433,34 +1632,40 @@ full_search:
63553 * Start a new search - just in case we missed
63556 - if (start_addr != TASK_UNMAPPED_BASE) {
63557 - addr = TASK_UNMAPPED_BASE;
63558 - start_addr = addr;
63559 + if (start_addr != mm->mmap_base) {
63560 + start_addr = addr = mm->mmap_base;
63561 mm->cached_hole_size = 0;
63566 - if (!vma || addr + len <= vma->vm_start) {
63568 - * Remember the place where we stopped the search:
63570 - mm->free_area_cache = addr + len;
63573 + if (check_heap_stack_gap(vma, addr, len))
63575 if (addr + mm->cached_hole_size < vma->vm_start)
63576 mm->cached_hole_size = vma->vm_start - addr;
63577 addr = vma->vm_end;
63581 + * Remember the place where we stopped the search:
63583 + mm->free_area_cache = addr + len;
63588 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
63591 +#ifdef CONFIG_PAX_SEGMEXEC
63592 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
63597 * Is this a new hole at the lowest possible address?
63599 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
63600 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
63601 mm->free_area_cache = addr;
63602 mm->cached_hole_size = ~0UL;
63604 @@ -1478,7 +1683,7 @@ arch_get_unmapped_area_topdown(struct fi
63606 struct vm_area_struct *vma;
63607 struct mm_struct *mm = current->mm;
63608 - unsigned long addr = addr0;
63609 + unsigned long base = mm->mmap_base, addr = addr0;
63611 /* requested length too big for entire address space */
63612 if (len > TASK_SIZE)
63613 @@ -1487,13 +1692,18 @@ arch_get_unmapped_area_topdown(struct fi
63614 if (flags & MAP_FIXED)
63617 +#ifdef CONFIG_PAX_RANDMMAP
63618 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
63621 /* requesting a specific address */
63623 addr = PAGE_ALIGN(addr);
63624 - vma = find_vma(mm, addr);
63625 - if (TASK_SIZE - len >= addr &&
63626 - (!vma || addr + len <= vma->vm_start))
63628 + if (TASK_SIZE - len >= addr) {
63629 + vma = find_vma(mm, addr);
63630 + if (check_heap_stack_gap(vma, addr, len))
63635 /* check if free_area_cache is useful for us */
63636 @@ -1508,7 +1718,7 @@ arch_get_unmapped_area_topdown(struct fi
63637 /* make sure it can fit in the remaining address space */
63639 vma = find_vma(mm, addr-len);
63640 - if (!vma || addr <= vma->vm_start)
63641 + if (check_heap_stack_gap(vma, addr - len, len))
63642 /* remember the address as a hint for next time */
63643 return (mm->free_area_cache = addr-len);
63645 @@ -1525,7 +1735,7 @@ arch_get_unmapped_area_topdown(struct fi
63646 * return with success:
63648 vma = find_vma(mm, addr);
63649 - if (!vma || addr+len <= vma->vm_start)
63650 + if (check_heap_stack_gap(vma, addr, len))
63651 /* remember the address as a hint for next time */
63652 return (mm->free_area_cache = addr);
63654 @@ -1534,8 +1744,8 @@ arch_get_unmapped_area_topdown(struct fi
63655 mm->cached_hole_size = vma->vm_start - addr;
63657 /* try just below the current vma->vm_start */
63658 - addr = vma->vm_start-len;
63659 - } while (len < vma->vm_start);
63660 + addr = skip_heap_stack_gap(vma, len);
63661 + } while (!IS_ERR_VALUE(addr));
63665 @@ -1544,13 +1754,21 @@ bottomup:
63666 * can happen with large stack limits and large mmap()
63669 + mm->mmap_base = TASK_UNMAPPED_BASE;
63671 +#ifdef CONFIG_PAX_RANDMMAP
63672 + if (mm->pax_flags & MF_PAX_RANDMMAP)
63673 + mm->mmap_base += mm->delta_mmap;
63676 + mm->free_area_cache = mm->mmap_base;
63677 mm->cached_hole_size = ~0UL;
63678 - mm->free_area_cache = TASK_UNMAPPED_BASE;
63679 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
63681 * Restore the topdown base:
63683 - mm->free_area_cache = mm->mmap_base;
63684 + mm->mmap_base = base;
63685 + mm->free_area_cache = base;
63686 mm->cached_hole_size = ~0UL;
63689 @@ -1559,6 +1777,12 @@ bottomup:
63691 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
63694 +#ifdef CONFIG_PAX_SEGMEXEC
63695 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
63700 * Is this a new hole at the highest possible address?
63702 @@ -1566,8 +1790,10 @@ void arch_unmap_area_topdown(struct mm_s
63703 mm->free_area_cache = addr;
63705 /* dont allow allocations above current base */
63706 - if (mm->free_area_cache > mm->mmap_base)
63707 + if (mm->free_area_cache > mm->mmap_base) {
63708 mm->free_area_cache = mm->mmap_base;
63709 + mm->cached_hole_size = ~0UL;
63714 @@ -1675,6 +1901,28 @@ out:
63715 return prev ? prev->vm_next : vma;
63718 +#ifdef CONFIG_PAX_SEGMEXEC
63719 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
63721 + struct vm_area_struct *vma_m;
63723 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
63724 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
63725 + BUG_ON(vma->vm_mirror);
63728 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
63729 + vma_m = vma->vm_mirror;
63730 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
63731 + BUG_ON(vma->vm_file != vma_m->vm_file);
63732 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
63733 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
63734 + BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
63735 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
63741 * Verify that the stack growth is acceptable and
63742 * update accounting. This is shared with both the
63743 @@ -1691,6 +1939,7 @@ static int acct_stack_growth(struct vm_a
63746 /* Stack limit test */
63747 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
63748 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
63751 @@ -1701,6 +1950,7 @@ static int acct_stack_growth(struct vm_a
63752 locked = mm->locked_vm + grow;
63753 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
63754 limit >>= PAGE_SHIFT;
63755 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
63756 if (locked > limit && !capable(CAP_IPC_LOCK))
63759 @@ -1731,37 +1981,48 @@ static int acct_stack_growth(struct vm_a
63760 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
63761 * vma is the last one with address > vma->vm_end. Have to extend vma.
63763 +#ifndef CONFIG_IA64
63766 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
63771 if (!(vma->vm_flags & VM_GROWSUP))
63774 + /* Also guard against wrapping around to address 0. */
63775 + if (address < PAGE_ALIGN(address+1))
63776 + address = PAGE_ALIGN(address+1);
63781 * We must make sure the anon_vma is allocated
63782 * so that the anon_vma locking is not a noop.
63784 if (unlikely(anon_vma_prepare(vma)))
63786 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
63787 + if (locknext && anon_vma_prepare(vma->vm_next))
63789 vma_lock_anon_vma(vma);
63791 + vma_lock_anon_vma(vma->vm_next);
63794 * vma->vm_start/vm_end cannot change under us because the caller
63795 * is required to hold the mmap_sem in read mode. We need the
63796 - * anon_vma lock to serialize against concurrent expand_stacks.
63797 - * Also guard against wrapping around to address 0.
63798 + * anon_vma locks to serialize against concurrent expand_stacks
63799 + * and expand_upwards.
63801 - if (address < PAGE_ALIGN(address+4))
63802 - address = PAGE_ALIGN(address+4);
63804 - vma_unlock_anon_vma(vma);
63809 /* Somebody else might have raced and expanded it already */
63810 - if (address > vma->vm_end) {
63811 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
63813 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
63814 unsigned long size, grow;
63816 size = address - vma->vm_start;
63817 @@ -1773,6 +2034,8 @@ int expand_upwards(struct vm_area_struct
63818 perf_event_mmap(vma);
63822 + vma_unlock_anon_vma(vma->vm_next);
63823 vma_unlock_anon_vma(vma);
63824 khugepaged_enter_vma_merge(vma);
63826 @@ -1786,6 +2049,8 @@ static int expand_downwards(struct vm_ar
63827 unsigned long address)
63830 + bool lockprev = false;
63831 + struct vm_area_struct *prev;
63834 * We must make sure the anon_vma is allocated
63835 @@ -1799,6 +2064,15 @@ static int expand_downwards(struct vm_ar
63839 + prev = vma->vm_prev;
63840 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
63841 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
63843 + if (lockprev && anon_vma_prepare(prev))
63846 + vma_lock_anon_vma(prev);
63848 vma_lock_anon_vma(vma);
63851 @@ -1808,9 +2082,17 @@ static int expand_downwards(struct vm_ar
63854 /* Somebody else might have raced and expanded it already */
63855 - if (address < vma->vm_start) {
63856 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
63858 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
63859 unsigned long size, grow;
63861 +#ifdef CONFIG_PAX_SEGMEXEC
63862 + struct vm_area_struct *vma_m;
63864 + vma_m = pax_find_mirror_vma(vma);
63867 size = vma->vm_end - address;
63868 grow = (vma->vm_start - address) >> PAGE_SHIFT;
63870 @@ -1820,11 +2102,22 @@ static int expand_downwards(struct vm_ar
63872 vma->vm_start = address;
63873 vma->vm_pgoff -= grow;
63874 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
63876 +#ifdef CONFIG_PAX_SEGMEXEC
63878 + vma_m->vm_start -= grow << PAGE_SHIFT;
63879 + vma_m->vm_pgoff -= grow;
63883 perf_event_mmap(vma);
63887 vma_unlock_anon_vma(vma);
63889 + vma_unlock_anon_vma(prev);
63890 khugepaged_enter_vma_merge(vma);
63893 @@ -1899,6 +2192,13 @@ static void remove_vma_list(struct mm_st
63895 long nrpages = vma_pages(vma);
63897 +#ifdef CONFIG_PAX_SEGMEXEC
63898 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
63899 + vma = remove_vma(vma);
63904 mm->total_vm -= nrpages;
63905 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
63906 vma = remove_vma(vma);
63907 @@ -1944,6 +2244,16 @@ detach_vmas_to_be_unmapped(struct mm_str
63908 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
63909 vma->vm_prev = NULL;
63912 +#ifdef CONFIG_PAX_SEGMEXEC
63913 + if (vma->vm_mirror) {
63914 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
63915 + vma->vm_mirror->vm_mirror = NULL;
63916 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
63917 + vma->vm_mirror = NULL;
63921 rb_erase(&vma->vm_rb, &mm->mm_rb);
63924 @@ -1972,14 +2282,33 @@ static int __split_vma(struct mm_struct
63925 struct vm_area_struct *new;
63928 +#ifdef CONFIG_PAX_SEGMEXEC
63929 + struct vm_area_struct *vma_m, *new_m = NULL;
63930 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
63933 if (is_vm_hugetlb_page(vma) && (addr &
63934 ~(huge_page_mask(hstate_vma(vma)))))
63937 +#ifdef CONFIG_PAX_SEGMEXEC
63938 + vma_m = pax_find_mirror_vma(vma);
63941 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
63945 +#ifdef CONFIG_PAX_SEGMEXEC
63947 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
63949 + kmem_cache_free(vm_area_cachep, new);
63955 /* most fields are the same, copy all, and then fixup */
63958 @@ -1992,6 +2321,22 @@ static int __split_vma(struct mm_struct
63959 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
63962 +#ifdef CONFIG_PAX_SEGMEXEC
63965 + INIT_LIST_HEAD(&new_m->anon_vma_chain);
63966 + new_m->vm_mirror = new;
63967 + new->vm_mirror = new_m;
63970 + new_m->vm_end = addr_m;
63972 + new_m->vm_start = addr_m;
63973 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
63978 pol = mpol_dup(vma_policy(vma));
63980 err = PTR_ERR(pol);
63981 @@ -2017,6 +2362,42 @@ static int __split_vma(struct mm_struct
63983 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
63985 +#ifdef CONFIG_PAX_SEGMEXEC
63986 + if (!err && vma_m) {
63987 + if (anon_vma_clone(new_m, vma_m))
63988 + goto out_free_mpol;
63991 + vma_set_policy(new_m, pol);
63993 + if (new_m->vm_file) {
63994 + get_file(new_m->vm_file);
63995 + if (vma_m->vm_flags & VM_EXECUTABLE)
63996 + added_exe_file_vma(mm);
63999 + if (new_m->vm_ops && new_m->vm_ops->open)
64000 + new_m->vm_ops->open(new_m);
64003 + err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
64004 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
64006 + err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
64009 + if (new_m->vm_ops && new_m->vm_ops->close)
64010 + new_m->vm_ops->close(new_m);
64011 + if (new_m->vm_file) {
64012 + if (vma_m->vm_flags & VM_EXECUTABLE)
64013 + removed_exe_file_vma(mm);
64014 + fput(new_m->vm_file);
64024 @@ -2029,10 +2410,18 @@ static int __split_vma(struct mm_struct
64025 removed_exe_file_vma(mm);
64026 fput(new->vm_file);
64028 - unlink_anon_vmas(new);
64033 +#ifdef CONFIG_PAX_SEGMEXEC
64035 + unlink_anon_vmas(new_m);
64036 + kmem_cache_free(vm_area_cachep, new_m);
64040 + unlink_anon_vmas(new);
64041 kmem_cache_free(vm_area_cachep, new);
64044 @@ -2045,6 +2434,15 @@ static int __split_vma(struct mm_struct
64045 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
64046 unsigned long addr, int new_below)
64049 +#ifdef CONFIG_PAX_SEGMEXEC
64050 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
64051 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
64052 + if (mm->map_count >= sysctl_max_map_count-1)
64057 if (mm->map_count >= sysctl_max_map_count)
64060 @@ -2056,11 +2454,30 @@ int split_vma(struct mm_struct *mm, stru
64061 * work. This now handles partial unmappings.
64062 * Jeremy Fitzhardinge <jeremy@goop.org>
64064 +#ifdef CONFIG_PAX_SEGMEXEC
64065 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
64067 + int ret = __do_munmap(mm, start, len);
64068 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
64071 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
64074 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
64076 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
64080 struct vm_area_struct *vma, *prev, *last;
64083 + * mm->mmap_sem is required to protect against another thread
64084 + * changing the mappings in case we sleep.
64086 + verify_mm_writelocked(mm);
64088 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
64091 @@ -2134,6 +2551,8 @@ int do_munmap(struct mm_struct *mm, unsi
64092 /* Fix up all other VM information */
64093 remove_vma_list(mm, vma);
64095 + track_exec_limit(mm, start, end, 0UL);
64100 @@ -2146,22 +2565,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
64102 profile_munmap(addr);
64104 +#ifdef CONFIG_PAX_SEGMEXEC
64105 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
64106 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
64110 down_write(&mm->mmap_sem);
64111 ret = do_munmap(mm, addr, len);
64112 up_write(&mm->mmap_sem);
64116 -static inline void verify_mm_writelocked(struct mm_struct *mm)
64118 -#ifdef CONFIG_DEBUG_VM
64119 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
64121 - up_read(&mm->mmap_sem);
64127 * this is really a simplified "do_mmap". it only handles
64128 * anonymous maps. eventually we may be able to do some
64129 @@ -2175,6 +2590,7 @@ unsigned long do_brk(unsigned long addr,
64130 struct rb_node ** rb_link, * rb_parent;
64131 pgoff_t pgoff = addr >> PAGE_SHIFT;
64133 + unsigned long charged;
64135 len = PAGE_ALIGN(len);
64137 @@ -2186,16 +2602,30 @@ unsigned long do_brk(unsigned long addr,
64139 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
64141 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
64142 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
64143 + flags &= ~VM_EXEC;
64145 +#ifdef CONFIG_PAX_MPROTECT
64146 + if (mm->pax_flags & MF_PAX_MPROTECT)
64147 + flags &= ~VM_MAYEXEC;
64153 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
64154 if (error & ~PAGE_MASK)
64157 + charged = len >> PAGE_SHIFT;
64160 * mlock MCL_FUTURE?
64162 if (mm->def_flags & VM_LOCKED) {
64163 unsigned long locked, lock_limit;
64164 - locked = len >> PAGE_SHIFT;
64165 + locked = charged;
64166 locked += mm->locked_vm;
64167 lock_limit = rlimit(RLIMIT_MEMLOCK);
64168 lock_limit >>= PAGE_SHIFT;
64169 @@ -2212,22 +2642,22 @@ unsigned long do_brk(unsigned long addr,
64171 * Clear old maps. this also does some error checking for us
64174 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
64175 if (vma && vma->vm_start < addr + len) {
64176 if (do_munmap(mm, addr, len))
64178 - goto munmap_back;
64179 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
64180 + BUG_ON(vma && vma->vm_start < addr + len);
64183 /* Check against address space limits *after* clearing old maps... */
64184 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
64185 + if (!may_expand_vm(mm, charged))
64188 if (mm->map_count > sysctl_max_map_count)
64191 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
64192 + if (security_vm_enough_memory(charged))
64195 /* Can we just expand an old private anonymous mapping? */
64196 @@ -2241,7 +2671,7 @@ unsigned long do_brk(unsigned long addr,
64198 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
64200 - vm_unacct_memory(len >> PAGE_SHIFT);
64201 + vm_unacct_memory(charged);
64205 @@ -2255,11 +2685,12 @@ unsigned long do_brk(unsigned long addr,
64206 vma_link(mm, vma, prev, rb_link, rb_parent);
64208 perf_event_mmap(vma);
64209 - mm->total_vm += len >> PAGE_SHIFT;
64210 + mm->total_vm += charged;
64211 if (flags & VM_LOCKED) {
64212 if (!mlock_vma_pages_range(vma, addr, addr + len))
64213 - mm->locked_vm += (len >> PAGE_SHIFT);
64214 + mm->locked_vm += charged;
64216 + track_exec_limit(mm, addr, addr + len, flags);
64220 @@ -2306,8 +2737,10 @@ void exit_mmap(struct mm_struct *mm)
64221 * Walk the list again, actually closing and freeing it,
64222 * with preemption enabled, without holding any MM locks.
64226 + vma->vm_mirror = NULL;
64227 vma = remove_vma(vma);
64230 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
64232 @@ -2321,6 +2754,13 @@ int insert_vm_struct(struct mm_struct *
64233 struct vm_area_struct * __vma, * prev;
64234 struct rb_node ** rb_link, * rb_parent;
64236 +#ifdef CONFIG_PAX_SEGMEXEC
64237 + struct vm_area_struct *vma_m = NULL;
64240 + if (security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1))
64244 * The vm_pgoff of a purely anonymous vma should be irrelevant
64245 * until its first write fault, when page's anon_vma and index
64246 @@ -2343,7 +2783,22 @@ int insert_vm_struct(struct mm_struct *
64247 if ((vma->vm_flags & VM_ACCOUNT) &&
64248 security_vm_enough_memory_mm(mm, vma_pages(vma)))
64251 +#ifdef CONFIG_PAX_SEGMEXEC
64252 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
64253 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
64259 vma_link(mm, vma, prev, rb_link, rb_parent);
64261 +#ifdef CONFIG_PAX_SEGMEXEC
64263 + BUG_ON(pax_mirror_vma(vma_m, vma));
64269 @@ -2361,6 +2816,8 @@ struct vm_area_struct *copy_vma(struct v
64270 struct rb_node **rb_link, *rb_parent;
64271 struct mempolicy *pol;
64273 + BUG_ON(vma->vm_mirror);
64276 * If anonymous vma has not yet been faulted, update new pgoff
64277 * to match new location, to increase its chance of merging.
64278 @@ -2410,6 +2867,39 @@ struct vm_area_struct *copy_vma(struct v
64279 kmem_cache_free(vm_area_cachep, new_vma);
64283 +#ifdef CONFIG_PAX_SEGMEXEC
64284 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
64286 + struct vm_area_struct *prev_m;
64287 + struct rb_node **rb_link_m, *rb_parent_m;
64288 + struct mempolicy *pol_m;
64290 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
64291 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
64292 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
64294 + INIT_LIST_HEAD(&vma_m->anon_vma_chain);
64295 + if (anon_vma_clone(vma_m, vma))
64297 + pol_m = vma_policy(vma_m);
64299 + vma_set_policy(vma_m, pol_m);
64300 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
64301 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
64302 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
64303 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
64304 + if (vma_m->vm_file)
64305 + get_file(vma_m->vm_file);
64306 + if (vma_m->vm_ops && vma_m->vm_ops->open)
64307 + vma_m->vm_ops->open(vma_m);
64308 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
64309 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
64310 + vma_m->vm_mirror = vma;
64311 + vma->vm_mirror = vma_m;
64317 * Return true if the calling process may expand its vm space by the passed
64318 @@ -2421,7 +2911,7 @@ int may_expand_vm(struct mm_struct *mm,
64321 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
64323 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
64324 if (cur + npages > lim)
64327 @@ -2492,6 +2982,22 @@ int install_special_mapping(struct mm_st
64328 vma->vm_start = addr;
64329 vma->vm_end = addr + len;
64331 +#ifdef CONFIG_PAX_MPROTECT
64332 + if (mm->pax_flags & MF_PAX_MPROTECT) {
64333 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
64334 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
64336 + if (!(vm_flags & VM_EXEC))
64337 + vm_flags &= ~VM_MAYEXEC;
64339 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
64340 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
64343 + vm_flags &= ~VM_MAYWRITE;
64347 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
64348 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
64350 diff -urNp linux-2.6.38.6/mm/mprotect.c linux-2.6.38.6/mm/mprotect.c
64351 --- linux-2.6.38.6/mm/mprotect.c 2011-03-14 21:20:32.000000000 -0400
64352 +++ linux-2.6.38.6/mm/mprotect.c 2011-04-28 19:34:15.000000000 -0400
64353 @@ -23,10 +23,16 @@
64354 #include <linux/mmu_notifier.h>
64355 #include <linux/migrate.h>
64356 #include <linux/perf_event.h>
64358 +#ifdef CONFIG_PAX_MPROTECT
64359 +#include <linux/elf.h>
64362 #include <asm/uaccess.h>
64363 #include <asm/pgtable.h>
64364 #include <asm/cacheflush.h>
64365 #include <asm/tlbflush.h>
64366 +#include <asm/mmu_context.h>
64368 #ifndef pgprot_modify
64369 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
64370 @@ -141,6 +147,48 @@ static void change_protection(struct vm_
64371 flush_tlb_range(vma, start, end);
64374 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
64375 +/* called while holding the mmap semaphor for writing except stack expansion */
64376 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
64378 + unsigned long oldlimit, newlimit = 0UL;
64380 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
64383 + spin_lock(&mm->page_table_lock);
64384 + oldlimit = mm->context.user_cs_limit;
64385 + if ((prot & VM_EXEC) && oldlimit < end)
64386 + /* USER_CS limit moved up */
64388 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
64389 + /* USER_CS limit moved down */
64390 + newlimit = start;
64393 + mm->context.user_cs_limit = newlimit;
64397 + cpus_clear(mm->context.cpu_user_cs_mask);
64398 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
64401 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
64403 + spin_unlock(&mm->page_table_lock);
64404 + if (newlimit == end) {
64405 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
64407 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
64408 + if (is_vm_hugetlb_page(vma))
64409 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
64411 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
64417 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
64418 unsigned long start, unsigned long end, unsigned long newflags)
64419 @@ -153,11 +201,29 @@ mprotect_fixup(struct vm_area_struct *vm
64421 int dirty_accountable = 0;
64423 +#ifdef CONFIG_PAX_SEGMEXEC
64424 + struct vm_area_struct *vma_m = NULL;
64425 + unsigned long start_m, end_m;
64427 + start_m = start + SEGMEXEC_TASK_SIZE;
64428 + end_m = end + SEGMEXEC_TASK_SIZE;
64431 if (newflags == oldflags) {
64436 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
64437 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
64439 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
64442 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
64447 * If we make a private mapping writable we increase our commit;
64448 * but (without finer accounting) cannot reduce our commit if we
64449 @@ -174,6 +240,42 @@ mprotect_fixup(struct vm_area_struct *vm
64453 +#ifdef CONFIG_PAX_SEGMEXEC
64454 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
64455 + if (start != vma->vm_start) {
64456 + error = split_vma(mm, vma, start, 1);
64459 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
64460 + *pprev = (*pprev)->vm_next;
64463 + if (end != vma->vm_end) {
64464 + error = split_vma(mm, vma, end, 0);
64469 + if (pax_find_mirror_vma(vma)) {
64470 + error = __do_munmap(mm, start_m, end_m - start_m);
64474 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
64479 + vma->vm_flags = newflags;
64480 + error = pax_mirror_vma(vma_m, vma);
64482 + vma->vm_flags = oldflags;
64490 * First try to merge with previous and/or next vma.
64492 @@ -204,9 +306,21 @@ success:
64493 * vm_flags and vm_page_prot are protected by the mmap_sem
64494 * held in write mode.
64497 +#ifdef CONFIG_PAX_SEGMEXEC
64498 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
64499 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
64502 vma->vm_flags = newflags;
64504 +#ifdef CONFIG_PAX_MPROTECT
64505 + if (mm->binfmt && mm->binfmt->handle_mprotect)
64506 + mm->binfmt->handle_mprotect(vma, newflags);
64509 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
64510 - vm_get_page_prot(newflags));
64511 + vm_get_page_prot(vma->vm_flags));
64513 if (vma_wants_writenotify(vma)) {
64514 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
64515 @@ -248,6 +362,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
64520 +#ifdef CONFIG_PAX_SEGMEXEC
64521 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
64522 + if (end > SEGMEXEC_TASK_SIZE)
64527 + if (end > TASK_SIZE)
64530 if (!arch_validate_prot(prot))
64533 @@ -255,7 +380,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
64535 * Does the application expect PROT_READ to imply PROT_EXEC:
64537 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
64538 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
64541 vm_flags = calc_vm_prot_bits(prot);
64542 @@ -287,6 +412,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
64543 if (start > vma->vm_start)
64546 +#ifdef CONFIG_PAX_MPROTECT
64547 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
64548 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
64551 for (nstart = start ; ; ) {
64552 unsigned long newflags;
64554 @@ -296,6 +426,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
64556 /* newflags >> 4 shift VM_MAY% in place of VM_% */
64557 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
64558 + if (prot & (PROT_WRITE | PROT_EXEC))
64559 + gr_log_rwxmprotect(vma->vm_file);
64565 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
64569 @@ -310,6 +448,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
64570 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
64574 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
64578 if (nstart < prev->vm_end)
64579 diff -urNp linux-2.6.38.6/mm/mremap.c linux-2.6.38.6/mm/mremap.c
64580 --- linux-2.6.38.6/mm/mremap.c 2011-04-18 17:27:18.000000000 -0400
64581 +++ linux-2.6.38.6/mm/mremap.c 2011-04-28 19:34:15.000000000 -0400
64582 @@ -114,6 +114,12 @@ static void move_ptes(struct vm_area_str
64584 pte = ptep_clear_flush(vma, old_addr, old_pte);
64585 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
64587 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
64588 + if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
64589 + pte = pte_exprotect(pte);
64592 set_pte_at(mm, new_addr, new_pte, pte);
64595 @@ -273,6 +279,11 @@ static struct vm_area_struct *vma_to_res
64596 if (is_vm_hugetlb_page(vma))
64599 +#ifdef CONFIG_PAX_SEGMEXEC
64600 + if (pax_find_mirror_vma(vma))
64604 /* We can't remap across vm area boundaries */
64605 if (old_len > vma->vm_end - addr)
64607 @@ -329,20 +340,25 @@ static unsigned long mremap_to(unsigned
64608 unsigned long ret = -EINVAL;
64609 unsigned long charged = 0;
64610 unsigned long map_flags;
64611 + unsigned long pax_task_size = TASK_SIZE;
64613 if (new_addr & ~PAGE_MASK)
64616 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
64617 +#ifdef CONFIG_PAX_SEGMEXEC
64618 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
64619 + pax_task_size = SEGMEXEC_TASK_SIZE;
64622 + pax_task_size -= PAGE_SIZE;
64624 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
64627 /* Check if the location we're moving into overlaps the
64628 * old location at all, and fail if it does.
64630 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
64633 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
64634 + if (addr + old_len > new_addr && new_addr + new_len > addr)
64637 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
64638 @@ -414,6 +430,7 @@ unsigned long do_mremap(unsigned long ad
64639 struct vm_area_struct *vma;
64640 unsigned long ret = -EINVAL;
64641 unsigned long charged = 0;
64642 + unsigned long pax_task_size = TASK_SIZE;
64644 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
64646 @@ -432,6 +449,17 @@ unsigned long do_mremap(unsigned long ad
64650 +#ifdef CONFIG_PAX_SEGMEXEC
64651 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
64652 + pax_task_size = SEGMEXEC_TASK_SIZE;
64655 + pax_task_size -= PAGE_SIZE;
64657 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
64658 + old_len > pax_task_size || addr > pax_task_size-old_len)
64661 if (flags & MREMAP_FIXED) {
64662 if (flags & MREMAP_MAYMOVE)
64663 ret = mremap_to(addr, old_len, new_addr, new_len);
64664 @@ -481,6 +509,7 @@ unsigned long do_mremap(unsigned long ad
64668 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
64672 @@ -507,7 +536,13 @@ unsigned long do_mremap(unsigned long ad
64673 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
64677 + map_flags = vma->vm_flags;
64678 ret = move_vma(vma, addr, old_len, new_len, new_addr);
64679 + if (!(ret & ~PAGE_MASK)) {
64680 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
64681 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
64685 if (ret & ~PAGE_MASK)
64686 diff -urNp linux-2.6.38.6/mm/nommu.c linux-2.6.38.6/mm/nommu.c
64687 --- linux-2.6.38.6/mm/nommu.c 2011-03-14 21:20:32.000000000 -0400
64688 +++ linux-2.6.38.6/mm/nommu.c 2011-04-28 19:34:15.000000000 -0400
64689 @@ -63,7 +63,6 @@ int sysctl_overcommit_memory = OVERCOMMI
64690 int sysctl_overcommit_ratio = 50; /* default is 50% */
64691 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
64692 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
64693 -int heap_stack_gap = 0;
64695 atomic_long_t mmap_pages_allocated;
64697 @@ -833,15 +832,6 @@ struct vm_area_struct *find_vma(struct m
64698 EXPORT_SYMBOL(find_vma);
64702 - * - we don't extend stack VMAs under NOMMU conditions
64704 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
64706 - return find_vma(mm, addr);
64710 * expand a stack to a given address
64711 * - not supported under NOMMU conditions
64713 @@ -1563,6 +1553,7 @@ int split_vma(struct mm_struct *mm, stru
64715 /* most fields are the same, copy all, and then fixup */
64717 + INIT_LIST_HEAD(&new->anon_vma_chain);
64718 *region = *vma->vm_region;
64719 new->vm_region = region;
64721 diff -urNp linux-2.6.38.6/mm/page_alloc.c linux-2.6.38.6/mm/page_alloc.c
64722 --- linux-2.6.38.6/mm/page_alloc.c 2011-04-18 17:27:16.000000000 -0400
64723 +++ linux-2.6.38.6/mm/page_alloc.c 2011-05-16 21:47:08.000000000 -0400
64724 @@ -644,6 +644,10 @@ static bool free_pages_prepare(struct pa
64728 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
64729 + unsigned long index = 1UL << order;
64732 trace_mm_page_free_direct(page, order);
64733 kmemcheck_free_shadow(page, order);
64735 @@ -659,6 +663,12 @@ static bool free_pages_prepare(struct pa
64736 debug_check_no_obj_freed(page_address(page),
64737 PAGE_SIZE << order);
64740 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
64741 + for (; index; --index)
64742 + sanitize_highpage(page + index - 1);
64745 arch_free_page(page, order);
64746 kernel_map_pages(page, 1 << order, 0);
64748 @@ -773,8 +783,10 @@ static int prep_new_page(struct page *pa
64749 arch_alloc_page(page, order);
64750 kernel_map_pages(page, 1 << order, 1);
64752 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
64753 if (gfp_flags & __GFP_ZERO)
64754 prep_zero_page(page, order, gfp_flags);
64757 if (order && (gfp_flags & __GFP_COMP))
64758 prep_compound_page(page, order);
64759 @@ -2423,6 +2435,8 @@ void show_free_areas(void)
64763 + pax_track_stack();
64765 for_each_populated_zone(zone) {
64767 printk("%s per-cpu:\n", zone->name);
64768 diff -urNp linux-2.6.38.6/mm/percpu.c linux-2.6.38.6/mm/percpu.c
64769 --- linux-2.6.38.6/mm/percpu.c 2011-03-14 21:20:32.000000000 -0400
64770 +++ linux-2.6.38.6/mm/percpu.c 2011-04-28 19:34:15.000000000 -0400
64771 @@ -121,7 +121,7 @@ static unsigned int pcpu_first_unit_cpu
64772 static unsigned int pcpu_last_unit_cpu __read_mostly;
64774 /* the address of the first chunk which starts with the kernel static area */
64775 -void *pcpu_base_addr __read_mostly;
64776 +void *pcpu_base_addr __read_only;
64777 EXPORT_SYMBOL_GPL(pcpu_base_addr);
64779 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
64780 diff -urNp linux-2.6.38.6/mm/rmap.c linux-2.6.38.6/mm/rmap.c
64781 --- linux-2.6.38.6/mm/rmap.c 2011-03-14 21:20:32.000000000 -0400
64782 +++ linux-2.6.38.6/mm/rmap.c 2011-04-28 19:34:15.000000000 -0400
64783 @@ -117,6 +117,10 @@ int anon_vma_prepare(struct vm_area_stru
64784 struct anon_vma *anon_vma = vma->anon_vma;
64785 struct anon_vma_chain *avc;
64787 +#ifdef CONFIG_PAX_SEGMEXEC
64788 + struct anon_vma_chain *avc_m = NULL;
64792 if (unlikely(!anon_vma)) {
64793 struct mm_struct *mm = vma->vm_mm;
64794 @@ -126,6 +130,12 @@ int anon_vma_prepare(struct vm_area_stru
64798 +#ifdef CONFIG_PAX_SEGMEXEC
64799 + avc_m = anon_vma_chain_alloc();
64801 + goto out_enomem_free_avc;
64804 anon_vma = find_mergeable_anon_vma(vma);
64807 @@ -144,6 +154,21 @@ int anon_vma_prepare(struct vm_area_stru
64808 /* page_table_lock to protect against threads */
64809 spin_lock(&mm->page_table_lock);
64810 if (likely(!vma->anon_vma)) {
64812 +#ifdef CONFIG_PAX_SEGMEXEC
64813 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
64816 + BUG_ON(vma_m->anon_vma);
64817 + vma_m->anon_vma = anon_vma;
64818 + avc_m->anon_vma = anon_vma;
64819 + avc_m->vma = vma;
64820 + list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
64821 + list_add(&avc_m->same_anon_vma, &anon_vma->head);
64826 vma->anon_vma = anon_vma;
64827 avc->anon_vma = anon_vma;
64829 @@ -157,12 +182,24 @@ int anon_vma_prepare(struct vm_area_stru
64831 if (unlikely(allocated))
64832 anon_vma_free(allocated);
64834 +#ifdef CONFIG_PAX_SEGMEXEC
64835 + if (unlikely(avc_m))
64836 + anon_vma_chain_free(avc_m);
64840 anon_vma_chain_free(avc);
64844 out_enomem_free_avc:
64846 +#ifdef CONFIG_PAX_SEGMEXEC
64848 + anon_vma_chain_free(avc_m);
64851 anon_vma_chain_free(avc);
64854 @@ -189,7 +226,7 @@ static void anon_vma_chain_link(struct v
64855 * Attach the anon_vmas from src to dst.
64856 * Returns 0 on success, -ENOMEM on failure.
64858 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
64859 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
64861 struct anon_vma_chain *avc, *pavc;
64863 @@ -211,7 +248,7 @@ int anon_vma_clone(struct vm_area_struct
64864 * the corresponding VMA in the parent process is attached to.
64865 * Returns 0 on success, non-zero on failure.
64867 -int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
64868 +int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
64870 struct anon_vma_chain *avc;
64871 struct anon_vma *anon_vma;
64872 diff -urNp linux-2.6.38.6/mm/shmem.c linux-2.6.38.6/mm/shmem.c
64873 --- linux-2.6.38.6/mm/shmem.c 2011-04-18 17:27:16.000000000 -0400
64874 +++ linux-2.6.38.6/mm/shmem.c 2011-05-16 21:47:08.000000000 -0400
64876 #include <linux/percpu_counter.h>
64877 #include <linux/swap.h>
64879 -static struct vfsmount *shm_mnt;
64880 +struct vfsmount *shm_mnt;
64882 #ifdef CONFIG_SHMEM
64884 @@ -1070,6 +1070,8 @@ static int shmem_writepage(struct page *
64887 entry = shmem_swp_entry(info, index, NULL);
64892 * The more uptodate page coming down from a stacked
64893 @@ -1153,6 +1155,8 @@ static struct page *shmem_swapin(swp_ent
64894 struct vm_area_struct pvma;
64897 + pax_track_stack();
64899 spol = mpol_cond_copy(&mpol,
64900 mpol_shared_policy_lookup(&info->policy, idx));
64902 @@ -1995,7 +1999,7 @@ static int shmem_symlink(struct inode *d
64904 info = SHMEM_I(inode);
64905 inode->i_size = len-1;
64906 - if (len <= (char *)inode - (char *)info) {
64907 + if (len <= min((char *)inode - (char *)info, 64)) {
64909 memcpy(info, symname, len);
64910 inode->i_op = &shmem_symlink_inline_operations;
64911 @@ -2341,8 +2345,7 @@ int shmem_fill_super(struct super_block
64914 /* Round up to L1_CACHE_BYTES to resist false sharing */
64915 - sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
64916 - L1_CACHE_BYTES), GFP_KERNEL);
64917 + sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
64921 diff -urNp linux-2.6.38.6/mm/slab.c linux-2.6.38.6/mm/slab.c
64922 --- linux-2.6.38.6/mm/slab.c 2011-04-18 17:27:16.000000000 -0400
64923 +++ linux-2.6.38.6/mm/slab.c 2011-04-28 19:57:25.000000000 -0400
64924 @@ -150,7 +150,7 @@
64926 /* Legal flag mask for kmem_cache_create(). */
64928 -# define CREATE_MASK (SLAB_RED_ZONE | \
64929 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_RED_ZONE | \
64930 SLAB_POISON | SLAB_HWCACHE_ALIGN | \
64932 SLAB_STORE_USER | \
64933 @@ -158,7 +158,7 @@
64934 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
64935 SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE | SLAB_NOTRACK)
64937 -# define CREATE_MASK (SLAB_HWCACHE_ALIGN | \
64938 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_HWCACHE_ALIGN | \
64940 SLAB_RECLAIM_ACCOUNT | SLAB_PANIC | \
64941 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
64942 @@ -284,7 +284,7 @@ struct kmem_list3 {
64943 * Need this for bootstrapping a per node allocator.
64945 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
64946 -static struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
64947 +static struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
64948 #define CACHE_CACHE 0
64949 #define SIZE_AC MAX_NUMNODES
64950 #define SIZE_L3 (2 * MAX_NUMNODES)
64951 @@ -385,10 +385,10 @@ static void kmem_list3_init(struct kmem_
64952 if ((x)->max_freeable < i) \
64953 (x)->max_freeable = i; \
64955 -#define STATS_INC_ALLOCHIT(x) atomic_inc(&(x)->allochit)
64956 -#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
64957 -#define STATS_INC_FREEHIT(x) atomic_inc(&(x)->freehit)
64958 -#define STATS_INC_FREEMISS(x) atomic_inc(&(x)->freemiss)
64959 +#define STATS_INC_ALLOCHIT(x) atomic_inc_unchecked(&(x)->allochit)
64960 +#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
64961 +#define STATS_INC_FREEHIT(x) atomic_inc_unchecked(&(x)->freehit)
64962 +#define STATS_INC_FREEMISS(x) atomic_inc_unchecked(&(x)->freemiss)
64964 #define STATS_INC_ACTIVE(x) do { } while (0)
64965 #define STATS_DEC_ACTIVE(x) do { } while (0)
64966 @@ -534,7 +534,7 @@ static inline void *index_to_obj(struct
64967 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
64969 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
64970 - const struct slab *slab, void *obj)
64971 + const struct slab *slab, const void *obj)
64973 u32 offset = (obj - slab->s_mem);
64974 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
64975 @@ -560,7 +560,7 @@ struct cache_names {
64976 static struct cache_names __initdata cache_names[] = {
64977 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
64978 #include <linux/kmalloc_sizes.h>
64984 @@ -1526,7 +1526,7 @@ void __init kmem_cache_init(void)
64985 sizes[INDEX_AC].cs_cachep = kmem_cache_create(names[INDEX_AC].name,
64986 sizes[INDEX_AC].cs_size,
64987 ARCH_KMALLOC_MINALIGN,
64988 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
64989 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
64992 if (INDEX_AC != INDEX_L3) {
64993 @@ -1534,7 +1534,7 @@ void __init kmem_cache_init(void)
64994 kmem_cache_create(names[INDEX_L3].name,
64995 sizes[INDEX_L3].cs_size,
64996 ARCH_KMALLOC_MINALIGN,
64997 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
64998 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
65002 @@ -1552,7 +1552,7 @@ void __init kmem_cache_init(void)
65003 sizes->cs_cachep = kmem_cache_create(names->name,
65005 ARCH_KMALLOC_MINALIGN,
65006 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
65007 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
65010 #ifdef CONFIG_ZONE_DMA
65011 @@ -4275,10 +4275,10 @@ static int s_show(struct seq_file *m, vo
65015 - unsigned long allochit = atomic_read(&cachep->allochit);
65016 - unsigned long allocmiss = atomic_read(&cachep->allocmiss);
65017 - unsigned long freehit = atomic_read(&cachep->freehit);
65018 - unsigned long freemiss = atomic_read(&cachep->freemiss);
65019 + unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
65020 + unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
65021 + unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
65022 + unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
65024 seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
65025 allochit, allocmiss, freehit, freemiss);
65026 @@ -4535,15 +4535,66 @@ static const struct file_operations proc
65028 static int __init slab_proc_init(void)
65030 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
65031 + mode_t gr_mode = S_IRUGO;
65033 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
65034 + gr_mode = S_IRUSR;
65037 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
65038 #ifdef CONFIG_DEBUG_SLAB_LEAK
65039 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
65040 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
65044 module_init(slab_proc_init);
65047 +void check_object_size(const void *ptr, unsigned long n, bool to)
65050 +#ifdef CONFIG_PAX_USERCOPY
65051 + struct page *page;
65052 + struct kmem_cache *cachep = NULL;
65053 + struct slab *slabp;
65054 + unsigned int objnr;
65055 + unsigned long offset;
65060 + if (ZERO_OR_NULL_PTR(ptr))
65063 + if (!virt_addr_valid(ptr))
65066 + page = virt_to_head_page(ptr);
65068 + if (!PageSlab(page)) {
65069 + if (object_is_on_stack(ptr, n) == -1)
65074 + cachep = page_get_cache(page);
65075 + if (!(cachep->flags & SLAB_USERCOPY))
65078 + slabp = page_get_slab(page);
65079 + objnr = obj_to_index(cachep, slabp, ptr);
65080 + BUG_ON(objnr >= cachep->num);
65081 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
65082 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
65086 + pax_report_usercopy(ptr, n, to, cachep ? cachep->name : NULL);
65090 +EXPORT_SYMBOL(check_object_size);
65093 * ksize - get the actual amount of memory allocated for a given object
65094 * @objp: Pointer to the object
65095 diff -urNp linux-2.6.38.6/mm/slob.c linux-2.6.38.6/mm/slob.c
65096 --- linux-2.6.38.6/mm/slob.c 2011-03-14 21:20:32.000000000 -0400
65097 +++ linux-2.6.38.6/mm/slob.c 2011-04-28 19:34:15.000000000 -0400
65099 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
65100 * alloc_pages() directly, allocating compound pages so the page order
65101 * does not have to be separately tracked, and also stores the exact
65102 - * allocation size in page->private so that it can be used to accurately
65103 + * allocation size in slob_page->size so that it can be used to accurately
65104 * provide ksize(). These objects are detected in kfree() because slob_page()
65105 * is false for them.
65110 #include <linux/kernel.h>
65111 +#include <linux/sched.h>
65112 #include <linux/slab.h>
65113 #include <linux/mm.h>
65114 #include <linux/swap.h> /* struct reclaim_state */
65115 @@ -102,7 +103,8 @@ struct slob_page {
65116 unsigned long flags; /* mandatory */
65117 atomic_t _count; /* mandatory */
65118 slobidx_t units; /* free units left in page */
65119 - unsigned long pad[2];
65120 + unsigned long pad[1];
65121 + unsigned long size; /* size when >=PAGE_SIZE */
65122 slob_t *free; /* first free slob_t in page */
65123 struct list_head list; /* linked list of free pages */
65125 @@ -135,7 +137,7 @@ static LIST_HEAD(free_slob_large);
65127 static inline int is_slob_page(struct slob_page *sp)
65129 - return PageSlab((struct page *)sp);
65130 + return PageSlab((struct page *)sp) && !sp->size;
65133 static inline void set_slob_page(struct slob_page *sp)
65134 @@ -150,7 +152,7 @@ static inline void clear_slob_page(struc
65136 static inline struct slob_page *slob_page(const void *addr)
65138 - return (struct slob_page *)virt_to_page(addr);
65139 + return (struct slob_page *)virt_to_head_page(addr);
65143 @@ -210,7 +212,7 @@ static void set_slob(slob_t *s, slobidx_
65145 * Return the size of a slob block.
65147 -static slobidx_t slob_units(slob_t *s)
65148 +static slobidx_t slob_units(const slob_t *s)
65152 @@ -220,7 +222,7 @@ static slobidx_t slob_units(slob_t *s)
65154 * Return the next free slob block pointer after this one.
65156 -static slob_t *slob_next(slob_t *s)
65157 +static slob_t *slob_next(const slob_t *s)
65159 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
65161 @@ -235,7 +237,7 @@ static slob_t *slob_next(slob_t *s)
65163 * Returns true if s is the last free block in its page.
65165 -static int slob_last(slob_t *s)
65166 +static int slob_last(const slob_t *s)
65168 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
65170 @@ -254,6 +256,7 @@ static void *slob_new_pages(gfp_t gfp, i
65174 + set_slob_page(page);
65175 return page_address(page);
65178 @@ -370,11 +373,11 @@ static void *slob_alloc(size_t size, gfp
65182 - set_slob_page(sp);
65184 spin_lock_irqsave(&slob_lock, flags);
65185 sp->units = SLOB_UNITS(PAGE_SIZE);
65188 INIT_LIST_HEAD(&sp->list);
65189 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
65190 set_slob_page_free(sp, slob_list);
65191 @@ -476,10 +479,9 @@ out:
65192 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
65195 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
65196 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
65199 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
65203 lockdep_trace_alloc(gfp);
65204 @@ -492,7 +494,10 @@ void *__kmalloc_node(size_t size, gfp_t
65209 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
65210 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
65211 + m[0].units = size;
65212 + m[1].units = align;
65213 ret = (void *)m + align;
65215 trace_kmalloc_node(_RET_IP_, ret,
65216 @@ -504,9 +509,9 @@ void *__kmalloc_node(size_t size, gfp_t
65218 ret = slob_new_pages(gfp, order, node);
65220 - struct page *page;
65221 - page = virt_to_page(ret);
65222 - page->private = size;
65223 + struct slob_page *sp;
65224 + sp = slob_page(ret);
65228 trace_kmalloc_node(_RET_IP_, ret,
65229 @@ -516,6 +521,13 @@ void *__kmalloc_node(size_t size, gfp_t
65230 kmemleak_alloc(ret, size, 1, gfp);
65234 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
65236 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
65238 + return __kmalloc_node_align(size, gfp, node, align);
65240 EXPORT_SYMBOL(__kmalloc_node);
65242 void kfree(const void *block)
65243 @@ -531,13 +543,81 @@ void kfree(const void *block)
65244 sp = slob_page(block);
65245 if (is_slob_page(sp)) {
65246 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
65247 - unsigned int *m = (unsigned int *)(block - align);
65248 - slob_free(m, *m + align);
65250 + slob_t *m = (slob_t *)(block - align);
65251 + slob_free(m, m[0].units + align);
65253 + clear_slob_page(sp);
65254 + free_slob_page(sp);
65256 put_page(&sp->page);
65259 EXPORT_SYMBOL(kfree);
65261 +void check_object_size(const void *ptr, unsigned long n, bool to)
65264 +#ifdef CONFIG_PAX_USERCOPY
65265 + struct slob_page *sp;
65266 + const slob_t *free;
65267 + const void *base;
65272 + if (ZERO_OR_NULL_PTR(ptr))
65275 + if (!virt_addr_valid(ptr))
65278 + sp = slob_page(ptr);
65279 + if (!PageSlab((struct page*)sp)) {
65280 + if (object_is_on_stack(ptr, n) == -1)
65286 + base = page_address(&sp->page);
65287 + if (base <= ptr && n <= sp->size - (ptr - base))
65292 + /* some tricky double walking to find the chunk */
65293 + base = (void *)((unsigned long)ptr & PAGE_MASK);
65296 + while (!slob_last(free) && (void *)free <= ptr) {
65297 + base = free + slob_units(free);
65298 + free = slob_next(free);
65301 + while (base < (void *)free) {
65302 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
65303 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
65306 + if (ptr < base + align)
65309 + offset = ptr - base - align;
65310 + if (offset < m) {
65311 + if (n <= m - offset)
65319 + pax_report_usercopy(ptr, n, to, NULL);
65323 +EXPORT_SYMBOL(check_object_size);
65325 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
65326 size_t ksize(const void *block)
65328 @@ -550,10 +630,10 @@ size_t ksize(const void *block)
65329 sp = slob_page(block);
65330 if (is_slob_page(sp)) {
65331 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
65332 - unsigned int *m = (unsigned int *)(block - align);
65333 - return SLOB_UNITS(*m) * SLOB_UNIT;
65334 + slob_t *m = (slob_t *)(block - align);
65335 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
65337 - return sp->page.private;
65340 EXPORT_SYMBOL(ksize);
65342 @@ -608,17 +688,25 @@ void *kmem_cache_alloc_node(struct kmem_
65346 +#ifdef CONFIG_PAX_USERCOPY
65347 + b = __kmalloc_node_align(c->size, flags, node, c->align);
65349 if (c->size < PAGE_SIZE) {
65350 b = slob_alloc(c->size, flags, c->align, node);
65351 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
65352 SLOB_UNITS(c->size) * SLOB_UNIT,
65355 + struct slob_page *sp;
65357 b = slob_new_pages(flags, get_order(c->size), node);
65358 + sp = slob_page(b);
65359 + sp->size = c->size;
65360 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
65361 PAGE_SIZE << get_order(c->size),
65368 @@ -630,10 +718,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
65370 static void __kmem_cache_free(void *b, int size)
65372 - if (size < PAGE_SIZE)
65373 + struct slob_page *sp = slob_page(b);
65375 + if (is_slob_page(sp))
65376 slob_free(b, size);
65379 + clear_slob_page(sp);
65380 + free_slob_page(sp);
65382 slob_free_pages(b, get_order(size));
65386 static void kmem_rcu_free(struct rcu_head *head)
65387 @@ -646,14 +740,23 @@ static void kmem_rcu_free(struct rcu_hea
65389 void kmem_cache_free(struct kmem_cache *c, void *b)
65391 + int size = c->size;
65393 +#ifdef CONFIG_PAX_USERCOPY
65394 + if (size + c->align < PAGE_SIZE) {
65395 + size += c->align;
65400 kmemleak_free_recursive(b, c->flags);
65401 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
65402 struct slob_rcu *slob_rcu;
65403 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
65404 - slob_rcu->size = c->size;
65405 + slob_rcu = b + (size - sizeof(struct slob_rcu));
65406 + slob_rcu->size = size;
65407 call_rcu(&slob_rcu->head, kmem_rcu_free);
65409 - __kmem_cache_free(b, c->size);
65410 + __kmem_cache_free(b, size);
65413 trace_kmem_cache_free(_RET_IP_, b);
65414 diff -urNp linux-2.6.38.6/mm/slub.c linux-2.6.38.6/mm/slub.c
65415 --- linux-2.6.38.6/mm/slub.c 2011-03-14 21:20:32.000000000 -0400
65416 +++ linux-2.6.38.6/mm/slub.c 2011-04-28 19:34:15.000000000 -0400
65417 @@ -390,7 +390,7 @@ static void print_track(const char *s, s
65421 - printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
65422 + printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
65423 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
65426 @@ -1927,6 +1927,8 @@ void kmem_cache_free(struct kmem_cache *
65428 page = virt_to_head_page(x);
65430 + BUG_ON(!PageSlab(page));
65432 slab_free(s, page, x, _RET_IP_);
65434 trace_kmem_cache_free(_RET_IP_, x);
65435 @@ -1960,7 +1962,7 @@ static int slub_min_objects;
65436 * Merge control. If this is set then no merging of slab caches will occur.
65437 * (Could be removed. This was introduced to pacify the merge skeptics.)
65439 -static int slub_nomerge;
65440 +static int slub_nomerge = 1;
65443 * Calculate the order of allocation given an slab object size.
65444 @@ -2370,7 +2372,7 @@ static int kmem_cache_open(struct kmem_c
65445 * list to avoid pounding the page allocator excessively.
65447 set_min_partial(s, ilog2(s->size));
65449 + atomic_set(&s->refcount, 1);
65451 s->remote_node_defrag_ratio = 1000;
65453 @@ -2482,8 +2484,7 @@ static inline int kmem_cache_close(struc
65454 void kmem_cache_destroy(struct kmem_cache *s)
65456 down_write(&slub_lock);
65458 - if (!s->refcount) {
65459 + if (atomic_dec_and_test(&s->refcount)) {
65460 list_del(&s->list);
65461 if (kmem_cache_close(s)) {
65462 printk(KERN_ERR "SLUB %s: %s called for cache that "
65463 @@ -2693,6 +2694,46 @@ void *__kmalloc_node(size_t size, gfp_t
65464 EXPORT_SYMBOL(__kmalloc_node);
65467 +void check_object_size(const void *ptr, unsigned long n, bool to)
65470 +#ifdef CONFIG_PAX_USERCOPY
65471 + struct page *page;
65472 + struct kmem_cache *s = NULL;
65473 + unsigned long offset;
65478 + if (ZERO_OR_NULL_PTR(ptr))
65481 + if (!virt_addr_valid(ptr))
65484 + page = virt_to_head_page(ptr);
65486 + if (!PageSlab(page)) {
65487 + if (object_is_on_stack(ptr, n) == -1)
65493 + if (!(s->flags & SLAB_USERCOPY))
65496 + offset = (ptr - page_address(page)) % s->size;
65497 + if (offset <= s->objsize && n <= s->objsize - offset)
65501 + pax_report_usercopy(ptr, n, to, s ? s->name : NULL);
65505 +EXPORT_SYMBOL(check_object_size);
65507 size_t ksize(const void *object)
65510 @@ -2958,7 +2999,7 @@ static void __init kmem_cache_bootstrap_
65513 list_add(&s->list, &slab_caches);
65514 - s->refcount = -1;
65515 + atomic_set(&s->refcount, -1);
65517 for_each_node_state(node, N_NORMAL_MEMORY) {
65518 struct kmem_cache_node *n = get_node(s, node);
65519 @@ -3075,17 +3116,17 @@ void __init kmem_cache_init(void)
65521 /* Caches that are not of the two-to-the-power-of size */
65522 if (KMALLOC_MIN_SIZE <= 32) {
65523 - kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, 0);
65524 + kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, SLAB_USERCOPY);
65528 if (KMALLOC_MIN_SIZE <= 64) {
65529 - kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, 0);
65530 + kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, SLAB_USERCOPY);
65534 for (i = KMALLOC_SHIFT_LOW; i < SLUB_PAGE_SHIFT; i++) {
65535 - kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, 0);
65536 + kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, SLAB_USERCOPY);
65540 @@ -3153,7 +3194,7 @@ static int slab_unmergeable(struct kmem_
65542 * We may have set a slab to be unmergeable during bootstrap.
65544 - if (s->refcount < 0)
65545 + if (atomic_read(&s->refcount) < 0)
65549 @@ -3212,7 +3253,7 @@ struct kmem_cache *kmem_cache_create(con
65550 down_write(&slub_lock);
65551 s = find_mergeable(size, align, flags, name, ctor);
65554 + atomic_inc(&s->refcount);
65556 * Adjust the object sizes so that we clear
65557 * the complete object on kzalloc.
65558 @@ -3221,7 +3262,7 @@ struct kmem_cache *kmem_cache_create(con
65559 s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
65561 if (sysfs_slab_alias(s, name)) {
65563 + atomic_dec(&s->refcount);
65566 up_write(&slub_lock);
65567 @@ -3954,7 +3995,7 @@ SLAB_ATTR_RO(ctor);
65569 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
65571 - return sprintf(buf, "%d\n", s->refcount - 1);
65572 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
65574 SLAB_ATTR_RO(aliases);
65576 @@ -4691,7 +4732,13 @@ static const struct file_operations proc
65578 static int __init slab_proc_init(void)
65580 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
65581 + mode_t gr_mode = S_IRUGO;
65583 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
65584 + gr_mode = S_IRUSR;
65587 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
65590 module_init(slab_proc_init);
65591 diff -urNp linux-2.6.38.6/mm/swapfile.c linux-2.6.38.6/mm/swapfile.c
65592 --- linux-2.6.38.6/mm/swapfile.c 2011-04-18 17:27:16.000000000 -0400
65593 +++ linux-2.6.38.6/mm/swapfile.c 2011-04-28 19:57:25.000000000 -0400
65594 @@ -61,7 +61,7 @@ static DEFINE_MUTEX(swapon_mutex);
65596 static DECLARE_WAIT_QUEUE_HEAD(proc_poll_wait);
65597 /* Activity counter to indicate that a swapon or swapoff has occurred */
65598 -static atomic_t proc_poll_event = ATOMIC_INIT(0);
65599 +static atomic_unchecked_t proc_poll_event = ATOMIC_INIT(0);
65601 static inline unsigned char swap_count(unsigned char ent)
65603 @@ -1687,7 +1687,7 @@ SYSCALL_DEFINE1(swapoff, const char __us
65605 filp_close(swap_file, NULL);
65607 - atomic_inc(&proc_poll_event);
65608 + atomic_inc_unchecked(&proc_poll_event);
65609 wake_up_interruptible(&proc_poll_wait);
65612 @@ -1708,8 +1708,8 @@ static unsigned swaps_poll(struct file *
65614 poll_wait(file, &proc_poll_wait, wait);
65616 - if (s->event != atomic_read(&proc_poll_event)) {
65617 - s->event = atomic_read(&proc_poll_event);
65618 + if (s->event != atomic_read_unchecked(&proc_poll_event)) {
65619 + s->event = atomic_read_unchecked(&proc_poll_event);
65620 return POLLIN | POLLRDNORM | POLLERR | POLLPRI;
65623 @@ -1815,7 +1815,7 @@ static int swaps_open(struct inode *inod
65626 s->seq.private = s;
65627 - s->event = atomic_read(&proc_poll_event);
65628 + s->event = atomic_read_unchecked(&proc_poll_event);
65632 @@ -2131,7 +2131,7 @@ SYSCALL_DEFINE2(swapon, const char __use
65633 swap_info[prev]->next = type;
65634 spin_unlock(&swap_lock);
65635 mutex_unlock(&swapon_mutex);
65636 - atomic_inc(&proc_poll_event);
65637 + atomic_inc_unchecked(&proc_poll_event);
65638 wake_up_interruptible(&proc_poll_wait);
65641 diff -urNp linux-2.6.38.6/mm/util.c linux-2.6.38.6/mm/util.c
65642 --- linux-2.6.38.6/mm/util.c 2011-03-14 21:20:32.000000000 -0400
65643 +++ linux-2.6.38.6/mm/util.c 2011-04-28 19:34:15.000000000 -0400
65644 @@ -219,6 +219,12 @@ EXPORT_SYMBOL(strndup_user);
65645 void arch_pick_mmap_layout(struct mm_struct *mm)
65647 mm->mmap_base = TASK_UNMAPPED_BASE;
65649 +#ifdef CONFIG_PAX_RANDMMAP
65650 + if (mm->pax_flags & MF_PAX_RANDMMAP)
65651 + mm->mmap_base += mm->delta_mmap;
65654 mm->get_unmapped_area = arch_get_unmapped_area;
65655 mm->unmap_area = arch_unmap_area;
65657 diff -urNp linux-2.6.38.6/mm/vmalloc.c linux-2.6.38.6/mm/vmalloc.c
65658 --- linux-2.6.38.6/mm/vmalloc.c 2011-03-14 21:20:32.000000000 -0400
65659 +++ linux-2.6.38.6/mm/vmalloc.c 2011-04-28 19:34:15.000000000 -0400
65660 @@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd,
65662 pte = pte_offset_kernel(pmd, addr);
65664 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
65665 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
65667 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
65668 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
65669 + BUG_ON(!pte_exec(*pte));
65670 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
65676 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
65677 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
65679 } while (pte++, addr += PAGE_SIZE, addr != end);
65682 @@ -91,6 +102,7 @@ static int vmap_pte_range(pmd_t *pmd, un
65683 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
65686 + int ret = -ENOMEM;
65689 * nr is a running index into the array which helps higher level
65690 @@ -100,17 +112,30 @@ static int vmap_pte_range(pmd_t *pmd, un
65691 pte = pte_alloc_kernel(pmd, addr);
65695 + pax_open_kernel();
65697 struct page *page = pages[*nr];
65699 - if (WARN_ON(!pte_none(*pte)))
65701 - if (WARN_ON(!page))
65703 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
65704 + if (pgprot_val(prot) & _PAGE_NX)
65707 + if (WARN_ON(!pte_none(*pte))) {
65711 + if (WARN_ON(!page)) {
65715 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
65717 } while (pte++, addr += PAGE_SIZE, addr != end);
65721 + pax_close_kernel();
65725 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
65726 @@ -191,11 +216,20 @@ int is_vmalloc_or_module_addr(const void
65727 * and fall back on vmalloc() if that fails. Others
65728 * just put it in the vmalloc space.
65730 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
65731 +#ifdef CONFIG_MODULES
65732 +#ifdef MODULES_VADDR
65733 unsigned long addr = (unsigned long)x;
65734 if (addr >= MODULES_VADDR && addr < MODULES_END)
65738 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
65739 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
65745 return is_vmalloc_addr(x);
65748 @@ -216,8 +250,14 @@ struct page *vmalloc_to_page(const void
65750 if (!pgd_none(*pgd)) {
65751 pud_t *pud = pud_offset(pgd, addr);
65753 + if (!pud_large(*pud))
65755 if (!pud_none(*pud)) {
65756 pmd_t *pmd = pmd_offset(pud, addr);
65758 + if (!pmd_large(*pmd))
65760 if (!pmd_none(*pmd)) {
65763 @@ -1244,6 +1284,16 @@ static struct vm_struct *__get_vm_area_n
65764 struct vm_struct *area;
65766 BUG_ON(in_interrupt());
65768 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
65769 + if (flags & VM_KERNEXEC) {
65770 + if (start != VMALLOC_START || end != VMALLOC_END)
65772 + start = (unsigned long)MODULES_EXEC_VADDR;
65773 + end = (unsigned long)MODULES_EXEC_END;
65777 if (flags & VM_IOREMAP) {
65778 int bit = fls(size);
65780 @@ -1462,6 +1512,11 @@ void *vmap(struct page **pages, unsigned
65781 if (count > totalram_pages)
65784 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
65785 + if (!(pgprot_val(prot) & _PAGE_NX))
65786 + flags |= VM_KERNEXEC;
65789 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
65790 __builtin_return_address(0));
65792 @@ -1558,6 +1613,13 @@ void *__vmalloc_node_range(unsigned long
65793 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
65796 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
65797 + if (!(pgprot_val(prot) & _PAGE_NX))
65798 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
65799 + node, gfp_mask, caller);
65803 area = __get_vm_area_node(size, align, VM_ALLOC, start, end, node,
65806 @@ -1597,6 +1659,7 @@ static void *__vmalloc_node(unsigned lon
65807 gfp_mask, prot, node, caller);
65811 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
65813 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
65814 @@ -1620,6 +1683,7 @@ static inline void *__vmalloc_node_flags
65815 * For tight control over page level allocator and protection flags
65816 * use __vmalloc() instead.
65819 void *vmalloc(unsigned long size)
65821 return __vmalloc_node_flags(size, -1, GFP_KERNEL | __GFP_HIGHMEM);
65822 @@ -1636,6 +1700,7 @@ EXPORT_SYMBOL(vmalloc);
65823 * For tight control over page level allocator and protection flags
65824 * use __vmalloc() instead.
65827 void *vzalloc(unsigned long size)
65829 return __vmalloc_node_flags(size, -1,
65830 @@ -1650,6 +1715,7 @@ EXPORT_SYMBOL(vzalloc);
65831 * The resulting memory area is zeroed so it can be mapped to userspace
65832 * without leaking data.
65834 +#undef vmalloc_user
65835 void *vmalloc_user(unsigned long size)
65837 struct vm_struct *area;
65838 @@ -1677,6 +1743,7 @@ EXPORT_SYMBOL(vmalloc_user);
65839 * For tight control over page level allocator and protection flags
65840 * use __vmalloc() instead.
65842 +#undef vmalloc_node
65843 void *vmalloc_node(unsigned long size, int node)
65845 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
65846 @@ -1696,6 +1763,7 @@ EXPORT_SYMBOL(vmalloc_node);
65847 * For tight control over page level allocator and protection flags
65848 * use __vmalloc_node() instead.
65850 +#undef vzalloc_node
65851 void *vzalloc_node(unsigned long size, int node)
65853 return __vmalloc_node_flags(size, node,
65854 @@ -1718,10 +1786,10 @@ EXPORT_SYMBOL(vzalloc_node);
65855 * For tight control over page level allocator and protection flags
65856 * use __vmalloc() instead.
65859 +#undef vmalloc_exec
65860 void *vmalloc_exec(unsigned long size)
65862 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
65863 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
65864 -1, __builtin_return_address(0));
65867 @@ -1740,6 +1808,7 @@ void *vmalloc_exec(unsigned long size)
65868 * Allocate enough 32bit PA addressable pages to cover @size from the
65869 * page level allocator and map them into contiguous kernel virtual space.
65872 void *vmalloc_32(unsigned long size)
65874 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
65875 @@ -1754,6 +1823,7 @@ EXPORT_SYMBOL(vmalloc_32);
65876 * The resulting memory area is 32bit addressable and zeroed so it can be
65877 * mapped to userspace without leaking data.
65879 +#undef vmalloc_32_user
65880 void *vmalloc_32_user(unsigned long size)
65882 struct vm_struct *area;
65883 @@ -2018,6 +2088,8 @@ int remap_vmalloc_range(struct vm_area_s
65884 unsigned long uaddr = vma->vm_start;
65885 unsigned long usize = vma->vm_end - vma->vm_start;
65887 + BUG_ON(vma->vm_mirror);
65889 if ((PAGE_SIZE-1) & (unsigned long)addr)
65892 diff -urNp linux-2.6.38.6/mm/vmstat.c linux-2.6.38.6/mm/vmstat.c
65893 --- linux-2.6.38.6/mm/vmstat.c 2011-03-14 21:20:32.000000000 -0400
65894 +++ linux-2.6.38.6/mm/vmstat.c 2011-04-28 19:34:15.000000000 -0400
65895 @@ -78,7 +78,7 @@ void vm_events_fold_cpu(int cpu)
65897 * vm_stat contains the global counters
65899 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
65900 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
65901 EXPORT_SYMBOL(vm_stat);
65904 @@ -451,7 +451,7 @@ void refresh_cpu_vm_stats(int cpu)
65905 v = p->vm_stat_diff[i];
65906 p->vm_stat_diff[i] = 0;
65907 local_irq_restore(flags);
65908 - atomic_long_add(v, &zone->vm_stat[i]);
65909 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
65910 global_diff[i] += v;
65912 /* 3 seconds idle till flush */
65913 @@ -489,7 +489,7 @@ void refresh_cpu_vm_stats(int cpu)
65915 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
65916 if (global_diff[i])
65917 - atomic_long_add(global_diff[i], &vm_stat[i]);
65918 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
65922 @@ -1188,10 +1188,20 @@ static int __init setup_vmstat(void)
65923 start_cpu_timer(cpu);
65925 #ifdef CONFIG_PROC_FS
65926 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
65927 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
65928 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
65929 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
65931 + mode_t gr_mode = S_IRUGO;
65932 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
65933 + gr_mode = S_IRUSR;
65935 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
65936 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
65937 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
65938 + proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
65940 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
65942 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
65947 diff -urNp linux-2.6.38.6/net/8021q/vlan.c linux-2.6.38.6/net/8021q/vlan.c
65948 --- linux-2.6.38.6/net/8021q/vlan.c 2011-03-14 21:20:32.000000000 -0400
65949 +++ linux-2.6.38.6/net/8021q/vlan.c 2011-04-28 19:34:15.000000000 -0400
65950 @@ -589,8 +589,7 @@ static int vlan_ioctl_handler(struct net
65952 if (!capable(CAP_NET_ADMIN))
65954 - if ((args.u.name_type >= 0) &&
65955 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
65956 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
65957 struct vlan_net *vn;
65959 vn = net_generic(net, vlan_net_id);
65960 diff -urNp linux-2.6.38.6/net/atm/atm_misc.c linux-2.6.38.6/net/atm/atm_misc.c
65961 --- linux-2.6.38.6/net/atm/atm_misc.c 2011-03-14 21:20:32.000000000 -0400
65962 +++ linux-2.6.38.6/net/atm/atm_misc.c 2011-04-28 19:34:15.000000000 -0400
65963 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
65964 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
65966 atm_return(vcc, truesize);
65967 - atomic_inc(&vcc->stats->rx_drop);
65968 + atomic_inc_unchecked(&vcc->stats->rx_drop);
65971 EXPORT_SYMBOL(atm_charge);
65972 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
65975 atm_return(vcc, guess);
65976 - atomic_inc(&vcc->stats->rx_drop);
65977 + atomic_inc_unchecked(&vcc->stats->rx_drop);
65980 EXPORT_SYMBOL(atm_alloc_charge);
65981 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
65983 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
65985 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
65986 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
65988 #undef __HANDLE_ITEM
65990 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
65992 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
65994 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
65995 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
65997 #undef __HANDLE_ITEM
65999 diff -urNp linux-2.6.38.6/net/atm/mpoa_caches.c linux-2.6.38.6/net/atm/mpoa_caches.c
66000 --- linux-2.6.38.6/net/atm/mpoa_caches.c 2011-03-14 21:20:32.000000000 -0400
66001 +++ linux-2.6.38.6/net/atm/mpoa_caches.c 2011-05-16 21:47:09.000000000 -0400
66002 @@ -255,6 +255,8 @@ static void check_resolving_entries(stru
66003 struct timeval now;
66004 struct k_message msg;
66006 + pax_track_stack();
66008 do_gettimeofday(&now);
66010 read_lock_bh(&client->ingress_lock);
66011 diff -urNp linux-2.6.38.6/net/atm/proc.c linux-2.6.38.6/net/atm/proc.c
66012 --- linux-2.6.38.6/net/atm/proc.c 2011-03-14 21:20:32.000000000 -0400
66013 +++ linux-2.6.38.6/net/atm/proc.c 2011-04-28 19:34:15.000000000 -0400
66014 @@ -45,9 +45,9 @@ static void add_stats(struct seq_file *s
66015 const struct k_atm_aal_stats *stats)
66017 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
66018 - atomic_read(&stats->tx), atomic_read(&stats->tx_err),
66019 - atomic_read(&stats->rx), atomic_read(&stats->rx_err),
66020 - atomic_read(&stats->rx_drop));
66021 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
66022 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
66023 + atomic_read_unchecked(&stats->rx_drop));
66026 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
66027 @@ -191,7 +191,12 @@ static void vcc_info(struct seq_file *se
66029 struct sock *sk = sk_atm(vcc);
66031 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66032 + seq_printf(seq, "%p ", NULL);
66034 seq_printf(seq, "%p ", vcc);
66038 seq_printf(seq, "Unassigned ");
66040 @@ -218,7 +223,11 @@ static void svc_info(struct seq_file *se
66043 seq_printf(seq, sizeof(void *) == 4 ?
66044 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66045 + "N/A@%p%10s" : "N/A@%p%2s", NULL, "");
66047 "N/A@%p%10s" : "N/A@%p%2s", vcc, "");
66050 seq_printf(seq, "%3d %3d %5d ",
66051 vcc->dev->number, vcc->vpi, vcc->vci);
66052 diff -urNp linux-2.6.38.6/net/atm/resources.c linux-2.6.38.6/net/atm/resources.c
66053 --- linux-2.6.38.6/net/atm/resources.c 2011-03-14 21:20:32.000000000 -0400
66054 +++ linux-2.6.38.6/net/atm/resources.c 2011-04-28 19:34:15.000000000 -0400
66055 @@ -160,7 +160,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
66056 static void copy_aal_stats(struct k_atm_aal_stats *from,
66057 struct atm_aal_stats *to)
66059 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
66060 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
66062 #undef __HANDLE_ITEM
66064 @@ -168,7 +168,7 @@ static void copy_aal_stats(struct k_atm_
66065 static void subtract_aal_stats(struct k_atm_aal_stats *from,
66066 struct atm_aal_stats *to)
66068 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
66069 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
66071 #undef __HANDLE_ITEM
66073 diff -urNp linux-2.6.38.6/net/batman-adv/hard-interface.c linux-2.6.38.6/net/batman-adv/hard-interface.c
66074 --- linux-2.6.38.6/net/batman-adv/hard-interface.c 2011-03-14 21:20:32.000000000 -0400
66075 +++ linux-2.6.38.6/net/batman-adv/hard-interface.c 2011-04-28 19:57:25.000000000 -0400
66076 @@ -325,8 +325,8 @@ int hardif_enable_interface(struct batma
66077 kref_get(&batman_if->refcount);
66078 dev_add_pack(&batman_if->batman_adv_ptype);
66080 - atomic_set(&batman_if->seqno, 1);
66081 - atomic_set(&batman_if->frag_seqno, 1);
66082 + atomic_set_unchecked(&batman_if->seqno, 1);
66083 + atomic_set_unchecked(&batman_if->frag_seqno, 1);
66084 bat_info(batman_if->soft_iface, "Adding interface: %s\n",
66085 batman_if->net_dev->name);
66087 diff -urNp linux-2.6.38.6/net/batman-adv/routing.c linux-2.6.38.6/net/batman-adv/routing.c
66088 --- linux-2.6.38.6/net/batman-adv/routing.c 2011-03-14 21:20:32.000000000 -0400
66089 +++ linux-2.6.38.6/net/batman-adv/routing.c 2011-04-28 19:57:25.000000000 -0400
66090 @@ -569,7 +569,7 @@ void receive_bat_packet(struct ethhdr *e
66093 /* could be changed by schedule_own_packet() */
66094 - if_incoming_seqno = atomic_read(&if_incoming->seqno);
66095 + if_incoming_seqno = atomic_read_unchecked(&if_incoming->seqno);
66097 has_directlink_flag = (batman_packet->flags & DIRECTLINK ? 1 : 0);
66099 diff -urNp linux-2.6.38.6/net/batman-adv/send.c linux-2.6.38.6/net/batman-adv/send.c
66100 --- linux-2.6.38.6/net/batman-adv/send.c 2011-03-14 21:20:32.000000000 -0400
66101 +++ linux-2.6.38.6/net/batman-adv/send.c 2011-04-28 19:57:25.000000000 -0400
66102 @@ -277,7 +277,7 @@ void schedule_own_packet(struct batman_i
66104 /* change sequence number to network order */
66105 batman_packet->seqno =
66106 - htonl((uint32_t)atomic_read(&batman_if->seqno));
66107 + htonl((uint32_t)atomic_read_unchecked(&batman_if->seqno));
66109 if (vis_server == VIS_TYPE_SERVER_SYNC)
66110 batman_packet->flags |= VIS_SERVER;
66111 @@ -291,7 +291,7 @@ void schedule_own_packet(struct batman_i
66113 batman_packet->gw_flags = 0;
66115 - atomic_inc(&batman_if->seqno);
66116 + atomic_inc_unchecked(&batman_if->seqno);
66118 slide_own_bcast_window(batman_if);
66119 send_time = own_send_time(bat_priv);
66120 diff -urNp linux-2.6.38.6/net/batman-adv/soft-interface.c linux-2.6.38.6/net/batman-adv/soft-interface.c
66121 --- linux-2.6.38.6/net/batman-adv/soft-interface.c 2011-03-14 21:20:32.000000000 -0400
66122 +++ linux-2.6.38.6/net/batman-adv/soft-interface.c 2011-04-28 19:57:25.000000000 -0400
66123 @@ -410,7 +410,7 @@ int interface_tx(struct sk_buff *skb, st
66125 /* set broadcast sequence number */
66126 bcast_packet->seqno =
66127 - htonl(atomic_inc_return(&bat_priv->bcast_seqno));
66128 + htonl(atomic_inc_return_unchecked(&bat_priv->bcast_seqno));
66130 add_bcast_packet_to_list(bat_priv, skb);
66132 @@ -603,7 +603,7 @@ struct net_device *softif_create(char *n
66133 atomic_set(&bat_priv->batman_queue_left, BATMAN_QUEUE_LEN);
66135 atomic_set(&bat_priv->mesh_state, MESH_INACTIVE);
66136 - atomic_set(&bat_priv->bcast_seqno, 1);
66137 + atomic_set_unchecked(&bat_priv->bcast_seqno, 1);
66138 atomic_set(&bat_priv->hna_local_changed, 0);
66140 bat_priv->primary_if = NULL;
66141 diff -urNp linux-2.6.38.6/net/batman-adv/types.h linux-2.6.38.6/net/batman-adv/types.h
66142 --- linux-2.6.38.6/net/batman-adv/types.h 2011-03-14 21:20:32.000000000 -0400
66143 +++ linux-2.6.38.6/net/batman-adv/types.h 2011-04-28 19:57:25.000000000 -0400
66144 @@ -38,8 +38,8 @@ struct batman_if {
66147 struct net_device *net_dev;
66149 - atomic_t frag_seqno;
66150 + atomic_unchecked_t seqno;
66151 + atomic_unchecked_t frag_seqno;
66152 unsigned char *packet_buff;
66154 struct kobject *hardif_obj;
66155 @@ -133,7 +133,7 @@ struct bat_priv {
66156 atomic_t orig_interval; /* uint */
66157 atomic_t hop_penalty; /* uint */
66158 atomic_t log_level; /* uint */
66159 - atomic_t bcast_seqno;
66160 + atomic_unchecked_t bcast_seqno;
66161 atomic_t bcast_queue_left;
66162 atomic_t batman_queue_left;
66164 diff -urNp linux-2.6.38.6/net/batman-adv/unicast.c linux-2.6.38.6/net/batman-adv/unicast.c
66165 --- linux-2.6.38.6/net/batman-adv/unicast.c 2011-03-14 21:20:32.000000000 -0400
66166 +++ linux-2.6.38.6/net/batman-adv/unicast.c 2011-04-28 19:57:25.000000000 -0400
66167 @@ -261,9 +261,9 @@ int frag_send_skb(struct sk_buff *skb, s
66168 frag1->flags |= UNI_FRAG_HEAD;
66169 frag2->flags &= ~UNI_FRAG_HEAD;
66171 - frag1->seqno = htons((uint16_t)atomic_inc_return(
66172 + frag1->seqno = htons((uint16_t)atomic_inc_return_unchecked(
66173 &batman_if->frag_seqno));
66174 - frag2->seqno = htons((uint16_t)atomic_inc_return(
66175 + frag2->seqno = htons((uint16_t)atomic_inc_return_unchecked(
66176 &batman_if->frag_seqno));
66178 send_skb_packet(skb, batman_if, dstaddr);
66179 diff -urNp linux-2.6.38.6/net/bridge/br_multicast.c linux-2.6.38.6/net/bridge/br_multicast.c
66180 --- linux-2.6.38.6/net/bridge/br_multicast.c 2011-04-22 19:20:59.000000000 -0400
66181 +++ linux-2.6.38.6/net/bridge/br_multicast.c 2011-04-28 19:34:15.000000000 -0400
66182 @@ -1482,7 +1482,7 @@ static int br_multicast_ipv6_rcv(struct
66183 nexthdr = ip6h->nexthdr;
66184 offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
66186 - if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
66187 + if (nexthdr != IPPROTO_ICMPV6)
66190 /* Okay, we found ICMPv6 header */
66191 diff -urNp linux-2.6.38.6/net/bridge/netfilter/ebtables.c linux-2.6.38.6/net/bridge/netfilter/ebtables.c
66192 --- linux-2.6.38.6/net/bridge/netfilter/ebtables.c 2011-04-18 17:27:18.000000000 -0400
66193 +++ linux-2.6.38.6/net/bridge/netfilter/ebtables.c 2011-05-16 21:47:08.000000000 -0400
66194 @@ -1512,7 +1512,7 @@ static int do_ebt_get_ctl(struct sock *s
66195 tmp.valid_hooks = t->table->valid_hooks;
66197 mutex_unlock(&ebt_mutex);
66198 - if (copy_to_user(user, &tmp, *len) != 0){
66199 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
66200 BUGPRINT("c2u Didn't work\n");
66203 @@ -1779,6 +1779,8 @@ static int compat_copy_everything_to_use
66207 + pax_track_stack();
66209 memset(&tinfo, 0, sizeof(tinfo));
66211 if (cmd == EBT_SO_GET_ENTRIES) {
66212 diff -urNp linux-2.6.38.6/net/caif/caif_socket.c linux-2.6.38.6/net/caif/caif_socket.c
66213 --- linux-2.6.38.6/net/caif/caif_socket.c 2011-03-14 21:20:32.000000000 -0400
66214 +++ linux-2.6.38.6/net/caif/caif_socket.c 2011-04-28 19:57:25.000000000 -0400
66215 @@ -48,18 +48,19 @@ static struct dentry *debugfsdir;
66216 #ifdef CONFIG_DEBUG_FS
66217 struct debug_fs_counter {
66218 atomic_t caif_nr_socks;
66219 - atomic_t num_connect_req;
66220 - atomic_t num_connect_resp;
66221 - atomic_t num_connect_fail_resp;
66222 - atomic_t num_disconnect;
66223 - atomic_t num_remote_shutdown_ind;
66224 - atomic_t num_tx_flow_off_ind;
66225 - atomic_t num_tx_flow_on_ind;
66226 - atomic_t num_rx_flow_off;
66227 - atomic_t num_rx_flow_on;
66228 + atomic_unchecked_t num_connect_req;
66229 + atomic_unchecked_t num_connect_resp;
66230 + atomic_unchecked_t num_connect_fail_resp;
66231 + atomic_unchecked_t num_disconnect;
66232 + atomic_unchecked_t num_remote_shutdown_ind;
66233 + atomic_unchecked_t num_tx_flow_off_ind;
66234 + atomic_unchecked_t num_tx_flow_on_ind;
66235 + atomic_unchecked_t num_rx_flow_off;
66236 + atomic_unchecked_t num_rx_flow_on;
66238 static struct debug_fs_counter cnt;
66239 #define dbfs_atomic_inc(v) atomic_inc(v)
66240 +#define dbfs_atomic_inc_unchecked(v) atomic_inc_unchecked(v)
66241 #define dbfs_atomic_dec(v) atomic_dec(v)
66243 #define dbfs_atomic_inc(v)
66244 @@ -159,7 +160,7 @@ static int caif_queue_rcv_skb(struct soc
66245 atomic_read(&cf_sk->sk.sk_rmem_alloc),
66246 sk_rcvbuf_lowwater(cf_sk));
66247 set_rx_flow_off(cf_sk);
66248 - dbfs_atomic_inc(&cnt.num_rx_flow_off);
66249 + dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off);
66250 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
66253 @@ -169,7 +170,7 @@ static int caif_queue_rcv_skb(struct soc
66254 if (!sk_rmem_schedule(sk, skb->truesize) && rx_flow_is_on(cf_sk)) {
66255 set_rx_flow_off(cf_sk);
66256 pr_debug("sending flow OFF due to rmem_schedule\n");
66257 - dbfs_atomic_inc(&cnt.num_rx_flow_off);
66258 + dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off);
66259 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
66262 @@ -218,21 +219,21 @@ static void caif_ctrl_cb(struct cflayer
66264 case CAIF_CTRLCMD_FLOW_ON_IND:
66265 /* OK from modem to start sending again */
66266 - dbfs_atomic_inc(&cnt.num_tx_flow_on_ind);
66267 + dbfs_atomic_inc_unchecked(&cnt.num_tx_flow_on_ind);
66268 set_tx_flow_on(cf_sk);
66269 cf_sk->sk.sk_state_change(&cf_sk->sk);
66272 case CAIF_CTRLCMD_FLOW_OFF_IND:
66273 /* Modem asks us to shut up */
66274 - dbfs_atomic_inc(&cnt.num_tx_flow_off_ind);
66275 + dbfs_atomic_inc_unchecked(&cnt.num_tx_flow_off_ind);
66276 set_tx_flow_off(cf_sk);
66277 cf_sk->sk.sk_state_change(&cf_sk->sk);
66280 case CAIF_CTRLCMD_INIT_RSP:
66281 /* We're now connected */
66282 - dbfs_atomic_inc(&cnt.num_connect_resp);
66283 + dbfs_atomic_inc_unchecked(&cnt.num_connect_resp);
66284 cf_sk->sk.sk_state = CAIF_CONNECTED;
66285 set_tx_flow_on(cf_sk);
66286 cf_sk->sk.sk_state_change(&cf_sk->sk);
66287 @@ -247,7 +248,7 @@ static void caif_ctrl_cb(struct cflayer
66289 case CAIF_CTRLCMD_INIT_FAIL_RSP:
66290 /* Connect request failed */
66291 - dbfs_atomic_inc(&cnt.num_connect_fail_resp);
66292 + dbfs_atomic_inc_unchecked(&cnt.num_connect_fail_resp);
66293 cf_sk->sk.sk_err = ECONNREFUSED;
66294 cf_sk->sk.sk_state = CAIF_DISCONNECTED;
66295 cf_sk->sk.sk_shutdown = SHUTDOWN_MASK;
66296 @@ -261,7 +262,7 @@ static void caif_ctrl_cb(struct cflayer
66298 case CAIF_CTRLCMD_REMOTE_SHUTDOWN_IND:
66299 /* Modem has closed this connection, or device is down. */
66300 - dbfs_atomic_inc(&cnt.num_remote_shutdown_ind);
66301 + dbfs_atomic_inc_unchecked(&cnt.num_remote_shutdown_ind);
66302 cf_sk->sk.sk_shutdown = SHUTDOWN_MASK;
66303 cf_sk->sk.sk_err = ECONNRESET;
66304 set_rx_flow_on(cf_sk);
66305 @@ -281,7 +282,7 @@ static void caif_check_flow_release(stru
66308 if (atomic_read(&sk->sk_rmem_alloc) <= sk_rcvbuf_lowwater(cf_sk)) {
66309 - dbfs_atomic_inc(&cnt.num_rx_flow_on);
66310 + dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_on);
66311 set_rx_flow_on(cf_sk);
66312 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_ON_REQ);
66314 @@ -864,7 +865,7 @@ static int caif_connect(struct socket *s
66315 /*ifindex = id of the interface.*/
66316 cf_sk->conn_req.ifindex = cf_sk->sk.sk_bound_dev_if;
66318 - dbfs_atomic_inc(&cnt.num_connect_req);
66319 + dbfs_atomic_inc_unchecked(&cnt.num_connect_req);
66320 cf_sk->layer.receive = caif_sktrecv_cb;
66321 err = caif_connect_client(&cf_sk->conn_req,
66322 &cf_sk->layer, &ifindex, &headroom, &tailroom);
66323 @@ -952,7 +953,7 @@ static int caif_release(struct socket *s
66324 spin_unlock(&sk->sk_receive_queue.lock);
66327 - dbfs_atomic_inc(&cnt.num_disconnect);
66328 + dbfs_atomic_inc_unchecked(&cnt.num_disconnect);
66330 if (cf_sk->debugfs_socket_dir != NULL)
66331 debugfs_remove_recursive(cf_sk->debugfs_socket_dir);
66332 diff -urNp linux-2.6.38.6/net/caif/cfctrl.c linux-2.6.38.6/net/caif/cfctrl.c
66333 --- linux-2.6.38.6/net/caif/cfctrl.c 2011-03-14 21:20:32.000000000 -0400
66334 +++ linux-2.6.38.6/net/caif/cfctrl.c 2011-05-16 21:47:08.000000000 -0400
66336 #include <linux/stddef.h>
66337 #include <linux/spinlock.h>
66338 #include <linux/slab.h>
66339 +#include <linux/sched.h>
66340 #include <net/caif/caif_layer.h>
66341 #include <net/caif/cfpkt.h>
66342 #include <net/caif/cfctrl.h>
66343 @@ -46,8 +47,8 @@ struct cflayer *cfctrl_create(void)
66344 dev_info.id = 0xff;
66345 memset(this, 0, sizeof(*this));
66346 cfsrvl_init(&this->serv, 0, &dev_info, false);
66347 - atomic_set(&this->req_seq_no, 1);
66348 - atomic_set(&this->rsp_seq_no, 1);
66349 + atomic_set_unchecked(&this->req_seq_no, 1);
66350 + atomic_set_unchecked(&this->rsp_seq_no, 1);
66351 this->serv.layer.receive = cfctrl_recv;
66352 sprintf(this->serv.layer.name, "ctrl");
66353 this->serv.layer.ctrlcmd = cfctrl_ctrlcmd;
66354 @@ -116,8 +117,8 @@ void cfctrl_insert_req(struct cfctrl *ct
66355 struct cfctrl_request_info *req)
66357 spin_lock(&ctrl->info_list_lock);
66358 - atomic_inc(&ctrl->req_seq_no);
66359 - req->sequence_no = atomic_read(&ctrl->req_seq_no);
66360 + atomic_inc_unchecked(&ctrl->req_seq_no);
66361 + req->sequence_no = atomic_read_unchecked(&ctrl->req_seq_no);
66362 list_add_tail(&req->list, &ctrl->list);
66363 spin_unlock(&ctrl->info_list_lock);
66365 @@ -136,7 +137,7 @@ struct cfctrl_request_info *cfctrl_remov
66367 pr_warn("Requests are not received in order\n");
66369 - atomic_set(&ctrl->rsp_seq_no,
66370 + atomic_set_unchecked(&ctrl->rsp_seq_no,
66372 list_del(&p->list);
66374 @@ -385,6 +386,7 @@ static int cfctrl_recv(struct cflayer *l
66375 struct cfctrl *cfctrl = container_obj(layer);
66376 struct cfctrl_request_info rsp, *req;
66378 + pax_track_stack();
66380 cfpkt_extr_head(pkt, &cmdrsp, 1);
66381 cmd = cmdrsp & CFCTRL_CMD_MASK;
66382 diff -urNp linux-2.6.38.6/net/can/bcm.c linux-2.6.38.6/net/can/bcm.c
66383 --- linux-2.6.38.6/net/can/bcm.c 2011-05-10 22:06:29.000000000 -0400
66384 +++ linux-2.6.38.6/net/can/bcm.c 2011-05-10 22:09:01.000000000 -0400
66385 @@ -165,9 +165,15 @@ static int bcm_proc_show(struct seq_file
66386 struct bcm_sock *bo = bcm_sk(sk);
66389 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66390 + seq_printf(m, ">>> socket %p", NULL);
66391 + seq_printf(m, " / sk %p", NULL);
66392 + seq_printf(m, " / bo %p", NULL);
66394 seq_printf(m, ">>> socket %p", sk->sk_socket);
66395 seq_printf(m, " / sk %p", sk);
66396 seq_printf(m, " / bo %p", bo);
66398 seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
66399 seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
66400 seq_printf(m, " <<<\n");
66401 diff -urNp linux-2.6.38.6/net/core/datagram.c linux-2.6.38.6/net/core/datagram.c
66402 --- linux-2.6.38.6/net/core/datagram.c 2011-03-14 21:20:32.000000000 -0400
66403 +++ linux-2.6.38.6/net/core/datagram.c 2011-04-28 19:57:25.000000000 -0400
66404 @@ -285,7 +285,7 @@ int skb_kill_datagram(struct sock *sk, s
66408 - atomic_inc(&sk->sk_drops);
66409 + atomic_inc_unchecked(&sk->sk_drops);
66410 sk_mem_reclaim_partial(sk);
66413 diff -urNp linux-2.6.38.6/net/core/dev.c linux-2.6.38.6/net/core/dev.c
66414 --- linux-2.6.38.6/net/core/dev.c 2011-03-14 21:20:32.000000000 -0400
66415 +++ linux-2.6.38.6/net/core/dev.c 2011-04-28 19:34:15.000000000 -0400
66416 @@ -1124,10 +1124,14 @@ void dev_load(struct net *net, const cha
66417 if (no_module && capable(CAP_NET_ADMIN))
66418 no_module = request_module("netdev-%s", name);
66419 if (no_module && capable(CAP_SYS_MODULE)) {
66420 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
66421 + ___request_module(true, "grsec_modharden_netdev", "%s", name);
66423 if (!request_module("%s", name))
66424 pr_err("Loading kernel module for a network device "
66425 "with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s "
66426 "instead\n", name);
66430 EXPORT_SYMBOL(dev_load);
66431 @@ -2787,7 +2791,7 @@ int netif_rx_ni(struct sk_buff *skb)
66433 EXPORT_SYMBOL(netif_rx_ni);
66435 -static void net_tx_action(struct softirq_action *h)
66436 +static void net_tx_action(void)
66438 struct softnet_data *sd = &__get_cpu_var(softnet_data);
66440 @@ -3697,7 +3701,7 @@ void netif_napi_del(struct napi_struct *
66442 EXPORT_SYMBOL(netif_napi_del);
66444 -static void net_rx_action(struct softirq_action *h)
66445 +static void net_rx_action(void)
66447 struct softnet_data *sd = &__get_cpu_var(softnet_data);
66448 unsigned long time_limit = jiffies + 2;
66449 diff -urNp linux-2.6.38.6/net/core/flow.c linux-2.6.38.6/net/core/flow.c
66450 --- linux-2.6.38.6/net/core/flow.c 2011-03-14 21:20:32.000000000 -0400
66451 +++ linux-2.6.38.6/net/core/flow.c 2011-04-28 19:57:25.000000000 -0400
66452 @@ -60,7 +60,7 @@ struct flow_cache {
66453 struct timer_list rnd_timer;
66456 -atomic_t flow_cache_genid = ATOMIC_INIT(0);
66457 +atomic_unchecked_t flow_cache_genid = ATOMIC_INIT(0);
66458 EXPORT_SYMBOL(flow_cache_genid);
66459 static struct flow_cache flow_cache_global;
66460 static struct kmem_cache *flow_cachep __read_mostly;
66461 @@ -85,7 +85,7 @@ static void flow_cache_new_hashrnd(unsig
66463 static int flow_entry_valid(struct flow_cache_entry *fle)
66465 - if (atomic_read(&flow_cache_genid) != fle->genid)
66466 + if (atomic_read_unchecked(&flow_cache_genid) != fle->genid)
66468 if (fle->object && !fle->object->ops->check(fle->object))
66470 @@ -253,7 +253,7 @@ flow_cache_lookup(struct net *net, struc
66471 hlist_add_head(&fle->u.hlist, &fcp->hash_table[hash]);
66474 - } else if (likely(fle->genid == atomic_read(&flow_cache_genid))) {
66475 + } else if (likely(fle->genid == atomic_read_unchecked(&flow_cache_genid))) {
66479 @@ -274,7 +274,7 @@ nocache:
66481 flo = resolver(net, key, family, dir, flo, ctx);
66483 - fle->genid = atomic_read(&flow_cache_genid);
66484 + fle->genid = atomic_read_unchecked(&flow_cache_genid);
66488 diff -urNp linux-2.6.38.6/net/core/skbuff.c linux-2.6.38.6/net/core/skbuff.c
66489 --- linux-2.6.38.6/net/core/skbuff.c 2011-03-14 21:20:32.000000000 -0400
66490 +++ linux-2.6.38.6/net/core/skbuff.c 2011-05-16 21:47:09.000000000 -0400
66491 @@ -1543,6 +1543,8 @@ int skb_splice_bits(struct sk_buff *skb,
66492 struct sock *sk = skb->sk;
66495 + pax_track_stack();
66497 if (splice_grow_spd(pipe, &spd))
66500 diff -urNp linux-2.6.38.6/net/core/sock.c linux-2.6.38.6/net/core/sock.c
66501 --- linux-2.6.38.6/net/core/sock.c 2011-03-14 21:20:32.000000000 -0400
66502 +++ linux-2.6.38.6/net/core/sock.c 2011-04-28 19:57:25.000000000 -0400
66503 @@ -291,7 +291,7 @@ int sock_queue_rcv_skb(struct sock *sk,
66505 if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
66506 (unsigned)sk->sk_rcvbuf) {
66507 - atomic_inc(&sk->sk_drops);
66508 + atomic_inc_unchecked(&sk->sk_drops);
66512 @@ -300,7 +300,7 @@ int sock_queue_rcv_skb(struct sock *sk,
66515 if (!sk_rmem_schedule(sk, skb->truesize)) {
66516 - atomic_inc(&sk->sk_drops);
66517 + atomic_inc_unchecked(&sk->sk_drops);
66521 @@ -320,7 +320,7 @@ int sock_queue_rcv_skb(struct sock *sk,
66522 skb_dst_force(skb);
66524 spin_lock_irqsave(&list->lock, flags);
66525 - skb->dropcount = atomic_read(&sk->sk_drops);
66526 + skb->dropcount = atomic_read_unchecked(&sk->sk_drops);
66527 __skb_queue_tail(list, skb);
66528 spin_unlock_irqrestore(&list->lock, flags);
66530 @@ -340,7 +340,7 @@ int sk_receive_skb(struct sock *sk, stru
66533 if (sk_rcvqueues_full(sk, skb)) {
66534 - atomic_inc(&sk->sk_drops);
66535 + atomic_inc_unchecked(&sk->sk_drops);
66536 goto discard_and_relse;
66539 @@ -358,7 +358,7 @@ int sk_receive_skb(struct sock *sk, stru
66540 mutex_release(&sk->sk_lock.dep_map, 1, _RET_IP_);
66541 } else if (sk_add_backlog(sk, skb)) {
66542 bh_unlock_sock(sk);
66543 - atomic_inc(&sk->sk_drops);
66544 + atomic_inc_unchecked(&sk->sk_drops);
66545 goto discard_and_relse;
66548 @@ -934,7 +934,7 @@ int sock_getsockopt(struct socket *sock,
66552 - if (copy_to_user(optval, address, len))
66553 + if (len > sizeof(address) || copy_to_user(optval, address, len))
66557 @@ -967,7 +967,7 @@ int sock_getsockopt(struct socket *sock,
66561 - if (copy_to_user(optval, &v, len))
66562 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
66565 if (put_user(len, optlen))
66566 @@ -2023,7 +2023,7 @@ void sock_init_data(struct socket *sock,
66569 atomic_set(&sk->sk_refcnt, 1);
66570 - atomic_set(&sk->sk_drops, 0);
66571 + atomic_set_unchecked(&sk->sk_drops, 0);
66573 EXPORT_SYMBOL(sock_init_data);
66575 diff -urNp linux-2.6.38.6/net/decnet/sysctl_net_decnet.c linux-2.6.38.6/net/decnet/sysctl_net_decnet.c
66576 --- linux-2.6.38.6/net/decnet/sysctl_net_decnet.c 2011-03-14 21:20:32.000000000 -0400
66577 +++ linux-2.6.38.6/net/decnet/sysctl_net_decnet.c 2011-04-28 19:34:15.000000000 -0400
66578 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
66580 if (len > *lenp) len = *lenp;
66582 - if (copy_to_user(buffer, addr, len))
66583 + if (len > sizeof addr || copy_to_user(buffer, addr, len))
66587 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
66589 if (len > *lenp) len = *lenp;
66591 - if (copy_to_user(buffer, devname, len))
66592 + if (len > sizeof devname || copy_to_user(buffer, devname, len))
66596 diff -urNp linux-2.6.38.6/net/econet/Kconfig linux-2.6.38.6/net/econet/Kconfig
66597 --- linux-2.6.38.6/net/econet/Kconfig 2011-03-14 21:20:32.000000000 -0400
66598 +++ linux-2.6.38.6/net/econet/Kconfig 2011-04-28 19:34:15.000000000 -0400
66602 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
66603 - depends on EXPERIMENTAL && INET
66604 + depends on EXPERIMENTAL && INET && BROKEN
66606 Econet is a fairly old and slow networking protocol mainly used by
66607 Acorn computers to access file and print servers. It uses native
66608 diff -urNp linux-2.6.38.6/net/ipv4/inet_diag.c linux-2.6.38.6/net/ipv4/inet_diag.c
66609 --- linux-2.6.38.6/net/ipv4/inet_diag.c 2011-03-14 21:20:32.000000000 -0400
66610 +++ linux-2.6.38.6/net/ipv4/inet_diag.c 2011-04-28 19:34:15.000000000 -0400
66611 @@ -114,8 +114,14 @@ static int inet_csk_diag_fill(struct soc
66612 r->idiag_retrans = 0;
66614 r->id.idiag_if = sk->sk_bound_dev_if;
66616 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66617 + r->id.idiag_cookie[0] = 0;
66618 + r->id.idiag_cookie[1] = 0;
66620 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
66621 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
66624 r->id.idiag_sport = inet->inet_sport;
66625 r->id.idiag_dport = inet->inet_dport;
66626 @@ -201,8 +207,15 @@ static int inet_twsk_diag_fill(struct in
66627 r->idiag_family = tw->tw_family;
66628 r->idiag_retrans = 0;
66629 r->id.idiag_if = tw->tw_bound_dev_if;
66631 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66632 + r->id.idiag_cookie[0] = 0;
66633 + r->id.idiag_cookie[1] = 0;
66635 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
66636 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
66639 r->id.idiag_sport = tw->tw_sport;
66640 r->id.idiag_dport = tw->tw_dport;
66641 r->id.idiag_src[0] = tw->tw_rcv_saddr;
66642 @@ -285,12 +298,14 @@ static int inet_diag_get_exact(struct sk
66646 +#ifndef CONFIG_GRKERNSEC_HIDESYM
66648 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
66649 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
66650 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
66651 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
66656 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
66657 @@ -582,8 +597,14 @@ static int inet_diag_fill_req(struct sk_
66658 r->idiag_retrans = req->retrans;
66660 r->id.idiag_if = sk->sk_bound_dev_if;
66662 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66663 + r->id.idiag_cookie[0] = 0;
66664 + r->id.idiag_cookie[1] = 0;
66666 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
66667 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
66670 tmo = req->expires - jiffies;
66672 diff -urNp linux-2.6.38.6/net/ipv4/inet_hashtables.c linux-2.6.38.6/net/ipv4/inet_hashtables.c
66673 --- linux-2.6.38.6/net/ipv4/inet_hashtables.c 2011-03-14 21:20:32.000000000 -0400
66674 +++ linux-2.6.38.6/net/ipv4/inet_hashtables.c 2011-04-28 19:34:15.000000000 -0400
66675 @@ -18,11 +18,14 @@
66676 #include <linux/sched.h>
66677 #include <linux/slab.h>
66678 #include <linux/wait.h>
66679 +#include <linux/security.h>
66681 #include <net/inet_connection_sock.h>
66682 #include <net/inet_hashtables.h>
66683 #include <net/route.h>
66684 #include <net/ip.h>
66686 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
66689 * Allocate and initialize a new local port bind bucket.
66690 * The bindhash mutex for snum's hash chain must be held here.
66691 @@ -529,6 +532,8 @@ ok:
66692 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
66693 spin_unlock(&head->lock);
66695 + gr_update_task_in_ip_table(current, inet_sk(sk));
66698 inet_twsk_deschedule(tw, death_row);
66700 diff -urNp linux-2.6.38.6/net/ipv4/inetpeer.c linux-2.6.38.6/net/ipv4/inetpeer.c
66701 --- linux-2.6.38.6/net/ipv4/inetpeer.c 2011-03-14 21:20:32.000000000 -0400
66702 +++ linux-2.6.38.6/net/ipv4/inetpeer.c 2011-05-16 21:47:08.000000000 -0400
66703 @@ -478,6 +478,8 @@ struct inet_peer *inet_getpeer(struct in
66704 struct inet_peer_base *base = family_to_base(daddr->family);
66705 struct inet_peer *p;
66707 + pax_track_stack();
66709 /* Look up for the address quickly, lockless.
66710 * Because of a concurrent writer, we might not find an existing entry.
66712 @@ -509,8 +511,8 @@ struct inet_peer *inet_getpeer(struct in
66715 atomic_set(&p->refcnt, 1);
66716 - atomic_set(&p->rid, 0);
66717 - atomic_set(&p->ip_id_count, secure_ip_id(daddr->a4));
66718 + atomic_set_unchecked(&p->rid, 0);
66719 + atomic_set_unchecked(&p->ip_id_count, secure_ip_id(daddr->a4));
66720 p->tcp_ts_stamp = 0;
66721 INIT_LIST_HEAD(&p->unused);
66723 diff -urNp linux-2.6.38.6/net/ipv4/ip_fragment.c linux-2.6.38.6/net/ipv4/ip_fragment.c
66724 --- linux-2.6.38.6/net/ipv4/ip_fragment.c 2011-03-14 21:20:32.000000000 -0400
66725 +++ linux-2.6.38.6/net/ipv4/ip_fragment.c 2011-04-28 19:34:15.000000000 -0400
66726 @@ -298,7 +298,7 @@ static inline int ip_frag_too_far(struct
66730 - end = atomic_inc_return(&peer->rid);
66731 + end = atomic_inc_return_unchecked(&peer->rid);
66734 rc = qp->q.fragments && (end - start) > max;
66735 diff -urNp linux-2.6.38.6/net/ipv4/ip_sockglue.c linux-2.6.38.6/net/ipv4/ip_sockglue.c
66736 --- linux-2.6.38.6/net/ipv4/ip_sockglue.c 2011-03-14 21:20:32.000000000 -0400
66737 +++ linux-2.6.38.6/net/ipv4/ip_sockglue.c 2011-05-16 21:47:09.000000000 -0400
66738 @@ -1064,6 +1064,8 @@ static int do_ip_getsockopt(struct sock
66742 + pax_track_stack();
66744 if (level != SOL_IP)
66745 return -EOPNOTSUPP;
66747 diff -urNp linux-2.6.38.6/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.38.6/net/ipv4/netfilter/nf_nat_snmp_basic.c
66748 --- linux-2.6.38.6/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-03-14 21:20:32.000000000 -0400
66749 +++ linux-2.6.38.6/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-04-28 19:34:15.000000000 -0400
66750 @@ -398,7 +398,7 @@ static unsigned char asn1_octets_decode(
66754 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
66755 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
66756 if (*octets == NULL) {
66757 if (net_ratelimit())
66758 pr_notice("OOM in bsalg (%d)\n", __LINE__);
66759 diff -urNp linux-2.6.38.6/net/ipv4/raw.c linux-2.6.38.6/net/ipv4/raw.c
66760 --- linux-2.6.38.6/net/ipv4/raw.c 2011-03-14 21:20:32.000000000 -0400
66761 +++ linux-2.6.38.6/net/ipv4/raw.c 2011-05-04 18:00:09.000000000 -0400
66762 @@ -302,7 +302,7 @@ static int raw_rcv_skb(struct sock * sk,
66763 int raw_rcv(struct sock *sk, struct sk_buff *skb)
66765 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
66766 - atomic_inc(&sk->sk_drops);
66767 + atomic_inc_unchecked(&sk->sk_drops);
66769 return NET_RX_DROP;
66771 @@ -724,15 +724,19 @@ static int raw_init(struct sock *sk)
66773 static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
66775 + struct icmp_filter filter;
66777 if (optlen > sizeof(struct icmp_filter))
66778 optlen = sizeof(struct icmp_filter);
66779 - if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
66780 + if (copy_from_user(&filter, optval, optlen))
66782 + memcpy(&raw_sk(sk)->filter, &filter, sizeof(filter));
66786 static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
66788 + struct icmp_filter filter;
66789 int len, ret = -EFAULT;
66791 if (get_user(len, optlen))
66792 @@ -743,8 +747,9 @@ static int raw_geticmpfilter(struct sock
66793 if (len > sizeof(struct icmp_filter))
66794 len = sizeof(struct icmp_filter);
66796 + memcpy(&filter, &raw_sk(sk)->filter, len);
66797 if (put_user(len, optlen) ||
66798 - copy_to_user(optval, &raw_sk(sk)->filter, len))
66799 + copy_to_user(optval, &filter, len))
66803 @@ -972,7 +977,13 @@ static void raw_sock_seq_show(struct seq
66804 sk_wmem_alloc_get(sp),
66805 sk_rmem_alloc_get(sp),
66806 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
66807 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
66808 + atomic_read(&sp->sk_refcnt),
66809 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66814 + atomic_read_unchecked(&sp->sk_drops));
66817 static int raw_seq_show(struct seq_file *seq, void *v)
66818 diff -urNp linux-2.6.38.6/net/ipv4/route.c linux-2.6.38.6/net/ipv4/route.c
66819 --- linux-2.6.38.6/net/ipv4/route.c 2011-04-22 19:20:59.000000000 -0400
66820 +++ linux-2.6.38.6/net/ipv4/route.c 2011-04-28 19:57:25.000000000 -0400
66821 @@ -270,7 +270,7 @@ static inline unsigned int rt_hash(__be3
66823 static inline int rt_genid(struct net *net)
66825 - return atomic_read(&net->ipv4.rt_genid);
66826 + return atomic_read_unchecked(&net->ipv4.rt_genid);
66829 #ifdef CONFIG_PROC_FS
66830 @@ -895,7 +895,7 @@ static void rt_cache_invalidate(struct n
66831 unsigned char shuffle;
66833 get_random_bytes(&shuffle, sizeof(shuffle));
66834 - atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
66835 + atomic_add_unchecked(shuffle + 1U, &net->ipv4.rt_genid);
66839 @@ -2857,7 +2857,7 @@ static int rt_fill_info(struct net *net,
66840 expires = rt->dst.expires ? rt->dst.expires - jiffies : 0;
66842 inet_peer_refcheck(rt->peer);
66843 - id = atomic_read(&rt->peer->ip_id_count) & 0xffff;
66844 + id = atomic_read_unchecked(&rt->peer->ip_id_count) & 0xffff;
66845 if (rt->peer->tcp_ts_stamp) {
66846 ts = rt->peer->tcp_ts;
66847 tsage = get_seconds() - rt->peer->tcp_ts_stamp;
66848 diff -urNp linux-2.6.38.6/net/ipv4/tcp.c linux-2.6.38.6/net/ipv4/tcp.c
66849 --- linux-2.6.38.6/net/ipv4/tcp.c 2011-03-14 21:20:32.000000000 -0400
66850 +++ linux-2.6.38.6/net/ipv4/tcp.c 2011-05-16 21:47:09.000000000 -0400
66851 @@ -2121,6 +2121,8 @@ static int do_tcp_setsockopt(struct sock
66855 + pax_track_stack();
66857 /* These are data/string values, all the others are ints */
66859 case TCP_CONGESTION: {
66860 @@ -2500,6 +2502,8 @@ static int do_tcp_getsockopt(struct sock
66861 struct tcp_sock *tp = tcp_sk(sk);
66864 + pax_track_stack();
66866 if (get_user(len, optlen))
66869 diff -urNp linux-2.6.38.6/net/ipv4/tcp_ipv4.c linux-2.6.38.6/net/ipv4/tcp_ipv4.c
66870 --- linux-2.6.38.6/net/ipv4/tcp_ipv4.c 2011-03-14 21:20:32.000000000 -0400
66871 +++ linux-2.6.38.6/net/ipv4/tcp_ipv4.c 2011-04-28 19:34:15.000000000 -0400
66872 @@ -86,6 +86,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
66873 int sysctl_tcp_low_latency __read_mostly;
66874 EXPORT_SYMBOL(sysctl_tcp_low_latency);
66876 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
66877 +extern int grsec_enable_blackhole;
66880 #ifdef CONFIG_TCP_MD5SIG
66881 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
66882 @@ -1593,6 +1596,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
66886 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
66887 + if (!grsec_enable_blackhole)
66889 tcp_v4_send_reset(rsk, skb);
66892 @@ -1655,12 +1661,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
66893 TCP_SKB_CB(skb)->sacked = 0;
66895 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
66898 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
66901 goto no_tcp_socket;
66905 - if (sk->sk_state == TCP_TIME_WAIT)
66906 + if (sk->sk_state == TCP_TIME_WAIT) {
66907 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
66913 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
66914 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
66915 @@ -1710,6 +1723,10 @@ no_tcp_socket:
66917 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
66919 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
66920 + if (!grsec_enable_blackhole || (ret == 1 &&
66921 + (skb->dev->flags & IFF_LOOPBACK)))
66923 tcp_v4_send_reset(NULL, skb);
66926 @@ -2373,7 +2390,11 @@ static void get_openreq4(struct sock *sk
66927 0, /* non standard timer */
66928 0, /* open_requests have no inode */
66929 atomic_read(&sk->sk_refcnt),
66930 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66938 @@ -2423,7 +2444,12 @@ static void get_tcp4_sock(struct sock *s
66940 icsk->icsk_probes_out,
66942 - atomic_read(&sk->sk_refcnt), sk,
66943 + atomic_read(&sk->sk_refcnt),
66944 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66949 jiffies_to_clock_t(icsk->icsk_rto),
66950 jiffies_to_clock_t(icsk->icsk_ack.ato),
66951 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
66952 @@ -2451,7 +2477,13 @@ static void get_timewait4_sock(struct in
66953 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
66954 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
66955 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
66956 - atomic_read(&tw->tw_refcnt), tw, len);
66957 + atomic_read(&tw->tw_refcnt),
66958 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66967 diff -urNp linux-2.6.38.6/net/ipv4/tcp_minisocks.c linux-2.6.38.6/net/ipv4/tcp_minisocks.c
66968 --- linux-2.6.38.6/net/ipv4/tcp_minisocks.c 2011-03-14 21:20:32.000000000 -0400
66969 +++ linux-2.6.38.6/net/ipv4/tcp_minisocks.c 2011-04-28 19:34:15.000000000 -0400
66971 #include <net/inet_common.h>
66972 #include <net/xfrm.h>
66974 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
66975 +extern int grsec_enable_blackhole;
66978 int sysctl_tcp_syncookies __read_mostly = 1;
66979 EXPORT_SYMBOL(sysctl_tcp_syncookies);
66981 @@ -745,6 +749,10 @@ listen_overflow:
66984 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
66986 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
66987 + if (!grsec_enable_blackhole)
66989 if (!(flg & TCP_FLAG_RST))
66990 req->rsk_ops->send_reset(sk, skb);
66992 diff -urNp linux-2.6.38.6/net/ipv4/tcp_output.c linux-2.6.38.6/net/ipv4/tcp_output.c
66993 --- linux-2.6.38.6/net/ipv4/tcp_output.c 2011-03-14 21:20:32.000000000 -0400
66994 +++ linux-2.6.38.6/net/ipv4/tcp_output.c 2011-05-16 21:47:09.000000000 -0400
66995 @@ -2420,6 +2420,8 @@ struct sk_buff *tcp_make_synack(struct s
66997 int s_data_desired = 0;
66999 + pax_track_stack();
67001 if (cvp != NULL && cvp->s_data_constant && cvp->s_data_desired)
67002 s_data_desired = cvp->s_data_desired;
67003 skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15 + s_data_desired, 1, GFP_ATOMIC);
67004 diff -urNp linux-2.6.38.6/net/ipv4/tcp_probe.c linux-2.6.38.6/net/ipv4/tcp_probe.c
67005 --- linux-2.6.38.6/net/ipv4/tcp_probe.c 2011-03-14 21:20:32.000000000 -0400
67006 +++ linux-2.6.38.6/net/ipv4/tcp_probe.c 2011-04-28 19:34:15.000000000 -0400
67007 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
67008 if (cnt + width >= len)
67011 - if (copy_to_user(buf + cnt, tbuf, width))
67012 + if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
67016 diff -urNp linux-2.6.38.6/net/ipv4/tcp_timer.c linux-2.6.38.6/net/ipv4/tcp_timer.c
67017 --- linux-2.6.38.6/net/ipv4/tcp_timer.c 2011-03-14 21:20:32.000000000 -0400
67018 +++ linux-2.6.38.6/net/ipv4/tcp_timer.c 2011-04-28 19:34:15.000000000 -0400
67020 #include <linux/gfp.h>
67021 #include <net/tcp.h>
67023 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67024 +extern int grsec_lastack_retries;
67027 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
67028 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
67029 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
67030 @@ -199,6 +203,13 @@ static int tcp_write_timeout(struct sock
67034 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67035 + if ((sk->sk_state == TCP_LAST_ACK) &&
67036 + (grsec_lastack_retries > 0) &&
67037 + (grsec_lastack_retries < retry_until))
67038 + retry_until = grsec_lastack_retries;
67041 if (retransmits_timed_out(sk, retry_until,
67042 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
67043 /* Has it gone just too far? */
67044 diff -urNp linux-2.6.38.6/net/ipv4/udp.c linux-2.6.38.6/net/ipv4/udp.c
67045 --- linux-2.6.38.6/net/ipv4/udp.c 2011-03-14 21:20:32.000000000 -0400
67046 +++ linux-2.6.38.6/net/ipv4/udp.c 2011-04-28 20:09:30.000000000 -0400
67048 #include <linux/types.h>
67049 #include <linux/fcntl.h>
67050 #include <linux/module.h>
67051 +#include <linux/security.h>
67052 #include <linux/socket.h>
67053 #include <linux/sockios.h>
67054 #include <linux/igmp.h>
67055 @@ -107,6 +108,10 @@
67056 #include <net/xfrm.h>
67057 #include "udp_impl.h"
67059 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67060 +extern int grsec_enable_blackhole;
67063 struct udp_table udp_table __read_mostly;
67064 EXPORT_SYMBOL(udp_table);
67066 @@ -564,6 +569,9 @@ found:
67070 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
67071 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
67074 * This routine is called by the ICMP module when it gets some
67075 * sort of error condition. If err < 0 then the socket should
67076 @@ -832,9 +840,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
67077 dport = usin->sin_port;
67081 + err = gr_search_udp_sendmsg(sk, usin);
67085 if (sk->sk_state != TCP_ESTABLISHED)
67086 return -EDESTADDRREQ;
67088 + err = gr_search_udp_sendmsg(sk, NULL);
67092 daddr = inet->inet_daddr;
67093 dport = inet->inet_dport;
67094 /* Open fast path for connected socket.
67095 @@ -1053,7 +1070,7 @@ static unsigned int first_packet_length(
67096 udp_lib_checksum_complete(skb)) {
67097 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
67099 - atomic_inc(&sk->sk_drops);
67100 + atomic_inc_unchecked(&sk->sk_drops);
67101 __skb_unlink(skb, rcvq);
67102 __skb_queue_tail(&list_kill, skb);
67104 @@ -1139,6 +1156,10 @@ try_again:
67108 + err = gr_search_udp_recvmsg(sk, skb);
67112 ulen = skb->len - sizeof(struct udphdr);
67115 @@ -1435,7 +1456,7 @@ int udp_queue_rcv_skb(struct sock *sk, s
67118 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
67119 - atomic_inc(&sk->sk_drops);
67120 + atomic_inc_unchecked(&sk->sk_drops);
67124 @@ -1454,7 +1475,7 @@ static void flush_stack(struct sock **st
67125 skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
67128 - atomic_inc(&sk->sk_drops);
67129 + atomic_inc_unchecked(&sk->sk_drops);
67130 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
67132 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
67133 @@ -1623,6 +1644,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
67136 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
67137 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67138 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
67140 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
67143 @@ -2050,8 +2074,13 @@ static void udp4_format_sock(struct sock
67144 sk_wmem_alloc_get(sp),
67145 sk_rmem_alloc_get(sp),
67146 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
67147 - atomic_read(&sp->sk_refcnt), sp,
67148 - atomic_read(&sp->sk_drops), len);
67149 + atomic_read(&sp->sk_refcnt),
67150 +#ifdef CONFIG_GRKERNSEC_HIDESYM
67155 + atomic_read_unchecked(&sp->sk_drops), len);
67158 int udp4_seq_show(struct seq_file *seq, void *v)
67159 diff -urNp linux-2.6.38.6/net/ipv6/inet6_connection_sock.c linux-2.6.38.6/net/ipv6/inet6_connection_sock.c
67160 --- linux-2.6.38.6/net/ipv6/inet6_connection_sock.c 2011-03-14 21:20:32.000000000 -0400
67161 +++ linux-2.6.38.6/net/ipv6/inet6_connection_sock.c 2011-04-28 19:57:25.000000000 -0400
67162 @@ -183,7 +183,7 @@ void __inet6_csk_dst_store(struct sock *
67165 struct rt6_info *rt = (struct rt6_info *)dst;
67166 - rt->rt6i_flow_cache_genid = atomic_read(&flow_cache_genid);
67167 + rt->rt6i_flow_cache_genid = atomic_read_unchecked(&flow_cache_genid);
67171 @@ -198,7 +198,7 @@ struct dst_entry *__inet6_csk_dst_check(
67174 struct rt6_info *rt = (struct rt6_info *)dst;
67175 - if (rt->rt6i_flow_cache_genid != atomic_read(&flow_cache_genid)) {
67176 + if (rt->rt6i_flow_cache_genid != atomic_read_unchecked(&flow_cache_genid)) {
67177 __sk_dst_reset(sk);
67180 diff -urNp linux-2.6.38.6/net/ipv6/inet6_hashtables.c linux-2.6.38.6/net/ipv6/inet6_hashtables.c
67181 --- linux-2.6.38.6/net/ipv6/inet6_hashtables.c 2011-03-14 21:20:32.000000000 -0400
67182 +++ linux-2.6.38.6/net/ipv6/inet6_hashtables.c 2011-05-11 18:35:16.000000000 -0400
67183 @@ -124,7 +124,7 @@ out:
67185 EXPORT_SYMBOL(__inet6_lookup_established);
67187 -static int inline compute_score(struct sock *sk, struct net *net,
67188 +static inline int compute_score(struct sock *sk, struct net *net,
67189 const unsigned short hnum,
67190 const struct in6_addr *daddr,
67192 diff -urNp linux-2.6.38.6/net/ipv6/ipv6_sockglue.c linux-2.6.38.6/net/ipv6/ipv6_sockglue.c
67193 --- linux-2.6.38.6/net/ipv6/ipv6_sockglue.c 2011-03-14 21:20:32.000000000 -0400
67194 +++ linux-2.6.38.6/net/ipv6/ipv6_sockglue.c 2011-05-16 21:47:09.000000000 -0400
67195 @@ -129,6 +129,8 @@ static int do_ipv6_setsockopt(struct soc
67197 int retv = -ENOPROTOOPT;
67199 + pax_track_stack();
67201 if (optval == NULL)
67204 @@ -919,6 +921,8 @@ static int do_ipv6_getsockopt(struct soc
67208 + pax_track_stack();
67210 if (ip6_mroute_opt(optname))
67211 return ip6_mroute_getsockopt(sk, optname, optval, optlen);
67213 diff -urNp linux-2.6.38.6/net/ipv6/raw.c linux-2.6.38.6/net/ipv6/raw.c
67214 --- linux-2.6.38.6/net/ipv6/raw.c 2011-03-14 21:20:32.000000000 -0400
67215 +++ linux-2.6.38.6/net/ipv6/raw.c 2011-05-16 21:47:08.000000000 -0400
67216 @@ -376,7 +376,7 @@ static inline int rawv6_rcv_skb(struct s
67218 if ((raw6_sk(sk)->checksum || rcu_dereference_raw(sk->sk_filter)) &&
67219 skb_checksum_complete(skb)) {
67220 - atomic_inc(&sk->sk_drops);
67221 + atomic_inc_unchecked(&sk->sk_drops);
67223 return NET_RX_DROP;
67225 @@ -403,7 +403,7 @@ int rawv6_rcv(struct sock *sk, struct sk
67226 struct raw6_sock *rp = raw6_sk(sk);
67228 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
67229 - atomic_inc(&sk->sk_drops);
67230 + atomic_inc_unchecked(&sk->sk_drops);
67232 return NET_RX_DROP;
67234 @@ -427,7 +427,7 @@ int rawv6_rcv(struct sock *sk, struct sk
67236 if (inet->hdrincl) {
67237 if (skb_checksum_complete(skb)) {
67238 - atomic_inc(&sk->sk_drops);
67239 + atomic_inc_unchecked(&sk->sk_drops);
67241 return NET_RX_DROP;
67243 @@ -602,7 +602,7 @@ out:
67247 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
67248 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
67249 struct flowi *fl, struct dst_entry **dstp,
67250 unsigned int flags)
67252 @@ -743,6 +743,8 @@ static int rawv6_sendmsg(struct kiocb *i
67256 + pax_track_stack();
67258 /* Rough check on arithmetic overflow,
67259 better check is made in ip6_append_data().
67261 @@ -919,12 +921,15 @@ do_confirm:
67262 static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
67263 char __user *optval, int optlen)
67265 + struct icmp6_filter filter;
67268 case ICMPV6_FILTER:
67269 if (optlen > sizeof(struct icmp6_filter))
67270 optlen = sizeof(struct icmp6_filter);
67271 - if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
67272 + if (copy_from_user(&filter, optval, optlen))
67274 + memcpy(&raw6_sk(sk)->filter, &filter, optlen);
67277 return -ENOPROTOOPT;
67278 @@ -936,6 +941,7 @@ static int rawv6_seticmpfilter(struct so
67279 static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
67280 char __user *optval, int __user *optlen)
67282 + struct icmp6_filter filter;
67286 @@ -948,7 +954,8 @@ static int rawv6_geticmpfilter(struct so
67287 len = sizeof(struct icmp6_filter);
67288 if (put_user(len, optlen))
67290 - if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
67291 + memcpy(&filter, &raw6_sk(sk)->filter, len);
67292 + if (copy_to_user(optval, &filter, len))
67296 @@ -1262,7 +1269,13 @@ static void raw6_sock_seq_show(struct se
67300 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
67301 + atomic_read(&sp->sk_refcnt),
67302 +#ifdef CONFIG_GRKERNSEC_HIDESYM
67307 + atomic_read_unchecked(&sp->sk_drops));
67310 static int raw6_seq_show(struct seq_file *seq, void *v)
67311 diff -urNp linux-2.6.38.6/net/ipv6/tcp_ipv6.c linux-2.6.38.6/net/ipv6/tcp_ipv6.c
67312 --- linux-2.6.38.6/net/ipv6/tcp_ipv6.c 2011-03-14 21:20:32.000000000 -0400
67313 +++ linux-2.6.38.6/net/ipv6/tcp_ipv6.c 2011-04-28 19:34:15.000000000 -0400
67314 @@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
67318 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67319 +extern int grsec_enable_blackhole;
67322 static void tcp_v6_hash(struct sock *sk)
67324 if (sk->sk_state != TCP_CLOSE) {
67325 @@ -1676,6 +1680,9 @@ static int tcp_v6_do_rcv(struct sock *sk
67329 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67330 + if (!grsec_enable_blackhole)
67332 tcp_v6_send_reset(sk, skb);
67335 @@ -1755,12 +1762,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
67336 TCP_SKB_CB(skb)->sacked = 0;
67338 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
67341 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67344 goto no_tcp_socket;
67348 - if (sk->sk_state == TCP_TIME_WAIT)
67349 + if (sk->sk_state == TCP_TIME_WAIT) {
67350 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67356 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
67357 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
67358 @@ -1808,6 +1823,10 @@ no_tcp_socket:
67360 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
67362 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67363 + if (!grsec_enable_blackhole || (ret == 1 &&
67364 + (skb->dev->flags & IFF_LOOPBACK)))
67366 tcp_v6_send_reset(NULL, skb);
67369 @@ -2068,7 +2087,13 @@ static void get_openreq6(struct seq_file
67371 0, /* non standard timer */
67372 0, /* open_requests have no inode */
67375 +#ifdef CONFIG_GRKERNSEC_HIDESYM
67383 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
67384 @@ -2118,7 +2143,12 @@ static void get_tcp6_sock(struct seq_fil
67386 icsk->icsk_probes_out,
67388 - atomic_read(&sp->sk_refcnt), sp,
67389 + atomic_read(&sp->sk_refcnt),
67390 +#ifdef CONFIG_GRKERNSEC_HIDESYM
67395 jiffies_to_clock_t(icsk->icsk_rto),
67396 jiffies_to_clock_t(icsk->icsk_ack.ato),
67397 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
67398 @@ -2153,7 +2183,13 @@ static void get_timewait6_sock(struct se
67399 dest->s6_addr32[2], dest->s6_addr32[3], destp,
67400 tw->tw_substate, 0, 0,
67401 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
67402 - atomic_read(&tw->tw_refcnt), tw);
67403 + atomic_read(&tw->tw_refcnt),
67404 +#ifdef CONFIG_GRKERNSEC_HIDESYM
67412 static int tcp6_seq_show(struct seq_file *seq, void *v)
67413 diff -urNp linux-2.6.38.6/net/ipv6/udp.c linux-2.6.38.6/net/ipv6/udp.c
67414 --- linux-2.6.38.6/net/ipv6/udp.c 2011-03-14 21:20:32.000000000 -0400
67415 +++ linux-2.6.38.6/net/ipv6/udp.c 2011-04-28 20:09:04.000000000 -0400
67417 #include <linux/seq_file.h>
67418 #include "udp_impl.h"
67420 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67421 +extern int grsec_enable_blackhole;
67424 int ipv6_rcv_saddr_equal(const struct sock *sk1, const struct sock *sk2)
67426 const struct in6_addr *sk1_rcv_saddr6 = &inet6_sk(sk1)->rcv_saddr;
67427 @@ -542,7 +546,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
67431 - atomic_inc(&sk->sk_drops);
67432 + atomic_inc_unchecked(&sk->sk_drops);
67433 drop_no_sk_drops_inc:
67434 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
67436 @@ -618,7 +622,7 @@ static void flush_stack(struct sock **st
67440 - atomic_inc(&sk->sk_drops);
67441 + atomic_inc_unchecked(&sk->sk_drops);
67442 UDP6_INC_STATS_BH(sock_net(sk),
67443 UDP_MIB_RCVBUFERRORS, IS_UDPLITE(sk));
67444 UDP6_INC_STATS_BH(sock_net(sk),
67445 @@ -773,6 +777,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
67446 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
67447 proto == IPPROTO_UDPLITE);
67449 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67450 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
67452 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
67455 @@ -789,7 +796,7 @@ int __udp6_lib_rcv(struct sk_buff *skb,
67456 if (!sock_owned_by_user(sk))
67457 udpv6_queue_rcv_skb(sk, skb);
67458 else if (sk_add_backlog(sk, skb)) {
67459 - atomic_inc(&sk->sk_drops);
67460 + atomic_inc_unchecked(&sk->sk_drops);
67461 bh_unlock_sock(sk);
67464 @@ -1407,8 +1414,13 @@ static void udp6_sock_seq_show(struct se
67468 - atomic_read(&sp->sk_refcnt), sp,
67469 - atomic_read(&sp->sk_drops));
67470 + atomic_read(&sp->sk_refcnt),
67471 +#ifdef CONFIG_GRKERNSEC_HIDESYM
67476 + atomic_read_unchecked(&sp->sk_drops));
67479 int udp6_seq_show(struct seq_file *seq, void *v)
67480 diff -urNp linux-2.6.38.6/net/irda/ircomm/ircomm_tty.c linux-2.6.38.6/net/irda/ircomm/ircomm_tty.c
67481 --- linux-2.6.38.6/net/irda/ircomm/ircomm_tty.c 2011-03-14 21:20:32.000000000 -0400
67482 +++ linux-2.6.38.6/net/irda/ircomm/ircomm_tty.c 2011-04-28 19:34:15.000000000 -0400
67483 @@ -281,16 +281,16 @@ static int ircomm_tty_block_til_ready(st
67484 add_wait_queue(&self->open_wait, &wait);
67486 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
67487 - __FILE__,__LINE__, tty->driver->name, self->open_count );
67488 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
67490 /* As far as I can see, we protect open_count - Jean II */
67491 spin_lock_irqsave(&self->spinlock, flags);
67492 if (!tty_hung_up_p(filp)) {
67494 - self->open_count--;
67495 + local_dec(&self->open_count);
67497 spin_unlock_irqrestore(&self->spinlock, flags);
67498 - self->blocked_open++;
67499 + local_inc(&self->blocked_open);
67502 if (tty->termios->c_cflag & CBAUD) {
67503 @@ -330,7 +330,7 @@ static int ircomm_tty_block_til_ready(st
67506 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
67507 - __FILE__,__LINE__, tty->driver->name, self->open_count );
67508 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
67512 @@ -341,13 +341,13 @@ static int ircomm_tty_block_til_ready(st
67514 /* ++ is not atomic, so this should be protected - Jean II */
67515 spin_lock_irqsave(&self->spinlock, flags);
67516 - self->open_count++;
67517 + local_inc(&self->open_count);
67518 spin_unlock_irqrestore(&self->spinlock, flags);
67520 - self->blocked_open--;
67521 + local_dec(&self->blocked_open);
67523 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
67524 - __FILE__,__LINE__, tty->driver->name, self->open_count);
67525 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
67528 self->flags |= ASYNC_NORMAL_ACTIVE;
67529 @@ -416,14 +416,14 @@ static int ircomm_tty_open(struct tty_st
67531 /* ++ is not atomic, so this should be protected - Jean II */
67532 spin_lock_irqsave(&self->spinlock, flags);
67533 - self->open_count++;
67534 + local_inc(&self->open_count);
67536 tty->driver_data = self;
67538 spin_unlock_irqrestore(&self->spinlock, flags);
67540 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
67541 - self->line, self->open_count);
67542 + self->line, local_read(&self->open_count));
67544 /* Not really used by us, but lets do it anyway */
67545 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
67546 @@ -509,7 +509,7 @@ static void ircomm_tty_close(struct tty_
67550 - if ((tty->count == 1) && (self->open_count != 1)) {
67551 + if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
67553 * Uh, oh. tty->count is 1, which means that the tty
67554 * structure will be freed. state->count should always
67555 @@ -519,16 +519,16 @@ static void ircomm_tty_close(struct tty_
67557 IRDA_DEBUG(0, "%s(), bad serial port count; "
67558 "tty->count is 1, state->count is %d\n", __func__ ,
67559 - self->open_count);
67560 - self->open_count = 1;
67561 + local_read(&self->open_count));
67562 + local_set(&self->open_count, 1);
67565 - if (--self->open_count < 0) {
67566 + if (local_dec_return(&self->open_count) < 0) {
67567 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
67568 - __func__, self->line, self->open_count);
67569 - self->open_count = 0;
67570 + __func__, self->line, local_read(&self->open_count));
67571 + local_set(&self->open_count, 0);
67573 - if (self->open_count) {
67574 + if (local_read(&self->open_count)) {
67575 spin_unlock_irqrestore(&self->spinlock, flags);
67577 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
67578 @@ -560,7 +560,7 @@ static void ircomm_tty_close(struct tty_
67582 - if (self->blocked_open) {
67583 + if (local_read(&self->blocked_open)) {
67584 if (self->close_delay)
67585 schedule_timeout_interruptible(self->close_delay);
67586 wake_up_interruptible(&self->open_wait);
67587 @@ -1012,7 +1012,7 @@ static void ircomm_tty_hangup(struct tty
67588 spin_lock_irqsave(&self->spinlock, flags);
67589 self->flags &= ~ASYNC_NORMAL_ACTIVE;
67591 - self->open_count = 0;
67592 + local_set(&self->open_count, 0);
67593 spin_unlock_irqrestore(&self->spinlock, flags);
67595 wake_up_interruptible(&self->open_wait);
67596 @@ -1364,7 +1364,7 @@ static void ircomm_tty_line_info(struct
67599 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
67600 - seq_printf(m, "Open count: %d\n", self->open_count);
67601 + seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
67602 seq_printf(m, "Max data size: %d\n", self->max_data_size);
67603 seq_printf(m, "Max header size: %d\n", self->max_header_size);
67605 diff -urNp linux-2.6.38.6/net/iucv/af_iucv.c linux-2.6.38.6/net/iucv/af_iucv.c
67606 --- linux-2.6.38.6/net/iucv/af_iucv.c 2011-03-14 21:20:32.000000000 -0400
67607 +++ linux-2.6.38.6/net/iucv/af_iucv.c 2011-04-28 19:57:25.000000000 -0400
67608 @@ -653,10 +653,10 @@ static int iucv_sock_autobind(struct soc
67610 write_lock_bh(&iucv_sk_list.lock);
67612 - sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
67613 + sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
67614 while (__iucv_get_sock_by_name(name)) {
67615 sprintf(name, "%08x",
67616 - atomic_inc_return(&iucv_sk_list.autobind_name));
67617 + atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
67620 write_unlock_bh(&iucv_sk_list.lock);
67621 diff -urNp linux-2.6.38.6/net/key/af_key.c linux-2.6.38.6/net/key/af_key.c
67622 --- linux-2.6.38.6/net/key/af_key.c 2011-03-14 21:20:32.000000000 -0400
67623 +++ linux-2.6.38.6/net/key/af_key.c 2011-05-16 21:47:08.000000000 -0400
67624 @@ -2470,6 +2470,8 @@ static int pfkey_migrate(struct sock *sk
67625 struct xfrm_migrate m[XFRM_MAX_DEPTH];
67626 struct xfrm_kmaddress k;
67628 + pax_track_stack();
67630 if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],
67631 ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) ||
67632 !ext_hdrs[SADB_X_EXT_POLICY - 1]) {
67633 @@ -3003,10 +3005,10 @@ static int pfkey_send_policy_notify(stru
67634 static u32 get_acqseq(void)
67637 - static atomic_t acqseq;
67638 + static atomic_unchecked_t acqseq;
67641 - res = atomic_inc_return(&acqseq);
67642 + res = atomic_inc_return_unchecked(&acqseq);
67646 @@ -3644,7 +3646,11 @@ static int pfkey_seq_show(struct seq_fil
67647 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
67649 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
67650 +#ifdef CONFIG_GRKERNSEC_HIDESYM
67655 atomic_read(&s->sk_refcnt),
67656 sk_rmem_alloc_get(s),
67657 sk_wmem_alloc_get(s),
67658 diff -urNp linux-2.6.38.6/net/mac80211/cfg.c linux-2.6.38.6/net/mac80211/cfg.c
67659 --- linux-2.6.38.6/net/mac80211/cfg.c 2011-05-10 22:06:29.000000000 -0400
67660 +++ linux-2.6.38.6/net/mac80211/cfg.c 2011-05-10 22:09:03.000000000 -0400
67661 @@ -1941,7 +1941,7 @@ static int ieee80211_get_antenna(struct
67662 return drv_get_antenna(local, tx_ant, rx_ant);
67665 -struct cfg80211_ops mac80211_config_ops = {
67666 +const struct cfg80211_ops mac80211_config_ops = {
67667 .add_virtual_intf = ieee80211_add_iface,
67668 .del_virtual_intf = ieee80211_del_iface,
67669 .change_virtual_intf = ieee80211_change_iface,
67670 diff -urNp linux-2.6.38.6/net/mac80211/cfg.h linux-2.6.38.6/net/mac80211/cfg.h
67671 --- linux-2.6.38.6/net/mac80211/cfg.h 2011-03-14 21:20:32.000000000 -0400
67672 +++ linux-2.6.38.6/net/mac80211/cfg.h 2011-04-28 19:34:15.000000000 -0400
67677 -extern struct cfg80211_ops mac80211_config_ops;
67678 +extern const struct cfg80211_ops mac80211_config_ops;
67680 #endif /* __CFG_H */
67681 diff -urNp linux-2.6.38.6/net/mac80211/debugfs_sta.c linux-2.6.38.6/net/mac80211/debugfs_sta.c
67682 --- linux-2.6.38.6/net/mac80211/debugfs_sta.c 2011-03-14 21:20:32.000000000 -0400
67683 +++ linux-2.6.38.6/net/mac80211/debugfs_sta.c 2011-05-16 21:47:09.000000000 -0400
67684 @@ -115,6 +115,8 @@ static ssize_t sta_agg_status_read(struc
67685 struct tid_ampdu_rx *tid_rx;
67686 struct tid_ampdu_tx *tid_tx;
67688 + pax_track_stack();
67692 p += scnprintf(p, sizeof(buf) + buf - p, "next dialog_token: %#02x\n",
67693 @@ -215,6 +217,8 @@ static ssize_t sta_ht_capa_read(struct f
67694 struct sta_info *sta = file->private_data;
67695 struct ieee80211_sta_ht_cap *htc = &sta->sta.ht_cap;
67697 + pax_track_stack();
67699 p += scnprintf(p, sizeof(buf) + buf - p, "ht %ssupported\n",
67700 htc->ht_supported ? "" : "not ");
67701 if (htc->ht_supported) {
67702 diff -urNp linux-2.6.38.6/net/mac80211/ieee80211_i.h linux-2.6.38.6/net/mac80211/ieee80211_i.h
67703 --- linux-2.6.38.6/net/mac80211/ieee80211_i.h 2011-03-14 21:20:32.000000000 -0400
67704 +++ linux-2.6.38.6/net/mac80211/ieee80211_i.h 2011-04-28 19:34:15.000000000 -0400
67706 #include <net/ieee80211_radiotap.h>
67707 #include <net/cfg80211.h>
67708 #include <net/mac80211.h>
67709 +#include <asm/local.h>
67711 #include "sta_info.h"
67713 @@ -716,7 +717,7 @@ struct ieee80211_local {
67714 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
67715 spinlock_t queue_stop_reason_lock;
67718 + local_t open_count;
67719 int monitors, cooked_mntrs;
67720 /* number of interfaces with corresponding FIF_ flags */
67721 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
67722 diff -urNp linux-2.6.38.6/net/mac80211/iface.c linux-2.6.38.6/net/mac80211/iface.c
67723 --- linux-2.6.38.6/net/mac80211/iface.c 2011-03-14 21:20:32.000000000 -0400
67724 +++ linux-2.6.38.6/net/mac80211/iface.c 2011-04-28 19:34:15.000000000 -0400
67725 @@ -211,7 +211,7 @@ static int ieee80211_do_open(struct net_
67729 - if (local->open_count == 0) {
67730 + if (local_read(&local->open_count) == 0) {
67731 res = drv_start(local);
67734 @@ -235,7 +235,7 @@ static int ieee80211_do_open(struct net_
67735 memcpy(dev->perm_addr, dev->dev_addr, ETH_ALEN);
67737 if (!is_valid_ether_addr(dev->dev_addr)) {
67738 - if (!local->open_count)
67739 + if (!local_read(&local->open_count))
67741 return -EADDRNOTAVAIL;
67743 @@ -327,7 +327,7 @@ static int ieee80211_do_open(struct net_
67744 mutex_unlock(&local->mtx);
67747 - local->open_count++;
67748 + local_inc(&local->open_count);
67750 if (hw_reconf_flags) {
67751 ieee80211_hw_config(local, hw_reconf_flags);
67752 @@ -347,7 +347,7 @@ static int ieee80211_do_open(struct net_
67754 drv_remove_interface(local, &sdata->vif);
67756 - if (!local->open_count)
67757 + if (!local_read(&local->open_count))
67761 @@ -473,7 +473,7 @@ static void ieee80211_do_stop(struct iee
67765 - local->open_count--;
67766 + local_dec(&local->open_count);
67768 switch (sdata->vif.type) {
67769 case NL80211_IFTYPE_AP_VLAN:
67770 @@ -532,7 +532,7 @@ static void ieee80211_do_stop(struct iee
67772 ieee80211_recalc_ps(local, -1);
67774 - if (local->open_count == 0) {
67775 + if (local_read(&local->open_count) == 0) {
67776 if (local->ops->napi_poll)
67777 napi_disable(&local->napi);
67778 ieee80211_clear_tx_pending(local);
67779 diff -urNp linux-2.6.38.6/net/mac80211/main.c linux-2.6.38.6/net/mac80211/main.c
67780 --- linux-2.6.38.6/net/mac80211/main.c 2011-03-14 21:20:32.000000000 -0400
67781 +++ linux-2.6.38.6/net/mac80211/main.c 2011-04-28 19:34:15.000000000 -0400
67782 @@ -161,7 +161,7 @@ int ieee80211_hw_config(struct ieee80211
67783 local->hw.conf.power_level = power;
67786 - if (changed && local->open_count) {
67787 + if (changed && local_read(&local->open_count)) {
67788 ret = drv_config(local, changed);
67791 diff -urNp linux-2.6.38.6/net/mac80211/mlme.c linux-2.6.38.6/net/mac80211/mlme.c
67792 --- linux-2.6.38.6/net/mac80211/mlme.c 2011-03-14 21:20:32.000000000 -0400
67793 +++ linux-2.6.38.6/net/mac80211/mlme.c 2011-05-16 21:47:09.000000000 -0400
67794 @@ -1356,6 +1356,8 @@ static bool ieee80211_assoc_success(stru
67795 bool have_higher_than_11mbit = false;
67796 u16 ap_ht_cap_flags;
67798 + pax_track_stack();
67800 /* AssocResp and ReassocResp have identical structure */
67802 aid = le16_to_cpu(mgmt->u.assoc_resp.aid);
67803 diff -urNp linux-2.6.38.6/net/mac80211/pm.c linux-2.6.38.6/net/mac80211/pm.c
67804 --- linux-2.6.38.6/net/mac80211/pm.c 2011-03-14 21:20:32.000000000 -0400
67805 +++ linux-2.6.38.6/net/mac80211/pm.c 2011-04-28 19:34:15.000000000 -0400
67806 @@ -95,7 +95,7 @@ int __ieee80211_suspend(struct ieee80211
67809 /* stop hardware - this must stop RX */
67810 - if (local->open_count)
67811 + if (local_read(&local->open_count))
67812 ieee80211_stop_device(local);
67814 local->suspended = true;
67815 diff -urNp linux-2.6.38.6/net/mac80211/rate.c linux-2.6.38.6/net/mac80211/rate.c
67816 --- linux-2.6.38.6/net/mac80211/rate.c 2011-03-14 21:20:32.000000000 -0400
67817 +++ linux-2.6.38.6/net/mac80211/rate.c 2011-04-28 19:34:15.000000000 -0400
67818 @@ -371,7 +371,7 @@ int ieee80211_init_rate_ctrl_alg(struct
67822 - if (local->open_count)
67823 + if (local_read(&local->open_count))
67826 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
67827 diff -urNp linux-2.6.38.6/net/mac80211/rc80211_pid_debugfs.c linux-2.6.38.6/net/mac80211/rc80211_pid_debugfs.c
67828 --- linux-2.6.38.6/net/mac80211/rc80211_pid_debugfs.c 2011-03-14 21:20:32.000000000 -0400
67829 +++ linux-2.6.38.6/net/mac80211/rc80211_pid_debugfs.c 2011-04-28 19:34:15.000000000 -0400
67830 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
67832 spin_unlock_irqrestore(&events->lock, status);
67834 - if (copy_to_user(buf, pb, p))
67835 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
67839 diff -urNp linux-2.6.38.6/net/mac80211/tx.c linux-2.6.38.6/net/mac80211/tx.c
67840 --- linux-2.6.38.6/net/mac80211/tx.c 2011-03-14 21:20:32.000000000 -0400
67841 +++ linux-2.6.38.6/net/mac80211/tx.c 2011-04-28 19:34:15.000000000 -0400
67842 @@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
67843 return cpu_to_le16(dur);
67846 -static int inline is_ieee80211_device(struct ieee80211_local *local,
67847 +static inline int is_ieee80211_device(struct ieee80211_local *local,
67848 struct net_device *dev)
67850 return local == wdev_priv(dev->ieee80211_ptr);
67851 diff -urNp linux-2.6.38.6/net/mac80211/util.c linux-2.6.38.6/net/mac80211/util.c
67852 --- linux-2.6.38.6/net/mac80211/util.c 2011-03-14 21:20:32.000000000 -0400
67853 +++ linux-2.6.38.6/net/mac80211/util.c 2011-04-28 19:34:15.000000000 -0400
67854 @@ -1135,7 +1135,7 @@ int ieee80211_reconfig(struct ieee80211_
67855 local->resuming = true;
67857 /* restart hardware */
67858 - if (local->open_count) {
67859 + if (local_read(&local->open_count)) {
67861 * Upon resume hardware can sometimes be goofy due to
67862 * various platform / driver / bus issues, so restarting
67863 diff -urNp linux-2.6.38.6/net/netfilter/ipvs/ip_vs_app.c linux-2.6.38.6/net/netfilter/ipvs/ip_vs_app.c
67864 --- linux-2.6.38.6/net/netfilter/ipvs/ip_vs_app.c 2011-03-14 21:20:32.000000000 -0400
67865 +++ linux-2.6.38.6/net/netfilter/ipvs/ip_vs_app.c 2011-05-17 19:31:43.000000000 -0400
67866 @@ -565,7 +565,7 @@ static const struct file_operations ip_v
67867 .open = ip_vs_app_open,
67869 .llseek = seq_lseek,
67870 - .release = seq_release,
67871 + .release = seq_release_net,
67875 diff -urNp linux-2.6.38.6/net/netfilter/ipvs/ip_vs_conn.c linux-2.6.38.6/net/netfilter/ipvs/ip_vs_conn.c
67876 --- linux-2.6.38.6/net/netfilter/ipvs/ip_vs_conn.c 2011-03-14 21:20:32.000000000 -0400
67877 +++ linux-2.6.38.6/net/netfilter/ipvs/ip_vs_conn.c 2011-05-17 19:31:43.000000000 -0400
67878 @@ -553,7 +553,7 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, s
67879 /* Increase the refcnt counter of the dest */
67880 atomic_inc(&dest->refcnt);
67882 - conn_flags = atomic_read(&dest->conn_flags);
67883 + conn_flags = atomic_read_unchecked(&dest->conn_flags);
67884 if (cp->protocol != IPPROTO_UDP)
67885 conn_flags &= ~IP_VS_CONN_F_ONE_PACKET;
67886 /* Bind with the destination and its corresponding transmitter */
67887 @@ -840,7 +840,7 @@ ip_vs_conn_new(const struct ip_vs_conn_p
67888 atomic_set(&cp->refcnt, 1);
67890 atomic_set(&cp->n_control, 0);
67891 - atomic_set(&cp->in_pkts, 0);
67892 + atomic_set_unchecked(&cp->in_pkts, 0);
67894 atomic_inc(&ip_vs_conn_count);
67895 if (flags & IP_VS_CONN_F_NO_CPORT)
67896 @@ -1012,7 +1012,7 @@ static const struct file_operations ip_v
67897 .open = ip_vs_conn_open,
67899 .llseek = seq_lseek,
67900 - .release = seq_release,
67901 + .release = seq_release_net,
67904 static const char *ip_vs_origin_name(unsigned flags)
67905 @@ -1075,7 +1075,7 @@ static const struct file_operations ip_v
67906 .open = ip_vs_conn_sync_open,
67908 .llseek = seq_lseek,
67909 - .release = seq_release,
67910 + .release = seq_release_net,
67914 @@ -1102,7 +1102,7 @@ static inline int todrop_entry(struct ip
67916 /* Don't drop the entry if its number of incoming packets is not
67917 located in [0, 8] */
67918 - i = atomic_read(&cp->in_pkts);
67919 + i = atomic_read_unchecked(&cp->in_pkts);
67920 if (i > 8 || i < 0) return 0;
67922 if (!todrop_rate[i]) return 0;
67923 diff -urNp linux-2.6.38.6/net/netfilter/ipvs/ip_vs_core.c linux-2.6.38.6/net/netfilter/ipvs/ip_vs_core.c
67924 --- linux-2.6.38.6/net/netfilter/ipvs/ip_vs_core.c 2011-03-14 21:20:32.000000000 -0400
67925 +++ linux-2.6.38.6/net/netfilter/ipvs/ip_vs_core.c 2011-04-28 19:57:25.000000000 -0400
67926 @@ -504,7 +504,7 @@ int ip_vs_leave(struct ip_vs_service *sv
67927 ret = cp->packet_xmit(skb, cp, pp);
67928 /* do not touch skb anymore */
67930 - atomic_inc(&cp->in_pkts);
67931 + atomic_inc_unchecked(&cp->in_pkts);
67932 ip_vs_conn_put(cp);
67935 @@ -1536,7 +1536,7 @@ ip_vs_in(unsigned int hooknum, struct sk
67936 * Sync connection if it is about to close to
67937 * encorage the standby servers to update the connections timeout
67939 - pkts = atomic_add_return(1, &cp->in_pkts);
67940 + pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
67941 if (af == AF_INET && (ip_vs_sync_state & IP_VS_STATE_MASTER) &&
67942 cp->protocol == IPPROTO_SCTP) {
67943 if ((cp->state == IP_VS_SCTP_S_ESTABLISHED &&
67944 diff -urNp linux-2.6.38.6/net/netfilter/ipvs/ip_vs_ctl.c linux-2.6.38.6/net/netfilter/ipvs/ip_vs_ctl.c
67945 --- linux-2.6.38.6/net/netfilter/ipvs/ip_vs_ctl.c 2011-03-14 21:20:32.000000000 -0400
67946 +++ linux-2.6.38.6/net/netfilter/ipvs/ip_vs_ctl.c 2011-05-17 19:31:43.000000000 -0400
67947 @@ -787,7 +787,7 @@ __ip_vs_update_dest(struct ip_vs_service
67948 ip_vs_rs_hash(dest);
67949 write_unlock_bh(&__ip_vs_rs_lock);
67951 - atomic_set(&dest->conn_flags, conn_flags);
67952 + atomic_set_unchecked(&dest->conn_flags, conn_flags);
67954 /* bind the service */
67956 @@ -1905,7 +1905,7 @@ static int ip_vs_info_seq_show(struct se
67957 " %-7s %-6d %-10d %-10d\n",
67960 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
67961 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
67962 atomic_read(&dest->weight),
67963 atomic_read(&dest->activeconns),
67964 atomic_read(&dest->inactconns));
67965 @@ -1916,7 +1916,7 @@ static int ip_vs_info_seq_show(struct se
67966 "%-7s %-6d %-10d %-10d\n",
67967 ntohl(dest->addr.ip),
67969 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
67970 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
67971 atomic_read(&dest->weight),
67972 atomic_read(&dest->activeconns),
67973 atomic_read(&dest->inactconns));
67974 @@ -1944,7 +1944,7 @@ static const struct file_operations ip_v
67975 .open = ip_vs_info_open,
67977 .llseek = seq_lseek,
67978 - .release = seq_release_private,
67979 + .release = seq_release_net,
67983 @@ -1993,7 +1993,7 @@ static const struct file_operations ip_v
67984 .open = ip_vs_stats_seq_open,
67986 .llseek = seq_lseek,
67987 - .release = single_release,
67988 + .release = single_release_net,
67992 @@ -2315,7 +2315,7 @@ __ip_vs_get_dest_entries(const struct ip
67994 entry.addr = dest->addr.ip;
67995 entry.port = dest->port;
67996 - entry.conn_flags = atomic_read(&dest->conn_flags);
67997 + entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
67998 entry.weight = atomic_read(&dest->weight);
67999 entry.u_threshold = dest->u_threshold;
68000 entry.l_threshold = dest->l_threshold;
68001 @@ -2376,6 +2376,8 @@ do_ip_vs_get_ctl(struct sock *sk, int cm
68003 unsigned int copylen;
68005 + pax_track_stack();
68007 if (!capable(CAP_NET_ADMIN))
68010 @@ -2831,7 +2833,7 @@ static int ip_vs_genl_fill_dest(struct s
68011 NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
68013 NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
68014 - atomic_read(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
68015 + atomic_read_unchecked(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
68016 NLA_PUT_U32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight));
68017 NLA_PUT_U32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold);
68018 NLA_PUT_U32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold);
68019 diff -urNp linux-2.6.38.6/net/netfilter/ipvs/ip_vs_sync.c linux-2.6.38.6/net/netfilter/ipvs/ip_vs_sync.c
68020 --- linux-2.6.38.6/net/netfilter/ipvs/ip_vs_sync.c 2011-03-14 21:20:32.000000000 -0400
68021 +++ linux-2.6.38.6/net/netfilter/ipvs/ip_vs_sync.c 2011-04-28 19:57:25.000000000 -0400
68022 @@ -460,7 +460,7 @@ static void ip_vs_process_message(const
68025 memcpy(&cp->in_seq, opt, sizeof(*opt));
68026 - atomic_set(&cp->in_pkts, sysctl_ip_vs_sync_threshold[0]);
68027 + atomic_set_unchecked(&cp->in_pkts, sysctl_ip_vs_sync_threshold[0]);
68029 cp->old_state = cp->state;
68031 diff -urNp linux-2.6.38.6/net/netfilter/ipvs/ip_vs_xmit.c linux-2.6.38.6/net/netfilter/ipvs/ip_vs_xmit.c
68032 --- linux-2.6.38.6/net/netfilter/ipvs/ip_vs_xmit.c 2011-03-14 21:20:32.000000000 -0400
68033 +++ linux-2.6.38.6/net/netfilter/ipvs/ip_vs_xmit.c 2011-04-28 19:57:25.000000000 -0400
68034 @@ -1116,7 +1116,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, str
68037 /* do not touch skb anymore */
68038 - atomic_inc(&cp->in_pkts);
68039 + atomic_inc_unchecked(&cp->in_pkts);
68043 @@ -1230,7 +1230,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb,
68046 /* do not touch skb anymore */
68047 - atomic_inc(&cp->in_pkts);
68048 + atomic_inc_unchecked(&cp->in_pkts);
68052 diff -urNp linux-2.6.38.6/net/netfilter/Kconfig linux-2.6.38.6/net/netfilter/Kconfig
68053 --- linux-2.6.38.6/net/netfilter/Kconfig 2011-03-14 21:20:32.000000000 -0400
68054 +++ linux-2.6.38.6/net/netfilter/Kconfig 2011-04-28 19:34:15.000000000 -0400
68055 @@ -709,6 +709,16 @@ config NETFILTER_XT_MATCH_ESP
68057 To compile it as a module, choose M here. If unsure, say N.
68059 +config NETFILTER_XT_MATCH_GRADM
68060 + tristate '"gradm" match support'
68061 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
68062 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
68064 + The gradm match allows to match on grsecurity RBAC being enabled.
68065 + It is useful when iptables rules are applied early on bootup to
68066 + prevent connections to the machine (except from a trusted host)
68067 + while the RBAC system is disabled.
68069 config NETFILTER_XT_MATCH_HASHLIMIT
68070 tristate '"hashlimit" match support'
68071 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
68072 diff -urNp linux-2.6.38.6/net/netfilter/Makefile linux-2.6.38.6/net/netfilter/Makefile
68073 --- linux-2.6.38.6/net/netfilter/Makefile 2011-03-14 21:20:32.000000000 -0400
68074 +++ linux-2.6.38.6/net/netfilter/Makefile 2011-04-28 19:34:15.000000000 -0400
68075 @@ -74,6 +74,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) +=
68076 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
68077 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
68078 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
68079 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
68080 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
68081 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
68082 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
68083 diff -urNp linux-2.6.38.6/net/netfilter/nf_conntrack_netlink.c linux-2.6.38.6/net/netfilter/nf_conntrack_netlink.c
68084 --- linux-2.6.38.6/net/netfilter/nf_conntrack_netlink.c 2011-03-14 21:20:32.000000000 -0400
68085 +++ linux-2.6.38.6/net/netfilter/nf_conntrack_netlink.c 2011-04-28 19:34:15.000000000 -0400
68086 @@ -761,7 +761,7 @@ static const struct nla_policy tuple_nla
68088 ctnetlink_parse_tuple(const struct nlattr * const cda[],
68089 struct nf_conntrack_tuple *tuple,
68090 - enum ctattr_tuple type, u_int8_t l3num)
68091 + enum ctattr_type type, u_int8_t l3num)
68093 struct nlattr *tb[CTA_TUPLE_MAX+1];
68095 diff -urNp linux-2.6.38.6/net/netfilter/nfnetlink_log.c linux-2.6.38.6/net/netfilter/nfnetlink_log.c
68096 --- linux-2.6.38.6/net/netfilter/nfnetlink_log.c 2011-03-14 21:20:32.000000000 -0400
68097 +++ linux-2.6.38.6/net/netfilter/nfnetlink_log.c 2011-04-28 19:57:25.000000000 -0400
68098 @@ -70,7 +70,7 @@ struct nfulnl_instance {
68101 static DEFINE_SPINLOCK(instances_lock);
68102 -static atomic_t global_seq;
68103 +static atomic_unchecked_t global_seq;
68105 #define INSTANCE_BUCKETS 16
68106 static struct hlist_head instance_table[INSTANCE_BUCKETS];
68107 @@ -507,7 +507,7 @@ __build_packet_message(struct nfulnl_ins
68108 /* global sequence number */
68109 if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
68110 NLA_PUT_BE32(inst->skb, NFULA_SEQ_GLOBAL,
68111 - htonl(atomic_inc_return(&global_seq)));
68112 + htonl(atomic_inc_return_unchecked(&global_seq)));
68115 struct nlattr *nla;
68116 diff -urNp linux-2.6.38.6/net/netfilter/nfnetlink_queue.c linux-2.6.38.6/net/netfilter/nfnetlink_queue.c
68117 --- linux-2.6.38.6/net/netfilter/nfnetlink_queue.c 2011-03-14 21:20:32.000000000 -0400
68118 +++ linux-2.6.38.6/net/netfilter/nfnetlink_queue.c 2011-04-28 19:57:25.000000000 -0400
68119 @@ -58,7 +58,7 @@ struct nfqnl_instance {
68122 unsigned int queue_total;
68123 - atomic_t id_sequence; /* 'sequence' of pkt ids */
68124 + atomic_unchecked_t id_sequence; /* 'sequence' of pkt ids */
68125 struct list_head queue_list; /* packets in queue */
68128 @@ -272,7 +272,7 @@ nfqnl_build_packet_message(struct nfqnl_
68129 nfmsg->version = NFNETLINK_V0;
68130 nfmsg->res_id = htons(queue->queue_num);
68132 - entry->id = atomic_inc_return(&queue->id_sequence);
68133 + entry->id = atomic_inc_return_unchecked(&queue->id_sequence);
68134 pmsg.packet_id = htonl(entry->id);
68135 pmsg.hw_protocol = entskb->protocol;
68136 pmsg.hook = entry->hook;
68137 @@ -863,7 +863,7 @@ static int seq_show(struct seq_file *s,
68138 inst->peer_pid, inst->queue_total,
68139 inst->copy_mode, inst->copy_range,
68140 inst->queue_dropped, inst->queue_user_dropped,
68141 - atomic_read(&inst->id_sequence), 1);
68142 + atomic_read_unchecked(&inst->id_sequence), 1);
68145 static const struct seq_operations nfqnl_seq_ops = {
68146 diff -urNp linux-2.6.38.6/net/netfilter/xt_gradm.c linux-2.6.38.6/net/netfilter/xt_gradm.c
68147 --- linux-2.6.38.6/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
68148 +++ linux-2.6.38.6/net/netfilter/xt_gradm.c 2011-04-28 19:34:15.000000000 -0400
68151 + * gradm match for netfilter
68152 + * Copyright © Zbigniew Krzystolik, 2010
68154 + * This program is free software; you can redistribute it and/or modify
68155 + * it under the terms of the GNU General Public License; either version
68156 + * 2 or 3 as published by the Free Software Foundation.
68158 +#include <linux/module.h>
68159 +#include <linux/moduleparam.h>
68160 +#include <linux/skbuff.h>
68161 +#include <linux/netfilter/x_tables.h>
68162 +#include <linux/grsecurity.h>
68163 +#include <linux/netfilter/xt_gradm.h>
68166 +gradm_mt(const struct sk_buff *skb, struct xt_action_param *par)
68168 + const struct xt_gradm_mtinfo *info = par->matchinfo;
68169 + bool retval = false;
68170 + if (gr_acl_is_enabled())
68172 + return retval ^ info->invflags;
68175 +static struct xt_match gradm_mt_reg __read_mostly = {
68178 + .family = NFPROTO_UNSPEC,
68179 + .match = gradm_mt,
68180 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
68181 + .me = THIS_MODULE,
68184 +static int __init gradm_mt_init(void)
68186 + return xt_register_match(&gradm_mt_reg);
68189 +static void __exit gradm_mt_exit(void)
68191 + xt_unregister_match(&gradm_mt_reg);
68194 +module_init(gradm_mt_init);
68195 +module_exit(gradm_mt_exit);
68196 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
68197 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
68198 +MODULE_LICENSE("GPL");
68199 +MODULE_ALIAS("ipt_gradm");
68200 +MODULE_ALIAS("ip6t_gradm");
68201 diff -urNp linux-2.6.38.6/net/netfilter/xt_statistic.c linux-2.6.38.6/net/netfilter/xt_statistic.c
68202 --- linux-2.6.38.6/net/netfilter/xt_statistic.c 2011-03-14 21:20:32.000000000 -0400
68203 +++ linux-2.6.38.6/net/netfilter/xt_statistic.c 2011-04-28 19:57:25.000000000 -0400
68205 #include <linux/netfilter/x_tables.h>
68207 struct xt_statistic_priv {
68209 + atomic_unchecked_t count;
68210 } ____cacheline_aligned_in_smp;
68212 MODULE_LICENSE("GPL");
68213 @@ -41,9 +41,9 @@ statistic_mt(const struct sk_buff *skb,
68215 case XT_STATISTIC_MODE_NTH:
68217 - oval = atomic_read(&info->master->count);
68218 + oval = atomic_read_unchecked(&info->master->count);
68219 nval = (oval == info->u.nth.every) ? 0 : oval + 1;
68220 - } while (atomic_cmpxchg(&info->master->count, oval, nval) != oval);
68221 + } while (atomic_cmpxchg_unchecked(&info->master->count, oval, nval) != oval);
68225 @@ -63,7 +63,7 @@ static int statistic_mt_check(const stru
68226 info->master = kzalloc(sizeof(*info->master), GFP_KERNEL);
68227 if (info->master == NULL)
68229 - atomic_set(&info->master->count, info->u.nth.count);
68230 + atomic_set_unchecked(&info->master->count, info->u.nth.count);
68234 diff -urNp linux-2.6.38.6/net/netlink/af_netlink.c linux-2.6.38.6/net/netlink/af_netlink.c
68235 --- linux-2.6.38.6/net/netlink/af_netlink.c 2011-03-14 21:20:32.000000000 -0400
68236 +++ linux-2.6.38.6/net/netlink/af_netlink.c 2011-04-28 19:57:25.000000000 -0400
68237 @@ -742,7 +742,7 @@ static void netlink_overrun(struct sock
68238 sk->sk_error_report(sk);
68241 - atomic_inc(&sk->sk_drops);
68242 + atomic_inc_unchecked(&sk->sk_drops);
68245 static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid)
68246 @@ -2001,15 +2001,23 @@ static int netlink_seq_show(struct seq_f
68247 struct netlink_sock *nlk = nlk_sk(s);
68249 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
68250 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68257 nlk->groups ? (u32)nlk->groups[0] : 0,
68258 sk_rmem_alloc_get(s),
68259 sk_wmem_alloc_get(s),
68260 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68265 atomic_read(&s->sk_refcnt),
68266 - atomic_read(&s->sk_drops),
68267 + atomic_read_unchecked(&s->sk_drops),
68271 diff -urNp linux-2.6.38.6/net/netrom/af_netrom.c linux-2.6.38.6/net/netrom/af_netrom.c
68272 --- linux-2.6.38.6/net/netrom/af_netrom.c 2011-03-14 21:20:32.000000000 -0400
68273 +++ linux-2.6.38.6/net/netrom/af_netrom.c 2011-04-28 19:34:15.000000000 -0400
68274 @@ -840,6 +840,7 @@ static int nr_getname(struct socket *soc
68275 struct sock *sk = sock->sk;
68276 struct nr_sock *nr = nr_sk(sk);
68278 + memset(sax, 0, sizeof(*sax));
68281 if (sk->sk_state != TCP_ESTABLISHED) {
68282 @@ -854,7 +855,6 @@ static int nr_getname(struct socket *soc
68283 *uaddr_len = sizeof(struct full_sockaddr_ax25);
68285 sax->fsa_ax25.sax25_family = AF_NETROM;
68286 - sax->fsa_ax25.sax25_ndigis = 0;
68287 sax->fsa_ax25.sax25_call = nr->source_addr;
68288 *uaddr_len = sizeof(struct sockaddr_ax25);
68290 diff -urNp linux-2.6.38.6/net/packet/af_packet.c linux-2.6.38.6/net/packet/af_packet.c
68291 --- linux-2.6.38.6/net/packet/af_packet.c 2011-03-14 21:20:32.000000000 -0400
68292 +++ linux-2.6.38.6/net/packet/af_packet.c 2011-04-28 19:57:25.000000000 -0400
68293 @@ -635,14 +635,14 @@ static int packet_rcv(struct sk_buff *sk
68295 spin_lock(&sk->sk_receive_queue.lock);
68296 po->stats.tp_packets++;
68297 - skb->dropcount = atomic_read(&sk->sk_drops);
68298 + skb->dropcount = atomic_read_unchecked(&sk->sk_drops);
68299 __skb_queue_tail(&sk->sk_receive_queue, skb);
68300 spin_unlock(&sk->sk_receive_queue.lock);
68301 sk->sk_data_ready(sk, skb->len);
68305 - po->stats.tp_drops = atomic_inc_return(&sk->sk_drops);
68306 + po->stats.tp_drops = atomic_inc_return_unchecked(&sk->sk_drops);
68309 if (skb_head != skb->data && skb_shared(skb)) {
68310 @@ -2134,7 +2134,7 @@ static int packet_getsockopt(struct sock
68311 case PACKET_HDRLEN:
68312 if (len > sizeof(int))
68314 - if (copy_from_user(&val, optval, len))
68315 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
68319 @@ -2172,7 +2172,7 @@ static int packet_getsockopt(struct sock
68321 if (put_user(len, optlen))
68323 - if (copy_to_user(optval, data, len))
68324 + if (len > sizeof(st) || copy_to_user(optval, data, len))
68328 @@ -2684,7 +2684,11 @@ static int packet_seq_show(struct seq_fi
68331 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
68332 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68337 atomic_read(&s->sk_refcnt),
68340 diff -urNp linux-2.6.38.6/net/phonet/af_phonet.c linux-2.6.38.6/net/phonet/af_phonet.c
68341 --- linux-2.6.38.6/net/phonet/af_phonet.c 2011-03-14 21:20:32.000000000 -0400
68342 +++ linux-2.6.38.6/net/phonet/af_phonet.c 2011-04-28 19:34:15.000000000 -0400
68343 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
68345 struct phonet_protocol *pp;
68347 - if (protocol >= PHONET_NPROTO)
68348 + if (protocol < 0 || protocol >= PHONET_NPROTO)
68352 @@ -463,7 +463,7 @@ int __init_or_module phonet_proto_regist
68356 - if (protocol >= PHONET_NPROTO)
68357 + if (protocol < 0 || protocol >= PHONET_NPROTO)
68360 err = proto_register(pp->prot, 1);
68361 diff -urNp linux-2.6.38.6/net/phonet/pep.c linux-2.6.38.6/net/phonet/pep.c
68362 --- linux-2.6.38.6/net/phonet/pep.c 2011-03-14 21:20:32.000000000 -0400
68363 +++ linux-2.6.38.6/net/phonet/pep.c 2011-04-28 19:57:25.000000000 -0400
68364 @@ -592,7 +592,7 @@ static int pipe_do_rcv(struct sock *sk,
68366 case PNS_PEP_CTRL_REQ:
68367 if (skb_queue_len(&pn->ctrlreq_queue) >= PNPIPE_CTRLREQ_MAX) {
68368 - atomic_inc(&sk->sk_drops);
68369 + atomic_inc_unchecked(&sk->sk_drops);
68372 __skb_pull(skb, 4);
68373 @@ -612,7 +612,7 @@ static int pipe_do_rcv(struct sock *sk,
68376 if (pn->rx_credits == 0) {
68377 - atomic_inc(&sk->sk_drops);
68378 + atomic_inc_unchecked(&sk->sk_drops);
68382 diff -urNp linux-2.6.38.6/net/phonet/socket.c linux-2.6.38.6/net/phonet/socket.c
68383 --- linux-2.6.38.6/net/phonet/socket.c 2011-03-14 21:20:32.000000000 -0400
68384 +++ linux-2.6.38.6/net/phonet/socket.c 2011-04-28 20:09:57.000000000 -0400
68385 @@ -637,8 +637,13 @@ static int pn_sock_seq_show(struct seq_f
68387 sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
68388 sock_i_uid(sk), sock_i_ino(sk),
68389 - atomic_read(&sk->sk_refcnt), sk,
68390 - atomic_read(&sk->sk_drops), &len);
68391 + atomic_read(&sk->sk_refcnt),
68392 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68397 + atomic_read_unchecked(&sk->sk_drops), &len);
68399 seq_printf(seq, "%*s\n", 127 - len, "");
68401 diff -urNp linux-2.6.38.6/net/rds/cong.c linux-2.6.38.6/net/rds/cong.c
68402 --- linux-2.6.38.6/net/rds/cong.c 2011-03-14 21:20:32.000000000 -0400
68403 +++ linux-2.6.38.6/net/rds/cong.c 2011-04-28 19:57:25.000000000 -0400
68405 * finds that the saved generation number is smaller than the global generation
68406 * number, it wakes up the process.
68408 -static atomic_t rds_cong_generation = ATOMIC_INIT(0);
68409 +static atomic_unchecked_t rds_cong_generation = ATOMIC_INIT(0);
68412 * Congestion monitoring
68413 @@ -233,7 +233,7 @@ void rds_cong_map_updated(struct rds_con
68414 rdsdebug("waking map %p for %pI4\n",
68415 map, &map->m_addr);
68416 rds_stats_inc(s_cong_update_received);
68417 - atomic_inc(&rds_cong_generation);
68418 + atomic_inc_unchecked(&rds_cong_generation);
68419 if (waitqueue_active(&map->m_waitq))
68420 wake_up(&map->m_waitq);
68421 if (waitqueue_active(&rds_poll_waitq))
68422 @@ -259,7 +259,7 @@ EXPORT_SYMBOL_GPL(rds_cong_map_updated);
68424 int rds_cong_updated_since(unsigned long *recent)
68426 - unsigned long gen = atomic_read(&rds_cong_generation);
68427 + unsigned long gen = atomic_read_unchecked(&rds_cong_generation);
68429 if (likely(*recent == gen))
68431 diff -urNp linux-2.6.38.6/net/rds/ib_cm.c linux-2.6.38.6/net/rds/ib_cm.c
68432 --- linux-2.6.38.6/net/rds/ib_cm.c 2011-03-14 21:20:32.000000000 -0400
68433 +++ linux-2.6.38.6/net/rds/ib_cm.c 2011-05-11 18:35:16.000000000 -0400
68434 @@ -720,7 +720,7 @@ void rds_ib_conn_shutdown(struct rds_con
68435 /* Clear the ACK state */
68436 clear_bit(IB_ACK_IN_FLIGHT, &ic->i_ack_flags);
68437 #ifdef KERNEL_HAS_ATOMIC64
68438 - atomic64_set(&ic->i_ack_next, 0);
68439 + atomic64_set_unchecked(&ic->i_ack_next, 0);
68441 ic->i_ack_next = 0;
68443 diff -urNp linux-2.6.38.6/net/rds/ib.h linux-2.6.38.6/net/rds/ib.h
68444 --- linux-2.6.38.6/net/rds/ib.h 2011-03-14 21:20:32.000000000 -0400
68445 +++ linux-2.6.38.6/net/rds/ib.h 2011-05-11 18:35:16.000000000 -0400
68446 @@ -127,7 +127,7 @@ struct rds_ib_connection {
68448 unsigned long i_ack_flags;
68449 #ifdef KERNEL_HAS_ATOMIC64
68450 - atomic64_t i_ack_next; /* next ACK to send */
68451 + atomic64_unchecked_t i_ack_next; /* next ACK to send */
68453 spinlock_t i_ack_lock; /* protect i_ack_next */
68454 u64 i_ack_next; /* next ACK to send */
68455 diff -urNp linux-2.6.38.6/net/rds/ib_recv.c linux-2.6.38.6/net/rds/ib_recv.c
68456 --- linux-2.6.38.6/net/rds/ib_recv.c 2011-03-14 21:20:32.000000000 -0400
68457 +++ linux-2.6.38.6/net/rds/ib_recv.c 2011-05-11 18:35:16.000000000 -0400
68458 @@ -592,7 +592,7 @@ static u64 rds_ib_get_ack(struct rds_ib_
68459 static void rds_ib_set_ack(struct rds_ib_connection *ic, u64 seq,
68462 - atomic64_set(&ic->i_ack_next, seq);
68463 + atomic64_set_unchecked(&ic->i_ack_next, seq);
68464 if (ack_required) {
68465 smp_mb__before_clear_bit();
68466 set_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
68467 @@ -604,7 +604,7 @@ static u64 rds_ib_get_ack(struct rds_ib_
68468 clear_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
68469 smp_mb__after_clear_bit();
68471 - return atomic64_read(&ic->i_ack_next);
68472 + return atomic64_read_unchecked(&ic->i_ack_next);
68476 diff -urNp linux-2.6.38.6/net/rds/iw_cm.c linux-2.6.38.6/net/rds/iw_cm.c
68477 --- linux-2.6.38.6/net/rds/iw_cm.c 2011-03-14 21:20:32.000000000 -0400
68478 +++ linux-2.6.38.6/net/rds/iw_cm.c 2011-05-11 18:35:16.000000000 -0400
68479 @@ -664,7 +664,7 @@ void rds_iw_conn_shutdown(struct rds_con
68480 /* Clear the ACK state */
68481 clear_bit(IB_ACK_IN_FLIGHT, &ic->i_ack_flags);
68482 #ifdef KERNEL_HAS_ATOMIC64
68483 - atomic64_set(&ic->i_ack_next, 0);
68484 + atomic64_set_unchecked(&ic->i_ack_next, 0);
68486 ic->i_ack_next = 0;
68488 diff -urNp linux-2.6.38.6/net/rds/iw.h linux-2.6.38.6/net/rds/iw.h
68489 --- linux-2.6.38.6/net/rds/iw.h 2011-03-14 21:20:32.000000000 -0400
68490 +++ linux-2.6.38.6/net/rds/iw.h 2011-05-11 18:35:16.000000000 -0400
68491 @@ -133,7 +133,7 @@ struct rds_iw_connection {
68493 unsigned long i_ack_flags;
68494 #ifdef KERNEL_HAS_ATOMIC64
68495 - atomic64_t i_ack_next; /* next ACK to send */
68496 + atomic64_unchecked_t i_ack_next; /* next ACK to send */
68498 spinlock_t i_ack_lock; /* protect i_ack_next */
68499 u64 i_ack_next; /* next ACK to send */
68500 diff -urNp linux-2.6.38.6/net/rds/iw_rdma.c linux-2.6.38.6/net/rds/iw_rdma.c
68501 --- linux-2.6.38.6/net/rds/iw_rdma.c 2011-03-14 21:20:32.000000000 -0400
68502 +++ linux-2.6.38.6/net/rds/iw_rdma.c 2011-05-16 21:47:09.000000000 -0400
68503 @@ -182,6 +182,8 @@ int rds_iw_update_cm_id(struct rds_iw_de
68504 struct rdma_cm_id *pcm_id;
68507 + pax_track_stack();
68509 src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
68510 dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
68512 diff -urNp linux-2.6.38.6/net/rds/iw_recv.c linux-2.6.38.6/net/rds/iw_recv.c
68513 --- linux-2.6.38.6/net/rds/iw_recv.c 2011-03-14 21:20:32.000000000 -0400
68514 +++ linux-2.6.38.6/net/rds/iw_recv.c 2011-05-11 18:35:16.000000000 -0400
68515 @@ -427,7 +427,7 @@ static u64 rds_iw_get_ack(struct rds_iw_
68516 static void rds_iw_set_ack(struct rds_iw_connection *ic, u64 seq,
68519 - atomic64_set(&ic->i_ack_next, seq);
68520 + atomic64_set_unchecked(&ic->i_ack_next, seq);
68521 if (ack_required) {
68522 smp_mb__before_clear_bit();
68523 set_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
68524 @@ -439,7 +439,7 @@ static u64 rds_iw_get_ack(struct rds_iw_
68525 clear_bit(IB_ACK_REQUESTED, &ic->i_ack_flags);
68526 smp_mb__after_clear_bit();
68528 - return atomic64_read(&ic->i_ack_next);
68529 + return atomic64_read_unchecked(&ic->i_ack_next);
68533 diff -urNp linux-2.6.38.6/net/rxrpc/af_rxrpc.c linux-2.6.38.6/net/rxrpc/af_rxrpc.c
68534 --- linux-2.6.38.6/net/rxrpc/af_rxrpc.c 2011-03-14 21:20:32.000000000 -0400
68535 +++ linux-2.6.38.6/net/rxrpc/af_rxrpc.c 2011-04-28 19:57:25.000000000 -0400
68536 @@ -39,7 +39,7 @@ static const struct proto_ops rxrpc_rpc_
68537 __be32 rxrpc_epoch;
68539 /* current debugging ID */
68540 -atomic_t rxrpc_debug_id;
68541 +atomic_unchecked_t rxrpc_debug_id;
68543 /* count of skbs currently in use */
68544 atomic_t rxrpc_n_skbs;
68545 diff -urNp linux-2.6.38.6/net/rxrpc/ar-ack.c linux-2.6.38.6/net/rxrpc/ar-ack.c
68546 --- linux-2.6.38.6/net/rxrpc/ar-ack.c 2011-03-14 21:20:32.000000000 -0400
68547 +++ linux-2.6.38.6/net/rxrpc/ar-ack.c 2011-05-16 21:47:08.000000000 -0400
68548 @@ -175,7 +175,7 @@ static void rxrpc_resend(struct rxrpc_ca
68550 _enter("{%d,%d,%d,%d},",
68551 call->acks_hard, call->acks_unacked,
68552 - atomic_read(&call->sequence),
68553 + atomic_read_unchecked(&call->sequence),
68554 CIRC_CNT(call->acks_head, call->acks_tail, call->acks_winsz));
68557 @@ -199,7 +199,7 @@ static void rxrpc_resend(struct rxrpc_ca
68559 /* each Tx packet has a new serial number */
68561 - htonl(atomic_inc_return(&call->conn->serial));
68562 + htonl(atomic_inc_return_unchecked(&call->conn->serial));
68564 hdr = (struct rxrpc_header *) txb->head;
68565 hdr->serial = sp->hdr.serial;
68566 @@ -405,7 +405,7 @@ static void rxrpc_rotate_tx_window(struc
68568 static void rxrpc_clear_tx_window(struct rxrpc_call *call)
68570 - rxrpc_rotate_tx_window(call, atomic_read(&call->sequence));
68571 + rxrpc_rotate_tx_window(call, atomic_read_unchecked(&call->sequence));
68575 @@ -631,7 +631,7 @@ process_further:
68577 latest = ntohl(sp->hdr.serial);
68578 hard = ntohl(ack.firstPacket);
68579 - tx = atomic_read(&call->sequence);
68580 + tx = atomic_read_unchecked(&call->sequence);
68582 _proto("Rx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
68584 @@ -844,6 +844,8 @@ void rxrpc_process_call(struct work_stru
68585 u32 abort_code = RX_PROTOCOL_ERROR;
68588 + pax_track_stack();
68590 //printk("\n--------------------\n");
68591 _enter("{%d,%s,%lx} [%lu]",
68592 call->debug_id, rxrpc_call_states[call->state], call->events,
68593 @@ -1163,7 +1165,7 @@ void rxrpc_process_call(struct work_stru
68594 goto maybe_reschedule;
68596 send_ACK_with_skew:
68597 - ack.maxSkew = htons(atomic_read(&call->conn->hi_serial) -
68598 + ack.maxSkew = htons(atomic_read_unchecked(&call->conn->hi_serial) -
68599 ntohl(ack.serial));
68601 mtu = call->conn->trans->peer->if_mtu;
68602 @@ -1175,7 +1177,7 @@ send_ACK:
68603 ackinfo.rxMTU = htonl(5692);
68604 ackinfo.jumbo_max = htonl(4);
68606 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
68607 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
68608 _proto("Tx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
68610 ntohs(ack.maxSkew),
68611 @@ -1193,7 +1195,7 @@ send_ACK:
68613 _debug("send message");
68615 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
68616 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
68617 _proto("Tx %s %%%u", rxrpc_pkts[hdr.type], ntohl(hdr.serial));
68620 diff -urNp linux-2.6.38.6/net/rxrpc/ar-call.c linux-2.6.38.6/net/rxrpc/ar-call.c
68621 --- linux-2.6.38.6/net/rxrpc/ar-call.c 2011-03-14 21:20:32.000000000 -0400
68622 +++ linux-2.6.38.6/net/rxrpc/ar-call.c 2011-04-28 19:57:25.000000000 -0400
68623 @@ -83,7 +83,7 @@ static struct rxrpc_call *rxrpc_alloc_ca
68624 spin_lock_init(&call->lock);
68625 rwlock_init(&call->state_lock);
68626 atomic_set(&call->usage, 1);
68627 - call->debug_id = atomic_inc_return(&rxrpc_debug_id);
68628 + call->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
68629 call->state = RXRPC_CALL_CLIENT_SEND_REQUEST;
68631 memset(&call->sock_node, 0xed, sizeof(call->sock_node));
68632 diff -urNp linux-2.6.38.6/net/rxrpc/ar-connection.c linux-2.6.38.6/net/rxrpc/ar-connection.c
68633 --- linux-2.6.38.6/net/rxrpc/ar-connection.c 2011-03-14 21:20:32.000000000 -0400
68634 +++ linux-2.6.38.6/net/rxrpc/ar-connection.c 2011-04-28 19:57:25.000000000 -0400
68635 @@ -206,7 +206,7 @@ static struct rxrpc_connection *rxrpc_al
68636 rwlock_init(&conn->lock);
68637 spin_lock_init(&conn->state_lock);
68638 atomic_set(&conn->usage, 1);
68639 - conn->debug_id = atomic_inc_return(&rxrpc_debug_id);
68640 + conn->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
68641 conn->avail_calls = RXRPC_MAXCALLS;
68642 conn->size_align = 4;
68643 conn->header_size = sizeof(struct rxrpc_header);
68644 diff -urNp linux-2.6.38.6/net/rxrpc/ar-connevent.c linux-2.6.38.6/net/rxrpc/ar-connevent.c
68645 --- linux-2.6.38.6/net/rxrpc/ar-connevent.c 2011-03-14 21:20:32.000000000 -0400
68646 +++ linux-2.6.38.6/net/rxrpc/ar-connevent.c 2011-04-28 19:57:25.000000000 -0400
68647 @@ -109,7 +109,7 @@ static int rxrpc_abort_connection(struct
68649 len = iov[0].iov_len + iov[1].iov_len;
68651 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
68652 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
68653 _proto("Tx CONN ABORT %%%u { %d }", ntohl(hdr.serial), abort_code);
68655 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
68656 diff -urNp linux-2.6.38.6/net/rxrpc/ar-input.c linux-2.6.38.6/net/rxrpc/ar-input.c
68657 --- linux-2.6.38.6/net/rxrpc/ar-input.c 2011-03-14 21:20:32.000000000 -0400
68658 +++ linux-2.6.38.6/net/rxrpc/ar-input.c 2011-04-28 19:57:25.000000000 -0400
68659 @@ -340,9 +340,9 @@ void rxrpc_fast_process_packet(struct rx
68660 /* track the latest serial number on this connection for ACK packet
68662 serial = ntohl(sp->hdr.serial);
68663 - hi_serial = atomic_read(&call->conn->hi_serial);
68664 + hi_serial = atomic_read_unchecked(&call->conn->hi_serial);
68665 while (serial > hi_serial)
68666 - hi_serial = atomic_cmpxchg(&call->conn->hi_serial, hi_serial,
68667 + hi_serial = atomic_cmpxchg_unchecked(&call->conn->hi_serial, hi_serial,
68670 /* request ACK generation for any ACK or DATA packet that requests
68671 diff -urNp linux-2.6.38.6/net/rxrpc/ar-internal.h linux-2.6.38.6/net/rxrpc/ar-internal.h
68672 --- linux-2.6.38.6/net/rxrpc/ar-internal.h 2011-03-14 21:20:32.000000000 -0400
68673 +++ linux-2.6.38.6/net/rxrpc/ar-internal.h 2011-04-28 19:57:25.000000000 -0400
68674 @@ -272,8 +272,8 @@ struct rxrpc_connection {
68675 int error; /* error code for local abort */
68676 int debug_id; /* debug ID for printks */
68677 unsigned call_counter; /* call ID counter */
68678 - atomic_t serial; /* packet serial number counter */
68679 - atomic_t hi_serial; /* highest serial number received */
68680 + atomic_unchecked_t serial; /* packet serial number counter */
68681 + atomic_unchecked_t hi_serial; /* highest serial number received */
68682 u8 avail_calls; /* number of calls available */
68683 u8 size_align; /* data size alignment (for security) */
68684 u8 header_size; /* rxrpc + security header size */
68685 @@ -346,7 +346,7 @@ struct rxrpc_call {
68687 rwlock_t state_lock; /* lock for state transition */
68689 - atomic_t sequence; /* Tx data packet sequence counter */
68690 + atomic_unchecked_t sequence; /* Tx data packet sequence counter */
68691 u32 abort_code; /* local/remote abort code */
68692 enum { /* current state of call */
68693 RXRPC_CALL_CLIENT_SEND_REQUEST, /* - client sending request phase */
68694 @@ -420,7 +420,7 @@ static inline void rxrpc_abort_call(stru
68696 extern atomic_t rxrpc_n_skbs;
68697 extern __be32 rxrpc_epoch;
68698 -extern atomic_t rxrpc_debug_id;
68699 +extern atomic_unchecked_t rxrpc_debug_id;
68700 extern struct workqueue_struct *rxrpc_workqueue;
68703 diff -urNp linux-2.6.38.6/net/rxrpc/ar-local.c linux-2.6.38.6/net/rxrpc/ar-local.c
68704 --- linux-2.6.38.6/net/rxrpc/ar-local.c 2011-03-14 21:20:32.000000000 -0400
68705 +++ linux-2.6.38.6/net/rxrpc/ar-local.c 2011-04-28 19:57:25.000000000 -0400
68706 @@ -45,7 +45,7 @@ struct rxrpc_local *rxrpc_alloc_local(st
68707 spin_lock_init(&local->lock);
68708 rwlock_init(&local->services_lock);
68709 atomic_set(&local->usage, 1);
68710 - local->debug_id = atomic_inc_return(&rxrpc_debug_id);
68711 + local->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
68712 memcpy(&local->srx, srx, sizeof(*srx));
68715 diff -urNp linux-2.6.38.6/net/rxrpc/ar-output.c linux-2.6.38.6/net/rxrpc/ar-output.c
68716 --- linux-2.6.38.6/net/rxrpc/ar-output.c 2011-03-14 21:20:32.000000000 -0400
68717 +++ linux-2.6.38.6/net/rxrpc/ar-output.c 2011-04-28 19:57:25.000000000 -0400
68718 @@ -681,9 +681,9 @@ static int rxrpc_send_data(struct kiocb
68719 sp->hdr.cid = call->cid;
68720 sp->hdr.callNumber = call->call_id;
68722 - htonl(atomic_inc_return(&call->sequence));
68723 + htonl(atomic_inc_return_unchecked(&call->sequence));
68725 - htonl(atomic_inc_return(&conn->serial));
68726 + htonl(atomic_inc_return_unchecked(&conn->serial));
68727 sp->hdr.type = RXRPC_PACKET_TYPE_DATA;
68728 sp->hdr.userStatus = 0;
68729 sp->hdr.securityIndex = conn->security_ix;
68730 diff -urNp linux-2.6.38.6/net/rxrpc/ar-peer.c linux-2.6.38.6/net/rxrpc/ar-peer.c
68731 --- linux-2.6.38.6/net/rxrpc/ar-peer.c 2011-03-14 21:20:32.000000000 -0400
68732 +++ linux-2.6.38.6/net/rxrpc/ar-peer.c 2011-04-28 19:57:25.000000000 -0400
68733 @@ -87,7 +87,7 @@ static struct rxrpc_peer *rxrpc_alloc_pe
68734 INIT_LIST_HEAD(&peer->error_targets);
68735 spin_lock_init(&peer->lock);
68736 atomic_set(&peer->usage, 1);
68737 - peer->debug_id = atomic_inc_return(&rxrpc_debug_id);
68738 + peer->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
68739 memcpy(&peer->srx, srx, sizeof(*srx));
68741 rxrpc_assess_MTU_size(peer);
68742 diff -urNp linux-2.6.38.6/net/rxrpc/ar-proc.c linux-2.6.38.6/net/rxrpc/ar-proc.c
68743 --- linux-2.6.38.6/net/rxrpc/ar-proc.c 2011-03-14 21:20:32.000000000 -0400
68744 +++ linux-2.6.38.6/net/rxrpc/ar-proc.c 2011-04-28 19:57:25.000000000 -0400
68745 @@ -164,8 +164,8 @@ static int rxrpc_connection_seq_show(str
68746 atomic_read(&conn->usage),
68747 rxrpc_conn_states[conn->state],
68748 key_serial(conn->key),
68749 - atomic_read(&conn->serial),
68750 - atomic_read(&conn->hi_serial));
68751 + atomic_read_unchecked(&conn->serial),
68752 + atomic_read_unchecked(&conn->hi_serial));
68756 diff -urNp linux-2.6.38.6/net/rxrpc/ar-transport.c linux-2.6.38.6/net/rxrpc/ar-transport.c
68757 --- linux-2.6.38.6/net/rxrpc/ar-transport.c 2011-03-14 21:20:32.000000000 -0400
68758 +++ linux-2.6.38.6/net/rxrpc/ar-transport.c 2011-04-28 19:57:25.000000000 -0400
68759 @@ -47,7 +47,7 @@ static struct rxrpc_transport *rxrpc_all
68760 spin_lock_init(&trans->client_lock);
68761 rwlock_init(&trans->conn_lock);
68762 atomic_set(&trans->usage, 1);
68763 - trans->debug_id = atomic_inc_return(&rxrpc_debug_id);
68764 + trans->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
68766 if (peer->srx.transport.family == AF_INET) {
68767 switch (peer->srx.transport_type) {
68768 diff -urNp linux-2.6.38.6/net/rxrpc/rxkad.c linux-2.6.38.6/net/rxrpc/rxkad.c
68769 --- linux-2.6.38.6/net/rxrpc/rxkad.c 2011-03-14 21:20:32.000000000 -0400
68770 +++ linux-2.6.38.6/net/rxrpc/rxkad.c 2011-05-16 21:47:08.000000000 -0400
68771 @@ -211,6 +211,8 @@ static int rxkad_secure_packet_encrypt(c
68775 + pax_track_stack();
68777 sp = rxrpc_skb(skb);
68780 @@ -338,6 +340,8 @@ static int rxkad_verify_packet_auth(cons
68784 + pax_track_stack();
68788 sp = rxrpc_skb(skb);
68789 @@ -610,7 +614,7 @@ static int rxkad_issue_challenge(struct
68791 len = iov[0].iov_len + iov[1].iov_len;
68793 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
68794 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
68795 _proto("Tx CHALLENGE %%%u", ntohl(hdr.serial));
68797 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
68798 @@ -660,7 +664,7 @@ static int rxkad_send_response(struct rx
68800 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
68802 - hdr->serial = htonl(atomic_inc_return(&conn->serial));
68803 + hdr->serial = htonl(atomic_inc_return_unchecked(&conn->serial));
68804 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
68806 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
68807 diff -urNp linux-2.6.38.6/net/sctp/proc.c linux-2.6.38.6/net/sctp/proc.c
68808 --- linux-2.6.38.6/net/sctp/proc.c 2011-03-14 21:20:32.000000000 -0400
68809 +++ linux-2.6.38.6/net/sctp/proc.c 2011-04-28 19:34:15.000000000 -0400
68810 @@ -212,7 +212,12 @@ static int sctp_eps_seq_show(struct seq_
68811 sctp_for_each_hentry(epb, node, &head->chain) {
68814 - seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
68815 + seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ",
68816 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68821 sctp_sk(sk)->type, sk->sk_state, hash,
68822 epb->bind_addr.port,
68823 sock_i_uid(sk), sock_i_ino(sk));
68824 @@ -318,7 +323,12 @@ static int sctp_assocs_seq_show(struct s
68826 "%8p %8p %-3d %-3d %-2d %-4d "
68827 "%4d %8d %8d %7d %5lu %-5d %5d ",
68828 - assoc, sk, sctp_sk(sk)->type, sk->sk_state,
68829 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68834 + sctp_sk(sk)->type, sk->sk_state,
68835 assoc->state, hash,
68837 assoc->sndbuf_used,
68838 diff -urNp linux-2.6.38.6/net/sctp/socket.c linux-2.6.38.6/net/sctp/socket.c
68839 --- linux-2.6.38.6/net/sctp/socket.c 2011-03-14 21:20:32.000000000 -0400
68840 +++ linux-2.6.38.6/net/sctp/socket.c 2011-04-28 19:34:15.000000000 -0400
68841 @@ -4435,7 +4435,7 @@ static int sctp_getsockopt_peer_addrs(st
68842 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
68843 if (space_left < addrlen)
68845 - if (copy_to_user(to, &temp, addrlen))
68846 + if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
68850 diff -urNp linux-2.6.38.6/net/socket.c linux-2.6.38.6/net/socket.c
68851 --- linux-2.6.38.6/net/socket.c 2011-04-18 17:27:16.000000000 -0400
68852 +++ linux-2.6.38.6/net/socket.c 2011-05-16 21:47:09.000000000 -0400
68854 #include <linux/nsproxy.h>
68855 #include <linux/magic.h>
68856 #include <linux/slab.h>
68857 +#include <linux/in.h>
68859 #include <asm/uaccess.h>
68860 #include <asm/unistd.h>
68861 @@ -105,6 +106,8 @@
68862 #include <linux/sockios.h>
68863 #include <linux/atalk.h>
68865 +#include <linux/grsock.h>
68867 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
68868 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
68869 unsigned long nr_segs, loff_t pos);
68870 @@ -326,7 +329,7 @@ static struct dentry *sockfs_mount(struc
68871 &sockfs_dentry_operations, SOCKFS_MAGIC);
68874 -static struct vfsmount *sock_mnt __read_mostly;
68875 +struct vfsmount *sock_mnt __read_mostly;
68877 static struct file_system_type sock_fs_type = {
68879 @@ -1174,6 +1177,8 @@ int __sock_create(struct net *net, int f
68880 return -EAFNOSUPPORT;
68881 if (type < 0 || type >= SOCK_MAX)
68883 + if (protocol < 0)
68888 @@ -1306,6 +1311,16 @@ SYSCALL_DEFINE3(socket, int, family, int
68889 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
68890 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
68892 + if(!gr_search_socket(family, type, protocol)) {
68893 + retval = -EACCES;
68897 + if (gr_handle_sock_all(family, type, protocol)) {
68898 + retval = -EACCES;
68902 retval = sock_create(family, type, protocol, &sock);
68905 @@ -1418,6 +1433,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
68907 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
68909 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
68913 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
68917 err = security_socket_bind(sock,
68918 (struct sockaddr *)&address,
68920 @@ -1426,6 +1449,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
68921 (struct sockaddr *)
68922 &address, addrlen);
68925 fput_light(sock->file, fput_needed);
68928 @@ -1449,10 +1473,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
68929 if ((unsigned)backlog > somaxconn)
68930 backlog = somaxconn;
68932 + if (gr_handle_sock_server_other(sock->sk)) {
68937 + err = gr_search_listen(sock);
68941 err = security_socket_listen(sock, backlog);
68943 err = sock->ops->listen(sock, backlog);
68946 fput_light(sock->file, fput_needed);
68949 @@ -1496,6 +1530,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
68950 newsock->type = sock->type;
68951 newsock->ops = sock->ops;
68953 + if (gr_handle_sock_server_other(sock->sk)) {
68955 + sock_release(newsock);
68959 + err = gr_search_accept(sock);
68961 + sock_release(newsock);
68966 * We don't need try_module_get here, as the listening socket (sock)
68967 * has the protocol module (sock->ops->owner) held.
68968 @@ -1534,6 +1580,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
68969 fd_install(newfd, newfile);
68972 + gr_attach_curr_ip(newsock->sk);
68975 fput_light(sock->file, fput_needed);
68977 @@ -1566,6 +1614,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
68980 struct socket *sock;
68981 + struct sockaddr *sck;
68982 struct sockaddr_storage address;
68983 int err, fput_needed;
68985 @@ -1576,6 +1625,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
68989 + sck = (struct sockaddr *)&address;
68991 + if (gr_handle_sock_client(sck)) {
68996 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
69001 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
69003 @@ -1877,6 +1937,8 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct
69004 int err, ctl_len, iov_size, total_len;
69007 + pax_track_stack();
69010 if (MSG_CMSG_COMPAT & flags) {
69011 if (get_compat_msghdr(&msg_sys, msg_compat))
69012 diff -urNp linux-2.6.38.6/net/sunrpc/sched.c linux-2.6.38.6/net/sunrpc/sched.c
69013 --- linux-2.6.38.6/net/sunrpc/sched.c 2011-04-18 17:27:14.000000000 -0400
69014 +++ linux-2.6.38.6/net/sunrpc/sched.c 2011-04-28 19:34:15.000000000 -0400
69015 @@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
69017 static void rpc_task_set_debuginfo(struct rpc_task *task)
69019 - static atomic_t rpc_pid;
69020 + static atomic_unchecked_t rpc_pid;
69022 - task->tk_pid = atomic_inc_return(&rpc_pid);
69023 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
69026 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
69027 diff -urNp linux-2.6.38.6/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.38.6/net/sunrpc/xprtrdma/svc_rdma.c
69028 --- linux-2.6.38.6/net/sunrpc/xprtrdma/svc_rdma.c 2011-03-14 21:20:32.000000000 -0400
69029 +++ linux-2.6.38.6/net/sunrpc/xprtrdma/svc_rdma.c 2011-04-28 19:57:25.000000000 -0400
69030 @@ -61,15 +61,15 @@ unsigned int svcrdma_max_req_size = RPCR
69031 static unsigned int min_max_inline = 4096;
69032 static unsigned int max_max_inline = 65536;
69034 -atomic_t rdma_stat_recv;
69035 -atomic_t rdma_stat_read;
69036 -atomic_t rdma_stat_write;
69037 -atomic_t rdma_stat_sq_starve;
69038 -atomic_t rdma_stat_rq_starve;
69039 -atomic_t rdma_stat_rq_poll;
69040 -atomic_t rdma_stat_rq_prod;
69041 -atomic_t rdma_stat_sq_poll;
69042 -atomic_t rdma_stat_sq_prod;
69043 +atomic_unchecked_t rdma_stat_recv;
69044 +atomic_unchecked_t rdma_stat_read;
69045 +atomic_unchecked_t rdma_stat_write;
69046 +atomic_unchecked_t rdma_stat_sq_starve;
69047 +atomic_unchecked_t rdma_stat_rq_starve;
69048 +atomic_unchecked_t rdma_stat_rq_poll;
69049 +atomic_unchecked_t rdma_stat_rq_prod;
69050 +atomic_unchecked_t rdma_stat_sq_poll;
69051 +atomic_unchecked_t rdma_stat_sq_prod;
69053 /* Temporary NFS request map and context caches */
69054 struct kmem_cache *svc_rdma_map_cachep;
69055 @@ -109,7 +109,7 @@ static int read_reset_stat(ctl_table *ta
69059 - if (len && copy_to_user(buffer, str_buf, len))
69060 + if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
69064 @@ -150,63 +150,63 @@ static ctl_table svcrdma_parm_table[] =
69066 .procname = "rdma_stat_read",
69067 .data = &rdma_stat_read,
69068 - .maxlen = sizeof(atomic_t),
69069 + .maxlen = sizeof(atomic_unchecked_t),
69071 .proc_handler = read_reset_stat,
69074 .procname = "rdma_stat_recv",
69075 .data = &rdma_stat_recv,
69076 - .maxlen = sizeof(atomic_t),
69077 + .maxlen = sizeof(atomic_unchecked_t),
69079 .proc_handler = read_reset_stat,
69082 .procname = "rdma_stat_write",
69083 .data = &rdma_stat_write,
69084 - .maxlen = sizeof(atomic_t),
69085 + .maxlen = sizeof(atomic_unchecked_t),
69087 .proc_handler = read_reset_stat,
69090 .procname = "rdma_stat_sq_starve",
69091 .data = &rdma_stat_sq_starve,
69092 - .maxlen = sizeof(atomic_t),
69093 + .maxlen = sizeof(atomic_unchecked_t),
69095 .proc_handler = read_reset_stat,
69098 .procname = "rdma_stat_rq_starve",
69099 .data = &rdma_stat_rq_starve,
69100 - .maxlen = sizeof(atomic_t),
69101 + .maxlen = sizeof(atomic_unchecked_t),
69103 .proc_handler = read_reset_stat,
69106 .procname = "rdma_stat_rq_poll",
69107 .data = &rdma_stat_rq_poll,
69108 - .maxlen = sizeof(atomic_t),
69109 + .maxlen = sizeof(atomic_unchecked_t),
69111 .proc_handler = read_reset_stat,
69114 .procname = "rdma_stat_rq_prod",
69115 .data = &rdma_stat_rq_prod,
69116 - .maxlen = sizeof(atomic_t),
69117 + .maxlen = sizeof(atomic_unchecked_t),
69119 .proc_handler = read_reset_stat,
69122 .procname = "rdma_stat_sq_poll",
69123 .data = &rdma_stat_sq_poll,
69124 - .maxlen = sizeof(atomic_t),
69125 + .maxlen = sizeof(atomic_unchecked_t),
69127 .proc_handler = read_reset_stat,
69130 .procname = "rdma_stat_sq_prod",
69131 .data = &rdma_stat_sq_prod,
69132 - .maxlen = sizeof(atomic_t),
69133 + .maxlen = sizeof(atomic_unchecked_t),
69135 .proc_handler = read_reset_stat,
69137 diff -urNp linux-2.6.38.6/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c linux-2.6.38.6/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
69138 --- linux-2.6.38.6/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-03-14 21:20:32.000000000 -0400
69139 +++ linux-2.6.38.6/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-04-28 19:57:25.000000000 -0400
69140 @@ -499,7 +499,7 @@ next_sge:
69141 svc_rdma_put_context(ctxt, 0);
69144 - atomic_inc(&rdma_stat_read);
69145 + atomic_inc_unchecked(&rdma_stat_read);
69147 if (read_wr.num_sge < chl_map->ch[ch_no].count) {
69148 chl_map->ch[ch_no].count -= read_wr.num_sge;
69149 @@ -609,7 +609,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
69151 list_del_init(&ctxt->dto_q);
69153 - atomic_inc(&rdma_stat_rq_starve);
69154 + atomic_inc_unchecked(&rdma_stat_rq_starve);
69155 clear_bit(XPT_DATA, &xprt->xpt_flags);
69158 @@ -629,7 +629,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
69159 dprintk("svcrdma: processing ctxt=%p on xprt=%p, rqstp=%p, status=%d\n",
69160 ctxt, rdma_xprt, rqstp, ctxt->wc_status);
69161 BUG_ON(ctxt->wc_status != IB_WC_SUCCESS);
69162 - atomic_inc(&rdma_stat_recv);
69163 + atomic_inc_unchecked(&rdma_stat_recv);
69165 /* Build up the XDR from the receive buffers. */
69166 rdma_build_arg_xdr(rqstp, ctxt, ctxt->byte_len);
69167 diff -urNp linux-2.6.38.6/net/sunrpc/xprtrdma/svc_rdma_sendto.c linux-2.6.38.6/net/sunrpc/xprtrdma/svc_rdma_sendto.c
69168 --- linux-2.6.38.6/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-03-14 21:20:32.000000000 -0400
69169 +++ linux-2.6.38.6/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-04-28 19:57:25.000000000 -0400
69170 @@ -362,7 +362,7 @@ static int send_write(struct svcxprt_rdm
69171 write_wr.wr.rdma.remote_addr = to;
69174 - atomic_inc(&rdma_stat_write);
69175 + atomic_inc_unchecked(&rdma_stat_write);
69176 if (svc_rdma_send(xprt, &write_wr))
69179 diff -urNp linux-2.6.38.6/net/sunrpc/xprtrdma/svc_rdma_transport.c linux-2.6.38.6/net/sunrpc/xprtrdma/svc_rdma_transport.c
69180 --- linux-2.6.38.6/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-03-14 21:20:32.000000000 -0400
69181 +++ linux-2.6.38.6/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-04-28 19:57:25.000000000 -0400
69182 @@ -298,7 +298,7 @@ static void rq_cq_reap(struct svcxprt_rd
69185 ib_req_notify_cq(xprt->sc_rq_cq, IB_CQ_NEXT_COMP);
69186 - atomic_inc(&rdma_stat_rq_poll);
69187 + atomic_inc_unchecked(&rdma_stat_rq_poll);
69189 while ((ret = ib_poll_cq(xprt->sc_rq_cq, 1, &wc)) > 0) {
69190 ctxt = (struct svc_rdma_op_ctxt *)(unsigned long)wc.wr_id;
69191 @@ -320,7 +320,7 @@ static void rq_cq_reap(struct svcxprt_rd
69195 - atomic_inc(&rdma_stat_rq_prod);
69196 + atomic_inc_unchecked(&rdma_stat_rq_prod);
69198 set_bit(XPT_DATA, &xprt->sc_xprt.xpt_flags);
69200 @@ -392,7 +392,7 @@ static void sq_cq_reap(struct svcxprt_rd
69203 ib_req_notify_cq(xprt->sc_sq_cq, IB_CQ_NEXT_COMP);
69204 - atomic_inc(&rdma_stat_sq_poll);
69205 + atomic_inc_unchecked(&rdma_stat_sq_poll);
69206 while ((ret = ib_poll_cq(cq, 1, &wc)) > 0) {
69207 if (wc.status != IB_WC_SUCCESS)
69208 /* Close the transport */
69209 @@ -410,7 +410,7 @@ static void sq_cq_reap(struct svcxprt_rd
69213 - atomic_inc(&rdma_stat_sq_prod);
69214 + atomic_inc_unchecked(&rdma_stat_sq_prod);
69217 static void sq_comp_handler(struct ib_cq *cq, void *cq_context)
69218 @@ -1271,7 +1271,7 @@ int svc_rdma_send(struct svcxprt_rdma *x
69219 spin_lock_bh(&xprt->sc_lock);
69220 if (xprt->sc_sq_depth < atomic_read(&xprt->sc_sq_count) + wr_count) {
69221 spin_unlock_bh(&xprt->sc_lock);
69222 - atomic_inc(&rdma_stat_sq_starve);
69223 + atomic_inc_unchecked(&rdma_stat_sq_starve);
69225 /* See if we can opportunistically reap SQ WR to make room */
69227 diff -urNp linux-2.6.38.6/net/sysctl_net.c linux-2.6.38.6/net/sysctl_net.c
69228 --- linux-2.6.38.6/net/sysctl_net.c 2011-03-14 21:20:32.000000000 -0400
69229 +++ linux-2.6.38.6/net/sysctl_net.c 2011-04-28 19:34:15.000000000 -0400
69230 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
69231 struct ctl_table *table)
69233 /* Allow network administrator to have same access as root. */
69234 - if (capable(CAP_NET_ADMIN)) {
69235 + if (capable_nolog(CAP_NET_ADMIN)) {
69236 int mode = (table->mode >> 6) & 7;
69237 return (mode << 6) | (mode << 3) | mode;
69239 diff -urNp linux-2.6.38.6/net/unix/af_unix.c linux-2.6.38.6/net/unix/af_unix.c
69240 --- linux-2.6.38.6/net/unix/af_unix.c 2011-05-10 22:06:29.000000000 -0400
69241 +++ linux-2.6.38.6/net/unix/af_unix.c 2011-05-10 22:09:03.000000000 -0400
69242 @@ -767,6 +767,12 @@ static struct sock *unix_find_other(stru
69243 err = -ECONNREFUSED;
69244 if (!S_ISSOCK(inode->i_mode))
69247 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
69252 u = unix_find_socket_byinode(inode);
69255 @@ -787,6 +793,13 @@ static struct sock *unix_find_other(stru
69257 struct dentry *dentry;
69258 dentry = unix_sk(u)->dentry;
69260 + if (!gr_handle_chroot_unix(u->sk_peer_pid)) {
69267 touch_atime(unix_sk(u)->mnt, dentry);
69269 @@ -872,11 +885,18 @@ static int unix_bind(struct socket *sock
69270 err = security_path_mknod(&nd.path, dentry, mode, 0);
69272 goto out_mknod_drop_write;
69273 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
69275 + goto out_mknod_drop_write;
69277 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
69278 out_mknod_drop_write:
69279 mnt_drop_write(nd.path.mnt);
69281 goto out_mknod_dput;
69283 + gr_handle_create(dentry, nd.path.mnt);
69285 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
69286 dput(nd.path.dentry);
69287 nd.path.dentry = dentry;
69288 @@ -894,6 +914,11 @@ out_mknod_drop_write:
69292 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
69293 + put_pid(sk->sk_peer_pid);
69294 + sk->sk_peer_pid = get_pid(task_tgid(current));
69297 list = &unix_socket_table[addr->hash];
69299 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
69300 @@ -2249,7 +2274,11 @@ static int unix_seq_show(struct seq_file
69301 unix_state_lock(s);
69303 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
69304 +#ifdef CONFIG_GRKERNSEC_HIDESYM
69309 atomic_read(&s->sk_refcnt),
69311 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
69312 diff -urNp linux-2.6.38.6/net/wireless/wext-core.c linux-2.6.38.6/net/wireless/wext-core.c
69313 --- linux-2.6.38.6/net/wireless/wext-core.c 2011-03-14 21:20:32.000000000 -0400
69314 +++ linux-2.6.38.6/net/wireless/wext-core.c 2011-04-28 19:34:15.000000000 -0400
69315 @@ -746,8 +746,7 @@ static int ioctl_standard_iw_point(struc
69318 /* Support for very large requests */
69319 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
69320 - (user_length > descr->max_tokens)) {
69321 + if (user_length > descr->max_tokens) {
69322 /* Allow userspace to GET more than max so
69323 * we can support any size GET requests.
69324 * There is still a limit : -ENOMEM.
69325 @@ -784,22 +783,6 @@ static int ioctl_standard_iw_point(struc
69329 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
69331 - * If this is a GET, but not NOMAX, it means that the extra
69332 - * data is not bounded by userspace, but by max_tokens. Thus
69333 - * set the length to max_tokens. This matches the extra data
69335 - * The driver should fill it with the number of tokens it
69336 - * provided, and it may check iwp->length rather than having
69337 - * knowledge of max_tokens. If the driver doesn't change the
69338 - * iwp->length, this ioctl just copies back max_token tokens
69339 - * filled with zeroes. Hopefully the driver isn't claiming
69340 - * them to be valid data.
69342 - iwp->length = descr->max_tokens;
69345 err = handler(dev, info, (union iwreq_data *) iwp, extra);
69347 iwp->length += essid_compat;
69348 diff -urNp linux-2.6.38.6/net/xfrm/xfrm_policy.c linux-2.6.38.6/net/xfrm/xfrm_policy.c
69349 --- linux-2.6.38.6/net/xfrm/xfrm_policy.c 2011-04-22 19:20:59.000000000 -0400
69350 +++ linux-2.6.38.6/net/xfrm/xfrm_policy.c 2011-04-28 19:57:25.000000000 -0400
69351 @@ -296,7 +296,7 @@ static void xfrm_policy_kill(struct xfrm
69353 policy->walk.dead = 1;
69355 - atomic_inc(&policy->genid);
69356 + atomic_inc_unchecked(&policy->genid);
69358 if (del_timer(&policy->timer))
69359 xfrm_pol_put(policy);
69360 @@ -575,7 +575,7 @@ int xfrm_policy_insert(int dir, struct x
69361 hlist_add_head(&policy->bydst, chain);
69362 xfrm_pol_hold(policy);
69363 net->xfrm.policy_count[dir]++;
69364 - atomic_inc(&flow_cache_genid);
69365 + atomic_inc_unchecked(&flow_cache_genid);
69367 __xfrm_policy_unlink(delpol, dir);
69368 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir);
69369 @@ -1507,7 +1507,7 @@ free_dst:
69375 xfrm_dst_alloc_copy(void **target, void *src, int size)
69378 @@ -1519,7 +1519,7 @@ xfrm_dst_alloc_copy(void **target, void
69384 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
69386 #ifdef CONFIG_XFRM_SUB_POLICY
69387 @@ -1531,7 +1531,7 @@ xfrm_dst_update_parent(struct dst_entry
69393 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
69395 #ifdef CONFIG_XFRM_SUB_POLICY
69396 @@ -1625,7 +1625,7 @@ xfrm_resolve_and_create_bundle(struct xf
69398 xdst->num_pols = num_pols;
69399 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy*) * num_pols);
69400 - xdst->policy_genid = atomic_read(&pols[0]->genid);
69401 + xdst->policy_genid = atomic_read_unchecked(&pols[0]->genid);
69405 @@ -2319,7 +2319,7 @@ static int xfrm_bundle_ok(struct xfrm_po
69406 if (xdst->xfrm_genid != dst->xfrm->genid)
69408 if (xdst->num_pols > 0 &&
69409 - xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
69410 + xdst->policy_genid != atomic_read_unchecked(&xdst->pols[0]->genid))
69413 if (strict && fl &&
69414 @@ -2852,7 +2852,7 @@ static int xfrm_policy_migrate(struct xf
69415 sizeof(pol->xfrm_vec[i].saddr));
69416 pol->xfrm_vec[i].encap_family = mp->new_family;
69417 /* flush bundles */
69418 - atomic_inc(&pol->genid);
69419 + atomic_inc_unchecked(&pol->genid);
69423 diff -urNp linux-2.6.38.6/net/xfrm/xfrm_user.c linux-2.6.38.6/net/xfrm/xfrm_user.c
69424 --- linux-2.6.38.6/net/xfrm/xfrm_user.c 2011-03-14 21:20:32.000000000 -0400
69425 +++ linux-2.6.38.6/net/xfrm/xfrm_user.c 2011-05-16 21:47:09.000000000 -0400
69426 @@ -1309,6 +1309,8 @@ static int copy_to_user_tmpl(struct xfrm
69427 struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH];
69430 + pax_track_stack();
69432 if (xp->xfrm_nr == 0)
69435 @@ -1957,6 +1959,8 @@ static int xfrm_do_migrate(struct sk_buf
69439 + pax_track_stack();
69441 if (attrs[XFRMA_MIGRATE] == NULL)
69444 diff -urNp linux-2.6.38.6/scripts/basic/fixdep.c linux-2.6.38.6/scripts/basic/fixdep.c
69445 --- linux-2.6.38.6/scripts/basic/fixdep.c 2011-03-14 21:20:32.000000000 -0400
69446 +++ linux-2.6.38.6/scripts/basic/fixdep.c 2011-04-28 19:34:15.000000000 -0400
69447 @@ -235,9 +235,9 @@ static void use_config(const char *m, in
69449 static void parse_config_file(const char *map, size_t len)
69451 - const int *end = (const int *) (map + len);
69452 + const unsigned int *end = (const unsigned int *) (map + len);
69453 /* start at +1, so that p can never be < map */
69454 - const int *m = (const int *) map + 1;
69455 + const unsigned int *m = (const unsigned int *) map + 1;
69458 for (; m < end; m++) {
69459 @@ -405,7 +405,7 @@ static void print_deps(void)
69460 static void traps(void)
69462 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
69463 - int *p = (int *)test;
69464 + unsigned int *p = (unsigned int *)test;
69466 if (*p != INT_CONF) {
69467 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
69468 diff -urNp linux-2.6.38.6/scripts/mod/file2alias.c linux-2.6.38.6/scripts/mod/file2alias.c
69469 --- linux-2.6.38.6/scripts/mod/file2alias.c 2011-03-14 21:20:32.000000000 -0400
69470 +++ linux-2.6.38.6/scripts/mod/file2alias.c 2011-04-28 19:34:15.000000000 -0400
69471 @@ -72,7 +72,7 @@ static void device_id_check(const char *
69472 unsigned long size, unsigned long id_size,
69478 if (size % id_size || size < id_size) {
69479 if (cross_build != 0)
69480 @@ -102,7 +102,7 @@ static void device_id_check(const char *
69481 /* USB is special because the bcdDevice can be matched against a numeric range */
69482 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
69483 static void do_usb_entry(struct usb_device_id *id,
69484 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
69485 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
69486 unsigned char range_lo, unsigned char range_hi,
69487 unsigned char max, struct module *mod)
69489 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
69490 for (i = 0; i < count; i++) {
69491 const char *id = (char *)devs[i].id;
69492 char acpi_id[sizeof(devs[0].id)];
69496 buf_printf(&mod->dev_table_buf,
69497 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
69498 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
69500 for (j = 0; j < PNP_MAX_DEVICES; j++) {
69501 const char *id = (char *)card->devs[j].id;
69503 + unsigned int i2, j2;
69507 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
69508 /* add an individual alias for every device entry */
69510 char acpi_id[sizeof(card->devs[0].id)];
69514 buf_printf(&mod->dev_table_buf,
69515 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
69516 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
69517 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
69521 + unsigned int i, j;
69523 sprintf(alias, "dmi*");
69525 diff -urNp linux-2.6.38.6/scripts/mod/modpost.c linux-2.6.38.6/scripts/mod/modpost.c
69526 --- linux-2.6.38.6/scripts/mod/modpost.c 2011-03-14 21:20:32.000000000 -0400
69527 +++ linux-2.6.38.6/scripts/mod/modpost.c 2011-04-28 19:34:15.000000000 -0400
69528 @@ -896,6 +896,7 @@ enum mismatch {
69529 ANY_INIT_TO_ANY_EXIT,
69530 ANY_EXIT_TO_ANY_INIT,
69531 EXPORT_TO_INIT_EXIT,
69535 struct sectioncheck {
69536 @@ -1004,6 +1005,12 @@ const struct sectioncheck sectioncheck[]
69537 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
69538 .mismatch = EXPORT_TO_INIT_EXIT,
69539 .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
69541 +/* Do not reference code from writable data */
69543 + .fromsec = { DATA_SECTIONS, NULL },
69544 + .tosec = { TEXT_SECTIONS, NULL },
69545 + .mismatch = DATA_TO_TEXT
69549 @@ -1126,10 +1133,10 @@ static Elf_Sym *find_elf_symbol(struct e
69551 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
69553 - if (sym->st_value == addr)
69555 /* Find a symbol nearby - addr are maybe negative */
69556 d = sym->st_value - addr;
69560 d = addr - sym->st_value;
69561 if (d < distance) {
69562 @@ -1401,6 +1408,14 @@ static void report_sec_mismatch(const ch
69563 tosym, prl_to, prl_to, tosym);
69566 + case DATA_TO_TEXT:
69569 + "The variable %s references\n"
69570 + "the %s %s%s%s\n",
69571 + fromsym, to, sec2annotation(tosec), tosym, to_p);
69575 fprintf(stderr, "\n");
69577 @@ -1724,7 +1739,7 @@ void __attribute__((format(printf, 2, 3)
69581 -void buf_write(struct buffer *buf, const char *s, int len)
69582 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
69584 if (buf->size - buf->pos < len) {
69585 buf->size += len + SZ;
69586 @@ -1936,7 +1951,7 @@ static void write_if_changed(struct buff
69587 if (fstat(fileno(file), &st) < 0)
69590 - if (st.st_size != b->pos)
69591 + if (st.st_size != (off_t)b->pos)
69594 tmp = NOFAIL(malloc(b->pos));
69595 diff -urNp linux-2.6.38.6/scripts/mod/modpost.h linux-2.6.38.6/scripts/mod/modpost.h
69596 --- linux-2.6.38.6/scripts/mod/modpost.h 2011-03-14 21:20:32.000000000 -0400
69597 +++ linux-2.6.38.6/scripts/mod/modpost.h 2011-04-28 19:34:15.000000000 -0400
69598 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
69604 + unsigned int pos;
69605 + unsigned int size;
69608 void __attribute__((format(printf, 2, 3)))
69609 buf_printf(struct buffer *buf, const char *fmt, ...);
69612 -buf_write(struct buffer *buf, const char *s, int len);
69613 +buf_write(struct buffer *buf, const char *s, unsigned int len);
69616 struct module *next;
69617 diff -urNp linux-2.6.38.6/scripts/mod/sumversion.c linux-2.6.38.6/scripts/mod/sumversion.c
69618 --- linux-2.6.38.6/scripts/mod/sumversion.c 2011-03-14 21:20:32.000000000 -0400
69619 +++ linux-2.6.38.6/scripts/mod/sumversion.c 2011-04-28 19:34:15.000000000 -0400
69620 @@ -470,7 +470,7 @@ static void write_version(const char *fi
69624 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
69625 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
69626 warn("writing sum in %s failed: %s\n",
69627 filename, strerror(errno));
69629 diff -urNp linux-2.6.38.6/scripts/pnmtologo.c linux-2.6.38.6/scripts/pnmtologo.c
69630 --- linux-2.6.38.6/scripts/pnmtologo.c 2011-03-14 21:20:32.000000000 -0400
69631 +++ linux-2.6.38.6/scripts/pnmtologo.c 2011-04-28 19:34:15.000000000 -0400
69632 @@ -237,14 +237,14 @@ static void write_header(void)
69633 fprintf(out, " * Linux logo %s\n", logoname);
69634 fputs(" */\n\n", out);
69635 fputs("#include <linux/linux_logo.h>\n\n", out);
69636 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
69637 + fprintf(out, "static unsigned char %s_data[] = {\n",
69641 static void write_footer(void)
69643 fputs("\n};\n\n", out);
69644 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
69645 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
69646 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
69647 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
69648 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
69649 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
69650 fputs("\n};\n\n", out);
69652 /* write logo clut */
69653 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
69654 + fprintf(out, "static unsigned char %s_clut[] = {\n",
69657 for (i = 0; i < logo_clutsize; i++) {
69658 diff -urNp linux-2.6.38.6/security/apparmor/lsm.c linux-2.6.38.6/security/apparmor/lsm.c
69659 --- linux-2.6.38.6/security/apparmor/lsm.c 2011-03-14 21:20:32.000000000 -0400
69660 +++ linux-2.6.38.6/security/apparmor/lsm.c 2011-04-28 19:34:15.000000000 -0400
69661 @@ -619,7 +619,7 @@ static int apparmor_task_setrlimit(struc
69665 -static struct security_operations apparmor_ops = {
69666 +static struct security_operations apparmor_ops __read_only = {
69667 .name = "apparmor",
69669 .ptrace_access_check = apparmor_ptrace_access_check,
69670 diff -urNp linux-2.6.38.6/security/commoncap.c linux-2.6.38.6/security/commoncap.c
69671 --- linux-2.6.38.6/security/commoncap.c 2011-03-14 21:20:32.000000000 -0400
69672 +++ linux-2.6.38.6/security/commoncap.c 2011-04-28 19:34:15.000000000 -0400
69674 #include <linux/prctl.h>
69675 #include <linux/securebits.h>
69676 // #include <linux/vs_context.h>
69677 +#include <net/sock.h>
69680 * If a non-root user executes a setuid-root binary in
69681 @@ -50,9 +51,11 @@ static void warn_setuid_and_fcaps_mixed(
69685 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
69687 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
69689 - NETLINK_CB(skb).eff_cap = vx_mbcaps(current_cap());
69690 + NETLINK_CB(skb).eff_cap = vx_mbcaps(gr_cap_rtnetlink(sk));
69694 @@ -534,6 +537,9 @@ int cap_bprm_secureexec(struct linux_bin
69696 const struct cred *cred = current_cred();
69698 + if (gr_acl_enable_at_secure())
69701 if (cred->uid != 0) {
69702 if (bprm->cap_effective)
69704 diff -urNp linux-2.6.38.6/security/integrity/ima/ima_api.c linux-2.6.38.6/security/integrity/ima/ima_api.c
69705 --- linux-2.6.38.6/security/integrity/ima/ima_api.c 2011-03-14 21:20:32.000000000 -0400
69706 +++ linux-2.6.38.6/security/integrity/ima/ima_api.c 2011-04-28 19:34:15.000000000 -0400
69707 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
69710 /* can overflow, only indicator */
69711 - atomic_long_inc(&ima_htable.violations);
69712 + atomic_long_inc_unchecked(&ima_htable.violations);
69714 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
69716 diff -urNp linux-2.6.38.6/security/integrity/ima/ima_fs.c linux-2.6.38.6/security/integrity/ima/ima_fs.c
69717 --- linux-2.6.38.6/security/integrity/ima/ima_fs.c 2011-03-14 21:20:32.000000000 -0400
69718 +++ linux-2.6.38.6/security/integrity/ima/ima_fs.c 2011-04-28 19:34:15.000000000 -0400
69719 @@ -28,12 +28,12 @@
69720 static int valid_policy = 1;
69721 #define TMPBUFLEN 12
69722 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
69723 - loff_t *ppos, atomic_long_t *val)
69724 + loff_t *ppos, atomic_long_unchecked_t *val)
69726 char tmpbuf[TMPBUFLEN];
69729 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
69730 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
69731 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
69734 diff -urNp linux-2.6.38.6/security/integrity/ima/ima.h linux-2.6.38.6/security/integrity/ima/ima.h
69735 --- linux-2.6.38.6/security/integrity/ima/ima.h 2011-03-14 21:20:32.000000000 -0400
69736 +++ linux-2.6.38.6/security/integrity/ima/ima.h 2011-04-28 19:34:15.000000000 -0400
69737 @@ -85,8 +85,8 @@ void ima_add_violation(struct inode *ino
69738 extern spinlock_t ima_queue_lock;
69740 struct ima_h_table {
69741 - atomic_long_t len; /* number of stored measurements in the list */
69742 - atomic_long_t violations;
69743 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
69744 + atomic_long_unchecked_t violations;
69745 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
69747 extern struct ima_h_table ima_htable;
69748 diff -urNp linux-2.6.38.6/security/integrity/ima/ima_queue.c linux-2.6.38.6/security/integrity/ima/ima_queue.c
69749 --- linux-2.6.38.6/security/integrity/ima/ima_queue.c 2011-03-14 21:20:32.000000000 -0400
69750 +++ linux-2.6.38.6/security/integrity/ima/ima_queue.c 2011-04-28 19:34:15.000000000 -0400
69751 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
69752 INIT_LIST_HEAD(&qe->later);
69753 list_add_tail_rcu(&qe->later, &ima_measurements);
69755 - atomic_long_inc(&ima_htable.len);
69756 + atomic_long_inc_unchecked(&ima_htable.len);
69757 key = ima_hash_key(entry->digest);
69758 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
69760 diff -urNp linux-2.6.38.6/security/Kconfig linux-2.6.38.6/security/Kconfig
69761 --- linux-2.6.38.6/security/Kconfig 2011-03-14 21:20:32.000000000 -0400
69762 +++ linux-2.6.38.6/security/Kconfig 2011-04-30 19:58:48.000000000 -0400
69765 menu "Security options"
69767 +source grsecurity/Kconfig
69771 + config ARCH_TRACK_EXEC_LIMIT
69774 + config PAX_PER_CPU_PGD
69777 + config TASK_SIZE_MAX_SHIFT
69779 + depends on X86_64
69780 + default 47 if !PAX_PER_CPU_PGD
69781 + default 42 if PAX_PER_CPU_PGD
69783 + config PAX_ENABLE_PAE
69785 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
69788 + bool "Enable various PaX features"
69789 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
69791 + This allows you to enable various PaX features. PaX adds
69792 + intrusion prevention mechanisms to the kernel that reduce
69793 + the risks posed by exploitable memory corruption bugs.
69795 +menu "PaX Control"
69798 +config PAX_SOFTMODE
69799 + bool 'Support soft mode'
69800 + select PAX_PT_PAX_FLAGS
69802 + Enabling this option will allow you to run PaX in soft mode, that
69803 + is, PaX features will not be enforced by default, only on executables
69804 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
69805 + is the only way to mark executables for soft mode use.
69807 + Soft mode can be activated by using the "pax_softmode=1" kernel command
69808 + line option on boot. Furthermore you can control various PaX features
69809 + at runtime via the entries in /proc/sys/kernel/pax.
69812 + bool 'Use legacy ELF header marking'
69814 + Enabling this option will allow you to control PaX features on
69815 + a per executable basis via the 'chpax' utility available at
69816 + http://pax.grsecurity.net/. The control flags will be read from
69817 + an otherwise reserved part of the ELF header. This marking has
69818 + numerous drawbacks (no support for soft-mode, toolchain does not
69819 + know about the non-standard use of the ELF header) therefore it
69820 + has been deprecated in favour of PT_PAX_FLAGS support.
69822 + Note that if you enable PT_PAX_FLAGS marking support as well,
69823 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
69825 +config PAX_PT_PAX_FLAGS
69826 + bool 'Use ELF program header marking'
69828 + Enabling this option will allow you to control PaX features on
69829 + a per executable basis via the 'paxctl' utility available at
69830 + http://pax.grsecurity.net/. The control flags will be read from
69831 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
69832 + has the benefits of supporting both soft mode and being fully
69833 + integrated into the toolchain (the binutils patch is available
69834 + from http://pax.grsecurity.net).
69836 + If your toolchain does not support PT_PAX_FLAGS markings,
69837 + you can create one in most cases with 'paxctl -C'.
69839 + Note that if you enable the legacy EI_PAX marking support as well,
69840 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
69843 + prompt 'MAC system integration'
69844 + default PAX_HAVE_ACL_FLAGS
69846 + Mandatory Access Control systems have the option of controlling
69847 + PaX flags on a per executable basis, choose the method supported
69848 + by your particular system.
69850 + - "none": if your MAC system does not interact with PaX,
69851 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
69852 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
69854 + NOTE: this option is for developers/integrators only.
69856 + config PAX_NO_ACL_FLAGS
69859 + config PAX_HAVE_ACL_FLAGS
69862 + config PAX_HOOK_ACL_FLAGS
69868 +menu "Non-executable pages"
69872 + bool "Enforce non-executable pages"
69873 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
69875 + By design some architectures do not allow for protecting memory
69876 + pages against execution or even if they do, Linux does not make
69877 + use of this feature. In practice this means that if a page is
69878 + readable (such as the stack or heap) it is also executable.
69880 + There is a well known exploit technique that makes use of this
69881 + fact and a common programming mistake where an attacker can
69882 + introduce code of his choice somewhere in the attacked program's
69883 + memory (typically the stack or the heap) and then execute it.
69885 + If the attacked program was running with different (typically
69886 + higher) privileges than that of the attacker, then he can elevate
69887 + his own privilege level (e.g. get a root shell, write to files for
69888 + which he does not have write access to, etc).
69890 + Enabling this option will let you choose from various features
69891 + that prevent the injection and execution of 'foreign' code in
69894 + This will also break programs that rely on the old behaviour and
69895 + expect that dynamically allocated memory via the malloc() family
69896 + of functions is executable (which it is not). Notable examples
69897 + are the XFree86 4.x server, the java runtime and wine.
69899 +config PAX_PAGEEXEC
69900 + bool "Paging based non-executable pages"
69901 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
69902 + select S390_SWITCH_AMODE if S390
69903 + select S390_EXEC_PROTECT if S390
69904 + select ARCH_TRACK_EXEC_LIMIT if X86_32
69906 + This implementation is based on the paging feature of the CPU.
69907 + On i386 without hardware non-executable bit support there is a
69908 + variable but usually low performance impact, however on Intel's
69909 + P4 core based CPUs it is very high so you should not enable this
69910 + for kernels meant to be used on such CPUs.
69912 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
69913 + with hardware non-executable bit support there is no performance
69914 + impact, on ppc the impact is negligible.
69916 + Note that several architectures require various emulations due to
69917 + badly designed userland ABIs, this will cause a performance impact
69918 + but will disappear as soon as userland is fixed. For example, ppc
69919 + userland MUST have been built with secure-plt by a recent toolchain.
69921 +config PAX_SEGMEXEC
69922 + bool "Segmentation based non-executable pages"
69923 + depends on PAX_NOEXEC && X86_32
69925 + This implementation is based on the segmentation feature of the
69926 + CPU and has a very small performance impact, however applications
69927 + will be limited to a 1.5 GB address space instead of the normal
69930 +config PAX_EMUTRAMP
69931 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
69932 + default y if PARISC
69934 + There are some programs and libraries that for one reason or
69935 + another attempt to execute special small code snippets from
69936 + non-executable memory pages. Most notable examples are the
69937 + signal handler return code generated by the kernel itself and
69938 + the GCC trampolines.
69940 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
69941 + such programs will no longer work under your kernel.
69943 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
69944 + utilities to enable trampoline emulation for the affected programs
69945 + yet still have the protection provided by the non-executable pages.
69947 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
69948 + your system will not even boot.
69950 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
69951 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
69952 + for the affected files.
69954 + NOTE: enabling this feature *may* open up a loophole in the
69955 + protection provided by non-executable pages that an attacker
69956 + could abuse. Therefore the best solution is to not have any
69957 + files on your system that would require this option. This can
69958 + be achieved by not using libc5 (which relies on the kernel
69959 + signal handler return code) and not using or rewriting programs
69960 + that make use of the nested function implementation of GCC.
69961 + Skilled users can just fix GCC itself so that it implements
69962 + nested function calls in a way that does not interfere with PaX.
69964 +config PAX_EMUSIGRT
69965 + bool "Automatically emulate sigreturn trampolines"
69966 + depends on PAX_EMUTRAMP && PARISC
69969 + Enabling this option will have the kernel automatically detect
69970 + and emulate signal return trampolines executing on the stack
69971 + that would otherwise lead to task termination.
69973 + This solution is intended as a temporary one for users with
69974 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
69975 + Modula-3 runtime, etc) or executables linked to such, basically
69976 + everything that does not specify its own SA_RESTORER function in
69977 + normal executable memory like glibc 2.1+ does.
69979 + On parisc you MUST enable this option, otherwise your system will
69982 + NOTE: this feature cannot be disabled on a per executable basis
69983 + and since it *does* open up a loophole in the protection provided
69984 + by non-executable pages, the best solution is to not have any
69985 + files on your system that would require this option.
69987 +config PAX_MPROTECT
69988 + bool "Restrict mprotect()"
69989 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
69991 + Enabling this option will prevent programs from
69992 + - changing the executable status of memory pages that were
69993 + not originally created as executable,
69994 + - making read-only executable pages writable again,
69995 + - creating executable pages from anonymous memory,
69996 + - making read-only-after-relocations (RELRO) data pages writable again.
69998 + You should say Y here to complete the protection provided by
69999 + the enforcement of non-executable pages.
70001 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
70002 + this feature on a per file basis.
70004 +config PAX_MPROTECT_COMPAT
70005 + bool "Use legacy/compat protection demoting (read help)"
70006 + depends on PAX_MPROTECT
70009 + The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
70010 + by sending the proper error code to the application. For some broken
70011 + userland, this can cause problems with Python or other applications. The
70012 + current implementation however allows for applications like clamav to
70013 + detect if JIT compilation/execution is allowed and to fall back gracefully
70014 + to an interpreter-based mode if it does not. While we encourage everyone
70015 + to use the current implementation as-is and push upstream to fix broken
70016 + userland (note that the RWX logging option can assist with this), in some
70017 + environments this may not be possible. Having to disable MPROTECT
70018 + completely on certain binaries reduces the security benefit of PaX,
70019 + so this option is provided for those environments to revert to the old
70022 +config PAX_ELFRELOCS
70023 + bool "Allow ELF text relocations (read help)"
70024 + depends on PAX_MPROTECT
70027 + Non-executable pages and mprotect() restrictions are effective
70028 + in preventing the introduction of new executable code into an
70029 + attacked task's address space. There remain only two venues
70030 + for this kind of attack: if the attacker can execute already
70031 + existing code in the attacked task then he can either have it
70032 + create and mmap() a file containing his code or have it mmap()
70033 + an already existing ELF library that does not have position
70034 + independent code in it and use mprotect() on it to make it
70035 + writable and copy his code there. While protecting against
70036 + the former approach is beyond PaX, the latter can be prevented
70037 + by having only PIC ELF libraries on one's system (which do not
70038 + need to relocate their code). If you are sure this is your case,
70039 + as is the case with all modern Linux distributions, then leave
70040 + this option disabled. You should say 'n' here.
70042 +config PAX_ETEXECRELOCS
70043 + bool "Allow ELF ET_EXEC text relocations"
70044 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
70045 + select PAX_ELFRELOCS
70048 + On some architectures there are incorrectly created applications
70049 + that require text relocations and would not work without enabling
70050 + this option. If you are an alpha, ia64 or parisc user, you should
70051 + enable this option and disable it once you have made sure that
70052 + none of your applications need it.
70055 + bool "Automatically emulate ELF PLT"
70056 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
70059 + Enabling this option will have the kernel automatically detect
70060 + and emulate the Procedure Linkage Table entries in ELF files.
70061 + On some architectures such entries are in writable memory, and
70062 + become non-executable leading to task termination. Therefore
70063 + it is mandatory that you enable this option on alpha, parisc,
70064 + sparc and sparc64, otherwise your system would not even boot.
70066 + NOTE: this feature *does* open up a loophole in the protection
70067 + provided by the non-executable pages, therefore the proper
70068 + solution is to modify the toolchain to produce a PLT that does
70069 + not need to be writable.
70071 +config PAX_DLRESOLVE
70072 + bool 'Emulate old glibc resolver stub'
70073 + depends on PAX_EMUPLT && SPARC
70076 + This option is needed if userland has an old glibc (before 2.4)
70077 + that puts a 'save' instruction into the runtime generated resolver
70078 + stub that needs special emulation.
70080 +config PAX_KERNEXEC
70081 + bool "Enforce non-executable kernel pages"
70082 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
70083 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
70085 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
70086 + that is, enabling this option will make it harder to inject
70087 + and execute 'foreign' code in kernel memory itself.
70089 + Note that on x86_64 kernels there is a known regression when
70090 + this feature and KVM/VMX are both enabled in the host kernel.
70092 +config PAX_KERNEXEC_MODULE_TEXT
70093 + int "Minimum amount of memory reserved for module code"
70095 + depends on PAX_KERNEXEC && X86_32 && MODULES
70097 + Due to implementation details the kernel must reserve a fixed
70098 + amount of memory for module code at compile time that cannot be
70099 + changed at runtime. Here you can specify the minimum amount
70100 + in MB that will be reserved. Due to the same implementation
70101 + details this size will always be rounded up to the next 2/4 MB
70102 + boundary (depends on PAE) so the actually available memory for
70103 + module code will usually be more than this minimum.
70105 + The default 4 MB should be enough for most users but if you have
70106 + an excessive number of modules (e.g., most distribution configs
70107 + compile many drivers as modules) or use huge modules such as
70108 + nvidia's kernel driver, you will need to adjust this amount.
70109 + A good rule of thumb is to look at your currently loaded kernel
70110 + modules and add up their sizes.
70114 +menu "Address Space Layout Randomization"
70118 + bool "Address Space Layout Randomization"
70119 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
70121 + Many if not most exploit techniques rely on the knowledge of
70122 + certain addresses in the attacked program. The following options
70123 + will allow the kernel to apply a certain amount of randomization
70124 + to specific parts of the program thereby forcing an attacker to
70125 + guess them in most cases. Any failed guess will most likely crash
70126 + the attacked program which allows the kernel to detect such attempts
70127 + and react on them. PaX itself provides no reaction mechanisms,
70128 + instead it is strongly encouraged that you make use of Nergal's
70129 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
70130 + (http://www.grsecurity.net/) built-in crash detection features or
70131 + develop one yourself.
70133 + By saying Y here you can choose to randomize the following areas:
70134 + - top of the task's kernel stack
70135 + - top of the task's userland stack
70136 + - base address for mmap() requests that do not specify one
70137 + (this includes all libraries)
70138 + - base address of the main executable
70140 + It is strongly recommended to say Y here as address space layout
70141 + randomization has negligible impact on performance yet it provides
70142 + a very effective protection.
70144 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
70145 + this feature on a per file basis.
70147 +config PAX_RANDKSTACK
70148 + bool "Randomize kernel stack base"
70149 + depends on PAX_ASLR && X86_TSC && X86
70151 + By saying Y here the kernel will randomize every task's kernel
70152 + stack on every system call. This will not only force an attacker
70153 + to guess it but also prevent him from making use of possible
70154 + leaked information about it.
70156 + Since the kernel stack is a rather scarce resource, randomization
70157 + may cause unexpected stack overflows, therefore you should very
70158 + carefully test your system. Note that once enabled in the kernel
70159 + configuration, this feature cannot be disabled on a per file basis.
70161 +config PAX_RANDUSTACK
70162 + bool "Randomize user stack base"
70163 + depends on PAX_ASLR
70165 + By saying Y here the kernel will randomize every task's userland
70166 + stack. The randomization is done in two steps where the second
70167 + one may apply a big amount of shift to the top of the stack and
70168 + cause problems for programs that want to use lots of memory (more
70169 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
70170 + For this reason the second step can be controlled by 'chpax' or
70171 + 'paxctl' on a per file basis.
70173 +config PAX_RANDMMAP
70174 + bool "Randomize mmap() base"
70175 + depends on PAX_ASLR
70177 + By saying Y here the kernel will use a randomized base address for
70178 + mmap() requests that do not specify one themselves. As a result
70179 + all dynamically loaded libraries will appear at random addresses
70180 + and therefore be harder to exploit by a technique where an attacker
70181 + attempts to execute library code for his purposes (e.g. spawn a
70182 + shell from an exploited program that is running at an elevated
70183 + privilege level).
70185 + Furthermore, if a program is relinked as a dynamic ELF file, its
70186 + base address will be randomized as well, completing the full
70187 + randomization of the address space layout. Attacking such programs
70188 + becomes a guess game. You can find an example of doing this at
70189 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
70190 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
70192 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
70193 + feature on a per file basis.
70197 +menu "Miscellaneous hardening features"
70199 +config PAX_MEMORY_SANITIZE
70200 + bool "Sanitize all freed memory"
70202 + By saying Y here the kernel will erase memory pages as soon as they
70203 + are freed. This in turn reduces the lifetime of data stored in the
70204 + pages, making it less likely that sensitive information such as
70205 + passwords, cryptographic secrets, etc stay in memory for too long.
70207 + This is especially useful for programs whose runtime is short, long
70208 + lived processes and the kernel itself benefit from this as long as
70209 + they operate on whole memory pages and ensure timely freeing of pages
70210 + that may hold sensitive information.
70212 + The tradeoff is performance impact, on a single CPU system kernel
70213 + compilation sees a 3% slowdown, other systems and workloads may vary
70214 + and you are advised to test this feature on your expected workload
70215 + before deploying it.
70217 + Note that this feature does not protect data stored in live pages,
70218 + e.g., process memory swapped to disk may stay there for a long time.
70220 +config PAX_MEMORY_STACKLEAK
70221 + bool "Sanitize kernel stack"
70224 + By saying Y here the kernel will erase the kernel stack before it
70225 + returns from a system call. This in turn reduces the information
70226 + that a kernel stack leak bug can reveal.
70228 + Note that such a bug can still leak information that was put on
70229 + the stack by the current system call (the one eventually triggering
70230 + the bug) but traces of earlier system calls on the kernel stack
70231 + cannot leak anymore.
70233 + The tradeoff is performance impact: on a single CPU system kernel
70234 + compilation sees a 1% slowdown, other systems and workloads may vary
70235 + and you are advised to test this feature on your expected workload
70236 + before deploying it.
70238 +config PAX_MEMORY_UDEREF
70239 + bool "Prevent invalid userland pointer dereference"
70240 + depends on X86 && !UML_X86 && !XEN
70241 + select PAX_PER_CPU_PGD if X86_64
70243 + By saying Y here the kernel will be prevented from dereferencing
70244 + userland pointers in contexts where the kernel expects only kernel
70245 + pointers. This is both a useful runtime debugging feature and a
70246 + security measure that prevents exploiting a class of kernel bugs.
70248 + The tradeoff is that some virtualization solutions may experience
70249 + a huge slowdown and therefore you should not enable this feature
70250 + for kernels meant to run in such environments. Whether a given VM
70251 + solution is affected or not is best determined by simply trying it
70252 + out, the performance impact will be obvious right on boot as this
70253 + mechanism engages from very early on. A good rule of thumb is that
70254 + VMs running on CPUs without hardware virtualization support (i.e.,
70255 + the majority of IA-32 CPUs) will likely experience the slowdown.
70257 +config PAX_REFCOUNT
70258 + bool "Prevent various kernel object reference counter overflows"
70259 + depends on GRKERNSEC && (X86 || SPARC64)
70261 + By saying Y here the kernel will detect and prevent overflowing
70262 + various (but not all) kinds of object reference counters. Such
70263 + overflows can normally occur due to bugs only and are often, if
70264 + not always, exploitable.
70266 + The tradeoff is that data structures protected by an overflowed
70267 + refcount will never be freed and therefore will leak memory. Note
70268 + that this leak also happens even without this protection but in
70269 + that case the overflow can eventually trigger the freeing of the
70270 + data structure while it is still being used elsewhere, resulting
70271 + in the exploitable situation that this feature prevents.
70273 + Since this has a negligible performance impact, you should enable
70276 +config PAX_USERCOPY
70277 + bool "Harden heap object copies between kernel and userland"
70278 + depends on X86 || PPC || SPARC
70279 + depends on GRKERNSEC && (SLAB || SLUB)
70281 + By saying Y here the kernel will enforce the size of heap objects
70282 + when they are copied in either direction between the kernel and
70283 + userland, even if only a part of the heap object is copied.
70285 + Specifically, this checking prevents information leaking from the
70286 + kernel heap during kernel to userland copies (if the kernel heap
70287 + object is otherwise fully initialized) and prevents kernel heap
70288 + overflows during userland to kernel copies.
70290 + Note that the current implementation provides the strictest bounds
70291 + checks for the SLUB allocator.
70293 + Enabling this option also enables per-slab cache protection against
70294 + data in a given cache being copied into/out of via userland
70295 + accessors. Though the whitelist of regions will be reduced over
70296 + time, it notably protects important data structures like task structs.
70298 + If frame pointers are enabled on x86, this option will also restrict
70299 + copies into and out of the kernel stack to local variables within a
70302 + Since this has a negligible performance impact, you should enable
70310 bool "Enable access key retention support"
70312 @@ -167,7 +709,7 @@ config INTEL_TXT
70313 config LSM_MMAP_MIN_ADDR
70314 int "Low address space for LSM to protect from user allocation"
70315 depends on SECURITY && SECURITY_SELINUX
70319 This is the portion of low virtual memory which should be protected
70320 from userspace allocation. Keeping a user from writing to low pages
70321 diff -urNp linux-2.6.38.6/security/keys/keyring.c linux-2.6.38.6/security/keys/keyring.c
70322 --- linux-2.6.38.6/security/keys/keyring.c 2011-03-14 21:20:32.000000000 -0400
70323 +++ linux-2.6.38.6/security/keys/keyring.c 2011-04-28 19:34:15.000000000 -0400
70324 @@ -213,15 +213,15 @@ static long keyring_read(const struct ke
70327 for (loop = 0; loop < klist->nkeys; loop++) {
70328 + key_serial_t serial;
70329 key = klist->keys[loop];
70330 + serial = key->serial;
70332 tmp = sizeof(key_serial_t);
70336 - if (copy_to_user(buffer,
70339 + if (copy_to_user(buffer, &serial, tmp))
70343 diff -urNp linux-2.6.38.6/security/min_addr.c linux-2.6.38.6/security/min_addr.c
70344 --- linux-2.6.38.6/security/min_addr.c 2011-03-14 21:20:32.000000000 -0400
70345 +++ linux-2.6.38.6/security/min_addr.c 2011-04-28 19:34:15.000000000 -0400
70346 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
70348 static void update_mmap_min_addr(void)
70351 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
70352 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
70353 mmap_min_addr = dac_mmap_min_addr;
70354 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
70356 mmap_min_addr = dac_mmap_min_addr;
70362 diff -urNp linux-2.6.38.6/security/security.c linux-2.6.38.6/security/security.c
70363 --- linux-2.6.38.6/security/security.c 2011-03-14 21:20:32.000000000 -0400
70364 +++ linux-2.6.38.6/security/security.c 2011-04-28 19:34:15.000000000 -0400
70365 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
70366 /* things that live in capability.c */
70367 extern void __init security_fixup_ops(struct security_operations *ops);
70369 -static struct security_operations *security_ops;
70370 -static struct security_operations default_security_ops = {
70371 +static struct security_operations *security_ops __read_only;
70372 +static struct security_operations default_security_ops __read_only = {
70376 @@ -67,7 +67,9 @@ int __init security_init(void)
70378 void reset_security_ops(void)
70380 + pax_open_kernel();
70381 security_ops = &default_security_ops;
70382 + pax_close_kernel();
70385 /* Save user chosen LSM */
70386 diff -urNp linux-2.6.38.6/security/selinux/hooks.c linux-2.6.38.6/security/selinux/hooks.c
70387 --- linux-2.6.38.6/security/selinux/hooks.c 2011-03-14 21:20:32.000000000 -0400
70388 +++ linux-2.6.38.6/security/selinux/hooks.c 2011-04-28 19:34:15.000000000 -0400
70390 #define NUM_SEL_MNT_OPTS 5
70392 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
70393 -extern struct security_operations *security_ops;
70395 /* SECMARK reference count */
70396 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
70397 @@ -5395,7 +5394,7 @@ static int selinux_key_getsecurity(struc
70401 -static struct security_operations selinux_ops = {
70402 +static struct security_operations selinux_ops __read_only = {
70405 .ptrace_access_check = selinux_ptrace_access_check,
70406 diff -urNp linux-2.6.38.6/security/selinux/ss/services.c linux-2.6.38.6/security/selinux/ss/services.c
70407 --- linux-2.6.38.6/security/selinux/ss/services.c 2011-03-14 21:20:32.000000000 -0400
70408 +++ linux-2.6.38.6/security/selinux/ss/services.c 2011-05-16 21:47:09.000000000 -0400
70409 @@ -1769,6 +1769,8 @@ int security_load_policy(void *data, siz
70411 struct policy_file file = { data, len }, *fp = &file;
70413 + pax_track_stack();
70415 if (!ss_initialized) {
70416 avtab_cache_init();
70417 rc = policydb_read(&policydb, fp);
70418 diff -urNp linux-2.6.38.6/security/smack/smack_lsm.c linux-2.6.38.6/security/smack/smack_lsm.c
70419 --- linux-2.6.38.6/security/smack/smack_lsm.c 2011-03-14 21:20:32.000000000 -0400
70420 +++ linux-2.6.38.6/security/smack/smack_lsm.c 2011-04-28 19:34:15.000000000 -0400
70421 @@ -3179,7 +3179,7 @@ static int smack_inode_getsecctx(struct
70425 -struct security_operations smack_ops = {
70426 +struct security_operations smack_ops __read_only = {
70429 .ptrace_access_check = smack_ptrace_access_check,
70430 diff -urNp linux-2.6.38.6/security/tomoyo/tomoyo.c linux-2.6.38.6/security/tomoyo/tomoyo.c
70431 --- linux-2.6.38.6/security/tomoyo/tomoyo.c 2011-03-14 21:20:32.000000000 -0400
70432 +++ linux-2.6.38.6/security/tomoyo/tomoyo.c 2011-04-28 19:34:15.000000000 -0400
70433 @@ -240,7 +240,7 @@ static int tomoyo_sb_pivotroot(struct pa
70434 * tomoyo_security_ops is a "struct security_operations" which is used for
70435 * registering TOMOYO.
70437 -static struct security_operations tomoyo_security_ops = {
70438 +static struct security_operations tomoyo_security_ops __read_only = {
70440 .cred_alloc_blank = tomoyo_cred_alloc_blank,
70441 .cred_prepare = tomoyo_cred_prepare,
70442 diff -urNp linux-2.6.38.6/sound/aoa/codecs/onyx.c linux-2.6.38.6/sound/aoa/codecs/onyx.c
70443 --- linux-2.6.38.6/sound/aoa/codecs/onyx.c 2011-03-14 21:20:32.000000000 -0400
70444 +++ linux-2.6.38.6/sound/aoa/codecs/onyx.c 2011-04-28 19:34:15.000000000 -0400
70445 @@ -54,7 +54,7 @@ struct onyx {
70450 + local_t open_count;
70451 struct codec_info *codec_info;
70453 /* mutex serializes concurrent access to the device
70454 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
70455 struct onyx *onyx = cii->codec_data;
70457 mutex_lock(&onyx->mutex);
70458 - onyx->open_count++;
70459 + local_inc(&onyx->open_count);
70460 mutex_unlock(&onyx->mutex);
70463 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
70464 struct onyx *onyx = cii->codec_data;
70466 mutex_lock(&onyx->mutex);
70467 - onyx->open_count--;
70468 - if (!onyx->open_count)
70469 + if (local_dec_and_test(&onyx->open_count))
70470 onyx->spdif_locked = onyx->analog_locked = 0;
70471 mutex_unlock(&onyx->mutex);
70473 diff -urNp linux-2.6.38.6/sound/aoa/codecs/onyx.h linux-2.6.38.6/sound/aoa/codecs/onyx.h
70474 --- linux-2.6.38.6/sound/aoa/codecs/onyx.h 2011-03-14 21:20:32.000000000 -0400
70475 +++ linux-2.6.38.6/sound/aoa/codecs/onyx.h 2011-04-28 19:34:15.000000000 -0400
70477 #include <linux/i2c.h>
70478 #include <asm/pmac_low_i2c.h>
70479 #include <asm/prom.h>
70480 +#include <asm/local.h>
70482 /* PCM3052 register definitions */
70484 diff -urNp linux-2.6.38.6/sound/drivers/mts64.c linux-2.6.38.6/sound/drivers/mts64.c
70485 --- linux-2.6.38.6/sound/drivers/mts64.c 2011-03-14 21:20:32.000000000 -0400
70486 +++ linux-2.6.38.6/sound/drivers/mts64.c 2011-04-28 19:34:15.000000000 -0400
70488 #include <sound/initval.h>
70489 #include <sound/rawmidi.h>
70490 #include <sound/control.h>
70491 +#include <asm/local.h>
70493 #define CARD_NAME "Miditerminal 4140"
70494 #define DRIVER_NAME "MTS64"
70495 @@ -66,7 +67,7 @@ struct mts64 {
70496 struct pardevice *pardev;
70497 int pardev_claimed;
70500 + local_t open_count;
70501 int current_midi_output_port;
70502 int current_midi_input_port;
70503 u8 mode[MTS64_NUM_INPUT_PORTS];
70504 @@ -696,7 +697,7 @@ static int snd_mts64_rawmidi_open(struct
70506 struct mts64 *mts = substream->rmidi->private_data;
70508 - if (mts->open_count == 0) {
70509 + if (local_read(&mts->open_count) == 0) {
70510 /* We don't need a spinlock here, because this is just called
70511 if the device has not been opened before.
70512 So there aren't any IRQs from the device */
70513 @@ -704,7 +705,7 @@ static int snd_mts64_rawmidi_open(struct
70517 - ++(mts->open_count);
70518 + local_inc(&mts->open_count);
70522 @@ -714,8 +715,7 @@ static int snd_mts64_rawmidi_close(struc
70523 struct mts64 *mts = substream->rmidi->private_data;
70524 unsigned long flags;
70526 - --(mts->open_count);
70527 - if (mts->open_count == 0) {
70528 + if (local_dec_return(&mts->open_count) == 0) {
70529 /* We need the spinlock_irqsave here because we can still
70530 have IRQs at this point */
70531 spin_lock_irqsave(&mts->lock, flags);
70532 @@ -724,8 +724,8 @@ static int snd_mts64_rawmidi_close(struc
70536 - } else if (mts->open_count < 0)
70537 - mts->open_count = 0;
70538 + } else if (local_read(&mts->open_count) < 0)
70539 + local_set(&mts->open_count, 0);
70543 diff -urNp linux-2.6.38.6/sound/drivers/portman2x4.c linux-2.6.38.6/sound/drivers/portman2x4.c
70544 --- linux-2.6.38.6/sound/drivers/portman2x4.c 2011-03-14 21:20:32.000000000 -0400
70545 +++ linux-2.6.38.6/sound/drivers/portman2x4.c 2011-04-28 19:34:15.000000000 -0400
70547 #include <sound/initval.h>
70548 #include <sound/rawmidi.h>
70549 #include <sound/control.h>
70550 +#include <asm/local.h>
70552 #define CARD_NAME "Portman 2x4"
70553 #define DRIVER_NAME "portman"
70554 @@ -84,7 +85,7 @@ struct portman {
70555 struct pardevice *pardev;
70556 int pardev_claimed;
70559 + local_t open_count;
70560 int mode[PORTMAN_NUM_INPUT_PORTS];
70561 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
70563 diff -urNp linux-2.6.38.6/sound/oss/sb_audio.c linux-2.6.38.6/sound/oss/sb_audio.c
70564 --- linux-2.6.38.6/sound/oss/sb_audio.c 2011-03-14 21:20:32.000000000 -0400
70565 +++ linux-2.6.38.6/sound/oss/sb_audio.c 2011-04-28 19:34:15.000000000 -0400
70566 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
70567 buf16 = (signed short *)(localbuf + localoffs);
70570 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
70571 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
70572 if (copy_from_user(lbuf8,
70573 userbuf+useroffs + p,
70575 diff -urNp linux-2.6.38.6/sound/oss/swarm_cs4297a.c linux-2.6.38.6/sound/oss/swarm_cs4297a.c
70576 --- linux-2.6.38.6/sound/oss/swarm_cs4297a.c 2011-03-14 21:20:32.000000000 -0400
70577 +++ linux-2.6.38.6/sound/oss/swarm_cs4297a.c 2011-04-28 19:34:15.000000000 -0400
70578 @@ -2606,7 +2606,6 @@ static int __init cs4297a_init(void)
70580 struct cs4297a_state *s;
70584 #ifndef CONFIG_BCM_CS4297A_CSWARM
70586 @@ -2696,22 +2695,23 @@ static int __init cs4297a_init(void)
70588 char *sb1250_duart_present;
70595 val = SOUND_MASK_LINE;
70596 mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
70597 for (i = 0; i < ARRAY_SIZE(initvol); i++) {
70598 val = initvol[i].vol;
70599 mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
70602 // cs4297a_write_ac97(s, 0x18, 0x0808);
70604 // cs4297a_write_ac97(s, 0x5e, 0x180);
70605 cs4297a_write_ac97(s, 0x02, 0x0808);
70606 cs4297a_write_ac97(s, 0x18, 0x0808);
70610 list_add(&s->list, &cs4297a_devs);
70612 diff -urNp linux-2.6.38.6/sound/pci/intel8x0m.c linux-2.6.38.6/sound/pci/intel8x0m.c
70613 --- linux-2.6.38.6/sound/pci/intel8x0m.c 2011-03-14 21:20:32.000000000 -0400
70614 +++ linux-2.6.38.6/sound/pci/intel8x0m.c 2011-04-28 19:34:15.000000000 -0400
70615 @@ -1264,7 +1264,7 @@ static struct shortname_table {
70616 { 0x5455, "ALi M5455" },
70617 { 0x746d, "AMD AMD8111" },
70623 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
70624 diff -urNp linux-2.6.38.6/sound/pci/ymfpci/ymfpci_main.c linux-2.6.38.6/sound/pci/ymfpci/ymfpci_main.c
70625 --- linux-2.6.38.6/sound/pci/ymfpci/ymfpci_main.c 2011-03-14 21:20:32.000000000 -0400
70626 +++ linux-2.6.38.6/sound/pci/ymfpci/ymfpci_main.c 2011-04-28 19:57:25.000000000 -0400
70627 @@ -202,8 +202,8 @@ static void snd_ymfpci_hw_stop(struct sn
70628 if ((snd_ymfpci_readl(chip, YDSXGR_STATUS) & 2) == 0)
70631 - if (atomic_read(&chip->interrupt_sleep_count)) {
70632 - atomic_set(&chip->interrupt_sleep_count, 0);
70633 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
70634 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
70635 wake_up(&chip->interrupt_sleep);
70638 @@ -787,7 +787,7 @@ static void snd_ymfpci_irq_wait(struct s
70640 init_waitqueue_entry(&wait, current);
70641 add_wait_queue(&chip->interrupt_sleep, &wait);
70642 - atomic_inc(&chip->interrupt_sleep_count);
70643 + atomic_inc_unchecked(&chip->interrupt_sleep_count);
70644 schedule_timeout_uninterruptible(msecs_to_jiffies(50));
70645 remove_wait_queue(&chip->interrupt_sleep, &wait);
70647 @@ -825,8 +825,8 @@ static irqreturn_t snd_ymfpci_interrupt(
70648 snd_ymfpci_writel(chip, YDSXGR_MODE, mode);
70649 spin_unlock(&chip->reg_lock);
70651 - if (atomic_read(&chip->interrupt_sleep_count)) {
70652 - atomic_set(&chip->interrupt_sleep_count, 0);
70653 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
70654 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
70655 wake_up(&chip->interrupt_sleep);
70658 @@ -2363,7 +2363,7 @@ int __devinit snd_ymfpci_create(struct s
70659 spin_lock_init(&chip->reg_lock);
70660 spin_lock_init(&chip->voice_lock);
70661 init_waitqueue_head(&chip->interrupt_sleep);
70662 - atomic_set(&chip->interrupt_sleep_count, 0);
70663 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
70667 diff -urNp linux-2.6.38.6/usr/gen_init_cpio.c linux-2.6.38.6/usr/gen_init_cpio.c
70668 --- linux-2.6.38.6/usr/gen_init_cpio.c 2011-03-14 21:20:32.000000000 -0400
70669 +++ linux-2.6.38.6/usr/gen_init_cpio.c 2011-04-28 19:34:15.000000000 -0400
70670 @@ -305,7 +305,7 @@ static int cpio_mkfile(const char *name,
70679 @@ -394,9 +394,10 @@ static char *cpio_replace_env(char *new_
70680 *env_var = *expanded = '\0';
70681 strncat(env_var, start + 2, end - start - 2);
70682 strncat(expanded, new_location, start - new_location);
70683 - strncat(expanded, getenv(env_var), PATH_MAX);
70684 - strncat(expanded, end + 1, PATH_MAX);
70685 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
70686 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
70687 strncpy(new_location, expanded, PATH_MAX);
70688 + new_location[PATH_MAX] = 0;
70692 diff -urNp linux-2.6.38.6/virt/kvm/kvm_main.c linux-2.6.38.6/virt/kvm/kvm_main.c
70693 --- linux-2.6.38.6/virt/kvm/kvm_main.c 2011-03-14 21:20:32.000000000 -0400
70694 +++ linux-2.6.38.6/virt/kvm/kvm_main.c 2011-04-28 19:57:25.000000000 -0400
70695 @@ -74,7 +74,7 @@ LIST_HEAD(vm_list);
70697 static cpumask_var_t cpus_hardware_enabled;
70698 static int kvm_usage_count = 0;
70699 -static atomic_t hardware_enable_failed;
70700 +static atomic_unchecked_t hardware_enable_failed;
70702 struct kmem_cache *kvm_vcpu_cache;
70703 EXPORT_SYMBOL_GPL(kvm_vcpu_cache);
70704 @@ -1521,7 +1521,7 @@ static int kvm_vcpu_release(struct inode
70708 -static struct file_operations kvm_vcpu_fops = {
70709 +static struct file_operations kvm_vcpu_fops = { /* cannot be const */
70710 .release = kvm_vcpu_release,
70711 .unlocked_ioctl = kvm_vcpu_ioctl,
70712 .compat_ioctl = kvm_vcpu_ioctl,
70713 @@ -1990,7 +1990,7 @@ static int kvm_vm_mmap(struct file *file
70717 -static struct file_operations kvm_vm_fops = {
70718 +static struct file_operations kvm_vm_fops = { /* cannot be const */
70719 .release = kvm_vm_release,
70720 .unlocked_ioctl = kvm_vm_ioctl,
70721 #ifdef CONFIG_COMPAT
70722 @@ -2088,7 +2088,7 @@ out:
70726 -static struct file_operations kvm_chardev_ops = {
70727 +static struct file_operations kvm_chardev_ops = { /* cannot be const */
70728 .unlocked_ioctl = kvm_dev_ioctl,
70729 .compat_ioctl = kvm_dev_ioctl,
70730 .llseek = noop_llseek,
70731 @@ -2114,7 +2114,7 @@ static void hardware_enable_nolock(void
70734 cpumask_clear_cpu(cpu, cpus_hardware_enabled);
70735 - atomic_inc(&hardware_enable_failed);
70736 + atomic_inc_unchecked(&hardware_enable_failed);
70737 printk(KERN_INFO "kvm: enabling virtualization on "
70738 "CPU%d failed\n", cpu);
70740 @@ -2168,10 +2168,10 @@ static int hardware_enable_all(void)
70743 if (kvm_usage_count == 1) {
70744 - atomic_set(&hardware_enable_failed, 0);
70745 + atomic_set_unchecked(&hardware_enable_failed, 0);
70746 on_each_cpu(hardware_enable_nolock, NULL, 1);
70748 - if (atomic_read(&hardware_enable_failed)) {
70749 + if (atomic_read_unchecked(&hardware_enable_failed)) {
70750 hardware_disable_all_nolock();
70753 @@ -2443,7 +2443,7 @@ static void kvm_sched_out(struct preempt
70754 kvm_arch_vcpu_put(vcpu);
70757 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
70758 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
70759 struct module *module)
70762 @@ -2514,7 +2514,7 @@ int kvm_init(void *opaque, unsigned vcpu
70764 vcpu_align = __alignof__(struct kvm_vcpu);
70765 kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align,
70767 + SLAB_USERCOPY, NULL);
70768 if (!kvm_vcpu_cache) {
70771 --- linux-2.6.38/drivers/net/mlx4/main.c~ 2011-05-18 11:19:52.808043812 +0200
70772 +++ linux-2.6.38/drivers/net/mlx4/main.c 2011-05-18 11:49:19.999433175 +0200
70774 #include <linux/pci.h>
70775 #include <linux/dma-mapping.h>
70776 #include <linux/slab.h>
70777 +#include <linux/sched.h>
70779 #include <linux/mlx4/device.h>
70780 #include <linux/mlx4/doorbell.h>
projects / packages / kernel.git / blob