1 diff -urNp linux-2.6.33/arch/alpha/include/asm/elf.h linux-2.6.33/arch/alpha/include/asm/elf.h
2 --- linux-2.6.33/arch/alpha/include/asm/elf.h 2010-02-24 13:52:17.000000000 -0500
3 +++ linux-2.6.33/arch/alpha/include/asm/elf.h 2010-03-07 12:23:35.885719847 -0500
4 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
6 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
8 +#ifdef CONFIG_PAX_ASLR
9 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
11 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
12 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
15 /* $0 is set by ld.so to a pointer to a function which might be
16 registered using atexit. This provides a mean for the dynamic
17 linker to call DT_FINI functions for shared libraries that have
18 diff -urNp linux-2.6.33/arch/alpha/include/asm/pgtable.h linux-2.6.33/arch/alpha/include/asm/pgtable.h
19 --- linux-2.6.33/arch/alpha/include/asm/pgtable.h 2010-02-24 13:52:17.000000000 -0500
20 +++ linux-2.6.33/arch/alpha/include/asm/pgtable.h 2010-03-07 12:23:35.885719847 -0500
21 @@ -101,6 +101,17 @@ struct vm_area_struct;
22 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
23 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
24 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
26 +#ifdef CONFIG_PAX_PAGEEXEC
27 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
28 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
29 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
31 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
32 +# define PAGE_COPY_NOEXEC PAGE_COPY
33 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
36 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
38 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
39 diff -urNp linux-2.6.33/arch/alpha/kernel/module.c linux-2.6.33/arch/alpha/kernel/module.c
40 --- linux-2.6.33/arch/alpha/kernel/module.c 2010-02-24 13:52:17.000000000 -0500
41 +++ linux-2.6.33/arch/alpha/kernel/module.c 2010-03-07 12:23:35.885719847 -0500
42 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
44 /* The small sections were sorted to the end of the segment.
45 The following should definitely cover them. */
46 - gp = (u64)me->module_core + me->core_size - 0x8000;
47 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
48 got = sechdrs[me->arch.gotsecindex].sh_addr;
50 for (i = 0; i < n; i++) {
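Review bot: The comment kept above the changed line still says the small sections were sorted to "the end of the segment", but `gp` is now computed from `me->module_core_rw + me->core_size_rw` only. That is correct only if the small-data and GOT sections are placed at the end of the writable core region after the split, which this hunk does not show. Suggest updating the comment to something like `/* The small sections were sorted to the end of the writable (RW) core region. */` so that the assumption is stated where it is relied on. apply_relocate_add's body starts and ends outside the hunk.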
51 diff -urNp linux-2.6.33/arch/alpha/kernel/osf_sys.c linux-2.6.33/arch/alpha/kernel/osf_sys.c
52 --- linux-2.6.33/arch/alpha/kernel/osf_sys.c 2010-02-24 13:52:17.000000000 -0500
53 +++ linux-2.6.33/arch/alpha/kernel/osf_sys.c 2010-03-07 12:23:35.885719847 -0500
54 @@ -1205,6 +1205,10 @@ arch_get_unmapped_area(struct file *filp
55 merely specific addresses, but regions of memory -- perhaps
56 this feature should be incorporated into all ports? */
58 +#ifdef CONFIG_PAX_RANDMMAP
59 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
63 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
64 if (addr != (unsigned long) -ENOMEM)
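Review bot: The added `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own inside the `#ifdef`, so it appears to govern whatever statement follows the `#endif` (that statement is not visible in this extract). A conditional that reaches across a preprocessor boundary is easy to break when the guarded statement is later edited, and the control flow differs between the two configurations. Consider computing the condition into a local under the `#ifdef` and testing that local in ordinary braced code. The same construct is added to arch_get_unmapped_area in arch/arm/mm/mmap.c. The function body starts and ends outside this hunk.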
65 @@ -1212,8 +1216,8 @@ arch_get_unmapped_area(struct file *filp
68 /* Next, try allocating at TASK_UNMAPPED_BASE. */
69 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
71 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
73 if (addr != (unsigned long) -ENOMEM)
76 diff -urNp linux-2.6.33/arch/alpha/mm/fault.c linux-2.6.33/arch/alpha/mm/fault.c
77 --- linux-2.6.33/arch/alpha/mm/fault.c 2010-02-24 13:52:17.000000000 -0500
78 +++ linux-2.6.33/arch/alpha/mm/fault.c 2010-03-07 12:23:35.885719847 -0500
79 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
83 +#ifdef CONFIG_PAX_PAGEEXEC
85 + * PaX: decide what to do with offenders (regs->pc = fault address)
87 + * returns 1 when task should be killed
88 + * 2 when patched PLT trampoline was detected
89 + * 3 when unpatched PLT trampoline was detected
91 +static int pax_handle_fetch_fault(struct pt_regs *regs)
94 +#ifdef CONFIG_PAX_EMUPLT
97 + do { /* PaX: patched PLT emulation #1 */
98 + unsigned int ldah, ldq, jmp;
100 + err = get_user(ldah, (unsigned int *)regs->pc);
101 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
102 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
107 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
108 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
109 + jmp == 0x6BFB0000U)
111 + unsigned long r27, addr;
112 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
113 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
115 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
116 + err = get_user(r27, (unsigned long *)addr);
126 + do { /* PaX: patched PLT emulation #2 */
127 + unsigned int ldah, lda, br;
129 + err = get_user(ldah, (unsigned int *)regs->pc);
130 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
131 + err |= get_user(br, (unsigned int *)(regs->pc+8));
136 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
137 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
138 + (br & 0xFFE00000U) == 0xC3E00000U)
140 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
141 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
142 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
144 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
145 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
150 + do { /* PaX: unpatched PLT emulation */
153 + err = get_user(br, (unsigned int *)regs->pc);
155 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
156 + unsigned int br2, ldq, nop, jmp;
157 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
159 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
160 + err = get_user(br2, (unsigned int *)addr);
161 + err |= get_user(ldq, (unsigned int *)(addr+4));
162 + err |= get_user(nop, (unsigned int *)(addr+8));
163 + err |= get_user(jmp, (unsigned int *)(addr+12));
164 + err |= get_user(resolver, (unsigned long *)(addr+16));
169 + if (br2 == 0xC3600000U &&
170 + ldq == 0xA77B000CU &&
171 + nop == 0x47FF041FU &&
172 + jmp == 0x6B7B0000U)
174 + regs->r28 = regs->pc+4;
175 + regs->r27 = addr+16;
176 + regs->pc = resolver;
186 +void pax_report_insns(void *pc, void *sp)
190 + printk(KERN_ERR "PAX: bytes at PC: ");
191 + for (i = 0; i < 5; i++) {
193 + if (get_user(c, (unsigned int *)pc+i))
194 + printk(KERN_CONT "???????? ");
196 + printk(KERN_CONT "%08x ", c);
203 * This routine handles page faults. It determines the address,
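Review bot: In "patched PLT emulation #2" the word named `lda` is matched with `(lda & 0xFFFF0000U) == 0xA77B0000U`, the same pattern that emulation #1 uses for `ldq`. The handler nevertheless treats it as an address add (`regs->r27 += ...`) rather than a load. If the second instruction is meant to be an LDA, the opcode bits in that constant look wrong (an `lda $27,x($27)` would presumably encode as `0x237B0000U`); please confirm against the PLT layout the linker emits, since a mismatch would leave this branch unreachable and such trampolines would fall through to the kill result. Separately, the `get_user()` pointer casts in this function and in the alpha `pax_report_insns` lack the `__user` annotation that the ARM `pax_report_insns` in this patch carries, so sparse cannot check them.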
204 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
206 si_code = SEGV_ACCERR;
208 - if (!(vma->vm_flags & VM_EXEC))
209 + if (!(vma->vm_flags & VM_EXEC)) {
211 +#ifdef CONFIG_PAX_PAGEEXEC
212 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
215 + up_read(&mm->mmap_sem);
216 + switch (pax_handle_fetch_fault(regs)) {
218 +#ifdef CONFIG_PAX_EMUPLT
225 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
226 + do_group_exit(SIGKILL);
233 /* Allow reads even for write-only mappings */
234 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
235 diff -urNp linux-2.6.33/arch/arm/include/asm/elf.h linux-2.6.33/arch/arm/include/asm/elf.h
236 --- linux-2.6.33/arch/arm/include/asm/elf.h 2010-02-24 13:52:17.000000000 -0500
237 +++ linux-2.6.33/arch/arm/include/asm/elf.h 2010-03-07 12:23:35.885719847 -0500
238 @@ -108,7 +108,14 @@ int dump_task_regs(struct task_struct *t
239 the loader. We need to make sure that it is out of the way of the program
240 that it will "exec", and that there is sufficient room for the brk. */
242 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
243 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
245 +#ifdef CONFIG_PAX_ASLR
246 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
248 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
249 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
252 /* When the program starts, a1 contains a pointer to a function to be
253 registered with atexit, as per the SVR4 ABI. A value of 0 means we
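Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` compare the whole `current->personality` word with `PER_LINUX_32BIT` using `==`, so the test fails as soon as any other personality flag bit is set and the task silently gets the 10-bit value. The alpha hunk in this patch tests the flag with a mask; the same form here would be `((current->personality & ADDR_LIMIT_32BIT) ? 16 : 10)`, assuming `PER_LINUX_32BIT` is the 32-bit address-limit flag on this architecture. The ia64 hunks (ia32/binfmt_elf32.c and asm/elf.h) use the same `==` comparison against `PER_LINUX32`. The reordering to `(TASK_SIZE / 3 * 2)` also deserves a comment, presumably `/* divide first so the intermediate cannot overflow */`; the avr32 elf.h hunk makes the same change.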
254 diff -urNp linux-2.6.33/arch/arm/include/asm/kmap_types.h linux-2.6.33/arch/arm/include/asm/kmap_types.h
255 --- linux-2.6.33/arch/arm/include/asm/kmap_types.h 2010-02-24 13:52:17.000000000 -0500
256 +++ linux-2.6.33/arch/arm/include/asm/kmap_types.h 2010-03-07 12:23:35.885719847 -0500
257 @@ -19,6 +19,7 @@ enum km_type {
265 diff -urNp linux-2.6.33/arch/arm/include/asm/uaccess.h linux-2.6.33/arch/arm/include/asm/uaccess.h
266 --- linux-2.6.33/arch/arm/include/asm/uaccess.h 2010-02-24 13:52:17.000000000 -0500
267 +++ linux-2.6.33/arch/arm/include/asm/uaccess.h 2010-03-07 12:23:35.889620809 -0500
268 @@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
270 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
275 if (access_ok(VERIFY_READ, from, n))
276 n = __copy_from_user(to, from, n);
277 else /* security hole - plug it */
278 @@ -412,6 +415,9 @@ static inline unsigned long __must_check
280 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
285 if (access_ok(VERIFY_WRITE, to, n))
286 n = __copy_to_user(to, from, n);
288 diff -urNp linux-2.6.33/arch/arm/kernel/kgdb.c linux-2.6.33/arch/arm/kernel/kgdb.c
289 --- linux-2.6.33/arch/arm/kernel/kgdb.c 2010-02-24 13:52:17.000000000 -0500
290 +++ linux-2.6.33/arch/arm/kernel/kgdb.c 2010-03-07 12:23:35.889620809 -0500
291 @@ -190,7 +190,7 @@ void kgdb_arch_exit(void)
292 * and we handle the normal undef case within the do_undefinstr
295 -struct kgdb_arch arch_kgdb_ops = {
296 +const struct kgdb_arch arch_kgdb_ops = {
298 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
299 #else /* ! __ARMEB__ */
300 diff -urNp linux-2.6.33/arch/arm/mach-at91/pm.c linux-2.6.33/arch/arm/mach-at91/pm.c
301 --- linux-2.6.33/arch/arm/mach-at91/pm.c 2010-02-24 13:52:17.000000000 -0500
302 +++ linux-2.6.33/arch/arm/mach-at91/pm.c 2010-03-07 12:23:35.889620809 -0500
303 @@ -294,7 +294,7 @@ static void at91_pm_end(void)
307 -static struct platform_suspend_ops at91_pm_ops ={
308 +static const struct platform_suspend_ops at91_pm_ops ={
309 .valid = at91_pm_valid_state,
310 .begin = at91_pm_begin,
311 .enter = at91_pm_enter,
312 diff -urNp linux-2.6.33/arch/arm/mach-omap1/pm.c linux-2.6.33/arch/arm/mach-omap1/pm.c
313 --- linux-2.6.33/arch/arm/mach-omap1/pm.c 2010-02-24 13:52:17.000000000 -0500
314 +++ linux-2.6.33/arch/arm/mach-omap1/pm.c 2010-03-07 12:23:35.889620809 -0500
315 @@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq
319 -static struct platform_suspend_ops omap_pm_ops ={
320 +static const struct platform_suspend_ops omap_pm_ops ={
321 .prepare = omap_pm_prepare,
322 .enter = omap_pm_enter,
323 .finish = omap_pm_finish,
324 diff -urNp linux-2.6.33/arch/arm/mach-omap2/pm24xx.c linux-2.6.33/arch/arm/mach-omap2/pm24xx.c
325 --- linux-2.6.33/arch/arm/mach-omap2/pm24xx.c 2010-02-24 13:52:17.000000000 -0500
326 +++ linux-2.6.33/arch/arm/mach-omap2/pm24xx.c 2010-03-07 12:23:35.889620809 -0500
327 @@ -326,7 +326,7 @@ static void omap2_pm_finish(void)
331 -static struct platform_suspend_ops omap_pm_ops = {
332 +static const struct platform_suspend_ops omap_pm_ops = {
333 .prepare = omap2_pm_prepare,
334 .enter = omap2_pm_enter,
335 .finish = omap2_pm_finish,
336 diff -urNp linux-2.6.33/arch/arm/mach-omap2/pm34xx.c linux-2.6.33/arch/arm/mach-omap2/pm34xx.c
337 --- linux-2.6.33/arch/arm/mach-omap2/pm34xx.c 2010-02-24 13:52:17.000000000 -0500
338 +++ linux-2.6.33/arch/arm/mach-omap2/pm34xx.c 2010-03-07 12:23:35.889620809 -0500
339 @@ -650,7 +650,7 @@ static void omap3_pm_end(void)
343 -static struct platform_suspend_ops omap_pm_ops = {
344 +static const struct platform_suspend_ops omap_pm_ops = {
345 .begin = omap3_pm_begin,
347 .prepare = omap3_pm_prepare,
348 diff -urNp linux-2.6.33/arch/arm/mach-pnx4008/pm.c linux-2.6.33/arch/arm/mach-pnx4008/pm.c
349 --- linux-2.6.33/arch/arm/mach-pnx4008/pm.c 2010-02-24 13:52:17.000000000 -0500
350 +++ linux-2.6.33/arch/arm/mach-pnx4008/pm.c 2010-03-07 12:23:35.889620809 -0500
351 @@ -116,7 +116,7 @@ static int pnx4008_pm_valid(suspend_stat
352 (state == PM_SUSPEND_MEM);
355 -static struct platform_suspend_ops pnx4008_pm_ops = {
356 +static const struct platform_suspend_ops pnx4008_pm_ops = {
357 .enter = pnx4008_pm_enter,
358 .valid = pnx4008_pm_valid,
360 diff -urNp linux-2.6.33/arch/arm/mach-pxa/pm.c linux-2.6.33/arch/arm/mach-pxa/pm.c
361 --- linux-2.6.33/arch/arm/mach-pxa/pm.c 2010-02-24 13:52:17.000000000 -0500
362 +++ linux-2.6.33/arch/arm/mach-pxa/pm.c 2010-03-07 12:23:35.889620809 -0500
363 @@ -95,7 +95,7 @@ void pxa_pm_finish(void)
364 pxa_cpu_pm_fns->finish();
367 -static struct platform_suspend_ops pxa_pm_ops = {
368 +static const struct platform_suspend_ops pxa_pm_ops = {
369 .valid = pxa_pm_valid,
370 .enter = pxa_pm_enter,
371 .prepare = pxa_pm_prepare,
372 diff -urNp linux-2.6.33/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.33/arch/arm/mach-pxa/sharpsl_pm.c
373 --- linux-2.6.33/arch/arm/mach-pxa/sharpsl_pm.c 2010-02-24 13:52:17.000000000 -0500
374 +++ linux-2.6.33/arch/arm/mach-pxa/sharpsl_pm.c 2010-03-07 12:23:35.889620809 -0500
375 @@ -892,7 +892,7 @@ static void sharpsl_apm_get_power_status
379 -static struct platform_suspend_ops sharpsl_pm_ops = {
380 +static const struct platform_suspend_ops sharpsl_pm_ops = {
381 .prepare = pxa_pm_prepare,
382 .finish = pxa_pm_finish,
383 .enter = corgi_pxa_pm_enter,
384 diff -urNp linux-2.6.33/arch/arm/mach-sa1100/pm.c linux-2.6.33/arch/arm/mach-sa1100/pm.c
385 --- linux-2.6.33/arch/arm/mach-sa1100/pm.c 2010-02-24 13:52:17.000000000 -0500
386 +++ linux-2.6.33/arch/arm/mach-sa1100/pm.c 2010-03-07 12:23:35.889620809 -0500
387 @@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
388 return virt_to_phys(sp);
391 -static struct platform_suspend_ops sa11x0_pm_ops = {
392 +static const struct platform_suspend_ops sa11x0_pm_ops = {
393 .enter = sa11x0_pm_enter,
394 .valid = suspend_valid_only_mem,
396 diff -urNp linux-2.6.33/arch/arm/mm/fault.c linux-2.6.33/arch/arm/mm/fault.c
397 --- linux-2.6.33/arch/arm/mm/fault.c 2010-02-24 13:52:17.000000000 -0500
398 +++ linux-2.6.33/arch/arm/mm/fault.c 2010-03-07 12:23:35.889620809 -0500
399 @@ -166,6 +166,13 @@ __do_user_fault(struct task_struct *tsk,
403 +#ifdef CONFIG_PAX_PAGEEXEC
404 + if (fsr & FSR_LNX_PF) {
405 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
406 + do_group_exit(SIGKILL);
410 tsk->thread.address = addr;
411 tsk->thread.error_code = fsr;
412 tsk->thread.trap_no = 14;
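Review bot: The added block kills the thread group on `fsr & FSR_LNX_PF` whenever `CONFIG_PAX_PAGEEXEC` is built in, without consulting the per-task flag. The alpha and avr32 fault handlers in this patch both test `mm->pax_flags & MF_PAX_PAGEEXEC` before calling `pax_report_fault()`, so a task with PAGEEXEC disabled would still be killed here instead of receiving the normal signal. If that is intended on ARM a comment should say so; otherwise the condition could be `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {`. __do_user_fault's body starts and ends outside the hunk.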
413 @@ -357,6 +364,33 @@ do_page_fault(unsigned long addr, unsign
415 #endif /* CONFIG_MMU */
417 +#ifdef CONFIG_PAX_PAGEEXEC
418 +void pax_report_insns(void *pc, void *sp)
422 + printk(KERN_ERR "PAX: bytes at PC: ");
423 + for (i = 0; i < 20; i++) {
425 + if (get_user(c, (__force unsigned char __user *)pc+i))
426 + printk(KERN_CONT "?? ");
428 + printk(KERN_CONT "%02x ", c);
432 + printk(KERN_ERR "PAX: bytes at SP-4: ");
433 + for (i = -1; i < 20; i++) {
435 + if (get_user(c, (__force unsigned long __user *)sp+i))
436 + printk(KERN_CONT "???????? ");
438 + printk(KERN_CONT "%08lx ", c);
445 * First Level Translation Fault Handler
447 diff -urNp linux-2.6.33/arch/arm/mm/mmap.c linux-2.6.33/arch/arm/mm/mmap.c
448 --- linux-2.6.33/arch/arm/mm/mmap.c 2010-02-24 13:52:17.000000000 -0500
449 +++ linux-2.6.33/arch/arm/mm/mmap.c 2010-03-07 12:23:35.889620809 -0500
450 @@ -63,6 +63,10 @@ arch_get_unmapped_area(struct file *filp
454 +#ifdef CONFIG_PAX_RANDMMAP
455 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
460 addr = COLOUR_ALIGN(addr, pgoff);
461 @@ -75,10 +79,10 @@ arch_get_unmapped_area(struct file *filp
464 if (len > mm->cached_hole_size) {
465 - start_addr = addr = mm->free_area_cache;
466 + start_addr = addr = mm->free_area_cache;
468 - start_addr = addr = TASK_UNMAPPED_BASE;
469 - mm->cached_hole_size = 0;
470 + start_addr = addr = mm->mmap_base;
471 + mm->cached_hole_size = 0;
475 @@ -94,8 +98,8 @@ full_search:
476 * Start a new search - just in case we missed
479 - if (start_addr != TASK_UNMAPPED_BASE) {
480 - start_addr = addr = TASK_UNMAPPED_BASE;
481 + if (start_addr != mm->mmap_base) {
482 + start_addr = addr = mm->mmap_base;
483 mm->cached_hole_size = 0;
486 diff -urNp linux-2.6.33/arch/arm/plat-s3c/pm.c linux-2.6.33/arch/arm/plat-s3c/pm.c
487 --- linux-2.6.33/arch/arm/plat-s3c/pm.c 2010-02-24 13:52:17.000000000 -0500
488 +++ linux-2.6.33/arch/arm/plat-s3c/pm.c 2010-03-07 12:23:35.889620809 -0500
489 @@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
490 s3c_pm_check_cleanup();
493 -static struct platform_suspend_ops s3c_pm_ops = {
494 +static const struct platform_suspend_ops s3c_pm_ops = {
495 .enter = s3c_pm_enter,
496 .prepare = s3c_pm_prepare,
497 .finish = s3c_pm_finish,
498 diff -urNp linux-2.6.33/arch/avr32/include/asm/elf.h linux-2.6.33/arch/avr32/include/asm/elf.h
499 --- linux-2.6.33/arch/avr32/include/asm/elf.h 2010-02-24 13:52:17.000000000 -0500
500 +++ linux-2.6.33/arch/avr32/include/asm/elf.h 2010-03-07 12:23:35.889620809 -0500
501 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
502 the loader. We need to make sure that it is out of the way of the program
503 that it will "exec", and that there is sufficient room for the brk. */
505 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
506 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
508 +#ifdef CONFIG_PAX_ASLR
509 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
511 +#define PAX_DELTA_MMAP_LEN 15
512 +#define PAX_DELTA_STACK_LEN 15
515 /* This yields a mask that user programs can use to figure out what
516 instruction set this CPU supports. This could be done in user space,
517 diff -urNp linux-2.6.33/arch/avr32/include/asm/kmap_types.h linux-2.6.33/arch/avr32/include/asm/kmap_types.h
518 --- linux-2.6.33/arch/avr32/include/asm/kmap_types.h 2010-02-24 13:52:17.000000000 -0500
519 +++ linux-2.6.33/arch/avr32/include/asm/kmap_types.h 2010-03-07 12:23:35.889620809 -0500
520 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
530 diff -urNp linux-2.6.33/arch/avr32/mach-at32ap/pm.c linux-2.6.33/arch/avr32/mach-at32ap/pm.c
531 --- linux-2.6.33/arch/avr32/mach-at32ap/pm.c 2010-02-24 13:52:17.000000000 -0500
532 +++ linux-2.6.33/arch/avr32/mach-at32ap/pm.c 2010-03-07 12:23:35.889620809 -0500
533 @@ -176,7 +176,7 @@ out:
537 -static struct platform_suspend_ops avr32_pm_ops = {
538 +static const struct platform_suspend_ops avr32_pm_ops = {
539 .valid = avr32_pm_valid_state,
540 .enter = avr32_pm_enter,
542 diff -urNp linux-2.6.33/arch/avr32/mm/fault.c linux-2.6.33/arch/avr32/mm/fault.c
543 --- linux-2.6.33/arch/avr32/mm/fault.c 2010-02-24 13:52:17.000000000 -0500
544 +++ linux-2.6.33/arch/avr32/mm/fault.c 2010-03-07 12:23:35.889620809 -0500
545 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
547 int exception_trace = 1;
549 +#ifdef CONFIG_PAX_PAGEEXEC
550 +void pax_report_insns(void *pc, void *sp)
554 + printk(KERN_ERR "PAX: bytes at PC: ");
555 + for (i = 0; i < 20; i++) {
557 + if (get_user(c, (unsigned char *)pc+i))
558 + printk(KERN_CONT "???????? ");
560 + printk(KERN_CONT "%02x ", c);
567 * This routine handles page faults. It determines the address and the
568 * problem, and then passes it off to one of the appropriate routines.
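Review bot: `pax_report_insns` reads one byte per iteration (`(unsigned char *)pc+i`, printed with `"%02x "`) but prints the eight-character placeholder `"???????? "` when `get_user()` fails, so a partly unreadable dump no longer lines up byte for byte. The ARM version in this patch uses `printk(KERN_CONT "?? ");` for its byte loop, and the same string fits here. The pointer cast also lacks the `__user` annotation that the ARM version carries.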
569 @@ -157,6 +174,16 @@ bad_area:
570 up_read(&mm->mmap_sem);
572 if (user_mode(regs)) {
574 +#ifdef CONFIG_PAX_PAGEEXEC
575 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
576 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
577 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
578 + do_group_exit(SIGKILL);
583 if (exception_trace && printk_ratelimit())
584 printk("%s%s[%d]: segfault at %08lx pc %08lx "
585 "sp %08lx ecr %lu\n",
586 diff -urNp linux-2.6.33/arch/blackfin/kernel/kgdb.c linux-2.6.33/arch/blackfin/kernel/kgdb.c
587 --- linux-2.6.33/arch/blackfin/kernel/kgdb.c 2010-02-24 13:52:17.000000000 -0500
588 +++ linux-2.6.33/arch/blackfin/kernel/kgdb.c 2010-03-07 12:23:35.889620809 -0500
589 @@ -397,7 +397,7 @@ int kgdb_arch_handle_exception(int vecto
590 return -1; /* this means that we do not want to exit from the handler */
593 -struct kgdb_arch arch_kgdb_ops = {
594 +const struct kgdb_arch arch_kgdb_ops = {
595 .gdb_bpt_instr = {0xa1},
597 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
598 diff -urNp linux-2.6.33/arch/blackfin/mach-common/pm.c linux-2.6.33/arch/blackfin/mach-common/pm.c
599 --- linux-2.6.33/arch/blackfin/mach-common/pm.c 2010-02-24 13:52:17.000000000 -0500
600 +++ linux-2.6.33/arch/blackfin/mach-common/pm.c 2010-03-07 12:23:35.889620809 -0500
601 @@ -255,7 +255,7 @@ static int bfin_pm_enter(suspend_state_t
605 -struct platform_suspend_ops bfin_pm_ops = {
606 +const struct platform_suspend_ops bfin_pm_ops = {
607 .enter = bfin_pm_enter,
608 .valid = bfin_pm_valid,
610 diff -urNp linux-2.6.33/arch/blackfin/mm/maccess.c linux-2.6.33/arch/blackfin/mm/maccess.c
611 --- linux-2.6.33/arch/blackfin/mm/maccess.c 2010-02-24 13:52:17.000000000 -0500
612 +++ linux-2.6.33/arch/blackfin/mm/maccess.c 2010-03-07 12:23:35.889620809 -0500
613 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
614 return bfin_mem_access_type(addr, size);
617 -long probe_kernel_read(void *dst, void *src, size_t size)
618 +long probe_kernel_read(void *dst, const void *src, size_t size)
620 unsigned long lsrc = (unsigned long)src;
622 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
626 -long probe_kernel_write(void *dst, void *src, size_t size)
627 +long probe_kernel_write(void *dst, const void *src, size_t size)
629 unsigned long ldst = (unsigned long)dst;
631 diff -urNp linux-2.6.33/arch/frv/include/asm/kmap_types.h linux-2.6.33/arch/frv/include/asm/kmap_types.h
632 --- linux-2.6.33/arch/frv/include/asm/kmap_types.h 2010-02-24 13:52:17.000000000 -0500
633 +++ linux-2.6.33/arch/frv/include/asm/kmap_types.h 2010-03-07 12:23:35.889620809 -0500
634 @@ -23,6 +23,7 @@ enum km_type {
642 diff -urNp linux-2.6.33/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.33/arch/ia64/hp/common/hwsw_iommu.c
643 --- linux-2.6.33/arch/ia64/hp/common/hwsw_iommu.c 2010-02-24 13:52:17.000000000 -0500
644 +++ linux-2.6.33/arch/ia64/hp/common/hwsw_iommu.c 2010-03-07 12:23:35.889620809 -0500
646 #include <linux/swiotlb.h>
647 #include <asm/machvec.h>
649 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
650 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
652 /* swiotlb declarations & definitions: */
653 extern int swiotlb_late_init_with_default_size (size_t size);
654 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
655 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
658 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
659 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
661 if (use_swiotlb(dev))
662 return &swiotlb_dma_ops;
663 diff -urNp linux-2.6.33/arch/ia64/hp/common/sba_iommu.c linux-2.6.33/arch/ia64/hp/common/sba_iommu.c
664 --- linux-2.6.33/arch/ia64/hp/common/sba_iommu.c 2010-02-24 13:52:17.000000000 -0500
665 +++ linux-2.6.33/arch/ia64/hp/common/sba_iommu.c 2010-03-07 12:23:35.889620809 -0500
666 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
670 -extern struct dma_map_ops swiotlb_dma_ops;
671 +extern const struct dma_map_ops swiotlb_dma_ops;
675 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
677 __setup("sbapagesize=",sba_page_override);
679 -struct dma_map_ops sba_dma_ops = {
680 +const struct dma_map_ops sba_dma_ops = {
681 .alloc_coherent = sba_alloc_coherent,
682 .free_coherent = sba_free_coherent,
683 .map_page = sba_map_page,
684 diff -urNp linux-2.6.33/arch/ia64/ia32/binfmt_elf32.c linux-2.6.33/arch/ia64/ia32/binfmt_elf32.c
685 --- linux-2.6.33/arch/ia64/ia32/binfmt_elf32.c 2010-02-24 13:52:17.000000000 -0500
686 +++ linux-2.6.33/arch/ia64/ia32/binfmt_elf32.c 2010-03-07 12:23:35.889620809 -0500
687 @@ -45,6 +45,13 @@ randomize_stack_top(unsigned long stack_
689 #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
691 +#ifdef CONFIG_PAX_ASLR
692 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
694 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
695 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
698 /* Ugly but avoids duplication */
699 #include "../../../fs/binfmt_elf.c"
701 diff -urNp linux-2.6.33/arch/ia64/ia32/ia32priv.h linux-2.6.33/arch/ia64/ia32/ia32priv.h
702 --- linux-2.6.33/arch/ia64/ia32/ia32priv.h 2010-02-24 13:52:17.000000000 -0500
703 +++ linux-2.6.33/arch/ia64/ia32/ia32priv.h 2010-03-07 12:23:35.889620809 -0500
704 @@ -296,7 +296,14 @@ typedef struct compat_siginfo {
705 #define ELF_DATA ELFDATA2LSB
706 #define ELF_ARCH EM_386
708 -#define IA32_STACK_TOP IA32_PAGE_OFFSET
709 +#ifdef CONFIG_PAX_RANDUSTACK
710 +#define __IA32_DELTA_STACK (current->mm->delta_stack)
712 +#define __IA32_DELTA_STACK 0UL
715 +#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
717 #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
718 #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
720 diff -urNp linux-2.6.33/arch/ia64/include/asm/dma-mapping.h linux-2.6.33/arch/ia64/include/asm/dma-mapping.h
721 --- linux-2.6.33/arch/ia64/include/asm/dma-mapping.h 2010-02-24 13:52:17.000000000 -0500
722 +++ linux-2.6.33/arch/ia64/include/asm/dma-mapping.h 2010-03-07 12:23:35.889620809 -0500
725 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
727 -extern struct dma_map_ops *dma_ops;
728 +extern const struct dma_map_ops *dma_ops;
729 extern struct ia64_machine_vector ia64_mv;
730 extern void set_iommu_machvec(void);
732 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
733 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
734 dma_addr_t *daddr, gfp_t gfp)
736 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
737 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
740 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
741 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
742 static inline void dma_free_coherent(struct device *dev, size_t size,
743 void *caddr, dma_addr_t daddr)
745 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
746 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
747 debug_dma_free_coherent(dev, size, caddr, daddr);
748 ops->free_coherent(dev, size, caddr, daddr);
750 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
752 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
754 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
755 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
756 return ops->mapping_error(dev, daddr);
759 static inline int dma_supported(struct device *dev, u64 mask)
761 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
762 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
763 return ops->dma_supported(dev, mask);
766 diff -urNp linux-2.6.33/arch/ia64/include/asm/elf.h linux-2.6.33/arch/ia64/include/asm/elf.h
767 --- linux-2.6.33/arch/ia64/include/asm/elf.h 2010-02-24 13:52:17.000000000 -0500
768 +++ linux-2.6.33/arch/ia64/include/asm/elf.h 2010-03-07 12:23:35.889620809 -0500
771 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
773 +#ifdef CONFIG_PAX_ASLR
774 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
776 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
777 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
780 #define PT_IA_64_UNWIND 0x70000001
782 /* IA-64 relocations: */
783 diff -urNp linux-2.6.33/arch/ia64/include/asm/machvec.h linux-2.6.33/arch/ia64/include/asm/machvec.h
784 --- linux-2.6.33/arch/ia64/include/asm/machvec.h 2010-02-24 13:52:17.000000000 -0500
785 +++ linux-2.6.33/arch/ia64/include/asm/machvec.h 2010-03-07 12:23:35.889620809 -0500
786 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
787 /* DMA-mapping interface: */
788 typedef void ia64_mv_dma_init (void);
789 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
790 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
791 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
794 * WARNING: The legacy I/O space is _architected_. Platforms are
795 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
796 # endif /* CONFIG_IA64_GENERIC */
798 extern void swiotlb_dma_init(void);
799 -extern struct dma_map_ops *dma_get_ops(struct device *);
800 +extern const struct dma_map_ops *dma_get_ops(struct device *);
803 * Define default versions so we can extend machvec for new platforms without having
804 diff -urNp linux-2.6.33/arch/ia64/include/asm/pgtable.h linux-2.6.33/arch/ia64/include/asm/pgtable.h
805 --- linux-2.6.33/arch/ia64/include/asm/pgtable.h 2010-02-24 13:52:17.000000000 -0500
806 +++ linux-2.6.33/arch/ia64/include/asm/pgtable.h 2010-03-07 12:23:35.889620809 -0500
808 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
809 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
810 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
812 +#ifdef CONFIG_PAX_PAGEEXEC
813 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
814 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
815 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
817 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
818 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
819 +# define PAGE_COPY_NOEXEC PAGE_COPY
822 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
823 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
824 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
825 diff -urNp linux-2.6.33/arch/ia64/include/asm/uaccess.h linux-2.6.33/arch/ia64/include/asm/uaccess.h
826 --- linux-2.6.33/arch/ia64/include/asm/uaccess.h 2010-02-24 13:52:17.000000000 -0500
827 +++ linux-2.6.33/arch/ia64/include/asm/uaccess.h 2010-03-07 12:23:35.889620809 -0500
828 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
829 const void *__cu_from = (from); \
830 long __cu_len = (n); \
832 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
833 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
834 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
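Review bot: The new bound `__cu_len > 0 && __cu_len <= INT_MAX` is added without a comment, and what the macro yields when the bound rejects a request is not obvious from the changed line. As far as the visible lines show, `__cu_len` keeps the caller's `n` in that case, so a negative or oversized length is presumably reported back as "nothing copied". A comment such as `/* reject negative or oversized lengths before touching user memory; the full length is then reported as uncopied */` would make that contract explicit. The next hunk applies the same bound to the other copy direction and needs the same comment. Both macro bodies start and end outside the hunks, so whether the kernel destination buffer is cleared on rejection cannot be judged from here.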
837 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
838 long __cu_len = (n); \
840 __chk_user_ptr(__cu_from); \
841 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
842 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
843 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
846 diff -urNp linux-2.6.33/arch/ia64/kernel/dma-mapping.c linux-2.6.33/arch/ia64/kernel/dma-mapping.c
847 --- linux-2.6.33/arch/ia64/kernel/dma-mapping.c 2010-02-24 13:52:17.000000000 -0500
848 +++ linux-2.6.33/arch/ia64/kernel/dma-mapping.c 2010-03-07 12:23:35.889620809 -0500
850 /* Set this to 1 if there is a HW IOMMU in the system */
851 int iommu_detected __read_mostly;
853 -struct dma_map_ops *dma_ops;
854 +const struct dma_map_ops *dma_ops;
855 EXPORT_SYMBOL(dma_ops);
857 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
858 @@ -16,7 +16,7 @@ static int __init dma_init(void)
860 fs_initcall(dma_init);
862 -struct dma_map_ops *dma_get_ops(struct device *dev)
863 +const struct dma_map_ops *dma_get_ops(struct device *dev)
867 diff -urNp linux-2.6.33/arch/ia64/kernel/module.c linux-2.6.33/arch/ia64/kernel/module.c
868 --- linux-2.6.33/arch/ia64/kernel/module.c 2010-02-24 13:52:17.000000000 -0500
869 +++ linux-2.6.33/arch/ia64/kernel/module.c 2010-03-07 12:23:35.895205004 -0500
870 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
872 module_free (struct module *mod, void *module_region)
874 - if (mod && mod->arch.init_unw_table &&
875 - module_region == mod->module_init) {
876 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
877 unw_remove_unwind_table(mod->arch.init_unw_table);
878 mod->arch.init_unw_table = NULL;
880 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
884 +in_init_rx (const struct module *mod, uint64_t addr)
886 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
890 +in_init_rw (const struct module *mod, uint64_t addr)
892 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
896 in_init (const struct module *mod, uint64_t addr)
898 - return addr - (uint64_t) mod->module_init < mod->init_size;
899 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
903 +in_core_rx (const struct module *mod, uint64_t addr)
905 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
909 +in_core_rw (const struct module *mod, uint64_t addr)
911 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
915 in_core (const struct module *mod, uint64_t addr)
917 - return addr - (uint64_t) mod->module_core < mod->core_size;
918 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
922 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
926 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
927 + if (in_init_rx(mod, val))
928 + val -= (uint64_t) mod->module_init_rx;
929 + else if (in_init_rw(mod, val))
930 + val -= (uint64_t) mod->module_init_rw;
931 + else if (in_core_rx(mod, val))
932 + val -= (uint64_t) mod->module_core_rx;
933 + else if (in_core_rw(mod, val))
934 + val -= (uint64_t) mod->module_core_rw;
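Review bot: The new `if`/`else if` chain has no final `else`, so a `val` that falls in none of the four regions keeps its absolute address. The replaced line always subtracted a base, falling back to `mod->module_core`. Nothing in the visible lines reports or rejects that case. I would close the chain with `else { printk(KERN_ERR "%s: relocation target outside module\n", mod->name); return -ENOEXEC; }`, or at least a comment saying the unadjusted value is intended. The enclosing case of do_reloc starts and ends outside the hunk, so check the error convention there before adopting the exact return.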
938 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
939 * addresses have been selected...
942 - if (mod->core_size > MAX_LTOFF)
943 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
945 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
946 * at the end of the module.
948 - gp = mod->core_size - MAX_LTOFF / 2;
949 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
951 - gp = mod->core_size / 2;
952 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
953 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
954 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
956 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
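Review bot: The gp computation adds an offset derived from the combined size `core_size_rx + core_size_rw` to `module_core_rx`, which only lands inside the module if the RW part directly follows the RX part in one contiguous allocation. Nothing in the hunk states or checks that layout; if the two regions were ever allocated separately, gp could point past the RX region. I would add `/* relies on module_core_rw == module_core_rx + core_size_rx */` next to the assignment, and a `BUG_ON` on that equality if the layout is not guaranteed elsewhere. The same assumption sits behind the `MAX_LTOFF` comparison at the top of the hunk.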
958 diff -urNp linux-2.6.33/arch/ia64/kernel/pci-dma.c linux-2.6.33/arch/ia64/kernel/pci-dma.c
959 --- linux-2.6.33/arch/ia64/kernel/pci-dma.c 2010-02-24 13:52:17.000000000 -0500
960 +++ linux-2.6.33/arch/ia64/kernel/pci-dma.c 2010-03-07 12:23:35.895205004 -0500
961 @@ -43,7 +43,7 @@ struct device fallback_dev = {
962 .dma_mask = &fallback_dev.coherent_dma_mask,
965 -extern struct dma_map_ops intel_dma_ops;
966 +extern const struct dma_map_ops intel_dma_ops;
968 static int __init pci_iommu_init(void)
970 diff -urNp linux-2.6.33/arch/ia64/kernel/pci-swiotlb.c linux-2.6.33/arch/ia64/kernel/pci-swiotlb.c
971 --- linux-2.6.33/arch/ia64/kernel/pci-swiotlb.c 2010-02-24 13:52:17.000000000 -0500
972 +++ linux-2.6.33/arch/ia64/kernel/pci-swiotlb.c 2010-03-07 12:23:35.895205004 -0500
973 @@ -21,7 +21,7 @@ static void *ia64_swiotlb_alloc_coherent
974 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
977 -struct dma_map_ops swiotlb_dma_ops = {
978 +const struct dma_map_ops swiotlb_dma_ops = {
979 .alloc_coherent = ia64_swiotlb_alloc_coherent,
980 .free_coherent = swiotlb_free_coherent,
981 .map_page = swiotlb_map_page,
982 diff -urNp linux-2.6.33/arch/ia64/kernel/sys_ia64.c linux-2.6.33/arch/ia64/kernel/sys_ia64.c
983 --- linux-2.6.33/arch/ia64/kernel/sys_ia64.c 2010-02-24 13:52:17.000000000 -0500
984 +++ linux-2.6.33/arch/ia64/kernel/sys_ia64.c 2010-03-07 12:23:35.895205004 -0500
985 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
986 if (REGION_NUMBER(addr) == RGN_HPAGE)
990 +#ifdef CONFIG_PAX_RANDMMAP
991 + if (mm->pax_flags & MF_PAX_RANDMMAP)
992 + addr = mm->free_area_cache;
997 addr = mm->free_area_cache;
999 @@ -61,9 +68,9 @@ arch_get_unmapped_area (struct file *fil
1000 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1001 /* At this point: (!vma || addr < vma->vm_end). */
1002 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1003 - if (start_addr != TASK_UNMAPPED_BASE) {
1004 + if (start_addr != mm->mmap_base) {
1005 /* Start a new search --- just in case we missed some holes. */
1006 - addr = TASK_UNMAPPED_BASE;
1007 + addr = mm->mmap_base;
1011 diff -urNp linux-2.6.33/arch/ia64/kernel/topology.c linux-2.6.33/arch/ia64/kernel/topology.c
1012 --- linux-2.6.33/arch/ia64/kernel/topology.c 2010-02-24 13:52:17.000000000 -0500
1013 +++ linux-2.6.33/arch/ia64/kernel/topology.c 2010-03-07 12:23:35.895205004 -0500
1014 @@ -282,7 +282,7 @@ static ssize_t cache_show(struct kobject
1018 -static struct sysfs_ops cache_sysfs_ops = {
1019 +static const struct sysfs_ops cache_sysfs_ops = {
1023 diff -urNp linux-2.6.33/arch/ia64/kernel/vmlinux.lds.S linux-2.6.33/arch/ia64/kernel/vmlinux.lds.S
1024 --- linux-2.6.33/arch/ia64/kernel/vmlinux.lds.S 2010-02-24 13:52:17.000000000 -0500
1025 +++ linux-2.6.33/arch/ia64/kernel/vmlinux.lds.S 2010-03-07 12:23:35.895205004 -0500
1026 @@ -196,7 +196,7 @@ SECTIONS
1028 . = ALIGN(PERCPU_PAGE_SIZE);
1029 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1030 - __phys_per_cpu_start = __per_cpu_load;
1031 + __phys_per_cpu_start = per_cpu_load;
1032 . = __phys_per_cpu_start + PERCPU_PAGE_SIZE; /* ensure percpu data fits
1033 * into percpu page size
1035 diff -urNp linux-2.6.33/arch/ia64/mm/fault.c linux-2.6.33/arch/ia64/mm/fault.c
1036 --- linux-2.6.33/arch/ia64/mm/fault.c 2010-02-24 13:52:17.000000000 -0500
1037 +++ linux-2.6.33/arch/ia64/mm/fault.c 2010-03-07 12:23:35.895205004 -0500
1038 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1039 return pte_present(pte);
1042 +#ifdef CONFIG_PAX_PAGEEXEC
1043 +void pax_report_insns(void *pc, void *sp)
1047 + printk(KERN_ERR "PAX: bytes at PC: ");
1048 + for (i = 0; i < 8; i++) {
1050 + if (get_user(c, (unsigned int *)pc+i))
1051 + printk(KERN_CONT "???????? ");
1053 + printk(KERN_CONT "%08x ", c);
1060 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
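Review bot: `get_user(c, (unsigned int *)pc+i)` casts the faulting PC to a plain kernel pointer, dropping the `__user` address-space annotation that get_user expects, so sparse cannot check this access. The same cast appears in the pax_report_insns copies added to arch/mips/mm/fault.c and arch/parisc/mm/fault.c later in this patch. I would write `get_user(c, (unsigned int __user *)pc + i)` in all three. A one-line comment above the function saying it dumps the instruction words at the user-mode PC, printing `????????` for unreadable ones, would also help, since the body is otherwise undocumented.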
1062 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1063 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1064 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1066 - if ((vma->vm_flags & mask) != mask)
1067 + if ((vma->vm_flags & mask) != mask) {
1069 +#ifdef CONFIG_PAX_PAGEEXEC
1070 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1071 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1074 + up_read(&mm->mmap_sem);
1075 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1076 + do_group_exit(SIGKILL);
1086 * If for any reason at all we couldn't handle the fault, make
1087 diff -urNp linux-2.6.33/arch/ia64/mm/init.c linux-2.6.33/arch/ia64/mm/init.c
1088 --- linux-2.6.33/arch/ia64/mm/init.c 2010-02-24 13:52:17.000000000 -0500
1089 +++ linux-2.6.33/arch/ia64/mm/init.c 2010-03-07 12:23:35.895205004 -0500
1090 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1091 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1092 vma->vm_end = vma->vm_start + PAGE_SIZE;
1093 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1095 +#ifdef CONFIG_PAX_PAGEEXEC
1096 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1097 + vma->vm_flags &= ~VM_EXEC;
1099 +#ifdef CONFIG_PAX_MPROTECT
1100 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1101 + vma->vm_flags &= ~VM_MAYEXEC;
1107 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1108 down_write(¤t->mm->mmap_sem);
1109 if (insert_vm_struct(current->mm, vma)) {
1110 diff -urNp linux-2.6.33/arch/ia64/sn/pci/pci_dma.c linux-2.6.33/arch/ia64/sn/pci/pci_dma.c
1111 --- linux-2.6.33/arch/ia64/sn/pci/pci_dma.c 2010-02-24 13:52:17.000000000 -0500
1112 +++ linux-2.6.33/arch/ia64/sn/pci/pci_dma.c 2010-03-07 12:23:35.895205004 -0500
1113 @@ -464,7 +464,7 @@ int sn_pci_legacy_write(struct pci_bus *
1117 -static struct dma_map_ops sn_dma_ops = {
1118 +static const struct dma_map_ops sn_dma_ops = {
1119 .alloc_coherent = sn_dma_alloc_coherent,
1120 .free_coherent = sn_dma_free_coherent,
1121 .map_page = sn_dma_map_page,
1122 diff -urNp linux-2.6.33/arch/m32r/lib/usercopy.c linux-2.6.33/arch/m32r/lib/usercopy.c
1123 --- linux-2.6.33/arch/m32r/lib/usercopy.c 2010-02-24 13:52:17.000000000 -0500
1124 +++ linux-2.6.33/arch/m32r/lib/usercopy.c 2010-03-07 12:23:35.895205004 -0500
1127 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1133 if (access_ok(VERIFY_WRITE, to, n))
1134 __copy_user(to,from,n);
1135 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1137 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1143 if (access_ok(VERIFY_READ, from, n))
1144 __copy_user_zeroing(to,from,n);
1145 diff -urNp linux-2.6.33/arch/mips/alchemy/devboards/pm.c linux-2.6.33/arch/mips/alchemy/devboards/pm.c
1146 --- linux-2.6.33/arch/mips/alchemy/devboards/pm.c 2010-02-24 13:52:17.000000000 -0500
1147 +++ linux-2.6.33/arch/mips/alchemy/devboards/pm.c 2010-03-07 12:23:35.895205004 -0500
1148 @@ -78,7 +78,7 @@ static void db1x_pm_end(void)
1152 -static struct platform_suspend_ops db1x_pm_ops = {
1153 +static const struct platform_suspend_ops db1x_pm_ops = {
1154 .valid = suspend_valid_only_mem,
1155 .begin = db1x_pm_begin,
1156 .enter = db1x_pm_enter,
1157 diff -urNp linux-2.6.33/arch/mips/include/asm/elf.h linux-2.6.33/arch/mips/include/asm/elf.h
1158 --- linux-2.6.33/arch/mips/include/asm/elf.h 2010-02-24 13:52:17.000000000 -0500
1159 +++ linux-2.6.33/arch/mips/include/asm/elf.h 2010-03-07 12:23:35.895205004 -0500
1160 @@ -367,4 +367,11 @@ extern int dump_task_fpu(struct task_str
1161 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1164 +#ifdef CONFIG_PAX_ASLR
1165 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1167 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1168 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1171 #endif /* _ASM_ELF_H */
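Review bot: Both arms of the `PAX_ELF_ET_DYN_BASE` conditional are `0x00400000UL`, so the `test_thread_flag(TIF_32BIT_ADDR)` test is evaluated for nothing. Either a different 64-bit base was intended and lost, or the macro should be `#define PAX_ELF_ET_DYN_BASE 0x00400000UL`. The same three definitions are repeated in the binfmt_elfn32.c and binfmt_elfo32.c hunks of this patch. If the identical value is deliberate, a short comment saying so would stop the next reader from treating it as a typo.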
1172 diff -urNp linux-2.6.33/arch/mips/include/asm/page.h linux-2.6.33/arch/mips/include/asm/page.h
1173 --- linux-2.6.33/arch/mips/include/asm/page.h 2010-02-24 13:52:17.000000000 -0500
1174 +++ linux-2.6.33/arch/mips/include/asm/page.h 2010-03-07 12:23:35.895205004 -0500
1175 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1176 #ifdef CONFIG_CPU_MIPS32
1177 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1178 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1179 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1180 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1182 typedef struct { unsigned long long pte; } pte_t;
1183 #define pte_val(x) ((x).pte)
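Review bot: Dropping the `(unsigned long long)` cast makes `(x) >> 32` operate on whatever type the caller passes. This branch is for CONFIG_CPU_MIPS32, where `unsigned long` is 32 bits wide, and a shift by the full width of the type is undefined behaviour in C. Unless every caller of `__pte()` is known to pass a 64-bit value, the old form `{(x), ((unsigned long long)(x)) >> 32}` should stay. If the cast was removed to silence a warning, that reason belongs in a comment next to the macro.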
1184 diff -urNp linux-2.6.33/arch/mips/include/asm/system.h linux-2.6.33/arch/mips/include/asm/system.h
1185 --- linux-2.6.33/arch/mips/include/asm/system.h 2010-02-24 13:52:17.000000000 -0500
1186 +++ linux-2.6.33/arch/mips/include/asm/system.h 2010-03-07 12:23:35.895205004 -0500
1187 @@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
1189 #define __ARCH_WANT_UNLOCKED_CTXSW
1191 -extern unsigned long arch_align_stack(unsigned long sp);
1192 +#define arch_align_stack(x) ((x) & ALMASK)
1194 #endif /* _ASM_SYSTEM_H */
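Review bot: The macro `#define arch_align_stack(x) ((x) & ALMASK)` replaces the function unconditionally, while the body deleted in the arch/mips/kernel/process.c hunk subtracted `get_random_int() & ~PAGE_MASK` when `randomize_va_space` was set. A kernel built from this tree without the PaX ASLR options therefore loses that sub-page stack randomisation, unless generic code elsewhere in the patch restores it. The powerpc asm/elf.h hunks have the same shape: `ELF_ET_DYN_BASE` becomes a fixed `0x20000000` and `arch_randomize_brk` is removed outside any `#ifdef`. I would guard the replacements with `#ifdef CONFIG_PAX_ASLR` and keep the stock definitions in the `#else` branch, or note next to each that the stock randomisation is intentionally removed.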
1195 diff -urNp linux-2.6.33/arch/mips/kernel/binfmt_elfn32.c linux-2.6.33/arch/mips/kernel/binfmt_elfn32.c
1196 --- linux-2.6.33/arch/mips/kernel/binfmt_elfn32.c 2010-02-24 13:52:17.000000000 -0500
1197 +++ linux-2.6.33/arch/mips/kernel/binfmt_elfn32.c 2010-03-07 12:23:35.895205004 -0500
1198 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1199 #undef ELF_ET_DYN_BASE
1200 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1202 +#ifdef CONFIG_PAX_ASLR
1203 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1205 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1206 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1209 #include <asm/processor.h>
1210 #include <linux/module.h>
1211 #include <linux/elfcore.h>
1212 diff -urNp linux-2.6.33/arch/mips/kernel/binfmt_elfo32.c linux-2.6.33/arch/mips/kernel/binfmt_elfo32.c
1213 --- linux-2.6.33/arch/mips/kernel/binfmt_elfo32.c 2010-02-24 13:52:17.000000000 -0500
1214 +++ linux-2.6.33/arch/mips/kernel/binfmt_elfo32.c 2010-03-07 12:23:35.895205004 -0500
1215 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1216 #undef ELF_ET_DYN_BASE
1217 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1219 +#ifdef CONFIG_PAX_ASLR
1220 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1222 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1223 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1226 #include <asm/processor.h>
1229 diff -urNp linux-2.6.33/arch/mips/kernel/kgdb.c linux-2.6.33/arch/mips/kernel/kgdb.c
1230 --- linux-2.6.33/arch/mips/kernel/kgdb.c 2010-02-24 13:52:17.000000000 -0500
1231 +++ linux-2.6.33/arch/mips/kernel/kgdb.c 2010-03-07 12:23:35.895205004 -0500
1232 @@ -245,6 +245,7 @@ int kgdb_arch_handle_exception(int vecto
1236 +/* cannot be const */
1237 struct kgdb_arch arch_kgdb_ops;
1240 diff -urNp linux-2.6.33/arch/mips/kernel/process.c linux-2.6.33/arch/mips/kernel/process.c
1241 --- linux-2.6.33/arch/mips/kernel/process.c 2010-02-24 13:52:17.000000000 -0500
1242 +++ linux-2.6.33/arch/mips/kernel/process.c 2010-03-07 12:23:35.895205004 -0500
1243 @@ -470,15 +470,3 @@ unsigned long get_wchan(struct task_stru
1249 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1250 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1252 -unsigned long arch_align_stack(unsigned long sp)
1254 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1255 - sp -= get_random_int() & ~PAGE_MASK;
1257 - return sp & ALMASK;
1259 diff -urNp linux-2.6.33/arch/mips/kernel/syscall.c linux-2.6.33/arch/mips/kernel/syscall.c
1260 --- linux-2.6.33/arch/mips/kernel/syscall.c 2010-02-24 13:52:17.000000000 -0500
1261 +++ linux-2.6.33/arch/mips/kernel/syscall.c 2010-03-07 12:23:35.895205004 -0500
1262 @@ -102,6 +102,11 @@ unsigned long arch_get_unmapped_area(str
1264 if (filp || (flags & MAP_SHARED))
1267 +#ifdef CONFIG_PAX_RANDMMAP
1268 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1273 addr = COLOUR_ALIGN(addr, pgoff);
1274 @@ -112,7 +117,7 @@ unsigned long arch_get_unmapped_area(str
1275 (!vmm || addr + len <= vmm->vm_start))
1278 - addr = TASK_UNMAPPED_BASE;
1279 + addr = current->mm->mmap_base;
1281 addr = COLOUR_ALIGN(addr, pgoff);
1283 diff -urNp linux-2.6.33/arch/mips/loongson/common/pm.c linux-2.6.33/arch/mips/loongson/common/pm.c
1284 --- linux-2.6.33/arch/mips/loongson/common/pm.c 2010-02-24 13:52:17.000000000 -0500
1285 +++ linux-2.6.33/arch/mips/loongson/common/pm.c 2010-03-07 12:23:35.895205004 -0500
1286 @@ -147,7 +147,7 @@ static int loongson_pm_valid_state(suspe
1290 -static struct platform_suspend_ops loongson_pm_ops = {
1291 +static const struct platform_suspend_ops loongson_pm_ops = {
1292 .valid = loongson_pm_valid_state,
1293 .enter = loongson_pm_enter,
1295 diff -urNp linux-2.6.33/arch/mips/mm/fault.c linux-2.6.33/arch/mips/mm/fault.c
1296 --- linux-2.6.33/arch/mips/mm/fault.c 2010-02-24 13:52:17.000000000 -0500
1297 +++ linux-2.6.33/arch/mips/mm/fault.c 2010-03-07 12:23:35.895205004 -0500
1299 #include <asm/ptrace.h>
1300 #include <asm/highmem.h> /* For VMALLOC_END */
1302 +#ifdef CONFIG_PAX_PAGEEXEC
1303 +void pax_report_insns(void *pc)
1307 + printk(KERN_ERR "PAX: bytes at PC: ");
1308 + for (i = 0; i < 5; i++) {
1310 + if (get_user(c, (unsigned int *)pc+i))
1311 + printk(KERN_CONT "???????? ");
1313 + printk(KERN_CONT "%08x ", c);
1320 * This routine handles page faults. It determines the address,
1321 * and the problem, and then passes it off to one of the appropriate
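Review bot: This copy of pax_report_insns is declared as `void pax_report_insns(void *pc)`, while the ia64 and parisc copies in the same patch take `(void *pc, void *sp)`. The common prototype and the caller are not visible here, but if they use the two-argument form this file will not build with CONFIG_PAX_PAGEEXEC enabled on mips. I would change the signature to `void pax_report_insns(void *pc, void *sp)` to match the other architectures. The function body continues outside the visible lines of the hunk.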
1322 diff -urNp linux-2.6.33/arch/parisc/include/asm/elf.h linux-2.6.33/arch/parisc/include/asm/elf.h
1323 --- linux-2.6.33/arch/parisc/include/asm/elf.h 2010-02-24 13:52:17.000000000 -0500
1324 +++ linux-2.6.33/arch/parisc/include/asm/elf.h 2010-03-07 12:23:35.895205004 -0500
1325 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
1327 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1329 +#ifdef CONFIG_PAX_ASLR
1330 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1332 +#define PAX_DELTA_MMAP_LEN 16
1333 +#define PAX_DELTA_STACK_LEN 16
1336 /* This yields a mask that user programs can use to figure out what
1337 instruction set this CPU supports. This could be done in user space,
1338 but it's not easy, and we've already done it here. */
1339 diff -urNp linux-2.6.33/arch/parisc/include/asm/pgtable.h linux-2.6.33/arch/parisc/include/asm/pgtable.h
1340 --- linux-2.6.33/arch/parisc/include/asm/pgtable.h 2010-02-24 13:52:17.000000000 -0500
1341 +++ linux-2.6.33/arch/parisc/include/asm/pgtable.h 2010-03-07 12:23:35.895205004 -0500
1342 @@ -207,6 +207,17 @@
1343 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1344 #define PAGE_COPY PAGE_EXECREAD
1345 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1347 +#ifdef CONFIG_PAX_PAGEEXEC
1348 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1349 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1350 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1352 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1353 +# define PAGE_COPY_NOEXEC PAGE_COPY
1354 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1357 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1358 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1359 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1360 diff -urNp linux-2.6.33/arch/parisc/kernel/module.c linux-2.6.33/arch/parisc/kernel/module.c
1361 --- linux-2.6.33/arch/parisc/kernel/module.c 2010-02-24 13:52:17.000000000 -0500
1362 +++ linux-2.6.33/arch/parisc/kernel/module.c 2010-03-07 12:23:35.899198434 -0500
1365 /* three functions to determine where in the module core
1366 * or init pieces the location is */
1367 +static inline int in_init_rx(struct module *me, void *loc)
1369 + return (loc >= me->module_init_rx &&
1370 + loc < (me->module_init_rx + me->init_size_rx));
1373 +static inline int in_init_rw(struct module *me, void *loc)
1375 + return (loc >= me->module_init_rw &&
1376 + loc < (me->module_init_rw + me->init_size_rw));
1379 static inline int in_init(struct module *me, void *loc)
1381 - return (loc >= me->module_init &&
1382 - loc <= (me->module_init + me->init_size));
1383 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1386 +static inline int in_core_rx(struct module *me, void *loc)
1388 + return (loc >= me->module_core_rx &&
1389 + loc < (me->module_core_rx + me->core_size_rx));
1392 +static inline int in_core_rw(struct module *me, void *loc)
1394 + return (loc >= me->module_core_rw &&
1395 + loc < (me->module_core_rw + me->core_size_rw));
1398 static inline int in_core(struct module *me, void *loc)
1400 - return (loc >= me->module_core &&
1401 - loc <= (me->module_core + me->core_size));
1402 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1405 static inline int in_local(struct module *me, void *loc)
1406 @@ -364,13 +386,13 @@ int module_frob_arch_sections(CONST Elf_
1409 /* align things a bit */
1410 - me->core_size = ALIGN(me->core_size, 16);
1411 - me->arch.got_offset = me->core_size;
1412 - me->core_size += gots * sizeof(struct got_entry);
1414 - me->core_size = ALIGN(me->core_size, 16);
1415 - me->arch.fdesc_offset = me->core_size;
1416 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1417 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1418 + me->arch.got_offset = me->core_size_rw;
1419 + me->core_size_rw += gots * sizeof(struct got_entry);
1421 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1422 + me->arch.fdesc_offset = me->core_size_rw;
1423 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1425 me->arch.got_max = gots;
1426 me->arch.fdesc_max = fdescs;
1427 @@ -388,7 +410,7 @@ static Elf64_Word get_got(struct module
1431 - got = me->module_core + me->arch.got_offset;
1432 + got = me->module_core_rw + me->arch.got_offset;
1433 for (i = 0; got[i].addr; i++)
1434 if (got[i].addr == value)
1436 @@ -406,7 +428,7 @@ static Elf64_Word get_got(struct module
1438 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1440 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1441 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1444 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1445 @@ -424,7 +446,7 @@ static Elf_Addr get_fdesc(struct module
1447 /* Create new one */
1448 fdesc->addr = value;
1449 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1450 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1451 return (Elf_Addr)fdesc;
1453 #endif /* CONFIG_64BIT */
1454 @@ -848,7 +870,7 @@ register_unwind_table(struct module *me,
1456 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1457 end = table + sechdrs[me->arch.unwind_section].sh_size;
1458 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1459 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1461 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1462 me->arch.unwind_section, table, end, gp);
1463 diff -urNp linux-2.6.33/arch/parisc/kernel/sys_parisc.c linux-2.6.33/arch/parisc/kernel/sys_parisc.c
1464 --- linux-2.6.33/arch/parisc/kernel/sys_parisc.c 2010-02-24 13:52:17.000000000 -0500
1465 +++ linux-2.6.33/arch/parisc/kernel/sys_parisc.c 2010-03-07 12:23:35.899198434 -0500
1466 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1467 if (flags & MAP_FIXED)
1470 - addr = TASK_UNMAPPED_BASE;
1471 + addr = current->mm->mmap_base;
1474 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1475 diff -urNp linux-2.6.33/arch/parisc/kernel/traps.c linux-2.6.33/arch/parisc/kernel/traps.c
1476 --- linux-2.6.33/arch/parisc/kernel/traps.c 2010-02-24 13:52:17.000000000 -0500
1477 +++ linux-2.6.33/arch/parisc/kernel/traps.c 2010-03-07 12:23:35.899198434 -0500
1478 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1480 down_read(¤t->mm->mmap_sem);
1481 vma = find_vma(current->mm,regs->iaoq[0]);
1482 - if (vma && (regs->iaoq[0] >= vma->vm_start)
1483 - && (vma->vm_flags & VM_EXEC)) {
1485 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1486 fault_address = regs->iaoq[0];
1487 fault_space = regs->iasq[0];
1489 diff -urNp linux-2.6.33/arch/parisc/mm/fault.c linux-2.6.33/arch/parisc/mm/fault.c
1490 --- linux-2.6.33/arch/parisc/mm/fault.c 2010-02-24 13:52:17.000000000 -0500
1491 +++ linux-2.6.33/arch/parisc/mm/fault.c 2010-03-07 12:23:35.899198434 -0500
1493 #include <linux/sched.h>
1494 #include <linux/interrupt.h>
1495 #include <linux/module.h>
1496 +#include <linux/unistd.h>
1498 #include <asm/uaccess.h>
1499 #include <asm/traps.h>
1500 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1501 static unsigned long
1502 parisc_acctyp(unsigned long code, unsigned int inst)
1504 - if (code == 6 || code == 16)
1505 + if (code == 6 || code == 7 || code == 16)
1508 switch (inst & 0xf0000000) {
1509 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1513 +#ifdef CONFIG_PAX_PAGEEXEC
1515 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1517 + * returns 1 when task should be killed
1518 + * 2 when rt_sigreturn trampoline was detected
1519 + * 3 when unpatched PLT trampoline was detected
1521 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1524 +#ifdef CONFIG_PAX_EMUPLT
1527 + do { /* PaX: unpatched PLT emulation */
1528 + unsigned int bl, depwi;
1530 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1531 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1536 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1537 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1539 + err = get_user(ldw, (unsigned int *)addr);
1540 + err |= get_user(bv, (unsigned int *)(addr+4));
1541 + err |= get_user(ldw2, (unsigned int *)(addr+8));
1546 + if (ldw == 0x0E801096U &&
1547 + bv == 0xEAC0C000U &&
1548 + ldw2 == 0x0E881095U)
1550 + unsigned int resolver, map;
1552 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1553 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1557 + regs->gr[20] = instruction_pointer(regs)+8;
1558 + regs->gr[21] = map;
1559 + regs->gr[22] = resolver;
1560 + regs->iaoq[0] = resolver | 3UL;
1561 + regs->iaoq[1] = regs->iaoq[0] + 4;
1568 +#ifdef CONFIG_PAX_EMUTRAMP
1570 +#ifndef CONFIG_PAX_EMUSIGRT
1571 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1575 + do { /* PaX: rt_sigreturn emulation */
1576 + unsigned int ldi1, ldi2, bel, nop;
1578 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1579 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1580 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1581 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1586 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1587 + ldi2 == 0x3414015AU &&
1588 + bel == 0xE4008200U &&
1589 + nop == 0x08000240U)
1591 + regs->gr[25] = (ldi1 & 2) >> 1;
1592 + regs->gr[20] = __NR_rt_sigreturn;
1593 + regs->gr[31] = regs->iaoq[1] + 16;
1594 + regs->sr[0] = regs->iasq[1];
1595 + regs->iaoq[0] = 0x100UL;
1596 + regs->iaoq[1] = regs->iaoq[0] + 4;
1597 + regs->iasq[0] = regs->sr[2];
1598 + regs->iasq[1] = regs->sr[2];
1607 +void pax_report_insns(void *pc, void *sp)
1611 + printk(KERN_ERR "PAX: bytes at PC: ");
1612 + for (i = 0; i < 5; i++) {
1614 + if (get_user(c, (unsigned int *)pc+i))
1615 + printk(KERN_CONT "???????? ");
1617 + printk(KERN_CONT "%08x ", c);
1623 int fixup_exception(struct pt_regs *regs)
1625 const struct exception_table_entry *fix;
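Review bot: In the PLT emulation block, `addr` is declared in the same `unsigned int` list as the instruction words (`unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;`) and is then cast to a pointer for get_user. On a 64-bit kernel that truncates the address to 32 bits before the cast and draws an integer-to-pointer size warning. I would declare it separately as `unsigned long addr = instruction_pointer(regs) - 12;`. The return codes 1, 2 and 3 listed in the header comment would also read better as a small named enum shared with the `switch` in the fault path. Parts of the function body are not visible in this hunk, so check the remaining uses of `addr`.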
1626 @@ -192,8 +303,33 @@ good_area:
1628 acc_type = parisc_acctyp(code,regs->iir);
1630 - if ((vma->vm_flags & acc_type) != acc_type)
1631 + if ((vma->vm_flags & acc_type) != acc_type) {
1633 +#ifdef CONFIG_PAX_PAGEEXEC
1634 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1635 + (address & ~3UL) == instruction_pointer(regs))
1637 + up_read(&mm->mmap_sem);
1638 + switch (pax_handle_fetch_fault(regs)) {
1640 +#ifdef CONFIG_PAX_EMUPLT
1645 +#ifdef CONFIG_PAX_EMUTRAMP
1651 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1652 + do_group_exit(SIGKILL);
1660 * If for any reason at all we couldn't handle the fault, make
1661 diff -urNp linux-2.6.33/arch/powerpc/include/asm/device.h linux-2.6.33/arch/powerpc/include/asm/device.h
1662 --- linux-2.6.33/arch/powerpc/include/asm/device.h 2010-02-24 13:52:17.000000000 -0500
1663 +++ linux-2.6.33/arch/powerpc/include/asm/device.h 2010-03-07 12:23:35.899198434 -0500
1664 @@ -14,7 +14,7 @@ struct dev_archdata {
1665 struct device_node *of_node;
1667 /* DMA operations on that device */
1668 - struct dma_map_ops *dma_ops;
1669 + const struct dma_map_ops *dma_ops;
1672 * When an iommu is in use, dma_data is used as a ptr to the base of the
1673 diff -urNp linux-2.6.33/arch/powerpc/include/asm/dma-mapping.h linux-2.6.33/arch/powerpc/include/asm/dma-mapping.h
1674 --- linux-2.6.33/arch/powerpc/include/asm/dma-mapping.h 2010-02-24 13:52:17.000000000 -0500
1675 +++ linux-2.6.33/arch/powerpc/include/asm/dma-mapping.h 2010-03-07 12:23:35.899198434 -0500
1676 @@ -69,9 +69,9 @@ static inline unsigned long device_to_ma
1678 extern struct dma_map_ops dma_iommu_ops;
1680 -extern struct dma_map_ops dma_direct_ops;
1681 +extern const struct dma_map_ops dma_direct_ops;
1683 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1684 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1686 /* We don't handle the NULL dev case for ISA for now. We could
1687 * do it via an out of line call but it is not needed for now. The
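Review bot: `extern struct dma_map_ops dma_iommu_ops;` stays as an unchanged context line, so it remains the one writable ops table here while `dma_direct_ops` and every accessor in this file become `const`. If something still writes to it, say so the way the kgdb hunk does, with `/* cannot be const */` above the declaration. Otherwise it should become `extern const struct dma_map_ops dma_iommu_ops;` so the table can live in read-only memory like the rest. The body of get_dma_ops continues outside the hunk.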
1688 @@ -84,7 +84,7 @@ static inline struct dma_map_ops *get_dm
1689 return dev->archdata.dma_ops;
1692 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1693 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1695 dev->archdata.dma_ops = ops;
1697 @@ -118,7 +118,7 @@ static inline void set_dma_offset(struct
1699 static inline int dma_supported(struct device *dev, u64 mask)
1701 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1702 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1704 if (unlikely(dma_ops == NULL))
1706 @@ -132,7 +132,7 @@ static inline int dma_supported(struct d
1708 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1710 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1711 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1713 if (unlikely(dma_ops == NULL))
1715 @@ -147,7 +147,7 @@ static inline int dma_set_mask(struct de
1716 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1717 dma_addr_t *dma_handle, gfp_t flag)
1719 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1720 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1724 @@ -162,7 +162,7 @@ static inline void *dma_alloc_coherent(s
1725 static inline void dma_free_coherent(struct device *dev, size_t size,
1726 void *cpu_addr, dma_addr_t dma_handle)
1728 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1729 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1733 @@ -173,7 +173,7 @@ static inline void dma_free_coherent(str
1735 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1737 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1738 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1740 if (dma_ops->mapping_error)
1741 return dma_ops->mapping_error(dev, dma_addr);
1742 diff -urNp linux-2.6.33/arch/powerpc/include/asm/elf.h linux-2.6.33/arch/powerpc/include/asm/elf.h
1743 --- linux-2.6.33/arch/powerpc/include/asm/elf.h 2010-02-24 13:52:17.000000000 -0500
1744 +++ linux-2.6.33/arch/powerpc/include/asm/elf.h 2010-03-07 12:23:35.899198434 -0500
1745 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
1746 the loader. We need to make sure that it is out of the way of the program
1747 that it will "exec", and that there is sufficient room for the brk. */
1749 -extern unsigned long randomize_et_dyn(unsigned long base);
1750 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
1751 +#define ELF_ET_DYN_BASE (0x20000000)
1753 +#ifdef CONFIG_PAX_ASLR
1754 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
1756 +#ifdef __powerpc64__
1757 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
1758 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
1760 +#define PAX_DELTA_MMAP_LEN 15
1761 +#define PAX_DELTA_STACK_LEN 15
1766 * Our registers are always unsigned longs, whether we're a 32 bit
1767 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
1768 (0x7ff >> (PAGE_SHIFT - 12)) : \
1769 (0x3ffff >> (PAGE_SHIFT - 12)))
1771 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1772 -#define arch_randomize_brk arch_randomize_brk
1774 #endif /* __KERNEL__ */
1777 diff -urNp linux-2.6.33/arch/powerpc/include/asm/iommu.h linux-2.6.33/arch/powerpc/include/asm/iommu.h
1778 --- linux-2.6.33/arch/powerpc/include/asm/iommu.h 2010-02-24 13:52:17.000000000 -0500
1779 +++ linux-2.6.33/arch/powerpc/include/asm/iommu.h 2010-03-07 12:23:35.899198434 -0500
1780 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
1781 extern void iommu_init_early_dart(void);
1782 extern void iommu_init_early_pasemi(void);
1785 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
1788 extern void pci_iommu_init(void);
1789 extern void pci_direct_iommu_init(void);
1790 diff -urNp linux-2.6.33/arch/powerpc/include/asm/kmap_types.h linux-2.6.33/arch/powerpc/include/asm/kmap_types.h
1791 --- linux-2.6.33/arch/powerpc/include/asm/kmap_types.h 2010-02-24 13:52:17.000000000 -0500
1792 +++ linux-2.6.33/arch/powerpc/include/asm/kmap_types.h 2010-03-07 12:23:35.899198434 -0500
1793 @@ -26,6 +26,7 @@ enum km_type {
1801 diff -urNp linux-2.6.33/arch/powerpc/include/asm/page_64.h linux-2.6.33/arch/powerpc/include/asm/page_64.h
1802 --- linux-2.6.33/arch/powerpc/include/asm/page_64.h 2010-02-24 13:52:17.000000000 -0500
1803 +++ linux-2.6.33/arch/powerpc/include/asm/page_64.h 2010-03-07 12:23:35.899198434 -0500
1804 @@ -180,15 +180,18 @@ do { \
1805 * stack by default, so in the absense of a PT_GNU_STACK program header
1806 * we turn execute permission off.
1808 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
1809 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1810 +#define VM_STACK_DEFAULT_FLAGS32 \
1811 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
1812 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1814 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
1815 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1817 +#ifndef CONFIG_PAX_PAGEEXEC
1818 #define VM_STACK_DEFAULT_FLAGS \
1819 (test_thread_flag(TIF_32BIT) ? \
1820 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
1823 #include <asm-generic/getorder.h>
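Review bot: The new `#ifndef CONFIG_PAX_PAGEEXEC` removes `VM_STACK_DEFAULT_FLAGS` from this header for PAGEEXEC builds, and nothing in the hunk says where the replacement definition comes from. A one-line comment naming that location next to the guard would save the reader a search. `VM_STACK_DEFAULT_FLAGS32` also now evaluates `current->personality`, so it is only meaningful in task context. I would document both on the macro, e.g. `/* 32-bit: VM_EXEC only for READ_IMPLIES_EXEC personalities (reads current); VM_MAYEXEC is kept */`.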
1825 diff -urNp linux-2.6.33/arch/powerpc/include/asm/page.h linux-2.6.33/arch/powerpc/include/asm/page.h
1826 --- linux-2.6.33/arch/powerpc/include/asm/page.h 2010-02-24 13:52:17.000000000 -0500
1827 +++ linux-2.6.33/arch/powerpc/include/asm/page.h 2010-03-07 12:23:35.899198434 -0500
1828 @@ -116,8 +116,9 @@ extern phys_addr_t kernstart_addr;
1829 * and needs to be executable. This means the whole heap ends
1830 * up being executable.
1832 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
1833 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1834 +#define VM_DATA_DEFAULT_FLAGS32 \
1835 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
1836 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1838 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
1839 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
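Review bot: The retained comment above `VM_DATA_DEFAULT_FLAGS32` still ends with "This means the whole heap ends up being executable", which no longer matches the macro. After this change `VM_EXEC` is set only when `current->personality & READ_IMPLIES_EXEC` is true. The comment starts outside this hunk, but it should be updated in the same patch, for instance by appending `With this change the 32-bit heap is executable only for READ_IMPLIES_EXEC personalities.` Otherwise the next reader will assume the old default still applies.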
1840 @@ -145,6 +146,9 @@ extern phys_addr_t kernstart_addr;
1841 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
1844 +#define ktla_ktva(addr) (addr)
1845 +#define ktva_ktla(addr) (addr)
1847 #ifndef __ASSEMBLY__
1849 #undef STRICT_MM_TYPECHECKS
1850 diff -urNp linux-2.6.33/arch/powerpc/include/asm/pci.h linux-2.6.33/arch/powerpc/include/asm/pci.h
1851 --- linux-2.6.33/arch/powerpc/include/asm/pci.h 2010-02-24 13:52:17.000000000 -0500
1852 +++ linux-2.6.33/arch/powerpc/include/asm/pci.h 2010-03-07 12:23:35.899198434 -0500
1853 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
1857 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
1858 -extern struct dma_map_ops *get_pci_dma_ops(void);
1859 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
1860 +extern const struct dma_map_ops *get_pci_dma_ops(void);
1861 #else /* CONFIG_PCI */
1862 #define set_pci_dma_ops(d)
1863 #define get_pci_dma_ops() NULL
1864 diff -urNp linux-2.6.33/arch/powerpc/include/asm/pte-hash32.h linux-2.6.33/arch/powerpc/include/asm/pte-hash32.h
1865 --- linux-2.6.33/arch/powerpc/include/asm/pte-hash32.h 2010-02-24 13:52:17.000000000 -0500
1866 +++ linux-2.6.33/arch/powerpc/include/asm/pte-hash32.h 2010-03-07 12:23:35.899198434 -0500
1868 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
1869 #define _PAGE_USER 0x004 /* usermode access allowed */
1870 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
1871 +#define _PAGE_EXEC _PAGE_GUARDED
1872 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
1873 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
1874 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
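Review bot: `#define _PAGE_EXEC _PAGE_GUARDED` is the only definition in this run without a trailing comment, and it gives the G bit a second meaning that its own comment ("prohibit speculative access") does not cover. The polarity is not obvious from the name: the reader cannot tell whether a PTE with this bit set is meant to be executable or to fault on instruction fetch, and the fault.c changes in this patch key off `DSISR_GUARDED`. Please add a comment stating which way round it is and that the bit is shared, in the style of the neighbouring lines. It is also worth confirming that no other `_PAGE_EXEC` definition is visible to includers of this header, which cannot be checked from the hunk.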
1875 diff -urNp linux-2.6.33/arch/powerpc/include/asm/reg.h linux-2.6.33/arch/powerpc/include/asm/reg.h
1876 --- linux-2.6.33/arch/powerpc/include/asm/reg.h 2010-02-24 13:52:17.000000000 -0500
1877 +++ linux-2.6.33/arch/powerpc/include/asm/reg.h 2010-03-07 12:23:35.899198434 -0500
1879 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
1880 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
1881 #define DSISR_NOHPTE 0x40000000 /* no translation found */
1882 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
1883 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
1884 #define DSISR_ISSTORE 0x02000000 /* access was a store */
1885 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
1886 diff -urNp linux-2.6.33/arch/powerpc/include/asm/swiotlb.h linux-2.6.33/arch/powerpc/include/asm/swiotlb.h
1887 --- linux-2.6.33/arch/powerpc/include/asm/swiotlb.h 2010-02-24 13:52:17.000000000 -0500
1888 +++ linux-2.6.33/arch/powerpc/include/asm/swiotlb.h 2010-03-07 12:23:35.899198434 -0500
1891 #include <linux/swiotlb.h>
1893 -extern struct dma_map_ops swiotlb_dma_ops;
1894 +extern const struct dma_map_ops swiotlb_dma_ops;
1896 static inline void dma_mark_clean(void *addr, size_t size) {}
1898 diff -urNp linux-2.6.33/arch/powerpc/include/asm/uaccess.h linux-2.6.33/arch/powerpc/include/asm/uaccess.h
1899 --- linux-2.6.33/arch/powerpc/include/asm/uaccess.h 2010-02-24 13:52:17.000000000 -0500
1900 +++ linux-2.6.33/arch/powerpc/include/asm/uaccess.h 2010-03-07 12:23:35.899198434 -0500
1901 @@ -327,52 +327,6 @@ do { \
1902 extern unsigned long __copy_tofrom_user(void __user *to,
1903 const void __user *from, unsigned long size);
1905 -#ifndef __powerpc64__
1907 -static inline unsigned long copy_from_user(void *to,
1908 - const void __user *from, unsigned long n)
1910 - unsigned long over;
1912 - if (access_ok(VERIFY_READ, from, n))
1913 - return __copy_tofrom_user((__force void __user *)to, from, n);
1914 - if ((unsigned long)from < TASK_SIZE) {
1915 - over = (unsigned long)from + n - TASK_SIZE;
1916 - return __copy_tofrom_user((__force void __user *)to, from,
1922 -static inline unsigned long copy_to_user(void __user *to,
1923 - const void *from, unsigned long n)
1925 - unsigned long over;
1927 - if (access_ok(VERIFY_WRITE, to, n))
1928 - return __copy_tofrom_user(to, (__force void __user *)from, n);
1929 - if ((unsigned long)to < TASK_SIZE) {
1930 - over = (unsigned long)to + n - TASK_SIZE;
1931 - return __copy_tofrom_user(to, (__force void __user *)from,
1937 -#else /* __powerpc64__ */
1939 -#define __copy_in_user(to, from, size) \
1940 - __copy_tofrom_user((to), (from), (size))
1942 -extern unsigned long copy_from_user(void *to, const void __user *from,
1944 -extern unsigned long copy_to_user(void __user *to, const void *from,
1946 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
1949 -#endif /* __powerpc64__ */
1951 static inline unsigned long __copy_from_user_inatomic(void *to,
1952 const void __user *from, unsigned long n)
1954 @@ -396,6 +350,10 @@ static inline unsigned long __copy_from_
1959 + if (!__builtin_constant_p(n))
1960 + check_object_size(to, n, false);
1962 return __copy_tofrom_user((__force void __user *)to, from, n);
1965 @@ -422,6 +380,10 @@ static inline unsigned long __copy_to_us
1970 + if (!__builtin_constant_p(n))
1971 + check_object_size(from, n, true);
1973 return __copy_tofrom_user(to, (__force const void __user *)from, n);
1976 @@ -439,6 +401,92 @@ static inline unsigned long __copy_to_us
1977 return __copy_to_user_inatomic(to, from, size);
1980 +#ifndef __powerpc64__
1982 +static inline unsigned long __must_check copy_from_user(void *to,
1983 + const void __user *from, unsigned long n)
1985 + unsigned long over;
1990 + if (access_ok(VERIFY_READ, from, n)) {
1991 + if (!__builtin_constant_p(n))
1992 + check_object_size(to, n, false);
1993 + return __copy_tofrom_user((__force void __user *)to, from, n);
1995 + if ((unsigned long)from < TASK_SIZE) {
1996 + over = (unsigned long)from + n - TASK_SIZE;
1997 + if (!__builtin_constant_p(n - over))
1998 + check_object_size(to, n - over, false);
1999 + return __copy_tofrom_user((__force void __user *)to, from,
2005 +static inline unsigned long __must_check copy_to_user(void __user *to,
2006 + const void *from, unsigned long n)
2008 + unsigned long over;
2013 + if (access_ok(VERIFY_WRITE, to, n)) {
2014 + if (!__builtin_constant_p(n))
2015 + check_object_size(from, n, true);
2016 + return __copy_tofrom_user(to, (__force void __user *)from, n);
2018 + if ((unsigned long)to < TASK_SIZE) {
2019 + over = (unsigned long)to + n - TASK_SIZE;
2020 + if (!__builtin_constant_p(n))
2021 + check_object_size(from, n - over, true);
2022 + return __copy_tofrom_user(to, (__force void __user *)from,
2028 +#else /* __powerpc64__ */
2030 +#define __copy_in_user(to, from, size) \
2031 + __copy_tofrom_user((to), (from), (size))
2033 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2035 + if ((long)n < 0 || n > INT_MAX)
2038 + if (!__builtin_constant_p(n))
2039 + check_object_size(to, n, false);
2041 + if (likely(access_ok(VERIFY_READ, from, n)))
2042 + n = __copy_from_user(to, from, n);
2048 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2050 + if ((long)n < 0 || n > INT_MAX)
2053 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
2054 + if (!__builtin_constant_p(n))
2055 + check_object_size(from, n, true);
2056 + n = __copy_to_user(to, from, n);
2061 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2064 +#endif /* __powerpc64__ */
2066 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2068 static inline unsigned long clear_user(void __user *addr, unsigned long size)
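Review bot: In the 32-bit `copy_to_user`, the truncated-copy branch guards its check with `if (!__builtin_constant_p(n))`, whereas the same branch of `copy_from_user` tests `__builtin_constant_p(n - over)`. Since `over` is computed from the user pointer at run time, the two guards behave differently. For a compile-time-constant `n`, the `copy_to_user` path skips `check_object_size(from, n - over, true)` even though the length actually copied is not constant. I would make them agree with `if (!__builtin_constant_p(n - over))`. The 64-bit pair is also asymmetric: `copy_from_user` calls `check_object_size` before `access_ok`, while `copy_to_user` calls it inside the `access_ok` branch. If `__copy_from_user`/`__copy_to_user` reach the `_inatomic` helpers patched in the two preceding hunks, the object is probably checked twice on that path.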
2069 diff -urNp linux-2.6.33/arch/powerpc/kernel/cacheinfo.c linux-2.6.33/arch/powerpc/kernel/cacheinfo.c
2070 --- linux-2.6.33/arch/powerpc/kernel/cacheinfo.c 2010-02-24 13:52:17.000000000 -0500
2071 +++ linux-2.6.33/arch/powerpc/kernel/cacheinfo.c 2010-03-07 12:23:35.899198434 -0500
2072 @@ -642,7 +642,7 @@ static struct kobj_attribute *cache_inde
2076 -static struct sysfs_ops cache_index_ops = {
2077 +static const struct sysfs_ops cache_index_ops = {
2078 .show = cache_index_show,
2081 diff -urNp linux-2.6.33/arch/powerpc/kernel/dma.c linux-2.6.33/arch/powerpc/kernel/dma.c
2082 --- linux-2.6.33/arch/powerpc/kernel/dma.c 2010-02-24 13:52:17.000000000 -0500
2083 +++ linux-2.6.33/arch/powerpc/kernel/dma.c 2010-03-07 12:23:35.899198434 -0500
2084 @@ -134,7 +134,7 @@ static inline void dma_direct_sync_singl
2088 -struct dma_map_ops dma_direct_ops = {
2089 +const struct dma_map_ops dma_direct_ops = {
2090 .alloc_coherent = dma_direct_alloc_coherent,
2091 .free_coherent = dma_direct_free_coherent,
2092 .map_sg = dma_direct_map_sg,
2093 diff -urNp linux-2.6.33/arch/powerpc/kernel/dma-iommu.c linux-2.6.33/arch/powerpc/kernel/dma-iommu.c
2094 --- linux-2.6.33/arch/powerpc/kernel/dma-iommu.c 2010-02-24 13:52:17.000000000 -0500
2095 +++ linux-2.6.33/arch/powerpc/kernel/dma-iommu.c 2010-03-07 12:23:35.899198434 -0500
2096 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2099 /* We support DMA to/from any memory page via the iommu */
2100 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2101 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2103 struct iommu_table *tbl = get_iommu_table_base(dev);
2105 diff -urNp linux-2.6.33/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.33/arch/powerpc/kernel/dma-swiotlb.c
2106 --- linux-2.6.33/arch/powerpc/kernel/dma-swiotlb.c 2010-02-24 13:52:17.000000000 -0500
2107 +++ linux-2.6.33/arch/powerpc/kernel/dma-swiotlb.c 2010-03-07 12:23:35.899198434 -0500
2108 @@ -30,7 +30,7 @@ unsigned int ppc_swiotlb_enable;
2109 * map_page, and unmap_page on highmem, use normal dma_ops
2110 * for everything else.
2112 -struct dma_map_ops swiotlb_dma_ops = {
2113 +const struct dma_map_ops swiotlb_dma_ops = {
2114 .alloc_coherent = dma_direct_alloc_coherent,
2115 .free_coherent = dma_direct_free_coherent,
2116 .map_sg = swiotlb_map_sg_attrs,
2117 diff -urNp linux-2.6.33/arch/powerpc/kernel/exceptions-64e.S linux-2.6.33/arch/powerpc/kernel/exceptions-64e.S
2118 --- linux-2.6.33/arch/powerpc/kernel/exceptions-64e.S 2010-02-24 13:52:17.000000000 -0500
2119 +++ linux-2.6.33/arch/powerpc/kernel/exceptions-64e.S 2010-03-07 12:23:35.899198434 -0500
2120 @@ -455,6 +455,7 @@ storage_fault_common:
2123 addi r3,r1,STACK_FRAME_OVERHEAD
2127 ld r14,PACA_EXGEN+EX_R14(r13)
2128 @@ -464,8 +465,7 @@ storage_fault_common:
2131 b .ret_from_except_lite
2135 addi r3,r1,STACK_FRAME_OVERHEAD
2138 diff -urNp linux-2.6.33/arch/powerpc/kernel/exceptions-64s.S linux-2.6.33/arch/powerpc/kernel/exceptions-64s.S
2139 --- linux-2.6.33/arch/powerpc/kernel/exceptions-64s.S 2010-02-24 13:52:17.000000000 -0500
2140 +++ linux-2.6.33/arch/powerpc/kernel/exceptions-64s.S 2010-03-07 12:23:35.899198434 -0500
2141 @@ -829,10 +829,10 @@ handle_page_fault:
2144 addi r3,r1,STACK_FRAME_OVERHEAD
2151 addi r3,r1,STACK_FRAME_OVERHEAD
2153 diff -urNp linux-2.6.33/arch/powerpc/kernel/ibmebus.c linux-2.6.33/arch/powerpc/kernel/ibmebus.c
2154 --- linux-2.6.33/arch/powerpc/kernel/ibmebus.c 2010-02-24 13:52:17.000000000 -0500
2155 +++ linux-2.6.33/arch/powerpc/kernel/ibmebus.c 2010-03-07 12:23:35.903199907 -0500
2156 @@ -127,7 +127,7 @@ static int ibmebus_dma_supported(struct
2160 -static struct dma_map_ops ibmebus_dma_ops = {
2161 +static const struct dma_map_ops ibmebus_dma_ops = {
2162 .alloc_coherent = ibmebus_alloc_coherent,
2163 .free_coherent = ibmebus_free_coherent,
2164 .map_sg = ibmebus_map_sg,
2165 diff -urNp linux-2.6.33/arch/powerpc/kernel/kgdb.c linux-2.6.33/arch/powerpc/kernel/kgdb.c
2166 --- linux-2.6.33/arch/powerpc/kernel/kgdb.c 2010-02-24 13:52:17.000000000 -0500
2167 +++ linux-2.6.33/arch/powerpc/kernel/kgdb.c 2010-03-07 12:23:35.903199907 -0500
2168 @@ -126,7 +126,7 @@ static int kgdb_handle_breakpoint(struct
2169 if (kgdb_handle_exception(0, SIGTRAP, 0, regs) != 0)
2172 - if (*(u32 *) (regs->nip) == *(u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2173 + if (*(u32 *) (regs->nip) == *(const u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2177 @@ -353,7 +353,7 @@ int kgdb_arch_handle_exception(int vecto
2181 -struct kgdb_arch arch_kgdb_ops = {
2182 +const struct kgdb_arch arch_kgdb_ops = {
2183 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2186 diff -urNp linux-2.6.33/arch/powerpc/kernel/module_32.c linux-2.6.33/arch/powerpc/kernel/module_32.c
2187 --- linux-2.6.33/arch/powerpc/kernel/module_32.c 2010-02-24 13:52:17.000000000 -0500
2188 +++ linux-2.6.33/arch/powerpc/kernel/module_32.c 2010-03-07 12:23:35.903199907 -0500
2189 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2190 me->arch.core_plt_section = i;
2192 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2193 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2194 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
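Review bot: The reworded `printk` still has no log level, while the error message this patch adds in `do_plt_call` a few lines further down uses `KERN_ERR`. Since the line is being touched anyway, give it the same level: `printk(KERN_ERR "Module %s doesn't contain .plt or .init.plt sections.\n", me->name);`. `module_frob_arch_sections` begins and ends outside this hunk.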
2198 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2200 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2201 /* Init, or core PLT? */
2202 - if (location >= mod->module_core
2203 - && location < mod->module_core + mod->core_size)
2204 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2205 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2206 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2208 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2209 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2210 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2212 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2216 /* Find this entry, or if that fails, the next avail. entry */
2217 while (entry->jump[0]) {
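Review bot: The added failure path that logs `invalid R_PPC_REL24 entry found` only helps if the caller notices it. `do_plt_call` returns a `uint32_t` that the relocation code presumably uses as a branch target, and the call site is outside this hunk. Whatever sentinel this branch returns should be documented on the function and tested by the caller, so that a module with a `location` outside all four rx/rw ranges fails to load rather than getting a relocation built from the sentinel. A comment such as `/* returns <sentinel> if location lies in none of the module's core/init rx/rw regions */` above `do_plt_call` would make the contract explicit. The four range comparisons would also read better as a small `static inline` range helper.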
2218 diff -urNp linux-2.6.33/arch/powerpc/kernel/module.c linux-2.6.33/arch/powerpc/kernel/module.c
2219 --- linux-2.6.33/arch/powerpc/kernel/module.c 2010-02-24 13:52:17.000000000 -0500
2220 +++ linux-2.6.33/arch/powerpc/kernel/module.c 2010-03-07 12:23:35.903199907 -0500
2223 LIST_HEAD(module_bug_list);
2225 +#ifdef CONFIG_PAX_KERNEXEC
2226 void *module_alloc(unsigned long size)
2231 + return vmalloc(size);
2234 +void *module_alloc_exec(unsigned long size)
2236 +void *module_alloc(unsigned long size)
2243 return vmalloc_exec(size);
2246 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2247 vfree(module_region);
2250 +#ifdef CONFIG_PAX_KERNEXEC
2251 +void module_free_exec(struct module *mod, void *module_region)
2253 + module_free(mod, module_region);
2257 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2258 const Elf_Shdr *sechdrs,
2260 diff -urNp linux-2.6.33/arch/powerpc/kernel/pci-common.c linux-2.6.33/arch/powerpc/kernel/pci-common.c
2261 --- linux-2.6.33/arch/powerpc/kernel/pci-common.c 2010-02-24 13:52:17.000000000 -0500
2262 +++ linux-2.6.33/arch/powerpc/kernel/pci-common.c 2010-03-07 12:23:35.903199907 -0500
2263 @@ -50,14 +50,14 @@ resource_size_t isa_mem_base;
2264 unsigned int ppc_pci_flags = 0;
2267 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2268 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2270 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2271 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2273 pci_dma_ops = dma_ops;
2276 -struct dma_map_ops *get_pci_dma_ops(void)
2277 +const struct dma_map_ops *get_pci_dma_ops(void)
2281 diff -urNp linux-2.6.33/arch/powerpc/kernel/process.c linux-2.6.33/arch/powerpc/kernel/process.c
2282 --- linux-2.6.33/arch/powerpc/kernel/process.c 2010-02-24 13:52:17.000000000 -0500
2283 +++ linux-2.6.33/arch/powerpc/kernel/process.c 2010-03-07 12:23:35.903199907 -0500
2284 @@ -1141,51 +1141,3 @@ unsigned long arch_align_stack(unsigned
2285 sp -= get_random_int() & ~PAGE_MASK;
2289 -static inline unsigned long brk_rnd(void)
2291 - unsigned long rnd = 0;
2293 - /* 8MB for 32bit, 1GB for 64bit */
2294 - if (is_32bit_task())
2295 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2297 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2299 - return rnd << PAGE_SHIFT;
2302 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2304 - unsigned long base = mm->brk;
2305 - unsigned long ret;
2307 -#ifdef CONFIG_PPC_STD_MMU_64
2309 - * If we are using 1TB segments and we are allowed to randomise
2310 - * the heap, we can put it above 1TB so it is backed by a 1TB
2311 - * segment. Otherwise the heap will be in the bottom 1TB
2312 - * which always uses 256MB segments and this may result in a
2313 - * performance penalty.
2315 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2316 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2319 - ret = PAGE_ALIGN(base + brk_rnd());
2321 - if (ret < mm->brk)
2327 -unsigned long randomize_et_dyn(unsigned long base)
2329 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2336 diff -urNp linux-2.6.33/arch/powerpc/kernel/signal_32.c linux-2.6.33/arch/powerpc/kernel/signal_32.c
2337 --- linux-2.6.33/arch/powerpc/kernel/signal_32.c 2010-02-24 13:52:17.000000000 -0500
2338 +++ linux-2.6.33/arch/powerpc/kernel/signal_32.c 2010-03-07 12:23:35.903199907 -0500
2339 @@ -857,7 +857,7 @@ int handle_rt_signal32(unsigned long sig
2340 /* Save user registers on the stack */
2341 frame = &rt_sf->uc.uc_mcontext;
2343 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2344 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2345 if (save_user_regs(regs, frame, 0, 1))
2347 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
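Review bot: Changing the "no vDSO" marker from 0 to `~0UL` is only safe if every truth test of `context.vdso_base` is converted. This patch touches one site here, one in signal_64.c and the assignment in vdso.c. Any remaining `&& current->mm->context.vdso_base` test, for example a non-RT 32-bit signal path if this file has one, would now treat `~0UL` as a valid base and compute `regs->link` from it. Please grep for all readers of the field. I would also replace the bare `~0UL` with a named constant defined next to `vdso_base`, with a comment such as `/* ~0UL in context.vdso_base marks "no vDSO mapped" */`. `handle_rt_signal32` continues outside this hunk.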
2348 diff -urNp linux-2.6.33/arch/powerpc/kernel/signal_64.c linux-2.6.33/arch/powerpc/kernel/signal_64.c
2349 --- linux-2.6.33/arch/powerpc/kernel/signal_64.c 2010-02-24 13:52:17.000000000 -0500
2350 +++ linux-2.6.33/arch/powerpc/kernel/signal_64.c 2010-03-07 12:23:35.903199907 -0500
2351 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2352 current->thread.fpscr.val = 0;
2354 /* Set up to return from userspace. */
2355 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2356 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2357 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2359 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2360 diff -urNp linux-2.6.33/arch/powerpc/kernel/vdso.c linux-2.6.33/arch/powerpc/kernel/vdso.c
2361 --- linux-2.6.33/arch/powerpc/kernel/vdso.c 2010-02-24 13:52:17.000000000 -0500
2362 +++ linux-2.6.33/arch/powerpc/kernel/vdso.c 2010-03-07 12:23:35.903199907 -0500
2364 #include <asm/firmware.h>
2365 #include <asm/vdso.h>
2366 #include <asm/vdso_datapage.h>
2367 +#include <asm/mman.h>
2371 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2372 vdso_base = VDSO32_MBASE;
2375 - current->mm->context.vdso_base = 0;
2376 + current->mm->context.vdso_base = ~0UL;
2378 /* vDSO has a problem and was disabled, just don't "enable" it for the
2380 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2381 vdso_base = get_unmapped_area(NULL, vdso_base,
2382 (vdso_pages << PAGE_SHIFT) +
2383 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2385 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
2386 if (IS_ERR_VALUE(vdso_base)) {
2389 diff -urNp linux-2.6.33/arch/powerpc/kernel/vio.c linux-2.6.33/arch/powerpc/kernel/vio.c
2390 --- linux-2.6.33/arch/powerpc/kernel/vio.c 2010-02-24 13:52:17.000000000 -0500
2391 +++ linux-2.6.33/arch/powerpc/kernel/vio.c 2010-03-07 12:23:35.903199907 -0500
2392 @@ -601,11 +601,12 @@ static void vio_dma_iommu_unmap_sg(struc
2393 vio_cmo_dealloc(viodev, alloc_size);
2396 -struct dma_map_ops vio_dma_mapping_ops = {
2397 +static const struct dma_map_ops vio_dma_mapping_ops = {
2398 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2399 .free_coherent = vio_dma_iommu_free_coherent,
2400 .map_sg = vio_dma_iommu_map_sg,
2401 .unmap_sg = vio_dma_iommu_unmap_sg,
2402 + .dma_supported = dma_iommu_dma_supported,
2403 .map_page = vio_dma_iommu_map_page,
2404 .unmap_page = vio_dma_iommu_unmap_page,
2406 @@ -857,7 +858,6 @@ static void vio_cmo_bus_remove(struct vi
2408 static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
2410 - vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
2411 viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
2414 diff -urNp linux-2.6.33/arch/powerpc/lib/usercopy_64.c linux-2.6.33/arch/powerpc/lib/usercopy_64.c
2415 --- linux-2.6.33/arch/powerpc/lib/usercopy_64.c 2010-02-24 13:52:17.000000000 -0500
2416 +++ linux-2.6.33/arch/powerpc/lib/usercopy_64.c 2010-03-07 12:23:35.903199907 -0500
2418 #include <linux/module.h>
2419 #include <asm/uaccess.h>
2421 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2423 - if (likely(access_ok(VERIFY_READ, from, n)))
2424 - n = __copy_from_user(to, from, n);
2430 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2432 - if (likely(access_ok(VERIFY_WRITE, to, n)))
2433 - n = __copy_to_user(to, from, n);
2437 unsigned long copy_in_user(void __user *to, const void __user *from,
2440 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2444 -EXPORT_SYMBOL(copy_from_user);
2445 -EXPORT_SYMBOL(copy_to_user);
2446 EXPORT_SYMBOL(copy_in_user);
2448 diff -urNp linux-2.6.33/arch/powerpc/mm/fault.c linux-2.6.33/arch/powerpc/mm/fault.c
2449 --- linux-2.6.33/arch/powerpc/mm/fault.c 2010-02-24 13:52:17.000000000 -0500
2450 +++ linux-2.6.33/arch/powerpc/mm/fault.c 2010-03-07 12:23:35.903199907 -0500
2452 #include <linux/kprobes.h>
2453 #include <linux/kdebug.h>
2454 #include <linux/perf_event.h>
2455 +#include <linux/slab.h>
2456 +#include <linux/pagemap.h>
2457 +#include <linux/compiler.h>
2458 +#include <linux/unistd.h>
2460 #include <asm/firmware.h>
2461 #include <asm/page.h>
2463 #include <asm/tlbflush.h>
2464 #include <asm/siginfo.h>
2465 #include <mm/mmu_decl.h>
2466 +#include <asm/ptrace.h>
2468 #ifdef CONFIG_KPROBES
2469 static inline int notify_page_fault(struct pt_regs *regs)
2470 @@ -64,6 +69,33 @@ static inline int notify_page_fault(stru
2474 +#ifdef CONFIG_PAX_PAGEEXEC
2476 + * PaX: decide what to do with offenders (regs->nip = fault address)
2478 + * returns 1 when task should be killed
2480 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2485 +void pax_report_insns(void *pc, void *sp)
2489 + printk(KERN_ERR "PAX: bytes at PC: ");
2490 + for (i = 0; i < 5; i++) {
2492 + if (get_user(c, (unsigned int __user *)pc+i))
2493 + printk(KERN_CONT "???????? ");
2495 + printk(KERN_CONT "%08x ", c);
2502 * Check whether the instruction at regs->nip is a store using
2503 * an update addressing form which will update r1.
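Review bot: `pax_report_insns` writes several `KERN_ERR`/`KERN_CONT` fragments per call, and the `bad_area_nosemaphore` hunk further down reaches the reporting path on an instruction fetch that user space can cause whenever it wants. Unless `pax_report_fault` (not defined in these hunks) rate-limits, a process that forks and faults repeatedly can flood the kernel log. Please confirm the limit exists, or add one at this level. The label says "bytes at PC" but the loop prints five 32-bit words with `%08x`, so `"PAX: words at PC: "` would be more accurate. The `sp` parameter is not used in the lines shown, and a short comment should say why it is accepted.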
2504 @@ -134,7 +166,7 @@ int __kprobes do_page_fault(struct pt_re
2505 * indicate errors in DSISR but can validly be set in SRR1.
2508 - error_code &= 0x48200000;
2509 + error_code &= 0x58200000;
2511 is_write = error_code & DSISR_ISSTORE;
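Review bot: The mask grows from `0x48200000` to `0x58200000` as a bare literal, although the extra bit is exactly the `DSISR_GUARDED` (0x10000000) constant this patch adds to reg.h and uses in the later hunks of this file. Writing it as `error_code &= 0x48200000 | DSISR_GUARDED;` would show which bit was added and why. A short comment should say that the guarded bit must survive the mask for the instruction-fetch check. The surrounding `do_page_fault` body and the preprocessor branch this line lives in are outside the hunk.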
2513 @@ -256,7 +288,7 @@ good_area:
2514 * "undefined". Of those that can be set, this is the only
2515 * one which seems bad.
2517 - if (error_code & 0x10000000)
2518 + if (error_code & DSISR_GUARDED)
2519 /* Guarded storage error. */
2521 #endif /* CONFIG_8xx */
2522 @@ -271,7 +303,7 @@ good_area:
2523 * processors use the same I/D cache coherency mechanism
2526 - if (error_code & DSISR_PROTFAULT)
2527 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2529 #endif /* CONFIG_PPC_STD_MMU */
2531 @@ -341,6 +373,23 @@ bad_area:
2532 bad_area_nosemaphore:
2533 /* User mode accesses cause a SIGSEGV */
2534 if (user_mode(regs)) {
2536 +#ifdef CONFIG_PAX_PAGEEXEC
2537 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2538 +#ifdef CONFIG_PPC_STD_MMU
2539 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2541 + if (is_exec && regs->nip == address) {
2543 + switch (pax_handle_fetch_fault(regs)) {
2546 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2547 + do_group_exit(SIGKILL);
2552 _exception(SIGSEGV, regs, code, address);
2555 diff -urNp linux-2.6.33/arch/powerpc/mm/mmap_64.c linux-2.6.33/arch/powerpc/mm/mmap_64.c
2556 --- linux-2.6.33/arch/powerpc/mm/mmap_64.c 2010-02-24 13:52:17.000000000 -0500
2557 +++ linux-2.6.33/arch/powerpc/mm/mmap_64.c 2010-03-07 12:23:35.903199907 -0500
2558 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2560 if (mmap_is_legacy()) {
2561 mm->mmap_base = TASK_UNMAPPED_BASE;
2563 +#ifdef CONFIG_PAX_RANDMMAP
2564 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2565 + mm->mmap_base += mm->delta_mmap;
2568 mm->get_unmapped_area = arch_get_unmapped_area;
2569 mm->unmap_area = arch_unmap_area;
2571 mm->mmap_base = mmap_base();
2573 +#ifdef CONFIG_PAX_RANDMMAP
2574 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2575 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2578 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2579 mm->unmap_area = arch_unmap_area_topdown;
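Review bot: Neither adjusted base is range-checked: the legacy branch adds `mm->delta_mmap` to `TASK_UNMAPPED_BASE`, and the top-down branch subtracts `mm->delta_mmap + mm->delta_stack` from `mmap_base()`. The elf.h hunk in this patch sets `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` to 28 bits for 64-bit tasks. How those widths turn into byte offsets is not visible here, so it is worth confirming that, for every supported page size, the subtraction cannot wrap or land below the legacy base and the addition cannot leave the task's address space. If the bound holds by construction, a comment stating it would do, e.g. `/* delta_mmap + delta_stack < mmap_base() by construction, see PAX_DELTA_*_LEN */`. `arch_pick_mmap_layout` starts and ends outside this hunk.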
2581 diff -urNp linux-2.6.33/arch/powerpc/mm/slice.c linux-2.6.33/arch/powerpc/mm/slice.c
2582 --- linux-2.6.33/arch/powerpc/mm/slice.c 2010-02-24 13:52:17.000000000 -0500
2583 +++ linux-2.6.33/arch/powerpc/mm/slice.c 2010-03-07 12:23:35.903199907 -0500
2584 @@ -426,6 +426,11 @@ unsigned long slice_get_unmapped_area(un
2585 if (fixed && addr > (mm->task_size - len))
2588 +#ifdef CONFIG_PAX_RANDMMAP
2589 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
2593 /* If hint, make sure it matches our alignment restrictions */
2594 if (!fixed && addr) {
2595 addr = _ALIGN_UP(addr, 1ul << pshift);
2596 diff -urNp linux-2.6.33/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.33/arch/powerpc/platforms/52xx/lite5200_pm.c
2597 --- linux-2.6.33/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-02-24 13:52:17.000000000 -0500
2598 +++ linux-2.6.33/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-03-07 12:23:35.903199907 -0500
2599 @@ -235,7 +235,7 @@ static void lite5200_pm_end(void)
2600 lite5200_pm_target_state = PM_SUSPEND_ON;
2603 -static struct platform_suspend_ops lite5200_pm_ops = {
2604 +static const struct platform_suspend_ops lite5200_pm_ops = {
2605 .valid = lite5200_pm_valid,
2606 .begin = lite5200_pm_begin,
2607 .prepare = lite5200_pm_prepare,
2608 diff -urNp linux-2.6.33/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.33/arch/powerpc/platforms/52xx/mpc52xx_pm.c
2609 --- linux-2.6.33/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-02-24 13:52:17.000000000 -0500
2610 +++ linux-2.6.33/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-03-07 12:23:35.903199907 -0500
2611 @@ -180,7 +180,7 @@ void mpc52xx_pm_finish(void)
2615 -static struct platform_suspend_ops mpc52xx_pm_ops = {
2616 +static const struct platform_suspend_ops mpc52xx_pm_ops = {
2617 .valid = mpc52xx_pm_valid,
2618 .prepare = mpc52xx_pm_prepare,
2619 .enter = mpc52xx_pm_enter,
2620 diff -urNp linux-2.6.33/arch/powerpc/platforms/83xx/suspend.c linux-2.6.33/arch/powerpc/platforms/83xx/suspend.c
2621 --- linux-2.6.33/arch/powerpc/platforms/83xx/suspend.c 2010-02-24 13:52:17.000000000 -0500
2622 +++ linux-2.6.33/arch/powerpc/platforms/83xx/suspend.c 2010-03-07 12:23:35.907205393 -0500
2623 @@ -311,7 +311,7 @@ static int mpc83xx_is_pci_agent(void)
2627 -static struct platform_suspend_ops mpc83xx_suspend_ops = {
2628 +static const struct platform_suspend_ops mpc83xx_suspend_ops = {
2629 .valid = mpc83xx_suspend_valid,
2630 .begin = mpc83xx_suspend_begin,
2631 .enter = mpc83xx_suspend_enter,
2632 diff -urNp linux-2.6.33/arch/powerpc/platforms/cell/iommu.c linux-2.6.33/arch/powerpc/platforms/cell/iommu.c
2633 --- linux-2.6.33/arch/powerpc/platforms/cell/iommu.c 2010-02-24 13:52:17.000000000 -0500
2634 +++ linux-2.6.33/arch/powerpc/platforms/cell/iommu.c 2010-03-07 12:23:35.907205393 -0500
2635 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
2637 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
2639 -struct dma_map_ops dma_iommu_fixed_ops = {
2640 +const struct dma_map_ops dma_iommu_fixed_ops = {
2641 .alloc_coherent = dma_fixed_alloc_coherent,
2642 .free_coherent = dma_fixed_free_coherent,
2643 .map_sg = dma_fixed_map_sg,
2644 diff -urNp linux-2.6.33/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.33/arch/powerpc/platforms/ps3/system-bus.c
2645 --- linux-2.6.33/arch/powerpc/platforms/ps3/system-bus.c 2010-02-24 13:52:17.000000000 -0500
2646 +++ linux-2.6.33/arch/powerpc/platforms/ps3/system-bus.c 2010-03-07 12:23:35.907205393 -0500
2647 @@ -694,7 +694,7 @@ static int ps3_dma_supported(struct devi
2648 return mask >= DMA_BIT_MASK(32);
2651 -static struct dma_map_ops ps3_sb_dma_ops = {
2652 +static const struct dma_map_ops ps3_sb_dma_ops = {
2653 .alloc_coherent = ps3_alloc_coherent,
2654 .free_coherent = ps3_free_coherent,
2655 .map_sg = ps3_sb_map_sg,
2656 @@ -704,7 +704,7 @@ static struct dma_map_ops ps3_sb_dma_ops
2657 .unmap_page = ps3_unmap_page,
2660 -static struct dma_map_ops ps3_ioc0_dma_ops = {
2661 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
2662 .alloc_coherent = ps3_alloc_coherent,
2663 .free_coherent = ps3_free_coherent,
2664 .map_sg = ps3_ioc0_map_sg,
2665 diff -urNp linux-2.6.33/arch/powerpc/sysdev/fsl_pmc.c linux-2.6.33/arch/powerpc/sysdev/fsl_pmc.c
2666 --- linux-2.6.33/arch/powerpc/sysdev/fsl_pmc.c 2010-02-24 13:52:17.000000000 -0500
2667 +++ linux-2.6.33/arch/powerpc/sysdev/fsl_pmc.c 2010-03-07 12:23:35.907205393 -0500
2668 @@ -53,7 +53,7 @@ static int pmc_suspend_valid(suspend_sta
2672 -static struct platform_suspend_ops pmc_suspend_ops = {
2673 +static const struct platform_suspend_ops pmc_suspend_ops = {
2674 .valid = pmc_suspend_valid,
2675 .enter = pmc_suspend_enter,
2677 diff -urNp linux-2.6.33/arch/s390/include/asm/elf.h linux-2.6.33/arch/s390/include/asm/elf.h
2678 --- linux-2.6.33/arch/s390/include/asm/elf.h 2010-02-24 13:52:17.000000000 -0500
2679 +++ linux-2.6.33/arch/s390/include/asm/elf.h 2010-03-07 12:23:35.907205393 -0500
2680 @@ -163,6 +163,13 @@ extern unsigned int vdso_enabled;
2681 that it will "exec", and that there is sufficient room for the brk. */
2682 #define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
2684 +#ifdef CONFIG_PAX_ASLR
2685 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
2687 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2688 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2691 /* This yields a mask that user programs can use to figure out what
2692 instruction set this CPU supports. */
2694 diff -urNp linux-2.6.33/arch/s390/include/asm/uaccess.h linux-2.6.33/arch/s390/include/asm/uaccess.h
2695 --- linux-2.6.33/arch/s390/include/asm/uaccess.h 2010-02-24 13:52:17.000000000 -0500
2696 +++ linux-2.6.33/arch/s390/include/asm/uaccess.h 2010-03-07 12:23:35.907205393 -0500
2697 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
2698 copy_to_user(void __user *to, const void *from, unsigned long n)
2705 if (access_ok(VERIFY_WRITE, to, n))
2706 n = __copy_to_user(to, from, n);
2708 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
2709 static inline unsigned long __must_check
2710 __copy_from_user(void *to, const void __user *from, unsigned long n)
2715 if (__builtin_constant_p(n) && (n <= 256))
2716 return uaccess.copy_from_user_small(n, from, to);
2718 @@ -285,6 +292,10 @@ static inline unsigned long __must_check
2719 copy_from_user(void *to, const void __user *from, unsigned long n)
2726 if (access_ok(VERIFY_READ, from, n))
2727 n = __copy_from_user(to, from, n);
2729 diff -urNp linux-2.6.33/arch/s390/Kconfig linux-2.6.33/arch/s390/Kconfig
2730 --- linux-2.6.33/arch/s390/Kconfig 2010-02-24 13:52:17.000000000 -0500
2731 +++ linux-2.6.33/arch/s390/Kconfig 2010-03-07 12:23:35.907205393 -0500
2732 @@ -222,13 +222,12 @@ config AUDIT_ARCH
2734 config S390_EXEC_PROTECT
2735 bool "Data execute protection"
2738 This option allows to enable a buffer overflow protection for user
2739 - space programs and it also selects the addressing mode option above.
2740 - The kernel parameter noexec=on will enable this feature and also
2741 - switch the addressing modes, default is disabled. Enabling this (via
2742 - kernel parameter) on machines earlier than IBM System z9-109 EC/BC
2743 - will reduce system performance.
2745 + Enabling this on machines earlier than IBM System z9-109 EC/BC will
2746 + reduce system performance.
2748 comment "Code generation options"
2750 diff -urNp linux-2.6.33/arch/s390/kernel/module.c linux-2.6.33/arch/s390/kernel/module.c
2751 --- linux-2.6.33/arch/s390/kernel/module.c 2010-02-24 13:52:17.000000000 -0500
2752 +++ linux-2.6.33/arch/s390/kernel/module.c 2010-03-07 12:23:35.907205393 -0500
2753 @@ -166,11 +166,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
2755 /* Increase core size by size of got & plt and set start
2756 offsets for got and plt. */
2757 - me->core_size = ALIGN(me->core_size, 4);
2758 - me->arch.got_offset = me->core_size;
2759 - me->core_size += me->arch.got_size;
2760 - me->arch.plt_offset = me->core_size;
2761 - me->core_size += me->arch.plt_size;
2762 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
2763 + me->arch.got_offset = me->core_size_rw;
2764 + me->core_size_rw += me->arch.got_size;
2765 + me->arch.plt_offset = me->core_size_rx;
2766 + me->core_size_rx += me->arch.plt_size;
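Review bot: `me->arch.plt_offset = me->core_size_rx;` takes the PLT offset from a size that this hunk never aligns, whereas the GOT side still gets `ALIGN(me->core_size_rw, 4)` and the old code placed the PLT directly after that aligned GOT. The later apply_rela hunks fill the PLT stub through `ip[0] = 0x0d105810`, apparently as whole words. Unless the rx layout done outside this hunk already guarantees 4-byte alignment, I would add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the offset is read. module_frob_arch_sections starts and ends outside the hunk.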
2770 @@ -256,7 +256,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2771 if (info->got_initialized == 0) {
2774 - gotent = me->module_core + me->arch.got_offset +
2775 + gotent = me->module_core_rw + me->arch.got_offset +
2778 info->got_initialized = 1;
2779 @@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2780 else if (r_type == R_390_GOTENT ||
2781 r_type == R_390_GOTPLTENT)
2782 *(unsigned int *) loc =
2783 - (val + (Elf_Addr) me->module_core - loc) >> 1;
2784 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
2785 else if (r_type == R_390_GOT64 ||
2786 r_type == R_390_GOTPLT64)
2787 *(unsigned long *) loc = val;
2788 @@ -294,7 +294,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2789 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
2790 if (info->plt_initialized == 0) {
2792 - ip = me->module_core + me->arch.plt_offset +
2793 + ip = me->module_core_rx + me->arch.plt_offset +
2795 #ifndef CONFIG_64BIT
2796 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
2797 @@ -319,7 +319,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2798 val - loc + 0xffffUL < 0x1ffffeUL) ||
2799 (r_type == R_390_PLT32DBL &&
2800 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
2801 - val = (Elf_Addr) me->module_core +
2802 + val = (Elf_Addr) me->module_core_rx +
2803 me->arch.plt_offset +
2805 val += rela->r_addend - loc;
2806 @@ -341,7 +341,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2807 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
2808 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
2809 val = val + rela->r_addend -
2810 - ((Elf_Addr) me->module_core + me->arch.got_offset);
2811 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
2812 if (r_type == R_390_GOTOFF16)
2813 *(unsigned short *) loc = val;
2814 else if (r_type == R_390_GOTOFF32)
2815 @@ -351,7 +351,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2817 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
2818 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
2819 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
2820 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
2821 rela->r_addend - loc;
2822 if (r_type == R_390_GOTPC)
2823 *(unsigned int *) loc = val;
2824 diff -urNp linux-2.6.33/arch/s390/kernel/setup.c linux-2.6.33/arch/s390/kernel/setup.c
2825 --- linux-2.6.33/arch/s390/kernel/setup.c 2010-02-24 13:52:17.000000000 -0500
2826 +++ linux-2.6.33/arch/s390/kernel/setup.c 2010-03-07 12:23:35.907205393 -0500
2827 @@ -298,7 +298,7 @@ static int __init early_parse_mem(char *
2829 early_param("mem", early_parse_mem);
2831 -unsigned int user_mode = HOME_SPACE_MODE;
2832 +unsigned int user_mode = SECONDARY_SPACE_MODE;
2833 EXPORT_SYMBOL_GPL(user_mode);
2835 static int set_amode_and_uaccess(unsigned long user_amode,
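Review bot: The new initializer `unsigned int user_mode = SECONDARY_SPACE_MODE;` changes the addressing mode for every s390 boot, and nothing next to it says why. The `noexec=` handler removed further down was the code that selected this mode, and it was built only under CONFIG_S390_EXEC_PROTECT, while the new default is unconditional in the lines shown. Whether that is intended for kernels built without that option cannot be told from the hunk. I would at least add a comment above the definition, such as `/* secondary space by default: execute protection no longer depends on noexec= */`.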
2836 @@ -327,17 +327,6 @@ static int set_amode_and_uaccess(unsigne
2841 - * Switch kernel/user addressing modes?
2843 -static int __init early_parse_switch_amode(char *p)
2845 - if (user_mode != SECONDARY_SPACE_MODE)
2846 - user_mode = PRIMARY_SPACE_MODE;
2849 -early_param("switch_amode", early_parse_switch_amode);
2851 static int __init early_parse_user_mode(char *p)
2853 if (p && strcmp(p, "primary") == 0)
2854 @@ -354,20 +343,6 @@ static int __init early_parse_user_mode(
2856 early_param("user_mode", early_parse_user_mode);
2858 -#ifdef CONFIG_S390_EXEC_PROTECT
2860 - * Enable execute protection?
2862 -static int __init early_parse_noexec(char *p)
2864 - if (!strncmp(p, "off", 3))
2866 - user_mode = SECONDARY_SPACE_MODE;
2869 -early_param("noexec", early_parse_noexec);
2870 -#endif /* CONFIG_S390_EXEC_PROTECT */
2872 static void setup_addressing_mode(void)
2874 if (user_mode == SECONDARY_SPACE_MODE) {
2875 diff -urNp linux-2.6.33/arch/s390/mm/maccess.c linux-2.6.33/arch/s390/mm/maccess.c
2876 --- linux-2.6.33/arch/s390/mm/maccess.c 2010-02-24 13:52:17.000000000 -0500
2877 +++ linux-2.6.33/arch/s390/mm/maccess.c 2010-03-07 12:23:35.907205393 -0500
2878 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
2879 return rc ? rc : count;
2882 -long probe_kernel_write(void *dst, void *src, size_t size)
2883 +long probe_kernel_write(void *dst, const void *src, size_t size)
2887 diff -urNp linux-2.6.33/arch/s390/mm/mmap.c linux-2.6.33/arch/s390/mm/mmap.c
2888 --- linux-2.6.33/arch/s390/mm/mmap.c 2010-02-24 13:52:17.000000000 -0500
2889 +++ linux-2.6.33/arch/s390/mm/mmap.c 2010-03-07 12:23:35.907205393 -0500
2890 @@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
2892 if (mmap_is_legacy()) {
2893 mm->mmap_base = TASK_UNMAPPED_BASE;
2895 +#ifdef CONFIG_PAX_RANDMMAP
2896 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2897 + mm->mmap_base += mm->delta_mmap;
2900 mm->get_unmapped_area = arch_get_unmapped_area;
2901 mm->unmap_area = arch_unmap_area;
2903 mm->mmap_base = mmap_base();
2905 +#ifdef CONFIG_PAX_RANDMMAP
2906 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2907 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2910 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2911 mm->unmap_area = arch_unmap_area_topdown;
2913 @@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
2915 if (mmap_is_legacy()) {
2916 mm->mmap_base = TASK_UNMAPPED_BASE;
2918 +#ifdef CONFIG_PAX_RANDMMAP
2919 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2920 + mm->mmap_base += mm->delta_mmap;
2923 mm->get_unmapped_area = s390_get_unmapped_area;
2924 mm->unmap_area = arch_unmap_area;
2926 mm->mmap_base = mmap_base();
2928 +#ifdef CONFIG_PAX_RANDMMAP
2929 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2930 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2933 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
2934 mm->unmap_area = arch_unmap_area_topdown;
2936 diff -urNp linux-2.6.33/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.33/arch/sh/boards/mach-hp6xx/pm.c
2937 --- linux-2.6.33/arch/sh/boards/mach-hp6xx/pm.c 2010-02-24 13:52:17.000000000 -0500
2938 +++ linux-2.6.33/arch/sh/boards/mach-hp6xx/pm.c 2010-03-07 12:23:35.907205393 -0500
2939 @@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
2943 -static struct platform_suspend_ops hp6x0_pm_ops = {
2944 +static const struct platform_suspend_ops hp6x0_pm_ops = {
2945 .enter = hp6x0_pm_enter,
2946 .valid = suspend_valid_only_mem,
2948 diff -urNp linux-2.6.33/arch/sh/include/asm/dma-mapping.h linux-2.6.33/arch/sh/include/asm/dma-mapping.h
2949 --- linux-2.6.33/arch/sh/include/asm/dma-mapping.h 2010-02-24 13:52:17.000000000 -0500
2950 +++ linux-2.6.33/arch/sh/include/asm/dma-mapping.h 2010-03-07 12:23:35.907205393 -0500
2952 #ifndef __ASM_SH_DMA_MAPPING_H
2953 #define __ASM_SH_DMA_MAPPING_H
2955 -extern struct dma_map_ops *dma_ops;
2956 +extern const struct dma_map_ops *dma_ops;
2957 extern void no_iommu_init(void);
2959 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2960 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2964 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
2966 static inline int dma_supported(struct device *dev, u64 mask)
2968 - struct dma_map_ops *ops = get_dma_ops(dev);
2969 + const struct dma_map_ops *ops = get_dma_ops(dev);
2971 if (ops->dma_supported)
2972 return ops->dma_supported(dev, mask);
2973 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
2975 static inline int dma_set_mask(struct device *dev, u64 mask)
2977 - struct dma_map_ops *ops = get_dma_ops(dev);
2978 + const struct dma_map_ops *ops = get_dma_ops(dev);
2980 if (!dev->dma_mask || !dma_supported(dev, mask))
2982 @@ -59,7 +59,7 @@ static inline int dma_get_cache_alignmen
2984 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2986 - struct dma_map_ops *ops = get_dma_ops(dev);
2987 + const struct dma_map_ops *ops = get_dma_ops(dev);
2989 if (ops->mapping_error)
2990 return ops->mapping_error(dev, dma_addr);
2991 @@ -70,7 +70,7 @@ static inline int dma_mapping_error(stru
2992 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2993 dma_addr_t *dma_handle, gfp_t gfp)
2995 - struct dma_map_ops *ops = get_dma_ops(dev);
2996 + const struct dma_map_ops *ops = get_dma_ops(dev);
2999 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
3000 @@ -87,7 +87,7 @@ static inline void *dma_alloc_coherent(s
3001 static inline void dma_free_coherent(struct device *dev, size_t size,
3002 void *vaddr, dma_addr_t dma_handle)
3004 - struct dma_map_ops *ops = get_dma_ops(dev);
3005 + const struct dma_map_ops *ops = get_dma_ops(dev);
3007 WARN_ON(irqs_disabled()); /* for portability */
3009 diff -urNp linux-2.6.33/arch/sh/kernel/cpu/sh4/sq.c linux-2.6.33/arch/sh/kernel/cpu/sh4/sq.c
3010 --- linux-2.6.33/arch/sh/kernel/cpu/sh4/sq.c 2010-02-24 13:52:17.000000000 -0500
3011 +++ linux-2.6.33/arch/sh/kernel/cpu/sh4/sq.c 2010-03-07 12:23:35.909670807 -0500
3012 @@ -327,7 +327,7 @@ static struct attribute *sq_sysfs_attrs[
3016 -static struct sysfs_ops sq_sysfs_ops = {
3017 +static const struct sysfs_ops sq_sysfs_ops = {
3018 .show = sq_sysfs_show,
3019 .store = sq_sysfs_store,
3021 diff -urNp linux-2.6.33/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.33/arch/sh/kernel/cpu/shmobile/pm.c
3022 --- linux-2.6.33/arch/sh/kernel/cpu/shmobile/pm.c 2010-02-24 13:52:17.000000000 -0500
3023 +++ linux-2.6.33/arch/sh/kernel/cpu/shmobile/pm.c 2010-03-07 12:23:35.909670807 -0500
3024 @@ -140,7 +140,7 @@ static int sh_pm_enter(suspend_state_t s
3028 -static struct platform_suspend_ops sh_pm_ops = {
3029 +static const struct platform_suspend_ops sh_pm_ops = {
3030 .enter = sh_pm_enter,
3031 .valid = suspend_valid_only_mem,
3033 diff -urNp linux-2.6.33/arch/sh/kernel/dma-nommu.c linux-2.6.33/arch/sh/kernel/dma-nommu.c
3034 --- linux-2.6.33/arch/sh/kernel/dma-nommu.c 2010-02-24 13:52:17.000000000 -0500
3035 +++ linux-2.6.33/arch/sh/kernel/dma-nommu.c 2010-03-07 12:23:35.909670807 -0500
3036 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
3040 -struct dma_map_ops nommu_dma_ops = {
3041 +const struct dma_map_ops nommu_dma_ops = {
3042 .alloc_coherent = dma_generic_alloc_coherent,
3043 .free_coherent = dma_generic_free_coherent,
3044 .map_page = nommu_map_page,
3045 diff -urNp linux-2.6.33/arch/sh/kernel/kgdb.c linux-2.6.33/arch/sh/kernel/kgdb.c
3046 --- linux-2.6.33/arch/sh/kernel/kgdb.c 2010-02-24 13:52:17.000000000 -0500
3047 +++ linux-2.6.33/arch/sh/kernel/kgdb.c 2010-03-07 12:23:35.909670807 -0500
3048 @@ -271,7 +271,7 @@ void kgdb_arch_exit(void)
3052 -struct kgdb_arch arch_kgdb_ops = {
3053 +const struct kgdb_arch arch_kgdb_ops = {
3054 /* Breakpoint instruction: trapa #0x3c */
3055 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3056 .gdb_bpt_instr = { 0x3c, 0xc3 },
3057 diff -urNp linux-2.6.33/arch/sh/mm/consistent.c linux-2.6.33/arch/sh/mm/consistent.c
3058 --- linux-2.6.33/arch/sh/mm/consistent.c 2010-02-24 13:52:17.000000000 -0500
3059 +++ linux-2.6.33/arch/sh/mm/consistent.c 2010-03-07 12:23:35.909670807 -0500
3062 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
3064 -struct dma_map_ops *dma_ops;
3065 +const struct dma_map_ops *dma_ops;
3066 EXPORT_SYMBOL(dma_ops);
3068 static int __init dma_init(void)
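Review bot: `const struct dma_map_ops *dma_ops;` makes the ops table read-only but leaves the exported pointer itself writable, so the indirection the constification is meant to protect can still be changed by a write to `dma_ops`. If the pointer is only assigned during init (dma_init follows, but its body is outside the hunk), it should live in memory that is write-protected after init, or a comment should say why it has to stay writable. The same applies to the `dma_ops` definitions in arch/sparc/kernel/iommu.c and arch/sparc/kernel/ioport.c.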
3069 diff -urNp linux-2.6.33/arch/sparc/include/asm/atomic_64.h linux-2.6.33/arch/sparc/include/asm/atomic_64.h
3070 --- linux-2.6.33/arch/sparc/include/asm/atomic_64.h 2010-02-24 13:52:17.000000000 -0500
3071 +++ linux-2.6.33/arch/sparc/include/asm/atomic_64.h 2010-03-07 12:23:35.909670807 -0500
3073 #define ATOMIC64_INIT(i) { (i) }
3075 #define atomic_read(v) ((v)->counter)
3076 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3078 + return v->counter;
3080 #define atomic64_read(v) ((v)->counter)
3081 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3083 + return v->counter;
3086 #define atomic_set(v, i) (((v)->counter) = i)
3087 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3091 #define atomic64_set(v, i) (((v)->counter) = i)
3092 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3097 extern void atomic_add(int, atomic_t *);
3098 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3099 extern void atomic64_add(int, atomic64_t *);
3100 +extern void atomic64_add_unchecked(int, atomic64_unchecked_t *);
3101 extern void atomic_sub(int, atomic_t *);
3102 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3103 extern void atomic64_sub(int, atomic64_t *);
3105 extern int atomic_add_ret(int, atomic_t *);
3106 extern int atomic64_add_ret(int, atomic64_t *);
3107 +extern int atomic64_add_ret_unchecked(int, atomic64_unchecked_t *);
3108 extern int atomic_sub_ret(int, atomic_t *);
3109 extern int atomic64_sub_ret(int, atomic64_t *);
3111 @@ -34,6 +54,7 @@ extern int atomic64_sub_ret(int, atomic6
3113 #define atomic_inc_return(v) atomic_add_ret(1, v)
3114 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3115 +#define atomic64_inc_return_unchecked(v) atomic64_add_ret_unchecked(1, v)
3117 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3118 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3119 @@ -59,7 +80,15 @@ extern int atomic64_sub_ret(int, atomic6
3120 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3122 #define atomic_inc(v) atomic_add(1, v)
3123 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3125 + atomic_add_unchecked(1, v);
3127 #define atomic64_inc(v) atomic64_add(1, v)
3128 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3130 + atomic64_add_unchecked(1, v);
3133 #define atomic_dec(v) atomic_sub(1, v)
3134 #define atomic64_dec(v) atomic64_sub(1, v)
3135 @@ -72,17 +101,28 @@ extern int atomic64_sub_ret(int, atomic6
3137 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3143 - if (unlikely(c == (u)))
3144 + if (unlikely(c == u))
3146 - old = atomic_cmpxchg((v), c, c + (a));
3148 + asm volatile("addcc %2, %0, %0\n"
3150 +#ifdef CONFIG_PAX_REFCOUNT
3155 + : "0" (c), "ir" (a)
3158 + old = atomic_cmpxchg(v, c, new);
3159 if (likely(old == c))
3167 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
3168 @@ -93,17 +133,28 @@ static inline int atomic_add_unless(atom
3170 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
3174 c = atomic64_read(v);
3176 - if (unlikely(c == (u)))
3177 + if (unlikely(c == u))
3179 - old = atomic64_cmpxchg((v), c, c + (a));
3181 + asm volatile("addcc %2, %0, %0\n"
3183 +#ifdef CONFIG_PAX_REFCOUNT
3188 + : "0" (c), "ir" (a)
3191 + old = atomic64_cmpxchg(v, c, new);
3192 if (likely(old == c))
3200 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3201 diff -urNp linux-2.6.33/arch/sparc/include/asm/dma-mapping.h linux-2.6.33/arch/sparc/include/asm/dma-mapping.h
3202 --- linux-2.6.33/arch/sparc/include/asm/dma-mapping.h 2010-02-24 13:52:17.000000000 -0500
3203 +++ linux-2.6.33/arch/sparc/include/asm/dma-mapping.h 2010-03-07 12:23:35.909670807 -0500
3204 @@ -14,10 +14,10 @@ extern int dma_set_mask(struct device *d
3205 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3206 #define dma_is_consistent(d, h) (1)
3208 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3209 +extern struct const dma_map_ops *dma_ops, pci32_dma_ops;
3210 extern struct bus_type pci_bus_type;
3212 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3213 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3215 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3216 if (dev->bus == &pci_bus_type)
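Review bot: `extern struct const dma_map_ops *dma_ops, pci32_dma_ops;` does not compile, because the qualifier sits between `struct` and the tag. It should read `extern const struct dma_map_ops *dma_ops, pci32_dma_ops;`, which also matches the `const struct dma_map_ops pci32_dma_ops` definition in arch/sparc/kernel/ioport.c. get_dma_ops continues outside the hunk.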
3217 @@ -31,7 +31,7 @@ static inline struct dma_map_ops *get_dm
3218 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3219 dma_addr_t *dma_handle, gfp_t flag)
3221 - struct dma_map_ops *ops = get_dma_ops(dev);
3222 + const struct dma_map_ops *ops = get_dma_ops(dev);
3225 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3226 @@ -42,7 +42,7 @@ static inline void *dma_alloc_coherent(s
3227 static inline void dma_free_coherent(struct device *dev, size_t size,
3228 void *cpu_addr, dma_addr_t dma_handle)
3230 - struct dma_map_ops *ops = get_dma_ops(dev);
3231 + const struct dma_map_ops *ops = get_dma_ops(dev);
3233 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3234 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3235 diff -urNp linux-2.6.33/arch/sparc/include/asm/elf_32.h linux-2.6.33/arch/sparc/include/asm/elf_32.h
3236 --- linux-2.6.33/arch/sparc/include/asm/elf_32.h 2010-02-24 13:52:17.000000000 -0500
3237 +++ linux-2.6.33/arch/sparc/include/asm/elf_32.h 2010-03-07 12:23:35.909670807 -0500
3238 @@ -114,6 +114,13 @@ typedef struct {
3240 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3242 +#ifdef CONFIG_PAX_ASLR
3243 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3245 +#define PAX_DELTA_MMAP_LEN 16
3246 +#define PAX_DELTA_STACK_LEN 16
3249 /* This yields a mask that user programs can use to figure out what
3250 instruction set this cpu supports. This can NOT be done in userspace
3252 diff -urNp linux-2.6.33/arch/sparc/include/asm/elf_64.h linux-2.6.33/arch/sparc/include/asm/elf_64.h
3253 --- linux-2.6.33/arch/sparc/include/asm/elf_64.h 2010-02-24 13:52:17.000000000 -0500
3254 +++ linux-2.6.33/arch/sparc/include/asm/elf_64.h 2010-03-07 12:23:35.909670807 -0500
3255 @@ -162,6 +162,12 @@ typedef struct {
3256 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3257 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3259 +#ifdef CONFIG_PAX_ASLR
3260 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3262 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3263 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3266 /* This yields a mask that user programs can use to figure out what
3267 instruction set this cpu supports. */
3268 diff -urNp linux-2.6.33/arch/sparc/include/asm/pgtable_32.h linux-2.6.33/arch/sparc/include/asm/pgtable_32.h
3269 --- linux-2.6.33/arch/sparc/include/asm/pgtable_32.h 2010-02-24 13:52:17.000000000 -0500
3270 +++ linux-2.6.33/arch/sparc/include/asm/pgtable_32.h 2010-03-07 12:23:35.909670807 -0500
3271 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3272 BTFIXUPDEF_INT(page_none)
3273 BTFIXUPDEF_INT(page_copy)
3274 BTFIXUPDEF_INT(page_readonly)
3276 +#ifdef CONFIG_PAX_PAGEEXEC
3277 +BTFIXUPDEF_INT(page_shared_noexec)
3278 +BTFIXUPDEF_INT(page_copy_noexec)
3279 +BTFIXUPDEF_INT(page_readonly_noexec)
3282 BTFIXUPDEF_INT(page_kernel)
3284 #define PMD_SHIFT SUN4C_PMD_SHIFT
3285 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3286 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3287 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3289 +#ifdef CONFIG_PAX_PAGEEXEC
3290 +extern pgprot_t PAGE_SHARED_NOEXEC;
3291 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3292 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3294 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
3295 +# define PAGE_COPY_NOEXEC PAGE_COPY
3296 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
3299 extern unsigned long page_kernel;
3302 diff -urNp linux-2.6.33/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.33/arch/sparc/include/asm/pgtsrmmu.h
3303 --- linux-2.6.33/arch/sparc/include/asm/pgtsrmmu.h 2010-02-24 13:52:17.000000000 -0500
3304 +++ linux-2.6.33/arch/sparc/include/asm/pgtsrmmu.h 2010-03-07 12:23:35.909670807 -0500
3305 @@ -115,6 +115,13 @@
3306 SRMMU_EXEC | SRMMU_REF)
3307 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3308 SRMMU_EXEC | SRMMU_REF)
3310 +#ifdef CONFIG_PAX_PAGEEXEC
3311 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3312 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3313 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3316 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3317 SRMMU_DIRTY | SRMMU_REF)
3319 diff -urNp linux-2.6.33/arch/sparc/include/asm/spinlock_64.h linux-2.6.33/arch/sparc/include/asm/spinlock_64.h
3320 --- linux-2.6.33/arch/sparc/include/asm/spinlock_64.h 2010-02-24 13:52:17.000000000 -0500
3321 +++ linux-2.6.33/arch/sparc/include/asm/spinlock_64.h 2010-03-07 12:23:35.909670807 -0500
3322 @@ -99,7 +99,12 @@ static void inline arch_read_lock(arch_r
3323 __asm__ __volatile__ (
3324 "1: ldsw [%2], %0\n"
3326 -"4: add %0, 1, %1\n"
3327 +"4: addcc %0, 1, %1\n"
3329 +#ifdef CONFIG_PAX_REFCOUNT
3333 " cas [%2], %0, %1\n"
3335 " bne,pn %%icc, 1b\n"
3336 @@ -112,7 +117,7 @@ static void inline arch_read_lock(arch_r
3338 : "=&r" (tmp1), "=&r" (tmp2)
3341 + : "memory", "cc");
3344 static int inline arch_read_trylock(arch_rwlock_t *lock)
3345 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
3346 "1: ldsw [%2], %0\n"
3347 " brlz,a,pn %0, 2f\n"
3350 +" addcc %0, 1, %1\n"
3352 +#ifdef CONFIG_PAX_REFCOUNT
3356 " cas [%2], %0, %1\n"
3358 " bne,pn %%icc, 1b\n"
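Review bot: The `addcc` introduced in arch_read_trylock writes the condition codes, but no clobber-list change appears here or in the arch_read_unlock hunk that switches to `subcc`. arch_read_lock, by contrast, gets `: "memory", "cc");` in the hunk above. The clobber lists of both functions lie outside their hunks, so this is inferred from the hunk sizes. If they still read `: "memory");`, I would add `"cc"` there as well so the three functions agree.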
3359 @@ -142,7 +152,12 @@ static void inline arch_read_unlock(arch
3361 __asm__ __volatile__(
3362 "1: lduw [%2], %0\n"
3364 +" subcc %0, 1, %1\n"
3366 +#ifdef CONFIG_PAX_REFCOUNT
3370 " cas [%2], %0, %1\n"
3372 " bne,pn %%xcc, 1b\n"
3373 diff -urNp linux-2.6.33/arch/sparc/include/asm/uaccess_32.h linux-2.6.33/arch/sparc/include/asm/uaccess_32.h
3374 --- linux-2.6.33/arch/sparc/include/asm/uaccess_32.h 2010-02-24 13:52:17.000000000 -0500
3375 +++ linux-2.6.33/arch/sparc/include/asm/uaccess_32.h 2010-03-07 12:23:35.909670807 -0500
3376 @@ -249,14 +249,25 @@ extern unsigned long __copy_user(void __
3378 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3380 - if (n && __access_ok((unsigned long) to, n))
3384 + if (n && __access_ok((unsigned long) to, n)) {
3385 + if (!__builtin_constant_p(n))
3386 + check_object_size(from, n, true);
3387 return __copy_user(to, (__force void __user *) from, n);
3393 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3398 + if (!__builtin_constant_p(n))
3399 + check_object_size(from, n, true);
3401 return __copy_user(to, (__force void __user *) from, n);
3404 @@ -272,19 +283,27 @@ static inline unsigned long copy_from_us
3406 int sz = __compiletime_object_size(to);
3411 if (unlikely(sz != -1 && sz < n)) {
3412 copy_from_user_overflow();
3416 - if (n && __access_ok((unsigned long) from, n))
3417 + if (n && __access_ok((unsigned long) from, n)) {
3418 + if (!__builtin_constant_p(n))
3419 + check_object_size(to, n, false);
3420 return __copy_user((__force void __user *) to, from, n);
3426 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3431 return __copy_user((__force void __user *) to, from, n);
3434 diff -urNp linux-2.6.33/arch/sparc/include/asm/uaccess_64.h linux-2.6.33/arch/sparc/include/asm/uaccess_64.h
3435 --- linux-2.6.33/arch/sparc/include/asm/uaccess_64.h 2010-02-24 13:52:17.000000000 -0500
3436 +++ linux-2.6.33/arch/sparc/include/asm/uaccess_64.h 2010-03-07 12:23:35.909670807 -0500
3438 #include <linux/compiler.h>
3439 #include <linux/string.h>
3440 #include <linux/thread_info.h>
3441 +#include <linux/kernel.h>
3442 #include <asm/asi.h>
3443 #include <asm/system.h>
3444 #include <asm/spitfire.h>
3445 @@ -204,6 +205,7 @@ __asm__ __volatile__( \
3446 : "=r" (x) : "r" (__m(addr)), "i" (retval))
3448 extern int __get_user_bad(void);
3449 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
3451 extern void copy_from_user_overflow(void)
3452 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
3453 @@ -224,6 +226,12 @@ copy_from_user(void *to, const void __us
3454 int sz = __compiletime_object_size(to);
3455 unsigned long ret = size;
3457 + if ((long)size < 0 || size > INT_MAX)
3460 + if (!__builtin_constant_p(size))
3461 + check_object_size(to, size, false);
3463 if (likely(sz == -1 || sz >= size)) {
3464 ret = ___copy_from_user(to, from, size);
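Review bot: In `if ((long)size < 0 || size > INT_MAX)` the first test is redundant, because `size` is an `unsigned long` and any value whose cast to `long` is negative is already greater than `INT_MAX`. `if (size > INT_MAX)` says the same thing and is easier to read; the copy_to_user hunk below repeats the condition. The statement guarded by the check is not visible here, and copy_from_user starts and ends outside the hunk.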
3466 @@ -243,8 +251,15 @@ extern unsigned long copy_to_user_fixup(
3467 static inline unsigned long __must_check
3468 copy_to_user(void __user *to, const void *from, unsigned long size)
3470 - unsigned long ret = ___copy_to_user(to, from, size);
3471 + unsigned long ret;
3473 + if ((long)size < 0 || size > INT_MAX)
3476 + if (!__builtin_constant_p(size))
3477 + check_object_size(from, size, true);
3479 + ret = ___copy_to_user(to, from, size);
3481 ret = copy_to_user_fixup(to, from, size);
3483 diff -urNp linux-2.6.33/arch/sparc/kernel/iommu.c linux-2.6.33/arch/sparc/kernel/iommu.c
3484 --- linux-2.6.33/arch/sparc/kernel/iommu.c 2010-02-24 13:52:17.000000000 -0500
3485 +++ linux-2.6.33/arch/sparc/kernel/iommu.c 2010-03-07 12:23:35.909670807 -0500
3486 @@ -827,7 +827,7 @@ static void dma_4u_sync_sg_for_cpu(struc
3487 spin_unlock_irqrestore(&iommu->lock, flags);
3490 -static struct dma_map_ops sun4u_dma_ops = {
3491 +static const struct dma_map_ops sun4u_dma_ops = {
3492 .alloc_coherent = dma_4u_alloc_coherent,
3493 .free_coherent = dma_4u_free_coherent,
3494 .map_page = dma_4u_map_page,
3495 @@ -838,7 +838,7 @@ static struct dma_map_ops sun4u_dma_ops
3496 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
3499 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3500 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3501 EXPORT_SYMBOL(dma_ops);
3503 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
3504 diff -urNp linux-2.6.33/arch/sparc/kernel/ioport.c linux-2.6.33/arch/sparc/kernel/ioport.c
3505 --- linux-2.6.33/arch/sparc/kernel/ioport.c 2010-02-24 13:52:17.000000000 -0500
3506 +++ linux-2.6.33/arch/sparc/kernel/ioport.c 2010-03-07 12:23:35.909670807 -0500
3507 @@ -397,7 +397,7 @@ static void sbus_sync_sg_for_device(stru
3511 -struct dma_map_ops sbus_dma_ops = {
3512 +const struct dma_map_ops sbus_dma_ops = {
3513 .alloc_coherent = sbus_alloc_coherent,
3514 .free_coherent = sbus_free_coherent,
3515 .map_page = sbus_map_page,
3516 @@ -408,7 +408,7 @@ struct dma_map_ops sbus_dma_ops = {
3517 .sync_sg_for_device = sbus_sync_sg_for_device,
3520 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
3521 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
3522 EXPORT_SYMBOL(dma_ops);
3524 static int __init sparc_register_ioport(void)
3525 @@ -645,7 +645,7 @@ static void pci32_sync_sg_for_device(str
3529 -struct dma_map_ops pci32_dma_ops = {
3530 +const struct dma_map_ops pci32_dma_ops = {
3531 .alloc_coherent = pci32_alloc_coherent,
3532 .free_coherent = pci32_free_coherent,
3533 .map_page = pci32_map_page,
3534 diff -urNp linux-2.6.33/arch/sparc/kernel/kgdb_32.c linux-2.6.33/arch/sparc/kernel/kgdb_32.c
3535 --- linux-2.6.33/arch/sparc/kernel/kgdb_32.c 2010-02-24 13:52:17.000000000 -0500
3536 +++ linux-2.6.33/arch/sparc/kernel/kgdb_32.c 2010-03-07 12:23:35.909670807 -0500
3537 @@ -158,7 +158,7 @@ void kgdb_arch_exit(void)
3541 -struct kgdb_arch arch_kgdb_ops = {
3542 +const struct kgdb_arch arch_kgdb_ops = {
3543 /* Breakpoint instruction: ta 0x7d */
3544 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
3546 diff -urNp linux-2.6.33/arch/sparc/kernel/kgdb_64.c linux-2.6.33/arch/sparc/kernel/kgdb_64.c
3547 --- linux-2.6.33/arch/sparc/kernel/kgdb_64.c 2010-02-24 13:52:17.000000000 -0500
3548 +++ linux-2.6.33/arch/sparc/kernel/kgdb_64.c 2010-03-07 12:23:35.909670807 -0500
3549 @@ -180,7 +180,7 @@ void kgdb_arch_exit(void)
3553 -struct kgdb_arch arch_kgdb_ops = {
3554 +const struct kgdb_arch arch_kgdb_ops = {
3555 /* Breakpoint instruction: ta 0x72 */
3556 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
3558 diff -urNp linux-2.6.33/arch/sparc/kernel/Makefile linux-2.6.33/arch/sparc/kernel/Makefile
3559 --- linux-2.6.33/arch/sparc/kernel/Makefile 2010-02-24 13:52:17.000000000 -0500
3560 +++ linux-2.6.33/arch/sparc/kernel/Makefile 2010-03-07 12:23:35.909670807 -0500
3565 -ccflags-y := -Werror
3566 +#ccflags-y := -Werror
3568 extra-y := head_$(BITS).o
3569 extra-y += init_task.o
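Review bot: Commenting out `ccflags-y := -Werror` silences, for the whole directory, the warnings this patch is likely to introduce, for example qualifier mismatches from the `const` ops tables changed in iommu.c, ioport.c and pci_sun4v.c. I would keep `-Werror` and fix the warnings. If that is not possible yet, delete the line rather than leave it commented out, and record the reason in a comment such as `# -Werror dropped: <reason>`.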
3570 diff -urNp linux-2.6.33/arch/sparc/kernel/pci_sun4v.c linux-2.6.33/arch/sparc/kernel/pci_sun4v.c
3571 --- linux-2.6.33/arch/sparc/kernel/pci_sun4v.c 2010-02-24 13:52:17.000000000 -0500
3572 +++ linux-2.6.33/arch/sparc/kernel/pci_sun4v.c 2010-03-07 12:23:35.909670807 -0500
3573 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
3574 spin_unlock_irqrestore(&iommu->lock, flags);
3577 -static struct dma_map_ops sun4v_dma_ops = {
3578 +static const struct dma_map_ops sun4v_dma_ops = {
3579 .alloc_coherent = dma_4v_alloc_coherent,
3580 .free_coherent = dma_4v_free_coherent,
3581 .map_page = dma_4v_map_page,
3582 diff -urNp linux-2.6.33/arch/sparc/kernel/sys_sparc_32.c linux-2.6.33/arch/sparc/kernel/sys_sparc_32.c
3583 --- linux-2.6.33/arch/sparc/kernel/sys_sparc_32.c 2010-02-24 13:52:17.000000000 -0500
3584 +++ linux-2.6.33/arch/sparc/kernel/sys_sparc_32.c 2010-03-07 12:23:35.909670807 -0500
3585 @@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
3586 if (ARCH_SUN4C && len > 0x20000000)
3589 - addr = TASK_UNMAPPED_BASE;
3590 + addr = current->mm->mmap_base;
3592 if (flags & MAP_SHARED)
3593 addr = COLOUR_ALIGN(addr);
3594 diff -urNp linux-2.6.33/arch/sparc/kernel/sys_sparc_64.c linux-2.6.33/arch/sparc/kernel/sys_sparc_64.c
3595 --- linux-2.6.33/arch/sparc/kernel/sys_sparc_64.c 2010-02-24 13:52:17.000000000 -0500
3596 +++ linux-2.6.33/arch/sparc/kernel/sys_sparc_64.c 2010-03-07 12:23:35.909670807 -0500
3597 @@ -125,7 +125,7 @@ unsigned long arch_get_unmapped_area(str
3598 /* We do not accept a shared mapping if it would violate
3599 * cache aliasing constraints.
3601 - if ((flags & MAP_SHARED) &&
3602 + if ((filp || (flags & MAP_SHARED)) &&
3603 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
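Review bot: The comment above the changed condition still says only shared mappings are rejected, but with `filp ||` the SHMLBA alignment test now also covers private file-backed mappings. The arch_get_unmapped_area_topdown hunk has the same change and the same stale comment. Suggest rewording both to `/* We do not accept a shared or file-backed mapping if it would violate cache aliasing constraints. */`. The enclosing branch starts outside the hunk, so I am assuming this is the fixed-address path. If so, a private file mapping placed at a fixed address with an unaligned offset would presumably now be refused where it was accepted before, which deserves a changelog line.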
3606 @@ -140,6 +140,10 @@ unsigned long arch_get_unmapped_area(str
3607 if (filp || (flags & MAP_SHARED))
3610 +#ifdef CONFIG_PAX_RANDMMAP
3611 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
3616 addr = COLOUR_ALIGN(addr, pgoff);
3617 @@ -153,9 +157,9 @@ unsigned long arch_get_unmapped_area(str
3620 if (len > mm->cached_hole_size) {
3621 - start_addr = addr = mm->free_area_cache;
3622 + start_addr = addr = mm->free_area_cache;
3624 - start_addr = addr = TASK_UNMAPPED_BASE;
3625 + start_addr = addr = mm->mmap_base;
3626 mm->cached_hole_size = 0;
3629 @@ -175,8 +179,8 @@ full_search:
3630 vma = find_vma(mm, VA_EXCLUDE_END);
3632 if (unlikely(task_size < addr)) {
3633 - if (start_addr != TASK_UNMAPPED_BASE) {
3634 - start_addr = addr = TASK_UNMAPPED_BASE;
3635 + if (start_addr != mm->mmap_base) {
3636 + start_addr = addr = mm->mmap_base;
3637 mm->cached_hole_size = 0;
3640 @@ -216,7 +220,7 @@ arch_get_unmapped_area_topdown(struct fi
3641 /* We do not accept a shared mapping if it would violate
3642 * cache aliasing constraints.
3644 - if ((flags & MAP_SHARED) &&
3645 + if ((filp || (flags & MAP_SHARED)) &&
3646 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
3649 @@ -386,6 +390,12 @@ void arch_pick_mmap_layout(struct mm_str
3650 gap == RLIM_INFINITY ||
3651 sysctl_legacy_va_layout) {
3652 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
3654 +#ifdef CONFIG_PAX_RANDMMAP
3655 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3656 + mm->mmap_base += mm->delta_mmap;
3659 mm->get_unmapped_area = arch_get_unmapped_area;
3660 mm->unmap_area = arch_unmap_area;
3662 @@ -398,6 +408,12 @@ void arch_pick_mmap_layout(struct mm_str
3663 gap = (task_size / 6 * 5);
3665 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
3667 +#ifdef CONFIG_PAX_RANDMMAP
3668 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3669 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3672 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3673 mm->unmap_area = arch_unmap_area_topdown;
3675 diff -urNp linux-2.6.33/arch/sparc/kernel/traps_64.c linux-2.6.33/arch/sparc/kernel/traps_64.c
3676 --- linux-2.6.33/arch/sparc/kernel/traps_64.c 2010-02-24 13:52:17.000000000 -0500
3677 +++ linux-2.6.33/arch/sparc/kernel/traps_64.c 2010-03-07 12:23:35.909670807 -0500
3678 @@ -93,6 +93,12 @@ void bad_trap(struct pt_regs *regs, long
3681 if (regs->tstate & TSTATE_PRIV) {
3683 +#ifdef CONFIG_PAX_REFCOUNT
3685 + pax_report_refcount_overflow(regs);
3688 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
3689 die_if_kernel(buffer, regs);
3691 @@ -111,11 +117,16 @@ void bad_trap(struct pt_regs *regs, long
3692 void bad_trap_tl1(struct pt_regs *regs, long lvl)
3697 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
3698 0, lvl, SIGTRAP) == NOTIFY_STOP)
3701 +#ifdef CONFIG_PAX_REFCOUNT
3703 + pax_report_refcount_overflow(regs);
3706 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
3708 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
3709 diff -urNp linux-2.6.33/arch/sparc/lib/atomic_64.S linux-2.6.33/arch/sparc/lib/atomic_64.S
3710 --- linux-2.6.33/arch/sparc/lib/atomic_64.S 2010-02-24 13:52:17.000000000 -0500
3711 +++ linux-2.6.33/arch/sparc/lib/atomic_64.S 2010-03-07 12:23:35.913649556 -0500
3713 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
3717 + addcc %g1, %o0, %g7
3719 +#ifdef CONFIG_PAX_REFCOUNT
3726 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
3727 2: BACKOFF_SPIN(%o2, %o3, 1b)
3728 .size atomic_add, .-atomic_add
3730 + .globl atomic_add_unchecked
3731 + .type atomic_add_unchecked,#function
3732 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3733 + BACKOFF_SETUP(%o2)
3736 + cas [%o1], %g1, %g7
3742 +2: BACKOFF_SPIN(%o2, %o3, 1b)
3743 + .size atomic_add_unchecked, .-atomic_add_unchecked
3746 .type atomic_sub,#function
3747 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
3751 + subcc %g1, %o0, %g7
3753 +#ifdef CONFIG_PAX_REFCOUNT
3760 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
3761 2: BACKOFF_SPIN(%o2, %o3, 1b)
3762 .size atomic_sub, .-atomic_sub
3764 + .globl atomic_sub_unchecked
3765 + .type atomic_sub_unchecked,#function
3766 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
3767 + BACKOFF_SETUP(%o2)
3770 + cas [%o1], %g1, %g7
3776 +2: BACKOFF_SPIN(%o2, %o3, 1b)
3777 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
3779 .globl atomic_add_ret
3780 .type atomic_add_ret,#function
3781 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
3785 + addcc %g1, %o0, %g7
3787 +#ifdef CONFIG_PAX_REFCOUNT
3794 @@ -64,7 +109,12 @@ atomic_add_ret: /* %o0 = increment, %o1
3795 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
3799 + subcc %g1, %o0, %g7
3801 +#ifdef CONFIG_PAX_REFCOUNT
3808 @@ -80,7 +130,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
3809 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
3813 + addcc %g1, %o0, %g7
3815 +#ifdef CONFIG_PAX_REFCOUNT
3819 casx [%o1], %g1, %g7
3822 @@ -90,12 +145,32 @@ atomic64_add: /* %o0 = increment, %o1 =
3823 2: BACKOFF_SPIN(%o2, %o3, 1b)
3824 .size atomic64_add, .-atomic64_add
3826 + .globl atomic64_add_unchecked
3827 + .type atomic64_add_unchecked,#function
3828 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3829 + BACKOFF_SETUP(%o2)
3831 + addcc %g1, %o0, %g7
3832 + casx [%o1], %g1, %g7
3838 +2: BACKOFF_SPIN(%o2, %o3, 1b)
3839 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
3842 .type atomic64_sub,#function
3843 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
3847 + subcc %g1, %o0, %g7
3849 +#ifdef CONFIG_PAX_REFCOUNT
3853 casx [%o1], %g1, %g7
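Review bot: `atomic64_add_unchecked` computes the sum with `addcc`, and `atomic64_add_ret_unchecked` in a later hunk does the same, although the point of the unchecked variants is that nothing inspects the overflow flag. Several lines of each routine are missing from this view, so this is inferred. If no trap follows, plain `add %g1, %o0, %g7` states the intent and keeps the unchecked bodies visibly distinct from the checked ones. A one-line comment on each `_unchecked` entry, saying it is meant for counters where wrap-around is acceptable rather than for reference counts, would also help callers pick the right primitive.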
3856 @@ -110,7 +185,12 @@ atomic64_sub: /* %o0 = decrement, %o1 =
3857 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
3861 + addcc %g1, %o0, %g7
3863 +#ifdef CONFIG_PAX_REFCOUNT
3867 casx [%o1], %g1, %g7
3870 @@ -121,12 +201,33 @@ atomic64_add_ret: /* %o0 = increment, %o
3871 2: BACKOFF_SPIN(%o2, %o3, 1b)
3872 .size atomic64_add_ret, .-atomic64_add_ret
3874 + .globl atomic64_add_ret_unchecked
3875 + .type atomic64_add_ret_unchecked,#function
3876 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3877 + BACKOFF_SETUP(%o2)
3879 + addcc %g1, %o0, %g7
3880 + casx [%o1], %g1, %g7
3887 +2: BACKOFF_SPIN(%o2, %o3, 1b)
3888 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
3890 .globl atomic64_sub_ret
3891 .type atomic64_sub_ret,#function
3892 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
3896 + subcc %g1, %o0, %g7
3898 +#ifdef CONFIG_PAX_REFCOUNT
3902 casx [%o1], %g1, %g7
3905 diff -urNp linux-2.6.33/arch/sparc/lib/ksyms.c linux-2.6.33/arch/sparc/lib/ksyms.c
3906 --- linux-2.6.33/arch/sparc/lib/ksyms.c 2010-02-24 13:52:17.000000000 -0500
3907 +++ linux-2.6.33/arch/sparc/lib/ksyms.c 2010-03-07 12:23:35.913649556 -0500
3908 @@ -142,8 +142,10 @@ EXPORT_SYMBOL(__downgrade_write);
3910 /* Atomic counter implementation. */
3911 EXPORT_SYMBOL(atomic_add);
3912 +EXPORT_SYMBOL(atomic_add_unchecked);
3913 EXPORT_SYMBOL(atomic_add_ret);
3914 EXPORT_SYMBOL(atomic_sub);
3915 +EXPORT_SYMBOL(atomic_sub_unchecked);
3916 EXPORT_SYMBOL(atomic_sub_ret);
3917 EXPORT_SYMBOL(atomic64_add);
3918 EXPORT_SYMBOL(atomic64_add_ret);
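Review bot: Only `atomic_add_unchecked` and `atomic_sub_unchecked` are exported here, while atomic_64.S in this same patch also makes `atomic64_add_unchecked` and `atomic64_add_ret_unchecked` global. If modular code ends up calling the 64-bit variants, it will hit an unresolved symbol when the module is built or loaded. Suggest adding `EXPORT_SYMBOL(atomic64_add_unchecked);` and `EXPORT_SYMBOL(atomic64_add_ret_unchecked);` next to the existing atomic64 exports, or a comment stating they are intentionally built-in only.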
3919 diff -urNp linux-2.6.33/arch/sparc/lib/rwsem_64.S linux-2.6.33/arch/sparc/lib/rwsem_64.S
3920 --- linux-2.6.33/arch/sparc/lib/rwsem_64.S 2010-02-24 13:52:17.000000000 -0500
3921 +++ linux-2.6.33/arch/sparc/lib/rwsem_64.S 2010-03-07 12:23:35.913649556 -0500
3929 +#ifdef CONFIG_PAX_REFCOUNT
3936 @@ -33,7 +38,12 @@ __down_read:
3937 .globl __down_read_trylock
3938 __down_read_trylock:
3943 +#ifdef CONFIG_PAX_REFCOUNT
3950 @@ -51,7 +61,12 @@ __down_write:
3951 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
3955 + addcc %g3, %g1, %g7
3957 +#ifdef CONFIG_PAX_REFCOUNT
3964 @@ -77,7 +92,12 @@ __down_write_trylock:
3969 + addcc %g3, %g1, %g7
3971 +#ifdef CONFIG_PAX_REFCOUNT
3978 @@ -90,7 +110,12 @@ __down_write_trylock:
3985 +#ifdef CONFIG_PAX_REFCOUNT
3992 @@ -118,7 +143,12 @@ __up_write:
3993 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
3997 + subcc %g3, %g1, %g7
3999 +#ifdef CONFIG_PAX_REFCOUNT
4006 @@ -143,7 +173,12 @@ __downgrade_write:
4007 or %g1, %lo(RWSEM_WAITING_BIAS), %g1
4011 + subcc %g3, %g1, %g7
4013 +#ifdef CONFIG_PAX_REFCOUNT
4020 diff -urNp linux-2.6.33/arch/sparc/Makefile linux-2.6.33/arch/sparc/Makefile
4021 --- linux-2.6.33/arch/sparc/Makefile 2010-02-24 13:52:17.000000000 -0500
4022 +++ linux-2.6.33/arch/sparc/Makefile 2010-03-07 12:23:35.913649556 -0500
4023 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
4024 # Export what is needed by arch/sparc/boot/Makefile
4025 export VMLINUX_INIT VMLINUX_MAIN
4026 VMLINUX_INIT := $(head-y) $(init-y)
4027 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4028 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4029 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4030 VMLINUX_MAIN += $(drivers-y) $(net-y)
4032 diff -urNp linux-2.6.33/arch/sparc/mm/fault_32.c linux-2.6.33/arch/sparc/mm/fault_32.c
4033 --- linux-2.6.33/arch/sparc/mm/fault_32.c 2010-02-24 13:52:17.000000000 -0500
4034 +++ linux-2.6.33/arch/sparc/mm/fault_32.c 2010-03-07 12:23:35.913649556 -0500
4036 #include <linux/interrupt.h>
4037 #include <linux/module.h>
4038 #include <linux/kdebug.h>
4039 +#include <linux/slab.h>
4040 +#include <linux/pagemap.h>
4041 +#include <linux/compiler.h>
4043 #include <asm/system.h>
4044 #include <asm/page.h>
4045 @@ -168,6 +171,267 @@ static unsigned long compute_si_addr(str
4046 return safe_compute_effective_address(regs, insn);
4049 +#ifdef CONFIG_PAX_PAGEEXEC
4050 +#ifdef CONFIG_PAX_DLRESOLVE
4051 +static void pax_emuplt_close(struct vm_area_struct *vma)
4053 + vma->vm_mm->call_dl_resolve = 0UL;
4056 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4058 + unsigned int *kaddr;
4060 + vmf->page = alloc_page(GFP_HIGHUSER);
4062 + return VM_FAULT_OOM;
4064 + kaddr = kmap(vmf->page);
4065 + memset(kaddr, 0, PAGE_SIZE);
4066 + kaddr[0] = 0x9DE3BFA8U; /* save */
4067 + flush_dcache_page(vmf->page);
4068 + kunmap(vmf->page);
4069 + return VM_FAULT_MAJOR;
4072 +static const struct vm_operations_struct pax_vm_ops = {
4073 + .close = pax_emuplt_close,
4074 + .fault = pax_emuplt_fault
4077 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4081 + vma->vm_mm = current->mm;
4082 + vma->vm_start = addr;
4083 + vma->vm_end = addr + PAGE_SIZE;
4084 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4085 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4086 + vma->vm_ops = &pax_vm_ops;
4088 + ret = insert_vm_struct(current->mm, vma);
4092 + ++current->mm->total_vm;
4098 + * PaX: decide what to do with offenders (regs->pc = fault address)
4100 + * returns 1 when task should be killed
4101 + * 2 when patched PLT trampoline was detected
4102 + * 3 when unpatched PLT trampoline was detected
4104 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4107 +#ifdef CONFIG_PAX_EMUPLT
4110 + do { /* PaX: patched PLT emulation #1 */
4111 + unsigned int sethi1, sethi2, jmpl;
4113 + err = get_user(sethi1, (unsigned int *)regs->pc);
4114 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4115 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4120 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4121 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
4122 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
4124 + unsigned int addr;
4126 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4127 + addr = regs->u_regs[UREG_G1];
4128 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4130 + regs->npc = addr+4;
4135 + { /* PaX: patched PLT emulation #2 */
4138 + err = get_user(ba, (unsigned int *)regs->pc);
4140 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4141 + unsigned int addr;
4143 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4145 + regs->npc = addr+4;
4150 + do { /* PaX: patched PLT emulation #3 */
4151 + unsigned int sethi, jmpl, nop;
4153 + err = get_user(sethi, (unsigned int *)regs->pc);
4154 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
4155 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4160 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4161 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4162 + nop == 0x01000000U)
4164 + unsigned int addr;
4166 + addr = (sethi & 0x003FFFFFU) << 10;
4167 + regs->u_regs[UREG_G1] = addr;
4168 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4170 + regs->npc = addr+4;
4175 + do { /* PaX: unpatched PLT emulation step 1 */
4176 + unsigned int sethi, ba, nop;
4178 + err = get_user(sethi, (unsigned int *)regs->pc);
4179 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
4180 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4185 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4186 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4187 + nop == 0x01000000U)
4189 + unsigned int addr, save, call;
4191 + if ((ba & 0xFFC00000U) == 0x30800000U)
4192 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4194 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
4196 + err = get_user(save, (unsigned int *)addr);
4197 + err |= get_user(call, (unsigned int *)(addr+4));
4198 + err |= get_user(nop, (unsigned int *)(addr+8));
4202 +#ifdef CONFIG_PAX_DLRESOLVE
4203 + if (save == 0x9DE3BFA8U &&
4204 + (call & 0xC0000000U) == 0x40000000U &&
4205 + nop == 0x01000000U)
4207 + struct vm_area_struct *vma;
4208 + unsigned long call_dl_resolve;
4210 + down_read(¤t->mm->mmap_sem);
4211 + call_dl_resolve = current->mm->call_dl_resolve;
4212 + up_read(¤t->mm->mmap_sem);
4213 + if (likely(call_dl_resolve))
4216 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4218 + down_write(¤t->mm->mmap_sem);
4219 + if (current->mm->call_dl_resolve) {
4220 + call_dl_resolve = current->mm->call_dl_resolve;
4221 + up_write(¤t->mm->mmap_sem);
4223 + kmem_cache_free(vm_area_cachep, vma);
4227 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4228 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4229 + up_write(¤t->mm->mmap_sem);
4231 + kmem_cache_free(vm_area_cachep, vma);
4235 + if (pax_insert_vma(vma, call_dl_resolve)) {
4236 + up_write(¤t->mm->mmap_sem);
4237 + kmem_cache_free(vm_area_cachep, vma);
4241 + current->mm->call_dl_resolve = call_dl_resolve;
4242 + up_write(¤t->mm->mmap_sem);
4245 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4246 + regs->pc = call_dl_resolve;
4247 + regs->npc = addr+4;
4252 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4253 + if ((save & 0xFFC00000U) == 0x05000000U &&
4254 + (call & 0xFFFFE000U) == 0x85C0A000U &&
4255 + nop == 0x01000000U)
4257 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4258 + regs->u_regs[UREG_G2] = addr + 4;
4259 + addr = (save & 0x003FFFFFU) << 10;
4260 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4262 + regs->npc = addr+4;
4268 + do { /* PaX: unpatched PLT emulation step 2 */
4269 + unsigned int save, call, nop;
4271 + err = get_user(save, (unsigned int *)(regs->pc-4));
4272 + err |= get_user(call, (unsigned int *)regs->pc);
4273 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
4277 + if (save == 0x9DE3BFA8U &&
4278 + (call & 0xC0000000U) == 0x40000000U &&
4279 + nop == 0x01000000U)
4281 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
4283 + regs->u_regs[UREG_RETPC] = regs->pc;
4284 + regs->pc = dl_resolve;
4285 + regs->npc = dl_resolve+4;
4294 +void pax_report_insns(void *pc, void *sp)
4298 + printk(KERN_ERR "PAX: bytes at PC: ");
4299 + for (i = 0; i < 8; i++) {
4301 + if (get_user(c, (unsigned int *)pc+i))
4302 + printk(KERN_CONT "???????? ");
4304 + printk(KERN_CONT "%08x ", c);
4310 asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
4311 unsigned long address)
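Review bot: The instruction patterns in `pax_handle_fetch_fault` are bare hex literals repeated many times, and the word that `pax_emuplt_fault` writes into the page (`0x9DE3BFA8U`) has to stay identical to what the step 1 and step 2 matchers compare against. These matches decide whether a fetch from a non-executable page is emulated or ends in `do_group_exit(SIGKILL)`, so a silent drift between writer and matcher is worth guarding against. Named constants such as `#define PAX_INSN_SAVE 0x9DE3BFA8U` and `#define PAX_INSN_NOP 0x01000000U` (names are suggestions) would do that. `pax_emuplt_close`, `pax_emuplt_fault`, `pax_vm_ops` and `pax_insert_vma` also appear identical in the fault_64.c section and could live in one shared place. Several lines of this hunk are missing from the page, so this covers the visible code only.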
4313 @@ -234,6 +498,24 @@ good_area:
4314 if(!(vma->vm_flags & VM_WRITE))
4318 +#ifdef CONFIG_PAX_PAGEEXEC
4319 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
4320 + up_read(&mm->mmap_sem);
4321 + switch (pax_handle_fetch_fault(regs)) {
4323 +#ifdef CONFIG_PAX_EMUPLT
4330 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
4331 + do_group_exit(SIGKILL);
4335 /* Allow reads even for write-only mappings */
4336 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
4338 diff -urNp linux-2.6.33/arch/sparc/mm/fault_64.c linux-2.6.33/arch/sparc/mm/fault_64.c
4339 --- linux-2.6.33/arch/sparc/mm/fault_64.c 2010-02-24 13:52:17.000000000 -0500
4340 +++ linux-2.6.33/arch/sparc/mm/fault_64.c 2010-03-07 12:23:35.913649556 -0500
4342 #include <linux/kprobes.h>
4343 #include <linux/kdebug.h>
4344 #include <linux/percpu.h>
4345 +#include <linux/slab.h>
4346 +#include <linux/pagemap.h>
4347 +#include <linux/compiler.h>
4349 #include <asm/page.h>
4350 #include <asm/pgtable.h>
4351 @@ -244,6 +247,456 @@ static void noinline __kprobes bogus_32b
4355 +#ifdef CONFIG_PAX_PAGEEXEC
4356 +#ifdef CONFIG_PAX_DLRESOLVE
4357 +static void pax_emuplt_close(struct vm_area_struct *vma)
4359 + vma->vm_mm->call_dl_resolve = 0UL;
4362 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4364 + unsigned int *kaddr;
4366 + vmf->page = alloc_page(GFP_HIGHUSER);
4368 + return VM_FAULT_OOM;
4370 + kaddr = kmap(vmf->page);
4371 + memset(kaddr, 0, PAGE_SIZE);
4372 + kaddr[0] = 0x9DE3BFA8U; /* save */
4373 + flush_dcache_page(vmf->page);
4374 + kunmap(vmf->page);
4375 + return VM_FAULT_MAJOR;
4378 +static const struct vm_operations_struct pax_vm_ops = {
4379 + .close = pax_emuplt_close,
4380 + .fault = pax_emuplt_fault
4383 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4387 + vma->vm_mm = current->mm;
4388 + vma->vm_start = addr;
4389 + vma->vm_end = addr + PAGE_SIZE;
4390 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4391 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4392 + vma->vm_ops = &pax_vm_ops;
4394 + ret = insert_vm_struct(current->mm, vma);
4398 + ++current->mm->total_vm;
4404 + * PaX: decide what to do with offenders (regs->tpc = fault address)
4406 + * returns 1 when task should be killed
4407 + * 2 when patched PLT trampoline was detected
4408 + * 3 when unpatched PLT trampoline was detected
4410 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4413 +#ifdef CONFIG_PAX_EMUPLT
4416 + do { /* PaX: patched PLT emulation #1 */
4417 + unsigned int sethi1, sethi2, jmpl;
4419 + err = get_user(sethi1, (unsigned int *)regs->tpc);
4420 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
4421 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
4426 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4427 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
4428 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
4430 + unsigned long addr;
4432 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4433 + addr = regs->u_regs[UREG_G1];
4434 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4436 + if (test_thread_flag(TIF_32BIT))
4437 + addr &= 0xFFFFFFFFUL;
4440 + regs->tnpc = addr+4;
4445 + { /* PaX: patched PLT emulation #2 */
4448 + err = get_user(ba, (unsigned int *)regs->tpc);
4450 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4451 + unsigned long addr;
4453 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
4455 + if (test_thread_flag(TIF_32BIT))
4456 + addr &= 0xFFFFFFFFUL;
4459 + regs->tnpc = addr+4;
4464 + do { /* PaX: patched PLT emulation #3 */
4465 + unsigned int sethi, jmpl, nop;
4467 + err = get_user(sethi, (unsigned int *)regs->tpc);
4468 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
4469 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4474 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4475 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4476 + nop == 0x01000000U)
4478 + unsigned long addr;
4480 + addr = (sethi & 0x003FFFFFU) << 10;
4481 + regs->u_regs[UREG_G1] = addr;
4482 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4484 + if (test_thread_flag(TIF_32BIT))
4485 + addr &= 0xFFFFFFFFUL;
4488 + regs->tnpc = addr+4;
4493 + do { /* PaX: patched PLT emulation #4 */
4494 + unsigned int sethi, mov1, call, mov2;
4496 + err = get_user(sethi, (unsigned int *)regs->tpc);
4497 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
4498 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
4499 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
4504 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4505 + mov1 == 0x8210000FU &&
4506 + (call & 0xC0000000U) == 0x40000000U &&
4507 + mov2 == 0x9E100001U)
4509 + unsigned long addr;
4511 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
4512 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
4514 + if (test_thread_flag(TIF_32BIT))
4515 + addr &= 0xFFFFFFFFUL;
4518 + regs->tnpc = addr+4;
4523 + do { /* PaX: patched PLT emulation #5 */
4524 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
4526 + err = get_user(sethi, (unsigned int *)regs->tpc);
4527 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
4528 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
4529 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
4530 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
4531 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
4532 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
4533 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
4538 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4539 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
4540 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4541 + (or1 & 0xFFFFE000U) == 0x82106000U &&
4542 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
4543 + sllx == 0x83287020U &&
4544 + jmpl == 0x81C04005U &&
4545 + nop == 0x01000000U)
4547 + unsigned long addr;
4549 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
4550 + regs->u_regs[UREG_G1] <<= 32;
4551 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
4552 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
4554 + regs->tnpc = addr+4;
4559 + do { /* PaX: patched PLT emulation #6 */
4560 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
4562 + err = get_user(sethi, (unsigned int *)regs->tpc);
4563 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
4564 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
4565 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
4566 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
4567 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
4568 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
4573 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4574 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
4575 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4576 + sllx == 0x83287020U &&
4577 + (or & 0xFFFFE000U) == 0x8A116000U &&
4578 + jmpl == 0x81C04005U &&
4579 + nop == 0x01000000U)
4581 + unsigned long addr;
4583 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
4584 + regs->u_regs[UREG_G1] <<= 32;
4585 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
4586 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
4588 + regs->tnpc = addr+4;
4593 + do { /* PaX: unpatched PLT emulation step 1 */
4594 + unsigned int sethi, ba, nop;
4596 + err = get_user(sethi, (unsigned int *)regs->tpc);
4597 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
4598 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4603 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4604 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4605 + nop == 0x01000000U)
4607 + unsigned long addr;
4608 + unsigned int save, call;
4609 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
4611 + if ((ba & 0xFFC00000U) == 0x30800000U)
4612 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
4614 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
4616 + if (test_thread_flag(TIF_32BIT))
4617 + addr &= 0xFFFFFFFFUL;
4619 + err = get_user(save, (unsigned int *)addr);
4620 + err |= get_user(call, (unsigned int *)(addr+4));
4621 + err |= get_user(nop, (unsigned int *)(addr+8));
4625 +#ifdef CONFIG_PAX_DLRESOLVE
4626 + if (save == 0x9DE3BFA8U &&
4627 + (call & 0xC0000000U) == 0x40000000U &&
4628 + nop == 0x01000000U)
4630 + struct vm_area_struct *vma;
4631 + unsigned long call_dl_resolve;
4633 + down_read(¤t->mm->mmap_sem);
4634 + call_dl_resolve = current->mm->call_dl_resolve;
4635 + up_read(¤t->mm->mmap_sem);
4636 + if (likely(call_dl_resolve))
4639 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4641 + down_write(¤t->mm->mmap_sem);
4642 + if (current->mm->call_dl_resolve) {
4643 + call_dl_resolve = current->mm->call_dl_resolve;
4644 + up_write(¤t->mm->mmap_sem);
4646 + kmem_cache_free(vm_area_cachep, vma);
4650 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4651 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4652 + up_write(¤t->mm->mmap_sem);
4654 + kmem_cache_free(vm_area_cachep, vma);
4658 + if (pax_insert_vma(vma, call_dl_resolve)) {
4659 + up_write(¤t->mm->mmap_sem);
4660 + kmem_cache_free(vm_area_cachep, vma);
4664 + current->mm->call_dl_resolve = call_dl_resolve;
4665 + up_write(¤t->mm->mmap_sem);
4668 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4669 + regs->tpc = call_dl_resolve;
4670 + regs->tnpc = addr+4;
4675 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4676 + if ((save & 0xFFC00000U) == 0x05000000U &&
4677 + (call & 0xFFFFE000U) == 0x85C0A000U &&
4678 + nop == 0x01000000U)
4680 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4681 + regs->u_regs[UREG_G2] = addr + 4;
4682 + addr = (save & 0x003FFFFFU) << 10;
4683 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4685 + if (test_thread_flag(TIF_32BIT))
4686 + addr &= 0xFFFFFFFFUL;
4689 + regs->tnpc = addr+4;
4693 + /* PaX: 64-bit PLT stub */
4694 + err = get_user(sethi1, (unsigned int *)addr);
4695 + err |= get_user(sethi2, (unsigned int *)(addr+4));
4696 + err |= get_user(or1, (unsigned int *)(addr+8));
4697 + err |= get_user(or2, (unsigned int *)(addr+12));
4698 + err |= get_user(sllx, (unsigned int *)(addr+16));
4699 + err |= get_user(add, (unsigned int *)(addr+20));
4700 + err |= get_user(jmpl, (unsigned int *)(addr+24));
4701 + err |= get_user(nop, (unsigned int *)(addr+28));
4705 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
4706 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4707 + (or1 & 0xFFFFE000U) == 0x88112000U &&
4708 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
4709 + sllx == 0x89293020U &&
4710 + add == 0x8A010005U &&
4711 + jmpl == 0x89C14000U &&
4712 + nop == 0x01000000U)
4714 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4715 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
4716 + regs->u_regs[UREG_G4] <<= 32;
4717 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
4718 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
4719 + regs->u_regs[UREG_G4] = addr + 24;
4720 + addr = regs->u_regs[UREG_G5];
4722 + regs->tnpc = addr+4;
4728 +#ifdef CONFIG_PAX_DLRESOLVE
4729 + do { /* PaX: unpatched PLT emulation step 2 */
4730 + unsigned int save, call, nop;
4732 + err = get_user(save, (unsigned int *)(regs->tpc-4));
4733 + err |= get_user(call, (unsigned int *)regs->tpc);
4734 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
4738 + if (save == 0x9DE3BFA8U &&
4739 + (call & 0xC0000000U) == 0x40000000U &&
4740 + nop == 0x01000000U)
4742 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
4744 + if (test_thread_flag(TIF_32BIT))
4745 + dl_resolve &= 0xFFFFFFFFUL;
4747 + regs->u_regs[UREG_RETPC] = regs->tpc;
4748 + regs->tpc = dl_resolve;
4749 + regs->tnpc = dl_resolve+4;
4755 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
4756 + unsigned int sethi, ba, nop;
4758 + err = get_user(sethi, (unsigned int *)regs->tpc);
4759 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
4760 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4765 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4766 + (ba & 0xFFF00000U) == 0x30600000U &&
4767 + nop == 0x01000000U)
4769 + unsigned long addr;
4771 + addr = (sethi & 0x003FFFFFU) << 10;
4772 + regs->u_regs[UREG_G1] = addr;
4773 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
4775 + if (test_thread_flag(TIF_32BIT))
4776 + addr &= 0xFFFFFFFFUL;
4779 + regs->tnpc = addr+4;
4789 +void pax_report_insns(void *pc, void *sp)
4793 + printk(KERN_ERR "PAX: bytes at PC: ");
4794 + for (i = 0; i < 8; i++) {
4796 + if (get_user(c, (unsigned int *)pc+i))
4797 + printk(KERN_CONT "???????? ");
4799 + printk(KERN_CONT "%08x ", c);
4805 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
4807 struct mm_struct *mm = current->mm;
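Review bot: The comment on emulation #7 says it "must be AFTER the unpatched PLT emulation" but does not say why. From the masks, every word accepted by step 1's second alternative `(ba & 0xFFF80000U) == 0x30680000U` is also accepted by #7's `(ba & 0xFFF00000U) == 0x30600000U`, with the same `sethi` and `nop` tests around it, so whichever block runs first claims the sequence. Suggest spelling that out, e.g. `/* #7's branch mask is a superset of unpatched step 1's; step 1 must get the first look */`. That way a later reordering cannot silently change which PLT form is emulated.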
4808 @@ -312,6 +765,29 @@ asmlinkage void __kprobes do_sparc64_fau
4812 +#ifdef CONFIG_PAX_PAGEEXEC
4813 + /* PaX: detect ITLB misses on non-exec pages */
4814 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
4815 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
4817 + if (address != regs->tpc)
4820 + up_read(&mm->mmap_sem);
4821 + switch (pax_handle_fetch_fault(regs)) {
4823 +#ifdef CONFIG_PAX_EMUPLT
4830 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
4831 + do_group_exit(SIGKILL);
4835 /* Pure DTLB misses do not tell us whether the fault causing
4836 * load/store/atomic was a write or not, it only says that there
4837 * was no match. So in such a case we (carefully) read the
4838 diff -urNp linux-2.6.33/arch/sparc/mm/init_32.c linux-2.6.33/arch/sparc/mm/init_32.c
4839 --- linux-2.6.33/arch/sparc/mm/init_32.c 2010-02-24 13:52:17.000000000 -0500
4840 +++ linux-2.6.33/arch/sparc/mm/init_32.c 2010-03-07 12:23:35.913649556 -0500
4841 @@ -317,6 +317,9 @@ extern void device_scan(void);
4842 pgprot_t PAGE_SHARED __read_mostly;
4843 EXPORT_SYMBOL(PAGE_SHARED);
4845 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
4846 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
4848 void __init paging_init(void)
4850 switch(sparc_cpu_model) {
4851 @@ -345,17 +348,17 @@ void __init paging_init(void)
4853 /* Initialize the protection map with non-constant, MMU dependent values. */
4854 protection_map[0] = PAGE_NONE;
4855 - protection_map[1] = PAGE_READONLY;
4856 - protection_map[2] = PAGE_COPY;
4857 - protection_map[3] = PAGE_COPY;
4858 + protection_map[1] = PAGE_READONLY_NOEXEC;
4859 + protection_map[2] = PAGE_COPY_NOEXEC;
4860 + protection_map[3] = PAGE_COPY_NOEXEC;
4861 protection_map[4] = PAGE_READONLY;
4862 protection_map[5] = PAGE_READONLY;
4863 protection_map[6] = PAGE_COPY;
4864 protection_map[7] = PAGE_COPY;
4865 protection_map[8] = PAGE_NONE;
4866 - protection_map[9] = PAGE_READONLY;
4867 - protection_map[10] = PAGE_SHARED;
4868 - protection_map[11] = PAGE_SHARED;
4869 + protection_map[9] = PAGE_READONLY_NOEXEC;
4870 + protection_map[10] = PAGE_SHARED_NOEXEC;
4871 + protection_map[11] = PAGE_SHARED_NOEXEC;
4872 protection_map[12] = PAGE_READONLY;
4873 protection_map[13] = PAGE_READONLY;
4874 protection_map[14] = PAGE_SHARED;
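Review bot: The six entries switched to the `_NOEXEC` variants are exactly the ones whose index has the exec bit clear, but nothing in the table says so, and the next person to touch it has to rediscover the encoding. A one-line comment above the table would do, for example `/* index = VM_READ(1) | VM_WRITE(2) | VM_EXEC(4) | VM_SHARED(8); entries without VM_EXEC get the _NOEXEC protections */`. Entry 15 and the rest of `paging_init()` are outside this hunk.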
4875 diff -urNp linux-2.6.33/arch/sparc/mm/Makefile linux-2.6.33/arch/sparc/mm/Makefile
4876 --- linux-2.6.33/arch/sparc/mm/Makefile 2010-02-24 13:52:17.000000000 -0500
4877 +++ linux-2.6.33/arch/sparc/mm/Makefile 2010-03-07 12:23:35.913649556 -0500
4882 -ccflags-y := -Werror
4883 +#ccflags-y := -Werror
4885 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
4886 obj-y += fault_$(BITS).o
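Review bot: Commenting out `ccflags-y := -Werror` makes every compiler warning in arch/sparc/mm non-fatal again, for all objects in the directory and not only the files this patch touches. In memory-management code a warning about a truncated or mismatched type is often the first sign of a real defect, so it is better to fix the warnings the patch introduces, or to relax the flag for the one affected object, than to switch the check off wholesale. If the flag really has to go, delete the line instead of leaving it commented out, and give the reason in the patch description.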
4887 diff -urNp linux-2.6.33/arch/sparc/mm/srmmu.c linux-2.6.33/arch/sparc/mm/srmmu.c
4888 --- linux-2.6.33/arch/sparc/mm/srmmu.c 2010-02-24 13:52:17.000000000 -0500
4889 +++ linux-2.6.33/arch/sparc/mm/srmmu.c 2010-03-07 12:23:35.913649556 -0500
4890 @@ -2198,6 +2198,13 @@ void __init ld_mmu_srmmu(void)
4891 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
4892 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
4893 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
4895 +#ifdef CONFIG_PAX_PAGEEXEC
4896 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
4897 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
4898 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
4901 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
4902 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
4904 diff -urNp linux-2.6.33/arch/um/include/asm/kmap_types.h linux-2.6.33/arch/um/include/asm/kmap_types.h
4905 --- linux-2.6.33/arch/um/include/asm/kmap_types.h 2010-02-24 13:52:17.000000000 -0500
4906 +++ linux-2.6.33/arch/um/include/asm/kmap_types.h 2010-03-07 12:23:35.913649556 -0500
4907 @@ -23,6 +23,7 @@ enum km_type {
4915 diff -urNp linux-2.6.33/arch/um/include/asm/page.h linux-2.6.33/arch/um/include/asm/page.h
4916 --- linux-2.6.33/arch/um/include/asm/page.h 2010-02-24 13:52:17.000000000 -0500
4917 +++ linux-2.6.33/arch/um/include/asm/page.h 2010-03-07 12:23:35.913649556 -0500
4919 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
4920 #define PAGE_MASK (~(PAGE_SIZE-1))
4922 +#define ktla_ktva(addr) (addr)
4923 +#define ktva_ktla(addr) (addr)
4925 #ifndef __ASSEMBLY__
4928 diff -urNp linux-2.6.33/arch/um/sys-i386/syscalls.c linux-2.6.33/arch/um/sys-i386/syscalls.c
4929 --- linux-2.6.33/arch/um/sys-i386/syscalls.c 2010-02-24 13:52:17.000000000 -0500
4930 +++ linux-2.6.33/arch/um/sys-i386/syscalls.c 2010-03-07 12:23:35.913649556 -0500
4932 #include "asm/uaccess.h"
4933 #include "asm/unistd.h"
4935 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
4937 + unsigned long pax_task_size = TASK_SIZE;
4939 +#ifdef CONFIG_PAX_SEGMEXEC
4940 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
4941 + pax_task_size = SEGMEXEC_TASK_SIZE;
4944 + if (len > pax_task_size || addr > pax_task_size - len)
4951 * Perform the select(nd, in, out, ex, tv) and mmap() system
4952 * calls. Linux/i386 didn't use to be able to handle more than
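Review bot: The bounds test in `i386_mmap_check()` is correct only because `len > pax_task_size` is evaluated before `pax_task_size - len`, and that ordering deserves a comment so it is not reshuffled later. Something like `/* len is checked first so that pax_task_size - len cannot wrap */` above the `if` is enough. The `flags` parameter is not used in any visible line; the return statements and a few other lines of the function are missing from this view, so confirm that before documenting or dropping it.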
4953 diff -urNp linux-2.6.33/arch/x86/boot/bitops.h linux-2.6.33/arch/x86/boot/bitops.h
4954 --- linux-2.6.33/arch/x86/boot/bitops.h 2010-02-24 13:52:17.000000000 -0500
4955 +++ linux-2.6.33/arch/x86/boot/bitops.h 2010-03-07 12:23:35.913649556 -0500
4956 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
4958 const u32 *p = (const u32 *)addr;
4960 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
4961 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
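Review bot: The patch adds `volatile` to boot-time asm statements here and in the boot.h and cpucheck.c hunks below without recording why, and the effect differs per site. For statements with outputs (`btl … setc`, `movw %%ds`, `movl %%cr0`, `rdmsr`, `cpuid`) it stops the compiler from dropping or merging them and keeps them ordered against other volatile asms, which matters in `check_cpu()` where `cpuid` has to run between the two `wrmsr`s; the `wrmsr` statements have no outputs, so GCC already treats them as volatile and the change there is cosmetic. A short comment at the `check_cpu()` sequences, e.g. `/* volatile: rdmsr/cpuid must not be moved across the wrmsr */`, would state the one requirement that is not obvious from the code. Note that `volatile` is not a memory clobber, so it does not order these statements against ordinary loads and stores.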
4965 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
4967 static inline void set_bit(int nr, void *addr)
4969 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
4970 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
4973 #endif /* BOOT_BITOPS_H */
4974 diff -urNp linux-2.6.33/arch/x86/boot/boot.h linux-2.6.33/arch/x86/boot/boot.h
4975 --- linux-2.6.33/arch/x86/boot/boot.h 2010-02-24 13:52:17.000000000 -0500
4976 +++ linux-2.6.33/arch/x86/boot/boot.h 2010-03-07 12:23:35.913649556 -0500
4977 @@ -82,7 +82,7 @@ static inline void io_delay(void)
4978 static inline u16 ds(void)
4981 - asm("movw %%ds,%0" : "=rm" (seg));
4982 + asm volatile("movw %%ds,%0" : "=rm" (seg));
4986 @@ -178,7 +178,7 @@ static inline void wrgs32(u32 v, addr_t
4987 static inline int memcmp(const void *s1, const void *s2, size_t len)
4990 - asm("repe; cmpsb; setnz %0"
4991 + asm volatile("repe; cmpsb; setnz %0"
4992 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
4995 diff -urNp linux-2.6.33/arch/x86/boot/compressed/head_32.S linux-2.6.33/arch/x86/boot/compressed/head_32.S
4996 --- linux-2.6.33/arch/x86/boot/compressed/head_32.S 2010-02-24 13:52:17.000000000 -0500
4997 +++ linux-2.6.33/arch/x86/boot/compressed/head_32.S 2010-03-07 12:23:35.913649556 -0500
4998 @@ -76,7 +76,7 @@ ENTRY(startup_32)
5002 - movl $LOAD_PHYSICAL_ADDR, %ebx
5003 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5006 /* Target address to relocate to for decompression */
5007 @@ -149,7 +149,7 @@ relocated:
5008 * and where it was actually loaded.
5011 - subl $LOAD_PHYSICAL_ADDR, %ebx
5012 + subl $____LOAD_PHYSICAL_ADDR, %ebx
5013 jz 2f /* Nothing to be done if loaded at compiled addr. */
5015 * Process relocations.
5016 @@ -157,8 +157,7 @@ relocated:
5023 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5026 diff -urNp linux-2.6.33/arch/x86/boot/compressed/head_64.S linux-2.6.33/arch/x86/boot/compressed/head_64.S
5027 --- linux-2.6.33/arch/x86/boot/compressed/head_64.S 2010-02-24 13:52:17.000000000 -0500
5028 +++ linux-2.6.33/arch/x86/boot/compressed/head_64.S 2010-03-07 12:23:35.913649556 -0500
5029 @@ -91,7 +91,7 @@ ENTRY(startup_32)
5033 - movl $LOAD_PHYSICAL_ADDR, %ebx
5034 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5037 /* Target address to relocate to for decompression */
5038 @@ -233,7 +233,7 @@ ENTRY(startup_64)
5042 - movq $LOAD_PHYSICAL_ADDR, %rbp
5043 + movq $____LOAD_PHYSICAL_ADDR, %rbp
5046 /* Target address to relocate to for decompression */
5047 diff -urNp linux-2.6.33/arch/x86/boot/compressed/misc.c linux-2.6.33/arch/x86/boot/compressed/misc.c
5048 --- linux-2.6.33/arch/x86/boot/compressed/misc.c 2010-02-24 13:52:17.000000000 -0500
5049 +++ linux-2.6.33/arch/x86/boot/compressed/misc.c 2010-03-07 12:23:35.913649556 -0500
5050 @@ -292,7 +292,7 @@ static void parse_elf(void *output)
5052 #ifdef CONFIG_RELOCATABLE
5054 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
5055 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
5057 dest = (void *)(phdr->p_paddr);
5059 @@ -339,7 +339,7 @@ asmlinkage void decompress_kernel(void *
5060 error("Destination address too large");
5062 #ifndef CONFIG_RELOCATABLE
5063 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
5064 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
5065 error("Wrong destination address");
5068 diff -urNp linux-2.6.33/arch/x86/boot/compressed/mkpiggy.c linux-2.6.33/arch/x86/boot/compressed/mkpiggy.c
5069 --- linux-2.6.33/arch/x86/boot/compressed/mkpiggy.c 2010-02-24 13:52:17.000000000 -0500
5070 +++ linux-2.6.33/arch/x86/boot/compressed/mkpiggy.c 2010-03-07 12:23:35.913649556 -0500
5071 @@ -74,7 +74,7 @@ int main(int argc, char *argv[])
5073 offs = (olen > ilen) ? olen - ilen : 0;
5074 offs += olen >> 12; /* Add 8 bytes for each 32K block */
5075 - offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
5076 + offs += 64*1024; /* Add 64K bytes slack */
5077 offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
5079 printf(".section \".rodata.compressed\",\"a\",@progbits\n");
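Review bot: The slack added to `offs` changes from `32*1024 + 18` to a flat `64*1024` with only the trailing comment updated, and nothing says what the extra margin is for. The old figure followed from the per-block comment on the line above it; the new one does not, so a sentence on where 64K comes from (for instance which compressor or layout change needs it) would let a reader judge whether it is still enough when the compression method changes. `main()` starts and ends outside this hunk.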
5080 diff -urNp linux-2.6.33/arch/x86/boot/compressed/relocs.c linux-2.6.33/arch/x86/boot/compressed/relocs.c
5081 --- linux-2.6.33/arch/x86/boot/compressed/relocs.c 2010-02-24 13:52:17.000000000 -0500
5082 +++ linux-2.6.33/arch/x86/boot/compressed/relocs.c 2010-03-07 12:23:35.917681499 -0500
5085 static void die(char *fmt, ...);
5087 +#include "../../../../include/generated/autoconf.h"
5089 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
5090 static Elf32_Ehdr ehdr;
5091 +static Elf32_Phdr *phdr;
5092 static unsigned long reloc_count, reloc_idx;
5093 static unsigned long *relocs;
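Review bot: The new `#include "../../../../include/generated/autoconf.h"` is resolved relative to the source file, so it looks in the source tree, whereas generated headers presumably live in the output directory when the kernel is built out of tree. If that is right, an `O=` build would either fail to find the header or pick up a stale copy left in the source tree, and the tool would then compute relocation bases from the wrong `CONFIG_PAGE_OFFSET`. Passing the header from the Makefile, e.g. a host compile flag `-include $(objtree)/include/generated/autoconf.h` for this tool, avoids the hard-coded path.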
5095 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
5099 +static void read_phdrs(FILE *fp)
5103 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
5105 + die("Unable to allocate %d program headers\n",
5108 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
5109 + die("Seek to %d failed: %s\n",
5110 + ehdr.e_phoff, strerror(errno));
5112 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
5113 + die("Cannot read ELF program headers: %s\n",
5116 + for(i = 0; i < ehdr.e_phnum; i++) {
5117 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
5118 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
5119 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
5120 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
5121 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
5122 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
5123 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
5124 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
5129 static void read_shdrs(FILE *fp)
5135 secs = calloc(ehdr.e_shnum, sizeof(struct section));
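Review bot: `read_phdrs()` reads `e_phnum` entries of `sizeof(Elf32_Phdr)` bytes from `e_phoff` but does not compare `ehdr.e_phentsize` with that size in the lines shown, so a file with a different entry size would be parsed at the wrong stride without any error. A check such as `if (ehdr.e_phentsize != sizeof(Elf32_Phdr)) die("Bad program header entry\n");` before the `calloc()` would fail closed; `read_ehdr()` is outside this hunk, so confirm it does not already do this and that it byte-swaps the `e_ph*` fields. The seek error message also prints `ehdr.e_phoff`, an unsigned 32-bit field, with `%d`, where `%u` would match. Several lines of the function are missing from this view.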
5136 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
5138 static void read_strtabs(FILE *fp)
5142 for (i = 0; i < ehdr.e_shnum; i++) {
5143 struct section *sec = &secs[i];
5144 if (sec->shdr.sh_type != SHT_STRTAB) {
5145 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
5147 static void read_symtabs(FILE *fp)
5151 for (i = 0; i < ehdr.e_shnum; i++) {
5152 struct section *sec = &secs[i];
5153 if (sec->shdr.sh_type != SHT_SYMTAB) {
5154 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
5156 static void read_relocs(FILE *fp)
5162 for (i = 0; i < ehdr.e_shnum; i++) {
5163 struct section *sec = &secs[i];
5164 if (sec->shdr.sh_type != SHT_REL) {
5165 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
5166 die("Cannot read symbol table: %s\n",
5170 + for (j = 0; j < ehdr.e_phnum; j++) {
5171 + if (phdr[j].p_type != PT_LOAD )
5173 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
5175 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
5178 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
5179 Elf32_Rel *rel = &sec->reltab[j];
5180 - rel->r_offset = elf32_to_cpu(rel->r_offset);
5181 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
5182 rel->r_info = elf32_to_cpu(rel->r_info);
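Review bot: The segment lookup indexes `secs[sec->shdr.sh_info]` twice in one condition without a visible check of `sh_info` against `ehdr.e_shnum`, and the condition runs to roughly 150 columns. Hoisting it, `const Elf32_Shdr *applies = &secs[sec->shdr.sh_info].shdr;` after a range check on `sh_info`, makes the two comparisons readable and keeps a malformed section header from indexing past the `secs` array. It is also worth a comment on what `base` is when no `PT_LOAD` segment covers the section, which relocation sections for non-loaded data would hit: the initialisation of `base` and the loop's `continue`/`break` lines are not in this view, so confirm it is reset for every section rather than carried over from the previous one. `read_relocs()` continues outside the hunk.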
5185 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
5187 static void print_absolute_symbols(void)
5191 printf("Absolute symbols\n");
5192 printf(" Num: Value Size Type Bind Visibility Name\n");
5193 for (i = 0; i < ehdr.e_shnum; i++) {
5194 struct section *sec = &secs[i];
5196 Elf32_Sym *sh_symtab;
5200 if (sec->shdr.sh_type != SHT_SYMTAB) {
5202 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
5204 static void print_absolute_relocs(void)
5206 - int i, printed = 0;
5207 + unsigned int i, printed = 0;
5209 for (i = 0; i < ehdr.e_shnum; i++) {
5210 struct section *sec = &secs[i];
5211 struct section *sec_applies, *sec_symtab;
5213 Elf32_Sym *sh_symtab;
5216 if (sec->shdr.sh_type != SHT_REL) {
5219 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
5221 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
5225 /* Walk through the relocations */
5226 for (i = 0; i < ehdr.e_shnum; i++) {
5228 Elf32_Sym *sh_symtab;
5229 struct section *sec_applies, *sec_symtab;
5232 struct section *sec = &secs[i];
5234 if (sec->shdr.sh_type != SHT_REL) {
5235 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
5236 !is_rel_reloc(sym_name(sym_strtab, sym))) {
5239 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
5240 + if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
5243 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
5244 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
5245 + if (!strcmp(sec_name(sym->st_shndx), ".data") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
5247 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
5249 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
5251 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
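Review bot: The added skip rules in `walk_relocs()` call `sec_name(sym->st_shndx)` up to five times and `sym_name(sym_strtab, sym)` up to three times for the same symbol. Computing both once, `const char *secname = sec_name(sym->st_shndx);` and `const char *symname = sym_name(sym_strtab, sym);`, shortens every condition and makes the list of exempt sections easy to audit. Because the rules match literal section and symbol names, a rename in the linker script would silently turn a skipped relocation back into an applied one; a comment naming where `.data.percpu`, `_etext` and `__LOAD_PHYSICAL_ADDR` are defined would help keep them in sync. The `continue` lines and the closing `#endif` are not visible here.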
5258 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
5260 static void emit_relocs(int as_text)
5264 /* Count how many relocations I have and allocate space for them. */
5266 walk_relocs(count_reloc);
5267 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
5268 fname, strerror(errno));
5275 diff -urNp linux-2.6.33/arch/x86/boot/cpucheck.c linux-2.6.33/arch/x86/boot/cpucheck.c
5276 --- linux-2.6.33/arch/x86/boot/cpucheck.c 2010-02-24 13:52:17.000000000 -0500
5277 +++ linux-2.6.33/arch/x86/boot/cpucheck.c 2010-03-07 12:23:35.917681499 -0500
5278 @@ -74,7 +74,7 @@ static int has_fpu(void)
5279 u16 fcw = -1, fsw = -1;
5282 - asm("movl %%cr0,%0" : "=r" (cr0));
5283 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
5284 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
5285 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
5286 asm volatile("movl %0,%%cr0" : : "r" (cr0));
5287 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
5292 + asm volatile("pushfl ; "
5296 @@ -115,7 +115,7 @@ static void get_flags(void)
5297 set_bit(X86_FEATURE_FPU, cpu.flags);
5299 if (has_eflag(X86_EFLAGS_ID)) {
5301 + asm volatile("cpuid"
5302 : "=a" (max_intel_level),
5303 "=b" (cpu_vendor[0]),
5304 "=d" (cpu_vendor[1]),
5305 @@ -124,7 +124,7 @@ static void get_flags(void)
5307 if (max_intel_level >= 0x00000001 &&
5308 max_intel_level <= 0x0000ffff) {
5310 + asm volatile("cpuid"
5312 "=c" (cpu.flags[4]),
5314 @@ -136,7 +136,7 @@ static void get_flags(void)
5315 cpu.model += ((tfms >> 16) & 0xf) << 4;
5319 + asm volatile("cpuid"
5320 : "=a" (max_amd_level)
5322 : "ebx", "ecx", "edx");
5323 @@ -144,7 +144,7 @@ static void get_flags(void)
5324 if (max_amd_level >= 0x80000001 &&
5325 max_amd_level <= 0x8000ffff) {
5326 u32 eax = 0x80000001;
5328 + asm volatile("cpuid"
5330 "=c" (cpu.flags[6]),
5332 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5333 u32 ecx = MSR_K7_HWCR;
5336 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5337 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5339 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5340 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5342 get_flags(); /* Make sure it really did something */
5343 err = check_flags();
5344 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5345 u32 ecx = MSR_VIA_FCR;
5348 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5349 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5350 eax |= (1<<1)|(1<<7);
5351 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5352 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5354 set_bit(X86_FEATURE_CX8, cpu.flags);
5355 err = check_flags();
5356 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
5360 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5361 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5363 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5364 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5365 + asm volatile("cpuid"
5366 : "+a" (level), "=d" (cpu.flags[0])
5368 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5369 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5371 err = check_flags();
5373 diff -urNp linux-2.6.33/arch/x86/boot/header.S linux-2.6.33/arch/x86/boot/header.S
5374 --- linux-2.6.33/arch/x86/boot/header.S 2010-02-24 13:52:17.000000000 -0500
5375 +++ linux-2.6.33/arch/x86/boot/header.S 2010-03-07 12:23:35.917681499 -0500
5376 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
5377 # single linked list of
5380 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
5381 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
5383 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
5384 #define VO_INIT_SIZE (VO__end - VO__text)
5385 diff -urNp linux-2.6.33/arch/x86/boot/video-vesa.c linux-2.6.33/arch/x86/boot/video-vesa.c
5386 --- linux-2.6.33/arch/x86/boot/video-vesa.c 2010-02-24 13:52:17.000000000 -0500
5387 +++ linux-2.6.33/arch/x86/boot/video-vesa.c 2010-03-07 12:23:35.917681499 -0500
5388 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
5390 boot_params.screen_info.vesapm_seg = oreg.es;
5391 boot_params.screen_info.vesapm_off = oreg.di;
5392 + boot_params.screen_info.vesapm_size = oreg.cx;
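Review bot: `vesapm_size` is filled straight from `oreg.cx`, a value returned by the video BIOS, and the hunk shows no bound on it. Whatever consumes `screen_info.vesapm_size` later should treat it as firmware-supplied and clamp it before using it as a length; a comment on the new line, e.g. `/* CX: size of the PM interface table as reported by the BIOS, not validated here */`, would make that explicit. Whether the store sits inside the function's success check cannot be told from the lines shown.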
5396 diff -urNp linux-2.6.33/arch/x86/ia32/ia32_signal.c linux-2.6.33/arch/x86/ia32/ia32_signal.c
5397 --- linux-2.6.33/arch/x86/ia32/ia32_signal.c 2010-02-24 13:52:17.000000000 -0500
5398 +++ linux-2.6.33/arch/x86/ia32/ia32_signal.c 2010-03-07 12:23:35.917681499 -0500
5399 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
5401 /* Align the stack pointer according to the i386 ABI,
5402 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
5403 - sp = ((sp + 4) & -16ul) - 4;
5404 + sp = ((sp - 12) & -16ul) - 4;
5405 return (void __user *) sp;
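Review bot: The new expression `((sp - 12) & -16ul) - 4` is the old one minus 16 for every `sp`, so the invariant in the comment above, `((sp + 4) & 15) == 0`, still holds, but the reason for moving the frame 16 bytes further down is not recorded. Without it the change reads like an arithmetic slip and is liable to be reverted; a line such as `/* always leave at least 16 bytes between the interrupted sp and the frame */`, adjusted to the real motive, would prevent that. The native 32-bit `get_sigframe()` is not in this view, so check that it uses the same expression.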
5408 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
5410 __NR_ia32_rt_sigreturn,
5416 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
5417 diff -urNp linux-2.6.33/arch/x86/include/asm/alternative.h linux-2.6.33/arch/x86/include/asm/alternative.h
5418 --- linux-2.6.33/arch/x86/include/asm/alternative.h 2010-02-24 13:52:17.000000000 -0500
5419 +++ linux-2.6.33/arch/x86/include/asm/alternative.h 2010-03-07 12:23:35.917681499 -0500
5420 @@ -86,7 +86,7 @@ static inline void alternatives_smp_swit
5421 " .byte 664f-663f\n" /* replacementlen */ \
5422 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
5424 - ".section .altinstr_replacement, \"ax\"\n" \
5425 + ".section .altinstr_replacement, \"a\"\n" \
5426 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
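Review bot: Dropping the `x` flag from `.altinstr_replacement` relies on the replacement bytes being copied over the original instruction and never executed where they are stored, and that assumption is not written down next to the directive. A comment in the macro, e.g. `/* replacements are only copied from here, never run in place, so the section need not be executable */`, would keep someone from restoring `"ax"` later. Any assembly file that still declares the same section with `"ax"` would give it mixed flags; such users are outside this hunk and worth a grep.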
5429 diff -urNp linux-2.6.33/arch/x86/include/asm/apm.h linux-2.6.33/arch/x86/include/asm/apm.h
5430 --- linux-2.6.33/arch/x86/include/asm/apm.h 2010-02-24 13:52:17.000000000 -0500
5431 +++ linux-2.6.33/arch/x86/include/asm/apm.h 2010-03-07 12:23:35.917681499 -0500
5432 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
5433 __asm__ __volatile__(APM_DO_ZERO_SEGS
5436 - "lcall *%%cs:apm_bios_entry\n\t"
5437 + "lcall *%%ss:apm_bios_entry\n\t"
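Review bot: Both `lcall` sites in this file now fetch the far pointer through `%%ss:` instead of `%%cs:`, unconditionally rather than under a PaX option, and the asm gives no hint why. The call is only correct while SS holds a flat kernel data segment at this point, after `APM_DO_ZERO_SEGS` has run; a comment such as `/* apm_bios_entry is data: read it via SS, since CS may not map it at the same address */` would record the dependency. The second hunk, in `apm_bios_call_simple_asm()`, is the same change.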
5441 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
5442 __asm__ __volatile__(APM_DO_ZERO_SEGS
5445 - "lcall *%%cs:apm_bios_entry\n\t"
5446 + "lcall *%%ss:apm_bios_entry\n\t"
5450 diff -urNp linux-2.6.33/arch/x86/include/asm/atomic_32.h linux-2.6.33/arch/x86/include/asm/atomic_32.h
5451 --- linux-2.6.33/arch/x86/include/asm/atomic_32.h 2010-02-24 13:52:17.000000000 -0500
5452 +++ linux-2.6.33/arch/x86/include/asm/atomic_32.h 2010-03-07 12:23:35.917681499 -0500
5453 @@ -25,6 +25,17 @@ static inline int atomic_read(const atom
5457 + * atomic_read_unchecked - read atomic variable
5458 + * @v: pointer of type atomic_unchecked_t
5460 + * Atomically reads the value of @v.
5462 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
5464 + return v->counter;
5468 * atomic_set - set atomic variable
5469 * @v: pointer of type atomic_t
5470 * @i: required value
5471 @@ -37,6 +48,18 @@ static inline void atomic_set(atomic_t *
5475 + * atomic_set_unchecked - set atomic variable
5476 + * @v: pointer of type atomic_unchecked_t
5477 + * @i: required value
5479 + * Atomically sets the value of @v to @i.
5481 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
5487 * atomic_add - add integer to atomic variable
5488 * @i: integer value to add
5489 * @v: pointer of type atomic_t
5490 @@ -45,7 +68,29 @@ static inline void atomic_set(atomic_t *
5492 static inline void atomic_add(int i, atomic_t *v)
5494 - asm volatile(LOCK_PREFIX "addl %1,%0"
5495 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
5497 +#ifdef CONFIG_PAX_REFCOUNT
5499 + LOCK_PREFIX "subl %1,%0\n"
5501 + _ASM_EXTABLE(0b, 0b)
5504 + : "+m" (v->counter)
5509 + * atomic_add_unchecked - add integer to atomic variable
5510 + * @i: integer value to add
5511 + * @v: pointer of type atomic_unchecked_t
5513 + * Atomically adds @i to @v.
5515 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
5517 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
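Review bot: Under `CONFIG_PAX_REFCOUNT` the visible lines show the locked `addl` followed by a compensating locked `subl` on the same operand, which are two separate atomic steps, so another CPU can read or modify the wrapped counter between them. The overflow test and trap that sit between the two instructions are not in this view, so the exact window cannot be judged here, but the kernel-doc of `atomic_add()` should say that the undo is best-effort, e.g. `on overflow the add is reverted and a trap raised; the wrapped value is briefly visible to other CPUs`. The same pattern recurs in the `atomic_sub`, `atomic_inc`, `atomic_dec`, `*_and_test` and `atomic_add_negative` hunks of this file and throughout atomic_64.h. It would also help to state in one place which kinds of counters are expected to use the `_unchecked` variants.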
5521 @@ -59,7 +104,29 @@ static inline void atomic_add(int i, ato
5523 static inline void atomic_sub(int i, atomic_t *v)
5525 - asm volatile(LOCK_PREFIX "subl %1,%0"
5526 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
5528 +#ifdef CONFIG_PAX_REFCOUNT
5530 + LOCK_PREFIX "addl %1,%0\n"
5532 + _ASM_EXTABLE(0b, 0b)
5535 + : "+m" (v->counter)
5540 + * atomic_sub_unchecked - subtract integer from atomic variable
5541 + * @i: integer value to subtract
5542 + * @v: pointer of type atomic_t
5544 + * Atomically subtracts @i from @v.
5546 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
5548 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
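Review bot: The kernel-doc added for `atomic_sub_unchecked()` says `@v: pointer of type atomic_t`, but the function right below it takes `atomic_unchecked_t *v`. The line should read ` * @v: pointer of type atomic_unchecked_t`, matching the other `_unchecked` helpers added in this file.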
5552 @@ -77,7 +144,16 @@ static inline int atomic_sub_and_test(in
5556 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
5557 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
5559 +#ifdef CONFIG_PAX_REFCOUNT
5561 + LOCK_PREFIX "addl %2,%0\n"
5563 + _ASM_EXTABLE(0b, 0b)
5567 : "+m" (v->counter), "=qm" (c)
5568 : "ir" (i) : "memory");
5570 @@ -91,7 +167,30 @@ static inline int atomic_sub_and_test(in
5572 static inline void atomic_inc(atomic_t *v)
5574 - asm volatile(LOCK_PREFIX "incl %0"
5575 + asm volatile(LOCK_PREFIX "incl %0\n"
5577 +#ifdef CONFIG_PAX_REFCOUNT
5579 + ".pushsection .fixup,\"ax\"\n"
5581 + LOCK_PREFIX "decl %0\n"
5584 + _ASM_EXTABLE(0b, 1b)
5587 + : "+m" (v->counter));
5591 + * atomic_inc_unchecked - increment atomic variable
5592 + * @v: pointer of type atomic_unchecked_t
5594 + * Atomically increments @v by 1.
5596 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
5598 + asm volatile(LOCK_PREFIX "incl %0\n"
5599 : "+m" (v->counter));
5602 @@ -103,7 +202,18 @@ static inline void atomic_inc(atomic_t *
5604 static inline void atomic_dec(atomic_t *v)
5606 - asm volatile(LOCK_PREFIX "decl %0"
5607 + asm volatile(LOCK_PREFIX "decl %0\n"
5609 +#ifdef CONFIG_PAX_REFCOUNT
5611 + ".pushsection .fixup,\"ax\"\n"
5613 + LOCK_PREFIX "incl %0\n"
5616 + _ASM_EXTABLE(0b, 1b)
5619 : "+m" (v->counter));
5622 @@ -119,7 +229,19 @@ static inline int atomic_dec_and_test(at
5626 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
5627 + asm volatile(LOCK_PREFIX "decl %0\n"
5629 +#ifdef CONFIG_PAX_REFCOUNT
5631 + ".pushsection .fixup,\"ax\"\n"
5633 + LOCK_PREFIX "incl %0\n"
5636 + _ASM_EXTABLE(0b, 1b)
5640 : "+m" (v->counter), "=qm" (c)
5643 @@ -137,7 +259,19 @@ static inline int atomic_inc_and_test(at
5647 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
5648 + asm volatile(LOCK_PREFIX "incl %0\n"
5650 +#ifdef CONFIG_PAX_REFCOUNT
5652 + ".pushsection .fixup,\"ax\"\n"
5654 + LOCK_PREFIX "decl %0\n"
5657 + _ASM_EXTABLE(0b, 1b)
5661 : "+m" (v->counter), "=qm" (c)
5664 @@ -156,7 +290,16 @@ static inline int atomic_add_negative(in
5668 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
5669 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
5671 +#ifdef CONFIG_PAX_REFCOUNT
5673 + LOCK_PREFIX "subl %2,%0\n"
5675 + _ASM_EXTABLE(0b, 0b)
5679 : "+m" (v->counter), "=qm" (c)
5680 : "ir" (i) : "memory");
5682 @@ -179,6 +322,46 @@ static inline int atomic_add_return(int
5684 /* Modern 486+ processor */
5686 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
5688 +#ifdef CONFIG_PAX_REFCOUNT
5692 + _ASM_EXTABLE(0b, 0b)
5695 + : "+r" (i), "+m" (v->counter)
5700 +no_xadd: /* Legacy 386 processor */
5701 + local_irq_save(flags);
5702 + __i = atomic_read(v);
5703 + atomic_set(v, i + __i);
5704 + local_irq_restore(flags);
5710 + * atomic_add_return_unchecked - add integer and return
5711 + * @v: pointer of type atomic_unchecked_t
5712 + * @i: integer value to add
5714 + * Atomically adds @i to @v and returns @i + @v
5716 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
5720 + unsigned long flags;
5721 + if (unlikely(boot_cpu_data.x86 <= 3))
5724 + /* Modern 486+ processor */
5726 asm volatile(LOCK_PREFIX "xaddl %0, %1"
5727 : "+r" (i), "+m" (v->counter)
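Review bot: The `no_xadd` fallback added for the checked `atomic_add_return()` stores `i + __i` with `atomic_set()` and has no overflow test in the visible lines, so on a 386 the function would behave like its `_unchecked` twin even with `CONFIG_PAX_REFCOUNT` set. Either add an explicit range check before the `atomic_set()` or document in the kernel-doc that the 386 path is not covered by the overflow detection. Several lines of the hunk, including any `#ifdef` around the fallback, are missing from this view, so confirm against the full file. The kernel-doc for `atomic_add_return_unchecked()` also lists `@v` before `@i`, the reverse of the parameter order.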
5729 @@ -227,22 +410,34 @@ static inline int atomic_xchg(atomic_t *
5731 static inline int atomic_add_unless(atomic_t *v, int a, int u)
5737 - if (unlikely(c == (u)))
5738 + if (unlikely(c == u))
5740 - old = atomic_cmpxchg((v), c, c + (a));
5742 + asm volatile("addl %2,%0\n"
5744 +#ifdef CONFIG_PAX_REFCOUNT
5746 + _ASM_EXTABLE(0b, 0b)
5750 + : "0" (c), "ir" (a));
5752 + old = atomic_cmpxchg(v, c, new);
5753 if (likely(old == c))
5761 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
5763 #define atomic_inc_return(v) (atomic_add_return(1, v))
5764 +#define atomic_inc_return_unchecked(v) (atomic_add_return_unchecked(1, v))
5765 #define atomic_dec_return(v) (atomic_sub_return(1, v))
5767 /* These are x86-specific, used by some header files */
5768 @@ -266,6 +461,14 @@ typedef struct {
5769 u64 __aligned(8) counter;
5772 +#ifdef CONFIG_PAX_REFCOUNT
5774 + u64 __aligned(8) counter;
5775 +} atomic64_unchecked_t;
5777 +typedef atomic64_t atomic64_unchecked_t;
5780 #define ATOMIC64_INIT(val) { (val) }
5782 extern u64 atomic64_cmpxchg(atomic64_t *ptr, u64 old_val, u64 new_val);
5783 diff -urNp linux-2.6.33/arch/x86/include/asm/atomic_64.h linux-2.6.33/arch/x86/include/asm/atomic_64.h
5784 --- linux-2.6.33/arch/x86/include/asm/atomic_64.h 2010-02-24 13:52:17.000000000 -0500
5785 +++ linux-2.6.33/arch/x86/include/asm/atomic_64.h 2010-03-07 12:23:35.917681499 -0500
5786 @@ -24,6 +24,17 @@ static inline int atomic_read(const atom
5790 + * atomic_read_unchecked - read atomic variable
5791 + * @v: pointer of type atomic_unchecked_t
5793 + * Atomically reads the value of @v.
5795 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
5797 + return v->counter;
5801 * atomic_set - set atomic variable
5802 * @v: pointer of type atomic_t
5803 * @i: required value
5804 @@ -36,6 +47,18 @@ static inline void atomic_set(atomic_t *
5808 + * atomic_set_unchecked - set atomic variable
5809 + * @v: pointer of type atomic_unchecked_t
5810 + * @i: required value
5812 + * Atomically sets the value of @v to @i.
5814 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
5820 * atomic_add - add integer to atomic variable
5821 * @i: integer value to add
5822 * @v: pointer of type atomic_t
5823 @@ -44,7 +67,29 @@ static inline void atomic_set(atomic_t *
5825 static inline void atomic_add(int i, atomic_t *v)
5827 - asm volatile(LOCK_PREFIX "addl %1,%0"
5828 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
5830 +#ifdef CONFIG_PAX_REFCOUNT
5832 + LOCK_PREFIX "subl %1,%0\n"
5834 + _ASM_EXTABLE(0b, 0b)
5837 + : "=m" (v->counter)
5838 + : "ir" (i), "m" (v->counter));
5842 + * atomic_add_unchecked - add integer to atomic variable
5843 + * @i: integer value to add
5844 + * @v: pointer of type atomic_unchecked_t
5846 + * Atomically adds @i to @v.
5848 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
5850 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
5852 : "ir" (i), "m" (v->counter));
5854 @@ -58,7 +103,29 @@ static inline void atomic_add(int i, ato
5856 static inline void atomic_sub(int i, atomic_t *v)
5858 - asm volatile(LOCK_PREFIX "subl %1,%0"
5859 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
5861 +#ifdef CONFIG_PAX_REFCOUNT
5863 + LOCK_PREFIX "addl %1,%0\n"
5865 + _ASM_EXTABLE(0b, 0b)
5868 + : "=m" (v->counter)
5869 + : "ir" (i), "m" (v->counter));
5873 + * atomic_sub_unchecked - subtract the atomic variable
5874 + * @i: integer value to subtract
5875 + * @v: pointer of type atomic_unchecked_t
5877 + * Atomically subtracts @i from @v.
5879 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
5881 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
5883 : "ir" (i), "m" (v->counter));
5885 @@ -76,7 +143,16 @@ static inline int atomic_sub_and_test(in
5889 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
5890 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
5892 +#ifdef CONFIG_PAX_REFCOUNT
5894 + LOCK_PREFIX "addl %2,%0\n"
5896 + _ASM_EXTABLE(0b, 0b)
5900 : "=m" (v->counter), "=qm" (c)
5901 : "ir" (i), "m" (v->counter) : "memory");
5903 @@ -90,7 +166,32 @@ static inline int atomic_sub_and_test(in
5905 static inline void atomic_inc(atomic_t *v)
5907 - asm volatile(LOCK_PREFIX "incl %0"
5908 + asm volatile(LOCK_PREFIX "incl %0\n"
5910 +#ifdef CONFIG_PAX_REFCOUNT
5913 + ".pushsection .fixup,\"ax\"\n"
5915 + LOCK_PREFIX "decl %0\n"
5918 + _ASM_EXTABLE(0b, 1b)
5921 + : "=m" (v->counter)
5922 + : "m" (v->counter));
5926 + * atomic_inc_unchecked - increment atomic variable
5927 + * @v: pointer of type atomic_unchecked_t
5929 + * Atomically increments @v by 1.
5931 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
5933 + asm volatile(LOCK_PREFIX "incl %0\n"
5935 : "m" (v->counter));
5937 @@ -103,7 +204,19 @@ static inline void atomic_inc(atomic_t *
5939 static inline void atomic_dec(atomic_t *v)
5941 - asm volatile(LOCK_PREFIX "decl %0"
5942 + asm volatile(LOCK_PREFIX "decl %0\n"
5944 +#ifdef CONFIG_PAX_REFCOUNT
5947 + ".pushsection .fixup,\"ax\"\n"
5949 + LOCK_PREFIX "incl %0\n"
5952 + _ASM_EXTABLE(0b, 1b)
5956 : "m" (v->counter));
5958 @@ -120,7 +233,20 @@ static inline int atomic_dec_and_test(at
5962 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
5963 + asm volatile(LOCK_PREFIX "decl %0\n"
5965 +#ifdef CONFIG_PAX_REFCOUNT
5968 + ".pushsection .fixup,\"ax\"\n"
5970 + LOCK_PREFIX "incl %0\n"
5973 + _ASM_EXTABLE(0b, 1b)
5977 : "=m" (v->counter), "=qm" (c)
5978 : "m" (v->counter) : "memory");
5980 @@ -138,7 +264,20 @@ static inline int atomic_inc_and_test(at
5984 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
5985 + asm volatile(LOCK_PREFIX "incl %0\n"
5987 +#ifdef CONFIG_PAX_REFCOUNT
5990 + ".pushsection .fixup,\"ax\"\n"
5992 + LOCK_PREFIX "decl %0\n"
5995 + _ASM_EXTABLE(0b, 1b)
5999 : "=m" (v->counter), "=qm" (c)
6000 : "m" (v->counter) : "memory");
6002 @@ -157,7 +296,16 @@ static inline int atomic_add_negative(in
6006 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
6007 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
6009 +#ifdef CONFIG_PAX_REFCOUNT
6011 + LOCK_PREFIX "subl %2,%0\n"
6013 + _ASM_EXTABLE(0b, 0b)
6017 : "=m" (v->counter), "=qm" (c)
6018 : "ir" (i), "m" (v->counter) : "memory");
6020 @@ -173,7 +321,15 @@ static inline int atomic_add_negative(in
6021 static inline int atomic_add_return(int i, atomic_t *v)
6024 - asm volatile(LOCK_PREFIX "xaddl %0, %1"
6025 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
6027 +#ifdef CONFIG_PAX_REFCOUNT
6031 + _ASM_EXTABLE(0b, 0b)
6034 : "+r" (i), "+m" (v->counter)
6037 @@ -204,6 +360,18 @@ static inline long atomic64_read(const a
6041 + * atomic64_read_unchecked - read atomic64 variable
6042 + * @v: pointer of type atomic64_unchecked_t
6044 + * Atomically reads the value of @v.
6045 + * Doesn't imply a read memory barrier.
6047 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6049 + return v->counter;
6053 * atomic64_set - set atomic64 variable
6054 * @v: pointer to type atomic64_t
6055 * @i: required value
6056 @@ -216,6 +384,18 @@ static inline void atomic64_set(atomic64
6060 + * atomic64_set_unchecked - set atomic64 variable
6061 + * @v: pointer to type atomic64_unchecked_t
6062 + * @i: required value
6064 + * Atomically sets the value of @v to @i.
6066 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6072 * atomic64_add - add integer to atomic64 variable
6073 * @i: integer value to add
6074 * @v: pointer to type atomic64_t
6075 @@ -224,6 +404,28 @@ static inline void atomic64_set(atomic64
6077 static inline void atomic64_add(long i, atomic64_t *v)
6079 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
6081 +#ifdef CONFIG_PAX_REFCOUNT
6083 + LOCK_PREFIX "subq %1,%0\n"
6085 + _ASM_EXTABLE(0b, 0b)
6088 + : "=m" (v->counter)
6089 + : "er" (i), "m" (v->counter));
6093 + * atomic64_add_unchecked - add integer to atomic64 variable
6094 + * @i: integer value to add
6095 + * @v: pointer to type atomic64_unchecked_t
6097 + * Atomically adds @i to @v.
6099 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6101 asm volatile(LOCK_PREFIX "addq %1,%0"
6103 : "er" (i), "m" (v->counter));
6104 @@ -238,7 +440,15 @@ static inline void atomic64_add(long i,
6106 static inline void atomic64_sub(long i, atomic64_t *v)
6108 - asm volatile(LOCK_PREFIX "subq %1,%0"
6109 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6111 +#ifdef CONFIG_PAX_REFCOUNT
6113 + LOCK_PREFIX "addq %1,%0\n"
6115 + _ASM_EXTABLE(0b, 0b)
6119 : "er" (i), "m" (v->counter));
6121 @@ -256,7 +466,16 @@ static inline int atomic64_sub_and_test(
6125 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6126 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
6128 +#ifdef CONFIG_PAX_REFCOUNT
6130 + LOCK_PREFIX "addq %2,%0\n"
6132 + _ASM_EXTABLE(0b, 0b)
6136 : "=m" (v->counter), "=qm" (c)
6137 : "er" (i), "m" (v->counter) : "memory");
6139 @@ -270,6 +489,31 @@ static inline int atomic64_sub_and_test(
6141 static inline void atomic64_inc(atomic64_t *v)
6143 + asm volatile(LOCK_PREFIX "incq %0\n"
6145 +#ifdef CONFIG_PAX_REFCOUNT
6148 + ".pushsection .fixup,\"ax\"\n"
6150 + LOCK_PREFIX "decq %0\n"
6153 + _ASM_EXTABLE(0b, 1b)
6156 + : "=m" (v->counter)
6157 + : "m" (v->counter));
6161 + * atomic64_inc_unchecked - increment atomic64 variable
6162 + * @v: pointer to type atomic64_unchecked_t
6164 + * Atomically increments @v by 1.
6166 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6168 asm volatile(LOCK_PREFIX "incq %0"
6170 : "m" (v->counter));
6171 @@ -283,7 +527,19 @@ static inline void atomic64_inc(atomic64
6173 static inline void atomic64_dec(atomic64_t *v)
6175 - asm volatile(LOCK_PREFIX "decq %0"
6176 + asm volatile(LOCK_PREFIX "decq %0\n"
6178 +#ifdef CONFIG_PAX_REFCOUNT
6181 + ".pushsection .fixup,\"ax\"\n"
6183 + LOCK_PREFIX "incq %0\n"
6186 + _ASM_EXTABLE(0b, 1b)
6190 : "m" (v->counter));
6192 @@ -300,7 +556,20 @@ static inline int atomic64_dec_and_test(
6196 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
6197 + asm volatile(LOCK_PREFIX "decq %0\n"
6199 +#ifdef CONFIG_PAX_REFCOUNT
6202 + ".pushsection .fixup,\"ax\"\n"
6204 + LOCK_PREFIX "incq %0\n"
6207 + _ASM_EXTABLE(0b, 1b)
6211 : "=m" (v->counter), "=qm" (c)
6212 : "m" (v->counter) : "memory");
6214 @@ -318,7 +587,20 @@ static inline int atomic64_inc_and_test(
6218 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
6219 + asm volatile(LOCK_PREFIX "incq %0\n"
6221 +#ifdef CONFIG_PAX_REFCOUNT
6224 + ".pushsection .fixup,\"ax\"\n"
6226 + LOCK_PREFIX "decq %0\n"
6229 + _ASM_EXTABLE(0b, 1b)
6233 : "=m" (v->counter), "=qm" (c)
6234 : "m" (v->counter) : "memory");
6236 @@ -337,7 +619,16 @@ static inline int atomic64_add_negative(
6240 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6241 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
6243 +#ifdef CONFIG_PAX_REFCOUNT
6245 + LOCK_PREFIX "subq %2,%0\n"
6247 + _ASM_EXTABLE(0b, 0b)
6251 : "=m" (v->counter), "=qm" (c)
6252 : "er" (i), "m" (v->counter) : "memory");
6254 @@ -353,7 +644,31 @@ static inline int atomic64_add_negative(
6255 static inline long atomic64_add_return(long i, atomic64_t *v)
6258 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6259 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6261 +#ifdef CONFIG_PAX_REFCOUNT
6265 + _ASM_EXTABLE(0b, 0b)
6268 + : "+r" (i), "+m" (v->counter)
6274 + * atomic64_add_return_unchecked - add and return
6275 + * @i: integer value to add
6276 + * @v: pointer to type atomic64_unchecked_t
6278 + * Atomically adds @i to @v and returns @i + @v
6280 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6283 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
6284 : "+r" (i), "+m" (v->counter)
6287 @@ -365,6 +680,7 @@ static inline long atomic64_sub_return(l
6290 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
6291 +#define atomic64_inc_return_unchecked(v) (atomic64_add_return_unchecked(1, (v)))
6292 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
6294 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6295 @@ -398,17 +714,29 @@ static inline long atomic_xchg(atomic_t
6297 static inline int atomic_add_unless(atomic_t *v, int a, int u)
6303 - if (unlikely(c == (u)))
6304 + if (unlikely(c == u))
6306 - old = atomic_cmpxchg((v), c, c + (a));
6308 + asm volatile("addl %2,%0\n"
6310 +#ifdef CONFIG_PAX_REFCOUNT
6313 + _ASM_EXTABLE(0b, 0b)
6317 + : "0" (c), "ir" (a));
6319 + old = atomic_cmpxchg(v, c, new);
6320 if (likely(old == c))
6328 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
6329 @@ -424,17 +752,29 @@ static inline int atomic_add_unless(atom
6331 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
6335 c = atomic64_read(v);
6337 - if (unlikely(c == (u)))
6338 + if (unlikely(c == u))
6340 - old = atomic64_cmpxchg((v), c, c + (a));
6342 + asm volatile("addq %2,%0\n"
6344 +#ifdef CONFIG_PAX_REFCOUNT
6347 + _ASM_EXTABLE(0b, 0b)
6351 + : "0" (c), "er" (a));
6353 + old = atomic64_cmpxchg((v), c, new);
6354 if (likely(old == c))
6363 diff -urNp linux-2.6.33/arch/x86/include/asm/boot.h linux-2.6.33/arch/x86/include/asm/boot.h
6364 --- linux-2.6.33/arch/x86/include/asm/boot.h 2010-02-24 13:52:17.000000000 -0500
6365 +++ linux-2.6.33/arch/x86/include/asm/boot.h 2010-03-07 12:23:35.917681499 -0500
6367 #include <asm/pgtable_types.h>
6369 /* Physical address where kernel should be loaded. */
6370 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6371 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6372 + (CONFIG_PHYSICAL_ALIGN - 1)) \
6373 & ~(CONFIG_PHYSICAL_ALIGN - 1))
6375 +#ifndef __ASSEMBLY__
6376 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
6377 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
6380 /* Minimum kernel alignment, as a power of two */
6381 #ifdef CONFIG_X86_64
6382 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
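Review bot: After this change `LOAD_PHYSICAL_ADDR` is the address of the external symbol `__LOAD_PHYSICAL_ADDR` rather than a constant expression, and it is defined only under `#ifndef __ASSEMBLY__`, yet nothing in the header says so. The old constant survives as `____LOAD_PHYSICAL_ADDR`, which differs from the symbol name only by two underscores and is easy to mistype. A comment on the extern, such as `/* link-time symbol; use ____LOAD_PHYSICAL_ADDR where a constant is required */`, would document the split. Where the symbol is defined is not visible from this hunk.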
6383 diff -urNp linux-2.6.33/arch/x86/include/asm/cache.h linux-2.6.33/arch/x86/include/asm/cache.h
6384 --- linux-2.6.33/arch/x86/include/asm/cache.h 2010-02-24 13:52:17.000000000 -0500
6385 +++ linux-2.6.33/arch/x86/include/asm/cache.h 2010-03-07 12:23:35.917681499 -0500
6387 #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
6389 #define __read_mostly __attribute__((__section__(".data.read_mostly")))
6390 +#define __read_only __attribute__((__section__(".data.read_only")))
6392 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
6393 #define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
6394 diff -urNp linux-2.6.33/arch/x86/include/asm/checksum_32.h linux-2.6.33/arch/x86/include/asm/checksum_32.h
6395 --- linux-2.6.33/arch/x86/include/asm/checksum_32.h 2010-02-24 13:52:17.000000000 -0500
6396 +++ linux-2.6.33/arch/x86/include/asm/checksum_32.h 2010-03-07 12:23:35.917681499 -0500
6397 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
6398 int len, __wsum sum,
6399 int *src_err_ptr, int *dst_err_ptr);
6401 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
6402 + int len, __wsum sum,
6403 + int *src_err_ptr, int *dst_err_ptr);
6405 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
6406 + int len, __wsum sum,
6407 + int *src_err_ptr, int *dst_err_ptr);
6410 * Note: when you get a NULL pointer exception here this means someone
6411 * passed in an incorrect kernel address to one of these functions.
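Review bot: The two new prototypes (gutter lines 6401–6407) declare `src` and `dst` as plain kernel pointers, so the user-space side is not marked in the type and sparse cannot check it. Declaring it, `csum_partial_copy_generic_from_user(const void __user *src, void *dst,` and `csum_partial_copy_generic_to_user(const void *src, void __user *dst,`, would make the `(__force void *)` casts in the two later hunks of this file unnecessary. A one-line comment should also state which pointer each variant treats as user memory, and that the caller is expected to have validated the range first, as the `access_ok(VERIFY_WRITE, dst, len)` call in the `csum_and_copy_to_user` hunk does.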
6412 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
6416 - return csum_partial_copy_generic((__force void *)src, dst,
6417 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
6418 len, sum, err_ptr, NULL);
6421 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
6424 if (access_ok(VERIFY_WRITE, dst, len))
6425 - return csum_partial_copy_generic(src, (__force void *)dst,
6426 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
6427 len, sum, NULL, err_ptr);
6430 diff -urNp linux-2.6.33/arch/x86/include/asm/desc.h linux-2.6.33/arch/x86/include/asm/desc.h
6431 --- linux-2.6.33/arch/x86/include/asm/desc.h 2010-02-24 13:52:17.000000000 -0500
6432 +++ linux-2.6.33/arch/x86/include/asm/desc.h 2010-03-07 12:23:35.917681499 -0500
6434 #include <asm/desc_defs.h>
6435 #include <asm/ldt.h>
6436 #include <asm/mmu.h>
6437 +#include <asm/pgtable.h>
6438 #include <linux/smp.h>
6440 static inline void fill_ldt(struct desc_struct *desc,
6441 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
6442 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
6443 desc->type = (info->read_exec_only ^ 1) << 1;
6444 desc->type |= info->contents << 2;
6445 + desc->type |= info->seg_not_present ^ 1;
6448 desc->p = info->seg_not_present ^ 1;
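Review bot: The added `desc->type |= info->seg_not_present ^ 1;` has no comment, and it is not obvious why a presence flag is OR-ed into the type field. Bit 0 of the type of a code/data descriptor is the Accessed bit, so this appears to pre-set Accessed on present segments, presumably so that the CPU never needs to write the descriptor back when the segment is first loaded. If that is the intent, say so next to the line, e.g. `/* pre-set Accessed so the CPU does not write to the descriptor table */`. fill_ldt's body continues beyond the hunk.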
6449 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
6452 extern struct desc_ptr idt_descr;
6453 -extern gate_desc idt_table[];
6456 - struct desc_struct gdt[GDT_ENTRIES];
6457 -} __attribute__((aligned(PAGE_SIZE)));
6458 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
6459 +extern gate_desc idt_table[256];
6461 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
6462 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
6464 - return per_cpu(gdt_page, cpu).gdt;
6465 + return cpu_gdt_table[cpu];
6468 #ifdef CONFIG_X86_64
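Review bot: `extern gate_desc idt_table[256];` hard-codes the vector count in the declaration. If the tree's `IDT_ENTRIES` constant is in scope here (the removed struct used `GDT_ENTRIES`, which suggests the segment constants are), `extern gate_desc idt_table[IDT_ENTRIES];` keeps the declaration tied to the definition. The second dimension of `cpu_gdt_table`, `PAGE_SIZE / sizeof(struct desc_struct)`, replaces `GDT_ENTRIES` without saying that each CPU's table is padded out to a whole page; a comment such as `/* one page per CPU so each GDT can be protected separately */` would record the reason once confirmed.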
6469 @@ -115,19 +113,24 @@ static inline void paravirt_free_ldt(str
6470 static inline void native_write_idt_entry(gate_desc *idt, int entry,
6471 const gate_desc *gate)
6473 + pax_open_kernel();
6474 memcpy(&idt[entry], gate, sizeof(*gate));
6475 + pax_close_kernel();
6478 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
6481 + pax_open_kernel();
6482 memcpy(&ldt[entry], desc, 8);
6483 + pax_close_kernel();
6486 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
6487 const void *desc, int type)
6493 size = sizeof(tss_desc);
6494 @@ -139,7 +142,10 @@ static inline void native_write_gdt_entr
6495 size = sizeof(struct desc_struct);
6499 + pax_open_kernel();
6500 memcpy(&gdt[entry], desc, size);
6501 + pax_close_kernel();
6504 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
6505 @@ -211,7 +217,9 @@ static inline void native_set_ldt(const
6507 static inline void native_load_tr_desc(void)
6509 + pax_open_kernel();
6510 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
6511 + pax_close_kernel();
6514 static inline void native_load_gdt(const struct desc_ptr *dtr)
6515 @@ -246,8 +254,10 @@ static inline void native_load_tls(struc
6517 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
6519 + pax_open_kernel();
6520 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
6521 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
6522 + pax_close_kernel();
6525 #define _LDT_empty(info) \
6526 @@ -392,4 +402,16 @@ static inline void set_system_intr_gate_
6527 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
6530 +#ifdef CONFIG_X86_32
6531 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
6533 + struct desc_struct d;
6535 + if (likely(limit))
6536 + limit = (limit - 1UL) >> PAGE_SHIFT;
6537 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
6538 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
6542 #endif /* _ASM_X86_DESC_H */
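Review bot: `pack_descriptor(&d, base, limit, 0xFB, 0xC);` passes two bare descriptor constants, and the `limit` handling just above it is undocumented. By the x86 descriptor layout 0xFB reads as present, DPL 3, execute/read code, accessed, and 0xC as 4 KiB granularity with a 32-bit default operand size; a comment saying so, or named constants, would make the intent checkable. The comment should also state that `limit` appears to be a byte count converted to a page-granular limit, and what a `limit` of 0 is meant to produce, since that case skips the conversion and still describes a one-page segment with the granularity bit set.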
6543 diff -urNp linux-2.6.33/arch/x86/include/asm/device.h linux-2.6.33/arch/x86/include/asm/device.h
6544 --- linux-2.6.33/arch/x86/include/asm/device.h 2010-02-24 13:52:17.000000000 -0500
6545 +++ linux-2.6.33/arch/x86/include/asm/device.h 2010-03-07 12:23:35.917681499 -0500
6546 @@ -6,7 +6,7 @@ struct dev_archdata {
6549 #ifdef CONFIG_X86_64
6550 -struct dma_map_ops *dma_ops;
6551 + const struct dma_map_ops *dma_ops;
6553 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
6554 void *iommu; /* hook for IOMMU specific extension */
6555 diff -urNp linux-2.6.33/arch/x86/include/asm/dma-mapping.h linux-2.6.33/arch/x86/include/asm/dma-mapping.h
6556 --- linux-2.6.33/arch/x86/include/asm/dma-mapping.h 2010-02-24 13:52:17.000000000 -0500
6557 +++ linux-2.6.33/arch/x86/include/asm/dma-mapping.h 2010-03-07 12:23:35.917681499 -0500
6558 @@ -26,9 +26,9 @@ extern int iommu_merge;
6559 extern struct device x86_dma_fallback_dev;
6560 extern int panic_on_overflow;
6562 -extern struct dma_map_ops *dma_ops;
6563 +extern const struct dma_map_ops *dma_ops;
6565 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
6566 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
6568 #ifdef CONFIG_X86_32
6570 @@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
6571 /* Make sure we keep the same behaviour */
6572 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
6574 - struct dma_map_ops *ops = get_dma_ops(dev);
6575 + const struct dma_map_ops *ops = get_dma_ops(dev);
6576 if (ops->mapping_error)
6577 return ops->mapping_error(dev, dma_addr);
6579 @@ -123,7 +123,7 @@ static inline void *
6580 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
6583 - struct dma_map_ops *ops = get_dma_ops(dev);
6584 + const struct dma_map_ops *ops = get_dma_ops(dev);
6587 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
6588 @@ -150,7 +150,7 @@ dma_alloc_coherent(struct device *dev, s
6589 static inline void dma_free_coherent(struct device *dev, size_t size,
6590 void *vaddr, dma_addr_t bus)
6592 - struct dma_map_ops *ops = get_dma_ops(dev);
6593 + const struct dma_map_ops *ops = get_dma_ops(dev);
6595 WARN_ON(irqs_disabled()); /* for portability */
6597 diff -urNp linux-2.6.33/arch/x86/include/asm/e820.h linux-2.6.33/arch/x86/include/asm/e820.h
6598 --- linux-2.6.33/arch/x86/include/asm/e820.h 2010-02-24 13:52:17.000000000 -0500
6599 +++ linux-2.6.33/arch/x86/include/asm/e820.h 2010-03-07 12:23:35.917681499 -0500
6600 @@ -64,7 +64,7 @@ struct e820map {
6601 #define ISA_START_ADDRESS 0xa0000
6602 #define ISA_END_ADDRESS 0x100000
6604 -#define BIOS_BEGIN 0x000a0000
6605 +#define BIOS_BEGIN 0x000c0000
6606 #define BIOS_END 0x00100000
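Review bot: `BIOS_BEGIN` moves to 0x000c0000 without a comment, so it no longer equals `ISA_START_ADDRESS` (0xa0000) two lines above, and the reason the 0xa0000–0xbffff range is now excluded is left for the reader to guess. Every user of `BIOS_BEGIN` outside this hunk changes meaning with it, so the rationale belongs next to the define. If the intent is that this range is legacy video memory rather than BIOS, a comment such as `/* 0xa0000-0xbffff is video memory, not BIOS */` would do.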
6609 diff -urNp linux-2.6.33/arch/x86/include/asm/elf.h linux-2.6.33/arch/x86/include/asm/elf.h
6610 --- linux-2.6.33/arch/x86/include/asm/elf.h 2010-02-24 13:52:17.000000000 -0500
6611 +++ linux-2.6.33/arch/x86/include/asm/elf.h 2010-03-07 12:23:35.917681499 -0500
6612 @@ -237,7 +237,25 @@ extern int force_personality32;
6613 the loader. We need to make sure that it is out of the way of the program
6614 that it will "exec", and that there is sufficient room for the brk. */
6616 +#ifdef CONFIG_PAX_SEGMEXEC
6617 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
6619 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
6622 +#ifdef CONFIG_PAX_ASLR
6623 +#ifdef CONFIG_X86_32
6624 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
6626 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
6627 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
6629 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
6631 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : 32)
6632 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : 32)
6636 /* This yields a mask that user programs can use to figure out what
6637 instruction set this CPU supports. This could be done in user space,
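Review bot: `ELF_ET_DYN_BASE` and the 32-bit `PAX_DELTA_MMAP_LEN`/`PAX_DELTA_STACK_LEN` now expand to expressions that dereference `current->mm`, so they are only safe where the current task has a user mm, and none of the new defines says so. The `PAX_DELTA_*_LEN` values (15, 16, 32) also carry no unit; they look like a number of randomised address bits, but that should be stated rather than inferred. A short comment above the `CONFIG_PAX_ASLR` block, e.g. `/* number of random bits applied to the mmap/stack base; evaluated in exec context only */`, would cover both once confirmed.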
6638 @@ -291,8 +309,7 @@ do { \
6639 #define ARCH_DLINFO \
6642 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
6643 - (unsigned long)current->mm->context.vdso); \
6644 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
6647 #define AT_SYSINFO 32
6648 @@ -303,7 +320,7 @@ do { \
6650 #endif /* !CONFIG_X86_32 */
6652 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
6653 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
6655 #define VDSO_ENTRY \
6656 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
6657 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
6658 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
6659 #define compat_arch_setup_additional_pages syscall32_setup_pages
6661 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
6662 -#define arch_randomize_brk arch_randomize_brk
6664 #endif /* _ASM_X86_ELF_H */
6665 diff -urNp linux-2.6.33/arch/x86/include/asm/futex.h linux-2.6.33/arch/x86/include/asm/futex.h
6666 --- linux-2.6.33/arch/x86/include/asm/futex.h 2010-02-24 13:52:17.000000000 -0500
6667 +++ linux-2.6.33/arch/x86/include/asm/futex.h 2010-03-07 12:23:35.917681499 -0500
6669 #include <asm/processor.h>
6670 #include <asm/system.h>
6672 +#ifdef CONFIG_X86_32
6673 +#define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
6675 + "movw\t%w6, %%ds\n" \
6676 + "1:\t" insn "\n" \
6677 + "2:\tpushl\t%%ss\n" \
6678 + "\tpopl\t%%ds\n" \
6679 + "\t.section .fixup,\"ax\"\n" \
6680 + "3:\tmov\t%3, %1\n" \
6683 + _ASM_EXTABLE(1b, 3b) \
6684 + : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
6685 + : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
6687 +#define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
6688 + asm volatile("movw\t%w7, %%es\n" \
6689 + "1:\tmovl\t%%es:%2, %0\n" \
6690 + "\tmovl\t%0, %3\n" \
6692 + "2:\t" LOCK_PREFIX "cmpxchgl %3, %%es:%2\n"\
6694 + "3:\tpushl\t%%ss\n" \
6695 + "\tpopl\t%%es\n" \
6696 + "\t.section .fixup,\"ax\"\n" \
6697 + "4:\tmov\t%5, %1\n" \
6700 + _ASM_EXTABLE(1b, 4b) \
6701 + _ASM_EXTABLE(2b, 4b) \
6702 + : "=&a" (oldval), "=&r" (ret), \
6703 + "+m" (*uaddr), "=&r" (tem) \
6704 + : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
6706 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
6707 asm volatile("1:\t" insn "\n" \
6708 "2:\t.section .fixup,\"ax\"\n" \
6710 : "=&a" (oldval), "=&r" (ret), \
6711 "+m" (*uaddr), "=&r" (tem) \
6712 : "r" (oparg), "i" (-EFAULT), "1" (0))
6715 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
6716 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
6718 int op = (encoded_op >> 28) & 7;
6719 int cmp = (encoded_op >> 24) & 15;
6720 @@ -61,11 +96,20 @@ static inline int futex_atomic_op_inuser
6724 +#ifdef CONFIG_X86_32
6725 + __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
6727 __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
6731 +#ifdef CONFIG_X86_32
6732 + __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %%ds:%2", ret, oldval,
6735 __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
6740 __futex_atomic_op2("orl %4, %3", ret, oldval, uaddr, oparg);
6741 @@ -109,7 +153,7 @@ static inline int futex_atomic_op_inuser
6745 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
6746 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
6750 @@ -122,14 +166,27 @@ static inline int futex_atomic_cmpxchg_i
6751 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
6754 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
6756 +#ifdef CONFIG_X86_32
6757 + "\tmovw %w5, %%ds\n"
6758 + "1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
6759 + "2:\tpushl %%ss\n"
6761 + "\t.section .fixup, \"ax\"\n"
6763 + "1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
6764 "2:\t.section .fixup, \"ax\"\n"
6769 _ASM_EXTABLE(1b, 3b)
6770 : "=a" (oldval), "+m" (*uaddr)
6771 +#ifdef CONFIG_X86_32
6772 + : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
6774 : "i" (-EFAULT), "r" (newval), "0" (oldval)
6779 diff -urNp linux-2.6.33/arch/x86/include/asm/i387.h linux-2.6.33/arch/x86/include/asm/i387.h
6780 --- linux-2.6.33/arch/x86/include/asm/i387.h 2010-02-24 13:52:17.000000000 -0500
6781 +++ linux-2.6.33/arch/x86/include/asm/i387.h 2010-03-07 12:23:35.917681499 -0500
6782 @@ -197,13 +197,8 @@ static inline int fxrstor_checking(struc
6785 /* We need a safe address that is cheap to find and that is already
6786 - in L1 during context switch. The best choices are unfortunately
6787 - different for UP and SMP */
6789 -#define safe_address (__per_cpu_offset[0])
6791 -#define safe_address (kstat_cpu(0).cpustat.user)
6793 + in L1 during context switch. */
6794 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
6797 * These must be called with preempt disabled
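Review bot: The new `safe_address` expands to `init_tss[smp_processor_id()].x86_tss.sp0`, so every use now depends on the caller being unable to migrate between CPUs, and the shortened comment no longer hints at any constraint. The next comment in the hunk says the helpers that follow must be called with preempt disabled; stating the same requirement on the macro, e.g. `/* per-CPU TSS slot: only use with preemption disabled */`, would keep a later user from evaluating it in preemptible context. Whether every existing user already satisfies this cannot be seen from the hunk.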
6798 diff -urNp linux-2.6.33/arch/x86/include/asm/io_64.h linux-2.6.33/arch/x86/include/asm/io_64.h
6799 --- linux-2.6.33/arch/x86/include/asm/io_64.h 2010-02-24 13:52:17.000000000 -0500
6800 +++ linux-2.6.33/arch/x86/include/asm/io_64.h 2010-03-07 12:23:35.917681499 -0500
6801 @@ -140,6 +140,17 @@ __OUTS(l)
6803 #include <linux/vmalloc.h>
6805 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
6806 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
6808 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
6811 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
6813 + return (pfn + (count >> PAGE_SHIFT)) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
6816 #include <asm-generic/iomap.h>
6818 void __memcpy_fromio(void *, unsigned long, unsigned);
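Review bot: Both new range checks compute their bound as `1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)`, which shifts a plain `int`. With PAGE_SHIFT being 12 on x86, an `x86_phys_bits` of 43 gives a result that no longer fits an int and anything larger makes the shift undefined, so the comparison is unreliable on machines with a wide physical address space. Use an unsigned long constant in both functions: `(1UL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT))`. The sums `addr + count + PAGE_SIZE - 1` and `pfn + (count >> PAGE_SHIFT)` can also wrap for large arguments and then pass the check; rejecting a wrapped sum first, for example `if (addr + count < addr) return 0;`, closes that gap.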
6819 diff -urNp linux-2.6.33/arch/x86/include/asm/iommu.h linux-2.6.33/arch/x86/include/asm/iommu.h
6820 --- linux-2.6.33/arch/x86/include/asm/iommu.h 2010-02-24 13:52:17.000000000 -0500
6821 +++ linux-2.6.33/arch/x86/include/asm/iommu.h 2010-03-07 12:23:35.917681499 -0500
6823 #ifndef _ASM_X86_IOMMU_H
6824 #define _ASM_X86_IOMMU_H
6826 -extern struct dma_map_ops nommu_dma_ops;
6827 +extern const struct dma_map_ops nommu_dma_ops;
6828 extern int force_iommu, no_iommu;
6829 extern int iommu_detected;
6830 extern int iommu_pass_through;
6831 diff -urNp linux-2.6.33/arch/x86/include/asm/irqflags.h linux-2.6.33/arch/x86/include/asm/irqflags.h
6832 --- linux-2.6.33/arch/x86/include/asm/irqflags.h 2010-02-24 13:52:17.000000000 -0500
6833 +++ linux-2.6.33/arch/x86/include/asm/irqflags.h 2010-03-07 12:23:35.921647784 -0500
6834 @@ -142,10 +142,75 @@ static inline unsigned long __raw_local_
6838 +/* PaX: special register usage in entry_64.S, beware */
6839 +#ifdef CONFIG_PAX_KERNEXEC
6840 + .macro ljmpq sel, off
6841 + .byte 0x48; ljmp *1234f(%rip)
6842 + .pushsection .rodata
6844 + 1234: .quad \off; .word \sel
6848 +#define PAX_EXIT_KERNEL \
6850 + cmp $__KERNEXEC_KERNEL_CS, %esi;\
6854 + ljmpq __KERNEL_CS, 1f; \
6855 +1: mov %rsi, %cr0; \
6858 +#define PAX_ENTER_KERNEL \
6863 + cmp $__KERNEL_CS, %esi; \
6865 + ljmpq __KERNEL_CS, 3f; \
6866 +1: ljmpq __KERNEXEC_KERNEL_CS, 2f; \
6867 +2: mov %rsi, %cr0; \
6870 +#define PAX_EXIT_KERNEL
6871 +#define PAX_ENTER_KERNEL
6875 #define INTERRUPT_RETURN iret
6876 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
6877 #define GET_CR0_INTO_EAX movl %cr0, %eax
6879 +/* PaX: special register usage in entry_32.S, beware */
6880 +#ifdef CONFIG_PAX_KERNEXEC
6881 +#define PAX_EXIT_KERNEL \
6883 + cmp $__KERNEXEC_KERNEL_CS, %esi;\
6887 + ljmp $__KERNEL_CS, $1f; \
6888 +1: mov %esi, %cr0; \
6891 +#define PAX_ENTER_KERNEL \
6896 + cmp $__KERNEL_CS, %esi; \
6898 + ljmp $__KERNEL_CS, $3f; \
6899 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f;\
6900 +2: mov %esi, %cr0; \
6903 +#define PAX_EXIT_KERNEL
6904 +#define PAX_ENTER_KERNEL
6910 diff -urNp linux-2.6.33/arch/x86/include/asm/kvm_host.h linux-2.6.33/arch/x86/include/asm/kvm_host.h
6911 --- linux-2.6.33/arch/x86/include/asm/kvm_host.h 2010-02-24 13:52:17.000000000 -0500
6912 +++ linux-2.6.33/arch/x86/include/asm/kvm_host.h 2010-03-07 12:23:35.921647784 -0500
6913 @@ -536,7 +536,7 @@ struct kvm_x86_ops {
6914 const struct trace_print_flags *exit_reasons_str;
6917 -extern struct kvm_x86_ops *kvm_x86_ops;
6918 +extern const struct kvm_x86_ops *kvm_x86_ops;
6920 int kvm_mmu_module_init(void);
6921 void kvm_mmu_module_exit(void);
6922 diff -urNp linux-2.6.33/arch/x86/include/asm/local.h linux-2.6.33/arch/x86/include/asm/local.h
6923 --- linux-2.6.33/arch/x86/include/asm/local.h 2010-02-24 13:52:17.000000000 -0500
6924 +++ linux-2.6.33/arch/x86/include/asm/local.h 2010-03-07 12:23:35.921647784 -0500
6925 @@ -18,26 +18,90 @@ typedef struct {
6927 static inline void local_inc(local_t *l)
6929 - asm volatile(_ASM_INC "%0"
6930 + asm volatile(_ASM_INC "%0\n"
6932 +#ifdef CONFIG_PAX_REFCOUNT
6933 +#ifdef CONFIG_X86_32
6939 + ".pushsection .fixup,\"ax\"\n"
6944 + _ASM_EXTABLE(0b, 1b)
6947 : "+m" (l->a.counter));
6950 static inline void local_dec(local_t *l)
6952 - asm volatile(_ASM_DEC "%0"
6953 + asm volatile(_ASM_DEC "%0\n"
6955 +#ifdef CONFIG_PAX_REFCOUNT
6956 +#ifdef CONFIG_X86_32
6962 + ".pushsection .fixup,\"ax\"\n"
6967 + _ASM_EXTABLE(0b, 1b)
6970 : "+m" (l->a.counter));
6973 static inline void local_add(long i, local_t *l)
6975 - asm volatile(_ASM_ADD "%1,%0"
6976 + asm volatile(_ASM_ADD "%1,%0\n"
6978 +#ifdef CONFIG_PAX_REFCOUNT
6979 +#ifdef CONFIG_X86_32
6985 + ".pushsection .fixup,\"ax\"\n"
6987 + _ASM_SUB "%1,%0\n"
6990 + _ASM_EXTABLE(0b, 1b)
6993 : "+m" (l->a.counter)
6997 static inline void local_sub(long i, local_t *l)
6999 - asm volatile(_ASM_SUB "%1,%0"
7000 + asm volatile(_ASM_SUB "%1,%0\n"
7002 +#ifdef CONFIG_PAX_REFCOUNT
7003 +#ifdef CONFIG_X86_32
7009 + ".pushsection .fixup,\"ax\"\n"
7011 + _ASM_ADD "%1,%0\n"
7014 + _ASM_EXTABLE(0b, 1b)
7017 : "+m" (l->a.counter)
7020 @@ -55,7 +119,24 @@ static inline int local_sub_and_test(lon
7024 - asm volatile(_ASM_SUB "%2,%0; sete %1"
7025 + asm volatile(_ASM_SUB "%2,%0\n"
7027 +#ifdef CONFIG_PAX_REFCOUNT
7028 +#ifdef CONFIG_X86_32
7034 + ".pushsection .fixup,\"ax\"\n"
7036 + _ASM_ADD "%2,%0\n"
7039 + _ASM_EXTABLE(0b, 1b)
7043 : "+m" (l->a.counter), "=qm" (c)
7044 : "ir" (i) : "memory");
7046 @@ -73,7 +154,24 @@ static inline int local_dec_and_test(loc
7050 - asm volatile(_ASM_DEC "%0; sete %1"
7051 + asm volatile(_ASM_DEC "%0\n"
7053 +#ifdef CONFIG_PAX_REFCOUNT
7054 +#ifdef CONFIG_X86_32
7060 + ".pushsection .fixup,\"ax\"\n"
7065 + _ASM_EXTABLE(0b, 1b)
7069 : "+m" (l->a.counter), "=qm" (c)
7072 @@ -91,7 +189,24 @@ static inline int local_inc_and_test(loc
7076 - asm volatile(_ASM_INC "%0; sete %1"
7077 + asm volatile(_ASM_INC "%0\n"
7079 +#ifdef CONFIG_PAX_REFCOUNT
7080 +#ifdef CONFIG_X86_32
7086 + ".pushsection .fixup,\"ax\"\n"
7091 + _ASM_EXTABLE(0b, 1b)
7095 : "+m" (l->a.counter), "=qm" (c)
7098 @@ -110,7 +225,24 @@ static inline int local_add_negative(lon
7102 - asm volatile(_ASM_ADD "%2,%0; sets %1"
7103 + asm volatile(_ASM_ADD "%2,%0\n"
7105 +#ifdef CONFIG_PAX_REFCOUNT
7106 +#ifdef CONFIG_X86_32
7112 + ".pushsection .fixup,\"ax\"\n"
7114 + _ASM_SUB "%2,%0\n"
7117 + _ASM_EXTABLE(0b, 1b)
7121 : "+m" (l->a.counter), "=qm" (c)
7122 : "ir" (i) : "memory");
7124 @@ -133,7 +265,23 @@ static inline long local_add_return(long
7126 /* Modern 486+ processor */
7128 - asm volatile(_ASM_XADD "%0, %1;"
7129 + asm volatile(_ASM_XADD "%0, %1\n"
7131 +#ifdef CONFIG_PAX_REFCOUNT
7132 +#ifdef CONFIG_X86_32
7138 + ".pushsection .fixup,\"ax\"\n"
7140 + _ASM_MOV "%0,%1\n"
7143 + _ASM_EXTABLE(0b, 1b)
7146 : "+r" (i), "+m" (l->a.counter)
7149 diff -urNp linux-2.6.33/arch/x86/include/asm/microcode.h linux-2.6.33/arch/x86/include/asm/microcode.h
7150 --- linux-2.6.33/arch/x86/include/asm/microcode.h 2010-02-24 13:52:17.000000000 -0500
7151 +++ linux-2.6.33/arch/x86/include/asm/microcode.h 2010-03-07 12:23:35.921647784 -0500
7152 @@ -12,13 +12,13 @@ struct device;
7153 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
7155 struct microcode_ops {
7156 - enum ucode_state (*request_microcode_user) (int cpu,
7157 + enum ucode_state (* const request_microcode_user) (int cpu,
7158 const void __user *buf, size_t size);
7160 - enum ucode_state (*request_microcode_fw) (int cpu,
7161 + enum ucode_state (* const request_microcode_fw) (int cpu,
7162 struct device *device);
7164 - void (*microcode_fini_cpu) (int cpu);
7165 + void (* const microcode_fini_cpu) (int cpu);
7168 * The generic 'microcode_core' part guarantees that
7169 @@ -38,18 +38,18 @@ struct ucode_cpu_info {
7170 extern struct ucode_cpu_info ucode_cpu_info[];
7172 #ifdef CONFIG_MICROCODE_INTEL
7173 -extern struct microcode_ops * __init init_intel_microcode(void);
7174 +extern const struct microcode_ops * __init init_intel_microcode(void);
7176 -static inline struct microcode_ops * __init init_intel_microcode(void)
7177 +static inline const struct microcode_ops * __init init_intel_microcode(void)
7181 #endif /* CONFIG_MICROCODE_INTEL */
7183 #ifdef CONFIG_MICROCODE_AMD
7184 -extern struct microcode_ops * __init init_amd_microcode(void);
7185 +extern const struct microcode_ops * __init init_amd_microcode(void);
7187 -static inline struct microcode_ops * __init init_amd_microcode(void)
7188 +static inline const struct microcode_ops * __init init_amd_microcode(void)
7192 diff -urNp linux-2.6.33/arch/x86/include/asm/mman.h linux-2.6.33/arch/x86/include/asm/mman.h
7193 --- linux-2.6.33/arch/x86/include/asm/mman.h 2010-02-24 13:52:17.000000000 -0500
7194 +++ linux-2.6.33/arch/x86/include/asm/mman.h 2010-03-07 12:23:35.921647784 -0500
7197 #include <asm-generic/mman.h>
7200 +#ifndef __ASSEMBLY__
7201 +#ifdef CONFIG_X86_32
7202 +#define arch_mmap_check i386_mmap_check
7203 +int i386_mmap_check(unsigned long addr, unsigned long len,
7204 + unsigned long flags);
7209 #endif /* _ASM_X86_MMAN_H */
7210 diff -urNp linux-2.6.33/arch/x86/include/asm/mmu_context.h linux-2.6.33/arch/x86/include/asm/mmu_context.h
7211 --- linux-2.6.33/arch/x86/include/asm/mmu_context.h 2010-02-24 13:52:17.000000000 -0500
7212 +++ linux-2.6.33/arch/x86/include/asm/mmu_context.h 2010-03-07 12:23:35.921647784 -0500
7213 @@ -34,11 +34,17 @@ static inline void switch_mm(struct mm_s
7214 struct task_struct *tsk)
7216 unsigned cpu = smp_processor_id();
7217 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
7218 + int tlbstate = TLBSTATE_OK;
7221 if (likely(prev != next)) {
7222 /* stop flush ipis for the previous mm */
7223 cpumask_clear_cpu(cpu, mm_cpumask(prev));
7225 +#ifdef CONFIG_X86_32
7226 + tlbstate = percpu_read(cpu_tlbstate.state);
7228 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
7229 percpu_write(cpu_tlbstate.active_mm, next);
7231 @@ -52,6 +58,26 @@ static inline void switch_mm(struct mm_s
7233 if (unlikely(prev->context.ldt != next->context.ldt))
7234 load_LDT_nolock(&next->context);
7236 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
7237 + if (!(__supported_pte_mask & _PAGE_NX)) {
7238 + smp_mb__before_clear_bit();
7239 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
7240 + smp_mb__after_clear_bit();
7241 + cpu_set(cpu, next->context.cpu_user_cs_mask);
7245 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7246 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
7247 + prev->context.user_cs_limit != next->context.user_cs_limit))
7248 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7250 + else if (unlikely(tlbstate != TLBSTATE_OK))
7251 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7258 @@ -65,6 +91,19 @@ static inline void switch_mm(struct mm_s
7260 load_cr3(next->pgd);
7261 load_LDT_nolock(&next->context);
7263 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
7264 + if (!(__supported_pte_mask & _PAGE_NX))
7265 + cpu_set(cpu, next->context.cpu_user_cs_mask);
7268 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7269 +#ifdef CONFIG_PAX_PAGEEXEC
7270 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
7272 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
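Review bot: The `if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))` at gutter line 7270 exists only under `#ifdef CONFIG_PAX_PAGEEXEC` and governs the unbraced `set_user_cs(...)` that follows it, so one statement is split across preprocessor branches and breaks silently if a line is ever inserted between the two. Computing the condition into a local flag, or moving it into a small helper that is a constant when PAGEEXEC is off, would keep the call under an ordinary braced `if`. Separately, the guard at gutter line 7263 tests `CONFIG_PAX_PAGEEXEC` without `CONFIG_SMP`, while the previous hunk guards the same `cpu_user_cs_mask` accesses with both; if an enclosing `#ifdef CONFIG_SMP` outside the hunk covers this, a short comment would make that explicit. switch_mm's body starts and ends outside the hunk.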
7278 diff -urNp linux-2.6.33/arch/x86/include/asm/mmu.h linux-2.6.33/arch/x86/include/asm/mmu.h
7279 --- linux-2.6.33/arch/x86/include/asm/mmu.h 2010-02-24 13:52:17.000000000 -0500
7280 +++ linux-2.6.33/arch/x86/include/asm/mmu.h 2010-03-07 12:23:35.921647784 -0500
7282 * we put the segment information here.
7286 + struct desc_struct *ldt;
7290 + unsigned long vdso;
7292 +#ifdef CONFIG_X86_32
7293 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
7294 + unsigned long user_cs_base;
7295 + unsigned long user_cs_limit;
7297 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
7298 + cpumask_t cpu_user_cs_mask;
7307 diff -urNp linux-2.6.33/arch/x86/include/asm/module.h linux-2.6.33/arch/x86/include/asm/module.h
7308 --- linux-2.6.33/arch/x86/include/asm/module.h 2010-02-24 13:52:17.000000000 -0500
7309 +++ linux-2.6.33/arch/x86/include/asm/module.h 2010-03-07 12:23:35.921647784 -0500
7312 # define MODULE_STACKSIZE ""
7314 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
7315 +# ifdef CONFIG_GRKERNSEC
7316 +# define MODULE_GRSEC "GRSECURITY "
7318 +# define MODULE_GRSEC ""
7320 +# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC
7323 #endif /* _ASM_X86_MODULE_H */
7324 diff -urNp linux-2.6.33/arch/x86/include/asm/page_32_types.h linux-2.6.33/arch/x86/include/asm/page_32_types.h
7325 --- linux-2.6.33/arch/x86/include/asm/page_32_types.h 2010-02-24 13:52:17.000000000 -0500
7326 +++ linux-2.6.33/arch/x86/include/asm/page_32_types.h 2010-03-07 12:23:35.921647784 -0500
7329 #define __PAGE_OFFSET _AC(CONFIG_PAGE_OFFSET, UL)
7331 +#ifdef CONFIG_PAX_PAGEEXEC
7332 +#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
7335 #ifdef CONFIG_4KSTACKS
7336 #define THREAD_ORDER 0
7338 diff -urNp linux-2.6.33/arch/x86/include/asm/page_64_types.h linux-2.6.33/arch/x86/include/asm/page_64_types.h
7339 --- linux-2.6.33/arch/x86/include/asm/page_64_types.h 2010-02-24 13:52:17.000000000 -0500
7340 +++ linux-2.6.33/arch/x86/include/asm/page_64_types.h 2010-03-07 12:23:35.921647784 -0500
7342 #define __START_KERNEL (__START_KERNEL_map + __PHYSICAL_START)
7343 #define __START_KERNEL_map _AC(0xffffffff80000000, UL)
7345 +#define ktla_ktva(addr) (addr)
7346 +#define ktva_ktla(addr) (addr)
7348 /* See Documentation/x86/x86_64/mm.txt for a description of the memory map. */
7349 #define __PHYSICAL_MASK_SHIFT 46
7350 #define __VIRTUAL_MASK_SHIFT 47
7351 diff -urNp linux-2.6.33/arch/x86/include/asm/paravirt.h linux-2.6.33/arch/x86/include/asm/paravirt.h
7352 --- linux-2.6.33/arch/x86/include/asm/paravirt.h 2010-02-24 13:52:17.000000000 -0500
7353 +++ linux-2.6.33/arch/x86/include/asm/paravirt.h 2010-03-07 12:23:55.597717555 -0500
7354 @@ -729,6 +729,21 @@ static inline void __set_fixmap(unsigned
7355 pv_mmu_ops.set_fixmap(idx, phys, flags);
7358 +#ifdef CONFIG_PAX_KERNEXEC
7359 +static inline unsigned long pax_open_kernel(void)
7361 + return pv_mmu_ops.pax_open_kernel();
7364 +static inline unsigned long pax_close_kernel(void)
7366 + return pv_mmu_ops.pax_close_kernel();
7369 +static inline unsigned long pax_open_kernel(void) { return 0; }
7370 +static inline unsigned long pax_close_kernel(void) { return 0; }
7373 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
7375 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
7376 @@ -945,7 +960,7 @@ extern void default_banner(void);
7378 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
7379 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
7380 -#define PARA_INDIRECT(addr) *%cs:addr
7381 +#define PARA_INDIRECT(addr) *%ss:addr
7384 #define INTERRUPT_RETURN \
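Review bot: `PARA_INDIRECT` is switched from `*%cs:addr` to `*%ss:addr` with no visible config guard and no comment, so as far as this hunk shows it changes every paravirt indirect call and jump in assembly even when the hardening options are off. If the override is only needed for KERNEXEC, keep `#define PARA_INDIRECT(addr) *%cs:addr` in an `#else` branch of an `#ifdef CONFIG_PAX_KERNEXEC`. In either case, add a one-line comment saying why the stack segment is the right override here.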
7385 @@ -980,6 +995,34 @@ extern void default_banner(void);
7387 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
7389 +#ifdef CONFIG_PAX_KERNEXEC
7390 +#define PAX_EXIT_KERNEL \
7391 + push %eax; push %ecx; \
7393 + cmp $__KERNEXEC_KERNEL_CS, %eax; \
7395 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
7397 + ljmp $__KERNEL_CS, $1f; \
7398 +1: call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);\
7399 +2: pop %ecx; pop %eax; \
7401 +#define PAX_ENTER_KERNEL \
7402 + push %eax; push %ecx; \
7403 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
7407 + cmp $__KERNEL_CS, %ecx; \
7409 + ljmp $__KERNEL_CS, $3f; \
7410 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f; \
7411 +2: call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);\
7412 +3: pop %ecx; pop %eax;
7414 +#define PAX_EXIT_KERNEL
7415 +#define PAX_ENTER_KERNEL
7418 #else /* !CONFIG_X86_32 */
7420 @@ -1022,6 +1065,44 @@ extern void default_banner(void);
7421 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
7423 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
7425 +#ifdef CONFIG_PAX_KERNEXEC
7426 + .macro ljmpq sel, off
7427 + .byte 0x48; ljmp *1234f(%rip)
7428 + .pushsection .rodata
7430 + 1234: .quad \off; .word \sel
7434 +#define PAX_EXIT_KERNEL \
7435 + push %rax; push %rcx; \
7437 + cmp $__KERNEXEC_KERNEL_CS, %eax; \
7439 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
7441 + ljmpq __KERNEL_CS, 1f; \
7442 +1: call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);\
7443 +2: pop %rcx; pop %rax; \
7445 +#define PAX_ENTER_KERNEL \
7446 + push %rax; push %rcx; \
7447 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
7451 + cmp $__KERNEL_CS, %ecx; \
7453 + ljmpq __KERNEL_CS, 3f; \
7454 +1: ljmpq __KERNEXEC_KERNEL_CS, 2f; \
7455 +2: call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);\
7456 +3: pop %rcx; pop %rax;
7458 +#define PAX_EXIT_KERNEL
7459 +#define PAX_ENTER_KERNEL
7462 #endif /* CONFIG_X86_32 */
7464 #endif /* __ASSEMBLY__ */
7465 diff -urNp linux-2.6.33/arch/x86/include/asm/paravirt_types.h linux-2.6.33/arch/x86/include/asm/paravirt_types.h
7466 --- linux-2.6.33/arch/x86/include/asm/paravirt_types.h 2010-02-24 13:52:17.000000000 -0500
7467 +++ linux-2.6.33/arch/x86/include/asm/paravirt_types.h 2010-03-07 12:23:35.921647784 -0500
7468 @@ -316,6 +316,12 @@ struct pv_mmu_ops {
7469 an mfn. We can tell which is which from the index. */
7470 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
7471 phys_addr_t phys, pgprot_t flags);
7473 +#ifdef CONFIG_PAX_KERNEXEC
7474 + unsigned long (*pax_open_kernel)(void);
7475 + unsigned long (*pax_close_kernel)(void);
7480 struct arch_spinlock;
7481 diff -urNp linux-2.6.33/arch/x86/include/asm/pci_x86.h linux-2.6.33/arch/x86/include/asm/pci_x86.h
7482 --- linux-2.6.33/arch/x86/include/asm/pci_x86.h 2010-02-24 13:52:17.000000000 -0500
7483 +++ linux-2.6.33/arch/x86/include/asm/pci_x86.h 2010-03-07 12:23:35.921647784 -0500
7484 @@ -89,16 +89,16 @@ extern int (*pcibios_enable_irq)(struct
7485 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
7487 struct pci_raw_ops {
7488 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
7489 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
7490 int reg, int len, u32 *val);
7491 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
7492 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
7493 int reg, int len, u32 val);
7496 -extern struct pci_raw_ops *raw_pci_ops;
7497 -extern struct pci_raw_ops *raw_pci_ext_ops;
7498 +extern const struct pci_raw_ops *raw_pci_ops;
7499 +extern const struct pci_raw_ops *raw_pci_ext_ops;
7501 -extern struct pci_raw_ops pci_direct_conf1;
7502 +extern const struct pci_raw_ops pci_direct_conf1;
7503 extern bool port_cf9_safe;
7505 /* arch_initcall level */
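Review bot: The dispatch pointers themselves stay writable. `extern const struct pci_raw_ops *raw_pci_ops;` (and `raw_pci_ext_ops`) makes the pointee const, not the variable, so the ops tables become read-only but the pointer that selects a table can still be overwritten at run time. If both are assigned only during PCI initialisation, they should also be made read-only after init with whatever annotation the tree provides. At minimum add `/* assigned once during PCI init; the tables themselves are const */` above the declarations. With every table declared `const struct pci_raw_ops`, the `* const` on the `read`/`write` members is redundant and prevents any non-static initialisation of the struct.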
7506 diff -urNp linux-2.6.33/arch/x86/include/asm/pgalloc.h linux-2.6.33/arch/x86/include/asm/pgalloc.h
7507 --- linux-2.6.33/arch/x86/include/asm/pgalloc.h 2010-02-24 13:52:17.000000000 -0500
7508 +++ linux-2.6.33/arch/x86/include/asm/pgalloc.h 2010-03-07 12:23:35.921647784 -0500
7509 @@ -58,6 +58,13 @@ static inline void pmd_populate_kernel(s
7510 pmd_t *pmd, pte_t *pte)
7512 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
7513 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
7516 +static inline void pmd_populate_user(struct mm_struct *mm,
7517 + pmd_t *pmd, pte_t *pte)
7519 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
7520 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
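Review bot: Nothing at the two definitions tells a caller which populate variant to use, and the difference is security-relevant: `pmd_populate_kernel()` now installs `_KERNPG_TABLE` while the new `pmd_populate_user()` installs `_PAGE_TABLE`, which carries `_PAGE_USER`. I would add `/* kernel page tables only: _KERNPG_TABLE has no _PAGE_USER */` above the first and `/* user address space: _PAGE_TABLE includes _PAGE_USER */` above the second. The body of pmd_populate_kernel() starts outside this hunk, and the callers that must switch to the `_user` variant are not visible here.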
7523 diff -urNp linux-2.6.33/arch/x86/include/asm/pgtable-2level.h linux-2.6.33/arch/x86/include/asm/pgtable-2level.h
7524 --- linux-2.6.33/arch/x86/include/asm/pgtable-2level.h 2010-02-24 13:52:17.000000000 -0500
7525 +++ linux-2.6.33/arch/x86/include/asm/pgtable-2level.h 2010-03-07 12:23:35.921647784 -0500
7526 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
7528 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
7530 + pax_open_kernel();
7532 + pax_close_kernel();
7535 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
7536 diff -urNp linux-2.6.33/arch/x86/include/asm/pgtable_32.h linux-2.6.33/arch/x86/include/asm/pgtable_32.h
7537 --- linux-2.6.33/arch/x86/include/asm/pgtable_32.h 2010-02-24 13:52:17.000000000 -0500
7538 +++ linux-2.6.33/arch/x86/include/asm/pgtable_32.h 2010-03-07 12:23:35.921647784 -0500
7541 struct vm_area_struct;
7543 -extern pgd_t swapper_pg_dir[1024];
7545 static inline void pgtable_cache_init(void) { }
7546 static inline void check_pgt_cache(void) { }
7547 void paging_init(void);
7548 @@ -48,6 +46,11 @@ extern void set_pmd_pfn(unsigned long, u
7549 # include <asm/pgtable-2level.h>
7552 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
7553 +#ifdef CONFIG_X86_PAE
7554 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
7557 #if defined(CONFIG_HIGHPTE)
7559 (in_nmi() ? KM_NMI_PTE : \
7560 @@ -72,7 +75,9 @@ extern void set_pmd_pfn(unsigned long, u
7561 /* Clear a kernel PTE and flush it from the TLB */
7562 #define kpte_clear_flush(ptep, vaddr) \
7564 + pax_open_kernel(); \
7565 pte_clear(&init_mm, (vaddr), (ptep)); \
7566 + pax_close_kernel(); \
7567 __flush_tlb_one((vaddr)); \
7570 @@ -84,6 +89,9 @@ do { \
7572 #endif /* !__ASSEMBLY__ */
7574 +#define HAVE_ARCH_UNMAPPED_AREA
7575 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
7578 * kern_addr_valid() is (1) for FLATMEM and (0) for
7579 * SPARSEMEM and DISCONTIGMEM
7580 diff -urNp linux-2.6.33/arch/x86/include/asm/pgtable_32_types.h linux-2.6.33/arch/x86/include/asm/pgtable_32_types.h
7581 --- linux-2.6.33/arch/x86/include/asm/pgtable_32_types.h 2010-02-24 13:52:17.000000000 -0500
7582 +++ linux-2.6.33/arch/x86/include/asm/pgtable_32_types.h 2010-03-07 12:23:35.921647784 -0500
7585 #ifdef CONFIG_X86_PAE
7586 # include <asm/pgtable-3level_types.h>
7587 -# define PMD_SIZE (1UL << PMD_SHIFT)
7588 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
7589 # define PMD_MASK (~(PMD_SIZE - 1))
7591 # include <asm/pgtable-2level_types.h>
7592 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
7593 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
7596 +#ifdef CONFIG_PAX_KERNEXEC
7597 +#ifndef __ASSEMBLY__
7598 +extern unsigned char MODULES_EXEC_VADDR[];
7599 +extern unsigned char MODULES_EXEC_END[];
7601 +#include <asm/boot.h>
7602 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
7603 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
7605 +#define ktla_ktva(addr) (addr)
7606 +#define ktva_ktla(addr) (addr)
7609 #define MODULES_VADDR VMALLOC_START
7610 #define MODULES_END VMALLOC_END
7611 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
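Review bot: The KERNEXEC variants of `ktla_ktva()` and `ktva_ktla()` use their argument unparenthesised, so an argument containing a lower-precedence operator (a conditional or a shift, for example) is silently mis-evaluated. They should read `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. The identity versions in the `#else` branch already parenthesise `addr`.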
7612 diff -urNp linux-2.6.33/arch/x86/include/asm/pgtable-3level.h linux-2.6.33/arch/x86/include/asm/pgtable-3level.h
7613 --- linux-2.6.33/arch/x86/include/asm/pgtable-3level.h 2010-02-24 13:52:17.000000000 -0500
7614 +++ linux-2.6.33/arch/x86/include/asm/pgtable-3level.h 2010-03-07 12:23:35.921647784 -0500
7615 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
7617 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
7619 + pax_open_kernel();
7620 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
7621 + pax_close_kernel();
7624 static inline void native_set_pud(pud_t *pudp, pud_t pud)
7626 + pax_open_kernel();
7627 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
7628 + pax_close_kernel();
7632 diff -urNp linux-2.6.33/arch/x86/include/asm/pgtable_64.h linux-2.6.33/arch/x86/include/asm/pgtable_64.h
7633 --- linux-2.6.33/arch/x86/include/asm/pgtable_64.h 2010-02-24 13:52:17.000000000 -0500
7634 +++ linux-2.6.33/arch/x86/include/asm/pgtable_64.h 2010-03-07 12:23:35.921647784 -0500
7637 extern pud_t level3_kernel_pgt[512];
7638 extern pud_t level3_ident_pgt[512];
7639 +extern pud_t level3_vmalloc_pgt[512];
7640 +extern pud_t level3_vmemmap_pgt[512];
7641 +extern pud_t level2_vmemmap_pgt[512];
7642 extern pmd_t level2_kernel_pgt[512];
7643 extern pmd_t level2_fixmap_pgt[512];
7644 -extern pmd_t level2_ident_pgt[512];
7645 +extern pmd_t level2_ident_pgt[512*2];
7646 extern pgd_t init_level4_pgt[];
7648 #define swapper_pg_dir init_level4_pgt
7649 @@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
7651 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
7653 + pax_open_kernel();
7655 + pax_close_kernel();
7658 static inline void native_pmd_clear(pmd_t *pmd)
7659 @@ -94,7 +99,9 @@ static inline void native_pud_clear(pud_
7661 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
7663 + pax_open_kernel();
7665 + pax_close_kernel();
7668 static inline void native_pgd_clear(pgd_t *pgd)
7669 diff -urNp linux-2.6.33/arch/x86/include/asm/pgtable.h linux-2.6.33/arch/x86/include/asm/pgtable.h
7670 --- linux-2.6.33/arch/x86/include/asm/pgtable.h 2010-02-24 13:52:17.000000000 -0500
7671 +++ linux-2.6.33/arch/x86/include/asm/pgtable.h 2010-03-07 12:23:35.921647784 -0500
7672 @@ -76,12 +76,51 @@ extern struct list_head pgd_list;
7674 #define arch_end_context_switch(prev) do {} while(0)
7676 +#define pax_open_kernel() native_pax_open_kernel()
7677 +#define pax_close_kernel() native_pax_close_kernel()
7678 #endif /* CONFIG_PARAVIRT */
7680 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
7681 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
7683 +#ifdef CONFIG_PAX_KERNEXEC
7684 +static inline unsigned long native_pax_open_kernel(void)
7686 + unsigned long cr0;
7688 + preempt_disable();
7690 + cr0 = read_cr0() ^ X86_CR0_WP;
7691 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
7693 + return cr0 ^ X86_CR0_WP;
7696 +static inline unsigned long native_pax_close_kernel(void)
7698 + unsigned long cr0;
7700 + cr0 = read_cr0() ^ X86_CR0_WP;
7701 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
7704 + preempt_enable_no_resched();
7705 + return cr0 ^ X86_CR0_WP;
7708 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
7709 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
7713 * The following only work if pte_present() is true.
7714 * Undefined behaviour if not..
7716 +static inline int pte_user(pte_t pte)
7718 + return pte_val(pte) & _PAGE_USER;
7721 static inline int pte_dirty(pte_t pte)
7723 return pte_flags(pte) & _PAGE_DIRTY;
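Review bot: `native_pax_open_kernel()` and `native_pax_close_kernel()` have no comment stating their contract, which matters for a primitive that toggles `X86_CR0_WP`. From the visible lines, open calls `preempt_disable()`, close calls `preempt_enable_no_resched()`, and the `BUG_ON()` checks mean a nested open or an unpaired close crashes the kernel. No interrupt masking is visible in this listing, so an interrupt taken inside the window would presumably run with write protection off. I would add `/* must be paired with pax_close_kernel(); not nestable (BUG_ON); keep the window short, preemption is off and IRQs are not masked — confirm */`. Because of `preempt_enable_no_resched()`, a reschedule requested inside the window is deferred to the next preemption point.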
7724 @@ -169,9 +208,29 @@ static inline pte_t pte_wrprotect(pte_t
7725 return pte_clear_flags(pte, _PAGE_RW);
7728 +static inline pte_t pte_mkread(pte_t pte)
7730 + return __pte(pte_val(pte) | _PAGE_USER);
7733 static inline pte_t pte_mkexec(pte_t pte)
7735 - return pte_clear_flags(pte, _PAGE_NX);
7736 +#ifdef CONFIG_X86_PAE
7737 + if (__supported_pte_mask & _PAGE_NX)
7738 + return pte_clear_flags(pte, _PAGE_NX);
7741 + return pte_set_flags(pte, _PAGE_USER);
7744 +static inline pte_t pte_exprotect(pte_t pte)
7746 +#ifdef CONFIG_X86_PAE
7747 + if (__supported_pte_mask & _PAGE_NX)
7748 + return pte_set_flags(pte, _PAGE_NX);
7751 + return pte_clear_flags(pte, _PAGE_USER);
7754 static inline pte_t pte_mkdirty(pte_t pte)
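Review bot: `pte_mkread()` builds its result with `__pte(pte_val(pte) | _PAGE_USER)` while the neighbouring `pte_mkexec()` and `pte_exprotect()` in the same hunk use `pte_set_flags()` / `pte_clear_flags()`. For consistency it should be `return pte_set_flags(pte, _PAGE_USER);`. Likewise `pte_user()` in the preceding hunk uses `pte_val()` where the adjacent `pte_dirty()` uses `pte_flags()`; `return pte_flags(pte) & _PAGE_USER;` matches the surrounding accessors.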
7755 @@ -474,7 +533,7 @@ static inline pud_t *pud_offset(pgd_t *p
7757 static inline int pgd_bad(pgd_t pgd)
7759 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
7760 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
7763 static inline int pgd_none(pgd_t pgd)
7764 @@ -613,9 +672,12 @@ static inline void ptep_set_wrprotect(st
7765 * dst and src can be on the same page, but the range must not overlap,
7766 * and must not cross a page boundary.
7768 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
7769 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
7771 - memcpy(dst, src, count * sizeof(pgd_t));
7772 + pax_open_kernel();
7775 + pax_close_kernel();
7779 diff -urNp linux-2.6.33/arch/x86/include/asm/pgtable_types.h linux-2.6.33/arch/x86/include/asm/pgtable_types.h
7780 --- linux-2.6.33/arch/x86/include/asm/pgtable_types.h 2010-02-24 13:52:17.000000000 -0500
7781 +++ linux-2.6.33/arch/x86/include/asm/pgtable_types.h 2010-03-07 12:23:35.921647784 -0500
7783 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
7784 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
7785 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
7786 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
7787 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
7788 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
7789 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
7790 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
7791 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
7792 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
7793 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
7794 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
7796 /* If _PAGE_BIT_PRESENT is clear, we use these: */
7798 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
7799 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
7800 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
7801 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
7802 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
7803 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
7804 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
7807 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
7808 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
7810 +#elif defined(CONFIG_KMEMCHECK)
7811 #define _PAGE_NX (_AT(pteval_t, 0))
7813 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
7816 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
7818 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
7821 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
7822 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
7824 #define __PAGE_KERNEL_EXEC \
7825 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
7826 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
7828 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
7829 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
7830 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
7831 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
7832 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
7833 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
7834 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
7835 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
7836 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
7837 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
7839 * bits are combined, this will alow user to access the high address mapped
7840 * VDSO in the presence of CONFIG_COMPAT_VDSO
7842 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
7843 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
7844 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
7845 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
7846 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
7849 @@ -278,7 +281,6 @@ typedef struct page *pgtable_t;
7851 extern pteval_t __supported_pte_mask;
7852 extern void set_nx(void);
7853 -extern int nx_enabled;
7855 #define pgprot_writecombine pgprot_writecombine
7856 extern pgprot_t pgprot_writecombine(pgprot_t prot);
7857 diff -urNp linux-2.6.33/arch/x86/include/asm/processor.h linux-2.6.33/arch/x86/include/asm/processor.h
7858 --- linux-2.6.33/arch/x86/include/asm/processor.h 2010-02-24 13:52:17.000000000 -0500
7859 +++ linux-2.6.33/arch/x86/include/asm/processor.h 2010-03-07 12:23:35.921647784 -0500
7860 @@ -273,7 +273,7 @@ struct tss_struct {
7862 } ____cacheline_aligned;
7864 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
7865 +extern struct tss_struct init_tss[NR_CPUS];
7868 * Save the original ist values for checking stack pointers during debugging
7869 @@ -913,8 +913,15 @@ static inline void spin_lock_prefetch(co
7871 #define TASK_SIZE PAGE_OFFSET
7872 #define TASK_SIZE_MAX TASK_SIZE
7874 +#ifdef CONFIG_PAX_SEGMEXEC
7875 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
7876 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
7878 #define STACK_TOP TASK_SIZE
7879 -#define STACK_TOP_MAX STACK_TOP
7882 +#define STACK_TOP_MAX TASK_SIZE
7884 #define INIT_THREAD { \
7885 .sp0 = sizeof(init_stack) + (long)&init_stack, \
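Review bot: The SEGMEXEC definition of `STACK_TOP` dereferences `current->mm->pax_flags` unconditionally, so any use from a context where `current->mm` is NULL (a kernel thread) faults. Whether such a caller exists is not visible here. Either guard it, `#define STACK_TOP ((current->mm && (current->mm->pax_flags & MF_PAX_SEGMEXEC)) ? SEGMEXEC_TASK_SIZE : TASK_SIZE)`, or add a comment that the macro is valid only in process context with an mm.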
7886 @@ -931,7 +938,7 @@ static inline void spin_lock_prefetch(co
7888 #define INIT_TSS { \
7890 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
7891 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
7892 .ss0 = __KERNEL_DS, \
7893 .ss1 = __KERNEL_CS, \
7894 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
7895 @@ -942,11 +949,7 @@ static inline void spin_lock_prefetch(co
7896 extern unsigned long thread_saved_pc(struct task_struct *tsk);
7898 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
7899 -#define KSTK_TOP(info) \
7901 - unsigned long *__ptr = (unsigned long *)(info); \
7902 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
7904 +#define KSTK_TOP(info) ((info)->task.thread.sp0)
7907 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
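Review bot: The new `KSTK_TOP(info)` expands to `((info)->task.thread.sp0)`, which only compiles if `task` is an embedded struct. If `info` is a `struct thread_info *` whose `task` member is a pointer, as in mainline, this needs `((info)->task->thread.sp0)`. The macro's argument contract also changed: the removed `task_pt_regs()` line in the next hunk passed it `task_stack_page(task)`, a raw stack-page pointer. Since `task_pt_regs()` no longer uses `KSTK_TOP`, the macro may have no remaining callers and the error would be latent; confirm, and either fix the expression or drop the macro.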
7908 @@ -961,7 +964,7 @@ extern unsigned long thread_saved_pc(str
7909 #define task_pt_regs(task) \
7911 struct pt_regs *__regs__; \
7912 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
7913 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
7917 @@ -977,7 +980,7 @@ extern unsigned long thread_saved_pc(str
7918 * space during mmap's.
7920 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
7921 - 0xc0000000 : 0xFFFFe000)
7922 + 0xc0000000 : 0xFFFFf000)
7924 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
7925 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
7926 @@ -1014,6 +1017,10 @@ extern void start_thread(struct pt_regs
7928 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
7930 +#ifdef CONFIG_PAX_SEGMEXEC
7931 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
7934 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
7936 /* Get/set a process' ability to use the timestamp counter instruction */
7937 diff -urNp linux-2.6.33/arch/x86/include/asm/ptrace.h linux-2.6.33/arch/x86/include/asm/ptrace.h
7938 --- linux-2.6.33/arch/x86/include/asm/ptrace.h 2010-02-24 13:52:17.000000000 -0500
7939 +++ linux-2.6.33/arch/x86/include/asm/ptrace.h 2010-03-07 12:23:35.921647784 -0500
7940 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
7944 - * user_mode_vm(regs) determines whether a register set came from user mode.
7945 + * user_mode(regs) determines whether a register set came from user mode.
7946 * This is true if V8086 mode was enabled OR if the register set was from
7947 * protected mode with RPL-3 CS value. This tricky test checks that with
7948 * one comparison. Many places in the kernel can bypass this full check
7949 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
7950 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
7953 -static inline int user_mode(struct pt_regs *regs)
7954 +static inline int user_mode_novm(struct pt_regs *regs)
7956 #ifdef CONFIG_X86_32
7957 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
7959 - return !!(regs->cs & 3);
7960 + return !!(regs->cs & SEGMENT_RPL_MASK);
7964 -static inline int user_mode_vm(struct pt_regs *regs)
7965 +static inline int user_mode(struct pt_regs *regs)
7967 #ifdef CONFIG_X86_32
7968 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
7971 - return user_mode(regs);
7972 + return user_mode_novm(regs);
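Review bot: Swapping the meaning of an existing name is easy to get wrong in later merges: `user_mode()` now performs the full check that `user_mode_vm()` used to, and the old cheap check moves to `user_mode_novm()`. Existing `user_mode()` callers move to the stricter test, which is the safe direction, but code ported in from mainline that calls `user_mode_vm()` will no longer build and must be mapped by hand. I would put `/* Only valid once V8086 mode has been ruled out; use user_mode() otherwise. */` directly above `user_mode_novm()` so the weaker helper is not picked by default. The rewritten block comment appears truncated after "so user_mode_novm(regs) can" in this listing.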
7976 diff -urNp linux-2.6.33/arch/x86/include/asm/reboot.h linux-2.6.33/arch/x86/include/asm/reboot.h
7977 --- linux-2.6.33/arch/x86/include/asm/reboot.h 2010-02-24 13:52:17.000000000 -0500
7978 +++ linux-2.6.33/arch/x86/include/asm/reboot.h 2010-03-07 12:23:35.921647784 -0500
7979 @@ -18,7 +18,7 @@ extern struct machine_ops machine_ops;
7981 void native_machine_crash_shutdown(struct pt_regs *regs);
7982 void native_machine_shutdown(void);
7983 -void machine_real_restart(const unsigned char *code, int length);
7984 +void machine_real_restart(const unsigned char *code, unsigned int length);
7986 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
7987 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
7988 diff -urNp linux-2.6.33/arch/x86/include/asm/rwsem.h linux-2.6.33/arch/x86/include/asm/rwsem.h
7989 --- linux-2.6.33/arch/x86/include/asm/rwsem.h 2010-02-24 13:52:17.000000000 -0500
7990 +++ linux-2.6.33/arch/x86/include/asm/rwsem.h 2010-03-07 12:23:35.925702533 -0500
7991 @@ -106,10 +106,26 @@ static inline void __down_read(struct rw
7993 asm volatile("# beginning down_read\n\t"
7994 LOCK_PREFIX " incl (%%eax)\n\t"
7996 +#ifdef CONFIG_PAX_REFCOUNT
7997 +#ifdef CONFIG_X86_32
8003 + ".pushsection .fixup,\"ax\"\n"
8005 + LOCK_PREFIX "decl (%%eax)\n"
8008 + _ASM_EXTABLE(0b, 1b)
8011 /* adds 0x00000001, returns the old value */
8014 " call call_rwsem_down_read_failed\n"
8017 "# ending down_read\n\t"
8020 @@ -124,13 +140,29 @@ static inline int __down_read_trylock(st
8022 asm volatile("# beginning __down_read_trylock\n\t"
8030 +#ifdef CONFIG_PAX_REFCOUNT
8031 +#ifdef CONFIG_X86_32
8037 + ".pushsection .fixup,\"ax\"\n"
8042 + _ASM_EXTABLE(0b, 1b)
8046 LOCK_PREFIX " cmpxchgl %2,%0\n\t"
8051 "# ending __down_read_trylock\n\t"
8052 : "+m" (sem->count), "=&a" (result), "=&r" (tmp)
8053 : "i" (RWSEM_ACTIVE_READ_BIAS)
8054 @@ -148,12 +180,28 @@ static inline void __down_write_nested(s
8055 tmp = RWSEM_ACTIVE_WRITE_BIAS;
8056 asm volatile("# beginning down_write\n\t"
8057 LOCK_PREFIX " xadd %%edx,(%%eax)\n\t"
8059 +#ifdef CONFIG_PAX_REFCOUNT
8060 +#ifdef CONFIG_X86_32
8066 + ".pushsection .fixup,\"ax\"\n"
8068 + "movl %%edx,(%%eax)\n"
8071 + _ASM_EXTABLE(0b, 1b)
8074 /* subtract 0x0000ffff, returns the old value */
8075 " testl %%edx,%%edx\n\t"
8076 /* was the count 0 before? */
8079 " call call_rwsem_down_write_failed\n"
8082 "# ending down_write"
8083 : "+m" (sem->count), "=d" (tmp)
8084 : "a" (sem), "1" (tmp)
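Review bot: The fixup path added here restores the counter with a plain `movl %%edx,(%%eax)`, which is not atomic with respect to other CPUs. After the `xadd`, `%edx` holds the previous count, so the store writes the old value back and discards any update another CPU made in between. The `__up_read` and `__up_write` hunks below do the same, whereas `__down_read` and `__downgrade_write` undo with a `LOCK_PREFIX`ed inverse operation. Consider keeping the bias in a second register and undoing with a locked subtract, or add a comment explaining why no concurrent update can occur on this path. The instruction that branches to the fixup is not visible in this listing, so this is based on the fixup body alone.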
8085 @@ -186,10 +234,26 @@ static inline void __up_read(struct rw_s
8086 __s32 tmp = -RWSEM_ACTIVE_READ_BIAS;
8087 asm volatile("# beginning __up_read\n\t"
8088 LOCK_PREFIX " xadd %%edx,(%%eax)\n\t"
8090 +#ifdef CONFIG_PAX_REFCOUNT
8091 +#ifdef CONFIG_X86_32
8097 + ".pushsection .fixup,\"ax\"\n"
8099 + "movl %%edx,(%%eax)\n"
8102 + _ASM_EXTABLE(0b, 1b)
8105 /* subtracts 1, returns the old value */
8108 " call call_rwsem_wake\n"
8111 "# ending __up_read\n"
8112 : "+m" (sem->count), "=d" (tmp)
8113 : "a" (sem), "1" (tmp)
8114 @@ -204,11 +268,27 @@ static inline void __up_write(struct rw_
8115 asm volatile("# beginning __up_write\n\t"
8116 " movl %2,%%edx\n\t"
8117 LOCK_PREFIX " xaddl %%edx,(%%eax)\n\t"
8119 +#ifdef CONFIG_PAX_REFCOUNT
8120 +#ifdef CONFIG_X86_32
8126 + ".pushsection .fixup,\"ax\"\n"
8128 + "movl %%edx,(%%eax)\n"
8131 + _ASM_EXTABLE(0b, 1b)
8134 /* tries to transition
8135 0xffff0001 -> 0x00000000 */
8138 " call call_rwsem_wake\n"
8141 "# ending __up_write\n"
8143 : "a" (sem), "i" (-RWSEM_ACTIVE_WRITE_BIAS)
8144 @@ -222,10 +302,26 @@ static inline void __downgrade_write(str
8146 asm volatile("# beginning __downgrade_write\n\t"
8147 LOCK_PREFIX " addl %2,(%%eax)\n\t"
8149 +#ifdef CONFIG_PAX_REFCOUNT
8150 +#ifdef CONFIG_X86_32
8156 + ".pushsection .fixup,\"ax\"\n"
8158 + LOCK_PREFIX "subl %2,(%%eax)\n"
8161 + _ASM_EXTABLE(0b, 1b)
8164 /* transitions 0xZZZZ0001 -> 0xYYYY0001 */
8167 " call call_rwsem_downgrade_wake\n"
8170 "# ending __downgrade_write\n"
8172 : "a" (sem), "i" (-RWSEM_WAITING_BIAS)
8173 @@ -237,7 +333,23 @@ static inline void __downgrade_write(str
8175 static inline void rwsem_atomic_add(int delta, struct rw_semaphore *sem)
8177 - asm volatile(LOCK_PREFIX "addl %1,%0"
8178 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
8180 +#ifdef CONFIG_PAX_REFCOUNT
8181 +#ifdef CONFIG_X86_32
8187 + ".pushsection .fixup,\"ax\"\n"
8189 + LOCK_PREFIX "subl %1,%0\n"
8192 + _ASM_EXTABLE(0b, 1b)
8198 @@ -249,7 +361,23 @@ static inline int rwsem_atomic_update(in
8202 - asm volatile(LOCK_PREFIX "xadd %0,%1"
8203 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
8205 +#ifdef CONFIG_PAX_REFCOUNT
8206 +#ifdef CONFIG_X86_32
8212 + ".pushsection .fixup,\"ax\"\n"
8217 + _ASM_EXTABLE(0b, 1b)
8220 : "+r" (tmp), "+m" (sem->count)
8223 diff -urNp linux-2.6.33/arch/x86/include/asm/segment.h linux-2.6.33/arch/x86/include/asm/segment.h
8224 --- linux-2.6.33/arch/x86/include/asm/segment.h 2010-02-24 13:52:17.000000000 -0500
8225 +++ linux-2.6.33/arch/x86/include/asm/segment.h 2010-03-07 12:23:35.925702533 -0500
8227 * 26 - ESPFIX small SS
8228 * 27 - per-cpu [ offset to per-cpu data area ]
8229 * 28 - stack_canary-20 [ for stack protector ]
8232 + * 29 - PCI BIOS CS
8233 + * 30 - PCI BIOS DS
8234 * 31 - TSS for double fault handler
8236 #define GDT_ENTRY_TLS_MIN 6
8239 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE + 0)
8241 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
8243 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE + 1)
8245 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE + 4)
8247 #define GDT_ENTRY_ESPFIX_SS (GDT_ENTRY_KERNEL_BASE + 14)
8248 #define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
8250 -#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
8251 +#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
8253 #define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
8255 @@ -102,6 +104,12 @@
8256 #define __KERNEL_STACK_CANARY 0
8259 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 17)
8260 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
8262 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 18)
8263 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
8265 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
8271 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
8272 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
8273 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
8278 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
8279 #define __USER32_DS __USER_DS
8281 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
8283 #define GDT_ENTRY_TSS 8 /* needs two entries */
8284 #define GDT_ENTRY_LDT 10 /* needs two entries */
8285 #define GDT_ENTRY_TLS_MIN 12
8289 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS * 8)
8290 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS * 8)
8291 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS * 8)
8292 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3)
8293 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3)
8294 diff -urNp linux-2.6.33/arch/x86/include/asm/spinlock.h linux-2.6.33/arch/x86/include/asm/spinlock.h
8295 --- linux-2.6.33/arch/x86/include/asm/spinlock.h 2010-02-24 13:52:17.000000000 -0500
8296 +++ linux-2.6.33/arch/x86/include/asm/spinlock.h 2010-03-07 12:23:35.925702533 -0500
8297 @@ -249,18 +249,50 @@ static inline int arch_write_can_lock(ar
8298 static inline void arch_read_lock(arch_rwlock_t *rw)
8300 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
8302 - "call __read_lock_failed\n\t"
8304 +#ifdef CONFIG_PAX_REFCOUNT
8305 +#ifdef CONFIG_X86_32
8311 + ".pushsection .fixup,\"ax\"\n"
8313 + LOCK_PREFIX " addl $1,(%0)\n"
8316 + _ASM_EXTABLE(0b, 1b)
8320 + "call __read_lock_failed\n\t"
8322 ::LOCK_PTR_REG (rw) : "memory");
8325 static inline void arch_write_lock(arch_rwlock_t *rw)
8327 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
8329 - "call __write_lock_failed\n\t"
8331 +#ifdef CONFIG_PAX_REFCOUNT
8332 +#ifdef CONFIG_X86_32
8338 + ".pushsection .fixup,\"ax\"\n"
8340 + LOCK_PREFIX " addl %1,(%0)\n"
8343 + _ASM_EXTABLE(0b, 1b)
8347 + "call __write_lock_failed\n\t"
8349 ::LOCK_PTR_REG (rw), "i" (RW_LOCK_BIAS) : "memory");
8352 @@ -286,12 +318,45 @@ static inline int arch_write_trylock(arc
8354 static inline void arch_read_unlock(arch_rwlock_t *rw)
8356 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
8357 + asm volatile(LOCK_PREFIX "incl %0\n"
8359 +#ifdef CONFIG_PAX_REFCOUNT
8360 +#ifdef CONFIG_X86_32
8366 + ".pushsection .fixup,\"ax\"\n"
8368 + LOCK_PREFIX "decl %0\n"
8371 + _ASM_EXTABLE(0b, 1b)
8374 + :"+m" (rw->lock) : : "memory");
8377 static inline void arch_write_unlock(arch_rwlock_t *rw)
8379 - asm volatile(LOCK_PREFIX "addl %1, %0"
8380 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
8382 +#ifdef CONFIG_PAX_REFCOUNT
8383 +#ifdef CONFIG_X86_32
8389 + ".pushsection .fixup,\"ax\"\n"
8391 + LOCK_PREFIX "subl %1,%0\n"
8394 + _ASM_EXTABLE(0b, 1b)
8397 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
8400 diff -urNp linux-2.6.33/arch/x86/include/asm/system.h linux-2.6.33/arch/x86/include/asm/system.h
8401 --- linux-2.6.33/arch/x86/include/asm/system.h 2010-02-24 13:52:17.000000000 -0500
8402 +++ linux-2.6.33/arch/x86/include/asm/system.h 2010-03-07 12:23:35.925702533 -0500
8403 @@ -202,7 +202,7 @@ static inline unsigned long get_limit(un
8405 unsigned long __limit;
8406 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
8407 - return __limit + 1;
8411 static inline void native_clts(void)
8412 @@ -342,7 +342,7 @@ void enable_hlt(void);
8414 void cpu_idle_wait(void);
8416 -extern unsigned long arch_align_stack(unsigned long sp);
8417 +#define arch_align_stack(x) ((x) & ~0xfUL)
8418 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
8420 void default_idle(void);
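Review bot: Replacing the `arch_align_stack()` prototype with `#define arch_align_stack(x) ((x) & ~0xfUL)` drops the type checking the function gave its callers and leaves no record of why the out-of-line version went away. A `static inline unsigned long arch_align_stack(unsigned long sp) { return sp & ~0xfUL; }` gives the same result with a checked signature. If the removed function also randomised the stack pointer (its body is not visible here), a comment saying where that now happens would help anyone auditing stack ASLR.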
8421 diff -urNp linux-2.6.33/arch/x86/include/asm/uaccess_32.h linux-2.6.33/arch/x86/include/asm/uaccess_32.h
8422 --- linux-2.6.33/arch/x86/include/asm/uaccess_32.h 2010-02-24 13:52:17.000000000 -0500
8423 +++ linux-2.6.33/arch/x86/include/asm/uaccess_32.h 2010-03-07 12:23:35.925702533 -0500
8424 @@ -44,6 +44,9 @@ unsigned long __must_check __copy_from_u
8425 static __always_inline unsigned long __must_check
8426 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
8431 if (__builtin_constant_p(n)) {
8434 @@ -62,6 +65,8 @@ __copy_to_user_inatomic(void __user *to,
8438 + if (!__builtin_constant_p(n))
8439 + check_object_size(from, n, true);
8440 return __copy_to_user_ll(to, from, n);
8443 @@ -89,6 +94,9 @@ __copy_to_user(void __user *to, const vo
8444 static __always_inline unsigned long
8445 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
8450 /* Avoid zeroing the tail if the copy fails..
8451 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
8452 * but as the zeroing behaviour is only significant when n is not
8453 @@ -138,6 +146,10 @@ static __always_inline unsigned long
8454 __copy_from_user(void *to, const void __user *from, unsigned long n)
8461 if (__builtin_constant_p(n)) {
8464 @@ -153,6 +165,8 @@ __copy_from_user(void *to, const void __
8468 + if (!__builtin_constant_p(n))
8469 + check_object_size(to, n, false);
8470 return __copy_from_user_ll(to, from, n);
8473 @@ -160,6 +174,10 @@ static __always_inline unsigned long __c
8474 const void __user *from, unsigned long n)
8481 if (__builtin_constant_p(n)) {
8484 @@ -182,15 +200,19 @@ static __always_inline unsigned long
8485 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
8488 - return __copy_from_user_ll_nocache_nozero(to, from, n);
8493 -unsigned long __must_check copy_to_user(void __user *to,
8494 - const void *from, unsigned long n);
8495 -unsigned long __must_check _copy_from_user(void *to,
8496 - const void __user *from,
8498 + return __copy_from_user_ll_nocache_nozero(to, from, n);
8501 +extern void copy_to_user_overflow(void)
8502 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
8503 + __compiletime_error("copy_to_user() buffer size is not provably correct")
8505 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
8509 extern void copy_from_user_overflow(void)
8510 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
8511 @@ -200,17 +222,61 @@ extern void copy_from_user_overflow(void
8515 -static inline unsigned long __must_check copy_from_user(void *to,
8516 - const void __user *from,
8519 + * copy_to_user: - Copy a block of data into user space.
8520 + * @to: Destination address, in user space.
8521 + * @from: Source address, in kernel space.
8522 + * @n: Number of bytes to copy.
8524 + * Context: User context only. This function may sleep.
8526 + * Copy data from kernel space to user space.
8528 + * Returns number of bytes that could not be copied.
8529 + * On success, this will be zero.
8531 +static inline unsigned long __must_check
8532 +copy_to_user(void __user *to, const void *from, unsigned long n)
8534 + int sz = __compiletime_object_size(from);
8536 + if (unlikely(sz != -1 && sz < n))
8537 + copy_to_user_overflow();
8538 + else if (access_ok(VERIFY_WRITE, to, n))
8539 + n = __copy_to_user(to, from, n);
8544 + * copy_from_user: - Copy a block of data from user space.
8545 + * @to: Destination address, in kernel space.
8546 + * @from: Source address, in user space.
8547 + * @n: Number of bytes to copy.
8549 + * Context: User context only. This function may sleep.
8551 + * Copy data from user space to kernel space.
8553 + * Returns number of bytes that could not be copied.
8554 + * On success, this will be zero.
8556 + * If some data could not be copied, this function will pad the copied
8557 + * data to the requested size using zero bytes.
8559 +static inline unsigned long __must_check
8560 +copy_from_user(void *to, const void __user *from, unsigned long n)
8562 int sz = __compiletime_object_size(to);
8564 - if (likely(sz == -1 || sz >= n))
8565 - n = _copy_from_user(to, from, n);
8567 + if (unlikely(sz != -1 && sz < n))
8568 copy_from_user_overflow();
8570 + else if (access_ok(VERIFY_READ, from, n))
8571 + n = __copy_from_user(to, from, n);
8572 + else if ((long)n > 0) {
8573 + if (!__builtin_constant_p(n))
8574 + check_object_size(to, n, false);
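Review bot: The kernel-doc added for `copy_from_user()` promises that the destination is padded with zero bytes when data cannot be copied, but the fallback branch is guarded by `else if ((long)n > 0)`, so a length with the top bit set skips it, and the `copy_from_user_overflow()` branch does not reach it either. The comment should state those exceptions, e.g. `* No padding is done when @n is negative as a long or when the compile-time size check fails.`. Callers that rely on the buffer being fully initialised after a failed copy need to know this, since the zeroing is what keeps stale kernel memory out of `to`. The zeroing statement itself is not among the lines shown, so this assumes it sits inside that branch.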
8580 diff -urNp linux-2.6.33/arch/x86/include/asm/uaccess_64.h linux-2.6.33/arch/x86/include/asm/uaccess_64.h
8581 --- linux-2.6.33/arch/x86/include/asm/uaccess_64.h 2010-02-24 13:52:17.000000000 -0500
8582 +++ linux-2.6.33/arch/x86/include/asm/uaccess_64.h 2010-03-07 12:23:35.925702533 -0500
8584 #include <linux/lockdep.h>
8585 #include <asm/page.h>
8587 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
8590 * Copy To/From Userspace
8593 /* Handles exceptions in both to and from, but doesn't do access_ok */
8594 __must_check unsigned long
8595 copy_user_generic(void *to, const void *from, unsigned len);
8597 -__must_check unsigned long
8598 -_copy_to_user(void __user *to, const void *from, unsigned len);
8599 -__must_check unsigned long
8600 -_copy_from_user(void *to, const void __user *from, unsigned len);
8601 +static __always_inline __must_check unsigned long
8602 +__copy_to_user(void __user *to, const void *from, unsigned len);
8603 +static __always_inline __must_check unsigned long
8604 +__copy_from_user(void *to, const void __user *from, unsigned len);
8605 __must_check unsigned long
8606 copy_in_user(void __user *to, const void __user *from, unsigned len);
8608 static inline unsigned long __must_check copy_from_user(void *to,
8609 const void __user *from,
8613 - int sz = __compiletime_object_size(to);
8616 - if (likely(sz == -1 || sz >= n))
8617 - n = _copy_from_user(to, from, n);
8618 -#ifdef CONFIG_DEBUG_VM
8620 - WARN(1, "Buffer overflow detected!\n");
8623 + if (access_ok(VERIFY_READ, from, n))
8624 + n = __copy_from_user(to, from, n);
8625 + else if ((int)n > 0) {
8626 + if (!__builtin_constant_p(n))
8627 + check_object_size(to, n, false);
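Review bot: The failure branch in the 64-bit `copy_from_user()` tests `(int)n > 0`, while the 32-bit version in uaccess_32.h uses `(long)n > 0`. If `n` is `unsigned long` here (the parameter line is not shown), the cast truncates on x86_64, so a large length whose low 32 bits are zero or look negative skips the branch. Either use `(long)n > 0` as on 32-bit, or add a comment that lengths above `INT_MAX` are deliberately treated as invalid, matching the `(int)size < 0` checks added to the `__copy_*` helpers further down.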
8633 @@ -46,17 +47,33 @@ int copy_to_user(void __user *dst, const
8637 - return _copy_to_user(dst, src, size);
8638 + if (access_ok(VERIFY_WRITE, dst, size))
8639 + size = __copy_to_user(dst, src, size);
8643 static __always_inline __must_check
8644 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
8645 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
8648 + int sz = __compiletime_object_size(dst);
8652 - if (!__builtin_constant_p(size))
8654 + if ((int)size < 0)
8657 + if (unlikely(sz != -1 && sz < size)) {
8658 +#ifdef CONFIG_DEBUG_VM
8659 + WARN(1, "Buffer overflow detected!\n");
8664 + if (!__builtin_constant_p(size)) {
8665 + check_object_size(dst, size, false);
8666 return copy_user_generic(dst, (__force void *)src, size);
8669 case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
8670 ret, "b", "b", "=q", 1);
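Review bot: The `WARN(1, "Buffer overflow detected!\n")` added to `__copy_from_user()` (and again to `__copy_to_user()` in the next hunk) names neither the function nor the sizes involved, and it is compiled only under `CONFIG_DEBUG_VM`, so as far as the visible lines show a rejected copy leaves no trace in the log on other builds. Including the values, e.g. `WARN(1, "__copy_from_user: object size %d < copy size %u\n", sz, size);`, makes the report actionable for whoever triages it. Both function bodies continue outside the hunk.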
8671 @@ -94,13 +111,27 @@ int __copy_from_user(void *dst, const vo
8674 static __always_inline __must_check
8675 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
8676 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
8679 + int sz = __compiletime_object_size(src);
8683 - if (!__builtin_constant_p(size))
8685 + if ((int)size < 0)
8688 + if (unlikely(sz != -1 && sz < size)) {
8689 +#ifdef CONFIG_DEBUG_VM
8690 + WARN(1, "Buffer overflow detected!\n");
8695 + if (!__builtin_constant_p(size)) {
8696 + check_object_size(src, size, true);
8697 return copy_user_generic((__force void *)dst, src, size);
8700 case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
8701 ret, "b", "b", "iq", 1);
8702 @@ -138,11 +169,15 @@ int __copy_to_user(void __user *dst, con
8705 static __always_inline __must_check
8706 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
8707 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
8714 + if ((int)size < 0)
8717 if (!__builtin_constant_p(size))
8718 return copy_user_generic((__force void *)dst,
8719 (__force void *)src, size);
8720 @@ -206,30 +241,38 @@ __copy_from_user_inatomic(void *dst, con
8721 return copy_user_generic(dst, (__force const void *)src, size);
8724 -static __must_check __always_inline int
8725 +static __must_check __always_inline unsigned long
8726 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
8728 + if ((int)size < 0)
8731 return copy_user_generic((__force void *)dst, src, size);
8734 -extern long __copy_user_nocache(void *dst, const void __user *src,
8735 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
8736 unsigned size, int zerorest);
8739 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
8740 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
8744 + if ((int)size < 0)
8747 return __copy_user_nocache(dst, src, size, 1);
8751 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
8752 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
8755 + if ((int)size < 0)
8758 return __copy_user_nocache(dst, src, size, 0);
8762 +extern unsigned long
8763 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
8765 #endif /* _ASM_X86_UACCESS_64_H */
8766 diff -urNp linux-2.6.33/arch/x86/include/asm/uaccess.h linux-2.6.33/arch/x86/include/asm/uaccess.h
8767 --- linux-2.6.33/arch/x86/include/asm/uaccess.h 2010-02-24 13:52:17.000000000 -0500
8768 +++ linux-2.6.33/arch/x86/include/asm/uaccess.h 2010-03-07 12:23:35.925702533 -0500
8770 #include <linux/thread_info.h>
8771 #include <linux/prefetch.h>
8772 #include <linux/string.h>
8773 +#include <linux/sched.h>
8774 +#include <linux/slab.h>
8775 #include <asm/asm.h>
8776 #include <asm/page.h>
8777 +#include <asm/segment.h>
8779 #define VERIFY_READ 0
8780 #define VERIFY_WRITE 1
8783 #define get_ds() (KERNEL_DS)
8784 #define get_fs() (current_thread_info()->addr_limit)
8785 +#ifdef CONFIG_X86_32
8786 +void __set_fs(mm_segment_t x, int cpu);
8787 +void set_fs(mm_segment_t x);
8789 #define set_fs(x) (current_thread_info()->addr_limit = (x))
8792 #define segment_eq(a, b) ((a).seg == (b).seg)
8795 * checks that the pointer is in the user space range - after calling
8796 * this function, memory access functions may still return -EFAULT.
8798 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
8799 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
8800 +#define access_ok(type, addr, size) \
8802 + long __size = size; \
8803 + unsigned long __addr = (unsigned long)addr; \
8804 + unsigned long __addr_ao = __addr & PAGE_MASK; \
8805 + unsigned long __end_ao = __addr + __size - 1; \
8806 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
8807 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
8808 + for (; __addr_ao <= __end_ao; __addr_ao += PAGE_SIZE) { \
8810 + if (__size > PAGE_SIZE) \
8812 + if (__get_user(__c_ao, (char __user *)__addr_ao))\
8814 + if (type != VERIFY_WRITE) \
8816 + if (__put_user(__c_ao, (char __user *)__addr_ao))\
8824 * The exception table consists of pairs of addresses: the first is the
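Review bot: The new `access_ok()` body uses its arguments unparenthesised — `(unsigned long)addr` and `long __size = size;` — so an expression argument such as `buf + off` is cast before the addition and the range is computed with byte instead of element arithmetic. These should read `unsigned long __addr = (unsigned long)(addr);`, `long __size = (size);` and `if ((type) != VERIFY_WRITE)`. Separately, the macro now calls `__get_user()` and, for writes, `__put_user()` on each page of a range that crosses a page boundary, so a check that used to be side-effect free can fault and rewrites user bytes non-atomically with respect to other threads of the process; the comment above it should say so, because callers in atomic context or racing with userspace writers are affected. Several lines of the macro are not shown on this page.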
8825 @@ -183,13 +213,21 @@ extern int __get_user_bad(void);
8826 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
8827 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
8830 +#ifdef CONFIG_X86_32
8831 +#define _ASM_LOAD_USER_DS(ds) "movw %w" #ds ",%%ds\n"
8832 +#define _ASM_LOAD_KERNEL_DS "pushl %%ss; popl %%ds\n"
8834 +#define _ASM_LOAD_USER_DS(ds)
8835 +#define _ASM_LOAD_KERNEL_DS
8838 #ifdef CONFIG_X86_32
8839 #define __put_user_asm_u64(x, addr, err, errret) \
8840 - asm volatile("1: movl %%eax,0(%2)\n" \
8841 - "2: movl %%edx,4(%2)\n" \
8842 + asm volatile(_ASM_LOAD_USER_DS(5) \
8843 + "1: movl %%eax,%%ds:0(%2)\n" \
8844 + "2: movl %%edx,%%ds:4(%2)\n" \
8846 + _ASM_LOAD_KERNEL_DS \
8847 ".section .fixup,\"ax\"\n" \
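Review bot: `_ASM_LOAD_USER_DS(5)` and `_ASM_LOAD_USER_DS(2)` hard-code the position of the `"r"(__USER_DS)` operand, so adding or removing an operand can silently load the wrong register into `%ds`. That applies to `__put_user_asm_u64` here and to `__put_user_asm_ex_u64` and the `__get_user_asm*`/`__put_user_asm*` macros in the following hunks. A named operand avoids it: declare the input as `[uds] "r"(__USER_DS)` and have the macro emit `"movw %w[uds],%%ds\n"`. If positional operands are kept, a comment next to each operand list stating which index the selector must occupy would at least make the coupling visible.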
8850 @@ -197,15 +235,18 @@ extern int __get_user_bad(void);
8851 _ASM_EXTABLE(1b, 4b) \
8852 _ASM_EXTABLE(2b, 4b) \
8854 - : "A" (x), "r" (addr), "i" (errret), "0" (err))
8855 + : "A" (x), "r" (addr), "i" (errret), "0" (err), \
8858 #define __put_user_asm_ex_u64(x, addr) \
8859 - asm volatile("1: movl %%eax,0(%1)\n" \
8860 - "2: movl %%edx,4(%1)\n" \
8861 + asm volatile(_ASM_LOAD_USER_DS(2) \
8862 + "1: movl %%eax,%%ds:0(%1)\n" \
8863 + "2: movl %%edx,%%ds:4(%1)\n" \
8865 + _ASM_LOAD_KERNEL_DS \
8866 _ASM_EXTABLE(1b, 2b - 1b) \
8867 _ASM_EXTABLE(2b, 3b - 2b) \
8868 - : : "A" (x), "r" (addr))
8869 + : : "A" (x), "r" (addr), "r"(__USER_DS))
8871 #define __put_user_x8(x, ptr, __ret_pu) \
8872 asm volatile("call __put_user_8" : "=a" (__ret_pu) \
8873 @@ -374,16 +415,18 @@ do { \
8876 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
8877 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
8878 + asm volatile(_ASM_LOAD_USER_DS(5) \
8879 + "1: mov"itype" %%ds:%2,%"rtype"1\n" \
8881 + _ASM_LOAD_KERNEL_DS \
8882 ".section .fixup,\"ax\"\n" \
8884 " xor"itype" %"rtype"1,%"rtype"1\n" \
8887 _ASM_EXTABLE(1b, 3b) \
8888 - : "=r" (err), ltype(x) \
8889 - : "m" (__m(addr)), "i" (errret), "0" (err))
8890 + : "=r" (err), ltype (x) \
8891 + : "m" (__m(addr)), "i" (errret), "0" (err), "r"(__USER_DS))
8893 #define __get_user_size_ex(x, ptr, size) \
8895 @@ -407,10 +450,12 @@ do { \
8898 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
8899 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
8900 + asm volatile(_ASM_LOAD_USER_DS(2) \
8901 + "1: mov"itype" %%ds:%1,%"rtype"0\n" \
8903 + _ASM_LOAD_KERNEL_DS \
8904 _ASM_EXTABLE(1b, 2b - 1b) \
8905 - : ltype(x) : "m" (__m(addr)))
8906 + : ltype(x) : "m" (__m(addr)), "r"(__USER_DS))
8908 #define __put_user_nocheck(x, ptr, size) \
8910 @@ -424,7 +469,7 @@ do { \
8912 unsigned long __gu_val; \
8913 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
8914 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
8915 + (x) = (__typeof__(*(ptr)))__gu_val; \
8919 @@ -438,21 +483,26 @@ struct __large_struct { unsigned long bu
8922 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
8923 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
8924 + asm volatile(_ASM_LOAD_USER_DS(5) \
8925 + "1: mov"itype" %"rtype"1,%%ds:%2\n" \
8927 + _ASM_LOAD_KERNEL_DS \
8928 ".section .fixup,\"ax\"\n" \
8932 _ASM_EXTABLE(1b, 3b) \
8934 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
8935 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err),\
8938 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
8939 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
8940 + asm volatile(_ASM_LOAD_USER_DS(2) \
8941 + "1: mov"itype" %"rtype"0,%%ds:%1\n" \
8943 + _ASM_LOAD_KERNEL_DS \
8944 _ASM_EXTABLE(1b, 2b - 1b) \
8945 - : : ltype(x), "m" (__m(addr)))
8946 + : : ltype(x), "m" (__m(addr)), "r"(__USER_DS))
8949 * uaccess_try and catch
8950 @@ -530,7 +580,7 @@ struct __large_struct { unsigned long bu
8951 #define get_user_ex(x, ptr) do { \
8952 unsigned long __gue_val; \
8953 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
8954 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
8955 + (x) = (__typeof__(*(ptr)))__gue_val; \
8958 #ifdef CONFIG_X86_WP_WORKS_OK
8959 @@ -567,6 +617,7 @@ extern struct movsl_mask {
8961 #define ARCH_HAS_NOCACHE_UACCESS 1
8963 +#define ARCH_HAS_SORT_EXTABLE
8964 #ifdef CONFIG_X86_32
8965 # include "uaccess_32.h"
8967 diff -urNp linux-2.6.33/arch/x86/include/asm/vgtod.h linux-2.6.33/arch/x86/include/asm/vgtod.h
8968 --- linux-2.6.33/arch/x86/include/asm/vgtod.h 2010-02-24 13:52:17.000000000 -0500
8969 +++ linux-2.6.33/arch/x86/include/asm/vgtod.h 2010-03-07 12:23:35.925702533 -0500
8970 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
8972 struct timezone sys_tz;
8973 struct { /* extract of a clocksource struct */
8975 cycle_t (*vread)(void);
8978 diff -urNp linux-2.6.33/arch/x86/include/asm/vmi.h linux-2.6.33/arch/x86/include/asm/vmi.h
8979 --- linux-2.6.33/arch/x86/include/asm/vmi.h 2010-02-24 13:52:17.000000000 -0500
8980 +++ linux-2.6.33/arch/x86/include/asm/vmi.h 2010-03-07 12:23:35.925702533 -0500
8981 @@ -191,6 +191,7 @@ struct vrom_header {
8982 u8 reserved[96]; /* Reserved for headers */
8983 char vmi_init[8]; /* VMI_Init jump point */
8984 char get_reloc[8]; /* VMI_GetRelocationInfo jump point */
8985 + char rom_data[8048]; /* rest of the option ROM */
8986 } __attribute__((packed));
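Review bot: `char rom_data[8048];` adds an unexplained size to `struct vrom_header`; it presumably pads the packed struct out to the full option-ROM length, but the fields that make up the rest are outside the hunk. Deriving the length from a named constant, or adding a `BUILD_BUG_ON(sizeof(struct vrom_header) != <expected size>)`, would keep the layout from drifting if a header field changes. The struct definition starts outside the hunk.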
8989 diff -urNp linux-2.6.33/arch/x86/include/asm/vsyscall.h linux-2.6.33/arch/x86/include/asm/vsyscall.h
8990 --- linux-2.6.33/arch/x86/include/asm/vsyscall.h 2010-02-24 13:52:17.000000000 -0500
8991 +++ linux-2.6.33/arch/x86/include/asm/vsyscall.h 2010-03-07 12:23:35.925702533 -0500
8992 @@ -15,9 +15,10 @@ enum vsyscall_num {
8995 #include <linux/seqlock.h>
8996 +#include <linux/getcpu.h>
8997 +#include <linux/time.h>
8999 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
9000 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
9002 /* Definitions for CONFIG_GENERIC_TIME definitions */
9003 #define __section_vsyscall_gtod_data __attribute__ \
9004 @@ -31,7 +32,6 @@ enum vsyscall_num {
9005 #define VGETCPU_LSL 2
9007 extern int __vgetcpu_mode;
9008 -extern volatile unsigned long __jiffies;
9010 /* kernel space (writeable) */
9011 extern int vgetcpu_mode;
9012 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
9014 extern void map_vsyscall(void);
9016 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
9017 +extern time_t vtime(time_t *t);
9018 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
9019 #endif /* __KERNEL__ */
9021 #endif /* _ASM_X86_VSYSCALL_H */
9022 diff -urNp linux-2.6.33/arch/x86/Kconfig linux-2.6.33/arch/x86/Kconfig
9023 --- linux-2.6.33/arch/x86/Kconfig 2010-02-24 13:52:17.000000000 -0500
9024 +++ linux-2.6.33/arch/x86/Kconfig 2010-03-07 12:23:35.925702533 -0500
9025 @@ -1088,7 +1088,7 @@ config PAGE_OFFSET
9027 default 0xB0000000 if VMSPLIT_3G_OPT
9028 default 0x80000000 if VMSPLIT_2G
9029 - default 0x78000000 if VMSPLIT_2G_OPT
9030 + default 0x70000000 if VMSPLIT_2G_OPT
9031 default 0x40000000 if VMSPLIT_1G
9034 @@ -1422,7 +1422,7 @@ config ARCH_USES_PG_UNCACHED
9037 bool "EFI runtime service support"
9039 + depends on ACPI && !PAX_KERNEXEC
9041 This enables the kernel to use EFI runtime services that are
9042 available (such as the EFI variable services).
9043 @@ -1509,6 +1509,7 @@ config KEXEC_JUMP
9044 config PHYSICAL_START
9045 hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
9047 + range 0x400000 0x40000000
9049 This gives the physical address where the kernel is loaded.
9051 @@ -1573,6 +1574,7 @@ config PHYSICAL_ALIGN
9053 prompt "Alignment value to which kernel should be aligned" if X86_32
9055 + range 0x400000 0x1000000 if PAX_KERNEXEC
9056 range 0x2000 0x1000000
9058 This value puts the alignment restrictions on physical address
9059 @@ -1604,9 +1606,10 @@ config HOTPLUG_CPU
9060 Say N if you want to disable CPU hotplug.
9065 prompt "Compat VDSO support"
9066 depends on X86_32 || IA32_EMULATION
9067 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
9069 Map the 32-bit VDSO to the predictable old-style address too.
9071 diff -urNp linux-2.6.33/arch/x86/Kconfig.cpu linux-2.6.33/arch/x86/Kconfig.cpu
9072 --- linux-2.6.33/arch/x86/Kconfig.cpu 2010-02-24 13:52:17.000000000 -0500
9073 +++ linux-2.6.33/arch/x86/Kconfig.cpu 2010-03-07 12:23:35.925702533 -0500
9074 @@ -336,7 +336,7 @@ config X86_PPRO_FENCE
9078 - depends on M586MMX || M586TSC || M586 || M486 || M386
9079 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
9081 config X86_WP_WORKS_OK
9083 @@ -356,7 +356,7 @@ config X86_POPAD_OK
9085 config X86_ALIGNMENT_16
9087 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
9088 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
9090 config X86_INTEL_USERCOPY
9092 @@ -402,7 +402,7 @@ config X86_CMPXCHG64
9096 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
9097 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
9099 config X86_MINIMUM_CPU_FAMILY
9101 diff -urNp linux-2.6.33/arch/x86/Kconfig.debug linux-2.6.33/arch/x86/Kconfig.debug
9102 --- linux-2.6.33/arch/x86/Kconfig.debug 2010-02-24 13:52:17.000000000 -0500
9103 +++ linux-2.6.33/arch/x86/Kconfig.debug 2010-03-07 12:23:35.925702533 -0500
9104 @@ -99,7 +99,7 @@ config X86_PTDUMP
9106 bool "Write protect kernel read-only data structures"
9108 - depends on DEBUG_KERNEL
9109 + depends on DEBUG_KERNEL && BROKEN
9111 Mark the kernel read-only data as write-protected in the pagetables,
9112 in order to catch accidental (and incorrect) writes to such const
9113 diff -urNp linux-2.6.33/arch/x86/kernel/acpi/boot.c linux-2.6.33/arch/x86/kernel/acpi/boot.c
9114 --- linux-2.6.33/arch/x86/kernel/acpi/boot.c 2010-02-24 13:52:17.000000000 -0500
9115 +++ linux-2.6.33/arch/x86/kernel/acpi/boot.c 2010-03-07 12:23:35.925702533 -0500
9116 @@ -1496,7 +1496,7 @@ static struct dmi_system_id __initdata a
9117 DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq 6715b"),
9121 + { NULL, NULL, {{0, {0}}}, NULL}
9125 diff -urNp linux-2.6.33/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.33/arch/x86/kernel/acpi/realmode/wakeup.S
9126 --- linux-2.6.33/arch/x86/kernel/acpi/realmode/wakeup.S 2010-02-24 13:52:17.000000000 -0500
9127 +++ linux-2.6.33/arch/x86/kernel/acpi/realmode/wakeup.S 2010-03-07 12:23:35.925702533 -0500
9128 @@ -104,7 +104,7 @@ _start:
9132 - movl $0xc0000080, %ecx
9133 + mov $MSR_EFER, %ecx
9137 diff -urNp linux-2.6.33/arch/x86/kernel/acpi/sleep.c linux-2.6.33/arch/x86/kernel/acpi/sleep.c
9138 --- linux-2.6.33/arch/x86/kernel/acpi/sleep.c 2010-02-24 13:52:17.000000000 -0500
9139 +++ linux-2.6.33/arch/x86/kernel/acpi/sleep.c 2010-03-07 12:23:35.925702533 -0500
9141 #include <linux/cpumask.h>
9142 #include <asm/segment.h>
9143 #include <asm/desc.h>
9144 +#include <asm/e820.h>
9146 #include "realmode/wakeup.h"
9149 -unsigned long acpi_wakeup_address;
9150 +unsigned long acpi_wakeup_address = 0x2000;
9151 unsigned long acpi_realmode_flags;
9153 /* address in low memory of the wakeup routine. */
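Review bot: `acpi_wakeup_address` is now initialised to the literal `0x2000` with no comment on where that low-memory address comes from or what reserves it. The added `#include <asm/e820.h>` suggests the page is reserved elsewhere in the patch, but nothing in this hunk ties the two together. A named constant shared with the reservation site, plus a comment such as `/* fixed real-mode wakeup trampoline address; must match the e820 reservation */`, would keep the two from diverging.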
9154 @@ -96,8 +97,12 @@ int acpi_save_state_mem(void)
9155 header->trampoline_segment = setup_trampoline() >> 4;
9157 stack_start.sp = temp_stack + sizeof(temp_stack);
9159 + pax_open_kernel();
9160 early_gdt_descr.address =
9161 (unsigned long)get_cpu_gdt_table(smp_processor_id());
9162 + pax_close_kernel();
9164 initial_gs = per_cpu_offset(smp_processor_id());
9166 initial_code = (unsigned long)wakeup_long64;
9167 diff -urNp linux-2.6.33/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.33/arch/x86/kernel/acpi/wakeup_32.S
9168 --- linux-2.6.33/arch/x86/kernel/acpi/wakeup_32.S 2010-02-24 13:52:17.000000000 -0500
9169 +++ linux-2.6.33/arch/x86/kernel/acpi/wakeup_32.S 2010-03-07 12:23:35.925702533 -0500
9170 @@ -30,13 +30,11 @@ wakeup_pmode_return:
9171 # and restore the stack ... but you need gdt for this to work
9172 movl saved_context_esp, %esp
9174 - movl %cs:saved_magic, %eax
9175 - cmpl $0x12345678, %eax
9176 + cmpl $0x12345678, saved_magic
9179 # jump to place where we left off
9180 - movl saved_eip, %eax
9186 diff -urNp linux-2.6.33/arch/x86/kernel/alternative.c linux-2.6.33/arch/x86/kernel/alternative.c
9187 --- linux-2.6.33/arch/x86/kernel/alternative.c 2010-02-24 13:52:17.000000000 -0500
9188 +++ linux-2.6.33/arch/x86/kernel/alternative.c 2010-03-07 12:23:35.929609343 -0500
9189 @@ -407,7 +407,7 @@ void __init_or_module apply_paravirt(str
9191 BUG_ON(p->len > MAX_PATCH_LEN);
9192 /* prep the buffer with the original instructions */
9193 - memcpy(insnbuf, p->instr, p->len);
9194 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
9195 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
9196 (unsigned long)p->instr, p->len);
9198 @@ -492,12 +492,16 @@ void __init alternative_instructions(voi
9199 * instructions. And on the local CPU you need to be protected again NMI or MCE
9200 * handlers seeing an inconsistent instruction while you patch.
9202 -static void *__init_or_module text_poke_early(void *addr, const void *opcode,
9203 +static void *__kprobes text_poke_early(void *addr, const void *opcode,
9206 unsigned long flags;
9207 local_irq_save(flags);
9208 - memcpy(addr, opcode, len);
9210 + pax_open_kernel();
9211 + memcpy(ktla_ktva(addr), opcode, len);
9212 + pax_close_kernel();
9215 local_irq_restore(flags);
9216 /* Could also do a CLFLUSH here to speed up CPU recovery; but
9217 @@ -520,35 +524,21 @@ static void *__init_or_module text_poke_
9219 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
9221 - unsigned long flags;
9223 + unsigned char *vaddr = ktla_ktva(addr);
9224 struct page *pages[2];
9228 if (!core_kernel_text((unsigned long)addr)) {
9229 - pages[0] = vmalloc_to_page(addr);
9230 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
9231 + pages[0] = vmalloc_to_page(vaddr);
9232 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
9234 - pages[0] = virt_to_page(addr);
9235 + pages[0] = virt_to_page(vaddr);
9236 WARN_ON(!PageReserved(pages[0]));
9237 - pages[1] = virt_to_page(addr + PAGE_SIZE);
9238 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
9241 - local_irq_save(flags);
9242 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
9244 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
9245 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
9246 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
9247 - clear_fixmap(FIX_TEXT_POKE0);
9249 - clear_fixmap(FIX_TEXT_POKE1);
9250 - local_flush_tlb();
9252 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
9253 - that causes hangs on some VIA CPUs. */
9254 + text_poke_early(addr, opcode, len);
9255 for (i = 0; i < len; i++)
9256 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
9257 - local_irq_restore(flags);
9258 + BUG_ON(((char *)vaddr)[i] != ((char *)opcode)[i]);
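Review bot: After this change `text_poke()` still looks up `pages[0]` and `pages[1]`, now from `vaddr`, but the `set_fixmap()`/`clear_fixmap()` calls that consumed them are removed, so in the visible lines only `WARN_ON(!PageReserved(pages[0]))` uses the result. The `pages[1]` lookups are dead stores and can go, and `pages[0]` should stay only if it is meant as a sanity check, with a comment saying so. Since the write now goes through `text_poke_early()` under `pax_open_kernel()`, a short comment stating that `text_poke()` no longer uses a temporary alias mapping would help readers.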
9261 diff -urNp linux-2.6.33/arch/x86/kernel/amd_iommu.c linux-2.6.33/arch/x86/kernel/amd_iommu.c
9262 --- linux-2.6.33/arch/x86/kernel/amd_iommu.c 2010-02-24 13:52:17.000000000 -0500
9263 +++ linux-2.6.33/arch/x86/kernel/amd_iommu.c 2010-03-07 12:23:35.929609343 -0500
9264 @@ -2210,7 +2210,7 @@ static void prealloc_protection_domains(
9268 -static struct dma_map_ops amd_iommu_dma_ops = {
9269 +static const struct dma_map_ops amd_iommu_dma_ops = {
9270 .alloc_coherent = alloc_coherent,
9271 .free_coherent = free_coherent,
9272 .map_page = map_page,
9273 diff -urNp linux-2.6.33/arch/x86/kernel/apic/io_apic.c linux-2.6.33/arch/x86/kernel/apic/io_apic.c
9274 --- linux-2.6.33/arch/x86/kernel/apic/io_apic.c 2010-02-24 13:52:17.000000000 -0500
9275 +++ linux-2.6.33/arch/x86/kernel/apic/io_apic.c 2010-03-07 12:23:35.929609343 -0500
9276 @@ -701,7 +701,7 @@ struct IO_APIC_route_entry **alloc_ioapi
9277 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
9279 if (!ioapic_entries)
9283 for (apic = 0; apic < nr_ioapics; apic++) {
9284 ioapic_entries[apic] =
9285 @@ -718,7 +718,7 @@ nomem:
9286 kfree(ioapic_entries[apic]);
9287 kfree(ioapic_entries);
9294 @@ -1135,7 +1135,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
9296 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
9298 -void lock_vector_lock(void)
9299 +void lock_vector_lock(void) __acquires(vector_lock)
9301 /* Used to the online set of cpus does not change
9302 * during assign_irq_vector.
9303 @@ -1143,7 +1143,7 @@ void lock_vector_lock(void)
9304 spin_lock(&vector_lock);
9307 -void unlock_vector_lock(void)
9308 +void unlock_vector_lock(void) __releases(vector_lock)
9310 spin_unlock(&vector_lock);
9312 diff -urNp linux-2.6.33/arch/x86/kernel/apm_32.c linux-2.6.33/arch/x86/kernel/apm_32.c
9313 --- linux-2.6.33/arch/x86/kernel/apm_32.c 2010-02-24 13:52:17.000000000 -0500
9314 +++ linux-2.6.33/arch/x86/kernel/apm_32.c 2010-03-07 12:23:35.929609343 -0500
9315 @@ -410,7 +410,7 @@ static DEFINE_MUTEX(apm_mutex);
9316 * This is for buggy BIOS's that refer to (real mode) segment 0x40
9317 * even though they are called in protected mode.
9319 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
9320 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
9321 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
9323 static const char driver_version[] = "1.16ac"; /* no spaces */
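Review bot: The descriptor flags for `bad_bios_desc` change from `0x4092` to `0x4093` without a comment; the only difference is the accessed bit in the type field. Presumably it is preset so the CPU does not have to write the bit back into a GDT that this patch keeps read-only outside `pax_open_kernel()` sections, and that reasoning belongs next to the constant, e.g. `/* accessed bit preset: the CPU must not need to write to the GDT on segment load */`.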
9324 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
9326 gdt = get_cpu_gdt_table(cpu);
9327 save_desc_40 = gdt[0x40 / 8];
9329 + pax_open_kernel();
9330 gdt[0x40 / 8] = bad_bios_desc;
9331 + pax_close_kernel();
9333 apm_irq_save(flags);
9335 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
9337 APM_DO_RESTORE_SEGS;
9338 apm_irq_restore(flags);
9340 + pax_open_kernel();
9341 gdt[0x40 / 8] = save_desc_40;
9342 + pax_close_kernel();
9346 return call->eax & 0xff;
9347 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
9349 gdt = get_cpu_gdt_table(cpu);
9350 save_desc_40 = gdt[0x40 / 8];
9352 + pax_open_kernel();
9353 gdt[0x40 / 8] = bad_bios_desc;
9354 + pax_close_kernel();
9356 apm_irq_save(flags);
9358 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
9360 APM_DO_RESTORE_SEGS;
9361 apm_irq_restore(flags);
9363 + pax_open_kernel();
9364 gdt[0x40 / 8] = save_desc_40;
9365 + pax_close_kernel();
9370 @@ -975,7 +989,7 @@ recalc:
9372 static void apm_power_off(void)
9374 - unsigned char po_bios_call[] = {
9375 + const unsigned char po_bios_call[] = {
9376 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
9377 0x8e, 0xd0, /* movw ax,ss */
9378 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
9379 @@ -1931,7 +1945,10 @@ static const struct file_operations apm_
9380 static struct miscdevice apm_device = {
9391 @@ -2252,7 +2269,7 @@ static struct dmi_system_id __initdata a
9392 { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
9396 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
9400 @@ -2355,12 +2372,15 @@ static int __init apm_init(void)
9403 gdt = get_cpu_gdt_table(0);
9405 + pax_open_kernel();
9406 set_desc_base(&gdt[APM_CS >> 3],
9407 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
9408 set_desc_base(&gdt[APM_CS_16 >> 3],
9409 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
9410 set_desc_base(&gdt[APM_DS >> 3],
9411 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
9412 + pax_close_kernel();
9414 proc_create("apm", 0, NULL, &apm_file_ops);
9416 diff -urNp linux-2.6.33/arch/x86/kernel/asm-offsets_32.c linux-2.6.33/arch/x86/kernel/asm-offsets_32.c
9417 --- linux-2.6.33/arch/x86/kernel/asm-offsets_32.c 2010-02-24 13:52:17.000000000 -0500
9418 +++ linux-2.6.33/arch/x86/kernel/asm-offsets_32.c 2010-03-07 12:23:35.929609343 -0500
9419 @@ -115,6 +115,11 @@ void foo(void)
9420 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
9421 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
9422 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
9424 +#ifdef CONFIG_PAX_KERNEXEC
9425 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
9431 diff -urNp linux-2.6.33/arch/x86/kernel/asm-offsets_64.c linux-2.6.33/arch/x86/kernel/asm-offsets_64.c
9432 --- linux-2.6.33/arch/x86/kernel/asm-offsets_64.c 2010-02-24 13:52:17.000000000 -0500
9433 +++ linux-2.6.33/arch/x86/kernel/asm-offsets_64.c 2010-03-07 12:23:55.597717555 -0500
9434 @@ -63,6 +63,12 @@ int main(void)
9435 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
9436 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
9437 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
9439 +#ifdef CONFIG_PAX_KERNEXEC
9440 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
9441 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
9447 @@ -115,6 +121,7 @@ int main(void)
9451 + DEFINE(TSS_size, sizeof(struct tss_struct));
9452 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
9454 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
9455 diff -urNp linux-2.6.33/arch/x86/kernel/cpu/common.c linux-2.6.33/arch/x86/kernel/cpu/common.c
9456 --- linux-2.6.33/arch/x86/kernel/cpu/common.c 2010-02-24 13:52:17.000000000 -0500
9457 +++ linux-2.6.33/arch/x86/kernel/cpu/common.c 2010-03-07 12:23:35.929609343 -0500
9458 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
9460 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
9462 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
9463 -#ifdef CONFIG_X86_64
9465 - * We need valid kernel segments for data and code in long mode too
9466 - * IRET will check the segment types kkeil 2000/10/28
9467 - * Also sysret mandates a special GDT layout
9469 - * TLS descriptors are currently at a different place compared to i386.
9470 - * Hopefully nobody expects them at a fixed place (Wine?)
9472 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
9473 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
9474 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
9475 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
9476 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
9477 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
9479 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
9480 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
9481 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
9482 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
9484 - * Segments used for calling PnP BIOS have byte granularity.
9485 - * They code segments and data segments have fixed 64k limits,
9486 - * the transfer segment sizes are set at run time.
9489 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
9491 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
9493 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
9495 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
9497 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
9499 - * The APM segments have byte granularity and their bases
9500 - * are set at run time. All have 64k limits.
9503 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
9505 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
9507 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
9509 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
9510 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
9511 - GDT_STACK_CANARY_INIT
9514 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
9516 static int __init x86_xsave_setup(char *s)
9518 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
9519 @@ -344,7 +290,7 @@ void switch_to_new_gdt(int cpu)
9521 struct desc_ptr gdt_descr;
9523 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
9524 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
9525 gdt_descr.size = GDT_SIZE - 1;
9526 load_gdt(&gdt_descr);
9527 /* Reload the per-cpu base */
9528 @@ -802,6 +748,10 @@ static void __cpuinit identify_cpu(struc
9529 /* Filter out anything that depends on CPUID levels we don't have */
9530 filter_cpuid_features(c, true);
9532 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
9533 + setup_clear_cpu_cap(X86_FEATURE_SEP);
9536 /* If the model name is still unset, do table lookup. */
9537 if (!c->x86_model_id[0]) {
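Review bot: The added `setup_clear_cpu_cap(X86_FEATURE_SEP);` carries no comment, so a reader cannot tell why SYSENTER is masked whenever SEGMEXEC, KERNEXEC or 32-bit UDEREF is configured. Such a kernel also loses the feature on every boot, with no run-time switch visible here. I would add a line above the call, e.g. `/* SEP is masked with these options because ... (TODO: state the reason) */`. The KERNEXEC term is not restricted to CONFIG_X86_32 while the UDEREF term is; if that asymmetry is intended, the comment should say so. identify_cpu's body continues outside the hunk.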
9539 @@ -1103,7 +1053,7 @@ void __cpuinit cpu_init(void)
9542 cpu = stack_smp_processor_id();
9543 - t = &per_cpu(init_tss, cpu);
9544 + t = init_tss + cpu;
9545 oist = &per_cpu(orig_ist, cpu);
9548 @@ -1201,7 +1151,7 @@ void __cpuinit cpu_init(void)
9550 int cpu = smp_processor_id();
9551 struct task_struct *curr = current;
9552 - struct tss_struct *t = &per_cpu(init_tss, cpu);
9553 + struct tss_struct *t = init_tss + cpu;
9554 struct thread_struct *thread = &curr->thread;
9556 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
9557 diff -urNp linux-2.6.33/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.33/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
9558 --- linux-2.6.33/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-02-24 13:52:17.000000000 -0500
9559 +++ linux-2.6.33/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-03-07 12:23:35.929609343 -0500
9560 @@ -523,7 +523,7 @@ static const struct dmi_system_id sw_any
9561 DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
9565 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
9568 static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
9569 diff -urNp linux-2.6.33/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.33/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
9570 --- linux-2.6.33/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-02-24 13:52:17.000000000 -0500
9571 +++ linux-2.6.33/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-03-07 12:23:35.929609343 -0500
9572 @@ -225,7 +225,7 @@ static struct cpu_model models[] =
9573 { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
9574 { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
9577 + { NULL, NULL, 0, NULL}
9581 diff -urNp linux-2.6.33/arch/x86/kernel/cpu/intel.c linux-2.6.33/arch/x86/kernel/cpu/intel.c
9582 --- linux-2.6.33/arch/x86/kernel/cpu/intel.c 2010-02-24 13:52:17.000000000 -0500
9583 +++ linux-2.6.33/arch/x86/kernel/cpu/intel.c 2010-03-07 12:23:35.929609343 -0500
9584 @@ -139,7 +139,7 @@ static void __cpuinit trap_init_f00f_bug
9585 * Update the IDT descriptor and reload the IDT so that
9586 * it uses the read-only mapped virtual address.
9588 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
9589 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
9590 load_idt(&idt_descr);
9593 diff -urNp linux-2.6.33/arch/x86/kernel/cpu/intel_cacheinfo.c linux-2.6.33/arch/x86/kernel/cpu/intel_cacheinfo.c
9594 --- linux-2.6.33/arch/x86/kernel/cpu/intel_cacheinfo.c 2010-02-24 13:52:17.000000000 -0500
9595 +++ linux-2.6.33/arch/x86/kernel/cpu/intel_cacheinfo.c 2010-03-07 12:23:35.929609343 -0500
9596 @@ -848,7 +848,7 @@ static ssize_t store(struct kobject *kob
9600 -static struct sysfs_ops sysfs_ops = {
9601 +static const struct sysfs_ops sysfs_ops = {
9605 diff -urNp linux-2.6.33/arch/x86/kernel/cpu/Makefile linux-2.6.33/arch/x86/kernel/cpu/Makefile
9606 --- linux-2.6.33/arch/x86/kernel/cpu/Makefile 2010-02-24 13:52:17.000000000 -0500
9607 +++ linux-2.6.33/arch/x86/kernel/cpu/Makefile 2010-03-07 12:23:35.929609343 -0500
9608 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
9609 CFLAGS_REMOVE_perf_event.o = -pg
9612 -# Make sure load_percpu_segment has no stackprotector
9613 -nostackp := $(call cc-option, -fno-stack-protector)
9614 -CFLAGS_common.o := $(nostackp)
9616 obj-y := intel_cacheinfo.o addon_cpuid_features.o
9617 obj-y += proc.o capflags.o powerflags.o common.o
9618 obj-y += vmware.o hypervisor.o sched.o
9619 diff -urNp linux-2.6.33/arch/x86/kernel/cpu/mcheck/mce_amd.c linux-2.6.33/arch/x86/kernel/cpu/mcheck/mce_amd.c
9620 --- linux-2.6.33/arch/x86/kernel/cpu/mcheck/mce_amd.c 2010-02-24 13:52:17.000000000 -0500
9621 +++ linux-2.6.33/arch/x86/kernel/cpu/mcheck/mce_amd.c 2010-03-07 12:23:35.929609343 -0500
9622 @@ -388,7 +388,7 @@ static ssize_t store(struct kobject *kob
9626 -static struct sysfs_ops threshold_ops = {
9627 +static const struct sysfs_ops threshold_ops = {
9631 diff -urNp linux-2.6.33/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.33/arch/x86/kernel/cpu/mcheck/mce.c
9632 --- linux-2.6.33/arch/x86/kernel/cpu/mcheck/mce.c 2010-02-24 13:52:17.000000000 -0500
9633 +++ linux-2.6.33/arch/x86/kernel/cpu/mcheck/mce.c 2010-03-07 12:23:35.933601961 -0500
9634 @@ -201,7 +201,7 @@ static void print_mce(struct mce *m)
9635 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
9638 - if (m->cs == __KERNEL_CS)
9639 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
9640 print_symbol("{%s}", m->ip);
9643 @@ -1444,14 +1444,14 @@ void __cpuinit mcheck_cpu_init(struct cp
9646 static DEFINE_SPINLOCK(mce_state_lock);
9647 -static int open_count; /* #times opened */
9648 +static atomic_t open_count; /* #times opened */
9649 static int open_exclu; /* already open exclusive? */
9651 static int mce_open(struct inode *inode, struct file *file)
9653 spin_lock(&mce_state_lock);
9655 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
9656 + if (open_exclu || (atomic_read(&open_count) && (file->f_flags & O_EXCL))) {
9657 spin_unlock(&mce_state_lock);
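Review bot: `open_count` becomes an `atomic_t`, but every access in these hunks (`atomic_read` here, `atomic_inc` further down in mce_open, `atomic_dec` in mce_release) still happens with `mce_state_lock` held, so the atomic type adds no synchronisation. If the intent is overflow-checked counting and not lock-free access, the declaration should say so, e.g. `static atomic_t open_count; /* #times opened; atomic_t for overflow checking (assumed), still under mce_state_lock */`. An explicit `= ATOMIC_INIT(0)` would also make the start value visible. mce_open continues outside this hunk.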
9660 @@ -1459,7 +1459,7 @@ static int mce_open(struct inode *inode,
9662 if (file->f_flags & O_EXCL)
9665 + atomic_inc(&open_count);
9667 spin_unlock(&mce_state_lock);
9669 @@ -1470,7 +1470,7 @@ static int mce_release(struct inode *ino
9671 spin_lock(&mce_state_lock);
9674 + atomic_dec(&open_count);
9677 spin_unlock(&mce_state_lock);
9678 @@ -1610,6 +1610,7 @@ static struct miscdevice mce_log_device
9682 + {NULL, NULL}, NULL, NULL
9686 diff -urNp linux-2.6.33/arch/x86/kernel/cpu/mtrr/amd.c linux-2.6.33/arch/x86/kernel/cpu/mtrr/amd.c
9687 --- linux-2.6.33/arch/x86/kernel/cpu/mtrr/amd.c 2010-02-24 13:52:17.000000000 -0500
9688 +++ linux-2.6.33/arch/x86/kernel/cpu/mtrr/amd.c 2010-03-07 12:23:35.933601961 -0500
9689 @@ -108,7 +108,7 @@ amd_validate_add_page(unsigned long base
9693 -static struct mtrr_ops amd_mtrr_ops = {
9694 +static const struct mtrr_ops amd_mtrr_ops = {
9695 .vendor = X86_VENDOR_AMD,
9696 .set = amd_set_mtrr,
9697 .get = amd_get_mtrr,
9698 diff -urNp linux-2.6.33/arch/x86/kernel/cpu/mtrr/centaur.c linux-2.6.33/arch/x86/kernel/cpu/mtrr/centaur.c
9699 --- linux-2.6.33/arch/x86/kernel/cpu/mtrr/centaur.c 2010-02-24 13:52:17.000000000 -0500
9700 +++ linux-2.6.33/arch/x86/kernel/cpu/mtrr/centaur.c 2010-03-07 12:23:35.933601961 -0500
9701 @@ -110,7 +110,7 @@ centaur_validate_add_page(unsigned long
9705 -static struct mtrr_ops centaur_mtrr_ops = {
9706 +static const struct mtrr_ops centaur_mtrr_ops = {
9707 .vendor = X86_VENDOR_CENTAUR,
9708 .set = centaur_set_mcr,
9709 .get = centaur_get_mcr,
9710 diff -urNp linux-2.6.33/arch/x86/kernel/cpu/mtrr/cyrix.c linux-2.6.33/arch/x86/kernel/cpu/mtrr/cyrix.c
9711 --- linux-2.6.33/arch/x86/kernel/cpu/mtrr/cyrix.c 2010-02-24 13:52:17.000000000 -0500
9712 +++ linux-2.6.33/arch/x86/kernel/cpu/mtrr/cyrix.c 2010-03-07 12:23:35.933601961 -0500
9713 @@ -265,7 +265,7 @@ static void cyrix_set_all(void)
9717 -static struct mtrr_ops cyrix_mtrr_ops = {
9718 +static const struct mtrr_ops cyrix_mtrr_ops = {
9719 .vendor = X86_VENDOR_CYRIX,
9720 .set_all = cyrix_set_all,
9721 .set = cyrix_set_arr,
9722 diff -urNp linux-2.6.33/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.33/arch/x86/kernel/cpu/mtrr/generic.c
9723 --- linux-2.6.33/arch/x86/kernel/cpu/mtrr/generic.c 2010-02-24 13:52:17.000000000 -0500
9724 +++ linux-2.6.33/arch/x86/kernel/cpu/mtrr/generic.c 2010-03-07 12:23:35.933601961 -0500
9725 @@ -29,7 +29,7 @@ static struct fixed_range_block fixed_ra
9726 { MSR_MTRRfix64K_00000, 1 }, /* one 64k MTRR */
9727 { MSR_MTRRfix16K_80000, 2 }, /* two 16k MTRRs */
9728 { MSR_MTRRfix4K_C0000, 8 }, /* eight 4k MTRRs */
9733 static unsigned long smp_changes_mask;
9734 @@ -752,7 +752,7 @@ int positive_have_wrcomb(void)
9736 * Generic structure...
9738 -struct mtrr_ops generic_mtrr_ops = {
9739 +const struct mtrr_ops generic_mtrr_ops = {
9741 .set_all = generic_set_all,
9742 .get = generic_get_mtrr,
9743 diff -urNp linux-2.6.33/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.33/arch/x86/kernel/cpu/mtrr/main.c
9744 --- linux-2.6.33/arch/x86/kernel/cpu/mtrr/main.c 2010-02-24 13:52:17.000000000 -0500
9745 +++ linux-2.6.33/arch/x86/kernel/cpu/mtrr/main.c 2010-03-07 12:23:35.933601961 -0500
9746 @@ -60,14 +60,14 @@ static DEFINE_MUTEX(mtrr_mutex);
9747 u64 size_or_mask, size_and_mask;
9748 static bool mtrr_aps_delayed_init;
9750 -static struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
9751 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
9753 -struct mtrr_ops *mtrr_if;
9754 +const struct mtrr_ops *mtrr_if;
9756 static void set_mtrr(unsigned int reg, unsigned long base,
9757 unsigned long size, mtrr_type type);
9759 -void set_mtrr_ops(struct mtrr_ops *ops)
9760 +void set_mtrr_ops(const struct mtrr_ops *ops)
9762 if (ops->vendor && ops->vendor < X86_VENDOR_NUM)
9763 mtrr_ops[ops->vendor] = ops;
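Review bot: `mtrr_ops[]` is now tagged `__read_only`, yet `set_mtrr_ops()` at the end of this hunk still stores into it with a plain assignment, without the `pax_open_kernel()`/`pax_close_kernel()` bracket this patch uses for the GDT writes in apm_32.c. That presumably works only if every caller runs before read-only data is write-protected; if so, record it with `/* callers run during early init, before __read_only data is protected */` or mark the function `__init`. Also `mtrr_if`, the pointer that `is_cpu()` and `use_intel()` actually dereference, gets a const target but stays writable itself, which is inconsistent with protecting the table. set_mtrr_ops's body ends outside the hunk.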
9764 diff -urNp linux-2.6.33/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.33/arch/x86/kernel/cpu/mtrr/mtrr.h
9765 --- linux-2.6.33/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-02-24 13:52:17.000000000 -0500
9766 +++ linux-2.6.33/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-03-07 12:23:35.933601961 -0500
9768 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
9773 - void (*set)(unsigned int reg, unsigned long base,
9775 + const u32 use_intel_if;
9776 + void (* const set)(unsigned int reg, unsigned long base,
9777 unsigned long size, mtrr_type type);
9778 - void (*set_all)(void);
9779 + void (* const set_all)(void);
9781 - void (*get)(unsigned int reg, unsigned long *base,
9782 + void (* const get)(unsigned int reg, unsigned long *base,
9783 unsigned long *size, mtrr_type *type);
9784 - int (*get_free_region)(unsigned long base, unsigned long size,
9785 + int (* const get_free_region)(unsigned long base, unsigned long size,
9787 - int (*validate_add_page)(unsigned long base, unsigned long size,
9788 + int (* const validate_add_page)(unsigned long base, unsigned long size,
9790 - int (*have_wrcomb)(void);
9791 + int (* const have_wrcomb)(void);
9794 extern int generic_get_free_region(unsigned long base, unsigned long size,
9795 @@ -32,7 +32,7 @@ extern int generic_get_free_region(unsig
9796 extern int generic_validate_add_page(unsigned long base, unsigned long size,
9799 -extern struct mtrr_ops generic_mtrr_ops;
9800 +extern const struct mtrr_ops generic_mtrr_ops;
9802 extern int positive_have_wrcomb(void);
9804 @@ -53,10 +53,10 @@ void fill_mtrr_var_range(unsigned int in
9805 u32 base_lo, u32 base_hi, u32 mask_lo, u32 mask_hi);
9806 void get_mtrr_state(void);
9808 -extern void set_mtrr_ops(struct mtrr_ops *ops);
9809 +extern void set_mtrr_ops(const struct mtrr_ops *ops);
9811 extern u64 size_or_mask, size_and_mask;
9812 -extern struct mtrr_ops *mtrr_if;
9813 +extern const struct mtrr_ops *mtrr_if;
9815 #define is_cpu(vnd) (mtrr_if && mtrr_if->vendor == X86_VENDOR_##vnd)
9816 #define use_intel() (mtrr_if && mtrr_if->use_intel_if == 1)
9817 diff -urNp linux-2.6.33/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.33/arch/x86/kernel/cpu/perfctr-watchdog.c
9818 --- linux-2.6.33/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-02-24 13:52:17.000000000 -0500
9819 +++ linux-2.6.33/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-03-07 12:23:35.933601961 -0500
9820 @@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
9822 /* Interface defining a CPU specific perfctr watchdog */
9824 - int (*reserve)(void);
9825 - void (*unreserve)(void);
9826 - int (*setup)(unsigned nmi_hz);
9827 - void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
9828 - void (*stop)(void);
9829 + int (* const reserve)(void);
9830 + void (* const unreserve)(void);
9831 + int (* const setup)(unsigned nmi_hz);
9832 + void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
9833 + void (* const stop)(void);
9837 @@ -645,6 +645,7 @@ static const struct wd_ops p4_wd_ops = {
9838 #define ARCH_PERFMON_NMI_EVENT_SEL ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
9839 #define ARCH_PERFMON_NMI_EVENT_UMASK ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
9841 +/* cannot be const */
9842 static struct wd_ops intel_arch_wd_ops;
9844 static int setup_intel_arch_watchdog(unsigned nmi_hz)
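Review bot: The new comment `/* cannot be const */` on `intel_arch_wd_ops` (here and on its definition in the next hunk) gives the conclusion but not the reason, which is what a later const-ification pass needs. The function-pointer members of `struct wd_ops` become `* const` in the first hunk of this file, so presumably some non-pointer member is assigned at run time. Name it, e.g. `/* cannot be const: <field> is set at probe time (TODO confirm) */`. It is also worth saying that this object therefore stays writable, unlike `p4_wd_ops`.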
9845 @@ -697,6 +698,7 @@ static int setup_intel_arch_watchdog(uns
9849 +/* cannot be const */
9850 static struct wd_ops intel_arch_wd_ops __read_mostly = {
9851 .reserve = single_msr_reserve,
9852 .unreserve = single_msr_unreserve,
9853 diff -urNp linux-2.6.33/arch/x86/kernel/cpu/perf_event.c linux-2.6.33/arch/x86/kernel/cpu/perf_event.c
9854 --- linux-2.6.33/arch/x86/kernel/cpu/perf_event.c 2010-02-24 13:52:17.000000000 -0500
9855 +++ linux-2.6.33/arch/x86/kernel/cpu/perf_event.c 2010-03-07 12:23:35.933601961 -0500
9856 @@ -2426,7 +2426,7 @@ perf_callchain_user(struct pt_regs *regs
9859 callchain_store(entry, frame.return_address);
9860 - fp = frame.next_frame;
9861 + fp = (__force const void __user *)frame.next_frame;
9865 diff -urNp linux-2.6.33/arch/x86/kernel/crash.c linux-2.6.33/arch/x86/kernel/crash.c
9866 --- linux-2.6.33/arch/x86/kernel/crash.c 2010-02-24 13:52:17.000000000 -0500
9867 +++ linux-2.6.33/arch/x86/kernel/crash.c 2010-03-07 12:23:35.933601961 -0500
9868 @@ -41,7 +41,7 @@ static void kdump_nmi_callback(int cpu,
9871 #ifdef CONFIG_X86_32
9872 - if (!user_mode_vm(regs)) {
9873 + if (!user_mode(regs)) {
9874 crash_fixup_ss_esp(&fixed_regs, regs);
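Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` is only safe if `user_mode()` is redefined elsewhere in this patch to account for vm86 frames, and that definition is not visible here. With the upstream 32-bit definition, which looks only at the RPL bits of `regs->cs`, a vm86 frame can be classified as kernel mode and `crash_fixup_ss_esp()` would treat it as a kernel frame. The same substitution appears in show_registers() in dumpstack_32.c and in __die() and die() in dumpstack.c, so the requirement applies there too. A one-line comment at the `user_mode()` definition stating that it covers `X86_EFLAGS_VM` would make the dependency explicit.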
9877 diff -urNp linux-2.6.33/arch/x86/kernel/doublefault_32.c linux-2.6.33/arch/x86/kernel/doublefault_32.c
9878 --- linux-2.6.33/arch/x86/kernel/doublefault_32.c 2010-02-24 13:52:17.000000000 -0500
9879 +++ linux-2.6.33/arch/x86/kernel/doublefault_32.c 2010-03-07 12:23:35.933601961 -0500
9882 #define DOUBLEFAULT_STACKSIZE (1024)
9883 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
9884 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
9885 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
9887 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
9889 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
9890 unsigned long gdt, tss;
9892 store_gdt(&gdt_desc);
9893 - gdt = gdt_desc.address;
9894 + gdt = (unsigned long)gdt_desc.address;
9896 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
9898 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
9899 /* 0x2 bit is always set */
9900 .flags = X86_EFLAGS_SF | 0x2,
9903 + .es = __KERNEL_DS,
9907 + .ds = __KERNEL_DS,
9908 .fs = __KERNEL_PERCPU,
9910 .__cr3 = __pa_nodebug(swapper_pg_dir),
9911 diff -urNp linux-2.6.33/arch/x86/kernel/dumpstack_32.c linux-2.6.33/arch/x86/kernel/dumpstack_32.c
9912 --- linux-2.6.33/arch/x86/kernel/dumpstack_32.c 2010-02-24 13:52:17.000000000 -0500
9913 +++ linux-2.6.33/arch/x86/kernel/dumpstack_32.c 2010-03-07 12:23:35.933601961 -0500
9914 @@ -112,11 +112,12 @@ void show_registers(struct pt_regs *regs
9915 * When in-kernel, we also print out the stack and code at the
9916 * time of the fault..
9918 - if (!user_mode_vm(regs)) {
9919 + if (!user_mode(regs)) {
9920 unsigned int code_prologue = code_bytes * 43 / 64;
9921 unsigned int code_len = code_bytes;
9924 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
9926 printk(KERN_EMERG "Stack:\n");
9927 show_stack_log_lvl(NULL, regs, ®s->sp,
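Review bot: The new `cs_base` lookup indexes the per-CPU GDT with `(0xffff & regs->cs) >> 3` without checking the index or the table-indicator bit, and it runs in the oops path, where `regs` may already be damaged. A selector above the table size reads past the GDT, and one with bit 2 set names an LDT entry, not a GDT one. I would bound it first: `unsigned int sel = regs->cs & 0xffff;` then `unsigned long cs_base = (!(sel & 4) && (sel >> 3) < GDT_ENTRIES) ? get_desc_base(&get_cpu_gdt_table(smp_processor_id())[sel >> 3]) : 0;`. The following hunks add `cs_base` to `regs->ip` before the `probe_kernel_address()` guard, so a wrong base only misprints code bytes, but the out-of-range descriptor read happens before that guard. show_registers starts and ends outside the hunk.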
9928 @@ -124,10 +125,10 @@ void show_registers(struct pt_regs *regs
9930 printk(KERN_EMERG "Code: ");
9932 - ip = (u8 *)regs->ip - code_prologue;
9933 + ip = (u8 *)regs->ip - code_prologue + cs_base;
9934 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
9935 /* try starting at IP */
9936 - ip = (u8 *)regs->ip;
9937 + ip = (u8 *)regs->ip + cs_base;
9938 code_len = code_len - code_prologue + 1;
9940 for (i = 0; i < code_len; i++, ip++) {
9941 @@ -136,7 +137,7 @@ void show_registers(struct pt_regs *regs
9942 printk(" Bad EIP value.");
9945 - if (ip == (u8 *)regs->ip)
9946 + if (ip == (u8 *)regs->ip + cs_base)
9947 printk("<%02x> ", c);
9950 @@ -149,6 +150,7 @@ int is_valid_bugaddr(unsigned long ip)
9954 + ip = ktla_ktva(ip);
9955 if (ip < PAGE_OFFSET)
9957 if (probe_kernel_address((unsigned short *)ip, ud2))
9958 diff -urNp linux-2.6.33/arch/x86/kernel/dumpstack.c linux-2.6.33/arch/x86/kernel/dumpstack.c
9959 --- linux-2.6.33/arch/x86/kernel/dumpstack.c 2010-02-24 13:52:17.000000000 -0500
9960 +++ linux-2.6.33/arch/x86/kernel/dumpstack.c 2010-03-07 12:23:35.933601961 -0500
9961 @@ -207,7 +207,7 @@ void dump_stack(void)
9964 printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
9965 - current->pid, current->comm, current->xid, print_tainted(),
9966 + task_pid_nr(current), current->comm, current->xid, print_tainted(),
9967 init_utsname()->release,
9968 (int)strcspn(init_utsname()->version, " "),
9969 init_utsname()->version);
9970 @@ -268,7 +268,7 @@ void __kprobes oops_end(unsigned long fl
9971 panic("Fatal exception in interrupt");
9973 panic("Fatal exception");
9975 + do_group_exit(signr);
9978 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
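Review bot: `oops_end()` now finishes with `do_group_exit(signr)`, which ends every thread in the faulting task's thread group, and the hunk gives no comment on that wider scope. The removed line is not visible in this rendering. A comment such as `/* kill the whole thread group: siblings share the possibly corrupted address space (reason assumed, confirm) */` would record the intent. oops_end starts outside the hunk.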
9979 @@ -295,7 +295,7 @@ int __kprobes __die(const char *str, str
9981 show_registers(regs);
9982 #ifdef CONFIG_X86_32
9983 - if (user_mode_vm(regs)) {
9984 + if (user_mode(regs)) {
9986 ss = regs->ss & 0xffff;
9988 @@ -323,7 +323,7 @@ void die(const char *str, struct pt_regs
9989 unsigned long flags = oops_begin();
9992 - if (!user_mode_vm(regs))
9993 + if (!user_mode(regs))
9994 report_bug(regs->ip, regs);
9996 if (__die(str, regs, err))
9997 diff -urNp linux-2.6.33/arch/x86/kernel/e820.c linux-2.6.33/arch/x86/kernel/e820.c
9998 --- linux-2.6.33/arch/x86/kernel/e820.c 2010-02-24 13:52:17.000000000 -0500
9999 +++ linux-2.6.33/arch/x86/kernel/e820.c 2010-03-07 12:23:35.933601961 -0500
10001 #include <asm/setup.h>
10002 #include <asm/trampoline.h>
10004 +#include "acpi/realmode/wakeup.h"
10007 * The e820 map is the map that gets modified e.g. with command line parameters
10008 * and that is also registered with modifications in the kernel resource tree
10009 @@ -741,8 +743,19 @@ static struct early_res early_res[MAX_EA
10011 { PAGE_SIZE, PAGE_SIZE + PAGE_SIZE, "EX TRAMPOLINE", 1 },
10015 +#ifdef CONFIG_VM86
10016 +#ifdef CONFIG_ACPI_SLEEP
10017 +#define ACPI_EXTRA WAKEUP_SIZE
10019 +#define ACPI_EXTRA 0
10021 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_TRAMPOLINE)
10022 + { 3*PAGE_SIZE + ACPI_EXTRA, ISA_START_ADDRESS, "V86 mode memory", 1 },
10024 + { 2*PAGE_SIZE + ACPI_EXTRA, ISA_START_ADDRESS, "V86 mode memory", 1 },
10030 static int __init find_overlapped_early(u64 start, u64 end)
10031 diff -urNp linux-2.6.33/arch/x86/kernel/efi_32.c linux-2.6.33/arch/x86/kernel/efi_32.c
10032 --- linux-2.6.33/arch/x86/kernel/efi_32.c 2010-02-24 13:52:17.000000000 -0500
10033 +++ linux-2.6.33/arch/x86/kernel/efi_32.c 2010-03-07 12:23:35.933601961 -0500
10034 @@ -38,70 +38,38 @@
10037 static unsigned long efi_rt_eflags;
10038 -static pgd_t efi_bak_pg_dir_pointer[2];
10039 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
10041 -void efi_call_phys_prelog(void)
10042 +void __init efi_call_phys_prelog(void)
10044 - unsigned long cr4;
10045 - unsigned long temp;
10046 struct desc_ptr gdt_descr;
10048 local_irq_save(efi_rt_eflags);
10051 - * If I don't have PAE, I should just duplicate two entries in page
10052 - * directory. If I have PAE, I just need to duplicate one entry in
10053 - * page directory.
10055 - cr4 = read_cr4_safe();
10057 - if (cr4 & X86_CR4_PAE) {
10058 - efi_bak_pg_dir_pointer[0].pgd =
10059 - swapper_pg_dir[pgd_index(0)].pgd;
10060 - swapper_pg_dir[0].pgd =
10061 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
10063 - efi_bak_pg_dir_pointer[0].pgd =
10064 - swapper_pg_dir[pgd_index(0)].pgd;
10065 - efi_bak_pg_dir_pointer[1].pgd =
10066 - swapper_pg_dir[pgd_index(0x400000)].pgd;
10067 - swapper_pg_dir[pgd_index(0)].pgd =
10068 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
10069 - temp = PAGE_OFFSET + 0x400000;
10070 - swapper_pg_dir[pgd_index(0x400000)].pgd =
10071 - swapper_pg_dir[pgd_index(temp)].pgd;
10073 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
10074 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
10075 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
10078 * After the lock is released, the original page table is restored.
10082 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
10083 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
10084 gdt_descr.size = GDT_SIZE - 1;
10085 load_gdt(&gdt_descr);
10088 -void efi_call_phys_epilog(void)
10089 +void __init efi_call_phys_epilog(void)
10091 - unsigned long cr4;
10092 struct desc_ptr gdt_descr;
10094 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
10095 + gdt_descr.address = get_cpu_gdt_table(0);
10096 gdt_descr.size = GDT_SIZE - 1;
10097 load_gdt(&gdt_descr);
10099 - cr4 = read_cr4_safe();
10101 - if (cr4 & X86_CR4_PAE) {
10102 - swapper_pg_dir[pgd_index(0)].pgd =
10103 - efi_bak_pg_dir_pointer[0].pgd;
10105 - swapper_pg_dir[pgd_index(0)].pgd =
10106 - efi_bak_pg_dir_pointer[0].pgd;
10107 - swapper_pg_dir[pgd_index(0x400000)].pgd =
10108 - efi_bak_pg_dir_pointer[1].pgd;
10110 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
10113 * After the lock is released, the original page table is restored.
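Review bot: `gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));` stores a physical address in what appears to be a pointer-typed field, so it reads like a dereferenceable kernel pointer. A comment on that line, e.g. `/* physical address on purpose: loaded while running on the low mapping cloned above */`, would stop someone from "fixing" the cast. Separately, both functions become `__init` and the backup array becomes `__initdata`. That is only correct if no caller of `efi_call_phys_prelog()` or `efi_call_phys_epilog()` runs after init memory is freed, which this hunk does not show.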
10114 diff -urNp linux-2.6.33/arch/x86/kernel/efi_stub_32.S linux-2.6.33/arch/x86/kernel/efi_stub_32.S
10115 --- linux-2.6.33/arch/x86/kernel/efi_stub_32.S 2010-02-24 13:52:17.000000000 -0500
10116 +++ linux-2.6.33/arch/x86/kernel/efi_stub_32.S 2010-03-07 12:23:35.933601961 -0500
10120 #include <linux/linkage.h>
10121 +#include <linux/init.h>
10122 #include <asm/page_types.h>
10126 * service functions will comply with gcc calling convention, too.
10131 ENTRY(efi_call_phys)
10133 * 0. The function can only be called in Linux kernel. So CS has been
10134 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
10135 * The mapping of lower virtual memory has been created in prelog and
10139 - subl $__PAGE_OFFSET, %edx
10141 + jmp 1f-__PAGE_OFFSET
10145 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
10146 * parameter 2, ..., param n. To make things easy, we save the return
10147 * address of efi_call_phys in a global variable.
10150 - movl %edx, saved_return_addr
10151 - /* get the function pointer into ECX*/
10153 - movl %ecx, efi_rt_function_ptr
10155 - subl $__PAGE_OFFSET, %edx
10157 + popl (saved_return_addr)
10158 + popl (efi_rt_function_ptr)
10161 * 3. Clear PG bit in %CR0.
10162 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
10164 * 5. Call the physical function.
10167 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
10171 * 6. After EFI runtime service returns, control will return to
10172 * following instruction. We'd better readjust stack pointer first.
10173 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
10175 orl $0x80000000, %edx
10181 * 8. Now restore the virtual mode from flat mode by
10182 * adding EIP with PAGE_OFFSET.
10186 + jmp 1f+__PAGE_OFFSET
10190 * 9. Balance the stack. And because EAX contain the return value,
10191 * we'd better not clobber it.
10193 - leal efi_rt_function_ptr, %edx
10194 - movl (%edx), %ecx
10196 + pushl (efi_rt_function_ptr)
10199 - * 10. Push the saved return address onto the stack and return.
10200 + * 10. Return to the saved return address.
10202 - leal saved_return_addr, %edx
10203 - movl (%edx), %ecx
10206 + jmpl *(saved_return_addr)
10207 ENDPROC(efi_call_phys)
10214 efi_rt_function_ptr:
10215 diff -urNp linux-2.6.33/arch/x86/kernel/entry_32.S linux-2.6.33/arch/x86/kernel/entry_32.S
10216 --- linux-2.6.33/arch/x86/kernel/entry_32.S 2010-02-24 13:52:17.000000000 -0500
10217 +++ linux-2.6.33/arch/x86/kernel/entry_32.S 2010-03-07 12:23:35.937701195 -0500
10218 @@ -191,7 +191,7 @@
10220 #endif /* CONFIG_X86_32_LAZY_GS */
10223 +.macro __SAVE_ALL _DS
10227 @@ -224,7 +224,7 @@
10229 CFI_ADJUST_CFA_OFFSET 4
10230 CFI_REL_OFFSET ebx, 0
10231 - movl $(__USER_DS), %edx
10235 movl $(__KERNEL_PERCPU), %edx
10236 @@ -232,6 +232,15 @@
10241 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
10242 + __SAVE_ALL __KERNEL_DS
10245 + __SAVE_ALL __USER_DS
10249 .macro RESTORE_INT_REGS
10251 CFI_ADJUST_CFA_OFFSET -4
10252 @@ -356,7 +365,15 @@ check_userspace:
10253 movb PT_CS(%esp), %al
10254 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
10255 cmpl $USER_RPL, %eax
10257 +#ifdef CONFIG_PAX_KERNEXEC
10258 + jae resume_userspace
10261 + jmp resume_kernel
10263 jb resume_kernel # not returning to v8086 or userspace
10266 ENTRY(resume_userspace)
10268 @@ -422,10 +439,9 @@ sysenter_past_esp:
10269 /*CFI_REL_OFFSET cs, 0*/
10271 * Push current_thread_info()->sysenter_return to the stack.
10272 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
10273 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
10275 - pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
10276 + GET_THREAD_INFO(%ebp)
10277 + pushl TI_sysenter_return(%ebp)
10278 CFI_ADJUST_CFA_OFFSET 4
10279 CFI_REL_OFFSET eip, 0
10281 @@ -438,9 +454,19 @@ sysenter_past_esp:
10282 * Load the potential sixth argument from user stack.
10283 * Careful about security.
10285 + movl PT_OLDESP(%esp),%ebp
10287 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10288 + mov PT_OLDSS(%esp),%ds
10289 +1: movl %ds:(%ebp),%ebp
10293 cmpl $__PAGE_OFFSET-3,%ebp
10295 1: movl (%ebp),%ebp
10298 movl %ebp,PT_EBP(%esp)
10299 .section __ex_table,"a"
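Review bot: In the CONFIG_PAX_MEMORY_UDEREF branch the sixth-argument load `1: movl %ds:(%ebp),%ebp` is not preceded by the `cmpl $__PAGE_OFFSET-3,%ebp` range check that guards the other branch, and nothing says what bounds the access instead. Under the existing "Careful about security" comment I would add `/* UDEREF: no explicit range check; access is bounded by the limit of the segment loaded from PT_OLDSS (assumed, confirm) */`. The comment should also say where %ds is switched back to the kernel selector; several lines of this hunk are missing from the rendering and the restore is not visible.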
10301 @@ -463,12 +489,23 @@ sysenter_do_call:
10302 testl $_TIF_ALLWORK_MASK, %ecx
10306 +#ifdef CONFIG_PAX_RANDKSTACK
10308 + CFI_ADJUST_CFA_OFFSET 4
10309 + call pax_randomize_kstack
10311 + CFI_ADJUST_CFA_OFFSET -4
10314 /* if something modifies registers it must also disable sysexit */
10315 movl PT_EIP(%esp), %edx
10316 movl PT_OLDESP(%esp), %ecx
10319 1: mov PT_FS(%esp), %fs
10320 +2: mov PT_DS(%esp), %ds
10321 +3: mov PT_ES(%esp), %es
10323 ENABLE_INTERRUPTS_SYSEXIT
10325 @@ -512,11 +549,17 @@ sysexit_audit:
10328 .pushsection .fixup,"ax"
10329 -2: movl $0,PT_FS(%esp)
10330 +4: movl $0,PT_FS(%esp)
10332 +5: movl $0,PT_DS(%esp)
10334 +6: movl $0,PT_ES(%esp)
10336 .section __ex_table,"a"
10344 ENDPROC(ia32_sysenter_target)
10345 @@ -550,6 +593,10 @@ syscall_exit:
10346 testl $_TIF_ALLWORK_MASK, %ecx # current->work
10347 jne syscall_exit_work
10349 +#ifdef CONFIG_PAX_RANDKSTACK
10350 + call pax_randomize_kstack
10355 restore_all_notrace:
10356 @@ -614,7 +661,13 @@ ldt_ss:
10357 mov PT_OLDESP(%esp), %eax /* load userspace esp */
10358 mov %dx, %ax /* eax: new kernel esp */
10359 sub %eax, %edx /* offset (low word is 0) */
10360 - PER_CPU(gdt_page, %ebx)
10362 + movl PER_CPU_VAR(cpu_number), %ebx
10363 + shll $PAGE_SHIFT_asm, %ebx
10364 + addl $cpu_gdt_table, %ebx
10366 + movl $cpu_gdt_table, %ebx
10369 mov %dl, GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx) /* bits 16..23 */
10370 mov %dh, GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx) /* bits 24..31 */
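Review bot: The open-coded GDT lookup (`cpu_number` shifted by `PAGE_SHIFT_asm` and added to `cpu_gdt_table`) assumes each CPU's GDT fills exactly one page of a contiguous array, and the same sequence is repeated in the espfix fixup hunk after ptregs_clone. Put it in one assembler macro taking the destination register, with a comment such as `/* cpu_gdt_table: one page per CPU, indexed by cpu_number */`, so the layout assumption is stated once and both sites stay in step. A build-time check that the per-CPU GDT size equals PAGE_SIZE belongs next to the table's definition, which is not in this hunk.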
10371 @@ -654,25 +707,19 @@ work_resched:
10373 work_notifysig: # deal with pending signals and
10374 # notify-resume requests
10377 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
10379 - jne work_notifysig_v86 # returning to kernel-space or
10380 + jz 1f # returning to kernel-space or
10383 - call do_notify_resume
10384 - jmp resume_userspace_sig
10387 -work_notifysig_v86:
10388 pushl %ecx # save ti_flags for do_notify_resume
10389 CFI_ADJUST_CFA_OFFSET 4
10390 call save_v86_state # %eax contains pt_regs pointer
10392 CFI_ADJUST_CFA_OFFSET -4
10399 call do_notify_resume
10400 @@ -707,6 +754,10 @@ END(syscall_exit_work)
10402 RING0_INT_FRAME # can't unwind into user space anyway
10404 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10408 GET_THREAD_INFO(%ebp)
10409 movl $-EFAULT,PT_EAX(%esp)
10410 jmp resume_userspace
10411 @@ -790,7 +841,13 @@ ptregs_clone:
10412 * normal stack and adjusts ESP with the matching offset.
10414 /* fixup the stack */
10415 - PER_CPU(gdt_page, %ebx)
10417 + movl PER_CPU_VAR(cpu_number), %ebx
10418 + shll $PAGE_SHIFT_asm, %ebx
10419 + addl $cpu_gdt_table, %ebx
10421 + movl $cpu_gdt_table, %ebx
10423 mov GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx), %al /* bits 16..23 */
10424 mov GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx), %ah /* bits 24..31 */
10426 @@ -1254,7 +1311,6 @@ return_to_handler:
10430 -.section .rodata,"a"
10431 #include "syscall_table_32.S"
10433 syscall_table_size=(.-sys_call_table)
10434 @@ -1306,12 +1362,15 @@ error_code:
10436 UNWIND_ESPFIX_STACK
10441 movl PT_GS(%esp), %edi # get the function address
10442 movl PT_ORIG_EAX(%esp), %edx # get the error code
10443 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
10446 - movl $(__USER_DS), %ecx
10447 + movl $(__KERNEL_DS), %ecx
10451 @@ -1407,6 +1466,9 @@ nmi_stack_correct:
10452 xorl %edx,%edx # zero error code
10453 movl %esp,%eax # pt_regs pointer
10458 jmp restore_all_notrace
10461 @@ -1447,6 +1509,9 @@ nmi_espfix_stack:
10462 FIXUP_ESPFIX_STACK # %eax == %esp
10463 xorl %edx,%edx # zero error code
10469 lss 12+4(%esp), %esp # back to espfix stack
10470 CFI_ADJUST_CFA_OFFSET -24
10471 diff -urNp linux-2.6.33/arch/x86/kernel/entry_64.S linux-2.6.33/arch/x86/kernel/entry_64.S
10472 --- linux-2.6.33/arch/x86/kernel/entry_64.S 2010-02-24 13:52:17.000000000 -0500
10473 +++ linux-2.6.33/arch/x86/kernel/entry_64.S 2010-03-07 12:23:35.937701195 -0500
10475 #include <asm/paravirt.h>
10476 #include <asm/ftrace.h>
10477 #include <asm/percpu.h>
10478 +#include <asm/pgtable.h>
10480 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
10481 #include <linux/elf-em.h>
10482 @@ -800,6 +801,7 @@ END(interrupt)
10483 CFI_ADJUST_CFA_OFFSET 10*8
10490 @@ -825,6 +827,7 @@ ret_from_intr:
10491 CFI_DEF_CFA_REGISTER rsp
10492 CFI_ADJUST_CFA_OFFSET -8
10495 GET_THREAD_INFO(%rcx)
10496 testl $3,CS-ARGOFFSET(%rsp)
10498 @@ -1040,6 +1043,7 @@ ENTRY(\sym)
10499 CFI_ADJUST_CFA_OFFSET 15*8
10503 movq %rsp,%rdi /* pt_regs pointer */
10504 xorl %esi,%esi /* no error code */
10506 @@ -1057,6 +1061,7 @@ ENTRY(\sym)
10511 movq %rsp,%rdi /* pt_regs pointer */
10512 xorl %esi,%esi /* no error code */
10514 @@ -1074,9 +1079,15 @@ ENTRY(\sym)
10519 movq %rsp,%rdi /* pt_regs pointer */
10520 xorl %esi,%esi /* no error code */
10521 - PER_CPU(init_tss, %r12)
10523 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
10524 + lea init_tss(%r12), %r12
10526 + lea init_tss(%rip), %r12
10528 subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%r12)
10530 addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%r12)
10531 @@ -1093,6 +1104,7 @@ ENTRY(\sym)
10532 CFI_ADJUST_CFA_OFFSET 15*8
10536 movq %rsp,%rdi /* pt_regs pointer */
10537 movq ORIG_RAX(%rsp),%rsi /* get error code */
10538 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
10539 @@ -1112,6 +1124,7 @@ ENTRY(\sym)
10544 movq %rsp,%rdi /* pt_regs pointer */
10545 movq ORIG_RAX(%rsp),%rsi /* get error code */
10546 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
10547 @@ -1373,11 +1386,13 @@ ENTRY(paranoid_exit)
10549 jnz paranoid_userspace
10553 SWAPGS_UNSAFE_STACK
10561 @@ -1499,6 +1514,7 @@ ENTRY(nmi)
10562 CFI_ADJUST_CFA_OFFSET 15*8
10566 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
10569 @@ -1514,6 +1530,7 @@ ENTRY(nmi)
10571 SWAPGS_UNSAFE_STACK
10577 diff -urNp linux-2.6.33/arch/x86/kernel/ftrace.c linux-2.6.33/arch/x86/kernel/ftrace.c
10578 --- linux-2.6.33/arch/x86/kernel/ftrace.c 2010-02-24 13:52:17.000000000 -0500
10579 +++ linux-2.6.33/arch/x86/kernel/ftrace.c 2010-03-07 12:23:35.937701195 -0500
10580 @@ -151,7 +151,9 @@ void ftrace_nmi_enter(void)
10582 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
10584 + pax_open_kernel();
10586 + pax_close_kernel();
10587 atomic_inc(&nmi_update_count);
10589 /* Must have previous changes seen before executions */
10590 @@ -234,7 +236,7 @@ do_ftrace_mod_code(unsigned long ip, voi
10594 -static unsigned char ftrace_nop[MCOUNT_INSN_SIZE];
10595 +static unsigned char ftrace_nop[MCOUNT_INSN_SIZE] __read_only;
10597 static unsigned char *ftrace_nop_replace(void)
10599 @@ -247,6 +249,8 @@ ftrace_modify_code(unsigned long ip, uns
10601 unsigned char replaced[MCOUNT_INSN_SIZE];
10603 + ip = ktla_ktva(ip);
10606 * Note: Due to modules and __init, code can
10607 * disappear and change, we need to protect against faulting
10608 @@ -303,7 +307,7 @@ int ftrace_update_ftrace_func(ftrace_fun
10609 unsigned char old[MCOUNT_INSN_SIZE], *new;
10612 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
10613 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
10614 new = ftrace_call_replace(ip, (unsigned long)func);
10615 ret = ftrace_modify_code(ip, old, new);
10617 @@ -356,15 +360,15 @@ int __init ftrace_dyn_arch_init(void *da
10620 pr_info("converting mcount calls to 0f 1f 44 00 00\n");
10621 - memcpy(ftrace_nop, ftrace_test_p6nop, MCOUNT_INSN_SIZE);
10622 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_p6nop), MCOUNT_INSN_SIZE);
10625 pr_info("converting mcount calls to 66 66 66 66 90\n");
10626 - memcpy(ftrace_nop, ftrace_test_nop5, MCOUNT_INSN_SIZE);
10627 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_nop5), MCOUNT_INSN_SIZE);
10630 pr_info("converting mcount calls to jmp . + 5\n");
10631 - memcpy(ftrace_nop, ftrace_test_jmp, MCOUNT_INSN_SIZE);
10632 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_jmp), MCOUNT_INSN_SIZE);
10636 @@ -385,6 +389,8 @@ static int ftrace_mod_jmp(unsigned long
10638 unsigned char code[MCOUNT_INSN_SIZE];
10640 + ip = ktla_ktva(ip);
10642 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
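Review bot: The `ktla_ktva()` calls in this file are written two ways: `ftrace_update_ftrace_func` casts on the way in and out, `(void *)ktla_ktva((unsigned long)ftrace_call)`, while the three `memcpy` calls in `ftrace_dyn_arch_init` pass `ktla_ktva(ftrace_test_p6nop)` (and `_nop5`, `_jmp`) with no cast. The helper is not defined in this section, so one of the two forms presumably relies on an implicit pointer/integer conversion; settle on one form so the compiler can type-check every call. `ftrace_modify_code` and `ftrace_mod_jmp` also overwrite their `ip` parameter without saying so, and a comment such as `/* ip now holds the ktla_ktva()-translated address, not the caller's value */` would stop later code in those functions from treating it as the original text address. The bodies of all four functions continue outside the visible hunks.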
10645 diff -urNp linux-2.6.33/arch/x86/kernel/head32.c linux-2.6.33/arch/x86/kernel/head32.c
10646 --- linux-2.6.33/arch/x86/kernel/head32.c 2010-02-24 13:52:17.000000000 -0500
10647 +++ linux-2.6.33/arch/x86/kernel/head32.c 2010-03-07 12:23:35.937701195 -0500
10649 #include <asm/apic.h>
10650 #include <asm/io_apic.h>
10651 #include <asm/bios_ebda.h>
10652 +#include <asm/boot.h>
10654 static void __init i386_default_early_setup(void)
10656 @@ -29,7 +30,7 @@ static void __init i386_default_early_se
10658 void __init i386_start_kernel(void)
10660 - reserve_early(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
10661 + reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
10663 #ifdef CONFIG_BLK_DEV_INITRD
10664 /* Reserve INITRD */
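Review bot: The reserved range in `i386_start_kernel` now starts at the compile-time constant `LOAD_PHYSICAL_ADDR` while its end is still symbol-derived, `__pa_symbol(&__bss_stop)`, and nothing on the line says why the two ends are computed differently. Whether the constant equals the address the image really occupies when it is loaded away from its configured address cannot be seen from this hunk; if the two can differ, the range labelled "TEXT DATA BSS" no longer describes the image. A one-line comment stating why `_text` no longer marks the start of the image, and what is assumed about the load address, would settle it.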
10665 diff -urNp linux-2.6.33/arch/x86/kernel/head_32.S linux-2.6.33/arch/x86/kernel/head_32.S
10666 --- linux-2.6.33/arch/x86/kernel/head_32.S 2010-02-24 13:52:17.000000000 -0500
10667 +++ linux-2.6.33/arch/x86/kernel/head_32.S 2010-03-07 12:23:35.937701195 -0500
10668 @@ -21,10 +21,17 @@
10669 #include <asm/msr-index.h>
10670 #include <asm/cpufeature.h>
10671 #include <asm/percpu.h>
10672 +#include <asm/msr-index.h>
10674 /* Physical address */
10675 #define pa(X) ((X) - __PAGE_OFFSET)
10677 +#ifdef CONFIG_PAX_KERNEXEC
10680 +#define ta(X) ((X) - __PAGE_OFFSET)
10684 * References to members of the new_cpu_data structure.
10687 * and small than max_low_pfn, otherwise will waste some page table entries
10690 -#if PTRS_PER_PMD > 1
10691 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
10693 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
10695 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
10697 /* Enough space to fit pagetables for the low memory linear map */
10698 MAPPING_BEYOND_END = \
10699 @@ -75,6 +78,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
10700 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
10703 + * Real beginning of normal "text" segment
10709 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
10710 * %esi points to the real-mode code as a 32-bit pointer.
10711 * CS and DS must be 4 GB flat segments, but we don't depend on
10712 @@ -82,6 +91,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
10717 +#ifdef CONFIG_PAX_KERNEXEC
10719 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
10720 +.fill PAGE_SIZE-5,1,0xcc
10724 /* test KEEP_SEGMENTS flag to see if the bootloader is asking
10725 us to not reload segments */
10726 @@ -99,6 +115,55 @@ ENTRY(startup_32)
10731 + movl $pa(cpu_gdt_table),%edi
10732 + movl $__per_cpu_load,%eax
10733 + movw %ax,__KERNEL_PERCPU + 2(%edi)
10735 + movb %al,__KERNEL_PERCPU + 4(%edi)
10736 + movb %ah,__KERNEL_PERCPU + 7(%edi)
10737 + movl $__per_cpu_end - 1,%eax
10738 + subl $__per_cpu_start,%eax
10739 + movw %ax,__KERNEL_PERCPU + 0(%edi)
10742 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10743 + movl $NR_CPUS,%ecx
10744 + movl $pa(cpu_gdt_table),%edi
10746 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
10747 + addl $PAGE_SIZE_asm,%edi
10751 +#ifdef CONFIG_PAX_KERNEXEC
10752 + movl $pa(boot_gdt),%edi
10753 + movl $__LOAD_PHYSICAL_ADDR,%eax
10754 + movw %ax,__BOOT_CS + 2(%edi)
10756 + movb %al,__BOOT_CS + 4(%edi)
10757 + movb %ah,__BOOT_CS + 7(%edi)
10760 + ljmp $(__BOOT_CS),$1f
10763 + movl $NR_CPUS,%ecx
10764 + movl $pa(cpu_gdt_table),%edi
10765 + addl $__PAGE_OFFSET,%eax
10767 + movw %ax,__KERNEL_CS + 2(%edi)
10768 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
10770 + movb %al,__KERNEL_CS + 4(%edi)
10771 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
10772 + movb %ah,__KERNEL_CS + 7(%edi)
10773 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
10775 + addl $PAGE_SIZE_asm,%edi
10780 * Clear BSS first so that there are no surprises...
10782 @@ -142,9 +207,7 @@ ENTRY(startup_32)
10783 cmpl $num_subarch_entries, %eax
10786 - movl pa(subarch_entries)(,%eax,4), %eax
10787 - subl $__PAGE_OFFSET, %eax
10789 + jmp *pa(subarch_entries)(,%eax,4)
10793 @@ -156,10 +219,10 @@ WEAK(xen_entry)
10797 - .long default_entry /* normal x86/PC */
10798 - .long lguest_entry /* lguest hypervisor */
10799 - .long xen_entry /* Xen hypervisor */
10800 - .long default_entry /* Moorestown MID */
10801 + .long ta(default_entry) /* normal x86/PC */
10802 + .long ta(lguest_entry) /* lguest hypervisor */
10803 + .long ta(xen_entry) /* Xen hypervisor */
10804 + .long ta(default_entry) /* Moorestown MID */
10805 num_subarch_entries = (. - subarch_entries) / 4
10807 #endif /* CONFIG_PARAVIRT */
10808 @@ -220,8 +283,11 @@ default_entry:
10809 movl %eax, pa(max_pfn_mapped)
10811 /* Do early initialization of the fixmap area */
10812 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
10813 - movl %eax,pa(swapper_pg_pmd+0x1000*KPMDS-8)
10814 +#ifdef CONFIG_COMPAT_VDSO
10815 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_pmd+0x1000*KPMDS-8)
10817 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_pmd+0x1000*KPMDS-8)
10819 #else /* Not PAE */
10821 page_pde_offset = (__PAGE_OFFSET >> 20);
10822 @@ -251,8 +317,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
10823 movl %eax, pa(max_pfn_mapped)
10825 /* Do early initialization of the fixmap area */
10826 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
10827 - movl %eax,pa(swapper_pg_dir+0xffc)
10828 +#ifdef CONFIG_COMPAT_VDSO
10829 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_dir+0xffc)
10831 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_dir+0xffc)
10836 @@ -299,6 +368,7 @@ ENTRY(startup_32_smp)
10840 +#ifdef CONFIG_X86_PAE
10841 testb $X86_CR4_PAE, %al # check if PAE is enabled
10844 @@ -323,6 +393,9 @@ ENTRY(startup_32_smp)
10845 /* Make changes effective */
10848 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
10854 @@ -348,9 +421,7 @@ ENTRY(startup_32_smp)
10858 - jz 1f /* Initial CPU cleans BSS */
10861 + jnz checkCPUtype /* Initial CPU cleans BSS */
10862 #endif /* CONFIG_SMP */
10865 @@ -428,7 +499,7 @@ is386: movl $2,%ecx # set MP
10866 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
10867 movl %eax,%ss # after changing gdt.
10869 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
10870 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
10874 @@ -442,8 +513,11 @@ is386: movl $2,%ecx # set MP
10878 - movl $per_cpu__gdt_page,%eax
10879 + movl $cpu_gdt_table,%eax
10880 movl $per_cpu__stack_canary,%ecx
10882 + addl $__per_cpu_load,%ecx
10884 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
10886 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
10887 @@ -461,10 +535,6 @@ is386: movl $2,%ecx # set MP
10891 - cmpb $0,%cl # the first CPU calls start_kernel
10893 - movl (stack_start), %esp
10895 #endif /* CONFIG_SMP */
10896 jmp *(initial_code)
10898 @@ -550,22 +620,22 @@ early_page_fault:
10903 #ifdef CONFIG_PRINTK
10904 + cmpl $1,%ss:early_recursion_flag
10906 + incl %ss:early_recursion_flag
10909 movl $(__KERNEL_DS),%eax
10912 - cmpl $2,early_recursion_flag
10914 - incl early_recursion_flag
10917 pushl %edx /* trapno */
10926 @@ -573,8 +643,11 @@ hlt_loop:
10927 /* This is the default interrupt "handler" :-) */
10931 #ifdef CONFIG_PRINTK
10932 + cmpl $2,%ss:early_recursion_flag
10934 + incl %ss:early_recursion_flag
10939 @@ -583,9 +656,6 @@ ignore_int:
10940 movl $(__KERNEL_DS),%eax
10943 - cmpl $2,early_recursion_flag
10945 - incl early_recursion_flag
10949 @@ -612,27 +682,37 @@ ENTRY(initial_code)
10953 -__PAGE_ALIGNED_BSS
10954 - .align PAGE_SIZE_asm
10955 #ifdef CONFIG_X86_PAE
10956 +.section .swapper_pg_pmd,"a",@progbits
10958 .fill 1024*KPMDS,4,0
10960 +.section .swapper_pg_dir,"a",@progbits
10961 ENTRY(swapper_pg_dir)
10968 +.section .empty_zero_page,"a",@progbits
10969 ENTRY(empty_zero_page)
10973 + * The IDT has to be page-aligned to simplify the Pentium
10974 + * F0 0F bug workaround.. We have a special link segment
10977 +.section .idt,"a",@progbits
10982 * This starts the data section.
10984 #ifdef CONFIG_X86_PAE
10985 -__PAGE_ALIGNED_DATA
10986 - /* Page-aligned for the benefit of paravirt? */
10987 - .align PAGE_SIZE_asm
10988 +.section .swapper_pg_dir,"a",@progbits
10989 ENTRY(swapper_pg_dir)
10990 .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
10992 @@ -655,11 +735,12 @@ ENTRY(swapper_pg_dir)
10996 - .long init_thread_union+THREAD_SIZE
10997 + .long init_thread_union+THREAD_SIZE-8
11002 +.section .rodata,"a",@progbits
11003 early_recursion_flag:
11006 @@ -695,7 +776,7 @@ fault_msg:
11007 .word 0 # 32 bit align gdt_desc.address
11010 - .long boot_gdt - __PAGE_OFFSET
11011 + .long pa(boot_gdt)
11013 .word 0 # 32-bit align idt_desc.address
11015 @@ -706,7 +787,7 @@ idt_descr:
11016 .word 0 # 32 bit align gdt_desc.address
11017 ENTRY(early_gdt_descr)
11018 .word GDT_ENTRIES*8-1
11019 - .long per_cpu__gdt_page /* Overwritten for secondary CPUs */
11020 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
11023 * The boot_gdt must mirror the equivalent in setup.S and is
11024 @@ -715,5 +796,65 @@ ENTRY(early_gdt_descr)
11025 .align L1_CACHE_BYTES
11027 .fill GDT_ENTRY_BOOT_CS,8,0
11028 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
11029 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
11030 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
11031 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
11033 + .align PAGE_SIZE_asm
11034 +ENTRY(cpu_gdt_table)
11036 + .quad 0x0000000000000000 /* NULL descriptor */
11037 + .quad 0x0000000000000000 /* 0x0b reserved */
11038 + .quad 0x0000000000000000 /* 0x13 reserved */
11039 + .quad 0x0000000000000000 /* 0x1b reserved */
11041 +#ifdef CONFIG_PAX_KERNEXEC
11042 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
11044 + .quad 0x0000000000000000 /* 0x20 unused */
11047 + .quad 0x0000000000000000 /* 0x28 unused */
11048 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
11049 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
11050 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
11051 + .quad 0x0000000000000000 /* 0x4b reserved */
11052 + .quad 0x0000000000000000 /* 0x53 reserved */
11053 + .quad 0x0000000000000000 /* 0x5b reserved */
11055 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
11056 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
11057 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
11058 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
11060 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
11061 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
11064 + * Segments used for calling PnP BIOS have byte granularity.
11065 + * The code segments and data segments have fixed 64k limits,
11066 + * the transfer segment sizes are set at run time.
11068 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
11069 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
11070 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
11071 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
11072 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
11075 + * The APM segments have byte granularity and their bases
11076 + * are set at run time. All have 64k limits.
11078 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
11079 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
11080 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
11082 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
11083 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
11084 + .quad 0x0040930000000018 /* 0xe0 - STACK_CANARY */
11085 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
11086 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
11087 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
11089 + /* Be sure this is zeroed to avoid false validations in Xen */
11090 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
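Review bot: The hunk at `is386` leaves the DS/ES reload depending on a commented-out instruction: `movl $(__USER_DS),%eax` is replaced by `# movl $(__KERNEL_DS),%eax`, so whatever is loaded next comes from the value `%eax` still holds from `1: movl $(__KERNEL_DS),%eax` two lines earlier (the segment loads themselves are not among the visible lines). Dead code in a comment hides that dependency, and a `#` in column 0 of a preprocessed .S file is also seen by cpp, so state it as a real comment instead: `/* %eax still holds __KERNEL_DS from the %ss reload above */`. Separately, the first hunk adds `#include <asm/msr-index.h>` although the same header is already included three lines above it, so the added line can be dropped.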
11092 diff -urNp linux-2.6.33/arch/x86/kernel/head_64.S linux-2.6.33/arch/x86/kernel/head_64.S
11093 --- linux-2.6.33/arch/x86/kernel/head_64.S 2010-02-24 13:52:17.000000000 -0500
11094 +++ linux-2.6.33/arch/x86/kernel/head_64.S 2010-03-07 16:45:32.258187459 -0500
11095 @@ -38,6 +38,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
11096 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
11097 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
11098 L3_START_KERNEL = pud_index(__START_KERNEL_map)
11099 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
11100 +L3_VMALLOC_START = pud_index(VMALLOC_START)
11101 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
11102 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
11106 @@ -85,35 +89,22 @@ startup_64:
11108 addq %rbp, init_level4_pgt + 0(%rip)
11109 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
11110 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
11111 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
11112 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
11114 addq %rbp, level3_ident_pgt + 0(%rip)
11115 +#ifndef CONFIG_XEN
11116 + addq %rbp, level3_ident_pgt + 8(%rip)
11119 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
11120 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
11121 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
11123 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
11124 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
11125 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
11127 - /* Add an Identity mapping if I am above 1G */
11128 - leaq _text(%rip), %rdi
11129 - andq $PMD_PAGE_MASK, %rdi
11132 - shrq $PUD_SHIFT, %rax
11133 - andq $(PTRS_PER_PUD - 1), %rax
11134 - jz ident_complete
11136 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
11137 - leaq level3_ident_pgt(%rip), %rbx
11138 - movq %rdx, 0(%rbx, %rax, 8)
11141 - shrq $PMD_SHIFT, %rax
11142 - andq $(PTRS_PER_PMD - 1), %rax
11143 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
11144 - leaq level2_spare_pgt(%rip), %rbx
11145 - movq %rdx, 0(%rbx, %rax, 8)
11147 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
11148 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
11151 * Fixup the kernel text+data virtual addresses. Note that
11152 @@ -187,6 +178,11 @@ ENTRY(secondary_startup_64)
11153 btl $20,%edi /* No Execute supported? */
11155 btsl $_EFER_NX, %eax
11156 + leaq init_level4_pgt(%rip), %rdi
11157 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
11158 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
11159 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
11160 + btsq $_PAGE_BIT_NX, (__supported_pte_mask)
11161 1: wrmsr /* Make changes effective */
11164 @@ -271,7 +267,7 @@ ENTRY(secondary_startup_64)
11168 - .section ".init.text","ax"
11170 #ifdef CONFIG_EARLY_PRINTK
11171 .globl early_idt_handlers
11172 early_idt_handlers:
11173 @@ -316,18 +312,23 @@ ENTRY(early_idt_handler)
11174 #endif /* EARLY_PRINTK */
11179 #ifdef CONFIG_EARLY_PRINTK
11181 early_recursion_flag:
11185 + .section .rodata,"a",@progbits
11187 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
11190 -#endif /* CONFIG_EARLY_PRINTK */
11192 +#endif /* CONFIG_EARLY_PRINTK */
11194 + .section .rodata,"a",@progbits
11195 #define NEXT_PAGE(name) \
11196 .balign PAGE_SIZE; \
11198 @@ -351,13 +352,29 @@ NEXT_PAGE(init_level4_pgt)
11199 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
11200 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
11201 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
11202 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
11203 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
11204 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
11205 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
11206 .org init_level4_pgt + L4_START_KERNEL*8, 0
11207 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
11208 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
11210 NEXT_PAGE(level3_ident_pgt)
11211 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
11215 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
11219 +NEXT_PAGE(level3_vmalloc_pgt)
11222 +NEXT_PAGE(level3_vmemmap_pgt)
11223 + .fill L3_VMEMMAP_START,8,0
11224 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
11226 NEXT_PAGE(level3_kernel_pgt)
11227 .fill L3_START_KERNEL,8,0
11228 @@ -365,20 +382,23 @@ NEXT_PAGE(level3_kernel_pgt)
11229 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
11230 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
11232 +NEXT_PAGE(level2_vmemmap_pgt)
11235 NEXT_PAGE(level2_fixmap_pgt)
11237 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
11238 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
11241 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
11242 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
11245 -NEXT_PAGE(level1_fixmap_pgt)
11246 +NEXT_PAGE(level1_vsyscall_pgt)
11249 -NEXT_PAGE(level2_ident_pgt)
11250 - /* Since I easily can, map the first 1G.
11251 + /* Since I easily can, map the first 2G.
11252 * Don't set NX because code runs from these pages.
11254 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
11255 +NEXT_PAGE(level2_ident_pgt)
11256 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
11258 NEXT_PAGE(level2_kernel_pgt)
11260 @@ -391,33 +411,55 @@ NEXT_PAGE(level2_kernel_pgt)
11261 * If you want to increase this then increase MODULES_VADDR
11264 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
11265 - KERNEL_IMAGE_SIZE/PMD_SIZE)
11267 -NEXT_PAGE(level2_spare_pgt)
11269 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
11276 +ENTRY(cpu_gdt_table)
11278 + .quad 0x0000000000000000 /* NULL descriptor */
11279 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
11280 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
11281 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
11282 + .quad 0x00cffb000000ffff /* __USER32_CS */
11283 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
11284 + .quad 0x00affb000000ffff /* __USER_CS */
11286 +#ifdef CONFIG_PAX_KERNEXEC
11287 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
11289 + .quad 0x0 /* unused */
11292 + .quad 0,0 /* TSS */
11293 + .quad 0,0 /* LDT */
11294 + .quad 0,0,0 /* three TLS descriptors */
11295 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
11296 + /* asm/segment.h:GDT_ENTRIES must match this */
11298 + /* zero the remaining page */
11299 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
11303 .globl early_gdt_descr
11305 .word GDT_ENTRIES*8-1
11306 early_gdt_descr_base:
11307 - .quad INIT_PER_CPU_VAR(gdt_page)
11308 + .quad cpu_gdt_table
11311 /* This must match the first entry in level2_kernel_pgt */
11312 .quad 0x0000000000000000
11314 #include "../../x86/xen/xen-head.S"
11316 - .section .bss, "aw", @nobits
11318 + .section .rodata,"a",@progbits
11319 .align L1_CACHE_BYTES
11321 - .skip IDT_ENTRIES * 16
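Review bot: The relocation fix-ups in `startup_64` still address `level2_fixmap_pgt` by bare slot number, `(506*8)` and the newly added `(507*8)`, while the same hunk replaces `510*8`/`511*8` on `level3_kernel_pgt` with `L3_START_KERNEL*8`. Both numbers have to agree with the layout under `NEXT_PAGE(level2_fixmap_pgt)`, where the entry now points at `level1_vsyscall_pgt` and the comment changes to `3 + 1 entries`; the `.fill` counts of that table are not among the visible lines, so the match cannot be confirmed here. Defining the slot once next to the other `L3_*`/`L4_*` constants (for example a new `L2_FIXMAP_FIRST = 506`, name to be chosen) and using it in both the fix-ups and the table would keep the two from drifting apart.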
11326 diff -urNp linux-2.6.33/arch/x86/kernel/i386_ksyms_32.c linux-2.6.33/arch/x86/kernel/i386_ksyms_32.c
11327 --- linux-2.6.33/arch/x86/kernel/i386_ksyms_32.c 2010-02-24 13:52:17.000000000 -0500
11328 +++ linux-2.6.33/arch/x86/kernel/i386_ksyms_32.c 2010-03-07 12:23:35.937701195 -0500
11329 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
11330 EXPORT_SYMBOL(cmpxchg8b_emu);
11333 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
11335 /* Networking helper routines. */
11336 EXPORT_SYMBOL(csum_partial_copy_generic);
11337 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
11338 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
11340 EXPORT_SYMBOL(__get_user_1);
11341 EXPORT_SYMBOL(__get_user_2);
11342 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
11344 EXPORT_SYMBOL(csum_partial);
11345 EXPORT_SYMBOL(empty_zero_page);
11347 +#ifdef CONFIG_PAX_KERNEXEC
11348 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
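Review bot: The new exports mix licence classes and name no consumer: `cpu_gdt_table` is `EXPORT_SYMBOL_GPL`, while `__LOAD_PHYSICAL_ADDR` and the two `csum_partial_copy_generic_*_user` helpers are plain `EXPORT_SYMBOL`. Exporting the descriptor table makes it reachable by name from loadable modules, so it becomes part of the surface that module code is trusted with, and the reason for it should be written down. A comment above each export saying which in-tree code needs the symbol, and why the GPL-only class was chosen for one and not the others, would let a reviewer judge whether each export is still required.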
11350 diff -urNp linux-2.6.33/arch/x86/kernel/init_task.c linux-2.6.33/arch/x86/kernel/init_task.c
11351 --- linux-2.6.33/arch/x86/kernel/init_task.c 2010-02-24 13:52:17.000000000 -0500
11352 +++ linux-2.6.33/arch/x86/kernel/init_task.c 2010-03-07 12:23:35.937701195 -0500
11353 @@ -38,5 +38,5 @@ EXPORT_SYMBOL(init_task);
11354 * section. Since TSS's are completely CPU-local, we want them
11355 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
11357 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
11359 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
11360 +EXPORT_SYMBOL(init_tss);
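Review bot: The comment kept above the definition still promises that each TSS sits on an exact cacheline boundary, but `____cacheline_internodealigned_in_smp` on `init_tss[NR_CPUS]` aligns only the start of the array. Elements after the first are spaced by `sizeof(struct tss_struct)`, so they keep that alignment only if the struct type itself carries it, which is not visible in this hunk. Either state that dependency in the comment or add a build-time check in an init function, e.g. `BUILD_BUG_ON(sizeof(struct tss_struct) % SMP_CACHE_BYTES);`. The array is also sized for `NR_CPUS` rather than for the CPUs actually present, a cost the per-CPU definition it replaces did not have.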
11361 diff -urNp linux-2.6.33/arch/x86/kernel/ioport.c linux-2.6.33/arch/x86/kernel/ioport.c
11362 --- linux-2.6.33/arch/x86/kernel/ioport.c 2010-02-24 13:52:17.000000000 -0500
11363 +++ linux-2.6.33/arch/x86/kernel/ioport.c 2010-03-07 12:23:35.937701195 -0500
11365 #include <linux/sched.h>
11366 #include <linux/kernel.h>
11367 #include <linux/capability.h>
11368 +#include <linux/security.h>
11369 #include <linux/errno.h>
11370 #include <linux/types.h>
11371 #include <linux/ioport.h>
11372 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
11374 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
11376 +#ifdef CONFIG_GRKERNSEC_IO
11378 + gr_handle_ioperm();
11382 if (turn_on && !capable(CAP_SYS_RAWIO))
11385 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
11386 * because the ->io_bitmap_max value must match the bitmap
11389 - tss = &per_cpu(init_tss, get_cpu());
11390 + tss = init_tss + get_cpu();
11392 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
11394 @@ -112,8 +119,13 @@ long sys_iopl(unsigned int level, struct
11396 /* Trying to gain more privileges? */
11398 +#ifdef CONFIG_GRKERNSEC_IO
11399 + gr_handle_iopl();
11402 if (!capable(CAP_SYS_RAWIO))
11406 regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
11407 t->iopl = level << 12;
11408 diff -urNp linux-2.6.33/arch/x86/kernel/irq_32.c linux-2.6.33/arch/x86/kernel/irq_32.c
11409 --- linux-2.6.33/arch/x86/kernel/irq_32.c 2010-02-24 13:52:17.000000000 -0500
11410 +++ linux-2.6.33/arch/x86/kernel/irq_32.c 2010-03-07 12:23:35.937701195 -0500
11411 @@ -94,7 +94,7 @@ execute_on_irq_stack(int overflow, struc
11414 /* build the stack frame on the IRQ stack */
11415 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
11416 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
11417 irqctx->tinfo.task = curctx->tinfo.task;
11418 irqctx->tinfo.previous_esp = current_stack_pointer;
11420 @@ -175,7 +175,7 @@ asmlinkage void do_softirq(void)
11421 irqctx->tinfo.previous_esp = current_stack_pointer;
11423 /* build the stack frame on the softirq stack */
11424 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
11425 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
11427 call_on_stack(__do_softirq, isp);
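Review bot: The initial stack pointer for both IRQ stacks is now `sizeof(*irqctx) - 8` with no explanation of the 8, in `execute_on_irq_stack` and again in `do_softirq`. The `head_32.S` part of this patch makes the same adjustment for the boot stack (`init_thread_union+THREAD_SIZE-8`), so at least three sites have to stay in step. A named constant usable from both C and assembly, with a comment saying what the bytes reserved at the top of each stack are for, would make that explicit; as written, a later change to one site silently leaves the others behind.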
11429 diff -urNp linux-2.6.33/arch/x86/kernel/kgdb.c linux-2.6.33/arch/x86/kernel/kgdb.c
11430 --- linux-2.6.33/arch/x86/kernel/kgdb.c 2010-02-24 13:52:17.000000000 -0500
11431 +++ linux-2.6.33/arch/x86/kernel/kgdb.c 2010-03-07 12:23:35.937701195 -0500
11432 @@ -89,7 +89,7 @@ void pt_regs_to_gdb_regs(unsigned long *
11433 gdb_regs[GDB_CS] = regs->cs;
11434 gdb_regs[GDB_FS] = 0xFFFF;
11435 gdb_regs[GDB_GS] = 0xFFFF;
11436 - if (user_mode_vm(regs)) {
11437 + if (user_mode(regs)) {
11438 gdb_regs[GDB_SS] = regs->ss;
11439 gdb_regs[GDB_SP] = regs->sp;
11441 @@ -690,7 +690,7 @@ unsigned long kgdb_arch_pc(int exception
11442 return instruction_pointer(regs);
11445 -struct kgdb_arch arch_kgdb_ops = {
11446 +const struct kgdb_arch arch_kgdb_ops = {
11447 /* Breakpoint instruction: */
11448 .gdb_bpt_instr = { 0xcc },
11449 .flags = KGDB_HW_BREAKPOINT,
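Review bot: `pt_regs_to_gdb_regs` now tests `user_mode(regs)` where it tested `user_mode_vm(regs)`, and `kprobe_exceptions_notify` in kprobes.c gets the same substitution. Neither helper is defined in these hunks; if `user_mode()` still ignores the EFLAGS.VM bit as it does in the unpatched tree, a vm86 frame would now take the kernel-mode branch and `gdb_regs[GDB_SS]`/`gdb_regs[GDB_SP]` would no longer come from `regs->ss`/`regs->sp`. If the patch redefines `user_mode()` elsewhere to cover vm86, that should be said in a comment at the definition, because the call sites alone read as a behaviour change. Making `arch_kgdb_ops` `const` also needs the matching `extern` declaration to change with it, which is outside this section.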
11450 diff -urNp linux-2.6.33/arch/x86/kernel/kprobes.c linux-2.6.33/arch/x86/kernel/kprobes.c
11451 --- linux-2.6.33/arch/x86/kernel/kprobes.c 2010-02-24 13:52:17.000000000 -0500
11452 +++ linux-2.6.33/arch/x86/kernel/kprobes.c 2010-03-07 12:23:35.937701195 -0500
11453 @@ -113,9 +113,13 @@ static void __kprobes set_jmp_op(void *f
11456 } __attribute__((packed)) * jop;
11457 - jop = (struct __arch_jmp_op *)from;
11459 + jop = (struct __arch_jmp_op *)(ktla_ktva(from));
11461 + pax_open_kernel();
11462 jop->raddr = (s32)((long)(to) - ((long)(from) + 5));
11463 jop->op = RELATIVEJUMP_INSTRUCTION;
11464 + pax_close_kernel();
11468 @@ -323,16 +327,18 @@ static void __kprobes fix_riprel(struct
11470 static void __kprobes arch_copy_kprobe(struct kprobe *p)
11472 - memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
11473 + pax_open_kernel();
11474 + memcpy(p->ainsn.insn, ktla_ktva(p->addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
11475 + pax_close_kernel();
11479 - if (can_boost(p->addr))
11480 + if (can_boost(ktla_ktva(p->addr)))
11481 p->ainsn.boostable = 0;
11483 p->ainsn.boostable = -1;
11485 - p->opcode = *p->addr;
11486 + p->opcode = *(ktla_ktva(p->addr));
11489 int __kprobes arch_prepare_kprobe(struct kprobe *p)
11490 @@ -412,7 +418,7 @@ static void __kprobes prepare_singlestep
11491 if (p->opcode == BREAKPOINT_INSTRUCTION)
11492 regs->ip = (unsigned long)p->addr;
11494 - regs->ip = (unsigned long)p->ainsn.insn;
11495 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
11498 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
11499 @@ -433,7 +439,7 @@ static void __kprobes setup_singlestep(s
11500 if (p->ainsn.boostable == 1 && !p->post_handler) {
11501 /* Boost up -- we can execute copied instructions directly */
11502 reset_current_kprobe();
11503 - regs->ip = (unsigned long)p->ainsn.insn;
11504 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
11505 preempt_enable_no_resched();
11508 @@ -490,7 +496,7 @@ static int __kprobes kprobe_handler(stru
11509 struct kprobe_ctlblk *kcb;
11511 addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
11512 - if (*addr != BREAKPOINT_INSTRUCTION) {
11513 + if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
11515 * The breakpoint instruction was removed right
11516 * after we hit it. Another cpu has removed
11517 @@ -742,7 +748,7 @@ static void __kprobes resume_execution(s
11518 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
11520 unsigned long *tos = stack_addr(regs);
11521 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
11522 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
11523 unsigned long orig_ip = (unsigned long)p->addr;
11524 kprobe_opcode_t *insn = p->ainsn.insn;
11526 @@ -925,7 +931,7 @@ int __kprobes kprobe_exceptions_notify(s
11527 struct die_args *args = data;
11528 int ret = NOTIFY_DONE;
11530 - if (args->regs && user_mode_vm(args->regs))
11531 + if (args->regs && user_mode(args->regs))
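Review bot: Replacing `user_mode_vm(args->regs)` with `user_mode(args->regs)` is equivalent only if this tree's `user_mode()` also treats vm86 frames as user mode. In stock 2.6.33 the 32-bit `user_mode()` tests the CS privilege bits alone, and the redefinition is not part of this hunk. The same substitution appears in `__show_regs` (process_32.c) and `fill_sigtrap_info` (ptrace.c). I would state the invariant once at the definition, for example `/* user_mode() also returns true for vm86 frames, so user_mode_vm() is not needed */`. The body of kprobe_exceptions_notify continues outside the hunk.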
11535 diff -urNp linux-2.6.33/arch/x86/kernel/ldt.c linux-2.6.33/arch/x86/kernel/ldt.c
11536 --- linux-2.6.33/arch/x86/kernel/ldt.c 2010-02-24 13:52:17.000000000 -0500
11537 +++ linux-2.6.33/arch/x86/kernel/ldt.c 2010-03-07 12:23:35.937701195 -0500
11538 @@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, i
11543 + load_LDT_nolock(pc);
11544 if (!cpumask_equal(mm_cpumask(current->mm),
11545 cpumask_of(smp_processor_id())))
11546 smp_call_function(flush_ldt, current->mm, 1);
11550 + load_LDT_nolock(pc);
11554 @@ -94,7 +94,7 @@ static inline int copy_ldt(mm_context_t
11557 for (i = 0; i < old->size; i++)
11558 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
11559 + write_ldt_entry(new->ldt, i, old->ldt + i);
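Review bot: `old->ldt + i` selects the right descriptor only if `ldt` is now a pointer to an 8-byte descriptor type; if it is still an untyped pointer the same expression advances one byte per entry. The type change is not in this hunk, so the dependency is silent here. A compile-time guard next to the loop would pin it: `BUILD_BUG_ON(sizeof(*old->ldt) != LDT_ENTRY_SIZE);`. copy_ldt starts and ends outside the hunk.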
11563 @@ -115,6 +115,24 @@ int init_new_context(struct task_struct
11564 retval = copy_ldt(&mm->context, &old_mm->context);
11565 mutex_unlock(&old_mm->context.lock);
11568 + if (tsk == current) {
11569 + mm->context.vdso = ~0UL;
11571 +#ifdef CONFIG_X86_32
11572 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
11573 + mm->context.user_cs_base = 0UL;
11574 + mm->context.user_cs_limit = ~0UL;
11576 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
11577 + cpus_clear(mm->context.cpu_user_cs_mask);
11588 @@ -229,6 +247,13 @@ static int write_ldt(void __user *ptr, u
11592 +#ifdef CONFIG_PAX_SEGMEXEC
11593 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
11599 fill_ldt(&ldt, &ldt_info);
11602 diff -urNp linux-2.6.33/arch/x86/kernel/machine_kexec_32.c linux-2.6.33/arch/x86/kernel/machine_kexec_32.c
11603 --- linux-2.6.33/arch/x86/kernel/machine_kexec_32.c 2010-02-24 13:52:17.000000000 -0500
11604 +++ linux-2.6.33/arch/x86/kernel/machine_kexec_32.c 2010-03-07 12:23:35.937701195 -0500
11606 #include <asm/cacheflush.h>
11607 #include <asm/debugreg.h>
11609 -static void set_idt(void *newidt, __u16 limit)
11610 +static void set_idt(struct desc_struct *newidt, __u16 limit)
11612 struct desc_ptr curidt;
11614 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
11618 -static void set_gdt(void *newgdt, __u16 limit)
11619 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
11621 struct desc_ptr curgdt;
11623 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
11626 control_page = page_address(image->control_code_page);
11627 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
11628 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
11630 relocate_kernel_ptr = control_page;
11631 page_list[PA_CONTROL_PAGE] = __pa(control_page);
11632 diff -urNp linux-2.6.33/arch/x86/kernel/microcode_amd.c linux-2.6.33/arch/x86/kernel/microcode_amd.c
11633 --- linux-2.6.33/arch/x86/kernel/microcode_amd.c 2010-02-24 13:52:17.000000000 -0500
11634 +++ linux-2.6.33/arch/x86/kernel/microcode_amd.c 2010-03-07 12:23:35.937701195 -0500
11635 @@ -331,7 +331,7 @@ static void microcode_fini_cpu_amd(int c
11639 -static struct microcode_ops microcode_amd_ops = {
11640 +static const struct microcode_ops microcode_amd_ops = {
11641 .request_microcode_user = request_microcode_user,
11642 .request_microcode_fw = request_microcode_fw,
11643 .collect_cpu_info = collect_cpu_info_amd,
11644 @@ -339,7 +339,7 @@ static struct microcode_ops microcode_am
11645 .microcode_fini_cpu = microcode_fini_cpu_amd,
11648 -struct microcode_ops * __init init_amd_microcode(void)
11649 +const struct microcode_ops * __init init_amd_microcode(void)
11651 return µcode_amd_ops;
11653 diff -urNp linux-2.6.33/arch/x86/kernel/microcode_core.c linux-2.6.33/arch/x86/kernel/microcode_core.c
11654 --- linux-2.6.33/arch/x86/kernel/microcode_core.c 2010-02-24 13:52:17.000000000 -0500
11655 +++ linux-2.6.33/arch/x86/kernel/microcode_core.c 2010-03-07 12:23:35.937701195 -0500
11656 @@ -92,7 +92,7 @@ MODULE_LICENSE("GPL");
11658 #define MICROCODE_VERSION "2.00"
11660 -static struct microcode_ops *microcode_ops;
11661 +static const struct microcode_ops *microcode_ops;
11665 diff -urNp linux-2.6.33/arch/x86/kernel/microcode_intel.c linux-2.6.33/arch/x86/kernel/microcode_intel.c
11666 --- linux-2.6.33/arch/x86/kernel/microcode_intel.c 2010-02-24 13:52:17.000000000 -0500
11667 +++ linux-2.6.33/arch/x86/kernel/microcode_intel.c 2010-03-07 12:23:35.937701195 -0500
11668 @@ -436,13 +436,13 @@ static enum ucode_state request_microcod
11670 static int get_ucode_user(void *to, const void *from, size_t n)
11672 - return copy_from_user(to, from, n);
11673 + return copy_from_user(to, (__force const void __user *)from, n);
11676 static enum ucode_state
11677 request_microcode_user(int cpu, const void __user *buf, size_t size)
11679 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
11680 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
11683 static void microcode_fini_cpu(int cpu)
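Review bot: The two `__force` casts silence the address-space checker without recording why the cast is safe. `request_microcode_user` strips `__user` from `buf` and `get_ucode_user` puts it back on `from`, so the callback's type does not stop a kernel pointer from reaching `copy_from_user()` by this route. The pairing is visible only by reading both functions together. I would add a comment above `get_ucode_user`, for example `/* from is always the __user buffer handed in by request_microcode_user(); the callback type carries no address-space annotation */`.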
11684 @@ -453,7 +453,7 @@ static void microcode_fini_cpu(int cpu)
11688 -static struct microcode_ops microcode_intel_ops = {
11689 +static const struct microcode_ops microcode_intel_ops = {
11690 .request_microcode_user = request_microcode_user,
11691 .request_microcode_fw = request_microcode_fw,
11692 .collect_cpu_info = collect_cpu_info,
11693 @@ -461,7 +461,7 @@ static struct microcode_ops microcode_in
11694 .microcode_fini_cpu = microcode_fini_cpu,
11697 -struct microcode_ops * __init init_intel_microcode(void)
11698 +const struct microcode_ops * __init init_intel_microcode(void)
11700 return µcode_intel_ops;
11702 diff -urNp linux-2.6.33/arch/x86/kernel/module.c linux-2.6.33/arch/x86/kernel/module.c
11703 --- linux-2.6.33/arch/x86/kernel/module.c 2010-02-24 13:52:17.000000000 -0500
11704 +++ linux-2.6.33/arch/x86/kernel/module.c 2010-03-07 12:23:35.941628368 -0500
11706 #define DEBUGP(fmt...)
11709 -void *module_alloc(unsigned long size)
11710 +static void *__module_alloc(unsigned long size, pgprot_t prot)
11712 struct vm_struct *area;
11714 @@ -48,8 +48,18 @@ void *module_alloc(unsigned long size)
11718 - return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
11719 - PAGE_KERNEL_EXEC);
11720 + return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
11723 +void *module_alloc(unsigned long size)
11726 +#ifdef CONFIG_PAX_KERNEXEC
11727 + return __module_alloc(size, PAGE_KERNEL);
11729 + return __module_alloc(size, PAGE_KERNEL_EXEC);
11734 /* Free memory returned from module_alloc */
11735 @@ -58,6 +68,40 @@ void module_free(struct module *mod, voi
11736 vfree(module_region);
11739 +#ifdef CONFIG_PAX_KERNEXEC
11740 +#ifdef CONFIG_X86_32
11741 +void *module_alloc_exec(unsigned long size)
11743 + struct vm_struct *area;
11748 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
11749 + return area ? area->addr : NULL;
11751 +EXPORT_SYMBOL(module_alloc_exec);
11753 +void module_free_exec(struct module *mod, void *module_region)
11755 + vunmap(module_region);
11757 +EXPORT_SYMBOL(module_free_exec);
11759 +void module_free_exec(struct module *mod, void *module_region)
11761 + module_free(mod, module_region);
11763 +EXPORT_SYMBOL(module_free_exec);
11765 +void *module_alloc_exec(unsigned long size)
11767 + return __module_alloc(size, PAGE_KERNEL_RX);
11769 +EXPORT_SYMBOL(module_alloc_exec);
11773 /* We don't need anything special. */
11774 int module_frob_arch_sections(Elf_Ehdr *hdr,
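Review bot: `EXPORT_SYMBOL(module_alloc_exec)` and `EXPORT_SYMBOL(module_free_exec)` make the allocator for the executable module region callable from any loaded module. If only the core module loader uses these functions, the exports can be dropped; if they have to stay, `EXPORT_SYMBOL_GPL(module_alloc_exec);` is the narrower choice. The callers are not visible in this hunk, so this needs checking against them.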
11776 @@ -77,14 +121,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
11778 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
11780 - uint32_t *location;
11781 + uint32_t *plocation, location;
11783 DEBUGP("Applying relocate section %u to %u\n", relsec,
11784 sechdrs[relsec].sh_info);
11785 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
11786 /* This is where to make the change */
11787 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
11788 - + rel[i].r_offset;
11789 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
11790 + location = (uint32_t)plocation;
11791 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
11792 + plocation = ktla_ktva((void *)plocation);
11793 /* This is the symbol it is referring to. Note that all
11794 undefined symbols have been resolved. */
11795 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
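Review bot: `plocation` is built from `rel[i].r_offset` with no range check visible in this hunk, and the next hunk stores through it between `pax_open_kernel()` and `pax_close_kernel()`, i.e. with the kernel's write protection lifted. A malformed relocation entry would then write outside the target section while that protection is off. I would reject such entries before the store, for example `if (sechdrs[sechdrs[relsec].sh_info].sh_size < sizeof(uint32_t) || rel[i].r_offset > sechdrs[sechdrs[relsec].sh_info].sh_size - sizeof(uint32_t)) return -ENOEXEC;`. The loop body continues outside the hunk, so an existing check further up cannot be ruled out from here.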
11796 @@ -93,11 +139,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
11797 switch (ELF32_R_TYPE(rel[i].r_info)) {
11799 /* We add the value into the location given */
11800 - *location += sym->st_value;
11801 + pax_open_kernel();
11802 + *plocation += sym->st_value;
11803 + pax_close_kernel();
11806 /* Add the value, subtract its postition */
11807 - *location += sym->st_value - (uint32_t)location;
11808 + pax_open_kernel();
11809 + *plocation += sym->st_value - location;
11810 + pax_close_kernel();
11813 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
11814 @@ -153,21 +203,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
11815 case R_X86_64_NONE:
11818 + pax_open_kernel();
11820 + pax_close_kernel();
11823 + pax_open_kernel();
11825 + pax_close_kernel();
11826 if (val != *(u32 *)loc)
11830 + pax_open_kernel();
11832 + pax_close_kernel();
11833 if ((s64)val != *(s32 *)loc)
11836 case R_X86_64_PC32:
11838 + pax_open_kernel();
11840 + pax_close_kernel();
11843 if ((s64)val != *(s32 *)loc)
11845 diff -urNp linux-2.6.33/arch/x86/kernel/paravirt.c linux-2.6.33/arch/x86/kernel/paravirt.c
11846 --- linux-2.6.33/arch/x86/kernel/paravirt.c 2010-02-24 13:52:17.000000000 -0500
11847 +++ linux-2.6.33/arch/x86/kernel/paravirt.c 2010-03-07 12:23:35.941628368 -0500
11848 @@ -120,9 +120,9 @@ unsigned paravirt_patch_jmp(void *insnbu
11850 /* Neat trick to map patch type back to the call within the
11851 * corresponding structure. */
11852 -static void *get_call_destination(u8 type)
11853 +static const void *get_call_destination(u8 type)
11855 - struct paravirt_patch_template tmpl = {
11856 + const struct paravirt_patch_template tmpl = {
11857 .pv_init_ops = pv_init_ops,
11858 .pv_time_ops = pv_time_ops,
11859 .pv_cpu_ops = pv_cpu_ops,
11860 @@ -133,13 +133,13 @@ static void *get_call_destination(u8 typ
11861 .pv_lock_ops = pv_lock_ops,
11864 - return *((void **)&tmpl + type);
11865 + return *((const void **)&tmpl + type);
11868 unsigned paravirt_patch_default(u8 type, u16 clobbers, void *insnbuf,
11869 unsigned long addr, unsigned len)
11871 - void *opfunc = get_call_destination(type);
11872 + const void *opfunc = get_call_destination(type);
11875 if (opfunc == NULL)
11876 @@ -178,7 +178,7 @@ unsigned paravirt_patch_insns(void *insn
11877 if (insn_len > len || start == NULL)
11880 - memcpy(insnbuf, start, insn_len);
11881 + memcpy(insnbuf, ktla_ktva(start), insn_len);
11885 @@ -294,22 +294,22 @@ void arch_flush_lazy_mmu_mode(void)
11889 -struct pv_info pv_info = {
11890 +struct pv_info pv_info __read_only = {
11891 .name = "bare hardware",
11892 .paravirt_enabled = 0,
11894 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
11897 -struct pv_init_ops pv_init_ops = {
11898 +struct pv_init_ops pv_init_ops __read_only = {
11899 .patch = native_patch,
11902 -struct pv_time_ops pv_time_ops = {
11903 +struct pv_time_ops pv_time_ops __read_only = {
11904 .sched_clock = native_sched_clock,
11907 -struct pv_irq_ops pv_irq_ops = {
11908 +struct pv_irq_ops pv_irq_ops __read_only = {
11909 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
11910 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
11911 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
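Review bot: `pv_info`, `pv_init_ops`, `pv_time_ops` and `pv_irq_ops` (and the other `pv_*_ops` in the following hunks) become `__read_only`, but nothing here says when writes to them are still permitted. Any guest-setup code elsewhere that assigns to these structures at boot would have to run before the read-only mapping is enforced or bracket the store with `pax_open_kernel()`/`pax_close_kernel()`. Those writers are outside this hunk. A comment above the first definition would make the rule explicit, for example `/* __read_only: assign only during early boot or inside pax_open_kernel()/pax_close_kernel() */`.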
11912 @@ -321,7 +321,7 @@ struct pv_irq_ops pv_irq_ops = {
11916 -struct pv_cpu_ops pv_cpu_ops = {
11917 +struct pv_cpu_ops pv_cpu_ops __read_only = {
11918 .cpuid = native_cpuid,
11919 .get_debugreg = native_get_debugreg,
11920 .set_debugreg = native_set_debugreg,
11921 @@ -382,7 +382,7 @@ struct pv_cpu_ops pv_cpu_ops = {
11922 .end_context_switch = paravirt_nop,
11925 -struct pv_apic_ops pv_apic_ops = {
11926 +struct pv_apic_ops pv_apic_ops __read_only = {
11927 #ifdef CONFIG_X86_LOCAL_APIC
11928 .startup_ipi_hook = paravirt_nop,
11930 @@ -396,7 +396,7 @@ struct pv_apic_ops pv_apic_ops = {
11931 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
11934 -struct pv_mmu_ops pv_mmu_ops = {
11935 +struct pv_mmu_ops pv_mmu_ops __read_only = {
11937 .read_cr2 = native_read_cr2,
11938 .write_cr2 = native_write_cr2,
11939 @@ -467,6 +467,12 @@ struct pv_mmu_ops pv_mmu_ops = {
11942 .set_fixmap = native_set_fixmap,
11944 +#ifdef CONFIG_PAX_KERNEXEC
11945 + .pax_open_kernel = native_pax_open_kernel,
11946 + .pax_close_kernel = native_pax_close_kernel,
11951 EXPORT_SYMBOL_GPL(pv_time_ops);
11952 diff -urNp linux-2.6.33/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.33/arch/x86/kernel/paravirt-spinlocks.c
11953 --- linux-2.6.33/arch/x86/kernel/paravirt-spinlocks.c 2010-02-24 13:52:17.000000000 -0500
11954 +++ linux-2.6.33/arch/x86/kernel/paravirt-spinlocks.c 2010-03-07 12:23:35.941628368 -0500
11955 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
11956 arch_spin_lock(lock);
11959 -struct pv_lock_ops pv_lock_ops = {
11960 +struct pv_lock_ops pv_lock_ops __read_only = {
11962 .spin_is_locked = __ticket_spin_is_locked,
11963 .spin_is_contended = __ticket_spin_is_contended,
11964 diff -urNp linux-2.6.33/arch/x86/kernel/pci-calgary_64.c linux-2.6.33/arch/x86/kernel/pci-calgary_64.c
11965 --- linux-2.6.33/arch/x86/kernel/pci-calgary_64.c 2010-02-24 13:52:17.000000000 -0500
11966 +++ linux-2.6.33/arch/x86/kernel/pci-calgary_64.c 2010-03-07 12:23:35.941628368 -0500
11967 @@ -470,7 +470,7 @@ static void calgary_free_coherent(struct
11968 free_pages((unsigned long)vaddr, get_order(size));
11971 -static struct dma_map_ops calgary_dma_ops = {
11972 +static const struct dma_map_ops calgary_dma_ops = {
11973 .alloc_coherent = calgary_alloc_coherent,
11974 .free_coherent = calgary_free_coherent,
11975 .map_sg = calgary_map_sg,
11976 diff -urNp linux-2.6.33/arch/x86/kernel/pci-dma.c linux-2.6.33/arch/x86/kernel/pci-dma.c
11977 --- linux-2.6.33/arch/x86/kernel/pci-dma.c 2010-02-24 13:52:17.000000000 -0500
11978 +++ linux-2.6.33/arch/x86/kernel/pci-dma.c 2010-03-07 12:23:35.941628368 -0500
11981 static int forbid_dac __read_mostly;
11983 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
11984 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
11985 EXPORT_SYMBOL(dma_ops);
11987 static int iommu_sac_force __read_mostly;
11988 @@ -240,7 +240,7 @@ early_param("iommu", iommu_setup);
11990 int dma_supported(struct device *dev, u64 mask)
11992 - struct dma_map_ops *ops = get_dma_ops(dev);
11993 + const struct dma_map_ops *ops = get_dma_ops(dev);
11996 if (mask > 0xffffffff && forbid_dac > 0) {
11997 diff -urNp linux-2.6.33/arch/x86/kernel/pci-gart_64.c linux-2.6.33/arch/x86/kernel/pci-gart_64.c
11998 --- linux-2.6.33/arch/x86/kernel/pci-gart_64.c 2010-02-24 13:52:17.000000000 -0500
11999 +++ linux-2.6.33/arch/x86/kernel/pci-gart_64.c 2010-03-07 12:23:35.941628368 -0500
12000 @@ -695,7 +695,7 @@ static __init int init_k8_gatt(struct ag
12004 -static struct dma_map_ops gart_dma_ops = {
12005 +static const struct dma_map_ops gart_dma_ops = {
12006 .map_sg = gart_map_sg,
12007 .unmap_sg = gart_unmap_sg,
12008 .map_page = gart_map_page,
12009 diff -urNp linux-2.6.33/arch/x86/kernel/pci-nommu.c linux-2.6.33/arch/x86/kernel/pci-nommu.c
12010 --- linux-2.6.33/arch/x86/kernel/pci-nommu.c 2010-02-24 13:52:17.000000000 -0500
12011 +++ linux-2.6.33/arch/x86/kernel/pci-nommu.c 2010-03-07 12:23:35.941628368 -0500
12012 @@ -94,7 +94,7 @@ static void nommu_sync_sg_for_device(str
12013 flush_write_buffers();
12016 -struct dma_map_ops nommu_dma_ops = {
12017 +const struct dma_map_ops nommu_dma_ops = {
12018 .alloc_coherent = dma_generic_alloc_coherent,
12019 .free_coherent = nommu_free_coherent,
12020 .map_sg = nommu_map_sg,
12021 diff -urNp linux-2.6.33/arch/x86/kernel/pci-swiotlb.c linux-2.6.33/arch/x86/kernel/pci-swiotlb.c
12022 --- linux-2.6.33/arch/x86/kernel/pci-swiotlb.c 2010-02-24 13:52:17.000000000 -0500
12023 +++ linux-2.6.33/arch/x86/kernel/pci-swiotlb.c 2010-03-07 12:23:35.941628368 -0500
12024 @@ -25,7 +25,7 @@ static void *x86_swiotlb_alloc_coherent(
12025 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
12028 -static struct dma_map_ops swiotlb_dma_ops = {
12029 +static const struct dma_map_ops swiotlb_dma_ops = {
12030 .mapping_error = swiotlb_dma_mapping_error,
12031 .alloc_coherent = x86_swiotlb_alloc_coherent,
12032 .free_coherent = swiotlb_free_coherent,
12033 diff -urNp linux-2.6.33/arch/x86/kernel/process_32.c linux-2.6.33/arch/x86/kernel/process_32.c
12034 --- linux-2.6.33/arch/x86/kernel/process_32.c 2010-02-24 13:52:17.000000000 -0500
12035 +++ linux-2.6.33/arch/x86/kernel/process_32.c 2010-03-07 12:23:35.941628368 -0500
12036 @@ -66,6 +66,7 @@ asmlinkage void ret_from_fork(void) __as
12037 unsigned long thread_saved_pc(struct task_struct *tsk)
12039 return ((unsigned long *)tsk->thread.sp)[3];
12040 +//XXX return tsk->thread.eip;
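Review bot: The added line `//XXX return tsk->thread.eip;` is commented-out code placed after the live `return`, with no explanation of what is unresolved. Either drop it or state the open question in words, for example `/* XXX: should the saved pc come from tsk->thread instead of sp[3]? */`. As written, the next reader cannot tell whether the current return value is believed to be wrong.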
12044 @@ -127,7 +128,7 @@ void __show_regs(struct pt_regs *regs, i
12046 unsigned short ss, gs;
12048 - if (user_mode_vm(regs)) {
12049 + if (user_mode(regs)) {
12051 ss = regs->ss & 0xffff;
12052 gs = get_user_gs(regs);
12053 @@ -203,7 +204,7 @@ int copy_thread(unsigned long clone_flag
12054 struct task_struct *tsk;
12057 - childregs = task_pt_regs(p);
12058 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
12059 *childregs = *regs;
12061 childregs->sp = sp;
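Review bot: The open-coded `task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8` replaces `task_pt_regs(p)` with an unexplained `8` and relies on byte arithmetic on the pointer returned by `task_stack_page()`. If `task_pt_regs()` cannot be used at this point, the reason belongs in a comment, and the padding should be named in one place so this expression and the stack-top setup cannot drift apart. For example: `/* task_pt_regs() is not usable before thread.sp0 is set; 8 = padding kept at the top of the kernel stack */`. The stated reason is a guess from this hunk and needs confirming. copy_thread continues outside the hunk.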
12062 @@ -237,6 +238,7 @@ int copy_thread(unsigned long clone_flag
12063 * Set a new TLS for the child thread?
12065 if (clone_flags & CLONE_SETTLS)
12066 +//XXX needs set_fs()?
12067 err = do_set_thread_area(p, -1,
12068 (struct user_desc __user *)childregs->si, 0);
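Review bot: `//XXX needs set_fs()?` leaves an unanswered question about the address limit on the path that hands `do_set_thread_area()` a `__user` pointer taken from `childregs->si`. With the UDEREF handling added to `__switch_to` in this same file, that answer decides whether the access is checked against the intended limit. It should be resolved before the change lands, not recorded as a marker. The comment also sits between the unbraced `if (clone_flags & CLONE_SETTLS)` and its statement; bracing the body, `if (clone_flags & CLONE_SETTLS) {`, keeps a later edit from detaching the call.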
12070 @@ -307,7 +309,7 @@ __switch_to(struct task_struct *prev_p,
12071 struct thread_struct *prev = &prev_p->thread,
12072 *next = &next_p->thread;
12073 int cpu = smp_processor_id();
12074 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
12075 + struct tss_struct *tss = init_tss + cpu;
12078 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
12079 @@ -342,6 +344,11 @@ __switch_to(struct task_struct *prev_p,
12081 lazy_save_gs(prev->gs);
12083 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12084 + if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
12085 + __set_fs(task_thread_info(next_p)->addr_limit, cpu);
12089 * Load the per-thread Thread-Local Storage descriptor.
12091 @@ -418,3 +425,27 @@ unsigned long get_wchan(struct task_stru
12095 +#ifdef CONFIG_PAX_RANDKSTACK
12096 +asmlinkage void pax_randomize_kstack(void)
12098 + struct thread_struct *thread = ¤t->thread;
12099 + unsigned long time;
12101 + if (!randomize_va_space)
12106 + /* P4 seems to return a 0 LSB, ignore it */
12107 +#ifdef CONFIG_MPENTIUM4
12115 + thread->sp0 ^= time;
12116 + load_sp0(init_tss + smp_processor_id(), thread);
12119 diff -urNp linux-2.6.33/arch/x86/kernel/process_64.c linux-2.6.33/arch/x86/kernel/process_64.c
12120 --- linux-2.6.33/arch/x86/kernel/process_64.c 2010-02-24 13:52:17.000000000 -0500
12121 +++ linux-2.6.33/arch/x86/kernel/process_64.c 2010-03-07 12:23:35.941628368 -0500
12122 @@ -88,7 +88,7 @@ static void __exit_idle(void)
12123 void exit_idle(void)
12125 /* idle loop has pid 0 */
12126 - if (current->pid)
12127 + if (task_pid_nr(current))
12131 @@ -389,7 +389,7 @@ __switch_to(struct task_struct *prev_p,
12132 struct thread_struct *prev = &prev_p->thread;
12133 struct thread_struct *next = &next_p->thread;
12134 int cpu = smp_processor_id();
12135 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
12136 + struct tss_struct *tss = init_tss + cpu;
12137 unsigned fsindex, gsindex;
12140 @@ -542,12 +542,11 @@ unsigned long get_wchan(struct task_stru
12141 if (!p || p == current || p->state == TASK_RUNNING)
12143 stack = (unsigned long)task_stack_page(p);
12144 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
12145 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-8-sizeof(u64))
12147 fp = *(u64 *)(p->thread.sp);
12149 - if (fp < (unsigned long)stack ||
12150 - fp >= (unsigned long)stack+THREAD_SIZE)
12151 + if (fp < stack || fp > stack+THREAD_SIZE-8-sizeof(u64))
12153 ip = *(u64 *)(fp+8);
12154 if (!in_sched_functions(ip))
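Review bot: The new bound `stack+THREAD_SIZE-8-sizeof(u64)` is applied to both `p->thread.sp` and `fp`, but the hunk does not say what the `8` stands for. For `fp` the limit makes the read at `fp+8` end exactly at `stack+THREAD_SIZE`; for `p->thread.sp` it is 8 bytes stricter than the read at `sp` needs. A comment such as `/* highest address from which *(u64 *)(x + 8) still lies inside the stack */` (or naming the value once) would keep the two checks from being "fixed" independently later. The loop around the `fp` check is outside the hunk.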
12155 diff -urNp linux-2.6.33/arch/x86/kernel/process.c linux-2.6.33/arch/x86/kernel/process.c
12156 --- linux-2.6.33/arch/x86/kernel/process.c 2010-02-24 13:52:17.000000000 -0500
12157 +++ linux-2.6.33/arch/x86/kernel/process.c 2010-03-07 12:23:35.941628368 -0500
12158 @@ -78,7 +78,7 @@ void exit_thread(void)
12159 unsigned long *bp = t->io_bitmap_ptr;
12162 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
12163 + struct tss_struct *tss = init_tss + get_cpu();
12165 t->io_bitmap_ptr = NULL;
12166 clear_thread_flag(TIF_IO_BITMAP);
12167 @@ -115,6 +115,9 @@ void flush_thread(void)
12169 struct task_struct *tsk = current;
12171 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR)
12172 + loadsegment(gs, 0);
12174 flush_ptrace_hw_breakpoint(tsk);
12175 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
12177 @@ -272,8 +275,8 @@ int kernel_thread(int (*fn)(void *), voi
12178 regs.di = (unsigned long) arg;
12180 #ifdef CONFIG_X86_32
12181 - regs.ds = __USER_DS;
12182 - regs.es = __USER_DS;
12183 + regs.ds = __KERNEL_DS;
12184 + regs.es = __KERNEL_DS;
12185 regs.fs = __KERNEL_PERCPU;
12186 regs.gs = __KERNEL_STACK_CANARY;
12188 @@ -664,17 +667,3 @@ static int __init idle_setup(char *str)
12191 early_param("idle", idle_setup);
12193 -unsigned long arch_align_stack(unsigned long sp)
12195 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
12196 - sp -= get_random_int() % 8192;
12197 - return sp & ~0xf;
12200 -unsigned long arch_randomize_brk(struct mm_struct *mm)
12202 - unsigned long range_end = mm->brk + 0x02000000;
12203 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
12206 diff -urNp linux-2.6.33/arch/x86/kernel/ptrace.c linux-2.6.33/arch/x86/kernel/ptrace.c
12207 --- linux-2.6.33/arch/x86/kernel/ptrace.c 2010-02-24 13:52:17.000000000 -0500
12208 +++ linux-2.6.33/arch/x86/kernel/ptrace.c 2010-03-07 12:23:35.941628368 -0500
12209 @@ -1167,7 +1167,7 @@ static const struct user_regset_view use
12210 long arch_ptrace(struct task_struct *child, long request, long addr, long data)
12213 - unsigned long __user *datap = (unsigned long __user *)data;
12214 + unsigned long __user *datap = (__force unsigned long __user *)data;
12217 /* read the word at location addr in the USER area. */
12218 @@ -1254,14 +1254,14 @@ long arch_ptrace(struct task_struct *chi
12221 ret = do_get_thread_area(child, addr,
12222 - (struct user_desc __user *) data);
12223 + (__force struct user_desc __user *) data);
12226 case PTRACE_SET_THREAD_AREA:
12229 ret = do_set_thread_area(child, addr,
12230 - (struct user_desc __user *) data, 0);
12231 + (__force struct user_desc __user *) data, 0);
12235 @@ -1280,12 +1280,12 @@ long arch_ptrace(struct task_struct *chi
12236 #ifdef CONFIG_X86_PTRACE_BTS
12237 case PTRACE_BTS_CONFIG:
12238 ret = ptrace_bts_config
12239 - (child, data, (struct ptrace_bts_config __user *)addr);
12240 + (child, data, (__force struct ptrace_bts_config __user *)addr);
12243 case PTRACE_BTS_STATUS:
12244 ret = ptrace_bts_status
12245 - (child, data, (struct ptrace_bts_config __user *)addr);
12246 + (child, data, (__force struct ptrace_bts_config __user *)addr);
12249 case PTRACE_BTS_SIZE:
12250 @@ -1294,7 +1294,7 @@ long arch_ptrace(struct task_struct *chi
12252 case PTRACE_BTS_GET:
12253 ret = ptrace_bts_read_record
12254 - (child, data, (struct bts_struct __user *) addr);
12255 + (child, data, (__force struct bts_struct __user *) addr);
12258 case PTRACE_BTS_CLEAR:
12259 @@ -1303,7 +1303,7 @@ long arch_ptrace(struct task_struct *chi
12261 case PTRACE_BTS_DRAIN:
12262 ret = ptrace_bts_drain
12263 - (child, data, (struct bts_struct __user *) addr);
12264 + (child, data, (__force struct bts_struct __user *) addr);
12266 #endif /* CONFIG_X86_PTRACE_BTS */
12268 @@ -1690,7 +1690,7 @@ static void fill_sigtrap_info(struct tas
12269 memset(info, 0, sizeof(*info));
12270 info->si_signo = SIGTRAP;
12271 info->si_code = si_code;
12272 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
12273 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
12276 void user_single_step_siginfo(struct task_struct *tsk,
12277 diff -urNp linux-2.6.33/arch/x86/kernel/reboot.c linux-2.6.33/arch/x86/kernel/reboot.c
12278 --- linux-2.6.33/arch/x86/kernel/reboot.c 2010-02-24 13:52:17.000000000 -0500
12279 +++ linux-2.6.33/arch/x86/kernel/reboot.c 2010-03-07 12:23:35.941628368 -0500
12280 @@ -33,7 +33,7 @@ void (*pm_power_off)(void);
12281 EXPORT_SYMBOL(pm_power_off);
12283 static const struct desc_ptr no_idt = {};
12284 -static int reboot_mode;
12285 +static unsigned short reboot_mode;
12286 enum reboot_type reboot_type = BOOT_KBD;
12289 @@ -276,7 +276,7 @@ static struct dmi_system_id __initdata r
12290 DMI_MATCH(DMI_BOARD_NAME, "P4S800"),
12294 + { NULL, NULL, {{0, {0}}}, NULL}
12297 static int __init reboot_init(void)
12298 @@ -292,12 +292,12 @@ core_initcall(reboot_init);
12299 controller to pulse the CPU reset line, which is more thorough, but
12300 doesn't work with at least one type of 486 motherboard. It is easy
12301 to stop this code working; hence the copious comments. */
12302 -static const unsigned long long
12303 -real_mode_gdt_entries [3] =
12304 +static struct desc_struct
12305 +real_mode_gdt_entries [3] __read_only =
12307 - 0x0000000000000000ULL, /* Null descriptor */
12308 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
12309 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
12310 + GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
12311 + GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
12312 + GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
12315 static const struct desc_ptr
12316 @@ -346,7 +346,7 @@ static const unsigned char jump_to_bios
12317 * specified by the code and length parameters.
12318 * We assume that length will aways be less that 100!
12320 -void machine_real_restart(const unsigned char *code, int length)
12321 +void machine_real_restart(const unsigned char *code, unsigned int length)
12323 local_irq_disable();
12325 @@ -366,8 +366,8 @@ void machine_real_restart(const unsigned
12326 /* Remap the kernel at virtual address zero, as well as offset zero
12327 from the kernel segment. This assumes the kernel segment starts at
12328 virtual address PAGE_OFFSET. */
12329 - memcpy(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
12330 - sizeof(swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
12331 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
12332 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
12335 * Use `swapper_pg_dir' as our page directory.
12336 @@ -379,16 +379,15 @@ void machine_real_restart(const unsigned
12337 boot)". This seems like a fairly standard thing that gets set by
12338 REBOOT.COM programs, and the previous reset routine did this
12340 - *((unsigned short *)0x472) = reboot_mode;
12341 + *(unsigned short *)(__va(0x472)) = reboot_mode;
12343 /* For the switch to real mode, copy some code to low memory. It has
12344 to be in the first 64k because it is running in 16-bit mode, and it
12345 has to have the same physical and virtual address, because it turns
12346 off paging. Copy it near the end of the first page, out of the way
12347 of BIOS variables. */
12348 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
12349 - real_mode_switch, sizeof (real_mode_switch));
12350 - memcpy((void *)(0x1000 - 100), code, length);
12351 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
12352 + memcpy(__va(0x1000 - 100), code, length);
12354 /* Set up the IDT for real mode. */
12355 load_idt(&real_mode_idt);
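Review bot: `memcpy(__va(0x1000 - 100), code, length)` still copies `length` bytes into the 100-byte slot at the end of the first page without checking it. Making the parameter `unsigned int` in the earlier hunk rules out a negative value, but the bound remains only the assumption stated in the comment above the function. I would enforce it at the top of `machine_real_restart`, for example `BUG_ON(length > 100);`, or reject the call some other way if BUG is too heavy on the reboot path. The callers are outside this hunk.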
12356 diff -urNp linux-2.6.33/arch/x86/kernel/setup.c linux-2.6.33/arch/x86/kernel/setup.c
12357 --- linux-2.6.33/arch/x86/kernel/setup.c 2010-02-24 13:52:17.000000000 -0500
12358 +++ linux-2.6.33/arch/x86/kernel/setup.c 2010-03-07 12:23:35.941628368 -0500
12359 @@ -749,14 +749,14 @@ void __init setup_arch(char **cmdline_p)
12361 if (!boot_params.hdr.root_flags)
12362 root_mountflags &= ~MS_RDONLY;
12363 - init_mm.start_code = (unsigned long) _text;
12364 - init_mm.end_code = (unsigned long) _etext;
12365 + init_mm.start_code = ktla_ktva((unsigned long) _text);
12366 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
12367 init_mm.end_data = (unsigned long) _edata;
12368 init_mm.brk = _brk_end;
12370 - code_resource.start = virt_to_phys(_text);
12371 - code_resource.end = virt_to_phys(_etext)-1;
12372 - data_resource.start = virt_to_phys(_etext);
12373 + code_resource.start = virt_to_phys(ktla_ktva(_text));
12374 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
12375 + data_resource.start = virt_to_phys(_sdata);
12376 data_resource.end = virt_to_phys(_edata)-1;
12377 bss_resource.start = virt_to_phys(&__bss_start);
12378 bss_resource.end = virt_to_phys(&__bss_stop)-1;
12379 diff -urNp linux-2.6.33/arch/x86/kernel/setup_percpu.c linux-2.6.33/arch/x86/kernel/setup_percpu.c
12380 --- linux-2.6.33/arch/x86/kernel/setup_percpu.c 2010-02-24 13:52:17.000000000 -0500
12381 +++ linux-2.6.33/arch/x86/kernel/setup_percpu.c 2010-03-07 12:23:35.941628368 -0500
12382 @@ -27,19 +27,17 @@
12383 # define DBG(fmt, ...) do { if (0) pr_dbg(fmt, ##__VA_ARGS__); } while (0)
12387 DEFINE_PER_CPU(int, cpu_number);
12388 EXPORT_PER_CPU_SYMBOL(cpu_number);
12391 -#ifdef CONFIG_X86_64
12392 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
12394 -#define BOOT_PERCPU_OFFSET 0
12397 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
12398 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
12400 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
12401 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
12402 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
12404 EXPORT_SYMBOL(__per_cpu_offset);
12405 @@ -160,13 +158,15 @@ static void __init pcpup_populate_pte(un
12406 static inline void setup_percpu_segment(int cpu)
12408 #ifdef CONFIG_X86_32
12409 - struct desc_struct gdt;
12410 + struct desc_struct d, *gdt = get_cpu_gdt_table(cpu);
12411 + unsigned long base = per_cpu_offset(cpu);
12412 + const unsigned long limit = VMALLOC_END - base - 1;
12414 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
12415 - 0x2 | DESCTYPE_S, 0x8);
12417 - write_gdt_entry(get_cpu_gdt_table(cpu),
12418 - GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
12419 + if (limit < 64*1024)
12420 + pack_descriptor(&d, base, limit, 0x80 | DESCTYPE_S | 0x3, 0x4);
12422 + pack_descriptor(&d, base, limit >> PAGE_SHIFT, 0x80 | DESCTYPE_S | 0x3, 0xC);
12423 + write_gdt_entry(gdt, GDT_ENTRY_PERCPU, &d, DESCTYPE_S);
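Review bot: `limit` is computed as `VMALLOC_END - base - 1` with no check that `base` lies below `VMALLOC_END`, so an unexpected per-cpu base would wrap to a very large segment limit instead of failing. The descriptor constants `0x80 | DESCTYPE_S | 0x3`, `0x4` and `0xC` are also unexplained. I would add `BUG_ON(base >= VMALLOC_END);` before the subtraction and a comment on the flags, for example `/* present, writable data; 0x4 = 32-bit byte-granular, 0xC = 32-bit page-granular */`.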
12427 @@ -213,6 +213,11 @@ void __init setup_per_cpu_areas(void)
12428 /* alrighty, percpu areas up and running */
12429 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
12430 for_each_possible_cpu(cpu) {
12431 +#ifdef CONFIG_CC_STACKPROTECTOR
12432 +#ifdef CONFIG_x86_32
12433 + unsigned long canary = per_cpu(stack_canary, cpu);
12436 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
12437 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
12438 per_cpu(cpu_number, cpu) = cpu;
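Review bot: The inner guard `#ifdef CONFIG_x86_32` is spelled with a lowercase `x`, while `setup_percpu_segment` earlier in this file tests `CONFIG_X86_32`, so the symbol appears never to be defined and the `canary` save added here is compiled out. The next hunk uses the same spelling around `per_cpu(stack_canary, cpu) = canary;`, so the restore for the boot CPU disappears with it and the canary is not carried over to the new per-cpu area. Both guards should read `#ifdef CONFIG_X86_32`. The closing `#endif` lines and the rest of the loop body are not visible in these hunks.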
12439 @@ -240,6 +245,12 @@ void __init setup_per_cpu_areas(void)
12440 early_per_cpu_map(x86_cpu_to_node_map, cpu);
12443 +#ifdef CONFIG_CC_STACKPROTECTOR
12444 +#ifdef CONFIG_x86_32
12445 + if (cpu == boot_cpu_id)
12446 + per_cpu(stack_canary, cpu) = canary;
12450 * Up to this point, the boot CPU has been using .data.init
12451 * area. Reload any changed state for the boot CPU.
12452 diff -urNp linux-2.6.33/arch/x86/kernel/signal.c linux-2.6.33/arch/x86/kernel/signal.c
12453 --- linux-2.6.33/arch/x86/kernel/signal.c 2010-02-24 13:52:17.000000000 -0500
12454 +++ linux-2.6.33/arch/x86/kernel/signal.c 2010-03-07 12:23:35.941628368 -0500
12455 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
12456 * Align the stack pointer according to the i386 ABI,
12457 * i.e. so that on function entry ((sp + 4) & 15) == 0.
12459 - sp = ((sp + 4) & -16ul) - 4;
12460 + sp = ((sp - 12) & -16ul) - 4;
12461 #else /* !CONFIG_X86_32 */
12462 sp = round_down(sp, 16) - 8;
12464 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
12465 * Return an always-bogus address instead so we will die with SIGSEGV.
12467 if (onsigstack && !likely(on_sig_stack(sp)))
12468 - return (void __user *)-1L;
12469 + return (__force void __user *)-1L;
12471 /* save i387 state */
12472 if (used_math() && save_i387_xstate(*fpstate) < 0)
12473 - return (void __user *)-1L;
12474 + return (__force void __user *)-1L;
12476 return (void __user *)sp;
12478 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
12481 if (current->mm->context.vdso)
12482 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
12483 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
12485 - restorer = &frame->retcode;
12486 + restorer = (void __user *)&frame->retcode;
12487 if (ka->sa.sa_flags & SA_RESTORER)
12488 restorer = ka->sa.sa_restorer;
12490 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
12491 * reasons and because gdb uses it as a signature to notice
12492 * signal handler stack frames.
12494 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
12495 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
12499 @@ -378,7 +378,7 @@ static int __setup_rt_frame(int sig, str
12500 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
12502 /* Set up to return from userspace. */
12503 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
12504 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
12505 if (ka->sa.sa_flags & SA_RESTORER)
12506 restorer = ka->sa.sa_restorer;
12507 put_user_ex(restorer, &frame->pretcode);
12508 @@ -390,7 +390,7 @@ static int __setup_rt_frame(int sig, str
12509 * reasons and because gdb uses it as a signature to notice
12510 * signal handler stack frames.
12512 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
12513 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
12514 } put_user_catch(err);
12517 @@ -780,7 +780,7 @@ static void do_signal(struct pt_regs *re
12518 * X86_32: vm86 regs switched out by assembly code before reaching
12519 * here, so testing against kernel CS suffices.
12521 - if (!user_mode(regs))
12522 + if (!user_mode_novm(regs))
12525 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
12526 diff -urNp linux-2.6.33/arch/x86/kernel/smpboot.c linux-2.6.33/arch/x86/kernel/smpboot.c
12527 --- linux-2.6.33/arch/x86/kernel/smpboot.c 2010-02-24 13:52:17.000000000 -0500
12528 +++ linux-2.6.33/arch/x86/kernel/smpboot.c 2010-03-07 12:23:35.941628368 -0500
12529 @@ -750,7 +750,11 @@ do_rest:
12530 (unsigned long)task_stack_page(c_idle.idle) -
12531 KERNEL_STACK_OFFSET + THREAD_SIZE;
12534 + pax_open_kernel();
12535 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
12536 + pax_close_kernel();
12538 initial_code = (unsigned long)start_secondary;
12539 stack_start.sp = (void *) c_idle.idle->thread.sp;
12541 diff -urNp linux-2.6.33/arch/x86/kernel/step.c linux-2.6.33/arch/x86/kernel/step.c
12542 --- linux-2.6.33/arch/x86/kernel/step.c 2010-02-24 13:52:17.000000000 -0500
12543 +++ linux-2.6.33/arch/x86/kernel/step.c 2010-03-07 12:23:35.941628368 -0500
12544 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
12545 struct desc_struct *desc;
12546 unsigned long base;
12551 mutex_lock(&child->mm->context.lock);
12552 - if (unlikely((seg >> 3) >= child->mm->context.size))
12553 + if (unlikely(seg >= child->mm->context.size))
12554 addr = -1L; /* bogus selector, access would fault */
12556 desc = child->mm->context.ldt + seg;
12557 @@ -53,6 +53,9 @@ static int is_setting_trap_flag(struct t
12558 unsigned char opcode[15];
12559 unsigned long addr = convert_ip_to_linear(child, regs);
12561 + if (addr == -EINVAL)
12564 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
12565 for (i = 0; i < copied; i++) {
12566 switch (opcode[i]) {
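Review bot: The added guard `if (addr == -EINVAL)` does not match the failure value that `convert_ip_to_linear` is shown to produce: in the previous hunk a bogus selector sets `addr = -1L`, and no visible path yields `-EINVAL`. If the intent is to skip `access_process_vm` for an unusable selector, compare against the same sentinel, `if (addr == -1L)`, or give both sites one named constant. Other return paths of `convert_ip_to_linear` lie outside these hunks, so confirm none of them returns `-EINVAL` before changing it. The statement under the new `if` is not visible here.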
12567 @@ -74,7 +77,7 @@ static int is_setting_trap_flag(struct t
12569 #ifdef CONFIG_X86_64
12570 case 0x40 ... 0x4f:
12571 - if (regs->cs != __USER_CS)
12572 + if ((regs->cs & 0xffff) != __USER_CS)
12573 /* 32-bit mode: register increment */
12575 /* 64-bit mode: REX prefix */
12576 diff -urNp linux-2.6.33/arch/x86/kernel/syscall_table_32.S linux-2.6.33/arch/x86/kernel/syscall_table_32.S
12577 --- linux-2.6.33/arch/x86/kernel/syscall_table_32.S 2010-02-24 13:52:17.000000000 -0500
12578 +++ linux-2.6.33/arch/x86/kernel/syscall_table_32.S 2010-03-07 12:23:35.941628368 -0500
12580 +.section .rodata,"a",@progbits
12581 ENTRY(sys_call_table)
12582 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
12584 diff -urNp linux-2.6.33/arch/x86/kernel/sys_i386_32.c linux-2.6.33/arch/x86/kernel/sys_i386_32.c
12585 --- linux-2.6.33/arch/x86/kernel/sys_i386_32.c 2010-02-24 13:52:17.000000000 -0500
12586 +++ linux-2.6.33/arch/x86/kernel/sys_i386_32.c 2010-03-07 12:23:35.945583410 -0500
12589 #include <asm/syscalls.h>
12591 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
12593 + unsigned long pax_task_size = TASK_SIZE;
12595 +#ifdef CONFIG_PAX_SEGMEXEC
12596 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
12597 + pax_task_size = SEGMEXEC_TASK_SIZE;
12600 + if (len > pax_task_size || addr > pax_task_size - len)
12607 * Perform the select(nd, in, out, ex, tv) and mmap() system
12608 * calls. Linux/i386 didn't use to be able to handle more than
12609 @@ -58,6 +73,205 @@ out:
12614 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
12615 + unsigned long len, unsigned long pgoff, unsigned long flags)
12617 + struct mm_struct *mm = current->mm;
12618 + struct vm_area_struct *vma;
12619 + unsigned long start_addr, pax_task_size = TASK_SIZE;
12621 +#ifdef CONFIG_PAX_SEGMEXEC
12622 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
12623 + pax_task_size = SEGMEXEC_TASK_SIZE;
12626 + if (len > pax_task_size)
12629 + if (flags & MAP_FIXED)
12632 +#ifdef CONFIG_PAX_RANDMMAP
12633 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
12637 + addr = PAGE_ALIGN(addr);
12638 + vma = find_vma(mm, addr);
12639 + if (pax_task_size - len >= addr &&
12640 + (!vma || addr + len <= vma->vm_start))
12643 + if (len > mm->cached_hole_size) {
12644 + start_addr = addr = mm->free_area_cache;
12646 + start_addr = addr = mm->mmap_base;
12647 + mm->cached_hole_size = 0;
12650 +#ifdef CONFIG_PAX_PAGEEXEC
12651 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
12652 + start_addr = 0x00110000UL;
12654 +#ifdef CONFIG_PAX_RANDMMAP
12655 + if (mm->pax_flags & MF_PAX_RANDMMAP)
12656 + start_addr += mm->delta_mmap & 0x03FFF000UL;
12659 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
12660 + start_addr = addr = mm->mmap_base;
12662 + addr = start_addr;
12667 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
12668 + /* At this point: (!vma || addr < vma->vm_end). */
12669 + if (pax_task_size - len < addr) {
12671 + * Start a new search - just in case we missed
12674 + if (start_addr != mm->mmap_base) {
12675 + start_addr = addr = mm->mmap_base;
12676 + mm->cached_hole_size = 0;
12677 + goto full_search;
12681 + if (!vma || addr + len <= vma->vm_start) {
12683 + * Remember the place where we stopped the search:
12685 + mm->free_area_cache = addr + len;
12688 + if (addr + mm->cached_hole_size < vma->vm_start)
12689 + mm->cached_hole_size = vma->vm_start - addr;
12690 + addr = vma->vm_end;
12691 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
12692 + start_addr = addr = mm->mmap_base;
12693 + mm->cached_hole_size = 0;
12694 + goto full_search;
12700 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
12701 + const unsigned long len, const unsigned long pgoff,
12702 + const unsigned long flags)
12704 + struct vm_area_struct *vma;
12705 + struct mm_struct *mm = current->mm;
12706 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
12708 +#ifdef CONFIG_PAX_SEGMEXEC
12709 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
12710 + pax_task_size = SEGMEXEC_TASK_SIZE;
12713 + /* requested length too big for entire address space */
12714 + if (len > pax_task_size)
12717 + if (flags & MAP_FIXED)
12720 +#ifdef CONFIG_PAX_PAGEEXEC
12721 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
12725 +#ifdef CONFIG_PAX_RANDMMAP
12726 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
12729 + /* requesting a specific address */
12731 + addr = PAGE_ALIGN(addr);
12732 + vma = find_vma(mm, addr);
12733 + if (pax_task_size - len >= addr &&
12734 + (!vma || addr + len <= vma->vm_start))
12738 + /* check if free_area_cache is useful for us */
12739 + if (len <= mm->cached_hole_size) {
12740 + mm->cached_hole_size = 0;
12741 + mm->free_area_cache = mm->mmap_base;
12744 + /* either no address requested or can't fit in requested address hole */
12745 + addr = mm->free_area_cache;
12747 + /* make sure it can fit in the remaining address space */
12748 + if (addr > len) {
12749 + vma = find_vma(mm, addr-len);
12750 + if (!vma || addr <= vma->vm_start)
12751 + /* remember the address as a hint for next time */
12752 + return (mm->free_area_cache = addr-len);
12755 + if (mm->mmap_base < len)
12758 + addr = mm->mmap_base-len;
12762 + * Lookup failure means no vma is above this address,
12763 + * else if new region fits below vma->vm_start,
12764 + * return with success:
12766 + vma = find_vma(mm, addr);
12767 + if (!vma || addr+len <= vma->vm_start)
12768 + /* remember the address as a hint for next time */
12769 + return (mm->free_area_cache = addr);
12771 + /* remember the largest hole we saw so far */
12772 + if (addr + mm->cached_hole_size < vma->vm_start)
12773 + mm->cached_hole_size = vma->vm_start - addr;
12775 + /* try just below the current vma->vm_start */
12776 + addr = vma->vm_start-len;
12777 + } while (len < vma->vm_start);
12781 + * A failed mmap() very likely causes application failure,
12782 + * so fall back to the bottom-up function here. This scenario
12783 + * can happen with large stack limits and large mmap()
12787 +#ifdef CONFIG_PAX_SEGMEXEC
12788 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
12789 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
12793 + mm->mmap_base = TASK_UNMAPPED_BASE;
12795 +#ifdef CONFIG_PAX_RANDMMAP
12796 + if (mm->pax_flags & MF_PAX_RANDMMAP)
12797 + mm->mmap_base += mm->delta_mmap;
12800 + mm->free_area_cache = mm->mmap_base;
12801 + mm->cached_hole_size = ~0UL;
12802 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
12804 + * Restore the topdown base:
12806 + mm->mmap_base = base;
12807 + mm->free_area_cache = base;
12808 + mm->cached_hole_size = ~0UL;
12813 struct sel_arg_struct {
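Review bot: The `CONFIG_PAX_PAGEEXEC` branch of `arch_get_unmapped_area` hard-codes `start_addr = 0x00110000UL` and the mask `0x03FFF000UL` without comment. The mask keeps bits 12–25 of `mm->delta_mmap`, i.e. 14 bits of page-aligned offset. The base is presumably chosen so that executable mappings sit low in the address space when NX is unavailable. Both deserve a named constant or a comment such as `/* no NX: search for executable mappings from a low base, randomized by 14 bits */`, so the entropy of this path can be audited without decoding the literals. Several lines of both new functions (returns, `#endif`s, braces) are not visible in this listing, so this covers only what is shown.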
12815 @@ -93,7 +307,7 @@ asmlinkage int sys_ipc(uint call, int fi
12816 return sys_semtimedop(first, (struct sembuf __user *)ptr, second, NULL);
12818 return sys_semtimedop(first, (struct sembuf __user *)ptr, second,
12819 - (const struct timespec __user *)fifth);
12820 + (__force const struct timespec __user *)fifth);
12823 return sys_semget(first, second, third);
12824 @@ -140,7 +354,7 @@ asmlinkage int sys_ipc(uint call, int fi
12825 ret = do_shmat(first, (char __user *) ptr, second, &raddr);
12828 - return put_user(raddr, (ulong __user *) third);
12829 + return put_user(raddr, (__force ulong __user *) third);
12831 case 1: /* iBCS2 emulator entry point */
12832 if (!segment_eq(get_fs(), get_ds()))
12833 diff -urNp linux-2.6.33/arch/x86/kernel/sys_x86_64.c linux-2.6.33/arch/x86/kernel/sys_x86_64.c
12834 --- linux-2.6.33/arch/x86/kernel/sys_x86_64.c 2010-02-24 13:52:17.000000000 -0500
12835 +++ linux-2.6.33/arch/x86/kernel/sys_x86_64.c 2010-03-07 12:23:35.945583410 -0500
12836 @@ -32,8 +32,8 @@ out:
12840 -static void find_start_end(unsigned long flags, unsigned long *begin,
12841 - unsigned long *end)
12842 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
12843 + unsigned long *begin, unsigned long *end)
12845 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
12846 unsigned long new_begin;
12847 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
12848 *begin = new_begin;
12851 - *begin = TASK_UNMAPPED_BASE;
12852 + *begin = mm->mmap_base;
12856 @@ -69,11 +69,15 @@ arch_get_unmapped_area(struct file *filp
12857 if (flags & MAP_FIXED)
12860 - find_start_end(flags, &begin, &end);
12861 + find_start_end(mm, flags, &begin, &end);
12866 +#ifdef CONFIG_PAX_RANDMMAP
12867 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
12871 addr = PAGE_ALIGN(addr);
12872 vma = find_vma(mm, addr);
12873 @@ -128,7 +132,7 @@ arch_get_unmapped_area_topdown(struct fi
12875 struct vm_area_struct *vma;
12876 struct mm_struct *mm = current->mm;
12877 - unsigned long addr = addr0;
12878 + unsigned long base = mm->mmap_base, addr = addr0;
12880 /* requested length too big for entire address space */
12881 if (len > TASK_SIZE)
12882 @@ -141,6 +145,10 @@ arch_get_unmapped_area_topdown(struct fi
12883 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
12886 +#ifdef CONFIG_PAX_RANDMMAP
12887 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
12890 /* requesting a specific address */
12892 addr = PAGE_ALIGN(addr);
12893 @@ -198,13 +206,21 @@ bottomup:
12894 * can happen with large stack limits and large mmap()
12897 + mm->mmap_base = TASK_UNMAPPED_BASE;
12899 +#ifdef CONFIG_PAX_RANDMMAP
12900 + if (mm->pax_flags & MF_PAX_RANDMMAP)
12901 + mm->mmap_base += mm->delta_mmap;
12904 + mm->free_area_cache = mm->mmap_base;
12905 mm->cached_hole_size = ~0UL;
12906 - mm->free_area_cache = TASK_UNMAPPED_BASE;
12907 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
12909 * Restore the topdown base:
12911 - mm->free_area_cache = mm->mmap_base;
12912 + mm->mmap_base = base;
12913 + mm->free_area_cache = base;
12914 mm->cached_hole_size = ~0UL;
12917 diff -urNp linux-2.6.33/arch/x86/kernel/time.c linux-2.6.33/arch/x86/kernel/time.c
12918 --- linux-2.6.33/arch/x86/kernel/time.c 2010-02-24 13:52:17.000000000 -0500
12919 +++ linux-2.6.33/arch/x86/kernel/time.c 2010-03-07 12:23:35.945583410 -0500
12920 @@ -26,17 +26,13 @@
12924 -#ifdef CONFIG_X86_64
12925 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
12928 unsigned long profile_pc(struct pt_regs *regs)
12930 unsigned long pc = instruction_pointer(regs);
12932 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
12933 + if (!user_mode(regs) && in_lock_functions(pc)) {
12934 #ifdef CONFIG_FRAME_POINTER
12935 - return *(unsigned long *)(regs->bp + sizeof(long));
12936 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
12938 unsigned long *sp =
12939 (unsigned long *)kernel_stack_pointer(regs);
12940 @@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
12941 * or above a saved flags. Eflags has bits 22-31 zero,
12942 * kernel addresses don't.
12945 +#ifdef CONFIG_PAX_KERNEXEC
12946 + return ktla_ktva(sp[0]);
12958 diff -urNp linux-2.6.33/arch/x86/kernel/tls.c linux-2.6.33/arch/x86/kernel/tls.c
12959 --- linux-2.6.33/arch/x86/kernel/tls.c 2010-02-24 13:52:17.000000000 -0500
12960 +++ linux-2.6.33/arch/x86/kernel/tls.c 2010-03-07 12:23:35.945583410 -0500
12961 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
12962 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
12965 +#ifdef CONFIG_PAX_SEGMEXEC
12966 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
12970 set_tls_desc(p, idx, &info, 1);
12973 diff -urNp linux-2.6.33/arch/x86/kernel/trampoline_32.S linux-2.6.33/arch/x86/kernel/trampoline_32.S
12974 --- linux-2.6.33/arch/x86/kernel/trampoline_32.S 2010-02-24 13:52:17.000000000 -0500
12975 +++ linux-2.6.33/arch/x86/kernel/trampoline_32.S 2010-03-07 12:23:35.945583410 -0500
12977 #include <asm/segment.h>
12978 #include <asm/page_types.h>
12980 +#ifdef CONFIG_PAX_KERNEXEC
12983 +#define ta(X) ((X) - __PAGE_OFFSET)
12986 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
12989 @@ -60,7 +66,7 @@ r_base = .
12990 inc %ax # protected mode (PE) bit
12991 lmsw %ax # into protected mode
12992 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
12993 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
12994 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
12996 # These need to be in the same 64K segment as the above;
12997 # hence we don't use the boot_gdt_descr defined in head.S
12998 diff -urNp linux-2.6.33/arch/x86/kernel/traps.c linux-2.6.33/arch/x86/kernel/traps.c
12999 --- linux-2.6.33/arch/x86/kernel/traps.c 2010-02-24 13:52:17.000000000 -0500
13000 +++ linux-2.6.33/arch/x86/kernel/traps.c 2010-03-07 12:23:35.945583410 -0500
13001 @@ -69,12 +69,6 @@ asmlinkage int system_call(void);
13003 /* Do we ignore FPU interrupts ? */
13004 char ignore_fpu_irq;
13007 - * The IDT has to be page-aligned to simplify the Pentium
13008 - * F0 0F bug workaround.
13010 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
13013 DECLARE_BITMAP(used_vectors, NR_VECTORS);
13014 @@ -112,19 +106,19 @@ static inline void preempt_conditional_c
13016 die_if_kernel(const char *str, struct pt_regs *regs, long err)
13018 - if (!user_mode_vm(regs))
13019 + if (!user_mode(regs))
13020 die(str, regs, err);
13024 static void __kprobes
13025 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
13026 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
13027 long error_code, siginfo_t *info)
13029 struct task_struct *tsk = current;
13031 #ifdef CONFIG_X86_32
13032 - if (regs->flags & X86_VM_MASK) {
13033 + if (v8086_mode(regs)) {
13035 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
13036 * On nmi (interrupt 2), do_trap should not be called.
13037 @@ -135,7 +129,7 @@ do_trap(int trapnr, int signr, char *str
13041 - if (!user_mode(regs))
13042 + if (!user_mode_novm(regs))
13045 #ifdef CONFIG_X86_32
13046 @@ -158,7 +152,7 @@ trap_signal:
13047 printk_ratelimit()) {
13049 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
13050 - tsk->comm, tsk->pid, str,
13051 + tsk->comm, task_pid_nr(tsk), str,
13052 regs->ip, regs->sp, error_code);
13053 print_vma_addr(" in ", regs->ip);
13055 @@ -175,8 +169,20 @@ kernel_trap:
13056 if (!fixup_exception(regs)) {
13057 tsk->thread.error_code = error_code;
13058 tsk->thread.trap_no = trapnr;
13060 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
13061 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
13062 + str = "PAX: suspicious stack segment fault";
13065 die(str, regs, error_code);
13068 +#ifdef CONFIG_PAX_REFCOUNT
13070 + pax_report_refcount_overflow(regs);
13075 #ifdef CONFIG_X86_32
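Review bot: The selector test `(regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS` is written out here and again in the `gp_in_kernel` hunk further down, and `trapnr == 12` is a bare vector number. A small `static inline` predicate shared by both sites would keep the two "PAX: suspicious ... fault" reports in step. A comment `/* 12: stack-segment fault */` next to the literal would explain it. The enclosing `do_trap` begins and ends outside this hunk.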
13076 @@ -265,14 +271,30 @@ do_general_protection(struct pt_regs *re
13077 conditional_sti(regs);
13079 #ifdef CONFIG_X86_32
13080 - if (regs->flags & X86_VM_MASK)
13081 + if (v8086_mode(regs))
13086 - if (!user_mode(regs))
13087 + if (!user_mode_novm(regs))
13090 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
13091 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
13092 + struct mm_struct *mm = tsk->mm;
13093 + unsigned long limit;
13095 + down_write(&mm->mmap_sem);
13096 + limit = mm->context.user_cs_limit;
13097 + if (limit < TASK_SIZE) {
13098 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
13099 + up_write(&mm->mmap_sem);
13102 + up_write(&mm->mmap_sem);
13106 tsk->thread.error_code = error_code;
13107 tsk->thread.trap_no = 13;
13109 @@ -305,6 +327,13 @@ gp_in_kernel:
13110 if (notify_die(DIE_GPF, "general protection fault", regs,
13111 error_code, 13, SIGSEGV) == NOTIFY_STOP)
13114 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
13115 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
13116 + die("PAX: suspicious general protection fault", regs, error_code);
13120 die("general protection fault", regs, error_code);
13123 @@ -556,7 +585,7 @@ dotraplinkage void __kprobes do_debug(st
13124 /* It's safe to allow irq's after DR6 has been saved */
13125 preempt_conditional_sti(regs);
13127 - if (regs->flags & X86_VM_MASK) {
13128 + if (v8086_mode(regs)) {
13129 handle_vm86_trap((struct kernel_vm86_regs *) regs,
13132 @@ -569,7 +598,7 @@ dotraplinkage void __kprobes do_debug(st
13133 * We already checked v86 mode above, so we can check for kernel mode
13134 * by just checking the CPL of CS.
13136 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
13137 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
13138 tsk->thread.debugreg6 &= ~DR_STEP;
13139 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
13140 regs->flags &= ~X86_EFLAGS_TF;
13141 @@ -736,7 +765,7 @@ do_simd_coprocessor_error(struct pt_regs
13142 * Handle strange cache flush from user space exception
13143 * in all other cases. This is undocumented behaviour.
13145 - if (regs->flags & X86_VM_MASK) {
13146 + if (v8086_mode(regs)) {
13147 handle_vm86_fault((struct kernel_vm86_regs *)regs, error_code);
13150 diff -urNp linux-2.6.33/arch/x86/kernel/tsc.c linux-2.6.33/arch/x86/kernel/tsc.c
13151 --- linux-2.6.33/arch/x86/kernel/tsc.c 2010-02-24 13:52:17.000000000 -0500
13152 +++ linux-2.6.33/arch/x86/kernel/tsc.c 2010-03-07 12:23:35.945583410 -0500
13153 @@ -795,7 +795,7 @@ static struct dmi_system_id __initdata b
13154 DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
13158 + { NULL, NULL, {{0, {0}}}, NULL}
13161 static void __init check_system_tsc_reliable(void)
13162 diff -urNp linux-2.6.33/arch/x86/kernel/vm86_32.c linux-2.6.33/arch/x86/kernel/vm86_32.c
13163 --- linux-2.6.33/arch/x86/kernel/vm86_32.c 2010-02-24 13:52:17.000000000 -0500
13164 +++ linux-2.6.33/arch/x86/kernel/vm86_32.c 2010-03-07 12:23:35.945583410 -0500
13166 #include <linux/ptrace.h>
13167 #include <linux/audit.h>
13168 #include <linux/stddef.h>
13169 +#include <linux/grsecurity.h>
13171 #include <asm/uaccess.h>
13172 #include <asm/io.h>
13173 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
13177 - tss = &per_cpu(init_tss, get_cpu());
13178 + tss = init_tss + get_cpu();
13179 current->thread.sp0 = current->thread.saved_sp0;
13180 current->thread.sysenter_cs = __KERNEL_CS;
13181 load_sp0(tss, ¤t->thread);
13182 @@ -207,6 +208,13 @@ int sys_vm86old(struct vm86_struct __use
13183 struct task_struct *tsk;
13184 int tmp, ret = -EPERM;
13186 +#ifdef CONFIG_GRKERNSEC_VM86
13187 + if (!capable(CAP_SYS_RAWIO)) {
13188 + gr_handle_vm86();
13194 if (tsk->thread.saved_sp0)
13196 @@ -237,6 +245,14 @@ int sys_vm86(unsigned long cmd, unsigned
13198 struct vm86plus_struct __user *v86;
13200 +#ifdef CONFIG_GRKERNSEC_VM86
13201 + if (!capable(CAP_SYS_RAWIO)) {
13202 + gr_handle_vm86();
13210 case VM86_REQUEST_IRQ:
13211 @@ -323,7 +339,7 @@ static void do_sys_vm86(struct kernel_vm
13212 tsk->thread.saved_fs = info->regs32->fs;
13213 tsk->thread.saved_gs = get_user_gs(info->regs32);
13215 - tss = &per_cpu(init_tss, get_cpu());
13216 + tss = init_tss + get_cpu();
13217 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
13219 tsk->thread.sysenter_cs = 0;
13220 @@ -528,7 +544,7 @@ static void do_int(struct kernel_vm86_re
13221 goto cannot_handle;
13222 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
13223 goto cannot_handle;
13224 - intr_ptr = (unsigned long __user *) (i << 2);
13225 + intr_ptr = (__force unsigned long __user *) (i << 2);
13226 if (get_user(segoffs, intr_ptr))
13227 goto cannot_handle;
13228 if ((segoffs >> 16) == BIOSSEG)
13229 diff -urNp linux-2.6.33/arch/x86/kernel/vmi_32.c linux-2.6.33/arch/x86/kernel/vmi_32.c
13230 --- linux-2.6.33/arch/x86/kernel/vmi_32.c 2010-02-24 13:52:17.000000000 -0500
13231 +++ linux-2.6.33/arch/x86/kernel/vmi_32.c 2010-03-07 12:23:35.945583410 -0500
13232 @@ -44,12 +44,17 @@ typedef u32 __attribute__((regparm(1)))
13233 typedef u64 __attribute__((regparm(2))) (VROMLONGFUNC)(int);
13235 #define call_vrom_func(rom,func) \
13236 - (((VROMFUNC *)(rom->func))())
13237 + (((VROMFUNC *)(ktva_ktla(rom.func)))())
13239 #define call_vrom_long_func(rom,func,arg) \
13240 - (((VROMLONGFUNC *)(rom->func)) (arg))
13242 + u64 __reloc = ((VROMLONGFUNC *)(ktva_ktla(rom.func))) (arg);\
13243 + struct vmi_relocation_info *const __rel = (struct vmi_relocation_info *)&__reloc;\
13244 + __rel->eip = (unsigned char *)ktva_ktla((unsigned long)__rel->eip);\
13248 -static struct vrom_header *vmi_rom;
13249 +static struct vrom_header vmi_rom __attribute((__section__(".vmi.rom"), __aligned__(PAGE_SIZE)));
13250 static int disable_pge;
13251 static int disable_pse;
13252 static int disable_sep;
13253 @@ -76,10 +81,10 @@ static struct {
13254 void (*set_initial_ap_state)(int, int);
13255 void (*halt)(void);
13256 void (*set_lazy_mode)(int mode);
13258 +} vmi_ops __read_only;
13260 /* Cached VMI operations */
13261 -struct vmi_timer_ops vmi_timer_ops;
13262 +struct vmi_timer_ops vmi_timer_ops __read_only;
13265 * VMI patching routines.
13266 @@ -94,7 +99,7 @@ struct vmi_timer_ops vmi_timer_ops;
13267 static inline void patch_offset(void *insnbuf,
13268 unsigned long ip, unsigned long dest)
13270 - *(unsigned long *)(insnbuf+1) = dest-ip-5;
13271 + *(unsigned long *)(insnbuf+1) = dest-ip-5;
13274 static unsigned patch_internal(int call, unsigned len, void *insnbuf,
13275 @@ -102,6 +107,7 @@ static unsigned patch_internal(int call,
13278 struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
13280 reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
13281 switch(rel->type) {
13282 case VMI_RELOCATION_CALL_REL:
13283 @@ -404,13 +410,13 @@ static void vmi_set_pud(pud_t *pudp, pud
13285 static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
13287 - const pte_t pte = { .pte = 0 };
13288 + const pte_t pte = __pte(0ULL);
13289 vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
13292 static void vmi_pmd_clear(pmd_t *pmd)
13294 - const pte_t pte = { .pte = 0 };
13295 + const pte_t pte = __pte(0ULL);
13296 vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
13299 @@ -438,8 +444,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
13300 ap.ss = __KERNEL_DS;
13301 ap.esp = (unsigned long) start_esp;
13303 - ap.ds = __USER_DS;
13304 - ap.es = __USER_DS;
13305 + ap.ds = __KERNEL_DS;
13306 + ap.es = __KERNEL_DS;
13307 ap.fs = __KERNEL_PERCPU;
13308 ap.gs = __KERNEL_STACK_CANARY;
13310 @@ -486,6 +492,18 @@ static void vmi_leave_lazy_mmu(void)
13311 paravirt_leave_lazy_mmu();
13314 +#ifdef CONFIG_PAX_KERNEXEC
13315 +static unsigned long vmi_pax_open_kernel(void)
13320 +static unsigned long vmi_pax_close_kernel(void)
13326 static inline int __init check_vmi_rom(struct vrom_header *rom)
13328 struct pci_header *pci;
13329 @@ -498,6 +516,10 @@ static inline int __init check_vmi_rom(s
13331 if (rom->vrom_signature != VMI_SIGNATURE)
13333 + if (rom->rom_length * 512 > sizeof(*rom)) {
13334 + printk(KERN_WARNING "PAX: VMI: ROM size too big: %x\n", rom->rom_length * 512);
13337 if (rom->api_version_maj != VMI_API_REV_MAJOR ||
13338 rom->api_version_min+1 < VMI_API_REV_MINOR+1) {
13339 printk(KERN_WARNING "VMI: Found mismatched rom version %d.%d\n",
13340 @@ -562,7 +584,7 @@ static inline int __init probe_vmi_rom(v
13341 struct vrom_header *romstart;
13342 romstart = (struct vrom_header *)isa_bus_to_virt(base);
13343 if (check_vmi_rom(romstart)) {
13344 - vmi_rom = romstart;
13345 + vmi_rom = *romstart;
13349 @@ -836,6 +858,11 @@ static inline int __init activate_vmi(vo
13351 para_fill(pv_irq_ops.safe_halt, Halt);
13353 +#ifdef CONFIG_PAX_KERNEXEC
13354 + pv_mmu_ops.pax_open_kernel = vmi_pax_open_kernel;
13355 + pv_mmu_ops.pax_close_kernel = vmi_pax_close_kernel;
13359 * Alternative instruction rewriting doesn't happen soon enough
13360 * to convert VMI_IRET to a call instead of a jump; so we have
13361 @@ -853,16 +880,16 @@ static inline int __init activate_vmi(vo
13363 void __init vmi_init(void)
13366 + if (!vmi_rom.rom_signature)
13369 - check_vmi_rom(vmi_rom);
13370 + check_vmi_rom(&vmi_rom);
13372 /* In case probing for or validating the ROM failed, basil */
13374 + if (!vmi_rom.rom_signature)
13377 - reserve_top_address(-vmi_rom->virtual_top);
13378 + reserve_top_address(-vmi_rom.virtual_top);
13380 #ifdef CONFIG_X86_IO_APIC
13381 /* This is virtual hardware; timer routing is wired correctly */
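Review bot: `vmi_init` calls `check_vmi_rom(&vmi_rom);` as a bare statement, so a failed validation has no effect on this path, and that includes the new `rom->rom_length * 512 > sizeof(*rom)` rejection this patch adds to `check_vmi_rom`. The following `if (!vmi_rom.rom_signature)` test only catches a ROM that was never found. `probe_vmi_rom` treats a non-zero return as success (`if (check_vmi_rom(romstart))`), so the same convention can be used here: `if (!check_vmi_rom(&vmi_rom)) return;`. The lines between the first `if` and this call are not visible in the hunk, so the exact placement needs checking against the full function, which continues past the hunk.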
13382 @@ -874,7 +901,7 @@ void __init vmi_activate(void)
13384 unsigned long flags;
13387 + if (!vmi_rom.rom_signature)
13390 local_irq_save(flags);
13391 diff -urNp linux-2.6.33/arch/x86/kernel/vmlinux.lds.S linux-2.6.33/arch/x86/kernel/vmlinux.lds.S
13392 --- linux-2.6.33/arch/x86/kernel/vmlinux.lds.S 2010-02-24 13:52:17.000000000 -0500
13393 +++ linux-2.6.33/arch/x86/kernel/vmlinux.lds.S 2010-03-07 12:23:35.945583410 -0500
13395 #include <asm/page_types.h>
13396 #include <asm/cache.h>
13397 #include <asm/boot.h>
13398 +#include <asm/segment.h>
13402 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
13403 +#define PMD_SHIFT 21
13405 +#define PMD_SHIFT 22
13407 +#define PMD_SIZE (1 << PMD_SHIFT)
13409 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
13410 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
13412 +#define __KERNEL_TEXT_OFFSET 0
13415 #undef i386 /* in case the preprocessor is a 32bit one */
13417 @@ -34,13 +50,13 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
13418 #ifdef CONFIG_X86_32
13420 ENTRY(phys_startup_32)
13421 -jiffies = jiffies_64;
13423 OUTPUT_ARCH(i386:x86-64)
13424 ENTRY(phys_startup_64)
13425 -jiffies_64 = jiffies;
13428 +jiffies = jiffies_64;
13430 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
13432 * On 64-bit, align RODATA to 2MB so that even with CONFIG_DEBUG_RODATA
13433 @@ -69,31 +85,46 @@ jiffies_64 = jiffies;
13436 text PT_LOAD FLAGS(5); /* R_E */
13437 - data PT_LOAD FLAGS(7); /* RWE */
13439 + rodata PT_LOAD FLAGS(5); /* R_E */
13441 + rodata PT_LOAD FLAGS(4); /* R__ */
13443 +#ifdef CONFIG_X86_32
13444 + module PT_LOAD FLAGS(5); /* R_E */
13446 + data PT_LOAD FLAGS(6); /* RW_ */
13447 #ifdef CONFIG_X86_64
13448 user PT_LOAD FLAGS(5); /* R_E */
13450 + init.begin PT_LOAD FLAGS(6); /* RW_ */
13452 percpu PT_LOAD FLAGS(6); /* RW_ */
13454 + text.init PT_LOAD FLAGS(5); /* R_E */
13455 + text.exit PT_LOAD FLAGS(5); /* R_E */
13456 init PT_LOAD FLAGS(7); /* RWE */
13458 note PT_NOTE FLAGS(0); /* ___ */
13463 #ifdef CONFIG_X86_32
13464 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
13465 - phys_startup_32 = startup_32 - LOAD_OFFSET;
13466 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
13468 - . = __START_KERNEL;
13469 - phys_startup_64 = startup_64 - LOAD_OFFSET;
13470 + . = __START_KERNEL;
13473 /* Text and read-only data */
13474 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
13476 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
13477 /* bootstrapping code */
13478 +#ifdef CONFIG_X86_32
13479 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
13481 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
13483 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
13486 #ifdef CONFIG_X86_32
13487 . = ALIGN(PAGE_SIZE);
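Review bot: The `init` program header stays at `FLAGS(7)` (RWE) in this hunk, even though the patch adds separate `text.init` and `text.exit` headers flagged R_E and a new `init.begin` header flagged RW_. If no executable input section is still assigned to `:init` after the split (a later hunk assigns `INIT_DATA_SECTION(16) :init`), `init PT_LOAD FLAGS(6); /* RW_ */` would leave the segment map without a writable-and-executable entry. Several lines of this hunk are not visible in this listing, including the conditionals around the two `rodata` entries, so this needs checking against the full PHDRS block.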
13488 @@ -108,30 +139,66 @@ SECTIONS
13492 - /* End of text section */
13496 - NOTES :text :note
13497 + . += __KERNEL_TEXT_OFFSET;
13499 + . = ALIGN(PAGE_SIZE);
13500 + NOTES :rodata :note
13502 - EXCEPTION_TABLE(16) :text = 0x9090
13503 + EXCEPTION_TABLE(16) :rodata
13505 X64_ALIGN_DEBUG_RODATA_BEGIN
13507 X64_ALIGN_DEBUG_RODATA_END
13509 +#ifdef CONFIG_X86_32
13510 + . = ALIGN(PAGE_SIZE);
13511 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
13513 + . = ALIGN(PAGE_SIZE);
13514 + *(.empty_zero_page)
13515 + *(.swapper_pg_pmd)
13516 + *(.swapper_pg_dir)
13519 + . = ALIGN(PAGE_SIZE);
13520 + .vmi.rom : AT(ADDR(.vmi.rom) - LOAD_OFFSET) {
13524 + . = ALIGN(PAGE_SIZE);
13525 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
13527 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
13528 + MODULES_EXEC_VADDR = .;
13530 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
13531 + . = ALIGN(PMD_SIZE);
13532 + MODULES_EXEC_END = . - 1;
13539 .data : AT(ADDR(.data) - LOAD_OFFSET) {
13540 + /* End of text section */
13541 + _etext = . - __KERNEL_TEXT_OFFSET;
13543 +#ifdef CONFIG_PAX_KERNEXEC
13544 + . = ALIGN(PMD_SIZE);
13546 + . = ALIGN(PAGE_SIZE);
13549 /* Start of data section */
13553 INIT_TASK_DATA(THREAD_SIZE)
13555 -#ifdef CONFIG_X86_32
13556 - /* 32 bit has nosave before _edata */
13560 PAGE_ALIGNED_DATA(PAGE_SIZE)
13562 @@ -194,12 +261,6 @@ SECTIONS
13564 vgetcpu_mode = VVIRT(.vgetcpu_mode);
13566 - . = ALIGN(L1_CACHE_BYTES);
13567 - .jiffies : AT(VLOAD(.jiffies)) {
13570 - jiffies = VVIRT(.jiffies);
13572 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
13575 @@ -215,12 +276,19 @@ SECTIONS
13576 #endif /* CONFIG_X86_64 */
13578 /* Init code and data - will be freed after init */
13579 - . = ALIGN(PAGE_SIZE);
13580 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
13583 +#ifdef CONFIG_PAX_KERNEXEC
13584 + . = ALIGN(PMD_SIZE);
13586 + . = ALIGN(PAGE_SIZE);
13589 __init_begin = .; /* paired with __init_end */
13593 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
13596 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
13597 * output PHDR, so the next output section - .init.text - should
13598 @@ -229,12 +297,27 @@ SECTIONS
13599 PERCPU_VADDR(0, :percpu)
13602 - INIT_TEXT_SECTION(PAGE_SIZE)
13603 -#ifdef CONFIG_X86_64
13606 + . = ALIGN(PAGE_SIZE);
13608 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
13609 + VMLINUX_SYMBOL(_sinittext) = .;
13611 + VMLINUX_SYMBOL(_einittext) = .;
13612 + . = ALIGN(PAGE_SIZE);
13616 + * .exit.text is discard at runtime, not link time, to deal with
13617 + * references from .altinstructions and .eh_frame
13619 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
13623 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
13625 - INIT_DATA_SECTION(16)
13626 + . = ALIGN(PAGE_SIZE);
13627 + INIT_DATA_SECTION(16) :init
13629 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
13630 __x86_cpu_dev_start = .;
13631 @@ -260,19 +343,11 @@ SECTIONS
13632 *(.altinstr_replacement)
13636 - * .exit.text is discard at runtime, not link time, to deal with
13637 - * references from .altinstructions and .eh_frame
13639 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
13643 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
13647 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
13648 +#ifndef CONFIG_SMP
13652 @@ -295,12 +370,6 @@ SECTIONS
13653 . = ALIGN(PAGE_SIZE);
13656 -#ifdef CONFIG_X86_64
13657 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
13663 . = ALIGN(PAGE_SIZE);
13664 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
13665 @@ -316,6 +385,7 @@ SECTIONS
13667 . += 64 * 1024; /* 64k alignment slop space */
13668 *(.brk_reservation) /* areas brk users have reserved */
13669 + . = ALIGN(PMD_SIZE);
13673 @@ -342,13 +412,12 @@ SECTIONS
13674 * for the boot processor.
13676 #define INIT_PER_CPU(x) init_per_cpu__##x = per_cpu__##x + __per_cpu_load
13677 -INIT_PER_CPU(gdt_page);
13678 INIT_PER_CPU(irq_stack_union);
13681 * Build-time check on the image size:
13683 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
13684 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
13685 "kernel image bigger than KERNEL_IMAGE_SIZE");
13688 diff -urNp linux-2.6.33/arch/x86/kernel/vsyscall_64.c linux-2.6.33/arch/x86/kernel/vsyscall_64.c
13689 --- linux-2.6.33/arch/x86/kernel/vsyscall_64.c 2010-02-24 13:52:17.000000000 -0500
13690 +++ linux-2.6.33/arch/x86/kernel/vsyscall_64.c 2010-03-07 12:23:48.697874532 -0500
13691 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
13693 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
13694 /* copy vsyscall data */
13695 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
13696 vsyscall_gtod_data.clock.vread = clock->vread;
13697 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
13698 vsyscall_gtod_data.clock.mask = clock->mask;
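Review bot: The added `strlcpy()` discards its return value, so a truncated clock name goes unnoticed, and it relies on `clock->name` being NUL-terminated while it runs inside the `write_seqlock_irqsave()` section. The bound `sizeof vsyscall_gtod_data.clock.name` is only correct if that member is an array; its declaration is outside the hunk, and if it were a pointer the copy would be limited to the pointer size. A comment such as `/* name is stored by value here; truncation to the destination size is acceptable */` would record the intent. update_vsyscall() continues past the end of this hunk.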
13699 @@ -203,7 +204,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
13700 We do this here because otherwise user space would do it on
13701 its own in a likely inferior way (no access to jiffies).
13702 If you don't like it pass NULL. */
13703 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
13704 + if (tcache && tcache->blob[0] == (j = jiffies)) {
13705 p = tcache->blob[1];
13706 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
13707 /* Load per CPU data from RDTSCP */
13708 diff -urNp linux-2.6.33/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.33/arch/x86/kernel/x8664_ksyms_64.c
13709 --- linux-2.6.33/arch/x86/kernel/x8664_ksyms_64.c 2010-02-24 13:52:17.000000000 -0500
13710 +++ linux-2.6.33/arch/x86/kernel/x8664_ksyms_64.c 2010-03-07 12:23:35.945583410 -0500
13711 @@ -28,8 +28,6 @@ EXPORT_SYMBOL(__put_user_8);
13713 EXPORT_SYMBOL(copy_user_generic);
13714 EXPORT_SYMBOL(__copy_user_nocache);
13715 -EXPORT_SYMBOL(_copy_from_user);
13716 -EXPORT_SYMBOL(_copy_to_user);
13718 EXPORT_SYMBOL(copy_page);
13719 EXPORT_SYMBOL(clear_page);
13720 diff -urNp linux-2.6.33/arch/x86/kernel/xsave.c linux-2.6.33/arch/x86/kernel/xsave.c
13721 --- linux-2.6.33/arch/x86/kernel/xsave.c 2010-02-24 13:52:17.000000000 -0500
13722 +++ linux-2.6.33/arch/x86/kernel/xsave.c 2010-03-07 12:23:35.945583410 -0500
13723 @@ -54,7 +54,7 @@ int check_for_xstate(struct i387_fxsave_
13724 fx_sw_user->xstate_size > fx_sw_user->extended_size)
13727 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
13728 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
13729 fx_sw_user->extended_size -
13730 FP_XSTATE_MAGIC2_SIZE));
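Review bot: The re-annotated `__get_user()` still reads from `fpstate + fx_sw_user->extended_size - FP_XSTATE_MAGIC2_SIZE` with no range check of its own, and the only constraint on `extended_size` visible in this hunk is the comparison `fx_sw_user->xstate_size > fx_sw_user->extended_size`, which bounds it from below. Because `__get_user()` skips `access_ok()`, the caller must already have validated a range that covers `extended_size`; if that is not guaranteed, `get_user()` is the safer call at this site. check_for_xstate() begins outside the hunk, so an upper bound may exist in lines not shown.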
13732 @@ -196,7 +196,7 @@ fx_only:
13733 * the other extended state.
13735 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
13736 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
13737 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
13741 @@ -228,7 +228,7 @@ int restore_i387_xstate(void __user *buf
13742 if (task_thread_info(tsk)->status & TS_XSAVE)
13743 err = restore_user_xstate(buf);
13745 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
13746 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
13748 if (unlikely(err)) {
13750 diff -urNp linux-2.6.33/arch/x86/kvm/emulate.c linux-2.6.33/arch/x86/kvm/emulate.c
13751 --- linux-2.6.33/arch/x86/kvm/emulate.c 2010-02-24 13:52:17.000000000 -0500
13752 +++ linux-2.6.33/arch/x86/kvm/emulate.c 2010-03-07 12:23:35.945583410 -0500
13753 @@ -398,6 +398,7 @@ static u32 group2_table[] = {
13755 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
13757 + unsigned long _tmp; \
13758 __asm__ __volatile__ ( \
13759 _PRE_EFLAGS("0", "4", "2") \
13760 _op _suffix " %"_x"3,%1; " \
13761 @@ -411,8 +412,6 @@ static u32 group2_table[] = {
13762 /* Raw emulation: instruction has two explicit operands. */
13763 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
13765 - unsigned long _tmp; \
13767 switch ((_dst).bytes) { \
13769 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
13770 @@ -428,7 +427,6 @@ static u32 group2_table[] = {
13772 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
13774 - unsigned long _tmp; \
13775 switch ((_dst).bytes) { \
13777 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
13778 diff -urNp linux-2.6.33/arch/x86/kvm/svm.c linux-2.6.33/arch/x86/kvm/svm.c
13779 --- linux-2.6.33/arch/x86/kvm/svm.c 2010-02-24 13:52:17.000000000 -0500
13780 +++ linux-2.6.33/arch/x86/kvm/svm.c 2010-03-07 12:23:35.945583410 -0500
13781 @@ -2428,7 +2428,11 @@ static void reload_tss(struct kvm_vcpu *
13782 int cpu = raw_smp_processor_id();
13784 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
13786 + pax_open_kernel();
13787 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
13788 + pax_close_kernel();
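Review bot: The `pax_open_kernel()` / `pax_close_kernel()` pair added around `sd->tss_desc->type = 9;` carries no comment saying why this store needs a write window or what may go inside it. Assuming the descriptor lives in memory this patch set write-protects, a line such as `/* descriptor table is write-protected; keep only this store inside the window */` above `pax_open_kernel()` would stop later edits from placing calls that can sleep or return early between the two. The same applies to the `descs[GDT_ENTRY_TSS].type = 9;` store in reload_tss() in vmx.c.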
13793 @@ -2910,7 +2914,7 @@ static bool svm_gb_page_enable(void)
13797 -static struct kvm_x86_ops svm_x86_ops = {
13798 +static const struct kvm_x86_ops svm_x86_ops = {
13799 .cpu_has_kvm_support = has_svm,
13800 .disabled_by_bios = is_disabled,
13801 .hardware_setup = svm_hardware_setup,
13802 diff -urNp linux-2.6.33/arch/x86/kvm/vmx.c linux-2.6.33/arch/x86/kvm/vmx.c
13803 --- linux-2.6.33/arch/x86/kvm/vmx.c 2010-02-24 13:52:17.000000000 -0500
13804 +++ linux-2.6.33/arch/x86/kvm/vmx.c 2010-03-07 12:23:35.949701331 -0500
13805 @@ -580,7 +580,11 @@ static void reload_tss(void)
13808 descs = (void *)gdt.base;
13810 + pax_open_kernel();
13811 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
13812 + pax_close_kernel();
13817 @@ -1383,8 +1387,11 @@ static __init int hardware_setup(void)
13818 if (!cpu_has_vmx_flexpriority())
13819 flexpriority_enabled = 0;
13821 - if (!cpu_has_vmx_tpr_shadow())
13822 - kvm_x86_ops->update_cr8_intercept = NULL;
13823 + if (!cpu_has_vmx_tpr_shadow()) {
13824 + pax_open_kernel();
13825 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
13826 + pax_close_kernel();
13829 if (enable_ept && !cpu_has_vmx_ept_2m_page())
13830 kvm_disable_largepages();
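Review bot: The store `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` writes through a pointer that this patch turns into `const struct kvm_x86_ops *`, into a table declared `static const` further down in this file. Modifying an object defined `const` is undefined behaviour in C, and the cast hides the write from the compiler and from sparse. It also leaves a run-time write path into the ops table, which is what the constification is meant to remove. Keeping the table immutable and deciding inside the vmx callback, for example `if (!cpu_has_vmx_tpr_shadow()) return;` at the top of its `update_cr8_intercept` implementation, would avoid the write. That callback and the callers that test the pointer for NULL are outside this hunk and would need checking.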
13831 @@ -2355,7 +2362,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
13832 vmcs_writel(HOST_IDTR_BASE, dt.base); /* 22.2.4 */
13834 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
13835 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
13836 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
13837 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
13838 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
13839 vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, 0);
13840 @@ -3732,6 +3739,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
13841 "jmp .Lkvm_vmx_return \n\t"
13842 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
13843 ".Lkvm_vmx_return: "
13845 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
13846 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
13847 + ".Lkvm_vmx_return2: "
13850 /* Save guest registers, load host registers, keep flags */
13851 "xchg %0, (%%"R"sp) \n\t"
13852 "mov %%"R"ax, %c[rax](%0) \n\t"
13853 @@ -3778,6 +3791,11 @@ static void vmx_vcpu_run(struct kvm_vcpu
13854 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
13856 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
13858 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
13859 + ,[cs]"i"(__KERNEL_CS)
13863 , R"bx", R"di", R"si"
13864 #ifdef CONFIG_X86_64
13865 @@ -3796,7 +3814,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
13866 if (vmx->rmode.irq.pending)
13867 fixup_rmode_irq(vmx);
13869 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
13870 + asm("mov %0, %%ds; mov %0, %%es" : : "r"(__KERNEL_DS));
13873 vmx_complete_interrupts(vmx);
13874 @@ -3964,7 +3982,7 @@ static bool vmx_gb_page_enable(void)
13878 -static struct kvm_x86_ops vmx_x86_ops = {
13879 +static const struct kvm_x86_ops vmx_x86_ops = {
13880 .cpu_has_kvm_support = cpu_has_kvm_support,
13881 .disabled_by_bios = vmx_disabled_by_bios,
13882 .hardware_setup = hardware_setup,
13883 diff -urNp linux-2.6.33/arch/x86/kvm/x86.c linux-2.6.33/arch/x86/kvm/x86.c
13884 --- linux-2.6.33/arch/x86/kvm/x86.c 2010-02-24 13:52:17.000000000 -0500
13885 +++ linux-2.6.33/arch/x86/kvm/x86.c 2010-03-07 12:23:35.949701331 -0500
13886 @@ -83,7 +83,7 @@ static void update_cr8_intercept(struct
13887 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
13888 struct kvm_cpuid_entry2 __user *entries);
13890 -struct kvm_x86_ops *kvm_x86_ops;
13891 +const struct kvm_x86_ops *kvm_x86_ops;
13892 EXPORT_SYMBOL_GPL(kvm_x86_ops);
13894 int ignore_msrs = 0;
13895 @@ -109,38 +109,38 @@ static struct kvm_shared_msrs_global __r
13896 static DEFINE_PER_CPU(struct kvm_shared_msrs, shared_msrs);
13898 struct kvm_stats_debugfs_item debugfs_entries[] = {
13899 - { "pf_fixed", VCPU_STAT(pf_fixed) },
13900 - { "pf_guest", VCPU_STAT(pf_guest) },
13901 - { "tlb_flush", VCPU_STAT(tlb_flush) },
13902 - { "invlpg", VCPU_STAT(invlpg) },
13903 - { "exits", VCPU_STAT(exits) },
13904 - { "io_exits", VCPU_STAT(io_exits) },
13905 - { "mmio_exits", VCPU_STAT(mmio_exits) },
13906 - { "signal_exits", VCPU_STAT(signal_exits) },
13907 - { "irq_window", VCPU_STAT(irq_window_exits) },
13908 - { "nmi_window", VCPU_STAT(nmi_window_exits) },
13909 - { "halt_exits", VCPU_STAT(halt_exits) },
13910 - { "halt_wakeup", VCPU_STAT(halt_wakeup) },
13911 - { "hypercalls", VCPU_STAT(hypercalls) },
13912 - { "request_irq", VCPU_STAT(request_irq_exits) },
13913 - { "irq_exits", VCPU_STAT(irq_exits) },
13914 - { "host_state_reload", VCPU_STAT(host_state_reload) },
13915 - { "efer_reload", VCPU_STAT(efer_reload) },
13916 - { "fpu_reload", VCPU_STAT(fpu_reload) },
13917 - { "insn_emulation", VCPU_STAT(insn_emulation) },
13918 - { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail) },
13919 - { "irq_injections", VCPU_STAT(irq_injections) },
13920 - { "nmi_injections", VCPU_STAT(nmi_injections) },
13921 - { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
13922 - { "mmu_pte_write", VM_STAT(mmu_pte_write) },
13923 - { "mmu_pte_updated", VM_STAT(mmu_pte_updated) },
13924 - { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
13925 - { "mmu_flooded", VM_STAT(mmu_flooded) },
13926 - { "mmu_recycled", VM_STAT(mmu_recycled) },
13927 - { "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
13928 - { "mmu_unsync", VM_STAT(mmu_unsync) },
13929 - { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
13930 - { "largepages", VM_STAT(lpages) },
13931 + { "pf_fixed", VCPU_STAT(pf_fixed), NULL },
13932 + { "pf_guest", VCPU_STAT(pf_guest), NULL },
13933 + { "tlb_flush", VCPU_STAT(tlb_flush), NULL },
13934 + { "invlpg", VCPU_STAT(invlpg), NULL },
13935 + { "exits", VCPU_STAT(exits), NULL },
13936 + { "io_exits", VCPU_STAT(io_exits), NULL },
13937 + { "mmio_exits", VCPU_STAT(mmio_exits), NULL },
13938 + { "signal_exits", VCPU_STAT(signal_exits), NULL },
13939 + { "irq_window", VCPU_STAT(irq_window_exits), NULL },
13940 + { "nmi_window", VCPU_STAT(nmi_window_exits), NULL },
13941 + { "halt_exits", VCPU_STAT(halt_exits), NULL },
13942 + { "halt_wakeup", VCPU_STAT(halt_wakeup), NULL },
13943 + { "hypercalls", VCPU_STAT(hypercalls), NULL },
13944 + { "request_irq", VCPU_STAT(request_irq_exits), NULL },
13945 + { "irq_exits", VCPU_STAT(irq_exits), NULL },
13946 + { "host_state_reload", VCPU_STAT(host_state_reload), NULL },
13947 + { "efer_reload", VCPU_STAT(efer_reload), NULL },
13948 + { "fpu_reload", VCPU_STAT(fpu_reload), NULL },
13949 + { "insn_emulation", VCPU_STAT(insn_emulation), NULL },
13950 + { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail), NULL },
13951 + { "irq_injections", VCPU_STAT(irq_injections), NULL },
13952 + { "nmi_injections", VCPU_STAT(nmi_injections), NULL },
13953 + { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped), NULL },
13954 + { "mmu_pte_write", VM_STAT(mmu_pte_write), NULL },
13955 + { "mmu_pte_updated", VM_STAT(mmu_pte_updated), NULL },
13956 + { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped), NULL },
13957 + { "mmu_flooded", VM_STAT(mmu_flooded), NULL },
13958 + { "mmu_recycled", VM_STAT(mmu_recycled), NULL },
13959 + { "mmu_cache_miss", VM_STAT(mmu_cache_miss), NULL },
13960 + { "mmu_unsync", VM_STAT(mmu_unsync), NULL },
13961 + { "remote_tlb_flush", VM_STAT(remote_tlb_flush), NULL },
13962 + { "largepages", VM_STAT(lpages), NULL },
13966 @@ -1405,6 +1405,8 @@ long kvm_arch_dev_ioctl(struct file *fil
13967 if (n < msr_list.nmsrs)
13970 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
13972 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
13973 num_msrs_to_save * sizeof(u32)))
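Review bot: The new bound check before `copy_to_user()` fails silently, although `num_msrs_to_save > ARRAY_SIZE(msrs_to_save)` can only be true when a kernel invariant is already broken. Writing it as `if (WARN_ON_ONCE(num_msrs_to_save > ARRAY_SIZE(msrs_to_save)))` would leave a trace in the log rather than only an ioctl error. The statement executed when the check fires is not visible in this hunk, so confirm that it sets the return code before leaving.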
13975 @@ -1787,7 +1789,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
13976 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
13977 struct kvm_interrupt *irq)
13979 - if (irq->irq < 0 || irq->irq >= 256)
13980 + if (irq->irq >= 256)
13982 if (irqchip_in_kernel(vcpu->kvm))
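Review bot: Dropping `irq->irq < 0` leaves `if (irq->irq >= 256)` as the only range check, which is complete only while the `irq` member of `struct kvm_interrupt` is an unsigned type. The declaration is outside this hunk, so a one-line comment such as `/* irq is unsigned, so only the upper bound needs checking */` would keep that assumption visible next to the check.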
13984 @@ -3414,10 +3416,10 @@ static void kvm_timer_init(void)
13988 -int kvm_arch_init(void *opaque)
13989 +int kvm_arch_init(const void *opaque)
13992 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
13993 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
13996 printk(KERN_ERR "kvm: already loaded the other module\n");
13997 diff -urNp linux-2.6.33/arch/x86/lib/checksum_32.S linux-2.6.33/arch/x86/lib/checksum_32.S
13998 --- linux-2.6.33/arch/x86/lib/checksum_32.S 2010-02-24 13:52:17.000000000 -0500
13999 +++ linux-2.6.33/arch/x86/lib/checksum_32.S 2010-03-07 12:23:35.949701331 -0500
14001 #include <linux/linkage.h>
14002 #include <asm/dwarf2.h>
14003 #include <asm/errno.h>
14005 +#include <asm/segment.h>
14008 * computes a partial checksum, e.g. for TCP/UDP fragments
14010 @@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
14015 -ENTRY(csum_partial_copy_generic)
14017 +ENTRY(csum_partial_copy_generic_to_user)
14019 + pushl $(__USER_DS)
14020 + CFI_ADJUST_CFA_OFFSET 4
14022 + CFI_ADJUST_CFA_OFFSET -4
14023 + jmp csum_partial_copy_generic
14025 +ENTRY(csum_partial_copy_generic_from_user)
14026 + pushl $(__USER_DS)
14027 + CFI_ADJUST_CFA_OFFSET 4
14029 + CFI_ADJUST_CFA_OFFSET -4
14031 +ENTRY(csum_partial_copy_generic)
14033 CFI_ADJUST_CFA_OFFSET 4
14035 @@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
14037 SRC(1: movw (%esi), %bx )
14039 -DST( movw %bx, (%edi) )
14040 +DST( movw %bx, %es:(%edi) )
14044 @@ -343,30 +357,30 @@ DST( movw %bx, (%edi) )
14045 SRC(1: movl (%esi), %ebx )
14046 SRC( movl 4(%esi), %edx )
14048 -DST( movl %ebx, (%edi) )
14049 +DST( movl %ebx, %es:(%edi) )
14051 -DST( movl %edx, 4(%edi) )
14052 +DST( movl %edx, %es:4(%edi) )
14054 SRC( movl 8(%esi), %ebx )
14055 SRC( movl 12(%esi), %edx )
14057 -DST( movl %ebx, 8(%edi) )
14058 +DST( movl %ebx, %es:8(%edi) )
14060 -DST( movl %edx, 12(%edi) )
14061 +DST( movl %edx, %es:12(%edi) )
14063 SRC( movl 16(%esi), %ebx )
14064 SRC( movl 20(%esi), %edx )
14066 -DST( movl %ebx, 16(%edi) )
14067 +DST( movl %ebx, %es:16(%edi) )
14069 -DST( movl %edx, 20(%edi) )
14070 +DST( movl %edx, %es:20(%edi) )
14072 SRC( movl 24(%esi), %ebx )
14073 SRC( movl 28(%esi), %edx )
14075 -DST( movl %ebx, 24(%edi) )
14076 +DST( movl %ebx, %es:24(%edi) )
14078 -DST( movl %edx, 28(%edi) )
14079 +DST( movl %edx, %es:28(%edi) )
14083 @@ -380,7 +394,7 @@ DST( movl %edx, 28(%edi) )
14084 shrl $2, %edx # This clears CF
14085 SRC(3: movl (%esi), %ebx )
14087 -DST( movl %ebx, (%edi) )
14088 +DST( movl %ebx, %es:(%edi) )
14092 @@ -392,12 +406,12 @@ DST( movl %ebx, (%edi) )
14094 SRC( movw (%esi), %cx )
14096 -DST( movw %cx, (%edi) )
14097 +DST( movw %cx, %es:(%edi) )
14101 SRC(5: movb (%esi), %cl )
14102 -DST( movb %cl, (%edi) )
14103 +DST( movb %cl, %es:(%edi) )
14107 @@ -408,7 +422,7 @@ DST( movb %cl, (%edi) )
14110 movl ARGBASE+20(%esp), %ebx # src_err_ptr
14111 - movl $-EFAULT, (%ebx)
14112 + movl $-EFAULT, %ss:(%ebx)
14114 # zero the complete destination - computing the rest
14116 @@ -421,11 +435,19 @@ DST( movb %cl, (%edi) )
14119 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
14120 - movl $-EFAULT,(%ebx)
14121 + movl $-EFAULT,%ss:(%ebx)
14127 + CFI_ADJUST_CFA_OFFSET 4
14129 + CFI_ADJUST_CFA_OFFSET -4
14131 + CFI_ADJUST_CFA_OFFSET 4
14133 + CFI_ADJUST_CFA_OFFSET -4
14135 CFI_ADJUST_CFA_OFFSET -4
14137 @@ -439,26 +461,41 @@ DST( movb %cl, (%edi) )
14138 CFI_ADJUST_CFA_OFFSET -4
14141 -ENDPROC(csum_partial_copy_generic)
14142 +ENDPROC(csum_partial_copy_generic_to_user)
14146 /* Version for PentiumII/PPro */
14148 #define ROUND1(x) \
14150 SRC(movl x(%esi), %ebx ) ; \
14151 addl %ebx, %eax ; \
14152 - DST(movl %ebx, x(%edi) ) ;
14153 + DST(movl %ebx, %es:x(%edi)) ;
14157 SRC(movl x(%esi), %ebx ) ; \
14158 adcl %ebx, %eax ; \
14159 - DST(movl %ebx, x(%edi) ) ;
14160 + DST(movl %ebx, %es:x(%edi)) ;
14164 -ENTRY(csum_partial_copy_generic)
14166 +ENTRY(csum_partial_copy_generic_to_user)
14168 + pushl $(__USER_DS)
14169 + CFI_ADJUST_CFA_OFFSET 4
14171 + CFI_ADJUST_CFA_OFFSET -4
14172 + jmp csum_partial_copy_generic
14174 +ENTRY(csum_partial_copy_generic_from_user)
14175 + pushl $(__USER_DS)
14176 + CFI_ADJUST_CFA_OFFSET 4
14178 + CFI_ADJUST_CFA_OFFSET -4
14180 +ENTRY(csum_partial_copy_generic)
14182 CFI_ADJUST_CFA_OFFSET 4
14183 CFI_REL_OFFSET ebx, 0
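Review bot: `ENDPROC()` now names only `csum_partial_copy_generic_to_user`, while the patch introduces three `ENTRY()` symbols that share one body (`csum_partial_copy_generic_to_user`, `csum_partial_copy_generic_from_user` and `csum_partial_copy_generic`). As far as the visible lines show, the other two get no end marker, so their symbol type and size are not recorded and the one recorded size spans all three entry points. Adding `ENDPROC(csum_partial_copy_generic_from_user)` and `ENDPROC(csum_partial_copy_generic)` next to the existing marker would fix that; the same applies to the `ENDPROC` change in the `@@ -538,7 +583,7 @@` hunk. Lines of this hunk are elided in this listing, so the markers may exist without being shown.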
14184 @@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
14188 - lea 3f(%ebx,%ebx), %ebx
14189 + lea 3f(%ebx,%ebx,2), %ebx
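Review bot: The scale change in `lea 3f(%ebx,%ebx,2), %ebx` has no comment tying it to the encoded size of one `ROUND` expansion, which this patch changes by adding the `%es:` override to the `DST` store. If the multiplier and the instruction length ever disagree, the computed jump that presumably consumes `%ebx` lands in the middle of an instruction. A note such as `/* 3 * %ebx: must match the byte length of one ROUND1/ROUND expansion */` next to the `lea` would make the dependency explicit. The jump and the unrolled rounds are outside this hunk.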
14193 @@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
14195 SRC( movw (%esi), %dx )
14197 -DST( movw %dx, (%edi) )
14198 +DST( movw %dx, %es:(%edi) )
14203 SRC( movb (%esi), %dl )
14204 -DST( movb %dl, (%edi) )
14205 +DST( movb %dl, %es:(%edi) )
14209 .section .fixup, "ax"
14210 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
14211 - movl $-EFAULT, (%ebx)
14212 + movl $-EFAULT, %ss:(%ebx)
14213 # zero the complete destination (computing the rest is too much work)
14214 movl ARGBASE+8(%esp),%edi # dst
14215 movl ARGBASE+12(%esp),%ecx # len
14216 @@ -523,10 +560,18 @@ DST( movb %dl, (%edi) )
14219 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
14220 - movl $-EFAULT, (%ebx)
14221 + movl $-EFAULT, %ss:(%ebx)
14226 + CFI_ADJUST_CFA_OFFSET 4
14228 + CFI_ADJUST_CFA_OFFSET -4
14230 + CFI_ADJUST_CFA_OFFSET 4
14232 + CFI_ADJUST_CFA_OFFSET -4
14234 CFI_ADJUST_CFA_OFFSET -4
14236 @@ -538,7 +583,7 @@ DST( movb %dl, (%edi) )
14240 -ENDPROC(csum_partial_copy_generic)
14241 +ENDPROC(csum_partial_copy_generic_to_user)
14245 diff -urNp linux-2.6.33/arch/x86/lib/clear_page_64.S linux-2.6.33/arch/x86/lib/clear_page_64.S
14246 --- linux-2.6.33/arch/x86/lib/clear_page_64.S 2010-02-24 13:52:17.000000000 -0500
14247 +++ linux-2.6.33/arch/x86/lib/clear_page_64.S 2010-03-07 12:23:35.949701331 -0500
14248 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
14250 #include <asm/cpufeature.h>
14252 - .section .altinstr_replacement,"ax"
14253 + .section .altinstr_replacement,"a"
14254 1: .byte 0xeb /* jmp <disp8> */
14255 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
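Review bot: The section flags for `.altinstr_replacement` change from `"ax"` to `"a"` without a comment, although the bytes emitted into the section are instructions (`0xeb`, a short jmp). If the replacement bytes are only ever copied over the original site and never run in place, a line such as `/* replacement bytes are copied by the alternatives code, never executed here, so the section need not be executable */` would explain why dropping the `x` flag is safe. The same edit is repeated in copy_page_64.S, copy_user_64.S, memcpy_64.S and memset_64.S.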
14257 diff -urNp linux-2.6.33/arch/x86/lib/copy_page_64.S linux-2.6.33/arch/x86/lib/copy_page_64.S
14258 --- linux-2.6.33/arch/x86/lib/copy_page_64.S 2010-02-24 13:52:17.000000000 -0500
14259 +++ linux-2.6.33/arch/x86/lib/copy_page_64.S 2010-03-07 12:23:35.949701331 -0500
14260 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
14262 #include <asm/cpufeature.h>
14264 - .section .altinstr_replacement,"ax"
14265 + .section .altinstr_replacement,"a"
14266 1: .byte 0xeb /* jmp <disp8> */
14267 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
14269 diff -urNp linux-2.6.33/arch/x86/lib/copy_user_64.S linux-2.6.33/arch/x86/lib/copy_user_64.S
14270 --- linux-2.6.33/arch/x86/lib/copy_user_64.S 2010-02-24 13:52:17.000000000 -0500
14271 +++ linux-2.6.33/arch/x86/lib/copy_user_64.S 2010-03-07 12:23:35.949701331 -0500
14273 .byte 0xe9 /* 32bit jump */
14274 .long \orig-1f /* by default jump to orig */
14276 - .section .altinstr_replacement,"ax"
14277 + .section .altinstr_replacement,"a"
14278 2: .byte 0xe9 /* near jump with 32bit immediate */
14279 .long \alt-1b /* offset */ /* or alternatively to alt */
14285 -/* Standard copy_to_user with segment limit checking */
14286 -ENTRY(_copy_to_user)
14288 - GET_THREAD_INFO(%rax)
14292 - cmpq TI_addr_limit(%rax),%rcx
14294 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
14296 -ENDPROC(_copy_to_user)
14298 -/* Standard copy_from_user with segment limit checking */
14299 -ENTRY(_copy_from_user)
14301 - GET_THREAD_INFO(%rax)
14305 - cmpq TI_addr_limit(%rax),%rcx
14306 - jae bad_from_user
14307 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
14309 -ENDPROC(_copy_from_user)
14311 ENTRY(copy_user_generic)
14313 ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
14314 @@ -101,6 +75,8 @@ ENDPROC(copy_user_generic)
14315 ENTRY(bad_from_user)
14323 diff -urNp linux-2.6.33/arch/x86/lib/getuser.S linux-2.6.33/arch/x86/lib/getuser.S
14324 --- linux-2.6.33/arch/x86/lib/getuser.S 2010-02-24 13:52:17.000000000 -0500
14325 +++ linux-2.6.33/arch/x86/lib/getuser.S 2010-03-07 12:23:35.949701331 -0500
14326 @@ -33,14 +33,28 @@
14327 #include <asm/asm-offsets.h>
14328 #include <asm/thread_info.h>
14329 #include <asm/asm.h>
14330 +#include <asm/segment.h>
14333 ENTRY(__get_user_1)
14336 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14337 + pushl $(__USER_DS)
14340 GET_THREAD_INFO(%_ASM_DX)
14341 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
14345 1: movzb (%_ASM_AX),%edx
14347 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
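Review bot: No `CFI_ADJUST_CFA_OFFSET` is visible after the added `pushl $(__USER_DS)`, whereas checksum_32.S in this same patch brackets the identical push with `CFI_ADJUST_CFA_OFFSET 4` and `CFI_ADJUST_CFA_OFFSET -4`. If these routines sit inside a `CFI_STARTPROC` region, the unwind information is off by four bytes between the push and its matching pop. Lines of this hunk are elided in this listing, so the annotations may exist without being shown. The `__get_user_2` and `__get_user_4` hunks below follow the same pattern.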
14355 @@ -49,11 +63,24 @@ ENDPROC(__get_user_1)
14356 ENTRY(__get_user_2)
14360 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14361 + pushl $(__USER_DS)
14365 GET_THREAD_INFO(%_ASM_DX)
14366 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
14370 2: movzwl -1(%_ASM_AX),%edx
14372 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14380 @@ -62,11 +89,24 @@ ENDPROC(__get_user_2)
14381 ENTRY(__get_user_4)
14385 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14386 + pushl $(__USER_DS)
14390 GET_THREAD_INFO(%_ASM_DX)
14391 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
14395 3: mov -3(%_ASM_AX),%edx
14397 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14405 @@ -89,6 +129,12 @@ ENDPROC(__get_user_8)
14410 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
14416 mov $(-EFAULT),%_ASM_AX
14418 diff -urNp linux-2.6.33/arch/x86/lib/memcpy_64.S linux-2.6.33/arch/x86/lib/memcpy_64.S
14419 --- linux-2.6.33/arch/x86/lib/memcpy_64.S 2010-02-24 13:52:17.000000000 -0500
14420 +++ linux-2.6.33/arch/x86/lib/memcpy_64.S 2010-03-07 12:23:35.949701331 -0500
14421 @@ -128,7 +128,7 @@ ENDPROC(__memcpy)
14422 * It is also a lot simpler. Use this when possible:
14425 - .section .altinstr_replacement, "ax"
14426 + .section .altinstr_replacement, "a"
14427 1: .byte 0xeb /* jmp <disp8> */
14428 .byte (memcpy_c - memcpy) - (2f - 1b) /* offset */
14430 diff -urNp linux-2.6.33/arch/x86/lib/memset_64.S linux-2.6.33/arch/x86/lib/memset_64.S
14431 --- linux-2.6.33/arch/x86/lib/memset_64.S 2010-02-24 13:52:17.000000000 -0500
14432 +++ linux-2.6.33/arch/x86/lib/memset_64.S 2010-03-07 12:23:35.949701331 -0500
14433 @@ -118,7 +118,7 @@ ENDPROC(__memset)
14435 #include <asm/cpufeature.h>
14437 - .section .altinstr_replacement,"ax"
14438 + .section .altinstr_replacement,"a"
14439 1: .byte 0xeb /* jmp <disp8> */
14440 .byte (memset_c - memset) - (2f - 1b) /* offset */
14442 diff -urNp linux-2.6.33/arch/x86/lib/mmx_32.c linux-2.6.33/arch/x86/lib/mmx_32.c
14443 --- linux-2.6.33/arch/x86/lib/mmx_32.c 2010-02-24 13:52:17.000000000 -0500
14444 +++ linux-2.6.33/arch/x86/lib/mmx_32.c 2010-03-07 12:23:35.949701331 -0500
14445 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
14449 + unsigned long cr0;
14451 if (unlikely(in_interrupt()))
14452 return __memcpy(to, from, len);
14453 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
14454 kernel_fpu_begin();
14456 __asm__ __volatile__ (
14457 - "1: prefetch (%0)\n" /* This set is 28 bytes */
14458 - " prefetch 64(%0)\n"
14459 - " prefetch 128(%0)\n"
14460 - " prefetch 192(%0)\n"
14461 - " prefetch 256(%0)\n"
14462 + "1: prefetch (%1)\n" /* This set is 28 bytes */
14463 + " prefetch 64(%1)\n"
14464 + " prefetch 128(%1)\n"
14465 + " prefetch 192(%1)\n"
14466 + " prefetch 256(%1)\n"
14468 ".section .fixup, \"ax\"\n"
14469 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14472 +#ifdef CONFIG_PAX_KERNEXEC
14473 + " movl %%cr0, %0\n"
14474 + " movl %0, %%eax\n"
14475 + " andl $0xFFFEFFFF, %%eax\n"
14476 + " movl %%eax, %%cr0\n"
14479 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14481 +#ifdef CONFIG_PAX_KERNEXEC
14482 + " movl %0, %%cr0\n"
14487 _ASM_EXTABLE(1b, 3b)
14489 + : "=&r" (cr0) : "r" (from) : "ax");
14491 for ( ; i > 5; i--) {
14492 __asm__ __volatile__ (
14493 - "1: prefetch 320(%0)\n"
14494 - "2: movq (%0), %%mm0\n"
14495 - " movq 8(%0), %%mm1\n"
14496 - " movq 16(%0), %%mm2\n"
14497 - " movq 24(%0), %%mm3\n"
14498 - " movq %%mm0, (%1)\n"
14499 - " movq %%mm1, 8(%1)\n"
14500 - " movq %%mm2, 16(%1)\n"
14501 - " movq %%mm3, 24(%1)\n"
14502 - " movq 32(%0), %%mm0\n"
14503 - " movq 40(%0), %%mm1\n"
14504 - " movq 48(%0), %%mm2\n"
14505 - " movq 56(%0), %%mm3\n"
14506 - " movq %%mm0, 32(%1)\n"
14507 - " movq %%mm1, 40(%1)\n"
14508 - " movq %%mm2, 48(%1)\n"
14509 - " movq %%mm3, 56(%1)\n"
14510 + "1: prefetch 320(%1)\n"
14511 + "2: movq (%1), %%mm0\n"
14512 + " movq 8(%1), %%mm1\n"
14513 + " movq 16(%1), %%mm2\n"
14514 + " movq 24(%1), %%mm3\n"
14515 + " movq %%mm0, (%2)\n"
14516 + " movq %%mm1, 8(%2)\n"
14517 + " movq %%mm2, 16(%2)\n"
14518 + " movq %%mm3, 24(%2)\n"
14519 + " movq 32(%1), %%mm0\n"
14520 + " movq 40(%1), %%mm1\n"
14521 + " movq 48(%1), %%mm2\n"
14522 + " movq 56(%1), %%mm3\n"
14523 + " movq %%mm0, 32(%2)\n"
14524 + " movq %%mm1, 40(%2)\n"
14525 + " movq %%mm2, 48(%2)\n"
14526 + " movq %%mm3, 56(%2)\n"
14527 ".section .fixup, \"ax\"\n"
14528 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14531 +#ifdef CONFIG_PAX_KERNEXEC
14532 + " movl %%cr0, %0\n"
14533 + " movl %0, %%eax\n"
14534 + " andl $0xFFFEFFFF, %%eax\n"
14535 + " movl %%eax, %%cr0\n"
14538 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14540 +#ifdef CONFIG_PAX_KERNEXEC
14541 + " movl %0, %%cr0\n"
14546 _ASM_EXTABLE(1b, 3b)
14547 - : : "r" (from), "r" (to) : "memory");
14548 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
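Review bot: The fixup path open-codes a CR0 write-protect toggle (`andl $0xFFFEFFFF, %%eax` followed by `movl %%eax, %%cr0`) instead of the `pax_open_kernel()` / `pax_close_kernel()` helpers this patch uses in the kvm files, and the mask is an unexplained literal. At minimum the `andl` needs a comment like `/* clear CR0.WP (bit 16) so the fixup can patch the prefetch at 1b */`, and the window should be documented as covering only the single `movw`. Interrupts are not visibly disabled around the window in this hunk, so it needs confirming whether a handler can run while write protection is off. The sequence is repeated in the second asm block here and in both `fast_copy_page` variants, and `_mmx_memcpy` extends beyond this hunk.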
14552 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
14553 static void fast_copy_page(void *to, void *from)
14556 + unsigned long cr0;
14558 kernel_fpu_begin();
14560 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
14561 * but that is for later. -AV
14563 __asm__ __volatile__(
14564 - "1: prefetch (%0)\n"
14565 - " prefetch 64(%0)\n"
14566 - " prefetch 128(%0)\n"
14567 - " prefetch 192(%0)\n"
14568 - " prefetch 256(%0)\n"
14569 + "1: prefetch (%1)\n"
14570 + " prefetch 64(%1)\n"
14571 + " prefetch 128(%1)\n"
14572 + " prefetch 192(%1)\n"
14573 + " prefetch 256(%1)\n"
14575 ".section .fixup, \"ax\"\n"
14576 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14579 +#ifdef CONFIG_PAX_KERNEXEC
14580 + " movl %%cr0, %0\n"
14581 + " movl %0, %%eax\n"
14582 + " andl $0xFFFEFFFF, %%eax\n"
14583 + " movl %%eax, %%cr0\n"
14586 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14588 +#ifdef CONFIG_PAX_KERNEXEC
14589 + " movl %0, %%cr0\n"
14594 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
14595 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
14597 for (i = 0; i < (4096-320)/64; i++) {
14598 __asm__ __volatile__ (
14599 - "1: prefetch 320(%0)\n"
14600 - "2: movq (%0), %%mm0\n"
14601 - " movntq %%mm0, (%1)\n"
14602 - " movq 8(%0), %%mm1\n"
14603 - " movntq %%mm1, 8(%1)\n"
14604 - " movq 16(%0), %%mm2\n"
14605 - " movntq %%mm2, 16(%1)\n"
14606 - " movq 24(%0), %%mm3\n"
14607 - " movntq %%mm3, 24(%1)\n"
14608 - " movq 32(%0), %%mm4\n"
14609 - " movntq %%mm4, 32(%1)\n"
14610 - " movq 40(%0), %%mm5\n"
14611 - " movntq %%mm5, 40(%1)\n"
14612 - " movq 48(%0), %%mm6\n"
14613 - " movntq %%mm6, 48(%1)\n"
14614 - " movq 56(%0), %%mm7\n"
14615 - " movntq %%mm7, 56(%1)\n"
14616 + "1: prefetch 320(%1)\n"
14617 + "2: movq (%1), %%mm0\n"
14618 + " movntq %%mm0, (%2)\n"
14619 + " movq 8(%1), %%mm1\n"
14620 + " movntq %%mm1, 8(%2)\n"
14621 + " movq 16(%1), %%mm2\n"
14622 + " movntq %%mm2, 16(%2)\n"
14623 + " movq 24(%1), %%mm3\n"
14624 + " movntq %%mm3, 24(%2)\n"
14625 + " movq 32(%1), %%mm4\n"
14626 + " movntq %%mm4, 32(%2)\n"
14627 + " movq 40(%1), %%mm5\n"
14628 + " movntq %%mm5, 40(%2)\n"
14629 + " movq 48(%1), %%mm6\n"
14630 + " movntq %%mm6, 48(%2)\n"
14631 + " movq 56(%1), %%mm7\n"
14632 + " movntq %%mm7, 56(%2)\n"
14633 ".section .fixup, \"ax\"\n"
14634 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14637 +#ifdef CONFIG_PAX_KERNEXEC
14638 + " movl %%cr0, %0\n"
14639 + " movl %0, %%eax\n"
14640 + " andl $0xFFFEFFFF, %%eax\n"
14641 + " movl %%eax, %%cr0\n"
14644 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14646 +#ifdef CONFIG_PAX_KERNEXEC
14647 + " movl %0, %%cr0\n"
14652 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
14653 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
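Review bot: The CR0 sequence added to both `.fixup` blocks in this hunk has no comment and uses the bare mask `0xFFFEFFFF`. It saves CR0 in operand 0, clears bit 16 (write protect) through `%eax`, lets `movw $0x1AEB, 1b` / `movw $0x05EB, 1b` patch the prefetch at label 1, and then restores with `movl %0, %%cr0`; a comment such as `/* KERNEXEC: clear CR0.WP only while the fixup patches label 1 */` would state that. The same lines appear again in the `@@ -280,47 +338,76 @@` hunk, so one pair of macros for the open and close halves would keep the copies identical. Nothing visible here masks interrupts while WP is clear, and `fast_copy_page` starts and ends outside the hunk, so that should be checked against the full function.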
14657 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
14658 static void fast_copy_page(void *to, void *from)
14661 + unsigned long cr0;
14663 kernel_fpu_begin();
14665 __asm__ __volatile__ (
14666 - "1: prefetch (%0)\n"
14667 - " prefetch 64(%0)\n"
14668 - " prefetch 128(%0)\n"
14669 - " prefetch 192(%0)\n"
14670 - " prefetch 256(%0)\n"
14671 + "1: prefetch (%1)\n"
14672 + " prefetch 64(%1)\n"
14673 + " prefetch 128(%1)\n"
14674 + " prefetch 192(%1)\n"
14675 + " prefetch 256(%1)\n"
14677 ".section .fixup, \"ax\"\n"
14678 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14681 +#ifdef CONFIG_PAX_KERNEXEC
14682 + " movl %%cr0, %0\n"
14683 + " movl %0, %%eax\n"
14684 + " andl $0xFFFEFFFF, %%eax\n"
14685 + " movl %%eax, %%cr0\n"
14688 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14690 +#ifdef CONFIG_PAX_KERNEXEC
14691 + " movl %0, %%cr0\n"
14696 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
14697 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
14699 for (i = 0; i < 4096/64; i++) {
14700 __asm__ __volatile__ (
14701 - "1: prefetch 320(%0)\n"
14702 - "2: movq (%0), %%mm0\n"
14703 - " movq 8(%0), %%mm1\n"
14704 - " movq 16(%0), %%mm2\n"
14705 - " movq 24(%0), %%mm3\n"
14706 - " movq %%mm0, (%1)\n"
14707 - " movq %%mm1, 8(%1)\n"
14708 - " movq %%mm2, 16(%1)\n"
14709 - " movq %%mm3, 24(%1)\n"
14710 - " movq 32(%0), %%mm0\n"
14711 - " movq 40(%0), %%mm1\n"
14712 - " movq 48(%0), %%mm2\n"
14713 - " movq 56(%0), %%mm3\n"
14714 - " movq %%mm0, 32(%1)\n"
14715 - " movq %%mm1, 40(%1)\n"
14716 - " movq %%mm2, 48(%1)\n"
14717 - " movq %%mm3, 56(%1)\n"
14718 + "1: prefetch 320(%1)\n"
14719 + "2: movq (%1), %%mm0\n"
14720 + " movq 8(%1), %%mm1\n"
14721 + " movq 16(%1), %%mm2\n"
14722 + " movq 24(%1), %%mm3\n"
14723 + " movq %%mm0, (%2)\n"
14724 + " movq %%mm1, 8(%2)\n"
14725 + " movq %%mm2, 16(%2)\n"
14726 + " movq %%mm3, 24(%2)\n"
14727 + " movq 32(%1), %%mm0\n"
14728 + " movq 40(%1), %%mm1\n"
14729 + " movq 48(%1), %%mm2\n"
14730 + " movq 56(%1), %%mm3\n"
14731 + " movq %%mm0, 32(%2)\n"
14732 + " movq %%mm1, 40(%2)\n"
14733 + " movq %%mm2, 48(%2)\n"
14734 + " movq %%mm3, 56(%2)\n"
14735 ".section .fixup, \"ax\"\n"
14736 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14739 +#ifdef CONFIG_PAX_KERNEXEC
14740 + " movl %%cr0, %0\n"
14741 + " movl %0, %%eax\n"
14742 + " andl $0xFFFEFFFF, %%eax\n"
14743 + " movl %%eax, %%cr0\n"
14746 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14748 +#ifdef CONFIG_PAX_KERNEXEC
14749 + " movl %0, %%cr0\n"
14754 _ASM_EXTABLE(1b, 3b)
14755 - : : "r" (from), "r" (to) : "memory");
14756 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
14760 diff -urNp linux-2.6.33/arch/x86/lib/putuser.S linux-2.6.33/arch/x86/lib/putuser.S
14761 --- linux-2.6.33/arch/x86/lib/putuser.S 2010-02-24 13:52:17.000000000 -0500
14762 +++ linux-2.6.33/arch/x86/lib/putuser.S 2010-03-07 12:23:35.949701331 -0500
14764 #include <asm/thread_info.h>
14765 #include <asm/errno.h>
14766 #include <asm/asm.h>
14767 +#include <asm/segment.h>
14771 @@ -39,7 +40,19 @@ ENTRY(__put_user_1)
14773 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
14776 +#ifdef CONFIG_X86_32
14777 + pushl $(__USER_DS)
14781 1: movb %al,(%_ASM_CX)
14783 +#ifdef CONFIG_X86_32
14790 ENDPROC(__put_user_1)
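Review bot: The added `pushl $(__USER_DS)` ahead of the store at label 1 is guarded by `CONFIG_X86_32` alone and has no comment, so the hunk does not show whether the selector switch is meant for every 32-bit build or only for builds with the PaX user-access option enabled. A comment on the guard, for example `/* store through the user data segment; restored after label 1 */`, would help. The fault path should also be checked to restore the segment register, since the lines that would do so are not visible in this view. The same pattern is added in the `__put_user_2`, `__put_user_4` and `__put_user_8` hunks.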
14791 @@ -50,7 +63,19 @@ ENTRY(__put_user_2)
14793 cmp %_ASM_BX,%_ASM_CX
14796 +#ifdef CONFIG_X86_32
14797 + pushl $(__USER_DS)
14801 2: movw %ax,(%_ASM_CX)
14803 +#ifdef CONFIG_X86_32
14810 ENDPROC(__put_user_2)
14811 @@ -61,7 +86,19 @@ ENTRY(__put_user_4)
14813 cmp %_ASM_BX,%_ASM_CX
14816 +#ifdef CONFIG_X86_32
14817 + pushl $(__USER_DS)
14821 3: movl %eax,(%_ASM_CX)
14823 +#ifdef CONFIG_X86_32
14830 ENDPROC(__put_user_4)
14831 @@ -72,16 +109,34 @@ ENTRY(__put_user_8)
14833 cmp %_ASM_BX,%_ASM_CX
14836 +#ifdef CONFIG_X86_32
14837 + pushl $(__USER_DS)
14841 4: mov %_ASM_AX,(%_ASM_CX)
14842 #ifdef CONFIG_X86_32
14843 5: movl %edx,4(%_ASM_CX)
14846 +#ifdef CONFIG_X86_32
14853 ENDPROC(__put_user_8)
14858 +#ifdef CONFIG_X86_32
14866 diff -urNp linux-2.6.33/arch/x86/lib/usercopy_32.c linux-2.6.33/arch/x86/lib/usercopy_32.c
14867 --- linux-2.6.33/arch/x86/lib/usercopy_32.c 2010-02-24 13:52:17.000000000 -0500
14868 +++ linux-2.6.33/arch/x86/lib/usercopy_32.c 2010-03-07 12:23:35.953604355 -0500
14869 @@ -36,31 +36,38 @@ static inline int __movsl_is_ok(unsigned
14870 * Copy a null terminated string from userspace.
14873 -#define __do_strncpy_from_user(dst, src, count, res) \
14875 - int __d0, __d1, __d2; \
14877 - __asm__ __volatile__( \
14878 - " testl %1,%1\n" \
14882 - " testb %%al,%%al\n" \
14886 - "1: subl %1,%0\n" \
14888 - ".section .fixup,\"ax\"\n" \
14889 - "3: movl %5,%0\n" \
14892 - _ASM_EXTABLE(0b,3b) \
14893 - : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1), \
14895 - : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
14898 +static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
14900 + int __d0, __d1, __d2;
14901 + long res = -EFAULT;
14904 + __asm__ __volatile__(
14905 + " movw %w10,%%ds\n"
14910 + " testb %%al,%%al\n"
14914 + "1: subl %1,%0\n"
14918 + ".section .fixup,\"ax\"\n"
14919 + "3: movl %5,%0\n"
14922 + _ASM_EXTABLE(0b,3b)
14923 + : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1),
14925 + : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
14932 * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
14933 @@ -85,9 +92,7 @@ do { \
14935 __strncpy_from_user(char *dst, const char __user *src, long count)
14938 - __do_strncpy_from_user(dst, src, count, res);
14940 + return __do_strncpy_from_user(dst, src, count);
14942 EXPORT_SYMBOL(__strncpy_from_user);
14944 @@ -114,7 +119,7 @@ strncpy_from_user(char *dst, const char
14946 long res = -EFAULT;
14947 if (access_ok(VERIFY_READ, src, 1))
14948 - __do_strncpy_from_user(dst, src, count, res);
14949 + res = __do_strncpy_from_user(dst, src, count);
14952 EXPORT_SYMBOL(strncpy_from_user);
14953 @@ -123,24 +128,30 @@ EXPORT_SYMBOL(strncpy_from_user);
14957 -#define __do_clear_user(addr,size) \
14961 - __asm__ __volatile__( \
14962 - "0: rep; stosl\n" \
14963 - " movl %2,%0\n" \
14964 - "1: rep; stosb\n" \
14966 - ".section .fixup,\"ax\"\n" \
14967 - "3: lea 0(%2,%0,4),%0\n" \
14970 - _ASM_EXTABLE(0b,3b) \
14971 - _ASM_EXTABLE(1b,2b) \
14972 - : "=&c"(size), "=&D" (__d0) \
14973 - : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0)); \
14975 +static unsigned long __do_clear_user(void __user *addr, unsigned long size)
14980 + __asm__ __volatile__(
14981 + " movw %w6,%%es\n"
14982 + "0: rep; stosl\n"
14984 + "1: rep; stosb\n"
14988 + ".section .fixup,\"ax\"\n"
14989 + "3: lea 0(%2,%0,4),%0\n"
14992 + _ASM_EXTABLE(0b,3b)
14993 + _ASM_EXTABLE(1b,2b)
14994 + : "=&c"(size), "=&D" (__d0)
14995 + : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
15001 * clear_user: - Zero a block of memory in user space.
15002 @@ -157,7 +168,7 @@ clear_user(void __user *to, unsigned lon
15005 if (access_ok(VERIFY_WRITE, to, n))
15006 - __do_clear_user(to, n);
15007 + n = __do_clear_user(to, n);
15010 EXPORT_SYMBOL(clear_user);
15011 @@ -176,8 +187,7 @@ EXPORT_SYMBOL(clear_user);
15013 __clear_user(void __user *to, unsigned long n)
15015 - __do_clear_user(to, n);
15017 + return __do_clear_user(to, n);
15019 EXPORT_SYMBOL(__clear_user);
15021 @@ -200,14 +210,17 @@ long strnlen_user(const char __user *s,
15024 __asm__ __volatile__(
15025 + " movw %w8,%%es\n"
15028 - " andl %0,%%ecx\n"
15029 + " movl %0,%%ecx\n"
15030 "0: repne; scasb\n"
15037 ".section .fixup,\"ax\"\n"
15038 "2: xorl %%eax,%%eax\n"
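Review bot: Replacing `andl %0,%%ecx` with `movl %0,%%ecx` drops the only use of the mask that the constraint list still passes in as operand 3 (`"3" (mask)` in the next hunk), so the count in `%ecx` is no longer zeroed for an out-of-range pointer. The scan now appears to rely on the selector loaded by the added `movw %w8,%%es` to bound the access, which holds only if that segment's limit excludes kernel addresses in every configuration this file is built for. Either keep the `andl` clamp alongside the segment load or add a comment naming the configuration that guarantees the limit. `mask` is computed outside the hunk, so its definition should be checked as well.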
15040 @@ -219,7 +232,7 @@ long strnlen_user(const char __user *s,
15043 :"=&r" (n), "=&D" (s), "=&a" (res), "=&c" (tmp)
15044 - :"0" (n), "1" (s), "2" (0), "3" (mask)
15045 + :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
15049 @@ -227,10 +240,121 @@ EXPORT_SYMBOL(strnlen_user);
15051 #ifdef CONFIG_X86_INTEL_USERCOPY
15052 static unsigned long
15053 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
15054 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
15057 + __asm__ __volatile__(
15058 + " movw %w6, %%es\n"
15059 + " .align 2,0x90\n"
15060 + "1: movl 32(%4), %%eax\n"
15061 + " cmpl $67, %0\n"
15063 + "2: movl 64(%4), %%eax\n"
15064 + " .align 2,0x90\n"
15065 + "3: movl 0(%4), %%eax\n"
15066 + "4: movl 4(%4), %%edx\n"
15067 + "5: movl %%eax, %%es:0(%3)\n"
15068 + "6: movl %%edx, %%es:4(%3)\n"
15069 + "7: movl 8(%4), %%eax\n"
15070 + "8: movl 12(%4),%%edx\n"
15071 + "9: movl %%eax, %%es:8(%3)\n"
15072 + "10: movl %%edx, %%es:12(%3)\n"
15073 + "11: movl 16(%4), %%eax\n"
15074 + "12: movl 20(%4), %%edx\n"
15075 + "13: movl %%eax, %%es:16(%3)\n"
15076 + "14: movl %%edx, %%es:20(%3)\n"
15077 + "15: movl 24(%4), %%eax\n"
15078 + "16: movl 28(%4), %%edx\n"
15079 + "17: movl %%eax, %%es:24(%3)\n"
15080 + "18: movl %%edx, %%es:28(%3)\n"
15081 + "19: movl 32(%4), %%eax\n"
15082 + "20: movl 36(%4), %%edx\n"
15083 + "21: movl %%eax, %%es:32(%3)\n"
15084 + "22: movl %%edx, %%es:36(%3)\n"
15085 + "23: movl 40(%4), %%eax\n"
15086 + "24: movl 44(%4), %%edx\n"
15087 + "25: movl %%eax, %%es:40(%3)\n"
15088 + "26: movl %%edx, %%es:44(%3)\n"
15089 + "27: movl 48(%4), %%eax\n"
15090 + "28: movl 52(%4), %%edx\n"
15091 + "29: movl %%eax, %%es:48(%3)\n"
15092 + "30: movl %%edx, %%es:52(%3)\n"
15093 + "31: movl 56(%4), %%eax\n"
15094 + "32: movl 60(%4), %%edx\n"
15095 + "33: movl %%eax, %%es:56(%3)\n"
15096 + "34: movl %%edx, %%es:60(%3)\n"
15097 + " addl $-64, %0\n"
15098 + " addl $64, %4\n"
15099 + " addl $64, %3\n"
15100 + " cmpl $63, %0\n"
15102 + "35: movl %0, %%eax\n"
15104 + " andl $3, %%eax\n"
15106 + "99: rep; movsl\n"
15107 + "36: movl %%eax, %0\n"
15108 + "37: rep; movsb\n"
15112 + ".section .fixup,\"ax\"\n"
15113 + "101: lea 0(%%eax,%0,4),%0\n"
15116 + ".section __ex_table,\"a\"\n"
15118 + " .long 1b,100b\n"
15119 + " .long 2b,100b\n"
15120 + " .long 3b,100b\n"
15121 + " .long 4b,100b\n"
15122 + " .long 5b,100b\n"
15123 + " .long 6b,100b\n"
15124 + " .long 7b,100b\n"
15125 + " .long 8b,100b\n"
15126 + " .long 9b,100b\n"
15127 + " .long 10b,100b\n"
15128 + " .long 11b,100b\n"
15129 + " .long 12b,100b\n"
15130 + " .long 13b,100b\n"
15131 + " .long 14b,100b\n"
15132 + " .long 15b,100b\n"
15133 + " .long 16b,100b\n"
15134 + " .long 17b,100b\n"
15135 + " .long 18b,100b\n"
15136 + " .long 19b,100b\n"
15137 + " .long 20b,100b\n"
15138 + " .long 21b,100b\n"
15139 + " .long 22b,100b\n"
15140 + " .long 23b,100b\n"
15141 + " .long 24b,100b\n"
15142 + " .long 25b,100b\n"
15143 + " .long 26b,100b\n"
15144 + " .long 27b,100b\n"
15145 + " .long 28b,100b\n"
15146 + " .long 29b,100b\n"
15147 + " .long 30b,100b\n"
15148 + " .long 31b,100b\n"
15149 + " .long 32b,100b\n"
15150 + " .long 33b,100b\n"
15151 + " .long 34b,100b\n"
15152 + " .long 35b,100b\n"
15153 + " .long 36b,100b\n"
15154 + " .long 37b,100b\n"
15155 + " .long 99b,101b\n"
15157 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
15158 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
15159 + : "eax", "edx", "memory");
15163 +static unsigned long
15164 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
15167 __asm__ __volatile__(
15168 + " movw %w6, %%ds\n"
15170 "1: movl 32(%4), %%eax\n"
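Review bot: As far as the visible lines show, `__generic_copy_to_user_intel()` and `__generic_copy_from_user_intel()` differ only in the first instruction (`movw %w6, %%es` against `movw %w6, %%ds`), yet neither says which side of the copy is user memory at the assembly level. I would add a comment above each asm block, e.g. `/* %es = __USER_DS: stores use the %es: override, loads use the kernel %ds */` for the to-user copy and the mirror image for the from-user copy. The whole body and the hand-written `__ex_table` list are duplicated for that one-instruction difference, so generating both from one macro that takes the segment register would be easier to keep in sync. Whether the fixup labels restore the segment register cannot be seen from this view and should be confirmed.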
15172 @@ -239,36 +363,36 @@ __copy_user_intel(void __user *to, const
15174 "3: movl 0(%4), %%eax\n"
15175 "4: movl 4(%4), %%edx\n"
15176 - "5: movl %%eax, 0(%3)\n"
15177 - "6: movl %%edx, 4(%3)\n"
15178 + "5: movl %%eax, %%es:0(%3)\n"
15179 + "6: movl %%edx, %%es:4(%3)\n"
15180 "7: movl 8(%4), %%eax\n"
15181 "8: movl 12(%4),%%edx\n"
15182 - "9: movl %%eax, 8(%3)\n"
15183 - "10: movl %%edx, 12(%3)\n"
15184 + "9: movl %%eax, %%es:8(%3)\n"
15185 + "10: movl %%edx, %%es:12(%3)\n"
15186 "11: movl 16(%4), %%eax\n"
15187 "12: movl 20(%4), %%edx\n"
15188 - "13: movl %%eax, 16(%3)\n"
15189 - "14: movl %%edx, 20(%3)\n"
15190 + "13: movl %%eax, %%es:16(%3)\n"
15191 + "14: movl %%edx, %%es:20(%3)\n"
15192 "15: movl 24(%4), %%eax\n"
15193 "16: movl 28(%4), %%edx\n"
15194 - "17: movl %%eax, 24(%3)\n"
15195 - "18: movl %%edx, 28(%3)\n"
15196 + "17: movl %%eax, %%es:24(%3)\n"
15197 + "18: movl %%edx, %%es:28(%3)\n"
15198 "19: movl 32(%4), %%eax\n"
15199 "20: movl 36(%4), %%edx\n"
15200 - "21: movl %%eax, 32(%3)\n"
15201 - "22: movl %%edx, 36(%3)\n"
15202 + "21: movl %%eax, %%es:32(%3)\n"
15203 + "22: movl %%edx, %%es:36(%3)\n"
15204 "23: movl 40(%4), %%eax\n"
15205 "24: movl 44(%4), %%edx\n"
15206 - "25: movl %%eax, 40(%3)\n"
15207 - "26: movl %%edx, 44(%3)\n"
15208 + "25: movl %%eax, %%es:40(%3)\n"
15209 + "26: movl %%edx, %%es:44(%3)\n"
15210 "27: movl 48(%4), %%eax\n"
15211 "28: movl 52(%4), %%edx\n"
15212 - "29: movl %%eax, 48(%3)\n"
15213 - "30: movl %%edx, 52(%3)\n"
15214 + "29: movl %%eax, %%es:48(%3)\n"
15215 + "30: movl %%edx, %%es:52(%3)\n"
15216 "31: movl 56(%4), %%eax\n"
15217 "32: movl 60(%4), %%edx\n"
15218 - "33: movl %%eax, 56(%3)\n"
15219 - "34: movl %%edx, 60(%3)\n"
15220 + "33: movl %%eax, %%es:56(%3)\n"
15221 + "34: movl %%edx, %%es:60(%3)\n"
15225 @@ -282,6 +406,8 @@ __copy_user_intel(void __user *to, const
15226 "36: movl %%eax, %0\n"
15231 ".section .fixup,\"ax\"\n"
15232 "101: lea 0(%%eax,%0,4),%0\n"
15234 @@ -328,7 +454,7 @@ __copy_user_intel(void __user *to, const
15235 " .long 99b,101b\n"
15237 : "=&c"(size), "=&D" (d0), "=&S" (d1)
15238 - : "1"(to), "2"(from), "0"(size)
15239 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
15240 : "eax", "edx", "memory");
15243 @@ -338,6 +464,7 @@ __copy_user_zeroing_intel(void *to, cons
15246 __asm__ __volatile__(
15247 + " movw %w6, %%ds\n"
15249 "0: movl 32(%4), %%eax\n"
15251 @@ -346,36 +473,36 @@ __copy_user_zeroing_intel(void *to, cons
15253 "2: movl 0(%4), %%eax\n"
15254 "21: movl 4(%4), %%edx\n"
15255 - " movl %%eax, 0(%3)\n"
15256 - " movl %%edx, 4(%3)\n"
15257 + " movl %%eax, %%es:0(%3)\n"
15258 + " movl %%edx, %%es:4(%3)\n"
15259 "3: movl 8(%4), %%eax\n"
15260 "31: movl 12(%4),%%edx\n"
15261 - " movl %%eax, 8(%3)\n"
15262 - " movl %%edx, 12(%3)\n"
15263 + " movl %%eax, %%es:8(%3)\n"
15264 + " movl %%edx, %%es:12(%3)\n"
15265 "4: movl 16(%4), %%eax\n"
15266 "41: movl 20(%4), %%edx\n"
15267 - " movl %%eax, 16(%3)\n"
15268 - " movl %%edx, 20(%3)\n"
15269 + " movl %%eax, %%es:16(%3)\n"
15270 + " movl %%edx, %%es:20(%3)\n"
15271 "10: movl 24(%4), %%eax\n"
15272 "51: movl 28(%4), %%edx\n"
15273 - " movl %%eax, 24(%3)\n"
15274 - " movl %%edx, 28(%3)\n"
15275 + " movl %%eax, %%es:24(%3)\n"
15276 + " movl %%edx, %%es:28(%3)\n"
15277 "11: movl 32(%4), %%eax\n"
15278 "61: movl 36(%4), %%edx\n"
15279 - " movl %%eax, 32(%3)\n"
15280 - " movl %%edx, 36(%3)\n"
15281 + " movl %%eax, %%es:32(%3)\n"
15282 + " movl %%edx, %%es:36(%3)\n"
15283 "12: movl 40(%4), %%eax\n"
15284 "71: movl 44(%4), %%edx\n"
15285 - " movl %%eax, 40(%3)\n"
15286 - " movl %%edx, 44(%3)\n"
15287 + " movl %%eax, %%es:40(%3)\n"
15288 + " movl %%edx, %%es:44(%3)\n"
15289 "13: movl 48(%4), %%eax\n"
15290 "81: movl 52(%4), %%edx\n"
15291 - " movl %%eax, 48(%3)\n"
15292 - " movl %%edx, 52(%3)\n"
15293 + " movl %%eax, %%es:48(%3)\n"
15294 + " movl %%edx, %%es:52(%3)\n"
15295 "14: movl 56(%4), %%eax\n"
15296 "91: movl 60(%4), %%edx\n"
15297 - " movl %%eax, 56(%3)\n"
15298 - " movl %%edx, 60(%3)\n"
15299 + " movl %%eax, %%es:56(%3)\n"
15300 + " movl %%edx, %%es:60(%3)\n"
15304 @@ -389,6 +516,8 @@ __copy_user_zeroing_intel(void *to, cons
15310 ".section .fixup,\"ax\"\n"
15311 "9: lea 0(%%eax,%0,4),%0\n"
15313 @@ -423,7 +552,7 @@ __copy_user_zeroing_intel(void *to, cons
15316 : "=&c"(size), "=&D" (d0), "=&S" (d1)
15317 - : "1"(to), "2"(from), "0"(size)
15318 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
15319 : "eax", "edx", "memory");
15322 @@ -439,6 +568,7 @@ static unsigned long __copy_user_zeroing
15325 __asm__ __volatile__(
15326 + " movw %w6, %%ds\n"
15328 "0: movl 32(%4), %%eax\n"
15330 @@ -447,36 +577,36 @@ static unsigned long __copy_user_zeroing
15332 "2: movl 0(%4), %%eax\n"
15333 "21: movl 4(%4), %%edx\n"
15334 - " movnti %%eax, 0(%3)\n"
15335 - " movnti %%edx, 4(%3)\n"
15336 + " movnti %%eax, %%es:0(%3)\n"
15337 + " movnti %%edx, %%es:4(%3)\n"
15338 "3: movl 8(%4), %%eax\n"
15339 "31: movl 12(%4),%%edx\n"
15340 - " movnti %%eax, 8(%3)\n"
15341 - " movnti %%edx, 12(%3)\n"
15342 + " movnti %%eax, %%es:8(%3)\n"
15343 + " movnti %%edx, %%es:12(%3)\n"
15344 "4: movl 16(%4), %%eax\n"
15345 "41: movl 20(%4), %%edx\n"
15346 - " movnti %%eax, 16(%3)\n"
15347 - " movnti %%edx, 20(%3)\n"
15348 + " movnti %%eax, %%es:16(%3)\n"
15349 + " movnti %%edx, %%es:20(%3)\n"
15350 "10: movl 24(%4), %%eax\n"
15351 "51: movl 28(%4), %%edx\n"
15352 - " movnti %%eax, 24(%3)\n"
15353 - " movnti %%edx, 28(%3)\n"
15354 + " movnti %%eax, %%es:24(%3)\n"
15355 + " movnti %%edx, %%es:28(%3)\n"
15356 "11: movl 32(%4), %%eax\n"
15357 "61: movl 36(%4), %%edx\n"
15358 - " movnti %%eax, 32(%3)\n"
15359 - " movnti %%edx, 36(%3)\n"
15360 + " movnti %%eax, %%es:32(%3)\n"
15361 + " movnti %%edx, %%es:36(%3)\n"
15362 "12: movl 40(%4), %%eax\n"
15363 "71: movl 44(%4), %%edx\n"
15364 - " movnti %%eax, 40(%3)\n"
15365 - " movnti %%edx, 44(%3)\n"
15366 + " movnti %%eax, %%es:40(%3)\n"
15367 + " movnti %%edx, %%es:44(%3)\n"
15368 "13: movl 48(%4), %%eax\n"
15369 "81: movl 52(%4), %%edx\n"
15370 - " movnti %%eax, 48(%3)\n"
15371 - " movnti %%edx, 52(%3)\n"
15372 + " movnti %%eax, %%es:48(%3)\n"
15373 + " movnti %%edx, %%es:52(%3)\n"
15374 "14: movl 56(%4), %%eax\n"
15375 "91: movl 60(%4), %%edx\n"
15376 - " movnti %%eax, 56(%3)\n"
15377 - " movnti %%edx, 60(%3)\n"
15378 + " movnti %%eax, %%es:56(%3)\n"
15379 + " movnti %%edx, %%es:60(%3)\n"
15383 @@ -491,6 +621,8 @@ static unsigned long __copy_user_zeroing
15389 ".section .fixup,\"ax\"\n"
15390 "9: lea 0(%%eax,%0,4),%0\n"
15392 @@ -525,7 +657,7 @@ static unsigned long __copy_user_zeroing
15395 : "=&c"(size), "=&D" (d0), "=&S" (d1)
15396 - : "1"(to), "2"(from), "0"(size)
15397 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
15398 : "eax", "edx", "memory");
15401 @@ -536,6 +668,7 @@ static unsigned long __copy_user_intel_n
15404 __asm__ __volatile__(
15405 + " movw %w6, %%ds\n"
15407 "0: movl 32(%4), %%eax\n"
15409 @@ -544,36 +677,36 @@ static unsigned long __copy_user_intel_n
15411 "2: movl 0(%4), %%eax\n"
15412 "21: movl 4(%4), %%edx\n"
15413 - " movnti %%eax, 0(%3)\n"
15414 - " movnti %%edx, 4(%3)\n"
15415 + " movnti %%eax, %%es:0(%3)\n"
15416 + " movnti %%edx, %%es:4(%3)\n"
15417 "3: movl 8(%4), %%eax\n"
15418 "31: movl 12(%4),%%edx\n"
15419 - " movnti %%eax, 8(%3)\n"
15420 - " movnti %%edx, 12(%3)\n"
15421 + " movnti %%eax, %%es:8(%3)\n"
15422 + " movnti %%edx, %%es:12(%3)\n"
15423 "4: movl 16(%4), %%eax\n"
15424 "41: movl 20(%4), %%edx\n"
15425 - " movnti %%eax, 16(%3)\n"
15426 - " movnti %%edx, 20(%3)\n"
15427 + " movnti %%eax, %%es:16(%3)\n"
15428 + " movnti %%edx, %%es:20(%3)\n"
15429 "10: movl 24(%4), %%eax\n"
15430 "51: movl 28(%4), %%edx\n"
15431 - " movnti %%eax, 24(%3)\n"
15432 - " movnti %%edx, 28(%3)\n"
15433 + " movnti %%eax, %%es:24(%3)\n"
15434 + " movnti %%edx, %%es:28(%3)\n"
15435 "11: movl 32(%4), %%eax\n"
15436 "61: movl 36(%4), %%edx\n"
15437 - " movnti %%eax, 32(%3)\n"
15438 - " movnti %%edx, 36(%3)\n"
15439 + " movnti %%eax, %%es:32(%3)\n"
15440 + " movnti %%edx, %%es:36(%3)\n"
15441 "12: movl 40(%4), %%eax\n"
15442 "71: movl 44(%4), %%edx\n"
15443 - " movnti %%eax, 40(%3)\n"
15444 - " movnti %%edx, 44(%3)\n"
15445 + " movnti %%eax, %%es:40(%3)\n"
15446 + " movnti %%edx, %%es:44(%3)\n"
15447 "13: movl 48(%4), %%eax\n"
15448 "81: movl 52(%4), %%edx\n"
15449 - " movnti %%eax, 48(%3)\n"
15450 - " movnti %%edx, 52(%3)\n"
15451 + " movnti %%eax, %%es:48(%3)\n"
15452 + " movnti %%edx, %%es:52(%3)\n"
15453 "14: movl 56(%4), %%eax\n"
15454 "91: movl 60(%4), %%edx\n"
15455 - " movnti %%eax, 56(%3)\n"
15456 - " movnti %%edx, 60(%3)\n"
15457 + " movnti %%eax, %%es:56(%3)\n"
15458 + " movnti %%edx, %%es:60(%3)\n"
15462 @@ -588,6 +721,8 @@ static unsigned long __copy_user_intel_n
15468 ".section .fixup,\"ax\"\n"
15469 "9: lea 0(%%eax,%0,4),%0\n"
15471 @@ -616,7 +751,7 @@ static unsigned long __copy_user_intel_n
15474 : "=&c"(size), "=&D" (d0), "=&S" (d1)
15475 - : "1"(to), "2"(from), "0"(size)
15476 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
15477 : "eax", "edx", "memory");
15480 @@ -629,90 +764,146 @@ static unsigned long __copy_user_intel_n
15482 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
15483 unsigned long size);
15484 -unsigned long __copy_user_intel(void __user *to, const void *from,
15485 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
15486 + unsigned long size);
15487 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
15488 unsigned long size);
15489 unsigned long __copy_user_zeroing_intel_nocache(void *to,
15490 const void __user *from, unsigned long size);
15491 #endif /* CONFIG_X86_INTEL_USERCOPY */
15493 /* Generic arbitrary sized copy. */
15494 -#define __copy_user(to, from, size) \
15496 - int __d0, __d1, __d2; \
15497 - __asm__ __volatile__( \
15500 - " movl %1,%0\n" \
15502 - " andl $7,%0\n" \
15503 - " subl %0,%3\n" \
15504 - "4: rep; movsb\n" \
15505 - " movl %3,%0\n" \
15506 - " shrl $2,%0\n" \
15507 - " andl $3,%3\n" \
15508 - " .align 2,0x90\n" \
15509 - "0: rep; movsl\n" \
15510 - " movl %3,%0\n" \
15511 - "1: rep; movsb\n" \
15513 - ".section .fixup,\"ax\"\n" \
15514 - "5: addl %3,%0\n" \
15516 - "3: lea 0(%3,%0,4),%0\n" \
15519 - ".section __ex_table,\"a\"\n" \
15521 - " .long 4b,5b\n" \
15522 - " .long 0b,3b\n" \
15523 - " .long 1b,2b\n" \
15525 - : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
15526 - : "3"(size), "0"(size), "1"(to), "2"(from) \
15530 -#define __copy_user_zeroing(to, from, size) \
15532 - int __d0, __d1, __d2; \
15533 - __asm__ __volatile__( \
15536 - " movl %1,%0\n" \
15538 - " andl $7,%0\n" \
15539 - " subl %0,%3\n" \
15540 - "4: rep; movsb\n" \
15541 - " movl %3,%0\n" \
15542 - " shrl $2,%0\n" \
15543 - " andl $3,%3\n" \
15544 - " .align 2,0x90\n" \
15545 - "0: rep; movsl\n" \
15546 - " movl %3,%0\n" \
15547 - "1: rep; movsb\n" \
15549 - ".section .fixup,\"ax\"\n" \
15550 - "5: addl %3,%0\n" \
15552 - "3: lea 0(%3,%0,4),%0\n" \
15553 - "6: pushl %0\n" \
15554 - " pushl %%eax\n" \
15555 - " xorl %%eax,%%eax\n" \
15556 - " rep; stosb\n" \
15557 - " popl %%eax\n" \
15561 - ".section __ex_table,\"a\"\n" \
15563 - " .long 4b,5b\n" \
15564 - " .long 0b,3b\n" \
15565 - " .long 1b,6b\n" \
15567 - : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
15568 - : "3"(size), "0"(size), "1"(to), "2"(from) \
15571 +static unsigned long
15572 +__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
15574 + int __d0, __d1, __d2;
15576 + __asm__ __volatile__(
15577 + " movw %w8,%%es\n"
15584 + "4: rep; movsb\n"
15588 + " .align 2,0x90\n"
15589 + "0: rep; movsl\n"
15591 + "1: rep; movsb\n"
15595 + ".section .fixup,\"ax\"\n"
15596 + "5: addl %3,%0\n"
15598 + "3: lea 0(%3,%0,4),%0\n"
15601 + ".section __ex_table,\"a\"\n"
15607 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
15608 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
15613 +static unsigned long
15614 +__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
15616 + int __d0, __d1, __d2;
15618 + __asm__ __volatile__(
15619 + " movw %w8,%%ds\n"
15626 + "4: rep; movsb\n"
15630 + " .align 2,0x90\n"
15631 + "0: rep; movsl\n"
15633 + "1: rep; movsb\n"
15637 + ".section .fixup,\"ax\"\n"
15638 + "5: addl %3,%0\n"
15640 + "3: lea 0(%3,%0,4),%0\n"
15643 + ".section __ex_table,\"a\"\n"
15649 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
15650 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
15655 +static unsigned long
15656 +__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
15658 + int __d0, __d1, __d2;
15660 + __asm__ __volatile__(
15661 + " movw %w8,%%ds\n"
15668 + "4: rep; movsb\n"
15672 + " .align 2,0x90\n"
15673 + "0: rep; movsl\n"
15675 + "1: rep; movsb\n"
15679 + ".section .fixup,\"ax\"\n"
15680 + "5: addl %3,%0\n"
15682 + "3: lea 0(%3,%0,4),%0\n"
15685 + " xorl %%eax,%%eax\n"
15691 + ".section __ex_table,\"a\"\n"
15697 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
15698 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
15703 unsigned long __copy_to_user_ll(void __user *to, const void *from,
15705 @@ -775,9 +966,9 @@ survive:
15708 if (movsl_is_ok(to, from, n))
15709 - __copy_user(to, from, n);
15710 + n = __generic_copy_to_user(to, from, n);
15712 - n = __copy_user_intel(to, from, n);
15713 + n = __generic_copy_to_user_intel(to, from, n);
15716 EXPORT_SYMBOL(__copy_to_user_ll);
15717 @@ -786,7 +977,7 @@ unsigned long __copy_from_user_ll(void *
15720 if (movsl_is_ok(to, from, n))
15721 - __copy_user_zeroing(to, from, n);
15722 + n = __copy_user_zeroing(to, from, n);
15724 n = __copy_user_zeroing_intel(to, from, n);
15726 @@ -797,10 +988,9 @@ unsigned long __copy_from_user_ll_nozero
15729 if (movsl_is_ok(to, from, n))
15730 - __copy_user(to, from, n);
15731 + n = __generic_copy_from_user(to, from, n);
15733 - n = __copy_user_intel((void __user *)to,
15734 - (const void *)from, n);
15735 + n = __generic_copy_from_user_intel(to, from, n);
15738 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
15739 @@ -812,9 +1002,9 @@ unsigned long __copy_from_user_ll_nocach
15740 if (n > 64 && cpu_has_xmm2)
15741 n = __copy_user_zeroing_intel_nocache(to, from, n);
15743 - __copy_user_zeroing(to, from, n);
15744 + n = __copy_user_zeroing(to, from, n);
15746 - __copy_user_zeroing(to, from, n);
15747 + n = __copy_user_zeroing(to, from, n);
15751 @@ -827,65 +1017,53 @@ unsigned long __copy_from_user_ll_nocach
15752 if (n > 64 && cpu_has_xmm2)
15753 n = __copy_user_intel_nocache(to, from, n);
15755 - __copy_user(to, from, n);
15756 + n = __generic_copy_from_user(to, from, n);
15758 - __copy_user(to, from, n);
15759 + n = __generic_copy_from_user(to, from, n);
15763 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
15766 - * copy_to_user: - Copy a block of data into user space.
15767 - * @to: Destination address, in user space.
15768 - * @from: Source address, in kernel space.
15769 - * @n: Number of bytes to copy.
15771 - * Context: User context only. This function may sleep.
15773 - * Copy data from kernel space to user space.
15775 - * Returns number of bytes that could not be copied.
15776 - * On success, this will be zero.
15779 -copy_to_user(void __user *to, const void *from, unsigned long n)
15780 +void copy_from_user_overflow(void)
15782 - if (access_ok(VERIFY_WRITE, to, n))
15783 - n = __copy_to_user(to, from, n);
15785 + WARN(1, "Buffer overflow detected!\n");
15787 -EXPORT_SYMBOL(copy_to_user);
15788 +EXPORT_SYMBOL(copy_from_user_overflow);
15791 - * copy_from_user: - Copy a block of data from user space.
15792 - * @to: Destination address, in kernel space.
15793 - * @from: Source address, in user space.
15794 - * @n: Number of bytes to copy.
15796 - * Context: User context only. This function may sleep.
15798 - * Copy data from user space to kernel space.
15800 - * Returns number of bytes that could not be copied.
15801 - * On success, this will be zero.
15803 - * If some data could not be copied, this function will pad the copied
15804 - * data to the requested size using zero bytes.
15807 -_copy_from_user(void *to, const void __user *from, unsigned long n)
15808 +void copy_to_user_overflow(void)
15810 - if (access_ok(VERIFY_READ, from, n))
15811 - n = __copy_from_user(to, from, n);
15813 - memset(to, 0, n);
15815 + WARN(1, "Buffer overflow detected!\n");
15817 -EXPORT_SYMBOL(_copy_from_user);
15818 +EXPORT_SYMBOL(copy_to_user_overflow);
15820 -void copy_from_user_overflow(void)
15821 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15822 +void __set_fs(mm_segment_t x, int cpu)
15824 - WARN(1, "Buffer overflow detected!\n");
15825 + unsigned long limit = x.seg;
15826 + struct desc_struct d;
15828 + current_thread_info()->addr_limit = x;
15829 + if (unlikely(paravirt_enabled()))
15832 + if (likely(limit))
15833 + limit = (limit - 1UL) >> PAGE_SHIFT;
15834 + pack_descriptor(&d, 0UL, limit, 0xF3, 0xC);
15835 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, &d, DESCTYPE_S);
15837 -EXPORT_SYMBOL(copy_from_user_overflow);
15839 +void set_fs(mm_segment_t x)
15841 + __set_fs(x, get_cpu());
15844 +EXPORT_SYMBOL(copy_from_user);
15846 +void set_fs(mm_segment_t x)
15848 + current_thread_info()->addr_limit = x;
15852 +EXPORT_SYMBOL(set_fs);
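Review bot: `EXPORT_SYMBOL(copy_from_user);` is added directly after the UDEREF variant of `set_fs()`, apparently inside the `CONFIG_PAX_MEMORY_UDEREF` branch, while this same hunk deletes the out-of-line `copy_to_user()` and `_copy_from_user()` definitions together with their exports. If `copy_from_user` is not defined out of line elsewhere, the export has nothing to refer to, and in any case it should not depend on the UDEREF option; possibly `__set_fs` was the intended symbol. Separately, `pack_descriptor(&d, 0UL, limit, 0xF3, 0xC)` deserves a comment naming the access byte and flags, e.g. `/* present, DPL 3, writable data; 4 KiB granular, 32-bit */`. `set_fs()` calls `get_cpu()`, so the matching `put_cpu()` (not visible in this view) should be confirmed.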
15853 diff -urNp linux-2.6.33/arch/x86/Makefile linux-2.6.33/arch/x86/Makefile
15854 --- linux-2.6.33/arch/x86/Makefile 2010-02-24 13:52:17.000000000 -0500
15855 +++ linux-2.6.33/arch/x86/Makefile 2010-03-07 12:23:35.953604355 -0500
15856 @@ -192,3 +192,12 @@ define archhelp
15857 echo ' FDARGS="..." arguments for the booted kernel'
15858 echo ' FDINITRD=file initrd for the booted kernel'
15863 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
15864 +*** Please upgrade your binutils to 2.18 or newer
15868 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
15869 diff -urNp linux-2.6.33/arch/x86/mm/extable.c linux-2.6.33/arch/x86/mm/extable.c
15870 --- linux-2.6.33/arch/x86/mm/extable.c 2010-02-24 13:52:17.000000000 -0500
15871 +++ linux-2.6.33/arch/x86/mm/extable.c 2010-03-07 12:23:35.953604355 -0500
15873 #include <linux/module.h>
15874 #include <linux/spinlock.h>
15875 +#include <linux/sort.h>
15876 #include <asm/uaccess.h>
15877 +#include <asm/pgtable.h>
15880 + * The exception table needs to be sorted so that the binary
15881 + * search that we use to find entries in it works properly.
15882 + * This is used both for the kernel exception table and for
15883 + * the exception tables of modules that get loaded.
15885 +static int cmp_ex(const void *a, const void *b)
15887 + const struct exception_table_entry *x = a, *y = b;
15889 + /* avoid overflow */
15890 + if (x->insn > y->insn)
15892 + if (x->insn < y->insn)
15897 +static void swap_ex(void *a, void *b, int size)
15899 + struct exception_table_entry t, *x = a, *y = b;
15903 + pax_open_kernel();
15906 + pax_close_kernel();
15909 +void sort_extable(struct exception_table_entry *start,
15910 + struct exception_table_entry *finish)
15912 + sort(start, finish - start, sizeof(struct exception_table_entry),
15913 + cmp_ex, swap_ex);
15916 +#ifdef CONFIG_MODULES
15918 + * If the exception table is sorted, any referring to the module init
15919 + * will be at the beginning or the end.
15921 +void trim_init_extable(struct module *m)
15923 + /*trim the beginning*/
15924 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
15926 + m->num_exentries--;
15929 + while (m->num_exentries &&
15930 + within_module_init(m->extable[m->num_exentries-1].insn, m))
15931 + m->num_exentries--;
15933 +#endif /* CONFIG_MODULES */
15935 int fixup_exception(struct pt_regs *regs)
15937 const struct exception_table_entry *fixup;
15939 #ifdef CONFIG_PNPBIOS
15940 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
15941 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
15942 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
15943 extern u32 pnp_bios_is_utter_crap;
15944 pnp_bios_is_utter_crap = 1;
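Review bot: swap_ex() has no comment saying why the element swap is bracketed by `pax_open_kernel()` / `pax_close_kernel()`, which is the one thing that distinguishes it from the default swap `sort()` would otherwise use. Presumably the exception table sits in write-protected memory under this patch; state that above the function, e.g. `/* extable is expected to be read-only: open the kernel write window only around the swap */`. The same comment should record that the window is opened per swap on purpose, so nobody later widens it to cover the whole `sort()` call in sort_extable(). Several short lines of this hunk are missing from the page, so the statements inside the window cannot be checked here.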
15945 diff -urNp linux-2.6.33/arch/x86/mm/fault.c linux-2.6.33/arch/x86/mm/fault.c
15946 --- linux-2.6.33/arch/x86/mm/fault.c 2010-02-24 13:52:17.000000000 -0500
15947 +++ linux-2.6.33/arch/x86/mm/fault.c 2010-03-07 12:23:35.953604355 -0500
15948 @@ -11,10 +11,14 @@
15949 #include <linux/kprobes.h> /* __kprobes, ... */
15950 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
15951 #include <linux/perf_event.h> /* perf_sw_event */
15952 +#include <linux/unistd.h>
15953 +#include <linux/compiler.h>
15955 #include <asm/traps.h> /* dotraplinkage, ... */
15956 #include <asm/pgalloc.h> /* pgd_*(), ... */
15957 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
15958 +#include <asm/vsyscall.h>
15959 +#include <asm/tlbflush.h>
15962 * Page fault error code bits:
15963 @@ -52,7 +56,7 @@ static inline int __kprobes notify_page_
15966 /* kprobe_running() needs smp_processor_id() */
15967 - if (kprobes_built_in() && !user_mode_vm(regs)) {
15968 + if (kprobes_built_in() && !user_mode(regs)) {
15970 if (kprobe_running() && kprobe_fault_handler(regs, 14))
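Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` is only safe if `user_mode()` has been redefined elsewhere in this patch to treat vm86 frames as user mode. In the unpatched 32-bit tree `user_mode()` tests only the CS privilege bits, so a fault taken in vm86 mode could be classified as a kernel fault and handed to `kprobe_fault_handler()`. The redefinition is not visible in this file's hunks; confirm it exists and add a short comment at the call, e.g. `/* user_mode() covers vm86 in this tree */`. The same substitution is made in do_page_fault (hunk at -1018,7), where it decides whether `PF_USER` is set; notify_page_fault itself continues outside this hunk.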
15972 @@ -173,6 +177,30 @@ force_sig_info_fault(int si_signo, int s
15973 force_sig_info(si_signo, &info, tsk);
15976 +#ifdef CONFIG_PAX_EMUTRAMP
15977 +static int pax_handle_fetch_fault(struct pt_regs *regs);
15980 +#ifdef CONFIG_PAX_PAGEEXEC
15981 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
15987 + pgd = pgd_offset(mm, address);
15988 + if (!pgd_present(*pgd))
15990 + pud = pud_offset(pgd, address);
15991 + if (!pud_present(*pud))
15993 + pmd = pmd_offset(pud, address);
15994 + if (!pmd_present(*pmd))
16000 DEFINE_SPINLOCK(pgd_lock);
16001 LIST_HEAD(pgd_list);
16003 @@ -536,7 +564,7 @@ static int is_errata93(struct pt_regs *r
16004 static int is_errata100(struct pt_regs *regs, unsigned long address)
16006 #ifdef CONFIG_X86_64
16007 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
16008 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
16012 @@ -563,7 +591,7 @@ static int is_f00f_bug(struct pt_regs *r
16015 static const char nx_warning[] = KERN_CRIT
16016 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
16017 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
16020 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
16021 @@ -572,15 +600,26 @@ show_fault_oops(struct pt_regs *regs, un
16022 if (!oops_may_print())
16025 - if (error_code & PF_INSTR) {
16026 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
16027 unsigned int level;
16029 pte_t *pte = lookup_address(address, &level);
16031 if (pte && pte_present(*pte) && !pte_exec(*pte))
16032 - printk(nx_warning, current_uid());
16033 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
16036 +#ifdef CONFIG_PAX_KERNEXEC
16037 + if (init_mm.start_code <= address && address < init_mm.end_code) {
16038 + if (current->signal->curr_ip)
16039 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
16040 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
16042 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
16043 + current->comm, task_pid_nr(current), current_uid(), current_euid());
16047 printk(KERN_ALERT "BUG: unable to handle kernel ");
16048 if (address < PAGE_SIZE)
16049 printk(KERN_CONT "NULL pointer dereference");
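Review bot: The CONFIG_PAX_KERNEXEC block logs "attempted to modify kernel code" for any fault whose address lies in `init_mm.start_code`..`init_mm.end_code`, but none of the visible lines test `error_code & PF_WRITE`. A read or fetch fault in that range would then be reported as a write attempt, which misleads whoever triages the log; consider `if ((error_code & PF_WRITE) && init_mm.start_code <= address && address < init_mm.end_code) {` or a neutrally worded message. Both messages also print `current->comm` unescaped, and that string is set by the task itself, so log consumers should not treat it as trusted. Separately, the first printk's argument appears on this page as `¤t->signal->curr_ip`; that looks like `&current->signal->curr_ip` damaged by HTML entity decoding and should be checked against the original patch before applying.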
16050 @@ -705,6 +744,68 @@ __bad_area_nosemaphore(struct pt_regs *r
16051 unsigned long address, int si_code)
16053 struct task_struct *tsk = current;
16054 + struct mm_struct *mm = tsk->mm;
16056 +#ifdef CONFIG_X86_64
16057 + if (mm && (error_code & PF_INSTR)) {
16058 + if (regs->ip == (unsigned long)vgettimeofday) {
16059 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
16061 + } else if (regs->ip == (unsigned long)vtime) {
16062 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
16064 + } else if (regs->ip == (unsigned long)vgetcpu) {
16065 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
16071 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16072 + if (mm && (error_code & PF_USER)) {
16073 + unsigned long ip = regs->ip;
16075 + if (v8086_mode(regs))
16076 + ip = ((regs->cs & 0xffff) << 4) + (regs->ip & 0xffff);
16079 + * It's possible to have interrupts off here:
16081 + local_irq_enable();
16083 +#ifdef CONFIG_PAX_PAGEEXEC
16084 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
16085 + (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && regs->ip == address))) {
16087 +#ifdef CONFIG_PAX_EMUTRAMP
16088 + switch (pax_handle_fetch_fault(regs)) {
16094 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
16095 + do_group_exit(SIGKILL);
16099 +#ifdef CONFIG_PAX_SEGMEXEC
16100 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (regs->ip + SEGMEXEC_TASK_SIZE == address)) {
16102 +#ifdef CONFIG_PAX_EMUTRAMP
16103 + switch (pax_handle_fetch_fault(regs)) {
16109 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
16110 + do_group_exit(SIGKILL);
16117 /* User mode accesses just cause a SIGSEGV */
16118 if (error_code & PF_USER) {
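Review bot: The linear address computed into `ip` for vm86 frames (`((regs->cs & 0xffff) << 4) + (regs->ip & 0xffff)`) is not used by either fetch test in the lines visible here: the PAGEEXEC test compares `regs->ip == address` and the SEGMEXEC test compares `regs->ip + SEGMEXEC_TASK_SIZE == address`. For a vm86 task with a non-zero code segment those comparisons would not match the faulting linear address, so unless the NX/`PF_INSTR` branch catches it the fetch ends in the plain SIGSEGV path without a PaX report. If that is not intended, use the local in both places: `... && ip == address` and `(ip + SEGMEXEC_TASK_SIZE == address)`. The function body starts and continues outside this hunk and some short lines are missing from the page, so confirm `ip` has no other use before changing it.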
16119 @@ -849,6 +950,106 @@ static int spurious_fault_check(unsigned
16123 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
16124 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
16129 + unsigned char pte_mask;
16131 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
16132 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
16135 + /* PaX: it's our fault, let's handle it if we can */
16137 + /* PaX: take a look at read faults before acquiring any locks */
16138 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
16139 + /* instruction fetch attempt from a protected page in user mode */
16140 + up_read(&mm->mmap_sem);
16142 +#ifdef CONFIG_PAX_EMUTRAMP
16143 + switch (pax_handle_fetch_fault(regs)) {
16149 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
16150 + do_group_exit(SIGKILL);
16153 + pmd = pax_get_pmd(mm, address);
16154 + if (unlikely(!pmd))
16157 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
16158 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
16159 + pte_unmap_unlock(pte, ptl);
16163 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
16164 + /* write attempt to a protected page in user mode */
16165 + pte_unmap_unlock(pte, ptl);
16170 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
16172 + if (likely(address > get_limit(regs->cs)))
16175 + set_pte(pte, pte_mkread(*pte));
16176 + __flush_tlb_one(address);
16177 + pte_unmap_unlock(pte, ptl);
16178 + up_read(&mm->mmap_sem);
16182 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
16185 + * PaX: fill DTLB with user rights and retry
16187 + __asm__ __volatile__ (
16188 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16189 + "movw %w4,%%es\n"
16192 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
16194 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
16195 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
16196 + * page fault when examined during a TLB load attempt. this is true not only
16197 + * for PTEs holding a non-present entry but also present entries that will
16198 + * raise a page fault (such as those set up by PaX, or the copy-on-write
16199 + * mechanism). in effect it means that we do *not* need to flush the TLBs
16200 + * for our target pages since their PTEs are simply not in the TLBs at all.
16202 + * the best thing in omitting it is that we gain around 15-20% speed in the
16203 + * fast path of the page fault handler and can get rid of tracing since we
16204 + * can no longer flush unintended entries.
16208 + "testb $0,%%es:(%0)\n"
16210 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16215 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
16216 + : "memory", "cc");
16217 + pte_unmap_unlock(pte, ptl);
16218 + up_read(&mm->mmap_sem);
16224 * Handle a spurious fault caused by a stale TLB entry.
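Review bot: pax_handle_pageexec_fault() calls `up_read(&mm->mmap_sem)` on some exits but only `pte_unmap_unlock()` on others, and nothing documents which return value goes with which lock state. It appears to be entered with `mmap_sem` already held by do_page_fault() (the call is added just before `find_vma()` in the hunk at -1072,6), so the caller has to rely on that pairing; the `return` lines are missing from this page and cannot be verified here. Add a header comment stating the contract, along the lines of `/* returns non-zero with mmap_sem released, 0 with mmap_sem still held */`, once confirmed against the full source.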
16226 @@ -915,6 +1116,9 @@ int show_unhandled_signals = 1;
16228 access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
16230 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
16234 /* write, present and write, not present: */
16235 if (unlikely(!(vma->vm_flags & VM_WRITE)))
16236 @@ -948,17 +1152,16 @@ do_page_fault(struct pt_regs *regs, unsi
16238 struct vm_area_struct *vma;
16239 struct task_struct *tsk;
16240 - unsigned long address;
16241 struct mm_struct *mm;
16245 + /* Get the faulting address: */
16246 + const unsigned long address = read_cr2();
16251 - /* Get the faulting address: */
16252 - address = read_cr2();
16255 * Detect and handle instructions that would cause a page fault for
16256 * both a tracked kernel page and a userspace page.
16257 @@ -1018,7 +1221,7 @@ do_page_fault(struct pt_regs *regs, unsi
16258 * User-mode registers count as a user access even for any
16259 * potential system fault or CPU buglet:
16261 - if (user_mode_vm(regs)) {
16262 + if (user_mode(regs)) {
16263 local_irq_enable();
16264 error_code |= PF_USER;
16266 @@ -1072,6 +1275,11 @@ do_page_fault(struct pt_regs *regs, unsi
16270 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
16271 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
16275 vma = find_vma(mm, address);
16276 if (unlikely(!vma)) {
16277 bad_area(regs, error_code, address);
16278 @@ -1083,18 +1291,24 @@ do_page_fault(struct pt_regs *regs, unsi
16279 bad_area(regs, error_code, address);
16282 - if (error_code & PF_USER) {
16284 - * Accessing the stack below %sp is always a bug.
16285 - * The large cushion allows instructions like enter
16286 - * and pusha to work. ("enter $65535, $31" pushes
16287 - * 32 pointers and then decrements %sp by 65535.)
16289 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
16290 - bad_area(regs, error_code, address);
16294 + * Accessing the stack below %sp is always a bug.
16295 + * The large cushion allows instructions like enter
16296 + * and pusha to work. ("enter $65535, $31" pushes
16297 + * 32 pointers and then decrements %sp by 65535.)
16299 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
16300 + bad_area(regs, error_code, address);
16304 +#ifdef CONFIG_PAX_SEGMEXEC
16305 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
16306 + bad_area(regs, error_code, address);
16311 if (unlikely(expand_stack(vma, address))) {
16312 bad_area(regs, error_code, address);
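Review bot: With the `if (error_code & PF_USER)` guard removed and the comparison switched to `task_pt_regs(tsk)->sp`, the stack-cushion test now also applies to faults taken in kernel mode on behalf of the task, yet the retained comment still describes only the original rule. Extend it to say so, e.g. add `* PaX: also applied to kernel-mode accesses, against the saved user %sp.` The SEGMEXEC test that follows, `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1`, only works through unsigned wrap-around and deserves a one-line comment naming the case it rejects (as far as can be read here: a vma ending above SEGMEXEC_TASK_SIZE being grown down to an address at or below it). The surrounding function starts and ends outside this hunk.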
16314 @@ -1138,3 +1352,199 @@ good_area:
16316 up_read(&mm->mmap_sem);
16319 +#ifdef CONFIG_PAX_EMUTRAMP
16320 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
16324 + do { /* PaX: gcc trampoline emulation #1 */
16325 + unsigned char mov1, mov2;
16326 + unsigned short jmp;
16327 + unsigned int addr1, addr2;
16329 +#ifdef CONFIG_X86_64
16330 + if ((regs->ip + 11) >> 32)
16334 + err = get_user(mov1, (unsigned char __user *)regs->ip);
16335 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
16336 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
16337 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
16338 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
16343 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
16344 + regs->cx = addr1;
16345 + regs->ax = addr2;
16346 + regs->ip = addr2;
16351 + do { /* PaX: gcc trampoline emulation #2 */
16352 + unsigned char mov, jmp;
16353 + unsigned int addr1, addr2;
16355 +#ifdef CONFIG_X86_64
16356 + if ((regs->ip + 9) >> 32)
16360 + err = get_user(mov, (unsigned char __user *)regs->ip);
16361 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
16362 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
16363 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
16368 + if (mov == 0xB9 && jmp == 0xE9) {
16369 + regs->cx = addr1;
16370 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
16375 + return 1; /* PaX in action */
16378 +#ifdef CONFIG_X86_64
16379 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
16383 + do { /* PaX: gcc trampoline emulation #1 */
16384 + unsigned short mov1, mov2, jmp1;
16385 + unsigned char jmp2;
16386 + unsigned int addr1;
16387 + unsigned long addr2;
16389 + err = get_user(mov1, (unsigned short __user *)regs->ip);
16390 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
16391 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
16392 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
16393 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
16394 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
16399 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
16400 + regs->r11 = addr1;
16401 + regs->r10 = addr2;
16402 + regs->ip = addr1;
16407 + do { /* PaX: gcc trampoline emulation #2 */
16408 + unsigned short mov1, mov2, jmp1;
16409 + unsigned char jmp2;
16410 + unsigned long addr1, addr2;
16412 + err = get_user(mov1, (unsigned short __user *)regs->ip);
16413 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
16414 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
16415 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
16416 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
16417 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
16422 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
16423 + regs->r11 = addr1;
16424 + regs->r10 = addr2;
16425 + regs->ip = addr1;
16430 + return 1; /* PaX in action */
16435 + * PaX: decide what to do with offenders (regs->ip = fault address)
16437 + * returns 1 when task should be killed
16438 + * 2 when gcc trampoline was detected
16440 +static int pax_handle_fetch_fault(struct pt_regs *regs)
16442 + if (v8086_mode(regs))
16445 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
16448 +#ifdef CONFIG_X86_32
16449 + return pax_handle_fetch_fault_32(regs);
16451 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
16452 + return pax_handle_fetch_fault_32(regs);
16454 + return pax_handle_fetch_fault_64(regs);
16459 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16460 +void pax_report_insns(void *pc, void *sp)
16464 + printk(KERN_ERR "PAX: bytes at PC: ");
16465 + for (i = 0; i < 20; i++) {
16467 + if (get_user(c, (__force unsigned char __user *)pc+i))
16468 + printk(KERN_CONT "?? ");
16470 + printk(KERN_CONT "%02x ", c);
16474 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
16475 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
16477 + if (get_user(c, (__force unsigned long __user *)sp+i))
16478 +#ifdef CONFIG_X86_32
16479 + printk(KERN_CONT "???????? ");
16481 + printk(KERN_CONT "???????????????? ");
16484 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
16491 + * probe_kernel_write(): safely attempt to write to a location
16492 + * @dst: address to write to
16493 + * @src: pointer to the data that shall be written
16494 + * @size: size of the data chunk
16496 + * Safely write to address @dst from the buffer at @src. If a kernel fault
16497 + * happens, handle that and return -EFAULT.
16499 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
16502 + mm_segment_t old_fs = get_fs();
16504 + set_fs(KERNEL_DS);
16505 + pagefault_disable();
16506 + pax_open_kernel();
16507 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
16508 + pax_close_kernel();
16509 + pagefault_enable();
16512 + return ret ? -EFAULT : 0;
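Review bot: probe_kernel_write() now wraps its copy in `pax_open_kernel()` / `pax_close_kernel()`, so every caller of this generic helper can write to kernel memory that is otherwise write-protected, and the kernel-doc above it does not say so. That widens the set of code paths able to modify read-only kernel data; the comment should name the intended callers and state the expectation, e.g. `* Note: bypasses kernel write protection; @dst must be a trusted kernel address chosen by the caller, never derived from user input.` If only specific callers need the bypass, consider keeping the generic helper strict and opening the window at those call sites instead. The restore of `old_fs` is on a line missing from this page and should be confirmed in the full patch.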
16514 diff -urNp linux-2.6.33/arch/x86/mm/gup.c linux-2.6.33/arch/x86/mm/gup.c
16515 --- linux-2.6.33/arch/x86/mm/gup.c 2010-02-24 13:52:17.000000000 -0500
16516 +++ linux-2.6.33/arch/x86/mm/gup.c 2010-03-07 12:23:35.953604355 -0500
16517 @@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long
16519 len = (unsigned long) nr_pages << PAGE_SHIFT;
16521 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
16522 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
16523 (void __user *)start, len)))
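Review bot: Nothing at this call site explains why the user-range check in __get_user_pages_fast() switches from `access_ok()` to `__access_ok()`. The definitions are not in this hunk, so whether the double-underscore form performs the same range validation cannot be confirmed from here; since this check is what keeps the fast page-table walk inside the user address range, that equivalence matters. Add a comment recording the reason, e.g. `/* __access_ok: range check only, this path must not fault */`, if that is indeed the difference.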
16526 diff -urNp linux-2.6.33/arch/x86/mm/highmem_32.c linux-2.6.33/arch/x86/mm/highmem_32.c
16527 --- linux-2.6.33/arch/x86/mm/highmem_32.c 2010-02-24 13:52:17.000000000 -0500
16528 +++ linux-2.6.33/arch/x86/mm/highmem_32.c 2010-03-07 12:23:35.953604355 -0500
16529 @@ -43,7 +43,10 @@ void *kmap_atomic_prot(struct page *page
16530 idx = type + KM_TYPE_NR*smp_processor_id();
16531 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
16532 BUG_ON(!pte_none(*(kmap_pte-idx)));
16534 + pax_open_kernel();
16535 set_pte(kmap_pte-idx, mk_pte(page, prot));
16536 + pax_close_kernel();
16538 return (void *)vaddr;
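Review bot: Only the PTE store in kmap_atomic_prot() is bracketed by `pax_open_kernel()` / `pax_close_kernel()`; this file section has no matching change for the path that clears the same slot on unmap. If the kmap PTEs are write-protected, as the added bracket implies, the clear needs the same treatment unless the PTE-clear primitive handles it elsewhere in the patch, which is worth confirming and noting here, e.g. `/* kmap PTEs are read-only under KERNEXEC; the unmap side is covered in <place> */`. kmap_atomic_prot() starts outside this hunk.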
16540 diff -urNp linux-2.6.33/arch/x86/mm/hugetlbpage.c linux-2.6.33/arch/x86/mm/hugetlbpage.c
16541 --- linux-2.6.33/arch/x86/mm/hugetlbpage.c 2010-02-24 13:52:17.000000000 -0500
16542 +++ linux-2.6.33/arch/x86/mm/hugetlbpage.c 2010-03-07 12:23:35.953604355 -0500
16543 @@ -267,13 +267,18 @@ static unsigned long hugetlb_get_unmappe
16544 struct hstate *h = hstate_file(file);
16545 struct mm_struct *mm = current->mm;
16546 struct vm_area_struct *vma;
16547 - unsigned long start_addr;
16548 + unsigned long start_addr, pax_task_size = TASK_SIZE;
16550 +#ifdef CONFIG_PAX_SEGMEXEC
16551 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
16552 + pax_task_size = SEGMEXEC_TASK_SIZE;
16555 if (len > mm->cached_hole_size) {
16556 - start_addr = mm->free_area_cache;
16557 + start_addr = mm->free_area_cache;
16559 - start_addr = TASK_UNMAPPED_BASE;
16560 - mm->cached_hole_size = 0;
16561 + start_addr = mm->mmap_base;
16562 + mm->cached_hole_size = 0;
16566 @@ -281,13 +286,13 @@ full_search:
16568 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
16569 /* At this point: (!vma || addr < vma->vm_end). */
16570 - if (TASK_SIZE - len < addr) {
16571 + if (pax_task_size - len < addr) {
16573 * Start a new search - just in case we missed
16576 - if (start_addr != TASK_UNMAPPED_BASE) {
16577 - start_addr = TASK_UNMAPPED_BASE;
16578 + if (start_addr != mm->mmap_base) {
16579 + start_addr = mm->mmap_base;
16580 mm->cached_hole_size = 0;
16583 @@ -310,9 +315,8 @@ static unsigned long hugetlb_get_unmappe
16584 struct hstate *h = hstate_file(file);
16585 struct mm_struct *mm = current->mm;
16586 struct vm_area_struct *vma, *prev_vma;
16587 - unsigned long base = mm->mmap_base, addr = addr0;
16588 + unsigned long base = mm->mmap_base, addr;
16589 unsigned long largest_hole = mm->cached_hole_size;
16590 - int first_time = 1;
16592 /* don't allow allocations above current base */
16593 if (mm->free_area_cache > base)
16594 @@ -322,7 +326,7 @@ static unsigned long hugetlb_get_unmappe
16596 mm->free_area_cache = base;
16600 /* make sure it can fit in the remaining address space */
16601 if (mm->free_area_cache < len)
16603 @@ -364,22 +368,26 @@ try_again:
16607 - * if hint left us with no space for the requested
16608 - * mapping then try again:
16610 - if (first_time) {
16611 - mm->free_area_cache = base;
16612 - largest_hole = 0;
16617 * A failed mmap() very likely causes application failure,
16618 * so fall back to the bottom-up function here. This scenario
16619 * can happen with large stack limits and large mmap()
16622 - mm->free_area_cache = TASK_UNMAPPED_BASE;
16624 +#ifdef CONFIG_PAX_SEGMEXEC
16625 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
16626 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
16630 + mm->mmap_base = TASK_UNMAPPED_BASE;
16632 +#ifdef CONFIG_PAX_RANDMMAP
16633 + if (mm->pax_flags & MF_PAX_RANDMMAP)
16634 + mm->mmap_base += mm->delta_mmap;
16637 + mm->free_area_cache = mm->mmap_base;
16638 mm->cached_hole_size = ~0UL;
16639 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
16640 len, pgoff, flags);
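Review bot: The fallback path temporarily overwrites `mm->mmap_base` before calling hugetlb_get_unmapped_area_bottomup(), and the reason is only visible by reading the earlier hunks, where the bottom-up search now starts from `mm->mmap_base` instead of `TASK_UNMAPPED_BASE`. Say that at the assignment, e.g. `/* bottomup starts at mm->mmap_base: point it at the bottom-up base for the fallback, restored below */`. Because this is per-mm state, the comment should also name the lock that keeps other threads from observing the temporary base. The function begins and ends outside this hunk.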
16641 @@ -387,6 +395,7 @@ fail:
16643 * Restore the topdown base:
16645 + mm->mmap_base = base;
16646 mm->free_area_cache = base;
16647 mm->cached_hole_size = ~0UL;
16649 @@ -400,10 +409,17 @@ hugetlb_get_unmapped_area(struct file *f
16650 struct hstate *h = hstate_file(file);
16651 struct mm_struct *mm = current->mm;
16652 struct vm_area_struct *vma;
16653 + unsigned long pax_task_size = TASK_SIZE;
16655 if (len & ~huge_page_mask(h))
16657 - if (len > TASK_SIZE)
16659 +#ifdef CONFIG_PAX_SEGMEXEC
16660 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
16661 + pax_task_size = SEGMEXEC_TASK_SIZE;
16664 + if (len > pax_task_size)
16667 if (flags & MAP_FIXED) {
16668 @@ -415,7 +431,7 @@ hugetlb_get_unmapped_area(struct file *f
16670 addr = ALIGN(addr, huge_page_size(h));
16671 vma = find_vma(mm, addr);
16672 - if (TASK_SIZE - len >= addr &&
16673 + if (pax_task_size - len >= addr &&
16674 (!vma || addr + len <= vma->vm_start))
16677 diff -urNp linux-2.6.33/arch/x86/mm/init_32.c linux-2.6.33/arch/x86/mm/init_32.c
16678 --- linux-2.6.33/arch/x86/mm/init_32.c 2010-02-24 13:52:17.000000000 -0500
16679 +++ linux-2.6.33/arch/x86/mm/init_32.c 2010-03-07 12:23:35.953604355 -0500
16680 @@ -72,36 +72,6 @@ static __init void *alloc_low_page(void)
16684 - * Creates a middle page table and puts a pointer to it in the
16685 - * given global directory entry. This only returns the gd entry
16686 - * in non-PAE compilation mode, since the middle layer is folded.
16688 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
16691 - pmd_t *pmd_table;
16693 -#ifdef CONFIG_X86_PAE
16694 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
16695 - if (after_bootmem)
16696 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
16698 - pmd_table = (pmd_t *)alloc_low_page();
16699 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
16700 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
16701 - pud = pud_offset(pgd, 0);
16702 - BUG_ON(pmd_table != pmd_offset(pud, 0));
16704 - return pmd_table;
16707 - pud = pud_offset(pgd, 0);
16708 - pmd_table = pmd_offset(pud, 0);
16710 - return pmd_table;
16714 * Create a page table and place a pointer to it in a middle page
16717 @@ -121,13 +91,28 @@ static pte_t * __init one_page_table_ini
16718 page_table = (pte_t *)alloc_low_page();
16720 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
16721 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16722 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
16724 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
16726 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
16729 return pte_offset_kernel(pmd, 0);
16732 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
16735 + pmd_t *pmd_table;
16737 + pud = pud_offset(pgd, 0);
16738 + pmd_table = pmd_offset(pud, 0);
16740 + return pmd_table;
16743 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
16745 int pgd_idx = pgd_index(vaddr);
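Review bot: The re-added one_md_table_init() has lost both its comment and the CONFIG_X86_PAE branch that allocated a PMD page when the PGD entry was not present (removed in the hunk at -72,36); it now returns `pmd_offset(pud, 0)` unconditionally. That is only correct if every PGD entry it is called on is already populated, which presumably is arranged elsewhere in the patch. Document the precondition above the function, e.g. `/* PMDs are expected to be set up before this runs; no allocation is done here */`, so a later caller does not pass an empty entry.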
16746 @@ -201,6 +186,7 @@ page_table_range_init(unsigned long star
16747 int pgd_idx, pmd_idx;
16748 unsigned long vaddr;
16754 @@ -210,8 +196,13 @@ page_table_range_init(unsigned long star
16755 pgd = pgd_base + pgd_idx;
16757 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
16758 - pmd = one_md_table_init(pgd);
16759 - pmd = pmd + pmd_index(vaddr);
16760 + pud = pud_offset(pgd, vaddr);
16761 + pmd = pmd_offset(pud, vaddr);
16763 +#ifdef CONFIG_X86_PAE
16764 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
16767 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
16768 pmd++, pmd_idx++) {
16769 pte = page_table_kmap_check(one_page_table_init(pmd),
16770 @@ -223,11 +214,20 @@ page_table_range_init(unsigned long star
16774 -static inline int is_kernel_text(unsigned long addr)
16775 +static inline int is_kernel_text(unsigned long start, unsigned long end)
16777 - if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
16780 + if ((start > ktla_ktva((unsigned long)_etext) ||
16781 + end <= ktla_ktva((unsigned long)_stext)) &&
16782 + (start > ktla_ktva((unsigned long)_einittext) ||
16783 + end <= ktla_ktva((unsigned long)_sinittext)) &&
16785 +#ifdef CONFIG_ACPI_SLEEP
16786 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
16789 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
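Review bot: is_kernel_text() now decides which ranges of the direct mapping keep executable protections, but its conditions use unexplained constants (`0x4000` after `acpi_wakeup_address`, `0xc0000`..`0xfffff`) and cover more than kernel text. Add a comment listing each range and why it must stay executable, e.g. `/* executable ranges: [_stext,_etext], [_sinittext,_einittext], ACPI wakeup code, 0xc0000-0xfffff (presumably the legacy BIOS/ROM window) */`, and consider named constants for the two literals. The upper bounds are tested with `start > X` rather than `start >= X`, so a range starting exactly at `_etext` is still treated as text; if that is deliberate, say so. The `return` lines are missing from this page, so which result maps to which branch should be confirmed in the full patch.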
16795 @@ -243,9 +243,10 @@ kernel_physical_mapping_init(unsigned lo
16796 int use_pse = page_size_mask == (1<<PG_LEVEL_2M);
16797 unsigned long start_pfn, end_pfn;
16798 pgd_t *pgd_base = swapper_pg_dir;
16799 - int pgd_idx, pmd_idx, pte_ofs;
16800 + unsigned int pgd_idx, pmd_idx, pte_ofs;
16806 unsigned pages_2m, pages_4k;
16807 @@ -278,8 +279,13 @@ repeat:
16809 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
16810 pgd = pgd_base + pgd_idx;
16811 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
16812 - pmd = one_md_table_init(pgd);
16813 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
16814 + pud = pud_offset(pgd, 0);
16815 + pmd = pmd_offset(pud, 0);
16817 +#ifdef CONFIG_X86_PAE
16818 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
16821 if (pfn >= end_pfn)
16823 @@ -291,14 +297,13 @@ repeat:
16825 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
16826 pmd++, pmd_idx++) {
16827 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
16828 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
16831 * Map with big pages if possible, otherwise
16832 * create normal page tables:
16835 - unsigned int addr2;
16836 pgprot_t prot = PAGE_KERNEL_LARGE;
16838 * first pass will use the same initial
16839 @@ -308,11 +313,7 @@ repeat:
16840 __pgprot(PTE_IDENT_ATTR |
16843 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
16844 - PAGE_OFFSET + PAGE_SIZE-1;
16846 - if (is_kernel_text(addr) ||
16847 - is_kernel_text(addr2))
16848 + if (is_kernel_text(address, address + PMD_SIZE))
16849 prot = PAGE_KERNEL_LARGE_EXEC;
16852 @@ -329,7 +330,7 @@ repeat:
16853 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
16855 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
16856 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
16857 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
16858 pgprot_t prot = PAGE_KERNEL;
16860 * first pass will use the same initial
16861 @@ -337,7 +338,7 @@ repeat:
16863 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
16865 - if (is_kernel_text(addr))
16866 + if (is_kernel_text(address, address + PAGE_SIZE))
16867 prot = PAGE_KERNEL_EXEC;
16870 @@ -489,7 +490,7 @@ void __init native_pagetable_setup_start
16872 pud = pud_offset(pgd, va);
16873 pmd = pmd_offset(pud, va);
16874 - if (!pmd_present(*pmd))
16875 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
16878 pte = pte_offset_kernel(pmd, va);
16879 @@ -541,9 +542,7 @@ void __init early_ioremap_page_table_ran
16881 static void __init pagetable_init(void)
16883 - pgd_t *pgd_base = swapper_pg_dir;
16885 - permanent_kmaps_init(pgd_base);
16886 + permanent_kmaps_init(swapper_pg_dir);
16889 #ifdef CONFIG_ACPI_SLEEP
16890 @@ -551,12 +550,12 @@ static void __init pagetable_init(void)
16891 * ACPI suspend needs this for resume, because things like the intel-agp
16892 * driver might have split up a kernel 4MB mapping.
16894 -char swsusp_pg_dir[PAGE_SIZE]
16895 +pgd_t swsusp_pg_dir[PTRS_PER_PGD]
16896 __attribute__ ((aligned(PAGE_SIZE)));
16898 static inline void save_pg_dir(void)
16900 - memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
16901 + clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
16903 #else /* !CONFIG_ACPI_SLEEP */
16904 static inline void save_pg_dir(void)
16905 @@ -588,7 +587,7 @@ void zap_low_mappings(bool early)
16909 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
16910 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
16911 EXPORT_SYMBOL_GPL(__supported_pte_mask);
16913 /* user-defined highmem size */
16914 @@ -881,7 +880,7 @@ void __init mem_init(void)
16915 set_highmem_pages_init();
16917 codesize = (unsigned long) &_etext - (unsigned long) &_text;
16918 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
16919 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
16920 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
16922 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
16923 @@ -922,10 +921,10 @@ void __init mem_init(void)
16924 ((unsigned long)&__init_end -
16925 (unsigned long)&__init_begin) >> 10,
16927 - (unsigned long)&_etext, (unsigned long)&_edata,
16928 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
16929 + (unsigned long)&_sdata, (unsigned long)&_edata,
16930 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
16932 - (unsigned long)&_text, (unsigned long)&_etext,
16933 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
16934 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
16937 @@ -1006,6 +1005,7 @@ void set_kernel_text_rw(void)
16938 if (!kernel_set_to_readonly)
16941 + start = ktla_ktva(start);
16942 pr_debug("Set kernel text: %lx - %lx for read write\n",
16943 start, start+size);
16945 @@ -1020,6 +1020,7 @@ void set_kernel_text_ro(void)
16946 if (!kernel_set_to_readonly)
16949 + start = ktla_ktva(start);
16950 pr_debug("Set kernel text: %lx - %lx for read only\n",
16951 start, start+size);
16953 @@ -1031,6 +1032,7 @@ void mark_rodata_ro(void)
16954 unsigned long start = PFN_ALIGN(_text);
16955 unsigned long size = PFN_ALIGN(_etext) - start;
16957 + start = ktla_ktva(start);
16958 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
16959 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
16961 diff -urNp linux-2.6.33/arch/x86/mm/init_64.c linux-2.6.33/arch/x86/mm/init_64.c
16962 --- linux-2.6.33/arch/x86/mm/init_64.c 2010-02-24 13:52:17.000000000 -0500
16963 +++ linux-2.6.33/arch/x86/mm/init_64.c 2010-03-07 12:23:35.953604355 -0500
16964 @@ -73,7 +73,7 @@ early_param("gbpages", parse_direct_gbpa
16965 * around without checking the pgd every time.
16968 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
16969 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
16970 EXPORT_SYMBOL_GPL(__supported_pte_mask);
16972 int force_personality32;
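Review bot: The initial `__supported_pte_mask` on 64-bit now excludes `_PAGE_NX` (`~(_PAGE_NX | _PAGE_IOMAP)` instead of `~_PAGE_IOMAP`), so NX enforcement depends on later code setting the bit, and the variable is simultaneously moved to `__read_only`. Neither the code that enables the bit nor how it writes a read-only variable is visible in this hunk; if that path is skipped, the `__supported_pte_mask & _PAGE_NX` tests added in fault.c silently evaluate false. Add a comment naming where the bit is set, e.g. `/* _PAGE_NX is added by <NX setup routine> once the CPU feature is confirmed */`. The 32-bit definition in init_32.c gets the same `__read_only` change.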
16973 @@ -164,7 +164,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
16974 pmd = fill_pmd(pud, vaddr);
16975 pte = fill_pte(pmd, vaddr);
16977 + pax_open_kernel();
16978 set_pte(pte, new_pte);
16979 + pax_close_kernel();
16982 * It's enough to flush this one mapping.
16983 @@ -223,14 +225,12 @@ static void __init __init_extra_mapping(
16984 pgd = pgd_offset_k((unsigned long)__va(phys));
16985 if (pgd_none(*pgd)) {
16986 pud = (pud_t *) spp_getpage();
16987 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
16989 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
16991 pud = pud_offset(pgd, (unsigned long)__va(phys));
16992 if (pud_none(*pud)) {
16993 pmd = (pmd_t *) spp_getpage();
16994 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
16996 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
16998 pmd = pmd_offset(pud, phys);
16999 BUG_ON(!pmd_none(*pmd));
17000 @@ -882,8 +882,8 @@ int kern_addr_valid(unsigned long addr)
17001 static struct vm_area_struct gate_vma = {
17002 .vm_start = VSYSCALL_START,
17003 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
17004 - .vm_page_prot = PAGE_READONLY_EXEC,
17005 - .vm_flags = VM_READ | VM_EXEC
17006 + .vm_page_prot = PAGE_READONLY,
17007 + .vm_flags = VM_READ
17010 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
17011 @@ -917,7 +917,7 @@ int in_gate_area_no_task(unsigned long a
17013 const char *arch_vma_name(struct vm_area_struct *vma)
17015 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
17016 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
17018 if (vma == &gate_vma)
17019 return "[vsyscall]";
17020 diff -urNp linux-2.6.33/arch/x86/mm/init.c linux-2.6.33/arch/x86/mm/init.c
17021 --- linux-2.6.33/arch/x86/mm/init.c 2010-02-24 13:52:17.000000000 -0500
17022 +++ linux-2.6.33/arch/x86/mm/init.c 2010-03-07 12:23:35.953604355 -0500
17023 @@ -327,7 +327,13 @@ unsigned long __init_refok init_memory_m
17025 int devmem_is_allowed(unsigned long pagenr)
17027 - if (pagenr <= 256)
17030 +#ifdef CONFIG_VM86
17031 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
17034 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
17036 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
17038 @@ -375,6 +381,87 @@ void free_init_pages(char *what, unsigne
17040 void free_initmem(void)
17043 +#ifdef CONFIG_PAX_KERNEXEC
17048 +#ifdef CONFIG_X86_32
17049 + /* PaX: limit KERNEL_CS to actual size */
17050 + unsigned long addr, limit;
17051 + struct desc_struct d;
17054 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
17055 + limit = (limit - 1UL) >> PAGE_SHIFT;
17057 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
17058 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
17059 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
17060 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
17063 + /* PaX: make KERNEL_CS read-only */
17064 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
17065 + if (!paravirt_enabled())
17066 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
17068 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
17069 + pgd = pgd_offset_k(addr);
17070 + pud = pud_offset(pgd, addr);
17071 + pmd = pmd_offset(pud, addr);
17072 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
17075 +#ifdef CONFIG_X86_PAE
17076 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
17077 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
17078 + pgd = pgd_offset_k(addr);
17079 + pud = pud_offset(pgd, addr);
17080 + pmd = pmd_offset(pud, addr);
17081 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
17085 +#ifdef CONFIG_MODULES
17086 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
17090 + unsigned long addr, end;
17092 + /* PaX: make kernel code/rodata read-only, rest non-executable */
17093 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
17094 + pgd = pgd_offset_k(addr);
17095 + pud = pud_offset(pgd, addr);
17096 + pmd = pmd_offset(pud, addr);
17097 + if (!pmd_present(*pmd))
17099 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
17100 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
17102 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
17105 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
17106 + end = addr + KERNEL_IMAGE_SIZE;
17107 + for (; addr < end; addr += PMD_SIZE) {
17108 + pgd = pgd_offset_k(addr);
17109 + pud = pud_offset(pgd, addr);
17110 + pmd = pmd_offset(pud, addr);
17111 + if (!pmd_present(*pmd))
17113 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
17114 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
17116 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
17123 free_init_pages("unused kernel memory",
17124 (unsigned long)(&__init_begin),
17125 (unsigned long)(&__init_end));
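Review bot: The `memset` added in the CONFIG_X86_32 branch takes `__LOAD_PHYSICAL_ADDR + PAGE_OFFSET` as its destination with no pointer cast, which, as these macros are ordinarily defined, is an integer expression and will at least draw a compiler diagnostic; `memset((void *)(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET), POISON_FREE_INITMEM, PAGE_SIZE);` makes the intent explicit. The `pgd_offset_k`/`pud_offset`/`pmd_offset` walk followed by a `set_pmd` is also repeated in four loops in this hunk; a small static helper taking the address range and the bits to clear or set would keep the read-only and no-execute passes from drifting apart. A one-line comment saying which page the poisoned `PAGE_SIZE` region is would help too, since the existing `/* PaX: limit KERNEL_CS to actual size */` comment does not cover it. Several preprocessor and brace lines of this hunk are not visible in this listing, so the branch structure is inferred.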
17126 diff -urNp linux-2.6.33/arch/x86/mm/iomap_32.c linux-2.6.33/arch/x86/mm/iomap_32.c
17127 --- linux-2.6.33/arch/x86/mm/iomap_32.c 2010-02-24 13:52:17.000000000 -0500
17128 +++ linux-2.6.33/arch/x86/mm/iomap_32.c 2010-03-07 12:23:35.953604355 -0500
17129 @@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long
17130 debug_kmap_atomic(type);
17131 idx = type + KM_TYPE_NR * smp_processor_id();
17132 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
17134 + pax_open_kernel();
17135 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
17136 + pax_close_kernel();
17138 arch_flush_lazy_mmu_mode();
17140 return (void *)vaddr;
17141 diff -urNp linux-2.6.33/arch/x86/mm/ioremap.c linux-2.6.33/arch/x86/mm/ioremap.c
17142 --- linux-2.6.33/arch/x86/mm/ioremap.c 2010-02-24 13:52:17.000000000 -0500
17143 +++ linux-2.6.33/arch/x86/mm/ioremap.c 2010-03-07 12:23:35.953604355 -0500
17144 @@ -41,8 +41,8 @@ int page_is_ram(unsigned long pagenr)
17145 * Second special case: Some BIOSen report the PC BIOS
17146 * area (640->1Mb) as ram even though it is not.
17148 - if (pagenr >= (BIOS_BEGIN >> PAGE_SHIFT) &&
17149 - pagenr < (BIOS_END >> PAGE_SHIFT))
17150 + if (pagenr >= (ISA_START_ADDRESS >> PAGE_SHIFT) &&
17151 + pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
17154 for (i = 0; i < e820.nr_map; i++) {
17155 @@ -137,13 +137,10 @@ static void __iomem *__ioremap_caller(re
17157 * Don't allow anybody to remap normal RAM that we're using..
17159 - for (pfn = phys_addr >> PAGE_SHIFT;
17160 - (pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK);
17163 + for (pfn = phys_addr >> PAGE_SHIFT; ((resource_size_t)pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK); pfn++) {
17164 int is_ram = page_is_ram(pfn);
17166 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
17167 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
17169 WARN_ON_ONCE(is_ram);
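Review bot: The new `pfn >= 0x100` test in the RAM-remap check uses a bare page-frame number, while the first hunk of this file spells the same kind of boundary as `ISA_END_ADDRESS >> PAGE_SHIFT`. If 0x100 is meant to be the first frame above the 1 MB ISA range, writing `pfn >= (ISA_END_ADDRESS >> PAGE_SHIFT)` keeps the two checks in step and documents where the number comes from. A short comment on why reserved pages stay remappable only below that boundary would also help, because the condition now extends the refusal to every valid RAM page above it, reserved or not. The loop body continues outside the hunk.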
17171 @@ -383,7 +380,7 @@ static int __init early_ioremap_debug_se
17172 early_param("early_ioremap_debug", early_ioremap_debug_setup);
17174 static __initdata int after_paging_init;
17175 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
17176 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
17178 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
17180 @@ -415,8 +412,7 @@ void __init early_ioremap_init(void)
17181 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
17183 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
17184 - memset(bm_pte, 0, sizeof(bm_pte));
17185 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
17186 + pmd_populate_user(&init_mm, pmd, bm_pte);
17189 * The boot-ioremap range spans multiple pmds, for which
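Review bot: Nothing at the `pmd_populate_user(&init_mm, pmd, bm_pte)` call says why a user-variant populate is used for a fixmap page table that belongs to `init_mm`, or why the `memset` of `bm_pte` could go. From the previous hunk `bm_pte` is now `__read_only`, so presumably the clear was dropped because the static array starts zeroed and is no longer meant to be written directly; a comment such as `/* bm_pte is __read_only and zero-initialised; no memset needed */` would record that. The choice of `pmd_populate_user` deserves a second comment line naming the page-table flags it is relied on for, since that helper is not defined in the visible part of the patch.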
17190 diff -urNp linux-2.6.33/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.33/arch/x86/mm/kmemcheck/kmemcheck.c
17191 --- linux-2.6.33/arch/x86/mm/kmemcheck/kmemcheck.c 2010-02-24 13:52:17.000000000 -0500
17192 +++ linux-2.6.33/arch/x86/mm/kmemcheck/kmemcheck.c 2010-03-07 12:23:35.953604355 -0500
17193 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
17194 * memory (e.g. tracked pages)? For now, we need this to avoid
17195 * invoking kmemcheck for PnP BIOS calls.
17197 - if (regs->flags & X86_VM_MASK)
17198 + if (v8086_mode(regs))
17200 - if (regs->cs != __KERNEL_CS)
17201 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
17204 pte = kmemcheck_pte_lookup(address);
17205 diff -urNp linux-2.6.33/arch/x86/mm/mmap.c linux-2.6.33/arch/x86/mm/mmap.c
17206 --- linux-2.6.33/arch/x86/mm/mmap.c 2010-02-24 13:52:17.000000000 -0500
17207 +++ linux-2.6.33/arch/x86/mm/mmap.c 2010-03-07 12:23:35.957616985 -0500
17208 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
17209 * Leave an at least ~128 MB hole with possible stack randomization.
17211 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
17212 -#define MAX_GAP (TASK_SIZE/6*5)
17213 +#define MAX_GAP (pax_task_size/6*5)
17216 * True on X86_32 or when emulating IA32 on X86_64
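Review bot: `MAX_GAP` now expands to `(pax_task_size/6*5)`, so it only compiles where a local named `pax_task_size` happens to be in scope; the next hunk adds that local to `mmap_base()`, but nothing at the macro says so. Making the dependency explicit, `#define MAX_GAP(size) ((size)/6*5)` with `else if (gap > MAX_GAP(pax_task_size))` at the use site, avoids the silent capture and a confusing error if the macro is ever used elsewhere. At minimum a comment above the define should name the variable it expects.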
17217 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
17218 return rnd << PAGE_SHIFT;
17221 -static unsigned long mmap_base(void)
17222 +static unsigned long mmap_base(struct mm_struct *mm)
17224 unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
17225 + unsigned long pax_task_size = TASK_SIZE;
17227 +#ifdef CONFIG_PAX_SEGMEXEC
17228 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17229 + pax_task_size = SEGMEXEC_TASK_SIZE;
17234 else if (gap > MAX_GAP)
17237 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
17238 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
17242 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
17243 * does, but not when emulating X86_32
17245 -static unsigned long mmap_legacy_base(void)
17246 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
17248 - if (mmap_is_ia32())
17249 + if (mmap_is_ia32()) {
17251 +#ifdef CONFIG_PAX_SEGMEXEC
17252 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17253 + return SEGMEXEC_TASK_UNMAPPED_BASE;
17257 return TASK_UNMAPPED_BASE;
17260 return TASK_UNMAPPED_BASE + mmap_rnd();
17263 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
17264 void arch_pick_mmap_layout(struct mm_struct *mm)
17266 if (mmap_is_legacy()) {
17267 - mm->mmap_base = mmap_legacy_base();
17268 + mm->mmap_base = mmap_legacy_base(mm);
17270 +#ifdef CONFIG_PAX_RANDMMAP
17271 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17272 + mm->mmap_base += mm->delta_mmap;
17275 mm->get_unmapped_area = arch_get_unmapped_area;
17276 mm->unmap_area = arch_unmap_area;
17278 - mm->mmap_base = mmap_base();
17279 + mm->mmap_base = mmap_base(mm);
17281 +#ifdef CONFIG_PAX_RANDMMAP
17282 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17283 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
17286 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
17287 mm->unmap_area = arch_unmap_area_topdown;
17289 diff -urNp linux-2.6.33/arch/x86/mm/numa_32.c linux-2.6.33/arch/x86/mm/numa_32.c
17290 --- linux-2.6.33/arch/x86/mm/numa_32.c 2010-02-24 13:52:17.000000000 -0500
17291 +++ linux-2.6.33/arch/x86/mm/numa_32.c 2010-03-07 12:23:35.957616985 -0500
17292 @@ -98,7 +98,6 @@ unsigned long node_memmap_size_bytes(int
17296 -extern unsigned long find_max_low_pfn(void);
17297 extern unsigned long highend_pfn, highstart_pfn;
17299 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
17300 diff -urNp linux-2.6.33/arch/x86/mm/pageattr.c linux-2.6.33/arch/x86/mm/pageattr.c
17301 --- linux-2.6.33/arch/x86/mm/pageattr.c 2010-02-24 13:52:17.000000000 -0500
17302 +++ linux-2.6.33/arch/x86/mm/pageattr.c 2010-03-07 12:23:35.957616985 -0500
17303 @@ -268,9 +268,10 @@ static inline pgprot_t static_protection
17304 * Does not cover __inittext since that is gone later on. On
17305 * 64bit we do not enforce !NX on the low mapping
17307 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
17308 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
17309 pgprot_val(forbidden) |= _PAGE_NX;
17311 +#ifdef CONFIG_DEBUG_RODATA
17313 * The .rodata section needs to be read-only. Using the pfn
17314 * catches all aliases.
17315 @@ -278,6 +279,7 @@ static inline pgprot_t static_protection
17316 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
17317 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
17318 pgprot_val(forbidden) |= _PAGE_RW;
17321 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
17323 @@ -347,7 +349,10 @@ EXPORT_SYMBOL_GPL(lookup_address);
17324 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
17326 /* change init_mm */
17327 + pax_open_kernel();
17328 set_pte_atomic(kpte, pte);
17329 + pax_close_kernel();
17331 #ifdef CONFIG_X86_32
17332 if (!SHARED_KERNEL_PMD) {
17334 diff -urNp linux-2.6.33/arch/x86/mm/pageattr-test.c linux-2.6.33/arch/x86/mm/pageattr-test.c
17335 --- linux-2.6.33/arch/x86/mm/pageattr-test.c 2010-02-24 13:52:17.000000000 -0500
17336 +++ linux-2.6.33/arch/x86/mm/pageattr-test.c 2010-03-07 12:23:35.957616985 -0500
17337 @@ -36,7 +36,7 @@ enum {
17339 static int pte_testbit(pte_t pte)
17341 - return pte_flags(pte) & _PAGE_UNUSED1;
17342 + return pte_flags(pte) & _PAGE_CPA_TEST;
17345 struct split_state {
17346 diff -urNp linux-2.6.33/arch/x86/mm/pat.c linux-2.6.33/arch/x86/mm/pat.c
17347 --- linux-2.6.33/arch/x86/mm/pat.c 2010-02-24 13:52:17.000000000 -0500
17348 +++ linux-2.6.33/arch/x86/mm/pat.c 2010-03-07 12:23:35.957616985 -0500
17349 @@ -259,7 +259,7 @@ chk_conflict(struct memtype *new, struct
17352 printk(KERN_INFO "%s:%d conflicting memory types "
17353 - "%Lx-%Lx %s<->%s\n", current->comm, current->pid, new->start,
17354 + "%Lx-%Lx %s<->%s\n", current->comm, task_pid_nr(current), new->start,
17355 new->end, cattr_name(new->type), cattr_name(entry->type));
17358 @@ -555,7 +555,7 @@ unlock_ret:
17361 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
17362 - current->comm, current->pid, start, end);
17363 + current->comm, task_pid_nr(current), start, end);
17366 dprintk("free_memtype request 0x%Lx-0x%Lx\n", start, end);
17367 @@ -750,7 +750,7 @@ int kernel_map_sync_memtype(u64 base, un
17369 "%s:%d ioremap_change_attr failed %s "
17371 - current->comm, current->pid,
17372 + current->comm, task_pid_nr(current),
17374 base, (unsigned long long)(base + size));
17376 @@ -808,7 +808,7 @@ static int reserve_pfn_range(u64 paddr,
17377 free_memtype(paddr, paddr + size);
17378 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
17379 " for %Lx-%Lx, got %s\n",
17380 - current->comm, current->pid,
17381 + current->comm, task_pid_nr(current),
17382 cattr_name(want_flags),
17383 (unsigned long long)paddr,
17384 (unsigned long long)(paddr + size),
17385 diff -urNp linux-2.6.33/arch/x86/mm/pgtable_32.c linux-2.6.33/arch/x86/mm/pgtable_32.c
17386 --- linux-2.6.33/arch/x86/mm/pgtable_32.c 2010-02-24 13:52:17.000000000 -0500
17387 +++ linux-2.6.33/arch/x86/mm/pgtable_32.c 2010-03-07 12:23:35.957616985 -0500
17388 @@ -49,10 +49,13 @@ void set_pte_vaddr(unsigned long vaddr,
17391 pte = pte_offset_kernel(pmd, vaddr);
17393 + pax_open_kernel();
17394 if (pte_val(pteval))
17395 set_pte_at(&init_mm, vaddr, pte, pteval);
17397 pte_clear(&init_mm, vaddr, pte);
17398 + pax_close_kernel();
17401 * It's enough to flush this one mapping.
17402 diff -urNp linux-2.6.33/arch/x86/mm/tlb.c linux-2.6.33/arch/x86/mm/tlb.c
17403 --- linux-2.6.33/arch/x86/mm/tlb.c 2010-02-24 13:52:17.000000000 -0500
17404 +++ linux-2.6.33/arch/x86/mm/tlb.c 2010-03-07 12:23:35.957616985 -0500
17406 #include <asm/uv/uv.h>
17408 DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate)
17409 - = { &init_mm, 0, };
17410 + = { &init_mm, 0 };
17413 * Smarter SMP flushing macros.
17414 diff -urNp linux-2.6.33/arch/x86/oprofile/backtrace.c linux-2.6.33/arch/x86/oprofile/backtrace.c
17415 --- linux-2.6.33/arch/x86/oprofile/backtrace.c 2010-02-24 13:52:17.000000000 -0500
17416 +++ linux-2.6.33/arch/x86/oprofile/backtrace.c 2010-03-07 12:23:35.957616985 -0500
17417 @@ -37,7 +37,7 @@ static void backtrace_address(void *data
17418 unsigned int *depth = data;
17421 - oprofile_add_trace(addr);
17422 + oprofile_add_trace(ktla_ktva(addr));
17425 static struct stacktrace_ops backtrace_ops = {
17426 @@ -58,7 +58,7 @@ static struct frame_head *dump_user_back
17427 struct frame_head bufhead[2];
17429 /* Also check accessibility of one struct frame_head beyond */
17430 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
17431 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
17433 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
17435 @@ -78,7 +78,7 @@ x86_backtrace(struct pt_regs * const reg
17437 struct frame_head *head = (struct frame_head *)frame_pointer(regs);
17439 - if (!user_mode_vm(regs)) {
17440 + if (!user_mode(regs)) {
17441 unsigned long stack = kernel_stack_pointer(regs);
17443 dump_trace(NULL, regs, (unsigned long *)stack, 0,
17444 diff -urNp linux-2.6.33/arch/x86/oprofile/op_model_p4.c linux-2.6.33/arch/x86/oprofile/op_model_p4.c
17445 --- linux-2.6.33/arch/x86/oprofile/op_model_p4.c 2010-02-24 13:52:17.000000000 -0500
17446 +++ linux-2.6.33/arch/x86/oprofile/op_model_p4.c 2010-03-07 12:23:35.957616985 -0500
17447 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
17451 -static int inline addr_increment(void)
17452 +static inline int addr_increment(void)
17455 return smp_num_siblings == 2 ? 2 : 1;
17456 diff -urNp linux-2.6.33/arch/x86/pci/common.c linux-2.6.33/arch/x86/pci/common.c
17457 --- linux-2.6.33/arch/x86/pci/common.c 2010-02-24 13:52:17.000000000 -0500
17458 +++ linux-2.6.33/arch/x86/pci/common.c 2010-03-07 12:23:35.957616985 -0500
17459 @@ -31,8 +31,8 @@ int noioapicreroute = 1;
17460 int pcibios_last_bus = -1;
17461 unsigned long pirq_table_addr;
17462 struct pci_bus *pci_root_bus;
17463 -struct pci_raw_ops *raw_pci_ops;
17464 -struct pci_raw_ops *raw_pci_ext_ops;
17465 +const struct pci_raw_ops *raw_pci_ops;
17466 +const struct pci_raw_ops *raw_pci_ext_ops;
17468 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
17469 int reg, int len, u32 *val)
17470 @@ -370,7 +370,7 @@ static const struct dmi_system_id __devi
17471 DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
17475 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
17478 void __init dmi_check_pciprobe(void)
17479 diff -urNp linux-2.6.33/arch/x86/pci/direct.c linux-2.6.33/arch/x86/pci/direct.c
17480 --- linux-2.6.33/arch/x86/pci/direct.c 2010-02-24 13:52:17.000000000 -0500
17481 +++ linux-2.6.33/arch/x86/pci/direct.c 2010-03-07 12:23:35.957616985 -0500
17482 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
17484 #undef PCI_CONF1_ADDRESS
17486 -struct pci_raw_ops pci_direct_conf1 = {
17487 +const struct pci_raw_ops pci_direct_conf1 = {
17488 .read = pci_conf1_read,
17489 .write = pci_conf1_write,
17491 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
17493 #undef PCI_CONF2_ADDRESS
17495 -struct pci_raw_ops pci_direct_conf2 = {
17496 +const struct pci_raw_ops pci_direct_conf2 = {
17497 .read = pci_conf2_read,
17498 .write = pci_conf2_write,
17500 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
17501 * This should be close to trivial, but it isn't, because there are buggy
17502 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
17504 -static int __init pci_sanity_check(struct pci_raw_ops *o)
17505 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
17509 diff -urNp linux-2.6.33/arch/x86/pci/fixup.c linux-2.6.33/arch/x86/pci/fixup.c
17510 --- linux-2.6.33/arch/x86/pci/fixup.c 2010-02-24 13:52:17.000000000 -0500
17511 +++ linux-2.6.33/arch/x86/pci/fixup.c 2010-03-07 12:23:35.957616985 -0500
17512 @@ -364,7 +364,7 @@ static const struct dmi_system_id __devi
17513 DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
17517 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
17521 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
17522 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
17526 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
17529 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
17530 diff -urNp linux-2.6.33/arch/x86/pci/irq.c linux-2.6.33/arch/x86/pci/irq.c
17531 --- linux-2.6.33/arch/x86/pci/irq.c 2010-02-24 13:52:17.000000000 -0500
17532 +++ linux-2.6.33/arch/x86/pci/irq.c 2010-03-07 12:23:35.957616985 -0500
17533 @@ -543,7 +543,7 @@ static __init int intel_router_probe(str
17534 static struct pci_device_id __initdata pirq_440gx[] = {
17535 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
17536 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
17538 + { PCI_DEVICE(0, 0) }
17541 /* 440GX has a proprietary PIRQ router -- don't use it */
17542 @@ -1107,7 +1107,7 @@ static struct dmi_system_id __initdata p
17543 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
17547 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
17550 int __init pcibios_irq_init(void)
17551 diff -urNp linux-2.6.33/arch/x86/pci/mmconfig_32.c linux-2.6.33/arch/x86/pci/mmconfig_32.c
17552 --- linux-2.6.33/arch/x86/pci/mmconfig_32.c 2010-02-24 13:52:17.000000000 -0500
17553 +++ linux-2.6.33/arch/x86/pci/mmconfig_32.c 2010-03-07 12:23:35.957616985 -0500
17554 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
17558 -static struct pci_raw_ops pci_mmcfg = {
17559 +static const struct pci_raw_ops pci_mmcfg = {
17560 .read = pci_mmcfg_read,
17561 .write = pci_mmcfg_write,
17563 diff -urNp linux-2.6.33/arch/x86/pci/mmconfig_64.c linux-2.6.33/arch/x86/pci/mmconfig_64.c
17564 --- linux-2.6.33/arch/x86/pci/mmconfig_64.c 2010-02-24 13:52:17.000000000 -0500
17565 +++ linux-2.6.33/arch/x86/pci/mmconfig_64.c 2010-03-07 12:23:35.957616985 -0500
17566 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
17570 -static struct pci_raw_ops pci_mmcfg = {
17571 +static const struct pci_raw_ops pci_mmcfg = {
17572 .read = pci_mmcfg_read,
17573 .write = pci_mmcfg_write,
17575 diff -urNp linux-2.6.33/arch/x86/pci/numaq_32.c linux-2.6.33/arch/x86/pci/numaq_32.c
17576 --- linux-2.6.33/arch/x86/pci/numaq_32.c 2010-02-24 13:52:17.000000000 -0500
17577 +++ linux-2.6.33/arch/x86/pci/numaq_32.c 2010-03-07 12:23:35.957616985 -0500
17578 @@ -112,7 +112,7 @@ static int pci_conf1_mq_write(unsigned i
17580 #undef PCI_CONF1_MQ_ADDRESS
17582 -static struct pci_raw_ops pci_direct_conf1_mq = {
17583 +static const struct pci_raw_ops pci_direct_conf1_mq = {
17584 .read = pci_conf1_mq_read,
17585 .write = pci_conf1_mq_write
17587 diff -urNp linux-2.6.33/arch/x86/pci/olpc.c linux-2.6.33/arch/x86/pci/olpc.c
17588 --- linux-2.6.33/arch/x86/pci/olpc.c 2010-02-24 13:52:17.000000000 -0500
17589 +++ linux-2.6.33/arch/x86/pci/olpc.c 2010-03-07 12:23:35.957616985 -0500
17590 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
17594 -static struct pci_raw_ops pci_olpc_conf = {
17595 +static const struct pci_raw_ops pci_olpc_conf = {
17596 .read = pci_olpc_read,
17597 .write = pci_olpc_write,
17599 diff -urNp linux-2.6.33/arch/x86/pci/pcbios.c linux-2.6.33/arch/x86/pci/pcbios.c
17600 --- linux-2.6.33/arch/x86/pci/pcbios.c 2010-02-24 13:52:17.000000000 -0500
17601 +++ linux-2.6.33/arch/x86/pci/pcbios.c 2010-03-07 12:23:35.957616985 -0500
17602 @@ -56,50 +56,93 @@ union bios32 {
17604 unsigned long address;
17605 unsigned short segment;
17606 -} bios32_indirect = { 0, __KERNEL_CS };
17607 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
17610 * Returns the entry point for the given service, NULL on error
17613 -static unsigned long bios32_service(unsigned long service)
17614 +static unsigned long __devinit bios32_service(unsigned long service)
17616 unsigned char return_code; /* %al */
17617 unsigned long address; /* %ebx */
17618 unsigned long length; /* %ecx */
17619 unsigned long entry; /* %edx */
17620 unsigned long flags;
17621 + struct desc_struct d, *gdt;
17623 local_irq_save(flags);
17624 - __asm__("lcall *(%%edi); cld"
17626 + gdt = get_cpu_gdt_table(smp_processor_id());
17628 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
17629 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
17630 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
17631 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
17633 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
17634 : "=a" (return_code),
17640 - "D" (&bios32_indirect));
17641 + "D" (&bios32_indirect),
17642 + "r"(__PCIBIOS_DS)
17645 + pax_open_kernel();
17646 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
17647 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
17648 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
17649 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
17650 + pax_close_kernel();
17652 local_irq_restore(flags);
17654 switch (return_code) {
17656 - return address + entry;
17657 - case 0x80: /* Not present */
17658 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
17660 - default: /* Shouldn't happen */
17661 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
17662 - service, return_code);
17665 + unsigned char flags;
17667 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
17668 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
17669 + printk(KERN_WARNING "bios32_service: not valid\n");
17672 + address = address + PAGE_OFFSET;
17673 + length += 16UL; /* some BIOSs underreport this... */
17675 + if (length >= 64*1024*1024) {
17676 + length >>= PAGE_SHIFT;
17680 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
17681 + gdt = get_cpu_gdt_table(cpu);
17682 + pack_descriptor(&d, address, length, 0x9b, flags);
17683 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
17684 + pack_descriptor(&d, address, length, 0x93, flags);
17685 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
17689 + case 0x80: /* Not present */
17690 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
17692 + default: /* Shouldn't happen */
17693 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
17694 + service, return_code);
17700 unsigned long address;
17701 unsigned short segment;
17702 -} pci_indirect = { 0, __KERNEL_CS };
17703 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
17705 -static int pci_bios_present;
17706 +static int pci_bios_present __read_only;
17708 static int __devinit check_pcibios(void)
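Review bot: The `unsigned char flags;` declared inside what appears to be the success case of `switch (return_code)` shadows the function-level `unsigned long flags` that holds the saved interrupt state for `local_irq_save`/`local_irq_restore`. It is harmless as written because `local_irq_restore(flags)` runs before the switch, but any later code in that case block that means the saved IRQ state would silently get the descriptor flags instead; renaming the inner variable, for example `unsigned char desc_flags;` with `pack_descriptor(&d, address, length, 0x9b, desc_flags);`, removes the trap. The access bytes `0x9B`/`0x93` and the `0xC` flags are also repeated here and in the init.c hunk without names; named constants would make the code/data descriptor pair easier to audit. The assignments that set the inner `flags` are on lines this listing does not show.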
17710 @@ -108,11 +151,13 @@ static int __devinit check_pcibios(void)
17711 unsigned long flags, pcibios_entry;
17713 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
17714 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
17715 + pci_indirect.address = pcibios_entry;
17717 local_irq_save(flags);
17719 - "lcall *(%%edi); cld\n\t"
17720 + __asm__("movw %w6, %%ds\n\t"
17721 + "lcall *%%ss:(%%edi); cld\n\t"
17727 @@ -121,7 +166,8 @@ static int __devinit check_pcibios(void)
17730 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
17731 - "D" (&pci_indirect)
17732 + "D" (&pci_indirect),
17733 + "r" (__PCIBIOS_DS)
17735 local_irq_restore(flags);
17737 @@ -165,7 +211,10 @@ static int pci_bios_read(unsigned int se
17741 - __asm__("lcall *(%%esi); cld\n\t"
17742 + __asm__("movw %w6, %%ds\n\t"
17743 + "lcall *%%ss:(%%esi); cld\n\t"
17749 @@ -174,7 +223,8 @@ static int pci_bios_read(unsigned int se
17750 : "1" (PCIBIOS_READ_CONFIG_BYTE),
17753 - "S" (&pci_indirect));
17754 + "S" (&pci_indirect),
17755 + "r" (__PCIBIOS_DS));
17757 * Zero-extend the result beyond 8 bits, do not trust the
17758 * BIOS having done it:
17759 @@ -182,7 +232,10 @@ static int pci_bios_read(unsigned int se
17763 - __asm__("lcall *(%%esi); cld\n\t"
17764 + __asm__("movw %w6, %%ds\n\t"
17765 + "lcall *%%ss:(%%esi); cld\n\t"
17771 @@ -191,7 +244,8 @@ static int pci_bios_read(unsigned int se
17772 : "1" (PCIBIOS_READ_CONFIG_WORD),
17775 - "S" (&pci_indirect));
17776 + "S" (&pci_indirect),
17777 + "r" (__PCIBIOS_DS));
17779 * Zero-extend the result beyond 16 bits, do not trust the
17780 * BIOS having done it:
17781 @@ -199,7 +253,10 @@ static int pci_bios_read(unsigned int se
17785 - __asm__("lcall *(%%esi); cld\n\t"
17786 + __asm__("movw %w6, %%ds\n\t"
17787 + "lcall *%%ss:(%%esi); cld\n\t"
17793 @@ -208,7 +265,8 @@ static int pci_bios_read(unsigned int se
17794 : "1" (PCIBIOS_READ_CONFIG_DWORD),
17797 - "S" (&pci_indirect));
17798 + "S" (&pci_indirect),
17799 + "r" (__PCIBIOS_DS));
17803 @@ -231,7 +289,10 @@ static int pci_bios_write(unsigned int s
17807 - __asm__("lcall *(%%esi); cld\n\t"
17808 + __asm__("movw %w6, %%ds\n\t"
17809 + "lcall *%%ss:(%%esi); cld\n\t"
17815 @@ -240,10 +301,14 @@ static int pci_bios_write(unsigned int s
17819 - "S" (&pci_indirect));
17820 + "S" (&pci_indirect),
17821 + "r" (__PCIBIOS_DS));
17824 - __asm__("lcall *(%%esi); cld\n\t"
17825 + __asm__("movw %w6, %%ds\n\t"
17826 + "lcall *%%ss:(%%esi); cld\n\t"
17832 @@ -252,10 +317,14 @@ static int pci_bios_write(unsigned int s
17836 - "S" (&pci_indirect));
17837 + "S" (&pci_indirect),
17838 + "r" (__PCIBIOS_DS));
17841 - __asm__("lcall *(%%esi); cld\n\t"
17842 + __asm__("movw %w6, %%ds\n\t"
17843 + "lcall *%%ss:(%%esi); cld\n\t"
17849 @@ -264,7 +333,8 @@ static int pci_bios_write(unsigned int s
17853 - "S" (&pci_indirect));
17854 + "S" (&pci_indirect),
17855 + "r" (__PCIBIOS_DS));
17859 @@ -278,7 +348,7 @@ static int pci_bios_write(unsigned int s
17860 * Function table for BIOS32 access
17863 -static struct pci_raw_ops pci_bios_access = {
17864 +static const struct pci_raw_ops pci_bios_access = {
17865 .read = pci_bios_read,
17866 .write = pci_bios_write
17868 @@ -287,7 +357,7 @@ static struct pci_raw_ops pci_bios_acces
17869 * Try to find PCI BIOS.
17872 -static struct pci_raw_ops * __devinit pci_find_bios(void)
17873 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
17875 union bios32 *check;
17877 @@ -368,10 +438,13 @@ struct irq_routing_table * pcibios_get_i
17879 DBG("PCI: Fetching IRQ routing table... ");
17880 __asm__("push %%es\n\t"
17881 + "movw %w8, %%ds\n\t"
17884 - "lcall *(%%esi); cld\n\t"
17885 + "lcall *%%ss:(%%esi); cld\n\t"
17892 @@ -382,7 +455,8 @@ struct irq_routing_table * pcibios_get_i
17895 "S" (&pci_indirect),
17898 + "r" (__PCIBIOS_DS)
17900 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
17902 @@ -406,7 +480,10 @@ int pcibios_set_irq_routing(struct pci_d
17906 - __asm__("lcall *(%%esi); cld\n\t"
17907 + __asm__("movw %w5, %%ds\n\t"
17908 + "lcall *%%ss:(%%esi); cld\n\t"
17914 @@ -414,7 +491,8 @@ int pcibios_set_irq_routing(struct pci_d
17915 : "0" (PCIBIOS_SET_PCI_HW_INT),
17916 "b" ((dev->bus->number << 8) | dev->devfn),
17917 "c" ((irq << 8) | (pin + 10)),
17918 - "S" (&pci_indirect));
17919 + "S" (&pci_indirect),
17920 + "r" (__PCIBIOS_DS));
17921 return !(ret & 0xff00);
17923 EXPORT_SYMBOL(pcibios_set_irq_routing);
17924 diff -urNp linux-2.6.33/arch/x86/power/cpu.c linux-2.6.33/arch/x86/power/cpu.c
17925 --- linux-2.6.33/arch/x86/power/cpu.c 2010-02-24 13:52:17.000000000 -0500
17926 +++ linux-2.6.33/arch/x86/power/cpu.c 2010-03-07 12:23:35.957616985 -0500
17927 @@ -127,7 +127,7 @@ static void do_fpu_end(void)
17928 static void fix_processor_context(void)
17930 int cpu = smp_processor_id();
17931 - struct tss_struct *t = &per_cpu(init_tss, cpu);
17932 + struct tss_struct *t = init_tss + cpu;
17934 set_tss_desc(cpu, t); /*
17935 * This just modifies memory; should not be
17936 @@ -137,7 +137,9 @@ static void fix_processor_context(void)
17939 #ifdef CONFIG_X86_64
17940 + pax_open_kernel();
17941 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
17942 + pax_close_kernel();
17944 syscall_init(); /* This sets MSR_*STAR and related */
17946 diff -urNp linux-2.6.33/arch/x86/vdso/Makefile linux-2.6.33/arch/x86/vdso/Makefile
17947 --- linux-2.6.33/arch/x86/vdso/Makefile 2010-02-24 13:52:17.000000000 -0500
17948 +++ linux-2.6.33/arch/x86/vdso/Makefile 2010-03-07 12:23:35.957616985 -0500
17949 @@ -122,7 +122,7 @@ quiet_cmd_vdso = VDSO $@
17950 $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
17951 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^)
17953 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
17954 +VDSO_LDFLAGS = -fPIC -shared --no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
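Review bot: `--no-undefined` is added to `VDSO_LDFLAGS` bare, while every other linker option on these lines goes through the compiler driver as `-Wl,...` (`-Wl,-T,...` in the command above and `-Wl$(comma)--hash-style=sysv` in the same variable). Since the variable also carries `-fPIC -shared`, it is presumably passed to the compiler rather than to ld, and whether the driver forwards a bare `--no-undefined` depends on the toolchain; `VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)` states the intent unambiguously. A short comment that the flag turns an unresolved symbol in the vDSO into a link failure would explain why it is there.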
17958 diff -urNp linux-2.6.33/arch/x86/vdso/vclock_gettime.c linux-2.6.33/arch/x86/vdso/vclock_gettime.c
17959 --- linux-2.6.33/arch/x86/vdso/vclock_gettime.c 2010-02-24 13:52:17.000000000 -0500
17960 +++ linux-2.6.33/arch/x86/vdso/vclock_gettime.c 2010-03-07 12:23:35.961598666 -0500
17961 @@ -22,24 +22,48 @@
17962 #include <asm/hpet.h>
17963 #include <asm/unistd.h>
17964 #include <asm/io.h>
17965 +#include <asm/fixmap.h>
17966 #include "vextern.h"
17968 #define gtod vdso_vsyscall_gtod_data
17970 +notrace noinline long __vdso_fallback_time(long *t)
17973 + asm volatile("syscall"
17975 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
17979 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
17982 asm("syscall" : "=a" (ret) :
17983 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
17984 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
17988 +notrace static inline cycle_t __vdso_vread_hpet(void)
17990 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
17993 +notrace static inline cycle_t __vdso_vread_tsc(void)
17995 + cycle_t ret = (cycle_t)vget_cycles();
17997 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
18000 notrace static inline long vgetns(void)
18003 - cycles_t (*vread)(void);
18004 - vread = gtod->clock.vread;
18005 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
18006 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
18007 + v = __vdso_vread_tsc();
18009 + v = __vdso_vread_hpet();
18010 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
18011 return (v * gtod->clock.mult) >> gtod->clock.shift;
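Review bot: The byte-by-byte test on `gtod->clock.name` in vgetns is open-coded here and again, with the "hpet" variant added, in the `__vdso_clock_gettime` and `__vdso_gettimeofday` hunks below, so three copies of the clock-source allow-list can drift apart. Two small `notrace static inline` predicates would keep that list in one place, with a comment that the direct calls replace the indirect call through `gtod->clock.vread` and that the comparison is open-coded, presumably because the vDSO cannot call string helpers. vgetns itself takes the HPET path for any name that is not "tsc" (the `else` line is missing from this listing), so it depends on both callers having checked the name first, which deserves a comment too. The type of `clock.name` is not visible here; the sketch assumes a NUL-terminated char array.

```c
/* Open-coded on purpose: no calls out of the vDSO. */
notrace static inline int vdso_clock_is_tsc(void)
{
	const char *n = gtod->clock.name;

	return n[0] == 't' && n[1] == 's' && n[2] == 'c' && !n[3];
}

notrace static inline int vdso_clock_is_hpet(void)
{
	const char *n = gtod->clock.name;

	return n[0] == 'h' && n[1] == 'p' && n[2] == 'e' && n[3] == 't' && !n[4];
}

/* … unchanged: vgetns, __vdso_clock_gettime, __vdso_gettimeofday, with the open-coded tests replaced by these calls … */
```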
18014 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
18016 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
18018 - if (likely(gtod->sysctl_enabled))
18019 + if (likely(gtod->sysctl_enabled &&
18020 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
18021 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
18023 case CLOCK_REALTIME:
18024 if (likely(gtod->clock.vread))
18025 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
18026 int clock_gettime(clockid_t, struct timespec *)
18027 __attribute__((weak, alias("__vdso_clock_gettime")));
18029 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
18030 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
18033 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
18034 + asm("syscall" : "=a" (ret) :
18035 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
18039 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
18041 + if (likely(gtod->sysctl_enabled &&
18042 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
18043 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
18045 if (likely(tv != NULL)) {
18046 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
18047 offsetof(struct timespec, tv_nsec) ||
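Review bot: `__vdso_fallback_gettimeofday` issues its syscall with plain `asm`, as `vdso_fallback_gettime` does, while `__vdso_fallback_time` added earlier in this file uses `asm volatile`. The result is returned and "memory" is clobbered, so this most likely works as written, but a non-volatile asm with an output is one the compiler is allowed to treat as a pure computation. Writing `asm volatile("syscall" : "=a" (ret) :` in all three fallbacks makes the side effect explicit and keeps the helpers consistent. The body of `__vdso_gettimeofday` continues past this hunk.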
18048 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
18052 - asm("syscall" : "=a" (ret) :
18053 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
18055 + return __vdso_fallback_gettimeofday(tv, tz);
18057 int gettimeofday(struct timeval *, struct timezone *)
18058 __attribute__((weak, alias("__vdso_gettimeofday")));
18059 diff -urNp linux-2.6.33/arch/x86/vdso/vdso32-setup.c linux-2.6.33/arch/x86/vdso/vdso32-setup.c
18060 --- linux-2.6.33/arch/x86/vdso/vdso32-setup.c 2010-02-24 13:52:17.000000000 -0500
18061 +++ linux-2.6.33/arch/x86/vdso/vdso32-setup.c 2010-03-07 12:23:48.703416643 -0500
18063 #include <asm/tlbflush.h>
18064 #include <asm/vdso.h>
18065 #include <asm/proto.h>
18066 +#include <asm/mman.h>
18070 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
18071 void enable_sep_cpu(void)
18073 int cpu = get_cpu();
18074 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
18075 + struct tss_struct *tss = init_tss + cpu;
18077 if (!boot_cpu_has(X86_FEATURE_SEP)) {
18079 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
18080 gate_vma.vm_start = FIXADDR_USER_START;
18081 gate_vma.vm_end = FIXADDR_USER_END;
18082 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
18083 - gate_vma.vm_page_prot = __P101;
18084 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
18086 * Make sure the vDSO gets into every core dump.
18087 * Dumping its contents makes post-mortem fully interpretable later
18088 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
18090 addr = VDSO_HIGH_BASE;
18092 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
18093 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
18094 if (IS_ERR_VALUE(addr)) {
18100 - current->mm->context.vdso = (void *)addr;
18101 + current->mm->context.vdso = addr;
18103 if (compat_uses_vma || !compat) {
18105 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
18108 current_thread_info()->sysenter_return =
18109 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
18110 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
18114 - current->mm->context.vdso = NULL;
18115 + current->mm->context.vdso = 0;
18117 up_write(&mm->mmap_sem);
18119 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
18121 const char *arch_vma_name(struct vm_area_struct *vma)
18123 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
18124 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
18127 +#ifdef CONFIG_PAX_SEGMEXEC
18128 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
18135 @@ -422,7 +429,7 @@ struct vm_area_struct *get_gate_vma(stru
18136 struct mm_struct *mm = tsk->mm;
18138 /* Check to see if this task was created in compat vdso mode */
18139 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
18140 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
18144 diff -urNp linux-2.6.33/arch/x86/vdso/vdso.lds.S linux-2.6.33/arch/x86/vdso/vdso.lds.S
18145 --- linux-2.6.33/arch/x86/vdso/vdso.lds.S 2010-02-24 13:52:17.000000000 -0500
18146 +++ linux-2.6.33/arch/x86/vdso/vdso.lds.S 2010-03-07 12:23:35.961598666 -0500
18147 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
18148 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
18149 #include "vextern.h"
18152 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
18153 +VEXTERN(fallback_gettimeofday)
18154 +VEXTERN(fallback_time)
18157 diff -urNp linux-2.6.33/arch/x86/vdso/vextern.h linux-2.6.33/arch/x86/vdso/vextern.h
18158 --- linux-2.6.33/arch/x86/vdso/vextern.h 2010-02-24 13:52:17.000000000 -0500
18159 +++ linux-2.6.33/arch/x86/vdso/vextern.h 2010-03-07 12:23:35.961598666 -0500
18161 put into vextern.h and be referenced as a pointer with vdso prefix.
18162 The main kernel later fills in the values. */
18165 VEXTERN(vgetcpu_mode)
18166 VEXTERN(vsyscall_gtod_data)
18167 diff -urNp linux-2.6.33/arch/x86/vdso/vma.c linux-2.6.33/arch/x86/vdso/vma.c
18168 --- linux-2.6.33/arch/x86/vdso/vma.c 2010-02-24 13:52:17.000000000 -0500
18169 +++ linux-2.6.33/arch/x86/vdso/vma.c 2010-03-07 12:23:35.961598666 -0500
18170 @@ -57,7 +57,7 @@ static int __init init_vdso_vars(void)
18174 - if (memcmp(vbase, "\177ELF", 4)) {
18175 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
18176 printk("VDSO: I'm broken; not ELF\n");
18179 @@ -66,6 +66,7 @@ static int __init init_vdso_vars(void)
18180 *(typeof(__ ## x) **) var_ref(VDSO64_SYMBOL(vbase, x), #x) = &__ ## x;
18181 #include "vextern.h"
18187 @@ -116,7 +117,7 @@ int arch_setup_additional_pages(struct l
18191 - current->mm->context.vdso = (void *)addr;
18192 + current->mm->context.vdso = addr;
18194 ret = install_special_mapping(mm, addr, vdso_size,
18196 @@ -124,7 +125,7 @@ int arch_setup_additional_pages(struct l
18200 - current->mm->context.vdso = NULL;
18201 + current->mm->context.vdso = 0;
18205 @@ -132,10 +133,3 @@ up_fail:
18206 up_write(&mm->mmap_sem);
18210 -static __init int vdso_setup(char *s)
18212 - vdso_enabled = simple_strtoul(s, NULL, 0);
18215 -__setup("vdso=", vdso_setup);
18216 diff -urNp linux-2.6.33/arch/x86/xen/enlighten.c linux-2.6.33/arch/x86/xen/enlighten.c
18217 --- linux-2.6.33/arch/x86/xen/enlighten.c 2010-02-24 13:52:17.000000000 -0500
18218 +++ linux-2.6.33/arch/x86/xen/enlighten.c 2010-03-07 12:23:35.961598666 -0500
18219 @@ -72,8 +72,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
18221 struct shared_info xen_dummy_shared_info;
18223 -void *xen_initial_gdt;
18226 * Point at some empty memory to start with. We map the real shared_info
18227 * page as soon as fixmap is up and running.
18228 @@ -549,7 +547,7 @@ static void xen_write_idt_entry(gate_des
18232 - start = __get_cpu_var(idt_desc).address;
18233 + start = (unsigned long)__get_cpu_var(idt_desc).address;
18234 end = start + __get_cpu_var(idt_desc).size + 1;
18237 @@ -1126,13 +1124,6 @@ asmlinkage void __init xen_start_kernel(
18239 machine_ops = xen_machine_ops;
18242 - * The only reliable way to retain the initial address of the
18243 - * percpu gdt_page is to remember it here, so we can go and
18244 - * mark it RW later, when the initial percpu area is freed.
18246 - xen_initial_gdt = &per_cpu(gdt_page, 0);
18250 pgd = (pgd_t *)xen_start_info->pt_base;
18251 diff -urNp linux-2.6.33/arch/x86/xen/mmu.c linux-2.6.33/arch/x86/xen/mmu.c
18252 --- linux-2.6.33/arch/x86/xen/mmu.c 2010-02-24 13:52:17.000000000 -0500
18253 +++ linux-2.6.33/arch/x86/xen/mmu.c 2010-03-07 12:23:35.961598666 -0500
18254 @@ -1710,6 +1710,8 @@ __init pgd_t *xen_setup_kernel_pagetable
18255 convert_pfn_mfn(init_level4_pgt);
18256 convert_pfn_mfn(level3_ident_pgt);
18257 convert_pfn_mfn(level3_kernel_pgt);
18258 + convert_pfn_mfn(level3_vmalloc_pgt);
18259 + convert_pfn_mfn(level3_vmemmap_pgt);
18261 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
18262 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
18263 @@ -1728,7 +1730,10 @@ __init pgd_t *xen_setup_kernel_pagetable
18264 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
18265 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
18266 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
18267 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
18268 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
18269 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
18270 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
18271 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
18272 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
18274 diff -urNp linux-2.6.33/arch/x86/xen/smp.c linux-2.6.33/arch/x86/xen/smp.c
18275 --- linux-2.6.33/arch/x86/xen/smp.c 2010-02-24 13:52:17.000000000 -0500
18276 +++ linux-2.6.33/arch/x86/xen/smp.c 2010-03-07 12:23:35.961598666 -0500
18277 @@ -168,11 +168,6 @@ static void __init xen_smp_prepare_boot_
18279 BUG_ON(smp_processor_id() != 0);
18280 native_smp_prepare_boot_cpu();
18282 - /* We've switched to the "real" per-cpu gdt, so make sure the
18283 - old memory can be recycled */
18284 - make_lowmem_page_readwrite(xen_initial_gdt);
18286 xen_setup_vcpu_info_placement();
18289 @@ -232,8 +227,8 @@ cpu_initialize_context(unsigned int cpu,
18290 gdt = get_cpu_gdt_table(cpu);
18292 ctxt->flags = VGCF_IN_KERNEL;
18293 - ctxt->user_regs.ds = __USER_DS;
18294 - ctxt->user_regs.es = __USER_DS;
18295 + ctxt->user_regs.ds = __KERNEL_DS;
18296 + ctxt->user_regs.es = __KERNEL_DS;
18297 ctxt->user_regs.ss = __KERNEL_DS;
18298 #ifdef CONFIG_X86_32
18299 ctxt->user_regs.fs = __KERNEL_PERCPU;
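Review bot: The initial `ds` and `es` of a new vCPU change from `__USER_DS` to `__KERNEL_DS` with no comment, and the reason cannot be read from the hunk. The context is created with `VGCF_IN_KERNEL` and `ss` was already `__KERNEL_DS`, so the intent is presumably that a freshly started vCPU never runs kernel code with user data segments loaded. A comment above the two assignments would record that, for example `/* vcpu starts in kernel mode: load kernel data segments, never user ones */`. `cpu_initialize_context` starts and ends outside this hunk.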
18300 diff -urNp linux-2.6.33/arch/x86/xen/xen-ops.h linux-2.6.33/arch/x86/xen/xen-ops.h
18301 --- linux-2.6.33/arch/x86/xen/xen-ops.h 2010-02-24 13:52:17.000000000 -0500
18302 +++ linux-2.6.33/arch/x86/xen/xen-ops.h 2010-03-07 12:23:35.961598666 -0500
18304 extern const char xen_hypervisor_callback[];
18305 extern const char xen_failsafe_callback[];
18307 -extern void *xen_initial_gdt;
18310 void xen_copy_trap_info(struct trap_info *traps);
18312 diff -urNp linux-2.6.33/block/blk-integrity.c linux-2.6.33/block/blk-integrity.c
18313 --- linux-2.6.33/block/blk-integrity.c 2010-02-24 13:52:17.000000000 -0500
18314 +++ linux-2.6.33/block/blk-integrity.c 2010-03-07 12:23:35.961598666 -0500
18315 @@ -278,7 +278,7 @@ static struct attribute *integrity_attrs
18319 -static struct sysfs_ops integrity_ops = {
18320 +static const struct sysfs_ops integrity_ops = {
18321 .show = &integrity_attr_show,
18322 .store = &integrity_attr_store,
18324 diff -urNp linux-2.6.33/block/blk-iopoll.c linux-2.6.33/block/blk-iopoll.c
18325 --- linux-2.6.33/block/blk-iopoll.c 2010-02-24 13:52:17.000000000 -0500
18326 +++ linux-2.6.33/block/blk-iopoll.c 2010-03-07 12:23:35.961598666 -0500
18327 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
18329 EXPORT_SYMBOL(blk_iopoll_complete);
18331 -static void blk_iopoll_softirq(struct softirq_action *h)
18332 +static void blk_iopoll_softirq(void)
18334 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
18335 int rearm = 0, budget = blk_iopoll_budget;
18336 diff -urNp linux-2.6.33/block/blk-map.c linux-2.6.33/block/blk-map.c
18337 --- linux-2.6.33/block/blk-map.c 2010-02-24 13:52:17.000000000 -0500
18338 +++ linux-2.6.33/block/blk-map.c 2010-03-07 12:23:35.961598666 -0500
18339 @@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ
18340 * direct dma. else, set up kernel bounce buffers
18342 uaddr = (unsigned long) ubuf;
18343 - if (blk_rq_aligned(q, ubuf, len) && !map_data)
18344 + if (blk_rq_aligned(q, (__force void *)ubuf, len) && !map_data)
18345 bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask);
18347 bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask);
18348 @@ -297,7 +297,7 @@ int blk_rq_map_kern(struct request_queue
18352 - do_copy = !blk_rq_aligned(q, kbuf, len) || object_is_on_stack(kbuf);
18353 + do_copy = !blk_rq_aligned(q, kbuf, len) || object_starts_on_stack(kbuf);
18355 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
18357 diff -urNp linux-2.6.33/block/blk-softirq.c linux-2.6.33/block/blk-softirq.c
18358 --- linux-2.6.33/block/blk-softirq.c 2010-02-24 13:52:17.000000000 -0500
18359 +++ linux-2.6.33/block/blk-softirq.c 2010-03-07 12:23:35.961598666 -0500
18360 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
18361 * Softirq action handler - move entries to local list and loop over them
18362 * while passing them to the queue registered handler.
18364 -static void blk_done_softirq(struct softirq_action *h)
18365 +static void blk_done_softirq(void)
18367 struct list_head *cpu_list, local_list;
18369 diff -urNp linux-2.6.33/block/blk-sysfs.c linux-2.6.33/block/blk-sysfs.c
18370 --- linux-2.6.33/block/blk-sysfs.c 2010-02-24 13:52:17.000000000 -0500
18371 +++ linux-2.6.33/block/blk-sysfs.c 2010-03-07 12:23:35.961598666 -0500
18372 @@ -447,7 +447,7 @@ static void blk_release_queue(struct kob
18373 kmem_cache_free(blk_requestq_cachep, q);
18376 -static struct sysfs_ops queue_sysfs_ops = {
18377 +static const struct sysfs_ops queue_sysfs_ops = {
18378 .show = queue_attr_show,
18379 .store = queue_attr_store,
18381 diff -urNp linux-2.6.33/block/elevator.c linux-2.6.33/block/elevator.c
18382 --- linux-2.6.33/block/elevator.c 2010-02-24 13:52:17.000000000 -0500
18383 +++ linux-2.6.33/block/elevator.c 2010-03-07 12:23:35.961598666 -0500
18384 @@ -883,7 +883,7 @@ elv_attr_store(struct kobject *kobj, str
18388 -static struct sysfs_ops elv_sysfs_ops = {
18389 +static const struct sysfs_ops elv_sysfs_ops = {
18390 .show = elv_attr_show,
18391 .store = elv_attr_store,
18393 diff -urNp linux-2.6.33/crypto/lrw.c linux-2.6.33/crypto/lrw.c
18394 --- linux-2.6.33/crypto/lrw.c 2010-02-24 13:52:17.000000000 -0500
18395 +++ linux-2.6.33/crypto/lrw.c 2010-03-07 12:23:35.961598666 -0500
18396 @@ -60,7 +60,7 @@ static int setkey(struct crypto_tfm *par
18397 struct priv *ctx = crypto_tfm_ctx(parent);
18398 struct crypto_cipher *child = ctx->child;
18400 - be128 tmp = { 0 };
18401 + be128 tmp = { 0, 0 };
18402 int bsize = crypto_cipher_blocksize(child);
18404 crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
18405 diff -urNp linux-2.6.33/Documentation/dontdiff linux-2.6.33/Documentation/dontdiff
18406 --- linux-2.6.33/Documentation/dontdiff 2010-02-24 13:52:17.000000000 -0500
18407 +++ linux-2.6.33/Documentation/dontdiff 2010-03-07 12:23:35.961598666 -0500
18424 @@ -49,11 +51,16 @@
18441 @@ -77,7 +84,9 @@ btfixupprep
18451 @@ -107,13 +116,14 @@ generated
18458 initramfs_data.cpio
18459 +initramfs_data.cpio.bz2
18460 initramfs_data.cpio.gz
18467 @@ -137,10 +147,13 @@ mkboot
18481 @@ -153,6 +166,7 @@ patches*
18489 @@ -167,6 +181,7 @@ setup
18497 @@ -190,14 +205,20 @@ version.h*
18518 diff -urNp linux-2.6.33/Documentation/filesystems/sysfs.txt linux-2.6.33/Documentation/filesystems/sysfs.txt
18519 --- linux-2.6.33/Documentation/filesystems/sysfs.txt 2010-02-24 13:52:17.000000000 -0500
18520 +++ linux-2.6.33/Documentation/filesystems/sysfs.txt 2010-03-07 12:23:35.961598666 -0500
18521 @@ -123,8 +123,8 @@ set of sysfs operations for forwarding r
18522 show and store methods of the attribute owners.
18525 - ssize_t (*show)(struct kobject *, struct attribute *, char *);
18526 - ssize_t (*store)(struct kobject *, struct attribute *, const char *);
18527 + ssize_t (* const show)(struct kobject *, struct attribute *, char *);
18528 + ssize_t (* const store)(struct kobject *, struct attribute *, const char *);
18531 [ Subsystems should have already defined a struct kobj_type as a
18532 diff -urNp linux-2.6.33/Documentation/kernel-parameters.txt linux-2.6.33/Documentation/kernel-parameters.txt
18533 --- linux-2.6.33/Documentation/kernel-parameters.txt 2010-02-24 13:52:17.000000000 -0500
18534 +++ linux-2.6.33/Documentation/kernel-parameters.txt 2010-03-07 12:23:35.965718140 -0500
18535 @@ -1865,6 +1865,12 @@ and is between 256 and 4096 characters.
18536 the specified number of seconds. This is to be used if
18537 your oopses keep scrolling off the screen.
18539 + pax_nouderef [X86-32] disables UDEREF. Most likely needed under certain
18540 + virtualization environments that don't cope well with the
18541 + expand down segment used by UDEREF on X86-32.
18543 + pax_softmode= [X86-32] 0/1 to disable/enable PaX softmode on boot already.
18548 diff -urNp linux-2.6.33/drivers/acpi/battery.c linux-2.6.33/drivers/acpi/battery.c
18549 --- linux-2.6.33/drivers/acpi/battery.c 2010-02-24 13:52:17.000000000 -0500
18550 +++ linux-2.6.33/drivers/acpi/battery.c 2010-03-07 12:23:35.965718140 -0500
18551 @@ -763,7 +763,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
18554 static struct battery_file {
18555 - struct file_operations ops;
18556 + const struct file_operations ops;
18559 } acpi_battery_file[] = {
18560 diff -urNp linux-2.6.33/drivers/acpi/blacklist.c linux-2.6.33/drivers/acpi/blacklist.c
18561 --- linux-2.6.33/drivers/acpi/blacklist.c 2010-02-24 13:52:17.000000000 -0500
18562 +++ linux-2.6.33/drivers/acpi/blacklist.c 2010-03-07 12:23:35.965718140 -0500
18563 @@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
18564 {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
18565 "Incorrect _ADR", 1},
18568 + {"", "", 0, NULL, all_versions, NULL, 0}
18571 #if CONFIG_ACPI_BLACKLIST_YEAR
18572 diff -urNp linux-2.6.33/drivers/acpi/dock.c linux-2.6.33/drivers/acpi/dock.c
18573 --- linux-2.6.33/drivers/acpi/dock.c 2010-02-24 13:52:17.000000000 -0500
18574 +++ linux-2.6.33/drivers/acpi/dock.c 2010-03-07 12:23:35.965718140 -0500
18575 @@ -76,7 +76,7 @@ struct dock_dependent_device {
18576 struct list_head list;
18577 struct list_head hotplug_list;
18578 acpi_handle handle;
18579 - struct acpi_dock_ops *ops;
18580 + const struct acpi_dock_ops *ops;
18584 @@ -588,7 +588,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
18585 * the dock driver after _DCK is executed.
18588 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
18589 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
18592 struct dock_dependent_device *dd;
18593 diff -urNp linux-2.6.33/drivers/acpi/osl.c linux-2.6.33/drivers/acpi/osl.c
18594 --- linux-2.6.33/drivers/acpi/osl.c 2010-02-24 13:52:17.000000000 -0500
18595 +++ linux-2.6.33/drivers/acpi/osl.c 2010-03-07 12:23:35.965718140 -0500
18596 @@ -523,6 +523,8 @@ acpi_os_read_memory(acpi_physical_addres
18597 void __iomem *virt_addr;
18599 virt_addr = ioremap(phys_addr, width);
18601 + return AE_NO_MEMORY;
18605 @@ -551,6 +553,8 @@ acpi_os_write_memory(acpi_physical_addre
18606 void __iomem *virt_addr;
18608 virt_addr = ioremap(phys_addr, width);
18610 + return AE_NO_MEMORY;
18614 diff -urNp linux-2.6.33/drivers/acpi/processor_core.c linux-2.6.33/drivers/acpi/processor_core.c
18615 --- linux-2.6.33/drivers/acpi/processor_core.c 2010-02-24 13:52:17.000000000 -0500
18616 +++ linux-2.6.33/drivers/acpi/processor_core.c 2010-03-07 12:23:35.965718140 -0500
18617 @@ -734,7 +734,7 @@ static int __cpuinit acpi_processor_add(
18621 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
18622 + BUG_ON(pr->id >= nr_cpu_ids);
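Review bot: Dropping `pr->id < 0` from the `BUG_ON` is only equivalent if `pr->id` is an unsigned type, and its declaration is not visible in this hunk. If the field is or ever becomes signed, a negative id would pass this check and could then be used as a CPU index. Either record the assumption next to the check, for example `/* pr->id is unsigned, so an invalid (-1) id is caught by the upper bound */`, or make it independent of the field's type with `BUG_ON((unsigned int)pr->id >= nr_cpu_ids);`. `acpi_processor_add` starts and ends outside the hunk.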
18626 diff -urNp linux-2.6.33/drivers/acpi/processor_idle.c linux-2.6.33/drivers/acpi/processor_idle.c
18627 --- linux-2.6.33/drivers/acpi/processor_idle.c 2010-02-24 13:52:17.000000000 -0500
18628 +++ linux-2.6.33/drivers/acpi/processor_idle.c 2010-03-07 12:23:35.965718140 -0500
18629 @@ -118,7 +118,7 @@ static struct dmi_system_id __cpuinitdat
18630 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
18631 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
18634 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL},
18638 diff -urNp linux-2.6.33/drivers/acpi/sleep.c linux-2.6.33/drivers/acpi/sleep.c
18639 --- linux-2.6.33/drivers/acpi/sleep.c 2010-02-24 13:52:17.000000000 -0500
18640 +++ linux-2.6.33/drivers/acpi/sleep.c 2010-03-07 12:23:35.965718140 -0500
18641 @@ -302,7 +302,7 @@ static int acpi_suspend_state_valid(susp
18645 -static struct platform_suspend_ops acpi_suspend_ops = {
18646 +static const struct platform_suspend_ops acpi_suspend_ops = {
18647 .valid = acpi_suspend_state_valid,
18648 .begin = acpi_suspend_begin,
18649 .prepare_late = acpi_pm_prepare,
18650 @@ -330,7 +330,7 @@ static int acpi_suspend_begin_old(suspen
18651 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
18654 -static struct platform_suspend_ops acpi_suspend_ops_old = {
18655 +static const struct platform_suspend_ops acpi_suspend_ops_old = {
18656 .valid = acpi_suspend_state_valid,
18657 .begin = acpi_suspend_begin_old,
18658 .prepare_late = acpi_pm_disable_gpes,
18659 @@ -557,7 +557,7 @@ static void acpi_pm_enable_gpes(void)
18660 acpi_enable_all_runtime_gpes();
18663 -static struct platform_hibernation_ops acpi_hibernation_ops = {
18664 +static const struct platform_hibernation_ops acpi_hibernation_ops = {
18665 .begin = acpi_hibernation_begin,
18666 .end = acpi_pm_end,
18667 .pre_snapshot = acpi_hibernation_pre_snapshot,
18668 @@ -610,7 +610,7 @@ static int acpi_hibernation_pre_snapshot
18669 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
18672 -static struct platform_hibernation_ops acpi_hibernation_ops_old = {
18673 +static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
18674 .begin = acpi_hibernation_begin_old,
18675 .end = acpi_pm_end,
18676 .pre_snapshot = acpi_hibernation_pre_snapshot_old,
18677 diff -urNp linux-2.6.33/drivers/acpi/video.c linux-2.6.33/drivers/acpi/video.c
18678 --- linux-2.6.33/drivers/acpi/video.c 2010-02-24 13:52:17.000000000 -0500
18679 +++ linux-2.6.33/drivers/acpi/video.c 2010-03-07 12:23:35.965718140 -0500
18680 @@ -366,7 +366,7 @@ static int acpi_video_set_brightness(str
18681 vd->brightness->levels[request_level]);
18684 -static struct backlight_ops acpi_backlight_ops = {
18685 +static const struct backlight_ops acpi_backlight_ops = {
18686 .get_brightness = acpi_video_get_brightness,
18687 .update_status = acpi_video_set_brightness,
18689 diff -urNp linux-2.6.33/drivers/ata/ahci.c linux-2.6.33/drivers/ata/ahci.c
18690 --- linux-2.6.33/drivers/ata/ahci.c 2010-02-24 13:52:17.000000000 -0500
18691 +++ linux-2.6.33/drivers/ata/ahci.c 2010-03-07 12:23:35.965718140 -0500
18692 @@ -387,7 +387,7 @@ static struct scsi_host_template ahci_sh
18693 .sdev_attrs = ahci_sdev_attrs,
18696 -static struct ata_port_operations ahci_ops = {
18697 +static const struct ata_port_operations ahci_ops = {
18698 .inherits = &sata_pmp_port_ops,
18700 .qc_defer = sata_pmp_qc_defer_cmd_switch,
18701 @@ -424,17 +424,17 @@ static struct ata_port_operations ahci_o
18702 .port_stop = ahci_port_stop,
18705 -static struct ata_port_operations ahci_vt8251_ops = {
18706 +static const struct ata_port_operations ahci_vt8251_ops = {
18707 .inherits = &ahci_ops,
18708 .hardreset = ahci_vt8251_hardreset,
18711 -static struct ata_port_operations ahci_p5wdh_ops = {
18712 +static const struct ata_port_operations ahci_p5wdh_ops = {
18713 .inherits = &ahci_ops,
18714 .hardreset = ahci_p5wdh_hardreset,
18717 -static struct ata_port_operations ahci_sb600_ops = {
18718 +static const struct ata_port_operations ahci_sb600_ops = {
18719 .inherits = &ahci_ops,
18720 .softreset = ahci_sb600_softreset,
18721 .pmp_softreset = ahci_sb600_softreset,
18722 @@ -681,7 +681,7 @@ static const struct pci_device_id ahci_p
18723 { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
18724 PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
18726 - { } /* terminate list */
18727 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
18731 diff -urNp linux-2.6.33/drivers/ata/ata_generic.c linux-2.6.33/drivers/ata/ata_generic.c
18732 --- linux-2.6.33/drivers/ata/ata_generic.c 2010-02-24 13:52:17.000000000 -0500
18733 +++ linux-2.6.33/drivers/ata/ata_generic.c 2010-03-07 12:23:35.965718140 -0500
18734 @@ -95,7 +95,7 @@ static struct scsi_host_template generic
18735 ATA_BMDMA_SHT(DRV_NAME),
18738 -static struct ata_port_operations generic_port_ops = {
18739 +static const struct ata_port_operations generic_port_ops = {
18740 .inherits = &ata_bmdma_port_ops,
18741 .cable_detect = ata_cable_unknown,
18742 .set_mode = generic_set_mode,
18743 diff -urNp linux-2.6.33/drivers/ata/ata_piix.c linux-2.6.33/drivers/ata/ata_piix.c
18744 --- linux-2.6.33/drivers/ata/ata_piix.c 2010-02-24 13:52:17.000000000 -0500
18745 +++ linux-2.6.33/drivers/ata/ata_piix.c 2010-03-07 12:23:35.969642115 -0500
18746 @@ -291,7 +291,7 @@ static const struct pci_device_id piix_p
18747 { 0x8086, 0x3b2d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
18748 /* SATA Controller IDE (PCH) */
18749 { 0x8086, 0x3b2e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata },
18750 - { } /* terminate list */
18751 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
18754 static struct pci_driver piix_pci_driver = {
18755 @@ -309,7 +309,7 @@ static struct scsi_host_template piix_sh
18756 ATA_BMDMA_SHT(DRV_NAME),
18759 -static struct ata_port_operations piix_pata_ops = {
18760 +static const struct ata_port_operations piix_pata_ops = {
18761 .inherits = &ata_bmdma32_port_ops,
18762 .cable_detect = ata_cable_40wire,
18763 .set_piomode = piix_set_piomode,
18764 @@ -317,22 +317,22 @@ static struct ata_port_operations piix_p
18765 .prereset = piix_pata_prereset,
18768 -static struct ata_port_operations piix_vmw_ops = {
18769 +static const struct ata_port_operations piix_vmw_ops = {
18770 .inherits = &piix_pata_ops,
18771 .bmdma_status = piix_vmw_bmdma_status,
18774 -static struct ata_port_operations ich_pata_ops = {
18775 +static const struct ata_port_operations ich_pata_ops = {
18776 .inherits = &piix_pata_ops,
18777 .cable_detect = ich_pata_cable_detect,
18778 .set_dmamode = ich_set_dmamode,
18781 -static struct ata_port_operations piix_sata_ops = {
18782 +static const struct ata_port_operations piix_sata_ops = {
18783 .inherits = &ata_bmdma32_port_ops,
18786 -static struct ata_port_operations piix_sidpr_sata_ops = {
18787 +static const struct ata_port_operations piix_sidpr_sata_ops = {
18788 .inherits = &piix_sata_ops,
18789 .hardreset = sata_std_hardreset,
18790 .scr_read = piix_sidpr_scr_read,
18791 @@ -608,7 +608,7 @@ static const struct ich_laptop ich_lapto
18792 { 0x2653, 0x1043, 0x82D8 }, /* ICH6M on Asus Eee 701 */
18793 { 0x27df, 0x104d, 0x900e }, /* ICH7 on Sony TZ-90 */
18800 @@ -1086,7 +1086,7 @@ static int piix_broken_suspend(void)
18804 - { } /* terminate list */
18805 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL } /* terminate list */
18807 static const char *oemstrs[] = {
18809 diff -urNp linux-2.6.33/drivers/ata/libata-acpi.c linux-2.6.33/drivers/ata/libata-acpi.c
18810 --- linux-2.6.33/drivers/ata/libata-acpi.c 2010-02-24 13:52:17.000000000 -0500
18811 +++ linux-2.6.33/drivers/ata/libata-acpi.c 2010-03-07 12:23:35.969642115 -0500
18812 @@ -223,12 +223,12 @@ static void ata_acpi_dev_uevent(acpi_han
18813 ata_acpi_uevent(dev->link->ap, dev, event);
18816 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
18817 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
18818 .handler = ata_acpi_dev_notify_dock,
18819 .uevent = ata_acpi_dev_uevent,
18822 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
18823 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
18824 .handler = ata_acpi_ap_notify_dock,
18825 .uevent = ata_acpi_ap_uevent,
18827 diff -urNp linux-2.6.33/drivers/ata/libata-core.c linux-2.6.33/drivers/ata/libata-core.c
18828 --- linux-2.6.33/drivers/ata/libata-core.c 2010-02-24 13:52:17.000000000 -0500
18829 +++ linux-2.6.33/drivers/ata/libata-core.c 2010-03-07 12:23:35.969642115 -0500
18830 @@ -896,7 +896,7 @@ static const struct ata_xfer_ent {
18831 { ATA_SHIFT_PIO, ATA_NR_PIO_MODES, XFER_PIO_0 },
18832 { ATA_SHIFT_MWDMA, ATA_NR_MWDMA_MODES, XFER_MW_DMA_0 },
18833 { ATA_SHIFT_UDMA, ATA_NR_UDMA_MODES, XFER_UDMA_0 },
18839 @@ -3163,7 +3163,7 @@ static const struct ata_timing ata_timin
18840 { XFER_UDMA_5, 0, 0, 0, 0, 0, 0, 0, 0, 20 },
18841 { XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 },
18844 + { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
18847 #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
18848 @@ -4385,7 +4385,7 @@ static const struct ata_blacklist_entry
18849 { "PIONEER DVD-RW DVRTD08", "1.00", ATA_HORKAGE_NOSETXFER },
18853 + { NULL, NULL, 0 }
18856 static int strn_pattern_cmp(const char *patt, const char *name, int wildchar)
18857 @@ -5961,7 +5961,7 @@ static void ata_host_stop(struct device
18861 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
18862 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
18864 static DEFINE_SPINLOCK(lock);
18865 const struct ata_port_operations *cur;
18866 @@ -5973,6 +5973,7 @@ static void ata_finalize_port_ops(struct
18870 + pax_open_kernel();
18872 for (cur = ops->inherits; cur; cur = cur->inherits) {
18873 void **inherit = (void **)cur;
18874 @@ -5986,8 +5987,9 @@ static void ata_finalize_port_ops(struct
18878 - ops->inherits = NULL;
18879 + ((struct ata_port_operations *)ops)->inherits = NULL;
18881 + pax_close_kernel();
18882 spin_unlock(&lock);
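Review bot: `ata_finalize_port_ops` now takes a `const struct ata_port_operations *` but still writes the table, here through `((struct ata_port_operations *)ops)->inherits = NULL` and, judging by the loop in the previous hunk, through a `void **` view as well. Storing into an object defined `const` is undefined behaviour in ISO C, so this relies on the compiler not caching loads from the table and on the `pax_open_kernel()`/`pax_close_kernel()` pair making the memory writable. That contract should be stated at the cast, for example `/* ops tables are const; this fixup deliberately writes one under pax_open_kernel() */`. It is also worth confirming that no path leaves the function between the open and the close, since the lines between the two hunks are not shown and the function starts before this hunk.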
18885 @@ -6084,7 +6086,7 @@ int ata_host_start(struct ata_host *host
18887 /* KILLME - the only user left is ipr */
18888 void ata_host_init(struct ata_host *host, struct device *dev,
18889 - unsigned long flags, struct ata_port_operations *ops)
18890 + unsigned long flags, const struct ata_port_operations *ops)
18892 spin_lock_init(&host->lock);
18894 @@ -6754,7 +6756,7 @@ static void ata_dummy_error_handler(stru
18898 -struct ata_port_operations ata_dummy_port_ops = {
18899 +const struct ata_port_operations ata_dummy_port_ops = {
18900 .qc_prep = ata_noop_qc_prep,
18901 .qc_issue = ata_dummy_qc_issue,
18902 .error_handler = ata_dummy_error_handler,
18903 diff -urNp linux-2.6.33/drivers/ata/libata-eh.c linux-2.6.33/drivers/ata/libata-eh.c
18904 --- linux-2.6.33/drivers/ata/libata-eh.c 2010-02-24 13:52:17.000000000 -0500
18905 +++ linux-2.6.33/drivers/ata/libata-eh.c 2010-03-07 12:23:35.969642115 -0500
18906 @@ -3675,7 +3675,7 @@ void ata_do_eh(struct ata_port *ap, ata_
18908 void ata_std_error_handler(struct ata_port *ap)
18910 - struct ata_port_operations *ops = ap->ops;
18911 + const struct ata_port_operations *ops = ap->ops;
18912 ata_reset_fn_t hardreset = ops->hardreset;
18914 /* ignore built-in hardreset if SCR access is not available */
18915 diff -urNp linux-2.6.33/drivers/ata/libata-pmp.c linux-2.6.33/drivers/ata/libata-pmp.c
18916 --- linux-2.6.33/drivers/ata/libata-pmp.c 2010-02-24 13:52:17.000000000 -0500
18917 +++ linux-2.6.33/drivers/ata/libata-pmp.c 2010-03-07 12:23:35.969642115 -0500
18918 @@ -841,7 +841,7 @@ static int sata_pmp_handle_link_fail(str
18920 static int sata_pmp_eh_recover(struct ata_port *ap)
18922 - struct ata_port_operations *ops = ap->ops;
18923 + const struct ata_port_operations *ops = ap->ops;
18924 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
18925 struct ata_link *pmp_link = &ap->link;
18926 struct ata_device *pmp_dev = pmp_link->device;
18927 diff -urNp linux-2.6.33/drivers/ata/pata_acpi.c linux-2.6.33/drivers/ata/pata_acpi.c
18928 --- linux-2.6.33/drivers/ata/pata_acpi.c 2010-02-24 13:52:17.000000000 -0500
18929 +++ linux-2.6.33/drivers/ata/pata_acpi.c 2010-03-07 12:23:35.969642115 -0500
18930 @@ -215,7 +215,7 @@ static struct scsi_host_template pacpi_s
18931 ATA_BMDMA_SHT(DRV_NAME),
18934 -static struct ata_port_operations pacpi_ops = {
18935 +static const struct ata_port_operations pacpi_ops = {
18936 .inherits = &ata_bmdma_port_ops,
18937 .qc_issue = pacpi_qc_issue,
18938 .cable_detect = pacpi_cable_detect,
18939 diff -urNp linux-2.6.33/drivers/ata/pata_ali.c linux-2.6.33/drivers/ata/pata_ali.c
18940 --- linux-2.6.33/drivers/ata/pata_ali.c 2010-02-24 13:52:17.000000000 -0500
18941 +++ linux-2.6.33/drivers/ata/pata_ali.c 2010-03-07 12:23:35.969642115 -0500
18942 @@ -365,7 +365,7 @@ static struct scsi_host_template ali_sht
18943 * Port operations for PIO only ALi
18946 -static struct ata_port_operations ali_early_port_ops = {
18947 +static const struct ata_port_operations ali_early_port_ops = {
18948 .inherits = &ata_sff_port_ops,
18949 .cable_detect = ata_cable_40wire,
18950 .set_piomode = ali_set_piomode,
18951 @@ -382,7 +382,7 @@ static const struct ata_port_operations
18952 * Port operations for DMA capable ALi without cable
18955 -static struct ata_port_operations ali_20_port_ops = {
18956 +static const struct ata_port_operations ali_20_port_ops = {
18957 .inherits = &ali_dma_base_ops,
18958 .cable_detect = ata_cable_40wire,
18959 .mode_filter = ali_20_filter,
18960 @@ -393,7 +393,7 @@ static struct ata_port_operations ali_20
18962 * Port operations for DMA capable ALi with cable detect
18964 -static struct ata_port_operations ali_c2_port_ops = {
18965 +static const struct ata_port_operations ali_c2_port_ops = {
18966 .inherits = &ali_dma_base_ops,
18967 .check_atapi_dma = ali_check_atapi_dma,
18968 .cable_detect = ali_c2_cable_detect,
18969 @@ -404,7 +404,7 @@ static struct ata_port_operations ali_c2
18971 * Port operations for DMA capable ALi with cable detect
18973 -static struct ata_port_operations ali_c4_port_ops = {
18974 +static const struct ata_port_operations ali_c4_port_ops = {
18975 .inherits = &ali_dma_base_ops,
18976 .check_atapi_dma = ali_check_atapi_dma,
18977 .cable_detect = ali_c2_cable_detect,
18978 @@ -414,7 +414,7 @@ static struct ata_port_operations ali_c4
18980 * Port operations for DMA capable ALi with cable detect and LBA48
18982 -static struct ata_port_operations ali_c5_port_ops = {
18983 +static const struct ata_port_operations ali_c5_port_ops = {
18984 .inherits = &ali_dma_base_ops,
18985 .check_atapi_dma = ali_check_atapi_dma,
18986 .dev_config = ali_warn_atapi_dma,
18987 diff -urNp linux-2.6.33/drivers/ata/pata_amd.c linux-2.6.33/drivers/ata/pata_amd.c
18988 --- linux-2.6.33/drivers/ata/pata_amd.c 2010-02-24 13:52:17.000000000 -0500
18989 +++ linux-2.6.33/drivers/ata/pata_amd.c 2010-03-07 12:23:35.969642115 -0500
18990 @@ -397,28 +397,28 @@ static const struct ata_port_operations
18991 .prereset = amd_pre_reset,
18994 -static struct ata_port_operations amd33_port_ops = {
18995 +static const struct ata_port_operations amd33_port_ops = {
18996 .inherits = &amd_base_port_ops,
18997 .cable_detect = ata_cable_40wire,
18998 .set_piomode = amd33_set_piomode,
18999 .set_dmamode = amd33_set_dmamode,
19002 -static struct ata_port_operations amd66_port_ops = {
19003 +static const struct ata_port_operations amd66_port_ops = {
19004 .inherits = &amd_base_port_ops,
19005 .cable_detect = ata_cable_unknown,
19006 .set_piomode = amd66_set_piomode,
19007 .set_dmamode = amd66_set_dmamode,
19010 -static struct ata_port_operations amd100_port_ops = {
19011 +static const struct ata_port_operations amd100_port_ops = {
19012 .inherits = &amd_base_port_ops,
19013 .cable_detect = ata_cable_unknown,
19014 .set_piomode = amd100_set_piomode,
19015 .set_dmamode = amd100_set_dmamode,
19018 -static struct ata_port_operations amd133_port_ops = {
19019 +static const struct ata_port_operations amd133_port_ops = {
19020 .inherits = &amd_base_port_ops,
19021 .cable_detect = amd_cable_detect,
19022 .set_piomode = amd133_set_piomode,
19023 @@ -433,13 +433,13 @@ static const struct ata_port_operations
19024 .host_stop = nv_host_stop,
19027 -static struct ata_port_operations nv100_port_ops = {
19028 +static const struct ata_port_operations nv100_port_ops = {
19029 .inherits = &nv_base_port_ops,
19030 .set_piomode = nv100_set_piomode,
19031 .set_dmamode = nv100_set_dmamode,
19034 -static struct ata_port_operations nv133_port_ops = {
19035 +static const struct ata_port_operations nv133_port_ops = {
19036 .inherits = &nv_base_port_ops,
19037 .set_piomode = nv133_set_piomode,
19038 .set_dmamode = nv133_set_dmamode,
19039 diff -urNp linux-2.6.33/drivers/ata/pata_artop.c linux-2.6.33/drivers/ata/pata_artop.c
19040 --- linux-2.6.33/drivers/ata/pata_artop.c 2010-02-24 13:52:17.000000000 -0500
19041 +++ linux-2.6.33/drivers/ata/pata_artop.c 2010-03-07 12:23:35.969642115 -0500
19042 @@ -311,7 +311,7 @@ static struct scsi_host_template artop_s
19043 ATA_BMDMA_SHT(DRV_NAME),
19046 -static struct ata_port_operations artop6210_ops = {
19047 +static const struct ata_port_operations artop6210_ops = {
19048 .inherits = &ata_bmdma_port_ops,
19049 .cable_detect = ata_cable_40wire,
19050 .set_piomode = artop6210_set_piomode,
19051 @@ -320,7 +320,7 @@ static struct ata_port_operations artop6
19052 .qc_defer = artop6210_qc_defer,
19055 -static struct ata_port_operations artop6260_ops = {
19056 +static const struct ata_port_operations artop6260_ops = {
19057 .inherits = &ata_bmdma_port_ops,
19058 .cable_detect = artop6260_cable_detect,
19059 .set_piomode = artop6260_set_piomode,
19060 diff -urNp linux-2.6.33/drivers/ata/pata_at32.c linux-2.6.33/drivers/ata/pata_at32.c
19061 --- linux-2.6.33/drivers/ata/pata_at32.c 2010-02-24 13:52:17.000000000 -0500
19062 +++ linux-2.6.33/drivers/ata/pata_at32.c 2010-03-07 12:23:35.969642115 -0500
19063 @@ -172,7 +172,7 @@ static struct scsi_host_template at32_sh
19064 ATA_PIO_SHT(DRV_NAME),
19067 -static struct ata_port_operations at32_port_ops = {
19068 +static const struct ata_port_operations at32_port_ops = {
19069 .inherits = &ata_sff_port_ops,
19070 .cable_detect = ata_cable_40wire,
19071 .set_piomode = pata_at32_set_piomode,
19072 diff -urNp linux-2.6.33/drivers/ata/pata_at91.c linux-2.6.33/drivers/ata/pata_at91.c
19073 --- linux-2.6.33/drivers/ata/pata_at91.c 2010-02-24 13:52:17.000000000 -0500
19074 +++ linux-2.6.33/drivers/ata/pata_at91.c 2010-03-07 12:23:35.969642115 -0500
19075 @@ -195,7 +195,7 @@ static struct scsi_host_template pata_at
19076 ATA_PIO_SHT(DRV_NAME),
19079 -static struct ata_port_operations pata_at91_port_ops = {
19080 +static const struct ata_port_operations pata_at91_port_ops = {
19081 .inherits = &ata_sff_port_ops,
19083 .sff_data_xfer = pata_at91_data_xfer_noirq,
19084 diff -urNp linux-2.6.33/drivers/ata/pata_atiixp.c linux-2.6.33/drivers/ata/pata_atiixp.c
19085 --- linux-2.6.33/drivers/ata/pata_atiixp.c 2010-02-24 13:52:17.000000000 -0500
19086 +++ linux-2.6.33/drivers/ata/pata_atiixp.c 2010-03-07 12:23:35.969642115 -0500
19087 @@ -205,7 +205,7 @@ static struct scsi_host_template atiixp_
19088 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
19091 -static struct ata_port_operations atiixp_port_ops = {
19092 +static const struct ata_port_operations atiixp_port_ops = {
19093 .inherits = &ata_bmdma_port_ops,
19095 .qc_prep = ata_sff_dumb_qc_prep,
19096 diff -urNp linux-2.6.33/drivers/ata/pata_atp867x.c linux-2.6.33/drivers/ata/pata_atp867x.c
19097 --- linux-2.6.33/drivers/ata/pata_atp867x.c 2010-02-24 13:52:17.000000000 -0500
19098 +++ linux-2.6.33/drivers/ata/pata_atp867x.c 2010-03-07 12:23:35.973706141 -0500
19099 @@ -274,7 +274,7 @@ static struct scsi_host_template atp867x
19100 ATA_BMDMA_SHT(DRV_NAME),
19103 -static struct ata_port_operations atp867x_ops = {
19104 +static const struct ata_port_operations atp867x_ops = {
19105 .inherits = &ata_bmdma_port_ops,
19106 .cable_detect = atp867x_cable_detect,
19107 .set_piomode = atp867x_set_piomode,
19108 diff -urNp linux-2.6.33/drivers/ata/pata_bf54x.c linux-2.6.33/drivers/ata/pata_bf54x.c
19109 --- linux-2.6.33/drivers/ata/pata_bf54x.c 2010-02-24 13:52:17.000000000 -0500
19110 +++ linux-2.6.33/drivers/ata/pata_bf54x.c 2010-03-07 12:23:35.973706141 -0500
19111 @@ -1464,7 +1464,7 @@ static struct scsi_host_template bfin_sh
19112 .dma_boundary = ATA_DMA_BOUNDARY,
19115 -static struct ata_port_operations bfin_pata_ops = {
19116 +static const struct ata_port_operations bfin_pata_ops = {
19117 .inherits = &ata_sff_port_ops,
19119 .set_piomode = bfin_set_piomode,
19120 diff -urNp linux-2.6.33/drivers/ata/pata_cmd640.c linux-2.6.33/drivers/ata/pata_cmd640.c
19121 --- linux-2.6.33/drivers/ata/pata_cmd640.c 2010-02-24 13:52:17.000000000 -0500
19122 +++ linux-2.6.33/drivers/ata/pata_cmd640.c 2010-03-07 12:23:35.973706141 -0500
19123 @@ -168,7 +168,7 @@ static struct scsi_host_template cmd640_
19124 ATA_BMDMA_SHT(DRV_NAME),
19127 -static struct ata_port_operations cmd640_port_ops = {
19128 +static const struct ata_port_operations cmd640_port_ops = {
19129 .inherits = &ata_bmdma_port_ops,
19130 /* In theory xfer_noirq is not needed once we kill the prefetcher */
19131 .sff_data_xfer = ata_sff_data_xfer_noirq,
19132 diff -urNp linux-2.6.33/drivers/ata/pata_cmd64x.c linux-2.6.33/drivers/ata/pata_cmd64x.c
19133 --- linux-2.6.33/drivers/ata/pata_cmd64x.c 2010-02-24 13:52:17.000000000 -0500
19134 +++ linux-2.6.33/drivers/ata/pata_cmd64x.c 2010-03-07 12:23:35.973706141 -0500
19135 @@ -275,18 +275,18 @@ static const struct ata_port_operations
19136 .set_dmamode = cmd64x_set_dmamode,
19139 -static struct ata_port_operations cmd64x_port_ops = {
19140 +static const struct ata_port_operations cmd64x_port_ops = {
19141 .inherits = &cmd64x_base_ops,
19142 .cable_detect = ata_cable_40wire,
19145 -static struct ata_port_operations cmd646r1_port_ops = {
19146 +static const struct ata_port_operations cmd646r1_port_ops = {
19147 .inherits = &cmd64x_base_ops,
19148 .bmdma_stop = cmd646r1_bmdma_stop,
19149 .cable_detect = ata_cable_40wire,
19152 -static struct ata_port_operations cmd648_port_ops = {
19153 +static const struct ata_port_operations cmd648_port_ops = {
19154 .inherits = &cmd64x_base_ops,
19155 .bmdma_stop = cmd648_bmdma_stop,
19156 .cable_detect = cmd648_cable_detect,
19157 diff -urNp linux-2.6.33/drivers/ata/pata_cs5520.c linux-2.6.33/drivers/ata/pata_cs5520.c
19158 --- linux-2.6.33/drivers/ata/pata_cs5520.c 2010-02-24 13:52:17.000000000 -0500
19159 +++ linux-2.6.33/drivers/ata/pata_cs5520.c 2010-03-07 12:23:35.973706141 -0500
19160 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
19161 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
19164 -static struct ata_port_operations cs5520_port_ops = {
19165 +static const struct ata_port_operations cs5520_port_ops = {
19166 .inherits = &ata_bmdma_port_ops,
19167 .qc_prep = ata_sff_dumb_qc_prep,
19168 .cable_detect = ata_cable_40wire,
19169 diff -urNp linux-2.6.33/drivers/ata/pata_cs5530.c linux-2.6.33/drivers/ata/pata_cs5530.c
19170 --- linux-2.6.33/drivers/ata/pata_cs5530.c 2010-02-24 13:52:17.000000000 -0500
19171 +++ linux-2.6.33/drivers/ata/pata_cs5530.c 2010-03-07 12:23:35.973706141 -0500
19172 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
19173 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
19176 -static struct ata_port_operations cs5530_port_ops = {
19177 +static const struct ata_port_operations cs5530_port_ops = {
19178 .inherits = &ata_bmdma_port_ops,
19180 .qc_prep = ata_sff_dumb_qc_prep,
19181 diff -urNp linux-2.6.33/drivers/ata/pata_cs5535.c linux-2.6.33/drivers/ata/pata_cs5535.c
19182 --- linux-2.6.33/drivers/ata/pata_cs5535.c 2010-02-24 13:52:17.000000000 -0500
19183 +++ linux-2.6.33/drivers/ata/pata_cs5535.c 2010-03-07 12:23:35.973706141 -0500
19184 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
19185 ATA_BMDMA_SHT(DRV_NAME),
19188 -static struct ata_port_operations cs5535_port_ops = {
19189 +static const struct ata_port_operations cs5535_port_ops = {
19190 .inherits = &ata_bmdma_port_ops,
19191 .cable_detect = cs5535_cable_detect,
19192 .set_piomode = cs5535_set_piomode,
19193 diff -urNp linux-2.6.33/drivers/ata/pata_cs5536.c linux-2.6.33/drivers/ata/pata_cs5536.c
19194 --- linux-2.6.33/drivers/ata/pata_cs5536.c 2010-02-24 13:52:17.000000000 -0500
19195 +++ linux-2.6.33/drivers/ata/pata_cs5536.c 2010-03-07 12:23:35.973706141 -0500
19196 @@ -223,7 +223,7 @@ static struct scsi_host_template cs5536_
19197 ATA_BMDMA_SHT(DRV_NAME),
19200 -static struct ata_port_operations cs5536_port_ops = {
19201 +static const struct ata_port_operations cs5536_port_ops = {
19202 .inherits = &ata_bmdma32_port_ops,
19203 .cable_detect = cs5536_cable_detect,
19204 .set_piomode = cs5536_set_piomode,
19205 diff -urNp linux-2.6.33/drivers/ata/pata_cypress.c linux-2.6.33/drivers/ata/pata_cypress.c
19206 --- linux-2.6.33/drivers/ata/pata_cypress.c 2010-02-24 13:52:17.000000000 -0500
19207 +++ linux-2.6.33/drivers/ata/pata_cypress.c 2010-03-07 12:23:35.973706141 -0500
19208 @@ -113,7 +113,7 @@ static struct scsi_host_template cy82c69
19209 ATA_BMDMA_SHT(DRV_NAME),
19212 -static struct ata_port_operations cy82c693_port_ops = {
19213 +static const struct ata_port_operations cy82c693_port_ops = {
19214 .inherits = &ata_bmdma_port_ops,
19215 .cable_detect = ata_cable_40wire,
19216 .set_piomode = cy82c693_set_piomode,
19217 diff -urNp linux-2.6.33/drivers/ata/pata_efar.c linux-2.6.33/drivers/ata/pata_efar.c
19218 --- linux-2.6.33/drivers/ata/pata_efar.c 2010-02-24 13:52:17.000000000 -0500
19219 +++ linux-2.6.33/drivers/ata/pata_efar.c 2010-03-07 12:23:35.973706141 -0500
19220 @@ -223,7 +223,7 @@ static struct scsi_host_template efar_sh
19221 ATA_BMDMA_SHT(DRV_NAME),
19224 -static struct ata_port_operations efar_ops = {
19225 +static const struct ata_port_operations efar_ops = {
19226 .inherits = &ata_bmdma_port_ops,
19227 .cable_detect = efar_cable_detect,
19228 .set_piomode = efar_set_piomode,
19229 diff -urNp linux-2.6.33/drivers/ata/pata_hpt366.c linux-2.6.33/drivers/ata/pata_hpt366.c
19230 --- linux-2.6.33/drivers/ata/pata_hpt366.c 2010-02-24 13:52:17.000000000 -0500
19231 +++ linux-2.6.33/drivers/ata/pata_hpt366.c 2010-03-07 12:23:35.973706141 -0500
19232 @@ -280,7 +280,7 @@ static struct scsi_host_template hpt36x_
19233 * Configuration for HPT366/68
19236 -static struct ata_port_operations hpt366_port_ops = {
19237 +static const struct ata_port_operations hpt366_port_ops = {
19238 .inherits = &ata_bmdma_port_ops,
19239 .cable_detect = hpt36x_cable_detect,
19240 .mode_filter = hpt366_filter,
19241 diff -urNp linux-2.6.33/drivers/ata/pata_hpt37x.c linux-2.6.33/drivers/ata/pata_hpt37x.c
19242 --- linux-2.6.33/drivers/ata/pata_hpt37x.c 2010-02-24 13:52:17.000000000 -0500
19243 +++ linux-2.6.33/drivers/ata/pata_hpt37x.c 2010-03-07 12:23:35.973706141 -0500
19244 @@ -583,7 +583,7 @@ static struct scsi_host_template hpt37x_
19245 * Configuration for HPT370
19248 -static struct ata_port_operations hpt370_port_ops = {
19249 +static const struct ata_port_operations hpt370_port_ops = {
19250 .inherits = &ata_bmdma_port_ops,
19252 .bmdma_stop = hpt370_bmdma_stop,
19253 @@ -599,7 +599,7 @@ static struct ata_port_operations hpt370
19254 * Configuration for HPT370A. Close to 370 but less filters
19257 -static struct ata_port_operations hpt370a_port_ops = {
19258 +static const struct ata_port_operations hpt370a_port_ops = {
19259 .inherits = &hpt370_port_ops,
19260 .mode_filter = hpt370a_filter,
19262 @@ -609,7 +609,7 @@ static struct ata_port_operations hpt370
19263 * and DMA mode setting functionality.
19266 -static struct ata_port_operations hpt372_port_ops = {
19267 +static const struct ata_port_operations hpt372_port_ops = {
19268 .inherits = &ata_bmdma_port_ops,
19270 .bmdma_stop = hpt37x_bmdma_stop,
19271 @@ -625,7 +625,7 @@ static struct ata_port_operations hpt372
19272 * but we have a different cable detection procedure for function 1.
19275 -static struct ata_port_operations hpt374_fn1_port_ops = {
19276 +static const struct ata_port_operations hpt374_fn1_port_ops = {
19277 .inherits = &hpt372_port_ops,
19278 .cable_detect = hpt374_fn1_cable_detect,
19279 .prereset = hpt37x_pre_reset,
19280 diff -urNp linux-2.6.33/drivers/ata/pata_hpt3x2n.c linux-2.6.33/drivers/ata/pata_hpt3x2n.c
19281 --- linux-2.6.33/drivers/ata/pata_hpt3x2n.c 2010-02-24 13:52:17.000000000 -0500
19282 +++ linux-2.6.33/drivers/ata/pata_hpt3x2n.c 2010-03-07 12:23:35.973706141 -0500
19283 @@ -339,7 +339,7 @@ static struct scsi_host_template hpt3x2n
19284 * Configuration for HPT3x2n.
19287 -static struct ata_port_operations hpt3x2n_port_ops = {
19288 +static const struct ata_port_operations hpt3x2n_port_ops = {
19289 .inherits = &ata_bmdma_port_ops,
19291 .bmdma_stop = hpt3x2n_bmdma_stop,
19292 diff -urNp linux-2.6.33/drivers/ata/pata_hpt3x3.c linux-2.6.33/drivers/ata/pata_hpt3x3.c
19293 --- linux-2.6.33/drivers/ata/pata_hpt3x3.c 2010-02-24 13:52:17.000000000 -0500
19294 +++ linux-2.6.33/drivers/ata/pata_hpt3x3.c 2010-03-07 12:23:35.973706141 -0500
19295 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
19296 ATA_BMDMA_SHT(DRV_NAME),
19299 -static struct ata_port_operations hpt3x3_port_ops = {
19300 +static const struct ata_port_operations hpt3x3_port_ops = {
19301 .inherits = &ata_bmdma_port_ops,
19302 .cable_detect = ata_cable_40wire,
19303 .set_piomode = hpt3x3_set_piomode,
19304 diff -urNp linux-2.6.33/drivers/ata/pata_icside.c linux-2.6.33/drivers/ata/pata_icside.c
19305 --- linux-2.6.33/drivers/ata/pata_icside.c 2010-02-24 13:52:17.000000000 -0500
19306 +++ linux-2.6.33/drivers/ata/pata_icside.c 2010-03-07 12:23:35.973706141 -0500
19307 @@ -319,7 +319,7 @@ static void pata_icside_postreset(struct
19311 -static struct ata_port_operations pata_icside_port_ops = {
19312 +static const struct ata_port_operations pata_icside_port_ops = {
19313 .inherits = &ata_sff_port_ops,
19314 /* no need to build any PRD tables for DMA */
19315 .qc_prep = ata_noop_qc_prep,
19316 diff -urNp linux-2.6.33/drivers/ata/pata_isapnp.c linux-2.6.33/drivers/ata/pata_isapnp.c
19317 --- linux-2.6.33/drivers/ata/pata_isapnp.c 2010-02-24 13:52:17.000000000 -0500
19318 +++ linux-2.6.33/drivers/ata/pata_isapnp.c 2010-03-07 12:23:35.973706141 -0500
19319 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
19320 ATA_PIO_SHT(DRV_NAME),
19323 -static struct ata_port_operations isapnp_port_ops = {
19324 +static const struct ata_port_operations isapnp_port_ops = {
19325 .inherits = &ata_sff_port_ops,
19326 .cable_detect = ata_cable_40wire,
19329 -static struct ata_port_operations isapnp_noalt_port_ops = {
19330 +static const struct ata_port_operations isapnp_noalt_port_ops = {
19331 .inherits = &ata_sff_port_ops,
19332 .cable_detect = ata_cable_40wire,
19333 /* No altstatus so we don't want to use the lost interrupt poll */
19334 diff -urNp linux-2.6.33/drivers/ata/pata_it8213.c linux-2.6.33/drivers/ata/pata_it8213.c
19335 --- linux-2.6.33/drivers/ata/pata_it8213.c 2010-02-24 13:52:17.000000000 -0500
19336 +++ linux-2.6.33/drivers/ata/pata_it8213.c 2010-03-07 12:23:35.973706141 -0500
19337 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
19341 -static struct ata_port_operations it8213_ops = {
19342 +static const struct ata_port_operations it8213_ops = {
19343 .inherits = &ata_bmdma_port_ops,
19344 .cable_detect = it8213_cable_detect,
19345 .set_piomode = it8213_set_piomode,
19346 diff -urNp linux-2.6.33/drivers/ata/pata_it821x.c linux-2.6.33/drivers/ata/pata_it821x.c
19347 --- linux-2.6.33/drivers/ata/pata_it821x.c 2010-02-24 13:52:17.000000000 -0500
19348 +++ linux-2.6.33/drivers/ata/pata_it821x.c 2010-03-07 12:23:35.973706141 -0500
19349 @@ -800,7 +800,7 @@ static struct scsi_host_template it821x_
19350 ATA_BMDMA_SHT(DRV_NAME),
19353 -static struct ata_port_operations it821x_smart_port_ops = {
19354 +static const struct ata_port_operations it821x_smart_port_ops = {
19355 .inherits = &ata_bmdma_port_ops,
19357 .check_atapi_dma= it821x_check_atapi_dma,
19358 @@ -814,7 +814,7 @@ static struct ata_port_operations it821x
19359 .port_start = it821x_port_start,
19362 -static struct ata_port_operations it821x_passthru_port_ops = {
19363 +static const struct ata_port_operations it821x_passthru_port_ops = {
19364 .inherits = &ata_bmdma_port_ops,
19366 .check_atapi_dma= it821x_check_atapi_dma,
19367 @@ -830,7 +830,7 @@ static struct ata_port_operations it821x
19368 .port_start = it821x_port_start,
19371 -static struct ata_port_operations it821x_rdc_port_ops = {
19372 +static const struct ata_port_operations it821x_rdc_port_ops = {
19373 .inherits = &ata_bmdma_port_ops,
19375 .check_atapi_dma= it821x_check_atapi_dma,
19376 diff -urNp linux-2.6.33/drivers/ata/pata_ixp4xx_cf.c linux-2.6.33/drivers/ata/pata_ixp4xx_cf.c
19377 --- linux-2.6.33/drivers/ata/pata_ixp4xx_cf.c 2010-02-24 13:52:17.000000000 -0500
19378 +++ linux-2.6.33/drivers/ata/pata_ixp4xx_cf.c 2010-03-07 12:23:35.973706141 -0500
19379 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
19380 ATA_PIO_SHT(DRV_NAME),
19383 -static struct ata_port_operations ixp4xx_port_ops = {
19384 +static const struct ata_port_operations ixp4xx_port_ops = {
19385 .inherits = &ata_sff_port_ops,
19386 .sff_data_xfer = ixp4xx_mmio_data_xfer,
19387 .cable_detect = ata_cable_40wire,
19388 diff -urNp linux-2.6.33/drivers/ata/pata_jmicron.c linux-2.6.33/drivers/ata/pata_jmicron.c
19389 --- linux-2.6.33/drivers/ata/pata_jmicron.c 2010-02-24 13:52:17.000000000 -0500
19390 +++ linux-2.6.33/drivers/ata/pata_jmicron.c 2010-03-07 12:23:35.973706141 -0500
19391 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
19392 ATA_BMDMA_SHT(DRV_NAME),
19395 -static struct ata_port_operations jmicron_ops = {
19396 +static const struct ata_port_operations jmicron_ops = {
19397 .inherits = &ata_bmdma_port_ops,
19398 .prereset = jmicron_pre_reset,
19400 diff -urNp linux-2.6.33/drivers/ata/pata_legacy.c linux-2.6.33/drivers/ata/pata_legacy.c
19401 --- linux-2.6.33/drivers/ata/pata_legacy.c 2010-02-24 13:52:17.000000000 -0500
19402 +++ linux-2.6.33/drivers/ata/pata_legacy.c 2010-03-07 12:23:35.973706141 -0500
19403 @@ -113,7 +113,7 @@ struct legacy_probe {
19405 struct legacy_controller {
19407 - struct ata_port_operations *ops;
19408 + const struct ata_port_operations *ops;
19409 unsigned int pio_mask;
19410 unsigned int flags;
19411 unsigned int pflags;
19412 @@ -230,12 +230,12 @@ static const struct ata_port_operations
19413 * pio_mask as well.
19416 -static struct ata_port_operations simple_port_ops = {
19417 +static const struct ata_port_operations simple_port_ops = {
19418 .inherits = &legacy_base_port_ops,
19419 .sff_data_xfer = ata_sff_data_xfer_noirq,
19422 -static struct ata_port_operations legacy_port_ops = {
19423 +static const struct ata_port_operations legacy_port_ops = {
19424 .inherits = &legacy_base_port_ops,
19425 .sff_data_xfer = ata_sff_data_xfer_noirq,
19426 .set_mode = legacy_set_mode,
19427 @@ -331,7 +331,7 @@ static unsigned int pdc_data_xfer_vlb(st
19431 -static struct ata_port_operations pdc20230_port_ops = {
19432 +static const struct ata_port_operations pdc20230_port_ops = {
19433 .inherits = &legacy_base_port_ops,
19434 .set_piomode = pdc20230_set_piomode,
19435 .sff_data_xfer = pdc_data_xfer_vlb,
19436 @@ -364,7 +364,7 @@ static void ht6560a_set_piomode(struct a
19437 ioread8(ap->ioaddr.status_addr);
19440 -static struct ata_port_operations ht6560a_port_ops = {
19441 +static const struct ata_port_operations ht6560a_port_ops = {
19442 .inherits = &legacy_base_port_ops,
19443 .set_piomode = ht6560a_set_piomode,
19445 @@ -407,7 +407,7 @@ static void ht6560b_set_piomode(struct a
19446 ioread8(ap->ioaddr.status_addr);
19449 -static struct ata_port_operations ht6560b_port_ops = {
19450 +static const struct ata_port_operations ht6560b_port_ops = {
19451 .inherits = &legacy_base_port_ops,
19452 .set_piomode = ht6560b_set_piomode,
19454 @@ -506,7 +506,7 @@ static void opti82c611a_set_piomode(stru
19458 -static struct ata_port_operations opti82c611a_port_ops = {
19459 +static const struct ata_port_operations opti82c611a_port_ops = {
19460 .inherits = &legacy_base_port_ops,
19461 .set_piomode = opti82c611a_set_piomode,
19463 @@ -616,7 +616,7 @@ static unsigned int opti82c46x_qc_issue(
19464 return ata_sff_qc_issue(qc);
19467 -static struct ata_port_operations opti82c46x_port_ops = {
19468 +static const struct ata_port_operations opti82c46x_port_ops = {
19469 .inherits = &legacy_base_port_ops,
19470 .set_piomode = opti82c46x_set_piomode,
19471 .qc_issue = opti82c46x_qc_issue,
19472 @@ -778,20 +778,20 @@ static int qdi_port(struct platform_devi
19476 -static struct ata_port_operations qdi6500_port_ops = {
19477 +static const struct ata_port_operations qdi6500_port_ops = {
19478 .inherits = &legacy_base_port_ops,
19479 .set_piomode = qdi6500_set_piomode,
19480 .qc_issue = qdi_qc_issue,
19481 .sff_data_xfer = vlb32_data_xfer,
19484 -static struct ata_port_operations qdi6580_port_ops = {
19485 +static const struct ata_port_operations qdi6580_port_ops = {
19486 .inherits = &legacy_base_port_ops,
19487 .set_piomode = qdi6580_set_piomode,
19488 .sff_data_xfer = vlb32_data_xfer,
19491 -static struct ata_port_operations qdi6580dp_port_ops = {
19492 +static const struct ata_port_operations qdi6580dp_port_ops = {
19493 .inherits = &legacy_base_port_ops,
19494 .set_piomode = qdi6580dp_set_piomode,
19495 .qc_issue = qdi_qc_issue,
19496 @@ -863,7 +863,7 @@ static int winbond_port(struct platform_
19500 -static struct ata_port_operations winbond_port_ops = {
19501 +static const struct ata_port_operations winbond_port_ops = {
19502 .inherits = &legacy_base_port_ops,
19503 .set_piomode = winbond_set_piomode,
19504 .sff_data_xfer = vlb32_data_xfer,
19505 @@ -986,7 +986,7 @@ static __init int legacy_init_one(struct
19506 int pio_modes = controller->pio_mask;
19507 unsigned long io = probe->port;
19508 u32 mask = (1 << probe->slot);
19509 - struct ata_port_operations *ops = controller->ops;
19510 + const struct ata_port_operations *ops = controller->ops;
19511 struct legacy_data *ld = &legacy_data[probe->slot];
19512 struct ata_host *host = NULL;
19513 struct ata_port *ap;
19514 diff -urNp linux-2.6.33/drivers/ata/pata_macio.c linux-2.6.33/drivers/ata/pata_macio.c
19515 --- linux-2.6.33/drivers/ata/pata_macio.c 2010-02-24 13:52:17.000000000 -0500
19516 +++ linux-2.6.33/drivers/ata/pata_macio.c 2010-03-07 12:23:35.977706017 -0500
19517 @@ -915,7 +915,7 @@ static struct scsi_host_template pata_ma
19518 .slave_configure = pata_macio_slave_config,
19521 -static struct ata_port_operations pata_macio_ops = {
19522 +static const struct ata_port_operations pata_macio_ops = {
19523 .inherits = &ata_sff_port_ops,
19525 .freeze = pata_macio_freeze,
19526 diff -urNp linux-2.6.33/drivers/ata/pata_marvell.c linux-2.6.33/drivers/ata/pata_marvell.c
19527 --- linux-2.6.33/drivers/ata/pata_marvell.c 2010-02-24 13:52:17.000000000 -0500
19528 +++ linux-2.6.33/drivers/ata/pata_marvell.c 2010-03-07 12:23:35.977706017 -0500
19529 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
19530 ATA_BMDMA_SHT(DRV_NAME),
19533 -static struct ata_port_operations marvell_ops = {
19534 +static const struct ata_port_operations marvell_ops = {
19535 .inherits = &ata_bmdma_port_ops,
19536 .cable_detect = marvell_cable_detect,
19537 .prereset = marvell_pre_reset,
19538 diff -urNp linux-2.6.33/drivers/ata/pata_mpc52xx.c linux-2.6.33/drivers/ata/pata_mpc52xx.c
19539 --- linux-2.6.33/drivers/ata/pata_mpc52xx.c 2010-02-24 13:52:17.000000000 -0500
19540 +++ linux-2.6.33/drivers/ata/pata_mpc52xx.c 2010-03-07 12:23:35.977706017 -0500
19541 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
19542 ATA_PIO_SHT(DRV_NAME),
19545 -static struct ata_port_operations mpc52xx_ata_port_ops = {
19546 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
19547 .inherits = &ata_sff_port_ops,
19548 .sff_dev_select = mpc52xx_ata_dev_select,
19549 .set_piomode = mpc52xx_ata_set_piomode,
19550 diff -urNp linux-2.6.33/drivers/ata/pata_mpiix.c linux-2.6.33/drivers/ata/pata_mpiix.c
19551 --- linux-2.6.33/drivers/ata/pata_mpiix.c 2010-02-24 13:52:17.000000000 -0500
19552 +++ linux-2.6.33/drivers/ata/pata_mpiix.c 2010-03-07 12:23:35.977706017 -0500
19553 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
19554 ATA_PIO_SHT(DRV_NAME),
19557 -static struct ata_port_operations mpiix_port_ops = {
19558 +static const struct ata_port_operations mpiix_port_ops = {
19559 .inherits = &ata_sff_port_ops,
19560 .qc_issue = mpiix_qc_issue,
19561 .cable_detect = ata_cable_40wire,
19562 diff -urNp linux-2.6.33/drivers/ata/pata_netcell.c linux-2.6.33/drivers/ata/pata_netcell.c
19563 --- linux-2.6.33/drivers/ata/pata_netcell.c 2010-02-24 13:52:17.000000000 -0500
19564 +++ linux-2.6.33/drivers/ata/pata_netcell.c 2010-03-07 12:23:35.977706017 -0500
19565 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
19566 ATA_BMDMA_SHT(DRV_NAME),
19569 -static struct ata_port_operations netcell_ops = {
19570 +static const struct ata_port_operations netcell_ops = {
19571 .inherits = &ata_bmdma_port_ops,
19572 .cable_detect = ata_cable_80wire,
19573 .read_id = netcell_read_id,
19574 diff -urNp linux-2.6.33/drivers/ata/pata_ninja32.c linux-2.6.33/drivers/ata/pata_ninja32.c
19575 --- linux-2.6.33/drivers/ata/pata_ninja32.c 2010-02-24 13:52:17.000000000 -0500
19576 +++ linux-2.6.33/drivers/ata/pata_ninja32.c 2010-03-07 12:23:35.977706017 -0500
19577 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
19578 ATA_BMDMA_SHT(DRV_NAME),
19581 -static struct ata_port_operations ninja32_port_ops = {
19582 +static const struct ata_port_operations ninja32_port_ops = {
19583 .inherits = &ata_bmdma_port_ops,
19584 .sff_dev_select = ninja32_dev_select,
19585 .cable_detect = ata_cable_40wire,
19586 diff -urNp linux-2.6.33/drivers/ata/pata_ns87410.c linux-2.6.33/drivers/ata/pata_ns87410.c
19587 --- linux-2.6.33/drivers/ata/pata_ns87410.c 2010-02-24 13:52:17.000000000 -0500
19588 +++ linux-2.6.33/drivers/ata/pata_ns87410.c 2010-03-07 12:23:35.977706017 -0500
19589 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
19590 ATA_PIO_SHT(DRV_NAME),
19593 -static struct ata_port_operations ns87410_port_ops = {
19594 +static const struct ata_port_operations ns87410_port_ops = {
19595 .inherits = &ata_sff_port_ops,
19596 .qc_issue = ns87410_qc_issue,
19597 .cable_detect = ata_cable_40wire,
19598 diff -urNp linux-2.6.33/drivers/ata/pata_ns87415.c linux-2.6.33/drivers/ata/pata_ns87415.c
19599 --- linux-2.6.33/drivers/ata/pata_ns87415.c 2010-02-24 13:52:17.000000000 -0500
19600 +++ linux-2.6.33/drivers/ata/pata_ns87415.c 2010-03-07 12:23:35.977706017 -0500
19601 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
19603 #endif /* 87560 SuperIO Support */
19605 -static struct ata_port_operations ns87415_pata_ops = {
19606 +static const struct ata_port_operations ns87415_pata_ops = {
19607 .inherits = &ata_bmdma_port_ops,
19609 .check_atapi_dma = ns87415_check_atapi_dma,
19610 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
19613 #if defined(CONFIG_SUPERIO)
19614 -static struct ata_port_operations ns87560_pata_ops = {
19615 +static const struct ata_port_operations ns87560_pata_ops = {
19616 .inherits = &ns87415_pata_ops,
19617 .sff_tf_read = ns87560_tf_read,
19618 .sff_check_status = ns87560_check_status,
19619 diff -urNp linux-2.6.33/drivers/ata/pata_octeon_cf.c linux-2.6.33/drivers/ata/pata_octeon_cf.c
19620 --- linux-2.6.33/drivers/ata/pata_octeon_cf.c 2010-02-24 13:52:17.000000000 -0500
19621 +++ linux-2.6.33/drivers/ata/pata_octeon_cf.c 2010-03-07 12:23:35.977706017 -0500
19622 @@ -801,6 +801,7 @@ static unsigned int octeon_cf_qc_issue(s
19626 +/* cannot be const */
19627 static struct ata_port_operations octeon_cf_ops = {
19628 .inherits = &ata_sff_port_ops,
19629 .check_atapi_dma = octeon_cf_check_atapi_dma,
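Review bot: The added `/* cannot be const */` above `octeon_cf_ops` gives no reason, so a later constification pass may change it anyway, and nobody will notice if the reason goes away. Presumably the driver assigns members of `octeon_cf_ops` at probe time, which is not visible in this hunk; if so, the comment should say it, e.g. `/* cannot be const: members are assigned at probe time */`. This exception leaves the table's function pointers in writable memory, unlike the other tables the patch touches. It is worth recording whether a pair of const tables selected at probe would remove the exception.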
19630 diff -urNp linux-2.6.33/drivers/ata/pata_oldpiix.c linux-2.6.33/drivers/ata/pata_oldpiix.c
19631 --- linux-2.6.33/drivers/ata/pata_oldpiix.c 2010-02-24 13:52:17.000000000 -0500
19632 +++ linux-2.6.33/drivers/ata/pata_oldpiix.c 2010-03-07 12:23:35.977706017 -0500
19633 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
19634 ATA_BMDMA_SHT(DRV_NAME),
19637 -static struct ata_port_operations oldpiix_pata_ops = {
19638 +static const struct ata_port_operations oldpiix_pata_ops = {
19639 .inherits = &ata_bmdma_port_ops,
19640 .qc_issue = oldpiix_qc_issue,
19641 .cable_detect = ata_cable_40wire,
19642 diff -urNp linux-2.6.33/drivers/ata/pata_opti.c linux-2.6.33/drivers/ata/pata_opti.c
19643 --- linux-2.6.33/drivers/ata/pata_opti.c 2010-02-24 13:52:17.000000000 -0500
19644 +++ linux-2.6.33/drivers/ata/pata_opti.c 2010-03-07 12:23:35.977706017 -0500
19645 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
19646 ATA_PIO_SHT(DRV_NAME),
19649 -static struct ata_port_operations opti_port_ops = {
19650 +static const struct ata_port_operations opti_port_ops = {
19651 .inherits = &ata_sff_port_ops,
19652 .cable_detect = ata_cable_40wire,
19653 .set_piomode = opti_set_piomode,
19654 diff -urNp linux-2.6.33/drivers/ata/pata_optidma.c linux-2.6.33/drivers/ata/pata_optidma.c
19655 --- linux-2.6.33/drivers/ata/pata_optidma.c 2010-02-24 13:52:17.000000000 -0500
19656 +++ linux-2.6.33/drivers/ata/pata_optidma.c 2010-03-07 12:23:35.977706017 -0500
19657 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
19658 ATA_BMDMA_SHT(DRV_NAME),
19661 -static struct ata_port_operations optidma_port_ops = {
19662 +static const struct ata_port_operations optidma_port_ops = {
19663 .inherits = &ata_bmdma_port_ops,
19664 .cable_detect = ata_cable_40wire,
19665 .set_piomode = optidma_set_pio_mode,
19666 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
19667 .prereset = optidma_pre_reset,
19670 -static struct ata_port_operations optiplus_port_ops = {
19671 +static const struct ata_port_operations optiplus_port_ops = {
19672 .inherits = &optidma_port_ops,
19673 .set_piomode = optiplus_set_pio_mode,
19674 .set_dmamode = optiplus_set_dma_mode,
19675 diff -urNp linux-2.6.33/drivers/ata/pata_palmld.c linux-2.6.33/drivers/ata/pata_palmld.c
19676 --- linux-2.6.33/drivers/ata/pata_palmld.c 2010-02-24 13:52:17.000000000 -0500
19677 +++ linux-2.6.33/drivers/ata/pata_palmld.c 2010-03-07 12:23:35.977706017 -0500
19678 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
19679 ATA_PIO_SHT(DRV_NAME),
19682 -static struct ata_port_operations palmld_port_ops = {
19683 +static const struct ata_port_operations palmld_port_ops = {
19684 .inherits = &ata_sff_port_ops,
19685 .sff_data_xfer = ata_sff_data_xfer_noirq,
19686 .cable_detect = ata_cable_40wire,
19687 diff -urNp linux-2.6.33/drivers/ata/pata_pcmcia.c linux-2.6.33/drivers/ata/pata_pcmcia.c
19688 --- linux-2.6.33/drivers/ata/pata_pcmcia.c 2010-02-24 13:52:17.000000000 -0500
19689 +++ linux-2.6.33/drivers/ata/pata_pcmcia.c 2010-03-07 12:23:35.977706017 -0500
19690 @@ -162,14 +162,14 @@ static struct scsi_host_template pcmcia_
19691 ATA_PIO_SHT(DRV_NAME),
19694 -static struct ata_port_operations pcmcia_port_ops = {
19695 +static const struct ata_port_operations pcmcia_port_ops = {
19696 .inherits = &ata_sff_port_ops,
19697 .sff_data_xfer = ata_sff_data_xfer_noirq,
19698 .cable_detect = ata_cable_40wire,
19699 .set_mode = pcmcia_set_mode,
19702 -static struct ata_port_operations pcmcia_8bit_port_ops = {
19703 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
19704 .inherits = &ata_sff_port_ops,
19705 .sff_data_xfer = ata_data_xfer_8bit,
19706 .cable_detect = ata_cable_40wire,
19707 @@ -253,7 +253,7 @@ static int pcmcia_init_one(struct pcmcia
19708 unsigned long io_base, ctl_base;
19709 void __iomem *io_addr, *ctl_addr;
19711 - struct ata_port_operations *ops = &pcmcia_port_ops;
19712 + const struct ata_port_operations *ops = &pcmcia_port_ops;
19714 info = kzalloc(sizeof(*info), GFP_KERNEL);
19716 diff -urNp linux-2.6.33/drivers/ata/pata_pdc2027x.c linux-2.6.33/drivers/ata/pata_pdc2027x.c
19717 --- linux-2.6.33/drivers/ata/pata_pdc2027x.c 2010-02-24 13:52:17.000000000 -0500
19718 +++ linux-2.6.33/drivers/ata/pata_pdc2027x.c 2010-03-07 12:23:35.977706017 -0500
19719 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
19720 ATA_BMDMA_SHT(DRV_NAME),
19723 -static struct ata_port_operations pdc2027x_pata100_ops = {
19724 +static const struct ata_port_operations pdc2027x_pata100_ops = {
19725 .inherits = &ata_bmdma_port_ops,
19726 .check_atapi_dma = pdc2027x_check_atapi_dma,
19727 .cable_detect = pdc2027x_cable_detect,
19728 .prereset = pdc2027x_prereset,
19731 -static struct ata_port_operations pdc2027x_pata133_ops = {
19732 +static const struct ata_port_operations pdc2027x_pata133_ops = {
19733 .inherits = &pdc2027x_pata100_ops,
19734 .mode_filter = pdc2027x_mode_filter,
19735 .set_piomode = pdc2027x_set_piomode,
19736 diff -urNp linux-2.6.33/drivers/ata/pata_pdc202xx_old.c linux-2.6.33/drivers/ata/pata_pdc202xx_old.c
19737 --- linux-2.6.33/drivers/ata/pata_pdc202xx_old.c 2010-02-24 13:52:17.000000000 -0500
19738 +++ linux-2.6.33/drivers/ata/pata_pdc202xx_old.c 2010-03-07 12:23:35.977706017 -0500
19739 @@ -265,7 +265,7 @@ static struct scsi_host_template pdc202x
19740 ATA_BMDMA_SHT(DRV_NAME),
19743 -static struct ata_port_operations pdc2024x_port_ops = {
19744 +static const struct ata_port_operations pdc2024x_port_ops = {
19745 .inherits = &ata_bmdma_port_ops,
19747 .cable_detect = ata_cable_40wire,
19748 @@ -273,7 +273,7 @@ static struct ata_port_operations pdc202
19749 .set_dmamode = pdc202xx_set_dmamode,
19752 -static struct ata_port_operations pdc2026x_port_ops = {
19753 +static const struct ata_port_operations pdc2026x_port_ops = {
19754 .inherits = &pdc2024x_port_ops,
19756 .check_atapi_dma = pdc2026x_check_atapi_dma,
19757 diff -urNp linux-2.6.33/drivers/ata/pata_piccolo.c linux-2.6.33/drivers/ata/pata_piccolo.c
19758 --- linux-2.6.33/drivers/ata/pata_piccolo.c 2010-02-24 13:52:17.000000000 -0500
19759 +++ linux-2.6.33/drivers/ata/pata_piccolo.c 2010-03-07 12:23:35.977706017 -0500
19760 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
19761 ATA_BMDMA_SHT(DRV_NAME),
19764 -static struct ata_port_operations tosh_port_ops = {
19765 +static const struct ata_port_operations tosh_port_ops = {
19766 .inherits = &ata_bmdma_port_ops,
19767 .cable_detect = ata_cable_unknown,
19768 .set_piomode = tosh_set_piomode,
19769 diff -urNp linux-2.6.33/drivers/ata/pata_platform.c linux-2.6.33/drivers/ata/pata_platform.c
19770 --- linux-2.6.33/drivers/ata/pata_platform.c 2010-02-24 13:52:17.000000000 -0500
19771 +++ linux-2.6.33/drivers/ata/pata_platform.c 2010-03-07 12:23:35.977706017 -0500
19772 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
19773 ATA_PIO_SHT(DRV_NAME),
19776 -static struct ata_port_operations pata_platform_port_ops = {
19777 +static const struct ata_port_operations pata_platform_port_ops = {
19778 .inherits = &ata_sff_port_ops,
19779 .sff_data_xfer = ata_sff_data_xfer_noirq,
19780 .cable_detect = ata_cable_unknown,
19781 diff -urNp linux-2.6.33/drivers/ata/pata_qdi.c linux-2.6.33/drivers/ata/pata_qdi.c
19782 --- linux-2.6.33/drivers/ata/pata_qdi.c 2010-02-24 13:52:17.000000000 -0500
19783 +++ linux-2.6.33/drivers/ata/pata_qdi.c 2010-03-07 12:23:35.977706017 -0500
19784 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
19785 ATA_PIO_SHT(DRV_NAME),
19788 -static struct ata_port_operations qdi6500_port_ops = {
19789 +static const struct ata_port_operations qdi6500_port_ops = {
19790 .inherits = &ata_sff_port_ops,
19791 .qc_issue = qdi_qc_issue,
19792 .sff_data_xfer = qdi_data_xfer,
19793 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
19794 .set_piomode = qdi6500_set_piomode,
19797 -static struct ata_port_operations qdi6580_port_ops = {
19798 +static const struct ata_port_operations qdi6580_port_ops = {
19799 .inherits = &qdi6500_port_ops,
19800 .set_piomode = qdi6580_set_piomode,
19802 diff -urNp linux-2.6.33/drivers/ata/pata_radisys.c linux-2.6.33/drivers/ata/pata_radisys.c
19803 --- linux-2.6.33/drivers/ata/pata_radisys.c 2010-02-24 13:52:17.000000000 -0500
19804 +++ linux-2.6.33/drivers/ata/pata_radisys.c 2010-03-07 12:23:35.977706017 -0500
19805 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
19806 ATA_BMDMA_SHT(DRV_NAME),
19809 -static struct ata_port_operations radisys_pata_ops = {
19810 +static const struct ata_port_operations radisys_pata_ops = {
19811 .inherits = &ata_bmdma_port_ops,
19812 .qc_issue = radisys_qc_issue,
19813 .cable_detect = ata_cable_unknown,
19814 diff -urNp linux-2.6.33/drivers/ata/pata_rb532_cf.c linux-2.6.33/drivers/ata/pata_rb532_cf.c
19815 --- linux-2.6.33/drivers/ata/pata_rb532_cf.c 2010-02-24 13:52:17.000000000 -0500
19816 +++ linux-2.6.33/drivers/ata/pata_rb532_cf.c 2010-03-07 12:23:35.977706017 -0500
19817 @@ -68,7 +68,7 @@ static irqreturn_t rb532_pata_irq_handle
19818 return IRQ_HANDLED;
19821 -static struct ata_port_operations rb532_pata_port_ops = {
19822 +static const struct ata_port_operations rb532_pata_port_ops = {
19823 .inherits = &ata_sff_port_ops,
19824 .sff_data_xfer = ata_sff_data_xfer32,
19826 diff -urNp linux-2.6.33/drivers/ata/pata_rdc.c linux-2.6.33/drivers/ata/pata_rdc.c
19827 --- linux-2.6.33/drivers/ata/pata_rdc.c 2010-02-24 13:52:17.000000000 -0500
19828 +++ linux-2.6.33/drivers/ata/pata_rdc.c 2010-03-07 12:23:35.977706017 -0500
19829 @@ -272,7 +272,7 @@ static void rdc_set_dmamode(struct ata_p
19830 pci_write_config_byte(dev, 0x48, udma_enable);
19833 -static struct ata_port_operations rdc_pata_ops = {
19834 +static const struct ata_port_operations rdc_pata_ops = {
19835 .inherits = &ata_bmdma32_port_ops,
19836 .cable_detect = rdc_pata_cable_detect,
19837 .set_piomode = rdc_set_piomode,
19838 diff -urNp linux-2.6.33/drivers/ata/pata_rz1000.c linux-2.6.33/drivers/ata/pata_rz1000.c
19839 --- linux-2.6.33/drivers/ata/pata_rz1000.c 2010-02-24 13:52:17.000000000 -0500
19840 +++ linux-2.6.33/drivers/ata/pata_rz1000.c 2010-03-07 12:23:35.977706017 -0500
19841 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
19842 ATA_PIO_SHT(DRV_NAME),
19845 -static struct ata_port_operations rz1000_port_ops = {
19846 +static const struct ata_port_operations rz1000_port_ops = {
19847 .inherits = &ata_sff_port_ops,
19848 .cable_detect = ata_cable_40wire,
19849 .set_mode = rz1000_set_mode,
19850 diff -urNp linux-2.6.33/drivers/ata/pata_sc1200.c linux-2.6.33/drivers/ata/pata_sc1200.c
19851 --- linux-2.6.33/drivers/ata/pata_sc1200.c 2010-02-24 13:52:17.000000000 -0500
19852 +++ linux-2.6.33/drivers/ata/pata_sc1200.c 2010-03-07 12:23:35.977706017 -0500
19853 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
19854 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
19857 -static struct ata_port_operations sc1200_port_ops = {
19858 +static const struct ata_port_operations sc1200_port_ops = {
19859 .inherits = &ata_bmdma_port_ops,
19860 .qc_prep = ata_sff_dumb_qc_prep,
19861 .qc_issue = sc1200_qc_issue,
19862 diff -urNp linux-2.6.33/drivers/ata/pata_scc.c linux-2.6.33/drivers/ata/pata_scc.c
19863 --- linux-2.6.33/drivers/ata/pata_scc.c 2010-02-24 13:52:17.000000000 -0500
19864 +++ linux-2.6.33/drivers/ata/pata_scc.c 2010-03-07 12:23:35.981708557 -0500
19865 @@ -965,7 +965,7 @@ static struct scsi_host_template scc_sht
19866 ATA_BMDMA_SHT(DRV_NAME),
19869 -static struct ata_port_operations scc_pata_ops = {
19870 +static const struct ata_port_operations scc_pata_ops = {
19871 .inherits = &ata_bmdma_port_ops,
19873 .set_piomode = scc_set_piomode,
19874 diff -urNp linux-2.6.33/drivers/ata/pata_sch.c linux-2.6.33/drivers/ata/pata_sch.c
19875 --- linux-2.6.33/drivers/ata/pata_sch.c 2010-02-24 13:52:17.000000000 -0500
19876 +++ linux-2.6.33/drivers/ata/pata_sch.c 2010-03-07 12:23:35.981708557 -0500
19877 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
19878 ATA_BMDMA_SHT(DRV_NAME),
19881 -static struct ata_port_operations sch_pata_ops = {
19882 +static const struct ata_port_operations sch_pata_ops = {
19883 .inherits = &ata_bmdma_port_ops,
19884 .cable_detect = ata_cable_unknown,
19885 .set_piomode = sch_set_piomode,
19886 diff -urNp linux-2.6.33/drivers/ata/pata_serverworks.c linux-2.6.33/drivers/ata/pata_serverworks.c
19887 --- linux-2.6.33/drivers/ata/pata_serverworks.c 2010-02-24 13:52:17.000000000 -0500
19888 +++ linux-2.6.33/drivers/ata/pata_serverworks.c 2010-03-07 12:23:35.981708557 -0500
19889 @@ -299,7 +299,7 @@ static struct scsi_host_template serverw
19890 ATA_BMDMA_SHT(DRV_NAME),
19893 -static struct ata_port_operations serverworks_osb4_port_ops = {
19894 +static const struct ata_port_operations serverworks_osb4_port_ops = {
19895 .inherits = &ata_bmdma_port_ops,
19896 .cable_detect = serverworks_cable_detect,
19897 .mode_filter = serverworks_osb4_filter,
19898 @@ -307,7 +307,7 @@ static struct ata_port_operations server
19899 .set_dmamode = serverworks_set_dmamode,
19902 -static struct ata_port_operations serverworks_csb_port_ops = {
19903 +static const struct ata_port_operations serverworks_csb_port_ops = {
19904 .inherits = &serverworks_osb4_port_ops,
19905 .mode_filter = serverworks_csb_filter,
19907 diff -urNp linux-2.6.33/drivers/ata/pata_sil680.c linux-2.6.33/drivers/ata/pata_sil680.c
19908 --- linux-2.6.33/drivers/ata/pata_sil680.c 2010-02-24 13:52:17.000000000 -0500
19909 +++ linux-2.6.33/drivers/ata/pata_sil680.c 2010-03-07 12:23:35.981708557 -0500
19910 @@ -194,7 +194,7 @@ static struct scsi_host_template sil680_
19911 ATA_BMDMA_SHT(DRV_NAME),
19914 -static struct ata_port_operations sil680_port_ops = {
19915 +static const struct ata_port_operations sil680_port_ops = {
19916 .inherits = &ata_bmdma32_port_ops,
19917 .cable_detect = sil680_cable_detect,
19918 .set_piomode = sil680_set_piomode,
19919 diff -urNp linux-2.6.33/drivers/ata/pata_sis.c linux-2.6.33/drivers/ata/pata_sis.c
19920 --- linux-2.6.33/drivers/ata/pata_sis.c 2010-02-24 13:52:17.000000000 -0500
19921 +++ linux-2.6.33/drivers/ata/pata_sis.c 2010-03-07 12:23:35.981708557 -0500
19922 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
19923 ATA_BMDMA_SHT(DRV_NAME),
19926 -static struct ata_port_operations sis_133_for_sata_ops = {
19927 +static const struct ata_port_operations sis_133_for_sata_ops = {
19928 .inherits = &ata_bmdma_port_ops,
19929 .set_piomode = sis_133_set_piomode,
19930 .set_dmamode = sis_133_set_dmamode,
19931 .cable_detect = sis_133_cable_detect,
19934 -static struct ata_port_operations sis_base_ops = {
19935 +static const struct ata_port_operations sis_base_ops = {
19936 .inherits = &ata_bmdma_port_ops,
19937 .prereset = sis_pre_reset,
19940 -static struct ata_port_operations sis_133_ops = {
19941 +static const struct ata_port_operations sis_133_ops = {
19942 .inherits = &sis_base_ops,
19943 .set_piomode = sis_133_set_piomode,
19944 .set_dmamode = sis_133_set_dmamode,
19945 .cable_detect = sis_133_cable_detect,
19948 -static struct ata_port_operations sis_133_early_ops = {
19949 +static const struct ata_port_operations sis_133_early_ops = {
19950 .inherits = &sis_base_ops,
19951 .set_piomode = sis_100_set_piomode,
19952 .set_dmamode = sis_133_early_set_dmamode,
19953 .cable_detect = sis_66_cable_detect,
19956 -static struct ata_port_operations sis_100_ops = {
19957 +static const struct ata_port_operations sis_100_ops = {
19958 .inherits = &sis_base_ops,
19959 .set_piomode = sis_100_set_piomode,
19960 .set_dmamode = sis_100_set_dmamode,
19961 .cable_detect = sis_66_cable_detect,
19964 -static struct ata_port_operations sis_66_ops = {
19965 +static const struct ata_port_operations sis_66_ops = {
19966 .inherits = &sis_base_ops,
19967 .set_piomode = sis_old_set_piomode,
19968 .set_dmamode = sis_66_set_dmamode,
19969 .cable_detect = sis_66_cable_detect,
19972 -static struct ata_port_operations sis_old_ops = {
19973 +static const struct ata_port_operations sis_old_ops = {
19974 .inherits = &sis_base_ops,
19975 .set_piomode = sis_old_set_piomode,
19976 .set_dmamode = sis_old_set_dmamode,
19977 diff -urNp linux-2.6.33/drivers/ata/pata_sl82c105.c linux-2.6.33/drivers/ata/pata_sl82c105.c
19978 --- linux-2.6.33/drivers/ata/pata_sl82c105.c 2010-02-24 13:52:17.000000000 -0500
19979 +++ linux-2.6.33/drivers/ata/pata_sl82c105.c 2010-03-07 12:23:35.981708557 -0500
19980 @@ -231,7 +231,7 @@ static struct scsi_host_template sl82c10
19981 ATA_BMDMA_SHT(DRV_NAME),
19984 -static struct ata_port_operations sl82c105_port_ops = {
19985 +static const struct ata_port_operations sl82c105_port_ops = {
19986 .inherits = &ata_bmdma_port_ops,
19987 .qc_defer = sl82c105_qc_defer,
19988 .bmdma_start = sl82c105_bmdma_start,
19989 diff -urNp linux-2.6.33/drivers/ata/pata_triflex.c linux-2.6.33/drivers/ata/pata_triflex.c
19990 --- linux-2.6.33/drivers/ata/pata_triflex.c 2010-02-24 13:52:17.000000000 -0500
19991 +++ linux-2.6.33/drivers/ata/pata_triflex.c 2010-03-07 12:23:35.981708557 -0500
19992 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
19993 ATA_BMDMA_SHT(DRV_NAME),
19996 -static struct ata_port_operations triflex_port_ops = {
19997 +static const struct ata_port_operations triflex_port_ops = {
19998 .inherits = &ata_bmdma_port_ops,
19999 .bmdma_start = triflex_bmdma_start,
20000 .bmdma_stop = triflex_bmdma_stop,
20001 diff -urNp linux-2.6.33/drivers/ata/pata_via.c linux-2.6.33/drivers/ata/pata_via.c
20002 --- linux-2.6.33/drivers/ata/pata_via.c 2010-02-24 13:52:17.000000000 -0500
20003 +++ linux-2.6.33/drivers/ata/pata_via.c 2010-03-07 12:23:35.981708557 -0500
20004 @@ -452,7 +452,7 @@ static struct scsi_host_template via_sht
20005 ATA_BMDMA_SHT(DRV_NAME),
20008 -static struct ata_port_operations via_port_ops = {
20009 +static const struct ata_port_operations via_port_ops = {
20010 .inherits = &ata_bmdma_port_ops,
20011 .cable_detect = via_cable_detect,
20012 .set_piomode = via_set_piomode,
20013 @@ -463,7 +463,7 @@ static struct ata_port_operations via_po
20014 .mode_filter = via_mode_filter,
20017 -static struct ata_port_operations via_port_ops_noirq = {
20018 +static const struct ata_port_operations via_port_ops_noirq = {
20019 .inherits = &via_port_ops,
20020 .sff_data_xfer = ata_sff_data_xfer_noirq,
20022 diff -urNp linux-2.6.33/drivers/ata/pata_winbond.c linux-2.6.33/drivers/ata/pata_winbond.c
20023 --- linux-2.6.33/drivers/ata/pata_winbond.c 2010-02-24 13:52:17.000000000 -0500
20024 +++ linux-2.6.33/drivers/ata/pata_winbond.c 2010-03-07 12:23:35.981708557 -0500
20025 @@ -125,7 +125,7 @@ static struct scsi_host_template winbond
20026 ATA_PIO_SHT(DRV_NAME),
20029 -static struct ata_port_operations winbond_port_ops = {
20030 +static const struct ata_port_operations winbond_port_ops = {
20031 .inherits = &ata_sff_port_ops,
20032 .sff_data_xfer = winbond_data_xfer,
20033 .cable_detect = ata_cable_40wire,
20034 diff -urNp linux-2.6.33/drivers/ata/pdc_adma.c linux-2.6.33/drivers/ata/pdc_adma.c
20035 --- linux-2.6.33/drivers/ata/pdc_adma.c 2010-02-24 13:52:17.000000000 -0500
20036 +++ linux-2.6.33/drivers/ata/pdc_adma.c 2010-03-07 12:23:35.981708557 -0500
20037 @@ -145,7 +145,7 @@ static struct scsi_host_template adma_at
20038 .dma_boundary = ADMA_DMA_BOUNDARY,
20041 -static struct ata_port_operations adma_ata_ops = {
20042 +static const struct ata_port_operations adma_ata_ops = {
20043 .inherits = &ata_sff_port_ops,
20045 .lost_interrupt = ATA_OP_NULL,
20046 diff -urNp linux-2.6.33/drivers/ata/sata_fsl.c linux-2.6.33/drivers/ata/sata_fsl.c
20047 --- linux-2.6.33/drivers/ata/sata_fsl.c 2010-02-24 13:52:17.000000000 -0500
20048 +++ linux-2.6.33/drivers/ata/sata_fsl.c 2010-03-07 12:23:35.981708557 -0500
20049 @@ -1260,7 +1260,7 @@ static struct scsi_host_template sata_fs
20050 .dma_boundary = ATA_DMA_BOUNDARY,
20053 -static struct ata_port_operations sata_fsl_ops = {
20054 +static const struct ata_port_operations sata_fsl_ops = {
20055 .inherits = &sata_pmp_port_ops,
20057 .qc_defer = ata_std_qc_defer,
20058 diff -urNp linux-2.6.33/drivers/ata/sata_inic162x.c linux-2.6.33/drivers/ata/sata_inic162x.c
20059 --- linux-2.6.33/drivers/ata/sata_inic162x.c 2010-02-24 13:52:17.000000000 -0500
20060 +++ linux-2.6.33/drivers/ata/sata_inic162x.c 2010-03-07 12:23:35.981708557 -0500
20061 @@ -721,7 +721,7 @@ static int inic_port_start(struct ata_po
20065 -static struct ata_port_operations inic_port_ops = {
20066 +static const struct ata_port_operations inic_port_ops = {
20067 .inherits = &sata_port_ops,
20069 .check_atapi_dma = inic_check_atapi_dma,
20070 diff -urNp linux-2.6.33/drivers/ata/sata_mv.c linux-2.6.33/drivers/ata/sata_mv.c
20071 --- linux-2.6.33/drivers/ata/sata_mv.c 2010-02-24 13:52:17.000000000 -0500
20072 +++ linux-2.6.33/drivers/ata/sata_mv.c 2010-03-07 12:23:35.981708557 -0500
20073 @@ -662,7 +662,7 @@ static struct scsi_host_template mv6_sht
20074 .dma_boundary = MV_DMA_BOUNDARY,
20077 -static struct ata_port_operations mv5_ops = {
20078 +static const struct ata_port_operations mv5_ops = {
20079 .inherits = &ata_sff_port_ops,
20081 .lost_interrupt = ATA_OP_NULL,
20082 @@ -684,7 +684,7 @@ static struct ata_port_operations mv5_op
20083 .port_stop = mv_port_stop,
20086 -static struct ata_port_operations mv6_ops = {
20087 +static const struct ata_port_operations mv6_ops = {
20088 .inherits = &mv5_ops,
20089 .dev_config = mv6_dev_config,
20090 .scr_read = mv_scr_read,
20091 @@ -704,7 +704,7 @@ static struct ata_port_operations mv6_op
20092 .bmdma_status = mv_bmdma_status,
20095 -static struct ata_port_operations mv_iie_ops = {
20096 +static const struct ata_port_operations mv_iie_ops = {
20097 .inherits = &mv6_ops,
20098 .dev_config = ATA_OP_NULL,
20099 .qc_prep = mv_qc_prep_iie,
20100 diff -urNp linux-2.6.33/drivers/ata/sata_nv.c linux-2.6.33/drivers/ata/sata_nv.c
20101 --- linux-2.6.33/drivers/ata/sata_nv.c 2010-02-24 13:52:17.000000000 -0500
20102 +++ linux-2.6.33/drivers/ata/sata_nv.c 2010-03-07 12:23:35.981708557 -0500
20103 @@ -464,7 +464,7 @@ static struct scsi_host_template nv_swnc
20104 * cases. Define nv_hardreset() which only kicks in for post-boot
20105 * probing and use it for all variants.
20107 -static struct ata_port_operations nv_generic_ops = {
20108 +static const struct ata_port_operations nv_generic_ops = {
20109 .inherits = &ata_bmdma_port_ops,
20110 .lost_interrupt = ATA_OP_NULL,
20111 .scr_read = nv_scr_read,
20112 @@ -472,20 +472,20 @@ static struct ata_port_operations nv_gen
20113 .hardreset = nv_hardreset,
20116 -static struct ata_port_operations nv_nf2_ops = {
20117 +static const struct ata_port_operations nv_nf2_ops = {
20118 .inherits = &nv_generic_ops,
20119 .freeze = nv_nf2_freeze,
20120 .thaw = nv_nf2_thaw,
20123 -static struct ata_port_operations nv_ck804_ops = {
20124 +static const struct ata_port_operations nv_ck804_ops = {
20125 .inherits = &nv_generic_ops,
20126 .freeze = nv_ck804_freeze,
20127 .thaw = nv_ck804_thaw,
20128 .host_stop = nv_ck804_host_stop,
20131 -static struct ata_port_operations nv_adma_ops = {
20132 +static const struct ata_port_operations nv_adma_ops = {
20133 .inherits = &nv_ck804_ops,
20135 .check_atapi_dma = nv_adma_check_atapi_dma,
20136 @@ -509,7 +509,7 @@ static struct ata_port_operations nv_adm
20137 .host_stop = nv_adma_host_stop,
20140 -static struct ata_port_operations nv_swncq_ops = {
20141 +static const struct ata_port_operations nv_swncq_ops = {
20142 .inherits = &nv_generic_ops,
20144 .qc_defer = ata_std_qc_defer,
20145 diff -urNp linux-2.6.33/drivers/ata/sata_promise.c linux-2.6.33/drivers/ata/sata_promise.c
20146 --- linux-2.6.33/drivers/ata/sata_promise.c 2010-02-24 13:52:17.000000000 -0500
20147 +++ linux-2.6.33/drivers/ata/sata_promise.c 2010-03-07 12:23:35.981708557 -0500
20148 @@ -195,7 +195,7 @@ static const struct ata_port_operations
20149 .error_handler = pdc_error_handler,
20152 -static struct ata_port_operations pdc_sata_ops = {
20153 +static const struct ata_port_operations pdc_sata_ops = {
20154 .inherits = &pdc_common_ops,
20155 .cable_detect = pdc_sata_cable_detect,
20156 .freeze = pdc_sata_freeze,
20157 @@ -208,14 +208,14 @@ static struct ata_port_operations pdc_sa
20159 /* First-generation chips need a more restrictive ->check_atapi_dma op,
20160 and ->freeze/thaw that ignore the hotplug controls. */
20161 -static struct ata_port_operations pdc_old_sata_ops = {
20162 +static const struct ata_port_operations pdc_old_sata_ops = {
20163 .inherits = &pdc_sata_ops,
20164 .freeze = pdc_freeze,
20166 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
20169 -static struct ata_port_operations pdc_pata_ops = {
20170 +static const struct ata_port_operations pdc_pata_ops = {
20171 .inherits = &pdc_common_ops,
20172 .cable_detect = pdc_pata_cable_detect,
20173 .freeze = pdc_freeze,
20174 diff -urNp linux-2.6.33/drivers/ata/sata_qstor.c linux-2.6.33/drivers/ata/sata_qstor.c
20175 --- linux-2.6.33/drivers/ata/sata_qstor.c 2010-02-24 13:52:17.000000000 -0500
20176 +++ linux-2.6.33/drivers/ata/sata_qstor.c 2010-03-07 12:23:35.985647175 -0500
20177 @@ -132,7 +132,7 @@ static struct scsi_host_template qs_ata_
20178 .dma_boundary = QS_DMA_BOUNDARY,
20181 -static struct ata_port_operations qs_ata_ops = {
20182 +static const struct ata_port_operations qs_ata_ops = {
20183 .inherits = &ata_sff_port_ops,
20185 .check_atapi_dma = qs_check_atapi_dma,
20186 diff -urNp linux-2.6.33/drivers/ata/sata_sil24.c linux-2.6.33/drivers/ata/sata_sil24.c
20187 --- linux-2.6.33/drivers/ata/sata_sil24.c 2010-02-24 13:52:17.000000000 -0500
20188 +++ linux-2.6.33/drivers/ata/sata_sil24.c 2010-03-07 12:23:35.985647175 -0500
20189 @@ -388,7 +388,7 @@ static struct scsi_host_template sil24_s
20190 .dma_boundary = ATA_DMA_BOUNDARY,
20193 -static struct ata_port_operations sil24_ops = {
20194 +static const struct ata_port_operations sil24_ops = {
20195 .inherits = &sata_pmp_port_ops,
20197 .qc_defer = sil24_qc_defer,
20198 diff -urNp linux-2.6.33/drivers/ata/sata_sil.c linux-2.6.33/drivers/ata/sata_sil.c
20199 --- linux-2.6.33/drivers/ata/sata_sil.c 2010-02-24 13:52:17.000000000 -0500
20200 +++ linux-2.6.33/drivers/ata/sata_sil.c 2010-03-07 12:23:35.985647175 -0500
20201 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
20202 .sg_tablesize = ATA_MAX_PRD
20205 -static struct ata_port_operations sil_ops = {
20206 +static const struct ata_port_operations sil_ops = {
20207 .inherits = &ata_bmdma32_port_ops,
20208 .dev_config = sil_dev_config,
20209 .set_mode = sil_set_mode,
20210 diff -urNp linux-2.6.33/drivers/ata/sata_sis.c linux-2.6.33/drivers/ata/sata_sis.c
20211 --- linux-2.6.33/drivers/ata/sata_sis.c 2010-02-24 13:52:17.000000000 -0500
20212 +++ linux-2.6.33/drivers/ata/sata_sis.c 2010-03-07 12:23:35.985647175 -0500
20213 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
20214 ATA_BMDMA_SHT(DRV_NAME),
20217 -static struct ata_port_operations sis_ops = {
20218 +static const struct ata_port_operations sis_ops = {
20219 .inherits = &ata_bmdma_port_ops,
20220 .scr_read = sis_scr_read,
20221 .scr_write = sis_scr_write,
20222 diff -urNp linux-2.6.33/drivers/ata/sata_svw.c linux-2.6.33/drivers/ata/sata_svw.c
20223 --- linux-2.6.33/drivers/ata/sata_svw.c 2010-02-24 13:52:17.000000000 -0500
20224 +++ linux-2.6.33/drivers/ata/sata_svw.c 2010-03-07 12:23:35.985647175 -0500
20225 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
20229 -static struct ata_port_operations k2_sata_ops = {
20230 +static const struct ata_port_operations k2_sata_ops = {
20231 .inherits = &ata_bmdma_port_ops,
20232 .sff_tf_load = k2_sata_tf_load,
20233 .sff_tf_read = k2_sata_tf_read,
20234 diff -urNp linux-2.6.33/drivers/ata/sata_sx4.c linux-2.6.33/drivers/ata/sata_sx4.c
20235 --- linux-2.6.33/drivers/ata/sata_sx4.c 2010-02-24 13:52:17.000000000 -0500
20236 +++ linux-2.6.33/drivers/ata/sata_sx4.c 2010-03-07 12:23:35.985647175 -0500
20237 @@ -248,7 +248,7 @@ static struct scsi_host_template pdc_sat
20240 /* TODO: inherit from base port_ops after converting to new EH */
20241 -static struct ata_port_operations pdc_20621_ops = {
20242 +static const struct ata_port_operations pdc_20621_ops = {
20243 .inherits = &ata_sff_port_ops,
20245 .check_atapi_dma = pdc_check_atapi_dma,
20246 diff -urNp linux-2.6.33/drivers/ata/sata_uli.c linux-2.6.33/drivers/ata/sata_uli.c
20247 --- linux-2.6.33/drivers/ata/sata_uli.c 2010-02-24 13:52:17.000000000 -0500
20248 +++ linux-2.6.33/drivers/ata/sata_uli.c 2010-03-07 12:23:35.985647175 -0500
20249 @@ -79,7 +79,7 @@ static struct scsi_host_template uli_sht
20250 ATA_BMDMA_SHT(DRV_NAME),
20253 -static struct ata_port_operations uli_ops = {
20254 +static const struct ata_port_operations uli_ops = {
20255 .inherits = &ata_bmdma_port_ops,
20256 .scr_read = uli_scr_read,
20257 .scr_write = uli_scr_write,
20258 diff -urNp linux-2.6.33/drivers/ata/sata_via.c linux-2.6.33/drivers/ata/sata_via.c
20259 --- linux-2.6.33/drivers/ata/sata_via.c 2010-02-24 13:52:17.000000000 -0500
20260 +++ linux-2.6.33/drivers/ata/sata_via.c 2010-03-07 12:23:35.985647175 -0500
20261 @@ -112,31 +112,31 @@ static struct scsi_host_template svia_sh
20262 ATA_BMDMA_SHT(DRV_NAME),
20265 -static struct ata_port_operations svia_base_ops = {
20266 +static const struct ata_port_operations svia_base_ops = {
20267 .inherits = &ata_bmdma_port_ops,
20268 .sff_tf_load = svia_tf_load,
20271 -static struct ata_port_operations vt6420_sata_ops = {
20272 +static const struct ata_port_operations vt6420_sata_ops = {
20273 .inherits = &svia_base_ops,
20274 .freeze = svia_noop_freeze,
20275 .prereset = vt6420_prereset,
20278 -static struct ata_port_operations vt6421_pata_ops = {
20279 +static const struct ata_port_operations vt6421_pata_ops = {
20280 .inherits = &svia_base_ops,
20281 .cable_detect = vt6421_pata_cable_detect,
20282 .set_piomode = vt6421_set_pio_mode,
20283 .set_dmamode = vt6421_set_dma_mode,
20286 -static struct ata_port_operations vt6421_sata_ops = {
20287 +static const struct ata_port_operations vt6421_sata_ops = {
20288 .inherits = &svia_base_ops,
20289 .scr_read = svia_scr_read,
20290 .scr_write = svia_scr_write,
20293 -static struct ata_port_operations vt8251_ops = {
20294 +static const struct ata_port_operations vt8251_ops = {
20295 .inherits = &svia_base_ops,
20296 .hardreset = sata_std_hardreset,
20297 .scr_read = vt8251_scr_read,
20298 diff -urNp linux-2.6.33/drivers/ata/sata_vsc.c linux-2.6.33/drivers/ata/sata_vsc.c
20299 --- linux-2.6.33/drivers/ata/sata_vsc.c 2010-02-24 13:52:17.000000000 -0500
20300 +++ linux-2.6.33/drivers/ata/sata_vsc.c 2010-03-07 12:23:35.985647175 -0500
20301 @@ -306,7 +306,7 @@ static struct scsi_host_template vsc_sat
20305 -static struct ata_port_operations vsc_sata_ops = {
20306 +static const struct ata_port_operations vsc_sata_ops = {
20307 .inherits = &ata_bmdma_port_ops,
20308 /* The IRQ handling is not quite standard SFF behaviour so we
20309 cannot use the default lost interrupt handler */
20310 diff -urNp linux-2.6.33/drivers/atm/adummy.c linux-2.6.33/drivers/atm/adummy.c
20311 --- linux-2.6.33/drivers/atm/adummy.c 2010-02-24 13:52:17.000000000 -0500
20312 +++ linux-2.6.33/drivers/atm/adummy.c 2010-03-07 12:23:35.985647175 -0500
20313 @@ -77,7 +77,7 @@ adummy_send(struct atm_vcc *vcc, struct
20314 vcc->pop(vcc, skb);
20316 dev_kfree_skb_any(skb);
20317 - atomic_inc(&vcc->stats->tx);
20318 + atomic_inc_unchecked(&vcc->stats->tx);
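Review bot: Nothing at the call site says why `vcc->stats->tx` moves to `atomic_inc_unchecked()`. A one-line comment such as `/* statistics counter, may wrap; not a reference count */` would record that this is a plain counter, which is presumably why it is exempted from overflow checking. The change is also only consistent if the stats fields are declared with the matching unchecked atomic type and every reader uses the unchecked accessor, neither of which is visible here. The same applies to the `stats->tx`, `stats->rx`, `stats->rx_drop` and `stats->tx_err` increments in the ambassador.c and atmtcp.c hunks that follow. `adummy_send()` begins and ends outside this hunk.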
20322 diff -urNp linux-2.6.33/drivers/atm/ambassador.c linux-2.6.33/drivers/atm/ambassador.c
20323 --- linux-2.6.33/drivers/atm/ambassador.c 2010-02-24 13:52:17.000000000 -0500
20324 +++ linux-2.6.33/drivers/atm/ambassador.c 2010-03-07 12:23:35.985647175 -0500
20325 @@ -453,7 +453,7 @@ static void tx_complete (amb_dev * dev,
20326 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
20329 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
20330 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
20332 // free the descriptor
20334 @@ -494,7 +494,7 @@ static void rx_complete (amb_dev * dev,
20335 dump_skb ("<<<", vc, skb);
20338 - atomic_inc(&atm_vcc->stats->rx);
20339 + atomic_inc_unchecked(&atm_vcc->stats->rx);
20340 __net_timestamp(skb);
20341 // end of our responsability
20342 atm_vcc->push (atm_vcc, skb);
20343 @@ -509,7 +509,7 @@ static void rx_complete (amb_dev * dev,
20345 PRINTK (KERN_INFO, "dropped over-size frame");
20346 // should we count this?
20347 - atomic_inc(&atm_vcc->stats->rx_drop);
20348 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
20352 @@ -1341,7 +1341,7 @@ static int amb_send (struct atm_vcc * at
20355 if (check_area (skb->data, skb->len)) {
20356 - atomic_inc(&atm_vcc->stats->tx_err);
20357 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
20358 return -ENOMEM; // ?
20361 diff -urNp linux-2.6.33/drivers/atm/atmtcp.c linux-2.6.33/drivers/atm/atmtcp.c
20362 --- linux-2.6.33/drivers/atm/atmtcp.c 2010-02-24 13:52:17.000000000 -0500
20363 +++ linux-2.6.33/drivers/atm/atmtcp.c 2010-03-07 12:23:35.985647175 -0500
20364 @@ -206,7 +206,7 @@ static int atmtcp_v_send(struct atm_vcc
20365 if (vcc->pop) vcc->pop(vcc,skb);
20366 else dev_kfree_skb(skb);
20367 if (dev_data) return 0;
20368 - atomic_inc(&vcc->stats->tx_err);
20369 + atomic_inc_unchecked(&vcc->stats->tx_err);
20372 size = skb->len+sizeof(struct atmtcp_hdr);
20373 @@ -214,7 +214,7 @@ static int atmtcp_v_send(struct atm_vcc
20375 if (vcc->pop) vcc->pop(vcc,skb);
20376 else dev_kfree_skb(skb);
20377 - atomic_inc(&vcc->stats->tx_err);
20378 + atomic_inc_unchecked(&vcc->stats->tx_err);
20381 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
20382 @@ -225,8 +225,8 @@ static int atmtcp_v_send(struct atm_vcc
20383 if (vcc->pop) vcc->pop(vcc,skb);
20384 else dev_kfree_skb(skb);
20385 out_vcc->push(out_vcc,new_skb);
20386 - atomic_inc(&vcc->stats->tx);
20387 - atomic_inc(&out_vcc->stats->rx);
20388 + atomic_inc_unchecked(&vcc->stats->tx);
20389 + atomic_inc_unchecked(&out_vcc->stats->rx);
20393 @@ -300,7 +300,7 @@ static int atmtcp_c_send(struct atm_vcc
20394 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
20395 read_unlock(&vcc_sklist_lock);
20397 - atomic_inc(&vcc->stats->tx_err);
20398 + atomic_inc_unchecked(&vcc->stats->tx_err);
20401 skb_pull(skb,sizeof(struct atmtcp_hdr));
20402 @@ -312,8 +312,8 @@ static int atmtcp_c_send(struct atm_vcc
20403 __net_timestamp(new_skb);
20404 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
20405 out_vcc->push(out_vcc,new_skb);
20406 - atomic_inc(&vcc->stats->tx);
20407 - atomic_inc(&out_vcc->stats->rx);
20408 + atomic_inc_unchecked(&vcc->stats->tx);
20409 + atomic_inc_unchecked(&out_vcc->stats->rx);
20411 if (vcc->pop) vcc->pop(vcc,skb);
20412 else dev_kfree_skb(skb);
20413 diff -urNp linux-2.6.33/drivers/atm/eni.c linux-2.6.33/drivers/atm/eni.c
20414 --- linux-2.6.33/drivers/atm/eni.c 2010-02-24 13:52:17.000000000 -0500
20415 +++ linux-2.6.33/drivers/atm/eni.c 2010-03-07 12:23:35.985647175 -0500
20416 @@ -525,7 +525,7 @@ static int rx_aal0(struct atm_vcc *vcc)
20417 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
20420 - atomic_inc(&vcc->stats->rx_err);
20421 + atomic_inc_unchecked(&vcc->stats->rx_err);
20424 length = ATM_CELL_SIZE-1; /* no HEC */
20425 @@ -580,7 +580,7 @@ static int rx_aal5(struct atm_vcc *vcc)
20429 - atomic_inc(&vcc->stats->rx_err);
20430 + atomic_inc_unchecked(&vcc->stats->rx_err);
20433 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
20434 @@ -597,7 +597,7 @@ static int rx_aal5(struct atm_vcc *vcc)
20435 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
20436 vcc->dev->number,vcc->vci,length,size << 2,descr);
20438 - atomic_inc(&vcc->stats->rx_err);
20439 + atomic_inc_unchecked(&vcc->stats->rx_err);
20442 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
20443 @@ -770,7 +770,7 @@ rx_dequeued++;
20444 vcc->push(vcc,skb);
20447 - atomic_inc(&vcc->stats->rx);
20448 + atomic_inc_unchecked(&vcc->stats->rx);
20450 wake_up(&eni_dev->rx_wait);
20452 @@ -1227,7 +1227,7 @@ static void dequeue_tx(struct atm_dev *d
20454 if (vcc->pop) vcc->pop(vcc,skb);
20455 else dev_kfree_skb_irq(skb);
20456 - atomic_inc(&vcc->stats->tx);
20457 + atomic_inc_unchecked(&vcc->stats->tx);
20458 wake_up(&eni_dev->tx_wait);
20461 diff -urNp linux-2.6.33/drivers/atm/firestream.c linux-2.6.33/drivers/atm/firestream.c
20462 --- linux-2.6.33/drivers/atm/firestream.c 2010-02-24 13:52:17.000000000 -0500
20463 +++ linux-2.6.33/drivers/atm/firestream.c 2010-03-07 12:23:35.985647175 -0500
20464 @@ -748,7 +748,7 @@ static void process_txdone_queue (struct
20468 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
20469 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
20471 fs_dprintk (FS_DEBUG_TXMEM, "i");
20472 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
20473 @@ -815,7 +815,7 @@ static void process_incoming (struct fs_
20475 skb_put (skb, qe->p1 & 0xffff);
20476 ATM_SKB(skb)->vcc = atm_vcc;
20477 - atomic_inc(&atm_vcc->stats->rx);
20478 + atomic_inc_unchecked(&atm_vcc->stats->rx);
20479 __net_timestamp(skb);
20480 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
20481 atm_vcc->push (atm_vcc, skb);
20482 @@ -836,12 +836,12 @@ static void process_incoming (struct fs_
20486 - atomic_inc(&atm_vcc->stats->rx_drop);
20487 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
20489 case 0x1f: /* Reassembly abort: no buffers. */
20490 /* Silently increment error counter. */
20492 - atomic_inc(&atm_vcc->stats->rx_drop);
20493 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
20495 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
20496 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
20497 diff -urNp linux-2.6.33/drivers/atm/fore200e.c linux-2.6.33/drivers/atm/fore200e.c
20498 --- linux-2.6.33/drivers/atm/fore200e.c 2010-02-24 13:52:17.000000000 -0500
20499 +++ linux-2.6.33/drivers/atm/fore200e.c 2010-03-07 12:23:35.989712079 -0500
20500 @@ -931,9 +931,9 @@ fore200e_tx_irq(struct fore200e* fore200
20502 /* check error condition */
20503 if (*entry->status & STATUS_ERROR)
20504 - atomic_inc(&vcc->stats->tx_err);
20505 + atomic_inc_unchecked(&vcc->stats->tx_err);
20507 - atomic_inc(&vcc->stats->tx);
20508 + atomic_inc_unchecked(&vcc->stats->tx);
20512 @@ -1082,7 +1082,7 @@ fore200e_push_rpd(struct fore200e* fore2
20514 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
20516 - atomic_inc(&vcc->stats->rx_drop);
20517 + atomic_inc_unchecked(&vcc->stats->rx_drop);
20521 @@ -1125,14 +1125,14 @@ fore200e_push_rpd(struct fore200e* fore2
20523 dev_kfree_skb_any(skb);
20525 - atomic_inc(&vcc->stats->rx_drop);
20526 + atomic_inc_unchecked(&vcc->stats->rx_drop);
20530 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
20532 vcc->push(vcc, skb);
20533 - atomic_inc(&vcc->stats->rx);
20534 + atomic_inc_unchecked(&vcc->stats->rx);
20536 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
20538 @@ -1210,7 +1210,7 @@ fore200e_rx_irq(struct fore200e* fore200
20539 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
20540 fore200e->atm_dev->number,
20541 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
20542 - atomic_inc(&vcc->stats->rx_err);
20543 + atomic_inc_unchecked(&vcc->stats->rx_err);
20547 @@ -1655,7 +1655,7 @@ fore200e_send(struct atm_vcc *vcc, struc
20551 - atomic_inc(&vcc->stats->tx_err);
20552 + atomic_inc_unchecked(&vcc->stats->tx_err);
20554 fore200e->tx_sat++;
20555 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
20556 diff -urNp linux-2.6.33/drivers/atm/he.c linux-2.6.33/drivers/atm/he.c
20557 --- linux-2.6.33/drivers/atm/he.c 2010-02-24 13:52:17.000000000 -0500
20558 +++ linux-2.6.33/drivers/atm/he.c 2010-03-07 12:23:35.989712079 -0500
20559 @@ -1769,7 +1769,7 @@ he_service_rbrq(struct he_dev *he_dev, i
20561 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
20562 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
20563 - atomic_inc(&vcc->stats->rx_drop);
20564 + atomic_inc_unchecked(&vcc->stats->rx_drop);
20565 goto return_host_buffers;
20568 @@ -1802,7 +1802,7 @@ he_service_rbrq(struct he_dev *he_dev, i
20569 RBRQ_LEN_ERR(he_dev->rbrq_head)
20571 vcc->vpi, vcc->vci);
20572 - atomic_inc(&vcc->stats->rx_err);
20573 + atomic_inc_unchecked(&vcc->stats->rx_err);
20574 goto return_host_buffers;
20577 @@ -1861,7 +1861,7 @@ he_service_rbrq(struct he_dev *he_dev, i
20578 vcc->push(vcc, skb);
20579 spin_lock(&he_dev->global_lock);
20581 - atomic_inc(&vcc->stats->rx);
20582 + atomic_inc_unchecked(&vcc->stats->rx);
20584 return_host_buffers:
20586 @@ -2206,7 +2206,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
20587 tpd->vcc->pop(tpd->vcc, tpd->skb);
20589 dev_kfree_skb_any(tpd->skb);
20590 - atomic_inc(&tpd->vcc->stats->tx_err);
20591 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
20593 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
20595 @@ -2618,7 +2618,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
20596 vcc->pop(vcc, skb);
20598 dev_kfree_skb_any(skb);
20599 - atomic_inc(&vcc->stats->tx_err);
20600 + atomic_inc_unchecked(&vcc->stats->tx_err);
20604 @@ -2629,7 +2629,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
20605 vcc->pop(vcc, skb);
20607 dev_kfree_skb_any(skb);
20608 - atomic_inc(&vcc->stats->tx_err);
20609 + atomic_inc_unchecked(&vcc->stats->tx_err);
20613 @@ -2641,7 +2641,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
20614 vcc->pop(vcc, skb);
20616 dev_kfree_skb_any(skb);
20617 - atomic_inc(&vcc->stats->tx_err);
20618 + atomic_inc_unchecked(&vcc->stats->tx_err);
20619 spin_unlock_irqrestore(&he_dev->global_lock, flags);
20622 @@ -2683,7 +2683,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
20623 vcc->pop(vcc, skb);
20625 dev_kfree_skb_any(skb);
20626 - atomic_inc(&vcc->stats->tx_err);
20627 + atomic_inc_unchecked(&vcc->stats->tx_err);
20628 spin_unlock_irqrestore(&he_dev->global_lock, flags);
20631 @@ -2714,7 +2714,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
20632 __enqueue_tpd(he_dev, tpd, cid);
20633 spin_unlock_irqrestore(&he_dev->global_lock, flags);
20635 - atomic_inc(&vcc->stats->tx);
20636 + atomic_inc_unchecked(&vcc->stats->tx);
20640 diff -urNp linux-2.6.33/drivers/atm/horizon.c linux-2.6.33/drivers/atm/horizon.c
20641 --- linux-2.6.33/drivers/atm/horizon.c 2010-02-24 13:52:17.000000000 -0500
20642 +++ linux-2.6.33/drivers/atm/horizon.c 2010-03-07 12:23:35.989712079 -0500
20643 @@ -1033,7 +1033,7 @@ static void rx_schedule (hrz_dev * dev,
20645 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
20647 - atomic_inc(&vcc->stats->rx);
20648 + atomic_inc_unchecked(&vcc->stats->rx);
20649 __net_timestamp(skb);
20650 // end of our responsability
20651 vcc->push (vcc, skb);
20652 @@ -1185,7 +1185,7 @@ static void tx_schedule (hrz_dev * const
20653 dev->tx_iovec = NULL;
20656 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
20657 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
20660 hrz_kfree_skb (skb);
20661 diff -urNp linux-2.6.33/drivers/atm/idt77252.c linux-2.6.33/drivers/atm/idt77252.c
20662 --- linux-2.6.33/drivers/atm/idt77252.c 2010-02-24 13:52:17.000000000 -0500
20663 +++ linux-2.6.33/drivers/atm/idt77252.c 2010-03-07 12:23:35.989712079 -0500
20664 @@ -810,7 +810,7 @@ drain_scq(struct idt77252_dev *card, str
20666 dev_kfree_skb(skb);
20668 - atomic_inc(&vcc->stats->tx);
20669 + atomic_inc_unchecked(&vcc->stats->tx);
20672 atomic_dec(&scq->used);
20673 @@ -1073,13 +1073,13 @@ dequeue_rx(struct idt77252_dev *card, st
20674 if ((sb = dev_alloc_skb(64)) == NULL) {
20675 printk("%s: Can't allocate buffers for aal0.\n",
20677 - atomic_add(i, &vcc->stats->rx_drop);
20678 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
20681 if (!atm_charge(vcc, sb->truesize)) {
20682 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
20684 - atomic_add(i - 1, &vcc->stats->rx_drop);
20685 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
20689 @@ -1096,7 +1096,7 @@ dequeue_rx(struct idt77252_dev *card, st
20690 ATM_SKB(sb)->vcc = vcc;
20691 __net_timestamp(sb);
20692 vcc->push(vcc, sb);
20693 - atomic_inc(&vcc->stats->rx);
20694 + atomic_inc_unchecked(&vcc->stats->rx);
20696 cell += ATM_CELL_PAYLOAD;
20698 @@ -1133,13 +1133,13 @@ dequeue_rx(struct idt77252_dev *card, st
20700 card->name, len, rpp->len, readl(SAR_REG_CDC));
20701 recycle_rx_pool_skb(card, rpp);
20702 - atomic_inc(&vcc->stats->rx_err);
20703 + atomic_inc_unchecked(&vcc->stats->rx_err);
20706 if (stat & SAR_RSQE_CRC) {
20707 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
20708 recycle_rx_pool_skb(card, rpp);
20709 - atomic_inc(&vcc->stats->rx_err);
20710 + atomic_inc_unchecked(&vcc->stats->rx_err);
20713 if (skb_queue_len(&rpp->queue) > 1) {
20714 @@ -1150,7 +1150,7 @@ dequeue_rx(struct idt77252_dev *card, st
20715 RXPRINTK("%s: Can't alloc RX skb.\n",
20717 recycle_rx_pool_skb(card, rpp);
20718 - atomic_inc(&vcc->stats->rx_err);
20719 + atomic_inc_unchecked(&vcc->stats->rx_err);
20722 if (!atm_charge(vcc, skb->truesize)) {
20723 @@ -1169,7 +1169,7 @@ dequeue_rx(struct idt77252_dev *card, st
20724 __net_timestamp(skb);
20726 vcc->push(vcc, skb);
20727 - atomic_inc(&vcc->stats->rx);
20728 + atomic_inc_unchecked(&vcc->stats->rx);
20732 @@ -1191,7 +1191,7 @@ dequeue_rx(struct idt77252_dev *card, st
20733 __net_timestamp(skb);
20735 vcc->push(vcc, skb);
20736 - atomic_inc(&vcc->stats->rx);
20737 + atomic_inc_unchecked(&vcc->stats->rx);
20739 if (skb->truesize > SAR_FB_SIZE_3)
20740 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
20741 @@ -1303,14 +1303,14 @@ idt77252_rx_raw(struct idt77252_dev *car
20742 if (vcc->qos.aal != ATM_AAL0) {
20743 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
20744 card->name, vpi, vci);
20745 - atomic_inc(&vcc->stats->rx_drop);
20746 + atomic_inc_unchecked(&vcc->stats->rx_drop);
20750 if ((sb = dev_alloc_skb(64)) == NULL) {
20751 printk("%s: Can't allocate buffers for AAL0.\n",
20753 - atomic_inc(&vcc->stats->rx_err);
20754 + atomic_inc_unchecked(&vcc->stats->rx_err);
20758 @@ -1329,7 +1329,7 @@ idt77252_rx_raw(struct idt77252_dev *car
20759 ATM_SKB(sb)->vcc = vcc;
20760 __net_timestamp(sb);
20761 vcc->push(vcc, sb);
20762 - atomic_inc(&vcc->stats->rx);
20763 + atomic_inc_unchecked(&vcc->stats->rx);
20766 skb_pull(queue, 64);
20767 @@ -1954,13 +1954,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
20770 printk("%s: NULL connection in send().\n", card->name);
20771 - atomic_inc(&vcc->stats->tx_err);
20772 + atomic_inc_unchecked(&vcc->stats->tx_err);
20773 dev_kfree_skb(skb);
20776 if (!test_bit(VCF_TX, &vc->flags)) {
20777 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
20778 - atomic_inc(&vcc->stats->tx_err);
20779 + atomic_inc_unchecked(&vcc->stats->tx_err);
20780 dev_kfree_skb(skb);
20783 @@ -1972,14 +1972,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
20786 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
20787 - atomic_inc(&vcc->stats->tx_err);
20788 + atomic_inc_unchecked(&vcc->stats->tx_err);
20789 dev_kfree_skb(skb);
20793 if (skb_shinfo(skb)->nr_frags != 0) {
20794 printk("%s: No scatter-gather yet.\n", card->name);
20795 - atomic_inc(&vcc->stats->tx_err);
20796 + atomic_inc_unchecked(&vcc->stats->tx_err);
20797 dev_kfree_skb(skb);
20800 @@ -1987,7 +1987,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
20802 err = queue_skb(card, vc, skb, oam);
20804 - atomic_inc(&vcc->stats->tx_err);
20805 + atomic_inc_unchecked(&vcc->stats->tx_err);
20806 dev_kfree_skb(skb);
20809 @@ -2010,7 +2010,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
20810 skb = dev_alloc_skb(64);
20812 printk("%s: Out of memory in send_oam().\n", card->name);
20813 - atomic_inc(&vcc->stats->tx_err);
20814 + atomic_inc_unchecked(&vcc->stats->tx_err);
20817 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
20818 diff -urNp linux-2.6.33/drivers/atm/iphase.c linux-2.6.33/drivers/atm/iphase.c
20819 --- linux-2.6.33/drivers/atm/iphase.c 2010-02-24 13:52:17.000000000 -0500
20820 +++ linux-2.6.33/drivers/atm/iphase.c 2010-03-07 12:23:35.989712079 -0500
20821 @@ -1123,7 +1123,7 @@ static int rx_pkt(struct atm_dev *dev)
20822 status = (u_short) (buf_desc_ptr->desc_mode);
20823 if (status & (RX_CER | RX_PTE | RX_OFL))
20825 - atomic_inc(&vcc->stats->rx_err);
20826 + atomic_inc_unchecked(&vcc->stats->rx_err);
20827 IF_ERR(printk("IA: bad packet, dropping it");)
20828 if (status & RX_CER) {
20829 IF_ERR(printk(" cause: packet CRC error\n");)
20830 @@ -1146,7 +1146,7 @@ static int rx_pkt(struct atm_dev *dev)
20831 len = dma_addr - buf_addr;
20832 if (len > iadev->rx_buf_sz) {
20833 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
20834 - atomic_inc(&vcc->stats->rx_err);
20835 + atomic_inc_unchecked(&vcc->stats->rx_err);
20836 goto out_free_desc;
20839 @@ -1296,7 +1296,7 @@ static void rx_dle_intr(struct atm_dev *
20840 ia_vcc = INPH_IA_VCC(vcc);
20841 if (ia_vcc == NULL)
20843 - atomic_inc(&vcc->stats->rx_err);
20844 + atomic_inc_unchecked(&vcc->stats->rx_err);
20845 dev_kfree_skb_any(skb);
20846 atm_return(vcc, atm_guess_pdu2truesize(len));
20848 @@ -1308,7 +1308,7 @@ static void rx_dle_intr(struct atm_dev *
20849 if ((length > iadev->rx_buf_sz) || (length >
20850 (skb->len - sizeof(struct cpcs_trailer))))
20852 - atomic_inc(&vcc->stats->rx_err);
20853 + atomic_inc_unchecked(&vcc->stats->rx_err);
20854 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
20855 length, skb->len);)
20856 dev_kfree_skb_any(skb);
20857 @@ -1324,7 +1324,7 @@ static void rx_dle_intr(struct atm_dev *
20859 IF_RX(printk("rx_dle_intr: skb push");)
20860 vcc->push(vcc,skb);
20861 - atomic_inc(&vcc->stats->rx);
20862 + atomic_inc_unchecked(&vcc->stats->rx);
20863 iadev->rx_pkt_cnt++;
20866 @@ -2806,15 +2806,15 @@ static int ia_ioctl(struct atm_dev *dev,
20868 struct k_sonet_stats *stats;
20869 stats = &PRIV(_ia_dev[board])->sonet_stats;
20870 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
20871 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
20872 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
20873 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
20874 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
20875 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
20876 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
20877 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
20878 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
20879 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
20880 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
20881 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
20882 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
20883 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
20884 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
20885 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
20886 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
20887 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
20889 ia_cmds.status = 0;
20891 @@ -2919,7 +2919,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
20892 if ((desc == 0) || (desc > iadev->num_tx_desc))
20894 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
20895 - atomic_inc(&vcc->stats->tx);
20896 + atomic_inc_unchecked(&vcc->stats->tx);
20898 vcc->pop(vcc, skb);
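Review bot: The invalid-descriptor branch of ia_pkt_tx still bumps the success counter: right after logging `invalid desc for send`, the new line is `atomic_inc_unchecked(&vcc->stats->tx);`, so a PDU that is dropped is counted as transmitted. This looks like it was meant to be `atomic_inc_unchecked(&vcc->stats->tx_err);`, matching the error paths of the other ATM drivers touched by this patch; the conversion carries the old behaviour over unchanged. The rest of the branch lies outside the hunk, so check what it returns before changing the counter.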
20900 @@ -3024,14 +3024,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
20901 ATM_DESC(skb) = vcc->vci;
20902 skb_queue_tail(&iadev->tx_dma_q, skb);
20904 - atomic_inc(&vcc->stats->tx);
20905 + atomic_inc_unchecked(&vcc->stats->tx);
20906 iadev->tx_pkt_cnt++;
20907 /* Increment transaction counter */
20908 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
20911 /* add flow control logic */
20912 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
20913 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
20914 if (iavcc->vc_desc_cnt > 10) {
20915 vcc->tx_quota = vcc->tx_quota * 3 / 4;
20916 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
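Review bot: `vcc->stats->tx` is not purely a statistic here, because `atomic_read_unchecked(&vcc->stats->tx) % 20 == 0` gates the tx_quota adjustment, so the switch to the wrapping variant deserves a comment explaining why wrap-around is harmless. After the counter wraps to a negative value the `% 20 == 0` test still fires on every multiple of 20, so only the spacing of a single check changes. Suggested comment above the test: `/* stats->tx may wrap; only its value modulo 20 is used, as a periodic trigger */`. ia_pkt_tx continues outside the hunk.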
20917 diff -urNp linux-2.6.33/drivers/atm/lanai.c linux-2.6.33/drivers/atm/lanai.c
20918 --- linux-2.6.33/drivers/atm/lanai.c 2010-02-24 13:52:17.000000000 -0500
20919 +++ linux-2.6.33/drivers/atm/lanai.c 2010-03-07 12:23:35.989712079 -0500
20920 @@ -1305,7 +1305,7 @@ static void lanai_send_one_aal5(struct l
20921 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
20922 lanai_endtx(lanai, lvcc);
20923 lanai_free_skb(lvcc->tx.atmvcc, skb);
20924 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
20925 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
20928 /* Try to fill the buffer - don't call unless there is backlog */
20929 @@ -1428,7 +1428,7 @@ static void vcc_rx_aal5(struct lanai_vcc
20930 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
20931 __net_timestamp(skb);
20932 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
20933 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
20934 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
20936 lvcc->rx.buf.ptr = end;
20937 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
20938 @@ -1670,7 +1670,7 @@ static int handle_service(struct lanai_d
20939 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
20940 "vcc %d\n", lanai->number, (unsigned int) s, vci);
20941 lanai->stats.service_rxnotaal5++;
20942 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
20943 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
20946 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
20947 @@ -1682,7 +1682,7 @@ static int handle_service(struct lanai_d
20949 read_unlock(&vcc_sklist_lock);
20950 DPRINTK("got trashed rx pdu on vci %d\n", vci);
20951 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
20952 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
20953 lvcc->stats.x.aal5.service_trash++;
20954 bytes = (SERVICE_GET_END(s) * 16) -
20955 (((unsigned long) lvcc->rx.buf.ptr) -
20956 @@ -1694,7 +1694,7 @@ static int handle_service(struct lanai_d
20958 if (s & SERVICE_STREAM) {
20959 read_unlock(&vcc_sklist_lock);
20960 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
20961 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
20962 lvcc->stats.x.aal5.service_stream++;
20963 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
20964 "PDU on VCI %d!\n", lanai->number, vci);
20965 @@ -1702,7 +1702,7 @@ static int handle_service(struct lanai_d
20968 DPRINTK("got rx crc error on vci %d\n", vci);
20969 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
20970 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
20971 lvcc->stats.x.aal5.service_rxcrc++;
20972 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
20973 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
20974 diff -urNp linux-2.6.33/drivers/atm/nicstar.c linux-2.6.33/drivers/atm/nicstar.c
20975 --- linux-2.6.33/drivers/atm/nicstar.c 2010-02-24 13:52:17.000000000 -0500
20976 +++ linux-2.6.33/drivers/atm/nicstar.c 2010-03-07 12:23:35.993715829 -0500
20977 @@ -1723,7 +1723,7 @@ static int ns_send(struct atm_vcc *vcc,
20978 if ((vc = (vc_map *) vcc->dev_data) == NULL)
20980 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n", card->index);
20981 - atomic_inc(&vcc->stats->tx_err);
20982 + atomic_inc_unchecked(&vcc->stats->tx_err);
20983 dev_kfree_skb_any(skb);
20986 @@ -1731,7 +1731,7 @@ static int ns_send(struct atm_vcc *vcc,
20989 printk("nicstar%d: Trying to transmit on a non-tx VC.\n", card->index);
20990 - atomic_inc(&vcc->stats->tx_err);
20991 + atomic_inc_unchecked(&vcc->stats->tx_err);
20992 dev_kfree_skb_any(skb);
20995 @@ -1739,7 +1739,7 @@ static int ns_send(struct atm_vcc *vcc,
20996 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0)
20998 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n", card->index);
20999 - atomic_inc(&vcc->stats->tx_err);
21000 + atomic_inc_unchecked(&vcc->stats->tx_err);
21001 dev_kfree_skb_any(skb);
21004 @@ -1747,7 +1747,7 @@ static int ns_send(struct atm_vcc *vcc,
21005 if (skb_shinfo(skb)->nr_frags != 0)
21007 printk("nicstar%d: No scatter-gather yet.\n", card->index);
21008 - atomic_inc(&vcc->stats->tx_err);
21009 + atomic_inc_unchecked(&vcc->stats->tx_err);
21010 dev_kfree_skb_any(skb);
21013 @@ -1792,11 +1792,11 @@ static int ns_send(struct atm_vcc *vcc,
21015 if (push_scqe(card, vc, scq, &scqe, skb) != 0)
21017 - atomic_inc(&vcc->stats->tx_err);
21018 + atomic_inc_unchecked(&vcc->stats->tx_err);
21019 dev_kfree_skb_any(skb);
21022 - atomic_inc(&vcc->stats->tx);
21023 + atomic_inc_unchecked(&vcc->stats->tx);
21027 @@ -2111,14 +2111,14 @@ static void dequeue_rx(ns_dev *card, ns_
21029 printk("nicstar%d: Can't allocate buffers for aal0.\n",
21031 - atomic_add(i,&vcc->stats->rx_drop);
21032 + atomic_add_unchecked(i,&vcc->stats->rx_drop);
21035 if (!atm_charge(vcc, sb->truesize))
21037 RXPRINTK("nicstar%d: atm_charge() dropped aal0 packets.\n",
21039 - atomic_add(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
21040 + atomic_add_unchecked(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
21041 dev_kfree_skb_any(sb);
21044 @@ -2133,7 +2133,7 @@ static void dequeue_rx(ns_dev *card, ns_
21045 ATM_SKB(sb)->vcc = vcc;
21046 __net_timestamp(sb);
21047 vcc->push(vcc, sb);
21048 - atomic_inc(&vcc->stats->rx);
21049 + atomic_inc_unchecked(&vcc->stats->rx);
21050 cell += ATM_CELL_PAYLOAD;
21053 @@ -2152,7 +2152,7 @@ static void dequeue_rx(ns_dev *card, ns_
21056 printk("nicstar%d: Out of iovec buffers.\n", card->index);
21057 - atomic_inc(&vcc->stats->rx_drop);
21058 + atomic_inc_unchecked(&vcc->stats->rx_drop);
21059 recycle_rx_buf(card, skb);
21062 @@ -2182,7 +2182,7 @@ static void dequeue_rx(ns_dev *card, ns_
21063 else if (NS_SKB(iovb)->iovcnt >= NS_MAX_IOVECS)
21065 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
21066 - atomic_inc(&vcc->stats->rx_err);
21067 + atomic_inc_unchecked(&vcc->stats->rx_err);
21068 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data, NS_MAX_IOVECS);
21069 NS_SKB(iovb)->iovcnt = 0;
21071 @@ -2202,7 +2202,7 @@ static void dequeue_rx(ns_dev *card, ns_
21072 printk("nicstar%d: Expected a small buffer, and this is not one.\n",
21074 which_list(card, skb);
21075 - atomic_inc(&vcc->stats->rx_err);
21076 + atomic_inc_unchecked(&vcc->stats->rx_err);
21077 recycle_rx_buf(card, skb);
21079 recycle_iov_buf(card, iovb);
21080 @@ -2216,7 +2216,7 @@ static void dequeue_rx(ns_dev *card, ns_
21081 printk("nicstar%d: Expected a large buffer, and this is not one.\n",
21083 which_list(card, skb);
21084 - atomic_inc(&vcc->stats->rx_err);
21085 + atomic_inc_unchecked(&vcc->stats->rx_err);
21086 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
21087 NS_SKB(iovb)->iovcnt);
21089 @@ -2240,7 +2240,7 @@ static void dequeue_rx(ns_dev *card, ns_
21090 printk(" - PDU size mismatch.\n");
21093 - atomic_inc(&vcc->stats->rx_err);
21094 + atomic_inc_unchecked(&vcc->stats->rx_err);
21095 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
21096 NS_SKB(iovb)->iovcnt);
21098 @@ -2256,7 +2256,7 @@ static void dequeue_rx(ns_dev *card, ns_
21099 if (!atm_charge(vcc, skb->truesize))
21101 push_rxbufs(card, skb);
21102 - atomic_inc(&vcc->stats->rx_drop);
21103 + atomic_inc_unchecked(&vcc->stats->rx_drop);
21107 @@ -2268,7 +2268,7 @@ static void dequeue_rx(ns_dev *card, ns_
21108 ATM_SKB(skb)->vcc = vcc;
21109 __net_timestamp(skb);
21110 vcc->push(vcc, skb);
21111 - atomic_inc(&vcc->stats->rx);
21112 + atomic_inc_unchecked(&vcc->stats->rx);
21115 else if (NS_SKB(iovb)->iovcnt == 2) /* One small plus one large buffer */
21116 @@ -2283,7 +2283,7 @@ static void dequeue_rx(ns_dev *card, ns_
21117 if (!atm_charge(vcc, sb->truesize))
21119 push_rxbufs(card, sb);
21120 - atomic_inc(&vcc->stats->rx_drop);
21121 + atomic_inc_unchecked(&vcc->stats->rx_drop);
21125 @@ -2295,7 +2295,7 @@ static void dequeue_rx(ns_dev *card, ns_
21126 ATM_SKB(sb)->vcc = vcc;
21127 __net_timestamp(sb);
21128 vcc->push(vcc, sb);
21129 - atomic_inc(&vcc->stats->rx);
21130 + atomic_inc_unchecked(&vcc->stats->rx);
21133 push_rxbufs(card, skb);
21134 @@ -2306,7 +2306,7 @@ static void dequeue_rx(ns_dev *card, ns_
21135 if (!atm_charge(vcc, skb->truesize))
21137 push_rxbufs(card, skb);
21138 - atomic_inc(&vcc->stats->rx_drop);
21139 + atomic_inc_unchecked(&vcc->stats->rx_drop);
21143 @@ -2320,7 +2320,7 @@ static void dequeue_rx(ns_dev *card, ns_
21144 ATM_SKB(skb)->vcc = vcc;
21145 __net_timestamp(skb);
21146 vcc->push(vcc, skb);
21147 - atomic_inc(&vcc->stats->rx);
21148 + atomic_inc_unchecked(&vcc->stats->rx);
21151 push_rxbufs(card, sb);
21152 @@ -2342,7 +2342,7 @@ static void dequeue_rx(ns_dev *card, ns_
21155 printk("nicstar%d: Out of huge buffers.\n", card->index);
21156 - atomic_inc(&vcc->stats->rx_drop);
21157 + atomic_inc_unchecked(&vcc->stats->rx_drop);
21158 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
21159 NS_SKB(iovb)->iovcnt);
21161 @@ -2393,7 +2393,7 @@ static void dequeue_rx(ns_dev *card, ns_
21164 dev_kfree_skb_any(hb);
21165 - atomic_inc(&vcc->stats->rx_drop);
21166 + atomic_inc_unchecked(&vcc->stats->rx_drop);
21170 @@ -2427,7 +2427,7 @@ static void dequeue_rx(ns_dev *card, ns_
21171 #endif /* NS_USE_DESTRUCTORS */
21172 __net_timestamp(hb);
21173 vcc->push(vcc, hb);
21174 - atomic_inc(&vcc->stats->rx);
21175 + atomic_inc_unchecked(&vcc->stats->rx);
21179 diff -urNp linux-2.6.33/drivers/atm/solos-pci.c linux-2.6.33/drivers/atm/solos-pci.c
21180 --- linux-2.6.33/drivers/atm/solos-pci.c 2010-02-24 13:52:17.000000000 -0500
21181 +++ linux-2.6.33/drivers/atm/solos-pci.c 2010-03-07 12:23:35.993715829 -0500
21182 @@ -714,7 +714,7 @@ void solos_bh(unsigned long card_arg)
21184 atm_charge(vcc, skb->truesize);
21185 vcc->push(vcc, skb);
21186 - atomic_inc(&vcc->stats->rx);
21187 + atomic_inc_unchecked(&vcc->stats->rx);
21191 @@ -1017,7 +1017,7 @@ static uint32_t fpga_tx(struct solos_car
21192 vcc = SKB_CB(oldskb)->vcc;
21195 - atomic_inc(&vcc->stats->tx);
21196 + atomic_inc_unchecked(&vcc->stats->tx);
21197 solos_pop(vcc, oldskb);
21199 dev_kfree_skb_irq(oldskb);
21200 diff -urNp linux-2.6.33/drivers/atm/suni.c linux-2.6.33/drivers/atm/suni.c
21201 --- linux-2.6.33/drivers/atm/suni.c 2010-02-24 13:52:17.000000000 -0500
21202 +++ linux-2.6.33/drivers/atm/suni.c 2010-03-07 12:23:35.993715829 -0500
21203 @@ -49,8 +49,8 @@ static DEFINE_SPINLOCK(sunis_lock);
21206 #define ADD_LIMITED(s,v) \
21207 - atomic_add((v),&stats->s); \
21208 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
21209 + atomic_add_unchecked((v),&stats->s); \
21210 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
21213 static void suni_hz(unsigned long from_timer)
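Review bot: ADD_LIMITED detects overflow by letting the add wrap and then testing `< 0`, which is why the unchecked variants are required here, and the macro should say so: `/* saturating add: relies on the unchecked add wrapping negative, then clamps to INT_MAX */`. With an overflow-trapping add (presumably what the checked atomic_add becomes under this patch) the clamp would be unreachable. The read-then-set pair is also not atomic, so a concurrent reader can briefly observe the negative value. As a style point, the suni.c macro expands to two statements; wrapping it as `do { ... } while (0)` would keep it correct under an unbraced `if`. The same comment applies to ADD_LIMITED in uPD98402.c, which is already braced.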
21214 diff -urNp linux-2.6.33/drivers/atm/uPD98402.c linux-2.6.33/drivers/atm/uPD98402.c
21215 --- linux-2.6.33/drivers/atm/uPD98402.c 2010-02-24 13:52:17.000000000 -0500
21216 +++ linux-2.6.33/drivers/atm/uPD98402.c 2010-03-07 12:23:35.993715829 -0500
21217 @@ -41,7 +41,7 @@ static int fetch_stats(struct atm_dev *d
21218 struct sonet_stats tmp;
21221 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
21222 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
21223 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
21224 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
21225 if (zero && !error) {
21226 @@ -160,9 +160,9 @@ static int uPD98402_ioctl(struct atm_dev
21229 #define ADD_LIMITED(s,v) \
21230 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
21231 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
21232 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
21233 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
21234 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
21235 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
21238 static void stat_event(struct atm_dev *dev)
21239 @@ -193,7 +193,7 @@ static void uPD98402_int(struct atm_dev
21240 if (reason & uPD98402_INT_PFM) stat_event(dev);
21241 if (reason & uPD98402_INT_PCO) {
21242 (void) GET(PCOCR); /* clear interrupt cause */
21243 - atomic_add(GET(HECCT),
21244 + atomic_add_unchecked(GET(HECCT),
21245 &PRIV(dev)->sonet_stats.uncorr_hcs);
21247 if ((reason & uPD98402_INT_RFO) &&
21248 @@ -221,9 +221,9 @@ static int uPD98402_start(struct atm_dev
21249 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
21250 uPD98402_INT_LOS),PIMR); /* enable them */
21251 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
21252 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
21253 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
21254 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
21255 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
21256 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
21257 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
21261 diff -urNp linux-2.6.33/drivers/atm/zatm.c linux-2.6.33/drivers/atm/zatm.c
21262 --- linux-2.6.33/drivers/atm/zatm.c 2010-02-24 13:52:17.000000000 -0500
21263 +++ linux-2.6.33/drivers/atm/zatm.c 2010-03-07 12:23:35.993715829 -0500
21264 @@ -458,7 +458,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
21267 dev_kfree_skb_irq(skb);
21268 - if (vcc) atomic_inc(&vcc->stats->rx_err);
21269 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
21272 if (!atm_charge(vcc,skb->truesize)) {
21273 @@ -468,7 +468,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
21275 ATM_SKB(skb)->vcc = vcc;
21276 vcc->push(vcc,skb);
21277 - atomic_inc(&vcc->stats->rx);
21278 + atomic_inc_unchecked(&vcc->stats->rx);
21280 zout(pos & 0xffff,MTA(mbx));
21281 #if 0 /* probably a stupid idea */
21282 @@ -732,7 +732,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
21283 skb_queue_head(&zatm_vcc->backlog,skb);
21286 - atomic_inc(&vcc->stats->tx);
21287 + atomic_inc_unchecked(&vcc->stats->tx);
21288 wake_up(&zatm_vcc->tx_wait);
21291 diff -urNp linux-2.6.33/drivers/base/bus.c linux-2.6.33/drivers/base/bus.c
21292 --- linux-2.6.33/drivers/base/bus.c 2010-02-24 13:52:17.000000000 -0500
21293 +++ linux-2.6.33/drivers/base/bus.c 2010-03-07 12:23:35.993715829 -0500
21294 @@ -70,7 +70,7 @@ static ssize_t drv_attr_store(struct kob
21298 -static struct sysfs_ops driver_sysfs_ops = {
21299 +static const struct sysfs_ops driver_sysfs_ops = {
21300 .show = drv_attr_show,
21301 .store = drv_attr_store,
21303 @@ -115,7 +115,7 @@ static ssize_t bus_attr_store(struct kob
21307 -static struct sysfs_ops bus_sysfs_ops = {
21308 +static const struct sysfs_ops bus_sysfs_ops = {
21309 .show = bus_attr_show,
21310 .store = bus_attr_store,
21312 @@ -154,7 +154,7 @@ static int bus_uevent_filter(struct kset
21316 -static struct kset_uevent_ops bus_uevent_ops = {
21317 +static const struct kset_uevent_ops bus_uevent_ops = {
21318 .filter = bus_uevent_filter,
21321 diff -urNp linux-2.6.33/drivers/base/class.c linux-2.6.33/drivers/base/class.c
21322 --- linux-2.6.33/drivers/base/class.c 2010-02-24 13:52:17.000000000 -0500
21323 +++ linux-2.6.33/drivers/base/class.c 2010-03-07 12:23:35.993715829 -0500
21324 @@ -63,7 +63,7 @@ static void class_release(struct kobject
21328 -static struct sysfs_ops class_sysfs_ops = {
21329 +static const struct sysfs_ops class_sysfs_ops = {
21330 .show = class_attr_show,
21331 .store = class_attr_store,
21333 diff -urNp linux-2.6.33/drivers/base/core.c linux-2.6.33/drivers/base/core.c
21334 --- linux-2.6.33/drivers/base/core.c 2010-02-24 13:52:17.000000000 -0500
21335 +++ linux-2.6.33/drivers/base/core.c 2010-03-07 12:23:35.993715829 -0500
21336 @@ -100,7 +100,7 @@ static ssize_t dev_attr_store(struct kob
21340 -static struct sysfs_ops dev_sysfs_ops = {
21341 +static const struct sysfs_ops dev_sysfs_ops = {
21342 .show = dev_attr_show,
21343 .store = dev_attr_store,
21345 @@ -252,7 +252,7 @@ static int dev_uevent(struct kset *kset,
21349 -static struct kset_uevent_ops device_uevent_ops = {
21350 +static const struct kset_uevent_ops device_uevent_ops = {
21351 .filter = dev_uevent_filter,
21352 .name = dev_uevent_name,
21353 .uevent = dev_uevent,
21354 diff -urNp linux-2.6.33/drivers/base/memory.c linux-2.6.33/drivers/base/memory.c
21355 --- linux-2.6.33/drivers/base/memory.c 2010-02-24 13:52:17.000000000 -0500
21356 +++ linux-2.6.33/drivers/base/memory.c 2010-03-07 12:23:35.993715829 -0500
21357 @@ -44,7 +44,7 @@ static int memory_uevent(struct kset *ks
21361 -static struct kset_uevent_ops memory_uevent_ops = {
21362 +static const struct kset_uevent_ops memory_uevent_ops = {
21363 .name = memory_uevent_name,
21364 .uevent = memory_uevent,
21366 diff -urNp linux-2.6.33/drivers/base/sys.c linux-2.6.33/drivers/base/sys.c
21367 --- linux-2.6.33/drivers/base/sys.c 2010-02-24 13:52:17.000000000 -0500
21368 +++ linux-2.6.33/drivers/base/sys.c 2010-03-07 12:23:35.993715829 -0500
21369 @@ -54,7 +54,7 @@ sysdev_store(struct kobject *kobj, struc
21373 -static struct sysfs_ops sysfs_ops = {
21374 +static const struct sysfs_ops sysfs_ops = {
21375 .show = sysdev_show,
21376 .store = sysdev_store,
21378 @@ -104,7 +104,7 @@ static ssize_t sysdev_class_store(struct
21382 -static struct sysfs_ops sysfs_class_ops = {
21383 +static const struct sysfs_ops sysfs_class_ops = {
21384 .show = sysdev_class_show,
21385 .store = sysdev_class_store,
21387 diff -urNp linux-2.6.33/drivers/block/pktcdvd.c linux-2.6.33/drivers/block/pktcdvd.c
21388 --- linux-2.6.33/drivers/block/pktcdvd.c 2010-02-24 13:52:17.000000000 -0500
21389 +++ linux-2.6.33/drivers/block/pktcdvd.c 2010-03-07 12:23:35.993715829 -0500
21390 @@ -284,7 +284,7 @@ static ssize_t kobj_pkt_store(struct kob
21394 -static struct sysfs_ops kobj_pkt_ops = {
21395 +static const struct sysfs_ops kobj_pkt_ops = {
21396 .show = kobj_pkt_show,
21397 .store = kobj_pkt_store
21399 diff -urNp linux-2.6.33/drivers/char/agp/frontend.c linux-2.6.33/drivers/char/agp/frontend.c
21400 --- linux-2.6.33/drivers/char/agp/frontend.c 2010-02-24 13:52:17.000000000 -0500
21401 +++ linux-2.6.33/drivers/char/agp/frontend.c 2010-03-07 12:23:35.993715829 -0500
21402 @@ -818,7 +818,7 @@ static int agpioc_reserve_wrap(struct ag
21403 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
21406 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
21407 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
21410 client = agp_find_client_by_pid(reserve.pid);
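Review bot: The overflow guard on `reserve.seg_count` now divides by `sizeof(struct agp_segment_priv)`, which bounds both size computations only if that struct is at least as large as `struct agp_segment`. The allocations themselves are outside this hunk, so that relationship is inferred. A compile-time assertion next to the check, e.g. `BUILD_BUG_ON(sizeof(struct agp_segment_priv) < sizeof(struct agp_segment));`, would keep the bound valid if either layout changes. `seg_count` arrives from user space through `copy_from_user()`, so the assumption is worth stating in a comment as well.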
21411 diff -urNp linux-2.6.33/drivers/char/agp/intel-agp.c linux-2.6.33/drivers/char/agp/intel-agp.c
21412 --- linux-2.6.33/drivers/char/agp/intel-agp.c 2010-02-24 13:52:17.000000000 -0500
21413 +++ linux-2.6.33/drivers/char/agp/intel-agp.c 2010-03-07 12:23:35.997708726 -0500
21414 @@ -2575,7 +2575,7 @@ static struct pci_device_id agp_intel_pc
21415 ID(PCI_DEVICE_ID_INTEL_IRONLAKE_M_HB),
21416 ID(PCI_DEVICE_ID_INTEL_IRONLAKE_MA_HB),
21417 ID(PCI_DEVICE_ID_INTEL_IRONLAKE_MC2_HB),
21419 + { 0, 0, 0, 0, 0, 0, 0 }
21422 MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
21423 diff -urNp linux-2.6.33/drivers/char/hpet.c linux-2.6.33/drivers/char/hpet.c
21424 --- linux-2.6.33/drivers/char/hpet.c 2010-02-24 13:52:17.000000000 -0500
21425 +++ linux-2.6.33/drivers/char/hpet.c 2010-03-07 12:23:35.997708726 -0500
21426 @@ -995,7 +995,7 @@ static struct acpi_driver hpet_acpi_driv
21430 -static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
21431 +static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
21433 static int __init hpet_init(void)
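Review bot: The positional initializer for `hpet_misc` now spells out six members in declaration order, which silently mis-assigns values if `struct miscdevice` gains or reorders a field. Designated initializers avoid that and leave the remaining members zeroed: `static struct miscdevice hpet_misc = { .minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops };`.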
21435 diff -urNp linux-2.6.33/drivers/char/hvc_beat.c linux-2.6.33/drivers/char/hvc_beat.c
21436 --- linux-2.6.33/drivers/char/hvc_beat.c 2010-02-24 13:52:17.000000000 -0500
21437 +++ linux-2.6.33/drivers/char/hvc_beat.c 2010-03-07 12:23:35.997708726 -0500
21438 @@ -84,7 +84,7 @@ static int hvc_beat_put_chars(uint32_t v
21442 -static struct hv_ops hvc_beat_get_put_ops = {
21443 +static const struct hv_ops hvc_beat_get_put_ops = {
21444 .get_chars = hvc_beat_get_chars,
21445 .put_chars = hvc_beat_put_chars,
21447 diff -urNp linux-2.6.33/drivers/char/hvc_console.c linux-2.6.33/drivers/char/hvc_console.c
21448 --- linux-2.6.33/drivers/char/hvc_console.c 2010-02-24 13:52:17.000000000 -0500
21449 +++ linux-2.6.33/drivers/char/hvc_console.c 2010-03-07 12:23:35.997708726 -0500
21450 @@ -125,7 +125,7 @@ static struct hvc_struct *hvc_get_by_ind
21451 * console interfaces but can still be used as a tty device. This has to be
21452 * static because kmalloc will not work during early console init.
21454 -static struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
21455 +static const struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
21456 static uint32_t vtermnos[MAX_NR_HVC_CONSOLES] =
21457 {[0 ... MAX_NR_HVC_CONSOLES - 1] = -1};
21459 @@ -247,7 +247,7 @@ static void destroy_hvc_struct(struct kr
21460 * vty adapters do NOT get an hvc_instantiate() callback since they
21461 * appear after early console init.
21463 -int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops)
21464 +int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops)
21466 struct hvc_struct *hp;
21468 @@ -749,7 +749,7 @@ static const struct tty_operations hvc_o
21471 struct hvc_struct __devinit *hvc_alloc(uint32_t vtermno, int data,
21472 - struct hv_ops *ops, int outbuf_size)
21473 + const struct hv_ops *ops, int outbuf_size)
21475 struct hvc_struct *hp;
21477 diff -urNp linux-2.6.33/drivers/char/hvc_console.h linux-2.6.33/drivers/char/hvc_console.h
21478 --- linux-2.6.33/drivers/char/hvc_console.h 2010-02-24 13:52:17.000000000 -0500
21479 +++ linux-2.6.33/drivers/char/hvc_console.h 2010-03-07 12:23:35.997708726 -0500
21480 @@ -55,7 +55,7 @@ struct hvc_struct {
21484 - struct hv_ops *ops;
21485 + const struct hv_ops *ops;
21489 @@ -76,11 +76,11 @@ struct hv_ops {
21492 /* Register a vterm and a slot index for use as a console (console_init) */
21493 -extern int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops);
21494 +extern int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops);
21496 /* register a vterm for hvc tty operation (module_init or hotplug add) */
21497 extern struct hvc_struct * __devinit hvc_alloc(uint32_t vtermno, int data,
21498 - struct hv_ops *ops, int outbuf_size);
21499 + const struct hv_ops *ops, int outbuf_size);
21500 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
21501 extern int hvc_remove(struct hvc_struct *hp);
21503 diff -urNp linux-2.6.33/drivers/char/hvc_iseries.c linux-2.6.33/drivers/char/hvc_iseries.c
21504 --- linux-2.6.33/drivers/char/hvc_iseries.c 2010-02-24 13:52:17.000000000 -0500
21505 +++ linux-2.6.33/drivers/char/hvc_iseries.c 2010-03-07 12:23:35.997708726 -0500
21506 @@ -197,7 +197,7 @@ done:
21510 -static struct hv_ops hvc_get_put_ops = {
21511 +static const struct hv_ops hvc_get_put_ops = {
21512 .get_chars = get_chars,
21513 .put_chars = put_chars,
21514 .notifier_add = notifier_add_irq,
21515 diff -urNp linux-2.6.33/drivers/char/hvc_iucv.c linux-2.6.33/drivers/char/hvc_iucv.c
21516 --- linux-2.6.33/drivers/char/hvc_iucv.c 2010-02-24 13:52:17.000000000 -0500
21517 +++ linux-2.6.33/drivers/char/hvc_iucv.c 2010-03-07 12:23:35.997708726 -0500
21518 @@ -922,7 +922,7 @@ static int hvc_iucv_pm_restore_thaw(stru
21521 /* HVC operations */
21522 -static struct hv_ops hvc_iucv_ops = {
21523 +static const struct hv_ops hvc_iucv_ops = {
21524 .get_chars = hvc_iucv_get_chars,
21525 .put_chars = hvc_iucv_put_chars,
21526 .notifier_add = hvc_iucv_notifier_add,
21527 diff -urNp linux-2.6.33/drivers/char/hvc_rtas.c linux-2.6.33/drivers/char/hvc_rtas.c
21528 --- linux-2.6.33/drivers/char/hvc_rtas.c 2010-02-24 13:52:17.000000000 -0500
21529 +++ linux-2.6.33/drivers/char/hvc_rtas.c 2010-03-07 12:23:35.997708726 -0500
21530 @@ -71,7 +71,7 @@ static int hvc_rtas_read_console(uint32_
21534 -static struct hv_ops hvc_rtas_get_put_ops = {
21535 +static const struct hv_ops hvc_rtas_get_put_ops = {
21536 .get_chars = hvc_rtas_read_console,
21537 .put_chars = hvc_rtas_write_console,
21539 diff -urNp linux-2.6.33/drivers/char/hvcs.c linux-2.6.33/drivers/char/hvcs.c
21540 --- linux-2.6.33/drivers/char/hvcs.c 2010-02-24 13:52:17.000000000 -0500
21541 +++ linux-2.6.33/drivers/char/hvcs.c 2010-03-07 12:23:35.997708726 -0500
21542 @@ -269,7 +269,7 @@ struct hvcs_struct {
21543 unsigned int index;
21545 struct tty_struct *tty;
21547 + atomic_t open_count;
21550 * Used to tell the driver kernel_thread what operations need to take
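Review bot: The new `atomic_t open_count` member carries no comment explaining why it is atomic, although most accesses changed in this file still happen between `spin_lock_irqsave(&hvcsd->lock, ...)` and the matching unlock. The read in `hvcs_write_room()` is the visible exception. If the intent is to have increments covered by the patch's atomic overflow checking, a comment on the member such as `/* atomic_t so increments are overflow-checked; updates still serialised by hvcsd->lock */` would stop a later cleanup from reverting it to a plain int. The same conversion appears without explanation in ipwireless/tty.c and sonypi.c. `struct hvcs_struct` begins and ends outside this hunk.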
21551 @@ -419,7 +419,7 @@ static ssize_t hvcs_vterm_state_store(st
21553 spin_lock_irqsave(&hvcsd->lock, flags);
21555 - if (hvcsd->open_count > 0) {
21556 + if (atomic_read(&hvcsd->open_count) > 0) {
21557 spin_unlock_irqrestore(&hvcsd->lock, flags);
21558 printk(KERN_INFO "HVCS: vterm state unchanged. "
21559 "The hvcs device node is still in use.\n");
21560 @@ -1135,7 +1135,7 @@ static int hvcs_open(struct tty_struct *
21561 if ((retval = hvcs_partner_connect(hvcsd)))
21562 goto error_release;
21564 - hvcsd->open_count = 1;
21565 + atomic_set(&hvcsd->open_count, 1);
21567 tty->driver_data = hvcsd;
21569 @@ -1169,7 +1169,7 @@ fast_open:
21571 spin_lock_irqsave(&hvcsd->lock, flags);
21572 kref_get(&hvcsd->kref);
21573 - hvcsd->open_count++;
21574 + atomic_inc(&hvcsd->open_count);
21575 hvcsd->todo_mask |= HVCS_SCHED_READ;
21576 spin_unlock_irqrestore(&hvcsd->lock, flags);
21578 @@ -1213,7 +1213,7 @@ static void hvcs_close(struct tty_struct
21579 hvcsd = tty->driver_data;
21581 spin_lock_irqsave(&hvcsd->lock, flags);
21582 - if (--hvcsd->open_count == 0) {
21583 + if (atomic_dec_and_test(&hvcsd->open_count)) {
21585 vio_disable_interrupts(hvcsd->vdev);
21587 @@ -1239,10 +1239,10 @@ static void hvcs_close(struct tty_struct
21588 free_irq(irq, hvcsd);
21589 kref_put(&hvcsd->kref, destroy_hvcs_struct);
21591 - } else if (hvcsd->open_count < 0) {
21592 + } else if (atomic_read(&hvcsd->open_count) < 0) {
21593 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
21594 " is missmanaged.\n",
21595 - hvcsd->vdev->unit_address, hvcsd->open_count);
21596 + hvcsd->vdev->unit_address, atomic_read(&hvcsd->open_count));
21599 spin_unlock_irqrestore(&hvcsd->lock, flags);
21600 @@ -1258,7 +1258,7 @@ static void hvcs_hangup(struct tty_struc
21602 spin_lock_irqsave(&hvcsd->lock, flags);
21603 /* Preserve this so that we know how many kref refs to put */
21604 - temp_open_count = hvcsd->open_count;
21605 + temp_open_count = atomic_read(&hvcsd->open_count);
21608 * Don't kref put inside the spinlock because the destruction
21609 @@ -1273,7 +1273,7 @@ static void hvcs_hangup(struct tty_struc
21610 hvcsd->tty->driver_data = NULL;
21613 - hvcsd->open_count = 0;
21614 + atomic_set(&hvcsd->open_count, 0);
21616 /* This will drop any buffered data on the floor which is OK in a hangup
21618 @@ -1344,7 +1344,7 @@ static int hvcs_write(struct tty_struct
21619 * the middle of a write operation? This is a crummy place to do this
21620 * but we want to keep it all in the spinlock.
21622 - if (hvcsd->open_count <= 0) {
21623 + if (atomic_read(&hvcsd->open_count) <= 0) {
21624 spin_unlock_irqrestore(&hvcsd->lock, flags);
21627 @@ -1418,7 +1418,7 @@ static int hvcs_write_room(struct tty_st
21629 struct hvcs_struct *hvcsd = tty->driver_data;
21631 - if (!hvcsd || hvcsd->open_count <= 0)
21632 + if (!hvcsd || atomic_read(&hvcsd->open_count) <= 0)
21635 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
21636 diff -urNp linux-2.6.33/drivers/char/hvc_udbg.c linux-2.6.33/drivers/char/hvc_udbg.c
21637 --- linux-2.6.33/drivers/char/hvc_udbg.c 2010-02-24 13:52:17.000000000 -0500
21638 +++ linux-2.6.33/drivers/char/hvc_udbg.c 2010-03-07 12:23:35.997708726 -0500
21639 @@ -58,7 +58,7 @@ static int hvc_udbg_get(uint32_t vtermno
21643 -static struct hv_ops hvc_udbg_ops = {
21644 +static const struct hv_ops hvc_udbg_ops = {
21645 .get_chars = hvc_udbg_get,
21646 .put_chars = hvc_udbg_put,
21648 diff -urNp linux-2.6.33/drivers/char/hvc_vio.c linux-2.6.33/drivers/char/hvc_vio.c
21649 --- linux-2.6.33/drivers/char/hvc_vio.c 2010-02-24 13:52:17.000000000 -0500
21650 +++ linux-2.6.33/drivers/char/hvc_vio.c 2010-03-07 12:23:35.997708726 -0500
21651 @@ -77,7 +77,7 @@ static int filtered_get_chars(uint32_t v
21655 -static struct hv_ops hvc_get_put_ops = {
21656 +static const struct hv_ops hvc_get_put_ops = {
21657 .get_chars = filtered_get_chars,
21658 .put_chars = hvc_put_chars,
21659 .notifier_add = notifier_add_irq,
21660 diff -urNp linux-2.6.33/drivers/char/hvc_xen.c linux-2.6.33/drivers/char/hvc_xen.c
21661 --- linux-2.6.33/drivers/char/hvc_xen.c 2010-02-24 13:52:17.000000000 -0500
21662 +++ linux-2.6.33/drivers/char/hvc_xen.c 2010-03-07 12:23:35.997708726 -0500
21663 @@ -122,7 +122,7 @@ static int read_console(uint32_t vtermno
21667 -static struct hv_ops hvc_ops = {
21668 +static const struct hv_ops hvc_ops = {
21669 .get_chars = read_console,
21670 .put_chars = write_console,
21671 .notifier_add = notifier_add_irq,
21672 diff -urNp linux-2.6.33/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.33/drivers/char/ipmi/ipmi_msghandler.c
21673 --- linux-2.6.33/drivers/char/ipmi/ipmi_msghandler.c 2010-02-24 13:52:17.000000000 -0500
21674 +++ linux-2.6.33/drivers/char/ipmi/ipmi_msghandler.c 2010-03-07 12:23:35.997708726 -0500
21675 @@ -414,7 +414,7 @@ struct ipmi_smi {
21676 struct proc_dir_entry *proc_dir;
21677 char proc_dir_name[10];
21679 - atomic_t stats[IPMI_NUM_STATS];
21680 + atomic_unchecked_t stats[IPMI_NUM_STATS];
21683 * run_to_completion duplicate of smb_info, smi_info
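Review bot: `stats[]` switches to `atomic_unchecked_t` with no comment saying these counters are statistics rather than reference counts. That distinction is the whole justification for opting out of overflow checking, and a reader of the struct cannot see it. I would add `/* statistics only, never used for object lifetime: wrap-around is harmless */` above the member. The `stats[]` array in `struct smi_info` in ipmi_si_intf.c needs the same note. Both structs extend beyond their hunks.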
21684 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
21687 #define ipmi_inc_stat(intf, stat) \
21688 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
21689 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
21690 #define ipmi_get_stat(intf, stat) \
21691 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
21692 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
21694 static int is_lan_addr(struct ipmi_addr *addr)
21696 @@ -2808,7 +2808,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
21697 INIT_LIST_HEAD(&intf->cmd_rcvrs);
21698 init_waitqueue_head(&intf->waitq);
21699 for (i = 0; i < IPMI_NUM_STATS; i++)
21700 - atomic_set(&intf->stats[i], 0);
21701 + atomic_set_unchecked(&intf->stats[i], 0);
21703 intf->proc_dir = NULL;
21705 diff -urNp linux-2.6.33/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.33/drivers/char/ipmi/ipmi_si_intf.c
21706 --- linux-2.6.33/drivers/char/ipmi/ipmi_si_intf.c 2010-02-24 13:52:17.000000000 -0500
21707 +++ linux-2.6.33/drivers/char/ipmi/ipmi_si_intf.c 2010-03-07 12:23:36.001707082 -0500
21708 @@ -278,7 +278,7 @@ struct smi_info {
21709 unsigned char slave_addr;
21711 /* Counters and things for the proc filesystem. */
21712 - atomic_t stats[SI_NUM_STATS];
21713 + atomic_unchecked_t stats[SI_NUM_STATS];
21715 struct task_struct *thread;
21717 @@ -286,9 +286,9 @@ struct smi_info {
21720 #define smi_inc_stat(smi, stat) \
21721 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
21722 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
21723 #define smi_get_stat(smi, stat) \
21724 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
21725 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
21727 #define SI_MAX_PARMS 4
21729 @@ -3020,7 +3020,7 @@ static int try_smi_init(struct smi_info
21730 atomic_set(&new_smi->req_events, 0);
21731 new_smi->run_to_completion = 0;
21732 for (i = 0; i < SI_NUM_STATS; i++)
21733 - atomic_set(&new_smi->stats[i], 0);
21734 + atomic_set_unchecked(&new_smi->stats[i], 0);
21736 new_smi->interrupt_disabled = 0;
21737 atomic_set(&new_smi->stop_operation, 0);
21738 diff -urNp linux-2.6.33/drivers/char/keyboard.c linux-2.6.33/drivers/char/keyboard.c
21739 --- linux-2.6.33/drivers/char/keyboard.c 2010-02-24 13:52:17.000000000 -0500
21740 +++ linux-2.6.33/drivers/char/keyboard.c 2010-03-07 12:23:36.001707082 -0500
21741 @@ -652,6 +652,16 @@ static void k_spec(struct vc_data *vc, u
21742 kbd->kbdmode == VC_MEDIUMRAW) &&
21743 value != KVAL(K_SAK))
21744 return; /* SAK is allowed even in raw mode */
21746 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
21748 + void *func = fn_handler[value];
21749 + if (func == fn_show_state || func == fn_show_ptregs ||
21750 + func == fn_show_mem)
21755 fn_handler[value](vc);
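Review bot: The added filter stores a function pointer in `void *func` and compares it against `fn_show_state`, `fn_show_ptregs` and `fn_show_mem`, which relies on a function-to-object pointer conversion that ISO C does not define. Declaring it with the handler's own type, e.g. `void (*func)(struct vc_data *) = fn_handler[value];`, keeps the comparison type-checked. The block also indexes `fn_handler[value]` a second time before the existing call, so it depends on whatever bounds check on `value` precedes it in `k_spec()`, which is outside this hunk. The statement guarded by the new `if` is not shown on this page, so a one-line comment naming which information-disclosing handlers are being suppressed, and for whom, would help.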
21758 @@ -1405,7 +1415,7 @@ static const struct input_device_id kbd_
21759 .evbit = { BIT_MASK(EV_SND) },
21762 - { }, /* Terminating entry */
21763 + { 0 }, /* Terminating entry */
21766 MODULE_DEVICE_TABLE(input, kbd_ids);
21767 diff -urNp linux-2.6.33/drivers/char/mem.c linux-2.6.33/drivers/char/mem.c
21768 --- linux-2.6.33/drivers/char/mem.c 2010-02-24 13:52:17.000000000 -0500
21769 +++ linux-2.6.33/drivers/char/mem.c 2010-03-07 12:23:36.001707082 -0500
21771 #include <linux/raw.h>
21772 #include <linux/tty.h>
21773 #include <linux/capability.h>
21774 +#include <linux/security.h>
21775 #include <linux/ptrace.h>
21776 #include <linux/device.h>
21777 #include <linux/highmem.h>
21779 # include <linux/efi.h>
21782 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
21783 +extern struct file_operations grsec_fops;
21786 static inline unsigned long size_inside_page(unsigned long start,
21787 unsigned long size)
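Review bot: `grsec_fops` is declared with a bare `extern` inside mem.c and without `const`, while the rest of this patch constifies operations tables so they can live in read-only memory. If the definition (not visible here) can be made const, `extern const struct file_operations grsec_fops;` in a shared header would let the compiler check the declaration against the definition and keep this table consistent with the others. That assumes the `fops` member of `struct memdev` accepts a const pointer, which this hunk does not show.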
21789 @@ -191,6 +196,11 @@ static ssize_t write_mem(struct file * f
21790 if (!valid_phys_addr_range(p, count))
21793 +#ifdef CONFIG_GRKERNSEC_KMEM
21794 + gr_handle_mem_write();
21800 #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
21801 @@ -311,6 +321,11 @@ static int mmap_mem(struct file * file,
21802 &vma->vm_page_prot))
21805 +#ifdef CONFIG_GRKERNSEC_KMEM
21806 + if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
21810 vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
21812 vma->vm_page_prot);
21813 @@ -527,6 +542,11 @@ static ssize_t write_kmem(struct file *
21814 char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
21817 +#ifdef CONFIG_GRKERNSEC_KMEM
21818 + gr_handle_kmem_write();
21822 if (p < (unsigned long) high_memory) {
21823 unsigned long to_write = min_t(unsigned long, count,
21824 (unsigned long)high_memory - p);
21825 @@ -727,6 +747,16 @@ static loff_t memory_lseek(struct file *
21827 static int open_port(struct inode * inode, struct file * filp)
21829 +#ifdef CONFIG_GRKERNSEC_KMEM
21830 + gr_handle_open_port();
21834 + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
21837 +static int open_mem(struct inode * inode, struct file * filp)
21839 return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
21842 @@ -734,7 +764,6 @@ static int open_port(struct inode * inod
21843 #define full_lseek null_lseek
21844 #define write_zero write_null
21845 #define read_full read_zero
21846 -#define open_mem open_port
21847 #define open_kmem open_mem
21848 #define open_oldmem open_mem
21850 @@ -850,6 +879,9 @@ static const struct memdev {
21851 #ifdef CONFIG_CRASH_DUMP
21852 [12] = { "oldmem", 0, &oldmem_fops, NULL },
21854 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
21855 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
21859 static int memory_open(struct inode *inode, struct file *filp)
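Review bot: The new `[13]` entry creates its device node with `S_IRUSR | S_IWUGO`, i.e. writable by every user, so all access control for that interface rests on the handlers in `grsec_fops`, which are outside this hunk. That choice deserves an explicit comment, for example `/* world-writable by design: grsec_fops authenticates every request and must treat all input as untrusted */`, so nobody mistakes the mode for an oversight or relaxes the handler's validation. Minor 13 is also hard-coded here and could collide with a later upstream allocation in this table. The table continues outside the hunk.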
21860 diff -urNp linux-2.6.33/drivers/char/nvram.c linux-2.6.33/drivers/char/nvram.c
21861 --- linux-2.6.33/drivers/char/nvram.c 2010-02-24 13:52:17.000000000 -0500
21862 +++ linux-2.6.33/drivers/char/nvram.c 2010-03-07 12:23:36.001707082 -0500
21863 @@ -246,7 +246,7 @@ static ssize_t nvram_read(struct file *f
21865 spin_unlock_irq(&rtc_lock);
21867 - if (copy_to_user(buf, contents, tmp - contents))
21868 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
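Review bot: The added bound compares a signed pointer difference with `sizeof(contents)`, and it runs only after `contents` has been filled by code outside this hunk. It therefore limits the `copy_to_user()` length, i.e. how much kernel stack can be disclosed, rather than the writes into the buffer. Making the conversion explicit, `size_t len = tmp - contents; if (len > sizeof(contents) || copy_to_user(buf, contents, len))`, removes the mixed signed/unsigned comparison and evaluates the length once. The check added to `extract_entropy_user()` in random.c (`i > sizeof(tmp)`, where `i` comes from `min_t(int, ...)`) has the same mixed comparison.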
21872 @@ -434,7 +434,10 @@ static const struct file_operations nvra
21873 static struct miscdevice nvram_dev = {
21883 static int __init nvram_init(void)
21884 diff -urNp linux-2.6.33/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.33/drivers/char/pcmcia/ipwireless/tty.c
21885 --- linux-2.6.33/drivers/char/pcmcia/ipwireless/tty.c 2010-02-24 13:52:17.000000000 -0500
21886 +++ linux-2.6.33/drivers/char/pcmcia/ipwireless/tty.c 2010-03-07 12:23:36.001707082 -0500
21887 @@ -51,7 +51,7 @@ struct ipw_tty {
21889 struct ipw_network *network;
21890 struct tty_struct *linux_tty;
21892 + atomic_t open_count;
21893 unsigned int control_lines;
21894 struct mutex ipw_tty_mutex;
21895 int tx_bytes_queued;
21896 @@ -127,10 +127,10 @@ static int ipw_open(struct tty_struct *l
21897 mutex_unlock(&tty->ipw_tty_mutex);
21900 - if (tty->open_count == 0)
21901 + if (atomic_read(&tty->open_count) == 0)
21902 tty->tx_bytes_queued = 0;
21904 - tty->open_count++;
21905 + atomic_inc(&tty->open_count);
21907 tty->linux_tty = linux_tty;
21908 linux_tty->driver_data = tty;
21909 @@ -146,9 +146,7 @@ static int ipw_open(struct tty_struct *l
21911 static void do_ipw_close(struct ipw_tty *tty)
21913 - tty->open_count--;
21915 - if (tty->open_count == 0) {
21916 + if (atomic_dec_return(&tty->open_count) == 0) {
21917 struct tty_struct *linux_tty = tty->linux_tty;
21919 if (linux_tty != NULL) {
21920 @@ -169,7 +167,7 @@ static void ipw_hangup(struct tty_struct
21923 mutex_lock(&tty->ipw_tty_mutex);
21924 - if (tty->open_count == 0) {
21925 + if (atomic_read(&tty->open_count) == 0) {
21926 mutex_unlock(&tty->ipw_tty_mutex);
21929 @@ -198,7 +196,7 @@ void ipwireless_tty_received(struct ipw_
21933 - if (!tty->open_count) {
21934 + if (!atomic_read(&tty->open_count)) {
21935 mutex_unlock(&tty->ipw_tty_mutex);
21938 @@ -240,7 +238,7 @@ static int ipw_write(struct tty_struct *
21941 mutex_lock(&tty->ipw_tty_mutex);
21942 - if (!tty->open_count) {
21943 + if (!atomic_read(&tty->open_count)) {
21944 mutex_unlock(&tty->ipw_tty_mutex);
21947 @@ -280,7 +278,7 @@ static int ipw_write_room(struct tty_str
21951 - if (!tty->open_count)
21952 + if (!atomic_read(&tty->open_count))
21955 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
21956 @@ -322,7 +320,7 @@ static int ipw_chars_in_buffer(struct tt
21960 - if (!tty->open_count)
21961 + if (!atomic_read(&tty->open_count))
21964 return tty->tx_bytes_queued;
21965 @@ -403,7 +401,7 @@ static int ipw_tiocmget(struct tty_struc
21969 - if (!tty->open_count)
21970 + if (!atomic_read(&tty->open_count))
21973 return get_control_lines(tty);
21974 @@ -419,7 +417,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
21978 - if (!tty->open_count)
21979 + if (!atomic_read(&tty->open_count))
21982 return set_control_lines(tty, set, clear);
21983 @@ -433,7 +431,7 @@ static int ipw_ioctl(struct tty_struct *
21987 - if (!tty->open_count)
21988 + if (!atomic_read(&tty->open_count))
21991 /* FIXME: Exactly how is the tty object locked here .. */
21992 @@ -591,7 +589,7 @@ void ipwireless_tty_free(struct ipw_tty
21993 against a parallel ioctl etc */
21994 mutex_lock(&ttyj->ipw_tty_mutex);
21996 - while (ttyj->open_count)
21997 + while (atomic_read(&ttyj->open_count))
21998 do_ipw_close(ttyj);
21999 ipwireless_disassociate_network_ttys(network,
22000 ttyj->channel_idx);
22001 diff -urNp linux-2.6.33/drivers/char/pty.c linux-2.6.33/drivers/char/pty.c
22002 --- linux-2.6.33/drivers/char/pty.c 2010-02-24 13:52:17.000000000 -0500
22003 +++ linux-2.6.33/drivers/char/pty.c 2010-03-07 12:23:36.001707082 -0500
22004 @@ -676,7 +676,18 @@ static int ptmx_open(struct inode *inode
22008 -static struct file_operations ptmx_fops;
22009 +static const struct file_operations ptmx_fops = {
22010 + .llseek = no_llseek,
22011 + .read = tty_read,
22012 + .write = tty_write,
22013 + .poll = tty_poll,
22014 + .unlocked_ioctl = tty_ioctl,
22015 + .compat_ioctl = tty_compat_ioctl,
22016 + .open = ptmx_open,
22017 + .release = tty_release,
22018 + .fasync = tty_fasync,
22022 static void __init unix98_pty_init(void)
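Review bot: `ptmx_fops` is now a hand-written copy of the tty file operations instead of a runtime copy made by `tty_default_fops()`. Any handler later added to or changed in the tty table will therefore silently not apply to /dev/ptmx. Making the table const is the benefit, but the coupling should be recorded. I would add `/* keep in sync with the tty file_operations in tty_io.c; only .open differs */` above the initializer.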
22024 @@ -730,9 +741,6 @@ static void __init unix98_pty_init(void)
22025 register_sysctl_table(pty_root_table);
22027 /* Now create the /dev/ptmx special device */
22028 - tty_default_fops(&ptmx_fops);
22029 - ptmx_fops.open = ptmx_open;
22031 cdev_init(&ptmx_cdev, &ptmx_fops);
22032 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
22033 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
22034 diff -urNp linux-2.6.33/drivers/char/random.c linux-2.6.33/drivers/char/random.c
22035 --- linux-2.6.33/drivers/char/random.c 2010-02-24 13:52:17.000000000 -0500
22036 +++ linux-2.6.33/drivers/char/random.c 2010-03-07 12:23:36.001707082 -0500
22037 @@ -254,8 +254,13 @@
22039 * Configuration information
22041 +#ifdef CONFIG_GRKERNSEC_RANDNET
22042 +#define INPUT_POOL_WORDS 512
22043 +#define OUTPUT_POOL_WORDS 128
22045 #define INPUT_POOL_WORDS 128
22046 #define OUTPUT_POOL_WORDS 32
22048 #define SEC_XFER_SIZE 512
22051 @@ -292,10 +297,17 @@ static struct poolinfo {
22053 int tap1, tap2, tap3, tap4, tap5;
22054 } poolinfo_table[] = {
22055 +#ifdef CONFIG_GRKERNSEC_RANDNET
22056 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
22057 + { 512, 411, 308, 208, 104, 1 },
22058 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
22059 + { 128, 103, 76, 51, 25, 1 },
22061 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
22062 { 128, 103, 76, 51, 25, 1 },
22063 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
22064 { 32, 26, 20, 14, 7, 1 },
22067 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
22068 { 2048, 1638, 1231, 819, 411, 1 },
22069 @@ -903,7 +915,7 @@ static ssize_t extract_entropy_user(stru
22071 extract_buf(r, tmp);
22072 i = min_t(int, nbytes, EXTRACT_SIZE);
22073 - if (copy_to_user(buf, tmp, i)) {
22074 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
22078 @@ -1209,7 +1221,7 @@ EXPORT_SYMBOL(generate_random_uuid);
22079 #include <linux/sysctl.h>
22081 static int min_read_thresh = 8, min_write_thresh;
22082 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
22083 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
22084 static int max_write_thresh = INPUT_POOL_WORDS * 32;
22085 static char sysctl_bootid[16];
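Review bot: `max_read_thresh` is changed to `OUTPUT_POOL_WORDS * 32` unconditionally, so with CONFIG_GRKERNSEC_RANDNET disabled the upper bound drops from 128 * 32 to 32 * 32 bits according to the pool sizes defined earlier in this patch. If the intent is only to keep the limit at its previous value once the pools are enlarged, that should be stated, or the old expression kept in the non-RANDNET case. A comment such as `/* bounded by the output pool size so the limit stays 4096 bits with RANDNET */` would make the reasoning checkable. Which pool this threshold is compared against is outside this hunk.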
22087 diff -urNp linux-2.6.33/drivers/char/sonypi.c linux-2.6.33/drivers/char/sonypi.c
22088 --- linux-2.6.33/drivers/char/sonypi.c 2010-02-24 13:52:17.000000000 -0500
22089 +++ linux-2.6.33/drivers/char/sonypi.c 2010-03-07 12:23:36.001707082 -0500
22090 @@ -490,7 +490,7 @@ static struct sonypi_device {
22091 spinlock_t fifo_lock;
22092 wait_queue_head_t fifo_proc_list;
22093 struct fasync_struct *fifo_async;
22095 + atomic_t open_count;
22097 struct input_dev *input_jog_dev;
22098 struct input_dev *input_key_dev;
22099 @@ -897,7 +897,7 @@ static int sonypi_misc_fasync(int fd, st
22100 static int sonypi_misc_release(struct inode *inode, struct file *file)
22102 mutex_lock(&sonypi_device.lock);
22103 - sonypi_device.open_count--;
22104 + atomic_dec(&sonypi_device.open_count);
22105 mutex_unlock(&sonypi_device.lock);
22108 @@ -906,9 +906,9 @@ static int sonypi_misc_open(struct inode
22110 mutex_lock(&sonypi_device.lock);
22111 /* Flush input queue on first open */
22112 - if (!sonypi_device.open_count)
22113 + if (!atomic_read(&sonypi_device.open_count))
22114 kfifo_reset(&sonypi_device.fifo);
22115 - sonypi_device.open_count++;
22116 + atomic_inc(&sonypi_device.open_count);
22117 mutex_unlock(&sonypi_device.lock);
22120 diff -urNp linux-2.6.33/drivers/char/tpm/tpm_bios.c linux-2.6.33/drivers/char/tpm/tpm_bios.c
22121 --- linux-2.6.33/drivers/char/tpm/tpm_bios.c 2010-02-24 13:52:17.000000000 -0500
22122 +++ linux-2.6.33/drivers/char/tpm/tpm_bios.c 2010-03-07 12:23:36.001707082 -0500
22123 @@ -172,7 +172,7 @@ static void *tpm_bios_measurements_start
22126 if ((event->event_type == 0 && event->event_size == 0) ||
22127 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
22128 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
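Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` avoids overflowing the pointer sum, but it is only correct when at least `sizeof(struct tcpa_event)` bytes remain before `limit`. Otherwise the right-hand side goes negative or wraps, depending on the operand types, and an oversized `event_size` is accepted. The hunk does not show the preceding header-fits check, so I would record the dependency at the comparison: `/* caller has verified addr + sizeof(struct tcpa_event) < limit */`. The same applies to the `limit - v - sizeof(struct tcpa_event)` form in `tpm_bios_measurements_next()`. Both functions extend beyond their hunks.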
22132 @@ -197,7 +197,7 @@ static void *tpm_bios_measurements_next(
22135 if ((event->event_type == 0 && event->event_size == 0) ||
22136 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
22137 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
22141 @@ -290,7 +290,8 @@ static int tpm_binary_bios_measurements_
22144 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
22145 - seq_putc(m, data[i]);
22146 + if (!seq_putc(m, data[i]))
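Review bot: The new test `if (!seq_putc(m, data[i]))` looks inverted. As far as I know, `seq_putc()` in this kernel series returns 0 when the character was stored and a negative value when the buffer is full, so the branch would be taken on success. The statement it guards is not shown on this page, but if it is an error return the condition should read `if (seq_putc(m, data[i]))`. Please confirm against `fs/seq_file.c` in the tree being patched.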
22151 @@ -409,6 +410,11 @@ static int read_log(struct tpm_bios_log
22152 log->bios_event_log_end = log->bios_event_log + len;
22154 virt = acpi_os_map_memory(start, len);
22156 + kfree(log->bios_event_log);
22157 + log->bios_event_log = NULL;
22161 memcpy(log->bios_event_log, virt, len);
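Review bot: The added failure path frees `log->bios_event_log` and clears it, but `log->bios_event_log_end`, assigned just above from the same allocation, is left pointing into freed memory. Clearing it as well, `log->bios_event_log_end = NULL;`, leaves the structure consistent for any caller that inspects it after the error. The condition and return statement around these lines are not shown on this page.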
22163 diff -urNp linux-2.6.33/drivers/char/tty_io.c linux-2.6.33/drivers/char/tty_io.c
22164 --- linux-2.6.33/drivers/char/tty_io.c 2010-02-24 13:52:17.000000000 -0500
22165 +++ linux-2.6.33/drivers/char/tty_io.c 2010-03-07 12:23:36.001707082 -0500
22166 @@ -136,20 +136,10 @@ LIST_HEAD(tty_drivers); /* linked list
22167 DEFINE_MUTEX(tty_mutex);
22168 EXPORT_SYMBOL(tty_mutex);
22170 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
22171 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
22172 ssize_t redirected_tty_write(struct file *, const char __user *,
22174 -static unsigned int tty_poll(struct file *, poll_table *);
22175 static int tty_open(struct inode *, struct file *);
22176 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
22177 -#ifdef CONFIG_COMPAT
22178 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
22179 - unsigned long arg);
22181 -#define tty_compat_ioctl NULL
22183 -static int tty_fasync(int fd, struct file *filp, int on);
22184 static void release_tty(struct tty_struct *tty, int idx);
22185 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
22186 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
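Review bot: Kernels built without CONFIG_COMPAT lose the `#define tty_compat_ioctl NULL` fallback that is removed here together with the static prototypes, while a later hunk still defines tty_compat_ioctl() only under `#ifdef CONFIG_COMPAT`. Any file_operations initialiser that names `tty_compat_ioctl` now depends on wherever the prototypes moved to, which is not part of this file's diff. Confirm that header carries both the declarations and the `NULL` define for the non-compat case. Separately, the later hunks export tty_read, tty_write, tty_release, tty_poll, tty_fasync, tty_ioctl and tty_compat_ioctl with plain `EXPORT_SYMBOL`, which makes the raw tty entry points callable from every module. A one-line comment at the first export naming the in-tree user would make that widened surface easier to audit.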
22187 @@ -871,7 +861,7 @@ EXPORT_SYMBOL(start_tty);
22188 * read calls may be outstanding in parallel.
22191 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
22192 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
22196 @@ -899,6 +889,8 @@ static ssize_t tty_read(struct file *fil
22200 +EXPORT_SYMBOL(tty_read);
22202 void tty_write_unlock(struct tty_struct *tty)
22204 mutex_unlock(&tty->atomic_write_lock);
22205 @@ -1048,7 +1040,7 @@ void tty_write_message(struct tty_struct
22206 * write method will not be invoked in parallel for each device.
22209 -static ssize_t tty_write(struct file *file, const char __user *buf,
22210 +ssize_t tty_write(struct file *file, const char __user *buf,
22211 size_t count, loff_t *ppos)
22213 struct tty_struct *tty;
22214 @@ -1075,6 +1067,8 @@ static ssize_t tty_write(struct file *fi
22218 +EXPORT_SYMBOL(tty_write);
22220 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
22221 size_t count, loff_t *ppos)
22223 @@ -1894,6 +1888,8 @@ got_driver:
22227 +EXPORT_SYMBOL(tty_release);
22230 * tty_poll - check tty status
22231 * @filp: file being polled
22232 @@ -1906,7 +1902,7 @@ got_driver:
22233 * may be re-entered freely by other callers.
22236 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
22237 +unsigned int tty_poll(struct file *filp, poll_table *wait)
22239 struct tty_struct *tty;
22240 struct tty_ldisc *ld;
22241 @@ -1923,7 +1919,9 @@ static unsigned int tty_poll(struct file
22245 -static int tty_fasync(int fd, struct file *filp, int on)
22246 +EXPORT_SYMBOL(tty_poll);
22248 +int tty_fasync(int fd, struct file *filp, int on)
22250 struct tty_struct *tty;
22251 unsigned long flags;
22252 @@ -1967,6 +1965,8 @@ out:
22256 +EXPORT_SYMBOL(tty_fasync);
22259 * tiocsti - fake input character
22260 * @tty: tty to fake input into
22261 @@ -2599,8 +2599,10 @@ long tty_ioctl(struct file *file, unsign
22265 +EXPORT_SYMBOL(tty_ioctl);
22267 #ifdef CONFIG_COMPAT
22268 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
22269 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
22272 struct inode *inode = file->f_dentry->d_inode;
22273 @@ -2624,6 +2626,9 @@ static long tty_compat_ioctl(struct file
22278 +EXPORT_SYMBOL(tty_compat_ioctl);
22283 @@ -3067,11 +3072,6 @@ struct tty_struct *get_current_tty(void)
22285 EXPORT_SYMBOL_GPL(get_current_tty);
22287 -void tty_default_fops(struct file_operations *fops)
22289 - *fops = tty_fops;
22293 * Initialize the console device. This is called *early*, so
22294 * we can't necessarily depend on lots of kernel help here.
22295 diff -urNp linux-2.6.33/drivers/char/tty_ldisc.c linux-2.6.33/drivers/char/tty_ldisc.c
22296 --- linux-2.6.33/drivers/char/tty_ldisc.c 2010-02-24 13:52:17.000000000 -0500
22297 +++ linux-2.6.33/drivers/char/tty_ldisc.c 2010-03-07 12:23:36.001707082 -0500
22298 @@ -75,7 +75,7 @@ static void put_ldisc(struct tty_ldisc *
22299 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
22300 struct tty_ldisc_ops *ldo = ld->ops;
22303 + atomic_dec(&ldo->refcount);
22304 module_put(ldo->owner);
22305 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
22307 @@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
22308 spin_lock_irqsave(&tty_ldisc_lock, flags);
22309 tty_ldiscs[disc] = new_ldisc;
22310 new_ldisc->num = disc;
22311 - new_ldisc->refcount = 0;
22312 + atomic_set(&new_ldisc->refcount, 0);
22313 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
22316 @@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
22319 spin_lock_irqsave(&tty_ldisc_lock, flags);
22320 - if (tty_ldiscs[disc]->refcount)
22321 + if (atomic_read(&tty_ldiscs[disc]->refcount))
22324 tty_ldiscs[disc] = NULL;
22325 @@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
22327 ret = ERR_PTR(-EAGAIN);
22328 if (try_module_get(ldops->owner)) {
22329 - ldops->refcount++;
22330 + atomic_inc(&ldops->refcount);
22334 @@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
22335 unsigned long flags;
22337 spin_lock_irqsave(&tty_ldisc_lock, flags);
22338 - ldops->refcount--;
22339 + atomic_dec(&ldops->refcount);
22340 module_put(ldops->owner);
22341 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
22343 diff -urNp linux-2.6.33/drivers/char/virtio_console.c linux-2.6.33/drivers/char/virtio_console.c
22344 --- linux-2.6.33/drivers/char/virtio_console.c 2010-02-24 13:52:17.000000000 -0500
22345 +++ linux-2.6.33/drivers/char/virtio_console.c 2010-03-07 12:23:36.001707082 -0500
22346 @@ -44,6 +44,7 @@ static unsigned int in_len;
22347 static char *in, *inbuf;
22349 /* The operations for our console. */
22350 +/* cannot be const */
22351 static struct hv_ops virtio_cons;
22353 /* The hvc device */
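Review bot: The new comment `/* cannot be const */` records the constraint but not the reason, and the reason is what the next person trying to constify `virtio_cons` needs. If the structure stays writable because its members are assigned at run time (those assignments are not visible in this hunk), say so in the comment: `/* cannot be const: members are assigned at run time */`.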
22354 diff -urNp linux-2.6.33/drivers/char/vt_ioctl.c linux-2.6.33/drivers/char/vt_ioctl.c
22355 --- linux-2.6.33/drivers/char/vt_ioctl.c 2010-02-24 13:52:17.000000000 -0500
22356 +++ linux-2.6.33/drivers/char/vt_ioctl.c 2010-03-07 12:23:36.005705305 -0500
22357 @@ -226,6 +226,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
22362 +#ifdef CONFIG_GRKERNSEC
22363 + if (!capable(CAP_SYS_TTY_CONFIG))
22367 if (!i && v == K_NOSUCHMAP) {
22368 /* deallocate map */
22369 key_map = key_maps[s];
22370 @@ -366,6 +372,13 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
22374 +#ifdef CONFIG_GRKERNSEC
22375 + if (!capable(CAP_SYS_TTY_CONFIG)) {
22382 first_free = funcbufptr + (funcbufsize - funcbufleft);
22383 for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)
22384 diff -urNp linux-2.6.33/drivers/cpufreq/cpufreq.c linux-2.6.33/drivers/cpufreq/cpufreq.c
22385 --- linux-2.6.33/drivers/cpufreq/cpufreq.c 2010-02-24 13:52:17.000000000 -0500
22386 +++ linux-2.6.33/drivers/cpufreq/cpufreq.c 2010-03-07 12:23:36.005705305 -0500
22387 @@ -766,7 +766,7 @@ static void cpufreq_sysfs_release(struct
22388 complete(&policy->kobj_unregister);
22391 -static struct sysfs_ops sysfs_ops = {
22392 +static const struct sysfs_ops sysfs_ops = {
22396 diff -urNp linux-2.6.33/drivers/cpuidle/sysfs.c linux-2.6.33/drivers/cpuidle/sysfs.c
22397 --- linux-2.6.33/drivers/cpuidle/sysfs.c 2010-02-24 13:52:17.000000000 -0500
22398 +++ linux-2.6.33/drivers/cpuidle/sysfs.c 2010-03-07 12:23:36.005705305 -0500
22399 @@ -191,7 +191,7 @@ static ssize_t cpuidle_store(struct kobj
22403 -static struct sysfs_ops cpuidle_sysfs_ops = {
22404 +static const struct sysfs_ops cpuidle_sysfs_ops = {
22405 .show = cpuidle_show,
22406 .store = cpuidle_store,
22408 @@ -277,7 +277,7 @@ static ssize_t cpuidle_state_show(struct
22412 -static struct sysfs_ops cpuidle_state_sysfs_ops = {
22413 +static const struct sysfs_ops cpuidle_state_sysfs_ops = {
22414 .show = cpuidle_state_show,
22417 diff -urNp linux-2.6.33/drivers/dma/ioat/dma.c linux-2.6.33/drivers/dma/ioat/dma.c
22418 --- linux-2.6.33/drivers/dma/ioat/dma.c 2010-02-24 13:52:17.000000000 -0500
22419 +++ linux-2.6.33/drivers/dma/ioat/dma.c 2010-03-07 12:23:36.005705305 -0500
22420 @@ -1146,7 +1146,7 @@ ioat_attr_show(struct kobject *kobj, str
22421 return entry->show(&chan->common, page);
22424 -struct sysfs_ops ioat_sysfs_ops = {
22425 +const struct sysfs_ops ioat_sysfs_ops = {
22426 .show = ioat_attr_show,
22429 diff -urNp linux-2.6.33/drivers/dma/ioat/dma.h linux-2.6.33/drivers/dma/ioat/dma.h
22430 --- linux-2.6.33/drivers/dma/ioat/dma.h 2010-02-24 13:52:17.000000000 -0500
22431 +++ linux-2.6.33/drivers/dma/ioat/dma.h 2010-03-07 12:23:36.005705305 -0500
22432 @@ -347,7 +347,7 @@ bool ioat_cleanup_preamble(struct ioat_c
22433 unsigned long *phys_complete);
22434 void ioat_kobject_add(struct ioatdma_device *device, struct kobj_type *type);
22435 void ioat_kobject_del(struct ioatdma_device *device);
22436 -extern struct sysfs_ops ioat_sysfs_ops;
22437 +extern const struct sysfs_ops ioat_sysfs_ops;
22438 extern struct ioat_sysfs_entry ioat_version_attr;
22439 extern struct ioat_sysfs_entry ioat_cap_attr;
22440 #endif /* IOATDMA_H */
22441 diff -urNp linux-2.6.33/drivers/edac/edac_core.h linux-2.6.33/drivers/edac/edac_core.h
22442 --- linux-2.6.33/drivers/edac/edac_core.h 2010-02-24 13:52:17.000000000 -0500
22443 +++ linux-2.6.33/drivers/edac/edac_core.h 2010-03-07 12:23:36.005705305 -0500
22444 @@ -100,11 +100,11 @@ extern const char *edac_mem_types[];
22446 #else /* !CONFIG_EDAC_DEBUG */
22448 -#define debugf0( ... )
22449 -#define debugf1( ... )
22450 -#define debugf2( ... )
22451 -#define debugf3( ... )
22452 -#define debugf4( ... )
22453 +#define debugf0( ... ) do {} while (0)
22454 +#define debugf1( ... ) do {} while (0)
22455 +#define debugf2( ... ) do {} while (0)
22456 +#define debugf3( ... ) do {} while (0)
22457 +#define debugf4( ... ) do {} while (0)
22459 #endif /* !CONFIG_EDAC_DEBUG */
22461 diff -urNp linux-2.6.33/drivers/edac/edac_device_sysfs.c linux-2.6.33/drivers/edac/edac_device_sysfs.c
22462 --- linux-2.6.33/drivers/edac/edac_device_sysfs.c 2010-02-24 13:52:17.000000000 -0500
22463 +++ linux-2.6.33/drivers/edac/edac_device_sysfs.c 2010-03-07 12:23:36.005705305 -0500
22464 @@ -137,7 +137,7 @@ static ssize_t edac_dev_ctl_info_store(s
22467 /* edac_dev file operations for an 'ctl_info' */
22468 -static struct sysfs_ops device_ctl_info_ops = {
22469 +static const struct sysfs_ops device_ctl_info_ops = {
22470 .show = edac_dev_ctl_info_show,
22471 .store = edac_dev_ctl_info_store
22473 @@ -373,7 +373,7 @@ static ssize_t edac_dev_instance_store(s
22476 /* edac_dev file operations for an 'instance' */
22477 -static struct sysfs_ops device_instance_ops = {
22478 +static const struct sysfs_ops device_instance_ops = {
22479 .show = edac_dev_instance_show,
22480 .store = edac_dev_instance_store
22482 @@ -476,7 +476,7 @@ static ssize_t edac_dev_block_store(stru
22485 /* edac_dev file operations for a 'block' */
22486 -static struct sysfs_ops device_block_ops = {
22487 +static const struct sysfs_ops device_block_ops = {
22488 .show = edac_dev_block_show,
22489 .store = edac_dev_block_store
22491 diff -urNp linux-2.6.33/drivers/edac/edac_mc_sysfs.c linux-2.6.33/drivers/edac/edac_mc_sysfs.c
22492 --- linux-2.6.33/drivers/edac/edac_mc_sysfs.c 2010-02-24 13:52:17.000000000 -0500
22493 +++ linux-2.6.33/drivers/edac/edac_mc_sysfs.c 2010-03-07 12:23:36.005705305 -0500
22494 @@ -245,7 +245,7 @@ static ssize_t csrowdev_store(struct kob
22498 -static struct sysfs_ops csrowfs_ops = {
22499 +static const struct sysfs_ops csrowfs_ops = {
22500 .show = csrowdev_show,
22501 .store = csrowdev_store
22503 @@ -575,7 +575,7 @@ static ssize_t mcidev_store(struct kobje
22506 /* Intermediate show/store table */
22507 -static struct sysfs_ops mci_ops = {
22508 +static const struct sysfs_ops mci_ops = {
22509 .show = mcidev_show,
22510 .store = mcidev_store
22512 diff -urNp linux-2.6.33/drivers/edac/edac_pci_sysfs.c linux-2.6.33/drivers/edac/edac_pci_sysfs.c
22513 --- linux-2.6.33/drivers/edac/edac_pci_sysfs.c 2010-02-24 13:52:17.000000000 -0500
22514 +++ linux-2.6.33/drivers/edac/edac_pci_sysfs.c 2010-03-07 12:23:36.005705305 -0500
22515 @@ -121,7 +121,7 @@ static ssize_t edac_pci_instance_store(s
22519 -static struct sysfs_ops pci_instance_ops = {
22520 +static const struct sysfs_ops pci_instance_ops = {
22521 .show = edac_pci_instance_show,
22522 .store = edac_pci_instance_store
22524 @@ -261,7 +261,7 @@ static ssize_t edac_pci_dev_store(struct
22528 -static struct sysfs_ops edac_pci_sysfs_ops = {
22529 +static const struct sysfs_ops edac_pci_sysfs_ops = {
22530 .show = edac_pci_dev_show,
22531 .store = edac_pci_dev_store
22533 diff -urNp linux-2.6.33/drivers/firmware/dmi_scan.c linux-2.6.33/drivers/firmware/dmi_scan.c
22534 --- linux-2.6.33/drivers/firmware/dmi_scan.c 2010-02-24 13:52:17.000000000 -0500
22535 +++ linux-2.6.33/drivers/firmware/dmi_scan.c 2010-03-07 12:23:36.005705305 -0500
22536 @@ -388,11 +388,6 @@ void __init dmi_scan_machine(void)
22541 - * no iounmap() for that ioremap(); it would be a no-op, but
22542 - * it's so early in setup that sucker gets confused into doing
22543 - * what it shouldn't if we actually call it.
22545 p = dmi_ioremap(0xF0000, 0x10000);
22548 diff -urNp linux-2.6.33/drivers/firmware/edd.c linux-2.6.33/drivers/firmware/edd.c
22549 --- linux-2.6.33/drivers/firmware/edd.c 2010-02-24 13:52:17.000000000 -0500
22550 +++ linux-2.6.33/drivers/firmware/edd.c 2010-03-07 12:23:36.005705305 -0500
22551 @@ -122,7 +122,7 @@ edd_attr_show(struct kobject * kobj, str
22555 -static struct sysfs_ops edd_attr_ops = {
22556 +static const struct sysfs_ops edd_attr_ops = {
22557 .show = edd_attr_show,
22560 diff -urNp linux-2.6.33/drivers/firmware/efivars.c linux-2.6.33/drivers/firmware/efivars.c
22561 --- linux-2.6.33/drivers/firmware/efivars.c 2010-02-24 13:52:17.000000000 -0500
22562 +++ linux-2.6.33/drivers/firmware/efivars.c 2010-03-07 12:23:36.005705305 -0500
22563 @@ -362,7 +362,7 @@ static ssize_t efivar_attr_store(struct
22567 -static struct sysfs_ops efivar_attr_ops = {
22568 +static const struct sysfs_ops efivar_attr_ops = {
22569 .show = efivar_attr_show,
22570 .store = efivar_attr_store,
22572 diff -urNp linux-2.6.33/drivers/firmware/iscsi_ibft.c linux-2.6.33/drivers/firmware/iscsi_ibft.c
22573 --- linux-2.6.33/drivers/firmware/iscsi_ibft.c 2010-02-24 13:52:17.000000000 -0500
22574 +++ linux-2.6.33/drivers/firmware/iscsi_ibft.c 2010-03-07 12:23:36.005705305 -0500
22575 @@ -525,7 +525,7 @@ static ssize_t ibft_show_attribute(struc
22579 -static struct sysfs_ops ibft_attr_ops = {
22580 +static const struct sysfs_ops ibft_attr_ops = {
22581 .show = ibft_show_attribute,
22584 diff -urNp linux-2.6.33/drivers/firmware/memmap.c linux-2.6.33/drivers/firmware/memmap.c
22585 --- linux-2.6.33/drivers/firmware/memmap.c 2010-02-24 13:52:17.000000000 -0500
22586 +++ linux-2.6.33/drivers/firmware/memmap.c 2010-03-07 12:23:36.005705305 -0500
22587 @@ -74,7 +74,7 @@ static struct attribute *def_attrs[] = {
22591 -static struct sysfs_ops memmap_attr_ops = {
22592 +static const struct sysfs_ops memmap_attr_ops = {
22593 .show = memmap_attr_show,
22596 diff -urNp linux-2.6.33/drivers/gpu/drm/drm_drv.c linux-2.6.33/drivers/gpu/drm/drm_drv.c
22597 --- linux-2.6.33/drivers/gpu/drm/drm_drv.c 2010-02-24 13:52:17.000000000 -0500
22598 +++ linux-2.6.33/drivers/gpu/drm/drm_drv.c 2010-03-07 12:23:36.009705010 -0500
22599 @@ -448,7 +448,7 @@ long drm_ioctl(struct file *filp,
22601 dev = file_priv->minor->dev;
22602 atomic_inc(&dev->ioctl_count);
22603 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
22604 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
22605 ++file_priv->ioctl_count;
22607 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
22608 diff -urNp linux-2.6.33/drivers/gpu/drm/drm_fops.c linux-2.6.33/drivers/gpu/drm/drm_fops.c
22609 --- linux-2.6.33/drivers/gpu/drm/drm_fops.c 2010-02-24 13:52:17.000000000 -0500
22610 +++ linux-2.6.33/drivers/gpu/drm/drm_fops.c 2010-03-07 12:23:36.009705010 -0500
22611 @@ -66,7 +66,7 @@ static int drm_setup(struct drm_device *
22614 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
22615 - atomic_set(&dev->counts[i], 0);
22616 + atomic_set_unchecked(&dev->counts[i], 0);
22618 dev->sigdata.lock = NULL;
22620 @@ -130,9 +130,9 @@ int drm_open(struct inode *inode, struct
22622 retcode = drm_open_helper(inode, filp, dev);
22624 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
22625 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
22626 spin_lock(&dev->count_lock);
22627 - if (!dev->open_count++) {
22628 + if (atomic_inc_return(&dev->open_count) == 1) {
22629 spin_unlock(&dev->count_lock);
22630 retcode = drm_setup(dev);
22632 @@ -472,7 +472,7 @@ int drm_release(struct inode *inode, str
22636 - DRM_DEBUG("open_count = %d\n", dev->open_count);
22637 + DRM_DEBUG("open_count = %d\n", atomic_read(&dev->open_count));
22639 if (dev->driver->preclose)
22640 dev->driver->preclose(dev, file_priv);
22641 @@ -484,7 +484,7 @@ int drm_release(struct inode *inode, str
22642 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
22643 task_pid_nr(current),
22644 (long)old_encode_dev(file_priv->minor->device),
22645 - dev->open_count);
22646 + atomic_read(&dev->open_count));
22648 /* if the master has gone away we can't do anything with the lock */
22649 if (file_priv->minor->master)
22650 @@ -565,9 +565,9 @@ int drm_release(struct inode *inode, str
22651 * End inline drm_release
22654 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
22655 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
22656 spin_lock(&dev->count_lock);
22657 - if (!--dev->open_count) {
22658 + if (atomic_dec_and_test(&dev->open_count)) {
22659 if (atomic_read(&dev->ioctl_count)) {
22660 DRM_ERROR("Device busy: %d\n",
22661 atomic_read(&dev->ioctl_count));
22662 diff -urNp linux-2.6.33/drivers/gpu/drm/drm_ioctl.c linux-2.6.33/drivers/gpu/drm/drm_ioctl.c
22663 --- linux-2.6.33/drivers/gpu/drm/drm_ioctl.c 2010-02-24 13:52:17.000000000 -0500
22664 +++ linux-2.6.33/drivers/gpu/drm/drm_ioctl.c 2010-03-07 12:23:36.009705010 -0500
22665 @@ -283,7 +283,7 @@ int drm_getstats(struct drm_device *dev,
22666 stats->data[i].value =
22667 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
22669 - stats->data[i].value = atomic_read(&dev->counts[i]);
22670 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
22671 stats->data[i].type = dev->types[i];
22674 diff -urNp linux-2.6.33/drivers/gpu/drm/drm_lock.c linux-2.6.33/drivers/gpu/drm/drm_lock.c
22675 --- linux-2.6.33/drivers/gpu/drm/drm_lock.c 2010-02-24 13:52:17.000000000 -0500
22676 +++ linux-2.6.33/drivers/gpu/drm/drm_lock.c 2010-03-07 12:23:36.009705010 -0500
22677 @@ -87,7 +87,7 @@ int drm_lock(struct drm_device *dev, voi
22678 if (drm_lock_take(&master->lock, lock->context)) {
22679 master->lock.file_priv = file_priv;
22680 master->lock.lock_time = jiffies;
22681 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
22682 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
22683 break; /* Got lock */
22686 @@ -165,7 +165,7 @@ int drm_unlock(struct drm_device *dev, v
22690 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
22691 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
22693 /* kernel_context_switch isn't used by any of the x86 drm
22694 * modules but is required by the Sparc driver.
22695 diff -urNp linux-2.6.33/drivers/gpu/drm/i810/i810_dma.c linux-2.6.33/drivers/gpu/drm/i810/i810_dma.c
22696 --- linux-2.6.33/drivers/gpu/drm/i810/i810_dma.c 2010-02-24 13:52:17.000000000 -0500
22697 +++ linux-2.6.33/drivers/gpu/drm/i810/i810_dma.c 2010-03-07 12:23:36.009705010 -0500
22698 @@ -952,8 +952,8 @@ static int i810_dma_vertex(struct drm_de
22699 dma->buflist[vertex->idx],
22700 vertex->discard, vertex->used);
22702 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
22703 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
22704 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
22705 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
22706 sarea_priv->last_enqueue = dev_priv->counter - 1;
22707 sarea_priv->last_dispatch = (int)hw_status[5];
22709 @@ -1115,8 +1115,8 @@ static int i810_dma_mc(struct drm_device
22710 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
22713 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
22714 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
22715 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
22716 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
22717 sarea_priv->last_enqueue = dev_priv->counter - 1;
22718 sarea_priv->last_dispatch = (int)hw_status[5];
22720 diff -urNp linux-2.6.33/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.33/drivers/gpu/drm/i915/dvo_ch7017.c
22721 --- linux-2.6.33/drivers/gpu/drm/i915/dvo_ch7017.c 2010-02-24 13:52:17.000000000 -0500
22722 +++ linux-2.6.33/drivers/gpu/drm/i915/dvo_ch7017.c 2010-03-07 12:23:36.009705010 -0500
22723 @@ -444,7 +444,7 @@ static void ch7017_destroy(struct intel_
22727 -struct intel_dvo_dev_ops ch7017_ops = {
22728 +const struct intel_dvo_dev_ops ch7017_ops = {
22729 .init = ch7017_init,
22730 .detect = ch7017_detect,
22731 .mode_valid = ch7017_mode_valid,
22732 diff -urNp linux-2.6.33/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.33/drivers/gpu/drm/i915/dvo_ch7xxx.c
22733 --- linux-2.6.33/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-02-24 13:52:17.000000000 -0500
22734 +++ linux-2.6.33/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-03-07 12:23:36.009705010 -0500
22735 @@ -358,7 +358,7 @@ static void ch7xxx_destroy(struct intel_
22739 -struct intel_dvo_dev_ops ch7xxx_ops = {
22740 +const struct intel_dvo_dev_ops ch7xxx_ops = {
22741 .init = ch7xxx_init,
22742 .detect = ch7xxx_detect,
22743 .mode_valid = ch7xxx_mode_valid,
22744 diff -urNp linux-2.6.33/drivers/gpu/drm/i915/dvo.h linux-2.6.33/drivers/gpu/drm/i915/dvo.h
22745 --- linux-2.6.33/drivers/gpu/drm/i915/dvo.h 2010-02-24 13:52:17.000000000 -0500
22746 +++ linux-2.6.33/drivers/gpu/drm/i915/dvo.h 2010-03-07 12:23:36.009705010 -0500
22747 @@ -135,23 +135,23 @@ struct intel_dvo_dev_ops {
22749 * \return singly-linked list of modes or NULL if no modes found.
22751 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
22752 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
22755 * Clean up driver-specific bits of the output
22757 - void (*destroy) (struct intel_dvo_device *dvo);
22758 + void (* const destroy) (struct intel_dvo_device *dvo);
22761 * Debugging hook to dump device registers to log file
22763 - void (*dump_regs)(struct intel_dvo_device *dvo);
22764 + void (* const dump_regs)(struct intel_dvo_device *dvo);
22767 -extern struct intel_dvo_dev_ops sil164_ops;
22768 -extern struct intel_dvo_dev_ops ch7xxx_ops;
22769 -extern struct intel_dvo_dev_ops ivch_ops;
22770 -extern struct intel_dvo_dev_ops tfp410_ops;
22771 -extern struct intel_dvo_dev_ops ch7017_ops;
22772 +extern const struct intel_dvo_dev_ops sil164_ops;
22773 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
22774 +extern const struct intel_dvo_dev_ops ivch_ops;
22775 +extern const struct intel_dvo_dev_ops tfp410_ops;
22776 +extern const struct intel_dvo_dev_ops ch7017_ops;
22778 #endif /* _INTEL_DVO_H */
22779 diff -urNp linux-2.6.33/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.33/drivers/gpu/drm/i915/dvo_ivch.c
22780 --- linux-2.6.33/drivers/gpu/drm/i915/dvo_ivch.c 2010-02-24 13:52:17.000000000 -0500
22781 +++ linux-2.6.33/drivers/gpu/drm/i915/dvo_ivch.c 2010-03-07 12:23:36.009705010 -0500
22782 @@ -431,7 +431,7 @@ static void ivch_destroy(struct intel_dv
22786 -struct intel_dvo_dev_ops ivch_ops= {
22787 +const struct intel_dvo_dev_ops ivch_ops= {
22791 diff -urNp linux-2.6.33/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.33/drivers/gpu/drm/i915/dvo_sil164.c
22792 --- linux-2.6.33/drivers/gpu/drm/i915/dvo_sil164.c 2010-02-24 13:52:17.000000000 -0500
22793 +++ linux-2.6.33/drivers/gpu/drm/i915/dvo_sil164.c 2010-03-07 12:23:36.009705010 -0500
22794 @@ -290,7 +290,7 @@ static void sil164_destroy(struct intel_
22798 -struct intel_dvo_dev_ops sil164_ops = {
22799 +const struct intel_dvo_dev_ops sil164_ops = {
22800 .init = sil164_init,
22801 .detect = sil164_detect,
22802 .mode_valid = sil164_mode_valid,
22803 diff -urNp linux-2.6.33/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.33/drivers/gpu/drm/i915/dvo_tfp410.c
22804 --- linux-2.6.33/drivers/gpu/drm/i915/dvo_tfp410.c 2010-02-24 13:52:17.000000000 -0500
22805 +++ linux-2.6.33/drivers/gpu/drm/i915/dvo_tfp410.c 2010-03-07 12:23:36.009705010 -0500
22806 @@ -325,7 +325,7 @@ static void tfp410_destroy(struct intel_
22810 -struct intel_dvo_dev_ops tfp410_ops = {
22811 +const struct intel_dvo_dev_ops tfp410_ops = {
22812 .init = tfp410_init,
22813 .detect = tfp410_detect,
22814 .mode_valid = tfp410_mode_valid,
22815 diff -urNp linux-2.6.33/drivers/gpu/drm/i915/i915_drv.c linux-2.6.33/drivers/gpu/drm/i915/i915_drv.c
22816 --- linux-2.6.33/drivers/gpu/drm/i915/i915_drv.c 2010-02-24 13:52:17.000000000 -0500
22817 +++ linux-2.6.33/drivers/gpu/drm/i915/i915_drv.c 2010-03-07 12:23:36.009705010 -0500
22818 @@ -470,7 +470,7 @@ const struct dev_pm_ops i915_pm_ops = {
22819 .restore = i915_pm_resume,
22822 -static struct vm_operations_struct i915_gem_vm_ops = {
22823 +static const struct vm_operations_struct i915_gem_vm_ops = {
22824 .fault = i915_gem_fault,
22825 .open = drm_gem_vm_open,
22826 .close = drm_gem_vm_close,
22827 diff -urNp linux-2.6.33/drivers/gpu/drm/nouveau/nouveau_backlight.c linux-2.6.33/drivers/gpu/drm/nouveau/nouveau_backlight.c
22828 --- linux-2.6.33/drivers/gpu/drm/nouveau/nouveau_backlight.c 2010-02-24 13:52:17.000000000 -0500
22829 +++ linux-2.6.33/drivers/gpu/drm/nouveau/nouveau_backlight.c 2010-03-07 12:23:36.009705010 -0500
22830 @@ -58,7 +58,7 @@ static int nv40_set_intensity(struct bac
22834 -static struct backlight_ops nv40_bl_ops = {
22835 +static const struct backlight_ops nv40_bl_ops = {
22836 .options = BL_CORE_SUSPENDRESUME,
22837 .get_brightness = nv40_get_intensity,
22838 .update_status = nv40_set_intensity,
22839 @@ -81,7 +81,7 @@ static int nv50_set_intensity(struct bac
22843 -static struct backlight_ops nv50_bl_ops = {
22844 +static const struct backlight_ops nv50_bl_ops = {
22845 .options = BL_CORE_SUSPENDRESUME,
22846 .get_brightness = nv50_get_intensity,
22847 .update_status = nv50_set_intensity,
22848 diff -urNp linux-2.6.33/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.33/drivers/gpu/drm/radeon/mkregtable.c
22849 --- linux-2.6.33/drivers/gpu/drm/radeon/mkregtable.c 2010-02-24 13:52:17.000000000 -0500
22850 +++ linux-2.6.33/drivers/gpu/drm/radeon/mkregtable.c 2010-03-07 12:23:36.009705010 -0500
22851 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
22853 regmatch_t match[4];
22861 struct offset *offset;
22862 char last_reg_s[10];
22864 + unsigned long last_reg;
22867 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
22868 diff -urNp linux-2.6.33/drivers/gpu/drm/radeon/radeon_atombios.c linux-2.6.33/drivers/gpu/drm/radeon/radeon_atombios.c
22869 --- linux-2.6.33/drivers/gpu/drm/radeon/radeon_atombios.c 2010-02-24 13:52:17.000000000 -0500
22870 +++ linux-2.6.33/drivers/gpu/drm/radeon/radeon_atombios.c 2010-03-07 12:23:36.009705010 -0500
22871 @@ -637,14 +637,14 @@ static uint16_t atombios_get_connector_o
22875 -struct bios_connector {
22876 +static struct bios_connector {
22880 int connector_type;
22881 struct radeon_i2c_bus_rec ddc_bus;
22882 struct radeon_hpd hpd;
22884 +} bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
22886 bool radeon_get_atom_connector_info_from_supported_devices_table(struct
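Review bot: Turning `bios_connectors[ATOM_MAX_SUPPORTED_DEVICE]` into a file-scope `static` array (the local declaration is removed in the next hunk) relieves the stack but introduces shared state. Every call of radeon_get_atom_connector_info_from_supported_devices_table(), for every radeon device, now works in the same buffer, and nothing in these two hunks serialises access or clears the array on entry. The function body continues outside the hunks, so check that each entry is reset before it is read and that two devices cannot be probed concurrently. A per-call `kcalloc()`/`kfree()` pair would keep the stack relief without the sharing. Failing that, a comment on the array should name the lock or the single-threaded init path that makes the static safe.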
22888 @@ -660,7 +660,6 @@ bool radeon_get_atom_connector_info_from
22890 union atom_supported_devices *supported_devices;
22891 int i, j, max_device;
22892 - struct bios_connector bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
22894 atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset);
22896 diff -urNp linux-2.6.33/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.33/drivers/gpu/drm/radeon/radeon_state.c
22897 --- linux-2.6.33/drivers/gpu/drm/radeon/radeon_state.c 2010-02-24 13:52:17.000000000 -0500
22898 +++ linux-2.6.33/drivers/gpu/drm/radeon/radeon_state.c 2010-03-07 12:23:36.013715915 -0500
22899 @@ -2139,7 +2139,7 @@ static int radeon_cp_clear(struct drm_de
22900 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
22901 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
22903 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
22904 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
22905 sarea_priv->nbox * sizeof(depth_boxes[0])))
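Review bot: The added `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS ||` re-check still lets `sarea_priv->nbox` be read a second time for the copy length on the next line, so a value that changes between the two reads gets past it. The re-check only makes sense if `sarea_priv` points at memory another context can write while this ioctl runs, which the hunk does not show. In that case the count has to be fetched once into a local and clamped there: `int nbox = sarea_priv->nbox;`, `if (nbox > RADEON_NR_SAREA_CLIPRECTS) nbox = RADEON_NR_SAREA_CLIPRECTS;`, then `nbox * sizeof(depth_boxes[0])` as the length. Later uses of `sarea_priv->nbox` in radeon_cp_clear(), outside this hunk, would need the same local.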
22908 @@ -3014,7 +3014,7 @@ static int radeon_cp_getparam(struct drm
22910 drm_radeon_private_t *dev_priv = dev->dev_private;
22911 drm_radeon_getparam_t *param = data;
22915 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
22917 diff -urNp linux-2.6.33/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.33/drivers/gpu/drm/radeon/radeon_ttm.c
22918 --- linux-2.6.33/drivers/gpu/drm/radeon/radeon_ttm.c 2010-02-24 13:52:17.000000000 -0500
22919 +++ linux-2.6.33/drivers/gpu/drm/radeon/radeon_ttm.c 2010-03-07 12:23:36.013715915 -0500
22920 @@ -564,27 +564,10 @@ void radeon_ttm_fini(struct radeon_devic
22921 DRM_INFO("radeon: ttm finalized\n");
22924 -static struct vm_operations_struct radeon_ttm_vm_ops;
22925 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
22927 -static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
22929 - struct ttm_buffer_object *bo;
22932 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
22933 - if (bo == NULL) {
22934 - return VM_FAULT_NOPAGE;
22936 - r = ttm_vm_ops->fault(vma, vmf);
22940 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
22942 struct drm_file *file_priv;
22943 struct radeon_device *rdev;
22946 if (unlikely(vma->vm_pgoff < DRM_FILE_PAGE_OFFSET)) {
22947 return drm_mmap(filp, vma);
22948 @@ -592,20 +575,9 @@ int radeon_mmap(struct file *filp, struc
22950 file_priv = (struct drm_file *)filp->private_data;
22951 rdev = file_priv->minor->dev->dev_private;
22952 - if (rdev == NULL) {
22956 - r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
22957 - if (unlikely(r != 0)) {
22960 - if (unlikely(ttm_vm_ops == NULL)) {
22961 - ttm_vm_ops = vma->vm_ops;
22962 - radeon_ttm_vm_ops = *ttm_vm_ops;
22963 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
22965 - vma->vm_ops = &radeon_ttm_vm_ops;
22967 + return ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
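Review bot: The rewritten tail of radeon_mmap() drops the `if (rdev == NULL)` branch together with the vm_ops wrapper, and the new `return ttm_bo_mmap(filp, vma, &rdev->mman.bdev);` then derives a pointer from `rdev` unconditionally. Removing the fault wrapper does not by itself make that guard unnecessary. Unless `dev_private` is guaranteed non-NULL for every open file by the time mmap can be called (not visible here), keep the check in front of the call, returning the same error the removed branch did.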
22971 diff -urNp linux-2.6.33/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.33/drivers/gpu/drm/ttm/ttm_bo.c
22972 --- linux-2.6.33/drivers/gpu/drm/ttm/ttm_bo.c 2010-02-24 13:52:17.000000000 -0500
22973 +++ linux-2.6.33/drivers/gpu/drm/ttm/ttm_bo.c 2010-03-07 12:23:36.013715915 -0500
22974 @@ -128,7 +128,7 @@ static struct attribute *ttm_bo_global_a
22978 -static struct sysfs_ops ttm_bo_global_ops = {
22979 +static const struct sysfs_ops ttm_bo_global_ops = {
22980 .show = &ttm_bo_global_show
22983 diff -urNp linux-2.6.33/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.33/drivers/gpu/drm/ttm/ttm_bo_vm.c
22984 --- linux-2.6.33/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-02-24 13:52:17.000000000 -0500
22985 +++ linux-2.6.33/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-03-07 12:23:36.013715915 -0500
22986 @@ -73,7 +73,7 @@ static int ttm_bo_vm_fault(struct vm_are
22988 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
22989 vma->vm_private_data;
22990 - struct ttm_bo_device *bdev = bo->bdev;
22991 + struct ttm_bo_device *bdev;
22992 unsigned long bus_base;
22993 unsigned long bus_offset;
22994 unsigned long bus_size;
22995 @@ -88,6 +88,10 @@ static int ttm_bo_vm_fault(struct vm_are
22996 unsigned long address = (unsigned long)vmf->virtual_address;
22997 int retval = VM_FAULT_NOPAGE;
23000 + return VM_FAULT_NOPAGE;
23004 * Work around locking order reversal in fault / nopfn
23005 * between mmap_sem and bo_reserve: Perform a trylock operation
23006 diff -urNp linux-2.6.33/drivers/gpu/drm/ttm/ttm_global.c linux-2.6.33/drivers/gpu/drm/ttm/ttm_global.c
23007 --- linux-2.6.33/drivers/gpu/drm/ttm/ttm_global.c 2010-02-24 13:52:17.000000000 -0500
23008 +++ linux-2.6.33/drivers/gpu/drm/ttm/ttm_global.c 2010-03-07 12:23:36.013715915 -0500
23010 struct ttm_global_item {
23011 struct mutex mutex;
23014 + atomic_t refcount;
23017 static struct ttm_global_item glob[TTM_GLOBAL_NUM];
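Review bot: `refcount` becomes an `atomic_t` with no comment saying why, and the accesses visible in the later `ttm_global_item_ref` and `ttm_global_item_unref` hunks still sit after `mutex_lock(&item->mutex)`, so the atomicity itself adds no protection there. If the intent is overflow detection on this reference count (presumably so, given the `_unchecked` variants used for plain statistics elsewhere in this patch), record it on the field, for example `/* atomic_t for refcount overflow detection; still serialized by item->mutex */`. In `ttm_global_item_unref` the `BUG_ON(atomic_read(&item->refcount) == 0)` followed by `atomic_dec_and_test()` remains a two-step check that is only correct because of that mutex. The struct body is only partly visible in this hunk.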
23018 @@ -49,7 +49,7 @@ void ttm_global_init(void)
23019 struct ttm_global_item *item = &glob[i];
23020 mutex_init(&item->mutex);
23021 item->object = NULL;
23022 - item->refcount = 0;
23023 + atomic_set(&item->refcount, 0);
23027 @@ -59,7 +59,7 @@ void ttm_global_release(void)
23028 for (i = 0; i < TTM_GLOBAL_NUM; ++i) {
23029 struct ttm_global_item *item = &glob[i];
23030 BUG_ON(item->object != NULL);
23031 - BUG_ON(item->refcount != 0);
23032 + BUG_ON(atomic_read(&item->refcount) != 0);
23036 @@ -70,7 +70,7 @@ int ttm_global_item_ref(struct ttm_globa
23039 mutex_lock(&item->mutex);
23040 - if (item->refcount == 0) {
23041 + if (atomic_read(&item->refcount) == 0) {
23042 item->object = kzalloc(ref->size, GFP_KERNEL);
23043 if (unlikely(item->object == NULL)) {
23045 @@ -83,7 +83,7 @@ int ttm_global_item_ref(struct ttm_globa
23049 - ++item->refcount;
23050 + atomic_inc(&item->refcount);
23051 ref->object = item->object;
23052 object = item->object;
23053 mutex_unlock(&item->mutex);
23054 @@ -100,9 +100,9 @@ void ttm_global_item_unref(struct ttm_gl
23055 struct ttm_global_item *item = &glob[ref->global_type];
23057 mutex_lock(&item->mutex);
23058 - BUG_ON(item->refcount == 0);
23059 + BUG_ON(atomic_read(&item->refcount) == 0);
23060 BUG_ON(ref->object != item->object);
23061 - if (--item->refcount == 0) {
23062 + if (atomic_dec_and_test(&item->refcount)) {
23064 item->object = NULL;
23066 diff -urNp linux-2.6.33/drivers/gpu/drm/ttm/ttm_memory.c linux-2.6.33/drivers/gpu/drm/ttm/ttm_memory.c
23067 --- linux-2.6.33/drivers/gpu/drm/ttm/ttm_memory.c 2010-02-24 13:52:17.000000000 -0500
23068 +++ linux-2.6.33/drivers/gpu/drm/ttm/ttm_memory.c 2010-03-07 12:23:36.013715915 -0500
23069 @@ -152,7 +152,7 @@ static struct attribute *ttm_mem_zone_at
23073 -static struct sysfs_ops ttm_mem_zone_ops = {
23074 +static const struct sysfs_ops ttm_mem_zone_ops = {
23075 .show = &ttm_mem_zone_show,
23076 .store = &ttm_mem_zone_store
23078 diff -urNp linux-2.6.33/drivers/hwmon/k8temp.c linux-2.6.33/drivers/hwmon/k8temp.c
23079 --- linux-2.6.33/drivers/hwmon/k8temp.c 2010-02-24 13:52:17.000000000 -0500
23080 +++ linux-2.6.33/drivers/hwmon/k8temp.c 2010-03-07 12:23:36.013715915 -0500
23081 @@ -138,7 +138,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
23083 static const struct pci_device_id k8temp_ids[] = {
23084 { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
23086 + { 0, 0, 0, 0, 0, 0, 0 },
23089 MODULE_DEVICE_TABLE(pci, k8temp_ids);
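Review bot: The table terminator is written as seven positional zeros, `{ 0, 0, 0, 0, 0, 0, 0 },`, which ties the line to the current member count of `struct pci_device_id`. The same form is added in sis5595.c, via686a.c, vt8231.c, i2c-i801.c, i2c-piix4.c, i2c-sis630.c, i2c-sis96x.c and ohci1394.c, with and without the trailing comma. If the aim is to silence a missing-initializer warning (an assumption, the patch does not say), a designated form such as `{ .vendor = 0 } /* terminator */` does that without depending on the struct layout. Whichever form is kept, a `/* terminator */` comment and one consistent spelling across the tables would make the sentinel obvious.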
23090 diff -urNp linux-2.6.33/drivers/hwmon/sis5595.c linux-2.6.33/drivers/hwmon/sis5595.c
23091 --- linux-2.6.33/drivers/hwmon/sis5595.c 2010-02-24 13:52:17.000000000 -0500
23092 +++ linux-2.6.33/drivers/hwmon/sis5595.c 2010-03-07 12:23:36.013715915 -0500
23093 @@ -699,7 +699,7 @@ static struct sis5595_data *sis5595_upda
23095 static const struct pci_device_id sis5595_pci_ids[] = {
23096 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
23098 + { 0, 0, 0, 0, 0, 0, 0 }
23101 MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
23102 diff -urNp linux-2.6.33/drivers/hwmon/via686a.c linux-2.6.33/drivers/hwmon/via686a.c
23103 --- linux-2.6.33/drivers/hwmon/via686a.c 2010-02-24 13:52:17.000000000 -0500
23104 +++ linux-2.6.33/drivers/hwmon/via686a.c 2010-03-07 12:23:36.013715915 -0500
23105 @@ -769,7 +769,7 @@ static struct via686a_data *via686a_upda
23107 static const struct pci_device_id via686a_pci_ids[] = {
23108 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
23110 + { 0, 0, 0, 0, 0, 0, 0 }
23113 MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
23114 diff -urNp linux-2.6.33/drivers/hwmon/vt8231.c linux-2.6.33/drivers/hwmon/vt8231.c
23115 --- linux-2.6.33/drivers/hwmon/vt8231.c 2010-02-24 13:52:17.000000000 -0500
23116 +++ linux-2.6.33/drivers/hwmon/vt8231.c 2010-03-07 12:23:36.013715915 -0500
23117 @@ -699,7 +699,7 @@ static struct platform_driver vt8231_dri
23119 static const struct pci_device_id vt8231_pci_ids[] = {
23120 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
23122 + { 0, 0, 0, 0, 0, 0, 0 }
23125 MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
23126 diff -urNp linux-2.6.33/drivers/hwmon/w83791d.c linux-2.6.33/drivers/hwmon/w83791d.c
23127 --- linux-2.6.33/drivers/hwmon/w83791d.c 2010-02-24 13:52:17.000000000 -0500
23128 +++ linux-2.6.33/drivers/hwmon/w83791d.c 2010-03-07 12:23:36.013715915 -0500
23129 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
23130 struct i2c_board_info *info);
23131 static int w83791d_remove(struct i2c_client *client);
23133 -static int w83791d_read(struct i2c_client *client, u8 register);
23134 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
23135 +static int w83791d_read(struct i2c_client *client, u8 reg);
23136 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
23137 static struct w83791d_data *w83791d_update_device(struct device *dev);
23140 diff -urNp linux-2.6.33/drivers/i2c/busses/i2c-i801.c linux-2.6.33/drivers/i2c/busses/i2c-i801.c
23141 --- linux-2.6.33/drivers/i2c/busses/i2c-i801.c 2010-02-24 13:52:17.000000000 -0500
23142 +++ linux-2.6.33/drivers/i2c/busses/i2c-i801.c 2010-03-07 12:23:36.013715915 -0500
23143 @@ -578,7 +578,7 @@ static struct pci_device_id i801_ids[] =
23144 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH10_4) },
23145 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH10_5) },
23146 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PCH_SMBUS) },
23148 + { 0, 0, 0, 0, 0, 0, 0 }
23151 MODULE_DEVICE_TABLE (pci, i801_ids);
23152 diff -urNp linux-2.6.33/drivers/i2c/busses/i2c-piix4.c linux-2.6.33/drivers/i2c/busses/i2c-piix4.c
23153 --- linux-2.6.33/drivers/i2c/busses/i2c-piix4.c 2010-02-24 13:52:17.000000000 -0500
23154 +++ linux-2.6.33/drivers/i2c/busses/i2c-piix4.c 2010-03-07 12:23:36.013715915 -0500
23155 @@ -124,7 +124,7 @@ static struct dmi_system_id __devinitdat
23157 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
23160 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23163 static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
23164 @@ -491,7 +491,7 @@ static struct pci_device_id piix4_ids[]
23165 PCI_DEVICE_ID_SERVERWORKS_HT1000SB) },
23166 { PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
23167 PCI_DEVICE_ID_SERVERWORKS_HT1100LD) },
23169 + { 0, 0, 0, 0, 0, 0, 0 }
23172 MODULE_DEVICE_TABLE (pci, piix4_ids);
23173 diff -urNp linux-2.6.33/drivers/i2c/busses/i2c-sis630.c linux-2.6.33/drivers/i2c/busses/i2c-sis630.c
23174 --- linux-2.6.33/drivers/i2c/busses/i2c-sis630.c 2010-02-24 13:52:17.000000000 -0500
23175 +++ linux-2.6.33/drivers/i2c/busses/i2c-sis630.c 2010-03-07 12:23:36.013715915 -0500
23176 @@ -471,7 +471,7 @@ static struct i2c_adapter sis630_adapter
23177 static struct pci_device_id sis630_ids[] __devinitdata = {
23178 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
23179 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
23181 + { 0, 0, 0, 0, 0, 0, 0 }
23184 MODULE_DEVICE_TABLE (pci, sis630_ids);
23185 diff -urNp linux-2.6.33/drivers/i2c/busses/i2c-sis96x.c linux-2.6.33/drivers/i2c/busses/i2c-sis96x.c
23186 --- linux-2.6.33/drivers/i2c/busses/i2c-sis96x.c 2010-02-24 13:52:17.000000000 -0500
23187 +++ linux-2.6.33/drivers/i2c/busses/i2c-sis96x.c 2010-03-07 12:23:36.013715915 -0500
23188 @@ -247,7 +247,7 @@ static struct i2c_adapter sis96x_adapter
23190 static struct pci_device_id sis96x_ids[] = {
23191 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
23193 + { 0, 0, 0, 0, 0, 0, 0 }
23196 MODULE_DEVICE_TABLE (pci, sis96x_ids);
23197 diff -urNp linux-2.6.33/drivers/ide/ide-cd.c linux-2.6.33/drivers/ide/ide-cd.c
23198 --- linux-2.6.33/drivers/ide/ide-cd.c 2010-02-24 13:52:17.000000000 -0500
23199 +++ linux-2.6.33/drivers/ide/ide-cd.c 2010-03-07 12:23:36.017712707 -0500
23200 @@ -766,7 +766,7 @@ static void cdrom_do_block_pc(ide_drive_
23201 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
23202 if ((unsigned long)buf & alignment
23203 || blk_rq_bytes(rq) & q->dma_pad_mask
23204 - || object_is_on_stack(buf))
23205 + || object_starts_on_stack(buf))
23209 diff -urNp linux-2.6.33/drivers/ieee1394/dv1394.c linux-2.6.33/drivers/ieee1394/dv1394.c
23210 --- linux-2.6.33/drivers/ieee1394/dv1394.c 2010-02-24 13:52:17.000000000 -0500
23211 +++ linux-2.6.33/drivers/ieee1394/dv1394.c 2010-03-07 12:23:36.017712707 -0500
23212 @@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
23213 based upon DIF section and sequence
23216 -static void inline
23217 +static inline void
23218 frame_put_packet (struct frame *f, struct packet *p)
23220 int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
23221 @@ -2178,7 +2178,7 @@ static const struct ieee1394_device_id d
23222 .specifier_id = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
23223 .version = AVC_SW_VERSION_ENTRY & 0xffffff
23226 + { 0, 0, 0, 0, 0, 0 }
23229 MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
23230 diff -urNp linux-2.6.33/drivers/ieee1394/eth1394.c linux-2.6.33/drivers/ieee1394/eth1394.c
23231 --- linux-2.6.33/drivers/ieee1394/eth1394.c 2010-02-24 13:52:17.000000000 -0500
23232 +++ linux-2.6.33/drivers/ieee1394/eth1394.c 2010-03-07 12:23:36.017712707 -0500
23233 @@ -446,7 +446,7 @@ static const struct ieee1394_device_id e
23234 .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
23235 .version = ETHER1394_GASP_VERSION,
23238 + { 0, 0, 0, 0, 0, 0 }
23241 MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
23242 diff -urNp linux-2.6.33/drivers/ieee1394/hosts.c linux-2.6.33/drivers/ieee1394/hosts.c
23243 --- linux-2.6.33/drivers/ieee1394/hosts.c 2010-02-24 13:52:17.000000000 -0500
23244 +++ linux-2.6.33/drivers/ieee1394/hosts.c 2010-03-07 12:23:36.017712707 -0500
23245 @@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
23248 static struct hpsb_host_driver dummy_driver = {
23250 .transmit_packet = dummy_transmit_packet,
23251 .devctl = dummy_devctl,
23252 .isoctl = dummy_isoctl
23253 diff -urNp linux-2.6.33/drivers/ieee1394/ohci1394.c linux-2.6.33/drivers/ieee1394/ohci1394.c
23254 --- linux-2.6.33/drivers/ieee1394/ohci1394.c 2010-02-24 13:52:17.000000000 -0500
23255 +++ linux-2.6.33/drivers/ieee1394/ohci1394.c 2010-03-07 12:23:36.017712707 -0500
23256 @@ -148,9 +148,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
23257 printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
23259 /* Module Parameters */
23260 -static int phys_dma = 1;
23261 +static int phys_dma;
23262 module_param(phys_dma, int, 0444);
23263 -MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 1).");
23264 +MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0).");
23266 static void dma_trm_tasklet(unsigned long data);
23267 static void dma_trm_reset(struct dma_trm_ctx *d);
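Review bot: The default for `phys_dma` flips from enabled to disabled without a comment recording the reason, so a later cleanup could restore `= 1` as an apparent regression fix. A short comment above the declaration would keep the hardening intact, for example `/* Physical DMA lets bus nodes access host memory directly; keep it off unless requested at load time. */`. The parameter stays `0444`, so as far as this hunk shows it can only be chosen when the module is loaded. Anything that relied on the old default now needs `phys_dma=1` passed explicitly, which is worth stating in the driver documentation.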
23268 @@ -3445,7 +3445,7 @@ static struct pci_device_id ohci1394_pci
23269 .subvendor = PCI_ANY_ID,
23270 .subdevice = PCI_ANY_ID,
23273 + { 0, 0, 0, 0, 0, 0, 0 },
23276 MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
23277 diff -urNp linux-2.6.33/drivers/ieee1394/raw1394.c linux-2.6.33/drivers/ieee1394/raw1394.c
23278 --- linux-2.6.33/drivers/ieee1394/raw1394.c 2010-02-24 13:52:17.000000000 -0500
23279 +++ linux-2.6.33/drivers/ieee1394/raw1394.c 2010-03-07 12:23:36.017712707 -0500
23280 @@ -3002,7 +3002,7 @@ static const struct ieee1394_device_id r
23281 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
23282 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
23283 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
23285 + { 0, 0, 0, 0, 0, 0 }
23288 MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
23289 diff -urNp linux-2.6.33/drivers/ieee1394/sbp2.c linux-2.6.33/drivers/ieee1394/sbp2.c
23290 --- linux-2.6.33/drivers/ieee1394/sbp2.c 2010-02-24 13:52:17.000000000 -0500
23291 +++ linux-2.6.33/drivers/ieee1394/sbp2.c 2010-03-07 12:23:36.017712707 -0500
23292 @@ -290,7 +290,7 @@ static const struct ieee1394_device_id s
23293 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
23294 .specifier_id = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
23295 .version = SBP2_SW_VERSION_ENTRY & 0xffffff},
23297 + { 0, 0, 0, 0, 0, 0 }
23299 MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
23301 @@ -2111,7 +2111,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
23302 MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
23303 MODULE_LICENSE("GPL");
23305 -static int sbp2_module_init(void)
23306 +static int __init sbp2_module_init(void)
23310 diff -urNp linux-2.6.33/drivers/ieee1394/video1394.c linux-2.6.33/drivers/ieee1394/video1394.c
23311 --- linux-2.6.33/drivers/ieee1394/video1394.c 2010-02-24 13:52:17.000000000 -0500
23312 +++ linux-2.6.33/drivers/ieee1394/video1394.c 2010-03-07 12:23:36.021704836 -0500
23313 @@ -1311,7 +1311,7 @@ static const struct ieee1394_device_id v
23314 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
23315 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
23318 + { 0, 0, 0, 0, 0, 0 }
23321 MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
23322 diff -urNp linux-2.6.33/drivers/infiniband/core/cm.c linux-2.6.33/drivers/infiniband/core/cm.c
23323 --- linux-2.6.33/drivers/infiniband/core/cm.c 2010-02-24 13:52:17.000000000 -0500
23324 +++ linux-2.6.33/drivers/infiniband/core/cm.c 2010-03-07 12:23:36.021704836 -0500
23325 @@ -112,7 +112,7 @@ static char const counter_group_names[CM
23327 struct cm_counter_group {
23328 struct kobject obj;
23329 - atomic_long_t counter[CM_ATTR_COUNT];
23330 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
23333 struct cm_counter_attribute {
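Review bot: The `counter` array switches to `atomic_long_unchecked_t` with nothing on the field explaining why overflow checking is opted out of. A one-line comment such as `/* statistics only, never a reference count; wrap-around is harmless */` would record the reasoning that makes the `_unchecked` accessors acceptable. The same reasoning covers every `atomic_long_inc_unchecked` and `atomic_long_add_unchecked` call site and the `atomic_long_read_unchecked` in `cm_show_counter` later in this file. Separately, in the `cm_recv_handler` hunk the index `attr_id - CM_ATTR_ID_OFFSET` is derived from the received MAD header. Whatever range check bounds it against `CM_ATTR_COUNT` lies outside the hunk and is worth confirming.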
23334 @@ -1386,7 +1386,7 @@ static void cm_dup_req_handler(struct cm
23335 struct ib_mad_send_buf *msg = NULL;
23338 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23339 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23340 counter[CM_REQ_COUNTER]);
23342 /* Quick state check to discard duplicate REQs. */
23343 @@ -1764,7 +1764,7 @@ static void cm_dup_rep_handler(struct cm
23347 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23348 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23349 counter[CM_REP_COUNTER]);
23350 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
23352 @@ -1931,7 +1931,7 @@ static int cm_rtu_handler(struct cm_work
23353 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
23354 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
23355 spin_unlock_irq(&cm_id_priv->lock);
23356 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23357 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23358 counter[CM_RTU_COUNTER]);
23361 @@ -2110,7 +2110,7 @@ static int cm_dreq_handler(struct cm_wor
23362 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
23363 dreq_msg->local_comm_id);
23365 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23366 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23367 counter[CM_DREQ_COUNTER]);
23368 cm_issue_drep(work->port, work->mad_recv_wc);
23370 @@ -2131,7 +2131,7 @@ static int cm_dreq_handler(struct cm_wor
23371 case IB_CM_MRA_REP_RCVD:
23373 case IB_CM_TIMEWAIT:
23374 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23375 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23376 counter[CM_DREQ_COUNTER]);
23377 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
23379 @@ -2145,7 +2145,7 @@ static int cm_dreq_handler(struct cm_wor
23382 case IB_CM_DREQ_RCVD:
23383 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23384 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23385 counter[CM_DREQ_COUNTER]);
23388 @@ -2501,7 +2501,7 @@ static int cm_mra_handler(struct cm_work
23389 ib_modify_mad(cm_id_priv->av.port->mad_agent,
23390 cm_id_priv->msg, timeout)) {
23391 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
23392 - atomic_long_inc(&work->port->
23393 + atomic_long_inc_unchecked(&work->port->
23394 counter_group[CM_RECV_DUPLICATES].
23395 counter[CM_MRA_COUNTER]);
23397 @@ -2510,7 +2510,7 @@ static int cm_mra_handler(struct cm_work
23399 case IB_CM_MRA_REQ_RCVD:
23400 case IB_CM_MRA_REP_RCVD:
23401 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23402 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23403 counter[CM_MRA_COUNTER]);
23406 @@ -2672,7 +2672,7 @@ static int cm_lap_handler(struct cm_work
23407 case IB_CM_LAP_IDLE:
23409 case IB_CM_MRA_LAP_SENT:
23410 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23411 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23412 counter[CM_LAP_COUNTER]);
23413 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
23415 @@ -2688,7 +2688,7 @@ static int cm_lap_handler(struct cm_work
23418 case IB_CM_LAP_RCVD:
23419 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23420 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23421 counter[CM_LAP_COUNTER]);
23424 @@ -2972,7 +2972,7 @@ static int cm_sidr_req_handler(struct cm
23425 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
23426 if (cur_cm_id_priv) {
23427 spin_unlock_irq(&cm.lock);
23428 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23429 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23430 counter[CM_SIDR_REQ_COUNTER]);
23431 goto out; /* Duplicate message. */
23433 @@ -3183,10 +3183,10 @@ static void cm_send_handler(struct ib_ma
23434 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
23437 - atomic_long_add(1 + msg->retries,
23438 + atomic_long_add_unchecked(1 + msg->retries,
23439 &port->counter_group[CM_XMIT].counter[attr_index]);
23441 - atomic_long_add(msg->retries,
23442 + atomic_long_add_unchecked(msg->retries,
23443 &port->counter_group[CM_XMIT_RETRIES].
23444 counter[attr_index]);
23446 @@ -3396,7 +3396,7 @@ static void cm_recv_handler(struct ib_ma
23449 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
23450 - atomic_long_inc(&port->counter_group[CM_RECV].
23451 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
23452 counter[attr_id - CM_ATTR_ID_OFFSET]);
23454 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
23455 @@ -3594,10 +3594,10 @@ static ssize_t cm_show_counter(struct ko
23456 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
23458 return sprintf(buf, "%ld\n",
23459 - atomic_long_read(&group->counter[cm_attr->index]));
23460 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
23463 -static struct sysfs_ops cm_counter_ops = {
23464 +static const struct sysfs_ops cm_counter_ops = {
23465 .show = cm_show_counter
23468 diff -urNp linux-2.6.33/drivers/infiniband/core/sysfs.c linux-2.6.33/drivers/infiniband/core/sysfs.c
23469 --- linux-2.6.33/drivers/infiniband/core/sysfs.c 2010-02-24 13:52:17.000000000 -0500
23470 +++ linux-2.6.33/drivers/infiniband/core/sysfs.c 2010-03-07 12:23:36.021704836 -0500
23471 @@ -79,7 +79,7 @@ static ssize_t port_attr_show(struct kob
23472 return port_attr->show(p, port_attr, buf);
23475 -static struct sysfs_ops port_sysfs_ops = {
23476 +static const struct sysfs_ops port_sysfs_ops = {
23477 .show = port_attr_show
23480 diff -urNp linux-2.6.33/drivers/input/keyboard/atkbd.c linux-2.6.33/drivers/input/keyboard/atkbd.c
23481 --- linux-2.6.33/drivers/input/keyboard/atkbd.c 2010-02-24 13:52:17.000000000 -0500
23482 +++ linux-2.6.33/drivers/input/keyboard/atkbd.c 2010-03-07 12:23:36.021704836 -0500
23483 @@ -1229,7 +1229,7 @@ static struct serio_device_id atkbd_seri
23485 .extra = SERIO_ANY,
23491 MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
23492 diff -urNp linux-2.6.33/drivers/input/mouse/lifebook.c linux-2.6.33/drivers/input/mouse/lifebook.c
23493 --- linux-2.6.33/drivers/input/mouse/lifebook.c 2010-02-24 13:52:17.000000000 -0500
23494 +++ linux-2.6.33/drivers/input/mouse/lifebook.c 2010-03-07 12:23:36.021704836 -0500
23495 @@ -122,7 +122,7 @@ static const struct dmi_system_id __init
23496 DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
23500 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
23503 void __init lifebook_module_init(void)
23504 diff -urNp linux-2.6.33/drivers/input/mouse/psmouse-base.c linux-2.6.33/drivers/input/mouse/psmouse-base.c
23505 --- linux-2.6.33/drivers/input/mouse/psmouse-base.c 2010-02-24 13:52:17.000000000 -0500
23506 +++ linux-2.6.33/drivers/input/mouse/psmouse-base.c 2010-03-07 12:23:36.021704836 -0500
23507 @@ -1442,7 +1442,7 @@ static struct serio_device_id psmouse_se
23509 .extra = SERIO_ANY,
23515 MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
23516 diff -urNp linux-2.6.33/drivers/input/mouse/synaptics.c linux-2.6.33/drivers/input/mouse/synaptics.c
23517 --- linux-2.6.33/drivers/input/mouse/synaptics.c 2010-02-24 13:52:17.000000000 -0500
23518 +++ linux-2.6.33/drivers/input/mouse/synaptics.c 2010-03-07 12:23:36.021704836 -0500
23519 @@ -438,7 +438,7 @@ static void synaptics_process_packet(str
23522 if (SYN_MODEL_PEN(priv->model_id))
23523 - ; /* Nothing, treat a pen as a single finger */
23524 + break; /* Nothing, treat a pen as a single finger */
23527 if (SYN_CAP_PALMDETECT(priv->capabilities))
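Review bot: Replacing the empty statement with `break;` leaves the trailing comment `/* Nothing, treat a pen as a single finger */` describing a no-op that is no longer there. The comment should say what the statement now does, for example `break; /* treat a pen as a single finger */`. The enclosing construct and the statement after this `if` are outside the visible hunk lines. If that next statement is already the case's own `break`, the conditional has no effect and the comment alone would serve.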
23528 @@ -654,7 +654,6 @@ static const struct dmi_system_id __init
23529 DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
23530 DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
23535 /* Toshiba Portege M300 */
23536 @@ -663,9 +662,8 @@ static const struct dmi_system_id __init
23537 DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
23538 DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
23543 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23547 diff -urNp linux-2.6.33/drivers/input/mousedev.c linux-2.6.33/drivers/input/mousedev.c
23548 --- linux-2.6.33/drivers/input/mousedev.c 2010-02-24 13:52:17.000000000 -0500
23549 +++ linux-2.6.33/drivers/input/mousedev.c 2010-03-07 12:23:36.021704836 -0500
23550 @@ -760,7 +760,7 @@ static ssize_t mousedev_read(struct file
23552 spin_unlock_irq(&client->packet_lock);
23554 - if (copy_to_user(buffer, data, count))
23555 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
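Review bot: The new `count > sizeof(data)` test runs after `spin_unlock_irq(&client->packet_lock)`, later than the point where `data` would have been filled. The code that fills it is not among the visible hunk lines, but if it copies `count` bytes into `data` under the lock, an oversized `count` has already overrun the stack buffer before this check rejects the call. The bound belongs ahead of that copy, for example `count = min_t(size_t, count, sizeof(data));` next to wherever `count` is limited, with this check kept only as a last-resort guard. mousedev_read starts and ends outside the hunk.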
23559 @@ -1057,7 +1057,7 @@ static struct input_handler mousedev_han
23561 #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
23562 static struct miscdevice psaux_mouse = {
23563 - PSMOUSE_MINOR, "psaux", &mousedev_fops
23564 + PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
23566 static int psaux_registered;
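Review bot: `psaux_mouse` is initialised positionally, and the added `{NULL, NULL}, NULL, NULL` extends that to members whose names and order the reader has to look up in `struct miscdevice`. Designated initialisers state the intent and leave the remaining members zeroed: `.minor = PSMOUSE_MINOR, .name = "psaux", .fops = &mousedev_fops,`. That form stays correct if the struct gains or reorders members. It also avoids GCC's missing-field-initializer warning, if that is what the explicit NULLs are for (the patch does not say).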
23568 diff -urNp linux-2.6.33/drivers/input/serio/i8042-x86ia64io.h linux-2.6.33/drivers/input/serio/i8042-x86ia64io.h
23569 --- linux-2.6.33/drivers/input/serio/i8042-x86ia64io.h 2010-02-24 13:52:17.000000000 -0500
23570 +++ linux-2.6.33/drivers/input/serio/i8042-x86ia64io.h 2010-03-07 12:23:36.021704836 -0500
23571 @@ -172,7 +172,7 @@ static const struct dmi_system_id __init
23572 DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
23576 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23580 @@ -402,7 +402,7 @@ static const struct dmi_system_id __init
23581 DMI_MATCH(DMI_PRODUCT_VERSION, "0100"),
23585 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23588 static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
23589 @@ -469,7 +469,7 @@ static const struct dmi_system_id __init
23590 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1720"),
23594 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23598 @@ -488,7 +488,7 @@ static const struct dmi_system_id __init
23599 DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
23603 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23606 static const struct dmi_system_id __initconst i8042_dmi_laptop_table[] = {
23607 @@ -512,7 +512,7 @@ static const struct dmi_system_id __init
23608 DMI_MATCH(DMI_CHASSIS_TYPE, "14"), /* Sub-Notebook */
23612 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23616 @@ -586,7 +586,7 @@ static const struct dmi_system_id __init
23617 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"),
23621 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23624 #endif /* CONFIG_X86 */
23625 diff -urNp linux-2.6.33/drivers/input/serio/serio_raw.c linux-2.6.33/drivers/input/serio/serio_raw.c
23626 --- linux-2.6.33/drivers/input/serio/serio_raw.c 2010-02-24 13:52:17.000000000 -0500
23627 +++ linux-2.6.33/drivers/input/serio/serio_raw.c 2010-03-07 12:23:36.021704836 -0500
23628 @@ -377,7 +377,7 @@ static struct serio_device_id serio_raw_
23630 .extra = SERIO_ANY,
23636 MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
23637 diff -urNp linux-2.6.33/drivers/isdn/gigaset/common.c linux-2.6.33/drivers/isdn/gigaset/common.c
23638 --- linux-2.6.33/drivers/isdn/gigaset/common.c 2010-02-24 13:52:17.000000000 -0500
23639 +++ linux-2.6.33/drivers/isdn/gigaset/common.c 2010-03-07 12:23:36.021704836 -0500
23640 @@ -732,7 +732,7 @@ struct cardstate *gigaset_initcs(struct
23641 cs->commands_pending = 0;
23642 cs->cur_at_seq = 0;
23644 - cs->open_count = 0;
23645 + atomic_set(&cs->open_count, 0);
23648 cs->tty_dev = NULL;
23649 diff -urNp linux-2.6.33/drivers/isdn/gigaset/gigaset.h linux-2.6.33/drivers/isdn/gigaset/gigaset.h
23650 --- linux-2.6.33/drivers/isdn/gigaset/gigaset.h 2010-02-24 13:52:17.000000000 -0500
23651 +++ linux-2.6.33/drivers/isdn/gigaset/gigaset.h 2010-03-07 12:23:36.021704836 -0500
23652 @@ -440,7 +440,7 @@ struct cardstate {
23653 spinlock_t cmdlock;
23654 unsigned curlen, cmdbytes;
23656 - unsigned open_count;
23657 + atomic_t open_count;
23658 struct tty_struct *tty;
23659 struct tasklet_struct if_wake_tasklet;
23660 unsigned control_state;
23661 diff -urNp linux-2.6.33/drivers/isdn/gigaset/interface.c linux-2.6.33/drivers/isdn/gigaset/interface.c
23662 --- linux-2.6.33/drivers/isdn/gigaset/interface.c 2010-02-24 13:52:17.000000000 -0500
23663 +++ linux-2.6.33/drivers/isdn/gigaset/interface.c 2010-03-07 12:23:36.025724522 -0500
23664 @@ -165,9 +165,7 @@ static int if_open(struct tty_struct *tt
23665 return -ERESTARTSYS;
23666 tty->driver_data = cs;
23668 - ++cs->open_count;
23670 - if (cs->open_count == 1) {
23671 + if (atomic_inc_return(&cs->open_count) == 1) {
23672 spin_lock_irqsave(&cs->lock, flags);
23674 spin_unlock_irqrestore(&cs->lock, flags);
23675 @@ -195,10 +193,10 @@ static void if_close(struct tty_struct *
23677 if (!cs->connected)
23678 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
23679 - else if (!cs->open_count)
23680 + else if (!atomic_read(&cs->open_count))
23681 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23683 - if (!--cs->open_count) {
23684 + if (!atomic_dec_return(&cs->open_count)) {
23685 spin_lock_irqsave(&cs->lock, flags);
23687 spin_unlock_irqrestore(&cs->lock, flags);
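Review bot: In `if_close` the zero test `!atomic_read(&cs->open_count)` and the later `atomic_dec_return(&cs->open_count)` are two separate atomic operations, so the conversion to `atomic_t` does not by itself make the "not opened" guard and the decrement one indivisible step. That sequence is only safe under whatever lock `if_close` holds around it, which is outside the hunk. A comment on the field in gigaset.h, such as `/* atomic_t for overflow detection; updates still serialized by the caller's lock */`, would keep a later reader from assuming the counter can be used lock-free. The same read-then-act pattern appears in the `if_ioctl`, `if_write`, `if_write_room`, `if_chars_in_buffer`, `if_throttle`, `if_unthrottle` and `if_set_termios` hunks.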
23688 @@ -233,7 +231,7 @@ static int if_ioctl(struct tty_struct *t
23689 if (!cs->connected) {
23690 gig_dbg(DEBUG_IF, "not connected");
23692 - } else if (!cs->open_count)
23693 + } else if (!atomic_read(&cs->open_count))
23694 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23697 @@ -360,7 +358,7 @@ static int if_write(struct tty_struct *t
23698 if (!cs->connected) {
23699 gig_dbg(DEBUG_IF, "not connected");
23701 - } else if (!cs->open_count)
23702 + } else if (!atomic_read(&cs->open_count))
23703 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23704 else if (cs->mstate != MS_LOCKED) {
23705 dev_warn(cs->dev, "can't write to unlocked device\n");
23706 @@ -394,7 +392,7 @@ static int if_write_room(struct tty_stru
23707 if (!cs->connected) {
23708 gig_dbg(DEBUG_IF, "not connected");
23710 - } else if (!cs->open_count)
23711 + } else if (!atomic_read(&cs->open_count))
23712 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23713 else if (cs->mstate != MS_LOCKED) {
23714 dev_warn(cs->dev, "can't write to unlocked device\n");
23715 @@ -424,7 +422,7 @@ static int if_chars_in_buffer(struct tty
23717 if (!cs->connected)
23718 gig_dbg(DEBUG_IF, "not connected");
23719 - else if (!cs->open_count)
23720 + else if (!atomic_read(&cs->open_count))
23721 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23722 else if (cs->mstate != MS_LOCKED)
23723 dev_warn(cs->dev, "can't write to unlocked device\n");
23724 @@ -452,7 +450,7 @@ static void if_throttle(struct tty_struc
23726 if (!cs->connected)
23727 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
23728 - else if (!cs->open_count)
23729 + else if (!atomic_read(&cs->open_count))
23730 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23732 gig_dbg(DEBUG_ANY, "%s: not implemented\n", __func__);
23733 @@ -476,7 +474,7 @@ static void if_unthrottle(struct tty_str
23735 if (!cs->connected)
23736 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
23737 - else if (!cs->open_count)
23738 + else if (!atomic_read(&cs->open_count))
23739 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23741 gig_dbg(DEBUG_ANY, "%s: not implemented\n", __func__);
23742 @@ -507,7 +505,7 @@ static void if_set_termios(struct tty_st
23746 - if (!cs->open_count) {
23747 + if (!atomic_read(&cs->open_count)) {
23748 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23751 diff -urNp linux-2.6.33/drivers/isdn/hardware/avm/b1.c linux-2.6.33/drivers/isdn/hardware/avm/b1.c
23752 --- linux-2.6.33/drivers/isdn/hardware/avm/b1.c 2010-02-24 13:52:17.000000000 -0500
23753 +++ linux-2.6.33/drivers/isdn/hardware/avm/b1.c 2010-03-07 12:23:36.025724522 -0500
23754 @@ -173,7 +173,7 @@ int b1_load_t4file(avmcard *card, capilo
23757 if (t4file->user) {
23758 - if (copy_from_user(buf, dp, left))
23759 + if (left > sizeof(buf) || copy_from_user(buf, dp, left))
23762 memcpy(buf, dp, left);
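Review bot: The added `left > sizeof(buf)` bound guards only the `copy_from_user` branch. The `memcpy(buf, dp, left)` on the other branch of the same hunk writes into the same `buf` with the same `left` and gets no check. If the bound is needed at all it applies to both paths, so it is better hoisted above `if (t4file->user)` as a single `if (left > sizeof(buf))` test that returns the function's existing error value (not visible here). The `b1_load_config` hunk below and the `icn_writecmd` hunk in icn.c, which has `memcpy(msg, buf, count)`, have the same shape. Whether earlier code already guarantees `left <= sizeof(buf)` cannot be seen from the hunk.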
23763 @@ -221,7 +221,7 @@ int b1_load_config(avmcard *card, capilo
23766 if (config->user) {
23767 - if (copy_from_user(buf, dp, left))
23768 + if (left > sizeof(buf) || copy_from_user(buf, dp, left))
23771 memcpy(buf, dp, left);
23772 diff -urNp linux-2.6.33/drivers/isdn/icn/icn.c linux-2.6.33/drivers/isdn/icn/icn.c
23773 --- linux-2.6.33/drivers/isdn/icn/icn.c 2010-02-24 13:52:17.000000000 -0500
23774 +++ linux-2.6.33/drivers/isdn/icn/icn.c 2010-03-07 12:23:36.025724522 -0500
23775 @@ -1044,7 +1044,7 @@ icn_writecmd(const u_char * buf, int len
23779 - if (copy_from_user(msg, buf, count))
23780 + if (count > sizeof(msg) || copy_from_user(msg, buf, count))
23783 memcpy(msg, buf, count);
23784 diff -urNp linux-2.6.33/drivers/lguest/core.c linux-2.6.33/drivers/lguest/core.c
23785 --- linux-2.6.33/drivers/lguest/core.c 2010-02-24 13:52:17.000000000 -0500
23786 +++ linux-2.6.33/drivers/lguest/core.c 2010-03-07 12:23:36.025724522 -0500
23787 @@ -91,9 +91,17 @@ static __init int map_switcher(void)
23788 * it's worked so far. The end address needs +1 because __get_vm_area
23789 * allocates an extra guard page, so we need space for that.
23792 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
23793 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
23794 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
23795 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
23797 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
23798 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
23799 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
23802 if (!switcher_vma) {
23804 printk("lguest: could not map switcher pages high\n");
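Review bot: The `__get_vm_area` call is now written twice and the two copies differ only in `VM_ALLOC | VM_KERNEXEC` versus `VM_ALLOC`, so a later change to the size or address arguments has to be made in both places. Selecting only the flags under the `#if`, for example `#define SWITCHER_VM_FLAGS (VM_ALLOC | VM_KERNEXEC)` with a plain `VM_ALLOC` fallback, and keeping one call would remove that risk. A comment stating why the switcher mapping needs `VM_KERNEXEC` only when `CONFIG_MODULES`, `CONFIG_X86_32` and `CONFIG_PAX_KERNEXEC` are all set would also help the next reader. map_switcher continues beyond the hunk.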
23805 diff -urNp linux-2.6.33/drivers/macintosh/via-pmu-backlight.c linux-2.6.33/drivers/macintosh/via-pmu-backlight.c
23806 --- linux-2.6.33/drivers/macintosh/via-pmu-backlight.c 2010-02-24 13:52:17.000000000 -0500
23807 +++ linux-2.6.33/drivers/macintosh/via-pmu-backlight.c 2010-03-07 12:23:36.025724522 -0500
23810 #define MAX_PMU_LEVEL 0xFF
23812 -static struct backlight_ops pmu_backlight_data;
23813 +static const struct backlight_ops pmu_backlight_data;
23814 static DEFINE_SPINLOCK(pmu_backlight_lock);
23815 static int sleeping, uses_pmu_bl;
23816 static u8 bl_curve[FB_BACKLIGHT_LEVELS];
23817 @@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
23818 return bd->props.brightness;
23821 -static struct backlight_ops pmu_backlight_data = {
23822 +static const struct backlight_ops pmu_backlight_data = {
23823 .get_brightness = pmu_backlight_get_brightness,
23824 .update_status = pmu_backlight_update_status,
23826 diff -urNp linux-2.6.33/drivers/macintosh/via-pmu.c linux-2.6.33/drivers/macintosh/via-pmu.c
23827 --- linux-2.6.33/drivers/macintosh/via-pmu.c 2010-02-24 13:52:17.000000000 -0500
23828 +++ linux-2.6.33/drivers/macintosh/via-pmu.c 2010-03-07 12:23:36.025724522 -0500
23829 @@ -2254,7 +2254,7 @@ static int pmu_sleep_valid(suspend_state
23830 && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
23833 -static struct platform_suspend_ops pmu_pm_ops = {
23834 +static const struct platform_suspend_ops pmu_pm_ops = {
23835 .enter = powerbook_sleep,
23836 .valid = pmu_sleep_valid,
23838 diff -urNp linux-2.6.33/drivers/md/bitmap.c linux-2.6.33/drivers/md/bitmap.c
23839 --- linux-2.6.33/drivers/md/bitmap.c 2010-02-24 13:52:17.000000000 -0500
23840 +++ linux-2.6.33/drivers/md/bitmap.c 2010-03-07 12:23:36.025724522 -0500
23843 # define PRINTK(x...) printk(KERN_DEBUG x)
23845 -# define PRINTK(x...)
23846 +# define PRINTK(x...) do {} while (0)
23850 diff -urNp linux-2.6.33/drivers/md/dm-sysfs.c linux-2.6.33/drivers/md/dm-sysfs.c
23851 --- linux-2.6.33/drivers/md/dm-sysfs.c 2010-02-24 13:52:17.000000000 -0500
23852 +++ linux-2.6.33/drivers/md/dm-sysfs.c 2010-03-07 12:23:36.025724522 -0500
23853 @@ -75,7 +75,7 @@ static struct attribute *dm_attrs[] = {
23857 -static struct sysfs_ops dm_sysfs_ops = {
23858 +static const struct sysfs_ops dm_sysfs_ops = {
23859 .show = dm_attr_show,
23862 diff -urNp linux-2.6.33/drivers/md/dm-table.c linux-2.6.33/drivers/md/dm-table.c
23863 --- linux-2.6.33/drivers/md/dm-table.c 2010-02-24 13:52:17.000000000 -0500
23864 +++ linux-2.6.33/drivers/md/dm-table.c 2010-03-07 12:23:36.025724522 -0500
23865 @@ -363,7 +363,7 @@ static int device_area_is_invalid(struct
23869 - if ((start >= dev_size) || (start + len > dev_size)) {
23870 + if ((start >= dev_size) || (len > dev_size - start)) {
23871 DMWARN("%s: %s too small for target: "
23872 "start=%llu, len=%llu, dev_size=%llu",
23873 dm_device_name(ti->table->md), bdevname(bdev, b),
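Review bot: The rewritten test `len > dev_size - start` is wrap-free only because `start >= dev_size` is evaluated first and short-circuits; reordering or splitting the two halves later would let the unsigned subtraction underflow. A one-line comment above the `if` records that dependency, for example `/* start < dev_size is established first, so dev_size - start cannot wrap */`. The declarations of `start`, `len` and `dev_size` are outside the hunk, so their unsigned 64-bit type is inferred from the `%llu` format in the warning.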
23874 diff -urNp linux-2.6.33/drivers/md/md.c linux-2.6.33/drivers/md/md.c
23875 --- linux-2.6.33/drivers/md/md.c 2010-02-24 13:52:17.000000000 -0500
23876 +++ linux-2.6.33/drivers/md/md.c 2010-03-07 12:23:36.025724522 -0500
23877 @@ -2642,7 +2642,7 @@ static void rdev_free(struct kobject *ko
23878 mdk_rdev_t *rdev = container_of(ko, mdk_rdev_t, kobj);
23881 -static struct sysfs_ops rdev_sysfs_ops = {
23882 +static const struct sysfs_ops rdev_sysfs_ops = {
23883 .show = rdev_attr_show,
23884 .store = rdev_attr_store,
23886 @@ -4059,7 +4059,7 @@ static void md_free(struct kobject *ko)
23890 -static struct sysfs_ops md_sysfs_ops = {
23891 +static const struct sysfs_ops md_sysfs_ops = {
23892 .show = md_attr_show,
23893 .store = md_attr_store,
23895 @@ -6187,7 +6187,7 @@ static int md_seq_show(struct seq_file *
23896 chunk_kb ? "KB" : "B");
23897 if (bitmap->file) {
23898 seq_printf(seq, ", file: ");
23899 - seq_path(seq, &bitmap->file->f_path, " \t\n");
23900 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
23903 seq_printf(seq, "\n");
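Review bot: The escape set passed to `seq_path()` gains a backslash with no comment saying why, and the next reader is likely to see it as a stray character. If the intent is that a literal backslash in the bitmap file name must not be mistaken for one of the escape sequences `seq_path()` emits for the other listed characters, say so next to the call, e.g. `/* also escape '\\' so escaped output stays unambiguous for parsers of this file */`. The escaping format itself is not visible in this hunk, so the wording should be checked against `seq_path()`.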
23904 @@ -6281,7 +6281,7 @@ static int is_mddev_idle(mddev_t *mddev,
23905 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
23906 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
23907 (int)part_stat_read(&disk->part0, sectors[1]) -
23908 - atomic_read(&disk->sync_io);
23909 + atomic_read_unchecked(&disk->sync_io);
23910 /* sync IO will cause sync_io to increase before the disk_stats
23911 * as sync_io is counted when a request starts, and
23912 * disk_stats is counted when it completes.
23913 diff -urNp linux-2.6.33/drivers/md/md.h linux-2.6.33/drivers/md/md.h
23914 --- linux-2.6.33/drivers/md/md.h 2010-02-24 13:52:17.000000000 -0500
23915 +++ linux-2.6.33/drivers/md/md.h 2010-03-07 12:23:36.029587202 -0500
23916 @@ -327,7 +327,7 @@ static inline void rdev_dec_pending(mdk_
23918 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
23920 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
23921 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
23924 struct mdk_personality
23925 diff -urNp linux-2.6.33/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.33/drivers/media/dvb/dvb-core/dvbdev.c
23926 --- linux-2.6.33/drivers/media/dvb/dvb-core/dvbdev.c 2010-02-24 13:52:17.000000000 -0500
23927 +++ linux-2.6.33/drivers/media/dvb/dvb-core/dvbdev.c 2010-03-07 12:23:36.029587202 -0500
23928 @@ -191,6 +191,7 @@ int dvb_register_device(struct dvb_adapt
23929 const struct dvb_device *template, void *priv, int type)
23931 struct dvb_device *dvbdev;
23932 + /* cannot be const */
23933 struct file_operations *dvbdevfops;
23934 struct device *clsdev;
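Review bot: `/* cannot be const */` states a constraint without its reason, so a later constification pass cannot tell whether the constraint still holds. If the pointer has to stay writable because the structure it points to is filled in after allocation (the code that does this is outside the hunk), the comment should say so, along the lines of `/* not const: this copy is written after allocation */`. The same bare comment is added in drivers/net/e1000e/82571.c, es2lan.c and hw.h and in drivers/net/igb/e1000_hw.h, and the same remark applies there.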
23936 diff -urNp linux-2.6.33/drivers/media/radio/radio-cadet.c linux-2.6.33/drivers/media/radio/radio-cadet.c
23937 --- linux-2.6.33/drivers/media/radio/radio-cadet.c 2010-02-24 13:52:17.000000000 -0500
23938 +++ linux-2.6.33/drivers/media/radio/radio-cadet.c 2010-03-07 12:23:36.029587202 -0500
23939 @@ -347,7 +347,7 @@ static ssize_t cadet_read(struct file *f
23940 while (i < count && dev->rdsin != dev->rdsout)
23941 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
23943 - if (copy_to_user(data, readbuf, i))
23944 + if (i > sizeof(readbuf) || copy_to_user(data, readbuf, i))
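Review bot: The added `i > sizeof(readbuf)` test runs after the loop above it has already stored into `readbuf[i++]`, so if `i` can pass the end of `readbuf` the out-of-bounds write happens before the check fires. The loop is bounded only by the caller-supplied `count` and the ring-buffer indices. Bounding the loop itself closes that: `while (i < count && i < sizeof(readbuf) && dev->rdsin != dev->rdsout)`. With that in place the test before `copy_to_user()` is redundant but harmless. This assumes `readbuf` is a fixed-size local array, because its declaration and the rest of cadet_read are outside the hunk.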
23948 diff -urNp linux-2.6.33/drivers/message/i2o/i2o_proc.c linux-2.6.33/drivers/message/i2o/i2o_proc.c
23949 --- linux-2.6.33/drivers/message/i2o/i2o_proc.c 2010-02-24 13:52:17.000000000 -0500
23950 +++ linux-2.6.33/drivers/message/i2o/i2o_proc.c 2010-03-07 12:23:36.029587202 -0500
23951 @@ -259,13 +259,6 @@ static char *scsi_devices[] = {
23952 "Array Controller Device"
23955 -static char *chtostr(u8 * chars, int n)
23959 - return strncat(tmp, (char *)chars, n);
23962 static int i2o_report_query_status(struct seq_file *seq, int block_status,
23965 @@ -842,8 +835,7 @@ static int i2o_seq_show_ddm_table(struct
23967 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
23968 seq_printf(seq, "%-#8x", ddm_table.module_id);
23969 - seq_printf(seq, "%-29s",
23970 - chtostr(ddm_table.module_name_version, 28));
23971 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
23972 seq_printf(seq, "%9d ", ddm_table.data_size);
23973 seq_printf(seq, "%8d", ddm_table.code_size);
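Review bot: `%-.28s` drops the field width that the old `%-29s` supplied, because a `-` flag with only a precision has nothing to pad, so the module-name column no longer lines up with the columns printed after it. Keeping both width and precision preserves the table layout while still bounding the read: `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);`. The same applies in the i2o_seq_show_drivers_stored hunk that follows, where `%-.28s` and `%-.8s` would become `%-29.28s` and `%-9.8s`. The precision is what keeps `%s` inside a fixed-size field that may lack a NUL terminator, and a short comment saying so would stop a later cleanup from removing it.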
23975 @@ -944,8 +936,8 @@ static int i2o_seq_show_drivers_stored(s
23977 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
23978 seq_printf(seq, "%-#8x", dst->module_id);
23979 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
23980 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
23981 + seq_printf(seq, "%-.28s", dst->module_name_version);
23982 + seq_printf(seq, "%-.8s", dst->date);
23983 seq_printf(seq, "%8d ", dst->module_size);
23984 seq_printf(seq, "%8d ", dst->mpb_size);
23985 seq_printf(seq, "0x%04x", dst->module_flags);
23986 @@ -1276,14 +1268,10 @@ static int i2o_seq_show_dev_identity(str
23987 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
23988 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
23989 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
23990 - seq_printf(seq, "Vendor info : %s\n",
23991 - chtostr((u8 *) (work32 + 2), 16));
23992 - seq_printf(seq, "Product info : %s\n",
23993 - chtostr((u8 *) (work32 + 6), 16));
23994 - seq_printf(seq, "Description : %s\n",
23995 - chtostr((u8 *) (work32 + 10), 16));
23996 - seq_printf(seq, "Product rev. : %s\n",
23997 - chtostr((u8 *) (work32 + 14), 8));
23998 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
23999 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
24000 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
24001 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
24003 seq_printf(seq, "Serial number : ");
24004 print_serial_number(seq, (u8 *) (work32 + 16),
24005 @@ -1328,10 +1316,8 @@ static int i2o_seq_show_ddm_identity(str
24008 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
24009 - seq_printf(seq, "Module name : %s\n",
24010 - chtostr(result.module_name, 24));
24011 - seq_printf(seq, "Module revision : %s\n",
24012 - chtostr(result.module_rev, 8));
24013 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
24014 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
24016 seq_printf(seq, "Serial number : ");
24017 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
24018 @@ -1362,14 +1348,10 @@ static int i2o_seq_show_uinfo(struct seq
24022 - seq_printf(seq, "Device name : %s\n",
24023 - chtostr(result.device_name, 64));
24024 - seq_printf(seq, "Service name : %s\n",
24025 - chtostr(result.service_name, 64));
24026 - seq_printf(seq, "Physical name : %s\n",
24027 - chtostr(result.physical_location, 64));
24028 - seq_printf(seq, "Instance number : %s\n",
24029 - chtostr(result.instance_number, 4));
24030 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
24031 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
24032 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
24033 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
24037 diff -urNp linux-2.6.33/drivers/misc/kgdbts.c linux-2.6.33/drivers/misc/kgdbts.c
24038 --- linux-2.6.33/drivers/misc/kgdbts.c 2010-02-24 13:52:17.000000000 -0500
24039 +++ linux-2.6.33/drivers/misc/kgdbts.c 2010-03-07 12:23:36.029587202 -0500
24040 @@ -118,7 +118,7 @@
24042 #define MAX_CONFIG_LEN 40
24044 -static struct kgdb_io kgdbts_io_ops;
24045 +static const struct kgdb_io kgdbts_io_ops;
24046 static char get_buf[BUFMAX];
24047 static int get_buf_cnt;
24048 static char put_buf[BUFMAX];
24049 @@ -1108,7 +1108,7 @@ static void kgdbts_post_exp_handler(void
24050 module_put(THIS_MODULE);
24053 -static struct kgdb_io kgdbts_io_ops = {
24054 +static const struct kgdb_io kgdbts_io_ops = {
24056 .read_char = kgdbts_get_char,
24057 .write_char = kgdbts_put_char,
24058 diff -urNp linux-2.6.33/drivers/misc/sgi-gru/gruhandles.c linux-2.6.33/drivers/misc/sgi-gru/gruhandles.c
24059 --- linux-2.6.33/drivers/misc/sgi-gru/gruhandles.c 2010-02-24 13:52:17.000000000 -0500
24060 +++ linux-2.6.33/drivers/misc/sgi-gru/gruhandles.c 2010-03-07 12:23:36.029587202 -0500
24061 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
24062 unsigned long nsec;
24064 nsec = CLKS2NSEC(clks);
24065 - atomic_long_inc(&mcs_op_statistics[op].count);
24066 - atomic_long_add(nsec, &mcs_op_statistics[op].total);
24067 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
24068 + atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
24069 if (mcs_op_statistics[op].max < nsec)
24070 mcs_op_statistics[op].max = nsec;
24072 diff -urNp linux-2.6.33/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.33/drivers/misc/sgi-gru/gruprocfs.c
24073 --- linux-2.6.33/drivers/misc/sgi-gru/gruprocfs.c 2010-02-24 13:52:17.000000000 -0500
24074 +++ linux-2.6.33/drivers/misc/sgi-gru/gruprocfs.c 2010-03-07 12:23:36.029587202 -0500
24077 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
24079 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
24080 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
24082 - unsigned long val = atomic_long_read(v);
24083 + unsigned long val = atomic_long_read_unchecked(v);
24085 seq_printf(s, "%16lu %s\n", val, id);
24087 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
24089 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
24090 for (op = 0; op < mcsop_last; op++) {
24091 - count = atomic_long_read(&mcs_op_statistics[op].count);
24092 - total = atomic_long_read(&mcs_op_statistics[op].total);
24093 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
24094 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
24095 max = mcs_op_statistics[op].max;
24096 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
24097 count ? total / count : 0, max);
24098 diff -urNp linux-2.6.33/drivers/misc/sgi-gru/grutables.h linux-2.6.33/drivers/misc/sgi-gru/grutables.h
24099 --- linux-2.6.33/drivers/misc/sgi-gru/grutables.h 2010-02-24 13:52:17.000000000 -0500
24100 +++ linux-2.6.33/drivers/misc/sgi-gru/grutables.h 2010-03-07 12:23:36.029587202 -0500
24101 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
24104 struct gru_stats_s {
24105 - atomic_long_t vdata_alloc;
24106 - atomic_long_t vdata_free;
24107 - atomic_long_t gts_alloc;
24108 - atomic_long_t gts_free;
24109 - atomic_long_t gms_alloc;
24110 - atomic_long_t gms_free;
24111 - atomic_long_t gts_double_allocate;
24112 - atomic_long_t assign_context;
24113 - atomic_long_t assign_context_failed;
24114 - atomic_long_t free_context;
24115 - atomic_long_t load_user_context;
24116 - atomic_long_t load_kernel_context;
24117 - atomic_long_t lock_kernel_context;
24118 - atomic_long_t unlock_kernel_context;
24119 - atomic_long_t steal_user_context;
24120 - atomic_long_t steal_kernel_context;
24121 - atomic_long_t steal_context_failed;
24122 - atomic_long_t nopfn;
24123 - atomic_long_t asid_new;
24124 - atomic_long_t asid_next;
24125 - atomic_long_t asid_wrap;
24126 - atomic_long_t asid_reuse;
24127 - atomic_long_t intr;
24128 - atomic_long_t intr_cbr;
24129 - atomic_long_t intr_tfh;
24130 - atomic_long_t intr_spurious;
24131 - atomic_long_t intr_mm_lock_failed;
24132 - atomic_long_t call_os;
24133 - atomic_long_t call_os_wait_queue;
24134 - atomic_long_t user_flush_tlb;
24135 - atomic_long_t user_unload_context;
24136 - atomic_long_t user_exception;
24137 - atomic_long_t set_context_option;
24138 - atomic_long_t check_context_retarget_intr;
24139 - atomic_long_t check_context_unload;
24140 - atomic_long_t tlb_dropin;
24141 - atomic_long_t tlb_preload_page;
24142 - atomic_long_t tlb_dropin_fail_no_asid;
24143 - atomic_long_t tlb_dropin_fail_upm;
24144 - atomic_long_t tlb_dropin_fail_invalid;
24145 - atomic_long_t tlb_dropin_fail_range_active;
24146 - atomic_long_t tlb_dropin_fail_idle;
24147 - atomic_long_t tlb_dropin_fail_fmm;
24148 - atomic_long_t tlb_dropin_fail_no_exception;
24149 - atomic_long_t tfh_stale_on_fault;
24150 - atomic_long_t mmu_invalidate_range;
24151 - atomic_long_t mmu_invalidate_page;
24152 - atomic_long_t flush_tlb;
24153 - atomic_long_t flush_tlb_gru;
24154 - atomic_long_t flush_tlb_gru_tgh;
24155 - atomic_long_t flush_tlb_gru_zero_asid;
24157 - atomic_long_t copy_gpa;
24158 - atomic_long_t read_gpa;
24160 - atomic_long_t mesq_receive;
24161 - atomic_long_t mesq_receive_none;
24162 - atomic_long_t mesq_send;
24163 - atomic_long_t mesq_send_failed;
24164 - atomic_long_t mesq_noop;
24165 - atomic_long_t mesq_send_unexpected_error;
24166 - atomic_long_t mesq_send_lb_overflow;
24167 - atomic_long_t mesq_send_qlimit_reached;
24168 - atomic_long_t mesq_send_amo_nacked;
24169 - atomic_long_t mesq_send_put_nacked;
24170 - atomic_long_t mesq_page_overflow;
24171 - atomic_long_t mesq_qf_locked;
24172 - atomic_long_t mesq_qf_noop_not_full;
24173 - atomic_long_t mesq_qf_switch_head_failed;
24174 - atomic_long_t mesq_qf_unexpected_error;
24175 - atomic_long_t mesq_noop_unexpected_error;
24176 - atomic_long_t mesq_noop_lb_overflow;
24177 - atomic_long_t mesq_noop_qlimit_reached;
24178 - atomic_long_t mesq_noop_amo_nacked;
24179 - atomic_long_t mesq_noop_put_nacked;
24180 - atomic_long_t mesq_noop_page_overflow;
24181 + atomic_long_unchecked_t vdata_alloc;
24182 + atomic_long_unchecked_t vdata_free;
24183 + atomic_long_unchecked_t gts_alloc;
24184 + atomic_long_unchecked_t gts_free;
24185 + atomic_long_unchecked_t gms_alloc;
24186 + atomic_long_unchecked_t gms_free;
24187 + atomic_long_unchecked_t gts_double_allocate;
24188 + atomic_long_unchecked_t assign_context;
24189 + atomic_long_unchecked_t assign_context_failed;
24190 + atomic_long_unchecked_t free_context;
24191 + atomic_long_unchecked_t load_user_context;
24192 + atomic_long_unchecked_t load_kernel_context;
24193 + atomic_long_unchecked_t lock_kernel_context;
24194 + atomic_long_unchecked_t unlock_kernel_context;
24195 + atomic_long_unchecked_t steal_user_context;
24196 + atomic_long_unchecked_t steal_kernel_context;
24197 + atomic_long_unchecked_t steal_context_failed;
24198 + atomic_long_unchecked_t nopfn;
24199 + atomic_long_unchecked_t asid_new;
24200 + atomic_long_unchecked_t asid_next;
24201 + atomic_long_unchecked_t asid_wrap;
24202 + atomic_long_unchecked_t asid_reuse;
24203 + atomic_long_unchecked_t intr;
24204 + atomic_long_unchecked_t intr_cbr;
24205 + atomic_long_unchecked_t intr_tfh;
24206 + atomic_long_unchecked_t intr_spurious;
24207 + atomic_long_unchecked_t intr_mm_lock_failed;
24208 + atomic_long_unchecked_t call_os;
24209 + atomic_long_unchecked_t call_os_wait_queue;
24210 + atomic_long_unchecked_t user_flush_tlb;
24211 + atomic_long_unchecked_t user_unload_context;
24212 + atomic_long_unchecked_t user_exception;
24213 + atomic_long_unchecked_t set_context_option;
24214 + atomic_long_unchecked_t check_context_retarget_intr;
24215 + atomic_long_unchecked_t check_context_unload;
24216 + atomic_long_unchecked_t tlb_dropin;
24217 + atomic_long_unchecked_t tlb_preload_page;
24218 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
24219 + atomic_long_unchecked_t tlb_dropin_fail_upm;
24220 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
24221 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
24222 + atomic_long_unchecked_t tlb_dropin_fail_idle;
24223 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
24224 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
24225 + atomic_long_unchecked_t tfh_stale_on_fault;
24226 + atomic_long_unchecked_t mmu_invalidate_range;
24227 + atomic_long_unchecked_t mmu_invalidate_page;
24228 + atomic_long_unchecked_t flush_tlb;
24229 + atomic_long_unchecked_t flush_tlb_gru;
24230 + atomic_long_unchecked_t flush_tlb_gru_tgh;
24231 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
24233 + atomic_long_unchecked_t copy_gpa;
24234 + atomic_long_unchecked_t read_gpa;
24236 + atomic_long_unchecked_t mesq_receive;
24237 + atomic_long_unchecked_t mesq_receive_none;
24238 + atomic_long_unchecked_t mesq_send;
24239 + atomic_long_unchecked_t mesq_send_failed;
24240 + atomic_long_unchecked_t mesq_noop;
24241 + atomic_long_unchecked_t mesq_send_unexpected_error;
24242 + atomic_long_unchecked_t mesq_send_lb_overflow;
24243 + atomic_long_unchecked_t mesq_send_qlimit_reached;
24244 + atomic_long_unchecked_t mesq_send_amo_nacked;
24245 + atomic_long_unchecked_t mesq_send_put_nacked;
24246 + atomic_long_unchecked_t mesq_page_overflow;
24247 + atomic_long_unchecked_t mesq_qf_locked;
24248 + atomic_long_unchecked_t mesq_qf_noop_not_full;
24249 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
24250 + atomic_long_unchecked_t mesq_qf_unexpected_error;
24251 + atomic_long_unchecked_t mesq_noop_unexpected_error;
24252 + atomic_long_unchecked_t mesq_noop_lb_overflow;
24253 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
24254 + atomic_long_unchecked_t mesq_noop_amo_nacked;
24255 + atomic_long_unchecked_t mesq_noop_put_nacked;
24256 + atomic_long_unchecked_t mesq_noop_page_overflow;
24260 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
24261 tghop_invalidate, mcsop_last};
24263 struct mcs_op_statistic {
24264 - atomic_long_t count;
24265 - atomic_long_t total;
24266 + atomic_long_unchecked_t count;
24267 + atomic_long_unchecked_t total;
24271 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
24273 #define STAT(id) do { \
24274 if (gru_options & OPT_STATS) \
24275 - atomic_long_inc(&gru_stats.id); \
24276 + atomic_long_inc_unchecked(&gru_stats.id); \
24279 #ifdef CONFIG_SGI_GRU_DEBUG
24280 diff -urNp linux-2.6.33/drivers/mtd/devices/doc2000.c linux-2.6.33/drivers/mtd/devices/doc2000.c
24281 --- linux-2.6.33/drivers/mtd/devices/doc2000.c 2010-02-24 13:52:17.000000000 -0500
24282 +++ linux-2.6.33/drivers/mtd/devices/doc2000.c 2010-03-07 12:23:36.029587202 -0500
24283 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
24285 /* The ECC will not be calculated correctly if less than 512 is written */
24287 - if (len != 0x200 && eccbuf)
24288 + if (len != 0x200)
24289 printk(KERN_WARNING
24290 "ECC needs a full sector write (adr: %lx size %lx)\n",
24291 (long) to, (long) len);
24292 diff -urNp linux-2.6.33/drivers/mtd/devices/doc2001.c linux-2.6.33/drivers/mtd/devices/doc2001.c
24293 --- linux-2.6.33/drivers/mtd/devices/doc2001.c 2010-02-24 13:52:17.000000000 -0500
24294 +++ linux-2.6.33/drivers/mtd/devices/doc2001.c 2010-03-07 12:23:36.029587202 -0500
24295 @@ -395,6 +395,8 @@ static int doc_read (struct mtd_info *mt
24296 /* Don't allow read past end of device */
24297 if (from >= this->totlen)
24302 /* Don't allow a single read to cross a 512-byte block boundary */
24303 if (from + len > ((from | 0x1ff) + 1))
24304 diff -urNp linux-2.6.33/drivers/mtd/ubi/build.c linux-2.6.33/drivers/mtd/ubi/build.c
24305 --- linux-2.6.33/drivers/mtd/ubi/build.c 2010-02-24 13:52:17.000000000 -0500
24306 +++ linux-2.6.33/drivers/mtd/ubi/build.c 2010-03-07 12:23:36.029587202 -0500
24307 @@ -1255,7 +1255,7 @@ module_exit(ubi_exit);
24308 static int __init bytes_str_to_int(const char *str)
24311 - unsigned long result;
24312 + unsigned long result, scale = 1;
24314 result = simple_strtoul(str, &endp, 0);
24315 if (str == endp || result >= INT_MAX) {
24316 @@ -1266,11 +1266,11 @@ static int __init bytes_str_to_int(const
24328 if (endp[1] == 'i' && endp[2] == 'B')
24331 @@ -1281,7 +1281,13 @@ static int __init bytes_str_to_int(const
24336 + if ((intoverflow_t)result*scale >= INT_MAX) {
24337 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
24342 + return result*scale;
24346 diff -urNp linux-2.6.33/drivers/net/e1000e/82571.c linux-2.6.33/drivers/net/e1000e/82571.c
24347 --- linux-2.6.33/drivers/net/e1000e/82571.c 2010-02-24 13:52:17.000000000 -0500
24348 +++ linux-2.6.33/drivers/net/e1000e/82571.c 2010-03-07 12:23:36.029587202 -0500
24349 @@ -207,6 +207,7 @@ static s32 e1000_init_mac_params_82571(s
24351 struct e1000_hw *hw = &adapter->hw;
24352 struct e1000_mac_info *mac = &hw->mac;
24353 + /* cannot be const */
24354 struct e1000_mac_operations *func = &mac->ops;
24357 @@ -1688,7 +1689,7 @@ static void e1000_clear_hw_cntrs_82571(s
24361 -static struct e1000_mac_operations e82571_mac_ops = {
24362 +static const struct e1000_mac_operations e82571_mac_ops = {
24363 /* .check_mng_mode: mac type dependent */
24364 /* .check_for_link: media type dependent */
24365 .id_led_init = e1000e_id_led_init,
24366 @@ -1708,7 +1709,7 @@ static struct e1000_mac_operations e8257
24367 .setup_led = e1000e_setup_led_generic,
24370 -static struct e1000_phy_operations e82_phy_ops_igp = {
24371 +static const struct e1000_phy_operations e82_phy_ops_igp = {
24372 .acquire = e1000_get_hw_semaphore_82571,
24373 .check_polarity = e1000_check_polarity_igp,
24374 .check_reset_block = e1000e_check_reset_block_generic,
24375 @@ -1726,7 +1727,7 @@ static struct e1000_phy_operations e82_p
24376 .cfg_on_link_up = NULL,
24379 -static struct e1000_phy_operations e82_phy_ops_m88 = {
24380 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
24381 .acquire = e1000_get_hw_semaphore_82571,
24382 .check_polarity = e1000_check_polarity_m88,
24383 .check_reset_block = e1000e_check_reset_block_generic,
24384 @@ -1744,7 +1745,7 @@ static struct e1000_phy_operations e82_p
24385 .cfg_on_link_up = NULL,
24388 -static struct e1000_phy_operations e82_phy_ops_bm = {
24389 +static const struct e1000_phy_operations e82_phy_ops_bm = {
24390 .acquire = e1000_get_hw_semaphore_82571,
24391 .check_polarity = e1000_check_polarity_m88,
24392 .check_reset_block = e1000e_check_reset_block_generic,
24393 @@ -1762,7 +1763,7 @@ static struct e1000_phy_operations e82_p
24394 .cfg_on_link_up = NULL,
24397 -static struct e1000_nvm_operations e82571_nvm_ops = {
24398 +static const struct e1000_nvm_operations e82571_nvm_ops = {
24399 .acquire = e1000_acquire_nvm_82571,
24400 .read = e1000e_read_nvm_eerd,
24401 .release = e1000_release_nvm_82571,
24402 diff -urNp linux-2.6.33/drivers/net/e1000e/e1000.h linux-2.6.33/drivers/net/e1000e/e1000.h
24403 --- linux-2.6.33/drivers/net/e1000e/e1000.h 2010-02-24 13:52:17.000000000 -0500
24404 +++ linux-2.6.33/drivers/net/e1000e/e1000.h 2010-03-07 12:23:36.029587202 -0500
24405 @@ -379,9 +379,9 @@ struct e1000_info {
24407 u32 max_hw_frame_size;
24408 s32 (*get_variants)(struct e1000_adapter *);
24409 - struct e1000_mac_operations *mac_ops;
24410 - struct e1000_phy_operations *phy_ops;
24411 - struct e1000_nvm_operations *nvm_ops;
24412 + const struct e1000_mac_operations *mac_ops;
24413 + const struct e1000_phy_operations *phy_ops;
24414 + const struct e1000_nvm_operations *nvm_ops;
24417 /* hardware capability, feature, and workaround flags */
24418 diff -urNp linux-2.6.33/drivers/net/e1000e/es2lan.c linux-2.6.33/drivers/net/e1000e/es2lan.c
24419 --- linux-2.6.33/drivers/net/e1000e/es2lan.c 2010-02-24 13:52:17.000000000 -0500
24420 +++ linux-2.6.33/drivers/net/e1000e/es2lan.c 2010-03-07 12:23:36.029587202 -0500
24421 @@ -205,6 +205,7 @@ static s32 e1000_init_mac_params_80003es
24423 struct e1000_hw *hw = &adapter->hw;
24424 struct e1000_mac_info *mac = &hw->mac;
24425 + /* cannot be const */
24426 struct e1000_mac_operations *func = &mac->ops;
24428 /* Set media type */
24429 @@ -1402,7 +1403,7 @@ static void e1000_clear_hw_cntrs_80003es
24433 -static struct e1000_mac_operations es2_mac_ops = {
24434 +static const struct e1000_mac_operations es2_mac_ops = {
24435 .id_led_init = e1000e_id_led_init,
24436 .check_mng_mode = e1000e_check_mng_mode_generic,
24437 /* check_for_link dependent on media type */
24438 @@ -1422,7 +1423,7 @@ static struct e1000_mac_operations es2_m
24439 .setup_led = e1000e_setup_led_generic,
24442 -static struct e1000_phy_operations es2_phy_ops = {
24443 +static const struct e1000_phy_operations es2_phy_ops = {
24444 .acquire = e1000_acquire_phy_80003es2lan,
24445 .check_polarity = e1000_check_polarity_m88,
24446 .check_reset_block = e1000e_check_reset_block_generic,
24447 @@ -1440,7 +1441,7 @@ static struct e1000_phy_operations es2_p
24448 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
24451 -static struct e1000_nvm_operations es2_nvm_ops = {
24452 +static const struct e1000_nvm_operations es2_nvm_ops = {
24453 .acquire = e1000_acquire_nvm_80003es2lan,
24454 .read = e1000e_read_nvm_eerd,
24455 .release = e1000_release_nvm_80003es2lan,
24456 diff -urNp linux-2.6.33/drivers/net/e1000e/hw.h linux-2.6.33/drivers/net/e1000e/hw.h
24457 --- linux-2.6.33/drivers/net/e1000e/hw.h 2010-02-24 13:52:17.000000000 -0500
24458 +++ linux-2.6.33/drivers/net/e1000e/hw.h 2010-03-07 12:23:36.029587202 -0500
24459 @@ -783,13 +783,13 @@ struct e1000_phy_operations {
24461 /* Function pointers for the NVM. */
24462 struct e1000_nvm_operations {
24463 - s32 (*acquire)(struct e1000_hw *);
24464 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
24465 - void (*release)(struct e1000_hw *);
24466 - s32 (*update)(struct e1000_hw *);
24467 - s32 (*valid_led_default)(struct e1000_hw *, u16 *);
24468 - s32 (*validate)(struct e1000_hw *);
24469 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
24470 + s32 (* const acquire)(struct e1000_hw *);
24471 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
24472 + void (* const release)(struct e1000_hw *);
24473 + s32 (* const update)(struct e1000_hw *);
24474 + s32 (* const valid_led_default)(struct e1000_hw *, u16 *);
24475 + s32 (* const validate)(struct e1000_hw *);
24476 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
24479 struct e1000_mac_info {
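Review bot: Const-qualifying every function-pointer member of `struct e1000_nvm_operations` makes objects of that type non-assignable, yet `struct e1000_nvm_info` still embeds a writable `ops` copy (marked `/* cannot be const */` in the next hunk). Code that fills `nvm.ops` per member or with `ops = *src` will no longer compile, and filling it through `memcpy()` writes to const-qualified members, which the C standard leaves undefined. The initialisation code is outside this hunk, so this needs checking there. If the goal is read-only operation tables, the `static const` instances and the `const` pointers in `struct e1000_info` already provide that without member-level `const`. The same member-level change is made to this struct in drivers/net/igb/e1000_hw.h.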
24480 @@ -864,6 +864,7 @@ struct e1000_phy_info {
24483 struct e1000_nvm_info {
24484 + /* cannot be const */
24485 struct e1000_nvm_operations ops;
24487 enum e1000_nvm_type type;
24488 diff -urNp linux-2.6.33/drivers/net/e1000e/ich8lan.c linux-2.6.33/drivers/net/e1000e/ich8lan.c
24489 --- linux-2.6.33/drivers/net/e1000e/ich8lan.c 2010-02-24 13:52:17.000000000 -0500
24490 +++ linux-2.6.33/drivers/net/e1000e/ich8lan.c 2010-03-07 12:23:36.033711222 -0500
24491 @@ -3361,7 +3361,7 @@ static void e1000_clear_hw_cntrs_ich8lan
24495 -static struct e1000_mac_operations ich8_mac_ops = {
24496 +static const struct e1000_mac_operations ich8_mac_ops = {
24497 .id_led_init = e1000e_id_led_init,
24498 .check_mng_mode = e1000_check_mng_mode_ich8lan,
24499 .check_for_link = e1000_check_for_copper_link_ich8lan,
24500 @@ -3379,7 +3379,7 @@ static struct e1000_mac_operations ich8_
24501 /* id_led_init dependent on mac type */
24504 -static struct e1000_phy_operations ich8_phy_ops = {
24505 +static const struct e1000_phy_operations ich8_phy_ops = {
24506 .acquire = e1000_acquire_swflag_ich8lan,
24507 .check_reset_block = e1000_check_reset_block_ich8lan,
24509 @@ -3393,7 +3393,7 @@ static struct e1000_phy_operations ich8_
24510 .write_reg = e1000e_write_phy_reg_igp,
24513 -static struct e1000_nvm_operations ich8_nvm_ops = {
24514 +static const struct e1000_nvm_operations ich8_nvm_ops = {
24515 .acquire = e1000_acquire_nvm_ich8lan,
24516 .read = e1000_read_nvm_ich8lan,
24517 .release = e1000_release_nvm_ich8lan,
24518 diff -urNp linux-2.6.33/drivers/net/ibmveth.c linux-2.6.33/drivers/net/ibmveth.c
24519 --- linux-2.6.33/drivers/net/ibmveth.c 2010-02-24 13:52:17.000000000 -0500
24520 +++ linux-2.6.33/drivers/net/ibmveth.c 2010-03-07 12:23:36.033711222 -0500
24521 @@ -1577,7 +1577,7 @@ static struct attribute * veth_pool_attr
24525 -static struct sysfs_ops veth_pool_ops = {
24526 +static const struct sysfs_ops veth_pool_ops = {
24527 .show = veth_pool_show,
24528 .store = veth_pool_store,
24530 diff -urNp linux-2.6.33/drivers/net/igb/e1000_82575.c linux-2.6.33/drivers/net/igb/e1000_82575.c
24531 --- linux-2.6.33/drivers/net/igb/e1000_82575.c 2010-02-24 13:52:17.000000000 -0500
24532 +++ linux-2.6.33/drivers/net/igb/e1000_82575.c 2010-03-07 12:23:36.033711222 -0500
24533 @@ -1583,7 +1583,7 @@ u16 igb_rxpbs_adjust_82580(u32 data)
24537 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
24538 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
24539 .init_hw = igb_init_hw_82575,
24540 .check_for_link = igb_check_for_link_82575,
24541 .rar_set = igb_rar_set,
24542 @@ -1591,13 +1591,13 @@ static struct e1000_mac_operations e1000
24543 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
24546 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
24547 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
24548 .acquire = igb_acquire_phy_82575,
24549 .get_cfg_done = igb_get_cfg_done_82575,
24550 .release = igb_release_phy_82575,
24553 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
24554 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
24555 .acquire = igb_acquire_nvm_82575,
24556 .read = igb_read_nvm_eerd,
24557 .release = igb_release_nvm_82575,
24558 diff -urNp linux-2.6.33/drivers/net/igb/e1000_hw.h linux-2.6.33/drivers/net/igb/e1000_hw.h
24559 --- linux-2.6.33/drivers/net/igb/e1000_hw.h 2010-02-24 13:52:17.000000000 -0500
24560 +++ linux-2.6.33/drivers/net/igb/e1000_hw.h 2010-03-07 12:23:36.033711222 -0500
24561 @@ -316,17 +316,17 @@ struct e1000_phy_operations {
24564 struct e1000_nvm_operations {
24565 - s32 (*acquire)(struct e1000_hw *);
24566 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
24567 - void (*release)(struct e1000_hw *);
24568 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
24569 + s32 (* const acquire)(struct e1000_hw *);
24570 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
24571 + void (* const release)(struct e1000_hw *);
24572 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
24575 struct e1000_info {
24576 s32 (*get_invariants)(struct e1000_hw *);
24577 - struct e1000_mac_operations *mac_ops;
24578 - struct e1000_phy_operations *phy_ops;
24579 - struct e1000_nvm_operations *nvm_ops;
24580 + const struct e1000_mac_operations *mac_ops;
24581 + const struct e1000_phy_operations *phy_ops;
24582 + const struct e1000_nvm_operations *nvm_ops;
24585 extern const struct e1000_info e1000_82575_info;
24586 @@ -412,6 +412,7 @@ struct e1000_phy_info {
24589 struct e1000_nvm_info {
24590 + /* cannot be const */
24591 struct e1000_nvm_operations ops;
24593 enum e1000_nvm_type type;
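Review bot: The added `/* cannot be const */` on `ops` in `struct e1000_nvm_info` gives no reason, and it marks the one function-pointer table in this header that stays writable after the rest are constified. The previous hunk makes every member of `struct e1000_nvm_operations` `* const`, so this embedded copy can no longer be filled by plain member assignment; the comment should say how and when it is populated. Something like `/* cannot be const: copied from the per-device ops table at init time */` would do, if that is indeed the reason. The struct body continues outside the hunk.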
24594 diff -urNp linux-2.6.33/drivers/net/irda/vlsi_ir.c linux-2.6.33/drivers/net/irda/vlsi_ir.c
24595 --- linux-2.6.33/drivers/net/irda/vlsi_ir.c 2010-02-24 13:52:17.000000000 -0500
24596 +++ linux-2.6.33/drivers/net/irda/vlsi_ir.c 2010-03-07 12:23:36.033711222 -0500
24597 @@ -907,13 +907,12 @@ static netdev_tx_t vlsi_hard_start_xmit(
24598 /* no race - tx-ring already empty */
24599 vlsi_set_baud(idev, iobase);
24600 netif_wake_queue(ndev);
24605 /* keep the speed change pending like it would
24606 * for any len>0 packet. tx completion interrupt
24607 * will apply it when the tx ring becomes empty.
24610 spin_unlock_irqrestore(&idev->lock, flags);
24611 dev_kfree_skb_any(skb);
24612 return NETDEV_TX_OK;
24613 diff -urNp linux-2.6.33/drivers/net/iseries_veth.c linux-2.6.33/drivers/net/iseries_veth.c
24614 --- linux-2.6.33/drivers/net/iseries_veth.c 2010-02-24 13:52:17.000000000 -0500
24615 +++ linux-2.6.33/drivers/net/iseries_veth.c 2010-03-07 12:23:36.033711222 -0500
24616 @@ -384,7 +384,7 @@ static struct attribute *veth_cnx_defaul
24620 -static struct sysfs_ops veth_cnx_sysfs_ops = {
24621 +static const struct sysfs_ops veth_cnx_sysfs_ops = {
24622 .show = veth_cnx_attribute_show
24625 @@ -441,7 +441,7 @@ static struct attribute *veth_port_defau
24629 -static struct sysfs_ops veth_port_sysfs_ops = {
24630 +static const struct sysfs_ops veth_port_sysfs_ops = {
24631 .show = veth_port_attribute_show
24634 diff -urNp linux-2.6.33/drivers/net/pcnet32.c linux-2.6.33/drivers/net/pcnet32.c
24635 --- linux-2.6.33/drivers/net/pcnet32.c 2010-02-24 13:52:17.000000000 -0500
24636 +++ linux-2.6.33/drivers/net/pcnet32.c 2010-03-07 12:23:36.033711222 -0500
24637 @@ -80,7 +80,7 @@ static int cards_found;
24639 * VLB I/O addresses
24641 -static unsigned int pcnet32_portlist[] __initdata =
24642 +static unsigned int pcnet32_portlist[] __devinitdata =
24643 { 0x300, 0x320, 0x340, 0x360, 0 };
24645 static int pcnet32_debug = 0;
24646 diff -urNp linux-2.6.33/drivers/net/ppp_generic.c linux-2.6.33/drivers/net/ppp_generic.c
24647 --- linux-2.6.33/drivers/net/ppp_generic.c 2010-02-24 13:52:17.000000000 -0500
24648 +++ linux-2.6.33/drivers/net/ppp_generic.c 2010-03-07 12:23:36.033711222 -0500
24649 @@ -988,7 +988,6 @@ ppp_net_ioctl(struct net_device *dev, st
24650 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
24651 struct ppp_stats stats;
24652 struct ppp_comp_stats cstats;
24656 case SIOCGPPPSTATS:
24657 @@ -1010,8 +1009,7 @@ ppp_net_ioctl(struct net_device *dev, st
24661 - vers = PPP_VERSION;
24662 - if (copy_to_user(addr, vers, strlen(vers) + 1))
24663 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
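Review bot: `sizeof(PPP_VERSION)` on the added line equals the old `strlen(vers) + 1` only while PPP_VERSION expands to a string literal, and its definition is outside the hunk. If it ever became a `const char *`, the copy would silently shrink to the size of a pointer and could drop the terminating NUL. A one-line comment pins the assumption: `/* PPP_VERSION must be a string literal: sizeof() counts the NUL */`. ppp_net_ioctl() starts and ends outside the hunk.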
24667 diff -urNp linux-2.6.33/drivers/net/tg3.h linux-2.6.33/drivers/net/tg3.h
24668 --- linux-2.6.33/drivers/net/tg3.h 2010-02-24 13:52:17.000000000 -0500
24669 +++ linux-2.6.33/drivers/net/tg3.h 2010-03-07 12:23:36.033711222 -0500
24670 @@ -101,6 +101,7 @@
24671 #define CHIPREV_ID_5750_A0 0x4000
24672 #define CHIPREV_ID_5750_A1 0x4001
24673 #define CHIPREV_ID_5750_A3 0x4003
24674 +#define CHIPREV_ID_5750_C1 0x4201
24675 #define CHIPREV_ID_5750_C2 0x4202
24676 #define CHIPREV_ID_5752_A0_HW 0x5000
24677 #define CHIPREV_ID_5752_A0 0x6000
24678 diff -urNp linux-2.6.33/drivers/net/tulip/de4x5.c linux-2.6.33/drivers/net/tulip/de4x5.c
24679 --- linux-2.6.33/drivers/net/tulip/de4x5.c 2010-02-24 13:52:17.000000000 -0500
24680 +++ linux-2.6.33/drivers/net/tulip/de4x5.c 2010-03-07 12:23:36.037634971 -0500
24681 @@ -5472,7 +5472,7 @@ de4x5_ioctl(struct net_device *dev, stru
24682 for (i=0; i<ETH_ALEN; i++) {
24683 tmp.addr[i] = dev->dev_addr[i];
24685 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
24686 + if (ioc->len > sizeof(tmp.addr) || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
24689 case DE4X5_SET_HWADDR: /* Set the hardware address */
24690 @@ -5512,7 +5512,7 @@ de4x5_ioctl(struct net_device *dev, stru
24691 spin_lock_irqsave(&lp->lock, flags);
24692 memcpy(&statbuf, &lp->pktStats, ioc->len);
24693 spin_unlock_irqrestore(&lp->lock, flags);
24694 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
24695 + if (ioc->len > sizeof(statbuf) || copy_to_user(ioc->data, &statbuf, ioc->len))
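Review bot: The new `ioc->len > sizeof(statbuf)` test runs after `memcpy(&statbuf, &lp->pktStats, ioc->len)` on the context line above, so if `ioc->len` is still caller-controlled at that point, the stack buffer has already been overrun when the guard rejects the request. The hunk does not show where `ioc->len` is assigned. If it is set to `sizeof(statbuf)` just above, the guard is redundant but harmless; otherwise the check belongs before `spin_lock_irqsave()`, as `if (ioc->len > sizeof(statbuf)) return -EFAULT;`. The matching guard in the DE4X5_GET_HWADDR hunk above sits directly on the copy and has no such ordering problem. de4x5_ioctl() continues outside both hunks.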
24699 diff -urNp linux-2.6.33/drivers/net/usb/hso.c linux-2.6.33/drivers/net/usb/hso.c
24700 --- linux-2.6.33/drivers/net/usb/hso.c 2010-02-24 13:52:17.000000000 -0500
24701 +++ linux-2.6.33/drivers/net/usb/hso.c 2010-03-07 12:23:36.037634971 -0500
24702 @@ -258,7 +258,7 @@ struct hso_serial {
24704 /* from usb_serial_port */
24705 struct tty_struct *tty;
24707 + atomic_t open_count;
24708 spinlock_t serial_lock;
24710 int (*write_data) (struct hso_serial *serial);
24711 @@ -1203,7 +1203,7 @@ static void put_rxbuf_data_and_resubmit_
24714 urb = serial->rx_urb[0];
24715 - if (serial->open_count > 0) {
24716 + if (atomic_read(&serial->open_count) > 0) {
24717 count = put_rxbuf_data(urb, serial);
24720 @@ -1239,7 +1239,7 @@ static void hso_std_serial_read_bulk_cal
24721 DUMP1(urb->transfer_buffer, urb->actual_length);
24723 /* Anyone listening? */
24724 - if (serial->open_count == 0)
24725 + if (atomic_read(&serial->open_count) == 0)
24729 @@ -1334,8 +1334,7 @@ static int hso_serial_open(struct tty_st
24730 spin_unlock_irq(&serial->serial_lock);
24732 /* check for port already opened, if not set the termios */
24733 - serial->open_count++;
24734 - if (serial->open_count == 1) {
24735 + if (atomic_inc_return(&serial->open_count) == 1) {
24736 tty->low_latency = 1;
24737 serial->rx_state = RX_IDLE;
24738 /* Force default termio settings */
24739 @@ -1348,7 +1347,7 @@ static int hso_serial_open(struct tty_st
24740 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
24742 hso_stop_serial_device(serial->parent);
24743 - serial->open_count--;
24744 + atomic_dec(&serial->open_count);
24745 kref_put(&serial->parent->ref, hso_serial_ref_free);
24748 @@ -1385,10 +1384,10 @@ static void hso_serial_close(struct tty_
24750 /* reset the rts and dtr */
24751 /* do the actual close */
24752 - serial->open_count--;
24753 + atomic_dec(&serial->open_count);
24755 - if (serial->open_count <= 0) {
24756 - serial->open_count = 0;
24757 + if (atomic_read(&serial->open_count) <= 0) {
24758 + atomic_set(&serial->open_count, 0);
24759 spin_lock_irq(&serial->serial_lock);
24760 if (serial->tty == tty) {
24761 serial->tty->driver_data = NULL;
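Review bot: In hso_serial_close() the decrement, the `<= 0` test and the reset to zero are now three separate atomic operations, so the sequence as a whole is no more atomic than the plain-int code it replaces. An open that increments between `atomic_dec()` and `atomic_read()` can still be missed; folding the first two into `if (atomic_dec_return(&serial->open_count) <= 0) {` keeps decrement and test together. The `atomic_set(&serial->open_count, 0)` clamp also hides an unbalanced close instead of reporting it, so a comment saying why a negative count is expected would help. Whether a lock taken outside the hunk already serialises open and close is not visible here.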
24762 @@ -1470,7 +1469,7 @@ static void hso_serial_set_termios(struc
24764 /* the actual setup */
24765 spin_lock_irqsave(&serial->serial_lock, flags);
24766 - if (serial->open_count)
24767 + if (atomic_read(&serial->open_count))
24768 _hso_serial_set_termios(tty, old);
24770 tty->termios = old;
24771 @@ -1933,7 +1932,7 @@ static void intr_callback(struct urb *ur
24772 D1("Pending read interrupt on port %d\n", i);
24773 spin_lock(&serial->serial_lock);
24774 if (serial->rx_state == RX_IDLE &&
24775 - serial->open_count > 0) {
24776 + atomic_read(&serial->open_count) > 0) {
24777 /* Setup and send a ctrl req read on
24779 if (!serial->rx_urb_filled[0]) {
24780 @@ -3124,7 +3123,7 @@ static int hso_resume(struct usb_interfa
24781 /* Start all serial ports */
24782 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
24783 if (serial_table[i] && (serial_table[i]->interface == iface)) {
24784 - if (dev2ser(serial_table[i])->open_count) {
24785 + if (atomic_read(&dev2ser(serial_table[i])->open_count)) {
24787 hso_start_serial_device(serial_table[i], GFP_NOIO);
24788 hso_kick_transmit(dev2ser(serial_table[i]));
24789 diff -urNp linux-2.6.33/drivers/net/wireless/b43/debugfs.c linux-2.6.33/drivers/net/wireless/b43/debugfs.c
24790 --- linux-2.6.33/drivers/net/wireless/b43/debugfs.c 2010-02-24 13:52:17.000000000 -0500
24791 +++ linux-2.6.33/drivers/net/wireless/b43/debugfs.c 2010-03-07 12:23:36.037634971 -0500
24792 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
24793 struct b43_debugfs_fops {
24794 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
24795 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
24796 - struct file_operations fops;
24797 + const struct file_operations fops;
24798 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
24799 size_t file_struct_offset;
24801 diff -urNp linux-2.6.33/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.33/drivers/net/wireless/b43legacy/debugfs.c
24802 --- linux-2.6.33/drivers/net/wireless/b43legacy/debugfs.c 2010-02-24 13:52:17.000000000 -0500
24803 +++ linux-2.6.33/drivers/net/wireless/b43legacy/debugfs.c 2010-03-07 12:23:36.037634971 -0500
24804 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
24805 struct b43legacy_debugfs_fops {
24806 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
24807 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
24808 - struct file_operations fops;
24809 + const struct file_operations fops;
24810 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
24811 size_t file_struct_offset;
24812 /* Take wl->irq_lock before calling read/write? */
24813 diff -urNp linux-2.6.33/drivers/net/wireless/iwlwifi/iwl-1000.c linux-2.6.33/drivers/net/wireless/iwlwifi/iwl-1000.c
24814 --- linux-2.6.33/drivers/net/wireless/iwlwifi/iwl-1000.c 2010-02-24 13:52:17.000000000 -0500
24815 +++ linux-2.6.33/drivers/net/wireless/iwlwifi/iwl-1000.c 2010-03-07 12:23:36.037634971 -0500
24816 @@ -140,7 +140,7 @@ static struct iwl_lib_ops iwl1000_lib =
24820 -static struct iwl_ops iwl1000_ops = {
24821 +static const struct iwl_ops iwl1000_ops = {
24822 .ucode = &iwl5000_ucode,
24823 .lib = &iwl1000_lib,
24824 .hcmd = &iwl5000_hcmd,
24825 diff -urNp linux-2.6.33/drivers/net/wireless/iwlwifi/iwl-3945.c linux-2.6.33/drivers/net/wireless/iwlwifi/iwl-3945.c
24826 --- linux-2.6.33/drivers/net/wireless/iwlwifi/iwl-3945.c 2010-02-24 13:52:17.000000000 -0500
24827 +++ linux-2.6.33/drivers/net/wireless/iwlwifi/iwl-3945.c 2010-03-07 12:23:36.037634971 -0500
24828 @@ -2804,7 +2804,7 @@ static struct iwl_hcmd_utils_ops iwl3945
24829 .rts_tx_cmd_flag = iwlcore_rts_tx_cmd_flag,
24832 -static struct iwl_ops iwl3945_ops = {
24833 +static const struct iwl_ops iwl3945_ops = {
24834 .ucode = &iwl3945_ucode,
24835 .lib = &iwl3945_lib,
24836 .hcmd = &iwl3945_hcmd,
24837 diff -urNp linux-2.6.33/drivers/net/wireless/iwlwifi/iwl-4965.c linux-2.6.33/drivers/net/wireless/iwlwifi/iwl-4965.c
24838 --- linux-2.6.33/drivers/net/wireless/iwlwifi/iwl-4965.c 2010-02-24 13:52:17.000000000 -0500
24839 +++ linux-2.6.33/drivers/net/wireless/iwlwifi/iwl-4965.c 2010-03-07 12:23:36.037634971 -0500
24840 @@ -2208,7 +2208,7 @@ static struct iwl_lib_ops iwl4965_lib =
24844 -static struct iwl_ops iwl4965_ops = {
24845 +static const struct iwl_ops iwl4965_ops = {
24846 .ucode = &iwl4965_ucode,
24847 .lib = &iwl4965_lib,
24848 .hcmd = &iwl4965_hcmd,
24849 diff -urNp linux-2.6.33/drivers/net/wireless/iwlwifi/iwl-5000.c linux-2.6.33/drivers/net/wireless/iwlwifi/iwl-5000.c
24850 --- linux-2.6.33/drivers/net/wireless/iwlwifi/iwl-5000.c 2010-02-24 13:52:17.000000000 -0500
24851 +++ linux-2.6.33/drivers/net/wireless/iwlwifi/iwl-5000.c 2010-03-07 12:23:36.037634971 -0500
24852 @@ -1553,7 +1553,7 @@ static struct iwl_lib_ops iwl5150_lib =
24856 -static struct iwl_ops iwl5000_ops = {
24857 +static const struct iwl_ops iwl5000_ops = {
24858 .ucode = &iwl5000_ucode,
24859 .lib = &iwl5000_lib,
24860 .hcmd = &iwl5000_hcmd,
24861 @@ -1561,7 +1561,7 @@ static struct iwl_ops iwl5000_ops = {
24862 .led = &iwlagn_led_ops,
24865 -static struct iwl_ops iwl5150_ops = {
24866 +static const struct iwl_ops iwl5150_ops = {
24867 .ucode = &iwl5000_ucode,
24868 .lib = &iwl5150_lib,
24869 .hcmd = &iwl5000_hcmd,
24870 diff -urNp linux-2.6.33/drivers/net/wireless/iwlwifi/iwl-6000.c linux-2.6.33/drivers/net/wireless/iwlwifi/iwl-6000.c
24871 --- linux-2.6.33/drivers/net/wireless/iwlwifi/iwl-6000.c 2010-02-24 13:52:17.000000000 -0500
24872 +++ linux-2.6.33/drivers/net/wireless/iwlwifi/iwl-6000.c 2010-03-07 12:23:36.037634971 -0500
24873 @@ -252,7 +252,7 @@ static struct iwl_lib_ops iwl6000_lib =
24877 -static struct iwl_ops iwl6000_ops = {
24878 +static const struct iwl_ops iwl6000_ops = {
24879 .ucode = &iwl5000_ucode,
24880 .lib = &iwl6000_lib,
24881 .hcmd = &iwl5000_hcmd,
24882 @@ -267,7 +267,7 @@ static struct iwl_hcmd_utils_ops iwl6050
24883 .calc_rssi = iwl5000_calc_rssi,
24886 -static struct iwl_ops iwl6050_ops = {
24887 +static const struct iwl_ops iwl6050_ops = {
24888 .ucode = &iwl5000_ucode,
24889 .lib = &iwl6000_lib,
24890 .hcmd = &iwl5000_hcmd,
24891 diff -urNp linux-2.6.33/drivers/net/wireless/libertas/debugfs.c linux-2.6.33/drivers/net/wireless/libertas/debugfs.c
24892 --- linux-2.6.33/drivers/net/wireless/libertas/debugfs.c 2010-02-24 13:52:17.000000000 -0500
24893 +++ linux-2.6.33/drivers/net/wireless/libertas/debugfs.c 2010-03-07 12:23:36.041708139 -0500
24894 @@ -717,7 +717,7 @@ out_unlock:
24895 struct lbs_debugfs_files {
24898 - struct file_operations fops;
24899 + const struct file_operations fops;
24902 static const struct lbs_debugfs_files debugfs_files[] = {
24903 diff -urNp linux-2.6.33/drivers/oprofile/buffer_sync.c linux-2.6.33/drivers/oprofile/buffer_sync.c
24904 --- linux-2.6.33/drivers/oprofile/buffer_sync.c 2010-02-24 13:52:17.000000000 -0500
24905 +++ linux-2.6.33/drivers/oprofile/buffer_sync.c 2010-03-07 12:23:36.041708139 -0500
24906 @@ -340,7 +340,7 @@ static void add_data(struct op_entry *en
24907 if (cookie == NO_COOKIE)
24909 if (cookie == INVALID_COOKIE) {
24910 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
24911 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
24914 if (cookie != last_cookie) {
24915 @@ -384,14 +384,14 @@ add_sample(struct mm_struct *mm, struct
24916 /* add userspace sample */
24919 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
24920 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
24924 cookie = lookup_dcookie(mm, s->eip, &offset);
24926 if (cookie == INVALID_COOKIE) {
24927 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
24928 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
24932 @@ -560,7 +560,7 @@ void sync_buffer(int cpu)
24933 /* ignore backtraces if failed to add a sample */
24934 if (state == sb_bt_start) {
24935 state = sb_bt_ignore;
24936 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
24937 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
24941 diff -urNp linux-2.6.33/drivers/oprofile/event_buffer.c linux-2.6.33/drivers/oprofile/event_buffer.c
24942 --- linux-2.6.33/drivers/oprofile/event_buffer.c 2010-02-24 13:52:17.000000000 -0500
24943 +++ linux-2.6.33/drivers/oprofile/event_buffer.c 2010-03-07 12:23:36.041708139 -0500
24944 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
24947 if (buffer_pos == buffer_size) {
24948 - atomic_inc(&oprofile_stats.event_lost_overflow);
24949 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
24953 diff -urNp linux-2.6.33/drivers/oprofile/oprof.c linux-2.6.33/drivers/oprofile/oprof.c
24954 --- linux-2.6.33/drivers/oprofile/oprof.c 2010-02-24 13:52:17.000000000 -0500
24955 +++ linux-2.6.33/drivers/oprofile/oprof.c 2010-03-07 12:23:36.041708139 -0500
24956 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
24957 if (oprofile_ops.switch_events())
24960 - atomic_inc(&oprofile_stats.multiplex_counter);
24961 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
24962 start_switch_worker();
24965 diff -urNp linux-2.6.33/drivers/oprofile/oprofilefs.c linux-2.6.33/drivers/oprofile/oprofilefs.c
24966 --- linux-2.6.33/drivers/oprofile/oprofilefs.c 2010-02-24 13:52:17.000000000 -0500
24967 +++ linux-2.6.33/drivers/oprofile/oprofilefs.c 2010-03-07 12:23:36.041708139 -0500
24968 @@ -187,7 +187,7 @@ static const struct file_operations atom
24971 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
24972 - char const *name, atomic_t *val)
24973 + char const *name, atomic_unchecked_t *val)
24975 struct dentry *d = __oprofilefs_create_file(sb, root, name,
24976 &atomic_ro_fops, 0444);
24977 diff -urNp linux-2.6.33/drivers/oprofile/oprofile_stats.c linux-2.6.33/drivers/oprofile/oprofile_stats.c
24978 --- linux-2.6.33/drivers/oprofile/oprofile_stats.c 2010-02-24 13:52:17.000000000 -0500
24979 +++ linux-2.6.33/drivers/oprofile/oprofile_stats.c 2010-03-07 12:23:36.041708139 -0500
24980 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
24981 cpu_buf->sample_invalid_eip = 0;
24984 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
24985 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
24986 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
24987 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
24988 - atomic_set(&oprofile_stats.multiplex_counter, 0);
24989 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
24990 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
24991 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
24992 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
24993 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
24997 diff -urNp linux-2.6.33/drivers/oprofile/oprofile_stats.h linux-2.6.33/drivers/oprofile/oprofile_stats.h
24998 --- linux-2.6.33/drivers/oprofile/oprofile_stats.h 2010-02-24 13:52:17.000000000 -0500
24999 +++ linux-2.6.33/drivers/oprofile/oprofile_stats.h 2010-03-07 12:23:36.041708139 -0500
25000 @@ -13,11 +13,11 @@
25001 #include <asm/atomic.h>
25003 struct oprofile_stat_struct {
25004 - atomic_t sample_lost_no_mm;
25005 - atomic_t sample_lost_no_mapping;
25006 - atomic_t bt_lost_no_mapping;
25007 - atomic_t event_lost_overflow;
25008 - atomic_t multiplex_counter;
25009 + atomic_unchecked_t sample_lost_no_mm;
25010 + atomic_unchecked_t sample_lost_no_mapping;
25011 + atomic_unchecked_t bt_lost_no_mapping;
25012 + atomic_unchecked_t event_lost_overflow;
25013 + atomic_unchecked_t multiplex_counter;
25016 extern struct oprofile_stat_struct oprofile_stats;
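Review bot: Nothing in `struct oprofile_stat_struct` says why these five counters use `atomic_unchecked_t` rather than `atomic_t`. They look like loss and multiplex statistics where wrapping is harmless, which is presumably why they are exempted from the overflow detection PaX applies to `atomic_t`. A comment on the struct would stop someone from later adding a real reference count here under the unchecked type: `/* statistics only, may wrap: deliberately exempt from overflow detection */`. The `_unchecked` call sites in buffer_sync.c, event_buffer.c, oprof.c and oprofile_stats.c need no comment of their own once the type is documented.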
25017 diff -urNp linux-2.6.33/drivers/parisc/pdc_stable.c linux-2.6.33/drivers/parisc/pdc_stable.c
25018 --- linux-2.6.33/drivers/parisc/pdc_stable.c 2010-02-24 13:52:17.000000000 -0500
25019 +++ linux-2.6.33/drivers/parisc/pdc_stable.c 2010-03-07 12:23:36.041708139 -0500
25020 @@ -481,7 +481,7 @@ pdcspath_attr_store(struct kobject *kobj
25024 -static struct sysfs_ops pdcspath_attr_ops = {
25025 +static const struct sysfs_ops pdcspath_attr_ops = {
25026 .show = pdcspath_attr_show,
25027 .store = pdcspath_attr_store,
25029 diff -urNp linux-2.6.33/drivers/parport/procfs.c linux-2.6.33/drivers/parport/procfs.c
25030 --- linux-2.6.33/drivers/parport/procfs.c 2010-02-24 13:52:17.000000000 -0500
25031 +++ linux-2.6.33/drivers/parport/procfs.c 2010-03-07 12:23:36.041708139 -0500
25032 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
25036 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
25037 + return (len > sizeof(buffer) || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
25040 #ifdef CONFIG_PARPORT_1284
25041 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
25045 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
25046 + return (len > sizeof(buffer) || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
25048 #endif /* IEEE1284.3 support. */
25050 diff -urNp linux-2.6.33/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.33/drivers/pci/hotplug/acpiphp_glue.c
25051 --- linux-2.6.33/drivers/pci/hotplug/acpiphp_glue.c 2010-02-24 13:52:17.000000000 -0500
25052 +++ linux-2.6.33/drivers/pci/hotplug/acpiphp_glue.c 2010-03-07 12:23:36.041708139 -0500
25053 @@ -109,7 +109,7 @@ static int post_dock_fixups(struct notif
25057 -static struct acpi_dock_ops acpiphp_dock_ops = {
25058 +static const struct acpi_dock_ops acpiphp_dock_ops = {
25059 .handler = handle_hotplug_event_func,
25062 diff -urNp linux-2.6.33/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.33/drivers/pci/hotplug/cpqphp_nvram.c
25063 --- linux-2.6.33/drivers/pci/hotplug/cpqphp_nvram.c 2010-02-24 13:52:17.000000000 -0500
25064 +++ linux-2.6.33/drivers/pci/hotplug/cpqphp_nvram.c 2010-03-07 12:23:36.041708139 -0500
25065 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
25067 void compaq_nvram_init (void __iomem *rom_start)
25070 +#ifndef CONFIG_PAX_KERNEXEC
25072 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
25076 dbg("int15 entry = %p\n", compaq_int15_entry_point);
25078 /* initialize our int15 lock */
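Review bot: With CONFIG_PAX_KERNEXEC set, the assignment to `compaq_int15_entry_point` is compiled out, yet the `dbg()` below still prints it and nothing visible tells later users that the entry point was never set. The `#endif` and the rest of compaq_nvram_init() are missing from this listing, so this is inferred from the lines shown. A comment at the `#ifndef` should state the reason, presumably that the ROM entry point must not be called under KERNEXEC: `/* KERNEXEC: BIOS ROM entry point is deliberately left unset */`. It is also worth confirming that every user of the pointer checks it before calling through it.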
25079 diff -urNp linux-2.6.33/drivers/pci/hotplug/fakephp.c linux-2.6.33/drivers/pci/hotplug/fakephp.c
25080 --- linux-2.6.33/drivers/pci/hotplug/fakephp.c 2010-02-24 13:52:17.000000000 -0500
25081 +++ linux-2.6.33/drivers/pci/hotplug/fakephp.c 2010-03-07 12:23:36.041708139 -0500
25082 @@ -73,7 +73,7 @@ static void legacy_release(struct kobjec
25085 static struct kobj_type legacy_ktype = {
25086 - .sysfs_ops = &(struct sysfs_ops){
25087 + .sysfs_ops = &(const struct sysfs_ops){
25088 .store = legacy_store, .show = legacy_show
25090 .release = &legacy_release,
25091 diff -urNp linux-2.6.33/drivers/pci/intel-iommu.c linux-2.6.33/drivers/pci/intel-iommu.c
25092 --- linux-2.6.33/drivers/pci/intel-iommu.c 2010-02-24 13:52:17.000000000 -0500
25093 +++ linux-2.6.33/drivers/pci/intel-iommu.c 2010-03-07 12:23:36.041708139 -0500
25094 @@ -2940,7 +2940,7 @@ static int intel_mapping_error(struct de
25098 -struct dma_map_ops intel_dma_ops = {
25099 +const struct dma_map_ops intel_dma_ops = {
25100 .alloc_coherent = intel_alloc_coherent,
25101 .free_coherent = intel_free_coherent,
25102 .map_sg = intel_map_sg,
25103 diff -urNp linux-2.6.33/drivers/pci/pcie/portdrv_pci.c linux-2.6.33/drivers/pci/pcie/portdrv_pci.c
25104 --- linux-2.6.33/drivers/pci/pcie/portdrv_pci.c 2010-02-24 13:52:17.000000000 -0500
25105 +++ linux-2.6.33/drivers/pci/pcie/portdrv_pci.c 2010-03-07 12:23:36.041708139 -0500
25106 @@ -250,7 +250,7 @@ static void pcie_portdrv_err_resume(stru
25107 static const struct pci_device_id port_pci_ids[] = { {
25108 /* handle any PCI-Express port */
25109 PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
25110 - }, { /* end: all zeroes */ }
25111 + }, { 0, 0, 0, 0, 0, 0, 0 }
25113 MODULE_DEVICE_TABLE(pci, port_pci_ids);
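Review bot: The new terminator `{ 0, 0, 0, 0, 0, 0, 0 }` drops the `/* end: all zeroes */` comment and hard-codes the member count of `struct pci_device_id`, so a reader has to count zeros to recognise the sentinel. Keeping the comment costs nothing: `}, { 0, 0, 0, 0, 0, 0, 0 } /* end: all zeroes */`. The same applies to the terminators changed in ti113x.h (`ene_tune_tbl`) and yenta_socket.c (`yenta_table`) further down. If the explicit zeros are there to satisfy a missing-initializer warning, a short comment saying so would explain the change.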
25115 diff -urNp linux-2.6.33/drivers/pci/proc.c linux-2.6.33/drivers/pci/proc.c
25116 --- linux-2.6.33/drivers/pci/proc.c 2010-02-24 13:52:17.000000000 -0500
25117 +++ linux-2.6.33/drivers/pci/proc.c 2010-03-07 12:23:36.041708139 -0500
25118 @@ -480,7 +480,16 @@ static const struct file_operations proc
25119 static int __init pci_proc_init(void)
25121 struct pci_dev *dev = NULL;
25123 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
25124 +#ifdef CONFIG_GRKERNSEC_PROC_USER
25125 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
25126 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
25127 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
25130 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
25132 proc_create("devices", 0, proc_bus_pci_dir,
25133 &proc_bus_pci_dev_operations);
25134 proc_initialized = 1;
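Review bot: The handle returned by the new `proc_mkdir_mode()` calls is passed straight to `proc_create("devices", 0, proc_bus_pci_dir, ...)` without a NULL check. As far as I know, a NULL parent makes proc_create() fall back to the /proc root, so on failure the entry would be created outside the directory whose mode was just restricted. An early `if (!proc_bus_pci_dir) return -ENOMEM;` after the conditional would keep the restriction fail-closed. The `#else`/`#endif` lines are missing from this listing and pci_proc_init() continues past the hunk, so the branch structure is inferred.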
25135 diff -urNp linux-2.6.33/drivers/pci/slot.c linux-2.6.33/drivers/pci/slot.c
25136 --- linux-2.6.33/drivers/pci/slot.c 2010-02-24 13:52:17.000000000 -0500
25137 +++ linux-2.6.33/drivers/pci/slot.c 2010-03-07 12:23:36.041708139 -0500
25138 @@ -29,7 +29,7 @@ static ssize_t pci_slot_attr_store(struc
25139 return attribute->store ? attribute->store(slot, buf, len) : -EIO;
25142 -static struct sysfs_ops pci_slot_sysfs_ops = {
25143 +static const struct sysfs_ops pci_slot_sysfs_ops = {
25144 .show = pci_slot_attr_show,
25145 .store = pci_slot_attr_store,
25147 diff -urNp linux-2.6.33/drivers/pcmcia/ti113x.h linux-2.6.33/drivers/pcmcia/ti113x.h
25148 --- linux-2.6.33/drivers/pcmcia/ti113x.h 2010-02-24 13:52:17.000000000 -0500
25149 +++ linux-2.6.33/drivers/pcmcia/ti113x.h 2010-03-07 12:23:36.041708139 -0500
25150 @@ -903,7 +903,7 @@ static struct pci_device_id ene_tune_tbl
25151 DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
25152 ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
25155 + { 0, 0, 0, 0, 0, 0, 0 }
25158 static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
25159 diff -urNp linux-2.6.33/drivers/pcmcia/yenta_socket.c linux-2.6.33/drivers/pcmcia/yenta_socket.c
25160 --- linux-2.6.33/drivers/pcmcia/yenta_socket.c 2010-02-24 13:52:17.000000000 -0500
25161 +++ linux-2.6.33/drivers/pcmcia/yenta_socket.c 2010-03-07 12:23:36.041708139 -0500
25162 @@ -1432,7 +1432,7 @@ static struct pci_device_id yenta_table[
25164 /* match any cardbus bridge */
25165 CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
25166 - { /* all zeroes */ }
25167 + { 0, 0, 0, 0, 0, 0, 0 }
25169 MODULE_DEVICE_TABLE(pci, yenta_table);
25171 diff -urNp linux-2.6.33/drivers/platform/x86/acer-wmi.c linux-2.6.33/drivers/platform/x86/acer-wmi.c
25172 --- linux-2.6.33/drivers/platform/x86/acer-wmi.c 2010-02-24 13:52:17.000000000 -0500
25173 +++ linux-2.6.33/drivers/platform/x86/acer-wmi.c 2010-03-07 12:23:36.045616323 -0500
25174 @@ -915,7 +915,7 @@ static int update_bl_status(struct backl
25178 -static struct backlight_ops acer_bl_ops = {
25179 +static const struct backlight_ops acer_bl_ops = {
25180 .get_brightness = read_brightness,
25181 .update_status = update_bl_status,
25183 diff -urNp linux-2.6.33/drivers/platform/x86/asus_acpi.c linux-2.6.33/drivers/platform/x86/asus_acpi.c
25184 --- linux-2.6.33/drivers/platform/x86/asus_acpi.c 2010-02-24 13:52:17.000000000 -0500
25185 +++ linux-2.6.33/drivers/platform/x86/asus_acpi.c 2010-03-07 12:23:36.045616323 -0500
25186 @@ -1464,7 +1464,7 @@ static int asus_hotk_remove(struct acpi_
25190 -static struct backlight_ops asus_backlight_data = {
25191 +static const struct backlight_ops asus_backlight_data = {
25192 .get_brightness = read_brightness,
25193 .update_status = set_brightness_status,
25195 diff -urNp linux-2.6.33/drivers/platform/x86/asus-laptop.c linux-2.6.33/drivers/platform/x86/asus-laptop.c
25196 --- linux-2.6.33/drivers/platform/x86/asus-laptop.c 2010-02-24 13:52:17.000000000 -0500
25197 +++ linux-2.6.33/drivers/platform/x86/asus-laptop.c 2010-03-07 12:23:36.045616323 -0500
25198 @@ -251,7 +251,7 @@ static struct backlight_device *asus_bac
25200 static int read_brightness(struct backlight_device *bd);
25201 static int update_bl_status(struct backlight_device *bd);
25202 -static struct backlight_ops asusbl_ops = {
25203 +static const struct backlight_ops asusbl_ops = {
25204 .get_brightness = read_brightness,
25205 .update_status = update_bl_status,
25207 diff -urNp linux-2.6.33/drivers/platform/x86/classmate-laptop.c linux-2.6.33/drivers/platform/x86/classmate-laptop.c
25208 --- linux-2.6.33/drivers/platform/x86/classmate-laptop.c 2010-02-24 13:52:17.000000000 -0500
25209 +++ linux-2.6.33/drivers/platform/x86/classmate-laptop.c 2010-03-07 12:23:36.045616323 -0500
25210 @@ -452,7 +452,7 @@ static int cmpc_bl_update_status(struct
25214 -static struct backlight_ops cmpc_bl_ops = {
25215 +static const struct backlight_ops cmpc_bl_ops = {
25216 .get_brightness = cmpc_bl_get_brightness,
25217 .update_status = cmpc_bl_update_status
25219 diff -urNp linux-2.6.33/drivers/platform/x86/compal-laptop.c linux-2.6.33/drivers/platform/x86/compal-laptop.c
25220 --- linux-2.6.33/drivers/platform/x86/compal-laptop.c 2010-02-24 13:52:17.000000000 -0500
25221 +++ linux-2.6.33/drivers/platform/x86/compal-laptop.c 2010-03-07 12:23:36.045616323 -0500
25222 @@ -162,7 +162,7 @@ static int bl_update_status(struct backl
25223 return set_lcd_level(b->props.brightness);
25226 -static struct backlight_ops compalbl_ops = {
25227 +static const struct backlight_ops compalbl_ops = {
25228 .get_brightness = bl_get_brightness,
25229 .update_status = bl_update_status,
25231 diff -urNp linux-2.6.33/drivers/platform/x86/dell-laptop.c linux-2.6.33/drivers/platform/x86/dell-laptop.c
25232 --- linux-2.6.33/drivers/platform/x86/dell-laptop.c 2010-02-24 13:52:17.000000000 -0500
25233 +++ linux-2.6.33/drivers/platform/x86/dell-laptop.c 2010-03-07 12:23:36.045616323 -0500
25234 @@ -333,7 +333,7 @@ static int dell_get_intensity(struct bac
25235 return buffer.output[1];
25238 -static struct backlight_ops dell_ops = {
25239 +static const struct backlight_ops dell_ops = {
25240 .get_brightness = dell_get_intensity,
25241 .update_status = dell_send_intensity,
25243 diff -urNp linux-2.6.33/drivers/platform/x86/eeepc-laptop.c linux-2.6.33/drivers/platform/x86/eeepc-laptop.c
25244 --- linux-2.6.33/drivers/platform/x86/eeepc-laptop.c 2010-02-24 13:52:17.000000000 -0500
25245 +++ linux-2.6.33/drivers/platform/x86/eeepc-laptop.c 2010-03-07 12:23:36.045616323 -0500
25246 @@ -1096,7 +1096,7 @@ static int update_bl_status(struct backl
25247 return set_brightness(bd, bd->props.brightness);
25250 -static struct backlight_ops eeepcbl_ops = {
25251 +static const struct backlight_ops eeepcbl_ops = {
25252 .get_brightness = read_brightness,
25253 .update_status = update_bl_status,
25255 diff -urNp linux-2.6.33/drivers/platform/x86/fujitsu-laptop.c linux-2.6.33/drivers/platform/x86/fujitsu-laptop.c
25256 --- linux-2.6.33/drivers/platform/x86/fujitsu-laptop.c 2010-02-24 13:52:17.000000000 -0500
25257 +++ linux-2.6.33/drivers/platform/x86/fujitsu-laptop.c 2010-03-07 12:23:36.045616323 -0500
25258 @@ -436,7 +436,7 @@ static int bl_update_status(struct backl
25262 -static struct backlight_ops fujitsubl_ops = {
25263 +static const struct backlight_ops fujitsubl_ops = {
25264 .get_brightness = bl_get_brightness,
25265 .update_status = bl_update_status,
25267 diff -urNp linux-2.6.33/drivers/platform/x86/msi-laptop.c linux-2.6.33/drivers/platform/x86/msi-laptop.c
25268 --- linux-2.6.33/drivers/platform/x86/msi-laptop.c 2010-02-24 13:52:17.000000000 -0500
25269 +++ linux-2.6.33/drivers/platform/x86/msi-laptop.c 2010-03-07 12:23:36.045616323 -0500
25270 @@ -161,7 +161,7 @@ static int bl_update_status(struct backl
25271 return set_lcd_level(b->props.brightness);
25274 -static struct backlight_ops msibl_ops = {
25275 +static const struct backlight_ops msibl_ops = {
25276 .get_brightness = bl_get_brightness,
25277 .update_status = bl_update_status,
25279 diff -urNp linux-2.6.33/drivers/platform/x86/msi-wmi.c linux-2.6.33/drivers/platform/x86/msi-wmi.c
25280 --- linux-2.6.33/drivers/platform/x86/msi-wmi.c 2010-02-24 13:52:17.000000000 -0500
25281 +++ linux-2.6.33/drivers/platform/x86/msi-wmi.c 2010-03-07 12:23:36.045616323 -0500
25282 @@ -138,7 +138,7 @@ static int bl_set_status(struct backligh
25283 return msi_wmi_set_block(0, backlight_map[bright]);
25286 -static struct backlight_ops msi_backlight_ops = {
25287 +static const struct backlight_ops msi_backlight_ops = {
25288 .get_brightness = bl_get,
25289 .update_status = bl_set_status,
25291 diff -urNp linux-2.6.33/drivers/platform/x86/panasonic-laptop.c linux-2.6.33/drivers/platform/x86/panasonic-laptop.c
25292 --- linux-2.6.33/drivers/platform/x86/panasonic-laptop.c 2010-02-24 13:52:17.000000000 -0500
25293 +++ linux-2.6.33/drivers/platform/x86/panasonic-laptop.c 2010-03-07 12:23:36.045616323 -0500
25294 @@ -352,7 +352,7 @@ static int bl_set_status(struct backligh
25295 return acpi_pcc_write_sset(pcc, SINF_DC_CUR_BRIGHT, bright);
25298 -static struct backlight_ops pcc_backlight_ops = {
25299 +static const struct backlight_ops pcc_backlight_ops = {
25300 .get_brightness = bl_get,
25301 .update_status = bl_set_status,
25303 diff -urNp linux-2.6.33/drivers/platform/x86/sony-laptop.c linux-2.6.33/drivers/platform/x86/sony-laptop.c
25304 --- linux-2.6.33/drivers/platform/x86/sony-laptop.c 2010-02-24 13:52:17.000000000 -0500
25305 +++ linux-2.6.33/drivers/platform/x86/sony-laptop.c 2010-03-07 12:23:36.045616323 -0500
25306 @@ -853,7 +853,7 @@ static int sony_backlight_get_brightness
25309 static struct backlight_device *sony_backlight_device;
25310 -static struct backlight_ops sony_backlight_ops = {
25311 +static const struct backlight_ops sony_backlight_ops = {
25312 .update_status = sony_backlight_update_status,
25313 .get_brightness = sony_backlight_get_brightness,
25315 diff -urNp linux-2.6.33/drivers/platform/x86/thinkpad_acpi.c linux-2.6.33/drivers/platform/x86/thinkpad_acpi.c
25316 --- linux-2.6.33/drivers/platform/x86/thinkpad_acpi.c 2010-02-24 13:52:17.000000000 -0500
25317 +++ linux-2.6.33/drivers/platform/x86/thinkpad_acpi.c 2010-03-07 12:23:36.049684703 -0500
25318 @@ -6112,7 +6112,7 @@ static void tpacpi_brightness_notify_cha
25319 BACKLIGHT_UPDATE_HOTKEY);
25322 -static struct backlight_ops ibm_backlight_data = {
25323 +static const struct backlight_ops ibm_backlight_data = {
25324 .get_brightness = brightness_get,
25325 .update_status = brightness_update_status,
25327 diff -urNp linux-2.6.33/drivers/platform/x86/toshiba_acpi.c linux-2.6.33/drivers/platform/x86/toshiba_acpi.c
25328 --- linux-2.6.33/drivers/platform/x86/toshiba_acpi.c 2010-02-24 13:52:17.000000000 -0500
25329 +++ linux-2.6.33/drivers/platform/x86/toshiba_acpi.c 2010-03-07 12:23:36.049684703 -0500
25330 @@ -706,7 +706,7 @@ static acpi_status remove_device(void)
25334 -static struct backlight_ops toshiba_backlight_data = {
25335 +static const struct backlight_ops toshiba_backlight_data = {
25336 .get_brightness = get_lcd,
25337 .update_status = set_lcd_status,
25339 diff -urNp linux-2.6.33/drivers/pnp/pnpbios/bioscalls.c linux-2.6.33/drivers/pnp/pnpbios/bioscalls.c
25340 --- linux-2.6.33/drivers/pnp/pnpbios/bioscalls.c 2010-02-24 13:52:17.000000000 -0500
25341 +++ linux-2.6.33/drivers/pnp/pnpbios/bioscalls.c 2010-03-07 12:23:36.049684703 -0500
25342 @@ -60,7 +60,7 @@ do { \
25343 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
25346 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
25347 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
25348 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
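Review bot: The flags word of `bad_bios_desc` changes from `0x4092` to `0x4093` with no comment saying why, and a one-bit difference in a magic constant is easy to revert by accident. Bit 0 of the type field is the x86 "accessed" bit; presumably it is pre-set so the CPU never has to write it back into the GDT slot when the 0x40 selector is loaded. That would matter once the GDT is only writable inside the `pax_open_kernel()`/`pax_close_kernel()` pairs added further down this file. I would add a comment above the definition, such as `/* accessed bit pre-set so the CPU never needs to write to the GDT entry */`. The `const` added on the same line fits, since the object is only copied into the table in the hunks shown here.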
25351 @@ -97,7 +97,10 @@ static inline u16 call_pnp_bios(u16 func
25354 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
25356 + pax_open_kernel();
25357 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
25358 + pax_close_kernel();
25360 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
25361 spin_lock_irqsave(&pnp_bios_lock, flags);
25362 @@ -135,7 +138,10 @@ static inline u16 call_pnp_bios(u16 func
25364 spin_unlock_irqrestore(&pnp_bios_lock, flags);
25366 + pax_open_kernel();
25367 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
25368 + pax_close_kernel();
25372 /* If we get here and this is set then the PnP BIOS faulted on us. */
25373 @@ -469,7 +475,7 @@ int pnp_bios_read_escd(char *data, u32 n
25377 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
25378 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
25382 @@ -477,6 +483,8 @@ void pnpbios_calls_init(union pnp_bios_i
25383 pnp_bios_callpoint.offset = header->fields.pm16offset;
25384 pnp_bios_callpoint.segment = PNP_CS16;
25386 + pax_open_kernel();
25388 for_each_possible_cpu(i) {
25389 struct desc_struct *gdt = get_cpu_gdt_table(i);
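Review bot: `pax_open_kernel()` is called before the `for_each_possible_cpu` loop, but the matching `pax_close_kernel()` only appears in the next hunk, after the last `set_desc_base()` call. The pairing therefore depends on code between the two hunks that is not visible here. If an early `return` is ever added inside that stretch, the function would exit with the kernel still open for writing. A comment at the open call would make the constraint explicit, for example `/* GDT is read-only: no exit path between here and pax_close_kernel() */`. The `__init` added to `pnpbios_calls_init()` in the hunk above also assumes every caller is itself `__init`, which this diff does not show.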
25391 @@ -488,4 +496,6 @@ void pnpbios_calls_init(union pnp_bios_i
25392 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
25393 (unsigned long)__va(header->fields.pm16dseg));
25396 + pax_close_kernel();
25398 diff -urNp linux-2.6.33/drivers/pnp/quirks.c linux-2.6.33/drivers/pnp/quirks.c
25399 --- linux-2.6.33/drivers/pnp/quirks.c 2010-02-24 13:52:17.000000000 -0500
25400 +++ linux-2.6.33/drivers/pnp/quirks.c 2010-03-07 12:23:36.049684703 -0500
25401 @@ -322,7 +322,7 @@ static struct pnp_fixup pnp_fixups[] = {
25402 /* PnP resources that might overlap PCI BARs */
25403 {"PNP0c01", quirk_system_pci_resources},
25404 {"PNP0c02", quirk_system_pci_resources},
25409 void pnp_fixup_device(struct pnp_dev *dev)
25410 diff -urNp linux-2.6.33/drivers/pnp/resource.c linux-2.6.33/drivers/pnp/resource.c
25411 --- linux-2.6.33/drivers/pnp/resource.c 2010-02-24 13:52:17.000000000 -0500
25412 +++ linux-2.6.33/drivers/pnp/resource.c 2010-03-07 12:23:36.049684703 -0500
25413 @@ -355,7 +355,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
25416 /* check if the resource is valid */
25417 - if (*irq < 0 || *irq > 15)
25421 /* check if the resource is reserved */
25422 @@ -419,7 +419,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
25425 /* check if the resource is valid */
25426 - if (*dma < 0 || *dma == 4 || *dma > 7)
25427 + if (*dma == 4 || *dma > 7)
25430 /* check if the resource is reserved */
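Review bot: Dropping `*dma < 0` preserves behaviour only if `*dma` has an unsigned type, and its declaration is outside this hunk, so the new condition `if (*dma == 4 || *dma > 7)` carries that assumption silently. If the pointee is unsigned, as the removal suggests, the old test was dead code. If the type were later changed to a signed one, negative values would pass this validity check. A comment on the check would record the dependency, e.g. `/* *dma is unsigned, so only the upper bound needs testing */`. The `pnp_check_irq` hunk just above removes the same lower-bound test, but its replacement line is not visible in this view.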
25431 diff -urNp linux-2.6.33/drivers/s390/cio/qdio_debug.c linux-2.6.33/drivers/s390/cio/qdio_debug.c
25432 --- linux-2.6.33/drivers/s390/cio/qdio_debug.c 2010-02-24 13:52:17.000000000 -0500
25433 +++ linux-2.6.33/drivers/s390/cio/qdio_debug.c 2010-03-07 12:23:36.049684703 -0500
25434 @@ -215,7 +215,7 @@ static int qperf_seq_open(struct inode *
25435 filp->f_path.dentry->d_inode->i_private);
25438 -static struct file_operations debugfs_perf_fops = {
25439 +static const struct file_operations debugfs_perf_fops = {
25440 .owner = THIS_MODULE,
25441 .open = qperf_seq_open,
25443 diff -urNp linux-2.6.33/drivers/scsi/ipr.c linux-2.6.33/drivers/scsi/ipr.c
25444 --- linux-2.6.33/drivers/scsi/ipr.c 2010-02-24 13:52:17.000000000 -0500
25445 +++ linux-2.6.33/drivers/scsi/ipr.c 2010-03-07 12:23:36.049684703 -0500
25446 @@ -5291,7 +5291,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
25450 -static struct ata_port_operations ipr_sata_ops = {
25451 +static const struct ata_port_operations ipr_sata_ops = {
25452 .phy_reset = ipr_ata_phy_reset,
25453 .hardreset = ipr_sata_reset,
25454 .post_internal_cmd = ipr_ata_post_internal,
25455 diff -urNp linux-2.6.33/drivers/scsi/libfc/fc_exch.c linux-2.6.33/drivers/scsi/libfc/fc_exch.c
25456 --- linux-2.6.33/drivers/scsi/libfc/fc_exch.c 2010-02-24 13:52:17.000000000 -0500
25457 +++ linux-2.6.33/drivers/scsi/libfc/fc_exch.c 2010-03-07 12:23:36.049684703 -0500
25458 @@ -100,12 +100,12 @@ struct fc_exch_mgr {
25459 * all together if not used XXX
25462 - atomic_t no_free_exch;
25463 - atomic_t no_free_exch_xid;
25464 - atomic_t xid_not_found;
25465 - atomic_t xid_busy;
25466 - atomic_t seq_not_found;
25467 - atomic_t non_bls_resp;
25468 + atomic_unchecked_t no_free_exch;
25469 + atomic_unchecked_t no_free_exch_xid;
25470 + atomic_unchecked_t xid_not_found;
25471 + atomic_unchecked_t xid_busy;
25472 + atomic_unchecked_t seq_not_found;
25473 + atomic_unchecked_t non_bls_resp;
25476 #define fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
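Review bot: The six `stats` counters become `atomic_unchecked_t` without a comment explaining why they are exempt from the checking that plain `atomic_t` gets elsewhere in this patch. In the later hunks of this file, every changed call site is an `atomic_inc_unchecked(&mp->stats.…)` on a failure or reject path, so they look like pure statistics for which wrapping is harmless. I would state that at the declaration, e.g. `/* statistics only; may wrap, must never be used as a reference count */`. Otherwise a later change could reuse one of these fields for lifetime tracking and lose the checked semantics without anyone noticing.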
25477 @@ -671,7 +671,7 @@ static struct fc_exch *fc_exch_em_alloc(
25478 /* allocate memory for exchange */
25479 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
25481 - atomic_inc(&mp->stats.no_free_exch);
25482 + atomic_inc_unchecked(&mp->stats.no_free_exch);
25485 memset(ep, 0, sizeof(*ep));
25486 @@ -718,7 +718,7 @@ out:
25489 spin_unlock_bh(&pool->lock);
25490 - atomic_inc(&mp->stats.no_free_exch_xid);
25491 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
25492 mempool_free(ep, mp->ep_pool);
25495 @@ -868,7 +868,7 @@ static enum fc_pf_rjt_reason fc_seq_look
25496 xid = ntohs(fh->fh_ox_id); /* we originated exch */
25497 ep = fc_exch_find(mp, xid);
25499 - atomic_inc(&mp->stats.xid_not_found);
25500 + atomic_inc_unchecked(&mp->stats.xid_not_found);
25501 reject = FC_RJT_OX_ID;
25504 @@ -898,7 +898,7 @@ static enum fc_pf_rjt_reason fc_seq_look
25505 ep = fc_exch_find(mp, xid);
25506 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
25508 - atomic_inc(&mp->stats.xid_busy);
25509 + atomic_inc_unchecked(&mp->stats.xid_busy);
25510 reject = FC_RJT_RX_ID;
25513 @@ -909,7 +909,7 @@ static enum fc_pf_rjt_reason fc_seq_look
25515 xid = ep->xid; /* get our XID */
25517 - atomic_inc(&mp->stats.xid_not_found);
25518 + atomic_inc_unchecked(&mp->stats.xid_not_found);
25519 reject = FC_RJT_RX_ID; /* XID not found */
25522 @@ -930,7 +930,7 @@ static enum fc_pf_rjt_reason fc_seq_look
25525 if (sp->id != fh->fh_seq_id) {
25526 - atomic_inc(&mp->stats.seq_not_found);
25527 + atomic_inc_unchecked(&mp->stats.seq_not_found);
25528 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
25531 @@ -1317,22 +1317,22 @@ static void fc_exch_recv_seq_resp(struct
25533 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
25535 - atomic_inc(&mp->stats.xid_not_found);
25536 + atomic_inc_unchecked(&mp->stats.xid_not_found);
25539 if (ep->esb_stat & ESB_ST_COMPLETE) {
25540 - atomic_inc(&mp->stats.xid_not_found);
25541 + atomic_inc_unchecked(&mp->stats.xid_not_found);
25544 if (ep->rxid == FC_XID_UNKNOWN)
25545 ep->rxid = ntohs(fh->fh_rx_id);
25546 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
25547 - atomic_inc(&mp->stats.xid_not_found);
25548 + atomic_inc_unchecked(&mp->stats.xid_not_found);
25551 if (ep->did != ntoh24(fh->fh_s_id) &&
25552 ep->did != FC_FID_FLOGI) {
25553 - atomic_inc(&mp->stats.xid_not_found);
25554 + atomic_inc_unchecked(&mp->stats.xid_not_found);
25558 @@ -1343,7 +1343,7 @@ static void fc_exch_recv_seq_resp(struct
25561 if (sp->id != fh->fh_seq_id) {
25562 - atomic_inc(&mp->stats.seq_not_found);
25563 + atomic_inc_unchecked(&mp->stats.seq_not_found);
25567 @@ -1406,9 +1406,9 @@ static void fc_exch_recv_resp(struct fc_
25568 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
25571 - atomic_inc(&mp->stats.xid_not_found);
25572 + atomic_inc_unchecked(&mp->stats.xid_not_found);
25574 - atomic_inc(&mp->stats.non_bls_resp);
25575 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
25579 diff -urNp linux-2.6.33/drivers/scsi/libsas/sas_ata.c linux-2.6.33/drivers/scsi/libsas/sas_ata.c
25580 --- linux-2.6.33/drivers/scsi/libsas/sas_ata.c 2010-02-24 13:52:17.000000000 -0500
25581 +++ linux-2.6.33/drivers/scsi/libsas/sas_ata.c 2010-03-07 12:23:36.049684703 -0500
25582 @@ -343,7 +343,7 @@ static int sas_ata_scr_read(struct ata_l
25586 -static struct ata_port_operations sas_sata_ops = {
25587 +static const struct ata_port_operations sas_sata_ops = {
25588 .phy_reset = sas_ata_phy_reset,
25589 .post_internal_cmd = sas_ata_post_internal,
25590 .qc_prep = ata_noop_qc_prep,
25591 diff -urNp linux-2.6.33/drivers/scsi/scsi_logging.h linux-2.6.33/drivers/scsi/scsi_logging.h
25592 --- linux-2.6.33/drivers/scsi/scsi_logging.h 2010-02-24 13:52:17.000000000 -0500
25593 +++ linux-2.6.33/drivers/scsi/scsi_logging.h 2010-03-07 12:23:36.049684703 -0500
25594 @@ -51,7 +51,7 @@ do { \
25598 -#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
25599 +#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
25600 #endif /* CONFIG_SCSI_LOGGING */
25603 diff -urNp linux-2.6.33/drivers/scsi/sg.c linux-2.6.33/drivers/scsi/sg.c
25604 --- linux-2.6.33/drivers/scsi/sg.c 2010-02-24 13:52:17.000000000 -0500
25605 +++ linux-2.6.33/drivers/scsi/sg.c 2010-03-07 12:23:36.053722379 -0500
25606 @@ -2292,7 +2292,7 @@ struct sg_proc_leaf {
25607 const struct file_operations * fops;
25610 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
25611 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
25612 {"allow_dio", &adio_fops},
25613 {"debug", &debug_fops},
25614 {"def_reserved_size", &dressz_fops},
25615 @@ -2307,7 +2307,7 @@ sg_proc_init(void)
25618 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
25619 - struct sg_proc_leaf * leaf;
25620 + const struct sg_proc_leaf * leaf;
25622 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
25624 diff -urNp linux-2.6.33/drivers/serial/8250_pci.c linux-2.6.33/drivers/serial/8250_pci.c
25625 --- linux-2.6.33/drivers/serial/8250_pci.c 2010-02-24 13:52:17.000000000 -0500
25626 +++ linux-2.6.33/drivers/serial/8250_pci.c 2010-03-07 12:23:36.053722379 -0500
25627 @@ -3664,7 +3664,7 @@ static struct pci_device_id serial_pci_t
25628 PCI_ANY_ID, PCI_ANY_ID,
25629 PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
25630 0xffff00, pbn_default },
25632 + { 0, 0, 0, 0, 0, 0, 0 }
25635 static struct pci_driver serial_pci_driver = {
25636 diff -urNp linux-2.6.33/drivers/serial/kgdboc.c linux-2.6.33/drivers/serial/kgdboc.c
25637 --- linux-2.6.33/drivers/serial/kgdboc.c 2010-02-24 13:52:17.000000000 -0500
25638 +++ linux-2.6.33/drivers/serial/kgdboc.c 2010-03-07 12:23:36.053722379 -0500
25641 #define MAX_CONFIG_LEN 40
25643 -static struct kgdb_io kgdboc_io_ops;
25644 +static const struct kgdb_io kgdboc_io_ops;
25646 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
25647 static int configured = -1;
25648 @@ -154,7 +154,7 @@ static void kgdboc_post_exp_handler(void
25649 module_put(THIS_MODULE);
25652 -static struct kgdb_io kgdboc_io_ops = {
25653 +static const struct kgdb_io kgdboc_io_ops = {
25655 .read_char = kgdboc_get_char,
25656 .write_char = kgdboc_put_char,
25657 diff -urNp linux-2.6.33/drivers/staging/b3dfg/b3dfg.c linux-2.6.33/drivers/staging/b3dfg/b3dfg.c
25658 --- linux-2.6.33/drivers/staging/b3dfg/b3dfg.c 2010-02-24 13:52:17.000000000 -0500
25659 +++ linux-2.6.33/drivers/staging/b3dfg/b3dfg.c 2010-03-07 12:23:36.053722379 -0500
25660 @@ -455,7 +455,7 @@ static int b3dfg_vma_fault(struct vm_are
25661 return VM_FAULT_NOPAGE;
25664 -static struct vm_operations_struct b3dfg_vm_ops = {
25665 +static const struct vm_operations_struct b3dfg_vm_ops = {
25666 .fault = b3dfg_vma_fault,
25669 @@ -836,7 +836,7 @@ static int b3dfg_mmap(struct file *filp,
25673 -static struct file_operations b3dfg_fops = {
25674 +static const struct file_operations b3dfg_fops = {
25675 .owner = THIS_MODULE,
25676 .open = b3dfg_open,
25677 .release = b3dfg_release,
25678 diff -urNp linux-2.6.33/drivers/staging/comedi/comedi_fops.c linux-2.6.33/drivers/staging/comedi/comedi_fops.c
25679 --- linux-2.6.33/drivers/staging/comedi/comedi_fops.c 2010-02-24 13:52:17.000000000 -0500
25680 +++ linux-2.6.33/drivers/staging/comedi/comedi_fops.c 2010-03-07 12:23:36.053722379 -0500
25681 @@ -1384,7 +1384,7 @@ void comedi_unmap(struct vm_area_struct
25682 mutex_unlock(&dev->mutex);
25685 -static struct vm_operations_struct comedi_vm_ops = {
25686 +static const struct vm_operations_struct comedi_vm_ops = {
25687 .close = comedi_unmap,
25690 diff -urNp linux-2.6.33/drivers/staging/dream/pmem.c linux-2.6.33/drivers/staging/dream/pmem.c
25691 --- linux-2.6.33/drivers/staging/dream/pmem.c 2010-02-24 13:52:17.000000000 -0500
25692 +++ linux-2.6.33/drivers/staging/dream/pmem.c 2010-03-07 12:23:36.053722379 -0500
25693 @@ -174,7 +174,7 @@ static int pmem_mmap(struct file *, stru
25694 static int pmem_open(struct inode *, struct file *);
25695 static long pmem_ioctl(struct file *, unsigned int, unsigned long);
25697 -struct file_operations pmem_fops = {
25698 +const struct file_operations pmem_fops = {
25699 .release = pmem_release,
25702 @@ -1202,7 +1202,7 @@ static ssize_t debug_read(struct file *f
25703 return simple_read_from_buffer(buf, count, ppos, buffer, n);
25706 -static struct file_operations debug_fops = {
25707 +static const struct file_operations debug_fops = {
25708 .read = debug_read,
25709 .open = debug_open,
25711 diff -urNp linux-2.6.33/drivers/staging/dream/qdsp5/adsp_driver.c linux-2.6.33/drivers/staging/dream/qdsp5/adsp_driver.c
25712 --- linux-2.6.33/drivers/staging/dream/qdsp5/adsp_driver.c 2010-02-24 13:52:17.000000000 -0500
25713 +++ linux-2.6.33/drivers/staging/dream/qdsp5/adsp_driver.c 2010-03-07 12:23:36.053722379 -0500
25714 @@ -576,7 +576,7 @@ static struct adsp_device *inode_to_devi
25715 static dev_t adsp_devno;
25716 static struct class *adsp_class;
25718 -static struct file_operations adsp_fops = {
25719 +static const struct file_operations adsp_fops = {
25720 .owner = THIS_MODULE,
25722 .unlocked_ioctl = adsp_ioctl,
25723 diff -urNp linux-2.6.33/drivers/staging/dream/qdsp5/audio_aac.c linux-2.6.33/drivers/staging/dream/qdsp5/audio_aac.c
25724 --- linux-2.6.33/drivers/staging/dream/qdsp5/audio_aac.c 2010-02-24 13:52:17.000000000 -0500
25725 +++ linux-2.6.33/drivers/staging/dream/qdsp5/audio_aac.c 2010-03-07 12:23:36.053722379 -0500
25726 @@ -1022,7 +1022,7 @@ done:
25730 -static struct file_operations audio_aac_fops = {
25731 +static const struct file_operations audio_aac_fops = {
25732 .owner = THIS_MODULE,
25733 .open = audio_open,
25734 .release = audio_release,
25735 diff -urNp linux-2.6.33/drivers/staging/dream/qdsp5/audio_amrnb.c linux-2.6.33/drivers/staging/dream/qdsp5/audio_amrnb.c
25736 --- linux-2.6.33/drivers/staging/dream/qdsp5/audio_amrnb.c 2010-02-24 13:52:17.000000000 -0500
25737 +++ linux-2.6.33/drivers/staging/dream/qdsp5/audio_amrnb.c 2010-03-07 12:23:36.053722379 -0500
25738 @@ -833,7 +833,7 @@ done:
25742 -static struct file_operations audio_amrnb_fops = {
25743 +static const struct file_operations audio_amrnb_fops = {
25744 .owner = THIS_MODULE,
25745 .open = audamrnb_open,
25746 .release = audamrnb_release,
25747 diff -urNp linux-2.6.33/drivers/staging/dream/qdsp5/audio_evrc.c linux-2.6.33/drivers/staging/dream/qdsp5/audio_evrc.c
25748 --- linux-2.6.33/drivers/staging/dream/qdsp5/audio_evrc.c 2010-02-24 13:52:17.000000000 -0500
25749 +++ linux-2.6.33/drivers/staging/dream/qdsp5/audio_evrc.c 2010-03-07 12:23:36.053722379 -0500
25750 @@ -805,7 +805,7 @@ dma_fail:
25754 -static struct file_operations audio_evrc_fops = {
25755 +static const struct file_operations audio_evrc_fops = {
25756 .owner = THIS_MODULE,
25757 .open = audevrc_open,
25758 .release = audevrc_release,
25759 diff -urNp linux-2.6.33/drivers/staging/dream/qdsp5/audio_in.c linux-2.6.33/drivers/staging/dream/qdsp5/audio_in.c
25760 --- linux-2.6.33/drivers/staging/dream/qdsp5/audio_in.c 2010-02-24 13:52:17.000000000 -0500
25761 +++ linux-2.6.33/drivers/staging/dream/qdsp5/audio_in.c 2010-03-07 12:23:36.053722379 -0500
25762 @@ -913,7 +913,7 @@ static int audpre_open(struct inode *ino
25766 -static struct file_operations audio_fops = {
25767 +static const struct file_operations audio_fops = {
25768 .owner = THIS_MODULE,
25769 .open = audio_in_open,
25770 .release = audio_in_release,
25771 @@ -922,7 +922,7 @@ static struct file_operations audio_fops
25772 .unlocked_ioctl = audio_in_ioctl,
25775 -static struct file_operations audpre_fops = {
25776 +static const struct file_operations audpre_fops = {
25777 .owner = THIS_MODULE,
25778 .open = audpre_open,
25779 .unlocked_ioctl = audpre_ioctl,
25780 diff -urNp linux-2.6.33/drivers/staging/dream/qdsp5/audio_mp3.c linux-2.6.33/drivers/staging/dream/qdsp5/audio_mp3.c
25781 --- linux-2.6.33/drivers/staging/dream/qdsp5/audio_mp3.c 2010-02-24 13:52:17.000000000 -0500
25782 +++ linux-2.6.33/drivers/staging/dream/qdsp5/audio_mp3.c 2010-03-07 12:23:36.053722379 -0500
25783 @@ -941,7 +941,7 @@ done:
25787 -static struct file_operations audio_mp3_fops = {
25788 +static const struct file_operations audio_mp3_fops = {
25789 .owner = THIS_MODULE,
25790 .open = audio_open,
25791 .release = audio_release,
25792 diff -urNp linux-2.6.33/drivers/staging/dream/qdsp5/audio_out.c linux-2.6.33/drivers/staging/dream/qdsp5/audio_out.c
25793 --- linux-2.6.33/drivers/staging/dream/qdsp5/audio_out.c 2010-02-24 13:52:17.000000000 -0500
25794 +++ linux-2.6.33/drivers/staging/dream/qdsp5/audio_out.c 2010-03-07 12:23:36.053722379 -0500
25795 @@ -806,7 +806,7 @@ static int audpp_open(struct inode *inod
25799 -static struct file_operations audio_fops = {
25800 +static const struct file_operations audio_fops = {
25801 .owner = THIS_MODULE,
25802 .open = audio_open,
25803 .release = audio_release,
25804 @@ -815,7 +815,7 @@ static struct file_operations audio_fops
25805 .unlocked_ioctl = audio_ioctl,
25808 -static struct file_operations audpp_fops = {
25809 +static const struct file_operations audpp_fops = {
25810 .owner = THIS_MODULE,
25811 .open = audpp_open,
25812 .unlocked_ioctl = audpp_ioctl,
25813 diff -urNp linux-2.6.33/drivers/staging/dream/qdsp5/audio_qcelp.c linux-2.6.33/drivers/staging/dream/qdsp5/audio_qcelp.c
25814 --- linux-2.6.33/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-02-24 13:52:17.000000000 -0500
25815 +++ linux-2.6.33/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-03-07 12:23:36.053722379 -0500
25816 @@ -816,7 +816,7 @@ err:
25820 -static struct file_operations audio_qcelp_fops = {
25821 +static const struct file_operations audio_qcelp_fops = {
25822 .owner = THIS_MODULE,
25823 .open = audqcelp_open,
25824 .release = audqcelp_release,
25825 diff -urNp linux-2.6.33/drivers/staging/dream/qdsp5/snd.c linux-2.6.33/drivers/staging/dream/qdsp5/snd.c
25826 --- linux-2.6.33/drivers/staging/dream/qdsp5/snd.c 2010-02-24 13:52:17.000000000 -0500
25827 +++ linux-2.6.33/drivers/staging/dream/qdsp5/snd.c 2010-03-07 12:23:36.057707663 -0500
25828 @@ -242,7 +242,7 @@ err:
25832 -static struct file_operations snd_fops = {
25833 +static const struct file_operations snd_fops = {
25834 .owner = THIS_MODULE,
25836 .release = snd_release,
25837 diff -urNp linux-2.6.33/drivers/staging/dream/smd/smd_qmi.c linux-2.6.33/drivers/staging/dream/smd/smd_qmi.c
25838 --- linux-2.6.33/drivers/staging/dream/smd/smd_qmi.c 2010-02-24 13:52:17.000000000 -0500
25839 +++ linux-2.6.33/drivers/staging/dream/smd/smd_qmi.c 2010-03-07 12:23:36.057707663 -0500
25840 @@ -788,7 +788,7 @@ static int qmi_release(struct inode *ip,
25844 -static struct file_operations qmi_fops = {
25845 +static const struct file_operations qmi_fops = {
25846 .owner = THIS_MODULE,
25848 .write = qmi_write,
25849 diff -urNp linux-2.6.33/drivers/staging/dream/smd/smd_rpcrouter_device.c linux-2.6.33/drivers/staging/dream/smd/smd_rpcrouter_device.c
25850 --- linux-2.6.33/drivers/staging/dream/smd/smd_rpcrouter_device.c 2010-02-24 13:52:17.000000000 -0500
25851 +++ linux-2.6.33/drivers/staging/dream/smd/smd_rpcrouter_device.c 2010-03-07 12:23:36.057707663 -0500
25852 @@ -214,7 +214,7 @@ static long rpcrouter_ioctl(struct file
25856 -static struct file_operations rpcrouter_server_fops = {
25857 +static const struct file_operations rpcrouter_server_fops = {
25858 .owner = THIS_MODULE,
25859 .open = rpcrouter_open,
25860 .release = rpcrouter_release,
25861 @@ -224,7 +224,7 @@ static struct file_operations rpcrouter_
25862 .unlocked_ioctl = rpcrouter_ioctl,
25865 -static struct file_operations rpcrouter_router_fops = {
25866 +static const struct file_operations rpcrouter_router_fops = {
25867 .owner = THIS_MODULE,
25868 .open = rpcrouter_open,
25869 .release = rpcrouter_release,
25870 diff -urNp linux-2.6.33/drivers/staging/go7007/go7007-v4l2.c linux-2.6.33/drivers/staging/go7007/go7007-v4l2.c
25871 --- linux-2.6.33/drivers/staging/go7007/go7007-v4l2.c 2010-02-24 13:52:17.000000000 -0500
25872 +++ linux-2.6.33/drivers/staging/go7007/go7007-v4l2.c 2010-03-07 12:23:36.057707663 -0500
25873 @@ -1674,7 +1674,7 @@ static int go7007_vm_fault(struct vm_are
25877 -static struct vm_operations_struct go7007_vm_ops = {
25878 +static const struct vm_operations_struct go7007_vm_ops = {
25879 .open = go7007_vm_open,
25880 .close = go7007_vm_close,
25881 .fault = go7007_vm_fault,
25882 diff -urNp linux-2.6.33/drivers/staging/hv/blkvsc_drv.c linux-2.6.33/drivers/staging/hv/blkvsc_drv.c
25883 --- linux-2.6.33/drivers/staging/hv/blkvsc_drv.c 2010-02-24 13:52:17.000000000 -0500
25884 +++ linux-2.6.33/drivers/staging/hv/blkvsc_drv.c 2010-03-07 12:23:36.057707663 -0500
25885 @@ -153,7 +153,7 @@ static int blkvsc_ringbuffer_size = BLKV
25886 /* The one and only one */
25887 static struct blkvsc_driver_context g_blkvsc_drv;
25889 -static struct block_device_operations block_ops = {
25890 +static const struct block_device_operations block_ops = {
25891 .owner = THIS_MODULE,
25892 .open = blkvsc_open,
25893 .release = blkvsc_release,
25894 diff -urNp linux-2.6.33/drivers/staging/panel/panel.c linux-2.6.33/drivers/staging/panel/panel.c
25895 --- linux-2.6.33/drivers/staging/panel/panel.c 2010-02-24 13:52:17.000000000 -0500
25896 +++ linux-2.6.33/drivers/staging/panel/panel.c 2010-03-07 12:23:36.057707663 -0500
25897 @@ -1305,7 +1305,7 @@ static int lcd_release(struct inode *ino
25901 -static struct file_operations lcd_fops = {
25902 +static const struct file_operations lcd_fops = {
25903 .write = lcd_write,
25905 .release = lcd_release,
25906 @@ -1565,7 +1565,7 @@ static int keypad_release(struct inode *
25910 -static struct file_operations keypad_fops = {
25911 +static const struct file_operations keypad_fops = {
25912 .read = keypad_read, /* read */
25913 .open = keypad_open, /* open */
25914 .release = keypad_release, /* close */
25915 diff -urNp linux-2.6.33/drivers/staging/phison/phison.c linux-2.6.33/drivers/staging/phison/phison.c
25916 --- linux-2.6.33/drivers/staging/phison/phison.c 2010-02-24 13:52:17.000000000 -0500
25917 +++ linux-2.6.33/drivers/staging/phison/phison.c 2010-03-07 12:23:36.057707663 -0500
25918 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
25919 ATA_BMDMA_SHT(DRV_NAME),
25922 -static struct ata_port_operations phison_ops = {
25923 +static const struct ata_port_operations phison_ops = {
25924 .inherits = &ata_bmdma_port_ops,
25925 .prereset = phison_pre_reset,
25927 diff -urNp linux-2.6.33/drivers/staging/poch/poch.c linux-2.6.33/drivers/staging/poch/poch.c
25928 --- linux-2.6.33/drivers/staging/poch/poch.c 2010-02-24 13:52:17.000000000 -0500
25929 +++ linux-2.6.33/drivers/staging/poch/poch.c 2010-03-07 12:23:36.057707663 -0500
25930 @@ -1032,7 +1032,7 @@ static int poch_ioctl(struct inode *inod
25934 -static struct file_operations poch_fops = {
25935 +static const struct file_operations poch_fops = {
25936 .owner = THIS_MODULE,
25938 .release = poch_release,
25939 diff -urNp linux-2.6.33/drivers/staging/pohmelfs/inode.c linux-2.6.33/drivers/staging/pohmelfs/inode.c
25940 --- linux-2.6.33/drivers/staging/pohmelfs/inode.c 2010-02-24 13:52:17.000000000 -0500
25941 +++ linux-2.6.33/drivers/staging/pohmelfs/inode.c 2010-03-07 12:23:36.057707663 -0500
25942 @@ -1840,7 +1840,7 @@ static int pohmelfs_fill_super(struct su
25943 mutex_init(&psb->mcache_lock);
25944 psb->mcache_root = RB_ROOT;
25945 psb->mcache_timeout = msecs_to_jiffies(5000);
25946 - atomic_long_set(&psb->mcache_gen, 0);
25947 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
25949 psb->trans_max_pages = 100;
25951 diff -urNp linux-2.6.33/drivers/staging/pohmelfs/mcache.c linux-2.6.33/drivers/staging/pohmelfs/mcache.c
25952 --- linux-2.6.33/drivers/staging/pohmelfs/mcache.c 2010-02-24 13:52:17.000000000 -0500
25953 +++ linux-2.6.33/drivers/staging/pohmelfs/mcache.c 2010-03-07 12:23:36.057707663 -0500
25954 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
25958 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
25959 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
25961 mutex_lock(&psb->mcache_lock);
25962 err = pohmelfs_mcache_insert(psb, m);
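Review bot: `mcache_gen` does not look like a statistics counter, yet this hunk moves it to the unchecked API without a stated reason. The value returned by `atomic_long_inc_return_unchecked()` is stored in `m->gen`, and `m` is then passed to `pohmelfs_mcache_insert()`, so it appears to serve as an identifier. With the unchecked variant a wrap would go unnoticed and could hand out a generation value that is still in use, most plausibly where `long` is 32 bits. A comment should say why wrapping is tolerated, for instance `/* generation id, not a refcount: wrap is acceptable because <reason> */`. The rest of the function is outside the hunk, so how `gen` is used for lookup cannot be confirmed from here.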
25963 diff -urNp linux-2.6.33/drivers/staging/pohmelfs/netfs.h linux-2.6.33/drivers/staging/pohmelfs/netfs.h
25964 --- linux-2.6.33/drivers/staging/pohmelfs/netfs.h 2010-02-24 13:52:17.000000000 -0500
25965 +++ linux-2.6.33/drivers/staging/pohmelfs/netfs.h 2010-03-07 12:23:36.057707663 -0500
25966 @@ -570,7 +570,7 @@ struct pohmelfs_config;
25967 struct pohmelfs_sb {
25968 struct rb_root mcache_root;
25969 struct mutex mcache_lock;
25970 - atomic_long_t mcache_gen;
25971 + atomic_long_unchecked_t mcache_gen;
25972 unsigned long mcache_timeout;
25975 diff -urNp linux-2.6.33/drivers/staging/ramzswap/ramzswap_drv.c linux-2.6.33/drivers/staging/ramzswap/ramzswap_drv.c
25976 --- linux-2.6.33/drivers/staging/ramzswap/ramzswap_drv.c 2010-02-24 13:52:17.000000000 -0500
25977 +++ linux-2.6.33/drivers/staging/ramzswap/ramzswap_drv.c 2010-03-07 12:23:36.057707663 -0500
25978 @@ -1288,7 +1288,7 @@ out:
25982 -static struct block_device_operations ramzswap_devops = {
25983 +static const struct block_device_operations ramzswap_devops = {
25984 .ioctl = ramzswap_ioctl,
25985 .owner = THIS_MODULE,
25987 diff -urNp linux-2.6.33/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.33/drivers/staging/rtl8192u/ieee80211/proc.c
25988 --- linux-2.6.33/drivers/staging/rtl8192u/ieee80211/proc.c 2010-02-24 13:52:17.000000000 -0500
25989 +++ linux-2.6.33/drivers/staging/rtl8192u/ieee80211/proc.c 2010-03-07 12:23:36.057707663 -0500
25990 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
25991 return seq_open(file, &crypto_seq_ops);
25994 -static struct file_operations proc_crypto_ops = {
25995 +static const struct file_operations proc_crypto_ops = {
25996 .open = crypto_info_open,
25998 .llseek = seq_lseek,
25999 diff -urNp linux-2.6.33/drivers/staging/samsung-laptop/samsung-laptop.c linux-2.6.33/drivers/staging/samsung-laptop/samsung-laptop.c
26000 --- linux-2.6.33/drivers/staging/samsung-laptop/samsung-laptop.c 2010-02-24 13:52:17.000000000 -0500
26001 +++ linux-2.6.33/drivers/staging/samsung-laptop/samsung-laptop.c 2010-03-07 12:23:36.057707663 -0500
26002 @@ -268,7 +268,7 @@ static int update_status(struct backligh
26006 -static struct backlight_ops backlight_ops = {
26007 +static const struct backlight_ops backlight_ops = {
26008 .get_brightness = get_brightness,
26009 .update_status = update_status,
26011 diff -urNp linux-2.6.33/drivers/staging/sep/sep_driver.c linux-2.6.33/drivers/staging/sep/sep_driver.c
26012 --- linux-2.6.33/drivers/staging/sep/sep_driver.c 2010-02-24 13:52:17.000000000 -0500
26013 +++ linux-2.6.33/drivers/staging/sep/sep_driver.c 2010-03-07 12:23:36.061712127 -0500
26014 @@ -2605,7 +2605,7 @@ static struct pci_driver sep_pci_driver
26015 static dev_t sep_devno;
26017 /* the files operations structure of the driver */
26018 -static struct file_operations sep_file_operations = {
26019 +static const struct file_operations sep_file_operations = {
26020 .owner = THIS_MODULE,
26021 .ioctl = sep_ioctl,
26023 diff -urNp linux-2.6.33/drivers/staging/vme/devices/vme_user.c linux-2.6.33/drivers/staging/vme/devices/vme_user.c
26024 --- linux-2.6.33/drivers/staging/vme/devices/vme_user.c 2010-02-24 13:52:17.000000000 -0500
26025 +++ linux-2.6.33/drivers/staging/vme/devices/vme_user.c 2010-03-07 12:23:36.061712127 -0500
26026 @@ -135,7 +135,7 @@ static int vme_user_ioctl(struct inode *
26027 static int __init vme_user_probe(struct device *, int, int);
26028 static int __exit vme_user_remove(struct device *, int, int);
26030 -static struct file_operations vme_user_fops = {
26031 +static const struct file_operations vme_user_fops = {
26032 .open = vme_user_open,
26033 .release = vme_user_release,
26034 .read = vme_user_read,
26035 diff -urNp linux-2.6.33/drivers/uio/uio.c linux-2.6.33/drivers/uio/uio.c
26036 --- linux-2.6.33/drivers/uio/uio.c 2010-02-24 13:52:17.000000000 -0500
26037 +++ linux-2.6.33/drivers/uio/uio.c 2010-03-07 12:23:36.061712127 -0500
26038 @@ -129,7 +129,7 @@ static ssize_t map_type_show(struct kobj
26039 return entry->show(mem, buf);
26042 -static struct sysfs_ops map_sysfs_ops = {
26043 +static const struct sysfs_ops map_sysfs_ops = {
26044 .show = map_type_show,
26047 @@ -217,7 +217,7 @@ static ssize_t portio_type_show(struct k
26048 return entry->show(port, buf);
26051 -static struct sysfs_ops portio_sysfs_ops = {
26052 +static const struct sysfs_ops portio_sysfs_ops = {
26053 .show = portio_type_show,
26056 diff -urNp linux-2.6.33/drivers/usb/atm/usbatm.c linux-2.6.33/drivers/usb/atm/usbatm.c
26057 --- linux-2.6.33/drivers/usb/atm/usbatm.c 2010-02-24 13:52:17.000000000 -0500
26058 +++ linux-2.6.33/drivers/usb/atm/usbatm.c 2010-03-07 12:23:36.061712127 -0500
26059 @@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(stru
26060 if (printk_ratelimit())
26061 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
26062 __func__, vpi, vci);
26063 - atomic_inc(&vcc->stats->rx_err);
26064 + atomic_inc_unchecked(&vcc->stats->rx_err);
26068 @@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(stru
26069 if (length > ATM_MAX_AAL5_PDU) {
26070 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
26071 __func__, length, vcc);
26072 - atomic_inc(&vcc->stats->rx_err);
26073 + atomic_inc_unchecked(&vcc->stats->rx_err);
26077 @@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(stru
26078 if (sarb->len < pdu_length) {
26079 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
26080 __func__, pdu_length, sarb->len, vcc);
26081 - atomic_inc(&vcc->stats->rx_err);
26082 + atomic_inc_unchecked(&vcc->stats->rx_err);
26086 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
26087 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
26089 - atomic_inc(&vcc->stats->rx_err);
26090 + atomic_inc_unchecked(&vcc->stats->rx_err);
26094 @@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(stru
26095 if (printk_ratelimit())
26096 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
26098 - atomic_inc(&vcc->stats->rx_drop);
26099 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26103 @@ -412,7 +412,7 @@ static void usbatm_extract_one_cell(stru
26105 vcc->push(vcc, skb);
26107 - atomic_inc(&vcc->stats->rx);
26108 + atomic_inc_unchecked(&vcc->stats->rx);
26112 @@ -616,7 +616,7 @@ static void usbatm_tx_process(unsigned l
26113 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
26115 usbatm_pop(vcc, skb);
26116 - atomic_inc(&vcc->stats->tx);
26117 + atomic_inc_unchecked(&vcc->stats->tx);
26119 skb = skb_dequeue(&instance->sndqueue);
26121 @@ -775,11 +775,11 @@ static int usbatm_atm_proc_read(struct a
26123 return sprintf(page,
26124 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
26125 - atomic_read(&atm_dev->stats.aal5.tx),
26126 - atomic_read(&atm_dev->stats.aal5.tx_err),
26127 - atomic_read(&atm_dev->stats.aal5.rx),
26128 - atomic_read(&atm_dev->stats.aal5.rx_err),
26129 - atomic_read(&atm_dev->stats.aal5.rx_drop));
26130 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
26131 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
26132 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
26133 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
26134 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
26137 if (instance->disconnected)
26138 diff -urNp linux-2.6.33/drivers/usb/class/cdc-acm.c linux-2.6.33/drivers/usb/class/cdc-acm.c
26139 --- linux-2.6.33/drivers/usb/class/cdc-acm.c 2010-02-24 13:52:17.000000000 -0500
26140 +++ linux-2.6.33/drivers/usb/class/cdc-acm.c 2010-03-07 12:23:36.061712127 -0500
26141 @@ -1590,7 +1590,7 @@ static struct usb_device_id acm_ids[] =
26142 { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
26143 USB_CDC_ACM_PROTO_AT_CDMA) },
26146 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
26149 MODULE_DEVICE_TABLE(usb, acm_ids);
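Review bot: The terminator `{ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }` added to `acm_ids[]` hard-codes the number of members of `struct usb_device_id`, so it has to be recounted whenever that struct gains or loses a field. The same pattern is used for `usblp_ids`, `hub_id_table`, `usb_storage_usb_ids`, `us_unusual_dev_list` and the PCI tables in ehci-pci.c, uhci-hcd.c and i810_main.c. A designated form such as `{ .match_flags = 0 } /* Terminating entry */` states the intent without counting fields, presumably while still avoiding the missing-initializer warning the change seems aimed at. The new line here also lacks the `/* Terminating entry */` comment that the usblp.c and hub.c hunks keep.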
26150 diff -urNp linux-2.6.33/drivers/usb/class/usblp.c linux-2.6.33/drivers/usb/class/usblp.c
26151 --- linux-2.6.33/drivers/usb/class/usblp.c 2010-02-24 13:52:17.000000000 -0500
26152 +++ linux-2.6.33/drivers/usb/class/usblp.c 2010-03-07 12:23:36.061712127 -0500
26153 @@ -228,7 +228,7 @@ static const struct quirk_printer_struct
26154 { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@zut.de> */
26155 { 0x04f9, 0x000d, USBLP_QUIRK_BIDIR }, /* Brother Industries, Ltd HL-1440 Laser Printer */
26156 { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
26161 static int usblp_wwait(struct usblp *usblp, int nonblock);
26162 @@ -1412,7 +1412,7 @@ static struct usb_device_id usblp_ids []
26163 { USB_INTERFACE_INFO(7, 1, 2) },
26164 { USB_INTERFACE_INFO(7, 1, 3) },
26165 { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
26166 - { } /* Terminating entry */
26167 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
26170 MODULE_DEVICE_TABLE (usb, usblp_ids);
26171 diff -urNp linux-2.6.33/drivers/usb/core/hcd.c linux-2.6.33/drivers/usb/core/hcd.c
26172 --- linux-2.6.33/drivers/usb/core/hcd.c 2010-02-24 13:52:17.000000000 -0500
26173 +++ linux-2.6.33/drivers/usb/core/hcd.c 2010-03-07 12:23:36.061712127 -0500
26174 @@ -2266,7 +2266,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
26176 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
26178 -struct usb_mon_operations *mon_ops;
26179 +const struct usb_mon_operations *mon_ops;
26182 * The registration is unlocked.
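Review bot: `const struct usb_mon_operations *mon_ops;` makes the operations table read-only but leaves the global pointer itself writable, and hcd.h calls through it (`(*mon_ops->urb_complete)(bus, urb, status);`), so the indirect-call target is still selected by one writable word. That is presumably unavoidable because `usb_mon_register()` and `usb_mon_deregister()` have to set and clear it, but the comment block below the declaration should say so, for example `/* mon_ops itself stays writable; only the table it points to is const */`. The bodies of both functions are outside this hunk.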
26183 @@ -2276,7 +2276,7 @@ struct usb_mon_operations *mon_ops;
26184 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
26187 -int usb_mon_register (struct usb_mon_operations *ops)
26188 +int usb_mon_register (const struct usb_mon_operations *ops)
26192 diff -urNp linux-2.6.33/drivers/usb/core/hcd.h linux-2.6.33/drivers/usb/core/hcd.h
26193 --- linux-2.6.33/drivers/usb/core/hcd.h 2010-02-24 13:52:17.000000000 -0500
26194 +++ linux-2.6.33/drivers/usb/core/hcd.h 2010-03-07 12:23:36.061712127 -0500
26195 @@ -501,13 +501,13 @@ static inline void usbfs_cleanup(void) {
26196 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
26198 struct usb_mon_operations {
26199 - void (*urb_submit)(struct usb_bus *bus, struct urb *urb);
26200 - void (*urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
26201 - void (*urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
26202 + void (* const urb_submit)(struct usb_bus *bus, struct urb *urb);
26203 + void (* const urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
26204 + void (* const urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
26205 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
26208 -extern struct usb_mon_operations *mon_ops;
26209 +extern const struct usb_mon_operations *mon_ops;
26211 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
26213 @@ -529,7 +529,7 @@ static inline void usbmon_urb_complete(s
26214 (*mon_ops->urb_complete)(bus, urb, status);
26217 -int usb_mon_register(struct usb_mon_operations *ops);
26218 +int usb_mon_register(const struct usb_mon_operations *ops);
26219 void usb_mon_deregister(void);
26222 diff -urNp linux-2.6.33/drivers/usb/core/hub.c linux-2.6.33/drivers/usb/core/hub.c
26223 --- linux-2.6.33/drivers/usb/core/hub.c 2010-02-24 13:52:17.000000000 -0500
26224 +++ linux-2.6.33/drivers/usb/core/hub.c 2010-03-07 12:23:36.061712127 -0500
26225 @@ -3450,7 +3450,7 @@ static struct usb_device_id hub_id_table
26226 .bDeviceClass = USB_CLASS_HUB},
26227 { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
26228 .bInterfaceClass = USB_CLASS_HUB},
26229 - { } /* Terminating entry */
26230 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
26233 MODULE_DEVICE_TABLE (usb, hub_id_table);
26234 diff -urNp linux-2.6.33/drivers/usb/core/message.c linux-2.6.33/drivers/usb/core/message.c
26235 --- linux-2.6.33/drivers/usb/core/message.c 2010-02-24 13:52:17.000000000 -0500
26236 +++ linux-2.6.33/drivers/usb/core/message.c 2010-03-07 12:23:36.061712127 -0500
26237 @@ -909,8 +909,8 @@ char *usb_cache_string(struct usb_device
26238 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
26240 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
26242 - smallbuf = kmalloc(++len, GFP_NOIO);
26244 + smallbuf = kmalloc(len, GFP_NOIO);
26247 memcpy(smallbuf, buf, len);
26248 diff -urNp linux-2.6.33/drivers/usb/host/ehci-pci.c linux-2.6.33/drivers/usb/host/ehci-pci.c
26249 --- linux-2.6.33/drivers/usb/host/ehci-pci.c 2010-02-24 13:52:17.000000000 -0500
26250 +++ linux-2.6.33/drivers/usb/host/ehci-pci.c 2010-03-07 12:23:36.061712127 -0500
26251 @@ -422,7 +422,7 @@ static const struct pci_device_id pci_id
26252 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
26253 .driver_data = (unsigned long) &ehci_pci_hc_driver,
26255 - { /* end: all zeroes */ }
26256 + { 0, 0, 0, 0, 0, 0, 0 }
26258 MODULE_DEVICE_TABLE(pci, pci_ids);
26260 diff -urNp linux-2.6.33/drivers/usb/host/uhci-hcd.c linux-2.6.33/drivers/usb/host/uhci-hcd.c
26261 --- linux-2.6.33/drivers/usb/host/uhci-hcd.c 2010-02-24 13:52:17.000000000 -0500
26262 +++ linux-2.6.33/drivers/usb/host/uhci-hcd.c 2010-03-07 12:23:36.061712127 -0500
26263 @@ -940,7 +940,7 @@ static const struct pci_device_id uhci_p
26264 /* handle any USB UHCI controller */
26265 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
26266 .driver_data = (unsigned long) &uhci_driver,
26267 - }, { /* end: all zeroes */ }
26268 + }, { 0, 0, 0, 0, 0, 0, 0 }
26271 MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
26272 diff -urNp linux-2.6.33/drivers/usb/misc/appledisplay.c linux-2.6.33/drivers/usb/misc/appledisplay.c
26273 --- linux-2.6.33/drivers/usb/misc/appledisplay.c 2010-02-24 13:52:17.000000000 -0500
26274 +++ linux-2.6.33/drivers/usb/misc/appledisplay.c 2010-03-07 12:23:36.065707381 -0500
26275 @@ -179,7 +179,7 @@ static int appledisplay_bl_get_brightnes
26276 return pdata->msgdata[1];
26279 -static struct backlight_ops appledisplay_bl_data = {
26280 +static const struct backlight_ops appledisplay_bl_data = {
26281 .get_brightness = appledisplay_bl_get_brightness,
26282 .update_status = appledisplay_bl_update_status,
26284 diff -urNp linux-2.6.33/drivers/usb/mon/mon_main.c linux-2.6.33/drivers/usb/mon/mon_main.c
26285 --- linux-2.6.33/drivers/usb/mon/mon_main.c 2010-02-24 13:52:17.000000000 -0500
26286 +++ linux-2.6.33/drivers/usb/mon/mon_main.c 2010-03-07 12:23:36.065707381 -0500
26287 @@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
26291 -static struct usb_mon_operations mon_ops_0 = {
26292 +static const struct usb_mon_operations mon_ops_0 = {
26293 .urb_submit = mon_submit,
26294 .urb_submit_error = mon_submit_error,
26295 .urb_complete = mon_complete,
26296 diff -urNp linux-2.6.33/drivers/usb/storage/debug.h linux-2.6.33/drivers/usb/storage/debug.h
26297 --- linux-2.6.33/drivers/usb/storage/debug.h 2010-02-24 13:52:17.000000000 -0500
26298 +++ linux-2.6.33/drivers/usb/storage/debug.h 2010-03-07 12:23:36.065707381 -0500
26299 @@ -54,9 +54,9 @@ void usb_stor_show_sense( unsigned char
26300 #define US_DEBUGPX(x...) printk( x )
26301 #define US_DEBUG(x) x
26303 -#define US_DEBUGP(x...)
26304 -#define US_DEBUGPX(x...)
26305 -#define US_DEBUG(x)
26306 +#define US_DEBUGP(x...) do {} while (0)
26307 +#define US_DEBUGPX(x...) do {} while (0)
26308 +#define US_DEBUG(x) do {} while (0)
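Review bot: The disabled macros now expand to `do {} while (0)` but still discard their arguments, so format strings and arguments passed to `US_DEBUGP`/`US_DEBUGPX` are never compiled in non-debug builds and mismatches only surface once debugging is switched on. Keeping the call behind a dead branch lets the compiler check it at no runtime cost: `#define US_DEBUGP(x...) do { if (0) printk(x); } while (0)`, and likewise for `US_DEBUGPX`. `US_DEBUG(x)` as a statement-only expansion also assumes no caller uses it in expression context, which cannot be confirmed from this hunk. The `DPRINTK` change in drivers/video/fbmon.c has the same shape.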
26312 diff -urNp linux-2.6.33/drivers/usb/storage/usb.c linux-2.6.33/drivers/usb/storage/usb.c
26313 --- linux-2.6.33/drivers/usb/storage/usb.c 2010-02-24 13:52:17.000000000 -0500
26314 +++ linux-2.6.33/drivers/usb/storage/usb.c 2010-03-07 12:23:36.065707381 -0500
26315 @@ -122,7 +122,7 @@ MODULE_PARM_DESC(quirks, "supplemental l
26317 static struct us_unusual_dev us_unusual_dev_list[] = {
26318 # include "unusual_devs.h"
26319 - { } /* Terminating entry */
26320 + { NULL, NULL, 0, 0, NULL } /* Terminating entry */
26324 diff -urNp linux-2.6.33/drivers/usb/storage/usual-tables.c linux-2.6.33/drivers/usb/storage/usual-tables.c
26325 --- linux-2.6.33/drivers/usb/storage/usual-tables.c 2010-02-24 13:52:17.000000000 -0500
26326 +++ linux-2.6.33/drivers/usb/storage/usual-tables.c 2010-03-07 12:23:36.065707381 -0500
26329 struct usb_device_id usb_storage_usb_ids[] = {
26330 # include "unusual_devs.h"
26331 - { } /* Terminating entry */
26332 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
26334 EXPORT_SYMBOL_GPL(usb_storage_usb_ids);
26336 diff -urNp linux-2.6.33/drivers/uwb/wlp/messages.c linux-2.6.33/drivers/uwb/wlp/messages.c
26337 --- linux-2.6.33/drivers/uwb/wlp/messages.c 2010-02-24 13:52:17.000000000 -0500
26338 +++ linux-2.6.33/drivers/uwb/wlp/messages.c 2010-03-07 12:23:36.065707381 -0500
26339 @@ -903,7 +903,7 @@ int wlp_parse_f0(struct wlp *wlp, struct
26340 size_t len = skb->len;
26343 - struct wlp_nonce enonce, rnonce;
26344 + struct wlp_nonce enonce = {{0}}, rnonce = {{0}};
26345 enum wlp_assc_error assc_err;
26346 char enonce_buf[WLP_WSS_NONCE_STRSIZE];
26347 char rnonce_buf[WLP_WSS_NONCE_STRSIZE];
26348 diff -urNp linux-2.6.33/drivers/uwb/wlp/sysfs.c linux-2.6.33/drivers/uwb/wlp/sysfs.c
26349 --- linux-2.6.33/drivers/uwb/wlp/sysfs.c 2010-02-24 13:52:17.000000000 -0500
26350 +++ linux-2.6.33/drivers/uwb/wlp/sysfs.c 2010-03-07 12:23:36.065707381 -0500
26351 @@ -615,8 +615,7 @@ ssize_t wlp_wss_attr_store(struct kobjec
26356 -struct sysfs_ops wss_sysfs_ops = {
26357 +static const struct sysfs_ops wss_sysfs_ops = {
26358 .show = wlp_wss_attr_show,
26359 .store = wlp_wss_attr_store,
26361 diff -urNp linux-2.6.33/drivers/video/atmel_lcdfb.c linux-2.6.33/drivers/video/atmel_lcdfb.c
26362 --- linux-2.6.33/drivers/video/atmel_lcdfb.c 2010-02-24 13:52:17.000000000 -0500
26363 +++ linux-2.6.33/drivers/video/atmel_lcdfb.c 2010-03-07 12:23:36.065707381 -0500
26364 @@ -110,7 +110,7 @@ static int atmel_bl_get_brightness(struc
26365 return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
26368 -static struct backlight_ops atmel_lcdc_bl_ops = {
26369 +static const struct backlight_ops atmel_lcdc_bl_ops = {
26370 .update_status = atmel_bl_update_status,
26371 .get_brightness = atmel_bl_get_brightness,
26373 diff -urNp linux-2.6.33/drivers/video/aty/aty128fb.c linux-2.6.33/drivers/video/aty/aty128fb.c
26374 --- linux-2.6.33/drivers/video/aty/aty128fb.c 2010-02-24 13:52:17.000000000 -0500
26375 +++ linux-2.6.33/drivers/video/aty/aty128fb.c 2010-03-07 12:23:36.065707381 -0500
26376 @@ -1787,7 +1787,7 @@ static int aty128_bl_get_brightness(stru
26377 return bd->props.brightness;
26380 -static struct backlight_ops aty128_bl_data = {
26381 +static const struct backlight_ops aty128_bl_data = {
26382 .get_brightness = aty128_bl_get_brightness,
26383 .update_status = aty128_bl_update_status,
26385 diff -urNp linux-2.6.33/drivers/video/aty/atyfb_base.c linux-2.6.33/drivers/video/aty/atyfb_base.c
26386 --- linux-2.6.33/drivers/video/aty/atyfb_base.c 2010-02-24 13:52:17.000000000 -0500
26387 +++ linux-2.6.33/drivers/video/aty/atyfb_base.c 2010-03-07 12:23:36.065707381 -0500
26388 @@ -2225,7 +2225,7 @@ static int aty_bl_get_brightness(struct
26389 return bd->props.brightness;
26392 -static struct backlight_ops aty_bl_data = {
26393 +static const struct backlight_ops aty_bl_data = {
26394 .get_brightness = aty_bl_get_brightness,
26395 .update_status = aty_bl_update_status,
26397 diff -urNp linux-2.6.33/drivers/video/aty/radeon_backlight.c linux-2.6.33/drivers/video/aty/radeon_backlight.c
26398 --- linux-2.6.33/drivers/video/aty/radeon_backlight.c 2010-02-24 13:52:17.000000000 -0500
26399 +++ linux-2.6.33/drivers/video/aty/radeon_backlight.c 2010-03-07 12:23:36.065707381 -0500
26400 @@ -127,7 +127,7 @@ static int radeon_bl_get_brightness(stru
26401 return bd->props.brightness;
26404 -static struct backlight_ops radeon_bl_data = {
26405 +static const struct backlight_ops radeon_bl_data = {
26406 .get_brightness = radeon_bl_get_brightness,
26407 .update_status = radeon_bl_update_status,
26409 diff -urNp linux-2.6.33/drivers/video/bf54x-lq043fb.c linux-2.6.33/drivers/video/bf54x-lq043fb.c
26410 --- linux-2.6.33/drivers/video/bf54x-lq043fb.c 2010-02-24 13:52:17.000000000 -0500
26411 +++ linux-2.6.33/drivers/video/bf54x-lq043fb.c 2010-03-07 12:23:36.065707381 -0500
26412 @@ -463,7 +463,7 @@ static int bl_get_brightness(struct back
26416 -static struct backlight_ops bfin_lq043fb_bl_ops = {
26417 +static const struct backlight_ops bfin_lq043fb_bl_ops = {
26418 .get_brightness = bl_get_brightness,
26421 diff -urNp linux-2.6.33/drivers/video/bfin-t350mcqb-fb.c linux-2.6.33/drivers/video/bfin-t350mcqb-fb.c
26422 --- linux-2.6.33/drivers/video/bfin-t350mcqb-fb.c 2010-02-24 13:52:17.000000000 -0500
26423 +++ linux-2.6.33/drivers/video/bfin-t350mcqb-fb.c 2010-03-07 12:23:36.065707381 -0500
26424 @@ -381,7 +381,7 @@ static int bl_get_brightness(struct back
26428 -static struct backlight_ops bfin_lq043fb_bl_ops = {
26429 +static const struct backlight_ops bfin_lq043fb_bl_ops = {
26430 .get_brightness = bl_get_brightness,
26433 diff -urNp linux-2.6.33/drivers/video/fbmem.c linux-2.6.33/drivers/video/fbmem.c
26434 --- linux-2.6.33/drivers/video/fbmem.c 2010-02-24 13:52:17.000000000 -0500
26435 +++ linux-2.6.33/drivers/video/fbmem.c 2010-03-07 12:23:36.065707381 -0500
26436 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
26437 image->dx += image->width + 8;
26439 } else if (rotate == FB_ROTATE_UD) {
26440 - for (x = 0; x < num && image->dx >= 0; x++) {
26441 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
26442 info->fbops->fb_imageblit(info, image);
26443 image->dx -= image->width + 8;
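Review bot: The loop condition `(__s32)image->dx >= 0` only terminates because `image->dx -= image->width + 8` on the last line wraps an apparently unsigned field past zero and the cast then reads the wrapped value as negative; nothing in the code says so. A comment such as `/* dx is unsigned: the cast detects the wrap from the subtraction below */` would make this explicit. Alternatively the loop could test `image->dx < image->width + 8` and break before subtracting, so that no wrapped coordinate is ever stored. The `FB_ROTATE_CCW` hunk that follows does the same with `image->dy`. `fb_do_show_logo` starts and ends outside the hunk.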
26445 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
26446 image->dy += image->height + 8;
26448 } else if (rotate == FB_ROTATE_CCW) {
26449 - for (x = 0; x < num && image->dy >= 0; x++) {
26450 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
26451 info->fbops->fb_imageblit(info, image);
26452 image->dy -= image->height + 8;
26454 @@ -1119,7 +1119,7 @@ static long do_fb_ioctl(struct fb_info *
26456 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
26458 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
26459 + if (con2fb.framebuffer >= FB_MAX)
26461 if (!registered_fb[con2fb.framebuffer])
26462 request_module("fb%d", con2fb.framebuffer);
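Review bot: With `con2fb.framebuffer < 0` removed, the lower bound on the index used in `registered_fb[con2fb.framebuffer]` rests entirely on the field being unsigned, which this hunk does not show. Since the value presumably comes from the ioctl caller, the assumption deserves a comment at the check, e.g. `/* framebuffer is unsigned, so >= FB_MAX also rejects negative input */`. `request_module("fb%d", con2fb.framebuffer)` then prints that field with `%d`; `%u` would match an unsigned field. `do_fb_ioctl` continues outside the hunk.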
26463 diff -urNp linux-2.6.33/drivers/video/fbmon.c linux-2.6.33/drivers/video/fbmon.c
26464 --- linux-2.6.33/drivers/video/fbmon.c 2010-02-24 13:52:17.000000000 -0500
26465 +++ linux-2.6.33/drivers/video/fbmon.c 2010-03-07 12:23:36.065707381 -0500
26468 #define DPRINTK(fmt, args...) printk(fmt,## args)
26470 -#define DPRINTK(fmt, args...)
26471 +#define DPRINTK(fmt, args...) do {} while (0)
26474 #define FBMON_FIX_HEADER 1
26475 diff -urNp linux-2.6.33/drivers/video/i810/i810_accel.c linux-2.6.33/drivers/video/i810/i810_accel.c
26476 --- linux-2.6.33/drivers/video/i810/i810_accel.c 2010-02-24 13:52:17.000000000 -0500
26477 +++ linux-2.6.33/drivers/video/i810/i810_accel.c 2010-03-07 12:23:36.065707381 -0500
26478 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
26481 printk("ringbuffer lockup!!!\n");
26482 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
26483 i810_report_error(mmio);
26484 par->dev_flags |= LOCKUP;
26485 info->pixmap.scan_align = 1;
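Review bot: The added `printk("head:%u tail:%u iring.size:%u space:%u\n", ...)` has no log level and no driver prefix, so it is logged at the default level and cannot be tied to i810fb once it is separated from the "ringbuffer lockup!!!" message above it. Suggest `printk(KERN_ERR "i810fb: head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);`. The declarations of `head`, `tail` and `space` are outside the hunk, so it is worth confirming that all four arguments have an unsigned int type to match `%u`.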
26486 diff -urNp linux-2.6.33/drivers/video/i810/i810_main.c linux-2.6.33/drivers/video/i810/i810_main.c
26487 --- linux-2.6.33/drivers/video/i810/i810_main.c 2010-02-24 13:52:17.000000000 -0500
26488 +++ linux-2.6.33/drivers/video/i810/i810_main.c 2010-03-07 12:23:36.069651738 -0500
26489 @@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
26490 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
26491 { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
26492 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
26494 + { 0, 0, 0, 0, 0, 0, 0 },
26497 static struct pci_driver i810fb_driver = {
26498 diff -urNp linux-2.6.33/drivers/video/modedb.c linux-2.6.33/drivers/video/modedb.c
26499 --- linux-2.6.33/drivers/video/modedb.c 2010-02-24 13:52:17.000000000 -0500
26500 +++ linux-2.6.33/drivers/video/modedb.c 2010-03-07 12:23:36.069651738 -0500
26501 @@ -39,240 +39,240 @@ static const struct fb_videomode modedb[
26503 /* 640x400 @ 70 Hz, 31.5 kHz hsync */
26504 NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
26505 - 0, FB_VMODE_NONINTERLACED
26506 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26508 /* 640x480 @ 60 Hz, 31.5 kHz hsync */
26509 NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
26510 - 0, FB_VMODE_NONINTERLACED
26511 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26513 /* 800x600 @ 56 Hz, 35.15 kHz hsync */
26514 NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
26515 - 0, FB_VMODE_NONINTERLACED
26516 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26518 /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
26519 NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
26520 - 0, FB_VMODE_INTERLACED
26521 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
26523 /* 640x400 @ 85 Hz, 37.86 kHz hsync */
26524 NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
26525 - FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26526 + FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26528 /* 640x480 @ 72 Hz, 36.5 kHz hsync */
26529 NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
26530 - 0, FB_VMODE_NONINTERLACED
26531 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26533 /* 640x480 @ 75 Hz, 37.50 kHz hsync */
26534 NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
26535 - 0, FB_VMODE_NONINTERLACED
26536 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26538 /* 800x600 @ 60 Hz, 37.8 kHz hsync */
26539 NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
26540 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26541 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26543 /* 640x480 @ 85 Hz, 43.27 kHz hsync */
26544 NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
26545 - 0, FB_VMODE_NONINTERLACED
26546 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26548 /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
26549 NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
26550 - 0, FB_VMODE_INTERLACED
26551 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
26553 /* 800x600 @ 72 Hz, 48.0 kHz hsync */
26554 NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
26555 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26556 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26558 /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
26559 NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
26560 - 0, FB_VMODE_NONINTERLACED
26561 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26563 /* 640x480 @ 100 Hz, 53.01 kHz hsync */
26564 NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
26565 - 0, FB_VMODE_NONINTERLACED
26566 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26568 /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
26569 NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
26570 - 0, FB_VMODE_NONINTERLACED
26571 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26573 /* 800x600 @ 85 Hz, 55.84 kHz hsync */
26574 NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
26575 - 0, FB_VMODE_NONINTERLACED
26576 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26578 /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
26579 NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
26580 - 0, FB_VMODE_NONINTERLACED
26581 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26583 /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
26584 NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
26585 - 0, FB_VMODE_INTERLACED
26586 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
26588 /* 800x600 @ 100 Hz, 64.02 kHz hsync */
26589 NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
26590 - 0, FB_VMODE_NONINTERLACED
26591 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26593 /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
26594 NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
26595 - 0, FB_VMODE_NONINTERLACED
26596 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26598 /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
26599 NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
26600 - 0, FB_VMODE_NONINTERLACED
26601 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26603 /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
26604 NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
26605 - 0, FB_VMODE_NONINTERLACED
26606 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26608 /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
26609 NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
26610 - 0, FB_VMODE_NONINTERLACED
26611 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26613 /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
26614 NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
26615 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26616 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26618 /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
26619 NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
26620 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26621 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26623 /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
26624 NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
26625 - 0, FB_VMODE_NONINTERLACED
26626 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26628 /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
26629 NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
26630 - 0, FB_VMODE_NONINTERLACED
26631 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26633 /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
26634 NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
26635 - 0, FB_VMODE_NONINTERLACED
26636 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26638 /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
26639 NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
26640 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26641 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26643 /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
26644 NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
26645 - 0, FB_VMODE_NONINTERLACED
26646 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26648 /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
26649 NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
26650 - 0, FB_VMODE_NONINTERLACED
26651 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26653 /* 1024x768 @ 100Hz, 80.21 kHz hsync */
26654 NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
26655 - 0, FB_VMODE_NONINTERLACED
26656 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26658 /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
26659 NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
26660 - 0, FB_VMODE_NONINTERLACED
26661 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26663 /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
26664 NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
26665 - 0, FB_VMODE_NONINTERLACED
26666 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26668 /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
26669 NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
26670 - 0, FB_VMODE_NONINTERLACED
26671 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26673 /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
26674 NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
26675 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26676 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26678 /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
26679 NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
26680 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26681 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26683 /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
26684 NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
26685 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26686 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26688 /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
26689 NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
26690 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26691 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26693 /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
26694 NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
26695 - 0, FB_VMODE_NONINTERLACED
26696 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26698 /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
26699 NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
26700 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26701 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26703 /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
26704 NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
26705 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26706 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26708 /* 512x384 @ 78 Hz, 31.50 kHz hsync */
26709 NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
26710 - 0, FB_VMODE_NONINTERLACED
26711 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26713 /* 512x384 @ 85 Hz, 34.38 kHz hsync */
26714 NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
26715 - 0, FB_VMODE_NONINTERLACED
26716 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26718 /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
26719 NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
26720 - 0, FB_VMODE_DOUBLE
26721 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26723 /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
26724 NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
26725 - 0, FB_VMODE_DOUBLE
26726 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26728 /* 320x240 @ 72 Hz, 36.5 kHz hsync */
26729 NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
26730 - 0, FB_VMODE_DOUBLE
26731 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26733 /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
26734 NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
26735 - 0, FB_VMODE_DOUBLE
26736 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26738 /* 400x300 @ 60 Hz, 37.8 kHz hsync */
26739 NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
26740 - 0, FB_VMODE_DOUBLE
26741 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26743 /* 400x300 @ 72 Hz, 48.0 kHz hsync */
26744 NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
26745 - 0, FB_VMODE_DOUBLE
26746 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26748 /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
26749 NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
26750 - 0, FB_VMODE_DOUBLE
26751 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26753 /* 480x300 @ 60 Hz, 37.8 kHz hsync */
26754 NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
26755 - 0, FB_VMODE_DOUBLE
26756 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26758 /* 480x300 @ 63 Hz, 39.6 kHz hsync */
26759 NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
26760 - 0, FB_VMODE_DOUBLE
26761 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26763 /* 480x300 @ 72 Hz, 48.0 kHz hsync */
26764 NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
26765 - 0, FB_VMODE_DOUBLE
26766 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26768 /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
26769 NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
26770 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
26771 - FB_VMODE_NONINTERLACED
26772 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26774 /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
26775 NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
26776 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26777 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26779 /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
26780 NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
26781 - 0, FB_VMODE_NONINTERLACED
26782 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26784 /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
26785 NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3,
26786 - 0, FB_VMODE_NONINTERLACED
26787 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26789 /* 720x576i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
26790 NULL, 50, 720, 576, 74074, 64, 16, 39, 5, 64, 5,
26791 - 0, FB_VMODE_INTERLACED
26792 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
26794 /* 800x520i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
26795 NULL, 50, 800, 520, 58823, 144, 64, 72, 28, 80, 5,
26796 - 0, FB_VMODE_INTERLACED
26797 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
26801 diff -urNp linux-2.6.33/drivers/video/nvidia/nv_backlight.c linux-2.6.33/drivers/video/nvidia/nv_backlight.c
26802 --- linux-2.6.33/drivers/video/nvidia/nv_backlight.c 2010-02-24 13:52:17.000000000 -0500
26803 +++ linux-2.6.33/drivers/video/nvidia/nv_backlight.c 2010-03-07 12:23:36.069651738 -0500
26804 @@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
26805 return bd->props.brightness;
26808 -static struct backlight_ops nvidia_bl_ops = {
26809 +static const struct backlight_ops nvidia_bl_ops = {
26810 .get_brightness = nvidia_bl_get_brightness,
26811 .update_status = nvidia_bl_update_status,
26813 diff -urNp linux-2.6.33/drivers/video/omap2/displays/panel-taal.c linux-2.6.33/drivers/video/omap2/displays/panel-taal.c
26814 --- linux-2.6.33/drivers/video/omap2/displays/panel-taal.c 2010-02-24 13:52:17.000000000 -0500
26815 +++ linux-2.6.33/drivers/video/omap2/displays/panel-taal.c 2010-03-07 12:23:36.069651738 -0500
26816 @@ -313,7 +313,7 @@ static int taal_bl_get_intensity(struct
26820 -static struct backlight_ops taal_bl_ops = {
26821 +static const struct backlight_ops taal_bl_ops = {
26822 .get_brightness = taal_bl_get_intensity,
26823 .update_status = taal_bl_update_status,
26825 diff -urNp linux-2.6.33/drivers/video/omap2/dss/manager.c linux-2.6.33/drivers/video/omap2/dss/manager.c
26826 --- linux-2.6.33/drivers/video/omap2/dss/manager.c 2010-02-24 13:52:17.000000000 -0500
26827 +++ linux-2.6.33/drivers/video/omap2/dss/manager.c 2010-03-07 12:23:36.069651738 -0500
26828 @@ -341,7 +341,7 @@ static ssize_t manager_attr_store(struct
26829 return manager_attr->store(manager, buf, size);
26832 -static struct sysfs_ops manager_sysfs_ops = {
26833 +static const struct sysfs_ops manager_sysfs_ops = {
26834 .show = manager_attr_show,
26835 .store = manager_attr_store,
26837 diff -urNp linux-2.6.33/drivers/video/omap2/dss/overlay.c linux-2.6.33/drivers/video/omap2/dss/overlay.c
26838 --- linux-2.6.33/drivers/video/omap2/dss/overlay.c 2010-02-24 13:52:17.000000000 -0500
26839 +++ linux-2.6.33/drivers/video/omap2/dss/overlay.c 2010-03-07 12:23:36.069651738 -0500
26840 @@ -320,7 +320,7 @@ static ssize_t overlay_attr_store(struct
26841 return overlay_attr->store(overlay, buf, size);
26844 -static struct sysfs_ops overlay_sysfs_ops = {
26845 +static const struct sysfs_ops overlay_sysfs_ops = {
26846 .show = overlay_attr_show,
26847 .store = overlay_attr_store,
26849 diff -urNp linux-2.6.33/drivers/video/riva/fbdev.c linux-2.6.33/drivers/video/riva/fbdev.c
26850 --- linux-2.6.33/drivers/video/riva/fbdev.c 2010-02-24 13:52:17.000000000 -0500
26851 +++ linux-2.6.33/drivers/video/riva/fbdev.c 2010-03-07 12:23:36.069651738 -0500
26852 @@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
26853 return bd->props.brightness;
26856 -static struct backlight_ops riva_bl_ops = {
26857 +static const struct backlight_ops riva_bl_ops = {
26858 .get_brightness = riva_bl_get_brightness,
26859 .update_status = riva_bl_update_status,
26861 diff -urNp linux-2.6.33/drivers/video/uvesafb.c linux-2.6.33/drivers/video/uvesafb.c
26862 --- linux-2.6.33/drivers/video/uvesafb.c 2010-02-24 13:52:17.000000000 -0500
26863 +++ linux-2.6.33/drivers/video/uvesafb.c 2010-03-07 12:23:36.069651738 -0500
26865 #include <linux/fb.h>
26866 #include <linux/io.h>
26867 #include <linux/mutex.h>
26868 +#include <linux/moduleloader.h>
26869 #include <video/edid.h>
26870 #include <video/uvesafb.h>
26872 @@ -120,7 +121,7 @@ static int uvesafb_helper_start(void)
26876 - return call_usermodehelper(v86d_path, argv, envp, 1);
26877 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
26881 @@ -568,10 +569,32 @@ static int __devinit uvesafb_vbe_getpmi(
26882 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
26883 par->pmi_setpal = par->ypan = 0;
26886 +#ifdef CONFIG_PAX_KERNEXEC
26887 +#ifdef CONFIG_MODULES
26888 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
26890 + if (!par->pmi_code) {
26891 + par->pmi_setpal = par->ypan = 0;
26896 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
26897 + task->t.regs.edi);
26899 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
26900 + pax_open_kernel();
26901 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
26902 + pax_close_kernel();
26904 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
26905 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
26907 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
26908 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
26911 printk(KERN_INFO "uvesafb: protected mode interface info at "
26913 (u16)task->t.regs.es, (u16)task->t.regs.edi);
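Review bot: The entry points are computed as `par->pmi_code + par->pmi_base[1]` and `par->pmi_code + par->pmi_base[2]` without comparing those firmware-supplied offsets with the `(u16)task->t.regs.ecx` bytes that were allocated and copied, so an offset at or past that length leaves `pmi_start` or `pmi_pal` pointing outside the executable buffer. No such check is visible in the hunk. A guard before the `ktva_ktla()` lines, `if (par->pmi_base[1] >= (u16)task->t.regs.ecx || par->pmi_base[2] >= (u16)task->t.regs.ecx)`, that releases the buffer and clears `pmi_setpal` and `ypan` would close it, and a zero length deserves the same treatment. The vesafb_probe hunk at -325,9 follows the same pattern with `screen_info.vesapm_size` and `pmi_base[1]`/`pmi_base[2]`. uvesafb_vbe_getpmi starts and ends outside the hunk.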
26914 @@ -1799,6 +1822,11 @@ out:
26915 if (par->vbe_modes)
26916 kfree(par->vbe_modes);
26918 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
26919 + if (par->pmi_code)
26920 + module_free_exec(NULL, par->pmi_code);
26923 framebuffer_release(info);
26926 @@ -1825,6 +1853,12 @@ static int uvesafb_remove(struct platfor
26927 kfree(par->vbe_state_orig);
26928 if (par->vbe_state_saved)
26929 kfree(par->vbe_state_saved);
26931 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
26932 + if (par->pmi_code)
26933 + module_free_exec(NULL, par->pmi_code);
26938 framebuffer_release(info);
26939 diff -urNp linux-2.6.33/drivers/video/vesafb.c linux-2.6.33/drivers/video/vesafb.c
26940 --- linux-2.6.33/drivers/video/vesafb.c 2010-02-24 13:52:17.000000000 -0500
26941 +++ linux-2.6.33/drivers/video/vesafb.c 2010-03-07 12:23:36.069651738 -0500
26945 #include <linux/module.h>
26946 +#include <linux/moduleloader.h>
26947 #include <linux/kernel.h>
26948 #include <linux/errno.h>
26949 #include <linux/string.h>
26950 @@ -53,8 +54,8 @@ static int vram_remap __initdata; /*
26951 static int vram_total __initdata; /* Set total amount of memory */
26952 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
26953 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
26954 -static void (*pmi_start)(void) __read_mostly;
26955 -static void (*pmi_pal) (void) __read_mostly;
26956 +static void (*pmi_start)(void) __read_only;
26957 +static void (*pmi_pal) (void) __read_only;
26958 static int depth __read_mostly;
26959 static int vga_compat __read_mostly;
26960 /* --------------------------------------------------------------------- */
26961 @@ -233,6 +234,7 @@ static int __init vesafb_probe(struct pl
26962 unsigned int size_vmode;
26963 unsigned int size_remap;
26964 unsigned int size_total;
26965 + void *pmi_code = NULL;
26967 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
26969 @@ -275,10 +277,6 @@ static int __init vesafb_probe(struct pl
26970 size_remap = size_total;
26971 vesafb_fix.smem_len = size_remap;
26974 - screen_info.vesapm_seg = 0;
26977 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
26978 printk(KERN_WARNING
26979 "vesafb: cannot reserve video memory at 0x%lx\n",
26980 @@ -315,9 +313,21 @@ static int __init vesafb_probe(struct pl
26981 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
26982 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
26986 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
26987 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
26989 +#elif !defined(CONFIG_PAX_KERNEXEC)
26994 + screen_info.vesapm_seg = 0;
26996 if (screen_info.vesapm_seg) {
26997 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
26998 - screen_info.vesapm_seg,screen_info.vesapm_off);
26999 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
27000 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
27003 if (screen_info.vesapm_seg < 0xc000)
27004 @@ -325,9 +335,25 @@ static int __init vesafb_probe(struct pl
27006 if (ypan || pmi_setpal) {
27007 unsigned short *pmi_base;
27008 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
27009 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
27010 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
27012 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
27014 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
27015 + pax_open_kernel();
27016 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
27018 + pmi_code = pmi_base;
27021 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
27022 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
27024 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
27025 + pmi_start = ktva_ktla(pmi_start);
27026 + pmi_pal = ktva_ktla(pmi_pal);
27027 + pax_close_kernel();
27030 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
27032 printk(KERN_INFO "vesafb: pmi: ports = ");
27033 @@ -469,6 +495,11 @@ static int __init vesafb_probe(struct pl
27034 info->node, info->fix.id);
27038 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
27039 + module_free_exec(NULL, pmi_code);
27042 if (info->screen_base)
27043 iounmap(info->screen_base);
27044 framebuffer_release(info);
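Review bot: The error path calls `module_free_exec(NULL, pmi_code)` unconditionally, although `pmi_code` is initialised to NULL in the -233,6 hunk and is still NULL if the probe fails before the allocation. The uvesafb hunks guard the same call with `if (par->pmi_code)`, and whether `module_free_exec()` accepts NULL is not visible on this page. I would write `if (pmi_code) module_free_exec(NULL, pmi_code);` for consistency. The free is also guarded by `__i386__`, which the visible allocation `#if` in the -315,9 hunk is not; worth checking that the two conditions match. vesafb_probe starts and ends outside the hunk.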
27045 diff -urNp linux-2.6.33/drivers/xen/sys-hypervisor.c linux-2.6.33/drivers/xen/sys-hypervisor.c
27046 --- linux-2.6.33/drivers/xen/sys-hypervisor.c 2010-02-24 13:52:17.000000000 -0500
27047 +++ linux-2.6.33/drivers/xen/sys-hypervisor.c 2010-03-07 12:23:36.069651738 -0500
27048 @@ -426,7 +426,7 @@ static ssize_t hyp_sysfs_store(struct ko
27052 -static struct sysfs_ops hyp_sysfs_ops = {
27053 +static const struct sysfs_ops hyp_sysfs_ops = {
27054 .show = hyp_sysfs_show,
27055 .store = hyp_sysfs_store,
27057 diff -urNp linux-2.6.33/fs/9p/vfs_inode.c linux-2.6.33/fs/9p/vfs_inode.c
27058 --- linux-2.6.33/fs/9p/vfs_inode.c 2010-02-24 13:52:17.000000000 -0500
27059 +++ linux-2.6.33/fs/9p/vfs_inode.c 2010-03-07 12:23:36.069651738 -0500
27060 @@ -1041,7 +1041,7 @@ static void *v9fs_vfs_follow_link(struct
27062 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
27064 - char *s = nd_get_link(nd);
27065 + const char *s = nd_get_link(nd);
27067 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
27068 IS_ERR(s) ? "<error>" : s);
27069 diff -urNp linux-2.6.33/fs/aio.c linux-2.6.33/fs/aio.c
27070 --- linux-2.6.33/fs/aio.c 2010-02-24 13:52:17.000000000 -0500
27071 +++ linux-2.6.33/fs/aio.c 2010-03-07 12:23:36.069651738 -0500
27072 @@ -129,7 +129,7 @@ static int aio_setup_ring(struct kioctx
27073 size += sizeof(struct io_event) * nr_events;
27074 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
27076 - if (nr_pages < 0)
27077 + if (nr_pages <= 0)
27080 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
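Review bot: The new `nr_pages <= 0` test catches a `size` that wrapped to exactly zero, but not one that wrapped to a small positive value, because the overflow happens earlier in `size += sizeof(struct io_event) * nr_events`. The declarations and any earlier cap on `nr_events` are outside the hunk, so this may already be covered. If it is not, the multiplication should be checked first, assuming `size` is an unsigned long: `if (nr_events > (ULONG_MAX - sizeof(struct aio_ring)) / sizeof(struct io_event))`, followed by the same error return. A short comment on the `<= 0` line saying that zero pages would make the `PAGE_SIZE * nr_pages - sizeof(struct aio_ring)` expression below wrap would also help. aio_setup_ring starts and ends outside the hunk.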
27081 diff -urNp linux-2.6.33/fs/attr.c linux-2.6.33/fs/attr.c
27082 --- linux-2.6.33/fs/attr.c 2010-02-24 13:52:17.000000000 -0500
27083 +++ linux-2.6.33/fs/attr.c 2010-03-07 12:23:36.069651738 -0500
27084 @@ -83,6 +83,7 @@ int inode_newsize_ok(const struct inode
27085 unsigned long limit;
27087 limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
27088 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
27089 if (limit != RLIM_INFINITY && offset > limit)
27091 if (offset > inode->i_sb->s_maxbytes)
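Review bot: The value passed to `gr_learn_resource()` is `(unsigned long)offset`, while the limit test on the next line compares the uncast `offset`. The declaration of `offset` is outside the hunk; if it is a 64-bit file offset, the cast truncates on 32-bit builds, so the learned RLIMIT_FSIZE value can be far smaller than the size actually requested. Saturating rather than truncating would keep the two consistent, for example `offset > (loff_t)ULONG_MAX ? ULONG_MAX : (unsigned long)offset` on configurations where the types differ in width. The parameter type of `gr_learn_resource()` is not shown here, so confirm which width it expects.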
27092 diff -urNp linux-2.6.33/fs/autofs/root.c linux-2.6.33/fs/autofs/root.c
27093 --- linux-2.6.33/fs/autofs/root.c 2010-02-24 13:52:17.000000000 -0500
27094 +++ linux-2.6.33/fs/autofs/root.c 2010-03-07 12:23:36.069651738 -0500
27095 @@ -299,7 +299,8 @@ static int autofs_root_symlink(struct in
27096 set_bit(n,sbi->symlink_bitmap);
27097 sl = &sbi->symlink[n];
27098 sl->len = strlen(symname);
27099 - sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
27100 + slsize = sl->len+1;
27101 + sl->data = kmalloc(slsize, GFP_KERNEL);
27103 clear_bit(n,sbi->symlink_bitmap);
27105 diff -urNp linux-2.6.33/fs/autofs4/symlink.c linux-2.6.33/fs/autofs4/symlink.c
27106 --- linux-2.6.33/fs/autofs4/symlink.c 2010-02-24 13:52:17.000000000 -0500
27107 +++ linux-2.6.33/fs/autofs4/symlink.c 2010-03-07 12:23:36.069651738 -0500
27109 static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
27111 struct autofs_info *ino = autofs4_dentry_ino(dentry);
27112 - nd_set_link(nd, (char *)ino->u.symlink);
27113 + nd_set_link(nd, ino->u.symlink);
27117 diff -urNp linux-2.6.33/fs/befs/linuxvfs.c linux-2.6.33/fs/befs/linuxvfs.c
27118 --- linux-2.6.33/fs/befs/linuxvfs.c 2010-02-24 13:52:17.000000000 -0500
27119 +++ linux-2.6.33/fs/befs/linuxvfs.c 2010-03-07 12:23:36.073720428 -0500
27120 @@ -493,7 +493,7 @@ static void befs_put_link(struct dentry
27122 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
27123 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
27124 - char *link = nd_get_link(nd);
27125 + const char *link = nd_get_link(nd);
27129 diff -urNp linux-2.6.33/fs/binfmt_aout.c linux-2.6.33/fs/binfmt_aout.c
27130 --- linux-2.6.33/fs/binfmt_aout.c 2010-02-24 13:52:17.000000000 -0500
27131 +++ linux-2.6.33/fs/binfmt_aout.c 2010-03-07 12:23:36.073720428 -0500
27133 #include <linux/string.h>
27134 #include <linux/fs.h>
27135 #include <linux/file.h>
27136 +#include <linux/security.h>
27137 #include <linux/stat.h>
27138 #include <linux/fcntl.h>
27139 #include <linux/ptrace.h>
27140 @@ -114,10 +115,12 @@ static int aout_core_dump(struct coredum
27142 /* If the size of the dump file exceeds the rlimit, then see what would happen
27143 if we wrote the stack, but not the data area. */
27144 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
27145 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
27148 /* Make sure we have enough room to write the stack and data areas. */
27149 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
27150 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
27153 @@ -250,6 +253,8 @@ static int load_aout_binary(struct linux
27154 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
27155 if (rlim >= RLIM_INFINITY)
27158 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
27159 if (ex.a_data + ex.a_bss > rlim)
27162 @@ -278,6 +283,27 @@ static int load_aout_binary(struct linux
27163 install_exec_creds(bprm);
27164 current->flags &= ~PF_FORKNOEXEC;
27166 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
27167 + current->mm->pax_flags = 0UL;
27170 +#ifdef CONFIG_PAX_PAGEEXEC
27171 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
27172 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
27174 +#ifdef CONFIG_PAX_EMUTRAMP
27175 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
27176 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
27179 +#ifdef CONFIG_PAX_MPROTECT
27180 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
27181 + current->mm->pax_flags |= MF_PAX_MPROTECT;
27187 if (N_MAGIC(ex) == OMAGIC) {
27188 unsigned long text_addr, map_size;
27190 @@ -350,7 +376,7 @@ static int load_aout_binary(struct linux
27192 down_write(¤t->mm->mmap_sem);
27193 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
27194 - PROT_READ | PROT_WRITE | PROT_EXEC,
27195 + PROT_READ | PROT_WRITE,
27196 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
27197 fd_offset + ex.a_text);
27198 up_write(¤t->mm->mmap_sem);
27199 diff -urNp linux-2.6.33/fs/binfmt_elf.c linux-2.6.33/fs/binfmt_elf.c
27200 --- linux-2.6.33/fs/binfmt_elf.c 2010-02-24 13:52:17.000000000 -0500
27201 +++ linux-2.6.33/fs/binfmt_elf.c 2010-03-07 12:23:36.073720428 -0500
27202 @@ -50,6 +50,10 @@ static int elf_core_dump(struct coredump
27203 #define elf_core_dump NULL
27206 +#ifdef CONFIG_PAX_MPROTECT
27207 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
27210 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
27211 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
27213 @@ -69,6 +73,11 @@ static struct linux_binfmt elf_format =
27214 .load_binary = load_elf_binary,
27215 .load_shlib = load_elf_library,
27216 .core_dump = elf_core_dump,
27218 +#ifdef CONFIG_PAX_MPROTECT
27219 + .handle_mprotect= elf_handle_mprotect,
27222 .min_coredump = ELF_EXEC_PAGESIZE,
27225 @@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
27227 static int set_brk(unsigned long start, unsigned long end)
27229 + unsigned long e = end;
27231 start = ELF_PAGEALIGN(start);
27232 end = ELF_PAGEALIGN(end);
27234 @@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
27235 if (BAD_ADDR(addr))
27238 - current->mm->start_brk = current->mm->brk = end;
27239 + current->mm->start_brk = current->mm->brk = e;
27243 @@ -148,7 +159,7 @@ create_elf_tables(struct linux_binprm *b
27244 elf_addr_t __user *u_rand_bytes;
27245 const char *k_platform = ELF_PLATFORM;
27246 const char *k_base_platform = ELF_BASE_PLATFORM;
27247 - unsigned char k_rand_bytes[16];
27248 + u32 k_rand_bytes[4];
27250 elf_addr_t *elf_info;
27252 @@ -195,6 +206,10 @@ create_elf_tables(struct linux_binprm *b
27253 * Generate 16 random bytes for userspace PRNG seeding.
27255 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
27256 + srandom32(k_rand_bytes[0] ^ random32());
27257 + srandom32(k_rand_bytes[1] ^ random32());
27258 + srandom32(k_rand_bytes[2] ^ random32());
27259 + srandom32(k_rand_bytes[3] ^ random32());
27260 u_rand_bytes = (elf_addr_t __user *)
27261 STACK_ALLOC(p, sizeof(k_rand_bytes));
27262 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
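Review bot: The four `srandom32(k_rand_bytes[n] ^ random32())` calls reseed the kernel PRNG from the same words that `__copy_to_user()` hands to the new process a few lines later, so that process knows one operand of every XOR. The reseed is then only as unpredictable as the `random32()` outputs mixed in. Drawing a value that never leaves the kernel avoids the reuse: `u32 seed; get_random_bytes(&seed, sizeof(seed)); srandom32(seed ^ random32());`. The existing comment still describes the buffer only as userspace PRNG seeding and should mention any second use. create_elf_tables starts and ends outside the hunk.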
27263 @@ -385,10 +400,10 @@ static unsigned long load_elf_interp(str
27265 struct elf_phdr *elf_phdata;
27266 struct elf_phdr *eppnt;
27267 - unsigned long load_addr = 0;
27268 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
27269 int load_addr_set = 0;
27270 unsigned long last_bss = 0, elf_bss = 0;
27271 - unsigned long error = ~0UL;
27272 + unsigned long error = -EINVAL;
27273 unsigned long total_size;
27274 int retval, i, size;
27276 @@ -434,6 +449,11 @@ static unsigned long load_elf_interp(str
27280 +#ifdef CONFIG_PAX_SEGMEXEC
27281 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
27282 + pax_task_size = SEGMEXEC_TASK_SIZE;
27285 eppnt = elf_phdata;
27286 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
27287 if (eppnt->p_type == PT_LOAD) {
27288 @@ -477,8 +497,8 @@ static unsigned long load_elf_interp(str
27289 k = load_addr + eppnt->p_vaddr;
27291 eppnt->p_filesz > eppnt->p_memsz ||
27292 - eppnt->p_memsz > TASK_SIZE ||
27293 - TASK_SIZE - eppnt->p_memsz < k) {
27294 + eppnt->p_memsz > pax_task_size ||
27295 + pax_task_size - eppnt->p_memsz < k) {
27299 @@ -532,6 +552,177 @@ out:
27303 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
27304 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
27306 + unsigned long pax_flags = 0UL;
27308 +#ifdef CONFIG_PAX_PAGEEXEC
27309 + if (elf_phdata->p_flags & PF_PAGEEXEC)
27310 + pax_flags |= MF_PAX_PAGEEXEC;
27313 +#ifdef CONFIG_PAX_SEGMEXEC
27314 + if (elf_phdata->p_flags & PF_SEGMEXEC)
27315 + pax_flags |= MF_PAX_SEGMEXEC;
27318 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
27319 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
27320 + if ((__supported_pte_mask & _PAGE_NX))
27321 + pax_flags &= ~MF_PAX_SEGMEXEC;
27323 + pax_flags &= ~MF_PAX_PAGEEXEC;
27327 +#ifdef CONFIG_PAX_EMUTRAMP
27328 + if (elf_phdata->p_flags & PF_EMUTRAMP)
27329 + pax_flags |= MF_PAX_EMUTRAMP;
27332 +#ifdef CONFIG_PAX_MPROTECT
27333 + if (elf_phdata->p_flags & PF_MPROTECT)
27334 + pax_flags |= MF_PAX_MPROTECT;
27337 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
27338 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
27339 + pax_flags |= MF_PAX_RANDMMAP;
27342 + return pax_flags;
27346 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
27347 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
27349 + unsigned long pax_flags = 0UL;
27351 +#ifdef CONFIG_PAX_PAGEEXEC
27352 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
27353 + pax_flags |= MF_PAX_PAGEEXEC;
27356 +#ifdef CONFIG_PAX_SEGMEXEC
27357 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
27358 + pax_flags |= MF_PAX_SEGMEXEC;
27361 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
27362 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
27363 + if ((__supported_pte_mask & _PAGE_NX))
27364 + pax_flags &= ~MF_PAX_SEGMEXEC;
27366 + pax_flags &= ~MF_PAX_PAGEEXEC;
27370 +#ifdef CONFIG_PAX_EMUTRAMP
27371 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
27372 + pax_flags |= MF_PAX_EMUTRAMP;
27375 +#ifdef CONFIG_PAX_MPROTECT
27376 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
27377 + pax_flags |= MF_PAX_MPROTECT;
27380 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
27381 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
27382 + pax_flags |= MF_PAX_RANDMMAP;
27385 + return pax_flags;
27389 +#ifdef CONFIG_PAX_EI_PAX
27390 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
27392 + unsigned long pax_flags = 0UL;
27394 +#ifdef CONFIG_PAX_PAGEEXEC
27395 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
27396 + pax_flags |= MF_PAX_PAGEEXEC;
27399 +#ifdef CONFIG_PAX_SEGMEXEC
27400 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
27401 + pax_flags |= MF_PAX_SEGMEXEC;
27404 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
27405 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
27406 + if ((__supported_pte_mask & _PAGE_NX))
27407 + pax_flags &= ~MF_PAX_SEGMEXEC;
27409 + pax_flags &= ~MF_PAX_PAGEEXEC;
27413 +#ifdef CONFIG_PAX_EMUTRAMP
27414 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
27415 + pax_flags |= MF_PAX_EMUTRAMP;
27418 +#ifdef CONFIG_PAX_MPROTECT
27419 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
27420 + pax_flags |= MF_PAX_MPROTECT;
27423 +#ifdef CONFIG_PAX_ASLR
27424 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
27425 + pax_flags |= MF_PAX_RANDMMAP;
27428 + return pax_flags;
27432 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
27433 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
27435 + unsigned long pax_flags = 0UL;
27437 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
27441 +#ifdef CONFIG_PAX_EI_PAX
27442 + pax_flags = pax_parse_ei_pax(elf_ex);
27445 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
27446 + for (i = 0UL; i < elf_ex->e_phnum; i++)
27447 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
27448 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
27449 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
27450 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
27451 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
27452 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
27455 +#ifdef CONFIG_PAX_SOFTMODE
27456 + if (pax_softmode)
27457 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
27461 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
27466 + if (0 > pax_check_flags(&pax_flags))
27469 + current->mm->pax_flags = pax_flags;
27475 * These are the functions used to load ELF style executables and shared
27476 * libraries. There is no binary dependent code anywhere else.
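Review bot: The block that keeps only one of `MF_PAX_PAGEEXEC` and `MF_PAX_SEGMEXEC` when both are set is repeated in `pax_parse_softmode()`, `pax_parse_hardmode()` and `pax_parse_ei_pax()`. Three copies of a policy decision can drift apart, so I would move it into one static helper, called at the same position in each parser. That position matters in `pax_parse_ei_pax()`, where the EMUTRAMP and MPROTECT tests read the resolved flags. The sketch below assumes the line not shown between the two `pax_flags &= ~...` statements is an `else`. The three parsers also use different guards for the RANDMMAP bit (`CONFIG_PAX_RANDMMAP || CONFIG_PAX_RANDUSTACK` against `CONFIG_PAX_ASLR`), which is worth either aligning or explaining in a comment.

```c
#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
/* A binary that requests both methods gets one: PAGEEXEC when the CPU has NX, SEGMEXEC otherwise. */
static unsigned long pax_resolve_noexec(unsigned long pax_flags)
{
	const unsigned long both = MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC;

	if ((pax_flags & both) != both)
		return pax_flags;
	if (__supported_pte_mask & _PAGE_NX)
		return pax_flags & ~MF_PAX_SEGMEXEC;
	return pax_flags & ~MF_PAX_PAGEEXEC;
}
#else
#define pax_resolve_noexec(flags) (flags)
#endif

/* … unchanged: PAGEEXEC and SEGMEXEC tests in each of the three parsers … */
	pax_flags = pax_resolve_noexec(pax_flags);
/* … unchanged: EMUTRAMP, MPROTECT and RANDMMAP tests … */
```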
27477 @@ -548,6 +739,11 @@ static unsigned long randomize_stack_top
27479 unsigned int random_variable = 0;
27481 +#ifdef CONFIG_PAX_RANDUSTACK
27482 + if (randomize_va_space)
27483 + return stack_top - current->mm->delta_stack;
27486 if ((current->flags & PF_RANDOMIZE) &&
27487 !(current->personality & ADDR_NO_RANDOMIZE)) {
27488 random_variable = get_random_int() & STACK_RND_MASK;
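Review bot: The early return added under CONFIG_PAX_RANDUSTACK skips the `PF_RANDOMIZE` and `ADDR_NO_RANDOMIZE` tests that follow it, and nothing in the hunk says this is deliberate. With `randomize_va_space` set, the result depends only on `current->mm->delta_stack`, which the load_elf_binary hunk at -718,11 resets to 0 and fills only when `MF_PAX_RANDMMAP` is set. A binary without that flag therefore gets an unshifted stack top here instead of falling through to the stock randomization. If that is intended, a comment should state it, for example `/* PaX: delta_stack replaces the stock randomization; it is 0 when MF_PAX_RANDMMAP is clear */`. randomize_stack_top starts and ends outside the hunk.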
27489 @@ -566,7 +762,7 @@ static int load_elf_binary(struct linux_
27490 unsigned long load_addr = 0, load_bias = 0;
27491 int load_addr_set = 0;
27492 char * elf_interpreter = NULL;
27493 - unsigned long error;
27494 + unsigned long error = 0;
27495 struct elf_phdr *elf_ppnt, *elf_phdata;
27496 unsigned long elf_bss, elf_brk;
27498 @@ -576,11 +772,11 @@ static int load_elf_binary(struct linux_
27499 unsigned long start_code, end_code, start_data, end_data;
27500 unsigned long reloc_func_desc = 0;
27501 int executable_stack = EXSTACK_DEFAULT;
27502 - unsigned long def_flags = 0;
27504 struct elfhdr elf_ex;
27505 struct elfhdr interp_elf_ex;
27507 + unsigned long pax_task_size = TASK_SIZE;
27509 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
27511 @@ -718,11 +914,80 @@ static int load_elf_binary(struct linux_
27513 /* OK, This is the point of no return */
27514 current->flags &= ~PF_FORKNOEXEC;
27515 - current->mm->def_flags = def_flags;
27517 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
27518 + current->mm->pax_flags = 0UL;
27521 +#ifdef CONFIG_PAX_DLRESOLVE
27522 + current->mm->call_dl_resolve = 0UL;
27525 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
27526 + current->mm->call_syscall = 0UL;
27529 +#ifdef CONFIG_PAX_ASLR
27530 + current->mm->delta_mmap = 0UL;
27531 + current->mm->delta_stack = 0UL;
27534 + current->mm->def_flags = 0;
27536 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
27537 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
27538 + send_sig(SIGKILL, current, 0);
27539 + goto out_free_dentry;
27543 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
27544 + pax_set_initial_flags(bprm);
27545 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
27546 + if (pax_set_initial_flags_func)
27547 + (pax_set_initial_flags_func)(bprm);
27550 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
27551 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
27552 + current->mm->context.user_cs_limit = PAGE_SIZE;
27553 + current->mm->def_flags |= VM_PAGEEXEC;
27557 +#ifdef CONFIG_PAX_SEGMEXEC
27558 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
27559 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
27560 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
27561 + pax_task_size = SEGMEXEC_TASK_SIZE;
27565 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
27566 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
27567 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
27572 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
27573 may depend on the personality. */
27574 SET_PERSONALITY(loc->elf_ex);
27576 +#ifdef CONFIG_PAX_ASLR
27577 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
27578 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
27579 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
27583 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
27584 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
27585 + executable_stack = EXSTACK_DISABLE_X;
27586 + current->personality &= ~READ_IMPLIES_EXEC;
27590 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
27591 current->personality |= READ_IMPLIES_EXEC;
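Review bot: The branch taken when `pax_parse_elf_flags()` fails sends SIGKILL and jumps to `out_free_dentry` without assigning `retval`. Unless `retval` already holds an error at this point, which the hunk does not show, load_elf_binary reports success for an image whose flags were rejected. The padzero path removed in the -877,9 hunk set an error before its `goto`, so I would do the same here with `retval = -EINVAL;` ahead of the `goto out_free_dentry;`. The function starts and ends outside the hunk.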
27593 @@ -804,6 +1069,20 @@ static int load_elf_binary(struct linux_
27595 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
27598 +#ifdef CONFIG_PAX_RANDMMAP
27599 + /* PaX: randomize base address at the default exe base if requested */
27600 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
27601 +#ifdef CONFIG_SPARC64
27602 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
27604 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
27606 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
27607 + elf_flags |= MAP_FIXED;
27613 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
27614 @@ -836,9 +1115,9 @@ static int load_elf_binary(struct linux_
27615 * allowed task size. Note that p_filesz must always be
27616 * <= p_memsz so it is only necessary to check p_memsz.
27618 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
27619 - elf_ppnt->p_memsz > TASK_SIZE ||
27620 - TASK_SIZE - elf_ppnt->p_memsz < k) {
27621 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
27622 + elf_ppnt->p_memsz > pax_task_size ||
27623 + pax_task_size - elf_ppnt->p_memsz < k) {
27624 /* set_brk can never work. Avoid overflows. */
27625 send_sig(SIGKILL, current, 0);
27627 @@ -866,6 +1145,11 @@ static int load_elf_binary(struct linux_
27628 start_data += load_bias;
27629 end_data += load_bias;
27631 +#ifdef CONFIG_PAX_RANDMMAP
27632 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
27633 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
27636 /* Calling set_brk effectively mmaps the pages that we need
27637 * for the bss and break sections. We must do this before
27638 * mapping in the interpreter, to make sure it doesn't wind
27639 @@ -877,9 +1161,11 @@ static int load_elf_binary(struct linux_
27640 goto out_free_dentry;
27642 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
27643 - send_sig(SIGSEGV, current, 0);
27644 - retval = -EFAULT; /* Nobody gets to see this, but.. */
27645 - goto out_free_dentry;
27647 + * This bss-zeroing can fail if the ELF
27648 + * file specifies odd protections. So
27649 + * we don't check the return value
27653 if (elf_interpreter) {
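Review bot: As far as the hunk shows, the `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss)))` statement is left with a body that contains only a comment, so a failed `padzero()` is now ignored through an empty branch. An empty `if` reads like an accidental deletion and invites a later "fix". Stating the intent directly is clearer: `if (likely(elf_bss != elf_brk)) (void)padzero(elf_bss);`, with the explanation kept as a comment above it. The comment should also say what is left in the tail of the last file-backed page when the zeroing fails, since that is the case a reader will ask about.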
27654 @@ -1107,8 +1393,10 @@ static int dump_seek(struct file *file,
27655 unsigned long n = off;
27658 - if (!dump_write(file, buf, n))
27659 + if (!dump_write(file, buf, n)) {
27660 + free_page((unsigned long)buf);
27665 free_page((unsigned long)buf);
27666 @@ -1120,7 +1408,7 @@ static int dump_seek(struct file *file,
27667 * Decide what to dump of a segment, part, all or none.
27669 static unsigned long vma_dump_size(struct vm_area_struct *vma,
27670 - unsigned long mm_flags)
27671 + unsigned long mm_flags, long signr)
27673 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
27675 @@ -1154,7 +1442,7 @@ static unsigned long vma_dump_size(struc
27676 if (vma->vm_file == NULL)
27679 - if (FILTER(MAPPED_PRIVATE))
27680 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
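Review bot: The added `signr == SIGKILL` test makes this branch ignore the `MAPPED_PRIVATE` bit of the process's core dump filter, and neither this hunk nor the signature change in the -1120,7 hunk says why. That filter is a user-visible setting, so overriding it changes what ends up in a core file and how large it gets. The reason belongs next to the test, in a comment of the form `/* SIGKILL: dump private file mappings regardless of the filter because <reason> */`, and the comment above the function should document the new `signr` parameter. vma_dump_size starts and ends outside the hunk.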
27684 @@ -1250,9 +1538,12 @@ static int writenote(struct memelfnote *
27687 #define DUMP_WRITE(addr, nr) \
27689 + gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
27690 if ((size += (nr)) > cprm->limit || \
27691 !dump_write(cprm->file, (addr), (nr))) \
27692 - goto end_coredump;
27693 + goto end_coredump; \
27696 static void fill_elf_header(struct elfhdr *elf, int segs,
27697 u16 machine, u32 flags, u8 osabi)
27698 @@ -1381,9 +1672,9 @@ static void fill_auxv_note(struct memelf
27700 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
27705 - while (auxv[i - 2] != AT_NULL);
27706 + } while (auxv[i - 2] != AT_NULL);
27707 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
27710 @@ -1969,7 +2260,7 @@ static int elf_core_dump(struct coredump
27711 phdr.p_offset = offset;
27712 phdr.p_vaddr = vma->vm_start;
27714 - phdr.p_filesz = vma_dump_size(vma, mm_flags);
27715 + phdr.p_filesz = vma_dump_size(vma, mm_flags, cprm->signr);
27716 phdr.p_memsz = vma->vm_end - vma->vm_start;
27717 offset += phdr.p_filesz;
27718 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
27719 @@ -2002,7 +2293,7 @@ static int elf_core_dump(struct coredump
27720 unsigned long addr;
27723 - end = vma->vm_start + vma_dump_size(vma, mm_flags);
27724 + end = vma->vm_start + vma_dump_size(vma, mm_flags, cprm->signr);
27726 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
27728 @@ -2011,6 +2302,7 @@ static int elf_core_dump(struct coredump
27729 page = get_dump_page(addr);
27731 void *kaddr = kmap(page);
27732 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
27733 stop = ((size += PAGE_SIZE) > cprm->limit) ||
27734 !dump_write(cprm->file, kaddr,
27736 @@ -2039,6 +2331,97 @@ out:
27738 #endif /* CONFIG_ELF_CORE */
27740 +#ifdef CONFIG_PAX_MPROTECT
27741 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
27742 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
27743 + * we'll remove VM_MAYWRITE for good on RELRO segments.
27745 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
27746 + * basis because we want to allow the common case and not the special ones.
27748 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
27750 + struct elfhdr elf_h;
27751 + struct elf_phdr elf_p;
27753 + unsigned long oldflags;
27754 + bool is_textrel_rw, is_textrel_rx, is_relro;
27756 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
27759 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
27760 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
27762 +#ifdef CONFIG_PAX_NOELFRELOCS
27763 + is_textrel_rw = false;
27764 + is_textrel_rx = false;
27766 + /* possible TEXTREL */
27767 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
27768 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
27771 + /* possible RELRO */
27772 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
27774 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
27777 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
27778 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
27780 +#ifdef CONFIG_PAX_ETEXECRELOCS
27781 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
27783 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
27786 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
27787 + !elf_check_arch(&elf_h) ||
27788 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
27789 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
27792 + for (i = 0UL; i < elf_h.e_phnum; i++) {
27793 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
27795 + switch (elf_p.p_type) {
27797 + if (!is_textrel_rw && !is_textrel_rx)
27800 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
27803 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
27805 + if (dyn.d_tag == DT_NULL)
27807 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
27808 + gr_log_textrel(vma);
27809 + if (is_textrel_rw)
27810 + vma->vm_flags |= VM_MAYWRITE;
27812 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
27813 + vma->vm_flags &= ~VM_MAYWRITE;
27820 + case PT_GNU_RELRO:
27823 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
27824 + vma->vm_flags &= ~VM_MAYWRITE;
27831 static int __init init_elf_binfmt(void)
27833 return register_binfmt(&elf_format);
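Review bot: The dynamic-section scan in the PT_DYNAMIC case of elf_handle_mprotect() indexes with the same `i` that drives the outer program-header loop (`while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz)`), so the function is only correct if `i` is reset before the scan and the case never falls back into the `for`. Those lines are not visible in this extract, so this is presumably handled, but a separate counter for the inner loop (for example `unsigned long j`) would make the scan independent of that control flow. The header comment could also state that the ELF header, program headers and dynamic entries are re-read from `vma->vm_file` on every qualifying mprotect(), and that `e_phoff`, `p_offset` and `p_filesz` are taken from the file unvalidated, so the scan is bounded only by `p_filesz` and by short reads.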
27834 diff -urNp linux-2.6.33/fs/binfmt_flat.c linux-2.6.33/fs/binfmt_flat.c
27835 --- linux-2.6.33/fs/binfmt_flat.c 2010-02-24 13:52:17.000000000 -0500
27836 +++ linux-2.6.33/fs/binfmt_flat.c 2010-03-07 12:23:36.073720428 -0500
27837 @@ -564,7 +564,9 @@ static int load_flat_file(struct linux_b
27838 realdatastart = (unsigned long) -ENOMEM;
27839 printk("Unable to allocate RAM for process data, errno %d\n",
27840 (int)-realdatastart);
27841 + down_write(¤t->mm->mmap_sem);
27842 do_munmap(current->mm, textpos, text_len);
27843 + up_write(¤t->mm->mmap_sem);
27844 ret = realdatastart;
27847 @@ -588,8 +590,10 @@ static int load_flat_file(struct linux_b
27849 if (IS_ERR_VALUE(result)) {
27850 printk("Unable to read data+bss, errno %d\n", (int)-result);
27851 + down_write(¤t->mm->mmap_sem);
27852 do_munmap(current->mm, textpos, text_len);
27853 do_munmap(current->mm, realdatastart, data_len + extra);
27854 + up_write(¤t->mm->mmap_sem);
27858 @@ -658,8 +662,10 @@ static int load_flat_file(struct linux_b
27860 if (IS_ERR_VALUE(result)) {
27861 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
27862 + down_write(¤t->mm->mmap_sem);
27863 do_munmap(current->mm, textpos, text_len + data_len + extra +
27864 MAX_SHARED_LIBS * sizeof(unsigned long));
27865 + up_write(¤t->mm->mmap_sem);
27869 diff -urNp linux-2.6.33/fs/binfmt_misc.c linux-2.6.33/fs/binfmt_misc.c
27870 --- linux-2.6.33/fs/binfmt_misc.c 2010-02-24 13:52:17.000000000 -0500
27871 +++ linux-2.6.33/fs/binfmt_misc.c 2010-03-07 12:23:36.073720428 -0500
27872 @@ -693,7 +693,7 @@ static int bm_fill_super(struct super_bl
27873 static struct tree_descr bm_files[] = {
27874 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
27875 [3] = {"register", &bm_register_operations, S_IWUSR},
27876 - /* last one */ {""}
27877 + /* last one */ {"", NULL, 0}
27879 int err = simple_fill_super(sb, 0x42494e4d, bm_files);
27881 diff -urNp linux-2.6.33/fs/bio.c linux-2.6.33/fs/bio.c
27882 --- linux-2.6.33/fs/bio.c 2010-02-24 13:52:17.000000000 -0500
27883 +++ linux-2.6.33/fs/bio.c 2010-03-07 12:23:36.073720428 -0500
27884 @@ -1217,7 +1217,7 @@ static void bio_copy_kern_endio(struct b
27885 const int read = bio_data_dir(bio) == READ;
27886 struct bio_map_data *bmd = bio->bi_private;
27888 - char *p = bmd->sgvecs[0].iov_base;
27889 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
27891 __bio_for_each_segment(bvec, bio, i, 0) {
27892 char *addr = page_address(bvec->bv_page);
27893 diff -urNp linux-2.6.33/fs/btrfs/ctree.c linux-2.6.33/fs/btrfs/ctree.c
27894 --- linux-2.6.33/fs/btrfs/ctree.c 2010-02-24 13:52:17.000000000 -0500
27895 +++ linux-2.6.33/fs/btrfs/ctree.c 2010-03-07 12:23:36.073720428 -0500
27896 @@ -3645,7 +3645,6 @@ setup_items_for_insert(struct btrfs_tran
27900 - struct btrfs_disk_key disk_key;
27901 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
27902 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
27904 diff -urNp linux-2.6.33/fs/btrfs/disk-io.c linux-2.6.33/fs/btrfs/disk-io.c
27905 --- linux-2.6.33/fs/btrfs/disk-io.c 2010-02-24 13:52:17.000000000 -0500
27906 +++ linux-2.6.33/fs/btrfs/disk-io.c 2010-03-07 12:23:36.073720428 -0500
27908 #include "tree-log.h"
27909 #include "free-space-cache.h"
27911 -static struct extent_io_ops btree_extent_io_ops;
27912 +static const struct extent_io_ops btree_extent_io_ops;
27913 static void end_workqueue_fn(struct btrfs_work *work);
27914 static void free_fs_root(struct btrfs_root *root);
27916 @@ -2605,7 +2605,7 @@ out:
27920 -static struct extent_io_ops btree_extent_io_ops = {
27921 +static const struct extent_io_ops btree_extent_io_ops = {
27922 .write_cache_pages_lock_hook = btree_lock_page_hook,
27923 .readpage_end_io_hook = btree_readpage_end_io_hook,
27924 .submit_bio_hook = btree_submit_bio_hook,
27925 diff -urNp linux-2.6.33/fs/btrfs/extent_io.h linux-2.6.33/fs/btrfs/extent_io.h
27926 --- linux-2.6.33/fs/btrfs/extent_io.h 2010-02-24 13:52:17.000000000 -0500
27927 +++ linux-2.6.33/fs/btrfs/extent_io.h 2010-03-07 12:23:36.073720428 -0500
27928 @@ -49,36 +49,36 @@ typedef int (extent_submit_bio_hook_t)(s
27929 struct bio *bio, int mirror_num,
27930 unsigned long bio_flags);
27931 struct extent_io_ops {
27932 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
27933 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
27934 u64 start, u64 end, int *page_started,
27935 unsigned long *nr_written);
27936 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
27937 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
27938 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
27939 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
27940 extent_submit_bio_hook_t *submit_bio_hook;
27941 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
27942 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
27943 size_t size, struct bio *bio,
27944 unsigned long bio_flags);
27945 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
27946 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
27947 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
27948 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
27949 u64 start, u64 end,
27950 struct extent_state *state);
27951 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
27952 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
27953 u64 start, u64 end,
27954 struct extent_state *state);
27955 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
27956 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
27957 struct extent_state *state);
27958 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
27959 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
27960 struct extent_state *state, int uptodate);
27961 - int (*set_bit_hook)(struct inode *inode, u64 start, u64 end,
27962 + int (* const set_bit_hook)(struct inode *inode, u64 start, u64 end,
27963 unsigned long old, unsigned long bits);
27964 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
27965 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
27966 unsigned long bits);
27967 - int (*merge_extent_hook)(struct inode *inode,
27968 + int (* const merge_extent_hook)(struct inode *inode,
27969 struct extent_state *new,
27970 struct extent_state *other);
27971 - int (*split_extent_hook)(struct inode *inode,
27972 + int (* const split_extent_hook)(struct inode *inode,
27973 struct extent_state *orig, u64 split);
27974 - int (*write_cache_pages_lock_hook)(struct page *page);
27975 + int (* const write_cache_pages_lock_hook)(struct page *page);
27978 struct extent_io_tree {
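Review bot: Every function pointer in struct extent_io_ops becomes `* const` except `submit_bio_hook`, which stays `extent_submit_bio_hook_t *submit_bio_hook;` on the context line in the middle of the converted members. The two instances visible in this patch (btree_extent_io_ops and btrfs_extent_io_ops) are declared `static const`, so they are protected either way, but the per-member qualifier is there to stop a non-const instance from being retargeted at run time, and this hook is the one member it does not cover. For consistency it should read `extent_submit_bio_hook_t * const submit_bio_hook;`.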
27979 @@ -88,7 +88,7 @@ struct extent_io_tree {
27982 spinlock_t buffer_lock;
27983 - struct extent_io_ops *ops;
27984 + const struct extent_io_ops *ops;
27987 struct extent_state {
27988 diff -urNp linux-2.6.33/fs/btrfs/free-space-cache.c linux-2.6.33/fs/btrfs/free-space-cache.c
27989 --- linux-2.6.33/fs/btrfs/free-space-cache.c 2010-02-24 13:52:17.000000000 -0500
27990 +++ linux-2.6.33/fs/btrfs/free-space-cache.c 2010-03-07 12:23:36.073720428 -0500
27991 @@ -1074,8 +1074,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
27994 if (entry->bytes < bytes || entry->offset < min_start) {
27995 - struct rb_node *node;
27997 node = rb_next(&entry->offset_index);
28000 @@ -1226,7 +1224,7 @@ again:
28002 while (entry->bitmap || found_bitmap ||
28003 (!entry->bitmap && entry->bytes < min_bytes)) {
28004 - struct rb_node *node = rb_next(&entry->offset_index);
28005 + node = rb_next(&entry->offset_index);
28007 if (entry->bitmap && entry->bytes > bytes + empty_size) {
28008 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
28009 diff -urNp linux-2.6.33/fs/btrfs/inode.c linux-2.6.33/fs/btrfs/inode.c
28010 --- linux-2.6.33/fs/btrfs/inode.c 2010-02-24 13:52:17.000000000 -0500
28011 +++ linux-2.6.33/fs/btrfs/inode.c 2010-03-07 12:23:36.077713587 -0500
28012 @@ -63,7 +63,7 @@ static const struct inode_operations btr
28013 static const struct address_space_operations btrfs_aops;
28014 static const struct address_space_operations btrfs_symlink_aops;
28015 static const struct file_operations btrfs_dir_file_operations;
28016 -static struct extent_io_ops btrfs_extent_io_ops;
28017 +static const struct extent_io_ops btrfs_extent_io_ops;
28019 static struct kmem_cache *btrfs_inode_cachep;
28020 struct kmem_cache *btrfs_trans_handle_cachep;
28021 @@ -5973,7 +5973,7 @@ static const struct file_operations btrf
28022 .fsync = btrfs_sync_file,
28025 -static struct extent_io_ops btrfs_extent_io_ops = {
28026 +static const struct extent_io_ops btrfs_extent_io_ops = {
28027 .fill_delalloc = run_delalloc_range,
28028 .submit_bio_hook = btrfs_submit_bio_hook,
28029 .merge_bio_hook = btrfs_merge_bio_hook,
28030 diff -urNp linux-2.6.33/fs/btrfs/sysfs.c linux-2.6.33/fs/btrfs/sysfs.c
28031 --- linux-2.6.33/fs/btrfs/sysfs.c 2010-02-24 13:52:17.000000000 -0500
28032 +++ linux-2.6.33/fs/btrfs/sysfs.c 2010-03-07 12:23:36.077713587 -0500
28033 @@ -164,12 +164,12 @@ static void btrfs_root_release(struct ko
28034 complete(&root->kobj_unregister);
28037 -static struct sysfs_ops btrfs_super_attr_ops = {
28038 +static const struct sysfs_ops btrfs_super_attr_ops = {
28039 .show = btrfs_super_attr_show,
28040 .store = btrfs_super_attr_store,
28043 -static struct sysfs_ops btrfs_root_attr_ops = {
28044 +static const struct sysfs_ops btrfs_root_attr_ops = {
28045 .show = btrfs_root_attr_show,
28046 .store = btrfs_root_attr_store,
28048 diff -urNp linux-2.6.33/fs/buffer.c linux-2.6.33/fs/buffer.c
28049 --- linux-2.6.33/fs/buffer.c 2010-02-24 13:52:17.000000000 -0500
28050 +++ linux-2.6.33/fs/buffer.c 2010-03-07 12:23:36.077713587 -0500
28052 #include <linux/percpu.h>
28053 #include <linux/slab.h>
28054 #include <linux/capability.h>
28055 +#include <linux/security.h>
28056 #include <linux/blkdev.h>
28057 #include <linux/file.h>
28058 #include <linux/quotaops.h>
28059 diff -urNp linux-2.6.33/fs/cachefiles/daemon.c linux-2.6.33/fs/cachefiles/daemon.c
28060 --- linux-2.6.33/fs/cachefiles/daemon.c 2010-02-24 13:52:17.000000000 -0500
28061 +++ linux-2.6.33/fs/cachefiles/daemon.c 2010-03-07 12:23:36.077713587 -0500
28062 @@ -195,7 +195,7 @@ static ssize_t cachefiles_daemon_read(st
28066 - if (copy_to_user(_buffer, buffer, n) != 0)
28067 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
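Review bot: The new `n > sizeof(buffer)` guard carries no comment saying what it protects against, and its effect on a negative `n` depends on `n`'s type, which is declared outside this hunk. If `n` is a signed int, the comparison converts it to size_t and a negative value is rejected as well, which is presumably intended. A one-line comment such as `/* n must never exceed the local buffer, whatever the length computation returned */` would record that. The same uncommented pattern is added in fs/ecryptfs/miscdev.c (`packet_length_size > sizeof(packet_length)`).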
28071 diff -urNp linux-2.6.33/fs/cachefiles/rdwr.c linux-2.6.33/fs/cachefiles/rdwr.c
28072 --- linux-2.6.33/fs/cachefiles/rdwr.c 2010-02-24 13:52:17.000000000 -0500
28073 +++ linux-2.6.33/fs/cachefiles/rdwr.c 2010-03-07 12:23:36.077713587 -0500
28074 @@ -944,7 +944,7 @@ int cachefiles_write_page(struct fscache
28077 ret = file->f_op->write(
28078 - file, (const void __user *) data, len, &pos);
28079 + file, (__force const void __user *) data, len, &pos);
28083 diff -urNp linux-2.6.33/fs/cifs/cifs_uniupr.h linux-2.6.33/fs/cifs/cifs_uniupr.h
28084 --- linux-2.6.33/fs/cifs/cifs_uniupr.h 2010-02-24 13:52:17.000000000 -0500
28085 +++ linux-2.6.33/fs/cifs/cifs_uniupr.h 2010-03-07 12:23:36.077713587 -0500
28086 @@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
28087 {0x0490, 0x04cc, UniCaseRangeU0490},
28088 {0x1e00, 0x1ffc, UniCaseRangeU1e00},
28089 {0xff40, 0xff5a, UniCaseRangeUff40},
28095 diff -urNp linux-2.6.33/fs/cifs/link.c linux-2.6.33/fs/cifs/link.c
28096 --- linux-2.6.33/fs/cifs/link.c 2010-02-24 13:52:17.000000000 -0500
28097 +++ linux-2.6.33/fs/cifs/link.c 2010-03-07 12:23:36.077713587 -0500
28098 @@ -215,7 +215,7 @@ cifs_symlink(struct inode *inode, struct
28100 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
28102 - char *p = nd_get_link(nd);
28103 + const char *p = nd_get_link(nd);
28107 diff -urNp linux-2.6.33/fs/compat_binfmt_elf.c linux-2.6.33/fs/compat_binfmt_elf.c
28108 --- linux-2.6.33/fs/compat_binfmt_elf.c 2010-02-24 13:52:17.000000000 -0500
28109 +++ linux-2.6.33/fs/compat_binfmt_elf.c 2010-03-07 12:23:36.077713587 -0500
28110 @@ -29,10 +29,12 @@
28116 #define elfhdr elf32_hdr
28117 #define elf_phdr elf32_phdr
28118 #define elf_note elf32_note
28119 +#define elf_dyn Elf32_Dyn
28120 #define elf_addr_t Elf32_Addr
28123 diff -urNp linux-2.6.33/fs/compat.c linux-2.6.33/fs/compat.c
28124 --- linux-2.6.33/fs/compat.c 2010-02-24 13:52:17.000000000 -0500
28125 +++ linux-2.6.33/fs/compat.c 2010-03-07 12:23:36.077713587 -0500
28126 @@ -1408,14 +1408,12 @@ static int compat_copy_strings(int argc,
28127 if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
28130 -#ifdef CONFIG_STACK_GROWSUP
28131 ret = expand_stack_downwards(bprm->vma, pos);
28133 /* We've exceed the stack rlimit. */
28138 ret = get_user_pages(current, bprm->mm, pos,
28139 1, 1, 1, &page, NULL);
28141 @@ -1461,6 +1459,11 @@ int compat_do_execve(char * filename,
28142 compat_uptr_t __user *envp,
28143 struct pt_regs * regs)
28145 +#ifdef CONFIG_GRKERNSEC
28146 + struct file *old_exec_file;
28147 + struct acl_subject_label *old_acl;
28148 + struct rlimit old_rlim[RLIM_NLIMITS];
28150 struct linux_binprm *bprm;
28152 struct files_struct *displaced;
28153 @@ -1497,6 +1500,14 @@ int compat_do_execve(char * filename,
28154 bprm->filename = filename;
28155 bprm->interp = filename;
28157 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
28158 + retval = -EAGAIN;
28159 + if (gr_handle_nproc())
28161 + retval = -EACCES;
28162 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
28165 retval = bprm_mm_init(bprm);
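Review bot: The grsecurity exec checks added here are a second copy of the ones this patch adds to do_execve() in fs/exec.c, and the two copies are already written differently: here `retval = -EAGAIN;` is assigned before `if (gr_handle_nproc())`, there it is assigned inside a braced body. Both paths call the same functions in the same order (gr_learn_resource, gr_handle_nproc, gr_acl_handle_execve, then gr_tpe_allow, gr_check_crash_exec and gr_set_proc_label), so a shared static helper taking `file` and `bprm` would keep the native and compat paths from drifting apart. The same applies to the save and restore of `current->acl`, the rlimit array and `current->exec_file` in the following hunks. compat_do_execve()'s body continues outside the hunk.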
28168 @@ -1526,9 +1537,40 @@ int compat_do_execve(char * filename,
28172 + if (!gr_tpe_allow(file)) {
28173 + retval = -EACCES;
28177 + if (gr_check_crash_exec(file)) {
28178 + retval = -EACCES;
28182 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
28184 + gr_handle_exec_args(bprm, (char __user * __user *)argv);
28186 +#ifdef CONFIG_GRKERNSEC
28187 + old_acl = current->acl;
28188 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
28189 + old_exec_file = current->exec_file;
28191 + current->exec_file = file;
28194 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
28195 + bprm->unsafe & LSM_UNSAFE_SHARE);
28199 retval = search_binary_handler(bprm, regs);
28203 +#ifdef CONFIG_GRKERNSEC
28204 + if (old_exec_file)
28205 + fput(old_exec_file);
28208 current->stack_start = current->mm->start_stack;
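Review bot: `gr_handle_exec_args(bprm, (char __user * __user *)argv);` casts the compat argument vector to an array of native user pointers. The `envp` parameter on the context line of the first compat_do_execve() hunk is `compat_uptr_t __user *`, and `argv` is presumably declared the same way, so on a 64-bit kernel each element is 32 bits wide while the callee's parameter type implies native-width loads. gr_handle_exec_args() is not defined in this extract, so confirm that it reads compat vectors with compat_uptr_t-sized accesses, or give it a separate compat entry point; otherwise the argument logging for 32-bit tasks would follow wrong addresses. The cast also lacks the `__force` annotation this patch adds to similar casts elsewhere.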
28210 @@ -1541,6 +1583,14 @@ int compat_do_execve(char * filename,
28211 put_files_struct(displaced);
28215 +#ifdef CONFIG_GRKERNSEC
28216 + current->acl = old_acl;
28217 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
28218 + fput(current->exec_file);
28219 + current->exec_file = old_exec_file;
28225 diff -urNp linux-2.6.33/fs/debugfs/inode.c linux-2.6.33/fs/debugfs/inode.c
28226 --- linux-2.6.33/fs/debugfs/inode.c 2010-02-24 13:52:17.000000000 -0500
28227 +++ linux-2.6.33/fs/debugfs/inode.c 2010-03-07 12:23:36.077713587 -0500
28228 @@ -128,7 +128,7 @@ static inline int debugfs_positive(struc
28230 static int debug_fill_super(struct super_block *sb, void *data, int silent)
28232 - static struct tree_descr debug_files[] = {{""}};
28233 + static struct tree_descr debug_files[] = {{"", NULL, 0}};
28235 return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
28237 diff -urNp linux-2.6.33/fs/dlm/lockspace.c linux-2.6.33/fs/dlm/lockspace.c
28238 --- linux-2.6.33/fs/dlm/lockspace.c 2010-02-24 13:52:17.000000000 -0500
28239 +++ linux-2.6.33/fs/dlm/lockspace.c 2010-03-07 12:23:36.077713587 -0500
28240 @@ -148,7 +148,7 @@ static void lockspace_kobj_release(struc
28244 -static struct sysfs_ops dlm_attr_ops = {
28245 +static const struct sysfs_ops dlm_attr_ops = {
28246 .show = dlm_attr_show,
28247 .store = dlm_attr_store,
28249 diff -urNp linux-2.6.33/fs/ecryptfs/inode.c linux-2.6.33/fs/ecryptfs/inode.c
28250 --- linux-2.6.33/fs/ecryptfs/inode.c 2010-02-24 13:52:17.000000000 -0500
28251 +++ linux-2.6.33/fs/ecryptfs/inode.c 2010-03-07 12:23:36.077713587 -0500
28252 @@ -685,7 +685,7 @@ ecryptfs_readlink(struct dentry *dentry,
28255 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
28256 - (char __user *)lower_buf,
28257 + (__force char __user *)lower_buf,
28261 @@ -729,7 +729,7 @@ static void *ecryptfs_follow_link(struct
28265 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
28266 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
28270 @@ -744,7 +744,7 @@ out:
28272 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
28274 - char *buf = nd_get_link(nd);
28275 + const char *buf = nd_get_link(nd);
28276 if (!IS_ERR(buf)) {
28277 /* Free the char* */
28279 diff -urNp linux-2.6.33/fs/ecryptfs/miscdev.c linux-2.6.33/fs/ecryptfs/miscdev.c
28280 --- linux-2.6.33/fs/ecryptfs/miscdev.c 2010-02-24 13:52:17.000000000 -0500
28281 +++ linux-2.6.33/fs/ecryptfs/miscdev.c 2010-03-07 12:23:36.077713587 -0500
28282 @@ -327,7 +327,7 @@ check_list:
28283 goto out_unlock_msg_ctx;
28285 if (msg_ctx->msg) {
28286 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
28287 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
28288 goto out_unlock_msg_ctx;
28289 i += packet_length_size;
28290 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
28291 diff -urNp linux-2.6.33/fs/exec.c linux-2.6.33/fs/exec.c
28292 --- linux-2.6.33/fs/exec.c 2010-02-24 13:52:17.000000000 -0500
28293 +++ linux-2.6.33/fs/exec.c 2010-03-07 12:23:36.081714180 -0500
28294 @@ -55,12 +55,24 @@
28295 #include <linux/fsnotify.h>
28296 #include <linux/fs_struct.h>
28297 #include <linux/pipe_fs_i.h>
28298 +#include <linux/random.h>
28299 +#include <linux/seq_file.h>
28301 +#ifdef CONFIG_PAX_REFCOUNT
28302 +#include <linux/kallsyms.h>
28303 +#include <linux/kdebug.h>
28306 #include <asm/uaccess.h>
28307 #include <asm/mmu_context.h>
28308 #include <asm/tlb.h>
28309 #include "internal.h"
28311 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
28312 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
28313 +EXPORT_SYMBOL(pax_set_initial_flags_func);
28317 char core_pattern[CORENAME_MAX_SIZE] = "core";
28318 unsigned int core_pipe_limit;
28319 @@ -114,7 +126,7 @@ SYSCALL_DEFINE1(uselib, const char __use
28322 file = do_filp_open(AT_FDCWD, tmp,
28323 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
28324 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
28325 MAY_READ | MAY_EXEC | MAY_OPEN);
28327 error = PTR_ERR(file);
28328 @@ -162,18 +174,10 @@ static struct page *get_arg_page(struct
28334 -#ifdef CONFIG_STACK_GROWSUP
28336 - ret = expand_stack_downwards(bprm->vma, pos);
28341 - ret = get_user_pages(current, bprm->mm, pos,
28342 - 1, write, 1, &page, NULL);
28344 + if (0 > expand_stack_downwards(bprm->vma, pos))
28346 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
28350 @@ -245,6 +249,11 @@ static int __bprm_mm_init(struct linux_b
28351 vma->vm_end = STACK_TOP_MAX;
28352 vma->vm_start = vma->vm_end - PAGE_SIZE;
28353 vma->vm_flags = VM_STACK_FLAGS;
28355 +#ifdef CONFIG_PAX_SEGMEXEC
28356 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
28359 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
28360 err = insert_vm_struct(mm, vma);
28362 @@ -253,6 +262,12 @@ static int __bprm_mm_init(struct linux_b
28363 mm->stack_vm = mm->total_vm = 1;
28364 up_write(&mm->mmap_sem);
28365 bprm->p = vma->vm_end - sizeof(void *);
28367 +#ifdef CONFIG_PAX_RANDUSTACK
28368 + if (randomize_va_space)
28369 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
28374 up_write(&mm->mmap_sem);
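Review bot: The stack randomisation line `bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;` has no comment explaining its two masks. `& ~15` clears the low four bits and `& ~PAGE_MASK` keeps only the offset-within-page bits, so the XOR changes bits 4 to PAGE_SHIFT-1 of the initial stack pointer and leaves it inside the page that was just mapped. A comment such as `/* randomise the initial stack pointer within its page, in 16-byte steps */` would make clear that this step adds only sub-page entropy, and that any larger stack shift has to come from elsewhere in the patch. __bprm_mm_init()'s body continues outside the hunk.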
28375 @@ -474,7 +489,7 @@ int copy_strings_kernel(int argc,char **
28377 mm_segment_t oldfs = get_fs();
28379 - r = copy_strings(argc, (char __user * __user *)argv, bprm);
28380 + r = copy_strings(argc, (__force char __user * __user *)argv, bprm);
28384 @@ -504,7 +519,8 @@ static int shift_arg_pages(struct vm_are
28385 unsigned long new_end = old_end - shift;
28386 struct mmu_gather *tlb;
28388 - BUG_ON(new_start > new_end);
28389 + if (new_start >= new_end || new_start < mmap_min_addr)
28393 * ensure there are no vmas between where we want to go
28394 @@ -513,6 +529,10 @@ static int shift_arg_pages(struct vm_are
28395 if (vma != find_vma(mm, new_start))
28398 +#ifdef CONFIG_PAX_SEGMEXEC
28399 + BUG_ON(pax_find_mirror_vma(vma));
28403 * cover the whole range: [new_start, old_end)
28405 @@ -604,8 +624,28 @@ int setup_arg_pages(struct linux_binprm
28406 bprm->exec -= stack_shift;
28408 down_write(&mm->mmap_sem);
28410 + /* Move stack pages down in memory. */
28411 + if (stack_shift) {
28412 + ret = shift_arg_pages(vma, stack_shift);
28417 vm_flags = VM_STACK_FLAGS;
28419 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
28420 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
28421 + vm_flags &= ~VM_EXEC;
28423 +#ifdef CONFIG_PAX_MPROTECT
28424 + if (mm->pax_flags & MF_PAX_MPROTECT)
28425 + vm_flags &= ~VM_MAYEXEC;
28432 * Adjust stack execute permissions; explicitly enable for
28433 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
28434 @@ -623,13 +663,6 @@ int setup_arg_pages(struct linux_binprm
28436 BUG_ON(prev != vma);
28438 - /* Move stack pages down in memory. */
28439 - if (stack_shift) {
28440 - ret = shift_arg_pages(vma, stack_shift);
28445 stack_expand = EXTRA_STACK_VM_PAGES * PAGE_SIZE;
28446 stack_size = vma->vm_end - vma->vm_start;
28448 @@ -666,7 +699,7 @@ struct file *open_exec(const char *name)
28451 file = do_filp_open(AT_FDCWD, name,
28452 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
28453 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
28454 MAY_EXEC | MAY_OPEN);
28457 @@ -703,7 +736,7 @@ int kernel_read(struct file *file, loff_
28460 /* The cast to a user pointer is valid due to the set_fs() */
28461 - result = vfs_read(file, (void __user *)addr, count, &pos);
28462 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
28466 @@ -1120,7 +1153,7 @@ int check_unsafe_exec(struct linux_binpr
28470 - if (p->fs->users > n_fs) {
28471 + if (atomic_read(&p->fs->users) > n_fs) {
28472 bprm->unsafe |= LSM_UNSAFE_SHARE;
28475 @@ -1316,6 +1349,11 @@ int do_execve(char * filename,
28476 char __user *__user *envp,
28477 struct pt_regs * regs)
28479 +#ifdef CONFIG_GRKERNSEC
28480 + struct file *old_exec_file;
28481 + struct acl_subject_label *old_acl;
28482 + struct rlimit old_rlim[RLIM_NLIMITS];
28484 struct linux_binprm *bprm;
28486 struct files_struct *displaced;
28487 @@ -1352,6 +1390,18 @@ int do_execve(char * filename,
28488 bprm->filename = filename;
28489 bprm->interp = filename;
28491 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
28493 + if (gr_handle_nproc()) {
28494 + retval = -EAGAIN;
28498 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
28499 + retval = -EACCES;
28503 retval = bprm_mm_init(bprm);
28506 @@ -1381,10 +1431,41 @@ int do_execve(char * filename,
28510 + if (!gr_tpe_allow(file)) {
28511 + retval = -EACCES;
28515 + if (gr_check_crash_exec(file)) {
28516 + retval = -EACCES;
28520 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
28522 + gr_handle_exec_args(bprm, argv);
28524 +#ifdef CONFIG_GRKERNSEC
28525 + old_acl = current->acl;
28526 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
28527 + old_exec_file = current->exec_file;
28529 + current->exec_file = file;
28532 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
28533 + bprm->unsafe & LSM_UNSAFE_SHARE);
28537 current->flags &= ~PF_KTHREAD;
28538 retval = search_binary_handler(bprm,regs);
28542 +#ifdef CONFIG_GRKERNSEC
28543 + if (old_exec_file)
28544 + fput(old_exec_file);
28547 current->stack_start = current->mm->start_stack;
28549 @@ -1397,6 +1478,14 @@ int do_execve(char * filename,
28550 put_files_struct(displaced);
28554 +#ifdef CONFIG_GRKERNSEC
28555 + current->acl = old_acl;
28556 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
28557 + fput(current->exec_file);
28558 + current->exec_file = old_exec_file;
28564 @@ -1560,6 +1649,169 @@ out:
28568 +int pax_check_flags(unsigned long *flags)
28572 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
28573 + if (*flags & MF_PAX_SEGMEXEC)
28575 + *flags &= ~MF_PAX_SEGMEXEC;
28576 + retval = -EINVAL;
28580 + if ((*flags & MF_PAX_PAGEEXEC)
28582 +#ifdef CONFIG_PAX_PAGEEXEC
28583 + && (*flags & MF_PAX_SEGMEXEC)
28588 + *flags &= ~MF_PAX_PAGEEXEC;
28589 + retval = -EINVAL;
28592 + if ((*flags & MF_PAX_MPROTECT)
28594 +#ifdef CONFIG_PAX_MPROTECT
28595 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
28600 + *flags &= ~MF_PAX_MPROTECT;
28601 + retval = -EINVAL;
28604 + if ((*flags & MF_PAX_EMUTRAMP)
28606 +#ifdef CONFIG_PAX_EMUTRAMP
28607 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
28612 + *flags &= ~MF_PAX_EMUTRAMP;
28613 + retval = -EINVAL;
28619 +EXPORT_SYMBOL(pax_check_flags);
28621 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
28622 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
28624 + struct task_struct *tsk = current;
28625 + struct mm_struct *mm = current->mm;
28626 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
28627 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
28628 + char *path_exec = NULL;
28629 + char *path_fault = NULL;
28630 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
28632 + if (buffer_exec && buffer_fault) {
28633 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
28635 + down_read(&mm->mmap_sem);
28637 + while (vma && (!vma_exec || !vma_fault)) {
28638 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
28640 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
28642 + vma = vma->vm_next;
28645 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
28646 + if (IS_ERR(path_exec))
28647 + path_exec = "<path too long>";
28649 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
28652 + path_exec = buffer_exec;
28654 + path_exec = "<path too long>";
28658 + start = vma_fault->vm_start;
28659 + end = vma_fault->vm_end;
28660 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
28661 + if (vma_fault->vm_file) {
28662 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
28663 + if (IS_ERR(path_fault))
28664 + path_fault = "<path too long>";
28666 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
28667 + if (path_fault) {
28669 + path_fault = buffer_fault;
28671 + path_fault = "<path too long>";
28674 + path_fault = "<anonymous mapping>";
28676 + up_read(&mm->mmap_sem);
28678 + if (tsk->signal->curr_ip)
28679 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
28681 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
28682 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
28683 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
28684 + task_uid(tsk), task_euid(tsk), pc, sp);
28685 + free_page((unsigned long)buffer_exec);
28686 + free_page((unsigned long)buffer_fault);
28687 + pax_report_insns(pc, sp);
28688 + do_coredump(SIGKILL, SIGKILL, regs);
28692 +#ifdef CONFIG_PAX_REFCOUNT
28693 +void pax_report_refcount_overflow(struct pt_regs *regs)
28695 + if (current->signal->curr_ip)
28696 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
28697 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
28699 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
28700 + current->comm, task_pid_nr(current), current_uid(), current_euid());
28701 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
28703 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
28707 +#ifdef CONFIG_PAX_USERCOPY
28708 +void pax_report_leak_to_user(const void *ptr, unsigned long len)
28710 + if (current->signal->curr_ip)
28711 + printk(KERN_ERR "PAX: From %pI4: kernel memory leak attempt detected from %p (%lu bytes)\n",
28712 + ¤t->signal->curr_ip, ptr, len);
28714 + printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
28716 + do_group_exit(SIGKILL);
28719 +void pax_report_overflow_from_user(const void *ptr, unsigned long len)
28721 + if (current->signal->curr_ip)
28722 + printk(KERN_ERR "PAX: From %pI4: kernel memory overflow attempt detected to %p (%lu bytes)\n",
28723 + ¤t->signal->curr_ip, ptr, len);
28725 + printk(KERN_ERR "PAX: kernel memory overflow attempt detected to %p (%lu bytes)\n", ptr, len);
28727 + do_group_exit(SIGKILL);
28731 static int zap_process(struct task_struct *start)
28733 struct task_struct *t;
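Review bot: pax_report_fault() escapes both path names with `mangle_path(..., "\t\n\\")` but prints `tsk->comm` unescaped in the "terminating task" line, and pax_report_refcount_overflow() does the same with `current->comm`. A task can set its own comm, so a name containing a newline would let the process being killed add text that looks like a separate kernel log line to the record that reports it. Copying comm into a local buffer and replacing control characters before the printk, as sketched below for pax_report_fault(), keeps these reports reliable for whoever triages them. The same treatment would apply to the two printk calls in pax_report_refcount_overflow().

```c
	char comm[TASK_COMM_LEN];
	char *c;

	/* … unchanged: buffer allocation, vma walk, path mangling, "execution attempt" printk … */

	/* comm is chosen by the task itself; neutralise control characters before logging */
	get_task_comm(comm, tsk);
	for (c = comm; *c; c++)
		if ((unsigned char)*c < 0x20 || *c == 0x7f)
			*c = '?';
	printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
			"PC: %p, SP: %p\n", path_exec, comm, task_pid_nr(tsk),
			task_uid(tsk), task_euid(tsk), pc, sp);
```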
28734 @@ -1762,17 +2014,17 @@ static void wait_for_dump_helpers(struct
28735 pipe = file->f_path.dentry->d_inode->i_pipe;
28740 + atomic_inc(&pipe->readers);
28741 + atomic_dec(&pipe->writers);
28743 - while ((pipe->readers > 1) && (!signal_pending(current))) {
28744 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
28745 wake_up_interruptible_sync(&pipe->wait);
28746 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
28752 + atomic_dec(&pipe->readers);
28753 + atomic_inc(&pipe->writers);
28757 @@ -1846,6 +2098,10 @@ void do_coredump(long signr, int exit_co
28759 clear_thread_flag(TIF_SIGPENDING);
28761 + if (signr == SIGKILL || signr == SIGILL)
28762 + gr_handle_brute_attach(current);
28763 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
28766 * lock_kernel() because format_corename() is controlled by sysctl, which
28767 * uses lock_kernel()
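Review bot: The new `signr == SIGKILL || signr == SIGILL` test in do_coredump() has no comment saying why these two signals feed gr_handle_brute_attach(). SIGKILL does not ordinarily reach the core-dump path, so it is worth confirming that half of the condition can be true here. A one-line comment above the test, such as `/* count SIGKILL/SIGILL crashes towards brute-force detection */`, would record the intent. The listing omits some lines of this hunk and do_coredump() continues outside it, so the surrounding error handling could not be checked.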
28768 diff -urNp linux-2.6.33/fs/ext2/balloc.c linux-2.6.33/fs/ext2/balloc.c
28769 --- linux-2.6.33/fs/ext2/balloc.c 2010-02-24 13:52:17.000000000 -0500
28770 +++ linux-2.6.33/fs/ext2/balloc.c 2010-03-07 12:23:36.081714180 -0500
28771 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
28773 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
28774 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
28775 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
28776 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
28777 sbi->s_resuid != current_fsuid() &&
28778 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
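Review bot: Nothing at this call site explains why the reserved-block test moves from `capable()` to `capable_nolog()`, whose definition is outside this page. If the intent is to keep a routine allocation probe from producing a denial log entry, say so with `/* probe only: do not log a missing CAP_SYS_RESOURCE here */`. The same substitution is made in ext3_has_free_blocks() and ext4_has_free_blocks() below. Whether the non-logging variant still records capability use for auditing should be confirmed once for all three.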
28780 diff -urNp linux-2.6.33/fs/ext3/balloc.c linux-2.6.33/fs/ext3/balloc.c
28781 --- linux-2.6.33/fs/ext3/balloc.c 2010-02-24 13:52:17.000000000 -0500
28782 +++ linux-2.6.33/fs/ext3/balloc.c 2010-03-07 12:23:36.081714180 -0500
28783 @@ -1421,7 +1421,7 @@ static int ext3_has_free_blocks(struct e
28785 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
28786 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
28787 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
28788 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
28789 sbi->s_resuid != current_fsuid() &&
28790 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
28792 diff -urNp linux-2.6.33/fs/ext3/namei.c linux-2.6.33/fs/ext3/namei.c
28793 --- linux-2.6.33/fs/ext3/namei.c 2010-02-24 13:52:17.000000000 -0500
28794 +++ linux-2.6.33/fs/ext3/namei.c 2010-03-07 12:23:36.081714180 -0500
28795 @@ -1168,7 +1168,7 @@ static struct ext3_dir_entry_2 *do_split
28796 char *data1 = (*bh)->b_data, *data2;
28797 unsigned split, move, size;
28798 struct ext3_dir_entry_2 *de = NULL, *de2;
28802 bh2 = ext3_append (handle, dir, &newblock, &err);
28804 diff -urNp linux-2.6.33/fs/ext3/xattr.c linux-2.6.33/fs/ext3/xattr.c
28805 --- linux-2.6.33/fs/ext3/xattr.c 2010-02-24 13:52:17.000000000 -0500
28806 +++ linux-2.6.33/fs/ext3/xattr.c 2010-03-07 12:23:36.081714180 -0500
28811 -# define ea_idebug(f...)
28812 -# define ea_bdebug(f...)
28813 +# define ea_idebug(f...) do {} while (0)
28814 +# define ea_bdebug(f...) do {} while (0)
28817 static void ext3_xattr_cache_insert(struct buffer_head *);
28818 diff -urNp linux-2.6.33/fs/ext4/balloc.c linux-2.6.33/fs/ext4/balloc.c
28819 --- linux-2.6.33/fs/ext4/balloc.c 2010-02-24 13:52:17.000000000 -0500
28820 +++ linux-2.6.33/fs/ext4/balloc.c 2010-03-07 12:23:36.081714180 -0500
28821 @@ -535,7 +535,7 @@ int ext4_has_free_blocks(struct ext4_sb_
28822 /* Hm, nope. Are (enough) root reserved blocks available? */
28823 if (sbi->s_resuid == current_fsuid() ||
28824 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
28825 - capable(CAP_SYS_RESOURCE)) {
28826 + capable_nolog(CAP_SYS_RESOURCE)) {
28827 if (free_blocks >= (nblocks + dirty_blocks))
28830 diff -urNp linux-2.6.33/fs/ext4/ioctl.c linux-2.6.33/fs/ext4/ioctl.c
28831 --- linux-2.6.33/fs/ext4/ioctl.c 2010-02-24 13:52:17.000000000 -0500
28832 +++ linux-2.6.33/fs/ext4/ioctl.c 2010-03-07 12:23:36.081714180 -0500
28833 @@ -221,6 +221,9 @@ setversion_out:
28834 struct file *donor_filp;
28837 + /* temporary workaround for bugs in here */
28838 + return -EOPNOTSUPP;
28840 if (!(filp->f_mode & FMODE_READ) ||
28841 !(filp->f_mode & FMODE_WRITE))
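Review bot: The comment `/* temporary workaround for bugs in here */` does not name the bug or say when the early `return -EOPNOTSUPP;` can be removed, and every statement after it in this case becomes unreachable. Replace it with something a later maintainer can act on, e.g. `/* disabled: <bug reference>; re-enable once <condition> */`. Consider compiling the dead body out as well, so it neither bit-rots nor triggers unreachable-code warnings. The case label and the rest of the body are outside the hunk.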
28843 diff -urNp linux-2.6.33/fs/ext4/namei.c linux-2.6.33/fs/ext4/namei.c
28844 --- linux-2.6.33/fs/ext4/namei.c 2010-02-24 13:52:17.000000000 -0500
28845 +++ linux-2.6.33/fs/ext4/namei.c 2010-03-07 12:23:36.081714180 -0500
28846 @@ -1203,7 +1203,7 @@ static struct ext4_dir_entry_2 *do_split
28847 char *data1 = (*bh)->b_data, *data2;
28848 unsigned split, move, size;
28849 struct ext4_dir_entry_2 *de = NULL, *de2;
28853 bh2 = ext4_append (handle, dir, &newblock, &err);
28855 diff -urNp linux-2.6.33/fs/ext4/super.c linux-2.6.33/fs/ext4/super.c
28856 --- linux-2.6.33/fs/ext4/super.c 2010-02-24 13:52:17.000000000 -0500
28857 +++ linux-2.6.33/fs/ext4/super.c 2010-03-07 12:23:36.085722338 -0500
28858 @@ -2292,7 +2292,7 @@ static void ext4_sb_release(struct kobje
28862 -static struct sysfs_ops ext4_attr_ops = {
28863 +static const struct sysfs_ops ext4_attr_ops = {
28864 .show = ext4_attr_show,
28865 .store = ext4_attr_store,
28867 diff -urNp linux-2.6.33/fs/fcntl.c linux-2.6.33/fs/fcntl.c
28868 --- linux-2.6.33/fs/fcntl.c 2010-02-24 13:52:17.000000000 -0500
28869 +++ linux-2.6.33/fs/fcntl.c 2010-03-07 12:23:36.085722338 -0500
28870 @@ -344,6 +344,7 @@ static long do_fcntl(int fd, unsigned in
28873 case F_DUPFD_CLOEXEC:
28874 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
28875 if (arg >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
28877 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
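Review bot: The final argument of `gr_learn_resource(current, RLIMIT_NOFILE, arg, 0)` is a bare `0` here and in expand_files() in fs/file.c, but `1` at the do_coredump() call earlier on this page, and nothing visible says what it selects. It appears to pick between a `>` and a `>=` comparison against the limit, but that is inferred from the neighbouring tests and should be stated in a comment at each call. Note also that `arg` is handed over before the `rlim_cur` check, so the learning code sees the raw caller-supplied value. That looks intentional and could be recorded as `/* learn the requested fd before the limit check rejects it */`.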
28878 @@ -500,7 +501,8 @@ static inline int sigio_perm(struct task
28879 ret = ((fown->euid == 0 ||
28880 fown->euid == cred->suid || fown->euid == cred->uid ||
28881 fown->uid == cred->suid || fown->uid == cred->uid) &&
28882 - !security_file_send_sigiotask(p, fown, sig));
28883 + !security_file_send_sigiotask(p, fown, sig) &&
28884 + !gr_check_protected_task(p) && !gr_pid_is_chrooted(p));
28888 diff -urNp linux-2.6.33/fs/fifo.c linux-2.6.33/fs/fifo.c
28889 --- linux-2.6.33/fs/fifo.c 2010-02-24 13:52:17.000000000 -0500
28890 +++ linux-2.6.33/fs/fifo.c 2010-03-07 12:23:36.085722338 -0500
28891 @@ -59,10 +59,10 @@ static int fifo_open(struct inode *inode
28893 filp->f_op = &read_pipefifo_fops;
28895 - if (pipe->readers++ == 0)
28896 + if (atomic_inc_return(&pipe->readers) == 1)
28897 wake_up_partner(inode);
28899 - if (!pipe->writers) {
28900 + if (!atomic_read(&pipe->writers)) {
28901 if ((filp->f_flags & O_NONBLOCK)) {
28902 /* suppress POLLHUP until we have
28904 @@ -83,15 +83,15 @@ static int fifo_open(struct inode *inode
28905 * errno=ENXIO when there is no process reading the FIFO.
28908 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
28909 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
28912 filp->f_op = &write_pipefifo_fops;
28914 - if (!pipe->writers++)
28915 + if (atomic_inc_return(&pipe->writers) == 1)
28916 wake_up_partner(inode);
28918 - if (!pipe->readers) {
28919 + if (!atomic_read(&pipe->readers)) {
28920 wait_for_partner(inode, &pipe->r_counter);
28921 if (signal_pending(current))
28923 @@ -107,11 +107,11 @@ static int fifo_open(struct inode *inode
28925 filp->f_op = &rdwr_pipefifo_fops;
28929 + atomic_inc(&pipe->readers);
28930 + atomic_inc(&pipe->writers);
28933 - if (pipe->readers == 1 || pipe->writers == 1)
28934 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
28935 wake_up_partner(inode);
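Review bot: The read-write branch increments with `atomic_inc()` and then re-reads both counters with `atomic_read()`, whereas the read-only and write-only branches above act on the value returned by `atomic_inc_return()`. The two-step form is only equivalent while whatever lock fifo_open() takes outside these hunks serializes every change to `pipe->readers` and `pipe->writers`. The same holds for the paired `atomic_read()` test before `free_pipe_info()` in the last hunk. A comment such as `/* counters are atomic_t for overflow checking; the inode lock still serializes them */` would stop a later reader from treating the atomics as the synchronization, though that wording is a guess at the intent and needs confirming.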
28938 @@ -125,19 +125,19 @@ static int fifo_open(struct inode *inode
28942 - if (!--pipe->readers)
28943 + if (atomic_dec_and_test(&pipe->readers))
28944 wake_up_interruptible(&pipe->wait);
28945 ret = -ERESTARTSYS;
28949 - if (!--pipe->writers)
28950 + if (atomic_dec_and_test(&pipe->writers))
28951 wake_up_interruptible(&pipe->wait);
28952 ret = -ERESTARTSYS;
28956 - if (!pipe->readers && !pipe->writers)
28957 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
28958 free_pipe_info(inode);
28961 diff -urNp linux-2.6.33/fs/file.c linux-2.6.33/fs/file.c
28962 --- linux-2.6.33/fs/file.c 2010-02-24 13:52:17.000000000 -0500
28963 +++ linux-2.6.33/fs/file.c 2010-03-07 12:23:36.085722338 -0500
28965 #include <linux/slab.h>
28966 #include <linux/vmalloc.h>
28967 #include <linux/file.h>
28968 +#include <linux/security.h>
28969 #include <linux/fdtable.h>
28970 #include <linux/bitops.h>
28971 #include <linux/interrupt.h>
28972 @@ -257,6 +258,8 @@ int expand_files(struct files_struct *fi
28973 * N.B. For clone tasks sharing a files structure, this test
28974 * will limit the total number of files that can be opened.
28977 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
28978 if (nr >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
28981 diff -urNp linux-2.6.33/fs/fs_struct.c linux-2.6.33/fs/fs_struct.c
28982 --- linux-2.6.33/fs/fs_struct.c 2010-02-24 13:52:17.000000000 -0500
28983 +++ linux-2.6.33/fs/fs_struct.c 2010-03-07 12:23:36.085722338 -0500
28984 @@ -45,10 +45,12 @@ void chroot_fs_refs(struct path *old_roo
28985 struct task_struct *g, *p;
28986 struct fs_struct *fs;
28988 + unsigned long flags;
28990 read_lock(&tasklist_lock);
28991 do_each_thread(g, p) {
28993 + gr_fs_write_lock_irqsave(p, flags);
28996 write_lock(&fs->lock);
28997 @@ -66,6 +68,7 @@ void chroot_fs_refs(struct path *old_roo
28999 write_unlock(&fs->lock);
29001 + gr_fs_write_unlock_irqrestore(p, flags);
29003 } while_each_thread(g, p);
29004 read_unlock(&tasklist_lock);
29005 @@ -83,14 +86,17 @@ void free_fs_struct(struct fs_struct *fs
29006 void exit_fs(struct task_struct *tsk)
29008 struct fs_struct *fs = tsk->fs;
29009 + unsigned long flags;
29014 + gr_fs_write_lock_irqsave(tsk, flags);
29015 write_lock(&fs->lock);
29017 - kill = !--fs->users;
29018 + kill = !atomic_dec_return(&fs->users);
29019 write_unlock(&fs->lock);
29020 + gr_fs_write_unlock_irqrestore(tsk, flags);
29023 free_fs_struct(fs);
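Review bot: `kill = !atomic_dec_return(&fs->users);` is the long form of `kill = atomic_dec_and_test(&fs->users);`, which the fifo.c changes in this same patch already use for the pipe counters. The same line appears in unshare_fs_struct() and daemonize_fs_struct() below. Separately, the new `gr_fs_write_lock_irqsave()` is taken outside `fs->lock` in every hunk of this file, and inside `tasklist_lock` in chroot_fs_refs(). That nesting order is not written down anywhere visible, so a short comment at the first use would help. Parts of exit_fs() are outside the hunk.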
29024 @@ -102,7 +108,7 @@ struct fs_struct *copy_fs_struct(struct
29025 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
29026 /* We don't need to lock fs - think why ;-) */
29029 + atomic_set(&fs->users, 1);
29031 rwlock_init(&fs->lock);
29032 fs->umask = old->umask;
29033 @@ -121,15 +127,18 @@ int unshare_fs_struct(void)
29034 struct fs_struct *fs = current->fs;
29035 struct fs_struct *new_fs = copy_fs_struct(fs);
29037 + unsigned long flags;
29042 task_lock(current);
29043 + gr_fs_write_lock_irqsave(current, flags);
29044 write_lock(&fs->lock);
29045 - kill = !--fs->users;
29046 + kill = !atomic_dec_return(&fs->users);
29047 current->fs = new_fs;
29048 write_unlock(&fs->lock);
29049 + gr_fs_write_unlock_irqrestore(current, flags);
29050 task_unlock(current);
29053 @@ -147,7 +156,7 @@ EXPORT_SYMBOL(current_umask);
29055 /* to be mentioned only in INIT_TASK */
29056 struct fs_struct init_fs = {
29058 + .users = ATOMIC_INIT(1),
29059 .lock = __RW_LOCK_UNLOCKED(init_fs.lock),
29062 @@ -155,6 +164,7 @@ struct fs_struct init_fs = {
29063 void daemonize_fs_struct(void)
29065 struct fs_struct *fs = current->fs;
29066 + unsigned long flags;
29070 @@ -162,13 +172,15 @@ void daemonize_fs_struct(void)
29071 task_lock(current);
29073 write_lock(&init_fs.lock);
29075 + atomic_inc(&init_fs.users);
29076 write_unlock(&init_fs.lock);
29078 + gr_fs_write_lock_irqsave(current, flags);
29079 write_lock(&fs->lock);
29080 current->fs = &init_fs;
29081 - kill = !--fs->users;
29082 + kill = !atomic_dec_return(&fs->users);
29083 write_unlock(&fs->lock);
29084 + gr_fs_write_unlock_irqrestore(current, flags);
29086 task_unlock(current);
29088 diff -urNp linux-2.6.33/fs/fuse/control.c linux-2.6.33/fs/fuse/control.c
29089 --- linux-2.6.33/fs/fuse/control.c 2010-02-24 13:52:17.000000000 -0500
29090 +++ linux-2.6.33/fs/fuse/control.c 2010-03-07 12:23:36.085722338 -0500
29091 @@ -293,7 +293,7 @@ void fuse_ctl_remove_conn(struct fuse_co
29093 static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
29095 - struct tree_descr empty_descr = {""};
29096 + struct tree_descr empty_descr = {"", NULL, 0};
29097 struct fuse_conn *fc;
29100 diff -urNp linux-2.6.33/fs/fuse/cuse.c linux-2.6.33/fs/fuse/cuse.c
29101 --- linux-2.6.33/fs/fuse/cuse.c 2010-02-24 13:52:17.000000000 -0500
29102 +++ linux-2.6.33/fs/fuse/cuse.c 2010-03-07 12:23:36.085722338 -0500
29103 @@ -528,8 +528,18 @@ static int cuse_channel_release(struct i
29107 -static struct file_operations cuse_channel_fops; /* initialized during init */
29109 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
29110 + .owner = THIS_MODULE,
29111 + .llseek = no_llseek,
29112 + .read = do_sync_read,
29113 + .aio_read = fuse_dev_read,
29114 + .write = do_sync_write,
29115 + .aio_write = fuse_dev_write,
29116 + .poll = fuse_dev_poll,
29117 + .open = cuse_channel_open,
29118 + .release = cuse_channel_release,
29119 + .fasync = fuse_dev_fasync,
29122 /**************************************************************************
29123 * Misc stuff and module initializatiion
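Review bot: The retained comment `/* initialized during init */` on `cuse_channel_fops` is now wrong: the table is a `const` static initializer and the assignments in cuse_init() are removed in the next hunk. Drop it or replace it with `/* copy of fuse_dev_operations with owner, open and release overridden */`. Because the table is now a hand-written copy, an operation later added to `fuse_dev_operations` will no longer be inherited. That is the cost of making the structure read-only, and the replacement comment should say so.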
29124 @@ -575,12 +585,6 @@ static int __init cuse_init(void)
29125 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
29126 INIT_LIST_HEAD(&cuse_conntbl[i]);
29128 - /* inherit and extend fuse_dev_operations */
29129 - cuse_channel_fops = fuse_dev_operations;
29130 - cuse_channel_fops.owner = THIS_MODULE;
29131 - cuse_channel_fops.open = cuse_channel_open;
29132 - cuse_channel_fops.release = cuse_channel_release;
29134 cuse_class = class_create(THIS_MODULE, "cuse");
29135 if (IS_ERR(cuse_class))
29136 return PTR_ERR(cuse_class);
29137 diff -urNp linux-2.6.33/fs/fuse/dev.c linux-2.6.33/fs/fuse/dev.c
29138 --- linux-2.6.33/fs/fuse/dev.c 2010-02-24 13:52:17.000000000 -0500
29139 +++ linux-2.6.33/fs/fuse/dev.c 2010-03-07 12:23:36.085722338 -0500
29140 @@ -745,7 +745,7 @@ __releases(&fc->lock)
29141 * request_end(). Otherwise add it to the processing list, and set
29144 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
29145 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
29146 unsigned long nr_segs, loff_t pos)
29149 @@ -828,6 +828,8 @@ static ssize_t fuse_dev_read(struct kioc
29153 +EXPORT_SYMBOL_GPL(fuse_dev_read);
29155 static int fuse_notify_poll(struct fuse_conn *fc, unsigned int size,
29156 struct fuse_copy_state *cs)
29158 @@ -885,7 +887,7 @@ static int fuse_notify_inval_entry(struc
29160 struct fuse_notify_inval_entry_out outarg;
29162 - char buf[FUSE_NAME_MAX+1];
29163 + char *buf = NULL;
29166 if (size < sizeof(outarg))
29167 @@ -899,6 +901,11 @@ static int fuse_notify_inval_entry(struc
29168 if (outarg.namelen > FUSE_NAME_MAX)
29172 + buf = kmalloc(FUSE_NAME_MAX+1, GFP_KERNEL);
29177 name.len = outarg.namelen;
29178 err = fuse_copy_one(cs, buf, outarg.namelen + 1);
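Review bot: `buf = kmalloc(FUSE_NAME_MAX+1, GFP_KERNEL);` always requests the maximum size, although `outarg.namelen` has already been bounded by the check just above and only `outarg.namelen + 1` bytes are copied. `buf = kmalloc(outarg.namelen + 1, GFP_KERNEL);` would be enough. The listing omits the lines that follow the allocation, so confirm that a NULL return is handled before `fuse_copy_one()`. Also confirm that every exit path in the next hunk frees `buf`, including the early errors taken before the allocation, where `buf` is still NULL. fuse_notify_inval_entry() starts and ends outside this hunk.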
29179 @@ -910,17 +917,15 @@ static int fuse_notify_inval_entry(struc
29181 down_read(&fc->killsb);
29186 - err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
29190 + err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
29191 up_read(&fc->killsb);
29196 fuse_copy_finish(cs);
29201 @@ -987,7 +992,7 @@ static int copy_out_args(struct fuse_cop
29202 * it from the list and copy the rest of the buffer to the request.
29203 * The request is finished by calling request_end()
29205 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
29206 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
29207 unsigned long nr_segs, loff_t pos)
29210 @@ -1084,7 +1089,9 @@ static ssize_t fuse_dev_write(struct kio
29214 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
29215 +EXPORT_SYMBOL_GPL(fuse_dev_write);
29217 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
29219 unsigned mask = POLLOUT | POLLWRNORM;
29220 struct fuse_conn *fc = fuse_get_conn(file);
29221 @@ -1103,6 +1110,8 @@ static unsigned fuse_dev_poll(struct fil
29225 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
29228 * Abort all requests on the given list (pending or processing)
29230 @@ -1210,7 +1219,7 @@ int fuse_dev_release(struct inode *inode
29232 EXPORT_SYMBOL_GPL(fuse_dev_release);
29234 -static int fuse_dev_fasync(int fd, struct file *file, int on)
29235 +int fuse_dev_fasync(int fd, struct file *file, int on)
29237 struct fuse_conn *fc = fuse_get_conn(file);
29239 @@ -1220,6 +1229,8 @@ static int fuse_dev_fasync(int fd, struc
29240 return fasync_helper(fd, file, on, &fc->fasync);
29243 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
29245 const struct file_operations fuse_dev_operations = {
29246 .owner = THIS_MODULE,
29247 .llseek = no_llseek,
29248 diff -urNp linux-2.6.33/fs/fuse/dir.c linux-2.6.33/fs/fuse/dir.c
29249 --- linux-2.6.33/fs/fuse/dir.c 2010-02-24 13:52:17.000000000 -0500
29250 +++ linux-2.6.33/fs/fuse/dir.c 2010-03-07 12:23:36.085722338 -0500
29251 @@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
29255 -static void free_link(char *link)
29256 +static void free_link(const char *link)
29259 free_page((unsigned long) link);
29260 diff -urNp linux-2.6.33/fs/fuse/fuse_i.h linux-2.6.33/fs/fuse/fuse_i.h
29261 --- linux-2.6.33/fs/fuse/fuse_i.h 2010-02-24 13:52:17.000000000 -0500
29262 +++ linux-2.6.33/fs/fuse/fuse_i.h 2010-03-07 12:23:36.085722338 -0500
29263 @@ -521,6 +521,16 @@ extern const struct file_operations fuse
29265 extern const struct dentry_operations fuse_dentry_operations;
29267 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
29268 + unsigned long nr_segs, loff_t pos);
29270 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
29271 + unsigned long nr_segs, loff_t pos);
29273 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
29275 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
29278 * Inode to nodeid comparison.
29280 diff -urNp linux-2.6.33/fs/gfs2/sys.c linux-2.6.33/fs/gfs2/sys.c
29281 --- linux-2.6.33/fs/gfs2/sys.c 2010-02-24 13:52:17.000000000 -0500
29282 +++ linux-2.6.33/fs/gfs2/sys.c 2010-03-07 12:23:36.085722338 -0500
29283 @@ -49,7 +49,7 @@ static ssize_t gfs2_attr_store(struct ko
29284 return a->store ? a->store(sdp, buf, len) : len;
29287 -static struct sysfs_ops gfs2_attr_ops = {
29288 +static const struct sysfs_ops gfs2_attr_ops = {
29289 .show = gfs2_attr_show,
29290 .store = gfs2_attr_store,
29292 @@ -576,7 +576,7 @@ static int gfs2_uevent(struct kset *kset
29296 -static struct kset_uevent_ops gfs2_uevent_ops = {
29297 +static const struct kset_uevent_ops gfs2_uevent_ops = {
29298 .uevent = gfs2_uevent,
29301 diff -urNp linux-2.6.33/fs/hfs/inode.c linux-2.6.33/fs/hfs/inode.c
29302 --- linux-2.6.33/fs/hfs/inode.c 2010-02-24 13:52:17.000000000 -0500
29303 +++ linux-2.6.33/fs/hfs/inode.c 2010-03-07 12:23:36.085722338 -0500
29304 @@ -423,7 +423,7 @@ int hfs_write_inode(struct inode *inode,
29306 if (S_ISDIR(main_inode->i_mode)) {
29307 if (fd.entrylength < sizeof(struct hfs_cat_dir))
29310 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
29311 sizeof(struct hfs_cat_dir));
29312 if (rec.type != HFS_CDR_DIR ||
29313 @@ -444,7 +444,7 @@ int hfs_write_inode(struct inode *inode,
29314 sizeof(struct hfs_cat_file));
29316 if (fd.entrylength < sizeof(struct hfs_cat_file))
29319 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
29320 sizeof(struct hfs_cat_file));
29321 if (rec.type != HFS_CDR_FIL ||
29322 diff -urNp linux-2.6.33/fs/hfsplus/inode.c linux-2.6.33/fs/hfsplus/inode.c
29323 --- linux-2.6.33/fs/hfsplus/inode.c 2010-02-24 13:52:17.000000000 -0500
29324 +++ linux-2.6.33/fs/hfsplus/inode.c 2010-03-07 12:23:36.085722338 -0500
29325 @@ -406,7 +406,7 @@ int hfsplus_cat_read_inode(struct inode
29326 struct hfsplus_cat_folder *folder = &entry.folder;
29328 if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
29331 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
29332 sizeof(struct hfsplus_cat_folder));
29333 hfsplus_get_perms(inode, &folder->permissions, 1);
29334 @@ -423,7 +423,7 @@ int hfsplus_cat_read_inode(struct inode
29335 struct hfsplus_cat_file *file = &entry.file;
29337 if (fd->entrylength < sizeof(struct hfsplus_cat_file))
29340 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
29341 sizeof(struct hfsplus_cat_file));
29343 @@ -479,7 +479,7 @@ int hfsplus_cat_write_inode(struct inode
29344 struct hfsplus_cat_folder *folder = &entry.folder;
29346 if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
29349 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
29350 sizeof(struct hfsplus_cat_folder));
29351 /* simple node checks? */
29352 @@ -501,7 +501,7 @@ int hfsplus_cat_write_inode(struct inode
29353 struct hfsplus_cat_file *file = &entry.file;
29355 if (fd.entrylength < sizeof(struct hfsplus_cat_file))
29358 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
29359 sizeof(struct hfsplus_cat_file));
29360 hfsplus_inode_write_fork(inode, &file->data_fork);
29361 diff -urNp linux-2.6.33/fs/ioctl.c linux-2.6.33/fs/ioctl.c
29362 --- linux-2.6.33/fs/ioctl.c 2010-02-24 13:52:17.000000000 -0500
29363 +++ linux-2.6.33/fs/ioctl.c 2010-03-07 12:23:36.085722338 -0500
29364 @@ -97,7 +97,7 @@ int fiemap_fill_next_extent(struct fiema
29365 u64 phys, u64 len, u32 flags)
29367 struct fiemap_extent extent;
29368 - struct fiemap_extent *dest = fieinfo->fi_extents_start;
29369 + struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
29371 /* only count the extents */
29372 if (fieinfo->fi_extents_max == 0) {
29373 @@ -207,7 +207,7 @@ static int ioctl_fiemap(struct file *fil
29375 fieinfo.fi_flags = fiemap.fm_flags;
29376 fieinfo.fi_extents_max = fiemap.fm_extent_count;
29377 - fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
29378 + fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
29380 if (fiemap.fm_extent_count != 0 &&
29381 !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
29382 @@ -220,7 +220,7 @@ static int ioctl_fiemap(struct file *fil
29383 error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
29384 fiemap.fm_flags = fieinfo.fi_flags;
29385 fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
29386 - if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
29387 + if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
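Review bot: The cast `(__force char __user *)arg` uses `__force`, which silences sparse's address-space checking, where a plain `__user` cast appears sufficient. `arg` is used in integer arithmetic in the previous hunk, and that hunk casts to `struct fiemap_extent __user *` without `__force`. Prefer `if (copy_to_user((void __user *)arg, &fiemap, sizeof(fiemap)))` and keep `__force` for places where an annotation really has to be overridden. ioctl_fiemap() continues outside the hunk.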
29391 diff -urNp linux-2.6.33/fs/jffs2/debug.h linux-2.6.33/fs/jffs2/debug.h
29392 --- linux-2.6.33/fs/jffs2/debug.h 2010-02-24 13:52:17.000000000 -0500
29393 +++ linux-2.6.33/fs/jffs2/debug.h 2010-03-07 12:23:36.085722338 -0500
29394 @@ -52,13 +52,13 @@
29395 #if CONFIG_JFFS2_FS_DEBUG > 0
29399 +#define D1(x) do {} while (0);
29402 #if CONFIG_JFFS2_FS_DEBUG > 1
29406 +#define D2(x) do {} while (0);
29409 /* The prefixes of JFFS2 messages */
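Review bot: `#define D1(x) do {} while (0);` and `#define D2(x) do {} while (0);` end with a semicolon, which defeats the purpose of the `do {} while (0)` form. With it, `if (c) D1(...); else ...` expands to two statements and no longer compiles. Every other stub converted in this file omits the semicolon. Use `#define D1(x) do {} while (0)` and `#define D2(x) do {} while (0)`.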
29410 @@ -114,73 +114,73 @@
29411 #ifdef JFFS2_DBG_READINODE_MESSAGES
29412 #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29414 -#define dbg_readinode(fmt, ...)
29415 +#define dbg_readinode(fmt, ...) do {} while (0)
29417 #ifdef JFFS2_DBG_READINODE2_MESSAGES
29418 #define dbg_readinode2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29420 -#define dbg_readinode2(fmt, ...)
29421 +#define dbg_readinode2(fmt, ...) do {} while (0)
29424 /* Fragtree build debugging messages */
29425 #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
29426 #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29428 -#define dbg_fragtree(fmt, ...)
29429 +#define dbg_fragtree(fmt, ...) do {} while (0)
29431 #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
29432 #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29434 -#define dbg_fragtree2(fmt, ...)
29435 +#define dbg_fragtree2(fmt, ...) do {} while (0)
29438 /* Directory entry list manilulation debugging messages */
29439 #ifdef JFFS2_DBG_DENTLIST_MESSAGES
29440 #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29442 -#define dbg_dentlist(fmt, ...)
29443 +#define dbg_dentlist(fmt, ...) do {} while (0)
29446 /* Print the messages about manipulating node_refs */
29447 #ifdef JFFS2_DBG_NODEREF_MESSAGES
29448 #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29450 -#define dbg_noderef(fmt, ...)
29451 +#define dbg_noderef(fmt, ...) do {} while (0)
29454 /* Manipulations with the list of inodes (JFFS2 inocache) */
29455 #ifdef JFFS2_DBG_INOCACHE_MESSAGES
29456 #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29458 -#define dbg_inocache(fmt, ...)
29459 +#define dbg_inocache(fmt, ...) do {} while (0)
29462 /* Summary debugging messages */
29463 #ifdef JFFS2_DBG_SUMMARY_MESSAGES
29464 #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29466 -#define dbg_summary(fmt, ...)
29467 +#define dbg_summary(fmt, ...) do {} while (0)
29470 /* File system build messages */
29471 #ifdef JFFS2_DBG_FSBUILD_MESSAGES
29472 #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29474 -#define dbg_fsbuild(fmt, ...)
29475 +#define dbg_fsbuild(fmt, ...) do {} while (0)
29478 /* Watch the object allocations */
29479 #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
29480 #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29482 -#define dbg_memalloc(fmt, ...)
29483 +#define dbg_memalloc(fmt, ...) do {} while (0)
29486 /* Watch the XATTR subsystem */
29487 #ifdef JFFS2_DBG_XATTR_MESSAGES
29488 #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29490 -#define dbg_xattr(fmt, ...)
29491 +#define dbg_xattr(fmt, ...) do {} while (0)
29494 /* "Sanity" checks */
29495 diff -urNp linux-2.6.33/fs/jffs2/erase.c linux-2.6.33/fs/jffs2/erase.c
29496 --- linux-2.6.33/fs/jffs2/erase.c 2010-02-24 13:52:17.000000000 -0500
29497 +++ linux-2.6.33/fs/jffs2/erase.c 2010-03-07 12:23:36.085722338 -0500
29498 @@ -434,7 +434,8 @@ static void jffs2_mark_erased_block(stru
29499 struct jffs2_unknown_node marker = {
29500 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
29501 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
29502 - .totlen = cpu_to_je32(c->cleanmarker_size)
29503 + .totlen = cpu_to_je32(c->cleanmarker_size),
29504 + .hdr_crc = cpu_to_je32(0)
29507 jffs2_prealloc_raw_node_refs(c, jeb, 1);
29508 diff -urNp linux-2.6.33/fs/jffs2/summary.h linux-2.6.33/fs/jffs2/summary.h
29509 --- linux-2.6.33/fs/jffs2/summary.h 2010-02-24 13:52:17.000000000 -0500
29510 +++ linux-2.6.33/fs/jffs2/summary.h 2010-03-07 12:23:36.089622247 -0500
29511 @@ -194,18 +194,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
29513 #define jffs2_sum_active() (0)
29514 #define jffs2_sum_init(a) (0)
29515 -#define jffs2_sum_exit(a)
29516 -#define jffs2_sum_disable_collecting(a)
29517 +#define jffs2_sum_exit(a) do {} while (0)
29518 +#define jffs2_sum_disable_collecting(a) do {} while (0)
29519 #define jffs2_sum_is_disabled(a) (0)
29520 -#define jffs2_sum_reset_collected(a)
29521 +#define jffs2_sum_reset_collected(a) do {} while (0)
29522 #define jffs2_sum_add_kvec(a,b,c,d) (0)
29523 -#define jffs2_sum_move_collected(a,b)
29524 +#define jffs2_sum_move_collected(a,b) do {} while (0)
29525 #define jffs2_sum_write_sumnode(a) (0)
29526 -#define jffs2_sum_add_padding_mem(a,b)
29527 -#define jffs2_sum_add_inode_mem(a,b,c)
29528 -#define jffs2_sum_add_dirent_mem(a,b,c)
29529 -#define jffs2_sum_add_xattr_mem(a,b,c)
29530 -#define jffs2_sum_add_xref_mem(a,b,c)
29531 +#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
29532 +#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
29533 +#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
29534 +#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
29535 +#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
29536 #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
29538 #endif /* CONFIG_JFFS2_SUMMARY */
29539 diff -urNp linux-2.6.33/fs/jffs2/wbuf.c linux-2.6.33/fs/jffs2/wbuf.c
29540 --- linux-2.6.33/fs/jffs2/wbuf.c 2010-02-24 13:52:17.000000000 -0500
29541 +++ linux-2.6.33/fs/jffs2/wbuf.c 2010-03-07 12:23:36.089622247 -0500
29542 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
29544 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
29545 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
29546 - .totlen = constant_cpu_to_je32(8)
29547 + .totlen = constant_cpu_to_je32(8),
29548 + .hdr_crc = constant_cpu_to_je32(0)
29552 diff -urNp linux-2.6.33/fs/lockd/svc.c linux-2.6.33/fs/lockd/svc.c
29553 --- linux-2.6.33/fs/lockd/svc.c 2010-02-24 13:52:17.000000000 -0500
29554 +++ linux-2.6.33/fs/lockd/svc.c 2010-03-07 12:23:36.089622247 -0500
29557 static struct svc_program nlmsvc_program;
29559 -struct nlmsvc_binding * nlmsvc_ops;
29560 +const struct nlmsvc_binding * nlmsvc_ops;
29561 EXPORT_SYMBOL_GPL(nlmsvc_ops);
29563 static DEFINE_MUTEX(nlmsvc_mutex);
29564 diff -urNp linux-2.6.33/fs/locks.c linux-2.6.33/fs/locks.c
29565 --- linux-2.6.33/fs/locks.c 2010-02-24 13:52:17.000000000 -0500
29566 +++ linux-2.6.33/fs/locks.c 2010-03-07 12:23:36.089622247 -0500
29567 @@ -2007,16 +2007,16 @@ void locks_remove_flock(struct file *fil
29570 if (filp->f_op && filp->f_op->flock) {
29571 - struct file_lock fl = {
29572 + struct file_lock flock = {
29573 .fl_pid = current->tgid,
29575 .fl_flags = FL_FLOCK,
29576 .fl_type = F_UNLCK,
29577 .fl_end = OFFSET_MAX,
29579 - filp->f_op->flock(filp, F_SETLKW, &fl);
29580 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
29581 - fl.fl_ops->fl_release_private(&fl);
29582 + filp->f_op->flock(filp, F_SETLKW, &flock);
29583 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
29584 + flock.fl_ops->fl_release_private(&flock);
29588 diff -urNp linux-2.6.33/fs/namei.c linux-2.6.33/fs/namei.c
29589 --- linux-2.6.33/fs/namei.c 2010-02-24 13:52:17.000000000 -0500
29590 +++ linux-2.6.33/fs/namei.c 2010-03-07 12:23:36.089622247 -0500
29591 @@ -565,7 +565,7 @@ static __always_inline int __do_follow_l
29592 cookie = dentry->d_inode->i_op->follow_link(dentry, nd);
29593 error = PTR_ERR(cookie);
29594 if (!IS_ERR(cookie)) {
29595 - char *s = nd_get_link(nd);
29596 + const char *s = nd_get_link(nd);
29599 error = __vfs_follow_link(nd, s);
29600 @@ -599,6 +599,13 @@ static inline int do_follow_link(struct
29601 err = security_inode_follow_link(path->dentry, nd);
29605 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
29606 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
29611 current->link_count++;
29612 current->total_link_count++;
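Review bot: The call reads `path->dentry->d_parent->d_inode` with no lock or reference visible in the hunk, so a concurrent rename could in principle make the policy check look at a different directory than the one the link is being followed from. If nothing outside the hunk pins the parent, take it with `dget_parent(path->dentry)` and `dput()` it after the check. The same expression is passed to gr_handle_follow_link() in the `do_link:` hunk of do_filp_open() further down. The listing omits the lines inside the `if` body, so the error path could not be reviewed.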
29614 @@ -994,11 +1001,18 @@ return_reval:
29618 + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
29619 + path_put(&nd->path);
29624 path_put_conditional(&next, nd);
29627 + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
29630 path_put(&nd->path);
29633 @@ -1552,12 +1566,19 @@ static int __open_namei_create(struct na
29635 struct dentry *dir = nd->path.dentry;
29637 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, flag, mode)) {
29642 if (!IS_POSIXACL(dir->d_inode))
29643 mode &= ~current_umask();
29644 error = security_path_mknod(&nd->path, path->dentry, mode, 0);
29647 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
29649 + gr_handle_create(path->dentry, nd->path.mnt);
29651 mutex_unlock(&dir->d_inode->i_mutex);
29652 dput(nd->path.dentry);
29653 @@ -1665,6 +1686,22 @@ struct file *do_filp_open(int dfd, const
29654 release_open_intent(&nd);
29656 return ERR_PTR(error);
29658 + if (gr_handle_rofs_blockwrite(nd.path.dentry, nd.path.mnt, acc_mode)) {
29663 + if (gr_handle_rawio(nd.path.dentry->d_inode)) {
29668 + if (!gr_acl_handle_open(nd.path.dentry, nd.path.mnt, flag)) {
29676 @@ -1758,6 +1795,24 @@ do_last:
29678 * It already exists.
29681 + if (gr_handle_rofs_blockwrite(path.dentry, nd.path.mnt, acc_mode)) {
29683 + goto exit_mutex_unlock;
29685 + if (gr_handle_rawio(path.dentry->d_inode)) {
29687 + goto exit_mutex_unlock;
29689 + if (!gr_acl_handle_open(path.dentry, nd.path.mnt, flag)) {
29691 + goto exit_mutex_unlock;
29693 + if (gr_handle_fifo(path.dentry, nd.path.mnt, dir, flag, acc_mode)) {
29695 + goto exit_mutex_unlock;
29698 mutex_unlock(&dir->d_inode->i_mutex);
29699 audit_inode(pathname, path.dentry);
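Review bot: The `gr_handle_rofs_blockwrite()`, `gr_handle_rawio()` and `gr_acl_handle_open()` checks are repeated here from the previous hunk of do_filp_open(), with `gr_handle_fifo()` present only in this copy. Two hand-maintained copies of an access-control sequence tend to drift apart. At minimum add `/* keep in sync with the gr_* open checks earlier in do_filp_open() */` and state why the FIFO check is not needed at the other site. The error assignments inside each `if` are not shown in the listing.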
29701 @@ -1866,6 +1921,13 @@ do_link:
29702 error = security_inode_follow_link(path.dentry, &nd);
29706 + if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
29707 + path.dentry, nd.path.mnt)) {
29712 error = __do_follow_link(&path, &nd);
29715 @@ -2045,6 +2107,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
29716 error = may_mknod(mode);
29720 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
29725 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
29730 error = mnt_want_write(nd.path.mnt);
29733 @@ -2065,6 +2138,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
29736 mnt_drop_write(nd.path.mnt);
29739 + gr_handle_create(dentry, nd.path.mnt);
29743 @@ -2118,6 +2194,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
29744 if (IS_ERR(dentry))
29747 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
29752 if (!IS_POSIXACL(nd.path.dentry->d_inode))
29753 mode &= ~current_umask();
29754 error = mnt_want_write(nd.path.mnt);
29755 @@ -2129,6 +2210,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
29756 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
29758 mnt_drop_write(nd.path.mnt);
29761 + gr_handle_create(dentry, nd.path.mnt);
29766 @@ -2210,6 +2295,8 @@ static long do_rmdir(int dfd, const char
29768 struct dentry *dentry;
29769 struct nameidata nd;
29770 + ino_t saved_ino = 0;
29771 + dev_t saved_dev = 0;
29773 error = user_path_parent(dfd, pathname, &nd, &name);
29775 @@ -2234,6 +2321,19 @@ static long do_rmdir(int dfd, const char
29776 error = PTR_ERR(dentry);
29777 if (IS_ERR(dentry))
29780 + if (dentry->d_inode != NULL) {
29781 + if (dentry->d_inode->i_nlink <= 1) {
29782 + saved_ino = dentry->d_inode->i_ino;
29783 + saved_dev = dentry->d_inode->i_sb->s_dev;
29786 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
29792 error = mnt_want_write(nd.path.mnt);
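Review bot: The `dentry->d_inode->i_nlink <= 1` test that gates `saved_ino`/`saved_dev` looks carried over from the unlink path and may never be true for a directory, since on filesystems that count the `.` entry an empty directory still has a link count of 2. If so, the `gr_handle_delete(saved_ino, saved_dev)` call added in the later do_rmdir hunk would not run after a successful rmdir on those filesystems. Consider recording the inode and device as soon as `dentry->d_inode != NULL` is known, i.e. dropping the `if (dentry->d_inode->i_nlink <= 1) {` line and its closing brace. What gr_handle_delete expects is outside this hunk, so confirm against its definition; do_rmdir's body starts and ends outside the hunk.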
29795 @@ -2241,6 +2341,8 @@ static long do_rmdir(int dfd, const char
29798 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
29799 + if (!error && (saved_dev || saved_ino))
29800 + gr_handle_delete(saved_ino, saved_dev);
29802 mnt_drop_write(nd.path.mnt);
29804 @@ -2302,6 +2404,8 @@ static long do_unlinkat(int dfd, const c
29805 struct dentry *dentry;
29806 struct nameidata nd;
29807 struct inode *inode = NULL;
29808 + ino_t saved_ino = 0;
29809 + dev_t saved_dev = 0;
29811 error = user_path_parent(dfd, pathname, &nd, &name);
29813 @@ -2321,8 +2425,19 @@ static long do_unlinkat(int dfd, const c
29814 if (nd.last.name[nd.last.len])
29816 inode = dentry->d_inode;
29819 + if (inode->i_nlink <= 1) {
29820 + saved_ino = inode->i_ino;
29821 + saved_dev = inode->i_sb->s_dev;
29824 atomic_inc(&inode->i_count);
29826 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
29831 error = mnt_want_write(nd.path.mnt);
29834 @@ -2330,6 +2445,8 @@ static long do_unlinkat(int dfd, const c
29837 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
29838 + if (!error && (saved_ino || saved_dev))
29839 + gr_handle_delete(saved_ino, saved_dev);
29841 mnt_drop_write(nd.path.mnt);
29843 @@ -2408,6 +2525,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
29844 if (IS_ERR(dentry))
29847 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
29852 error = mnt_want_write(nd.path.mnt);
29855 @@ -2415,6 +2537,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
29857 goto out_drop_write;
29858 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
29860 + gr_handle_create(dentry, nd.path.mnt);
29862 mnt_drop_write(nd.path.mnt);
29864 @@ -2508,6 +2632,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
29865 error = PTR_ERR(new_dentry);
29866 if (IS_ERR(new_dentry))
29869 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
29870 + old_path.dentry->d_inode,
29871 + old_path.dentry->d_inode->i_mode, to)) {
29876 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
29877 + old_path.dentry, old_path.mnt, to)) {
29882 error = mnt_want_write(nd.path.mnt);
29885 @@ -2515,6 +2653,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
29887 goto out_drop_write;
29888 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
29890 + gr_handle_create(new_dentry, nd.path.mnt);
29892 mnt_drop_write(nd.path.mnt);
29894 @@ -2748,6 +2888,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
29895 if (new_dentry == trap)
29898 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
29899 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
29904 error = mnt_want_write(oldnd.path.mnt);
29907 @@ -2757,6 +2903,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
29909 error = vfs_rename(old_dir->d_inode, old_dentry,
29910 new_dir->d_inode, new_dentry);
29912 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
29913 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
29915 mnt_drop_write(oldnd.path.mnt);
29917 diff -urNp linux-2.6.33/fs/namespace.c linux-2.6.33/fs/namespace.c
29918 --- linux-2.6.33/fs/namespace.c 2010-02-24 13:52:17.000000000 -0500
29919 +++ linux-2.6.33/fs/namespace.c 2010-03-07 12:23:36.089622247 -0500
29920 @@ -1085,6 +1085,9 @@ static int do_umount(struct vfsmount *mn
29921 if (!(sb->s_flags & MS_RDONLY))
29922 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
29923 up_write(&sb->s_umount);
29925 + gr_log_remount(mnt->mnt_devname, retval);
29930 @@ -1106,6 +1109,9 @@ static int do_umount(struct vfsmount *mn
29931 security_sb_umount_busy(mnt);
29932 up_write(&namespace_sem);
29933 release_mounts(&umount_list);
29935 + gr_log_unmount(mnt->mnt_devname, retval);
29940 @@ -1963,6 +1969,16 @@ long do_mount(char *dev_name, char *dir_
29941 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
29944 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
29949 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
29954 if (flags & MS_REMOUNT)
29955 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
29957 @@ -1977,6 +1993,9 @@ long do_mount(char *dev_name, char *dir_
29958 dev_name, data_page);
29962 + gr_log_mount(dev_name, dir_name, retval);
29967 @@ -2183,6 +2202,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
29971 + if (gr_handle_chroot_pivot()) {
29977 read_lock(¤t->fs->lock);
29978 root = current->fs->root;
29979 path_get(¤t->fs->root);
29980 diff -urNp linux-2.6.33/fs/nfs/inode.c linux-2.6.33/fs/nfs/inode.c
29981 --- linux-2.6.33/fs/nfs/inode.c 2010-02-24 13:52:17.000000000 -0500
29982 +++ linux-2.6.33/fs/nfs/inode.c 2010-03-07 12:23:36.089622247 -0500
29983 @@ -965,16 +965,16 @@ static int nfs_size_need_update(const st
29984 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
29987 -static atomic_long_t nfs_attr_generation_counter;
29988 +static atomic_long_unchecked_t nfs_attr_generation_counter;
29990 static unsigned long nfs_read_attr_generation_counter(void)
29992 - return atomic_long_read(&nfs_attr_generation_counter);
29993 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
29996 unsigned long nfs_inc_attr_generation_counter(void)
29998 - return atomic_long_inc_return(&nfs_attr_generation_counter);
29999 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
30002 void nfs_fattr_init(struct nfs_fattr *fattr)
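Review bot: Nothing at the declaration says why `nfs_attr_generation_counter` may use `atomic_long_unchecked_t`, which opts it out of whatever overflow checking the checked atomic type provides. If the reasoning is that wraparound of a generation counter is harmless, record it with a one-line comment above the declaration, for example `/* generation counter, not a reference count: wraparound is harmless */`. The `atomic_unchecked_t` statistics fields in the fs/ocfs2/ocfs2.h hunk further down deserve the same comment.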
30003 diff -urNp linux-2.6.33/fs/nfs/nfs4proc.c linux-2.6.33/fs/nfs/nfs4proc.c
30004 --- linux-2.6.33/fs/nfs/nfs4proc.c 2010-02-24 13:52:17.000000000 -0500
30005 +++ linux-2.6.33/fs/nfs/nfs4proc.c 2010-03-07 12:23:36.089622247 -0500
30006 @@ -1159,7 +1159,7 @@ static int _nfs4_do_open_reclaim(struct
30007 static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
30009 struct nfs_server *server = NFS_SERVER(state->inode);
30010 - struct nfs4_exception exception = { };
30011 + struct nfs4_exception exception = {0, 0};
30014 err = _nfs4_do_open_reclaim(ctx, state);
30015 @@ -1201,7 +1201,7 @@ static int _nfs4_open_delegation_recall(
30017 int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
30019 - struct nfs4_exception exception = { };
30020 + struct nfs4_exception exception = {0, 0};
30021 struct nfs_server *server = NFS_SERVER(state->inode);
30024 @@ -1572,7 +1572,7 @@ static int _nfs4_open_expired(struct nfs
30025 static int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
30027 struct nfs_server *server = NFS_SERVER(state->inode);
30028 - struct nfs4_exception exception = { };
30029 + struct nfs4_exception exception = {0, 0};
30033 @@ -1678,7 +1678,7 @@ out_err:
30035 static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, int flags, struct iattr *sattr, struct rpc_cred *cred)
30037 - struct nfs4_exception exception = { };
30038 + struct nfs4_exception exception = {0, 0};
30039 struct nfs4_state *res;
30042 @@ -1769,7 +1769,7 @@ static int nfs4_do_setattr(struct inode
30043 struct nfs4_state *state)
30045 struct nfs_server *server = NFS_SERVER(inode);
30046 - struct nfs4_exception exception = { };
30047 + struct nfs4_exception exception = {0, 0};
30050 err = nfs4_handle_exception(server,
30051 @@ -2146,7 +2146,7 @@ static int _nfs4_server_capabilities(str
30053 int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
30055 - struct nfs4_exception exception = { };
30056 + struct nfs4_exception exception = {0, 0};
30059 err = nfs4_handle_exception(server,
30060 @@ -2180,7 +2180,7 @@ static int _nfs4_lookup_root(struct nfs_
30061 static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
30062 struct nfs_fsinfo *info)
30064 - struct nfs4_exception exception = { };
30065 + struct nfs4_exception exception = {0, 0};
30068 err = nfs4_handle_exception(server,
30069 @@ -2269,7 +2269,7 @@ static int _nfs4_proc_getattr(struct nfs
30071 static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
30073 - struct nfs4_exception exception = { };
30074 + struct nfs4_exception exception = {0, 0};
30077 err = nfs4_handle_exception(server,
30078 @@ -2357,7 +2357,7 @@ static int nfs4_proc_lookupfh(struct nfs
30079 struct qstr *name, struct nfs_fh *fhandle,
30080 struct nfs_fattr *fattr)
30082 - struct nfs4_exception exception = { };
30083 + struct nfs4_exception exception = {0, 0};
30086 err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
30087 @@ -2386,7 +2386,7 @@ static int _nfs4_proc_lookup(struct inod
30089 static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
30091 - struct nfs4_exception exception = { };
30092 + struct nfs4_exception exception = {0, 0};
30095 err = nfs4_handle_exception(NFS_SERVER(dir),
30096 @@ -2450,7 +2450,7 @@ static int _nfs4_proc_access(struct inod
30098 static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
30100 - struct nfs4_exception exception = { };
30101 + struct nfs4_exception exception = {0, 0};
30104 err = nfs4_handle_exception(NFS_SERVER(inode),
30105 @@ -2506,7 +2506,7 @@ static int _nfs4_proc_readlink(struct in
30106 static int nfs4_proc_readlink(struct inode *inode, struct page *page,
30107 unsigned int pgbase, unsigned int pglen)
30109 - struct nfs4_exception exception = { };
30110 + struct nfs4_exception exception = {0, 0};
30113 err = nfs4_handle_exception(NFS_SERVER(inode),
30114 @@ -2604,7 +2604,7 @@ static int _nfs4_proc_remove(struct inod
30116 static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
30118 - struct nfs4_exception exception = { };
30119 + struct nfs4_exception exception = {0, 0};
30122 err = nfs4_handle_exception(NFS_SERVER(dir),
30123 @@ -2677,7 +2677,7 @@ static int _nfs4_proc_rename(struct inod
30124 static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
30125 struct inode *new_dir, struct qstr *new_name)
30127 - struct nfs4_exception exception = { };
30128 + struct nfs4_exception exception = {0, 0};
30131 err = nfs4_handle_exception(NFS_SERVER(old_dir),
30132 @@ -2724,7 +2724,7 @@ static int _nfs4_proc_link(struct inode
30134 static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
30136 - struct nfs4_exception exception = { };
30137 + struct nfs4_exception exception = {0, 0};
30140 err = nfs4_handle_exception(NFS_SERVER(inode),
30141 @@ -2816,7 +2816,7 @@ out:
30142 static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
30143 struct page *page, unsigned int len, struct iattr *sattr)
30145 - struct nfs4_exception exception = { };
30146 + struct nfs4_exception exception = {0, 0};
30149 err = nfs4_handle_exception(NFS_SERVER(dir),
30150 @@ -2847,7 +2847,7 @@ out:
30151 static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
30152 struct iattr *sattr)
30154 - struct nfs4_exception exception = { };
30155 + struct nfs4_exception exception = {0, 0};
30158 err = nfs4_handle_exception(NFS_SERVER(dir),
30159 @@ -2896,7 +2896,7 @@ static int _nfs4_proc_readdir(struct den
30160 static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
30161 u64 cookie, struct page *page, unsigned int count, int plus)
30163 - struct nfs4_exception exception = { };
30164 + struct nfs4_exception exception = {0, 0};
30167 err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
30168 @@ -2944,7 +2944,7 @@ out:
30169 static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
30170 struct iattr *sattr, dev_t rdev)
30172 - struct nfs4_exception exception = { };
30173 + struct nfs4_exception exception = {0, 0};
30176 err = nfs4_handle_exception(NFS_SERVER(dir),
30177 @@ -2976,7 +2976,7 @@ static int _nfs4_proc_statfs(struct nfs_
30179 static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
30181 - struct nfs4_exception exception = { };
30182 + struct nfs4_exception exception = {0, 0};
30185 err = nfs4_handle_exception(server,
30186 @@ -3007,7 +3007,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
30188 static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
30190 - struct nfs4_exception exception = { };
30191 + struct nfs4_exception exception = {0, 0};
30195 @@ -3053,7 +3053,7 @@ static int _nfs4_proc_pathconf(struct nf
30196 static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
30197 struct nfs_pathconf *pathconf)
30199 - struct nfs4_exception exception = { };
30200 + struct nfs4_exception exception = {0, 0};
30204 @@ -3348,7 +3348,7 @@ out_free:
30206 static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
30208 - struct nfs4_exception exception = { };
30209 + struct nfs4_exception exception = {0, 0};
30212 ret = __nfs4_get_acl_uncached(inode, buf, buflen);
30213 @@ -3404,7 +3404,7 @@ static int __nfs4_proc_set_acl(struct in
30215 static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
30217 - struct nfs4_exception exception = { };
30218 + struct nfs4_exception exception = {0, 0};
30221 err = nfs4_handle_exception(NFS_SERVER(inode),
30222 @@ -3686,7 +3686,7 @@ out:
30223 int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid, int issync)
30225 struct nfs_server *server = NFS_SERVER(inode);
30226 - struct nfs4_exception exception = { };
30227 + struct nfs4_exception exception = {0, 0};
30230 err = _nfs4_proc_delegreturn(inode, cred, stateid, issync);
30231 @@ -3759,7 +3759,7 @@ out:
30233 static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
30235 - struct nfs4_exception exception = { };
30236 + struct nfs4_exception exception = {0, 0};
30240 @@ -4171,7 +4171,7 @@ static int _nfs4_do_setlk(struct nfs4_st
30241 static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
30243 struct nfs_server *server = NFS_SERVER(state->inode);
30244 - struct nfs4_exception exception = { };
30245 + struct nfs4_exception exception = {0, 0};
30249 @@ -4189,7 +4189,7 @@ static int nfs4_lock_reclaim(struct nfs4
30250 static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
30252 struct nfs_server *server = NFS_SERVER(state->inode);
30253 - struct nfs4_exception exception = { };
30254 + struct nfs4_exception exception = {0, 0};
30257 err = nfs4_set_lock_state(state, request);
30258 @@ -4253,7 +4253,7 @@ out:
30260 static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
30262 - struct nfs4_exception exception = { };
30263 + struct nfs4_exception exception = {0, 0};
30267 @@ -4313,7 +4313,7 @@ nfs4_proc_lock(struct file *filp, int cm
30268 int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
30270 struct nfs_server *server = NFS_SERVER(state->inode);
30271 - struct nfs4_exception exception = { };
30272 + struct nfs4_exception exception = {0, 0};
30275 err = nfs4_set_lock_state(state, fl);
30276 diff -urNp linux-2.6.33/fs/nfsd/lockd.c linux-2.6.33/fs/nfsd/lockd.c
30277 --- linux-2.6.33/fs/nfsd/lockd.c 2010-02-24 13:52:17.000000000 -0500
30278 +++ linux-2.6.33/fs/nfsd/lockd.c 2010-03-07 12:23:36.089622247 -0500
30279 @@ -61,7 +61,7 @@ nlm_fclose(struct file *filp)
30283 -static struct nlmsvc_binding nfsd_nlm_ops = {
30284 +static const struct nlmsvc_binding nfsd_nlm_ops = {
30285 .fopen = nlm_fopen, /* open file for locking */
30286 .fclose = nlm_fclose, /* close file */
30288 diff -urNp linux-2.6.33/fs/nfsd/nfsctl.c linux-2.6.33/fs/nfsd/nfsctl.c
30289 --- linux-2.6.33/fs/nfsd/nfsctl.c 2010-02-24 13:52:17.000000000 -0500
30290 +++ linux-2.6.33/fs/nfsd/nfsctl.c 2010-03-07 12:23:36.093718866 -0500
30291 @@ -159,7 +159,7 @@ static int export_features_open(struct i
30292 return single_open(file, export_features_show, NULL);
30295 -static struct file_operations export_features_operations = {
30296 +static const struct file_operations export_features_operations = {
30297 .open = export_features_open,
30299 .llseek = seq_lseek,
30300 diff -urNp linux-2.6.33/fs/nfsd/vfs.c linux-2.6.33/fs/nfsd/vfs.c
30301 --- linux-2.6.33/fs/nfsd/vfs.c 2010-02-24 13:52:17.000000000 -0500
30302 +++ linux-2.6.33/fs/nfsd/vfs.c 2010-03-07 12:23:36.093718866 -0500
30303 @@ -945,7 +945,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
30307 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
30308 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
30312 @@ -1068,7 +1068,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
30314 /* Write the data. */
30315 oldfs = get_fs(); set_fs(KERNEL_DS);
30316 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
30317 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
30321 @@ -1543,7 +1543,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
30324 oldfs = get_fs(); set_fs(KERNEL_DS);
30325 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
30326 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
30330 diff -urNp linux-2.6.33/fs/nls/nls_base.c linux-2.6.33/fs/nls/nls_base.c
30331 --- linux-2.6.33/fs/nls/nls_base.c 2010-02-24 13:52:17.000000000 -0500
30332 +++ linux-2.6.33/fs/nls/nls_base.c 2010-03-07 12:23:36.093718866 -0500
30333 @@ -41,7 +41,7 @@ static const struct utf8_table utf8_tabl
30334 {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
30335 {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
30336 {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
30337 - {0, /* end of table */}
30338 + {0, 0, 0, 0, 0, /* end of table */}
30341 #define UNICODE_MAX 0x0010ffff
30342 diff -urNp linux-2.6.33/fs/ntfs/file.c linux-2.6.33/fs/ntfs/file.c
30343 --- linux-2.6.33/fs/ntfs/file.c 2010-02-24 13:52:17.000000000 -0500
30344 +++ linux-2.6.33/fs/ntfs/file.c 2010-03-07 12:23:36.093718866 -0500
30345 @@ -2243,6 +2243,6 @@ const struct inode_operations ntfs_file_
30346 #endif /* NTFS_RW */
30349 -const struct file_operations ntfs_empty_file_ops = {};
30350 +const struct file_operations ntfs_empty_file_ops __read_only;
30352 -const struct inode_operations ntfs_empty_inode_ops = {};
30353 +const struct inode_operations ntfs_empty_inode_ops __read_only;
30354 diff -urNp linux-2.6.33/fs/ocfs2/cluster/masklog.c linux-2.6.33/fs/ocfs2/cluster/masklog.c
30355 --- linux-2.6.33/fs/ocfs2/cluster/masklog.c 2010-02-24 13:52:17.000000000 -0500
30356 +++ linux-2.6.33/fs/ocfs2/cluster/masklog.c 2010-03-07 12:23:36.093718866 -0500
30357 @@ -135,7 +135,7 @@ static ssize_t mlog_store(struct kobject
30358 return mlog_mask_store(mlog_attr->mask, buf, count);
30361 -static struct sysfs_ops mlog_attr_ops = {
30362 +static const struct sysfs_ops mlog_attr_ops = {
30364 .store = mlog_store,
30366 diff -urNp linux-2.6.33/fs/ocfs2/localalloc.c linux-2.6.33/fs/ocfs2/localalloc.c
30367 --- linux-2.6.33/fs/ocfs2/localalloc.c 2010-02-24 13:52:17.000000000 -0500
30368 +++ linux-2.6.33/fs/ocfs2/localalloc.c 2010-03-07 12:23:36.093718866 -0500
30369 @@ -1188,7 +1188,7 @@ static int ocfs2_local_alloc_slide_windo
30373 - atomic_inc(&osb->alloc_stats.moves);
30374 + atomic_inc_unchecked(&osb->alloc_stats.moves);
30378 diff -urNp linux-2.6.33/fs/ocfs2/ocfs2.h linux-2.6.33/fs/ocfs2/ocfs2.h
30379 --- linux-2.6.33/fs/ocfs2/ocfs2.h 2010-02-24 13:52:17.000000000 -0500
30380 +++ linux-2.6.33/fs/ocfs2/ocfs2.h 2010-03-07 12:23:36.093718866 -0500
30381 @@ -221,11 +221,11 @@ enum ocfs2_vol_state
30383 struct ocfs2_alloc_stats
30386 - atomic_t local_data;
30387 - atomic_t bitmap_data;
30388 - atomic_t bg_allocs;
30389 - atomic_t bg_extends;
30390 + atomic_unchecked_t moves;
30391 + atomic_unchecked_t local_data;
30392 + atomic_unchecked_t bitmap_data;
30393 + atomic_unchecked_t bg_allocs;
30394 + atomic_unchecked_t bg_extends;
30397 enum ocfs2_local_alloc_state
30398 diff -urNp linux-2.6.33/fs/ocfs2/suballoc.c linux-2.6.33/fs/ocfs2/suballoc.c
30399 --- linux-2.6.33/fs/ocfs2/suballoc.c 2010-02-24 13:52:17.000000000 -0500
30400 +++ linux-2.6.33/fs/ocfs2/suballoc.c 2010-03-07 12:23:36.093718866 -0500
30401 @@ -620,7 +620,7 @@ static int ocfs2_reserve_suballoc_bits(s
30402 mlog_errno(status);
30405 - atomic_inc(&osb->alloc_stats.bg_extends);
30406 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
30408 /* You should never ask for this much metadata */
30409 BUG_ON(bits_wanted >
30410 @@ -1651,7 +1651,7 @@ int ocfs2_claim_metadata(struct ocfs2_su
30411 mlog_errno(status);
30414 - atomic_inc(&osb->alloc_stats.bg_allocs);
30415 + atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
30417 *blkno_start = bg_blkno + (u64) *suballoc_bit_start;
30418 ac->ac_bits_given += (*num_bits);
30419 @@ -1725,7 +1725,7 @@ int ocfs2_claim_new_inode(struct ocfs2_s
30420 mlog_errno(status);
30423 - atomic_inc(&osb->alloc_stats.bg_allocs);
30424 + atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
30426 BUG_ON(num_bits != 1);
30428 @@ -1827,7 +1827,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
30432 - atomic_inc(&osb->alloc_stats.local_data);
30433 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
30435 if (min_clusters > (osb->bitmap_cpg - 1)) {
30436 /* The only paths asking for contiguousness
30437 @@ -1855,7 +1855,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
30438 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
30441 - atomic_inc(&osb->alloc_stats.bitmap_data);
30442 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
30446 diff -urNp linux-2.6.33/fs/ocfs2/super.c linux-2.6.33/fs/ocfs2/super.c
30447 --- linux-2.6.33/fs/ocfs2/super.c 2010-02-24 13:52:17.000000000 -0500
30448 +++ linux-2.6.33/fs/ocfs2/super.c 2010-03-07 12:23:36.093718866 -0500
30449 @@ -286,11 +286,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
30450 "%10s => GlobalAllocs: %d LocalAllocs: %d "
30451 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
30453 - atomic_read(&osb->alloc_stats.bitmap_data),
30454 - atomic_read(&osb->alloc_stats.local_data),
30455 - atomic_read(&osb->alloc_stats.bg_allocs),
30456 - atomic_read(&osb->alloc_stats.moves),
30457 - atomic_read(&osb->alloc_stats.bg_extends));
30458 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
30459 + atomic_read_unchecked(&osb->alloc_stats.local_data),
30460 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
30461 + atomic_read_unchecked(&osb->alloc_stats.moves),
30462 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
30464 out += snprintf(buf + out, len - out,
30465 "%10s => State: %u Descriptor: %llu Size: %u bits "
30466 @@ -1999,11 +1999,11 @@ static int ocfs2_initialize_super(struct
30467 spin_lock_init(&osb->osb_xattr_lock);
30468 ocfs2_init_inode_steal_slot(osb);
30470 - atomic_set(&osb->alloc_stats.moves, 0);
30471 - atomic_set(&osb->alloc_stats.local_data, 0);
30472 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
30473 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
30474 - atomic_set(&osb->alloc_stats.bg_extends, 0);
30475 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
30476 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
30477 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
30478 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
30479 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
30481 /* Copy the blockcheck stats from the superblock probe */
30482 osb->osb_ecc_stats = *stats;
30483 diff -urNp linux-2.6.33/fs/ocfs2/symlink.c linux-2.6.33/fs/ocfs2/symlink.c
30484 --- linux-2.6.33/fs/ocfs2/symlink.c 2010-02-24 13:52:17.000000000 -0500
30485 +++ linux-2.6.33/fs/ocfs2/symlink.c 2010-03-07 12:23:36.093718866 -0500
30486 @@ -148,7 +148,7 @@ bail:
30488 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
30490 - char *link = nd_get_link(nd);
30491 + const char *link = nd_get_link(nd);
30495 diff -urNp linux-2.6.33/fs/open.c linux-2.6.33/fs/open.c
30496 --- linux-2.6.33/fs/open.c 2010-02-24 13:52:17.000000000 -0500
30497 +++ linux-2.6.33/fs/open.c 2010-03-07 12:23:36.093718866 -0500
30498 @@ -209,6 +209,9 @@ int do_truncate(struct dentry *dentry, l
30502 + if (filp && !gr_acl_handle_truncate(dentry, filp->f_path.mnt))
30505 newattrs.ia_size = length;
30506 newattrs.ia_valid = ATTR_SIZE | time_attrs;
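Review bot: The added test `if (filp && !gr_acl_handle_truncate(dentry, filp->f_path.mnt))` is skipped whenever do_truncate is called with `filp == NULL`, so a caller that truncates by path rather than through an open file does not pass through this ACL hook here. If those callers are covered by a check elsewhere, state it in a comment above the test, e.g. `/* filp == NULL: path-based callers are checked in CALLER_NAME */` (placeholder for the real function). If they are not, the hook needs a vfsmount supplied by the caller. The rest of do_truncate is outside the hunk.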
30508 @@ -514,6 +517,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
30509 if (__mnt_is_readonly(path.mnt))
30512 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
30518 @@ -540,6 +546,8 @@ SYSCALL_DEFINE1(chdir, const char __user
30522 + gr_log_chdir(path.dentry, path.mnt);
30524 set_fs_pwd(current->fs, &path);
30527 @@ -566,6 +574,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
30530 error = inode_permission(inode, MAY_EXEC | MAY_ACCESS);
30532 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
30536 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
30539 set_fs_pwd(current->fs, &file->f_path);
30541 @@ -594,7 +609,18 @@ SYSCALL_DEFINE1(chroot, const char __use
30545 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
30546 + goto dput_and_out;
30548 + if (gr_handle_chroot_caps(&path)) {
30550 + goto dput_and_out;
30553 set_fs_root(current->fs, &path);
30555 + gr_handle_chroot_chdir(&path);
30560 @@ -622,6 +648,12 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
30561 err = mnt_want_write_file(file);
30565 + if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) {
30567 + goto out_drop_write;
30570 mutex_lock(&inode->i_mutex);
30571 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
30573 @@ -633,6 +665,7 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
30574 err = notify_change(dentry, &newattrs);
30576 mutex_unlock(&inode->i_mutex);
30578 mnt_drop_write(file->f_path.mnt);
30581 @@ -655,17 +688,30 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
30582 error = mnt_want_write(path.mnt);
30586 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
30588 + goto out_drop_write;
30591 mutex_lock(&inode->i_mutex);
30592 error = security_path_chmod(path.dentry, path.mnt, mode);
30595 if (mode == (mode_t) -1)
30596 mode = inode->i_mode;
30598 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
30603 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
30604 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
30605 error = notify_change(path.dentry, &newattrs);
30607 mutex_unlock(&inode->i_mutex);
30609 mnt_drop_write(path.mnt);
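Review bot: `gr_acl_handle_chmod(path.dentry, path.mnt, mode)` runs before the `if (mode == (mode_t) -1) mode = inode->i_mode;` normalisation, while `gr_handle_chroot_chmod(path.dentry, path.mnt, mode)` runs after it, so the two hooks can see different values for the same request. When the caller passes the sentinel, the ACL hook receives a mode with every bit set, including the set-id bits, which may produce a spurious denial or a misleading log entry depending on how the hook inspects `mode` (its body is not in this hunk). Moving the ACL check below the normalisation, next to the chroot check, would give both hooks the effective mode. The fchmod hunk above adds the same kind of check and is worth reviewing for the same ordering.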
30612 @@ -684,6 +730,9 @@ static int chown_common(struct path *pat
30614 struct iattr newattrs;
30616 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
30619 newattrs.ia_valid = ATTR_CTIME;
30620 if (user != (uid_t) -1) {
30621 newattrs.ia_valid |= ATTR_UID;
30622 diff -urNp linux-2.6.33/fs/pipe.c linux-2.6.33/fs/pipe.c
30623 --- linux-2.6.33/fs/pipe.c 2010-02-24 13:52:17.000000000 -0500
30624 +++ linux-2.6.33/fs/pipe.c 2010-03-07 12:23:36.097602735 -0500
30625 @@ -401,9 +401,9 @@ redo:
30627 if (bufs) /* More to do? */
30629 - if (!pipe->writers)
30630 + if (!atomic_read(&pipe->writers))
30632 - if (!pipe->waiting_writers) {
30633 + if (!atomic_read(&pipe->waiting_writers)) {
30634 /* syscall merging: Usually we must not sleep
30635 * if O_NONBLOCK is set, or if we got some data.
30636 * But if a writer sleeps in kernel space, then
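Review bot: The reason for converting `pipe->readers`, `pipe->writers` and `pipe->waiting_writers` to atomic accessors is not stated anywhere in the fs/pipe.c hunks. The accesses visible in pipe_write, pipe_release and the three `*_open` functions sit between `mutex_lock(&inode->i_mutex)` and `mutex_unlock(&inode->i_mutex)`, so lock-free concurrency does not appear to be the motive. If the intent is overflow detection on these counters, put that on the fields in the pipe structure, e.g. `/* atomic_t for overflow checking; still serialised by i_mutex */`. This applies to all the fs/pipe.c hunks that follow. The function enclosing this hunk starts and ends outside it.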
30637 @@ -462,7 +462,7 @@ pipe_write(struct kiocb *iocb, const str
30638 mutex_lock(&inode->i_mutex);
30639 pipe = inode->i_pipe;
30641 - if (!pipe->readers) {
30642 + if (!atomic_read(&pipe->readers)) {
30643 send_sig(SIGPIPE, current, 0);
30646 @@ -511,7 +511,7 @@ redo1:
30650 - if (!pipe->readers) {
30651 + if (!atomic_read(&pipe->readers)) {
30652 send_sig(SIGPIPE, current, 0);
30655 @@ -597,9 +597,9 @@ redo2:
30656 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
30659 - pipe->waiting_writers++;
30660 + atomic_inc(&pipe->waiting_writers);
30662 - pipe->waiting_writers--;
30663 + atomic_dec(&pipe->waiting_writers);
30666 mutex_unlock(&inode->i_mutex);
30667 @@ -666,7 +666,7 @@ pipe_poll(struct file *filp, poll_table
30669 if (filp->f_mode & FMODE_READ) {
30670 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
30671 - if (!pipe->writers && filp->f_version != pipe->w_counter)
30672 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
30676 @@ -676,7 +676,7 @@ pipe_poll(struct file *filp, poll_table
30677 * Most Unices do not set POLLERR for FIFOs but on Linux they
30678 * behave exactly like pipes for poll().
30680 - if (!pipe->readers)
30681 + if (!atomic_read(&pipe->readers))
30685 @@ -690,10 +690,10 @@ pipe_release(struct inode *inode, int de
30687 mutex_lock(&inode->i_mutex);
30688 pipe = inode->i_pipe;
30689 - pipe->readers -= decr;
30690 - pipe->writers -= decw;
30691 + atomic_sub(decr, &pipe->readers);
30692 + atomic_sub(decw, &pipe->writers);
30694 - if (!pipe->readers && !pipe->writers) {
30695 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
30696 free_pipe_info(inode);
30698 wake_up_interruptible_sync(&pipe->wait);
30699 @@ -783,7 +783,7 @@ pipe_read_open(struct inode *inode, stru
30701 if (inode->i_pipe) {
30703 - inode->i_pipe->readers++;
30704 + atomic_inc(&inode->i_pipe->readers);
30707 mutex_unlock(&inode->i_mutex);
30708 @@ -800,7 +800,7 @@ pipe_write_open(struct inode *inode, str
30710 if (inode->i_pipe) {
30712 - inode->i_pipe->writers++;
30713 + atomic_inc(&inode->i_pipe->writers);
30716 mutex_unlock(&inode->i_mutex);
30717 @@ -818,9 +818,9 @@ pipe_rdwr_open(struct inode *inode, stru
30718 if (inode->i_pipe) {
30720 if (filp->f_mode & FMODE_READ)
30721 - inode->i_pipe->readers++;
30722 + atomic_inc(&inode->i_pipe->readers);
30723 if (filp->f_mode & FMODE_WRITE)
30724 - inode->i_pipe->writers++;
30725 + atomic_inc(&inode->i_pipe->writers);
30728 mutex_unlock(&inode->i_mutex);
30729 @@ -905,7 +905,7 @@ void free_pipe_info(struct inode *inode)
30730 inode->i_pipe = NULL;
30733 -static struct vfsmount *pipe_mnt __read_mostly;
30734 +struct vfsmount *pipe_mnt __read_mostly;
30737 * pipefs_dname() is called from d_path().
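Review bot: Dropping `static` from `pipe_mnt` makes a writable kernel pointer visible to every translation unit, and no matching declaration appears in this hunk. If other code only needs to test whether a vfsmount is the pipe mount, a small predicate defined in fs/pipe.c would let the variable stay file-local. Otherwise add a single `extern struct vfsmount *pipe_mnt;` in a shared header rather than in each user, with a comment naming the consumer.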
30738 @@ -933,7 +933,8 @@ static struct inode * get_pipe_inode(voi
30740 inode->i_pipe = pipe;
30742 - pipe->readers = pipe->writers = 1;
30743 + atomic_set(&pipe->readers, 1);
30744 + atomic_set(&pipe->writers, 1);
30745 inode->i_fop = &rdwr_pipefifo_fops;
30748 diff -urNp linux-2.6.33/fs/proc/array.c linux-2.6.33/fs/proc/array.c
30749 --- linux-2.6.33/fs/proc/array.c 2010-02-24 13:52:17.000000000 -0500
30750 +++ linux-2.6.33/fs/proc/array.c 2010-03-07 12:23:36.097602735 -0500
30751 @@ -337,6 +337,21 @@ static void task_cpus_allowed(struct seq
30752 seq_printf(m, "\n");
30755 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
30756 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
30759 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
30760 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
30761 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
30762 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
30763 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
30764 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
30766 + seq_printf(m, "PaX:\t-----\n");
30770 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
30771 struct pid *pid, struct task_struct *task)
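Review bot: task_pax() dereferences `p->mm->pax_flags` five times with no reference held on the mm in the lines shown. The guard before the first seq_printf is not visible in this listing, but if it is a plain `if (p->mm)`, a task that exits while its status file is being read could drop its mm between the check and the dereferences. Taking the mm once with `struct mm_struct *mm = get_task_mm(p);`, copying `mm->pax_flags` into a local and releasing it with `mmput(mm);` would close that window and avoid the repeated loads.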
30773 @@ -357,9 +372,20 @@ int proc_pid_status(struct seq_file *m,
30774 task_show_regs(m, task);
30776 task_context_switch_counts(m, task);
30778 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
30779 + task_pax(m, task);
30785 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
30786 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
30787 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
30788 + _mm->pax_flags & MF_PAX_SEGMEXEC))
30791 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
30792 struct pid *pid, struct task_struct *task, int whole)
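Review bot: PAX_RAND_FLAGS is a function-like macro whose argument `_mm` is unparenthesised and expanded several times, and the identical definition is repeated in the fs/proc/base.c and fs/proc/task_mmu.c hunks of this patch. A single `static inline` helper in a header shared by the three files would be type-checked and could not drift between copies. It also needs a comment stating the rule it encodes: the mm belongs to a task other than `current` and has RANDMMAP or SEGMEXEC set. The `#endif` that closes the block is not among the lines shown here.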
30794 @@ -452,6 +478,19 @@ static int do_task_stat(struct seq_file
30795 gtime = task->gtime;
30798 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
30799 + if (PAX_RAND_FLAGS(mm)) {
30805 +#ifdef CONFIG_GRKERNSEC_HIDESYM
30811 /* scale priority and nice values from timeslices to -20..20 */
30812 /* to make it look like a "normal" Unix priority/nice value */
30813 priority = task_prio(task);
30814 @@ -492,9 +531,15 @@ static int do_task_stat(struct seq_file
30816 mm ? get_mm_rss(mm) : 0,
30818 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
30819 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
30820 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
30821 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? task->stack_start : 0),
30823 mm ? mm->start_code : 0,
30824 mm ? mm->end_code : 0,
30825 (permitted && mm) ? task->stack_start : 0,
30829 /* The signal information here is obsolete.
30830 @@ -547,3 +592,10 @@ int proc_pid_statm(struct seq_file *m, s
30835 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
30836 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
30838 + return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
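Review bot: proc_pid_ipaddr() reads through `task->signal` with no lock or liveness check. Mainline /proc code of this era generally touches signal state only under `lock_task_sighand()`, because the pointer can go away while the task is being reaped. If that holds for this tree, reading the entry for an exiting task can fault. Copying `curr_ip` into a local under the sighand lock and formatting it after unlocking would avoid that. The function also has no comment saying what `curr_ip` records or who may read it.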
30841 diff -urNp linux-2.6.33/fs/proc/base.c linux-2.6.33/fs/proc/base.c
30842 --- linux-2.6.33/fs/proc/base.c 2010-02-24 13:52:17.000000000 -0500
30843 +++ linux-2.6.33/fs/proc/base.c 2010-03-07 12:23:36.097602735 -0500
30844 @@ -102,6 +102,22 @@ struct pid_entry {
30848 +struct getdents_callback {
30849 + struct linux_dirent __user * current_dir;
30850 + struct linux_dirent __user * previous;
30851 + struct file * file;
30856 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
30857 + loff_t offset, u64 ino, unsigned int d_type)
30859 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
30860 + buf->error = -EINVAL;
30864 #define NOD(NAME, MODE, IOP, FOP, OP) { \
30866 .len = sizeof(NAME) - 1, \
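Review bot: gr_fake_filldir() casts the opaque `__buf` to a private copy of `struct getdents_callback` and stores to `buf->error`, but that buffer belongs to whoever called vfs_readdir(), and only the getdents path uses this layout. fs/readdir.c in this same patch shows `struct readdir_callback` and `struct getdents_callback64` as other buffer types, and the first appears to be smaller, so the store may land outside the caller's object. The copy must also be kept in step by hand with the definition in fs/readdir.c. A callback that leaves `__buf` untouched and only returns its status would avoid both problems. If the `-EINVAL` store is required, a comment should say why.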
30867 @@ -213,6 +229,9 @@ static int check_mem_permission(struct t
30868 if (task == current)
30871 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
30875 * If current is actively ptrace'ing, and would also be
30876 * permitted to freshly attach with ptrace now, permit it.
30877 @@ -260,6 +279,9 @@ static int proc_pid_cmdline(struct task_
30879 goto out_mm; /* Shh! No looking before we're done */
30881 + if (gr_acl_handle_procpidmem(task))
30884 len = mm->arg_end - mm->arg_start;
30886 if (len > PAGE_SIZE)
30887 @@ -287,12 +309,26 @@ out:
30891 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
30892 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
30893 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
30894 + _mm->pax_flags & MF_PAX_SEGMEXEC))
30897 static int proc_pid_auxv(struct task_struct *task, char *buffer)
30900 struct mm_struct *mm = get_task_mm(task);
30902 unsigned int nwords = 0;
30904 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
30905 + if (PAX_RAND_FLAGS(mm)) {
30913 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
30914 @@ -328,7 +364,7 @@ static int proc_pid_wchan(struct task_st
30916 #endif /* CONFIG_KALLSYMS */
30918 -#ifdef CONFIG_STACKTRACE
30919 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
30921 #define MAX_STACK_TRACE_DEPTH 64
30923 @@ -521,7 +557,7 @@ static int proc_pid_limits(struct task_s
30927 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
30928 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
30929 static int proc_pid_syscall(struct task_struct *task, char *buffer)
30932 @@ -935,6 +971,9 @@ static ssize_t environ_read(struct file
30936 + if (gr_acl_handle_procpidmem(task))
30939 if (!ptrace_may_access(task, PTRACE_MODE_READ))
30942 @@ -1520,7 +1559,11 @@ static struct inode *proc_pid_make_inode
30944 cred = __task_cred(task);
30945 inode->i_uid = cred->euid;
30946 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
30947 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
30949 inode->i_gid = cred->egid;
30953 security_task_to_inode(task, inode);
30954 @@ -1538,6 +1581,9 @@ static int pid_getattr(struct vfsmount *
30955 struct inode *inode = dentry->d_inode;
30956 struct task_struct *task;
30957 const struct cred *cred;
30958 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
30959 + const struct cred *tmpcred = current_cred();
30962 generic_fillattr(inode, stat);
30964 @@ -1545,12 +1591,34 @@ static int pid_getattr(struct vfsmount *
30967 task = pid_task(proc_pid(inode), PIDTYPE_PID);
30969 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
30970 + rcu_read_unlock();
30975 + cred = __task_cred(task);
30976 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
30977 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
30978 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
30979 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
30983 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
30984 +#ifdef CONFIG_GRKERNSEC_PROC_USER
30985 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
30986 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
30987 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
30989 task_dumpable(task)) {
30990 - cred = __task_cred(task);
30991 stat->uid = cred->euid;
30992 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
30993 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
30995 stat->gid = cred->egid;
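Review bot: The visibility test added here compares `tmpcred->uid` with `cred->uid`, and the proc_pid_readdir() hunk does the same, while the USERGROUP branch in the fs/proc/proc_net.c hunk of this patch tests `cred->fsuid`. A reader whose real and filesystem uids differ would get a different answer from stat and readdir than from the net lookup, so the three checks should agree on one credential field. A comment above the condition stating the rule (root, same user, or member of CONFIG_GRKERNSEC_PROC_GID) would make the `#ifdef` nested inside the `if` easier to audit. pid_getattr() starts and ends outside this hunk.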
31000 @@ -1582,11 +1650,20 @@ static int pid_revalidate(struct dentry
31003 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
31004 +#ifdef CONFIG_GRKERNSEC_PROC_USER
31005 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
31006 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31007 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
31009 task_dumpable(task)) {
31011 cred = __task_cred(task);
31012 inode->i_uid = cred->euid;
31013 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
31014 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
31016 inode->i_gid = cred->egid;
31021 @@ -1707,7 +1784,8 @@ static int proc_fd_info(struct inode *in
31022 int fd = proc_fd(inode);
31025 - files = get_files_struct(task);
31026 + if (!gr_acl_handle_procpidmem(task))
31027 + files = get_files_struct(task);
31028 put_task_struct(task);
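Review bot: When gr_acl_handle_procpidmem() denies access, the new `if` leaves `files` unassigned. The code after `put_task_struct(task)` is therefore correct only if `files` was initialised to NULL at its declaration, which is outside this hunk and worth confirming. Writing the denial explicitly removes that hidden dependency: `files = gr_acl_handle_procpidmem(task) ? NULL : get_files_struct(task);`.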
31031 @@ -1959,12 +2037,22 @@ static const struct file_operations proc
31032 static int proc_fd_permission(struct inode *inode, int mask)
31035 + struct task_struct *task;
31037 rv = generic_permission(inode, mask, NULL);
31041 if (task_pid(current) == proc_pid(inode))
31044 + task = get_proc_task(inode);
31045 + if (task == NULL)
31048 + if (gr_acl_handle_procpidmem(task))
31051 + put_task_struct(task);
31056 @@ -2073,6 +2161,9 @@ static struct dentry *proc_pident_lookup
31060 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
31064 * Yes, it does not scale. And it should not. Don't add
31065 * new entries into /proc/<tgid>/ without very good reasons.
31066 @@ -2117,6 +2208,9 @@ static int proc_pident_readdir(struct fi
31070 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
31076 @@ -2384,7 +2478,7 @@ static void *proc_self_follow_link(struc
31077 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
31080 - char *s = nd_get_link(nd);
31081 + const char *s = nd_get_link(nd);
31085 @@ -2497,6 +2591,9 @@ static struct dentry *proc_base_lookup(s
31089 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
31092 error = proc_base_instantiate(dir, dentry, task, p);
31095 @@ -2584,7 +2681,7 @@ static const struct pid_entry tgid_base_
31096 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
31098 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
31099 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
31100 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
31101 INF("syscall", S_IRUSR, proc_pid_syscall),
31103 INF("cmdline", S_IRUGO, proc_pid_cmdline),
31104 @@ -2612,7 +2709,7 @@ static const struct pid_entry tgid_base_
31105 #ifdef CONFIG_KALLSYMS
31106 INF("wchan", S_IRUGO, proc_pid_wchan),
31108 -#ifdef CONFIG_STACKTRACE
31109 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
31110 ONE("stack", S_IRUSR, proc_pid_stack),
31112 #ifdef CONFIG_SCHEDSTATS
31113 @@ -2642,6 +2739,9 @@ static const struct pid_entry tgid_base_
31114 #ifdef CONFIG_TASK_IO_ACCOUNTING
31115 INF("io", S_IRUGO, proc_tgid_io_accounting),
31117 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
31118 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
31122 static int proc_tgid_base_readdir(struct file * filp,
31123 diff -urNp linux-2.6.33/fs/proc/base.c linux-2.6.33/fs/proc/base.c
31124 --- linux-2.6.33/fs/proc/base.c 2010-02-24 13:52:17.000000000 -0500
31125 +++ linux-2.6.33/fs/proc/base.c 2010-03-07 12:23:36.097602735 -0500
31126 @@ -2766,7 +2766,14 @@ static struct dentry *proc_pid_instantia
31130 +#ifdef CONFIG_GRKERNSEC_PROC_USER
31131 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
31132 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31133 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
31134 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
31136 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
31138 inode->i_op = &proc_tgid_base_inode_operations;
31139 inode->i_fop = &proc_tgid_base_operations;
31140 inode->i_flags|=S_IMMUTABLE;
31141 @@ -2808,7 +2815,11 @@ struct dentry *proc_pid_lookup(struct in
31145 + if (gr_check_hidden_task(task))
31146 + goto out_put_task;
31148 result = proc_pid_instantiate(dir, dentry, task, NULL);
31150 put_task_struct(task);
31153 diff -urNp linux-2.6.33/fs/proc/base.c linux-2.6.33/fs/proc/base.c
31154 --- linux-2.6.33/fs/proc/base.c 2010-02-24 13:52:17.000000000 -0500
31155 +++ linux-2.6.33/fs/proc/base.c 2010-03-07 12:23:36.097602735 -0500
31156 @@ -2873,6 +2873,11 @@ int proc_pid_readdir(struct file * filp,
31158 unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
31159 struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
31160 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31161 + const struct cred *tmpcred = current_cred();
31162 + const struct cred *itercred;
31164 + filldir_t __filldir = filldir;
31165 struct tgid_iter iter;
31166 struct pid_namespace *ns;
31168 @@ -2891,10 +2896,29 @@ int proc_pid_readdir(struct file * filp,
31169 for (iter = next_tgid(ns, iter);
31171 iter.tgid += 1, iter = next_tgid(ns, iter)) {
31172 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31174 + itercred = __task_cred(iter.task);
31176 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
31177 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31178 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
31179 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
31180 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
31185 + __filldir = &gr_fake_filldir;
31187 + __filldir = filldir;
31188 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31189 + rcu_read_unlock();
31191 filp->f_pos = iter.tgid + TGID_OFFSET;
31192 if (!vx_proc_task_visible(iter.task))
31194 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
31195 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
31196 put_task_struct(iter.task);
31199 @@ -2919,7 +2943,7 @@ static const struct pid_entry tid_base_s
31200 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
31202 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
31203 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
31204 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
31205 INF("syscall", S_IRUSR, proc_pid_syscall),
31207 INF("cmdline", S_IRUGO, proc_pid_cmdline),
31208 @@ -2946,7 +2970,7 @@ static const struct pid_entry tid_base_s
31209 #ifdef CONFIG_KALLSYMS
31210 INF("wchan", S_IRUGO, proc_pid_wchan),
31212 -#ifdef CONFIG_STACKTRACE
31213 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
31214 ONE("stack", S_IRUSR, proc_pid_stack),
31216 #ifdef CONFIG_SCHEDSTATS
31217 diff -urNp linux-2.6.33/fs/proc/cmdline.c linux-2.6.33/fs/proc/cmdline.c
31218 --- linux-2.6.33/fs/proc/cmdline.c 2010-02-24 13:52:17.000000000 -0500
31219 +++ linux-2.6.33/fs/proc/cmdline.c 2010-03-07 12:23:36.097602735 -0500
31220 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
31222 static int __init proc_cmdline_init(void)
31224 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
31225 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
31227 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
31231 module_init(proc_cmdline_init);
31232 diff -urNp linux-2.6.33/fs/proc/devices.c linux-2.6.33/fs/proc/devices.c
31233 --- linux-2.6.33/fs/proc/devices.c 2010-02-24 13:52:17.000000000 -0500
31234 +++ linux-2.6.33/fs/proc/devices.c 2010-03-07 12:23:36.097602735 -0500
31235 @@ -64,7 +64,11 @@ static const struct file_operations proc
31237 static int __init proc_devices_init(void)
31239 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
31240 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
31242 proc_create("devices", 0, NULL, &proc_devinfo_operations);
31246 module_init(proc_devices_init);
31247 diff -urNp linux-2.6.33/fs/proc/inode.c linux-2.6.33/fs/proc/inode.c
31248 --- linux-2.6.33/fs/proc/inode.c 2010-02-24 13:52:17.000000000 -0500
31249 +++ linux-2.6.33/fs/proc/inode.c 2010-03-07 12:23:36.097602735 -0500
31250 @@ -434,7 +434,11 @@ struct inode *proc_get_inode(struct supe
31252 inode->i_mode = de->mode;
31253 inode->i_uid = de->uid;
31254 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
31255 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
31257 inode->i_gid = de->gid;
31261 inode->i_size = de->size;
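Review bot: With CONFIG_GRKERNSEC_PROC_USERGROUP set, every inode built by proc_get_inode() receives `CONFIG_GRKERNSEC_PROC_GID`, and the group recorded in the entry (`de->gid`) is discarded. An entry registered with group permission bits meant for a different group would then grant those bits to members of the configured group instead. If only default-owned entries are meant to change, the override could be limited to them, for example `inode->i_gid = de->gid ? de->gid : CONFIG_GRKERNSEC_PROC_GID;`. Either way the intent deserves a comment. The function body continues outside the hunk.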
31262 diff -urNp linux-2.6.33/fs/proc/internal.h linux-2.6.33/fs/proc/internal.h
31263 --- linux-2.6.33/fs/proc/internal.h 2010-02-24 13:52:17.000000000 -0500
31264 +++ linux-2.6.33/fs/proc/internal.h 2010-03-07 12:23:36.097602735 -0500
31266 extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
31267 struct pid *pid, struct task_struct *task);
31269 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
31270 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
31273 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
31275 extern const struct file_operations proc_maps_operations;
31276 diff -urNp linux-2.6.33/fs/proc/Kconfig linux-2.6.33/fs/proc/Kconfig
31277 --- linux-2.6.33/fs/proc/Kconfig 2010-02-24 13:52:17.000000000 -0500
31278 +++ linux-2.6.33/fs/proc/Kconfig 2010-03-07 12:23:36.097602735 -0500
31279 @@ -30,12 +30,12 @@ config PROC_FS
31282 bool "/proc/kcore support" if !ARM
31283 - depends on PROC_FS && MMU
31284 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
31287 bool "/proc/vmcore support (EXPERIMENTAL)"
31288 - depends on PROC_FS && CRASH_DUMP
31290 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
31293 Exports the dump image of crashed kernel in ELF format.
31295 @@ -59,8 +59,8 @@ config PROC_SYSCTL
31298 config PROC_PAGE_MONITOR
31300 - depends on PROC_FS && MMU
31302 + depends on PROC_FS && MMU && !GRKERNSEC
31303 bool "Enable /proc page monitoring" if EMBEDDED
31305 Various /proc files exist to monitor process memory utilization:
31306 diff -urNp linux-2.6.33/fs/proc/kcore.c linux-2.6.33/fs/proc/kcore.c
31307 --- linux-2.6.33/fs/proc/kcore.c 2010-02-24 13:52:17.000000000 -0500
31308 +++ linux-2.6.33/fs/proc/kcore.c 2010-03-07 12:23:36.097602735 -0500
31309 @@ -541,6 +541,9 @@ read_kcore(struct file *file, char __use
31311 static int open_kcore(struct inode *inode, struct file *filp)
31313 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
31316 if (!capable(CAP_SYS_RAWIO))
31318 if (kcore_need_update)
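Review bot: The `#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)` guard in open_kcore() does not match the Kconfig change in this patch, which makes PROC_KCORE depend on `!GRKERNSEC_PROC_ADD` only. Assuming kcore.c is built only when PROC_KCORE is set, the PROC_ADD half of the guard can never be true, while HIDESYM still allows the file to be built and then refuses to open it. Either add HIDESYM to the Kconfig dependency or drop the PROC_ADD term and explain the remaining check in a comment. The statement under the `#if` is not among the lines shown here.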
31319 diff -urNp linux-2.6.33/fs/proc/meminfo.c linux-2.6.33/fs/proc/meminfo.c
31320 --- linux-2.6.33/fs/proc/meminfo.c 2010-02-24 13:52:17.000000000 -0500
31321 +++ linux-2.6.33/fs/proc/meminfo.c 2010-03-07 12:23:36.097602735 -0500
31322 @@ -149,7 +149,7 @@ static int meminfo_proc_show(struct seq_
31324 vmi.largest_chunk >> 10
31325 #ifdef CONFIG_MEMORY_FAILURE
31326 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
31327 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
31331 diff -urNp linux-2.6.33/fs/proc/nommu.c linux-2.6.33/fs/proc/nommu.c
31332 --- linux-2.6.33/fs/proc/nommu.c 2010-02-24 13:52:17.000000000 -0500
31333 +++ linux-2.6.33/fs/proc/nommu.c 2010-03-07 12:23:36.097602735 -0500
31334 @@ -67,7 +67,7 @@ static int nommu_region_show(struct seq_
31337 seq_printf(m, "%*c", len, ' ');
31338 - seq_path(m, &file->f_path, "");
31339 + seq_path(m, &file->f_path, "\n\\");
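Review bot: The new escape set `"\n\\"` has no comment, and the reason for adding the backslash is not obvious from the call. seq_path() writes escaped characters as backslash-octal sequences, so a literal backslash in a file name must be escaped too, or a reader cannot tell it from an escape. I would put `/* escape newline and backslash so a file name cannot forge or alias an output line */` above the call. The same applies to the seq_path() changes in fs/proc/task_mmu.c and fs/proc/task_nommu.c.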
31343 diff -urNp linux-2.6.33/fs/proc/proc_net.c linux-2.6.33/fs/proc/proc_net.c
31344 --- linux-2.6.33/fs/proc/proc_net.c 2010-02-24 13:52:17.000000000 -0500
31345 +++ linux-2.6.33/fs/proc/proc_net.c 2010-03-07 12:23:36.097602735 -0500
31346 @@ -104,6 +104,17 @@ static struct net *get_proc_task_net(str
31347 struct task_struct *task;
31348 struct nsproxy *ns;
31349 struct net *net = NULL;
31350 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31351 + const struct cred *cred = current_cred();
31354 +#ifdef CONFIG_GRKERNSEC_PROC_USER
31357 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31358 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
31363 task = pid_task(proc_pid(dir), PIDTYPE_PID);
31364 diff -urNp linux-2.6.33/fs/proc/proc_sysctl.c linux-2.6.33/fs/proc/proc_sysctl.c
31365 --- linux-2.6.33/fs/proc/proc_sysctl.c 2010-02-24 13:52:17.000000000 -0500
31366 +++ linux-2.6.33/fs/proc/proc_sysctl.c 2010-03-07 12:23:36.097602735 -0500
31368 #include <linux/security.h>
31369 #include "internal.h"
31371 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
31373 static const struct dentry_operations proc_sys_dentry_operations;
31374 static const struct file_operations proc_sys_file_operations;
31375 static const struct inode_operations proc_sys_inode_operations;
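Review bot: The prototype `extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);` is declared inside this .c file, so the compiler never checks it against the definition and a later signature change would go unnoticed. It belongs in a header included by both the definition and this file. The `const` on the by-value `op` parameter has no effect in a declaration and can be dropped there.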
31376 @@ -109,6 +111,9 @@ static struct dentry *proc_sys_lookup(st
31380 + if (gr_handle_sysctl(p, MAY_EXEC))
31383 err = ERR_PTR(-ENOMEM);
31384 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
31386 @@ -228,6 +233,9 @@ static int scan(struct ctl_table_header
31387 if (*pos < file->f_pos)
31390 + if (gr_handle_sysctl(table, 0))
31393 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
31396 @@ -344,6 +352,9 @@ static int proc_sys_getattr(struct vfsmo
31398 return PTR_ERR(head);
31400 + if (table && gr_handle_sysctl(table, MAY_EXEC))
31403 generic_fillattr(inode, stat);
31405 stat->mode = (stat->mode & S_IFMT) | table->mode;
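Review bot: The check added to proc_sys_getattr() sits after `head` has been obtained and validated, as the `return PTR_ERR(head);` context line shows. The statement under the new `if` is not among the lines shown here. If it returns directly, the reference on the sysctl header taken earlier in the function is never released. The early exit should call `sysctl_head_finish(head);` before returning, or jump to the cleanup at the end of the function, which is outside this hunk.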
31406 diff -urNp linux-2.6.33/fs/proc/root.c linux-2.6.33/fs/proc/root.c
31407 --- linux-2.6.33/fs/proc/root.c 2010-02-24 13:52:17.000000000 -0500
31408 +++ linux-2.6.33/fs/proc/root.c 2010-03-07 12:23:36.097602735 -0500
31409 @@ -134,7 +134,15 @@ void __init proc_root_init(void)
31410 #ifdef CONFIG_PROC_DEVICETREE
31411 proc_device_tree_init();
31413 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
31414 +#ifdef CONFIG_GRKERNSEC_PROC_USER
31415 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
31416 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31417 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
31420 proc_mkdir("bus", NULL);
31425 diff -urNp linux-2.6.33/fs/proc/task_mmu.c linux-2.6.33/fs/proc/task_mmu.c
31426 --- linux-2.6.33/fs/proc/task_mmu.c 2010-02-24 13:52:17.000000000 -0500
31427 +++ linux-2.6.33/fs/proc/task_mmu.c 2010-03-07 12:23:36.097602735 -0500
31428 @@ -46,15 +46,26 @@ void task_mem(struct seq_file *m, struct
31429 "VmStk:\t%8lu kB\n"
31430 "VmExe:\t%8lu kB\n"
31431 "VmLib:\t%8lu kB\n"
31432 - "VmPTE:\t%8lu kB\n",
31433 - hiwater_vm << (PAGE_SHIFT-10),
31434 + "VmPTE:\t%8lu kB\n"
31436 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
31437 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
31440 + ,hiwater_vm << (PAGE_SHIFT-10),
31441 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
31442 mm->locked_vm << (PAGE_SHIFT-10),
31443 hiwater_rss << (PAGE_SHIFT-10),
31444 total_rss << (PAGE_SHIFT-10),
31445 data << (PAGE_SHIFT-10),
31446 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
31447 - (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
31448 + (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
31450 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
31451 + , mm->context.user_cs_base, mm->context.user_cs_limit
31457 unsigned long task_vsize(struct mm_struct *mm)
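Review bot: The new CsBase/CsLim fields print `mm->context.user_cs_base` and `mm->context.user_cs_limit` unconditionally. The other address-bearing /proc outputs touched by this patch (stat, maps, smaps) are blanked through PAX_RAND_FLAGS() when the reader is looking at another task's randomised mm. If these values track the executable region, as the names suggest, they should be gated the same way, e.g. `, PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_base`. The macro is currently defined further down in this file and only under CONFIG_GRKERNSEC_PROC_MEMMAP, so it would have to move. The `%8lx` conversions also assume both fields are `unsigned long`, which is not visible here.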
31458 @@ -199,6 +210,12 @@ static int do_maps_open(struct inode *in
31462 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31463 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
31464 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
31465 + _mm->pax_flags & MF_PAX_SEGMEXEC))
31468 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
31470 struct mm_struct *mm = vma->vm_mm;
31471 @@ -217,13 +234,22 @@ static void show_map_vma(struct seq_file
31474 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
31475 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31476 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
31477 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
31482 flags & VM_READ ? 'r' : '-',
31483 flags & VM_WRITE ? 'w' : '-',
31484 flags & VM_EXEC ? 'x' : '-',
31485 flags & VM_MAYSHARE ? 's' : 'p',
31486 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31487 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
31491 MAJOR(dev), MINOR(dev), ino, &len);
31494 @@ -232,16 +258,16 @@ static void show_map_vma(struct seq_file
31497 pad_len_spaces(m, len);
31498 - seq_path(m, &file->f_path, "\n");
31499 + seq_path(m, &file->f_path, "\n\\");
31501 const char *name = arch_vma_name(vma);
31504 - if (vma->vm_start <= mm->start_brk &&
31505 - vma->vm_end >= mm->brk) {
31506 + if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
31508 - } else if (vma->vm_start <= mm->start_stack &&
31509 - vma->vm_end >= mm->start_stack) {
31510 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
31511 + (vma->vm_start <= mm->start_stack &&
31512 + vma->vm_end >= mm->start_stack)) {
31515 unsigned long stack_start;
31516 @@ -402,9 +428,16 @@ static int show_smap(struct seq_file *m,
31519 memset(&mss, 0, sizeof mss);
31521 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
31522 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
31524 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31525 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
31528 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
31529 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
31530 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31534 show_map_vma(m, vma);
31536 @@ -420,7 +453,11 @@ static int show_smap(struct seq_file *m,
31538 "KernelPageSize: %8lu kB\n"
31539 "MMUPageSize: %8lu kB\n",
31540 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31541 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
31543 (vma->vm_end - vma->vm_start) >> 10,
31545 mss.resident >> 10,
31546 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
31547 mss.shared_clean >> 10,
31548 diff -urNp linux-2.6.33/fs/proc/task_nommu.c linux-2.6.33/fs/proc/task_nommu.c
31549 --- linux-2.6.33/fs/proc/task_nommu.c 2010-02-24 13:52:17.000000000 -0500
31550 +++ linux-2.6.33/fs/proc/task_nommu.c 2010-03-07 12:23:36.097602735 -0500
31551 @@ -50,7 +50,7 @@ void task_mem(struct seq_file *m, struct
31553 bytes += kobjsize(mm);
31555 - if (current->fs && current->fs->users > 1)
31556 + if (current->fs && atomic_read(¤t->fs->users) > 1)
31557 sbytes += kobjsize(current->fs);
31559 bytes += kobjsize(current->fs);
31560 @@ -158,7 +158,7 @@ static int nommu_vma_show(struct seq_fil
31563 seq_printf(m, "%*c", len, ' ');
31564 - seq_path(m, &file->f_path, "");
31565 + seq_path(m, &file->f_path, "\n\\");
31569 diff -urNp linux-2.6.33/fs/readdir.c linux-2.6.33/fs/readdir.c
31570 --- linux-2.6.33/fs/readdir.c 2010-02-24 13:52:17.000000000 -0500
31571 +++ linux-2.6.33/fs/readdir.c 2010-03-07 12:23:36.097602735 -0500
31573 #include <linux/security.h>
31574 #include <linux/syscalls.h>
31575 #include <linux/unistd.h>
31576 +#include <linux/namei.h>
31578 #include <asm/uaccess.h>
31580 @@ -67,6 +68,7 @@ struct old_linux_dirent {
31582 struct readdir_callback {
31583 struct old_linux_dirent __user * dirent;
31584 + struct file * file;
31588 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
31589 buf->result = -EOVERFLOW;
31593 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
31597 dirent = buf->dirent;
31598 if (!access_ok(VERIFY_WRITE, dirent,
31599 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
31602 buf.dirent = dirent;
31605 error = vfs_readdir(file, fillonedir, &buf);
31607 @@ -142,6 +149,7 @@ struct linux_dirent {
31608 struct getdents_callback {
31609 struct linux_dirent __user * current_dir;
31610 struct linux_dirent __user * previous;
31611 + struct file * file;
31615 @@ -162,6 +170,10 @@ static int filldir(void * __buf, const c
31616 buf->error = -EOVERFLOW;
31620 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
31623 dirent = buf->previous;
31625 if (__put_user(offset, &dirent->d_off))
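Review bot: The entry filter added to filldir() runs after `buf->error` has already been set to a failure value. The filldir64() hunk shows the `buf->error = -EINVAL; /* only used if we fail.. */` context line just above the same added check. The statement under the new `if` is not shown; if it returns 0 to skip the entry, a call in which every remaining entry is filtered leaves `buf->error` negative and `buf->previous` NULL. getdents would then appear to report an error instead of end-of-directory. Clearing the field on the skip path, `buf->error = 0;` before the return, would keep a fully filtered batch looking like an empty one.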
31626 @@ -209,6 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
31627 buf.previous = NULL;
31632 error = vfs_readdir(file, filldir, &buf);
31634 @@ -228,6 +241,7 @@ out:
31635 struct getdents_callback64 {
31636 struct linux_dirent64 __user * current_dir;
31637 struct linux_dirent64 __user * previous;
31638 + struct file *file;
31642 @@ -242,6 +256,10 @@ static int filldir64(void * __buf, const
31643 buf->error = -EINVAL; /* only used if we fail.. */
31644 if (reclen > buf->count)
31647 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
31650 dirent = buf->previous;
31652 if (__put_user(offset, &dirent->d_off))
31653 @@ -289,6 +307,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
31655 buf.current_dir = dirent;
31656 buf.previous = NULL;
31661 diff -urNp linux-2.6.33/fs/reiserfs/do_balan.c linux-2.6.33/fs/reiserfs/do_balan.c
31662 --- linux-2.6.33/fs/reiserfs/do_balan.c 2010-02-24 13:52:17.000000000 -0500
31663 +++ linux-2.6.33/fs/reiserfs/do_balan.c 2010-03-07 12:23:36.097602735 -0500
31664 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
31668 - atomic_inc(&(fs_generation(tb->tb_sb)));
31669 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
31670 do_balance_starts(tb);
31672 /* balance leaf returns 0 except if combining L R and S into
31673 diff -urNp linux-2.6.33/fs/reiserfs/item_ops.c linux-2.6.33/fs/reiserfs/item_ops.c
31674 --- linux-2.6.33/fs/reiserfs/item_ops.c 2010-02-24 13:52:17.000000000 -0500
31675 +++ linux-2.6.33/fs/reiserfs/item_ops.c 2010-03-07 12:23:36.097602735 -0500
31676 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
31677 vi->vi_index, vi->vi_type, vi->vi_ih);
31680 -static struct item_operations stat_data_ops = {
31681 +static const struct item_operations stat_data_ops = {
31682 .bytes_number = sd_bytes_number,
31683 .decrement_key = sd_decrement_key,
31684 .is_left_mergeable = sd_is_left_mergeable,
31685 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
31686 vi->vi_index, vi->vi_type, vi->vi_ih);
31689 -static struct item_operations direct_ops = {
31690 +static const struct item_operations direct_ops = {
31691 .bytes_number = direct_bytes_number,
31692 .decrement_key = direct_decrement_key,
31693 .is_left_mergeable = direct_is_left_mergeable,
31694 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
31695 vi->vi_index, vi->vi_type, vi->vi_ih);
31698 -static struct item_operations indirect_ops = {
31699 +static const struct item_operations indirect_ops = {
31700 .bytes_number = indirect_bytes_number,
31701 .decrement_key = indirect_decrement_key,
31702 .is_left_mergeable = indirect_is_left_mergeable,
31703 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
31707 -static struct item_operations direntry_ops = {
31708 +static const struct item_operations direntry_ops = {
31709 .bytes_number = direntry_bytes_number,
31710 .decrement_key = direntry_decrement_key,
31711 .is_left_mergeable = direntry_is_left_mergeable,
31712 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
31713 "Invalid item type observed, run fsck ASAP");
31716 -static struct item_operations errcatch_ops = {
31717 +static const struct item_operations errcatch_ops = {
31718 errcatch_bytes_number,
31719 errcatch_decrement_key,
31720 errcatch_is_left_mergeable,
31721 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
31722 #error Item types must use disk-format assigned values.
31725 -struct item_operations *item_ops[TYPE_ANY + 1] = {
31726 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
31730 diff -urNp linux-2.6.33/fs/reiserfs/procfs.c linux-2.6.33/fs/reiserfs/procfs.c
31731 --- linux-2.6.33/fs/reiserfs/procfs.c 2010-02-24 13:52:17.000000000 -0500
31732 +++ linux-2.6.33/fs/reiserfs/procfs.c 2010-03-07 12:23:36.101714273 -0500
31733 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
31734 "SMALL_TAILS " : "NO_TAILS ",
31735 replay_only(sb) ? "REPLAY_ONLY " : "",
31736 convert_reiserfs(sb) ? "CONV " : "",
31737 - atomic_read(&r->s_generation_counter),
31738 + atomic_read_unchecked(&r->s_generation_counter),
31739 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
31740 SF(s_do_balance), SF(s_unneeded_left_neighbor),
31741 SF(s_good_search_by_key_reada), SF(s_bmaps),
31742 diff -urNp linux-2.6.33/fs/select.c linux-2.6.33/fs/select.c
31743 --- linux-2.6.33/fs/select.c 2010-02-24 13:52:17.000000000 -0500
31744 +++ linux-2.6.33/fs/select.c 2010-03-07 12:23:36.101714273 -0500
31746 #include <linux/module.h>
31747 #include <linux/slab.h>
31748 #include <linux/poll.h>
31749 +#include <linux/security.h>
31750 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
31751 #include <linux/file.h>
31752 #include <linux/fdtable.h>
31753 @@ -821,6 +822,7 @@ int do_sys_poll(struct pollfd __user *uf
31754 struct poll_list *walk = head;
31755 unsigned long todo = nfds;
31757 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
31758 if (nfds > current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
31761 diff -urNp linux-2.6.33/fs/seq_file.c linux-2.6.33/fs/seq_file.c
31762 --- linux-2.6.33/fs/seq_file.c 2010-02-24 13:52:17.000000000 -0500
31763 +++ linux-2.6.33/fs/seq_file.c 2010-03-07 12:23:36.101714273 -0500
31764 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
31768 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
31769 + m->size = PAGE_SIZE;
31770 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
31774 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
31778 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
31780 + m->buf = kmalloc(m->size, GFP_KERNEL);
31781 return !m->buf ? -ENOMEM : -EAGAIN;
31784 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
31785 m->version = file->f_version;
31786 /* grab buffer if we didn't have one */
31788 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
31789 + m->size = PAGE_SIZE;
31790 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
31794 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
31798 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
31800 + m->buf = kmalloc(m->size, GFP_KERNEL);
31804 diff -urNp linux-2.6.33/fs/smbfs/symlink.c linux-2.6.33/fs/smbfs/symlink.c
31805 --- linux-2.6.33/fs/smbfs/symlink.c 2010-02-24 13:52:17.000000000 -0500
31806 +++ linux-2.6.33/fs/smbfs/symlink.c 2010-03-07 12:23:36.101714273 -0500
31807 @@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
31809 static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
31811 - char *s = nd_get_link(nd);
31812 + const char *s = nd_get_link(nd);
31816 diff -urNp linux-2.6.33/fs/splice.c linux-2.6.33/fs/splice.c
31817 --- linux-2.6.33/fs/splice.c 2010-02-24 13:52:17.000000000 -0500
31818 +++ linux-2.6.33/fs/splice.c 2010-03-07 12:23:36.101714273 -0500
31819 @@ -185,7 +185,7 @@ ssize_t splice_to_pipe(struct pipe_inode
31823 - if (!pipe->readers) {
31824 + if (!atomic_read(&pipe->readers)) {
31825 send_sig(SIGPIPE, current, 0);
31828 @@ -239,9 +239,9 @@ ssize_t splice_to_pipe(struct pipe_inode
31832 - pipe->waiting_writers++;
31833 + atomic_inc(&pipe->waiting_writers);
31835 - pipe->waiting_writers--;
31836 + atomic_dec(&pipe->waiting_writers);
31840 @@ -531,7 +531,7 @@ static ssize_t kernel_readv(struct file
31843 /* The cast to a user pointer is valid due to the set_fs() */
31844 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
31845 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
31849 @@ -546,7 +546,7 @@ static ssize_t kernel_write(struct file
31852 /* The cast to a user pointer is valid due to the set_fs() */
31853 - res = vfs_write(file, (const char __user *)buf, count, &pos);
31854 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
31858 @@ -588,7 +588,7 @@ ssize_t default_file_splice_read(struct
31861 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
31862 - vec[i].iov_base = (void __user *) page_address(page);
31863 + vec[i].iov_base = (__force void __user *) page_address(page);
31864 vec[i].iov_len = this_len;
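Review bot: The `__force` cast on `vec[i].iov_base` in default_file_splice_read has no comment saying why a kernel page address may be tagged `__user`, unlike the two casts in kernel_readv and kernel_write, which both carry "The cast to a user pointer is valid due to the set_fs()". Because `__force` silences the sparse address-space warning that would otherwise flag this line, the justification should sit next to it, for example `/* kernel address: only valid because kernel_readv() runs under set_fs(); never pass vec to a path that does not */`. That the vector is consumed by kernel_readv is inferred from the surrounding hunks, since the function body continues outside this one.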
31867 @@ -810,10 +810,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
31868 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
31870 while (!pipe->nrbufs) {
31871 - if (!pipe->writers)
31872 + if (!atomic_read(&pipe->writers))
31875 - if (!pipe->waiting_writers && sd->num_spliced)
31876 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
31879 if (sd->flags & SPLICE_F_NONBLOCK)
31880 @@ -1150,7 +1150,7 @@ ssize_t splice_direct_to_actor(struct fi
31881 * out of the pipe right after the splice_to_pipe(). So set
31882 * PIPE_READERS appropriately.
31884 - pipe->readers = 1;
31885 + atomic_set(&pipe->readers, 1);
31887 current->splice_pipe = pipe;
31889 @@ -1710,9 +1710,9 @@ static int ipipe_prep(struct pipe_inode_
31890 ret = -ERESTARTSYS;
31893 - if (!pipe->writers)
31894 + if (!atomic_read(&pipe->writers))
31896 - if (!pipe->waiting_writers) {
31897 + if (!atomic_read(&pipe->waiting_writers)) {
31898 if (flags & SPLICE_F_NONBLOCK) {
31901 @@ -1744,7 +1744,7 @@ static int opipe_prep(struct pipe_inode_
31904 while (pipe->nrbufs >= PIPE_BUFFERS) {
31905 - if (!pipe->readers) {
31906 + if (!atomic_read(&pipe->readers)) {
31907 send_sig(SIGPIPE, current, 0);
31910 @@ -1757,9 +1757,9 @@ static int opipe_prep(struct pipe_inode_
31911 ret = -ERESTARTSYS;
31914 - pipe->waiting_writers++;
31915 + atomic_inc(&pipe->waiting_writers);
31917 - pipe->waiting_writers--;
31918 + atomic_dec(&pipe->waiting_writers);
31922 @@ -1795,14 +1795,14 @@ retry:
31923 pipe_double_lock(ipipe, opipe);
31926 - if (!opipe->readers) {
31927 + if (!atomic_read(&opipe->readers)) {
31928 send_sig(SIGPIPE, current, 0);
31934 - if (!ipipe->nrbufs && !ipipe->writers)
31935 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
31939 @@ -1902,7 +1902,7 @@ static int link_pipe(struct pipe_inode_i
31940 pipe_double_lock(ipipe, opipe);
31943 - if (!opipe->readers) {
31944 + if (!atomic_read(&opipe->readers)) {
31945 send_sig(SIGPIPE, current, 0);
31948 @@ -1947,7 +1947,7 @@ static int link_pipe(struct pipe_inode_i
31949 * return EAGAIN if we have the potential of some data in the
31950 * future, otherwise just return 0
31952 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
31953 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
31956 pipe_unlock(ipipe);
31957 diff -urNp linux-2.6.33/fs/sysfs/file.c linux-2.6.33/fs/sysfs/file.c
31958 --- linux-2.6.33/fs/sysfs/file.c 2010-02-24 13:52:17.000000000 -0500
31959 +++ linux-2.6.33/fs/sysfs/file.c 2010-03-07 12:23:36.101714273 -0500
31960 @@ -53,7 +53,7 @@ struct sysfs_buffer {
31964 - struct sysfs_ops * ops;
31965 + const struct sysfs_ops * ops;
31966 struct mutex mutex;
31967 int needs_read_fill;
31969 @@ -75,7 +75,7 @@ static int fill_read_buffer(struct dentr
31971 struct sysfs_dirent *attr_sd = dentry->d_fsdata;
31972 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
31973 - struct sysfs_ops * ops = buffer->ops;
31974 + const struct sysfs_ops * ops = buffer->ops;
31978 @@ -199,7 +199,7 @@ flush_write_buffer(struct dentry * dentr
31980 struct sysfs_dirent *attr_sd = dentry->d_fsdata;
31981 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
31982 - struct sysfs_ops * ops = buffer->ops;
31983 + const struct sysfs_ops * ops = buffer->ops;
31986 /* need attr_sd for attr and ops, its parent for kobj */
31987 @@ -335,7 +335,7 @@ static int sysfs_open_file(struct inode
31988 struct sysfs_dirent *attr_sd = file->f_path.dentry->d_fsdata;
31989 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
31990 struct sysfs_buffer *buffer;
31991 - struct sysfs_ops *ops;
31992 + const struct sysfs_ops *ops;
31993 int error = -EACCES;
31996 diff -urNp linux-2.6.33/fs/sysfs/symlink.c linux-2.6.33/fs/sysfs/symlink.c
31997 --- linux-2.6.33/fs/sysfs/symlink.c 2010-02-24 13:52:17.000000000 -0500
31998 +++ linux-2.6.33/fs/sysfs/symlink.c 2010-03-07 12:23:36.101714273 -0500
31999 @@ -204,7 +204,7 @@ static void *sysfs_follow_link(struct de
32001 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
32003 - char *page = nd_get_link(nd);
32004 + const char *page = nd_get_link(nd);
32006 free_page((unsigned long)page);
32008 diff -urNp linux-2.6.33/fs/udf/balloc.c linux-2.6.33/fs/udf/balloc.c
32009 --- linux-2.6.33/fs/udf/balloc.c 2010-02-24 13:52:17.000000000 -0500
32010 +++ linux-2.6.33/fs/udf/balloc.c 2010-03-07 12:23:36.101714273 -0500
32011 @@ -172,9 +172,7 @@ static void udf_bitmap_free_blocks(struc
32013 mutex_lock(&sbi->s_alloc_mutex);
32014 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
32015 - if (bloc->logicalBlockNum < 0 ||
32016 - (bloc->logicalBlockNum + count) >
32017 - partmap->s_partition_len) {
32018 + if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
32019 udf_debug("%d < %d || %d + %d > %d\n",
32020 bloc->logicalBlockNum, 0, bloc->logicalBlockNum,
32021 count, partmap->s_partition_len);
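Review bot: The remaining bound check `(bloc->logicalBlockNum + count) > partmap->s_partition_len` can wrap if both operands are unsigned 32-bit values, as the removal of the `< 0` test suggests for logicalBlockNum; a sum that wraps becomes small and passes the check. The block address presumably originates from on-disk metadata, so the test should reject the wrap as well, e.g. `if (bloc->logicalBlockNum + count < count || (bloc->logicalBlockNum + count) > partmap->s_partition_len) {`. The udf_debug format string still prints the dropped `%d < %d` comparison and uses `%d` for what appear to be unsigned values, so it should be updated to match the new condition. The same points apply to the identical hunk in udf_table_free_blocks at -436. Both function bodies continue outside their hunks.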
32022 @@ -436,9 +434,7 @@ static void udf_table_free_blocks(struct
32024 mutex_lock(&sbi->s_alloc_mutex);
32025 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
32026 - if (bloc->logicalBlockNum < 0 ||
32027 - (bloc->logicalBlockNum + count) >
32028 - partmap->s_partition_len) {
32029 + if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
32030 udf_debug("%d < %d || %d + %d > %d\n",
32031 bloc->logicalBlockNum, 0, bloc->logicalBlockNum, count,
32032 partmap->s_partition_len);
32033 diff -urNp linux-2.6.33/fs/utimes.c linux-2.6.33/fs/utimes.c
32034 --- linux-2.6.33/fs/utimes.c 2010-02-24 13:52:17.000000000 -0500
32035 +++ linux-2.6.33/fs/utimes.c 2010-03-07 12:23:36.101714273 -0500
32037 #include <linux/compiler.h>
32038 #include <linux/file.h>
32039 #include <linux/fs.h>
32040 +#include <linux/security.h>
32041 #include <linux/linkage.h>
32042 #include <linux/mount.h>
32043 #include <linux/namei.h>
32044 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
32045 goto mnt_drop_write_and_out;
32049 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
32051 + goto mnt_drop_write_and_out;
32054 mutex_lock(&inode->i_mutex);
32055 error = notify_change(path->dentry, &newattrs);
32056 mutex_unlock(&inode->i_mutex);
32057 diff -urNp linux-2.6.33/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.33/fs/xfs/linux-2.6/xfs_ioctl.c
32058 --- linux-2.6.33/fs/xfs/linux-2.6/xfs_ioctl.c 2010-02-24 13:52:17.000000000 -0500
32059 +++ linux-2.6.33/fs/xfs/linux-2.6/xfs_ioctl.c 2010-03-07 12:23:36.101714273 -0500
32060 @@ -135,7 +135,7 @@ xfs_find_handle(
32064 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
32065 + if (hsize > sizeof(handle) || copy_to_user(hreq->ohandle, &handle, hsize) ||
32066 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
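Review bot: The added `hsize > sizeof(handle)` test is the only thing keeping copy_to_user() from reading past the `handle` object, but it is folded into the copy-failure condition with no comment, so an oversized length is reported through the same branch as a faulting user pointer. A one-line comment above the `if` would record the intent, for example `/* never copy out more than the handle object itself */`. If the length can only exceed the object through a kernel-side bug, a separate check with its own error code would make that case distinguishable in logs. xfs_find_handle starts and ends outside the hunk, so how `hsize` is derived is not visible here.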
32069 diff -urNp linux-2.6.33/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.33/fs/xfs/linux-2.6/xfs_iops.c
32070 --- linux-2.6.33/fs/xfs/linux-2.6/xfs_iops.c 2010-02-24 13:52:17.000000000 -0500
32071 +++ linux-2.6.33/fs/xfs/linux-2.6/xfs_iops.c 2010-03-07 12:23:36.101714273 -0500
32072 @@ -469,7 +469,7 @@ xfs_vn_put_link(
32073 struct nameidata *nd,
32076 - char *s = nd_get_link(nd);
32077 + const char *s = nd_get_link(nd);
32081 diff -urNp linux-2.6.33/fs/xfs/xfs_bmap.c linux-2.6.33/fs/xfs/xfs_bmap.c
32082 --- linux-2.6.33/fs/xfs/xfs_bmap.c 2010-02-24 13:52:17.000000000 -0500
32083 +++ linux-2.6.33/fs/xfs/xfs_bmap.c 2010-03-07 12:23:36.101714273 -0500
32084 @@ -296,7 +296,7 @@ xfs_bmap_validate_ret(
32088 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
32089 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
32093 diff -urNp linux-2.6.33/grsecurity/gracl_alloc.c linux-2.6.33/grsecurity/gracl_alloc.c
32094 --- linux-2.6.33/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
32095 +++ linux-2.6.33/grsecurity/gracl_alloc.c 2010-03-07 12:23:36.101714273 -0500
32097 +#include <linux/kernel.h>
32098 +#include <linux/mm.h>
32099 +#include <linux/slab.h>
32100 +#include <linux/vmalloc.h>
32101 +#include <linux/gracl.h>
32102 +#include <linux/grsecurity.h>
32104 +static unsigned long alloc_stack_next = 1;
32105 +static unsigned long alloc_stack_size = 1;
32106 +static void **alloc_stack;
32108 +static __inline__ int
32111 + if (alloc_stack_next == 1)
32114 + kfree(alloc_stack[alloc_stack_next - 2]);
32116 + alloc_stack_next--;
32121 +static __inline__ int
32122 +alloc_push(void *buf)
32124 + if (alloc_stack_next >= alloc_stack_size)
32127 + alloc_stack[alloc_stack_next - 1] = buf;
32129 + alloc_stack_next++;
32135 +acl_alloc(unsigned long len)
32137 + void *ret = NULL;
32139 + if (!len || len > PAGE_SIZE)
32142 + ret = kmalloc(len, GFP_KERNEL);
32145 + if (alloc_push(ret)) {
32156 +acl_alloc_num(unsigned long num, unsigned long len)
32158 + if (!len || (num > (PAGE_SIZE / len)))
32161 + return acl_alloc(num * len);
32165 +acl_free_all(void)
32167 + if (gr_acl_is_enabled() || !alloc_stack)
32170 + while (alloc_pop()) ;
32172 + if (alloc_stack) {
32173 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
32174 + kfree(alloc_stack);
32176 + vfree(alloc_stack);
32179 + alloc_stack = NULL;
32180 + alloc_stack_size = 1;
32181 + alloc_stack_next = 1;
32187 +acl_alloc_stack_init(unsigned long size)
32189 + if ((size * sizeof (void *)) <= PAGE_SIZE)
32191 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
32193 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
32195 + alloc_stack_size = size;
32197 + if (!alloc_stack)
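Review bot: In acl_alloc_stack_init the product `size * sizeof (void *)` is computed without an overflow check, and `alloc_stack_size` is then set to the unwrapped `size`. Where `unsigned long` is 32 bits, a large `size` would wrap to a small allocation, and alloc_push's only guard, `alloc_stack_next >= alloc_stack_size`, would then permit stores past the end of `alloc_stack`. acl_alloc_num in the same file already guards its multiplication with `num > (PAGE_SIZE / len)`; the matching guard here would be `if (size > ULONG_MAX / sizeof (void *)) return 0;` ahead of the allocation, with `alloc_stack_size = size;` moved after the `!alloc_stack` test. The caller in gracl.c builds the argument as `arg->role_db.num_pointers + 5`, which can itself wrap and should be range-checked there. Several lines of this file are missing from the page, so the return paths are inferred from the `!acl_alloc_stack_init(stacksize)` test in init_variables.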
32202 diff -urNp linux-2.6.33/grsecurity/gracl.c linux-2.6.33/grsecurity/gracl.c
32203 --- linux-2.6.33/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
32204 +++ linux-2.6.33/grsecurity/gracl.c 2010-03-07 12:23:36.105670657 -0500
32206 +#include <linux/kernel.h>
32207 +#include <linux/module.h>
32208 +#include <linux/sched.h>
32209 +#include <linux/mm.h>
32210 +#include <linux/file.h>
32211 +#include <linux/fs.h>
32212 +#include <linux/namei.h>
32213 +#include <linux/mount.h>
32214 +#include <linux/tty.h>
32215 +#include <linux/proc_fs.h>
32216 +#include <linux/smp_lock.h>
32217 +#include <linux/slab.h>
32218 +#include <linux/vmalloc.h>
32219 +#include <linux/types.h>
32220 +#include <linux/sysctl.h>
32221 +#include <linux/netdevice.h>
32222 +#include <linux/ptrace.h>
32223 +#include <linux/gracl.h>
32224 +#include <linux/gralloc.h>
32225 +#include <linux/grsecurity.h>
32226 +#include <linux/grinternal.h>
32227 +#include <linux/pid_namespace.h>
32228 +#include <linux/fdtable.h>
32229 +#include <linux/percpu.h>
32231 +#include <asm/uaccess.h>
32232 +#include <asm/errno.h>
32233 +#include <asm/mman.h>
32235 +static struct acl_role_db acl_role_set;
32236 +static struct name_db name_set;
32237 +static struct inodev_db inodev_set;
32239 +/* for keeping track of userspace pointers used for subjects, so we
32240 + can share references in the kernel as well
32243 +static struct dentry *real_root;
32244 +static struct vfsmount *real_root_mnt;
32246 +static struct acl_subj_map_db subj_map_set;
32248 +static struct acl_role_label *default_role;
32250 +static struct acl_role_label *role_list;
32252 +static u16 acl_sp_role_value;
32254 +extern char *gr_shared_page[4];
32255 +static DECLARE_MUTEX(gr_dev_sem);
32256 +DEFINE_RWLOCK(gr_inode_lock);
32258 +struct gr_arg *gr_usermode;
32260 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
32262 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
32263 +extern void gr_clear_learn_entries(void);
32265 +#ifdef CONFIG_GRKERNSEC_RESLOG
32266 +extern void gr_log_resource(const struct task_struct *task,
32267 + const int res, const unsigned long wanted, const int gt);
32270 +unsigned char *gr_system_salt;
32271 +unsigned char *gr_system_sum;
32273 +static struct sprole_pw **acl_special_roles = NULL;
32274 +static __u16 num_sprole_pws = 0;
32276 +static struct acl_role_label *kernel_role = NULL;
32278 +static unsigned int gr_auth_attempts = 0;
32279 +static unsigned long gr_auth_expires = 0UL;
32281 +extern struct vfsmount *sock_mnt;
32282 +extern struct vfsmount *pipe_mnt;
32283 +extern struct vfsmount *shm_mnt;
32284 +static struct acl_object_label *fakefs_obj;
32286 +extern int gr_init_uidset(void);
32287 +extern void gr_free_uidset(void);
32288 +extern void gr_remove_uid(uid_t uid);
32289 +extern int gr_find_uid(uid_t uid);
32292 +gr_acl_is_enabled(void)
32294 + return (gr_status & GR_READY);
32297 +char gr_roletype_to_char(void)
32299 + switch (current->role->roletype &
32300 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
32301 + GR_ROLE_SPECIAL)) {
32302 + case GR_ROLE_DEFAULT:
32304 + case GR_ROLE_USER:
32306 + case GR_ROLE_GROUP:
32308 + case GR_ROLE_SPECIAL:
32316 +gr_acl_tpe_check(void)
32318 + if (unlikely(!(gr_status & GR_READY)))
32320 + if (current->role->roletype & GR_ROLE_TPE)
32327 +gr_handle_rawio(const struct inode *inode)
32329 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
32330 + if (inode && S_ISBLK(inode->i_mode) &&
32331 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
32332 + !capable(CAP_SYS_RAWIO))
32339 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
32342 + unsigned long *l1;
32343 + unsigned long *l2;
32344 + unsigned char *c1;
32345 + unsigned char *c2;
32348 + if (likely(lena != lenb))
32351 + l1 = (unsigned long *)a;
32352 + l2 = (unsigned long *)b;
32354 + num_longs = lena / sizeof(unsigned long);
32356 + for (i = num_longs; i--; l1++, l2++) {
32357 + if (unlikely(*l1 != *l2))
32361 + c1 = (unsigned char *) l1;
32362 + c2 = (unsigned char *) l2;
32364 + i = lena - (num_longs * sizeof(unsigned long));
32366 + for (; i--; c1++, c2++) {
32367 + if (unlikely(*c1 != *c2))
32374 +static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
32375 + struct dentry *root, struct vfsmount *rootmnt,
32376 + char *buffer, int buflen)
32378 + char * end = buffer+buflen;
32387 + /* Get '/' right */
32392 + struct dentry * parent;
32394 + if (dentry == root && vfsmnt == rootmnt)
32396 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
32397 + /* Global root? */
32398 + spin_lock(&vfsmount_lock);
32399 + if (vfsmnt->mnt_parent == vfsmnt) {
32400 + spin_unlock(&vfsmount_lock);
32401 + goto global_root;
32403 + dentry = vfsmnt->mnt_mountpoint;
32404 + vfsmnt = vfsmnt->mnt_parent;
32405 + spin_unlock(&vfsmount_lock);
32408 + parent = dentry->d_parent;
32409 + prefetch(parent);
32410 + namelen = dentry->d_name.len;
32411 + buflen -= namelen + 1;
32415 + memcpy(end, dentry->d_name.name, namelen);
32424 + namelen = dentry->d_name.len;
32425 + buflen -= namelen;
32428 + retval -= namelen-1; /* hit the slash */
32429 + memcpy(retval, dentry->d_name.name, namelen);
32432 + return ERR_PTR(-ENAMETOOLONG);
32436 +gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
32437 + struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
32441 + retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
32442 + if (unlikely(IS_ERR(retval)))
32443 + retval = strcpy(buf, "<path too long>");
32444 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
32445 + retval[1] = '\0';
32451 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
32452 + char *buf, int buflen)
32456 + /* we can use real_root, real_root_mnt, because this is only called
32457 + by the RBAC system */
32458 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
32464 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
32465 + char *buf, int buflen)
32468 + struct dentry *root;
32469 + struct vfsmount *rootmnt;
32470 + struct task_struct *reaper = &init_task;
32472 + /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
32473 + read_lock(&reaper->fs->lock);
32474 + root = dget(reaper->fs->root.dentry);
32475 + rootmnt = mntget(reaper->fs->root.mnt);
32476 + read_unlock(&reaper->fs->lock);
32478 + spin_lock(&dcache_lock);
32479 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
32480 + spin_unlock(&dcache_lock);
32488 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
32491 + spin_lock(&dcache_lock);
32492 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
32494 + spin_unlock(&dcache_lock);
32499 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
32501 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
32506 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
32508 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
32513 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
32515 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
32520 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
32522 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
32527 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
32529 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
32534 +to_gr_audit(const __u32 reqmode)
32536 + /* masks off auditable permission flags, then shifts them to create
32537 + auditing flags, and adds the special case of append auditing if
32538 + we're requesting write */
32539 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
32542 +struct acl_subject_label *
32543 +lookup_subject_map(const struct acl_subject_label *userp)
32545 + unsigned int index = shash(userp, subj_map_set.s_size);
32546 + struct subject_map *match;
32548 + match = subj_map_set.s_hash[index];
32550 + while (match && match->user != userp)
32551 + match = match->next;
32553 + if (match != NULL)
32554 + return match->kernel;
32560 +insert_subj_map_entry(struct subject_map *subjmap)
32562 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
32563 + struct subject_map **curr;
32565 + subjmap->prev = NULL;
32567 + curr = &subj_map_set.s_hash[index];
32568 + if (*curr != NULL)
32569 + (*curr)->prev = subjmap;
32571 + subjmap->next = *curr;
32577 +static struct acl_role_label *
32578 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
32581 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
32582 + struct acl_role_label *match;
32583 + struct role_allowed_ip *ipp;
32586 + match = acl_role_set.r_hash[index];
32589 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
32590 + for (x = 0; x < match->domain_child_num; x++) {
32591 + if (match->domain_children[x] == uid)
32594 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
32596 + match = match->next;
32599 + if (match == NULL) {
32601 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
32602 + match = acl_role_set.r_hash[index];
32605 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
32606 + for (x = 0; x < match->domain_child_num; x++) {
32607 + if (match->domain_children[x] == gid)
32610 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
32612 + match = match->next;
32615 + if (match == NULL)
32616 + match = default_role;
32617 + if (match->allowed_ips == NULL)
32620 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
32622 + ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
32623 + (ntohl(ipp->addr) & ipp->netmask)))
32626 + match = default_role;
32628 + } else if (match->allowed_ips == NULL) {
32631 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
32633 + ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
32634 + (ntohl(ipp->addr) & ipp->netmask)))
32643 +struct acl_subject_label *
32644 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
32645 + const struct acl_role_label *role)
32647 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
32648 + struct acl_subject_label *match;
32650 + match = role->subj_hash[index];
32652 + while (match && (match->inode != ino || match->device != dev ||
32653 + (match->mode & GR_DELETED))) {
32654 + match = match->next;
32657 + if (match && !(match->mode & GR_DELETED))
32663 +struct acl_subject_label *
32664 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
32665 + const struct acl_role_label *role)
32667 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
32668 + struct acl_subject_label *match;
32670 + match = role->subj_hash[index];
32672 + while (match && (match->inode != ino || match->device != dev ||
32673 + !(match->mode & GR_DELETED))) {
32674 + match = match->next;
32677 + if (match && (match->mode & GR_DELETED))
32683 +static struct acl_object_label *
32684 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
32685 + const struct acl_subject_label *subj)
32687 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
32688 + struct acl_object_label *match;
32690 + match = subj->obj_hash[index];
32692 + while (match && (match->inode != ino || match->device != dev ||
32693 + (match->mode & GR_DELETED))) {
32694 + match = match->next;
32697 + if (match && !(match->mode & GR_DELETED))
32703 +static struct acl_object_label *
32704 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
32705 + const struct acl_subject_label *subj)
32707 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
32708 + struct acl_object_label *match;
32710 + match = subj->obj_hash[index];
32712 + while (match && (match->inode != ino || match->device != dev ||
32713 + !(match->mode & GR_DELETED))) {
32714 + match = match->next;
32717 + if (match && (match->mode & GR_DELETED))
32720 + match = subj->obj_hash[index];
32722 + while (match && (match->inode != ino || match->device != dev ||
32723 + (match->mode & GR_DELETED))) {
32724 + match = match->next;
32727 + if (match && !(match->mode & GR_DELETED))
32733 +static struct name_entry *
32734 +lookup_name_entry(const char *name)
32736 + unsigned int len = strlen(name);
32737 + unsigned int key = full_name_hash(name, len);
32738 + unsigned int index = key % name_set.n_size;
32739 + struct name_entry *match;
32741 + match = name_set.n_hash[index];
32743 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
32744 + match = match->next;
32749 +static struct name_entry *
32750 +lookup_name_entry_create(const char *name)
32752 + unsigned int len = strlen(name);
32753 + unsigned int key = full_name_hash(name, len);
32754 + unsigned int index = key % name_set.n_size;
32755 + struct name_entry *match;
32757 + match = name_set.n_hash[index];
32759 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
32760 + !match->deleted))
32761 + match = match->next;
32763 + if (match && match->deleted)
32766 + match = name_set.n_hash[index];
32768 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
32770 + match = match->next;
32772 + if (match && !match->deleted)
32778 +static struct inodev_entry *
32779 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
32781 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
32782 + struct inodev_entry *match;
32784 + match = inodev_set.i_hash[index];
32786 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
32787 + match = match->next;
32793 +insert_inodev_entry(struct inodev_entry *entry)
32795 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
32796 + inodev_set.i_size);
32797 + struct inodev_entry **curr;
32799 + entry->prev = NULL;
32801 + curr = &inodev_set.i_hash[index];
32802 + if (*curr != NULL)
32803 + (*curr)->prev = entry;
32805 + entry->next = *curr;
32812 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
32814 + unsigned int index =
32815 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
32816 + struct acl_role_label **curr;
32817 + struct acl_role_label *tmp;
32819 + curr = &acl_role_set.r_hash[index];
32821 + /* if role was already inserted due to domains and already has
32822 + a role in the same bucket as it attached, then we need to
32823 + combine these two buckets
32825 + if (role->next) {
32826 + tmp = role->next;
32827 + while (tmp->next)
32829 + tmp->next = *curr;
32831 + role->next = *curr;
32838 +insert_acl_role_label(struct acl_role_label *role)
32842 + if (role_list == NULL) {
32843 + role_list = role;
32844 + role->prev = NULL;
32846 + role->prev = role_list;
32847 + role_list = role;
32850 + /* used for hash chains */
32851 + role->next = NULL;
32853 + if (role->roletype & GR_ROLE_DOMAIN) {
32854 + for (i = 0; i < role->domain_child_num; i++)
32855 + __insert_acl_role_label(role, role->domain_children[i]);
32857 + __insert_acl_role_label(role, role->uidgid);
32861 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
32863 + struct name_entry **curr, *nentry;
32864 + struct inodev_entry *ientry;
32865 + unsigned int len = strlen(name);
32866 + unsigned int key = full_name_hash(name, len);
32867 + unsigned int index = key % name_set.n_size;
32869 + curr = &name_set.n_hash[index];
32871 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
32872 + curr = &((*curr)->next);
32874 + if (*curr != NULL)
32877 + nentry = acl_alloc(sizeof (struct name_entry));
32878 + if (nentry == NULL)
32880 + ientry = acl_alloc(sizeof (struct inodev_entry));
32881 + if (ientry == NULL)
32883 + ientry->nentry = nentry;
32885 + nentry->key = key;
32886 + nentry->name = name;
32887 + nentry->inode = inode;
32888 + nentry->device = device;
32889 + nentry->len = len;
32890 + nentry->deleted = deleted;
32892 + nentry->prev = NULL;
32893 + curr = &name_set.n_hash[index];
32894 + if (*curr != NULL)
32895 + (*curr)->prev = nentry;
32896 + nentry->next = *curr;
32899 + /* insert us into the table searchable by inode/dev */
32900 + insert_inodev_entry(ientry);
32906 +insert_acl_obj_label(struct acl_object_label *obj,
32907 + struct acl_subject_label *subj)
32909 + unsigned int index =
32910 + fhash(obj->inode, obj->device, subj->obj_hash_size);
32911 + struct acl_object_label **curr;
32914 + obj->prev = NULL;
32916 + curr = &subj->obj_hash[index];
32917 + if (*curr != NULL)
32918 + (*curr)->prev = obj;
32920 + obj->next = *curr;
32927 +insert_acl_subj_label(struct acl_subject_label *obj,
32928 + struct acl_role_label *role)
32930 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
32931 + struct acl_subject_label **curr;
32933 + obj->prev = NULL;
32935 + curr = &role->subj_hash[index];
32936 + if (*curr != NULL)
32937 + (*curr)->prev = obj;
32939 + obj->next = *curr;
32945 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
32948 +create_table(__u32 * len, int elementsize)
32950 + unsigned int table_sizes[] = {
32951 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
32952 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
32953 + 4194301, 8388593, 16777213, 33554393, 67108859
32955 + void *newtable = NULL;
32956 + unsigned int pwr = 0;
32958 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
32959 + table_sizes[pwr] <= *len)
32962 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
32965 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
32967 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
32969 + newtable = vmalloc(table_sizes[pwr] * elementsize);
32971 + *len = table_sizes[pwr];
32977 +init_variables(const struct gr_arg *arg)
32979 + struct task_struct *reaper = &init_task;
32980 + unsigned int stacksize;
32982 + subj_map_set.s_size = arg->role_db.num_subjects;
32983 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
32984 + name_set.n_size = arg->role_db.num_objects;
32985 + inodev_set.i_size = arg->role_db.num_objects;
32987 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
32988 + !name_set.n_size || !inodev_set.i_size)
32991 + if (!gr_init_uidset())
32994 + /* set up the stack that holds allocation info */
32996 + stacksize = arg->role_db.num_pointers + 5;
32998 + if (!acl_alloc_stack_init(stacksize))
33001 + /* grab reference for the real root dentry and vfsmount */
33002 + read_lock(&reaper->fs->lock);
33003 + real_root_mnt = mntget(reaper->fs->root.mnt);
33004 + real_root = dget(reaper->fs->root.dentry);
33005 + read_unlock(&reaper->fs->lock);
33007 + fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
33008 + if (fakefs_obj == NULL)
33010 + fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
33012 + subj_map_set.s_hash =
33013 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
33014 + acl_role_set.r_hash =
33015 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
33016 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
33017 + inodev_set.i_hash =
33018 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
33020 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
33021 + !name_set.n_hash || !inodev_set.i_hash)
33024 + memset(subj_map_set.s_hash, 0,
33025 + sizeof(struct subject_map *) * subj_map_set.s_size);
33026 + memset(acl_role_set.r_hash, 0,
33027 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
33028 + memset(name_set.n_hash, 0,
33029 + sizeof (struct name_entry *) * name_set.n_size);
33030 + memset(inodev_set.i_hash, 0,
33031 + sizeof (struct inodev_entry *) * inodev_set.i_size);
33036 +/* free information not needed after startup
33037 + currently contains user->kernel pointer mappings for subjects
33041 +free_init_variables(void)
33045 + if (subj_map_set.s_hash) {
33046 + for (i = 0; i < subj_map_set.s_size; i++) {
33047 + if (subj_map_set.s_hash[i]) {
33048 + kfree(subj_map_set.s_hash[i]);
33049 + subj_map_set.s_hash[i] = NULL;
33053 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
33055 + kfree(subj_map_set.s_hash);
33057 + vfree(subj_map_set.s_hash);
33064 +free_variables(void)
33066 + struct acl_subject_label *s;
33067 + struct acl_role_label *r;
33068 + struct task_struct *task, *task2;
33071 + gr_clear_learn_entries();
33073 + read_lock(&tasklist_lock);
33074 + do_each_thread(task2, task) {
33075 + task->acl_sp_role = 0;
33076 + task->acl_role_id = 0;
33077 + task->acl = NULL;
33078 + task->role = NULL;
33079 + } while_each_thread(task2, task);
33080 + read_unlock(&tasklist_lock);
33082 + /* release the reference to the real root dentry and vfsmount */
33085 + real_root = NULL;
33086 + if (real_root_mnt)
33087 + mntput(real_root_mnt);
33088 + real_root_mnt = NULL;
33090 + /* free all object hash tables */
33092 + FOR_EACH_ROLE_START(r)
33093 + if (r->subj_hash == NULL)
33095 + FOR_EACH_SUBJECT_START(r, s, x)
33096 + if (s->obj_hash == NULL)
33098 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
33099 + kfree(s->obj_hash);
33101 + vfree(s->obj_hash);
33102 + FOR_EACH_SUBJECT_END(s, x)
33103 + FOR_EACH_NESTED_SUBJECT_START(r, s)
33104 + if (s->obj_hash == NULL)
33106 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
33107 + kfree(s->obj_hash);
33109 + vfree(s->obj_hash);
33110 + FOR_EACH_NESTED_SUBJECT_END(s)
33111 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
33112 + kfree(r->subj_hash);
33114 + vfree(r->subj_hash);
33115 + r->subj_hash = NULL;
33117 + FOR_EACH_ROLE_END(r)
33121 + if (acl_role_set.r_hash) {
33122 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
33124 + kfree(acl_role_set.r_hash);
33126 + vfree(acl_role_set.r_hash);
33128 + if (name_set.n_hash) {
33129 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
33131 + kfree(name_set.n_hash);
33133 + vfree(name_set.n_hash);
33136 + if (inodev_set.i_hash) {
33137 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
33139 + kfree(inodev_set.i_hash);
33141 + vfree(inodev_set.i_hash);
33144 + gr_free_uidset();
33146 + memset(&name_set, 0, sizeof (struct name_db));
33147 + memset(&inodev_set, 0, sizeof (struct inodev_db));
33148 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
33149 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
33151 + default_role = NULL;
33152 + role_list = NULL;
33158 +count_user_objs(struct acl_object_label *userp)
33160 + struct acl_object_label o_tmp;
33164 + if (copy_from_user(&o_tmp, userp,
33165 + sizeof (struct acl_object_label)))
33168 + userp = o_tmp.prev;
33175 +static struct acl_subject_label *
33176 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
33179 +copy_user_glob(struct acl_object_label *obj)
33181 + struct acl_object_label *g_tmp, **guser;
33182 + unsigned int len;
33185 + if (obj->globbed == NULL)
33188 + guser = &obj->globbed;
33190 + g_tmp = (struct acl_object_label *)
33191 + acl_alloc(sizeof (struct acl_object_label));
33192 + if (g_tmp == NULL)
33195 + if (copy_from_user(g_tmp, *guser,
33196 + sizeof (struct acl_object_label)))
33199 + len = strnlen_user(g_tmp->filename, PATH_MAX);
33201 + if (!len || len >= PATH_MAX)
33204 + if ((tmp = (char *) acl_alloc(len)) == NULL)
33207 + if (copy_from_user(tmp, g_tmp->filename, len))
33209 + tmp[len-1] = '\0';
33210 + g_tmp->filename = tmp;
33213 + guser = &(g_tmp->next);
33220 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
33221 + struct acl_role_label *role)
33223 + struct acl_object_label *o_tmp;
33224 + unsigned int len;
33229 + if ((o_tmp = (struct acl_object_label *)
33230 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
33233 + if (copy_from_user(o_tmp, userp,
33234 + sizeof (struct acl_object_label)))
33237 + userp = o_tmp->prev;
33239 + len = strnlen_user(o_tmp->filename, PATH_MAX);
33241 + if (!len || len >= PATH_MAX)
33244 + if ((tmp = (char *) acl_alloc(len)) == NULL)
33247 + if (copy_from_user(tmp, o_tmp->filename, len))
33249 + tmp[len-1] = '\0';
33250 + o_tmp->filename = tmp;
33252 + insert_acl_obj_label(o_tmp, subj);
33253 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
33254 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
33257 + ret = copy_user_glob(o_tmp);
33261 + if (o_tmp->nested) {
33262 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
33263 + if (IS_ERR(o_tmp->nested))
33264 + return PTR_ERR(o_tmp->nested);
33266 + /* insert into nested subject list */
33267 + o_tmp->nested->next = role->hash->first;
33268 + role->hash->first = o_tmp->nested;
33276 +count_user_subjs(struct acl_subject_label *userp)
33278 + struct acl_subject_label s_tmp;
33282 + if (copy_from_user(&s_tmp, userp,
33283 + sizeof (struct acl_subject_label)))
33286 + userp = s_tmp.prev;
33287 + /* do not count nested subjects against this count, since
33288 + they are not included in the hash table, but are
33289 + attached to objects. We have already counted
33290 + the subjects in userspace for the allocation
33293 + if (!(s_tmp.mode & GR_NESTED))
33301 +copy_user_allowedips(struct acl_role_label *rolep)
33303 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
33305 + ruserip = rolep->allowed_ips;
33307 + while (ruserip) {
33310 + if ((rtmp = (struct role_allowed_ip *)
33311 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
33314 + if (copy_from_user(rtmp, ruserip,
33315 + sizeof (struct role_allowed_ip)))
33318 + ruserip = rtmp->prev;
33321 + rtmp->prev = NULL;
33322 + rolep->allowed_ips = rtmp;
33324 + rlast->next = rtmp;
33325 + rtmp->prev = rlast;
33329 + rtmp->next = NULL;
33336 +copy_user_transitions(struct acl_role_label *rolep)
33338 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
33340 + unsigned int len;
33343 + rusertp = rolep->transitions;
33345 + while (rusertp) {
33348 + if ((rtmp = (struct role_transition *)
33349 + acl_alloc(sizeof (struct role_transition))) == NULL)
33352 + if (copy_from_user(rtmp, rusertp,
33353 + sizeof (struct role_transition)))
33356 + rusertp = rtmp->prev;
33358 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
33360 + if (!len || len >= GR_SPROLE_LEN)
33363 + if ((tmp = (char *) acl_alloc(len)) == NULL)
33366 + if (copy_from_user(tmp, rtmp->rolename, len))
33368 + tmp[len-1] = '\0';
33369 + rtmp->rolename = tmp;
33372 + rtmp->prev = NULL;
33373 + rolep->transitions = rtmp;
33375 + rlast->next = rtmp;
33376 + rtmp->prev = rlast;
33380 + rtmp->next = NULL;
33386 +static struct acl_subject_label *
33387 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
33389 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
33390 + unsigned int len;
33393 + struct acl_ip_label **i_tmp, *i_utmp2;
33394 + struct gr_hash_struct ghash;
33395 + struct subject_map *subjmap;
33396 + unsigned int i_num;
33399 + s_tmp = lookup_subject_map(userp);
33401 + /* we've already copied this subject into the kernel, just return
33402 + the reference to it, and don't copy it over again
33407 + if ((s_tmp = (struct acl_subject_label *)
33408 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
33409 + return ERR_PTR(-ENOMEM);
33411 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
33412 + if (subjmap == NULL)
33413 + return ERR_PTR(-ENOMEM);
33415 + subjmap->user = userp;
33416 + subjmap->kernel = s_tmp;
33417 + insert_subj_map_entry(subjmap);
33419 + if (copy_from_user(s_tmp, userp,
33420 + sizeof (struct acl_subject_label)))
33421 + return ERR_PTR(-EFAULT);
33423 + len = strnlen_user(s_tmp->filename, PATH_MAX);
33425 + if (!len || len >= PATH_MAX)
33426 + return ERR_PTR(-EINVAL);
33428 + if ((tmp = (char *) acl_alloc(len)) == NULL)
33429 + return ERR_PTR(-ENOMEM);
33431 + if (copy_from_user(tmp, s_tmp->filename, len))
33432 + return ERR_PTR(-EFAULT);
33433 + tmp[len-1] = '\0';
33434 + s_tmp->filename = tmp;
33436 + if (!strcmp(s_tmp->filename, "/"))
33437 + role->root_label = s_tmp;
33439 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
33440 + return ERR_PTR(-EFAULT);
33442 + /* copy user and group transition tables */
33444 + if (s_tmp->user_trans_num) {
33447 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
33448 + if (uidlist == NULL)
33449 + return ERR_PTR(-ENOMEM);
33450 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
33451 + return ERR_PTR(-EFAULT);
33453 + s_tmp->user_transitions = uidlist;
33456 + if (s_tmp->group_trans_num) {
33459 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
33460 + if (gidlist == NULL)
33461 + return ERR_PTR(-ENOMEM);
33462 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
33463 + return ERR_PTR(-EFAULT);
33465 + s_tmp->group_transitions = gidlist;
33468 + /* set up object hash table */
33469 + num_objs = count_user_objs(ghash.first);
33471 + s_tmp->obj_hash_size = num_objs;
33472 + s_tmp->obj_hash =
33473 + (struct acl_object_label **)
33474 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
33476 + if (!s_tmp->obj_hash)
33477 + return ERR_PTR(-ENOMEM);
33479 + memset(s_tmp->obj_hash, 0,
33480 + s_tmp->obj_hash_size *
33481 + sizeof (struct acl_object_label *));
33483 + /* add in objects */
33484 + err = copy_user_objs(ghash.first, s_tmp, role);
33487 + return ERR_PTR(err);
33489 + /* set pointer for parent subject */
33490 + if (s_tmp->parent_subject) {
33491 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
33493 + if (IS_ERR(s_tmp2))
33496 + s_tmp->parent_subject = s_tmp2;
33499 + /* add in ip acls */
33501 + if (!s_tmp->ip_num) {
33502 + s_tmp->ips = NULL;
33507 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
33508 + sizeof (struct acl_ip_label *));
33511 + return ERR_PTR(-ENOMEM);
33513 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
33514 + *(i_tmp + i_num) =
33515 + (struct acl_ip_label *)
33516 + acl_alloc(sizeof (struct acl_ip_label));
33517 + if (!*(i_tmp + i_num))
33518 + return ERR_PTR(-ENOMEM);
33520 + if (copy_from_user
33521 + (&i_utmp2, s_tmp->ips + i_num,
33522 + sizeof (struct acl_ip_label *)))
33523 + return ERR_PTR(-EFAULT);
33525 + if (copy_from_user
33526 + (*(i_tmp + i_num), i_utmp2,
33527 + sizeof (struct acl_ip_label)))
33528 + return ERR_PTR(-EFAULT);
33530 + if ((*(i_tmp + i_num))->iface == NULL)
33533 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
33534 + if (!len || len >= IFNAMSIZ)
33535 + return ERR_PTR(-EINVAL);
33536 + tmp = acl_alloc(len);
33538 + return ERR_PTR(-ENOMEM);
33539 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
33540 + return ERR_PTR(-EFAULT);
33541 + (*(i_tmp + i_num))->iface = tmp;
33544 + s_tmp->ips = i_tmp;
33547 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
33548 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
33549 + return ERR_PTR(-ENOMEM);
33555 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
33557 + struct acl_subject_label s_pre;
33558 + struct acl_subject_label * ret;
33562 + if (copy_from_user(&s_pre, userp,
33563 + sizeof (struct acl_subject_label)))
33566 + /* do not add nested subjects here, add
33567 + while parsing objects
33570 + if (s_pre.mode & GR_NESTED) {
33571 + userp = s_pre.prev;
33575 + ret = do_copy_user_subj(userp, role);
33577 + err = PTR_ERR(ret);
33581 + insert_acl_subj_label(ret, role);
33583 + userp = s_pre.prev;
33590 +copy_user_acl(struct gr_arg *arg)
33592 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
33593 + struct sprole_pw *sptmp;
33594 + struct gr_hash_struct *ghash;
33595 + uid_t *domainlist;
33596 + unsigned int r_num;
33597 + unsigned int len;
33603 + /* we need a default and kernel role */
33604 + if (arg->role_db.num_roles < 2)
33607 + /* copy special role authentication info from userspace */
33609 + num_sprole_pws = arg->num_sprole_pws;
33610 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
33612 + if (!acl_special_roles) {
33617 + for (i = 0; i < num_sprole_pws; i++) {
33618 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
33623 + if (copy_from_user(sptmp, arg->sprole_pws + i,
33624 + sizeof (struct sprole_pw))) {
33630 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
33632 + if (!len || len >= GR_SPROLE_LEN) {
33637 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
33642 + if (copy_from_user(tmp, sptmp->rolename, len)) {
33646 + tmp[len-1] = '\0';
33647 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
33648 + printk(KERN_ALERT "Copying special role %s\n", tmp);
33650 + sptmp->rolename = tmp;
33651 + acl_special_roles[i] = sptmp;
33654 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
33656 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
33657 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
33664 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
33665 + sizeof (struct acl_role_label *))) {
33670 + if (copy_from_user(r_tmp, r_utmp2,
33671 + sizeof (struct acl_role_label))) {
33676 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
33678 + if (!len || len >= PATH_MAX) {
33683 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
33687 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
33691 + tmp[len-1] = '\0';
33692 + r_tmp->rolename = tmp;
33694 + if (!strcmp(r_tmp->rolename, "default")
33695 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
33696 + default_role = r_tmp;
33697 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
33698 + kernel_role = r_tmp;
33701 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
33705 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
33710 + r_tmp->hash = ghash;
33712 + num_subjs = count_user_subjs(r_tmp->hash->first);
33714 + r_tmp->subj_hash_size = num_subjs;
33715 + r_tmp->subj_hash =
33716 + (struct acl_subject_label **)
33717 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
33719 + if (!r_tmp->subj_hash) {
33724 + err = copy_user_allowedips(r_tmp);
33728 + /* copy domain info */
33729 + if (r_tmp->domain_children != NULL) {
33730 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
33731 + if (domainlist == NULL) {
33735 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
33739 + r_tmp->domain_children = domainlist;
33742 + err = copy_user_transitions(r_tmp);
33746 + memset(r_tmp->subj_hash, 0,
33747 + r_tmp->subj_hash_size *
33748 + sizeof (struct acl_subject_label *));
33750 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
33755 + /* set nested subject list to null */
33756 + r_tmp->hash->first = NULL;
33758 + insert_acl_role_label(r_tmp);
33763 + free_variables();
33770 +gracl_init(struct gr_arg *args)
33774 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
33775 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
33777 + if (init_variables(args)) {
33778 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
33780 + free_variables();
33784 + error = copy_user_acl(args);
33785 + free_init_variables();
33787 + free_variables();
33791 + if ((error = gr_set_acls(0))) {
33792 + free_variables();
33796 + pax_open_kernel();
33797 + gr_status |= GR_READY;
33798 + pax_close_kernel();
33804 +/* derived from glibc fnmatch() 0: match, 1: no match*/
33807 +glob_match(const char *p, const char *n)
33811 + while ((c = *p++) != '\0') {
33816 + else if (*n == '/')
33824 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
33827 + else if (c == '?') {
33837 + const char *endp;
33839 + if ((endp = strchr(n, '/')) == NULL)
33840 + endp = n + strlen(n);
33843 + for (--p; n < endp; ++n)
33844 + if (!glob_match(p, n))
33846 + } else if (c == '/') {
33847 + while (*n != '\0' && *n != '/')
33849 + if (*n == '/' && !glob_match(p, n + 1))
33852 + for (--p; n < endp; ++n)
33853 + if (*n == c && !glob_match(p, n))
33864 + if (*n == '\0' || *n == '/')
33867 + not = (*p == '!' || *p == '^');
33873 + unsigned char fn = (unsigned char)*n;
33883 + if (c == '-' && *p != ']') {
33884 + unsigned char cend = *p++;
33886 + if (cend == '\0')
33889 + if (cold <= fn && fn <= cend)
33903 + while (c != ']') {
33930 +static struct acl_object_label *
33931 +chk_glob_label(struct acl_object_label *globbed,
33932 + struct dentry *dentry, struct vfsmount *mnt, char **path)
33934 + struct acl_object_label *tmp;
33936 + if (*path == NULL)
33937 + *path = gr_to_filename_nolock(dentry, mnt);
33942 + if (!glob_match(tmp->filename, *path))
33950 +static struct acl_object_label *
33951 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
33952 + const ino_t curr_ino, const dev_t curr_dev,
33953 + const struct acl_subject_label *subj, char **path, const int checkglob)
33955 + struct acl_subject_label *tmpsubj;
33956 + struct acl_object_label *retval;
33957 + struct acl_object_label *retval2;
33959 + tmpsubj = (struct acl_subject_label *) subj;
33960 + read_lock(&gr_inode_lock);
33962 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
33964 + if (checkglob && retval->globbed) {
33965 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
33966 + (struct vfsmount *)orig_mnt, path);
33968 + retval = retval2;
33972 + } while ((tmpsubj = tmpsubj->parent_subject));
33973 + read_unlock(&gr_inode_lock);
33978 +static __inline__ struct acl_object_label *
33979 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
33980 + const struct dentry *curr_dentry,
33981 + const struct acl_subject_label *subj, char **path, const int checkglob)
33983 + return __full_lookup(orig_dentry, orig_mnt,
33984 + curr_dentry->d_inode->i_ino,
33985 + curr_dentry->d_inode->i_sb->s_dev, subj, path, checkglob);
33988 +static struct acl_object_label *
33989 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
33990 + const struct acl_subject_label *subj, char *path, const int checkglob)
33992 + struct dentry *dentry = (struct dentry *) l_dentry;
33993 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
33994 + struct acl_object_label *retval;
33996 + spin_lock(&dcache_lock);
33998 + if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
33999 + /* ignore Eric Biederman */
34000 + IS_PRIVATE(l_dentry->d_inode))) {
34001 + retval = fakefs_obj;
34006 + if (dentry == real_root && mnt == real_root_mnt)
34009 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
34010 + if (mnt->mnt_parent == mnt)
34013 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
34014 + if (retval != NULL)
34017 + dentry = mnt->mnt_mountpoint;
34018 + mnt = mnt->mnt_parent;
34022 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
34023 + if (retval != NULL)
34026 + dentry = dentry->d_parent;
34029 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
34031 + if (retval == NULL)
34032 + retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path, checkglob);
34034 + spin_unlock(&dcache_lock);
34038 +static __inline__ struct acl_object_label *
34039 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
34040 + const struct acl_subject_label *subj)
34042 + char *path = NULL;
34043 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
34046 +static __inline__ struct acl_object_label *
34047 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
34048 + const struct acl_subject_label *subj)
34050 + char *path = NULL;
34051 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 0);
34054 +static __inline__ struct acl_object_label *
34055 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
34056 + const struct acl_subject_label *subj, char *path)
34058 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
34061 +static struct acl_subject_label *
34062 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
34063 + const struct acl_role_label *role)
34065 + struct dentry *dentry = (struct dentry *) l_dentry;
34066 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
34067 + struct acl_subject_label *retval;
34069 + spin_lock(&dcache_lock);
34072 + if (dentry == real_root && mnt == real_root_mnt)
34074 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
34075 + if (mnt->mnt_parent == mnt)
34078 + read_lock(&gr_inode_lock);
34080 + lookup_acl_subj_label(dentry->d_inode->i_ino,
34081 + dentry->d_inode->i_sb->s_dev, role);
34082 + read_unlock(&gr_inode_lock);
34083 + if (retval != NULL)
34086 + dentry = mnt->mnt_mountpoint;
34087 + mnt = mnt->mnt_parent;
34091 + read_lock(&gr_inode_lock);
34092 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
34093 + dentry->d_inode->i_sb->s_dev, role);
34094 + read_unlock(&gr_inode_lock);
34095 + if (retval != NULL)
34098 + dentry = dentry->d_parent;
34101 + read_lock(&gr_inode_lock);
34102 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
34103 + dentry->d_inode->i_sb->s_dev, role);
34104 + read_unlock(&gr_inode_lock);
34106 + if (unlikely(retval == NULL)) {
34107 + read_lock(&gr_inode_lock);
34108 + retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
34109 + real_root->d_inode->i_sb->s_dev, role);
34110 + read_unlock(&gr_inode_lock);
34113 + spin_unlock(&dcache_lock);
34119 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
34121 + struct task_struct *task = current;
34122 + const struct cred *cred = current_cred();
34124 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
34125 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
34126 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
34127 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->curr_ip);
34133 +gr_log_learn_sysctl(const char *path, const __u32 mode)
34135 + struct task_struct *task = current;
34136 + const struct cred *cred = current_cred();
34138 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
34139 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
34140 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
34141 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->curr_ip);
34147 +gr_log_learn_id_change(const char type, const unsigned int real,
34148 + const unsigned int effective, const unsigned int fs)
34150 + struct task_struct *task = current;
34151 + const struct cred *cred = current_cred();
34153 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
34154 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
34155 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
34156 + type, real, effective, fs, &task->signal->curr_ip);
34162 +gr_check_link(const struct dentry * new_dentry,
34163 + const struct dentry * parent_dentry,
34164 + const struct vfsmount * parent_mnt,
34165 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
34167 + struct acl_object_label *obj;
34168 + __u32 oldmode, newmode;
34171 + if (unlikely(!(gr_status & GR_READY)))
34172 + return (GR_CREATE | GR_LINK);
34174 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
34175 + oldmode = obj->mode;
34177 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
34178 + oldmode |= (GR_CREATE | GR_LINK);
34180 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
34181 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
34182 + needmode |= GR_SETID | GR_AUDIT_SETID;
34185 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
34186 + oldmode | needmode);
34188 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
34189 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
34190 + GR_INHERIT | GR_AUDIT_INHERIT);
34192 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
34195 + if ((oldmode & needmode) != needmode)
34198 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
34199 + if ((newmode & needmode) != needmode)
34202 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
34205 + needmode = oldmode;
34206 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
34207 + needmode |= GR_SETID;
34209 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
34210 + gr_log_learn(old_dentry, old_mnt, needmode);
34211 + return (GR_CREATE | GR_LINK);
34212 + } else if (newmode & GR_SUPPRESS)
34213 + return GR_SUPPRESS;
34219 +gr_search_file(const struct dentry * dentry, const __u32 mode,
34220 + const struct vfsmount * mnt)
34222 + __u32 retval = mode;
34223 + struct acl_subject_label *curracl;
34224 + struct acl_object_label *currobj;
34226 + if (unlikely(!(gr_status & GR_READY)))
34227 + return (mode & ~GR_AUDITS);
34229 + curracl = current->acl;
34231 + currobj = chk_obj_label(dentry, mnt, curracl);
34232 + retval = currobj->mode & mode;
34235 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
34236 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
34237 + __u32 new_mode = mode;
34239 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
34241 + retval = new_mode;
34243 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
34244 + new_mode |= GR_INHERIT;
34246 + if (!(mode & GR_NOLEARN))
34247 + gr_log_learn(dentry, mnt, new_mode);
34254 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
34255 + const struct vfsmount * mnt, const __u32 mode)
34257 + struct name_entry *match;
34258 + struct acl_object_label *matchpo;
34259 + struct acl_subject_label *curracl;
34263 + if (unlikely(!(gr_status & GR_READY)))
34264 + return (mode & ~GR_AUDITS);
34266 + preempt_disable();
34267 + path = gr_to_filename_rbac(new_dentry, mnt);
34268 + match = lookup_name_entry_create(path);
34271 + goto check_parent;
34273 + curracl = current->acl;
34275 + read_lock(&gr_inode_lock);
34276 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
34277 + read_unlock(&gr_inode_lock);
34280 + if ((matchpo->mode & mode) !=
34281 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
34282 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
34283 + __u32 new_mode = mode;
34285 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
34287 + gr_log_learn(new_dentry, mnt, new_mode);
34289 + preempt_enable();
34292 + preempt_enable();
34293 + return (matchpo->mode & mode);
34297 + curracl = current->acl;
34299 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
34300 + retval = matchpo->mode & mode;
34302 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
34303 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
34304 + __u32 new_mode = mode;
34306 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
34308 + gr_log_learn(new_dentry, mnt, new_mode);
34309 + preempt_enable();
34313 + preempt_enable();
34318 +gr_check_hidden_task(const struct task_struct *task)
34320 + if (unlikely(!(gr_status & GR_READY)))
34323 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
34330 +gr_check_protected_task(const struct task_struct *task)
34332 + if (unlikely(!(gr_status & GR_READY) || !task))
34335 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
34336 + task->acl != current->acl)
34343 +gr_copy_label(struct task_struct *tsk)
34345 + tsk->signal->used_accept = 0;
34346 + tsk->acl_sp_role = 0;
34347 + tsk->acl_role_id = current->acl_role_id;
34348 + tsk->acl = current->acl;
34349 + tsk->role = current->role;
34350 + tsk->signal->curr_ip = current->signal->curr_ip;
34351 + if (current->exec_file)
34352 + get_file(current->exec_file);
34353 + tsk->exec_file = current->exec_file;
34354 + tsk->is_writable = current->is_writable;
34355 + if (unlikely(current->signal->used_accept))
34356 + current->signal->curr_ip = 0;
34362 +gr_set_proc_res(struct task_struct *task)
34364 + struct acl_subject_label *proc;
34365 + unsigned short i;
34367 + proc = task->acl;
34369 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
34372 + for (i = 0; i < RLIM_NLIMITS; i++) {
34373 + if (!(proc->resmask & (1 << i)))
34376 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
34377 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
34384 +gr_check_user_change(int real, int effective, int fs)
34391 + int effectiveok = 0;
34394 + if (unlikely(!(gr_status & GR_READY)))
34397 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
34398 + gr_log_learn_id_change('u', real, effective, fs);
34400 + num = current->acl->user_trans_num;
34401 + uidlist = current->acl->user_transitions;
34403 + if (uidlist == NULL)
34408 + if (effective == -1)
34413 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
34414 + for (i = 0; i < num; i++) {
34415 + curuid = (int)uidlist[i];
34416 + if (real == curuid)
34418 + if (effective == curuid)
34420 + if (fs == curuid)
34423 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
34424 + for (i = 0; i < num; i++) {
34425 + curuid = (int)uidlist[i];
34426 + if (real == curuid)
34428 + if (effective == curuid)
34430 + if (fs == curuid)
34433 + /* not in deny list */
34441 + if (realok && effectiveok && fsok)
34444 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
34450 +gr_check_group_change(int real, int effective, int fs)
34457 + int effectiveok = 0;
34460 + if (unlikely(!(gr_status & GR_READY)))
34463 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
34464 + gr_log_learn_id_change('g', real, effective, fs);
34466 + num = current->acl->group_trans_num;
34467 + gidlist = current->acl->group_transitions;
34469 + if (gidlist == NULL)
34474 + if (effective == -1)
34479 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
34480 + for (i = 0; i < num; i++) {
34481 + curgid = (int)gidlist[i];
34482 + if (real == curgid)
34484 + if (effective == curgid)
34486 + if (fs == curgid)
34489 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
34490 + for (i = 0; i < num; i++) {
34491 + curgid = (int)gidlist[i];
34492 + if (real == curgid)
34494 + if (effective == curgid)
34496 + if (fs == curgid)
34499 + /* not in deny list */
34507 + if (realok && effectiveok && fsok)
34510 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
34516 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
34518 + struct acl_role_label *role = task->role;
34519 + struct acl_subject_label *subj = NULL;
34520 + struct acl_object_label *obj;
34521 + struct file *filp;
34523 + if (unlikely(!(gr_status & GR_READY)))
34526 + filp = task->exec_file;
34528 + /* kernel process, we'll give them the kernel role */
34529 + if (unlikely(!filp)) {
34530 + task->role = kernel_role;
34531 + task->acl = kernel_role->root_label;
34533 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
34534 + role = lookup_acl_role_label(task, uid, gid);
34536 + /* perform subject lookup in possibly new role
34537 + we can use this result below in the case where role == task->role
34539 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
34541 + /* if we changed uid/gid, but result in the same role
34542 + and are using inheritance, don't lose the inherited subject
34543 + if current subject is other than what normal lookup
34544 + would result in, we arrived via inheritance, don't
34547 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
34548 + (subj == task->acl)))
34549 + task->acl = subj;
34551 + task->role = role;
34553 + task->is_writable = 0;
34555 + /* ignore additional mmap checks for processes that are writable
34556 + by the default ACL */
34557 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
34558 + if (unlikely(obj->mode & GR_WRITE))
34559 + task->is_writable = 1;
34560 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
34561 + if (unlikely(obj->mode & GR_WRITE))
34562 + task->is_writable = 1;
34564 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
34565 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
34568 + gr_set_proc_res(task);
34574 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
34575 + const int unsafe_share)
34577 + struct task_struct *task = current;
34578 + struct acl_subject_label *newacl;
34579 + struct acl_object_label *obj;
34582 + if (unlikely(!(gr_status & GR_READY)))
34585 + newacl = chk_subj_label(dentry, mnt, task->role);
34588 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
34589 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
34590 + !(task->role->roletype & GR_ROLE_GOD) &&
34591 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
34592 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
34593 + task_unlock(task);
34594 + if (unsafe_share)
34595 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
34597 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
34600 + task_unlock(task);
34602 + obj = chk_obj_label(dentry, mnt, task->acl);
34603 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
34605 + if (!(task->acl->mode & GR_INHERITLEARN) &&
34606 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
34608 + task->acl = obj->nested;
34610 + task->acl = newacl;
34611 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
34612 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
34614 + task->is_writable = 0;
34616 + /* ignore additional mmap checks for processes that are writable
34617 + by the default ACL */
34618 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
34619 + if (unlikely(obj->mode & GR_WRITE))
34620 + task->is_writable = 1;
34621 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
34622 + if (unlikely(obj->mode & GR_WRITE))
34623 + task->is_writable = 1;
34625 + gr_set_proc_res(task);
34627 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
34628 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
34633 +/* always called with valid inodev ptr */
34635 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
34637 + struct acl_object_label *matchpo;
34638 + struct acl_subject_label *matchps;
34639 + struct acl_subject_label *subj;
34640 + struct acl_role_label *role;
34643 + FOR_EACH_ROLE_START(role)
34644 + FOR_EACH_SUBJECT_START(role, subj, x)
34645 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
34646 + matchpo->mode |= GR_DELETED;
34647 + FOR_EACH_SUBJECT_END(subj,x)
34648 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
34649 + if (subj->inode == ino && subj->device == dev)
34650 + subj->mode |= GR_DELETED;
34651 + FOR_EACH_NESTED_SUBJECT_END(subj)
34652 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
34653 + matchps->mode |= GR_DELETED;
34654 + FOR_EACH_ROLE_END(role)
34656 + inodev->nentry->deleted = 1;
34662 +gr_handle_delete(const ino_t ino, const dev_t dev)
34664 + struct inodev_entry *inodev;
34666 + if (unlikely(!(gr_status & GR_READY)))
34669 + write_lock(&gr_inode_lock);
34670 + inodev = lookup_inodev_entry(ino, dev);
34671 + if (inodev != NULL)
34672 + do_handle_delete(inodev, ino, dev);
34673 + write_unlock(&gr_inode_lock);
34679 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
34680 + const ino_t newinode, const dev_t newdevice,
34681 + struct acl_subject_label *subj)
34683 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
34684 + struct acl_object_label *match;
34686 + match = subj->obj_hash[index];
34688 + while (match && (match->inode != oldinode ||
34689 + match->device != olddevice ||
34690 + !(match->mode & GR_DELETED)))
34691 + match = match->next;
34693 + if (match && (match->inode == oldinode)
34694 + && (match->device == olddevice)
34695 + && (match->mode & GR_DELETED)) {
34696 + if (match->prev == NULL) {
34697 + subj->obj_hash[index] = match->next;
34698 + if (match->next != NULL)
34699 + match->next->prev = NULL;
34701 + match->prev->next = match->next;
34702 + if (match->next != NULL)
34703 + match->next->prev = match->prev;
34705 + match->prev = NULL;
34706 + match->next = NULL;
34707 + match->inode = newinode;
34708 + match->device = newdevice;
34709 + match->mode &= ~GR_DELETED;
34711 + insert_acl_obj_label(match, subj);
34718 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
34719 + const ino_t newinode, const dev_t newdevice,
34720 + struct acl_role_label *role)
34722 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
34723 + struct acl_subject_label *match;
34725 + match = role->subj_hash[index];
34727 + while (match && (match->inode != oldinode ||
34728 + match->device != olddevice ||
34729 + !(match->mode & GR_DELETED)))
34730 + match = match->next;
34732 + if (match && (match->inode == oldinode)
34733 + && (match->device == olddevice)
34734 + && (match->mode & GR_DELETED)) {
34735 + if (match->prev == NULL) {
34736 + role->subj_hash[index] = match->next;
34737 + if (match->next != NULL)
34738 + match->next->prev = NULL;
34740 + match->prev->next = match->next;
34741 + if (match->next != NULL)
34742 + match->next->prev = match->prev;
34744 + match->prev = NULL;
34745 + match->next = NULL;
34746 + match->inode = newinode;
34747 + match->device = newdevice;
34748 + match->mode &= ~GR_DELETED;
34750 + insert_acl_subj_label(match, role);
34757 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
34758 + const ino_t newinode, const dev_t newdevice)
34760 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
34761 + struct inodev_entry *match;
34763 + match = inodev_set.i_hash[index];
34765 + while (match && (match->nentry->inode != oldinode ||
34766 + match->nentry->device != olddevice || !match->nentry->deleted))
34767 + match = match->next;
34769 + if (match && (match->nentry->inode == oldinode)
34770 + && (match->nentry->device == olddevice) &&
34771 + match->nentry->deleted) {
34772 + if (match->prev == NULL) {
34773 + inodev_set.i_hash[index] = match->next;
34774 + if (match->next != NULL)
34775 + match->next->prev = NULL;
34777 + match->prev->next = match->next;
34778 + if (match->next != NULL)
34779 + match->next->prev = match->prev;
34781 + match->prev = NULL;
34782 + match->next = NULL;
34783 + match->nentry->inode = newinode;
34784 + match->nentry->device = newdevice;
34785 + match->nentry->deleted = 0;
34787 + insert_inodev_entry(match);
34794 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
34795 + const struct vfsmount *mnt)
34797 + struct acl_subject_label *subj;
34798 + struct acl_role_label *role;
34801 + FOR_EACH_ROLE_START(role)
34802 + update_acl_subj_label(matchn->inode, matchn->device,
34803 + dentry->d_inode->i_ino,
34804 + dentry->d_inode->i_sb->s_dev, role);
34806 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
34807 + if ((subj->inode == dentry->d_inode->i_ino) &&
34808 + (subj->device == dentry->d_inode->i_sb->s_dev)) {
34809 + subj->inode = dentry->d_inode->i_ino;
34810 + subj->device = dentry->d_inode->i_sb->s_dev;
34812 + FOR_EACH_NESTED_SUBJECT_END(subj)
34813 + FOR_EACH_SUBJECT_START(role, subj, x)
34814 + update_acl_obj_label(matchn->inode, matchn->device,
34815 + dentry->d_inode->i_ino,
34816 + dentry->d_inode->i_sb->s_dev, subj);
34817 + FOR_EACH_SUBJECT_END(subj,x)
34818 + FOR_EACH_ROLE_END(role)
34820 + update_inodev_entry(matchn->inode, matchn->device,
34821 + dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
34827 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
34829 + struct name_entry *matchn;
34831 + if (unlikely(!(gr_status & GR_READY)))
34834 + preempt_disable();
34835 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
34837 + if (unlikely((unsigned long)matchn)) {
34838 + write_lock(&gr_inode_lock);
34839 + do_handle_create(matchn, dentry, mnt);
34840 + write_unlock(&gr_inode_lock);
34842 + preempt_enable();
34848 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
34849 + struct dentry *old_dentry,
34850 + struct dentry *new_dentry,
34851 + struct vfsmount *mnt, const __u8 replace)
34853 + struct name_entry *matchn;
34854 + struct inodev_entry *inodev;
34856 + /* vfs_rename swaps the name and parent link for old_dentry and
34858 + at this point, old_dentry has the new name, parent link, and inode
34859 + for the renamed file
34860 + if a file is being replaced by a rename, new_dentry has the inode
34861 + and name for the replaced file
34864 + if (unlikely(!(gr_status & GR_READY)))
34867 + preempt_disable();
34868 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
34870 + /* we wouldn't have to check d_inode if it weren't for
34871 + NFS silly-renaming
34874 + write_lock(&gr_inode_lock);
34875 + if (unlikely(replace && new_dentry->d_inode)) {
34876 + inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
34877 + new_dentry->d_inode->i_sb->s_dev);
34878 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
34879 + do_handle_delete(inodev, new_dentry->d_inode->i_ino,
34880 + new_dentry->d_inode->i_sb->s_dev);
34883 + inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
34884 + old_dentry->d_inode->i_sb->s_dev);
34885 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
34886 + do_handle_delete(inodev, old_dentry->d_inode->i_ino,
34887 + old_dentry->d_inode->i_sb->s_dev);
34889 + if (unlikely((unsigned long)matchn))
34890 + do_handle_create(matchn, old_dentry, mnt);
34892 + write_unlock(&gr_inode_lock);
34893 + preempt_enable();
34899 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
34900 + unsigned char **sum)
34902 + struct acl_role_label *r;
34903 + struct role_allowed_ip *ipp;
34904 + struct role_transition *trans;
34908 + /* check transition table */
34910 + for (trans = current->role->transitions; trans; trans = trans->next) {
34911 + if (!strcmp(rolename, trans->rolename)) {
34920 + /* handle special roles that do not require authentication
34923 + FOR_EACH_ROLE_START(r)
34924 + if (!strcmp(rolename, r->rolename) &&
34925 + (r->roletype & GR_ROLE_SPECIAL)) {
34927 + if (r->allowed_ips != NULL) {
34928 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
34929 + if ((ntohl(current->signal->curr_ip) & ipp->netmask) ==
34930 + (ntohl(ipp->addr) & ipp->netmask))
34938 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
34939 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
34945 + FOR_EACH_ROLE_END(r)
34947 + for (i = 0; i < num_sprole_pws; i++) {
34948 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
34949 + *salt = acl_special_roles[i]->salt;
34950 + *sum = acl_special_roles[i]->sum;
34959 +assign_special_role(char *rolename)
34961 + struct acl_object_label *obj;
34962 + struct acl_role_label *r;
34963 + struct acl_role_label *assigned = NULL;
34964 + struct task_struct *tsk;
34965 + struct file *filp;
34967 + FOR_EACH_ROLE_START(r)
34968 + if (!strcmp(rolename, r->rolename) &&
34969 + (r->roletype & GR_ROLE_SPECIAL)) {
34973 + FOR_EACH_ROLE_END(r)
34978 + read_lock(&tasklist_lock);
34979 + read_lock(&grsec_exec_file_lock);
34981 + tsk = current->parent;
34985 + filp = tsk->exec_file;
34986 + if (filp == NULL)
34989 + tsk->is_writable = 0;
34991 + tsk->acl_sp_role = 1;
34992 + tsk->acl_role_id = ++acl_sp_role_value;
34993 + tsk->role = assigned;
34994 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
34996 + /* ignore additional mmap checks for processes that are writable
34997 + by the default ACL */
34998 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
34999 + if (unlikely(obj->mode & GR_WRITE))
35000 + tsk->is_writable = 1;
35001 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
35002 + if (unlikely(obj->mode & GR_WRITE))
35003 + tsk->is_writable = 1;
35005 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
35006 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
35010 + read_unlock(&grsec_exec_file_lock);
35011 + read_unlock(&tasklist_lock);
35015 +int gr_check_secure_terminal(struct task_struct *task)
35017 + struct task_struct *p, *p2, *p3;
35018 + struct files_struct *files;
35019 + struct fdtable *fdt;
35020 + struct file *our_file = NULL, *file;
35023 + if (task->signal->tty == NULL)
35026 + files = get_files_struct(task);
35027 + if (files != NULL) {
35029 + fdt = files_fdtable(files);
35030 + for (i=0; i < fdt->max_fds; i++) {
35031 + file = fcheck_files(files, i);
35032 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
35037 + rcu_read_unlock();
35038 + put_files_struct(files);
35041 + if (our_file == NULL)
35044 + read_lock(&tasklist_lock);
35045 + do_each_thread(p2, p) {
35046 + files = get_files_struct(p);
35047 + if (files == NULL ||
35048 + (p->signal && p->signal->tty == task->signal->tty)) {
35049 + if (files != NULL)
35050 + put_files_struct(files);
35054 + fdt = files_fdtable(files);
35055 + for (i=0; i < fdt->max_fds; i++) {
35056 + file = fcheck_files(files, i);
35057 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
35058 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
35060 + while (p3->pid > 0) {
35067 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
35068 + gr_handle_alertkill(p);
35069 + rcu_read_unlock();
35070 + put_files_struct(files);
35071 + read_unlock(&tasklist_lock);
35076 + rcu_read_unlock();
35077 + put_files_struct(files);
35078 + } while_each_thread(p2, p);
35079 + read_unlock(&tasklist_lock);
35086 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
35088 + struct gr_arg_wrapper uwrap;
35089 + unsigned char *sprole_salt = NULL;
35090 + unsigned char *sprole_sum = NULL;
35091 + int error = sizeof (struct gr_arg_wrapper);
35094 + down(&gr_dev_sem);
35096 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
35101 + if (count != sizeof (struct gr_arg_wrapper)) {
35102 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
35108 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
35109 + gr_auth_expires = 0;
35110 + gr_auth_attempts = 0;
35113 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
35118 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
35123 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
35128 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
35129 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
35130 + time_after(gr_auth_expires, get_seconds())) {
35135 + /* if non-root trying to do anything other than use a special role,
35136 + do not attempt authentication, do not count towards authentication
35140 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
35141 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
35147 + /* ensure pw and special role name are null terminated */
35149 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
35150 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
35153 + * We have our enough of the argument structure..(we have yet
35154 + * to copy_from_user the tables themselves) . Copy the tables
35155 + * only if we need them, i.e. for loading operations. */
35157 + switch (gr_usermode->mode) {
35159 + if (gr_status & GR_READY) {
35161 + if (!gr_check_secure_terminal(current))
35166 + case GR_SHUTDOWN:
35167 + if ((gr_status & GR_READY)
35168 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
35169 + pax_open_kernel();
35170 + gr_status &= ~GR_READY;
35171 + pax_close_kernel();
35173 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
35174 + free_variables();
35175 + memset(gr_usermode, 0, sizeof (struct gr_arg));
35176 + memset(gr_system_salt, 0, GR_SALT_LEN);
35177 + memset(gr_system_sum, 0, GR_SHA_LEN);
35178 + } else if (gr_status & GR_READY) {
35179 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
35182 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
35187 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
35188 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
35190 + if (gr_status & GR_READY)
35194 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
35198 + if (!(gr_status & GR_READY)) {
35199 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
35201 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
35204 + pax_open_kernel();
35205 + gr_status &= ~GR_READY;
35206 + pax_close_kernel();
35208 + free_variables();
35209 + if (!(error2 = gracl_init(gr_usermode))) {
35211 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
35215 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
35218 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
35223 + if (unlikely(!(gr_status & GR_READY))) {
35224 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
35229 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
35230 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
35231 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
35232 + struct acl_subject_label *segvacl;
35234 + lookup_acl_subj_label(gr_usermode->segv_inode,
35235 + gr_usermode->segv_device,
35238 + segvacl->crashes = 0;
35239 + segvacl->expires = 0;
35241 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
35242 + gr_remove_uid(gr_usermode->segv_uid);
35245 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
35250 + case GR_SPROLEPAM:
35251 + if (unlikely(!(gr_status & GR_READY))) {
35252 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
35257 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
35258 + current->role->expires = 0;
35259 + current->role->auth_attempts = 0;
35262 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
35263 + time_after(current->role->expires, get_seconds())) {
35268 + if (lookup_special_role_auth
35269 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
35270 + && ((!sprole_salt && !sprole_sum)
35271 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
35273 + assign_special_role(gr_usermode->sp_role);
35274 + read_lock(&tasklist_lock);
35275 + if (current->parent)
35276 + p = current->parent->role->rolename;
35277 + read_unlock(&tasklist_lock);
35278 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
35279 + p, acl_sp_role_value);
35281 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
35283 + if(!(current->role->auth_attempts++))
35284 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
35289 + case GR_UNSPROLE:
35290 + if (unlikely(!(gr_status & GR_READY))) {
35291 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
35296 + if (current->role->roletype & GR_ROLE_SPECIAL) {
35300 + read_lock(&tasklist_lock);
35301 + if (current->parent) {
35302 + p = current->parent->role->rolename;
35303 + i = current->parent->acl_role_id;
35305 + read_unlock(&tasklist_lock);
35307 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
35310 + gr_log_str(GR_DONT_AUDIT, GR_UNSPROLEF_ACL_MSG, current->role->rolename);
35316 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
35321 + if (error != -EPERM)
35324 + if(!(gr_auth_attempts++))
35325 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
35333 +gr_set_acls(const int type)
35335 + struct acl_object_label *obj;
35336 + struct task_struct *task, *task2;
35337 + struct file *filp;
35338 + struct acl_role_label *role = current->role;
35339 + __u16 acl_role_id = current->acl_role_id;
35340 + const struct cred *cred;
35342 + struct name_entry *nmatch;
35343 + struct acl_subject_label *tmpsubj;
35346 + read_lock(&tasklist_lock);
35347 + read_lock(&grsec_exec_file_lock);
35348 + do_each_thread(task2, task) {
35349 + /* check to see if we're called from the exit handler,
35350 + if so, only replace ACLs that have inherited the admin
35353 + if (type && (task->role != role ||
35354 + task->acl_role_id != acl_role_id))
35357 + task->acl_role_id = 0;
35358 + task->acl_sp_role = 0;
35360 + if ((filp = task->exec_file)) {
35361 + cred = __task_cred(task);
35362 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
35364 + /* the following is to apply the correct subject
35365 + on binaries running when the RBAC system
35366 + is enabled, when the binaries have been
35367 + replaced or deleted since their execution
35369 + when the RBAC system starts, the inode/dev
35370 + from exec_file will be one the RBAC system
35371 + is unaware of. It only knows the inode/dev
35372 + of the present file on disk, or the absence
35375 + preempt_disable();
35376 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
35378 + nmatch = lookup_name_entry(tmpname);
35379 + preempt_enable();
35382 + if (nmatch->deleted)
35383 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
35385 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
35386 + if (tmpsubj != NULL)
35387 + task->acl = tmpsubj;
35389 + if (tmpsubj == NULL)
35390 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
35393 + struct acl_subject_label *curr;
35394 + curr = task->acl;
35396 + task->is_writable = 0;
35397 + /* ignore additional mmap checks for processes that are writable
35398 + by the default ACL */
35399 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
35400 + if (unlikely(obj->mode & GR_WRITE))
35401 + task->is_writable = 1;
35402 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
35403 + if (unlikely(obj->mode & GR_WRITE))
35404 + task->is_writable = 1;
35406 + gr_set_proc_res(task);
35408 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
35409 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
35412 + read_unlock(&grsec_exec_file_lock);
35413 + read_unlock(&tasklist_lock);
35414 + rcu_read_unlock();
35415 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
35419 + // it's a kernel process
35420 + task->role = kernel_role;
35421 + task->acl = kernel_role->root_label;
35422 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
35423 + task->acl->mode &= ~GR_PROCFIND;
35426 + } while_each_thread(task2, task);
35427 + read_unlock(&grsec_exec_file_lock);
35428 + read_unlock(&tasklist_lock);
35429 + rcu_read_unlock();
35435 +gr_learn_resource(const struct task_struct *task,
35436 + const int res, const unsigned long wanted, const int gt)
35438 + struct acl_subject_label *acl;
35439 + const struct cred *cred;
35441 + if (unlikely((gr_status & GR_READY) &&
35442 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
35443 + goto skip_reslog;
35445 +#ifdef CONFIG_GRKERNSEC_RESLOG
35446 + gr_log_resource(task, res, wanted, gt);
35450 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
35455 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
35456 + !(acl->resmask & (1 << (unsigned short) res))))
35459 + if (wanted >= acl->res[res].rlim_cur) {
35460 + unsigned long res_add;
35462 + res_add = wanted;
35465 + res_add += GR_RLIM_CPU_BUMP;
35467 + case RLIMIT_FSIZE:
35468 + res_add += GR_RLIM_FSIZE_BUMP;
35470 + case RLIMIT_DATA:
35471 + res_add += GR_RLIM_DATA_BUMP;
35473 + case RLIMIT_STACK:
35474 + res_add += GR_RLIM_STACK_BUMP;
35476 + case RLIMIT_CORE:
35477 + res_add += GR_RLIM_CORE_BUMP;
35480 + res_add += GR_RLIM_RSS_BUMP;
35482 + case RLIMIT_NPROC:
35483 + res_add += GR_RLIM_NPROC_BUMP;
35485 + case RLIMIT_NOFILE:
35486 + res_add += GR_RLIM_NOFILE_BUMP;
35488 + case RLIMIT_MEMLOCK:
35489 + res_add += GR_RLIM_MEMLOCK_BUMP;
35492 + res_add += GR_RLIM_AS_BUMP;
35494 + case RLIMIT_LOCKS:
35495 + res_add += GR_RLIM_LOCKS_BUMP;
35497 + case RLIMIT_SIGPENDING:
35498 + res_add += GR_RLIM_SIGPENDING_BUMP;
35500 + case RLIMIT_MSGQUEUE:
35501 + res_add += GR_RLIM_MSGQUEUE_BUMP;
35503 + case RLIMIT_NICE:
35504 + res_add += GR_RLIM_NICE_BUMP;
35506 + case RLIMIT_RTPRIO:
35507 + res_add += GR_RLIM_RTPRIO_BUMP;
35509 + case RLIMIT_RTTIME:
35510 + res_add += GR_RLIM_RTTIME_BUMP;
35514 + acl->res[res].rlim_cur = res_add;
35516 + if (wanted > acl->res[res].rlim_max)
35517 + acl->res[res].rlim_max = res_add;
35519 + /* only log the subject filename, since resource logging is supported for
35520 + single-subject learning only */
35522 + cred = __task_cred(task);
35523 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
35524 + task->role->roletype, cred->uid, cred->gid, acl->filename,
35525 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
35526 + "", (unsigned long) res, &task->signal->curr_ip);
35527 + rcu_read_unlock();
35533 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
35535 +pax_set_initial_flags(struct linux_binprm *bprm)
35537 + struct task_struct *task = current;
35538 + struct acl_subject_label *proc;
35539 + unsigned long flags;
35541 + if (unlikely(!(gr_status & GR_READY)))
35544 + flags = pax_get_flags(task);
35546 + proc = task->acl;
35548 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
35549 + flags &= ~MF_PAX_PAGEEXEC;
35550 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
35551 + flags &= ~MF_PAX_SEGMEXEC;
35552 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
35553 + flags &= ~MF_PAX_RANDMMAP;
35554 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
35555 + flags &= ~MF_PAX_EMUTRAMP;
35556 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
35557 + flags &= ~MF_PAX_MPROTECT;
35559 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
35560 + flags |= MF_PAX_PAGEEXEC;
35561 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
35562 + flags |= MF_PAX_SEGMEXEC;
35563 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
35564 + flags |= MF_PAX_RANDMMAP;
35565 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
35566 + flags |= MF_PAX_EMUTRAMP;
35567 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
35568 + flags |= MF_PAX_MPROTECT;
35570 + pax_set_flags(task, flags);
35576 +#ifdef CONFIG_SYSCTL
35577 +/* Eric Biederman likes breaking userland ABI and every inode-based security
35578 + system to save 35kb of memory */
35580 +/* we modify the passed in filename, but adjust it back before returning */
35581 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
35583 + struct name_entry *nmatch;
35584 + char *p, *lastp = NULL;
35585 + struct acl_object_label *obj = NULL, *tmp;
35586 + struct acl_subject_label *tmpsubj;
35589 + read_lock(&gr_inode_lock);
35591 + p = name + len - 1;
35593 + nmatch = lookup_name_entry(name);
35594 + if (lastp != NULL)
35597 + if (nmatch == NULL)
35598 + goto next_component;
35599 + tmpsubj = current->acl;
35601 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
35602 + if (obj != NULL) {
35603 + tmp = obj->globbed;
35605 + if (!glob_match(tmp->filename, name)) {
35613 + } while ((tmpsubj = tmpsubj->parent_subject));
35619 + while (*p != '/')
35631 + read_unlock(&gr_inode_lock);
35632 + /* obj returned will always be non-null */
35636 +/* returns 0 when allowing, non-zero on error
35637 + op of 0 is used for readdir, so we don't log the names of hidden files
35640 +gr_handle_sysctl(const struct ctl_table *table, const int op)
35643 + const char *proc_sys = "/proc/sys";
35645 + struct acl_object_label *obj;
35646 + unsigned short len = 0, pos = 0, depth = 0, i;
35650 + if (unlikely(!(gr_status & GR_READY)))
35653 + /* for now, ignore operations on non-sysctl entries if it's not a
35655 + if (table->child != NULL && op != 0)
35659 + /* it's only a read if it's an entry, read on dirs is for readdir */
35660 + if (op & MAY_READ)
35662 + if (op & MAY_WRITE)
35663 + mode |= GR_WRITE;
35665 + preempt_disable();
35667 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
35669 + /* it's only a read/write if it's an actual entry, not a dir
35670 + (which are opened for readdir)
35673 + /* convert the requested sysctl entry into a pathname */
35675 + for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
35676 + len += strlen(tmp->procname);
35681 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
35686 + memset(path, 0, PAGE_SIZE);
35688 + memcpy(path, proc_sys, strlen(proc_sys));
35690 + pos += strlen(proc_sys);
35692 + for (; depth > 0; depth--) {
35695 + for (i = 1, tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
35696 + if (depth == i) {
35697 + memcpy(path + pos, tmp->procname,
35698 + strlen(tmp->procname));
35699 + pos += strlen(tmp->procname);
35705 + obj = gr_lookup_by_name(path, pos);
35706 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
35708 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
35709 + ((err & mode) != mode))) {
35710 + __u32 new_mode = mode;
35712 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
35715 + gr_log_learn_sysctl(path, new_mode);
35716 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
35717 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
35719 + } else if (!(err & GR_FIND)) {
35721 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
35722 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
35723 + path, (mode & GR_READ) ? " reading" : "",
35724 + (mode & GR_WRITE) ? " writing" : "");
35726 + } else if ((err & mode) != mode) {
35728 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
35729 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
35730 + path, (mode & GR_READ) ? " reading" : "",
35731 + (mode & GR_WRITE) ? " writing" : "");
35737 + preempt_enable();
35744 +gr_handle_proc_ptrace(struct task_struct *task)
35746 + struct file *filp;
35747 + struct task_struct *tmp = task;
35748 + struct task_struct *curtemp = current;
35751 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
35752 + if (unlikely(!(gr_status & GR_READY)))
35756 + read_lock(&tasklist_lock);
35757 + read_lock(&grsec_exec_file_lock);
35758 + filp = task->exec_file;
35760 + while (tmp->pid > 0) {
35761 + if (tmp == curtemp)
35763 + tmp = tmp->parent;
35766 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
35767 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
35768 + read_unlock(&grsec_exec_file_lock);
35769 + read_unlock(&tasklist_lock);
35773 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
35774 + if (!(gr_status & GR_READY)) {
35775 + read_unlock(&grsec_exec_file_lock);
35776 + read_unlock(&tasklist_lock);
35781 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
35782 + read_unlock(&grsec_exec_file_lock);
35783 + read_unlock(&tasklist_lock);
35785 + if (retmode & GR_NOPTRACE)
35788 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
35789 + && (current->acl != task->acl || (current->acl != current->role->root_label
35790 + && current->pid != task->pid)))
35797 +gr_handle_ptrace(struct task_struct *task, const long request)
35799 + struct task_struct *tmp = task;
35800 + struct task_struct *curtemp = current;
35803 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
35804 + if (unlikely(!(gr_status & GR_READY)))
35808 + read_lock(&tasklist_lock);
35809 + while (tmp->pid > 0) {
35810 + if (tmp == curtemp)
35812 + tmp = tmp->parent;
35815 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
35816 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
35817 + read_unlock(&tasklist_lock);
35818 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
35821 + read_unlock(&tasklist_lock);
35823 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
35824 + if (!(gr_status & GR_READY))
35828 + read_lock(&grsec_exec_file_lock);
35829 + if (unlikely(!task->exec_file)) {
35830 + read_unlock(&grsec_exec_file_lock);
35834 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
35835 + read_unlock(&grsec_exec_file_lock);
35837 + if (retmode & GR_NOPTRACE) {
35838 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
35842 + if (retmode & GR_PTRACERD) {
35843 + switch (request) {
35844 + case PTRACE_POKETEXT:
35845 + case PTRACE_POKEDATA:
35846 + case PTRACE_POKEUSR:
35847 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
35848 + case PTRACE_SETREGS:
35849 + case PTRACE_SETFPREGS:
35852 + case PTRACE_SETFPXREGS:
35854 +#ifdef CONFIG_ALTIVEC
35855 + case PTRACE_SETVRREGS:
35861 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
35862 + !(current->role->roletype & GR_ROLE_GOD) &&
35863 + (current->acl != task->acl)) {
35864 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
35871 +static int is_writable_mmap(const struct file *filp)
35873 + struct task_struct *task = current;
35874 + struct acl_object_label *obj, *obj2;
35876 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
35877 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode)) {
35878 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
35879 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
35880 + task->role->root_label);
35881 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
35882 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
35890 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
35894 + if (unlikely(!file || !(prot & PROT_EXEC)))
35897 + if (is_writable_mmap(file))
35901 + gr_search_file(file->f_path.dentry,
35902 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
35903 + file->f_path.mnt);
35905 + if (!gr_tpe_allow(file))
35908 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
35909 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
35911 + } else if (unlikely(!(mode & GR_EXEC))) {
35913 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
35914 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
35922 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
35926 + if (unlikely(!file || !(prot & PROT_EXEC)))
35929 + if (is_writable_mmap(file))
35933 + gr_search_file(file->f_path.dentry,
35934 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
35935 + file->f_path.mnt);
35937 + if (!gr_tpe_allow(file))
35940 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
35941 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
35943 + } else if (unlikely(!(mode & GR_EXEC))) {
35945 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
35946 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
35954 +gr_acl_handle_psacct(struct task_struct *task, const long code)
35956 + unsigned long runtime;
35957 + unsigned long cputime;
35958 + unsigned int wday, cday;
35962 + struct timespec timeval;
35964 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
35965 + !(task->acl->mode & GR_PROCACCT)))
35968 + do_posix_clock_monotonic_gettime(&timeval);
35969 + runtime = timeval.tv_sec - task->start_time.tv_sec;
35970 + wday = runtime / (3600 * 24);
35971 + runtime -= wday * (3600 * 24);
35972 + whr = runtime / 3600;
35973 + runtime -= whr * 3600;
35974 + wmin = runtime / 60;
35975 + runtime -= wmin * 60;
35978 + cputime = (task->utime + task->stime) / HZ;
35979 + cday = cputime / (3600 * 24);
35980 + cputime -= cday * (3600 * 24);
35981 + chr = cputime / 3600;
35982 + cputime -= chr * 3600;
35983 + cmin = cputime / 60;
35984 + cputime -= cmin * 60;
35987 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
35992 +void gr_set_kernel_label(struct task_struct *task)
35994 + if (gr_status & GR_READY) {
35995 + task->role = kernel_role;
35996 + task->acl = kernel_role->root_label;
36001 +#ifdef CONFIG_TASKSTATS
36002 +int gr_is_taskstats_denied(int pid)
36004 + struct task_struct *task;
36005 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
36006 + const struct cred *cred;
36010 + /* restrict taskstats viewing to un-chrooted root users
36011 + who have the 'view' subject flag if the RBAC system is enabled
36014 + read_lock(&tasklist_lock);
36015 + task = find_task_by_vpid(pid);
36017 + gr_fs_read_lock(task);
36018 +#ifdef CONFIG_GRKERNSEC_CHROOT
36019 + if (proc_is_chrooted(task))
36022 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
36023 + cred = __task_cred(task);
36024 +#ifdef CONFIG_GRKERNSEC_PROC_USER
36025 + if (cred->uid != 0)
36027 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
36028 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
36032 + if (gr_status & GR_READY) {
36033 + if (!(task->acl->mode & GR_VIEW))
36037 + gr_fs_read_unlock(task);
36041 + read_unlock(&tasklist_lock);
36047 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
36049 + struct task_struct *task = current;
36050 + struct dentry *dentry = file->f_path.dentry;
36051 + struct vfsmount *mnt = file->f_path.mnt;
36052 + struct acl_object_label *obj, *tmp;
36053 + struct acl_subject_label *subj;
36054 + unsigned int bufsize;
36058 + if (unlikely(!(gr_status & GR_READY)))
36061 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36064 + /* ignore Eric Biederman */
36065 + if (IS_PRIVATE(dentry->d_inode))
36068 + subj = task->acl;
36070 + obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
36072 + return (obj->mode & GR_FIND) ? 1 : 0;
36073 + } while ((subj = subj->parent_subject));
36075 + /* this is purely an optimization since we're looking for an object
36076 + for the directory we're doing a readdir on
36077 + if it's possible for any globbed object to match the entry we're
36078 + filling into the directory, then the object we find here will be
36079 + an anchor point with attached globbed objects
36081 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
36082 + if (obj->globbed == NULL)
36083 + return (obj->mode & GR_FIND) ? 1 : 0;
36085 + is_not_root = ((obj->filename[0] == '/') &&
36086 + (obj->filename[1] == '\0')) ? 0 : 1;
36087 + bufsize = PAGE_SIZE - namelen - is_not_root;
36089 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
36090 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
36093 + preempt_disable();
36094 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
36097 + bufsize = strlen(path);
36099 + /* if base is "/", don't append an additional slash */
36101 + *(path + bufsize) = '/';
36102 + memcpy(path + bufsize + is_not_root, name, namelen);
36103 + *(path + bufsize + namelen + is_not_root) = '\0';
36105 + tmp = obj->globbed;
36107 + if (!glob_match(tmp->filename, path)) {
36108 + preempt_enable();
36109 + return (tmp->mode & GR_FIND) ? 1 : 0;
36113 + preempt_enable();
36114 + return (obj->mode & GR_FIND) ? 1 : 0;
36117 +EXPORT_SYMBOL(gr_learn_resource);
36118 +EXPORT_SYMBOL(gr_set_kernel_label);
36119 +#ifdef CONFIG_SECURITY
36120 +EXPORT_SYMBOL(gr_check_user_change);
36121 +EXPORT_SYMBOL(gr_check_group_change);
36124 diff -urNp linux-2.6.33/grsecurity/gracl_cap.c linux-2.6.33/grsecurity/gracl_cap.c
36125 --- linux-2.6.33/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
36126 +++ linux-2.6.33/grsecurity/gracl_cap.c 2010-03-07 12:23:36.105670657 -0500
36128 +#include <linux/kernel.h>
36129 +#include <linux/module.h>
36130 +#include <linux/sched.h>
36131 +#include <linux/gracl.h>
36132 +#include <linux/grsecurity.h>
36133 +#include <linux/grinternal.h>
36135 +static const char *captab_log[] = {
36137 + "CAP_DAC_OVERRIDE",
36138 + "CAP_DAC_READ_SEARCH",
36145 + "CAP_LINUX_IMMUTABLE",
36146 + "CAP_NET_BIND_SERVICE",
36147 + "CAP_NET_BROADCAST",
36152 + "CAP_SYS_MODULE",
36154 + "CAP_SYS_CHROOT",
36155 + "CAP_SYS_PTRACE",
36160 + "CAP_SYS_RESOURCE",
36162 + "CAP_SYS_TTY_CONFIG",
36165 + "CAP_AUDIT_WRITE",
36166 + "CAP_AUDIT_CONTROL",
36168 + "CAP_MAC_OVERRIDE",
36172 +EXPORT_SYMBOL(gr_is_capable);
36173 +EXPORT_SYMBOL(gr_is_capable_nolog);
36176 +gr_is_capable(const int cap)
36178 + struct task_struct *task = current;
36179 + const struct cred *cred = current_cred();
36180 + struct acl_subject_label *curracl;
36181 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
36183 + if (!gr_acl_is_enabled())
36186 + curracl = task->acl;
36188 + cap_drop = curracl->cap_lower;
36189 + cap_mask = curracl->cap_mask;
36191 + while ((curracl = curracl->parent_subject)) {
36192 + /* if the cap isn't specified in the current computed mask but is specified in the
36193 + current level subject, and is lowered in the current level subject, then add
36194 + it to the set of dropped capabilities
36195 + otherwise, add the current level subject's mask to the current computed mask
36197 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
36198 + cap_raise(cap_mask, cap);
36199 + if (cap_raised(curracl->cap_lower, cap))
36200 + cap_raise(cap_drop, cap);
36204 + if (!cap_raised(cap_drop, cap))
36207 + curracl = task->acl;
36209 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
36210 + && cap_raised(cred->cap_effective, cap)) {
36211 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
36212 + task->role->roletype, cred->uid,
36213 + cred->gid, task->exec_file ?
36214 + gr_to_filename(task->exec_file->f_path.dentry,
36215 + task->exec_file->f_path.mnt) : curracl->filename,
36216 + curracl->filename, 0UL,
36217 + 0UL, "", (unsigned long) cap, &task->signal->curr_ip);
36221 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap))
36222 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
36227 +gr_is_capable_nolog(const int cap)
36229 + struct acl_subject_label *curracl;
36230 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
36232 + if (!gr_acl_is_enabled())
36235 + curracl = current->acl;
36237 + cap_drop = curracl->cap_lower;
36238 + cap_mask = curracl->cap_mask;
36240 + while ((curracl = curracl->parent_subject)) {
36241 + /* if the cap isn't specified in the current computed mask but is specified in the
36242 + current level subject, and is lowered in the current level subject, then add
36243 + it to the set of dropped capabilities
36244 + otherwise, add the current level subject's mask to the current computed mask
36246 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
36247 + cap_raise(cap_mask, cap);
36248 + if (cap_raised(curracl->cap_lower, cap))
36249 + cap_raise(cap_drop, cap);
36253 + if (!cap_raised(cap_drop, cap))
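Review bot: In gr_is_capable() and gr_is_capable_nolog(), `cap` is range-checked only where it indexes captab_log, after the same value has already been passed to cap_raised() and cap_raise() on the subject masks. Both functions are exported, so a caller that passes a value outside the valid capability range would presumably make those mask lookups index outside the capability set. Whether every caller validates `cap` first is not visible here, so an `if (!cap_valid(cap))` guard placed right after the gr_acl_is_enabled() test, returning the function's deny result, would make the functions safe on their own. The parent-subject walk that computes cap_mask and cap_drop is also duplicated line for line in the two functions. Moving it into one static helper would keep the logging and non-logging decisions from drifting apart.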
36259 diff -urNp linux-2.6.33/grsecurity/gracl_fs.c linux-2.6.33/grsecurity/gracl_fs.c
36260 --- linux-2.6.33/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
36261 +++ linux-2.6.33/grsecurity/gracl_fs.c 2010-03-07 12:23:36.105670657 -0500
36263 +#include <linux/kernel.h>
36264 +#include <linux/sched.h>
36265 +#include <linux/types.h>
36266 +#include <linux/fs.h>
36267 +#include <linux/file.h>
36268 +#include <linux/stat.h>
36269 +#include <linux/grsecurity.h>
36270 +#include <linux/grinternal.h>
36271 +#include <linux/gracl.h>
36274 +gr_acl_handle_hidden_file(const struct dentry * dentry,
36275 + const struct vfsmount * mnt)
36279 + if (unlikely(!dentry->d_inode))
36283 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
36285 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
36286 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
36288 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
36289 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
36291 + } else if (unlikely(!(mode & GR_FIND)))
36298 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
36301 + __u32 reqmode = GR_FIND;
36304 + if (unlikely(!dentry->d_inode))
36307 + if (unlikely(fmode & O_APPEND))
36308 + reqmode |= GR_APPEND;
36309 + else if (unlikely(fmode & FMODE_WRITE))
36310 + reqmode |= GR_WRITE;
36311 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
36312 + reqmode |= GR_READ;
36313 + if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
36314 + reqmode &= ~GR_READ;
36316 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
36319 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
36320 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
36321 + reqmode & GR_READ ? " reading" : "",
36322 + reqmode & GR_WRITE ? " writing" : reqmode &
36323 + GR_APPEND ? " appending" : "");
36326 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
36328 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
36329 + reqmode & GR_READ ? " reading" : "",
36330 + reqmode & GR_WRITE ? " writing" : reqmode &
36331 + GR_APPEND ? " appending" : "");
36333 + } else if (unlikely((mode & reqmode) != reqmode))
36340 +gr_acl_handle_creat(const struct dentry * dentry,
36341 + const struct dentry * p_dentry,
36342 + const struct vfsmount * p_mnt, const int fmode,
36345 + __u32 reqmode = GR_WRITE | GR_CREATE;
36348 + if (unlikely(fmode & O_APPEND))
36349 + reqmode |= GR_APPEND;
36350 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
36351 + reqmode |= GR_READ;
36352 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
36353 + reqmode |= GR_SETID;
36356 + gr_check_create(dentry, p_dentry, p_mnt,
36357 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
36359 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
36360 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
36361 + reqmode & GR_READ ? " reading" : "",
36362 + reqmode & GR_WRITE ? " writing" : reqmode &
36363 + GR_APPEND ? " appending" : "");
36366 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
36368 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
36369 + reqmode & GR_READ ? " reading" : "",
36370 + reqmode & GR_WRITE ? " writing" : reqmode &
36371 + GR_APPEND ? " appending" : "");
36373 + } else if (unlikely((mode & reqmode) != reqmode))
36380 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
36383 + __u32 mode, reqmode = GR_FIND;
36385 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
36386 + reqmode |= GR_EXEC;
36387 + if (fmode & S_IWOTH)
36388 + reqmode |= GR_WRITE;
36389 + if (fmode & S_IROTH)
36390 + reqmode |= GR_READ;
36393 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
36396 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
36397 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
36398 + reqmode & GR_READ ? " reading" : "",
36399 + reqmode & GR_WRITE ? " writing" : "",
36400 + reqmode & GR_EXEC ? " executing" : "");
36403 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
36405 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
36406 + reqmode & GR_READ ? " reading" : "",
36407 + reqmode & GR_WRITE ? " writing" : "",
36408 + reqmode & GR_EXEC ? " executing" : "");
36410 + } else if (unlikely((mode & reqmode) != reqmode))
36416 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
36420 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
36422 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
36423 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
36425 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
36426 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
36428 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
36431 + return (reqmode);
36435 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
36437 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
36441 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
36443 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
36447 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
36449 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
36453 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
36455 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
36459 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
36462 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
36465 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
36466 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
36467 + GR_FCHMOD_ACL_MSG);
36469 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
36474 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
36477 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
36478 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
36479 + GR_CHMOD_ACL_MSG);
36481 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
36486 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
36488 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
36492 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
36494 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
36498 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
36500 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
36501 + GR_UNIXCONNECT_ACL_MSG);
36504 +/* hardlinks require at minimum create permission,
36505 + any additional privilege required is based on the
36506 + privilege of the file being linked to
36509 +gr_acl_handle_link(const struct dentry * new_dentry,
36510 + const struct dentry * parent_dentry,
36511 + const struct vfsmount * parent_mnt,
36512 + const struct dentry * old_dentry,
36513 + const struct vfsmount * old_mnt, const char *to)
36516 + __u32 needmode = GR_CREATE | GR_LINK;
36517 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
36520 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
36523 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
36524 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
36526 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
36527 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
36529 + } else if (unlikely((mode & needmode) != needmode))
36536 +gr_acl_handle_symlink(const struct dentry * new_dentry,
36537 + const struct dentry * parent_dentry,
36538 + const struct vfsmount * parent_mnt, const char *from)
36540 + __u32 needmode = GR_WRITE | GR_CREATE;
36544 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
36545 + GR_CREATE | GR_AUDIT_CREATE |
36546 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
36548 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
36549 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
36551 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
36552 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
36554 + } else if (unlikely((mode & needmode) != needmode))
36557 + return (GR_WRITE | GR_CREATE);
36560 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
36564 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
36566 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
36567 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
36569 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
36570 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
36572 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
36575 + return (reqmode);
36579 +gr_acl_handle_mknod(const struct dentry * new_dentry,
36580 + const struct dentry * parent_dentry,
36581 + const struct vfsmount * parent_mnt,
36584 + __u32 reqmode = GR_WRITE | GR_CREATE;
36585 + if (unlikely(mode & (S_ISUID | S_ISGID)))
36586 + reqmode |= GR_SETID;
36588 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
36589 + reqmode, GR_MKNOD_ACL_MSG);
36593 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
36594 + const struct dentry *parent_dentry,
36595 + const struct vfsmount *parent_mnt)
36597 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
36598 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
36601 +#define RENAME_CHECK_SUCCESS(old, new) \
36602 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
36603 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
36606 +gr_acl_handle_rename(struct dentry *new_dentry,
36607 + struct dentry *parent_dentry,
36608 + const struct vfsmount *parent_mnt,
36609 + struct dentry *old_dentry,
36610 + struct inode *old_parent_inode,
36611 + struct vfsmount *old_mnt, const char *newname)
36613 + __u32 comp1, comp2;
36616 + if (unlikely(!gr_acl_is_enabled()))
36619 + if (!new_dentry->d_inode) {
36620 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
36621 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
36622 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
36623 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
36624 + GR_DELETE | GR_AUDIT_DELETE |
36625 + GR_AUDIT_READ | GR_AUDIT_WRITE |
36626 + GR_SUPPRESS, old_mnt);
36628 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
36629 + GR_CREATE | GR_DELETE |
36630 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
36631 + GR_AUDIT_READ | GR_AUDIT_WRITE |
36632 + GR_SUPPRESS, parent_mnt);
36634 + gr_search_file(old_dentry,
36635 + GR_READ | GR_WRITE | GR_AUDIT_READ |
36636 + GR_DELETE | GR_AUDIT_DELETE |
36637 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
36640 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
36641 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
36642 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
36643 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
36644 + && !(comp2 & GR_SUPPRESS)) {
36645 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
36647 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
36654 +gr_acl_handle_exit(void)
36658 + struct file *exec_file;
36660 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
36661 + id = current->acl_role_id;
36662 + rolename = current->role->rolename;
36664 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
36667 + write_lock(&grsec_exec_file_lock);
36668 + exec_file = current->exec_file;
36669 + current->exec_file = NULL;
36670 + write_unlock(&grsec_exec_file_lock);
36677 +gr_acl_handle_procpidmem(const struct task_struct *task)
36679 + if (unlikely(!gr_acl_is_enabled()))
36682 + if (task != current && task->acl->mode & GR_PROTPROCFD)
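Review bot: The audit branch in gr_acl_handle_symlink() tests only `mode & GR_WRITE`, while the two denial branches below it compare against the full `needmode`. The other create-style handlers in this file (gr_acl_handle_creat, generic_fs_create_handler, gr_acl_handle_link) also use the full comparison in their audit branch. With needmode = GR_WRITE | GR_CREATE, a lookup result that grants write and carries an audit bit but lacks GR_CREATE takes the GR_DO_AUDIT path and never reaches the denial checks. What that branch returns is not visible in this listing, so the effect on the access decision should be confirmed. The condition would match the rest of the file as `if (unlikely(((mode & needmode) == needmode) && mode & GR_AUDITS)) {`.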
36687 diff -urNp linux-2.6.33/grsecurity/gracl_ip.c linux-2.6.33/grsecurity/gracl_ip.c
36688 --- linux-2.6.33/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
36689 +++ linux-2.6.33/grsecurity/gracl_ip.c 2010-03-07 12:23:36.105670657 -0500
36691 +#include <linux/kernel.h>
36692 +#include <asm/uaccess.h>
36693 +#include <asm/errno.h>
36694 +#include <net/sock.h>
36695 +#include <linux/file.h>
36696 +#include <linux/fs.h>
36697 +#include <linux/net.h>
36698 +#include <linux/in.h>
36699 +#include <linux/skbuff.h>
36700 +#include <linux/ip.h>
36701 +#include <linux/udp.h>
36702 +#include <linux/smp_lock.h>
36703 +#include <linux/types.h>
36704 +#include <linux/sched.h>
36705 +#include <linux/netdevice.h>
36706 +#include <linux/inetdevice.h>
36707 +#include <linux/gracl.h>
36708 +#include <linux/grsecurity.h>
36709 +#include <linux/grinternal.h>
36711 +#define GR_BIND 0x01
36712 +#define GR_CONNECT 0x02
36713 +#define GR_INVERT 0x04
36714 +#define GR_BINDOVERRIDE 0x08
36715 +#define GR_CONNECTOVERRIDE 0x10
36717 +static const char * gr_protocols[256] = {
36718 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
36719 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
36720 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
36721 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
36722 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
36723 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
36724 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
36725 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
36726 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
36727 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
36728 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
36729 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
36730 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
36731 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
36732 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
36733 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
36734 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
36735 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
36736 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
36737 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
36738 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
36739 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
36740 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
36741 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
36742 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
36743 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
36744 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
36745 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
36746 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
36747 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
36748 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
36749 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
36752 +static const char * gr_socktypes[11] = {
36753 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
36754 + "unknown:7", "unknown:8", "unknown:9", "packet"
36758 +gr_proto_to_name(unsigned char proto)
36760 + return gr_protocols[proto];
36764 +gr_socktype_to_name(unsigned char type)
36766 + return gr_socktypes[type];
36770 +gr_search_socket(const int domain, const int type, const int protocol)
36772 + struct acl_subject_label *curr;
36773 + const struct cred *cred = current_cred();
36775 + if (unlikely(!gr_acl_is_enabled()))
36778 + if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
36779 + || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
36780 + goto exit; // let the kernel handle it
36782 + curr = current->acl;
36787 + if ((curr->ip_type & (1 << type)) &&
36788 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
36791 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
36792 + /* we don't place acls on raw sockets , and sometimes
36793 + dgram/ip sockets are opened for ioctl and not
36794 + bind/connect, so we'll fake a bind learn log */
36795 + if (type == SOCK_RAW || type == SOCK_PACKET) {
36796 + __u32 fakeip = 0;
36797 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
36798 + current->role->roletype, cred->uid,
36799 + cred->gid, current->exec_file ?
36800 + gr_to_filename(current->exec_file->f_path.dentry,
36801 + current->exec_file->f_path.mnt) :
36802 + curr->filename, curr->filename,
36803 + &fakeip, 0, type,
36804 + protocol, GR_CONNECT, ¤t->signal->curr_ip);
36805 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
36806 + __u32 fakeip = 0;
36807 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
36808 + current->role->roletype, cred->uid,
36809 + cred->gid, current->exec_file ?
36810 + gr_to_filename(current->exec_file->f_path.dentry,
36811 + current->exec_file->f_path.mnt) :
36812 + curr->filename, curr->filename,
36813 + &fakeip, 0, type,
36814 + protocol, GR_BIND, ¤t->signal->curr_ip);
36816 + /* we'll log when they use connect or bind */
36820 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, "inet",
36821 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
36828 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
36830 + if ((ip->mode & mode) &&
36831 + (ip_port >= ip->low) &&
36832 + (ip_port <= ip->high) &&
36833 + ((ntohl(ip_addr) & our_netmask) ==
36834 + (ntohl(our_addr) & our_netmask))
36835 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
36836 + && (ip->type & (1 << type))) {
36837 + if (ip->mode & GR_INVERT)
36838 + return 2; // specifically denied
36840 + return 1; // allowed
36843 + return 0; // not specifically allowed, may continue parsing
36847 +gr_search_connectbind(const int full_mode, struct sock *sk,
36848 + struct sockaddr_in *addr, const int type)
36850 + char iface[IFNAMSIZ] = {0};
36851 + struct acl_subject_label *curr;
36852 + struct acl_ip_label *ip;
36853 + struct inet_sock *isk;
36854 + struct net_device *dev;
36855 + struct in_device *idev;
36858 + int mode = full_mode & (GR_BIND | GR_CONNECT);
36859 + __u32 ip_addr = 0;
36861 + __u32 our_netmask;
36863 + __u16 ip_port = 0;
36864 + const struct cred *cred = current_cred();
36866 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
36869 + curr = current->acl;
36870 + isk = inet_sk(sk);
36872 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
36873 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
36874 + addr->sin_addr.s_addr = curr->inaddr_any_override;
36875 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
36876 + struct sockaddr_in saddr;
36879 + saddr.sin_family = AF_INET;
36880 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
36881 + saddr.sin_port = isk->inet_sport;
36883 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
36887 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
36895 + ip_addr = addr->sin_addr.s_addr;
36896 + ip_port = ntohs(addr->sin_port);
36898 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
36899 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
36900 + current->role->roletype, cred->uid,
36901 + cred->gid, current->exec_file ?
36902 + gr_to_filename(current->exec_file->f_path.dentry,
36903 + current->exec_file->f_path.mnt) :
36904 + curr->filename, curr->filename,
36905 + &ip_addr, ip_port, type,
36906 + sk->sk_protocol, mode, ¤t->signal->curr_ip);
36910 + for (i = 0; i < curr->ip_num; i++) {
36911 + ip = *(curr->ips + i);
36912 + if (ip->iface != NULL) {
36913 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
36914 + p = strchr(iface, ':');
36917 + dev = dev_get_by_name(sock_net(sk), iface);
36920 + idev = in_dev_get(dev);
36921 + if (idev == NULL) {
36927 + if (!strcmp(ip->iface, ifa->ifa_label)) {
36928 + our_addr = ifa->ifa_address;
36929 + our_netmask = 0xffffffff;
36930 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
36932 + rcu_read_unlock();
36933 + in_dev_put(idev);
36936 + } else if (ret == 2) {
36937 + rcu_read_unlock();
36938 + in_dev_put(idev);
36943 + } endfor_ifa(idev);
36944 + rcu_read_unlock();
36945 + in_dev_put(idev);
36948 + our_addr = ip->addr;
36949 + our_netmask = ip->netmask;
36950 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
36953 + else if (ret == 2)
36959 + if (mode == GR_BIND)
36960 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
36961 + else if (mode == GR_CONNECT)
36962 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
36968 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
36970 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
36974 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
36976 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
36979 +int gr_search_listen(struct socket *sock)
36981 + struct sock *sk = sock->sk;
36982 + struct sockaddr_in addr;
36984 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
36985 + addr.sin_port = inet_sk(sk)->inet_sport;
36987 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
36990 +int gr_search_accept(struct socket *sock)
36992 + struct sock *sk = sock->sk;
36993 + struct sockaddr_in addr;
36995 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
36996 + addr.sin_port = inet_sk(sk)->inet_sport;
36998 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
37002 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
37005 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
37007 + struct sockaddr_in sin;
37008 + const struct inet_sock *inet = inet_sk(sk);
37010 + sin.sin_addr.s_addr = inet->inet_daddr;
37011 + sin.sin_port = inet->inet_dport;
37013 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
37018 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
37020 + struct sockaddr_in sin;
37022 + if (unlikely(skb->len < sizeof (struct udphdr)))
37023 + return 0; // skip this packet
37025 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
37026 + sin.sin_port = udp_hdr(skb)->source;
37028 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
37030 diff -urNp linux-2.6.33/grsecurity/gracl_learn.c linux-2.6.33/grsecurity/gracl_learn.c
37031 --- linux-2.6.33/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
37032 +++ linux-2.6.33/grsecurity/gracl_learn.c 2010-03-07 12:23:36.105670657 -0500
37034 +#include <linux/kernel.h>
37035 +#include <linux/mm.h>
37036 +#include <linux/sched.h>
37037 +#include <linux/poll.h>
37038 +#include <linux/smp_lock.h>
37039 +#include <linux/string.h>
37040 +#include <linux/file.h>
37041 +#include <linux/types.h>
37042 +#include <linux/vmalloc.h>
37043 +#include <linux/grinternal.h>
37045 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
37046 + size_t count, loff_t *ppos);
37047 +extern int gr_acl_is_enabled(void);
37049 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
37050 +static int gr_learn_attached;
37052 +/* use a 512k buffer */
37053 +#define LEARN_BUFFER_SIZE (512 * 1024)
37055 +static DEFINE_SPINLOCK(gr_learn_lock);
37056 +static DECLARE_MUTEX(gr_learn_user_sem);
37058 +/* we need to maintain two buffers, so that the kernel context of grlearn
37059 + uses a semaphore around the userspace copying, and the other kernel contexts
37060 + use a spinlock when copying into the buffer, since they cannot sleep
37062 +static char *learn_buffer;
37063 +static char *learn_buffer_user;
37064 +static int learn_buffer_len;
37065 +static int learn_buffer_user_len;
37068 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
37070 + DECLARE_WAITQUEUE(wait, current);
37071 + ssize_t retval = 0;
37073 + add_wait_queue(&learn_wait, &wait);
37074 + set_current_state(TASK_INTERRUPTIBLE);
37076 + down(&gr_learn_user_sem);
37077 + spin_lock(&gr_learn_lock);
37078 + if (learn_buffer_len)
37080 + spin_unlock(&gr_learn_lock);
37081 + up(&gr_learn_user_sem);
37082 + if (file->f_flags & O_NONBLOCK) {
37083 + retval = -EAGAIN;
37086 + if (signal_pending(current)) {
37087 + retval = -ERESTARTSYS;
37094 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
37095 + learn_buffer_user_len = learn_buffer_len;
37096 + retval = learn_buffer_len;
37097 + learn_buffer_len = 0;
37099 + spin_unlock(&gr_learn_lock);
37101 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
37102 + retval = -EFAULT;
37104 + up(&gr_learn_user_sem);
37106 + set_current_state(TASK_RUNNING);
37107 + remove_wait_queue(&learn_wait, &wait);
37111 +static unsigned int
37112 +poll_learn(struct file * file, poll_table * wait)
37114 + poll_wait(file, &learn_wait, wait);
37116 + if (learn_buffer_len)
37117 + return (POLLIN | POLLRDNORM);
37123 +gr_clear_learn_entries(void)
37127 + down(&gr_learn_user_sem);
37128 + if (learn_buffer != NULL) {
37129 + spin_lock(&gr_learn_lock);
37130 + tmp = learn_buffer;
37131 + learn_buffer = NULL;
37132 + spin_unlock(&gr_learn_lock);
37133 + vfree(learn_buffer);
37135 + if (learn_buffer_user != NULL) {
37136 + vfree(learn_buffer_user);
37137 + learn_buffer_user = NULL;
37139 + learn_buffer_len = 0;
37140 + up(&gr_learn_user_sem);
37146 +gr_add_learn_entry(const char *fmt, ...)
37149 + unsigned int len;
37151 + if (!gr_learn_attached)
37154 + spin_lock(&gr_learn_lock);
37156 + /* leave a gap at the end so we know when it's "full" but don't have to
37157 + compute the exact length of the string we're trying to append
37159 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
37160 + spin_unlock(&gr_learn_lock);
37161 + wake_up_interruptible(&learn_wait);
37164 + if (learn_buffer == NULL) {
37165 + spin_unlock(&gr_learn_lock);
37169 + va_start(args, fmt);
37170 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
37173 + learn_buffer_len += len + 1;
37175 + spin_unlock(&gr_learn_lock);
37176 + wake_up_interruptible(&learn_wait);
37182 +open_learn(struct inode *inode, struct file *file)
37184 + if (file->f_mode & FMODE_READ && gr_learn_attached)
37186 + if (file->f_mode & FMODE_READ) {
37188 + down(&gr_learn_user_sem);
37189 + if (learn_buffer == NULL)
37190 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
37191 + if (learn_buffer_user == NULL)
37192 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
37193 + if (learn_buffer == NULL) {
37194 + retval = -ENOMEM;
37197 + if (learn_buffer_user == NULL) {
37198 + retval = -ENOMEM;
37201 + learn_buffer_len = 0;
37202 + learn_buffer_user_len = 0;
37203 + gr_learn_attached = 1;
37205 + up(&gr_learn_user_sem);
37212 +close_learn(struct inode *inode, struct file *file)
37216 + if (file->f_mode & FMODE_READ) {
37217 + down(&gr_learn_user_sem);
37218 + if (learn_buffer != NULL) {
37219 + spin_lock(&gr_learn_lock);
37220 + tmp = learn_buffer;
37221 + learn_buffer = NULL;
37222 + spin_unlock(&gr_learn_lock);
37225 + if (learn_buffer_user != NULL) {
37226 + vfree(learn_buffer_user);
37227 + learn_buffer_user = NULL;
37229 + learn_buffer_len = 0;
37230 + learn_buffer_user_len = 0;
37231 + gr_learn_attached = 0;
37232 + up(&gr_learn_user_sem);
37238 +const struct file_operations grsec_fops = {
37239 + .read = read_learn,
37240 + .write = write_grsec_handler,
37241 + .open = open_learn,
37242 + .release = close_learn,
37243 + .poll = poll_learn,
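Review bot: In gr_clear_learn_entries the learn buffer is never freed: the pointer is saved in `tmp` and `learn_buffer` is set to NULL under gr_learn_lock, but the next call is `vfree(learn_buffer)`, which frees NULL and leaks the 512k allocation on every clear. The call should be `vfree(tmp);`. close_learn performs the same swap and its free call is not among the lines shown here, so check that it frees `tmp` as well. Separately, read_learn copies `learn_buffer_user_len` bytes to `buf` and no comparison with `count` is visible, so a reader passing a short buffer may receive more than it asked for; clamping to `count` or rejecting short reads would keep the read() contract.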
37245 diff -urNp linux-2.6.33/grsecurity/gracl_res.c linux-2.6.33/grsecurity/gracl_res.c
37246 --- linux-2.6.33/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
37247 +++ linux-2.6.33/grsecurity/gracl_res.c 2010-03-07 12:23:36.109671795 -0500
37249 +#include <linux/kernel.h>
37250 +#include <linux/sched.h>
37251 +#include <linux/gracl.h>
37252 +#include <linux/grinternal.h>
37254 +static const char *restab_log[] = {
37255 + [RLIMIT_CPU] = "RLIMIT_CPU",
37256 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
37257 + [RLIMIT_DATA] = "RLIMIT_DATA",
37258 + [RLIMIT_STACK] = "RLIMIT_STACK",
37259 + [RLIMIT_CORE] = "RLIMIT_CORE",
37260 + [RLIMIT_RSS] = "RLIMIT_RSS",
37261 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
37262 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
37263 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
37264 + [RLIMIT_AS] = "RLIMIT_AS",
37265 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
37266 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
37267 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
37268 + [RLIMIT_NICE] = "RLIMIT_NICE",
37269 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
37270 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
37271 + [GR_CRASH_RES] = "RLIMIT_CRASH"
37275 +gr_log_resource(const struct task_struct *task,
37276 + const int res, const unsigned long wanted, const int gt)
37278 + const struct cred *cred;
37280 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
37283 + // not yet supported resource
37284 + if (!restab_log[res])
37288 + cred = __task_cred(task);
37290 + if (res == RLIMIT_NPROC &&
37291 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
37292 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
37293 + goto out_rcu_unlock;
37294 + else if (res == RLIMIT_MEMLOCK &&
37295 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
37296 + goto out_rcu_unlock;
37297 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
37298 + goto out_rcu_unlock;
37299 + rcu_read_unlock();
37301 + preempt_disable();
37303 + if (unlikely(((gt && wanted > task->signal->rlim[res].rlim_cur) ||
37304 + (!gt && wanted >= task->signal->rlim[res].rlim_cur)) &&
37305 + task->signal->rlim[res].rlim_cur != RLIM_INFINITY))
37306 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], task->signal->rlim[res].rlim_cur);
37307 + preempt_enable_no_resched();
37311 + rcu_read_unlock();
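Review bot: `restab_log[res]` in gr_log_resource is indexed before `res` is range-checked, so a value outside the table reads past the array; callers presumably pass RLIMIT_* constants, but nothing in this function enforces it. I would make the guard `if (res < 0 || res >= ARRAY_SIZE(restab_log) || !restab_log[res])`. The same index is then used for `task->signal->rlim[res]`, and the table gives GR_CRASH_RES a name, so confirm that rlim[] is large enough for that value or exclude it explicitly.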
37314 diff -urNp linux-2.6.33/grsecurity/gracl_segv.c linux-2.6.33/grsecurity/gracl_segv.c
37315 --- linux-2.6.33/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
37316 +++ linux-2.6.33/grsecurity/gracl_segv.c 2010-03-07 12:23:36.109671795 -0500
37318 +#include <linux/kernel.h>
37319 +#include <linux/mm.h>
37320 +#include <asm/uaccess.h>
37321 +#include <asm/errno.h>
37322 +#include <asm/mman.h>
37323 +#include <net/sock.h>
37324 +#include <linux/file.h>
37325 +#include <linux/fs.h>
37326 +#include <linux/net.h>
37327 +#include <linux/in.h>
37328 +#include <linux/smp_lock.h>
37329 +#include <linux/slab.h>
37330 +#include <linux/types.h>
37331 +#include <linux/sched.h>
37332 +#include <linux/timer.h>
37333 +#include <linux/gracl.h>
37334 +#include <linux/grsecurity.h>
37335 +#include <linux/grinternal.h>
37337 +static struct crash_uid *uid_set;
37338 +static unsigned short uid_used;
37339 +static DEFINE_SPINLOCK(gr_uid_lock);
37340 +extern rwlock_t gr_inode_lock;
37341 +extern struct acl_subject_label *
37342 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
37343 + struct acl_role_label *role);
37344 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
37347 +gr_init_uidset(void)
37350 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
37353 + return uid_set ? 1 : 0;
37357 +gr_free_uidset(void)
37366 +gr_find_uid(const uid_t uid)
37368 + struct crash_uid *tmp = uid_set;
37370 + int low = 0, high = uid_used - 1, mid;
37372 + while (high >= low) {
37373 + mid = (low + high) >> 1;
37374 + buid = tmp[mid].uid;
37386 +static __inline__ void
37387 +gr_insertsort(void)
37389 + unsigned short i, j;
37390 + struct crash_uid index;
37392 + for (i = 1; i < uid_used; i++) {
37393 + index = uid_set[i];
37395 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
37396 + uid_set[j] = uid_set[j - 1];
37399 + uid_set[j] = index;
37405 +static __inline__ void
37406 +gr_insert_uid(const uid_t uid, const unsigned long expires)
37410 + if (uid_used == GR_UIDTABLE_MAX)
37413 + loc = gr_find_uid(uid);
37416 + uid_set[loc].expires = expires;
37420 + uid_set[uid_used].uid = uid;
37421 + uid_set[uid_used].expires = expires;
37430 +gr_remove_uid(const unsigned short loc)
37432 + unsigned short i;
37434 + for (i = loc + 1; i < uid_used; i++)
37435 + uid_set[i - 1] = uid_set[i];
37443 +gr_check_crash_uid(const uid_t uid)
37448 + if (unlikely(!gr_acl_is_enabled()))
37451 + spin_lock(&gr_uid_lock);
37452 + loc = gr_find_uid(uid);
37457 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
37458 + gr_remove_uid(loc);
37463 + spin_unlock(&gr_uid_lock);
37467 +static __inline__ int
37468 +proc_is_setxid(const struct cred *cred)
37470 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
37471 + cred->uid != cred->fsuid)
37473 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
37474 + cred->gid != cred->fsgid)
37479 +static __inline__ int
37480 +gr_fake_force_sig(int sig, struct task_struct *t)
37482 + unsigned long int flags;
37483 + int ret, blocked, ignored;
37484 + struct k_sigaction *action;
37486 + spin_lock_irqsave(&t->sighand->siglock, flags);
37487 + action = &t->sighand->action[sig-1];
37488 + ignored = action->sa.sa_handler == SIG_IGN;
37489 + blocked = sigismember(&t->blocked, sig);
37490 + if (blocked || ignored) {
37491 + action->sa.sa_handler = SIG_DFL;
37493 + sigdelset(&t->blocked, sig);
37494 + recalc_sigpending_and_wake(t);
37497 + if (action->sa.sa_handler == SIG_DFL)
37498 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
37499 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
37501 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
37507 +gr_handle_crash(struct task_struct *task, const int sig)
37509 + struct acl_subject_label *curr;
37510 + struct acl_subject_label *curr2;
37511 + struct task_struct *tsk, *tsk2;
37512 + const struct cred *cred;
37513 + const struct cred *cred2;
37515 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
37518 + if (unlikely(!gr_acl_is_enabled()))
37521 + curr = task->acl;
37523 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
37526 + if (time_before_eq(curr->expires, get_seconds())) {
37527 + curr->expires = 0;
37528 + curr->crashes = 0;
37533 + if (!curr->expires)
37534 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
37536 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
37537 + time_after(curr->expires, get_seconds())) {
37539 + cred = __task_cred(task);
37540 + if (cred->uid && proc_is_setxid(cred)) {
37541 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
37542 + spin_lock(&gr_uid_lock);
37543 + gr_insert_uid(cred->uid, curr->expires);
37544 + spin_unlock(&gr_uid_lock);
37545 + curr->expires = 0;
37546 + curr->crashes = 0;
37547 + read_lock(&tasklist_lock);
37548 + do_each_thread(tsk2, tsk) {
37549 + cred2 = __task_cred(tsk);
37550 + if (tsk != task && cred2->uid == cred->uid)
37551 + gr_fake_force_sig(SIGKILL, tsk);
37552 + } while_each_thread(tsk2, tsk);
37553 + read_unlock(&tasklist_lock);
37555 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
37556 + read_lock(&tasklist_lock);
37557 + do_each_thread(tsk2, tsk) {
37558 + if (likely(tsk != task)) {
37559 + curr2 = tsk->acl;
37561 + if (curr2->device == curr->device &&
37562 + curr2->inode == curr->inode)
37563 + gr_fake_force_sig(SIGKILL, tsk);
37565 + } while_each_thread(tsk2, tsk);
37566 + read_unlock(&tasklist_lock);
37568 + rcu_read_unlock();
37575 +gr_check_crash_exec(const struct file *filp)
37577 + struct acl_subject_label *curr;
37579 + if (unlikely(!gr_acl_is_enabled()))
37582 + read_lock(&gr_inode_lock);
37583 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
37584 + filp->f_path.dentry->d_inode->i_sb->s_dev,
37586 + read_unlock(&gr_inode_lock);
37588 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
37589 + (!curr->crashes && !curr->expires))
37592 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
37593 + time_after(curr->expires, get_seconds()))
37595 + else if (time_before_eq(curr->expires, get_seconds())) {
37596 + curr->crashes = 0;
37597 + curr->expires = 0;
37604 +gr_handle_alertkill(struct task_struct *task)
37606 + struct acl_subject_label *curracl;
37608 + struct task_struct *p, *p2;
37610 + if (unlikely(!gr_acl_is_enabled()))
37613 + curracl = task->acl;
37614 + curr_ip = task->signal->curr_ip;
37616 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
37617 + read_lock(&tasklist_lock);
37618 + do_each_thread(p2, p) {
37619 + if (p->signal->curr_ip == curr_ip)
37620 + gr_fake_force_sig(SIGKILL, p);
37621 + } while_each_thread(p2, p);
37622 + read_unlock(&tasklist_lock);
37623 + } else if (curracl->mode & GR_KILLPROC)
37624 + gr_fake_force_sig(SIGKILL, task);
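Review bot: The per-subject crash counters are read and written with no lock visible: gr_handle_crash resets and sets `curr->expires` and `curr->crashes` directly, and gr_check_crash_exec drops gr_inode_lock before it tests and clears the same fields. Tasks sharing a subject can fault on different CPUs at once, so an update can be lost or the window reset in the middle of a check, which loosens the limit this code enforces. Either serialise these updates or add a comment stating why the race is acceptable, e.g. `/* crashes/expires are updated locklessly; a lost update only delays the ban */`. gr_insert_uid also appears to return silently when `uid_used == GR_UIDTABLE_MAX`, so with a full table a uid that should be banned is not; a log message there would make that visible.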
37628 diff -urNp linux-2.6.33/grsecurity/gracl_shm.c linux-2.6.33/grsecurity/gracl_shm.c
37629 --- linux-2.6.33/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
37630 +++ linux-2.6.33/grsecurity/gracl_shm.c 2010-03-07 12:23:36.109671795 -0500
37632 +#include <linux/kernel.h>
37633 +#include <linux/mm.h>
37634 +#include <linux/sched.h>
37635 +#include <linux/file.h>
37636 +#include <linux/ipc.h>
37637 +#include <linux/gracl.h>
37638 +#include <linux/grsecurity.h>
37639 +#include <linux/grinternal.h>
37642 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
37643 + const time_t shm_createtime, const uid_t cuid, const int shmid)
37645 + struct task_struct *task;
37647 + if (!gr_acl_is_enabled())
37650 + read_lock(&tasklist_lock);
37652 + task = find_task_by_vpid(shm_cprid);
37654 + if (unlikely(!task))
37655 + task = find_task_by_vpid(shm_lapid);
37657 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
37658 + (task->pid == shm_lapid)) &&
37659 + (task->acl->mode & GR_PROTSHM) &&
37660 + (task->acl != current->acl))) {
37661 + read_unlock(&tasklist_lock);
37662 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
37665 + read_unlock(&tasklist_lock);
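Review bot: In gr_handle_shmat the test `(task->pid == shm_lapid)` compares the global pid with a value that the lines above treat as namespace-relative (it is looked up with `find_task_by_vpid(shm_lapid)`), so inside a pid namespace the two may differ even for the same task. `(task_pid_vnr(task) == shm_lapid)` would compare like with like. A short comment on the start_time versus shm_createtime comparison would also help; it looks like a guard against the creator pid having been reused by a later process, but the code does not say so.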
37669 diff -urNp linux-2.6.33/grsecurity/grsec_chdir.c linux-2.6.33/grsecurity/grsec_chdir.c
37670 --- linux-2.6.33/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
37671 +++ linux-2.6.33/grsecurity/grsec_chdir.c 2010-03-07 12:23:36.109671795 -0500
37673 +#include <linux/kernel.h>
37674 +#include <linux/sched.h>
37675 +#include <linux/fs.h>
37676 +#include <linux/file.h>
37677 +#include <linux/grsecurity.h>
37678 +#include <linux/grinternal.h>
37681 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
37683 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
37684 + if ((grsec_enable_chdir && grsec_enable_group &&
37685 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
37686 + !grsec_enable_group)) {
37687 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
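Review bot: The condition in gr_log_chdir tests `grsec_enable_chdir` twice and is harder to read than it needs to be. `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))` is equivalent, including the short-circuit that only calls in_group_p() when group auditing is on. A one-line comment that the audit applies to everyone unless group auditing restricts it to grsec_audit_gid would document the intent.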
37692 diff -urNp linux-2.6.33/grsecurity/grsec_chroot.c linux-2.6.33/grsecurity/grsec_chroot.c
37693 --- linux-2.6.33/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
37694 +++ linux-2.6.33/grsecurity/grsec_chroot.c 2010-03-07 12:23:36.109671795 -0500
37696 +#include <linux/kernel.h>
37697 +#include <linux/module.h>
37698 +#include <linux/sched.h>
37699 +#include <linux/file.h>
37700 +#include <linux/fs.h>
37701 +#include <linux/mount.h>
37702 +#include <linux/types.h>
37703 +#include <linux/pid_namespace.h>
37704 +#include <linux/grsecurity.h>
37705 +#include <linux/grinternal.h>
37708 +gr_handle_chroot_unix(const pid_t pid)
37710 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
37711 + struct pid *spid = NULL;
37713 + if (unlikely(!grsec_enable_chroot_unix))
37716 + if (likely(!proc_is_chrooted(current)))
37719 + read_lock(&tasklist_lock);
37721 + spid = find_vpid(pid);
37723 + struct task_struct *p;
37724 + p = pid_task(spid, PIDTYPE_PID);
37725 + gr_fs_read_lock(p);
37726 + if (unlikely(!have_same_root(current, p))) {
37727 + gr_fs_read_unlock(p);
37728 + read_unlock(&tasklist_lock);
37729 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
37732 + gr_fs_read_unlock(p);
37734 + read_unlock(&tasklist_lock);
37740 +gr_handle_chroot_nice(void)
37742 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
37743 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
37744 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
37752 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
37754 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
37755 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
37756 + && proc_is_chrooted(current)) {
37757 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
37765 +gr_handle_chroot_rawio(const struct inode *inode)
37767 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
37768 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
37769 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
37776 +gr_pid_is_chrooted(struct task_struct *p)
37778 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
37779 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
37782 + gr_fs_read_lock(p);
37783 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
37784 + !have_same_root(current, p)) {
37785 + gr_fs_read_unlock(p);
37788 + gr_fs_read_unlock(p);
37793 +EXPORT_SYMBOL(gr_pid_is_chrooted);
37795 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
37796 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
37798 + struct dentry *dentry = (struct dentry *)u_dentry;
37799 + struct vfsmount *mnt = (struct vfsmount *)u_mnt;
37800 + struct dentry *realroot;
37801 + struct vfsmount *realrootmnt;
37802 + struct dentry *currentroot;
37803 + struct vfsmount *currentmnt;
37804 + struct task_struct *reaper = &init_task;
37807 + read_lock(&reaper->fs->lock);
37808 + realrootmnt = mntget(reaper->fs->root.mnt);
37809 + realroot = dget(reaper->fs->root.dentry);
37810 + read_unlock(&reaper->fs->lock);
37812 + read_lock(¤t->fs->lock);
37813 + currentmnt = mntget(current->fs->root.mnt);
37814 + currentroot = dget(current->fs->root.dentry);
37815 + read_unlock(¤t->fs->lock);
37817 + spin_lock(&dcache_lock);
37819 + if (unlikely((dentry == realroot && mnt == realrootmnt)
37820 + || (dentry == currentroot && mnt == currentmnt)))
37822 + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
37823 + if (mnt->mnt_parent == mnt)
37825 + dentry = mnt->mnt_mountpoint;
37826 + mnt = mnt->mnt_parent;
37829 + dentry = dentry->d_parent;
37831 + spin_unlock(&dcache_lock);
37833 + dput(currentroot);
37834 + mntput(currentmnt);
37836 + /* access is outside of chroot */
37837 + if (dentry == realroot && mnt == realrootmnt)
37841 + mntput(realrootmnt);
37847 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
37849 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
37850 + if (!grsec_enable_chroot_fchdir)
37853 + if (!proc_is_chrooted(current))
37855 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
37856 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
37864 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
37865 + const time_t shm_createtime)
37867 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
37868 + struct pid *pid = NULL;
37869 + time_t starttime;
37871 + if (unlikely(!grsec_enable_chroot_shmat))
37874 + if (likely(!proc_is_chrooted(current)))
37877 + read_lock(&tasklist_lock);
37879 + pid = find_vpid(shm_cprid);
37881 + struct task_struct *p;
37882 + p = pid_task(pid, PIDTYPE_PID);
37883 + gr_fs_read_lock(p);
37884 + starttime = p->start_time.tv_sec;
37885 + if (unlikely(!have_same_root(current, p) &&
37886 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
37887 + gr_fs_read_unlock(p);
37888 + read_unlock(&tasklist_lock);
37889 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
37892 + gr_fs_read_unlock(p);
37894 + pid = find_vpid(shm_lapid);
37896 + struct task_struct *p;
37897 + p = pid_task(pid, PIDTYPE_PID);
37898 + gr_fs_read_lock(p);
37899 + if (unlikely(!have_same_root(current, p))) {
37900 + gr_fs_read_unlock(p);
37901 + read_unlock(&tasklist_lock);
37902 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
37905 + gr_fs_read_unlock(p);
37909 + read_unlock(&tasklist_lock);
37915 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
37917 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
37918 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
37919 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
37925 +gr_handle_chroot_mknod(const struct dentry *dentry,
37926 + const struct vfsmount *mnt, const int mode)
37928 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
37929 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
37930 + proc_is_chrooted(current)) {
37931 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
37939 +gr_handle_chroot_mount(const struct dentry *dentry,
37940 + const struct vfsmount *mnt, const char *dev_name)
37942 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
37943 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
37944 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
37952 +gr_handle_chroot_pivot(void)
37954 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
37955 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
37956 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
37964 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
37966 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
37967 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
37968 + !gr_is_outside_chroot(dentry, mnt)) {
37969 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
37977 +gr_handle_chroot_caps(struct path *path)
37979 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
37980 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
37981 + (init_task.fs->root.dentry != path->dentry) &&
37982 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
37984 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
37985 + const struct cred *old = current_cred();
37986 + struct cred *new = prepare_creds();
37990 + new->cap_permitted = cap_drop(old->cap_permitted,
37992 + new->cap_inheritable = cap_drop(old->cap_inheritable,
37994 + new->cap_effective = cap_drop(old->cap_effective,
37997 + commit_creds(new);
38006 +gr_handle_chroot_sysctl(const int op)
38008 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
38009 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
38010 + proc_is_chrooted(current))
38017 +gr_handle_chroot_chdir(struct path *path)
38019 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
38020 + if (grsec_enable_chroot_chdir)
38021 + set_fs_pwd(current->fs, path);
38027 +gr_handle_chroot_chmod(const struct dentry *dentry,
38028 + const struct vfsmount *mnt, const int mode)
38030 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
38031 + if (grsec_enable_chroot_chmod &&
38032 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
38033 + proc_is_chrooted(current)) {
38034 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
38041 +#ifdef CONFIG_SECURITY
38042 +EXPORT_SYMBOL(gr_handle_chroot_caps);
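Review bot: The result of `pid_task(spid, PIDTYPE_PID)` in gr_handle_chroot_unix is passed straight to `gr_fs_read_lock(p)` and `have_same_root(current, p)` with no NULL check, and pid_task() can return NULL when the struct pid has no task attached for that type. gr_chroot_shmat repeats the pattern twice, for shm_cprid and shm_lapid, and in the first case also reads `p->start_time`. Each site should test `p` first, e.g. `if (unlikely(p == NULL))`, and fall through to the existing `read_unlock(&tasklist_lock)` path. What gr_fs_read_lock expands to is not visible here; if it dereferences `p->fs`, an exiting task whose fs has already been released needs the same care.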
38044 diff -urNp linux-2.6.33/grsecurity/grsec_disabled.c linux-2.6.33/grsecurity/grsec_disabled.c
38045 --- linux-2.6.33/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
38046 +++ linux-2.6.33/grsecurity/grsec_disabled.c 2010-03-07 12:23:36.109671795 -0500
38048 +#include <linux/kernel.h>
38049 +#include <linux/module.h>
38050 +#include <linux/sched.h>
38051 +#include <linux/file.h>
38052 +#include <linux/fs.h>
38053 +#include <linux/kdev_t.h>
38054 +#include <linux/net.h>
38055 +#include <linux/in.h>
38056 +#include <linux/ip.h>
38057 +#include <linux/skbuff.h>
38058 +#include <linux/sysctl.h>
38060 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
38062 +pax_set_initial_flags(struct linux_binprm *bprm)
38068 +#ifdef CONFIG_SYSCTL
38070 +gr_handle_sysctl(const struct ctl_table * table, const int op)
38076 +#ifdef CONFIG_TASKSTATS
38077 +int gr_is_taskstats_denied(int pid)
38084 +gr_acl_is_enabled(void)
38090 +gr_handle_rawio(const struct inode *inode)
38096 +gr_acl_handle_psacct(struct task_struct *task, const long code)
38102 +gr_handle_ptrace(struct task_struct *task, const long request)
38108 +gr_handle_proc_ptrace(struct task_struct *task)
38114 +gr_learn_resource(const struct task_struct *task,
38115 + const int res, const unsigned long wanted, const int gt)
38121 +gr_set_acls(const int type)
38127 +gr_check_hidden_task(const struct task_struct *tsk)
38133 +gr_check_protected_task(const struct task_struct *task)
38139 +gr_copy_label(struct task_struct *tsk)
38145 +gr_set_pax_flags(struct task_struct *task)
38151 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
38152 + const int unsafe_share)
38158 +gr_handle_delete(const ino_t ino, const dev_t dev)
38164 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
38170 +gr_handle_crash(struct task_struct *task, const int sig)
38176 +gr_check_crash_exec(const struct file *filp)
38182 +gr_check_crash_uid(const uid_t uid)
38188 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
38189 + struct dentry *old_dentry,
38190 + struct dentry *new_dentry,
38191 + struct vfsmount *mnt, const __u8 replace)
38197 +gr_search_socket(const int family, const int type, const int protocol)
38203 +gr_search_connectbind(const int mode, const struct socket *sock,
38204 + const struct sockaddr_in *addr)
38210 +gr_is_capable(const int cap)
38216 +gr_is_capable_nolog(const int cap)
38222 +gr_handle_alertkill(struct task_struct *task)
38228 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
38234 +gr_acl_handle_hidden_file(const struct dentry * dentry,
38235 + const struct vfsmount * mnt)
38241 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
38248 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
38254 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
38260 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
38261 + unsigned int *vm_flags)
38267 +gr_acl_handle_truncate(const struct dentry * dentry,
38268 + const struct vfsmount * mnt)
38274 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
38280 +gr_acl_handle_access(const struct dentry * dentry,
38281 + const struct vfsmount * mnt, const int fmode)
38287 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
38294 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
38301 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
38307 +grsecurity_init(void)
38313 +gr_acl_handle_mknod(const struct dentry * new_dentry,
38314 + const struct dentry * parent_dentry,
38315 + const struct vfsmount * parent_mnt,
38322 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
38323 + const struct dentry * parent_dentry,
38324 + const struct vfsmount * parent_mnt)
38330 +gr_acl_handle_symlink(const struct dentry * new_dentry,
38331 + const struct dentry * parent_dentry,
38332 + const struct vfsmount * parent_mnt, const char *from)
38338 +gr_acl_handle_link(const struct dentry * new_dentry,
38339 + const struct dentry * parent_dentry,
38340 + const struct vfsmount * parent_mnt,
38341 + const struct dentry * old_dentry,
38342 + const struct vfsmount * old_mnt, const char *to)
38348 +gr_acl_handle_rename(const struct dentry *new_dentry,
38349 + const struct dentry *parent_dentry,
38350 + const struct vfsmount *parent_mnt,
38351 + const struct dentry *old_dentry,
38352 + const struct inode *old_parent_inode,
38353 + const struct vfsmount *old_mnt, const char *newname)
38359 +gr_acl_handle_filldir(const struct file *file, const char *name,
38360 + const int namelen, const ino_t ino)
38366 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
38367 + const time_t shm_createtime, const uid_t cuid, const int shmid)
38373 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
38379 +gr_search_accept(const struct socket *sock)
38385 +gr_search_listen(const struct socket *sock)
38391 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
38397 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
38403 +gr_acl_handle_creat(const struct dentry * dentry,
38404 + const struct dentry * p_dentry,
38405 + const struct vfsmount * p_mnt, const int fmode,
38412 +gr_acl_handle_exit(void)
38418 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
38424 +gr_set_role_label(const uid_t uid, const gid_t gid)
38430 +gr_acl_handle_procpidmem(const struct task_struct *task)
38436 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
38442 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
38448 +gr_set_kernel_label(struct task_struct *task)
38454 +gr_check_user_change(int real, int effective, int fs)
38460 +gr_check_group_change(int real, int effective, int fs)
38466 +EXPORT_SYMBOL(gr_is_capable);
38467 +EXPORT_SYMBOL(gr_is_capable_nolog);
38468 +EXPORT_SYMBOL(gr_learn_resource);
38469 +EXPORT_SYMBOL(gr_set_kernel_label);
38470 +#ifdef CONFIG_SECURITY
38471 +EXPORT_SYMBOL(gr_check_user_change);
38472 +EXPORT_SYMBOL(gr_check_group_change);
38474 diff -urNp linux-2.6.33/grsecurity/grsec_exec.c linux-2.6.33/grsecurity/grsec_exec.c
38475 --- linux-2.6.33/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
38476 +++ linux-2.6.33/grsecurity/grsec_exec.c 2010-03-07 12:23:36.109671795 -0500
38478 +#include <linux/kernel.h>
38479 +#include <linux/sched.h>
38480 +#include <linux/file.h>
38481 +#include <linux/binfmts.h>
38482 +#include <linux/smp_lock.h>
38483 +#include <linux/fs.h>
38484 +#include <linux/types.h>
38485 +#include <linux/grdefs.h>
38486 +#include <linux/grinternal.h>
38487 +#include <linux/capability.h>
38489 +#include <asm/uaccess.h>
38491 +#ifdef CONFIG_GRKERNSEC_EXECLOG
38492 +static char gr_exec_arg_buf[132];
38493 +static DECLARE_MUTEX(gr_exec_arg_sem);
38497 +gr_handle_nproc(void)
38499 +#ifdef CONFIG_GRKERNSEC_EXECVE
38500 + const struct cred *cred = current_cred();
38501 + if (grsec_enable_execve && cred->user &&
38502 + (atomic_read(&cred->user->processes) >
38503 + current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
38504 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
38505 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
38513 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *__user *argv)
38515 +#ifdef CONFIG_GRKERNSEC_EXECLOG
38516 + char *grarg = gr_exec_arg_buf;
38517 + unsigned int i, x, execlen = 0;
38520 + if (!((grsec_enable_execlog && grsec_enable_group &&
38521 + in_group_p(grsec_audit_gid))
38522 + || (grsec_enable_execlog && !grsec_enable_group)))
38525 + down(&gr_exec_arg_sem);
38526 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
38528 + if (unlikely(argv == NULL))
38531 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
38532 + const char __user *p;
38533 + unsigned int len;
38535 + if (copy_from_user(&p, argv + i, sizeof(p)))
38539 + len = strnlen_user(p, 128 - execlen);
38540 + if (len > 128 - execlen)
38541 + len = 128 - execlen;
38542 + else if (len > 0)
38544 + if (copy_from_user(grarg + execlen, p, len))
38547 + /* rewrite unprintable characters */
38548 + for (x = 0; x < len; x++) {
38549 + c = *(grarg + execlen + x);
38550 + if (c < 32 || c > 126)
38551 + *(grarg + execlen + x) = ' ';
38555 + *(grarg + execlen) = ' ';
38556 + *(grarg + execlen + 1) = '\0';
38561 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
38562 + bprm->file->f_path.mnt, grarg);
38563 + up(&gr_exec_arg_sem);
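Review bot: In gr_handle_exec_args the limit 128 and the buffer size 132 are unrelated literals, and an argument list longer than 128 bytes is cut off with no marker in the audit record. Tie the two together, for example `#define GR_EXEC_ARG_MAX 128` and `static char gr_exec_arg_buf[GR_EXEC_ARG_MAX + 4];`, with a comment that the slack holds the separator and terminator written at `grarg + execlen` and `grarg + execlen + 1`. A comment above the rewrite loop should also say that bytes outside 32..126 become spaces, so the logged string is not a faithful copy of argv. Several lines of the function are missing from this page, so the exact maximum offset is inferred.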
38567 diff -urNp linux-2.6.33/grsecurity/grsec_fifo.c linux-2.6.33/grsecurity/grsec_fifo.c
38568 --- linux-2.6.33/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
38569 +++ linux-2.6.33/grsecurity/grsec_fifo.c 2010-03-07 12:23:36.109671795 -0500
38571 +#include <linux/kernel.h>
38572 +#include <linux/sched.h>
38573 +#include <linux/fs.h>
38574 +#include <linux/file.h>
38575 +#include <linux/grinternal.h>
38578 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
38579 + const struct dentry *dir, const int flag, const int acc_mode)
38581 +#ifdef CONFIG_GRKERNSEC_FIFO
38582 + const struct cred *cred = current_cred();
38584 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
38585 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
38586 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
38587 + (cred->fsuid != dentry->d_inode->i_uid)) {
38588 + if (!generic_permission(dentry->d_inode, acc_mode, NULL))
38589 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
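Review bot: The condition in gr_handle_fifo encodes a policy that is stated nowhere in the hunk; a comment above the `if` would make it reviewable, for example `/* FIFO in a sticky directory, owned by neither the directory owner nor the opener, opened without O_EXCL */`. It also deserves a line explaining why the alert is logged only when `generic_permission()` returns 0, that is, when the ordinary permission check would have allowed the open. `dentry->d_inode` and `dir->d_inode` are dereferenced without a NULL test, unlike gr_handle_rofs_blockwrite in grsec_mount.c, so the function presumably relies on callers passing positive dentries; that precondition belongs in the comment too.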
38595 diff -urNp linux-2.6.33/grsecurity/grsec_fork.c linux-2.6.33/grsecurity/grsec_fork.c
38596 --- linux-2.6.33/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
38597 +++ linux-2.6.33/grsecurity/grsec_fork.c 2010-03-07 12:23:36.109671795 -0500
38599 +#include <linux/kernel.h>
38600 +#include <linux/sched.h>
38601 +#include <linux/grsecurity.h>
38602 +#include <linux/grinternal.h>
38603 +#include <linux/errno.h>
38606 +gr_log_forkfail(const int retval)
38608 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
38609 + if (grsec_enable_forkfail && retval != -ERESTARTNOINTR)
38610 + gr_log_int(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval);
38614 diff -urNp linux-2.6.33/grsecurity/grsec_init.c linux-2.6.33/grsecurity/grsec_init.c
38615 --- linux-2.6.33/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
38616 +++ linux-2.6.33/grsecurity/grsec_init.c 2010-03-07 12:23:36.109671795 -0500
38618 +#include <linux/kernel.h>
38619 +#include <linux/sched.h>
38620 +#include <linux/mm.h>
38621 +#include <linux/smp_lock.h>
38622 +#include <linux/gracl.h>
38623 +#include <linux/slab.h>
38624 +#include <linux/vmalloc.h>
38625 +#include <linux/percpu.h>
38627 +int grsec_enable_link;
38628 +int grsec_enable_dmesg;
38629 +int grsec_enable_harden_ptrace;
38630 +int grsec_enable_fifo;
38631 +int grsec_enable_execve;
38632 +int grsec_enable_execlog;
38633 +int grsec_enable_signal;
38634 +int grsec_enable_forkfail;
38635 +int grsec_enable_audit_ptrace;
38636 +int grsec_enable_time;
38637 +int grsec_enable_audit_textrel;
38638 +int grsec_enable_group;
38639 +int grsec_audit_gid;
38640 +int grsec_enable_chdir;
38641 +int grsec_enable_mount;
38642 +int grsec_enable_rofs;
38643 +int grsec_enable_chroot_findtask;
38644 +int grsec_enable_chroot_mount;
38645 +int grsec_enable_chroot_shmat;
38646 +int grsec_enable_chroot_fchdir;
38647 +int grsec_enable_chroot_double;
38648 +int grsec_enable_chroot_pivot;
38649 +int grsec_enable_chroot_chdir;
38650 +int grsec_enable_chroot_chmod;
38651 +int grsec_enable_chroot_mknod;
38652 +int grsec_enable_chroot_nice;
38653 +int grsec_enable_chroot_execlog;
38654 +int grsec_enable_chroot_caps;
38655 +int grsec_enable_chroot_sysctl;
38656 +int grsec_enable_chroot_unix;
38657 +int grsec_enable_tpe;
38658 +int grsec_tpe_gid;
38659 +int grsec_enable_tpe_all;
38660 +int grsec_enable_socket_all;
38661 +int grsec_socket_all_gid;
38662 +int grsec_enable_socket_client;
38663 +int grsec_socket_client_gid;
38664 +int grsec_enable_socket_server;
38665 +int grsec_socket_server_gid;
38666 +int grsec_resource_logging;
38669 +DEFINE_SPINLOCK(grsec_alert_lock);
38670 +unsigned long grsec_alert_wtime = 0;
38671 +unsigned long grsec_alert_fyet = 0;
38673 +DEFINE_SPINLOCK(grsec_audit_lock);
38675 +DEFINE_RWLOCK(grsec_exec_file_lock);
38677 +char *gr_shared_page[4];
38679 +char *gr_alert_log_fmt;
38680 +char *gr_audit_log_fmt;
38681 +char *gr_alert_log_buf;
38682 +char *gr_audit_log_buf;
38684 +extern struct gr_arg *gr_usermode;
38685 +extern unsigned char *gr_system_salt;
38686 +extern unsigned char *gr_system_sum;
38689 +grsecurity_init(void)
38692 + /* create the per-cpu shared pages */
38695 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
38698 + for (j = 0; j < 4; j++) {
38699 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
38700 + if (gr_shared_page[j] == NULL) {
38701 + panic("Unable to allocate grsecurity shared page");
38706 + /* allocate log buffers */
38707 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
38708 + if (!gr_alert_log_fmt) {
38709 + panic("Unable to allocate grsecurity alert log format buffer");
38712 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
38713 + if (!gr_audit_log_fmt) {
38714 + panic("Unable to allocate grsecurity audit log format buffer");
38717 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
38718 + if (!gr_alert_log_buf) {
38719 + panic("Unable to allocate grsecurity alert log buffer");
38722 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
38723 + if (!gr_audit_log_buf) {
38724 + panic("Unable to allocate grsecurity audit log buffer");
38728 + /* allocate memory for authentication structure */
38729 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
38730 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
38731 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
38733 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
38734 + panic("Unable to allocate grsecurity authentication structure");
38738 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
38739 +#ifndef CONFIG_GRKERNSEC_SYSCTL
38742 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
38743 + grsec_enable_audit_textrel = 1;
38745 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
38746 + grsec_enable_group = 1;
38747 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
38749 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
38750 + grsec_enable_chdir = 1;
38752 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
38753 + grsec_enable_harden_ptrace = 1;
38755 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
38756 + grsec_enable_mount = 1;
38758 +#ifdef CONFIG_GRKERNSEC_LINK
38759 + grsec_enable_link = 1;
38761 +#ifdef CONFIG_GRKERNSEC_DMESG
38762 + grsec_enable_dmesg = 1;
38764 +#ifdef CONFIG_GRKERNSEC_FIFO
38765 + grsec_enable_fifo = 1;
38767 +#ifdef CONFIG_GRKERNSEC_EXECVE
38768 + grsec_enable_execve = 1;
38770 +#ifdef CONFIG_GRKERNSEC_EXECLOG
38771 + grsec_enable_execlog = 1;
38773 +#ifdef CONFIG_GRKERNSEC_SIGNAL
38774 + grsec_enable_signal = 1;
38776 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
38777 + grsec_enable_forkfail = 1;
38779 +#ifdef CONFIG_GRKERNSEC_TIME
38780 + grsec_enable_time = 1;
38782 +#ifdef CONFIG_GRKERNSEC_RESLOG
38783 + grsec_resource_logging = 1;
38785 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
38786 + grsec_enable_chroot_findtask = 1;
38788 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
38789 + grsec_enable_chroot_unix = 1;
38791 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
38792 + grsec_enable_chroot_mount = 1;
38794 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
38795 + grsec_enable_chroot_fchdir = 1;
38797 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
38798 + grsec_enable_chroot_shmat = 1;
38800 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
38801 + grsec_enable_audit_ptrace = 1;
38803 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
38804 + grsec_enable_chroot_double = 1;
38806 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
38807 + grsec_enable_chroot_pivot = 1;
38809 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
38810 + grsec_enable_chroot_chdir = 1;
38812 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
38813 + grsec_enable_chroot_chmod = 1;
38815 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
38816 + grsec_enable_chroot_mknod = 1;
38818 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
38819 + grsec_enable_chroot_nice = 1;
38821 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
38822 + grsec_enable_chroot_execlog = 1;
38824 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
38825 + grsec_enable_chroot_caps = 1;
38827 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
38828 + grsec_enable_chroot_sysctl = 1;
38830 +#ifdef CONFIG_GRKERNSEC_TPE
38831 + grsec_enable_tpe = 1;
38832 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
38833 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
38834 + grsec_enable_tpe_all = 1;
38837 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
38838 + grsec_enable_socket_all = 1;
38839 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
38841 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
38842 + grsec_enable_socket_client = 1;
38843 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
38845 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
38846 + grsec_enable_socket_server = 1;
38847 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
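Review bot: `gr_usermode`, `gr_system_salt` and `gr_system_sum` are allocated with kmalloc() in grsecurity_init and left uninitialised here, so until other code fills them they hold whatever the allocator returns. Since they back the authentication state, zeroing them is cheap insurance: `gr_usermode = kzalloc(sizeof(struct gr_arg), GFP_KERNEL);` and likewise for the salt and the sum. Separately, `memset((char *)(0x41a + PAGE_OFFSET), 0, 36);` sits under the comment about per-cpu shared pages but does something else. It needs its own comment naming what lives at that address (it looks like the x86 BIOS keyboard buffer, to be confirmed) and why it is cleared.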
38853 diff -urNp linux-2.6.33/grsecurity/grsec_link.c linux-2.6.33/grsecurity/grsec_link.c
38854 --- linux-2.6.33/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
38855 +++ linux-2.6.33/grsecurity/grsec_link.c 2010-03-07 12:23:36.109671795 -0500
38857 +#include <linux/kernel.h>
38858 +#include <linux/sched.h>
38859 +#include <linux/fs.h>
38860 +#include <linux/file.h>
38861 +#include <linux/grinternal.h>
38864 +gr_handle_follow_link(const struct inode *parent,
38865 + const struct inode *inode,
38866 + const struct dentry *dentry, const struct vfsmount *mnt)
38868 +#ifdef CONFIG_GRKERNSEC_LINK
38869 + const struct cred *cred = current_cred();
38871 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
38872 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
38873 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
38874 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
38882 +gr_handle_hardlink(const struct dentry *dentry,
38883 + const struct vfsmount *mnt,
38884 + struct inode *inode, const int mode, const char *to)
38886 +#ifdef CONFIG_GRKERNSEC_LINK
38887 + const struct cred *cred = current_cred();
38889 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
38890 + (!S_ISREG(mode) || (mode & S_ISUID) ||
38891 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
38892 + (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
38893 + !capable(CAP_FOWNER) && cred->uid) {
38894 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
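Review bot: In gr_handle_hardlink the trailing `&& cred->uid` exempts uid 0 regardless of its capability set, so a root process that has dropped CAP_FOWNER still bypasses the restriction. If that is intended, say so in a comment; if the capability is meant to be the only override, end the condition at `!capable(CAP_FOWNER)) {`. In the lines shown, gr_handle_follow_link has no comparable exemption, which makes the difference look accidental rather than designed.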
38900 diff -urNp linux-2.6.33/grsecurity/grsec_log.c linux-2.6.33/grsecurity/grsec_log.c
38901 --- linux-2.6.33/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
38902 +++ linux-2.6.33/grsecurity/grsec_log.c 2010-03-07 12:23:36.109671795 -0500
38904 +#include <linux/kernel.h>
38905 +#include <linux/sched.h>
38906 +#include <linux/file.h>
38907 +#include <linux/tty.h>
38908 +#include <linux/fs.h>
38909 +#include <linux/grinternal.h>
38911 +#define BEGIN_LOCKS(x) \
38912 + rcu_read_lock(); \
38913 + read_lock(&tasklist_lock); \
38914 + read_lock(&grsec_exec_file_lock); \
38915 + if (x != GR_DO_AUDIT) \
38916 + spin_lock(&grsec_alert_lock); \
38918 + spin_lock(&grsec_audit_lock)
38920 +#define END_LOCKS(x) \
38921 + if (x != GR_DO_AUDIT) \
38922 + spin_unlock(&grsec_alert_lock); \
38924 + spin_unlock(&grsec_audit_lock); \
38925 + read_unlock(&grsec_exec_file_lock); \
38926 + read_unlock(&tasklist_lock); \
38927 + rcu_read_unlock(); \
38928 + if (x == GR_DONT_AUDIT) \
38929 + gr_handle_alertkill(current)
38936 +extern char *gr_alert_log_fmt;
38937 +extern char *gr_audit_log_fmt;
38938 +extern char *gr_alert_log_buf;
38939 +extern char *gr_audit_log_buf;
38941 +static int gr_log_start(int audit)
38943 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
38944 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
38945 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
38947 + if (audit == GR_DO_AUDIT)
38950 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
38951 + grsec_alert_wtime = jiffies;
38952 + grsec_alert_fyet = 0;
38953 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
38954 + grsec_alert_fyet++;
38955 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
38956 + grsec_alert_wtime = jiffies;
38957 + grsec_alert_fyet++;
38958 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
38960 + } else return FLOODING;
38963 + memset(buf, 0, PAGE_SIZE);
38964 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
38965 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
38966 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
38967 + } else if (current->signal->curr_ip) {
38968 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
38969 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip);
38970 + } else if (gr_acl_is_enabled()) {
38971 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
38972 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
38974 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
38975 + strcpy(buf, fmt);
38978 + return NO_FLOODING;
38981 +static void gr_log_middle(int audit, const char *msg, va_list ap)
38982 + __attribute__ ((format (printf, 2, 0)));
38984 +static void gr_log_middle(int audit, const char *msg, va_list ap)
38986 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
38987 + unsigned int len = strlen(buf);
38989 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
38994 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
38995 + __attribute__ ((format (printf, 2, 3)));
38997 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
38999 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
39000 + unsigned int len = strlen(buf);
39003 + va_start(ap, msg);
39004 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
39010 +static void gr_log_end(int audit)
39012 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
39013 + unsigned int len = strlen(buf);
39015 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->parent)));
39016 + printk("%s\n", buf);
39021 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
39024 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
39025 + char *str1, *str2, *str3;
39028 + unsigned long ulong1, ulong2;
39029 + struct dentry *dentry;
39030 + struct vfsmount *mnt;
39031 + struct file *file;
39032 + struct task_struct *task;
39033 + const struct cred *cred, *pcred;
39036 + BEGIN_LOCKS(audit);
39037 + logtype = gr_log_start(audit);
39038 + if (logtype == FLOODING) {
39039 + END_LOCKS(audit);
39042 + va_start(ap, argtypes);
39043 + switch (argtypes) {
39044 + case GR_TTYSNIFF:
39045 + task = va_arg(ap, struct task_struct *);
39046 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid);
39048 + case GR_SYSCTL_HIDDEN:
39049 + str1 = va_arg(ap, char *);
39050 + gr_log_middle_varargs(audit, msg, result, str1);
39053 + dentry = va_arg(ap, struct dentry *);
39054 + mnt = va_arg(ap, struct vfsmount *);
39055 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
39057 + case GR_RBAC_STR:
39058 + dentry = va_arg(ap, struct dentry *);
39059 + mnt = va_arg(ap, struct vfsmount *);
39060 + str1 = va_arg(ap, char *);
39061 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
39063 + case GR_STR_RBAC:
39064 + str1 = va_arg(ap, char *);
39065 + dentry = va_arg(ap, struct dentry *);
39066 + mnt = va_arg(ap, struct vfsmount *);
39067 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
39069 + case GR_RBAC_MODE2:
39070 + dentry = va_arg(ap, struct dentry *);
39071 + mnt = va_arg(ap, struct vfsmount *);
39072 + str1 = va_arg(ap, char *);
39073 + str2 = va_arg(ap, char *);
39074 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
39076 + case GR_RBAC_MODE3:
39077 + dentry = va_arg(ap, struct dentry *);
39078 + mnt = va_arg(ap, struct vfsmount *);
39079 + str1 = va_arg(ap, char *);
39080 + str2 = va_arg(ap, char *);
39081 + str3 = va_arg(ap, char *);
39082 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
39084 + case GR_FILENAME:
39085 + dentry = va_arg(ap, struct dentry *);
39086 + mnt = va_arg(ap, struct vfsmount *);
39087 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
39089 + case GR_STR_FILENAME:
39090 + str1 = va_arg(ap, char *);
39091 + dentry = va_arg(ap, struct dentry *);
39092 + mnt = va_arg(ap, struct vfsmount *);
39093 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
39095 + case GR_FILENAME_STR:
39096 + dentry = va_arg(ap, struct dentry *);
39097 + mnt = va_arg(ap, struct vfsmount *);
39098 + str1 = va_arg(ap, char *);
39099 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
39101 + case GR_FILENAME_TWO_INT:
39102 + dentry = va_arg(ap, struct dentry *);
39103 + mnt = va_arg(ap, struct vfsmount *);
39104 + num1 = va_arg(ap, int);
39105 + num2 = va_arg(ap, int);
39106 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
39108 + case GR_FILENAME_TWO_INT_STR:
39109 + dentry = va_arg(ap, struct dentry *);
39110 + mnt = va_arg(ap, struct vfsmount *);
39111 + num1 = va_arg(ap, int);
39112 + num2 = va_arg(ap, int);
39113 + str1 = va_arg(ap, char *);
39114 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
39117 + file = va_arg(ap, struct file *);
39118 + ulong1 = va_arg(ap, unsigned long);
39119 + ulong2 = va_arg(ap, unsigned long);
39120 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
39123 + task = va_arg(ap, struct task_struct *);
39124 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
39126 + case GR_RESOURCE:
39127 + task = va_arg(ap, struct task_struct *);
39128 + cred = __task_cred(task);
39129 + pcred = __task_cred(task->parent);
39130 + ulong1 = va_arg(ap, unsigned long);
39131 + str1 = va_arg(ap, char *);
39132 + ulong2 = va_arg(ap, unsigned long);
39133 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
39136 + task = va_arg(ap, struct task_struct *);
39137 + cred = __task_cred(task);
39138 + pcred = __task_cred(task->parent);
39139 + str1 = va_arg(ap, char *);
39140 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
39143 + str1 = va_arg(ap, char *);
39144 + voidptr = va_arg(ap, void *);
39145 + gr_log_middle_varargs(audit, msg, str1, voidptr);
39148 + task = va_arg(ap, struct task_struct *);
39149 + cred = __task_cred(task);
39150 + pcred = __task_cred(task->parent);
39151 + num1 = va_arg(ap, int);
39152 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
39155 + task = va_arg(ap, struct task_struct *);
39156 + cred = __task_cred(task);
39157 + pcred = __task_cred(task->parent);
39158 + ulong1 = va_arg(ap, unsigned long);
39159 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
39162 + task = va_arg(ap, struct task_struct *);
39163 + cred = __task_cred(task);
39164 + pcred = __task_cred(task->parent);
39165 + ulong1 = va_arg(ap, unsigned long);
39166 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
39170 + unsigned int wday, cday;
39174 + char cur_tty[64] = { 0 };
39175 + char parent_tty[64] = { 0 };
39177 + task = va_arg(ap, struct task_struct *);
39178 + wday = va_arg(ap, unsigned int);
39179 + cday = va_arg(ap, unsigned int);
39180 + whr = va_arg(ap, int);
39181 + chr = va_arg(ap, int);
39182 + wmin = va_arg(ap, int);
39183 + cmin = va_arg(ap, int);
39184 + wsec = va_arg(ap, int);
39185 + csec = va_arg(ap, int);
39186 + ulong1 = va_arg(ap, unsigned long);
39187 + cred = __task_cred(task);
39188 + pcred = __task_cred(task->parent);
39190 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, &task->parent->signal->curr_ip, tty_name(task->parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
39194 + gr_log_middle(audit, msg, ap);
39197 + gr_log_end(audit);
39198 + END_LOCKS(audit);
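Review bot: gr_log_varargs formats `task->comm`, `task->parent->comm` and the result of gr_to_filename() straight into the log buffer, and gr_log_end hands that buffer to printk() unchanged. Control characters in a process or file name therefore reach the kernel log as-is, unless the format strings or helpers defined elsewhere filter them. gr_handle_exec_args in grsec_exec.c already replaces bytes outside 32..126 with spaces; applying the same filter once in gr_log_end, before the printk and with a local `char *p`, keeps one record per line: `for (p = buf; *p; p++) if (*p < 32 || *p > 126) *p = ' ';`. Separately, BEGIN_LOCKS and END_LOCKS are multi-statement macros with an unbraced `if`; wrapping each in `do { ... } while (0)` and parenthesising `x` would avoid surprises at call sites.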
39200 diff -urNp linux-2.6.33/grsecurity/grsec_mem.c linux-2.6.33/grsecurity/grsec_mem.c
39201 --- linux-2.6.33/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
39202 +++ linux-2.6.33/grsecurity/grsec_mem.c 2010-03-07 12:23:36.109671795 -0500
39204 +#include <linux/kernel.h>
39205 +#include <linux/sched.h>
39206 +#include <linux/mm.h>
39207 +#include <linux/mman.h>
39208 +#include <linux/grinternal.h>
39211 +gr_handle_ioperm(void)
39213 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
39218 +gr_handle_iopl(void)
39220 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
39225 +gr_handle_mem_write(void)
39227 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
39232 +gr_handle_kmem_write(void)
39234 + gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
39239 +gr_handle_open_port(void)
39241 + gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
39246 +gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
39248 + unsigned long start, end;
39251 + end = start + vma->vm_end - vma->vm_start;
39253 + if (start > end) {
39254 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
39258 + /* allowed ranges : ISA I/O BIOS */
39259 + if ((start >= __pa(high_memory))
39260 +#if defined(CONFIG_X86) || defined(CONFIG_PPC)
39261 + || (start >= 0x000a0000 && end <= 0x00100000)
39262 + || (start >= 0x00000000 && end <= 0x00001000)
39267 + if (vma->vm_flags & VM_WRITE) {
39268 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
39271 + vma->vm_flags &= ~VM_MAYWRITE;
39277 +gr_log_nonroot_mod_load(const char *modname)
39279 + gr_log_str(GR_DONT_AUDIT, GR_NONROOT_MODLOAD_MSG, modname);
39284 +gr_handle_vm86(void)
39286 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
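Review bot: In gr_handle_mem_mmap the test `start >= 0x00000000` is always true for an `unsigned long`, so the last allowed range reduces to `end <= 0x00001000`; writing it that way avoids a tautological-comparison warning and shows the real condition. The three ranges are bare literals behind the comment `allowed ranges : ISA I/O BIOS`; named constants or one comment per range would make it clear which physical regions stay mappable and why. What the allowed branch returns is missing from this page, so whether it also skips the `VM_WRITE` check below cannot be confirmed from here.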
39289 diff -urNp linux-2.6.33/grsecurity/grsec_mount.c linux-2.6.33/grsecurity/grsec_mount.c
39290 --- linux-2.6.33/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
39291 +++ linux-2.6.33/grsecurity/grsec_mount.c 2010-03-07 12:23:36.109671795 -0500
39293 +#include <linux/kernel.h>
39294 +#include <linux/sched.h>
39295 +#include <linux/mount.h>
39296 +#include <linux/grsecurity.h>
39297 +#include <linux/grinternal.h>
39300 +gr_log_remount(const char *devname, const int retval)
39302 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
39303 + if (grsec_enable_mount && (retval >= 0))
39304 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
39310 +gr_log_unmount(const char *devname, const int retval)
39312 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
39313 + if (grsec_enable_mount && (retval >= 0))
39314 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
39320 +gr_log_mount(const char *from, const char *to, const int retval)
39322 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
39323 + if (grsec_enable_mount && (retval >= 0))
39324 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
39330 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
39332 +#ifdef CONFIG_GRKERNSEC_ROFS
39333 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
39334 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
39343 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
39345 +#ifdef CONFIG_GRKERNSEC_ROFS
39346 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
39347 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
39348 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
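Review bot: gr_log_mount passes `from` and `to` to the logger as they are, while gr_log_remount and gr_log_unmount substitute "none" for a NULL `devname`. If either argument can be NULL here the record will differ from the other two; use the same fallback, for example `from ? from : "none"` in the gr_log_str_str call. A comment is also warranted on gr_handle_rofs_mount and gr_handle_rofs_blockwrite: both log with GR_DO_AUDIT, which gr_log_start in grsec_log.c maps to KERN_INFO and the audit buffer. If these branches deny the operation (their return statements are missing from this page), alert-level monitoring will not see the denial.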
39355 diff -urNp linux-2.6.33/grsecurity/grsec_ptrace.c linux-2.6.33/grsecurity/grsec_ptrace.c
39356 --- linux-2.6.33/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
39357 +++ linux-2.6.33/grsecurity/grsec_ptrace.c 2010-03-07 12:23:36.109671795 -0500
39359 +#include <linux/kernel.h>
39360 +#include <linux/sched.h>
39361 +#include <linux/grinternal.h>
39362 +#include <linux/grsecurity.h>
39365 +gr_audit_ptrace(struct task_struct *task)
39367 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
39368 + if (grsec_enable_audit_ptrace)
39369 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
39373 diff -urNp linux-2.6.33/grsecurity/grsec_sig.c linux-2.6.33/grsecurity/grsec_sig.c
39374 --- linux-2.6.33/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
39375 +++ linux-2.6.33/grsecurity/grsec_sig.c 2010-03-07 12:23:36.109671795 -0500
39377 +#include <linux/kernel.h>
39378 +#include <linux/sched.h>
39379 +#include <linux/delay.h>
39380 +#include <linux/grsecurity.h>
39381 +#include <linux/grinternal.h>
39383 +char *signames[] = {
39384 + [SIGSEGV] = "Segmentation fault",
39385 + [SIGILL] = "Illegal instruction",
39386 + [SIGABRT] = "Abort",
39387 + [SIGBUS] = "Invalid alignment/Bus error"
39391 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
39393 +#ifdef CONFIG_GRKERNSEC_SIGNAL
39394 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
39395 + (sig == SIGABRT) || (sig == SIGBUS))) {
39396 + if (t->pid == current->pid) {
39397 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
39399 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
39407 +gr_handle_signal(const struct task_struct *p, const int sig)
39409 +#ifdef CONFIG_GRKERNSEC
39410 + if (current->pid > 1 && gr_check_protected_task(p)) {
39411 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
39413 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
39420 +void gr_handle_brute_attach(struct task_struct *p)
39422 +#ifdef CONFIG_GRKERNSEC_BRUTE
39423 + read_lock(&tasklist_lock);
39424 + read_lock(&grsec_exec_file_lock);
39425 + if (p->parent && p->parent->exec_file == p->exec_file)
39426 + p->parent->brute = 1;
39427 + read_unlock(&grsec_exec_file_lock);
39428 + read_unlock(&tasklist_lock);
39433 +void gr_handle_brute_check(void)
39435 +#ifdef CONFIG_GRKERNSEC_BRUTE
39436 + if (current->brute)
39437 + msleep(30 * 1000);
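Review bot: `char *signames[]` is declared as a writable global with external linkage and only four designated entries, so every other slot is NULL and the array is only as long as the largest of those four signal numbers plus one. The guard in gr_log_signal keeps `signames[sig]` in range today, but nothing stops a later caller from indexing it with an unchecked signal or from modifying the table. If no other file references it (not visible from this hunk), `static const char * const signames[] = {` would confine it to this file and make it read-only. The `30 * 1000` in gr_handle_brute_check would also read better as a named constant with a comment tying it to the 30-second delay described in the GRKERNSEC_BRUTE help text.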
39442 diff -urNp linux-2.6.33/grsecurity/grsec_sock.c linux-2.6.33/grsecurity/grsec_sock.c
39443 --- linux-2.6.33/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
39444 +++ linux-2.6.33/grsecurity/grsec_sock.c 2010-03-07 12:23:36.109671795 -0500
39446 +#include <linux/kernel.h>
39447 +#include <linux/module.h>
39448 +#include <linux/sched.h>
39449 +#include <linux/file.h>
39450 +#include <linux/net.h>
39451 +#include <linux/in.h>
39452 +#include <linux/ip.h>
39453 +#include <net/sock.h>
39454 +#include <net/inet_sock.h>
39455 +#include <linux/grsecurity.h>
39456 +#include <linux/grinternal.h>
39457 +#include <linux/gracl.h>
39459 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
39460 +EXPORT_SYMBOL(gr_cap_rtnetlink);
39462 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
39463 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
39465 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
39466 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
39468 +#ifdef CONFIG_UNIX_MODULE
39469 +EXPORT_SYMBOL(gr_acl_handle_unix);
39470 +EXPORT_SYMBOL(gr_acl_handle_mknod);
39471 +EXPORT_SYMBOL(gr_handle_chroot_unix);
39472 +EXPORT_SYMBOL(gr_handle_create);
39475 +#ifdef CONFIG_GRKERNSEC
39476 +#define gr_conn_table_size 32749
39477 +struct conn_table_entry {
39478 + struct conn_table_entry *next;
39479 + struct signal_struct *sig;
39482 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
39483 +DEFINE_SPINLOCK(gr_conn_table_lock);
39485 +extern const char * gr_socktype_to_name(unsigned char type);
39486 +extern const char * gr_proto_to_name(unsigned char proto);
39488 +static __inline__ int
39489 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
39491 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
39494 +static __inline__ int
39495 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
39496 + __u16 sport, __u16 dport)
39498 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
39499 + sig->gr_sport == sport && sig->gr_dport == dport))
39505 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
39507 + struct conn_table_entry **match;
39508 + unsigned int index;
39510 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
39511 + sig->gr_sport, sig->gr_dport,
39512 + gr_conn_table_size);
39514 + newent->sig = sig;
39516 + match = &gr_conn_table[index];
39517 + newent->next = *match;
39523 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
39525 + struct conn_table_entry *match, *last = NULL;
39526 + unsigned int index;
39528 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
39529 + sig->gr_sport, sig->gr_dport,
39530 + gr_conn_table_size);
39532 + match = gr_conn_table[index];
39533 + while (match && !conn_match(match->sig,
39534 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
39535 + sig->gr_dport)) {
39537 + match = match->next;
39542 + last->next = match->next;
39544 + gr_conn_table[index] = NULL;
39551 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
39552 + __u16 sport, __u16 dport)
39554 + struct conn_table_entry *match;
39555 + unsigned int index;
39557 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
39559 + match = gr_conn_table[index];
39560 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
39561 + match = match->next;
39564 + return match->sig;
39571 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
39573 +#ifdef CONFIG_GRKERNSEC
39574 + struct signal_struct *sig = task->signal;
39575 + struct conn_table_entry *newent;
39577 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
39578 + if (newent == NULL)
39580 + /* no bh lock needed since we are called with bh disabled */
39581 + spin_lock(&gr_conn_table_lock);
39582 + gr_del_task_from_ip_table_nolock(sig);
39583 + sig->gr_saddr = inet->inet_rcv_saddr;
39584 + sig->gr_daddr = inet->inet_daddr;
39585 + sig->gr_sport = inet->inet_sport;
39586 + sig->gr_dport = inet->inet_dport;
39587 + gr_add_to_task_ip_table_nolock(sig, newent);
39588 + spin_unlock(&gr_conn_table_lock);
39593 +void gr_del_task_from_ip_table(struct task_struct *task)
39595 +#ifdef CONFIG_GRKERNSEC
39596 + spin_lock_bh(&gr_conn_table_lock);
39597 + gr_del_task_from_ip_table_nolock(task->signal);
39598 + spin_unlock_bh(&gr_conn_table_lock);
39604 +gr_attach_curr_ip(const struct sock *sk)
39606 +#ifdef CONFIG_GRKERNSEC
39607 + struct signal_struct *p, *set;
39608 + const struct inet_sock *inet = inet_sk(sk);
39610 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
39613 + set = current->signal;
39615 + spin_lock_bh(&gr_conn_table_lock);
39616 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
39617 + inet->inet_dport, inet->inet_sport);
39618 + if (unlikely(p != NULL)) {
39619 + set->curr_ip = p->curr_ip;
39620 + set->used_accept = 1;
39621 + gr_del_task_from_ip_table_nolock(p);
39622 + spin_unlock_bh(&gr_conn_table_lock);
39625 + spin_unlock_bh(&gr_conn_table_lock);
39627 + set->curr_ip = inet->inet_daddr;
39628 + set->used_accept = 1;
39634 +gr_handle_sock_all(const int family, const int type, const int protocol)
39636 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
39637 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
39638 + (family != AF_UNIX) && (family != AF_LOCAL)) {
39639 + gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
39647 +gr_handle_sock_server(const struct sockaddr *sck)
39649 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
39650 + if (grsec_enable_socket_server &&
39651 + in_group_p(grsec_socket_server_gid) &&
39652 + sck && (sck->sa_family != AF_UNIX) &&
39653 + (sck->sa_family != AF_LOCAL)) {
39654 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
39662 +gr_handle_sock_server_other(const struct sock *sck)
39664 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
39665 + if (grsec_enable_socket_server &&
39666 + in_group_p(grsec_socket_server_gid) &&
39667 + sck && (sck->sk_family != AF_UNIX) &&
39668 + (sck->sk_family != AF_LOCAL)) {
39669 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
39677 +gr_handle_sock_client(const struct sockaddr *sck)
39679 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
39680 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
39681 + sck && (sck->sa_family != AF_UNIX) &&
39682 + (sck->sa_family != AF_LOCAL)) {
39683 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
39691 +gr_cap_rtnetlink(struct sock *sock)
39693 +#ifdef CONFIG_GRKERNSEC
39694 + if (!gr_acl_is_enabled())
39695 + return current_cap();
39696 + else if (sock->sk_protocol == NETLINK_ISCSI &&
39697 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
39698 + gr_is_capable(CAP_SYS_ADMIN))
39699 + return current_cap();
39700 + else if (sock->sk_protocol == NETLINK_AUDIT &&
39701 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
39702 + gr_is_capable(CAP_AUDIT_WRITE) &&
39703 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
39704 + gr_is_capable(CAP_AUDIT_CONTROL))
39705 + return current_cap();
39706 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
39707 + ((sock->sk_protocol == NETLINK_ROUTE) ?
39708 + gr_is_capable_nolog(CAP_NET_ADMIN) :
39709 + gr_is_capable(CAP_NET_ADMIN)))
39710 + return current_cap();
39712 + return __cap_empty_set;
39714 + return current_cap();
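Review bot: In gr_del_task_from_ip_table_nolock the bucket is reset with `gr_conn_table[index] = NULL;`. If that is the branch taken when the matched entry is the chain head (the lines carrying the condition are not shown here), it discards every entry chained behind the match; `gr_conn_table[index] = match->next;` would unlink only the match. The dropped entries would be leaked and no longer found by gr_lookup_task_ip_table, so gr_attach_curr_ip would fall back to the peer address for those connections. Separately, conn_hash evaluates `dport << 16` on a `__u16` promoted to int, which overflows a signed int for ports at or above 0x8000; `((__u32)dport << 16)` keeps the arithmetic unsigned.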
39717 diff -urNp linux-2.6.33/grsecurity/grsec_sysctl.c linux-2.6.33/grsecurity/grsec_sysctl.c
39718 --- linux-2.6.33/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
39719 +++ linux-2.6.33/grsecurity/grsec_sysctl.c 2010-03-07 12:23:36.109671795 -0500
39721 +#include <linux/kernel.h>
39722 +#include <linux/sched.h>
39723 +#include <linux/sysctl.h>
39724 +#include <linux/grsecurity.h>
39725 +#include <linux/grinternal.h>
39728 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
39730 +#ifdef CONFIG_GRKERNSEC_SYSCTL
39731 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
39732 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
39739 +#ifdef CONFIG_GRKERNSEC_ROFS
39740 +static int __maybe_unused one = 1;
39743 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
39744 +ctl_table grsecurity_table[] = {
39745 +#ifdef CONFIG_GRKERNSEC_SYSCTL
39746 +#ifdef CONFIG_GRKERNSEC_LINK
39748 + .procname = "linking_restrictions",
39749 + .data = &grsec_enable_link,
39750 + .maxlen = sizeof(int),
39752 + .proc_handler = &proc_dointvec,
39755 +#ifdef CONFIG_GRKERNSEC_FIFO
39757 + .procname = "fifo_restrictions",
39758 + .data = &grsec_enable_fifo,
39759 + .maxlen = sizeof(int),
39761 + .proc_handler = &proc_dointvec,
39764 +#ifdef CONFIG_GRKERNSEC_EXECVE
39766 + .procname = "execve_limiting",
39767 + .data = &grsec_enable_execve,
39768 + .maxlen = sizeof(int),
39770 + .proc_handler = &proc_dointvec,
39773 +#ifdef CONFIG_GRKERNSEC_EXECLOG
39775 + .procname = "exec_logging",
39776 + .data = &grsec_enable_execlog,
39777 + .maxlen = sizeof(int),
39779 + .proc_handler = &proc_dointvec,
39782 +#ifdef CONFIG_GRKERNSEC_SIGNAL
39784 + .procname = "signal_logging",
39785 + .data = &grsec_enable_signal,
39786 + .maxlen = sizeof(int),
39788 + .proc_handler = &proc_dointvec,
39791 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
39793 + .procname = "forkfail_logging",
39794 + .data = &grsec_enable_forkfail,
39795 + .maxlen = sizeof(int),
39797 + .proc_handler = &proc_dointvec,
39800 +#ifdef CONFIG_GRKERNSEC_TIME
39802 + .procname = "timechange_logging",
39803 + .data = &grsec_enable_time,
39804 + .maxlen = sizeof(int),
39806 + .proc_handler = &proc_dointvec,
39809 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
39811 + .procname = "chroot_deny_shmat",
39812 + .data = &grsec_enable_chroot_shmat,
39813 + .maxlen = sizeof(int),
39815 + .proc_handler = &proc_dointvec,
39818 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
39820 + .procname = "chroot_deny_unix",
39821 + .data = &grsec_enable_chroot_unix,
39822 + .maxlen = sizeof(int),
39824 + .proc_handler = &proc_dointvec,
39827 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
39829 + .procname = "chroot_deny_mount",
39830 + .data = &grsec_enable_chroot_mount,
39831 + .maxlen = sizeof(int),
39833 + .proc_handler = &proc_dointvec,
39836 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
39838 + .procname = "chroot_deny_fchdir",
39839 + .data = &grsec_enable_chroot_fchdir,
39840 + .maxlen = sizeof(int),
39842 + .proc_handler = &proc_dointvec,
39845 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
39847 + .procname = "chroot_deny_chroot",
39848 + .data = &grsec_enable_chroot_double,
39849 + .maxlen = sizeof(int),
39851 + .proc_handler = &proc_dointvec,
39854 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
39856 + .procname = "chroot_deny_pivot",
39857 + .data = &grsec_enable_chroot_pivot,
39858 + .maxlen = sizeof(int),
39860 + .proc_handler = &proc_dointvec,
39863 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
39865 + .procname = "chroot_enforce_chdir",
39866 + .data = &grsec_enable_chroot_chdir,
39867 + .maxlen = sizeof(int),
39869 + .proc_handler = &proc_dointvec,
39872 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
39874 + .procname = "chroot_deny_chmod",
39875 + .data = &grsec_enable_chroot_chmod,
39876 + .maxlen = sizeof(int),
39878 + .proc_handler = &proc_dointvec,
39881 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
39883 + .procname = "chroot_deny_mknod",
39884 + .data = &grsec_enable_chroot_mknod,
39885 + .maxlen = sizeof(int),
39887 + .proc_handler = &proc_dointvec,
39890 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
39892 + .procname = "chroot_restrict_nice",
39893 + .data = &grsec_enable_chroot_nice,
39894 + .maxlen = sizeof(int),
39896 + .proc_handler = &proc_dointvec,
39899 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
39901 + .procname = "chroot_execlog",
39902 + .data = &grsec_enable_chroot_execlog,
39903 + .maxlen = sizeof(int),
39905 + .proc_handler = &proc_dointvec,
39908 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
39910 + .procname = "chroot_caps",
39911 + .data = &grsec_enable_chroot_caps,
39912 + .maxlen = sizeof(int),
39914 + .proc_handler = &proc_dointvec,
39917 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
39919 + .procname = "chroot_deny_sysctl",
39920 + .data = &grsec_enable_chroot_sysctl,
39921 + .maxlen = sizeof(int),
39923 + .proc_handler = &proc_dointvec,
39926 +#ifdef CONFIG_GRKERNSEC_TPE
39928 + .procname = "tpe",
39929 + .data = &grsec_enable_tpe,
39930 + .maxlen = sizeof(int),
39932 + .proc_handler = &proc_dointvec,
39935 + .procname = "tpe_gid",
39936 + .data = &grsec_tpe_gid,
39937 + .maxlen = sizeof(int),
39939 + .proc_handler = &proc_dointvec,
39942 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
39944 + .procname = "tpe_restrict_all",
39945 + .data = &grsec_enable_tpe_all,
39946 + .maxlen = sizeof(int),
39948 + .proc_handler = &proc_dointvec,
39951 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
39953 + .procname = "socket_all",
39954 + .data = &grsec_enable_socket_all,
39955 + .maxlen = sizeof(int),
39957 + .proc_handler = &proc_dointvec,
39960 + .procname = "socket_all_gid",
39961 + .data = &grsec_socket_all_gid,
39962 + .maxlen = sizeof(int),
39964 + .proc_handler = &proc_dointvec,
39967 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
39969 + .procname = "socket_client",
39970 + .data = &grsec_enable_socket_client,
39971 + .maxlen = sizeof(int),
39973 + .proc_handler = &proc_dointvec,
39976 + .procname = "socket_client_gid",
39977 + .data = &grsec_socket_client_gid,
39978 + .maxlen = sizeof(int),
39980 + .proc_handler = &proc_dointvec,
39983 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
39985 + .procname = "socket_server",
39986 + .data = &grsec_enable_socket_server,
39987 + .maxlen = sizeof(int),
39989 + .proc_handler = &proc_dointvec,
39992 + .procname = "socket_server_gid",
39993 + .data = &grsec_socket_server_gid,
39994 + .maxlen = sizeof(int),
39996 + .proc_handler = &proc_dointvec,
39999 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
40001 + .procname = "audit_group",
40002 + .data = &grsec_enable_group,
40003 + .maxlen = sizeof(int),
40005 + .proc_handler = &proc_dointvec,
40008 + .procname = "audit_gid",
40009 + .data = &grsec_audit_gid,
40010 + .maxlen = sizeof(int),
40012 + .proc_handler = &proc_dointvec,
40015 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
40017 + .procname = "audit_chdir",
40018 + .data = &grsec_enable_chdir,
40019 + .maxlen = sizeof(int),
40021 + .proc_handler = &proc_dointvec,
40024 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
40026 + .procname = "audit_mount",
40027 + .data = &grsec_enable_mount,
40028 + .maxlen = sizeof(int),
40030 + .proc_handler = &proc_dointvec,
40033 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
40035 + .procname = "audit_textrel",
40036 + .data = &grsec_enable_audit_textrel,
40037 + .maxlen = sizeof(int),
40039 + .proc_handler = &proc_dointvec,
40042 +#ifdef CONFIG_GRKERNSEC_DMESG
40044 + .procname = "dmesg",
40045 + .data = &grsec_enable_dmesg,
40046 + .maxlen = sizeof(int),
40048 + .proc_handler = &proc_dointvec,
40051 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40053 + .procname = "chroot_findtask",
40054 + .data = &grsec_enable_chroot_findtask,
40055 + .maxlen = sizeof(int),
40057 + .proc_handler = &proc_dointvec,
40060 +#ifdef CONFIG_GRKERNSEC_RESLOG
40062 + .procname = "resource_logging",
40063 + .data = &grsec_resource_logging,
40064 + .maxlen = sizeof(int),
40066 + .proc_handler = &proc_dointvec,
40069 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
40071 + .procname = "audit_ptrace",
40072 + .data = &grsec_enable_audit_ptrace,
40073 + .maxlen = sizeof(int),
40075 + .proc_handler = &proc_dointvec,
40078 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
40080 + .procname = "harden_ptrace",
40081 + .data = &grsec_enable_harden_ptrace,
40082 + .maxlen = sizeof(int),
40084 + .proc_handler = &proc_dointvec,
40088 + .procname = "grsec_lock",
40089 + .data = &grsec_lock,
40090 + .maxlen = sizeof(int),
40092 + .proc_handler = &proc_dointvec,
40095 +#ifdef CONFIG_GRKERNSEC_ROFS
40097 + .procname = "romount_protect",
40098 + .data = &grsec_enable_rofs,
40099 + .maxlen = sizeof(int),
40101 + .proc_handler = &proc_dointvec_minmax,
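Review bot: Every toggle and gid entry in grsecurity_table, including `grsec_lock`, is parsed with `proc_dointvec`, so any integer is stored, negative values included; only `romount_protect` goes through `proc_dointvec_minmax`. The enable flags are tested for truth elsewhere in this patch (for example `if (grsec_enable_signal && ...)`), so an out-of-range value still reads as "on". A negative `tpe_gid` or `socket_*_gid`, however, is passed to `in_group_p()` and would be converted to a very large group id. Using `proc_dointvec_minmax` with 0/1 bounds for the flags and a non-negative lower bound for the gids would reject such writes. The `.mode` and bound fields of the entries are on lines not shown here, so this should be confirmed against the full table.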
40109 diff -urNp linux-2.6.33/grsecurity/grsec_textrel.c linux-2.6.33/grsecurity/grsec_textrel.c
40110 --- linux-2.6.33/grsecurity/grsec_textrel.c 1969-12-31 19:00:00.000000000 -0500
40111 +++ linux-2.6.33/grsecurity/grsec_textrel.c 2010-03-07 12:23:36.109671795 -0500
40113 +#include <linux/kernel.h>
40114 +#include <linux/sched.h>
40115 +#include <linux/mm.h>
40116 +#include <linux/file.h>
40117 +#include <linux/grinternal.h>
40118 +#include <linux/grsecurity.h>
40121 +gr_log_textrel(struct vm_area_struct * vma)
40123 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
40124 + if (grsec_enable_audit_textrel)
40125 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
40129 diff -urNp linux-2.6.33/grsecurity/grsec_time.c linux-2.6.33/grsecurity/grsec_time.c
40130 --- linux-2.6.33/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
40131 +++ linux-2.6.33/grsecurity/grsec_time.c 2010-03-07 12:23:36.109671795 -0500
40133 +#include <linux/kernel.h>
40134 +#include <linux/sched.h>
40135 +#include <linux/grinternal.h>
40138 +gr_log_timechange(void)
40140 +#ifdef CONFIG_GRKERNSEC_TIME
40141 + if (grsec_enable_time)
40142 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
40146 diff -urNp linux-2.6.33/grsecurity/grsec_tpe.c linux-2.6.33/grsecurity/grsec_tpe.c
40147 --- linux-2.6.33/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
40148 +++ linux-2.6.33/grsecurity/grsec_tpe.c 2010-03-07 12:23:36.109671795 -0500
40150 +#include <linux/kernel.h>
40151 +#include <linux/sched.h>
40152 +#include <linux/file.h>
40153 +#include <linux/fs.h>
40154 +#include <linux/grinternal.h>
40156 +extern int gr_acl_tpe_check(void);
40159 +gr_tpe_allow(const struct file *file)
40161 +#ifdef CONFIG_GRKERNSEC
40162 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
40163 + const struct cred *cred = current_cred();
40165 + if (cred->uid && ((grsec_enable_tpe &&
40166 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
40167 + !in_group_p(grsec_tpe_gid)
40169 + in_group_p(grsec_tpe_gid)
40171 + ) || gr_acl_tpe_check()) &&
40172 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
40173 + (inode->i_mode & S_IWOTH))))) {
40174 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
40177 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
40178 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
40179 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
40180 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
40181 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
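Review bot: gr_tpe_allow reads the parent directory through `file->f_path.dentry->d_parent->d_inode` without taking a reference or lock on the parent, so a concurrent rename could change `d_parent` while its owner and mode bits are being evaluated for the trusted-path decision. Taking the parent with `dget_parent(file->f_path.dentry)` and releasing it with `dput()` after both checks would give a stable dentry for the whole function. In the first condition the `!inode->i_uid &&` term is redundant, because that arm of the `||` is only reached when `inode->i_uid` is zero. A short comment stating that the check applies to the containing directory, not to the executed file itself, would help readers of both conditions.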
40188 diff -urNp linux-2.6.33/grsecurity/grsum.c linux-2.6.33/grsecurity/grsum.c
40189 --- linux-2.6.33/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
40190 +++ linux-2.6.33/grsecurity/grsum.c 2010-03-07 12:23:36.109671795 -0500
40192 +#include <linux/err.h>
40193 +#include <linux/kernel.h>
40194 +#include <linux/sched.h>
40195 +#include <linux/mm.h>
40196 +#include <linux/scatterlist.h>
40197 +#include <linux/crypto.h>
40198 +#include <linux/gracl.h>
40201 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
40202 +#error "crypto and sha256 must be built into the kernel"
40206 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
40209 + struct crypto_hash *tfm;
40210 + struct hash_desc desc;
40211 + struct scatterlist sg;
40212 + unsigned char temp_sum[GR_SHA_LEN];
40213 + volatile int retval = 0;
40214 + volatile int dummy = 0;
40217 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
40218 + if (IS_ERR(tfm)) {
40219 + /* should never happen, since sha256 should be built in */
40226 + crypto_hash_init(&desc);
40229 + sg_set_buf(&sg, p, GR_SALT_LEN);
40230 + crypto_hash_update(&desc, &sg, sg.length);
40233 + sg_set_buf(&sg, p, strlen(p));
40235 + crypto_hash_update(&desc, &sg, sg.length);
40237 + crypto_hash_final(&desc, temp_sum);
40239 + memset(entry->pw, 0, GR_PW_LEN);
40241 + for (i = 0; i < GR_SHA_LEN; i++)
40242 + if (sum[i] != temp_sum[i])
40245 + dummy = 1; // waste a cycle
40247 + crypto_free_hash(tfm);
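Review bot: The digest comparison in chkpw branches on every byte (`if (sum[i] != temp_sum[i])`, with `dummy = 1; // waste a cycle` as the other arm), which depends on the compiler and CPU treating both arms alike rather than being constant-time by construction. Accumulating the difference with `diff |= sum[i] ^ temp_sum[i];` and testing `diff` once after the loop removes the data-dependent branch. As far as the visible lines show, the return values of `crypto_hash_init`, `crypto_hash_update` and `crypto_hash_final` are ignored, so a failed hash would leave `temp_sum` holding uninitialised stack data when it is compared. Clearing `temp_sum` next to the existing `memset(entry->pw, 0, GR_PW_LEN);` would also avoid leaving the computed hash on the stack.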
40251 diff -urNp linux-2.6.33/grsecurity/Kconfig linux-2.6.33/grsecurity/Kconfig
40252 --- linux-2.6.33/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
40253 +++ linux-2.6.33/grsecurity/Kconfig 2010-03-07 12:23:36.109671795 -0500
40256 +# grecurity configuration
40262 + bool "Grsecurity"
40264 + select CRYPTO_SHA256
40266 + If you say Y here, you will be able to configure many features
40267 + that will enhance the security of your system. It is highly
40268 + recommended that you say Y here and read through the help
40269 + for each option so that you fully understand the features and
40270 + can evaluate their usefulness for your machine.
40273 + prompt "Security Level"
40274 + depends on GRKERNSEC
40275 + default GRKERNSEC_CUSTOM
40277 +config GRKERNSEC_LOW
40279 + select GRKERNSEC_LINK
40280 + select GRKERNSEC_FIFO
40281 + select GRKERNSEC_EXECVE
40282 + select GRKERNSEC_RANDNET
40283 + select GRKERNSEC_DMESG
40284 + select GRKERNSEC_CHROOT
40285 + select GRKERNSEC_CHROOT_CHDIR
40288 + If you choose this option, several of the grsecurity options will
40289 + be enabled that will give you greater protection against a number
40290 + of attacks, while assuring that none of your software will have any
40291 + conflicts with the additional security measures. If you run a lot
40292 + of unusual software, or you are having problems with the higher
40293 + security levels, you should say Y here. With this option, the
40294 + following features are enabled:
40296 + - Linking restrictions
40297 + - FIFO restrictions
40298 + - Enforcing RLIMIT_NPROC on execve
40299 + - Restricted dmesg
40300 + - Enforced chdir("/") on chroot
40301 + - Runtime module disabling
40303 +config GRKERNSEC_MEDIUM
40306 + select PAX_EI_PAX
40307 + select PAX_PT_PAX_FLAGS
40308 + select PAX_HAVE_ACL_FLAGS
40309 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
40310 + select GRKERNSEC_CHROOT
40311 + select GRKERNSEC_CHROOT_SYSCTL
40312 + select GRKERNSEC_LINK
40313 + select GRKERNSEC_FIFO
40314 + select GRKERNSEC_EXECVE
40315 + select GRKERNSEC_DMESG
40316 + select GRKERNSEC_RANDNET
40317 + select GRKERNSEC_FORKFAIL
40318 + select GRKERNSEC_TIME
40319 + select GRKERNSEC_SIGNAL
40320 + select GRKERNSEC_CHROOT
40321 + select GRKERNSEC_CHROOT_UNIX
40322 + select GRKERNSEC_CHROOT_MOUNT
40323 + select GRKERNSEC_CHROOT_PIVOT
40324 + select GRKERNSEC_CHROOT_DOUBLE
40325 + select GRKERNSEC_CHROOT_CHDIR
40326 + select GRKERNSEC_CHROOT_MKNOD
40327 + select GRKERNSEC_PROC
40328 + select GRKERNSEC_PROC_USERGROUP
40329 + select PAX_RANDUSTACK
40331 + select PAX_RANDMMAP
40332 + select PAX_REFCOUNT if (X86 || SPARC64)
40333 + select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC32 || PPC64) && (SLAB || SLUB || SLOB))
40336 + If you say Y here, several features in addition to those included
40337 + in the low additional security level will be enabled. These
40338 + features provide even more security to your system, though in rare
40339 + cases they may be incompatible with very old or poorly written
40340 + software. If you enable this option, make sure that your auth
40341 + service (identd) is running as gid 1001. With this option,
40342 + the following features (in addition to those provided in the
40343 + low additional security level) will be enabled:
40345 + - Failed fork logging
40346 + - Time change logging
40348 + - Deny mounts in chroot
40349 + - Deny double chrooting
40350 + - Deny sysctl writes in chroot
40351 + - Deny mknod in chroot
40352 + - Deny access to abstract AF_UNIX sockets out of chroot
40353 + - Deny pivot_root in chroot
40354 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
40355 + - /proc restrictions with special GID set to 10 (usually wheel)
40356 + - Address Space Layout Randomization (ASLR)
40357 + - Prevent exploitation of most refcount overflows
40358 + - Bounds checking of copying between the kernel and userland
40360 +config GRKERNSEC_HIGH
40362 + select GRKERNSEC_LINK
40363 + select GRKERNSEC_FIFO
40364 + select GRKERNSEC_EXECVE
40365 + select GRKERNSEC_DMESG
40366 + select GRKERNSEC_FORKFAIL
40367 + select GRKERNSEC_TIME
40368 + select GRKERNSEC_SIGNAL
40369 + select GRKERNSEC_CHROOT
40370 + select GRKERNSEC_CHROOT_SHMAT
40371 + select GRKERNSEC_CHROOT_UNIX
40372 + select GRKERNSEC_CHROOT_MOUNT
40373 + select GRKERNSEC_CHROOT_FCHDIR
40374 + select GRKERNSEC_CHROOT_PIVOT
40375 + select GRKERNSEC_CHROOT_DOUBLE
40376 + select GRKERNSEC_CHROOT_CHDIR
40377 + select GRKERNSEC_CHROOT_MKNOD
40378 + select GRKERNSEC_CHROOT_CAPS
40379 + select GRKERNSEC_CHROOT_SYSCTL
40380 + select GRKERNSEC_CHROOT_FINDTASK
40381 + select GRKERNSEC_PROC
40382 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
40383 + select GRKERNSEC_HIDESYM
40384 + select GRKERNSEC_BRUTE
40385 + select GRKERNSEC_PROC_USERGROUP
40386 + select GRKERNSEC_KMEM
40387 + select GRKERNSEC_RESLOG
40388 + select GRKERNSEC_RANDNET
40389 + select GRKERNSEC_PROC_ADD
40390 + select GRKERNSEC_CHROOT_CHMOD
40391 + select GRKERNSEC_CHROOT_NICE
40392 + select GRKERNSEC_AUDIT_MOUNT
40393 + select GRKERNSEC_MODHARDEN if (MODULES)
40394 + select GRKERNSEC_HARDEN_PTRACE
40395 + select GRKERNSEC_VM86 if (X86_32)
40397 + select PAX_RANDUSTACK
40399 + select PAX_RANDMMAP
40400 + select PAX_NOEXEC
40401 + select PAX_MPROTECT
40402 + select PAX_EI_PAX
40403 + select PAX_PT_PAX_FLAGS
40404 + select PAX_HAVE_ACL_FLAGS
40405 + select PAX_KERNEXEC if ((PPC32 || PPC64 || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
40406 + select PAX_MEMORY_UDEREF if (X86_32 && !XEN)
40407 + select PAX_RANDKSTACK if (X86_TSC && !X86_64)
40408 + select PAX_SEGMEXEC if (X86_32)
40409 + select PAX_PAGEEXEC
40410 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
40411 + select PAX_EMUTRAMP if (PARISC)
40412 + select PAX_EMUSIGRT if (PARISC)
40413 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
40414 + select PAX_REFCOUNT if (X86 || SPARC64)
40415 + select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
40417 + If you say Y here, many of the features of grsecurity will be
40418 + enabled, which will protect you against many kinds of attacks
40419 + against your system. The heightened security comes at a cost
40420 + of an increased chance of incompatibilities with rare software
40421 + on your machine. Since this security level enables PaX, you should
40422 + view <http://pax.grsecurity.net> and read about the PaX
40423 + project. While you are there, download chpax and run it on
40424 + binaries that cause problems with PaX. Also remember that
40425 + since the /proc restrictions are enabled, you must run your
40426 + identd as gid 1001. This security level enables the following
40427 + features in addition to those listed in the low and medium
40430 + - Additional /proc restrictions
40431 + - Chmod restrictions in chroot
40432 + - No signals, ptrace, or viewing of processes outside of chroot
40433 + - Capability restrictions in chroot
40434 + - Deny fchdir out of chroot
40435 + - Priority restrictions in chroot
40436 + - Segmentation-based implementation of PaX
40437 + - Mprotect restrictions
40438 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
40439 + - Kernel stack randomization
40440 + - Mount/unmount/remount logging
40441 + - Kernel symbol hiding
40442 + - Prevention of memory exhaustion-based exploits
40443 + - Hardening of module auto-loading
40444 + - Ptrace restrictions
40445 + - Restricted vm86 mode
40447 +config GRKERNSEC_CUSTOM
40450 + If you say Y here, you will be able to configure every grsecurity
40451 + option, which allows you to enable many more features that aren't
40452 + covered in the basic security levels. These additional features
40453 + include TPE, socket restrictions, and the sysctl system for
40454 + grsecurity. It is advised that you read through the help for
40455 + each option to determine its usefulness in your situation.
40459 +menu "Address Space Protection"
40460 +depends on GRKERNSEC
40462 +config GRKERNSEC_KMEM
40463 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
40465 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
40466 + be written to via mmap or otherwise to modify the running kernel.
40467 + /dev/port will also not be allowed to be opened. If you have module
40468 + support disabled, enabling this will close up four ways that are
40469 + currently used to insert malicious code into the running kernel.
40470 + Even with all these features enabled, we still highly recommend that
40471 + you use the RBAC system, as it is still possible for an attacker to
40472 + modify the running kernel through privileged I/O granted by ioperm/iopl.
40473 + If you are not using XFree86, you may be able to stop this additional
40474 + case by enabling the 'Disable privileged I/O' option. Though nothing
40475 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
40476 + but only to video memory, which is the only writing we allow in this
40477 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
40478 + not be allowed to mprotect it with PROT_WRITE later.
40479 + It is highly recommended that you say Y here if you meet all the
40480 + conditions above.
40482 +config GRKERNSEC_VM86
40483 + bool "Restrict VM86 mode"
40484 + depends on X86_32
40487 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
40488 + make use of a special execution mode on 32bit x86 processors called
40489 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
40490 + video cards and will still work with this option enabled. The purpose
40491 + of the option is to prevent exploitation of emulation errors in
40492 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
40493 + Nearly all users should be able to enable this option.
40495 +config GRKERNSEC_IO
40496 + bool "Disable privileged I/O"
40499 + select RTC_INTF_DEV
40500 + select RTC_DRV_CMOS
40503 + If you say Y here, all ioperm and iopl calls will return an error.
40504 + Ioperm and iopl can be used to modify the running kernel.
40505 + Unfortunately, some programs need this access to operate properly,
40506 + the most notable of which are XFree86 and hwclock. hwclock can be
40507 + remedied by having RTC support in the kernel, so real-time
40508 + clock support is enabled if this option is enabled, to ensure
40509 + that hwclock operates correctly. XFree86 still will not
40510 + operate correctly with this option enabled, so DO NOT CHOOSE Y
40511 + IF YOU USE XFree86. If you use XFree86 and you still want to
40512 + protect your kernel against modification, use the RBAC system.
40514 +config GRKERNSEC_PROC_MEMMAP
40515 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
40516 + default y if (PAX_NOEXEC || PAX_ASLR)
40517 + depends on PAX_NOEXEC || PAX_ASLR
40519 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
40520 + give no information about the addresses of its mappings if
40521 + PaX features that rely on random addresses are enabled on the task.
40522 + If you use PaX it is greatly recommended that you say Y here as it
40523 + closes up a hole that makes the full ASLR useless for suid
40526 +config GRKERNSEC_BRUTE
40527 + bool "Deter exploit bruteforcing"
40529 + If you say Y here, attempts to bruteforce exploits against forking
40530 + daemons such as apache or sshd will be deterred. When a child of a
40531 + forking daemon is killed by PaX or crashes due to an illegal
40532 + instruction, the parent process will be delayed 30 seconds upon every
40533 + subsequent fork until the administrator is able to assess the
40534 + situation and restart the daemon. It is recommended that you also
40535 + enable signal logging in the auditing section so that logs are
40536 + generated when a process performs an illegal instruction.
40538 +config GRKERNSEC_MODHARDEN
40539 + bool "Harden module auto-loading"
40540 + depends on MODULES
40542 + If you say Y here, module auto-loading in response to use of some
40543 + feature implemented by an unloaded module will be restricted to
40544 + root users. Enabling this option helps defend against attacks
40545 + by unprivileged users who abuse the auto-loading behavior to
40546 + cause a vulnerable module to load that is then exploited.
40548 + If this option prevents a legitimate use of auto-loading for a
40549 + non-root user, the administrator can execute modprobe manually
40550 + with the exact name of the module mentioned in the alert log.
40551 + Alternatively, the administrator can add the module to the list
40552 + of modules loaded at boot by modifying init scripts.
40554 + Modification of init scripts will most likely be needed on
40555 + Ubuntu servers with encrypted home directory support enabled,
40556 + as the first non-root user logging in will cause the ecb(aes),
40557 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
40559 +config GRKERNSEC_HIDESYM
40560 + bool "Hide kernel symbols"
40562 + If you say Y here, getting information on loaded modules, and
40563 + displaying all kernel symbols through a syscall will be restricted
40564 + to users with CAP_SYS_MODULE. For software compatibility reasons,
40565 + /proc/kallsyms will be restricted to the root user. The RBAC
40566 + system can hide that entry even from root. Note that this option
40567 + is only effective provided the following conditions are met:
40568 + 1) The kernel using grsecurity is not precompiled by some distribution
40569 + 2) You are using the RBAC system and hiding other files such as your
40570 + kernel image and System.map. Alternatively, enabling this option
40571 + causes the permissions on /boot, /lib/modules, and the kernel
40572 + source directory to change at compile time to prevent
40573 + reading by non-root users.
40574 + If the above conditions are met, this option will aid in providing a
40575 + useful protection against local kernel exploitation of overflows
40576 + and arbitrary read/write vulnerabilities.
40579 +menu "Role Based Access Control Options"
40580 +depends on GRKERNSEC
40582 +config GRKERNSEC_NO_RBAC
40583 + bool "Disable RBAC system"
40585 + If you say Y here, the /dev/grsec device will be removed from the kernel,
40586 + preventing the RBAC system from being enabled. You should only say Y
40587 + here if you have no intention of using the RBAC system, so as to prevent
40588 + an attacker with root access from misusing the RBAC system to hide files
40589 + and processes when loadable module support and /dev/[k]mem have been
40592 +config GRKERNSEC_ACL_HIDEKERN
40593 + bool "Hide kernel processes"
40595 + If you say Y here, all kernel threads will be hidden to all
40596 + processes but those whose subject has the "view hidden processes"
40599 +config GRKERNSEC_ACL_MAXTRIES
40600 + int "Maximum tries before password lockout"
40603 + This option enforces the maximum number of times a user can attempt
40604 + to authorize themselves with the grsecurity RBAC system before being
40605 + denied the ability to attempt authorization again for a specified time.
40606 + The lower the number, the harder it will be to brute-force a password.
40608 +config GRKERNSEC_ACL_TIMEOUT
40609 + int "Time to wait after max password tries, in seconds"
40612 + This option specifies the time the user must wait after attempting to
40613 + authorize to the RBAC system with the maximum number of invalid
40614 + passwords. The higher the number, the harder it will be to brute-force
40618 +menu "Filesystem Protections"
40619 +depends on GRKERNSEC
40621 +config GRKERNSEC_PROC
40622 + bool "Proc restrictions"
40624 + If you say Y here, the permissions of the /proc filesystem
40625 + will be altered to enhance system security and privacy. You MUST
40626 + choose either a user only restriction or a user and group restriction.
40627 + Depending upon the option you choose, you can either restrict users to
40628 + see only the processes they themselves run, or choose a group that can
40629 + view all processes and files normally restricted to root if you choose
40630 + the "restrict to user only" option. NOTE: If you're running identd as
40631 + a non-root user, you will have to run it as the group you specify here.
40633 +config GRKERNSEC_PROC_USER
40634 + bool "Restrict /proc to user only"
40635 + depends on GRKERNSEC_PROC
40637 + If you say Y here, non-root users will only be able to view their own
40638 + processes, and restricts them from viewing network-related information,
40639 + and viewing kernel symbol and module information.
40641 +config GRKERNSEC_PROC_USERGROUP
40642 + bool "Allow special group"
40643 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
40645 + If you say Y here, you will be able to select a group that will be
40646 + able to view all processes, network-related information, and
40647 + kernel and symbol information. This option is useful if you want
40648 + to run identd as a non-root user.
40650 +config GRKERNSEC_PROC_GID
40651 + int "GID for special group"
40652 + depends on GRKERNSEC_PROC_USERGROUP
40655 +config GRKERNSEC_PROC_ADD
40656 + bool "Additional restrictions"
40657 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
40659 + If you say Y here, additional restrictions will be placed on
40660 + /proc that keep normal users from viewing device information and
40661 + slabinfo information that could be useful for exploits.
40663 +config GRKERNSEC_LINK
40664 + bool "Linking restrictions"
40666 + If you say Y here, /tmp race exploits will be prevented, since users
40667 + will no longer be able to follow symlinks owned by other users in
40668 + world-writable +t directories (i.e. /tmp), unless the owner of the
40669 + symlink is the owner of the directory. users will also not be
40670 + able to hardlink to files they do not own. If the sysctl option is
40671 + enabled, a sysctl option with name "linking_restrictions" is created.
40673 +config GRKERNSEC_FIFO
40674 + bool "FIFO restrictions"
40676 + If you say Y here, users will not be able to write to FIFOs they don't
40677 + own in world-writable +t directories (i.e. /tmp), unless the owner of
40678 + the FIFO is the same owner of the directory it's held in. If the sysctl
40679 + option is enabled, a sysctl option with name "fifo_restrictions" is
40682 +config GRKERNSEC_ROFS
40683 + bool "Runtime read-only mount protection"
40685 + If you say Y here, a sysctl option with name "romount_protect" will
40686 + be created. By setting this option to 1 at runtime, filesystems
40687 + will be protected in the following ways:
40688 + * No new writable mounts will be allowed
40689 + * Existing read-only mounts won't be able to be remounted read/write
40690 + * Write operations will be denied on all block devices
40691 + This option acts independently of grsec_lock: once it is set to 1,
40692 + it cannot be turned off. Therefore, please be mindful of the resulting
40693 + behavior if this option is enabled in an init script on a read-only
40694 + filesystem. This feature is mainly intended for secure embedded systems.
40696 +config GRKERNSEC_CHROOT
40697 + bool "Chroot jail restrictions"
40699 + If you say Y here, you will be able to choose several options that will
40700 + make breaking out of a chrooted jail much more difficult. If you
40701 + encounter no software incompatibilities with the following options, it
40702 + is recommended that you enable each one.
40704 +config GRKERNSEC_CHROOT_MOUNT
40705 + bool "Deny mounts"
40706 + depends on GRKERNSEC_CHROOT
40708 + If you say Y here, processes inside a chroot will not be able to
40709 + mount or remount filesystems. If the sysctl option is enabled, a
40710 + sysctl option with name "chroot_deny_mount" is created.
40712 +config GRKERNSEC_CHROOT_DOUBLE
40713 + bool "Deny double-chroots"
40714 + depends on GRKERNSEC_CHROOT
40716 + If you say Y here, processes inside a chroot will not be able to chroot
40717 + again outside the chroot. This is a widely used method of breaking
40718 + out of a chroot jail and should not be allowed. If the sysctl
40719 + option is enabled, a sysctl option with name
40720 + "chroot_deny_chroot" is created.
40722 +config GRKERNSEC_CHROOT_PIVOT
40723 + bool "Deny pivot_root in chroot"
40724 + depends on GRKERNSEC_CHROOT
40726 + If you say Y here, processes inside a chroot will not be able to use
40727 + a function called pivot_root() that was introduced in Linux 2.3.41. It
40728 + works similar to chroot in that it changes the root filesystem. This
40729 + function could be misused in a chrooted process to attempt to break out
40730 + of the chroot, and therefore should not be allowed. If the sysctl
40731 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
40734 +config GRKERNSEC_CHROOT_CHDIR
40735 + bool "Enforce chdir(\"/\") on all chroots"
40736 + depends on GRKERNSEC_CHROOT
40738 + If you say Y here, the current working directory of all newly-chrooted
40739 + applications will be set to the the root directory of the chroot.
40740 + The man page on chroot(2) states:
40741 + Note that this call does not change the current working
40742 + directory, so that `.' can be outside the tree rooted at
40743 + `/'. In particular, the super-user can escape from a
40744 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
40746 + It is recommended that you say Y here, since it's not known to break
40747 + any software. If the sysctl option is enabled, a sysctl option with
40748 + name "chroot_enforce_chdir" is created.
40750 +config GRKERNSEC_CHROOT_CHMOD
40751 + bool "Deny (f)chmod +s"
40752 + depends on GRKERNSEC_CHROOT
40754 + If you say Y here, processes inside a chroot will not be able to chmod
40755 + or fchmod files to make them have suid or sgid bits. This protects
40756 + against another published method of breaking a chroot. If the sysctl
40757 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
40760 +config GRKERNSEC_CHROOT_FCHDIR
40761 + bool "Deny fchdir out of chroot"
40762 + depends on GRKERNSEC_CHROOT
40764 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
40765 + to a file descriptor of the chrooting process that points to a directory
40766 + outside the filesystem will be stopped. If the sysctl option
40767 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
40769 +config GRKERNSEC_CHROOT_MKNOD
40770 + bool "Deny mknod"
40771 + depends on GRKERNSEC_CHROOT
40773 + If you say Y here, processes inside a chroot will not be allowed to
40774 + mknod. The problem with using mknod inside a chroot is that it
40775 + would allow an attacker to create a device entry that is the same
40776 + as one on the physical root of your system, which could range from
40777 + anything from the console device to a device for your harddrive (which
40778 + they could then use to wipe the drive or steal data). It is recommended
40779 + that you say Y here, unless you run into software incompatibilities.
40780 + If the sysctl option is enabled, a sysctl option with name
40781 + "chroot_deny_mknod" is created.
40783 +config GRKERNSEC_CHROOT_SHMAT
40784 + bool "Deny shmat() out of chroot"
40785 + depends on GRKERNSEC_CHROOT
40787 + If you say Y here, processes inside a chroot will not be able to attach
40788 + to shared memory segments that were created outside of the chroot jail.
40789 + It is recommended that you say Y here. If the sysctl option is enabled,
40790 + a sysctl option with name "chroot_deny_shmat" is created.
40792 +config GRKERNSEC_CHROOT_UNIX
40793 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
40794 + depends on GRKERNSEC_CHROOT
40796 + If you say Y here, processes inside a chroot will not be able to
40797 + connect to abstract (meaning not belonging to a filesystem) Unix
40798 + domain sockets that were bound outside of a chroot. It is recommended
40799 + that you say Y here. If the sysctl option is enabled, a sysctl option
40800 + with name "chroot_deny_unix" is created.
40802 +config GRKERNSEC_CHROOT_FINDTASK
40803 + bool "Protect outside processes"
40804 + depends on GRKERNSEC_CHROOT
40806 + If you say Y here, processes inside a chroot will not be able to
40807 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
40808 + getsid, or view any process outside of the chroot. If the sysctl
40809 + option is enabled, a sysctl option with name "chroot_findtask" is
40812 +config GRKERNSEC_CHROOT_NICE
40813 + bool "Restrict priority changes"
40814 + depends on GRKERNSEC_CHROOT
40816 + If you say Y here, processes inside a chroot will not be able to raise
40817 + the priority of processes in the chroot, or alter the priority of
40818 + processes outside the chroot. This provides more security than simply
40819 + removing CAP_SYS_NICE from the process' capability set. If the
40820 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
40823 +config GRKERNSEC_CHROOT_SYSCTL
40824 + bool "Deny sysctl writes"
40825 + depends on GRKERNSEC_CHROOT
40827 + If you say Y here, an attacker in a chroot will not be able to
40828 + write to sysctl entries, either by sysctl(2) or through a /proc
40829 + interface. It is strongly recommended that you say Y here. If the
40830 + sysctl option is enabled, a sysctl option with name
40831 + "chroot_deny_sysctl" is created.
40833 +config GRKERNSEC_CHROOT_CAPS
40834 + bool "Capability restrictions"
40835 + depends on GRKERNSEC_CHROOT
40837 + If you say Y here, the capabilities on all root processes within a
40838 + chroot jail will be lowered to stop module insertion, raw i/o,
40839 + system and net admin tasks, rebooting the system, modifying immutable
40840 + files, modifying IPC owned by another, and changing the system time.
40841 + This is left an option because it can break some apps. Disable this
40842 + if your chrooted apps are having problems performing those kinds of
40843 + tasks. If the sysctl option is enabled, a sysctl option with
40844 + name "chroot_caps" is created.
40847 +menu "Kernel Auditing"
40848 +depends on GRKERNSEC
40850 +config GRKERNSEC_AUDIT_GROUP
40851 + bool "Single group for auditing"
40853 + If you say Y here, the exec, chdir, and (un)mount logging features
40854 + will only operate on a group you specify. This option is recommended
40855 + if you only want to watch certain users instead of having a large
40856 + amount of logs from the entire system. If the sysctl option is enabled,
40857 + a sysctl option with name "audit_group" is created.
40859 +config GRKERNSEC_AUDIT_GID
40860 + int "GID for auditing"
40861 + depends on GRKERNSEC_AUDIT_GROUP
40864 +config GRKERNSEC_EXECLOG
40865 + bool "Exec logging"
40867 + If you say Y here, all execve() calls will be logged (since the
40868 + other exec*() calls are frontends to execve(), all execution
40869 + will be logged). Useful for shell-servers that like to keep track
40870 + of their users. If the sysctl option is enabled, a sysctl option with
40871 + name "exec_logging" is created.
40872 + WARNING: This option when enabled will produce a LOT of logs, especially
40873 + on an active system.
40875 +config GRKERNSEC_RESLOG
40876 + bool "Resource logging"
40878 + If you say Y here, all attempts to overstep resource limits will
40879 + be logged with the resource name, the requested size, and the current
40880 + limit. It is highly recommended that you say Y here. If the sysctl
40881 + option is enabled, a sysctl option with name "resource_logging" is
40882 + created. If the RBAC system is enabled, the sysctl value is ignored.
40884 +config GRKERNSEC_CHROOT_EXECLOG
40885 + bool "Log execs within chroot"
40887 + If you say Y here, all executions inside a chroot jail will be logged
40888 + to syslog. This can cause a large amount of logs if certain
40889 + applications (eg. djb's daemontools) are installed on the system, and
40890 + is therefore left as an option. If the sysctl option is enabled, a
40891 + sysctl option with name "chroot_execlog" is created.
40893 +config GRKERNSEC_AUDIT_PTRACE
40894 + bool "Ptrace logging"
40896 + If you say Y here, all attempts to attach to a process via ptrace
40897 + will be logged. If the sysctl option is enabled, a sysctl option
40898 + with name "audit_ptrace" is created.
40900 +config GRKERNSEC_AUDIT_CHDIR
40901 + bool "Chdir logging"
40903 + If you say Y here, all chdir() calls will be logged. If the sysctl
40904 + option is enabled, a sysctl option with name "audit_chdir" is created.
40906 +config GRKERNSEC_AUDIT_MOUNT
40907 + bool "(Un)Mount logging"
40909 + If you say Y here, all mounts and unmounts will be logged. If the
40910 + sysctl option is enabled, a sysctl option with name "audit_mount" is
40913 +config GRKERNSEC_SIGNAL
40914 + bool "Signal logging"
40916 + If you say Y here, certain important signals will be logged, such as
40917 + SIGSEGV, which will as a result inform you of when a error in a program
40918 + occurred, which in some cases could mean a possible exploit attempt.
40919 + If the sysctl option is enabled, a sysctl option with name
40920 + "signal_logging" is created.
40922 +config GRKERNSEC_FORKFAIL
40923 + bool "Fork failure logging"
40925 + If you say Y here, all failed fork() attempts will be logged.
40926 + This could suggest a fork bomb, or someone attempting to overstep
40927 + their process limit. If the sysctl option is enabled, a sysctl option
40928 + with name "forkfail_logging" is created.
40930 +config GRKERNSEC_TIME
40931 + bool "Time change logging"
40933 + If you say Y here, any changes of the system clock will be logged.
40934 + If the sysctl option is enabled, a sysctl option with name
40935 + "timechange_logging" is created.
40937 +config GRKERNSEC_PROC_IPADDR
40938 + bool "/proc/<pid>/ipaddr support"
40940 + If you say Y here, a new entry will be added to each /proc/<pid>
40941 + directory that contains the IP address of the person using the task.
40942 + The IP is carried across local TCP and AF_UNIX stream sockets.
40943 + This information can be useful for IDS/IPSes to perform remote response
40944 + to a local attack. The entry is readable by only the owner of the
40945 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
40946 + the RBAC system), and thus does not create privacy concerns.
40948 +config GRKERNSEC_AUDIT_TEXTREL
40949 + bool 'ELF text relocations logging (READ HELP)'
40950 + depends on PAX_MPROTECT
40952 + If you say Y here, text relocations will be logged with the filename
40953 + of the offending library or binary. The purpose of the feature is
40954 + to help Linux distribution developers get rid of libraries and
40955 + binaries that need text relocations which hinder the future progress
40956 + of PaX. Only Linux distribution developers should say Y here, and
40957 + never on a production machine, as this option creates an information
40958 + leak that could aid an attacker in defeating the randomization of
40959 + a single memory region. If the sysctl option is enabled, a sysctl
40960 + option with name "audit_textrel" is created.
40964 +menu "Executable Protections"
40965 +depends on GRKERNSEC
40967 +config GRKERNSEC_EXECVE
40968 + bool "Enforce RLIMIT_NPROC on execs"
40970 + If you say Y here, users with a resource limit on processes will
40971 + have the value checked during execve() calls. The current system
40972 + only checks the system limit during fork() calls. If the sysctl option
40973 + is enabled, a sysctl option with name "execve_limiting" is created.
40975 +config GRKERNSEC_DMESG
40976 + bool "Dmesg(8) restriction"
40978 + If you say Y here, non-root users will not be able to use dmesg(8)
40979 + to view up to the last 4kb of messages in the kernel's log buffer.
40980 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
40983 +config GRKERNSEC_HARDEN_PTRACE
40984 + bool "Deter ptrace-based process snooping"
40986 + If you say Y here, TTY sniffers and other malicious monitoring
40987 + programs implemented through ptrace will be defeated. If you
40988 + have been using the RBAC system, this option has already been
40989 + enabled for several years for all users, with the ability to make
40990 + fine-grained exceptions.
40992 + This option only affects the ability of non-root users to ptrace
40993 + processes that are not a descendent of the ptracing process.
40994 + This means that strace ./binary and gdb ./binary will still work,
40995 + but attaching to arbitrary processes will not. If the sysctl
40996 + option is enabled, a sysctl option with name "harden_ptrace" is
40999 +config GRKERNSEC_TPE
41000 + bool "Trusted Path Execution (TPE)"
41002 + If you say Y here, you will be able to choose a gid to add to the
41003 + supplementary groups of users you want to mark as "untrusted."
41004 + These users will not be able to execute any files that are not in
41005 + root-owned directories writable only by root. If the sysctl option
41006 + is enabled, a sysctl option with name "tpe" is created.
41008 +config GRKERNSEC_TPE_ALL
41009 + bool "Partially restrict non-root users"
41010 + depends on GRKERNSEC_TPE
41012 + If you say Y here, All non-root users other than the ones in the
41013 + group specified in the main TPE option will only be allowed to
41014 + execute files in directories they own that are not group or
41015 + world-writable, or in directories owned by root and writable only by
41016 + root. If the sysctl option is enabled, a sysctl option with name
41017 + "tpe_restrict_all" is created.
41019 +config GRKERNSEC_TPE_INVERT
41020 + bool "Invert GID option"
41021 + depends on GRKERNSEC_TPE
41023 + If you say Y here, the group you specify in the TPE configuration will
41024 + decide what group TPE restrictions will be *disabled* for. This
41025 + option is useful if you want TPE restrictions to be applied to most
41026 + users on the system.
41028 +config GRKERNSEC_TPE_GID
41029 + int "GID for untrusted users"
41030 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
41033 + If you have selected the "Invert GID option" above, setting this
41034 + GID determines what group TPE restrictions will be *disabled* for.
41035 + If you have not selected the "Invert GID option" above, setting this
41036 + GID determines what group TPE restrictions will be *enabled* for.
41037 + If the sysctl option is enabled, a sysctl option with name "tpe_gid"
41040 +config GRKERNSEC_TPE_GID
41041 + int "GID for trusted users"
41042 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
41045 + If you have selected the "Invert GID option" above, setting this
41046 + GID determines what group TPE restrictions will be *disabled* for.
41047 + If you have not selected the "Invert GID option" above, setting this
41048 + GID determines what group TPE restrictions will be *enabled* for.
41049 + If the sysctl option is enabled, a sysctl option with name "tpe_gid"
41053 +menu "Network Protections"
41054 +depends on GRKERNSEC
41056 +config GRKERNSEC_RANDNET
41057 + bool "Larger entropy pools"
41059 + If you say Y here, the entropy pools used for many features of Linux
41060 + and grsecurity will be doubled in size. Since several grsecurity
41061 + features use additional randomness, it is recommended that you say Y
41062 + here. Saying Y here has a similar effect as modifying
41063 + /proc/sys/kernel/random/poolsize.
41065 +config GRKERNSEC_BLACKHOLE
41066 + bool "TCP/UDP blackhole"
41068 + If you say Y here, neither TCP resets nor ICMP
41069 + destination-unreachable packets will be sent in response to packets
41070 + send to ports for which no associated listening process exists.
41071 + This feature supports both IPV4 and IPV6 and exempts the
41072 + loopback interface from blackholing. Enabling this feature
41073 + makes a host more resilient to DoS attacks and reduces network
41074 + visibility against scanners.
41076 +config GRKERNSEC_SOCKET
41077 + bool "Socket restrictions"
41079 + If you say Y here, you will be able to choose from several options.
41080 + If you assign a GID on your system and add it to the supplementary
41081 + groups of users you want to restrict socket access to, this patch
41082 + will perform up to three things, based on the option(s) you choose.
41084 +config GRKERNSEC_SOCKET_ALL
41085 + bool "Deny any sockets to group"
41086 + depends on GRKERNSEC_SOCKET
41088 + If you say Y here, you will be able to choose a GID of whose users will
41089 + be unable to connect to other hosts from your machine or run server
41090 + applications from your machine. If the sysctl option is enabled, a
41091 + sysctl option with name "socket_all" is created.
41093 +config GRKERNSEC_SOCKET_ALL_GID
41094 + int "GID to deny all sockets for"
41095 + depends on GRKERNSEC_SOCKET_ALL
41098 + Here you can choose the GID to disable socket access for. Remember to
41099 + add the users you want socket access disabled for to the GID
41100 + specified here. If the sysctl option is enabled, a sysctl option
41101 + with name "socket_all_gid" is created.
41103 +config GRKERNSEC_SOCKET_CLIENT
41104 + bool "Deny client sockets to group"
41105 + depends on GRKERNSEC_SOCKET
41107 + If you say Y here, you will be able to choose a GID of whose users will
41108 + be unable to connect to other hosts from your machine, but will be
41109 + able to run servers. If this option is enabled, all users in the group
41110 + you specify will have to use passive mode when initiating ftp transfers
41111 + from the shell on your machine. If the sysctl option is enabled, a
41112 + sysctl option with name "socket_client" is created.
41114 +config GRKERNSEC_SOCKET_CLIENT_GID
41115 + int "GID to deny client sockets for"
41116 + depends on GRKERNSEC_SOCKET_CLIENT
41119 + Here you can choose the GID to disable client socket access for.
41120 + Remember to add the users you want client socket access disabled for to
41121 + the GID specified here. If the sysctl option is enabled, a sysctl
41122 + option with name "socket_client_gid" is created.
41124 +config GRKERNSEC_SOCKET_SERVER
41125 + bool "Deny server sockets to group"
41126 + depends on GRKERNSEC_SOCKET
41128 + If you say Y here, you will be able to choose a GID of whose users will
41129 + be unable to run server applications from your machine. If the sysctl
41130 + option is enabled, a sysctl option with name "socket_server" is created.
41132 +config GRKERNSEC_SOCKET_SERVER_GID
41133 + int "GID to deny server sockets for"
41134 + depends on GRKERNSEC_SOCKET_SERVER
41137 + Here you can choose the GID to disable server socket access for.
41138 + Remember to add the users you want server socket access disabled for to
41139 + the GID specified here. If the sysctl option is enabled, a sysctl
41140 + option with name "socket_server_gid" is created.
41143 +menu "Sysctl support"
41144 +depends on GRKERNSEC && SYSCTL
41146 +config GRKERNSEC_SYSCTL
41147 + bool "Sysctl support"
41149 + If you say Y here, you will be able to change the options that
41150 + grsecurity runs with at bootup, without having to recompile your
41151 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
41152 + to enable (1) or disable (0) various features. All the sysctl entries
41153 + are mutable until the "grsec_lock" entry is set to a non-zero value.
41154 + All features enabled in the kernel configuration are disabled at boot
41155 + if you do not say Y to the "Turn on features by default" option.
41156 + All options should be set at startup, and the grsec_lock entry should
41157 + be set to a non-zero value after all the options are set.
41158 + *THIS IS EXTREMELY IMPORTANT*
41160 +config GRKERNSEC_SYSCTL_ON
41161 + bool "Turn on features by default"
41162 + depends on GRKERNSEC_SYSCTL
41164 + If you say Y here, instead of having all features enabled in the
41165 + kernel configuration disabled at boot time, the features will be
41166 + enabled at boot time. It is recommended you say Y here unless
41167 + there is some reason you would want all sysctl-tunable features to
41168 + be disabled by default. As mentioned elsewhere, it is important
41169 + to enable the grsec_lock entry once you have finished modifying
41170 + the sysctl entries.
41173 +menu "Logging Options"
41174 +depends on GRKERNSEC
41176 +config GRKERNSEC_FLOODTIME
41177 + int "Seconds in between log messages (minimum)"
41180 + This option allows you to enforce the number of seconds between
41181 + grsecurity log messages. The default should be suitable for most
41182 + people, however, if you choose to change it, choose a value small enough
41183 + to allow informative logs to be produced, but large enough to
41184 + prevent flooding.
41186 +config GRKERNSEC_FLOODBURST
41187 + int "Number of messages in a burst (maximum)"
41190 + This option allows you to choose the maximum number of messages allowed
41191 + within the flood time interval you chose in a separate option. The
41192 + default should be suitable for most people, however if you find that
41193 + many of your logs are being interpreted as flooding, you may want to
41194 + raise this value.
41199 diff -urNp linux-2.6.33/grsecurity/Makefile linux-2.6.33/grsecurity/Makefile
41200 --- linux-2.6.33/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
41201 +++ linux-2.6.33/grsecurity/Makefile 2010-03-07 12:23:36.109671795 -0500
41203 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
41204 +# during 2001-2009 it has been completely redesigned by Brad Spengler
41205 +# into an RBAC system
41207 +# All code in this directory and various hooks inserted throughout the kernel
41208 +# are copyright Brad Spengler - Open Source Security, Inc., and released
41209 +# under the GPL v2 or higher
41211 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
41212 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
41213 + grsec_time.o grsec_tpe.o grsec_link.o grsec_textrel.o grsec_ptrace.o
41215 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
41216 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
41217 + gracl_learn.o grsec_log.o
41218 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
41220 +ifndef CONFIG_GRKERNSEC
41221 +obj-y += grsec_disabled.o
41224 +ifdef CONFIG_GRKERNSEC_HIDESYM
41225 +extra-y := grsec_hidesym.o
41226 +$(obj)/grsec_hidesym.o:
41227 + @-chmod -f 500 /boot
41228 + @-chmod -f 500 /lib/modules
41230 + @echo ' grsec: protected kernel image paths'
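Review bot: The `$(obj)/grsec_hidesym.o` rule runs `chmod -f 500` on `/boot` and `/lib/modules` of the machine doing the build, and the `@-` prefix together with `-f` hides both the command and any failure. A build run as a non-root user, or on a host other than the one that will boot the kernel, still prints `grsec: protected kernel image paths` even though nothing on the target was restricted. That leaves the precondition listed in the GRKERNSEC_HIDESYM help text unmet with no signal to the administrator. I would make the failure visible, for example `@chmod -f 500 /boot || echo ' grsec: WARNING: could not restrict /boot'`, and add a comment above the rule such as `# changes modes on the BUILD host only; re-apply on the target when building elsewhere or as non-root`.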
41232 diff -urNp linux-2.6.33/include/acpi/acpi_drivers.h linux-2.6.33/include/acpi/acpi_drivers.h
41233 --- linux-2.6.33/include/acpi/acpi_drivers.h 2010-02-24 13:52:17.000000000 -0500
41234 +++ linux-2.6.33/include/acpi/acpi_drivers.h 2010-03-07 12:23:36.109671795 -0500
41235 @@ -119,8 +119,8 @@ int acpi_processor_set_thermal_limit(acp
41237 -------------------------------------------------------------------------- */
41238 struct acpi_dock_ops {
41239 - acpi_notify_handler handler;
41240 - acpi_notify_handler uevent;
41241 + const acpi_notify_handler handler;
41242 + const acpi_notify_handler uevent;
41245 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
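Review bot: The `const` added to the `handler` and `uevent` members of `struct acpi_dock_ops` stops assignment after initialisation, but member-level qualification does not by itself appear to guarantee that an instance lands in read-only data. The instances are defined outside this diff section, so this cannot be checked here. If the goal is to keep these function pointers out of writable memory, each definition should be `static const struct acpi_dock_ops`, which the `const struct acpi_dock_ops *ops` parameter in the two later hunks of this file already permits. A one-line comment above the struct, e.g. `/* ops tables are never modified after definition; define instances const */`, would record that intent for driver authors.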
41246 @@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
41247 extern int register_dock_notifier(struct notifier_block *nb);
41248 extern void unregister_dock_notifier(struct notifier_block *nb);
41249 extern int register_hotplug_dock_device(acpi_handle handle,
41250 - struct acpi_dock_ops *ops,
41251 + const struct acpi_dock_ops *ops,
41253 extern void unregister_hotplug_dock_device(acpi_handle handle);
41255 @@ -144,7 +144,7 @@ static inline void unregister_dock_notif
41258 static inline int register_hotplug_dock_device(acpi_handle handle,
41259 - struct acpi_dock_ops *ops,
41260 + const struct acpi_dock_ops *ops,
41264 diff -urNp linux-2.6.33/include/asm-generic/atomic-long.h linux-2.6.33/include/asm-generic/atomic-long.h
41265 --- linux-2.6.33/include/asm-generic/atomic-long.h 2010-02-24 13:52:17.000000000 -0500
41266 +++ linux-2.6.33/include/asm-generic/atomic-long.h 2010-03-07 12:23:36.113714966 -0500
41269 typedef atomic64_t atomic_long_t;
41271 +#ifdef CONFIG_PAX_REFCOUNT
41272 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
41274 +typedef atomic64_t atomic_long_unchecked_t;
41277 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
41279 static inline long atomic_long_read(atomic_long_t *l)
41280 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
41281 return (long)atomic64_read(v);
41284 +#ifdef CONFIG_PAX_REFCOUNT
41285 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
41287 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
41289 + return (long)atomic64_read_unchecked(v);
41293 static inline void atomic_long_set(atomic_long_t *l, long i)
41295 atomic64_t *v = (atomic64_t *)l;
41296 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
41297 atomic64_set(v, i);
41300 +#ifdef CONFIG_PAX_REFCOUNT
41301 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
41303 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
41305 + atomic64_set_unchecked(v, i);
41309 static inline void atomic_long_inc(atomic_long_t *l)
41311 atomic64_t *v = (atomic64_t *)l;
41312 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
41316 +#ifdef CONFIG_PAX_REFCOUNT
41317 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
41319 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
41321 + atomic64_inc_unchecked(v);
41325 static inline void atomic_long_dec(atomic_long_t *l)
41327 atomic64_t *v = (atomic64_t *)l;
41328 @@ -59,6 +92,15 @@ static inline void atomic_long_add(long
41329 atomic64_add(i, v);
41332 +#ifdef CONFIG_PAX_REFCOUNT
41333 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
41335 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
41337 + atomic64_add_unchecked(i, v);
41341 static inline void atomic_long_sub(long i, atomic_long_t *l)
41343 atomic64_t *v = (atomic64_t *)l;
41344 @@ -115,6 +157,15 @@ static inline long atomic_long_inc_retur
41345 return (long)atomic64_inc_return(v);
41348 +#ifdef CONFIG_PAX_REFCOUNT
41349 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
41351 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
41353 + return (long)atomic64_inc_return_unchecked(v);
41357 static inline long atomic_long_dec_return(atomic_long_t *l)
41359 atomic64_t *v = (atomic64_t *)l;
41360 @@ -140,6 +191,12 @@ static inline long atomic_long_add_unles
41362 typedef atomic_t atomic_long_t;
41364 +#ifdef CONFIG_PAX_REFCOUNT
41365 +typedef atomic_unchecked_t atomic_long_unchecked_t;
41367 +typedef atomic_t atomic_long_unchecked_t;
41370 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
41371 static inline long atomic_long_read(atomic_long_t *l)
41373 @@ -148,6 +205,15 @@ static inline long atomic_long_read(atom
41374 return (long)atomic_read(v);
41377 +#ifdef CONFIG_PAX_REFCOUNT
41378 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
41380 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
41382 + return (long)atomic_read_unchecked(v);
41386 static inline void atomic_long_set(atomic_long_t *l, long i)
41388 atomic_t *v = (atomic_t *)l;
41389 @@ -155,6 +221,15 @@ static inline void atomic_long_set(atomi
41393 +#ifdef CONFIG_PAX_REFCOUNT
41394 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
41396 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
41398 + atomic_set_unchecked(v, i);
41402 static inline void atomic_long_inc(atomic_long_t *l)
41404 atomic_t *v = (atomic_t *)l;
41405 @@ -162,6 +237,15 @@ static inline void atomic_long_inc(atomi
41409 +#ifdef CONFIG_PAX_REFCOUNT
41410 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
41412 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
41414 + atomic_inc_unchecked(v);
41418 static inline void atomic_long_dec(atomic_long_t *l)
41420 atomic_t *v = (atomic_t *)l;
41421 @@ -176,6 +260,15 @@ static inline void atomic_long_add(long
41425 +#ifdef CONFIG_PAX_REFCOUNT
41426 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
41428 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
41430 + atomic_add_unchecked(i, v);
41434 static inline void atomic_long_sub(long i, atomic_long_t *l)
41436 atomic_t *v = (atomic_t *)l;
41437 @@ -232,6 +325,15 @@ static inline long atomic_long_inc_retur
41438 return (long)atomic_inc_return(v);
41441 +#ifdef CONFIG_PAX_REFCOUNT
41442 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
41444 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
41446 + return (long)atomic_inc_return_unchecked(v);
41450 static inline long atomic_long_dec_return(atomic_long_t *l)
41452 atomic_t *v = (atomic_t *)l;
41453 @@ -255,4 +357,33 @@ static inline long atomic_long_add_unles
41455 #endif /* BITS_PER_LONG == 64 */
41457 +#ifdef CONFIG_PAX_REFCOUNT
41458 +static inline void pax_refcount_needs_these_functions(void)
41460 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
41461 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
41462 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
41463 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
41464 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
41466 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
41467 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
41468 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
41469 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
41470 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
41473 +#define atomic_read_unchecked(v) atomic_read(v)
41474 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
41475 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
41476 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
41477 +#define atomic_inc_unchecked(v) atomic_inc(v)
41479 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
41480 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
41481 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
41482 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
41483 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
41486 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
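Review bot: `pax_refcount_needs_these_functions()` carries no comment, and every call in it passes a NULL pointer cast to the atomic type, so calling it would hand NULL to each accessor. It reads as a build-time check that every architecture supplies the `_unchecked` accessors, which is an inference because no caller is visible in this hunk. I would put `/* Never called: exists only so the build fails if an arch lacks an *_unchecked accessor. */` above it. The same comment should say that the list must be kept in step by hand with the fallback macros defined right after it.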
41487 diff -urNp linux-2.6.33/include/asm-generic/dma-mapping-common.h linux-2.6.33/include/asm-generic/dma-mapping-common.h
41488 --- linux-2.6.33/include/asm-generic/dma-mapping-common.h 2010-02-24 13:52:17.000000000 -0500
41489 +++ linux-2.6.33/include/asm-generic/dma-mapping-common.h 2010-03-07 12:23:36.113714966 -0500
41490 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
41491 enum dma_data_direction dir,
41492 struct dma_attrs *attrs)
41494 - struct dma_map_ops *ops = get_dma_ops(dev);
41495 + const struct dma_map_ops *ops = get_dma_ops(dev);
41498 kmemcheck_mark_initialized(ptr, size);
41499 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
41500 enum dma_data_direction dir,
41501 struct dma_attrs *attrs)
41503 - struct dma_map_ops *ops = get_dma_ops(dev);
41504 + const struct dma_map_ops *ops = get_dma_ops(dev);
41506 BUG_ON(!valid_dma_direction(dir));
41507 if (ops->unmap_page)
41508 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
41509 int nents, enum dma_data_direction dir,
41510 struct dma_attrs *attrs)
41512 - struct dma_map_ops *ops = get_dma_ops(dev);
41513 + const struct dma_map_ops *ops = get_dma_ops(dev);
41515 struct scatterlist *s;
41517 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
41518 int nents, enum dma_data_direction dir,
41519 struct dma_attrs *attrs)
41521 - struct dma_map_ops *ops = get_dma_ops(dev);
41522 + const struct dma_map_ops *ops = get_dma_ops(dev);
41524 BUG_ON(!valid_dma_direction(dir));
41525 debug_dma_unmap_sg(dev, sg, nents, dir);
41526 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
41527 size_t offset, size_t size,
41528 enum dma_data_direction dir)
41530 - struct dma_map_ops *ops = get_dma_ops(dev);
41531 + const struct dma_map_ops *ops = get_dma_ops(dev);
41534 kmemcheck_mark_initialized(page_address(page) + offset, size);
41535 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
41536 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
41537 size_t size, enum dma_data_direction dir)
41539 - struct dma_map_ops *ops = get_dma_ops(dev);
41540 + const struct dma_map_ops *ops = get_dma_ops(dev);
41542 BUG_ON(!valid_dma_direction(dir));
41543 if (ops->unmap_page)
41544 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
41546 enum dma_data_direction dir)
41548 - struct dma_map_ops *ops = get_dma_ops(dev);
41549 + const struct dma_map_ops *ops = get_dma_ops(dev);
41551 BUG_ON(!valid_dma_direction(dir));
41552 if (ops->sync_single_for_cpu)
41553 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
41554 dma_addr_t addr, size_t size,
41555 enum dma_data_direction dir)
41557 - struct dma_map_ops *ops = get_dma_ops(dev);
41558 + const struct dma_map_ops *ops = get_dma_ops(dev);
41560 BUG_ON(!valid_dma_direction(dir));
41561 if (ops->sync_single_for_device)
41562 @@ -123,7 +123,7 @@ static inline void dma_sync_single_range
41564 enum dma_data_direction dir)
41566 - struct dma_map_ops *ops = get_dma_ops(dev);
41567 + const struct dma_map_ops *ops = get_dma_ops(dev);
41569 BUG_ON(!valid_dma_direction(dir));
41570 if (ops->sync_single_range_for_cpu) {
41571 @@ -140,7 +140,7 @@ static inline void dma_sync_single_range
41573 enum dma_data_direction dir)
41575 - struct dma_map_ops *ops = get_dma_ops(dev);
41576 + const struct dma_map_ops *ops = get_dma_ops(dev);
41578 BUG_ON(!valid_dma_direction(dir));
41579 if (ops->sync_single_range_for_device) {
41580 @@ -155,7 +155,7 @@ static inline void
41581 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
41582 int nelems, enum dma_data_direction dir)
41584 - struct dma_map_ops *ops = get_dma_ops(dev);
41585 + const struct dma_map_ops *ops = get_dma_ops(dev);
41587 BUG_ON(!valid_dma_direction(dir));
41588 if (ops->sync_sg_for_cpu)
41589 @@ -167,7 +167,7 @@ static inline void
41590 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
41591 int nelems, enum dma_data_direction dir)
41593 - struct dma_map_ops *ops = get_dma_ops(dev);
41594 + const struct dma_map_ops *ops = get_dma_ops(dev);
41596 BUG_ON(!valid_dma_direction(dir));
41597 if (ops->sync_sg_for_device)
41598 diff -urNp linux-2.6.33/include/asm-generic/futex.h linux-2.6.33/include/asm-generic/futex.h
41599 --- linux-2.6.33/include/asm-generic/futex.h 2010-02-24 13:52:17.000000000 -0500
41600 +++ linux-2.6.33/include/asm-generic/futex.h 2010-03-07 12:23:36.113714966 -0500
41602 #include <asm/errno.h>
41605 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
41606 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
41608 int op = (encoded_op >> 28) & 7;
41609 int cmp = (encoded_op >> 24) & 15;
41610 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
41614 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
41615 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
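Review bot: `futex_atomic_cmpxchg_inatomic` now takes `u32 __user *uaddr` while `oldval` and `newval` stay `int`, so the compare-and-exchange mixes an unsigned futex word with signed operands. `u32 oldval, u32 newval` would make the prototype consistent, but that touches every architecture's implementation, so at minimum a comment on the intended signedness belongs next to the prototype. `futex_atomic_op_inuser` in the previous hunk gets the same pointer change. Both function bodies lie outside the hunks.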
41619 diff -urNp linux-2.6.33/include/asm-generic/int-l64.h linux-2.6.33/include/asm-generic/int-l64.h
41620 --- linux-2.6.33/include/asm-generic/int-l64.h 2010-02-24 13:52:17.000000000 -0500
41621 +++ linux-2.6.33/include/asm-generic/int-l64.h 2010-03-07 12:23:36.113714966 -0500
41622 @@ -46,6 +46,8 @@ typedef unsigned int u32;
41623 typedef signed long s64;
41624 typedef unsigned long u64;
41626 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
41629 #define U8_C(x) x ## U
41631 diff -urNp linux-2.6.33/include/asm-generic/int-ll64.h linux-2.6.33/include/asm-generic/int-ll64.h
41632 --- linux-2.6.33/include/asm-generic/int-ll64.h 2010-02-24 13:52:17.000000000 -0500
41633 +++ linux-2.6.33/include/asm-generic/int-ll64.h 2010-03-07 12:23:36.113714966 -0500
41634 @@ -51,6 +51,8 @@ typedef unsigned int u32;
41635 typedef signed long long s64;
41636 typedef unsigned long long u64;
41638 +typedef unsigned long long intoverflow_t;
41641 #define U8_C(x) x ## U
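Review bot: `intoverflow_t` is `unsigned long long` here, the same width as `u64` two lines up, whereas the int-l64.h hunk makes it a 128-bit `mode(TI)` integer. If the type is meant to hold the full product of two `size_t` values so that an overflow can be detected (its users are outside this hunk), then on any 64-bit configuration that includes int-ll64.h the product wraps inside `intoverflow_t` and the check never fires. Either state the required width in a comment, or use `typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));` under a 64-bit guard here as well.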
41643 diff -urNp linux-2.6.33/include/asm-generic/kmap_types.h linux-2.6.33/include/asm-generic/kmap_types.h
41644 --- linux-2.6.33/include/asm-generic/kmap_types.h 2010-02-24 13:52:17.000000000 -0500
41645 +++ linux-2.6.33/include/asm-generic/kmap_types.h 2010-03-07 12:23:36.113714966 -0500
41646 @@ -28,7 +28,8 @@ KMAP_D(15) KM_UML_USERCOPY,
41647 KMAP_D(16) KM_IRQ_PTE,
41649 KMAP_D(18) KM_NMI_PTE,
41650 -KMAP_D(19) KM_TYPE_NR
41651 +KMAP_D(19) KM_CLEARPAGE,
41652 +KMAP_D(20) KM_TYPE_NR
41656 diff -urNp linux-2.6.33/include/asm-generic/pgtable.h linux-2.6.33/include/asm-generic/pgtable.h
41657 --- linux-2.6.33/include/asm-generic/pgtable.h 2010-02-24 13:52:17.000000000 -0500
41658 +++ linux-2.6.33/include/asm-generic/pgtable.h 2010-03-07 12:23:36.113714966 -0500
41659 @@ -344,6 +344,14 @@ extern void untrack_pfn_vma(struct vm_ar
41660 unsigned long size);
41663 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
41664 +static inline unsigned long pax_open_kernel(void) { return 0; }
41667 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
41668 +static inline unsigned long pax_close_kernel(void) { return 0; }
41671 #endif /* !__ASSEMBLY__ */
41673 #endif /* _ASM_GENERIC_PGTABLE_H */
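Review bot: The no-op stubs for `pax_open_kernel()` and `pax_close_kernel()` sit behind two independent guards, `__HAVE_ARCH_PAX_OPEN_KERNEL` and `__HAVE_ARCH_PAX_CLOSE_KERNEL`. An architecture that defines only one of them therefore builds cleanly with a real open paired with a no-op close, or the reverse. Assuming the pair brackets a window in which protected kernel memory is writable (the arch implementations are not in this hunk), that mismatch would leave the window open. A single guard, or `#if defined(__HAVE_ARCH_PAX_OPEN_KERNEL) != defined(__HAVE_ARCH_PAX_CLOSE_KERNEL)` followed by `#error`, turns the mismatch into a build failure. The stubs also need a comment on what the `unsigned long` return value means to callers.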
41674 diff -urNp linux-2.6.33/include/asm-generic/vmlinux.lds.h linux-2.6.33/include/asm-generic/vmlinux.lds.h
41675 --- linux-2.6.33/include/asm-generic/vmlinux.lds.h 2010-02-24 13:52:17.000000000 -0500
41676 +++ linux-2.6.33/include/asm-generic/vmlinux.lds.h 2010-03-07 12:23:36.113714966 -0500
41677 @@ -203,6 +203,7 @@
41678 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
41679 VMLINUX_SYMBOL(__start_rodata) = .; \
41680 *(.rodata) *(.rodata.*) \
41681 + *(.data.read_only) \
41682 *(__vermagic) /* Kernel version magic */ \
41683 *(__markers_strings) /* Markers: strings */ \
41684 *(__tracepoints_strings)/* Tracepoints: strings */ \
41685 @@ -660,22 +661,24 @@
41686 * section in the linker script will go there too. @phdr should have
41689 - * Note that this macros defines __per_cpu_load as an absolute symbol.
41690 + * Note that this macros defines per_cpu_load as an absolute symbol.
41691 * If there is no need to put the percpu section at a predetermined
41692 * address, use PERCPU().
41694 #define PERCPU_VADDR(vaddr, phdr) \
41695 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
41696 - .data.percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
41697 + per_cpu_load = .; \
41698 + .data.percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
41700 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
41701 VMLINUX_SYMBOL(__per_cpu_start) = .; \
41702 *(.data.percpu.first) \
41703 - *(.data.percpu.page_aligned) \
41705 + . = ALIGN(PAGE_SIZE); \
41706 + *(.data.percpu.page_aligned) \
41707 *(.data.percpu.shared_aligned) \
41708 VMLINUX_SYMBOL(__per_cpu_end) = .; \
41710 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data.percpu);
41711 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data.percpu);
41714 * PERCPU - define output section for percpu area, simple version
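Review bot: `per_cpu_load` is defined bare (`per_cpu_load = .;`) but read back as `VMLINUX_SYMBOL(per_cpu_load)` in the `AT()` expression and in the final location assignment, while `__per_cpu_load` is computed from the bare name again. On an architecture whose `VMLINUX_SYMBOL` adds a prefix, the wrapped references name a symbol that was never defined. One spelling should be used throughout, e.g. `VMLINUX_SYMBOL(per_cpu_load) = .;`. The header comment now says the macro defines `per_cpu_load` as an absolute symbol, yet `__per_cpu_load` is still defined as well, so the comment should say how the two differ.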
41715 diff -urNp linux-2.6.33/include/drm/drm_pciids.h linux-2.6.33/include/drm/drm_pciids.h
41716 --- linux-2.6.33/include/drm/drm_pciids.h 2010-02-24 13:52:17.000000000 -0500
41717 +++ linux-2.6.33/include/drm/drm_pciids.h 2010-03-07 12:23:36.113714966 -0500
41718 @@ -375,7 +375,7 @@
41719 {0x1002, 0x9712, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
41720 {0x1002, 0x9713, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
41721 {0x1002, 0x9714, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
41723 + {0, 0, 0, 0, 0, 0}
41725 #define r128_PCI_IDS \
41726 {0x1002, 0x4c45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41727 @@ -415,14 +415,14 @@
41728 {0x1002, 0x5446, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41729 {0x1002, 0x544C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41730 {0x1002, 0x5452, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41732 + {0, 0, 0, 0, 0, 0}
41734 #define mga_PCI_IDS \
41735 {0x102b, 0x0520, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
41736 {0x102b, 0x0521, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
41737 {0x102b, 0x0525, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G400}, \
41738 {0x102b, 0x2527, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G550}, \
41740 + {0, 0, 0, 0, 0, 0}
41742 #define mach64_PCI_IDS \
41743 {0x1002, 0x4749, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41744 @@ -445,7 +445,7 @@
41745 {0x1002, 0x4c53, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41746 {0x1002, 0x4c4d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41747 {0x1002, 0x4c4e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41749 + {0, 0, 0, 0, 0, 0}
41751 #define sisdrv_PCI_IDS \
41752 {0x1039, 0x0300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41753 @@ -456,7 +456,7 @@
41754 {0x1039, 0x7300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41755 {0x18CA, 0x0040, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
41756 {0x18CA, 0x0042, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
41758 + {0, 0, 0, 0, 0, 0}
41760 #define tdfx_PCI_IDS \
41761 {0x121a, 0x0003, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41762 @@ -465,7 +465,7 @@
41763 {0x121a, 0x0007, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41764 {0x121a, 0x0009, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41765 {0x121a, 0x000b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41767 + {0, 0, 0, 0, 0, 0}
41769 #define viadrv_PCI_IDS \
41770 {0x1106, 0x3022, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41771 @@ -477,14 +477,14 @@
41772 {0x1106, 0x3343, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41773 {0x1106, 0x3230, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_DX9_0}, \
41774 {0x1106, 0x3157, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_PRO_GROUP_A}, \
41776 + {0, 0, 0, 0, 0, 0}
41778 #define i810_PCI_IDS \
41779 {0x8086, 0x7121, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41780 {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41781 {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41782 {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41784 + {0, 0, 0, 0, 0, 0}
41786 #define i830_PCI_IDS \
41787 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41788 @@ -492,11 +492,11 @@
41789 {0x8086, 0x3582, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41790 {0x8086, 0x2572, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41791 {0x8086, 0x358e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41793 + {0, 0, 0, 0, 0, 0}
41795 #define gamma_PCI_IDS \
41796 {0x3d3d, 0x0008, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41798 + {0, 0, 0, 0, 0, 0}
41800 #define savage_PCI_IDS \
41801 {0x5333, 0x8a20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_SAVAGE3D}, \
41802 @@ -522,10 +522,10 @@
41803 {0x5333, 0x8d02, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_TWISTER}, \
41804 {0x5333, 0x8d03, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
41805 {0x5333, 0x8d04, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
41807 + {0, 0, 0, 0, 0, 0}
41809 #define ffb_PCI_IDS \
41811 + {0, 0, 0, 0, 0, 0}
41813 #define i915_PCI_IDS \
41814 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
41815 @@ -558,4 +558,4 @@
41816 {0x8086, 0x35e8, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
41817 {0x8086, 0x0042, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
41818 {0x8086, 0x0046, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
41820 + {0, 0, 0, 0, 0, 0}
41821 diff -urNp linux-2.6.33/include/drm/drmP.h linux-2.6.33/include/drm/drmP.h
41822 --- linux-2.6.33/include/drm/drmP.h 2010-02-24 13:52:17.000000000 -0500
41823 +++ linux-2.6.33/include/drm/drmP.h 2010-03-07 12:23:36.113714966 -0500
41824 @@ -806,7 +806,7 @@ struct drm_driver {
41825 void (*vgaarb_irq)(struct drm_device *dev, bool state);
41827 /* Driver private ops for this object */
41828 - struct vm_operations_struct *gem_vm_ops;
41829 + const struct vm_operations_struct *gem_vm_ops;
41833 @@ -915,7 +915,7 @@ struct drm_device {
41835 /** \name Usage Counters */
41837 - int open_count; /**< Outstanding files open */
41838 + atomic_t open_count; /**< Outstanding files open */
41839 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
41840 atomic_t vma_count; /**< Outstanding vma areas open */
41841 int buf_use; /**< Buffers in use -- cannot alloc */
41842 @@ -926,7 +926,7 @@ struct drm_device {
41844 unsigned long counters;
41845 enum drm_stat_type types[15];
41846 - atomic_t counts[15];
41847 + atomic_unchecked_t counts[15];
41850 struct list_head filelist;
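Review bot: `counts[15]` becomes `atomic_unchecked_t` with no comment saying why these counters are exempt from overflow checking, while `open_count` in the previous hunk moves the other way, from `int` to a checked `atomic_t`. If the reasoning is that `counts` holds statistics whose wraparound is harmless (an inference from the field names), say so at the declaration: `/* statistics only, may wrap */`. `__HANDLE_ITEM` in the atmdev.h hunk makes the same switch and needs the same comment, so that a later reader does not copy the unchecked type onto a real reference count.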
41851 diff -urNp linux-2.6.33/include/linux/a.out.h linux-2.6.33/include/linux/a.out.h
41852 --- linux-2.6.33/include/linux/a.out.h 2010-02-24 13:52:17.000000000 -0500
41853 +++ linux-2.6.33/include/linux/a.out.h 2010-03-07 12:23:36.113714966 -0500
41854 @@ -39,6 +39,14 @@ enum machine_type {
41855 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
41858 +/* Constants for the N_FLAGS field */
41859 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
41860 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
41861 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
41862 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
41863 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
41864 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
41866 #if !defined (N_MAGIC)
41867 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
41869 diff -urNp linux-2.6.33/include/linux/atmdev.h linux-2.6.33/include/linux/atmdev.h
41870 --- linux-2.6.33/include/linux/atmdev.h 2010-02-24 13:52:17.000000000 -0500
41871 +++ linux-2.6.33/include/linux/atmdev.h 2010-03-07 12:23:36.113714966 -0500
41872 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
41875 struct k_atm_aal_stats {
41876 -#define __HANDLE_ITEM(i) atomic_t i
41877 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
41879 #undef __HANDLE_ITEM
41881 diff -urNp linux-2.6.33/include/linux/binfmts.h linux-2.6.33/include/linux/binfmts.h
41882 --- linux-2.6.33/include/linux/binfmts.h 2010-02-24 13:52:17.000000000 -0500
41883 +++ linux-2.6.33/include/linux/binfmts.h 2010-03-07 12:23:36.113714966 -0500
41884 @@ -86,6 +86,7 @@ struct linux_binfmt {
41885 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
41886 int (*load_shlib)(struct file *);
41887 int (*core_dump)(struct coredump_params *cprm);
41888 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
41889 unsigned long min_coredump; /* minimal dump size */
41892 diff -urNp linux-2.6.33/include/linux/blkdev.h linux-2.6.33/include/linux/blkdev.h
41893 --- linux-2.6.33/include/linux/blkdev.h 2010-02-24 13:52:17.000000000 -0500
41894 +++ linux-2.6.33/include/linux/blkdev.h 2010-03-07 12:23:36.113714966 -0500
41895 @@ -1287,19 +1287,19 @@ static inline int blk_integrity_rq(struc
41896 #endif /* CONFIG_BLK_DEV_INTEGRITY */
41898 struct block_device_operations {
41899 - int (*open) (struct block_device *, fmode_t);
41900 - int (*release) (struct gendisk *, fmode_t);
41901 - int (*locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
41902 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
41903 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
41904 - int (*direct_access) (struct block_device *, sector_t,
41905 + int (* const open) (struct block_device *, fmode_t);
41906 + int (* const release) (struct gendisk *, fmode_t);
41907 + int (* const locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
41908 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
41909 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
41910 + int (* const direct_access) (struct block_device *, sector_t,
41911 void **, unsigned long *);
41912 - int (*media_changed) (struct gendisk *);
41913 - unsigned long long (*set_capacity) (struct gendisk *,
41914 + int (* const media_changed) (struct gendisk *);
41915 + unsigned long long (* const set_capacity) (struct gendisk *,
41916 unsigned long long);
41917 - int (*revalidate_disk) (struct gendisk *);
41918 - int (*getgeo)(struct block_device *, struct hd_geometry *);
41919 - struct module *owner;
41920 + int (* const revalidate_disk) (struct gendisk *);
41921 + int (* const getgeo)(struct block_device *, struct hd_geometry *);
41922 + struct module * const owner;
41925 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
41926 diff -urNp linux-2.6.33/include/linux/cache.h linux-2.6.33/include/linux/cache.h
41927 --- linux-2.6.33/include/linux/cache.h 2010-02-24 13:52:17.000000000 -0500
41928 +++ linux-2.6.33/include/linux/cache.h 2010-03-07 12:23:36.113714966 -0500
41930 #define __read_mostly
41933 +#ifndef __read_only
41934 +#define __read_only __read_mostly
41937 #ifndef ____cacheline_aligned
41938 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
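Review bot: The fallback `#define __read_only __read_mostly` means that on any architecture which does not supply its own `__read_only`, objects tagged with it stay in ordinary writable data and the annotation protects nothing. The definition has no comment saying so; `/* fallback: placement hint only, no write protection */` would keep readers from assuming the tag is enforced everywhere. The vmlinux.lds.h hunk that adds `*(.data.read_only)` to `.rodata` suggests the real definition is a section attribute, but that definition is not visible here.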
41940 diff -urNp linux-2.6.33/include/linux/capability.h linux-2.6.33/include/linux/capability.h
41941 --- linux-2.6.33/include/linux/capability.h 2010-02-24 13:52:17.000000000 -0500
41942 +++ linux-2.6.33/include/linux/capability.h 2010-03-07 12:23:36.117645366 -0500
41943 @@ -561,6 +561,7 @@ extern const kernel_cap_t __cap_init_eff
41944 (security_real_capable_noaudit((t), (cap)) == 0)
41946 extern int capable(int cap);
41947 +int capable_nolog(int cap);
41949 /* audit system wants to get cap info from files as well */
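Review bot: `int capable_nolog(int cap);` is declared without `extern`, unlike `extern int capable(int cap);` on the line before it, and without any comment. Going by the name it is a capability check that skips logging (the definition is outside this hunk), and callers need to know when that is acceptable. I would write `extern int capable_nolog(int cap);` and add a one-line comment stating which call sites may use the non-logging variant.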
41951 diff -urNp linux-2.6.33/include/linux/compiler-gcc4.h linux-2.6.33/include/linux/compiler-gcc4.h
41952 --- linux-2.6.33/include/linux/compiler-gcc4.h 2010-02-24 13:52:17.000000000 -0500
41953 +++ linux-2.6.33/include/linux/compiler-gcc4.h 2010-03-07 12:23:36.117645366 -0500
41955 #define unreachable() __builtin_unreachable()
41958 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
41959 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
41960 +#define __bos0(ptr) __bos((ptr), 0)
41961 +#define __bos1(ptr) __bos((ptr), 1)
41964 #if __GNUC_MINOR__ > 0
41965 diff -urNp linux-2.6.33/include/linux/compiler.h linux-2.6.33/include/linux/compiler.h
41966 --- linux-2.6.33/include/linux/compiler.h 2010-02-24 13:52:17.000000000 -0500
41967 +++ linux-2.6.33/include/linux/compiler.h 2010-03-07 12:23:36.117645366 -0500
41968 @@ -267,6 +267,22 @@ void ftrace_likely_update(struct ftrace_
41972 +#ifndef __alloc_size
41973 +#define __alloc_size
41988 /* Simple shorthand for a section definition */
41990 # define __section(S) __attribute__ ((__section__(#S)))
41991 diff -urNp linux-2.6.33/include/linux/decompress/mm.h linux-2.6.33/include/linux/decompress/mm.h
41992 --- linux-2.6.33/include/linux/decompress/mm.h 2010-02-24 13:52:17.000000000 -0500
41993 +++ linux-2.6.33/include/linux/decompress/mm.h 2010-03-07 12:23:36.117645366 -0500
41994 @@ -68,7 +68,7 @@ static void free(void *where)
41995 * warnings when not needed (indeed large_malloc / large_free are not
41996 * needed by inflate */
41998 -#define malloc(a) kmalloc(a, GFP_KERNEL)
41999 +#define malloc(a) kmalloc((a), GFP_KERNEL)
42000 #define free(a) kfree(a)
42002 #define large_malloc(a) vmalloc(a)
42003 diff -urNp linux-2.6.33/include/linux/dma-mapping.h linux-2.6.33/include/linux/dma-mapping.h
42004 --- linux-2.6.33/include/linux/dma-mapping.h 2010-02-24 13:52:17.000000000 -0500
42005 +++ linux-2.6.33/include/linux/dma-mapping.h 2010-03-07 12:23:36.117645366 -0500
42006 @@ -16,50 +16,50 @@ enum dma_data_direction {
42009 struct dma_map_ops {
42010 - void* (*alloc_coherent)(struct device *dev, size_t size,
42011 + void* (* const alloc_coherent)(struct device *dev, size_t size,
42012 dma_addr_t *dma_handle, gfp_t gfp);
42013 - void (*free_coherent)(struct device *dev, size_t size,
42014 + void (* const free_coherent)(struct device *dev, size_t size,
42015 void *vaddr, dma_addr_t dma_handle);
42016 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
42017 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
42018 unsigned long offset, size_t size,
42019 enum dma_data_direction dir,
42020 struct dma_attrs *attrs);
42021 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
42022 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
42023 size_t size, enum dma_data_direction dir,
42024 struct dma_attrs *attrs);
42025 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
42026 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
42027 int nents, enum dma_data_direction dir,
42028 struct dma_attrs *attrs);
42029 - void (*unmap_sg)(struct device *dev,
42030 + void (* const unmap_sg)(struct device *dev,
42031 struct scatterlist *sg, int nents,
42032 enum dma_data_direction dir,
42033 struct dma_attrs *attrs);
42034 - void (*sync_single_for_cpu)(struct device *dev,
42035 + void (* const sync_single_for_cpu)(struct device *dev,
42036 dma_addr_t dma_handle, size_t size,
42037 enum dma_data_direction dir);
42038 - void (*sync_single_for_device)(struct device *dev,
42039 + void (* const sync_single_for_device)(struct device *dev,
42040 dma_addr_t dma_handle, size_t size,
42041 enum dma_data_direction dir);
42042 - void (*sync_single_range_for_cpu)(struct device *dev,
42043 + void (* const sync_single_range_for_cpu)(struct device *dev,
42044 dma_addr_t dma_handle,
42045 unsigned long offset,
42047 enum dma_data_direction dir);
42048 - void (*sync_single_range_for_device)(struct device *dev,
42049 + void (* const sync_single_range_for_device)(struct device *dev,
42050 dma_addr_t dma_handle,
42051 unsigned long offset,
42053 enum dma_data_direction dir);
42054 - void (*sync_sg_for_cpu)(struct device *dev,
42055 + void (* const sync_sg_for_cpu)(struct device *dev,
42056 struct scatterlist *sg, int nents,
42057 enum dma_data_direction dir);
42058 - void (*sync_sg_for_device)(struct device *dev,
42059 + void (* const sync_sg_for_device)(struct device *dev,
42060 struct scatterlist *sg, int nents,
42061 enum dma_data_direction dir);
42062 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
42063 - int (*dma_supported)(struct device *dev, u64 mask);
42064 - int (*set_dma_mask)(struct device *dev, u64 mask);
42066 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
42067 + int (* const dma_supported)(struct device *dev, u64 mask);
42068 + int (* set_dma_mask)(struct device *dev, u64 mask);
42069 + const int is_phys;
42072 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
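Review bot: `set_dma_mask` is the only callback in `struct dma_map_ops` left as `int (* set_dma_mask)(...)` without `const`, and no comment explains the exception. If it is deliberate because some platform installs the hook at runtime (not visible in this hunk), say so at the member: `/* not const: assigned at runtime by <platform> */`. Otherwise make it `int (* const set_dma_mask)(struct device *dev, u64 mask);` like the rest. As written it remains the one writable function pointer in a table whose other members were just made immutable.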
42073 diff -urNp linux-2.6.33/include/linux/elf.h linux-2.6.33/include/linux/elf.h
42074 --- linux-2.6.33/include/linux/elf.h 2010-02-24 13:52:17.000000000 -0500
42075 +++ linux-2.6.33/include/linux/elf.h 2010-03-07 12:23:36.117645366 -0500
42076 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
42077 #define PT_GNU_EH_FRAME 0x6474e550
42079 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
42080 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
42082 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
42084 +/* Constants for the e_flags field */
42085 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
42086 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
42087 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
42088 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
42089 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
42090 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
42092 /* These constants define the different elf file types */
42094 @@ -84,6 +95,8 @@ typedef __s64 Elf64_Sxword;
42095 #define DT_DEBUG 21
42096 #define DT_TEXTREL 22
42097 #define DT_JMPREL 23
42098 +#define DT_FLAGS 30
42099 + #define DF_TEXTREL 0x00000004
42100 #define DT_ENCODING 32
42101 #define OLD_DT_LOOS 0x60000000
42102 #define DT_LOOS 0x6000000d
42103 @@ -230,6 +243,19 @@ typedef struct elf64_hdr {
42107 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
42108 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
42109 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
42110 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
42111 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
42112 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
42113 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
42114 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
42115 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
42116 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
42117 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
42118 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
42120 typedef struct elf32_phdr{
42122 Elf32_Off p_offset;
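Review bot: The new PF_* pairs give every PaX feature both an enable and a disable bit, but nothing in this hunk says what a loader must do when a header sets both bits of a pair, or neither. That contract belongs next to the definitions, for example `/* p_flags bits of a PT_PAX_FLAGS segment; PF_x together with PF_NOx is invalid, neither bit leaves the default */`. The exact semantics need confirming against the ELF loader, which is outside this hunk. The values occupy p_flags bits 4-15, outside PF_MASKOS, so presumably they are only meant to be read from the PT_PAX_FLAGS program header and never from an ordinary PT_LOAD entry; the comment should say that too.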
42123 @@ -322,6 +348,8 @@ typedef struct elf64_shdr {
42129 #define ELFMAG0 0x7f /* EI_MAG */
42130 #define ELFMAG1 'E'
42131 #define ELFMAG2 'L'
42132 @@ -386,6 +414,7 @@ extern Elf32_Dyn _DYNAMIC [];
42133 #define elf_phdr elf32_phdr
42134 #define elf_note elf32_note
42135 #define elf_addr_t Elf32_Off
42136 +#define elf_dyn Elf32_Dyn
42140 @@ -394,6 +423,7 @@ extern Elf64_Dyn _DYNAMIC [];
42141 #define elf_phdr elf64_phdr
42142 #define elf_note elf64_note
42143 #define elf_addr_t Elf64_Off
42144 +#define elf_dyn Elf64_Dyn
42148 diff -urNp linux-2.6.33/include/linux/fs.h linux-2.6.33/include/linux/fs.h
42149 --- linux-2.6.33/include/linux/fs.h 2010-02-24 13:52:17.000000000 -0500
42150 +++ linux-2.6.33/include/linux/fs.h 2010-03-07 12:23:36.117645366 -0500
42151 @@ -87,6 +87,10 @@ struct inodes_stat_t {
42153 #define FMODE_NOCMTIME ((__force fmode_t)2048)
42155 +/* Hack for grsec so as not to require read permission simply to execute
42157 +#define FMODE_GREXEC ((__force fmode_t)8192)
42160 * The below are the various read and write types that we support. Some of
42161 * them include behavioral modifiers that send information down to the
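Review bot: FMODE_GREXEC takes bit 8192 out of the same fmode_t space that upstream allocates from, and nothing here reserves it or records where the flag is set and consumed. If a later kernel assigns that bit to another FMODE_* flag, the two would alias silently, and a flag that relaxes a read-permission check is a poor candidate for accidental aliasing. I would extend the comment to name the single place that sets the flag and the check it bypasses, and add something like `/* out-of-tree bit: re-check against upstream FMODE_* on every rebase */`. Whether the flag can ever be reached from a userspace-supplied open mode is not visible in this hunk and should be confirmed.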
42162 @@ -567,38 +571,38 @@ typedef int (*read_actor_t)(read_descrip
42163 - int (*writepage)(struct page *page, struct writeback_control *wbc);
42164 - int (*readpage)(struct file *, struct page *);
42165 - void (*sync_page)(struct page *);
42166 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
42167 + int (* const readpage)(struct file *, struct page *);
42168 + void (* const sync_page)(struct page *);
42170 /* Write back some dirty pages from this mapping. */
42171 - int (*writepages)(struct address_space *, struct writeback_control *);
42172 + int (* const writepages)(struct address_space *, struct writeback_control *);
42174 /* Set a page dirty. Return true if this dirtied it */
42175 - int (*set_page_dirty)(struct page *page);
42176 + int (* const set_page_dirty)(struct page *page);
42178 - int (*readpages)(struct file *filp, struct address_space *mapping,
42179 + int (* const readpages)(struct file *filp, struct address_space *mapping,
42180 struct list_head *pages, unsigned nr_pages);
42182 - int (*write_begin)(struct file *, struct address_space *mapping,
42183 + int (* const write_begin)(struct file *, struct address_space *mapping,
42184 loff_t pos, unsigned len, unsigned flags,
42185 struct page **pagep, void **fsdata);
42186 - int (*write_end)(struct file *, struct address_space *mapping,
42187 + int (* const write_end)(struct file *, struct address_space *mapping,
42188 loff_t pos, unsigned len, unsigned copied,
42189 struct page *page, void *fsdata);
42191 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
42192 - sector_t (*bmap)(struct address_space *, sector_t);
42193 - void (*invalidatepage) (struct page *, unsigned long);
42194 - int (*releasepage) (struct page *, gfp_t);
42195 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
42196 + sector_t (* const bmap)(struct address_space *, sector_t);
42197 + void (* const invalidatepage) (struct page *, unsigned long);
42198 + int (* const releasepage) (struct page *, gfp_t);
42199 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
42200 loff_t offset, unsigned long nr_segs);
42201 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
42202 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
42203 void **, unsigned long *);
42204 /* migrate the contents of a page to the specified target */
42205 - int (*migratepage) (struct address_space *,
42206 + int (* const migratepage) (struct address_space *,
42207 struct page *, struct page *);
42208 - int (*launder_page) (struct page *);
42209 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
42210 + int (* const launder_page) (struct page *);
42211 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
42213 - int (*error_remove_page)(struct address_space *, struct page *);
42214 + int (* const error_remove_page)(struct address_space *, struct page *);
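Review bot: Qualifying the members as `* const` only stops assignment through the struct type; it does not by itself put any address_space_operations instance into read-only memory, so a runtime overwrite of the table is still possible unless each instance is also declared `const`. The same applies to the file_lock_operations, lock_manager_operations and super_operations hunks below. The instance definitions are outside these hunks, so it would help to state the intent once above the struct, e.g. `/* members are const: instances must be static const initialisers, never filled in at run time */`. Any filesystem that copies an ops table and patches one member at run time will stop compiling with this change and needs converting, which is the desired outcome but worth listing in the patch description.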
42218 @@ -1029,19 +1033,19 @@ static inline int file_check_writeable(s
42219 typedef struct files_struct *fl_owner_t;
42221 struct file_lock_operations {
42222 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
42223 - void (*fl_release_private)(struct file_lock *);
42224 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
42225 + void (* const fl_release_private)(struct file_lock *);
42228 struct lock_manager_operations {
42229 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
42230 - void (*fl_notify)(struct file_lock *); /* unblock callback */
42231 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
42232 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
42233 - void (*fl_release_private)(struct file_lock *);
42234 - void (*fl_break)(struct file_lock *);
42235 - int (*fl_mylease)(struct file_lock *, struct file_lock *);
42236 - int (*fl_change)(struct file_lock **, int);
42237 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
42238 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
42239 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
42240 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
42241 + void (* const fl_release_private)(struct file_lock *);
42242 + void (* const fl_break)(struct file_lock *);
42243 + int (* const fl_mylease)(struct file_lock *, struct file_lock *);
42244 + int (* const fl_change)(struct file_lock **, int);
42247 struct lock_manager {
42248 @@ -1434,7 +1438,7 @@ struct fiemap_extent_info {
42249 unsigned int fi_flags; /* Flags as passed from user */
42250 unsigned int fi_extents_mapped; /* Number of mapped extents */
42251 unsigned int fi_extents_max; /* Size of fiemap_extent array */
42252 - struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
42253 + struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
42256 int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
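Review bot: The `__user` annotation on `fi_extents_start` is checked only by sparse and has no effect at run time, so the protection depends on every access to that pointer going through copy_to_user() or an equivalent. The code that writes through it (presumably fiemap_fill_next_extent, declared just below) is outside this hunk and should be checked with a sparse run after this change. The member comment could also state the address space explicitly, e.g. `/* Start of fiemap_extent array (userspace pointer) */`.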
42257 @@ -1551,32 +1555,32 @@ extern ssize_t vfs_writev(struct file *,
42258 ssize_t vfs_sendfile(struct file *, struct file *, loff_t *, size_t, loff_t);
42260 struct super_operations {
42261 - struct inode *(*alloc_inode)(struct super_block *sb);
42262 - void (*destroy_inode)(struct inode *);
42263 + struct inode *(* const alloc_inode)(struct super_block *sb);
42264 + void (* const destroy_inode)(struct inode *);
42266 - void (*dirty_inode) (struct inode *);
42267 - int (*write_inode) (struct inode *, int);
42268 - void (*drop_inode) (struct inode *);
42269 - void (*delete_inode) (struct inode *);
42270 - void (*put_super) (struct super_block *);
42271 - void (*write_super) (struct super_block *);
42272 - int (*sync_fs)(struct super_block *sb, int wait);
42273 - int (*freeze_fs) (struct super_block *);
42274 - int (*unfreeze_fs) (struct super_block *);
42275 - int (*statfs) (struct dentry *, struct kstatfs *);
42276 - int (*remount_fs) (struct super_block *, int *, char *);
42277 - void (*clear_inode) (struct inode *);
42278 - void (*umount_begin) (struct super_block *);
42279 + void (* const dirty_inode) (struct inode *);
42280 + int (* const write_inode) (struct inode *, int);
42281 + void (* const drop_inode) (struct inode *);
42282 + void (* const delete_inode) (struct inode *);
42283 + void (* const put_super) (struct super_block *);
42284 + void (* const write_super) (struct super_block *);
42285 + int (* const sync_fs)(struct super_block *sb, int wait);
42286 + int (* const freeze_fs) (struct super_block *);
42287 + int (* const unfreeze_fs) (struct super_block *);
42288 + int (* const statfs) (struct dentry *, struct kstatfs *);
42289 + int (* const remount_fs) (struct super_block *, int *, char *);
42290 + void (* const clear_inode) (struct inode *);
42291 + void (* const umount_begin) (struct super_block *);
42293 - void (*sync_inodes)(struct super_block *sb,
42294 + void (* const sync_inodes)(struct super_block *sb,
42295 struct writeback_control *wbc);
42296 - int (*show_options)(struct seq_file *, struct vfsmount *);
42297 - int (*show_stats)(struct seq_file *, struct vfsmount *);
42298 + int (* const show_options)(struct seq_file *, struct vfsmount *);
42299 + int (* const show_stats)(struct seq_file *, struct vfsmount *);
42300 #ifdef CONFIG_QUOTA
42301 - ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t);
42302 - ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t);
42303 + ssize_t (* const quota_read)(struct super_block *, int, char *, size_t, loff_t);
42304 + ssize_t (* const quota_write)(struct super_block *, int, const char *, size_t, loff_t);
42306 - int (*bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
42307 + int (* const bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
42311 diff -urNp linux-2.6.33/include/linux/fs_struct.h linux-2.6.33/include/linux/fs_struct.h
42312 --- linux-2.6.33/include/linux/fs_struct.h 2010-02-24 13:52:17.000000000 -0500
42313 +++ linux-2.6.33/include/linux/fs_struct.h 2010-03-07 12:23:36.117645366 -0500
42315 #include <linux/path.h>
42323 diff -urNp linux-2.6.33/include/linux/genhd.h linux-2.6.33/include/linux/genhd.h
42324 --- linux-2.6.33/include/linux/genhd.h 2010-02-24 13:52:17.000000000 -0500
42325 +++ linux-2.6.33/include/linux/genhd.h 2010-03-07 12:23:36.117645366 -0500
42326 @@ -162,7 +162,7 @@ struct gendisk {
42328 struct timer_rand_state *random;
42330 - atomic_t sync_io; /* RAID */
42331 + atomic_unchecked_t sync_io; /* RAID */
42332 struct work_struct async_notify;
42333 #ifdef CONFIG_BLK_DEV_INTEGRITY
42334 struct blk_integrity *integrity;
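Review bot: Switching `sync_io` to `atomic_unchecked_t` opts this counter out of overflow checking, and the hunk gives no reason why that is safe. If the field is only an I/O activity counter and never controls an object's lifetime, which the `/* RAID */` comment suggests but does not establish, wrap-around is harmless and the comment should say so, e.g. `/* RAID; statistics counter, not a refcount, may wrap */`. Without that, a later reader cannot tell a deliberate exemption from a mechanical conversion.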
42335 diff -urNp linux-2.6.33/include/linux/gracl.h linux-2.6.33/include/linux/gracl.h
42336 --- linux-2.6.33/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
42337 +++ linux-2.6.33/include/linux/gracl.h 2010-03-07 12:23:36.117645366 -0500
42342 +#include <linux/grdefs.h>
42343 +#include <linux/resource.h>
42344 +#include <linux/capability.h>
42345 +#include <linux/dcache.h>
42346 +#include <asm/resource.h>
42348 +/* Major status information */
42350 +#define GR_VERSION "grsecurity 2.1.14"
42351 +#define GRSECURITY_VERSION 0x2114
42362 + GR_SPROLEPAM = 8,
42365 +/* Password setup definitions
42366 + * kernel/grhash.c */
42369 + GR_SALT_LEN = 16,
42374 + GR_SPROLE_LEN = 64,
42377 +#define GR_NLIMITS 32
42379 +/* Begin Data Structures */
42381 +struct sprole_pw {
42382 + unsigned char *rolename;
42383 + unsigned char salt[GR_SALT_LEN];
42384 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
42387 +struct name_entry {
42394 + struct name_entry *prev;
42395 + struct name_entry *next;
42398 +struct inodev_entry {
42399 + struct name_entry *nentry;
42400 + struct inodev_entry *prev;
42401 + struct inodev_entry *next;
42404 +struct acl_role_db {
42405 + struct acl_role_label **r_hash;
42409 +struct inodev_db {
42410 + struct inodev_entry **i_hash;
42415 + struct name_entry **n_hash;
42419 +struct crash_uid {
42421 + unsigned long expires;
42424 +struct gr_hash_struct {
42426 + void **nametable;
42428 + __u32 table_size;
42433 +/* Userspace Grsecurity ACL data structures */
42435 +struct acl_subject_label {
42440 + kernel_cap_t cap_mask;
42441 + kernel_cap_t cap_lower;
42443 + struct rlimit res[GR_NLIMITS];
42446 + __u8 user_trans_type;
42447 + __u8 group_trans_type;
42448 + uid_t *user_transitions;
42449 + gid_t *group_transitions;
42450 + __u16 user_trans_num;
42451 + __u16 group_trans_num;
42453 + __u32 ip_proto[8];
42455 + struct acl_ip_label **ips;
42457 + __u32 inaddr_any_override;
42460 + unsigned long expires;
42462 + struct acl_subject_label *parent_subject;
42463 + struct gr_hash_struct *hash;
42464 + struct acl_subject_label *prev;
42465 + struct acl_subject_label *next;
42467 + struct acl_object_label **obj_hash;
42468 + __u32 obj_hash_size;
42472 +struct role_allowed_ip {
42476 + struct role_allowed_ip *prev;
42477 + struct role_allowed_ip *next;
42480 +struct role_transition {
42483 + struct role_transition *prev;
42484 + struct role_transition *next;
42487 +struct acl_role_label {
42492 + __u16 auth_attempts;
42493 + unsigned long expires;
42495 + struct acl_subject_label *root_label;
42496 + struct gr_hash_struct *hash;
42498 + struct acl_role_label *prev;
42499 + struct acl_role_label *next;
42501 + struct role_transition *transitions;
42502 + struct role_allowed_ip *allowed_ips;
42503 + uid_t *domain_children;
42504 + __u16 domain_child_num;
42506 + struct acl_subject_label **subj_hash;
42507 + __u32 subj_hash_size;
42510 +struct user_acl_role_db {
42511 + struct acl_role_label **r_table;
42512 + __u32 num_pointers; /* Number of allocations to track */
42513 + __u32 num_roles; /* Number of roles */
42514 + __u32 num_domain_children; /* Number of domain children */
42515 + __u32 num_subjects; /* Number of subjects */
42516 + __u32 num_objects; /* Number of objects */
42519 +struct acl_object_label {
42525 + struct acl_subject_label *nested;
42526 + struct acl_object_label *globbed;
42528 + /* next two structures not used */
42530 + struct acl_object_label *prev;
42531 + struct acl_object_label *next;
42534 +struct acl_ip_label {
42543 + /* next two structures not used */
42545 + struct acl_ip_label *prev;
42546 + struct acl_ip_label *next;
42550 + struct user_acl_role_db role_db;
42551 + unsigned char pw[GR_PW_LEN];
42552 + unsigned char salt[GR_SALT_LEN];
42553 + unsigned char sum[GR_SHA_LEN];
42554 + unsigned char sp_role[GR_SPROLE_LEN];
42555 + struct sprole_pw *sprole_pws;
42556 + dev_t segv_device;
42557 + ino_t segv_inode;
42559 + __u16 num_sprole_pws;
42563 +struct gr_arg_wrapper {
42564 + struct gr_arg *arg;
42569 +struct subject_map {
42570 + struct acl_subject_label *user;
42571 + struct acl_subject_label *kernel;
42572 + struct subject_map *prev;
42573 + struct subject_map *next;
42576 +struct acl_subj_map_db {
42577 + struct subject_map **s_hash;
42581 +/* End Data Structures Section */
42583 +/* Hash functions generated by empirical testing by Brad Spengler
42584 + Makes good use of the low bits of the inode. Generally 0-1 times
42585 + in loop for successful match. 0-3 for unsuccessful match.
42586 + Shift/add algorithm with modulus of table size and an XOR*/
42588 +static __inline__ unsigned int
42589 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
42591 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
42594 + static __inline__ unsigned int
42595 +shash(const struct acl_subject_label *userp, const unsigned int sz)
42597 + return ((const unsigned long)userp % sz);
42600 +static __inline__ unsigned int
42601 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
42603 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
42606 +static __inline__ unsigned int
42607 +nhash(const char *name, const __u16 len, const unsigned int sz)
42609 + return full_name_hash((const unsigned char *)name, len) % sz;
42612 +#define FOR_EACH_ROLE_START(role) \
42613 + role = role_list; \
42616 +#define FOR_EACH_ROLE_END(role) \
42617 + role = role->prev; \
42620 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
42623 + while (iter < role->subj_hash_size) { \
42624 + if (subj == NULL) \
42625 + subj = role->subj_hash[iter]; \
42626 + if (subj == NULL) { \
42631 +#define FOR_EACH_SUBJECT_END(subj,iter) \
42632 + subj = subj->next; \
42633 + if (subj == NULL) \
42638 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
42639 + subj = role->hash->first; \
42640 + while (subj != NULL) {
42642 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
42643 + subj = subj->next; \
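Review bot: `rhash()` shifts by `16 + type`, so any `type` of 16 or more shifts a 32-bit value by at least its width, which is undefined behaviour in C. All four hash helpers also end in `% sz`, which divides by zero if a table size of 0 ever reaches them. Callers are not visible in this section, so they may always pass a small role type and a non-zero size, but the helpers should state it: `/* type must be < 16 so the shift is defined; sz must be non-zero */`. If the role-type flag values can reach `rhash()` unmasked, masking the shift count, `(16 + (type & 15))`, keeps existing hash values for small types and removes the undefined case.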
42648 diff -urNp linux-2.6.33/include/linux/gralloc.h linux-2.6.33/include/linux/gralloc.h
42649 --- linux-2.6.33/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
42650 +++ linux-2.6.33/include/linux/gralloc.h 2010-03-07 12:23:36.117645366 -0500
42652 +#ifndef __GRALLOC_H
42653 +#define __GRALLOC_H
42655 +void acl_free_all(void);
42656 +int acl_alloc_stack_init(unsigned long size);
42657 +void *acl_alloc(unsigned long len);
42658 +void *acl_alloc_num(unsigned long num, unsigned long len);
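Review bot: `acl_alloc_num(num, len)` takes a count and an element size, but the header does not say who checks `num * len` for overflow or what is returned on failure. The policy data these allocators serve is loaded from userspace, so the multiplication is a classic undersized-allocation risk if neither the callers nor the implementation checks it. The implementation is not in this section; please confirm it rejects an overflowing product and document the contract here, e.g. `/* returns NULL on failure, including when num * len would overflow */`. A line on ownership would help as well, since `acl_free_all()` suggests individual allocations are never freed by the caller.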
42661 diff -urNp linux-2.6.33/include/linux/grdefs.h linux-2.6.33/include/linux/grdefs.h
42662 --- linux-2.6.33/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
42663 +++ linux-2.6.33/include/linux/grdefs.h 2010-03-07 12:23:36.117645366 -0500
42668 +/* Begin grsecurity status declarations */
42672 + GR_STATUS_INIT = 0x00 // disabled state
42675 +/* Begin ACL declarations */
42680 + GR_ROLE_USER = 0x0001,
42681 + GR_ROLE_GROUP = 0x0002,
42682 + GR_ROLE_DEFAULT = 0x0004,
42683 + GR_ROLE_SPECIAL = 0x0008,
42684 + GR_ROLE_AUTH = 0x0010,
42685 + GR_ROLE_NOPW = 0x0020,
42686 + GR_ROLE_GOD = 0x0040,
42687 + GR_ROLE_LEARN = 0x0080,
42688 + GR_ROLE_TPE = 0x0100,
42689 + GR_ROLE_DOMAIN = 0x0200,
42690 + GR_ROLE_PAM = 0x0400
42693 +/* ACL Subject and Object mode flags */
42695 + GR_DELETED = 0x80000000
42698 +/* ACL Object-only mode flags */
42700 + GR_READ = 0x00000001,
42701 + GR_APPEND = 0x00000002,
42702 + GR_WRITE = 0x00000004,
42703 + GR_EXEC = 0x00000008,
42704 + GR_FIND = 0x00000010,
42705 + GR_INHERIT = 0x00000020,
42706 + GR_SETID = 0x00000040,
42707 + GR_CREATE = 0x00000080,
42708 + GR_DELETE = 0x00000100,
42709 + GR_LINK = 0x00000200,
42710 + GR_AUDIT_READ = 0x00000400,
42711 + GR_AUDIT_APPEND = 0x00000800,
42712 + GR_AUDIT_WRITE = 0x00001000,
42713 + GR_AUDIT_EXEC = 0x00002000,
42714 + GR_AUDIT_FIND = 0x00004000,
42715 + GR_AUDIT_INHERIT= 0x00008000,
42716 + GR_AUDIT_SETID = 0x00010000,
42717 + GR_AUDIT_CREATE = 0x00020000,
42718 + GR_AUDIT_DELETE = 0x00040000,
42719 + GR_AUDIT_LINK = 0x00080000,
42720 + GR_PTRACERD = 0x00100000,
42721 + GR_NOPTRACE = 0x00200000,
42722 + GR_SUPPRESS = 0x00400000,
42723 + GR_NOLEARN = 0x00800000
42726 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
42727 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
42728 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
42730 +/* ACL subject-only mode flags */
42732 + GR_KILL = 0x00000001,
42733 + GR_VIEW = 0x00000002,
42734 + GR_PROTECTED = 0x00000004,
42735 + GR_LEARN = 0x00000008,
42736 + GR_OVERRIDE = 0x00000010,
42737 + /* just a placeholder, this mode is only used in userspace */
42738 + GR_DUMMY = 0x00000020,
42739 + GR_PROTSHM = 0x00000040,
42740 + GR_KILLPROC = 0x00000080,
42741 + GR_KILLIPPROC = 0x00000100,
42742 + /* just a placeholder, this mode is only used in userspace */
42743 + GR_NOTROJAN = 0x00000200,
42744 + GR_PROTPROCFD = 0x00000400,
42745 + GR_PROCACCT = 0x00000800,
42746 + GR_RELAXPTRACE = 0x00001000,
42747 + GR_NESTED = 0x00002000,
42748 + GR_INHERITLEARN = 0x00004000,
42749 + GR_PROCFIND = 0x00008000,
42750 + GR_POVERRIDE = 0x00010000,
42751 + GR_KERNELAUTH = 0x00020000,
42755 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
42756 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
42757 + GR_PAX_ENABLE_MPROTECT = 0x0004,
42758 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
42759 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
42760 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
42761 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
42762 + GR_PAX_DISABLE_MPROTECT = 0x0400,
42763 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
42764 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
42768 + GR_ID_USER = 0x01,
42769 + GR_ID_GROUP = 0x02,
42773 + GR_ID_ALLOW = 0x01,
42774 + GR_ID_DENY = 0x02,
42777 +#define GR_CRASH_RES 31
42778 +#define GR_UIDTABLE_MAX 500
42780 +/* begin resource learning section */
42782 + GR_RLIM_CPU_BUMP = 60,
42783 + GR_RLIM_FSIZE_BUMP = 50000,
42784 + GR_RLIM_DATA_BUMP = 10000,
42785 + GR_RLIM_STACK_BUMP = 1000,
42786 + GR_RLIM_CORE_BUMP = 10000,
42787 + GR_RLIM_RSS_BUMP = 500000,
42788 + GR_RLIM_NPROC_BUMP = 1,
42789 + GR_RLIM_NOFILE_BUMP = 5,
42790 + GR_RLIM_MEMLOCK_BUMP = 50000,
42791 + GR_RLIM_AS_BUMP = 500000,
42792 + GR_RLIM_LOCKS_BUMP = 2,
42793 + GR_RLIM_SIGPENDING_BUMP = 5,
42794 + GR_RLIM_MSGQUEUE_BUMP = 10000,
42795 + GR_RLIM_NICE_BUMP = 1,
42796 + GR_RLIM_RTPRIO_BUMP = 1,
42797 + GR_RLIM_RTTIME_BUMP = 1000000
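Review bot: `GR_DELETED = 0x80000000` is not representable as `int`, so as an enumerator it relies on a GNU C extension and gives that enum a different underlying type from its siblings. Comparisons against a signed mode variable would then be sign-dependent. The object-only and subject-only enums also reuse the same low bit values (`GR_READ` and `GR_KILL` are both 0x00000001), so a subject flag tested against an object mode compiles without complaint. I would add a comment above each enum naming the field it applies to, and write the high bit as `#define GR_DELETED 0x80000000U`, or at least note that the mode fields holding it must be unsigned 32-bit.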
42801 diff -urNp linux-2.6.33/include/linux/grinternal.h linux-2.6.33/include/linux/grinternal.h
42802 --- linux-2.6.33/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
42803 +++ linux-2.6.33/include/linux/grinternal.h 2010-03-07 12:23:36.117645366 -0500
42805 +#ifndef __GRINTERNAL_H
42806 +#define __GRINTERNAL_H
42808 +#ifdef CONFIG_GRKERNSEC
42810 +#include <linux/fs.h>
42811 +#include <linux/mnt_namespace.h>
42812 +#include <linux/nsproxy.h>
42813 +#include <linux/gracl.h>
42814 +#include <linux/grdefs.h>
42815 +#include <linux/grmsg.h>
42817 +void gr_add_learn_entry(const char *fmt, ...)
42818 + __attribute__ ((format (printf, 1, 2)));
42819 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
42820 + const struct vfsmount *mnt);
42821 +__u32 gr_check_create(const struct dentry *new_dentry,
42822 + const struct dentry *parent,
42823 + const struct vfsmount *mnt, const __u32 mode);
42824 +int gr_check_protected_task(const struct task_struct *task);
42825 +__u32 to_gr_audit(const __u32 reqmode);
42826 +int gr_set_acls(const int type);
42828 +int gr_acl_is_enabled(void);
42829 +char gr_roletype_to_char(void);
42831 +void gr_handle_alertkill(struct task_struct *task);
42832 +char *gr_to_filename(const struct dentry *dentry,
42833 + const struct vfsmount *mnt);
42834 +char *gr_to_filename1(const struct dentry *dentry,
42835 + const struct vfsmount *mnt);
42836 +char *gr_to_filename2(const struct dentry *dentry,
42837 + const struct vfsmount *mnt);
42838 +char *gr_to_filename3(const struct dentry *dentry,
42839 + const struct vfsmount *mnt);
42841 +extern int grsec_enable_harden_ptrace;
42842 +extern int grsec_enable_link;
42843 +extern int grsec_enable_fifo;
42844 +extern int grsec_enable_execve;
42845 +extern int grsec_enable_shm;
42846 +extern int grsec_enable_execlog;
42847 +extern int grsec_enable_signal;
42848 +extern int grsec_enable_audit_ptrace;
42849 +extern int grsec_enable_forkfail;
42850 +extern int grsec_enable_time;
42851 +extern int grsec_enable_rofs;
42852 +extern int grsec_enable_chroot_shmat;
42853 +extern int grsec_enable_chroot_findtask;
42854 +extern int grsec_enable_chroot_mount;
42855 +extern int grsec_enable_chroot_double;
42856 +extern int grsec_enable_chroot_pivot;
42857 +extern int grsec_enable_chroot_chdir;
42858 +extern int grsec_enable_chroot_chmod;
42859 +extern int grsec_enable_chroot_mknod;
42860 +extern int grsec_enable_chroot_fchdir;
42861 +extern int grsec_enable_chroot_nice;
42862 +extern int grsec_enable_chroot_execlog;
42863 +extern int grsec_enable_chroot_caps;
42864 +extern int grsec_enable_chroot_sysctl;
42865 +extern int grsec_enable_chroot_unix;
42866 +extern int grsec_enable_tpe;
42867 +extern int grsec_tpe_gid;
42868 +extern int grsec_enable_tpe_all;
42869 +extern int grsec_enable_sidcaps;
42870 +extern int grsec_enable_socket_all;
42871 +extern int grsec_socket_all_gid;
42872 +extern int grsec_enable_socket_client;
42873 +extern int grsec_socket_client_gid;
42874 +extern int grsec_enable_socket_server;
42875 +extern int grsec_socket_server_gid;
42876 +extern int grsec_audit_gid;
42877 +extern int grsec_enable_group;
42878 +extern int grsec_enable_audit_textrel;
42879 +extern int grsec_enable_mount;
42880 +extern int grsec_enable_chdir;
42881 +extern int grsec_resource_logging;
42882 +extern int grsec_lock;
42884 +extern spinlock_t grsec_alert_lock;
42885 +extern unsigned long grsec_alert_wtime;
42886 +extern unsigned long grsec_alert_fyet;
42888 +extern spinlock_t grsec_audit_lock;
42890 +extern rwlock_t grsec_exec_file_lock;
42892 +#define gr_task_fullpath(tsk) (tsk->exec_file ? \
42893 + gr_to_filename2(tsk->exec_file->f_path.dentry, \
42894 + tsk->exec_file->f_vfsmnt) : "/")
42896 +#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \
42897 + gr_to_filename3(tsk->parent->exec_file->f_path.dentry, \
42898 + tsk->parent->exec_file->f_vfsmnt) : "/")
42900 +#define gr_task_fullpath0(tsk) (tsk->exec_file ? \
42901 + gr_to_filename(tsk->exec_file->f_path.dentry, \
42902 + tsk->exec_file->f_vfsmnt) : "/")
42904 +#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \
42905 + gr_to_filename1(tsk->parent->exec_file->f_path.dentry, \
42906 + tsk->parent->exec_file->f_vfsmnt) : "/")
42908 +#define proc_is_chrooted(tsk_a) ((tsk_a->pid > 1) && (tsk_a->fs != NULL) && \
42909 + ((init_task.fs->root.dentry != tsk_a->fs->root.dentry) && \
42910 + (tsk_a->nsproxy->mnt_ns->root->mnt_root != \
42911 + tsk_a->fs->root.dentry)))
42913 +#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs != NULL) && (tsk_b->fs != NULL) && \
42914 + (tsk_a->fs->root.dentry == tsk_b->fs->root.dentry))
42916 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), task->comm, \
42917 + task->pid, cred->uid, \
42918 + cred->euid, cred->gid, cred->egid, \
42919 + gr_parent_task_fullpath(task), \
42920 + task->parent->comm, task->parent->pid, \
42921 + pcred->uid, pcred->euid, \
42922 + pcred->gid, pcred->egid
42924 +#define GR_CHROOT_CAPS {{ \
42925 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
42926 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
42927 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
42928 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
42929 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
42930 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
42932 +#define security_learn(normal_msg,args...) \
42934 + read_lock(&grsec_exec_file_lock); \
42935 + gr_add_learn_entry(normal_msg "\n", ## args); \
42936 + read_unlock(&grsec_exec_file_lock); \
42942 + GR_DONT_AUDIT_GOOD
42953 + GR_SYSCTL_HIDDEN,
42956 + GR_ONE_INT_TWO_STR,
42961 + GR_FIVE_INT_TWO_STR,
42967 + GR_FILENAME_TWO_INT,
42968 + GR_FILENAME_TWO_INT_STR,
42980 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
42981 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
42982 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
42983 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
42984 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
42985 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
42986 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
42987 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
42988 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
42989 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
42990 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
42991 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
42992 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
42993 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
42994 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
42995 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
42996 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
42997 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
42998 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
42999 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
43000 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
43001 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
43002 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
43003 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
43004 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
43005 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
43006 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
43007 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
43008 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
43009 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
43010 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
43011 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
43013 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
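Review bot: `proc_is_chrooted()` tests `tsk_a->fs` for NULL but then dereferences `tsk_a->nsproxy->mnt_ns->root` unguarded, so evaluating it on a task that has already released its namespaces would be a NULL dereference inside a security check. Adding `(tsk_a->nsproxy != NULL) &&` after the `fs` test would make the guard consistent. Whether callers hold a lock that pins these fields is not visible in this section. The path and chroot macros also expand their argument several times without parentheses (`tsk->parent->exec_file` in `gr_parent_task_fullpath`), so they are only safe with a plain identifier as argument; static inline functions would remove that hazard and give the task pointer a checked type.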
43018 diff -urNp linux-2.6.33/include/linux/grmsg.h linux-2.6.33/include/linux/grmsg.h
43019 --- linux-2.6.33/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
43020 +++ linux-2.6.33/include/linux/grmsg.h 2010-03-07 12:23:36.117645366 -0500
43022 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
43023 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
43024 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
43025 +#define GR_STOPMOD_MSG "denied modification of module state by "
43026 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
43027 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
43028 +#define GR_IOPERM_MSG "denied use of ioperm() by "
43029 +#define GR_IOPL_MSG "denied use of iopl() by "
43030 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
43031 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
43032 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
43033 +#define GR_KMEM_MSG "denied write of /dev/kmem by "
43034 +#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
43035 +#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
43036 +#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
43037 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
43038 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
43039 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
43040 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
43041 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
43042 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
43043 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
43044 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
43045 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
43046 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
43047 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
43048 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
43049 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
43050 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
43051 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
43052 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
43053 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
43054 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
43055 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
43056 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
43057 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
43058 +#define GR_NPROC_MSG "denied overstep of process limit by "
43059 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
43060 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
43061 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
43062 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
43063 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
43064 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
43065 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
43066 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
43067 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
43068 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
43069 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
43070 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
43071 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
43072 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
43073 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
43074 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
43075 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
43076 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
43077 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
43078 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
43079 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
43080 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
43081 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
43082 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
43083 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
43084 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
43085 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
43086 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
43087 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
43088 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
43089 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
43090 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
43091 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
43092 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
43093 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
43094 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
43095 +#define GR_UNSPROLEF_ACL_MSG "special role unauth of %s failure for "
43096 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
43097 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
43098 +#define GR_FAILFORK_MSG "failed fork with errno %d by "
43099 +#define GR_NICE_CHROOT_MSG "denied priority change by "
43100 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
43101 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
43102 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
43103 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
43104 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
43105 +#define GR_TIME_MSG "time set by "
43106 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
43107 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
43108 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
43109 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
43110 +#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
43111 +#define GR_BIND_MSG "denied bind() by "
43112 +#define GR_CONNECT_MSG "denied connect() by "
43113 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
43114 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
43115 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
43116 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
43117 +#define GR_CAP_ACL_MSG "use of %s denied for "
43118 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
43119 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
43120 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
43121 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
43122 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
43123 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
43124 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
43125 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
43126 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
43127 +#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
43128 +#define GR_VM86_MSG "denied use of vm86 by "
43129 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
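Review bot: GR_LEARN_AUDIT_MSG, GR_ID_LEARN_MSG and GR_IP_LEARN_MSG are tab-separated records whose path fields are filled with `%.4095s`, and most other messages splice paths and task names in with `%.950s` or `%.16s`; the precision caps the length but does nothing about tabs, newlines or other control bytes inside those strings. Whether the logging code escapes them is not visible in this header, so anything that parses the learning log or alerts on these lines should treat the fields as untrusted until that is confirmed. A header comment would make the contract explicit, for example `/* %s arguments must have control characters escaped by the caller; the precisions only cap length */`. Separately, GR_DEV_ACL_MSG reads "being fed garbaged by", which looks like a typo for "garbage".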
43130 diff -urNp linux-2.6.33/include/linux/grsecurity.h linux-2.6.33/include/linux/grsecurity.h
43131 --- linux-2.6.33/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
43132 +++ linux-2.6.33/include/linux/grsecurity.h 2010-03-07 12:23:36.117645366 -0500
43134 +#ifndef GR_SECURITY_H
43135 +#define GR_SECURITY_H
43136 +#include <linux/fs.h>
43137 +#include <linux/fs_struct.h>
43138 +#include <linux/binfmts.h>
43139 +#include <linux/gracl.h>
43141 +/* notify of brain-dead configs */
43142 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
43143 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
43145 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
43146 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
43148 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
43149 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
43151 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
43152 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
43154 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
43155 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
43158 +void gr_handle_brute_attach(struct task_struct *p);
43159 +void gr_handle_brute_check(void);
43161 +char gr_roletype_to_char(void);
43163 +int gr_check_user_change(int real, int effective, int fs);
43164 +int gr_check_group_change(int real, int effective, int fs);
43166 +void gr_del_task_from_ip_table(struct task_struct *p);
43168 +int gr_pid_is_chrooted(struct task_struct *p);
43169 +int gr_handle_chroot_nice(void);
43170 +int gr_handle_chroot_sysctl(const int op);
43171 +int gr_handle_chroot_setpriority(struct task_struct *p,
43172 + const int niceval);
43173 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
43174 +int gr_handle_chroot_chroot(const struct dentry *dentry,
43175 + const struct vfsmount *mnt);
43176 +int gr_handle_chroot_caps(struct path *path);
43177 +void gr_handle_chroot_chdir(struct path *path);
43178 +int gr_handle_chroot_chmod(const struct dentry *dentry,
43179 + const struct vfsmount *mnt, const int mode);
43180 +int gr_handle_chroot_mknod(const struct dentry *dentry,
43181 + const struct vfsmount *mnt, const int mode);
43182 +int gr_handle_chroot_mount(const struct dentry *dentry,
43183 + const struct vfsmount *mnt,
43184 + const char *dev_name);
43185 +int gr_handle_chroot_pivot(void);
43186 +int gr_handle_chroot_unix(const pid_t pid);
43188 +int gr_handle_rawio(const struct inode *inode);
43189 +int gr_handle_nproc(void);
43191 +void gr_handle_ioperm(void);
43192 +void gr_handle_iopl(void);
43194 +int gr_tpe_allow(const struct file *file);
43196 +int gr_random_pid(void);
43198 +void gr_log_forkfail(const int retval);
43199 +void gr_log_timechange(void);
43200 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
43201 +void gr_log_chdir(const struct dentry *dentry,
43202 + const struct vfsmount *mnt);
43203 +void gr_log_chroot_exec(const struct dentry *dentry,
43204 + const struct vfsmount *mnt);
43205 +void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
43206 +void gr_log_remount(const char *devname, const int retval);
43207 +void gr_log_unmount(const char *devname, const int retval);
43208 +void gr_log_mount(const char *from, const char *to, const int retval);
43209 +void gr_log_textrel(struct vm_area_struct *vma);
43211 +int gr_handle_follow_link(const struct inode *parent,
43212 + const struct inode *inode,
43213 + const struct dentry *dentry,
43214 + const struct vfsmount *mnt);
43215 +int gr_handle_fifo(const struct dentry *dentry,
43216 + const struct vfsmount *mnt,
43217 + const struct dentry *dir, const int flag,
43218 + const int acc_mode);
43219 +int gr_handle_hardlink(const struct dentry *dentry,
43220 + const struct vfsmount *mnt,
43221 + struct inode *inode,
43222 + const int mode, const char *to);
43224 +int gr_is_capable(const int cap);
43225 +int gr_is_capable_nolog(const int cap);
43226 +void gr_learn_resource(const struct task_struct *task, const int limit,
43227 + const unsigned long wanted, const int gt);
43228 +void gr_copy_label(struct task_struct *tsk);
43229 +void gr_handle_crash(struct task_struct *task, const int sig);
43230 +int gr_handle_signal(const struct task_struct *p, const int sig);
43231 +int gr_check_crash_uid(const uid_t uid);
43232 +int gr_check_protected_task(const struct task_struct *task);
43233 +int gr_acl_handle_mmap(const struct file *file,
43234 + const unsigned long prot);
43235 +int gr_acl_handle_mprotect(const struct file *file,
43236 + const unsigned long prot);
43237 +int gr_check_hidden_task(const struct task_struct *tsk);
43238 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
43239 + const struct vfsmount *mnt);
43240 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
43241 + const struct vfsmount *mnt);
43242 +__u32 gr_acl_handle_access(const struct dentry *dentry,
43243 + const struct vfsmount *mnt, const int fmode);
43244 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
43245 + const struct vfsmount *mnt, mode_t mode);
43246 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
43247 + const struct vfsmount *mnt, mode_t mode);
43248 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
43249 + const struct vfsmount *mnt);
43250 +int gr_handle_ptrace(struct task_struct *task, const long request);
43251 +int gr_handle_proc_ptrace(struct task_struct *task);
43252 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
43253 + const struct vfsmount *mnt);
43254 +int gr_check_crash_exec(const struct file *filp);
43255 +int gr_acl_is_enabled(void);
43256 +void gr_set_kernel_label(struct task_struct *task);
43257 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
43258 + const gid_t gid);
43259 +int gr_set_proc_label(const struct dentry *dentry,
43260 + const struct vfsmount *mnt,
43261 + const int unsafe_share);
43262 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
43263 + const struct vfsmount *mnt);
43264 +__u32 gr_acl_handle_open(const struct dentry *dentry,
43265 + const struct vfsmount *mnt, const int fmode);
43266 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
43267 + const struct dentry *p_dentry,
43268 + const struct vfsmount *p_mnt, const int fmode,
43269 + const int imode);
43270 +void gr_handle_create(const struct dentry *dentry,
43271 + const struct vfsmount *mnt);
43272 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
43273 + const struct dentry *parent_dentry,
43274 + const struct vfsmount *parent_mnt,
43276 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
43277 + const struct dentry *parent_dentry,
43278 + const struct vfsmount *parent_mnt);
43279 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
43280 + const struct vfsmount *mnt);
43281 +void gr_handle_delete(const ino_t ino, const dev_t dev);
43282 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
43283 + const struct vfsmount *mnt);
43284 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
43285 + const struct dentry *parent_dentry,
43286 + const struct vfsmount *parent_mnt,
43287 + const char *from);
43288 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
43289 + const struct dentry *parent_dentry,
43290 + const struct vfsmount *parent_mnt,
43291 + const struct dentry *old_dentry,
43292 + const struct vfsmount *old_mnt, const char *to);
43293 +int gr_acl_handle_rename(struct dentry *new_dentry,
43294 + struct dentry *parent_dentry,
43295 + const struct vfsmount *parent_mnt,
43296 + struct dentry *old_dentry,
43297 + struct inode *old_parent_inode,
43298 + struct vfsmount *old_mnt, const char *newname);
43299 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
43300 + struct dentry *old_dentry,
43301 + struct dentry *new_dentry,
43302 + struct vfsmount *mnt, const __u8 replace);
43303 +__u32 gr_check_link(const struct dentry *new_dentry,
43304 + const struct dentry *parent_dentry,
43305 + const struct vfsmount *parent_mnt,
43306 + const struct dentry *old_dentry,
43307 + const struct vfsmount *old_mnt);
43308 +int gr_acl_handle_filldir(const struct file *file, const char *name,
43309 + const unsigned int namelen, const ino_t ino);
43311 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
43312 + const struct vfsmount *mnt);
43313 +void gr_acl_handle_exit(void);
43314 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
43315 +int gr_acl_handle_procpidmem(const struct task_struct *task);
43316 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
43317 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
43318 +void gr_audit_ptrace(struct task_struct *task);
43320 +#ifdef CONFIG_GRKERNSEC
43321 +void gr_log_nonroot_mod_load(const char *modname);
43322 +void gr_handle_vm86(void);
43323 +void gr_handle_mem_write(void);
43324 +void gr_handle_kmem_write(void);
43325 +void gr_handle_open_port(void);
43326 +int gr_handle_mem_mmap(const unsigned long offset,
43327 + struct vm_area_struct *vma);
43329 +extern int grsec_enable_dmesg;
43330 +extern int grsec_enable_randsrc;
43331 +extern int grsec_enable_shm;
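Review bot: None of these hook prototypes state which return value means "deny": the `gr_handle_*` and `gr_check_*` functions return `int` while most of the `gr_acl_handle_*` family returns `__u32`, and a call site that guesses the polarity wrong fails open. The definitions are outside this header, so the convention cannot be confirmed from here. A block comment above each group (for example `/* returns non-zero when the operation must be refused */`, adjusted to what the implementation actually does) would let call sites be audited against the header alone. gr_check_user_change() and gr_check_group_change() also take IDs as `int` where gr_check_crash_uid() takes `uid_t`; if a negative value is the "unchanged" sentinel, that deserves a comment as well.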
43335 diff -urNp linux-2.6.33/include/linux/grsock.h linux-2.6.33/include/linux/grsock.h
43336 --- linux-2.6.33/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
43337 +++ linux-2.6.33/include/linux/grsock.h 2010-03-07 12:23:36.117645366 -0500
43339 +#ifndef __GRSOCK_H
43340 +#define __GRSOCK_H
43342 +extern void gr_attach_curr_ip(const struct sock *sk);
43343 +extern int gr_handle_sock_all(const int family, const int type,
43344 + const int protocol);
43345 +extern int gr_handle_sock_server(const struct sockaddr *sck);
43346 +extern int gr_handle_sock_server_other(const struct socket *sck);
43347 +extern int gr_handle_sock_client(const struct sockaddr *sck);
43348 +extern int gr_search_connect(struct socket * sock,
43349 + struct sockaddr_in * addr);
43350 +extern int gr_search_bind(struct socket * sock,
43351 + struct sockaddr_in * addr);
43352 +extern int gr_search_listen(struct socket * sock);
43353 +extern int gr_search_accept(struct socket * sock);
43354 +extern int gr_search_socket(const int domain, const int type,
43355 + const int protocol);
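Review bot: The prototypes name `struct sock`, `struct socket`, `struct sockaddr` and `struct sockaddr_in`, but the header shows neither includes nor forward declarations, so it only compiles cleanly when every includer has already pulled in the socket headers (lines may have been dropped from this listing). Adding `struct sock; struct socket; struct sockaddr; struct sockaddr_in;` after the guard would make it self-contained. gr_search_connect() and gr_search_bind() take `struct sockaddr_in *`, so as declared they describe IPv4 addresses only; how other address families are handled is not visible here and is worth a comment.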
43358 diff -urNp linux-2.6.33/include/linux/hdpu_features.h linux-2.6.33/include/linux/hdpu_features.h
43359 --- linux-2.6.33/include/linux/hdpu_features.h 2010-02-24 13:52:17.000000000 -0500
43360 +++ linux-2.6.33/include/linux/hdpu_features.h 2010-03-07 12:23:36.117645366 -0500
43362 struct cpustate_t {
43366 + atomic_t open_count;
43367 unsigned char cached_val;
43369 unsigned long *set_addr;
43370 diff -urNp linux-2.6.33/include/linux/highmem.h linux-2.6.33/include/linux/highmem.h
43371 --- linux-2.6.33/include/linux/highmem.h 2010-02-24 13:52:17.000000000 -0500
43372 +++ linux-2.6.33/include/linux/highmem.h 2010-03-07 12:23:36.117645366 -0500
43373 @@ -137,6 +137,18 @@ static inline void clear_highpage(struct
43374 kunmap_atomic(kaddr, KM_USER0);
43377 +static inline void sanitize_highpage(struct page *page)
43380 + unsigned long flags;
43382 + local_irq_save(flags);
43383 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
43384 + clear_page(kaddr);
43385 + kunmap_atomic(kaddr, KM_CLEARPAGE);
43386 + local_irq_restore(flags);
43389 static inline void zero_user_segments(struct page *page,
43390 unsigned start1, unsigned end1,
43391 unsigned start2, unsigned end2)
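Review bot: sanitize_highpage() is added without a comment saying why it exists beside clear_highpage() or why it needs interrupts disabled. From the hunk it maps the page in the `KM_CLEARPAGE` slot inside local_irq_save()/local_irq_restore() and clears it, which suggests the slot can also be used from interrupt context, but that is not shown here. Suggested comment: `/* Zero a page through the KM_CLEARPAGE slot; IRQs stay off while the mapping is live (confirm: slot is shared with interrupt context) */`. The function's braces and the `kaddr` declaration are missing from this listing.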
43392 diff -urNp linux-2.6.33/include/linux/init_task.h linux-2.6.33/include/linux/init_task.h
43393 --- linux-2.6.33/include/linux/init_task.h 2010-02-24 13:52:17.000000000 -0500
43394 +++ linux-2.6.33/include/linux/init_task.h 2010-03-07 12:23:36.117645366 -0500
43395 @@ -111,6 +111,13 @@ extern struct cred init_cred;
43396 # define INIT_PERF_EVENTS(tsk)
43399 +#ifdef CONFIG_GRKERNSEC
43400 +# define INIT_GR_FS_LOCK \
43401 + .gr_fs_lock = __RW_LOCK_UNLOCKED(gr_fs_lock),
43403 +# define INIT_GR_FS_LOCK
43407 * INIT_TASK is used to set up the first task table, touch at
43408 * your own risk!. Base=0, limit=0x1fffff (=2MB)
43409 @@ -180,6 +187,7 @@ extern struct cred init_cred;
43410 INIT_FTRACE_GRAPH \
43411 INIT_TRACE_RECURSION \
43412 INIT_TASK_RCU_PREEMPT(tsk) \
43413 + INIT_GR_FS_LOCK \
43417 diff -urNp linux-2.6.33/include/linux/interrupt.h linux-2.6.33/include/linux/interrupt.h
43418 --- linux-2.6.33/include/linux/interrupt.h 2010-02-24 13:52:17.000000000 -0500
43419 +++ linux-2.6.33/include/linux/interrupt.h 2010-03-07 12:23:36.117645366 -0500
43420 @@ -357,7 +357,7 @@ enum
43421 /* map softirq index to softirq name. update 'softirq_to_name' in
43422 * kernel/softirq.c when adding a new softirq.
43424 -extern char *softirq_to_name[NR_SOFTIRQS];
43425 +extern const char * const softirq_to_name[NR_SOFTIRQS];
43427 /* softirq mask and active fields moved to irq_cpustat_t in
43428 * asm/hardirq.h to get better cache usage. KAO
43429 @@ -365,12 +365,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
43431 struct softirq_action
43433 - void (*action)(struct softirq_action *);
43434 + void (*action)(void);
43437 asmlinkage void do_softirq(void);
43438 asmlinkage void __do_softirq(void);
43439 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
43440 +extern void open_softirq(int nr, void (*action)(void));
43441 extern void softirq_init(void);
43442 #define __raise_softirq_irqoff(nr) do { or_softirq_pending(1UL << (nr)); } while (0)
43443 extern void raise_softirq_irqoff(unsigned int nr);
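Review bot: Changing `action` and open_softirq() to `void (*)(void)` makes every handler still written as `void h(struct softirq_action *)` incompatible, and one that is cast to the new type instead of being converted would be called through a mismatched function type. The conversions of the existing handlers are outside this hunk, so they cannot be checked from here. A one-line comment on the prototype would record the rule, e.g. `/* handlers take no argument; convert old-style handlers, never cast them */`.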
43444 diff -urNp linux-2.6.33/include/linux/jbd2.h linux-2.6.33/include/linux/jbd2.h
43445 --- linux-2.6.33/include/linux/jbd2.h 2010-02-24 13:52:17.000000000 -0500
43446 +++ linux-2.6.33/include/linux/jbd2.h 2010-03-07 12:23:36.121768113 -0500
43447 @@ -66,7 +66,7 @@ extern u8 jbd2_journal_enable_debug;
43451 -#define jbd_debug(f, a...) /**/
43452 +#define jbd_debug(f, a...) do {} while (0)
43455 static inline void *jbd2_alloc(size_t size, gfp_t flags)
43456 diff -urNp linux-2.6.33/include/linux/jbd.h linux-2.6.33/include/linux/jbd.h
43457 --- linux-2.6.33/include/linux/jbd.h 2010-02-24 13:52:17.000000000 -0500
43458 +++ linux-2.6.33/include/linux/jbd.h 2010-03-07 12:23:36.121768113 -0500
43459 @@ -66,7 +66,7 @@ extern u8 journal_enable_debug;
43463 -#define jbd_debug(f, a...) /**/
43464 +#define jbd_debug(f, a...) do {} while (0)
43467 static inline void *jbd_alloc(size_t size, gfp_t flags)
43468 diff -urNp linux-2.6.33/include/linux/kallsyms.h linux-2.6.33/include/linux/kallsyms.h
43469 --- linux-2.6.33/include/linux/kallsyms.h 2010-02-24 13:52:17.000000000 -0500
43470 +++ linux-2.6.33/include/linux/kallsyms.h 2010-03-07 12:23:36.121768113 -0500
43475 -#ifdef CONFIG_KALLSYMS
43476 +#ifndef __INCLUDED_BY_HIDESYM
43477 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
43478 /* Lookup the address for a symbol. Returns 0 if not found. */
43479 unsigned long kallsyms_lookup_name(const char *name);
43481 @@ -92,6 +93,9 @@ static inline int lookup_symbol_attrs(un
43482 /* Stupid that this does nothing, but I didn't create this mess. */
43483 #define __print_symbol(fmt, addr)
43484 #endif /*CONFIG_KALLSYMS*/
43485 +#else /* when included by kallsyms.c, with HIDESYM enabled */
43486 +extern void __print_symbol(const char *fmt, unsigned long address);
43489 /* This macro allows us to keep printk typechecking */
43490 static void __check_printsym_format(const char *fmt, ...)
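Review bot: The context line `#endif /*CONFIG_KALLSYMS*/` no longer matches its `#if`, which this patch changes to `defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)`, and the new outer `#ifndef __INCLUDED_BY_HIDESYM` carries no explanation at the point where it opens. As written, a file that defines `__INCLUDED_BY_HIDESYM` gets only the `__print_symbol` prototype from this block, and with HIDESYM enabled every other includer appears to fall through to the stub branch. Updating the comment to `#endif /* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */` and adding `/* only kallsyms.c defines __INCLUDED_BY_HIDESYM; all other users get the stubs when HIDESYM is on */` above the `#ifndef` would make that intent auditable. The closing `#endif` of the outer block is not visible in this listing.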
43491 diff -urNp linux-2.6.33/include/linux/kgdb.h linux-2.6.33/include/linux/kgdb.h
43492 --- linux-2.6.33/include/linux/kgdb.h 2010-02-24 13:52:17.000000000 -0500
43493 +++ linux-2.6.33/include/linux/kgdb.h 2010-03-07 12:23:36.121768113 -0500
43494 @@ -250,20 +250,20 @@ struct kgdb_arch {
43498 - int (*read_char) (void);
43499 - void (*write_char) (u8);
43500 - void (*flush) (void);
43501 - int (*init) (void);
43502 - void (*pre_exception) (void);
43503 - void (*post_exception) (void);
43504 + int (* const read_char) (void);
43505 + void (* const write_char) (u8);
43506 + void (* const flush) (void);
43507 + int (* const init) (void);
43508 + void (* const pre_exception) (void);
43509 + void (* const post_exception) (void);
43512 -extern struct kgdb_arch arch_kgdb_ops;
43513 +extern const struct kgdb_arch arch_kgdb_ops;
43515 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
43517 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
43518 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
43519 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
43520 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
43522 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
43523 extern int kgdb_mem2hex(char *mem, char *buf, int count);
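Review bot: Declaring the I/O callbacks as `(* const read_char)` … `(* const post_exception)` stops later assignment to those members, but it does not by itself put any instance in read-only memory; that only happens where the object is defined `const`, as is done here for `arch_kgdb_ops`. The driver-side definitions are outside this hunk, so it is worth checking that every object passed to kgdb_register_io_module() is now a statically initialised `static const` structure. The same applies to `struct kset_uevent_ops` in kobject.h and `struct nlmsvc_binding` in lockd/bind.h further down, where `nlmsvc_ops` itself remains a writable pointer to const data. A short comment on each struct, such as `/* instances must be defined const so the table lands in read-only data */`, would record the intent.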
43524 diff -urNp linux-2.6.33/include/linux/kobject.h linux-2.6.33/include/linux/kobject.h
43525 --- linux-2.6.33/include/linux/kobject.h 2010-02-24 13:52:17.000000000 -0500
43526 +++ linux-2.6.33/include/linux/kobject.h 2010-03-07 12:23:36.121768113 -0500
43527 @@ -106,7 +106,7 @@ extern char *kobject_get_path(struct kob
43530 void (*release)(struct kobject *kobj);
43531 - struct sysfs_ops *sysfs_ops;
43532 + const struct sysfs_ops *sysfs_ops;
43533 struct attribute **default_attrs;
43536 @@ -118,9 +118,9 @@ struct kobj_uevent_env {
43539 struct kset_uevent_ops {
43540 - int (*filter)(struct kset *kset, struct kobject *kobj);
43541 - const char *(*name)(struct kset *kset, struct kobject *kobj);
43542 - int (*uevent)(struct kset *kset, struct kobject *kobj,
43543 + int (* const filter)(struct kset *kset, struct kobject *kobj);
43544 + const char *(* const name)(struct kset *kset, struct kobject *kobj);
43545 + int (* const uevent)(struct kset *kset, struct kobject *kobj,
43546 struct kobj_uevent_env *env);
43549 @@ -132,7 +132,7 @@ struct kobj_attribute {
43550 const char *buf, size_t count);
43553 -extern struct sysfs_ops kobj_sysfs_ops;
43554 +extern const struct sysfs_ops kobj_sysfs_ops;
43557 * struct kset - a set of kobjects of a specific type, belonging to a specific subsystem.
43558 @@ -155,14 +155,14 @@ struct kset {
43559 struct list_head list;
43560 spinlock_t list_lock;
43561 struct kobject kobj;
43562 - struct kset_uevent_ops *uevent_ops;
43563 + const struct kset_uevent_ops *uevent_ops;
43566 extern void kset_init(struct kset *kset);
43567 extern int __must_check kset_register(struct kset *kset);
43568 extern void kset_unregister(struct kset *kset);
43569 extern struct kset * __must_check kset_create_and_add(const char *name,
43570 - struct kset_uevent_ops *u,
43571 + const struct kset_uevent_ops *u,
43572 struct kobject *parent_kobj);
43574 static inline struct kset *to_kset(struct kobject *kobj)
43575 diff -urNp linux-2.6.33/include/linux/kvm_host.h linux-2.6.33/include/linux/kvm_host.h
43576 --- linux-2.6.33/include/linux/kvm_host.h 2010-02-24 13:52:17.000000000 -0500
43577 +++ linux-2.6.33/include/linux/kvm_host.h 2010-03-07 12:23:36.121768113 -0500
43578 @@ -225,7 +225,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
43579 void vcpu_load(struct kvm_vcpu *vcpu);
43580 void vcpu_put(struct kvm_vcpu *vcpu);
43582 -int kvm_init(void *opaque, unsigned int vcpu_size,
43583 +int kvm_init(const void *opaque, unsigned int vcpu_size,
43584 struct module *module);
43585 void kvm_exit(void);
43587 @@ -332,7 +332,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
43588 struct kvm_guest_debug *dbg);
43589 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
43591 -int kvm_arch_init(void *opaque);
43592 +int kvm_arch_init(const void *opaque);
43593 void kvm_arch_exit(void);
43595 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
43596 diff -urNp linux-2.6.33/include/linux/libata.h linux-2.6.33/include/linux/libata.h
43597 --- linux-2.6.33/include/linux/libata.h 2010-02-24 13:52:17.000000000 -0500
43598 +++ linux-2.6.33/include/linux/libata.h 2010-03-07 12:23:36.121768113 -0500
43599 @@ -64,11 +64,11 @@
43600 #ifdef ATA_VERBOSE_DEBUG
43601 #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __func__, ## args)
43603 -#define VPRINTK(fmt, args...)
43604 +#define VPRINTK(fmt, args...) do {} while (0)
43605 #endif /* ATA_VERBOSE_DEBUG */
43607 -#define DPRINTK(fmt, args...)
43608 -#define VPRINTK(fmt, args...)
43609 +#define DPRINTK(fmt, args...) do {} while (0)
43610 +#define VPRINTK(fmt, args...) do {} while (0)
43611 #endif /* ATA_DEBUG */
43613 #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args)
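Review bot: The `do {} while (0)` stubs for DPRINTK and VPRINTK fix the empty-statement hazard but still discard their arguments unchecked, so a format/argument mismatch at a call site only shows up when `ATA_DEBUG` or `ATA_VERBOSE_DEBUG` is defined. Keeping the call behind a dead branch preserves format checking in normal builds: `#define DPRINTK(fmt, args...) do { if (0) printk(KERN_ERR fmt, ## args); } while (0)`, and likewise for VPRINTK. This assumes no call site passes arguments that exist only in debug builds, which cannot be verified from this header.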
43614 @@ -524,11 +524,11 @@ struct ata_ioports {
43618 - struct device *dev;
43619 + struct device *dev;
43620 void __iomem * const *iomap;
43621 unsigned int n_ports;
43622 void *private_data;
43623 - struct ata_port_operations *ops;
43624 + const struct ata_port_operations *ops;
43625 unsigned long flags;
43626 #ifdef CONFIG_ATA_ACPI
43627 acpi_handle acpi_handle;
43628 @@ -710,7 +710,7 @@ struct ata_link {
43631 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
43632 - struct ata_port_operations *ops;
43633 + const struct ata_port_operations *ops;
43635 /* Flags owned by the EH context. Only EH should touch these once the
43637 @@ -892,7 +892,7 @@ struct ata_port_info {
43638 unsigned long pio_mask;
43639 unsigned long mwdma_mask;
43640 unsigned long udma_mask;
43641 - struct ata_port_operations *port_ops;
43642 + const struct ata_port_operations *port_ops;
43643 void *private_data;
43646 @@ -916,7 +916,7 @@ extern const unsigned long sata_deb_timi
43647 extern const unsigned long sata_deb_timing_hotplug[];
43648 extern const unsigned long sata_deb_timing_long[];
43650 -extern struct ata_port_operations ata_dummy_port_ops;
43651 +extern const struct ata_port_operations ata_dummy_port_ops;
43652 extern const struct ata_port_info ata_dummy_port_info;
43654 static inline const unsigned long *
43655 @@ -962,7 +962,7 @@ extern int ata_host_activate(struct ata_
43656 struct scsi_host_template *sht);
43657 extern void ata_host_detach(struct ata_host *host);
43658 extern void ata_host_init(struct ata_host *, struct device *,
43659 - unsigned long, struct ata_port_operations *);
43660 + unsigned long, const struct ata_port_operations *);
43661 extern int ata_scsi_detect(struct scsi_host_template *sht);
43662 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
43663 extern int ata_scsi_queuecmd(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *));
43664 diff -urNp linux-2.6.33/include/linux/lockd/bind.h linux-2.6.33/include/linux/lockd/bind.h
43665 --- linux-2.6.33/include/linux/lockd/bind.h 2010-02-24 13:52:17.000000000 -0500
43666 +++ linux-2.6.33/include/linux/lockd/bind.h 2010-03-07 12:23:36.121768113 -0500
43667 @@ -23,13 +23,13 @@ struct svc_rqst;
43668 * This is the set of functions for lockd->nfsd communication
43670 struct nlmsvc_binding {
43671 - __be32 (*fopen)(struct svc_rqst *,
43672 + __be32 (* const fopen)(struct svc_rqst *,
43675 - void (*fclose)(struct file *);
43676 + void (* const fclose)(struct file *);
43679 -extern struct nlmsvc_binding * nlmsvc_ops;
43680 +extern const struct nlmsvc_binding * nlmsvc_ops;
43683 * Similar to nfs_client_initdata, but without the NFS-specific
43684 diff -urNp linux-2.6.33/include/linux/mm.h linux-2.6.33/include/linux/mm.h
43685 --- linux-2.6.33/include/linux/mm.h 2010-02-24 13:52:17.000000000 -0500
43686 +++ linux-2.6.33/include/linux/mm.h 2010-03-07 12:23:36.121768113 -0500
43687 @@ -106,6 +106,10 @@ extern unsigned int kobjsize(const void
43688 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
43689 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
43691 +#ifdef CONFIG_PAX_PAGEEXEC
43692 +#define VM_PAGEEXEC 0x80000000 /* vma->vm_page_prot needs special handling */
43695 #ifndef VM_STACK_DEFAULT_FLAGS /* arch can override this */
43696 #define VM_STACK_DEFAULT_FLAGS VM_DATA_DEFAULT_FLAGS
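Review bot: `VM_PAGEEXEC` is defined as 0x80000000, the same bit as `VM_MERGEABLE` in the context lines just above it, so with both CONFIG_PAX_PAGEEXEC and KSM built in, one `vm_flags` bit would carry two meanings. Nothing in this hunk rules that combination out; if Kconfig elsewhere in the patch makes the two mutually exclusive, the comment on the define should say so. Otherwise a build-time guard is cheap: `#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_KSM)` / `#error "VM_PAGEEXEC aliases VM_MERGEABLE"` / `#endif`. The `#endif` closing the added block is missing from this listing.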
43698 @@ -895,6 +899,8 @@ struct shrinker {
43699 extern void register_shrinker(struct shrinker *);
43700 extern void unregister_shrinker(struct shrinker *);
43702 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
43704 int vma_wants_writenotify(struct vm_area_struct *vma);
43706 extern pte_t *get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl);
43707 @@ -1171,6 +1177,7 @@ out:
43710 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
43711 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
43713 extern unsigned long do_brk(unsigned long, unsigned long);
43715 @@ -1225,6 +1232,10 @@ extern struct vm_area_struct * find_vma(
43716 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
43717 struct vm_area_struct **pprev);
43719 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
43720 +extern void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
43721 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
43723 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
43724 NULL if none. Assume start_addr < end_addr. */
43725 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
43726 @@ -1241,7 +1252,6 @@ static inline unsigned long vma_pages(st
43727 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
43730 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
43731 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
43732 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
43733 unsigned long pfn, unsigned long size, pgprot_t);
43734 @@ -1344,8 +1354,14 @@ extern int unpoison_memory(unsigned long
43735 extern int sysctl_memory_failure_early_kill;
43736 extern int sysctl_memory_failure_recovery;
43737 extern void shake_page(struct page *p, int access);
43738 -extern atomic_long_t mce_bad_pages;
43739 +extern atomic_long_unchecked_t mce_bad_pages;
43740 extern int soft_offline_page(struct page *page, int flags);
43742 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
43743 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
43745 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
43748 #endif /* __KERNEL__ */
43749 #endif /* _LINUX_MM_H */
43750 diff -urNp linux-2.6.33/include/linux/mm_types.h linux-2.6.33/include/linux/mm_types.h
43751 --- linux-2.6.33/include/linux/mm_types.h 2010-02-24 13:52:17.000000000 -0500
43752 +++ linux-2.6.33/include/linux/mm_types.h 2010-03-07 12:23:36.121768113 -0500
43753 @@ -188,6 +188,8 @@ struct vm_area_struct {
43755 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
43758 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
43761 struct core_thread {
43762 @@ -291,6 +293,24 @@ struct mm_struct {
43763 #ifdef CONFIG_MMU_NOTIFIER
43764 struct mmu_notifier_mm *mmu_notifier_mm;
43767 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
43768 + unsigned long pax_flags;
43771 +#ifdef CONFIG_PAX_DLRESOLVE
43772 + unsigned long call_dl_resolve;
43775 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
43776 + unsigned long call_syscall;
43779 +#ifdef CONFIG_PAX_ASLR
43780 + unsigned long delta_mmap; /* randomized offset */
43781 + unsigned long delta_stack; /* randomized offset */
43786 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
43787 diff -urNp linux-2.6.33/include/linux/mmu_notifier.h linux-2.6.33/include/linux/mmu_notifier.h
43788 --- linux-2.6.33/include/linux/mmu_notifier.h 2010-02-24 13:52:17.000000000 -0500
43789 +++ linux-2.6.33/include/linux/mmu_notifier.h 2010-03-07 12:23:36.121768113 -0500
43790 @@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
43792 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
43796 struct vm_area_struct *___vma = __vma; \
43797 unsigned long ___address = __address; \
43798 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
43799 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
43800 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
43805 #define ptep_clear_flush_young_notify(__vma, __address, __ptep) \
43806 diff -urNp linux-2.6.33/include/linux/mod_devicetable.h linux-2.6.33/include/linux/mod_devicetable.h
43807 --- linux-2.6.33/include/linux/mod_devicetable.h 2010-02-24 13:52:17.000000000 -0500
43808 +++ linux-2.6.33/include/linux/mod_devicetable.h 2010-03-07 12:23:36.121768113 -0500
43810 typedef unsigned long kernel_ulong_t;
43813 -#define PCI_ANY_ID (~0)
43814 +#define PCI_ANY_ID ((__u16)~0)
43816 struct pci_device_id {
43817 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
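Review bot: `PCI_ANY_ID` becomes `((__u16)~0)`, i.e. 0xFFFF, but the context line shows the fields it is stored in are `__u32 vendor, device`. A table entry initialised with the macro therefore now holds 0x0000FFFF instead of 0xFFFFFFFF. Matching stays consistent only where both sides use the macro; any comparison against a literal all-ones value, or a consumer outside this header that expects 0xFFFFFFFF as the wildcard, would stop matching (not verifiable from this hunk). The next hunk uses `(~0U)` for `HID_ANY_ID`, which keeps the full-width value; if the 16-bit form is intended here, a comment such as `/* 16-bit wildcard: compare only via PCI_ANY_ID, never against ~0 */` would record why the two macros differ.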
43818 @@ -131,7 +131,7 @@ struct usb_device_id {
43819 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
43820 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
43822 -#define HID_ANY_ID (~0)
43823 +#define HID_ANY_ID (~0U)
43825 struct hid_device_id {
43827 diff -urNp linux-2.6.33/include/linux/module.h linux-2.6.33/include/linux/module.h
43828 --- linux-2.6.33/include/linux/module.h 2010-02-24 13:52:17.000000000 -0500
43829 +++ linux-2.6.33/include/linux/module.h 2010-03-07 12:23:36.121768113 -0500
43830 @@ -289,16 +289,16 @@ struct module
43833 /* If this is non-NULL, vfree after init() returns */
43834 - void *module_init;
43835 + void *module_init_rx, *module_init_rw;
43837 /* Here is the actual code + data, vfree'd on unload. */
43838 - void *module_core;
43839 + void *module_core_rx, *module_core_rw;
43841 /* Here are the sizes of the init and core sections */
43842 - unsigned int init_size, core_size;
43843 + unsigned int init_size_rw, core_size_rw;
43845 /* The size of the executable code in each section. */
43846 - unsigned int init_text_size, core_text_size;
43847 + unsigned int init_size_rx, core_size_rx;
43849 /* Arch-specific module values */
43850 struct mod_arch_specific arch;
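Review bot: The comments above the renamed fields were left as they were and no longer describe what follows them. "Here are the sizes of the init and core sections" now sits above `init_size_rw, core_size_rw`, which by their names cover only one half of each region, and "If this is non-NULL, vfree after init() returns" sits above two pointers without saying whether both are freed. I would reword them along the lines of `/* Sizes of the writable (rw) part of the init and core regions */` and `/* Sizes of the executable (rx) part of the init and core regions */`, and state for `module_init_rx`/`module_init_rw` which allocator each pointer comes from. The rx/rw meaning is inferred from the field names, so the author should confirm the wording.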
43851 @@ -395,16 +395,46 @@ struct module *__module_address(unsigned
43852 bool is_module_address(unsigned long addr);
43853 bool is_module_text_address(unsigned long addr);
43855 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
43858 +#ifdef CONFIG_PAX_KERNEXEC
43859 + if (ktla_ktva(addr) >= (unsigned long)start &&
43860 + ktla_ktva(addr) < (unsigned long)start + size)
43864 + return ((void *)addr >= start && (void *)addr < start + size);
43867 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
43869 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
43872 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
43874 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
43877 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
43879 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
43882 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
43884 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
43887 static inline int within_module_core(unsigned long addr, struct module *mod)
43889 - return (unsigned long)mod->module_core <= addr &&
43890 - addr < (unsigned long)mod->module_core + mod->core_size;
43891 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
43894 static inline int within_module_init(unsigned long addr, struct module *mod)
43896 - return (unsigned long)mod->module_init <= addr &&
43897 - addr < (unsigned long)mod->module_init + mod->init_size;
43898 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
43901 /* Search for module by name: must hold module_mutex. */
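Review bot: In the fallback branch of `within_module_range()` the bounds test is done on pointers, `(void *)addr >= start && (void *)addr < start + size`, whereas the removed code and the CONFIG_PAX_KERNEXEC branch both compare `unsigned long` values. Arithmetic on `void *` is a GNU extension and relational comparison of unrelated pointers is not something the language defines, so I would keep the integer form in both branches: `return addr >= (unsigned long)start && addr < (unsigned long)start + size;`. The helper also has no comment explaining why the KERNEXEC branch checks the `ktla_ktva()` translation of the address; one line on that would help, and `start` and `mod` could be `const` since nothing is written through them. Some lines of these functions are missing from this view, so the return values of the KERNEXEC branch could not be checked.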
43902 diff -urNp linux-2.6.33/include/linux/moduleloader.h linux-2.6.33/include/linux/moduleloader.h
43903 --- linux-2.6.33/include/linux/moduleloader.h 2010-02-24 13:52:17.000000000 -0500
43904 +++ linux-2.6.33/include/linux/moduleloader.h 2010-03-07 12:23:36.121768113 -0500
43905 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
43906 sections. Returns NULL on failure. */
43907 void *module_alloc(unsigned long size);
43909 +#ifdef CONFIG_PAX_KERNEXEC
43910 +void *module_alloc_exec(unsigned long size);
43912 +#define module_alloc_exec(x) module_alloc(x)
43915 /* Free memory returned from module_alloc. */
43916 void module_free(struct module *mod, void *module_region);
43918 +#ifdef CONFIG_PAX_KERNEXEC
43919 +void module_free_exec(struct module *mod, void *module_region);
43921 +#define module_free_exec(x, y) module_free((x), (y))
43924 /* Apply the given relocation to the (simplified) ELF. Return -error
43926 int apply_relocate(Elf_Shdr *sechdrs,
43927 diff -urNp linux-2.6.33/include/linux/namei.h linux-2.6.33/include/linux/namei.h
43928 --- linux-2.6.33/include/linux/namei.h 2010-02-24 13:52:17.000000000 -0500
43929 +++ linux-2.6.33/include/linux/namei.h 2010-03-07 12:23:36.121768113 -0500
43930 @@ -22,7 +22,7 @@ struct nameidata {
43931 unsigned int flags;
43934 - char *saved_names[MAX_NESTED_LINKS + 1];
43935 + const char *saved_names[MAX_NESTED_LINKS + 1];
43939 @@ -81,12 +81,12 @@ extern int follow_up(struct path *);
43940 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
43941 extern void unlock_rename(struct dentry *, struct dentry *);
43943 -static inline void nd_set_link(struct nameidata *nd, char *path)
43944 +static inline void nd_set_link(struct nameidata *nd, const char *path)
43946 nd->saved_names[nd->depth] = path;
43949 -static inline char *nd_get_link(struct nameidata *nd)
43950 +static inline const char *nd_get_link(const struct nameidata *nd)
43952 return nd->saved_names[nd->depth];
43954 diff -urNp linux-2.6.33/include/linux/nodemask.h linux-2.6.33/include/linux/nodemask.h
43955 --- linux-2.6.33/include/linux/nodemask.h 2010-02-24 13:52:17.000000000 -0500
43956 +++ linux-2.6.33/include/linux/nodemask.h 2010-03-07 12:23:36.121768113 -0500
43957 @@ -469,11 +469,11 @@ static inline int num_node_state(enum no
43959 #define any_online_node(mask) \
43962 - for_each_node_mask(node, (mask)) \
43963 - if (node_online(node)) \
43965 + for_each_node_mask(__node, (mask)) \
43966 + if (node_online(__node)) \
43972 #define num_online_nodes() num_node_state(N_ONLINE)
43973 diff -urNp linux-2.6.33/include/linux/oprofile.h linux-2.6.33/include/linux/oprofile.h
43974 --- linux-2.6.33/include/linux/oprofile.h 2010-02-24 13:52:17.000000000 -0500
43975 +++ linux-2.6.33/include/linux/oprofile.h 2010-03-07 12:23:36.121768113 -0500
43976 @@ -129,9 +129,9 @@ int oprofilefs_create_ulong(struct super
43977 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
43978 char const * name, ulong * val);
43980 -/** Create a file for read-only access to an atomic_t. */
43981 +/** Create a file for read-only access to an atomic_unchecked_t. */
43982 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
43983 - char const * name, atomic_t * val);
43984 + char const * name, atomic_unchecked_t * val);
43986 /** create a directory */
43987 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
43988 diff -urNp linux-2.6.33/include/linux/pipe_fs_i.h linux-2.6.33/include/linux/pipe_fs_i.h
43989 --- linux-2.6.33/include/linux/pipe_fs_i.h 2010-02-24 13:52:17.000000000 -0500
43990 +++ linux-2.6.33/include/linux/pipe_fs_i.h 2010-03-07 12:23:36.125670889 -0500
43991 @@ -46,9 +46,9 @@ struct pipe_inode_info {
43992 wait_queue_head_t wait;
43993 unsigned int nrbufs, curbuf;
43994 struct page *tmp_page;
43995 - unsigned int readers;
43996 - unsigned int writers;
43997 - unsigned int waiting_writers;
43998 + atomic_t readers;
43999 + atomic_t writers;
44000 + atomic_t waiting_writers;
44001 unsigned int r_counter;
44002 unsigned int w_counter;
44003 struct fasync_struct *fasync_readers;
44004 diff -urNp linux-2.6.33/include/linux/poison.h linux-2.6.33/include/linux/poison.h
44005 --- linux-2.6.33/include/linux/poison.h 2010-02-24 13:52:17.000000000 -0500
44006 +++ linux-2.6.33/include/linux/poison.h 2010-03-07 12:23:36.125670889 -0500
44008 * under normal circumstances, used to verify that nobody uses
44009 * non-initialized list entries.
44011 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
44012 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
44013 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
44014 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
44016 /********** include/linux/timer.h **********/
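Review bot: The new `LIST_POISON1`/`LIST_POISON2` values drop `POISON_POINTER_DELTA` and rely on `(long)0xFFFFFF01`, whose result depends on the width of `long`. The constant 0xFFFFFF01 has type `unsigned int`, so on a 64-bit build the cast zero-extends to 0x00000000FFFFFF01 rather than producing an address at the top of the address space as it does on 32-bit. Whether a dereference of that value is guaranteed to fault on every 64-bit configuration this patch supports is not visible from the hunk, and architectures that set a poison delta lose it. Please add a comment stating which mechanism makes the address unmappable on each word size, or write the 64-bit case explicitly (for example `((void *) (long)(int)0xFFFFFF01)` if sign extension is what is wanted).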
44018 diff -urNp linux-2.6.33/include/linux/proc_fs.h linux-2.6.33/include/linux/proc_fs.h
44019 --- linux-2.6.33/include/linux/proc_fs.h 2010-02-24 13:52:17.000000000 -0500
44020 +++ linux-2.6.33/include/linux/proc_fs.h 2010-03-07 12:23:36.125670889 -0500
44021 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
44022 return proc_create_data(name, mode, parent, proc_fops, NULL);
44025 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
44026 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
44028 +#ifdef CONFIG_GRKERNSEC_PROC_USER
44029 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
44030 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
44031 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
44033 + return proc_create_data(name, mode, parent, proc_fops, NULL);
44038 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
44039 mode_t mode, struct proc_dir_entry *base,
44040 read_proc_t *read_proc, void * data)
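Review bot: `proc_create_grsec()` accepts a `mode` argument but ignores it entirely in the CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP branches, where `S_IRUSR` or `S_IRUSR | S_IRGRP` is passed instead. A caller that asks for a writable entry silently gets a read-only one, and the resulting permissions depend on the kernel configuration rather than on the call site. The helper has no comment, so I would document the contract above it, e.g. `/* For read-only entries only: under GRKERNSEC_PROC_USER[GROUP] the mode argument is replaced by owner (and group) read permission. */`. Some lines of the function are missing from this view.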
44041 diff -urNp linux-2.6.33/include/linux/random.h linux-2.6.33/include/linux/random.h
44042 --- linux-2.6.33/include/linux/random.h 2010-02-24 13:52:17.000000000 -0500
44043 +++ linux-2.6.33/include/linux/random.h 2010-03-07 12:23:36.125670889 -0500
44044 @@ -74,6 +74,11 @@ unsigned long randomize_range(unsigned l
44045 u32 random32(void);
44046 void srandom32(u32 seed);
44048 +static inline unsigned long pax_get_random_long(void)
44050 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
44053 #endif /* __KERNEL___ */
44055 #endif /* _LINUX_RANDOM_H */
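Review bot: `pax_get_random_long()` builds its result from `random32()`, which is the kernel's fast, seedable pseudo-random generator (its `srandom32(u32 seed)` companion is on the context line above) and is not designed to be unpredictable. If this value feeds the address-space randomisation offsets added elsewhere in the patch (`delta_mmap`, `delta_stack`), which the name suggests but this hunk does not show, the randomisation is only as strong as that generator's state. I would draw the bits from the entropy pool instead: `unsigned long r;` `get_random_bytes(&r, sizeof(r));` `return r;`. If the cheaper generator is kept for performance reasons, a comment stating that trade-off belongs on the function.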
44056 diff -urNp linux-2.6.33/include/linux/reiserfs_fs.h linux-2.6.33/include/linux/reiserfs_fs.h
44057 --- linux-2.6.33/include/linux/reiserfs_fs.h 2010-02-24 13:52:17.000000000 -0500
44058 +++ linux-2.6.33/include/linux/reiserfs_fs.h 2010-03-07 12:23:36.125670889 -0500
44059 @@ -1404,7 +1404,7 @@ static inline loff_t max_reiserfs_offset
44060 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
44062 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
44063 -#define get_generation(s) atomic_read (&fs_generation(s))
44064 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
44065 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
44066 #define __fs_changed(gen,s) (gen != get_generation (s))
44067 #define fs_changed(gen,s) \
44068 @@ -1616,24 +1616,24 @@ static inline struct super_block *sb_fro
44071 struct item_operations {
44072 - int (*bytes_number) (struct item_head * ih, int block_size);
44073 - void (*decrement_key) (struct cpu_key *);
44074 - int (*is_left_mergeable) (struct reiserfs_key * ih,
44075 + int (* const bytes_number) (struct item_head * ih, int block_size);
44076 + void (* const decrement_key) (struct cpu_key *);
44077 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
44078 unsigned long bsize);
44079 - void (*print_item) (struct item_head *, char *item);
44080 - void (*check_item) (struct item_head *, char *item);
44081 + void (* const print_item) (struct item_head *, char *item);
44082 + void (* const check_item) (struct item_head *, char *item);
44084 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
44085 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
44086 int is_affected, int insert_size);
44087 - int (*check_left) (struct virtual_item * vi, int free,
44088 + int (* const check_left) (struct virtual_item * vi, int free,
44089 int start_skip, int end_skip);
44090 - int (*check_right) (struct virtual_item * vi, int free);
44091 - int (*part_size) (struct virtual_item * vi, int from, int to);
44092 - int (*unit_num) (struct virtual_item * vi);
44093 - void (*print_vi) (struct virtual_item * vi);
44094 + int (* const check_right) (struct virtual_item * vi, int free);
44095 + int (* const part_size) (struct virtual_item * vi, int from, int to);
44096 + int (* const unit_num) (struct virtual_item * vi);
44097 + void (* const print_vi) (struct virtual_item * vi);
44100 -extern struct item_operations *item_ops[TYPE_ANY + 1];
44101 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
44103 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
44104 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
44105 diff -urNp linux-2.6.33/include/linux/reiserfs_fs_sb.h linux-2.6.33/include/linux/reiserfs_fs_sb.h
44106 --- linux-2.6.33/include/linux/reiserfs_fs_sb.h 2010-02-24 13:52:17.000000000 -0500
44107 +++ linux-2.6.33/include/linux/reiserfs_fs_sb.h 2010-03-07 12:23:36.125670889 -0500
44108 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
44109 /* Comment? -Hans */
44110 wait_queue_head_t s_wait;
44111 /* To be obsoleted soon by per buffer seals.. -Hans */
44112 - atomic_t s_generation_counter; // increased by one every time the
44113 + atomic_unchecked_t s_generation_counter; // increased by one every time the
44114 // tree gets re-balanced
44115 unsigned long s_properties; /* File system properties. Currently holds
44116 on-disk FS format */
44117 diff -urNp linux-2.6.33/include/linux/sched.h linux-2.6.33/include/linux/sched.h
44118 --- linux-2.6.33/include/linux/sched.h 2010-02-24 13:52:17.000000000 -0500
44119 +++ linux-2.6.33/include/linux/sched.h 2010-03-07 12:23:36.125670889 -0500
44120 @@ -101,6 +101,7 @@ struct bio;
44122 struct bts_context;
44123 struct perf_event_context;
44124 +struct linux_binprm;
44127 * List of flags we want to share for kernel threads,
44128 @@ -678,6 +679,15 @@ struct signal_struct {
44129 struct tty_audit_buf *tty_audit_buf;
44132 +#ifdef CONFIG_GRKERNSEC
44138 + u8 used_accept:1;
44141 int oom_adj; /* OOM kill score adjustment (bit shift) */
44144 @@ -1231,7 +1241,7 @@ struct rcu_node;
44146 struct task_struct {
44147 volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
44149 + struct thread_info *stack;
44151 unsigned int flags; /* per process flags, defined below */
44152 unsigned int ptrace;
44153 @@ -1343,8 +1353,8 @@ struct task_struct {
44154 struct list_head thread_group;
44156 struct completion *vfork_done; /* for vfork() */
44157 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
44158 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
44159 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
44160 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
44162 cputime_t utime, stime, utimescaled, stimescaled;
44164 @@ -1360,16 +1370,6 @@ struct task_struct {
44165 struct task_cputime cputime_expires;
44166 struct list_head cpu_timers[3];
44168 -/* process credentials */
44169 - const struct cred *real_cred; /* objective and real subjective task
44170 - * credentials (COW) */
44171 - const struct cred *cred; /* effective (overridable) subjective task
44172 - * credentials (COW) */
44173 - struct mutex cred_guard_mutex; /* guard against foreign influences on
44174 - * credential calculations
44175 - * (notably. ptrace) */
44176 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
44178 char comm[TASK_COMM_LEN]; /* executable name excluding path
44179 - access with [gs]et_task_comm (which lock
44180 it with task_lock())
44181 @@ -1453,6 +1453,15 @@ struct task_struct {
44182 int softirqs_enabled;
44183 int softirq_context;
44186 +/* process credentials */
44187 + const struct cred *real_cred; /* objective and real subjective task
44188 + * credentials (COW) */
44189 + struct mutex cred_guard_mutex; /* guard against foreign influences on
44190 + * credential calculations
44191 + * (notably. ptrace) */
44192 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
44194 #ifdef CONFIG_LOCKDEP
44195 # define MAX_LOCK_DEPTH 48UL
44196 u64 curr_chain_key;
44197 @@ -1473,6 +1482,9 @@ struct task_struct {
44199 struct backing_dev_info *backing_dev_info;
44201 + const struct cred *cred; /* effective (overridable) subjective task
44202 + * credentials (COW) */
44204 struct io_context *io_context;
44206 unsigned long ptrace_message;
44207 @@ -1536,6 +1548,19 @@ struct task_struct {
44208 unsigned long default_timer_slack_ns;
44210 struct list_head *scm_work_list;
44212 +#ifdef CONFIG_GRKERNSEC
44214 + rwlock_t gr_fs_lock;
44215 + struct acl_subject_label *acl;
44216 + struct acl_role_label *role;
44217 + struct file *exec_file;
44224 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
44225 /* Index of current stored adress in ret_stack */
44226 int curr_ret_stack;
44227 @@ -1568,6 +1593,52 @@ struct task_struct {
44231 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
44232 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
44233 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
44234 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
44235 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
44236 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
44238 +#ifdef CONFIG_PAX_SOFTMODE
44239 +extern unsigned int pax_softmode;
44242 +extern int pax_check_flags(unsigned long *);
44244 +/* if tsk != current then task_lock must be held on it */
44245 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
44246 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
44248 + if (likely(tsk->mm))
44249 + return tsk->mm->pax_flags;
44254 +/* if tsk != current then task_lock must be held on it */
44255 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
44257 + if (likely(tsk->mm)) {
44258 + tsk->mm->pax_flags = flags;
44265 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
44266 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
44267 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
44268 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
44271 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
44272 +void pax_report_insns(void *pc, void *sp);
44273 +void pax_report_refcount_overflow(struct pt_regs *regs);
44274 +void pax_report_leak_to_user(const void *ptr, unsigned long len);
44275 +void pax_report_overflow_from_user(const void *ptr, unsigned long len);
44277 /* Future-safe accessor for struct task_struct's cpus_allowed. */
44278 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
44280 @@ -2169,7 +2240,7 @@ extern void __cleanup_sighand(struct sig
44281 extern void exit_itimers(struct signal_struct *);
44282 extern void flush_itimer_signals(void);
44284 -extern NORET_TYPE void do_group_exit(int);
44285 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
44287 extern void daemonize(const char *, ...);
44288 extern int allow_signal(int);
44289 @@ -2271,6 +2342,33 @@ static inline void task_unlock(struct ta
44290 spin_unlock(&p->alloc_lock);
44293 +/* grsec: protects only ->fs as task_lock is overkill and we can't
44294 + be using a spin_lock in interrupt context
44296 +#ifdef CONFIG_GRKERNSEC
44297 +#define gr_fs_write_lock_irqsave(x, y) \
44298 + write_lock_irqsave(&x->gr_fs_lock, y)
44299 +#define gr_fs_write_unlock_irqrestore(x, y) \
44300 + write_unlock_irqrestore(&x->gr_fs_lock, y)
44302 +#define gr_fs_write_lock_irqsave(x, y)
44303 +#define gr_fs_write_unlock_irqrestore(x, y)
44306 +static inline void gr_fs_read_lock(struct task_struct *p)
44308 +#ifdef CONFIG_GRKERNSEC
44309 + read_lock(&p->gr_fs_lock);
44313 +static inline void gr_fs_read_unlock(struct task_struct *p)
44315 +#ifdef CONFIG_GRKERNSEC
44316 + read_unlock(&p->gr_fs_lock);
44320 extern struct sighand_struct *lock_task_sighand(struct task_struct *tsk,
44321 unsigned long *flags);
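Review bot: The macro argument is not parenthesised in `gr_fs_write_lock_irqsave(x, y)` and `gr_fs_write_unlock_irqrestore(x, y)`: `&x->gr_fs_lock` expands incorrectly for any argument that is not a plain identifier (for instance `&task` or `p + 1`). The bodies should read `write_lock_irqsave(&(x)->gr_fs_lock, (y))` and `write_unlock_irqrestore(&(x)->gr_fs_lock, (y))`. The empty non-GRKERNSEC variants also leave the caller's flags variable unused, which tends to produce warnings; `do { (void)(x); (void)(y); } while (0)` avoids that. Separately, the comment says the lock must be usable from interrupt context, yet `gr_fs_read_lock()` takes a plain `read_lock()` while writers disable interrupts; it would help to state in the comment which side may run in interrupt context.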
44323 @@ -2282,8 +2380,8 @@ static inline void unlock_task_sighand(s
44325 #ifndef __HAVE_THREAD_FUNCTIONS
44327 -#define task_thread_info(task) ((struct thread_info *)(task)->stack)
44328 -#define task_stack_page(task) ((task)->stack)
44329 +#define task_thread_info(task) ((task)->stack)
44330 +#define task_stack_page(task) ((void *)(task)->stack)
44332 static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
44334 @@ -2298,13 +2396,31 @@ static inline unsigned long *end_of_stac
44338 -static inline int object_is_on_stack(void *obj)
44339 +static inline int object_starts_on_stack(void *obj)
44341 - void *stack = task_stack_page(current);
44342 + const void *stack = task_stack_page(current);
44344 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
44347 +/* 0: not at all, 1: fully, -1: partially (implies an error) */
44348 +static inline int object_is_on_stack(const void *obj, unsigned long len)
44350 + const void *stack = task_stack_page(current);
44351 + const void *stackend = stack + THREAD_SIZE;
44353 + if (obj + len < obj)
44356 + if (stack <= obj && obj + len <= stackend)
44359 + if (obj + len <= stack || stackend <= obj)
44365 extern void thread_info_cache_init(void);
44367 #ifdef CONFIG_DEBUG_STACK_USAGE
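Review bot: The wrap-around test in the new `object_is_on_stack()`, `if (obj + len < obj)`, is performed with pointer arithmetic on `const void *`. Overflowing a pointer is something the compiler is allowed to assume never happens, so the check can be optimised away unless the build uses flags that define pointer overflow (not visible here). Doing the arithmetic on integers keeps the check reliable: `unsigned long start = (unsigned long)obj, end = start + len;` followed by `if (end < start)` and the same comparisons against `(unsigned long)stack` and `stackend`. Note also that the old one-argument name now belongs to a function with a different signature and a tri-state result, so every existing caller has to be converted; those callers are outside this hunk, and some lines of the function (the return statements) are missing from this view.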
44368 diff -urNp linux-2.6.33/include/linux/screen_info.h linux-2.6.33/include/linux/screen_info.h
44369 --- linux-2.6.33/include/linux/screen_info.h 2010-02-24 13:52:17.000000000 -0500
44370 +++ linux-2.6.33/include/linux/screen_info.h 2010-03-07 12:23:36.125670889 -0500
44371 @@ -43,7 +43,8 @@ struct screen_info {
44372 __u16 pages; /* 0x32 */
44373 __u16 vesa_attributes; /* 0x34 */
44374 __u32 capabilities; /* 0x36 */
44375 - __u8 _reserved[6]; /* 0x3a */
44376 + __u16 vesapm_size; /* 0x3a */
44377 + __u8 _reserved[4]; /* 0x3c */
44378 } __attribute__((packed));
44380 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
44381 diff -urNp linux-2.6.33/include/linux/security.h linux-2.6.33/include/linux/security.h
44382 --- linux-2.6.33/include/linux/security.h 2010-02-24 13:52:17.000000000 -0500
44383 +++ linux-2.6.33/include/linux/security.h 2010-03-07 12:23:36.125670889 -0500
44385 #include <linux/key.h>
44386 #include <linux/xfrm.h>
44387 #include <linux/gfp.h>
44388 +#include <linux/grsecurity.h>
44389 #include <net/flow.h>
44391 /* Maximum number of letters for an LSM name string */
44392 diff -urNp linux-2.6.33/include/linux/shm.h linux-2.6.33/include/linux/shm.h
44393 --- linux-2.6.33/include/linux/shm.h 2010-02-24 13:52:17.000000000 -0500
44394 +++ linux-2.6.33/include/linux/shm.h 2010-03-07 12:23:36.129711674 -0500
44395 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
44398 struct user_struct *mlock_user;
44399 +#ifdef CONFIG_GRKERNSEC
44400 + time_t shm_createtime;
44405 /* shm_mode upper byte flags */
44406 diff -urNp linux-2.6.33/include/linux/slab.h linux-2.6.33/include/linux/slab.h
44407 --- linux-2.6.33/include/linux/slab.h 2010-02-24 13:52:17.000000000 -0500
44408 +++ linux-2.6.33/include/linux/slab.h 2010-03-07 12:23:36.129711674 -0500
44411 #include <linux/gfp.h>
44412 #include <linux/types.h>
44413 +#include <linux/err.h>
44416 * Flags to pass to kmem_cache_create().
44417 @@ -82,10 +83,13 @@
44418 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
44419 * Both make kfree a no-op.
44421 -#define ZERO_SIZE_PTR ((void *)16)
44422 +#define ZERO_SIZE_PTR \
44424 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
44425 + (void *)(-MAX_ERRNO-1L); \
44428 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
44429 - (unsigned long)ZERO_SIZE_PTR)
44430 +#define ZERO_OR_NULL_PTR(x) (!(x) || (x) == ZERO_SIZE_PTR)
44433 * struct kmem_cache related prototypes
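Review bot: `ZERO_OR_NULL_PTR(x)` now expands its argument twice, `(!(x) || (x) == ZERO_SIZE_PTR)`, where the removed version evaluated it once. An argument with a side effect or an expensive call is therefore evaluated twice when it is non-NULL. Capturing it first avoids that: `({ const void *__p = (x); !__p || __p == ZERO_SIZE_PTR; })`. In addition, `ZERO_SIZE_PTR` appears to have become a statement expression containing `BUILD_BUG_ON` (parts of the definition are missing from this view), which means it can no longer be used where a constant expression is required, such as a static initialiser; a short comment on the define should say so and explain why the value was moved to `-MAX_ERRNO-1`.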
44434 @@ -138,6 +142,7 @@ void * __must_check krealloc(const void
44435 void kfree(const void *);
44436 void kzfree(const void *);
44437 size_t ksize(const void *);
44438 +void check_object_size(const void *ptr, unsigned long n, bool to);
44441 * Allocator specific definitions. These are mainly used to establish optimized
44442 @@ -328,4 +333,37 @@ static inline void *kzalloc_node(size_t
44444 void __init kmem_cache_init_late(void);
44446 +#define kmalloc(x, y) \
44448 + void *___retval; \
44449 + intoverflow_t ___x = (intoverflow_t)x; \
44450 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
44451 + ___retval = NULL; \
44453 + ___retval = kmalloc((size_t)___x, (y)); \
44457 +#define kmalloc_node(x, y, z) \
44459 + void *___retval; \
44460 + intoverflow_t ___x = (intoverflow_t)x; \
44461 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
44462 + ___retval = NULL; \
44464 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
44468 +#define kzalloc(x, y) \
44470 + void *___retval; \
44471 + intoverflow_t ___x = (intoverflow_t)x; \
44472 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
44473 + ___retval = NULL; \
44475 + ___retval = kzalloc((size_t)___x, (y)); \
44479 #endif /* _LINUX_SLAB_H */
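Review bot: The size argument is cast without parentheses, `(intoverflow_t)x`, in all three wrappers (`kmalloc`, `kmalloc_node`, `kzalloc`), so the cast binds only to the first operand of whatever expression the caller passes. For `n * size` that widens the multiplication, which is presumably the intent, but for an argument such as `hdr + n * size` only `hdr` is widened and `n * size` can still wrap in the narrow type before the `> ULONG_MAX` test sees it. Since this looks exactly like a macro-hygiene mistake, it needs a comment stating that the missing parentheses are deliberate and what the check does and does not catch, for example `/* cast is intentionally unparenthesised: widens the leading operand so "a * b" is computed in intoverflow_t; sub-expressions are not covered */`. The definition of `intoverflow_t` is not in this hunk, so whether the test can ever be true on 64-bit builds could not be confirmed.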
44480 diff -urNp linux-2.6.33/include/linux/slub_def.h linux-2.6.33/include/linux/slub_def.h
44481 --- linux-2.6.33/include/linux/slub_def.h 2010-02-24 13:52:17.000000000 -0500
44482 +++ linux-2.6.33/include/linux/slub_def.h 2010-03-07 12:23:36.129711674 -0500
44483 @@ -86,7 +86,7 @@ struct kmem_cache {
44484 struct kmem_cache_order_objects max;
44485 struct kmem_cache_order_objects min;
44486 gfp_t allocflags; /* gfp flags to use on each alloc */
44487 - int refcount; /* Refcount for slab cache destroy */
44488 + atomic_t refcount; /* Refcount for slab cache destroy */
44489 void (*ctor)(void *);
44490 int inuse; /* Offset to metadata */
44491 int align; /* Alignment */
44492 diff -urNp linux-2.6.33/include/linux/sonet.h linux-2.6.33/include/linux/sonet.h
44493 --- linux-2.6.33/include/linux/sonet.h 2010-02-24 13:52:17.000000000 -0500
44494 +++ linux-2.6.33/include/linux/sonet.h 2010-03-07 12:23:36.129711674 -0500
44495 @@ -61,7 +61,7 @@ struct sonet_stats {
44496 #include <asm/atomic.h>
44498 struct k_sonet_stats {
44499 -#define __HANDLE_ITEM(i) atomic_t i
44500 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
44502 #undef __HANDLE_ITEM
44504 diff -urNp linux-2.6.33/include/linux/suspend.h linux-2.6.33/include/linux/suspend.h
44505 --- linux-2.6.33/include/linux/suspend.h 2010-02-24 13:52:17.000000000 -0500
44506 +++ linux-2.6.33/include/linux/suspend.h 2010-03-07 12:23:36.129711674 -0500
44507 @@ -104,15 +104,15 @@ typedef int __bitwise suspend_state_t;
44508 * which require special recovery actions in that situation.
44510 struct platform_suspend_ops {
44511 - int (*valid)(suspend_state_t state);
44512 - int (*begin)(suspend_state_t state);
44513 - int (*prepare)(void);
44514 - int (*prepare_late)(void);
44515 - int (*enter)(suspend_state_t state);
44516 - void (*wake)(void);
44517 - void (*finish)(void);
44518 - void (*end)(void);
44519 - void (*recover)(void);
44520 + int (* const valid)(suspend_state_t state);
44521 + int (* const begin)(suspend_state_t state);
44522 + int (* const prepare)(void);
44523 + int (* const prepare_late)(void);
44524 + int (* const enter)(suspend_state_t state);
44525 + void (* const wake)(void);
44526 + void (* const finish)(void);
44527 + void (* const end)(void);
44528 + void (* const recover)(void);
44531 #ifdef CONFIG_SUSPEND
44532 @@ -120,7 +120,7 @@ struct platform_suspend_ops {
44533 * suspend_set_ops - set platform dependent suspend operations
44534 * @ops: The new suspend operations to set.
44536 -extern void suspend_set_ops(struct platform_suspend_ops *ops);
44537 +extern void suspend_set_ops(const struct platform_suspend_ops *ops);
44538 extern int suspend_valid_only_mem(suspend_state_t state);
44541 @@ -145,7 +145,7 @@ extern int pm_suspend(suspend_state_t st
44542 #else /* !CONFIG_SUSPEND */
44543 #define suspend_valid_only_mem NULL
44545 -static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
44546 +static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
44547 static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
44548 #endif /* !CONFIG_SUSPEND */
44550 @@ -215,16 +215,16 @@ extern void mark_free_pages(struct zone
44551 * platforms which require special recovery actions in that situation.
44553 struct platform_hibernation_ops {
44554 - int (*begin)(void);
44555 - void (*end)(void);
44556 - int (*pre_snapshot)(void);
44557 - void (*finish)(void);
44558 - int (*prepare)(void);
44559 - int (*enter)(void);
44560 - void (*leave)(void);
44561 - int (*pre_restore)(void);
44562 - void (*restore_cleanup)(void);
44563 - void (*recover)(void);
44564 + int (* const begin)(void);
44565 + void (* const end)(void);
44566 + int (* const pre_snapshot)(void);
44567 + void (* const finish)(void);
44568 + int (* const prepare)(void);
44569 + int (* const enter)(void);
44570 + void (* const leave)(void);
44571 + int (* const pre_restore)(void);
44572 + void (* const restore_cleanup)(void);
44573 + void (* const recover)(void);
44576 #ifdef CONFIG_HIBERNATION
44577 @@ -243,7 +243,7 @@ extern void swsusp_set_page_free(struct
44578 extern void swsusp_unset_page_free(struct page *);
44579 extern unsigned long get_safe_page(gfp_t gfp_mask);
44581 -extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
44582 +extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
44583 extern int hibernate(void);
44584 extern bool system_entering_hibernation(void);
44585 #else /* CONFIG_HIBERNATION */
44586 @@ -251,7 +251,7 @@ static inline int swsusp_page_is_forbidd
44587 static inline void swsusp_set_page_free(struct page *p) {}
44588 static inline void swsusp_unset_page_free(struct page *p) {}
44590 -static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
44591 +static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
44592 static inline int hibernate(void) { return -ENOSYS; }
44593 static inline bool system_entering_hibernation(void) { return false; }
44594 #endif /* CONFIG_HIBERNATION */
44595 diff -urNp linux-2.6.33/include/linux/sysctl.h linux-2.6.33/include/linux/sysctl.h
44596 --- linux-2.6.33/include/linux/sysctl.h 2010-02-24 13:52:17.000000000 -0500
44597 +++ linux-2.6.33/include/linux/sysctl.h 2010-03-07 12:23:36.129711674 -0500
44598 @@ -155,7 +155,11 @@ enum
44599 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
44603 +#ifdef CONFIG_PAX_SOFTMODE
44605 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
44609 /* CTL_VM names: */
44611 diff -urNp linux-2.6.33/include/linux/sysfs.h linux-2.6.33/include/linux/sysfs.h
44612 --- linux-2.6.33/include/linux/sysfs.h 2010-02-24 13:52:17.000000000 -0500
44613 +++ linux-2.6.33/include/linux/sysfs.h 2010-03-07 12:23:36.129711674 -0500
44614 @@ -75,8 +75,8 @@ struct bin_attribute {
44618 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
44619 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
44620 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
44621 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
44624 struct sysfs_dirent;
44625 diff -urNp linux-2.6.33/include/linux/thread_info.h linux-2.6.33/include/linux/thread_info.h
44626 --- linux-2.6.33/include/linux/thread_info.h 2010-02-24 13:52:17.000000000 -0500
44627 +++ linux-2.6.33/include/linux/thread_info.h 2010-03-07 12:23:36.129711674 -0500
44628 @@ -23,7 +23,7 @@ struct restart_block {
44630 /* For futex_wait and futex_wait_requeue_pi */
44633 + u32 __user *uaddr;
44637 diff -urNp linux-2.6.33/include/linux/tty.h linux-2.6.33/include/linux/tty.h
44638 --- linux-2.6.33/include/linux/tty.h 2010-02-24 13:52:17.000000000 -0500
44639 +++ linux-2.6.33/include/linux/tty.h 2010-03-07 12:23:36.129711674 -0500
44641 #include <linux/tty_driver.h>
44642 #include <linux/tty_ldisc.h>
44643 #include <linux/mutex.h>
44644 +#include <linux/poll.h>
44646 #include <asm/system.h>
44648 @@ -440,7 +441,6 @@ extern int tty_perform_flush(struct tty_
44649 extern dev_t tty_devnum(struct tty_struct *tty);
44650 extern void proc_clear_tty(struct task_struct *p);
44651 extern struct tty_struct *get_current_tty(void);
44652 -extern void tty_default_fops(struct file_operations *fops);
44653 extern struct tty_struct *alloc_tty_struct(void);
44654 extern void free_tty_struct(struct tty_struct *tty);
44655 extern void initialize_tty_struct(struct tty_struct *tty,
44656 @@ -501,6 +501,18 @@ extern void tty_ldisc_begin(void);
44657 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
44658 extern void tty_ldisc_enable(struct tty_struct *tty);
44661 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
44662 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
44663 +extern unsigned int tty_poll(struct file *, poll_table *);
44664 +#ifdef CONFIG_COMPAT
44665 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
44666 + unsigned long arg);
44668 +#define tty_compat_ioctl NULL
44670 +extern int tty_release(struct inode *, struct file *);
44671 +extern int tty_fasync(int fd, struct file *filp, int on);
44674 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
44675 diff -urNp linux-2.6.33/include/linux/tty_ldisc.h linux-2.6.33/include/linux/tty_ldisc.h
44676 --- linux-2.6.33/include/linux/tty_ldisc.h 2010-02-24 13:52:17.000000000 -0500
44677 +++ linux-2.6.33/include/linux/tty_ldisc.h 2010-03-07 12:23:36.129711674 -0500
44678 @@ -139,7 +139,7 @@ struct tty_ldisc_ops {
44680 struct module *owner;
44683 + atomic_t refcount;
44687 diff -urNp linux-2.6.33/include/linux/types.h linux-2.6.33/include/linux/types.h
44688 --- linux-2.6.33/include/linux/types.h 2010-02-24 13:52:17.000000000 -0500
44689 +++ linux-2.6.33/include/linux/types.h 2010-03-07 12:23:36.129711674 -0500
44690 @@ -191,10 +191,26 @@ typedef struct {
44691 volatile int counter;
44694 +#ifdef CONFIG_PAX_REFCOUNT
44696 + volatile int counter;
44697 +} atomic_unchecked_t;
44699 +typedef atomic_t atomic_unchecked_t;
44702 #ifdef CONFIG_64BIT
44704 volatile long counter;
44707 +#ifdef CONFIG_PAX_REFCOUNT
44709 + volatile long counter;
44710 +} atomic64_unchecked_t;
44712 +typedef atomic64_t atomic64_unchecked_t;
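Review bot: `atomic_unchecked_t` and `atomic64_unchecked_t` are introduced without a comment saying when a counter should use them instead of `atomic_t`/`atomic64_t`. From the visible lines the unchecked type is a separate struct with the same `counter` member under CONFIG_PAX_REFCOUNT and a plain typedef otherwise, which suggests it is meant for counters exempt from overflow checking, such as the statistics fields converted in `k_sonet_stats`; that is an inference and should be confirmed. A comment above the first typedef, e.g. `/* for counters that may wrap harmlessly (statistics); never use for reference counts */`, would keep later conversions from weakening the refcount protection by picking the unchecked type for convenience. Some lines of this hunk are not visible in the listing.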
44717 diff -urNp linux-2.6.33/include/linux/uaccess.h linux-2.6.33/include/linux/uaccess.h
44718 --- linux-2.6.33/include/linux/uaccess.h 2010-02-24 13:52:17.000000000 -0500
44719 +++ linux-2.6.33/include/linux/uaccess.h 2010-03-07 12:23:36.129711674 -0500
44720 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
44722 mm_segment_t old_fs = get_fs(); \
44724 - set_fs(KERNEL_DS); \
44725 pagefault_disable(); \
44726 + set_fs(KERNEL_DS); \
44727 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
44728 - pagefault_enable(); \
44730 + pagefault_enable(); \
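Review bot: The reordering inside `probe_kernel_address()` carries no comment, so nothing tells a later editor that the order of these calls matters. As far as the visible lines show, the new side calls `set_fs(KERNEL_DS)` only after `pagefault_disable()` and calls `pagefault_enable()` only after the old limit is restored, so the widened address limit never exists outside the no-fault region; the restoring `set_fs()` line itself is not visible here. A comment such as `/* KERNEL_DS must be set and restored strictly inside the pagefault-disabled window */` at the top of the macro body would document the intent.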
44734 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
44735 * Safely read from address @src to the buffer at @dst. If a kernel fault
44736 * happens, handle that and return -EFAULT.
44738 -extern long probe_kernel_read(void *dst, void *src, size_t size);
44739 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
44740 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
44741 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
44744 * probe_kernel_write(): safely attempt to write to a location
44745 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
44746 * Safely write to address @dst from the buffer at @src. If a kernel fault
44747 * happens, handle that and return -EFAULT.
44749 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
44750 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
44751 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
44752 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
44754 #endif /* __LINUX_UACCESS_H__ */
44755 diff -urNp linux-2.6.33/include/linux/vmalloc.h linux-2.6.33/include/linux/vmalloc.h
44756 --- linux-2.6.33/include/linux/vmalloc.h 2010-02-24 13:52:17.000000000 -0500
44757 +++ linux-2.6.33/include/linux/vmalloc.h 2010-03-07 12:23:36.129711674 -0500
44758 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
44759 #define VM_MAP 0x00000004 /* vmap()ed pages */
44760 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
44761 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
44763 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
44764 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
44767 /* bits [20..32] reserved for arch specific ioremap internals */
44770 @@ -121,4 +126,81 @@ struct vm_struct **pcpu_get_vm_areas(con
44772 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
44774 +#define vmalloc(x) \
44776 + void *___retval; \
44777 + intoverflow_t ___x = (intoverflow_t)x; \
44778 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
44779 + ___retval = NULL; \
44781 + ___retval = vmalloc((unsigned long)___x); \
44785 +#define __vmalloc(x, y, z) \
44787 + void *___retval; \
44788 + intoverflow_t ___x = (intoverflow_t)x; \
44789 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
44790 + ___retval = NULL; \
44792 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
44796 +#define vmalloc_user(x) \
44798 + void *___retval; \
44799 + intoverflow_t ___x = (intoverflow_t)x; \
44800 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
44801 + ___retval = NULL; \
44803 + ___retval = vmalloc_user((unsigned long)___x); \
44807 +#define vmalloc_exec(x) \
44809 + void *___retval; \
44810 + intoverflow_t ___x = (intoverflow_t)x; \
44811 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
44812 + ___retval = NULL; \
44814 + ___retval = vmalloc_exec((unsigned long)___x); \
44818 +#define vmalloc_node(x, y) \
44820 + void *___retval; \
44821 + intoverflow_t ___x = (intoverflow_t)x; \
44822 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
44823 + ___retval = NULL; \
44825 + ___retval = vmalloc_node((unsigned long)___x, (y));\
44829 +#define vmalloc_32(x) \
44831 + void *___retval; \
44832 + intoverflow_t ___x = (intoverflow_t)x; \
44833 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
44834 + ___retval = NULL; \
44836 + ___retval = vmalloc_32((unsigned long)___x); \
44840 +#define vmalloc_32_user(x) \
44842 + void *___retval; \
44843 + intoverflow_t ___x = (intoverflow_t)x; \
44844 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
44845 + ___retval = NULL; \
44847 + ___retval = vmalloc_32_user((unsigned long)___x);\
44851 #endif /* _LINUX_VMALLOC_H */
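Review bot: The overflow check in these wrappers depends on `x` being left unparenthesized in `(intoverflow_t)x`, and nothing in the hunk says so. The cast binds to the first operand of the caller's size expression, so `vmalloc(n * size)` is evaluated in `intoverflow_t` and can be compared with `ULONG_MAX`, whereas the conventional `(intoverflow_t)(x)` would silently turn the check into a no-op. An argument such as `a + n * size` or `c ? a : b` is still not covered, because only `a` (or `c`) is widened, and the check is vacuous wherever `intoverflow_t` is no wider than `unsigned long`; its definition is not visible here. I would add a comment above the first macro, e.g. `/* x is deliberately not parenthesized: the cast must widen the caller's size arithmetic */`, and consider generating the seven wrappers from one helper macro so the rule lives in one place. Parts of each macro body are missing from this listing, so the above is based on the visible lines only.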
44852 diff -urNp linux-2.6.33/include/net/irda/ircomm_tty.h linux-2.6.33/include/net/irda/ircomm_tty.h
44853 --- linux-2.6.33/include/net/irda/ircomm_tty.h 2010-02-24 13:52:17.000000000 -0500
44854 +++ linux-2.6.33/include/net/irda/ircomm_tty.h 2010-03-07 12:23:36.129711674 -0500
44855 @@ -105,8 +105,8 @@ struct ircomm_tty_cb {
44856 unsigned short close_delay;
44857 unsigned short closing_wait; /* time to wait before closing */
44860 - int blocked_open; /* # of blocked opens */
44861 + atomic_t open_count;
44862 + atomic_t blocked_open; /* # of blocked opens */
44864 /* Protect concurent access to :
44865 * o self->open_count
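Review bot: The context comment at the end of this hunk still lists `self->open_count` as protected by a lock, while the new side turns `open_count` and `blocked_open` into `atomic_t`. If the lock is still taken around every access the atomic type adds nothing, and if it is not, the comment is now misleading; the hunk should update the comment to say which of the two is intended. Check-then-act sequences on the count are no more race-free with `atomic_t` than before unless they stay under the lock, so the conversion of each `++`/`--` site to `atomic_inc()`/`atomic_dec()` needs to be reviewed with that in mind. The comment continues outside the hunk.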
44866 diff -urNp linux-2.6.33/include/net/neighbour.h linux-2.6.33/include/net/neighbour.h
44867 --- linux-2.6.33/include/net/neighbour.h 2010-02-24 13:52:17.000000000 -0500
44868 +++ linux-2.6.33/include/net/neighbour.h 2010-03-07 12:23:36.129711674 -0500
44869 @@ -116,12 +116,12 @@ struct neighbour {
44873 - void (*solicit)(struct neighbour *, struct sk_buff*);
44874 - void (*error_report)(struct neighbour *, struct sk_buff*);
44875 - int (*output)(struct sk_buff*);
44876 - int (*connected_output)(struct sk_buff*);
44877 - int (*hh_output)(struct sk_buff*);
44878 - int (*queue_xmit)(struct sk_buff*);
44879 + void (* const solicit)(struct neighbour *, struct sk_buff*);
44880 + void (* const error_report)(struct neighbour *, struct sk_buff*);
44881 + int (* const output)(struct sk_buff*);
44882 + int (* const connected_output)(struct sk_buff*);
44883 + int (* const hh_output)(struct sk_buff*);
44884 + int (* const queue_xmit)(struct sk_buff*);
44887 struct pneigh_entry {
44888 diff -urNp linux-2.6.33/include/net/sctp/sctp.h linux-2.6.33/include/net/sctp/sctp.h
44889 --- linux-2.6.33/include/net/sctp/sctp.h 2010-02-24 13:52:17.000000000 -0500
44890 +++ linux-2.6.33/include/net/sctp/sctp.h 2010-03-07 12:23:36.129711674 -0500
44891 @@ -304,8 +304,8 @@ extern int sctp_debug_flag;
44893 #else /* SCTP_DEBUG */
44895 -#define SCTP_DEBUG_PRINTK(whatever...)
44896 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
44897 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
44898 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
44899 #define SCTP_ENABLE_DEBUG
44900 #define SCTP_DISABLE_DEBUG
44901 #define SCTP_ASSERT(expr, str, func)
44902 diff -urNp linux-2.6.33/include/net/tcp.h linux-2.6.33/include/net/tcp.h
44903 --- linux-2.6.33/include/net/tcp.h 2010-02-24 13:52:17.000000000 -0500
44904 +++ linux-2.6.33/include/net/tcp.h 2010-03-07 12:23:36.129711674 -0500
44905 @@ -1392,6 +1392,7 @@ enum tcp_seq_states {
44906 struct tcp_seq_afinfo {
44908 sa_family_t family;
44909 + /* cannot be const */
44910 struct file_operations seq_fops;
44911 struct seq_operations seq_ops;
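Review bot: The added `/* cannot be const */` does not say why, so the next person constifying `file_operations` users has to rediscover the reason. Presumably `seq_fops` is filled in at registration time rather than statically initialised; that is not visible in this hunk and should be confirmed, in which case `/* cannot be const: seq_fops is populated when the afinfo is registered */` states the constraint. The same bare comment is added to `struct udp_seq_afinfo` in the udp.h hunk.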
44913 diff -urNp linux-2.6.33/include/net/udp.h linux-2.6.33/include/net/udp.h
44914 --- linux-2.6.33/include/net/udp.h 2010-02-24 13:52:17.000000000 -0500
44915 +++ linux-2.6.33/include/net/udp.h 2010-03-07 12:23:36.129711674 -0500
44916 @@ -221,6 +221,7 @@ struct udp_seq_afinfo {
44918 sa_family_t family;
44919 struct udp_table *udp_table;
44920 + /* cannot be const */
44921 struct file_operations seq_fops;
44922 struct seq_operations seq_ops;
44924 diff -urNp linux-2.6.33/include/sound/ac97_codec.h linux-2.6.33/include/sound/ac97_codec.h
44925 --- linux-2.6.33/include/sound/ac97_codec.h 2010-02-24 13:52:17.000000000 -0500
44926 +++ linux-2.6.33/include/sound/ac97_codec.h 2010-03-07 12:23:36.129711674 -0500
44927 @@ -419,15 +419,15 @@
44930 struct snd_ac97_build_ops {
44931 - int (*build_3d) (struct snd_ac97 *ac97);
44932 - int (*build_specific) (struct snd_ac97 *ac97);
44933 - int (*build_spdif) (struct snd_ac97 *ac97);
44934 - int (*build_post_spdif) (struct snd_ac97 *ac97);
44935 + int (* const build_3d) (struct snd_ac97 *ac97);
44936 + int (* const build_specific) (struct snd_ac97 *ac97);
44937 + int (* const build_spdif) (struct snd_ac97 *ac97);
44938 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
44940 - void (*suspend) (struct snd_ac97 *ac97);
44941 - void (*resume) (struct snd_ac97 *ac97);
44942 + void (* const suspend) (struct snd_ac97 *ac97);
44943 + void (* const resume) (struct snd_ac97 *ac97);
44945 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
44946 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
44949 struct snd_ac97_bus_ops {
44950 @@ -477,7 +477,7 @@ struct snd_ac97_template {
44953 /* -- lowlevel (hardware) driver specific -- */
44954 - struct snd_ac97_build_ops * build_ops;
44955 + const struct snd_ac97_build_ops * build_ops;
44956 void *private_data;
44957 void (*private_free) (struct snd_ac97 *ac97);
44959 diff -urNp linux-2.6.33/include/trace/events/irq.h linux-2.6.33/include/trace/events/irq.h
44960 --- linux-2.6.33/include/trace/events/irq.h 2010-02-24 13:52:17.000000000 -0500
44961 +++ linux-2.6.33/include/trace/events/irq.h 2010-03-07 12:23:36.129711674 -0500
44964 TRACE_EVENT(irq_handler_entry,
44966 - TP_PROTO(int irq, struct irqaction *action),
44967 + TP_PROTO(int irq, const struct irqaction *action),
44969 TP_ARGS(irq, action),
44971 @@ -64,7 +64,7 @@ TRACE_EVENT(irq_handler_entry,
44973 TRACE_EVENT(irq_handler_exit,
44975 - TP_PROTO(int irq, struct irqaction *action, int ret),
44976 + TP_PROTO(int irq, const struct irqaction *action, int ret),
44978 TP_ARGS(irq, action, ret),
44980 @@ -84,7 +84,7 @@ TRACE_EVENT(irq_handler_exit,
44982 DECLARE_EVENT_CLASS(softirq,
44984 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
44985 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
44989 @@ -113,7 +113,7 @@ DECLARE_EVENT_CLASS(softirq,
44991 DEFINE_EVENT(softirq, softirq_entry,
44993 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
44994 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
44998 @@ -131,7 +131,7 @@ DEFINE_EVENT(softirq, softirq_entry,
45000 DEFINE_EVENT(softirq, softirq_exit,
45002 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
45003 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
45007 diff -urNp linux-2.6.33/include/video/uvesafb.h linux-2.6.33/include/video/uvesafb.h
45008 --- linux-2.6.33/include/video/uvesafb.h 2010-02-24 13:52:17.000000000 -0500
45009 +++ linux-2.6.33/include/video/uvesafb.h 2010-03-07 12:23:36.129711674 -0500
45010 @@ -177,6 +177,7 @@ struct uvesafb_par {
45011 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
45012 u8 pmi_setpal; /* PMI for palette changes */
45013 u16 *pmi_base; /* protected mode interface location */
45014 + u8 *pmi_code; /* protected mode code location */
45017 u8 *vbe_state_orig; /*
45018 diff -urNp linux-2.6.33/init/do_mounts.c linux-2.6.33/init/do_mounts.c
45019 --- linux-2.6.33/init/do_mounts.c 2010-02-24 13:52:17.000000000 -0500
45020 +++ linux-2.6.33/init/do_mounts.c 2010-03-07 12:23:36.133586895 -0500
45021 @@ -216,11 +216,11 @@ static void __init get_fs_names(char *pa
45023 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
45025 - int err = sys_mount(name, "/root", fs, flags, data);
45026 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
45030 - sys_chdir("/root");
45031 + sys_chdir((__force char __user *)"/root");
45032 ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
45033 printk("VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
45034 current->fs->pwd.mnt->mnt_sb->s_type->name,
45035 @@ -311,18 +311,18 @@ void __init change_floppy(char *fmt, ...
45036 va_start(args, fmt);
45037 vsprintf(buf, fmt, args);
45039 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
45040 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
45042 sys_ioctl(fd, FDEJECT, 0);
45045 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
45046 - fd = sys_open("/dev/console", O_RDWR, 0);
45047 + fd = sys_open((char __user *)"/dev/console", O_RDWR, 0);
45049 sys_ioctl(fd, TCGETS, (long)&termios);
45050 termios.c_lflag &= ~ICANON;
45051 sys_ioctl(fd, TCSETSF, (long)&termios);
45052 - sys_read(fd, &c, 1);
45053 + sys_read(fd, (char __user *)&c, 1);
45054 termios.c_lflag |= ICANON;
45055 sys_ioctl(fd, TCSETSF, (long)&termios);
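Review bot: The casts added in `change_floppy()` use `(char __user *)` without `__force`, unlike the `(__force char __user *)` form used in `do_mount_root()` just above and in the other init/ files. Sparse still warns on an address-space cast that is not marked `__force`, so these lines keep the warning the patch removes elsewhere; they should read `fd = sys_open((__force const char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);` and `sys_read(fd, (__force char __user *)&c, 1);`, and likewise for the `/dev/console` open. The two `sys_mkdir()` casts in the init/noinitramfs.c hunks have the same omission. change_floppy()'s body starts and ends outside the hunk.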
45057 @@ -416,6 +416,6 @@ void __init prepare_namespace(void)
45060 devtmpfs_mount("dev");
45061 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
45063 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
45064 + sys_chroot((__force char __user *)".");
45066 diff -urNp linux-2.6.33/init/do_mounts.h linux-2.6.33/init/do_mounts.h
45067 --- linux-2.6.33/init/do_mounts.h 2010-02-24 13:52:17.000000000 -0500
45068 +++ linux-2.6.33/init/do_mounts.h 2010-03-07 12:23:36.133586895 -0500
45069 @@ -15,15 +15,15 @@ extern int root_mountflags;
45071 static inline int create_dev(char *name, dev_t dev)
45073 - sys_unlink(name);
45074 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
45075 + sys_unlink((__force char __user *)name);
45076 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
45079 #if BITS_PER_LONG == 32
45080 static inline u32 bstat(char *name)
45082 struct stat64 stat;
45083 - if (sys_stat64(name, &stat) != 0)
45084 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
45086 if (!S_ISBLK(stat.st_mode))
45088 diff -urNp linux-2.6.33/init/do_mounts_initrd.c linux-2.6.33/init/do_mounts_initrd.c
45089 --- linux-2.6.33/init/do_mounts_initrd.c 2010-02-24 13:52:17.000000000 -0500
45090 +++ linux-2.6.33/init/do_mounts_initrd.c 2010-03-07 12:23:36.133586895 -0500
45091 @@ -32,7 +32,7 @@ static int __init do_linuxrc(void * shel
45092 sys_close(old_fd);sys_close(root_fd);
45093 sys_close(0);sys_close(1);sys_close(2);
45095 - (void) sys_open("/dev/console",O_RDWR,0);
45096 + (void) sys_open((__force const char __user *)"/dev/console",O_RDWR,0);
45099 return kernel_execve(shell, argv, envp_init);
45100 @@ -47,13 +47,13 @@ static void __init handle_initrd(void)
45101 create_dev("/dev/root.old", Root_RAM0);
45102 /* mount initrd on rootfs' /root */
45103 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
45104 - sys_mkdir("/old", 0700);
45105 - root_fd = sys_open("/", 0, 0);
45106 - old_fd = sys_open("/old", 0, 0);
45107 + sys_mkdir((__force const char __user *)"/old", 0700);
45108 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
45109 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
45110 /* move initrd over / and chdir/chroot in initrd root */
45111 - sys_chdir("/root");
45112 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
45114 + sys_chdir((__force const char __user *)"/root");
45115 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
45116 + sys_chroot((__force const char __user *)".");
45119 * In case that a resume from disk is carried out by linuxrc or one of
45120 @@ -70,15 +70,15 @@ static void __init handle_initrd(void)
45122 /* move initrd to rootfs' /old */
45123 sys_fchdir(old_fd);
45124 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
45125 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
45126 /* switch root and cwd back to / of rootfs */
45127 sys_fchdir(root_fd);
45129 + sys_chroot((__force const char __user *)".");
45131 sys_close(root_fd);
45133 if (new_decode_dev(real_root_dev) == Root_RAM0) {
45134 - sys_chdir("/old");
45135 + sys_chdir((__force const char __user *)"/old");
45139 @@ -86,17 +86,17 @@ static void __init handle_initrd(void)
45142 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
45143 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
45144 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
45148 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
45149 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
45150 if (error == -ENOENT)
45151 printk("/initrd does not exist. Ignored.\n");
45153 printk("failed\n");
45154 printk(KERN_NOTICE "Unmounting old root\n");
45155 - sys_umount("/old", MNT_DETACH);
45156 + sys_umount((__force char __user *)"/old", MNT_DETACH);
45157 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
45160 @@ -119,11 +119,11 @@ int __init initrd_load(void)
45161 * mounted in the normal path.
45163 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
45164 - sys_unlink("/initrd.image");
45165 + sys_unlink((__force const char __user *)"/initrd.image");
45170 - sys_unlink("/initrd.image");
45171 + sys_unlink((__force const char __user *)"/initrd.image");
45174 diff -urNp linux-2.6.33/init/do_mounts_md.c linux-2.6.33/init/do_mounts_md.c
45175 --- linux-2.6.33/init/do_mounts_md.c 2010-02-24 13:52:17.000000000 -0500
45176 +++ linux-2.6.33/init/do_mounts_md.c 2010-03-07 12:23:36.133586895 -0500
45177 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
45178 partitioned ? "_d" : "", minor,
45179 md_setup_args[ent].device_names);
45181 - fd = sys_open(name, 0, 0);
45182 + fd = sys_open((__force char __user *)name, 0, 0);
45184 printk(KERN_ERR "md: open failed - cannot start "
45185 "array %s\n", name);
45186 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
45190 - fd = sys_open(name, 0, 0);
45191 + fd = sys_open((__force char __user *)name, 0, 0);
45192 sys_ioctl(fd, BLKRRPART, 0);
45195 @@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
45197 wait_for_device_probe();
45199 - fd = sys_open("/dev/md0", 0, 0);
45200 + fd = sys_open((__force char __user *)"/dev/md0", 0, 0);
45202 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
45204 diff -urNp linux-2.6.33/init/initramfs.c linux-2.6.33/init/initramfs.c
45205 --- linux-2.6.33/init/initramfs.c 2010-02-24 13:52:17.000000000 -0500
45206 +++ linux-2.6.33/init/initramfs.c 2010-03-07 12:23:36.133586895 -0500
45207 @@ -74,7 +74,7 @@ static void __init free_hash(void)
45211 -static long __init do_utime(char __user *filename, time_t mtime)
45212 +static long __init do_utime(__force char __user *filename, time_t mtime)
45214 struct timespec t[2];
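Review bot: `__force` in the parameter declaration of `do_utime()` is out of place: it is an annotation for casts, and every caller changed in this file already passes `(__force char __user *)…`. Keeping the prototype as `static long __init do_utime(char __user *filename, time_t mtime)` leaves the address-space check intact at the function boundary and keeps the override visible at each call site, where a reader can see that a kernel buffer is being handed to a user-pointer interface. do_utime()'s body continues outside the hunk.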
45216 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
45217 struct dir_entry *de, *tmp;
45218 list_for_each_entry_safe(de, tmp, &dir_list, list) {
45219 list_del(&de->list);
45220 - do_utime(de->name, de->mtime);
45221 + do_utime((__force char __user *)de->name, de->mtime);
45225 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
45227 char *old = find_link(major, minor, ino, mode, collected);
45229 - return (sys_link(old, collected) < 0) ? -1 : 1;
45230 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
45234 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
45238 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
45239 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
45240 if (S_ISDIR(st.st_mode))
45242 + sys_rmdir((__force char __user *)path);
45244 - sys_unlink(path);
45245 + sys_unlink((__force char __user *)path);
45249 @@ -305,7 +305,7 @@ static int __init do_name(void)
45250 int openflags = O_WRONLY|O_CREAT;
45252 openflags |= O_TRUNC;
45253 - wfd = sys_open(collected, openflags, mode);
45254 + wfd = sys_open((__force char __user *)collected, openflags, mode);
45257 sys_fchown(wfd, uid, gid);
45258 @@ -317,17 +317,17 @@ static int __init do_name(void)
45261 } else if (S_ISDIR(mode)) {
45262 - sys_mkdir(collected, mode);
45263 - sys_chown(collected, uid, gid);
45264 - sys_chmod(collected, mode);
45265 + sys_mkdir((__force char __user *)collected, mode);
45266 + sys_chown((__force char __user *)collected, uid, gid);
45267 + sys_chmod((__force char __user *)collected, mode);
45268 dir_add(collected, mtime);
45269 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
45270 S_ISFIFO(mode) || S_ISSOCK(mode)) {
45271 if (maybe_link() == 0) {
45272 - sys_mknod(collected, mode, rdev);
45273 - sys_chown(collected, uid, gid);
45274 - sys_chmod(collected, mode);
45275 - do_utime(collected, mtime);
45276 + sys_mknod((__force char __user *)collected, mode, rdev);
45277 + sys_chown((__force char __user *)collected, uid, gid);
45278 + sys_chmod((__force char __user *)collected, mode);
45279 + do_utime((__force char __user *)collected, mtime);
45283 @@ -336,15 +336,15 @@ static int __init do_name(void)
45284 static int __init do_copy(void)
45286 if (count >= body_len) {
45287 - sys_write(wfd, victim, body_len);
45288 + sys_write(wfd, (__force char __user *)victim, body_len);
45290 - do_utime(vcollected, mtime);
45291 + do_utime((__force char __user *)vcollected, mtime);
45297 - sys_write(wfd, victim, count);
45298 + sys_write(wfd, (__force char __user *)victim, count);
45302 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
45304 collected[N_ALIGN(name_len) + body_len] = '\0';
45305 clean_path(collected, 0);
45306 - sys_symlink(collected + N_ALIGN(name_len), collected);
45307 - sys_lchown(collected, uid, gid);
45308 - do_utime(collected, mtime);
45309 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
45310 + sys_lchown((__force char __user *)collected, uid, gid);
45311 + do_utime((__force char __user *)collected, mtime);
45313 next_state = Reset;
45315 diff -urNp linux-2.6.33/init/Kconfig linux-2.6.33/init/Kconfig
45316 --- linux-2.6.33/init/Kconfig 2010-02-24 13:52:17.000000000 -0500
45317 +++ linux-2.6.33/init/Kconfig 2010-03-07 12:23:36.133586895 -0500
45318 @@ -1046,7 +1046,7 @@ config SLUB_DEBUG
45321 bool "Disable heap randomization"
45325 Randomizing heap placement makes heap exploits harder, but it
45326 also breaks ancient binaries (including anything libc5 based).
45327 @@ -1158,9 +1158,9 @@ config HAVE_GENERIC_DMA_COHERENT
45331 - depends on PROC_FS
45332 + depends on PROC_FS && !GRKERNSEC_PROC_ADD
45333 depends on SLAB || SLUB_DEBUG
45339 diff -urNp linux-2.6.33/init/main.c linux-2.6.33/init/main.c
45340 --- linux-2.6.33/init/main.c 2010-02-24 13:52:17.000000000 -0500
45341 +++ linux-2.6.33/init/main.c 2010-03-07 12:23:36.133586895 -0500
45342 @@ -97,6 +97,7 @@ static inline void mark_rodata_ro(void)
45344 extern void tc_init(void);
45346 +extern void grsecurity_init(void);
45348 enum system_states system_state __read_mostly;
45349 EXPORT_SYMBOL(system_state);
45350 @@ -183,6 +184,35 @@ static int __init set_reset_devices(char
45352 __setup("reset_devices", set_reset_devices);
45354 +#if defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32)
45355 +static int __init setup_pax_nouderef(char *str)
45357 + unsigned int cpu;
45359 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
45360 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].type = 3;
45361 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].limit = 0xf;
45363 + asm("mov %0, %%ds" : : "r" (__KERNEL_DS) : "memory");
45364 + asm("mov %0, %%es" : : "r" (__KERNEL_DS) : "memory");
45365 + asm("mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
45369 +early_param("pax_nouderef", setup_pax_nouderef);
45372 +#ifdef CONFIG_PAX_SOFTMODE
45373 +unsigned int pax_softmode;
45375 +static int __init setup_pax_softmode(char *str)
45377 + get_option(&str, &pax_softmode);
45380 +__setup("pax_softmode=", setup_pax_softmode);
45383 static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
45384 char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
45385 static const char *panic_later, *panic_param;
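Review bot: `pax_softmode` is declared `unsigned int` but its address is passed to `get_option()`, which takes an `int *`; either declare it `int` or parse into a local `int` and assign the result. Separately, judging by their names both handlers let the kernel command line relax a protection, yet neither leaves a trace in the boot log; a line such as `printk(KERN_INFO "PaX: UDEREF disabled on the command line\n");` in each would make that auditable from dmesg. The literals `3` and `0xf` written into the `GDT_ENTRY_KERNEL_DS` descriptor also deserve a comment naming the descriptor type and limit they select. Several lines of both functions (braces and return statements) are not visible in this listing.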
45386 @@ -697,52 +727,53 @@ int initcall_debug;
45387 core_param(initcall_debug, initcall_debug, bool, 0644);
45389 static char msgbuf[64];
45390 -static struct boot_trace_call call;
45391 -static struct boot_trace_ret ret;
45392 +static struct boot_trace_call trace_call;
45393 +static struct boot_trace_ret trace_ret;
45395 int do_one_initcall(initcall_t fn)
45397 int count = preempt_count();
45398 ktime_t calltime, delta, rettime;
45399 + const char *msg1 = "", *msg2 = "";
45401 if (initcall_debug) {
45402 - call.caller = task_pid_nr(current);
45403 - printk("calling %pF @ %i\n", fn, call.caller);
45404 + trace_call.caller = task_pid_nr(current);
45405 + printk("calling %pF @ %i\n", fn, trace_call.caller);
45406 calltime = ktime_get();
45407 - trace_boot_call(&call, fn);
45408 + trace_boot_call(&trace_call, fn);
45409 enable_boot_trace();
45412 - ret.result = fn();
45413 + trace_ret.result = fn();
45415 if (initcall_debug) {
45416 disable_boot_trace();
45417 rettime = ktime_get();
45418 delta = ktime_sub(rettime, calltime);
45419 - ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
45420 - trace_boot_ret(&ret, fn);
45421 + trace_ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
45422 + trace_boot_ret(&trace_ret, fn);
45423 printk("initcall %pF returned %d after %Ld usecs\n", fn,
45424 - ret.result, ret.duration);
45425 + trace_ret.result, trace_ret.duration);
45430 - if (ret.result && ret.result != -ENODEV && initcall_debug)
45431 - sprintf(msgbuf, "error code %d ", ret.result);
45432 + if (trace_ret.result && trace_ret.result != -ENODEV && initcall_debug)
45433 + sprintf(msgbuf, "error code %d ", trace_ret.result);
45435 if (preempt_count() != count) {
45436 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
45437 + msg1 = " preemption imbalance";
45438 preempt_count() = count;
45440 if (irqs_disabled()) {
45441 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
45442 + msg2 = " disabled interrupts";
45443 local_irq_enable();
45446 - printk("initcall %pF returned with %s\n", fn, msgbuf);
45447 + if (msgbuf[0] || *msg1 || *msg2) {
45448 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
45451 - return ret.result;
45452 + return trace_ret.result;
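Review bot: The `sprintf()` into the 64-byte static `msgbuf` is now the only unbounded write left in do_one_initcall(), since the two `strlcat()` calls were replaced by the msg1/msg2 pointers. Writing it as `snprintf(msgbuf, sizeof(msgbuf), "error code %d ", trace_ret.result);` keeps the bound visible next to the buffer and costs nothing. The format string still ends in a space while msg1 and msg2 now begin with one, so a combined message prints a double space; dropping the trailing space from the format would tidy that. The line that resets msgbuf is not shown in this hunk.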
45456 @@ -881,11 +912,13 @@ static int __init kernel_init(void * unu
45457 if (!ramdisk_execute_command)
45458 ramdisk_execute_command = "/init";
45460 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
45461 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
45462 ramdisk_execute_command = NULL;
45463 prepare_namespace();
45466 + grsecurity_init();
45469 * Ok, we have completed the initial bootup, and
45470 * we're essentially up and running. Get rid of the
45471 diff -urNp linux-2.6.33/init/noinitramfs.c linux-2.6.33/init/noinitramfs.c
45472 --- linux-2.6.33/init/noinitramfs.c 2010-02-24 13:52:17.000000000 -0500
45473 +++ linux-2.6.33/init/noinitramfs.c 2010-03-07 12:23:36.133586895 -0500
45474 @@ -29,7 +29,7 @@ static int __init default_rootfs(void)
45478 - err = sys_mkdir("/dev", 0755);
45479 + err = sys_mkdir((const char __user *)"/dev", 0755);
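Review bot: The added cast `(const char __user *)"/dev"` omits `__force`, unlike the equivalent casts this same patch adds in init/main.c (`(__force const char __user *) ramdisk_execute_command`) and kernel/acct.c. A kernel string literal passed as a user pointer is a deliberate address-space override, and `__force` is how the tree marks that for sparse and for readers. I would write `err = sys_mkdir((__force const char __user *)"/dev", 0755);` here and do the same for the "/root" call in the next hunk. default_rootfs() starts and ends outside both hunks.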
45483 @@ -39,7 +39,7 @@ static int __init default_rootfs(void)
45487 - err = sys_mkdir("/root", 0700);
45488 + err = sys_mkdir((const char __user *)"/root", 0700);
45492 diff -urNp linux-2.6.33/ipc/mqueue.c linux-2.6.33/ipc/mqueue.c
45493 --- linux-2.6.33/ipc/mqueue.c 2010-02-24 13:52:17.000000000 -0500
45494 +++ linux-2.6.33/ipc/mqueue.c 2010-03-07 12:23:36.133586895 -0500
45495 @@ -149,6 +149,7 @@ static struct inode *mqueue_get_inode(st
45496 mq_bytes = (mq_msg_tblsz +
45497 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
45499 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
45500 spin_lock(&mq_lock);
45501 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
45502 u->mq_bytes + mq_bytes >
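Review bot: `gr_learn_resource()` is passed `u->mq_bytes + mq_bytes` before `spin_lock(&mq_lock)` is taken and before the wrap check on the following line, so the value it records is an unlocked snapshot that may already have overflowed. If gr_learn_resource() is safe to call in atomic context (not visible here), move the call below `spin_lock(&mq_lock);` and after the `u->mq_bytes + mq_bytes < u->mq_bytes` test. Otherwise add a comment such as `/* unlocked snapshot; may race with other queues of this user and is not yet overflow-checked */`. The enclosing function continues outside the hunk.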
45503 diff -urNp linux-2.6.33/ipc/shm.c linux-2.6.33/ipc/shm.c
45504 --- linux-2.6.33/ipc/shm.c 2010-02-24 13:52:17.000000000 -0500
45505 +++ linux-2.6.33/ipc/shm.c 2010-03-07 12:23:36.133586895 -0500
45506 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
45507 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
45510 +#ifdef CONFIG_GRKERNSEC
45511 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
45512 + const time_t shm_createtime, const uid_t cuid,
45513 + const int shmid);
45514 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
45515 + const time_t shm_createtime);
45518 void shm_init_ns(struct ipc_namespace *ns)
45520 ns->shm_ctlmax = SHMMAX;
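Review bot: The prototypes for gr_handle_shmat() and gr_chroot_shmat() are declared with `extern` directly in ipc/shm.c, so the compiler never checks them against the definitions. A later change to either signature would still build and only go wrong at the call in do_shmat(). Declaring them in a header included by both the defining file and this one removes that risk. kernel/exit.c does the same thing with `extern rwlock_t grsec_exec_file_lock;` and would benefit from the same header.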
45521 @@ -398,6 +406,14 @@ static int newseg(struct ipc_namespace *
45522 shp->shm_lprid = 0;
45523 shp->shm_atim = shp->shm_dtim = 0;
45524 shp->shm_ctim = get_seconds();
45525 +#ifdef CONFIG_GRKERNSEC
45527 + struct timespec timeval;
45528 + do_posix_clock_monotonic_gettime(&timeval);
45530 + shp->shm_createtime = timeval.tv_sec;
45533 shp->shm_segsz = size;
45534 shp->shm_nattch = 0;
45535 shp->shm_file = file;
45536 @@ -881,9 +897,21 @@ long do_shmat(int shmid, char __user *sh
45540 +#ifdef CONFIG_GRKERNSEC
45541 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
45542 + shp->shm_perm.cuid, shmid) ||
45543 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
45549 path = shp->shm_file->f_path;
45552 +#ifdef CONFIG_GRKERNSEC
45553 + shp->shm_lapid = current->pid;
45555 size = i_size_read(path.dentry->d_inode);
45558 diff -urNp linux-2.6.33/kernel/acct.c linux-2.6.33/kernel/acct.c
45559 --- linux-2.6.33/kernel/acct.c 2010-02-24 13:52:17.000000000 -0500
45560 +++ linux-2.6.33/kernel/acct.c 2010-03-07 12:23:36.133586895 -0500
45561 @@ -579,7 +579,7 @@ static void do_acct_process(struct bsd_a
45563 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
45564 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
45565 - file->f_op->write(file, (char *)&ac,
45566 + file->f_op->write(file, (__force char __user *)&ac,
45567 sizeof(acct_t), &file->f_pos);
45568 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
45570 diff -urNp linux-2.6.33/kernel/capability.c linux-2.6.33/kernel/capability.c
45571 --- linux-2.6.33/kernel/capability.c 2010-02-24 13:52:17.000000000 -0500
45572 +++ linux-2.6.33/kernel/capability.c 2010-03-07 12:23:36.133586895 -0500
45573 @@ -206,6 +206,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
45574 * before modification is attempted and the application
45577 + if (tocopy > ARRAY_SIZE(kdata))
45580 if (copy_to_user(dataptr, kdata, tocopy
45581 * sizeof(struct __user_cap_data_struct))) {
45583 @@ -307,10 +310,21 @@ int capable(int cap)
45587 - if (security_capable(cap) == 0) {
45588 + if (security_capable(cap) == 0 && gr_is_capable(cap)) {
45589 + current->flags |= PF_SUPERPRIV;
45595 +int capable_nolog(int cap)
45597 + if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
45598 current->flags |= PF_SUPERPRIV;
45604 EXPORT_SYMBOL(capable);
45605 +EXPORT_SYMBOL(capable_nolog);
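Review bot: capable_nolog() is added and exported without any comment saying how it differs from capable(). From the visible lines the only difference is that it consults `gr_is_capable_nolog(cap)` instead of `gr_is_capable(cap)`; both still set PF_SUPERPRIV on success. A short header such as `/* Like capable(), but asks gr_is_capable_nolog(); presumably a denial is not logged. Use only where a failed check is expected and harmless. */` would tell module authors when the variant is appropriate. Because `security_capable(cap) == 0` is evaluated first, the gr_* hook is reached only after the LSM has already allowed the capability, which is also worth stating in that comment.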
45606 diff -urNp linux-2.6.33/kernel/configs.c linux-2.6.33/kernel/configs.c
45607 --- linux-2.6.33/kernel/configs.c 2010-02-24 13:52:17.000000000 -0500
45608 +++ linux-2.6.33/kernel/configs.c 2010-03-07 12:23:36.133586895 -0500
45609 @@ -73,8 +73,19 @@ static int __init ikconfig_init(void)
45610 struct proc_dir_entry *entry;
45612 /* create the current config file */
45613 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
45614 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
45615 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
45616 + &ikconfig_file_ops);
45617 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45618 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
45619 + &ikconfig_file_ops);
45622 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
45623 &ikconfig_file_ops);
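Review bot: The nested `#if` that selects the mode of config.gz has branches only for PROC_USER/HIDESYM and PROC_USERGROUP inside the outer `CONFIG_GRKERNSEC_PROC_ADD || CONFIG_GRKERNSEC_HIDESYM` test. The page drops the preprocessor lines between the USERGROUP branch and the default `S_IRUGO` call, so I cannot see whether the inner conditional has an `#else`. If it does not, and Kconfig does not guarantee that PROC_ADD implies one of the two, a PROC_ADD-only build would leave `entry` unassigned. An explicit inner `#else` that either falls back to the restrictive `S_IFREG | S_IRUSR` mode or raises `#error` would make the intent checkable at build time.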
45629 diff -urNp linux-2.6.33/kernel/cpu.c linux-2.6.33/kernel/cpu.c
45630 --- linux-2.6.33/kernel/cpu.c 2010-02-24 13:52:17.000000000 -0500
45631 +++ linux-2.6.33/kernel/cpu.c 2010-03-07 12:23:36.133586895 -0500
45633 /* Serializes the updates to cpu_online_mask, cpu_present_mask */
45634 static DEFINE_MUTEX(cpu_add_remove_lock);
45636 -static __cpuinitdata RAW_NOTIFIER_HEAD(cpu_chain);
45637 +static RAW_NOTIFIER_HEAD(cpu_chain);
45639 /* If set, cpu_up and cpu_down will return -EBUSY and do nothing.
45640 * Should always be manipulated under cpu_add_remove_lock
45641 diff -urNp linux-2.6.33/kernel/cred.c linux-2.6.33/kernel/cred.c
45642 --- linux-2.6.33/kernel/cred.c 2010-02-24 13:52:17.000000000 -0500
45643 +++ linux-2.6.33/kernel/cred.c 2010-03-07 12:23:36.133586895 -0500
45644 @@ -520,6 +520,8 @@ int commit_creds(struct cred *new)
45646 get_cred(new); /* we will require a ref for the subj creds too */
45648 + gr_set_role_label(task, new->uid, new->gid);
45650 /* dumpability changes */
45651 if (old->euid != new->euid ||
45652 old->egid != new->egid ||
45653 diff -urNp linux-2.6.33/kernel/exit.c linux-2.6.33/kernel/exit.c
45654 --- linux-2.6.33/kernel/exit.c 2010-02-24 13:52:17.000000000 -0500
45655 +++ linux-2.6.33/kernel/exit.c 2010-03-07 12:23:36.133586895 -0500
45657 #include <asm/mmu_context.h>
45658 #include "cred-internals.h"
45660 +#ifdef CONFIG_GRKERNSEC
45661 +extern rwlock_t grsec_exec_file_lock;
45664 static void exit_mm(struct task_struct * tsk);
45666 static void __unhash_process(struct task_struct *p)
45667 @@ -168,6 +172,8 @@ void release_task(struct task_struct * p
45668 struct task_struct *leader;
45671 + gr_del_task_from_ip_table(p);
45673 tracehook_prepare_release_task(p);
45674 /* don't need to get the RCU readlock here - the process is dead and
45675 * can't be modifying its own credentials */
45676 @@ -335,11 +341,22 @@ static void reparent_to_kthreadd(void)
45678 write_lock_irq(&tasklist_lock);
45680 +#ifdef CONFIG_GRKERNSEC
45681 + write_lock(&grsec_exec_file_lock);
45682 + if (current->exec_file) {
45683 + fput(current->exec_file);
45684 + current->exec_file = NULL;
45686 + write_unlock(&grsec_exec_file_lock);
45689 ptrace_unlink(current);
45690 /* Reparent to init */
45691 current->real_parent = current->parent = kthreadd_task;
45692 list_move_tail(¤t->sibling, ¤t->real_parent->children);
45694 + gr_set_kernel_label(current);
45696 /* Set the exit signal to SIGCHLD so we signal init on exit */
45697 current->exit_signal = SIGCHLD;
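Review bot: `fput(current->exec_file)` is called while grsec_exec_file_lock is write-held and, in this function, inside the region opened by `write_lock_irq(&tasklist_lock)` two lines above the added block. Dropping the last reference runs the file's release path, which may sleep, so it should not happen under a spinning lock with interrupts disabled. Detach the pointer under the lock and call fput() only after both locks are released; the same block is repeated in the daemonize() hunk further down and needs the same treatment. The unlock of tasklist_lock lies outside this hunk, so the placement of the final fput() below is indicative.
```c
#ifdef CONFIG_GRKERNSEC
	struct file *old_exec_file;	/* declared with the function's other locals */
#endif

	/* … unchanged: write_lock_irq(&tasklist_lock) … */
#ifdef CONFIG_GRKERNSEC
	write_lock(&grsec_exec_file_lock);
	old_exec_file = current->exec_file;
	current->exec_file = NULL;
	write_unlock(&grsec_exec_file_lock);
#endif
	/* … unchanged: ptrace_unlink(), reparenting, rest of the locked region … */

#ifdef CONFIG_GRKERNSEC
	/* after tasklist_lock has been released */
	if (old_exec_file)
		fput(old_exec_file);
#endif
```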
45699 @@ -391,7 +408,7 @@ int allow_signal(int sig)
45700 * know it'll be handled, so that they don't get converted to
45701 * SIGKILL or just silently dropped.
45703 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
45704 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
45705 recalc_sigpending();
45706 spin_unlock_irq(¤t->sighand->siglock);
45708 @@ -427,6 +444,17 @@ void daemonize(const char *name, ...)
45709 vsnprintf(current->comm, sizeof(current->comm), name, args);
45712 +#ifdef CONFIG_GRKERNSEC
45713 + write_lock(&grsec_exec_file_lock);
45714 + if (current->exec_file) {
45715 + fput(current->exec_file);
45716 + current->exec_file = NULL;
45718 + write_unlock(&grsec_exec_file_lock);
45721 + gr_set_kernel_label(current);
45724 * If we were started as result of loading a module, close all of the
45725 * user space pages. We don't need them, and if we didn't close them
45726 @@ -961,6 +989,9 @@ NORET_TYPE void do_exit(long code)
45727 tsk->exit_code = code;
45728 taskstats_exit(tsk, group_dead);
45730 + gr_acl_handle_psacct(tsk, code);
45731 + gr_acl_handle_exit();
45736 @@ -1180,7 +1211,7 @@ static int wait_task_zombie(struct wait_
45738 if (unlikely(wo->wo_flags & WNOWAIT)) {
45739 int exit_code = p->exit_code;
45743 get_task_struct(p);
45744 read_unlock(&tasklist_lock);
45745 diff -urNp linux-2.6.33/kernel/fork.c linux-2.6.33/kernel/fork.c
45746 --- linux-2.6.33/kernel/fork.c 2010-02-24 13:52:17.000000000 -0500
45747 +++ linux-2.6.33/kernel/fork.c 2010-03-07 12:23:36.133586895 -0500
45748 @@ -255,7 +255,7 @@ static struct task_struct *dup_task_stru
45749 *stackend = STACK_END_MAGIC; /* for overflow detection */
45751 #ifdef CONFIG_CC_STACKPROTECTOR
45752 - tsk->stack_canary = get_random_int();
45753 + tsk->stack_canary = pax_get_random_long();
45756 /* One for us, one for whoever does the "release_task()" (usually parent) */
45757 @@ -295,8 +295,8 @@ static int dup_mmap(struct mm_struct *mm
45760 mm->mmap_cache = NULL;
45761 - mm->free_area_cache = oldmm->mmap_base;
45762 - mm->cached_hole_size = ~0UL;
45763 + mm->free_area_cache = oldmm->free_area_cache;
45764 + mm->cached_hole_size = oldmm->cached_hole_size;
45766 cpumask_clear(mm_cpumask(mm));
45767 mm->mm_rb = RB_ROOT;
45768 @@ -336,6 +336,7 @@ static int dup_mmap(struct mm_struct *mm
45769 tmp->vm_flags &= ~VM_LOCKED;
45771 tmp->vm_next = NULL;
45772 + tmp->vm_mirror = NULL;
45773 anon_vma_link(tmp);
45774 file = tmp->vm_file;
45776 @@ -383,6 +384,31 @@ static int dup_mmap(struct mm_struct *mm
45781 +#ifdef CONFIG_PAX_SEGMEXEC
45782 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
45783 + struct vm_area_struct *mpnt_m;
45785 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
45786 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
45788 + if (!mpnt->vm_mirror)
45791 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
45792 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
45793 + mpnt->vm_mirror = mpnt_m;
45795 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
45796 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
45797 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
45798 + mpnt->vm_mirror->vm_mirror = mpnt;
45805 /* a new mm has just been created */
45806 arch_dup_mmap(oldmm, mm);
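Review bot: The SEGMEXEC fix-up loop temporarily repurposes the parent's `vm_mirror` pointers and has no comment explaining it, which makes the BUG_ON conditions hard to audit. For a vma ending at or below SEGMEXEC_TASK_SIZE the code stores the child's copy in `mpnt->vm_mirror`. For the other vma of the pair it reads that stored pointer back through `mpnt->vm_mirror->vm_mirror`, links the two child vmas to each other, and restores the parent's pointer. I would put a block comment above the loop describing those two phases and stating that it appears to rely on the lower-half vma being visited before its upper-half twin in the `vm_next` list. A one-liner on the first branch would also help, for example `/* lower half: park the child's copy in the parent's vm_mirror until the twin is reached */`. Some lines of the loop body are not shown on this page, and dup_mmap() itself starts and ends outside the hunk.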
45808 @@ -733,7 +759,7 @@ static int copy_fs(unsigned long clone_f
45809 write_unlock(&fs->lock);
45813 + atomic_inc(&fs->users);
45814 write_unlock(&fs->lock);
45817 @@ -1032,10 +1058,10 @@ static struct task_struct *copy_process(
45819 if (!vx_nproc_avail(1))
45820 goto bad_fork_cleanup_vm;
45821 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
45822 if (atomic_read(&p->real_cred->user->processes) >=
45823 p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
45824 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
45825 - p->real_cred->user != INIT_USER)
45826 + if (p->real_cred->user != INIT_USER && !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
45827 goto bad_fork_cleanup_vm;
45830 @@ -1064,6 +1090,10 @@ static struct task_struct *copy_process(
45831 p->vfork_done = NULL;
45832 spin_lock_init(&p->alloc_lock);
45834 +#ifdef CONFIG_GRKERNSEC
45835 + rwlock_init(&p->gr_fs_lock);
45838 init_sigpending(&p->pending);
45840 p->utime = cputime_zero;
45841 @@ -1190,6 +1220,8 @@ static struct task_struct *copy_process(
45842 goto bad_fork_free_pid;
45845 + gr_copy_label(p);
45847 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
45849 * Clear TID on mm_release()?
45850 @@ -1342,6 +1374,8 @@ bad_fork_cleanup_count:
45854 + gr_log_forkfail(retval);
45856 return ERR_PTR(retval);
45859 @@ -1435,6 +1469,8 @@ long do_fork(unsigned long clone_flags,
45860 if (clone_flags & CLONE_PARENT_SETTID)
45861 put_user(nr, parent_tidptr);
45863 + gr_handle_brute_check();
45865 if (clone_flags & CLONE_VFORK) {
45866 p->vfork_done = &vfork;
45867 init_completion(&vfork);
45868 @@ -1567,7 +1603,7 @@ static int unshare_fs(unsigned long unsh
45871 /* don't need lock here; in the worst case we'll do useless copy */
45872 - if (fs->users == 1)
45873 + if (atomic_read(&fs->users) == 1)
45876 *new_fsp = copy_fs_struct(fs);
45877 @@ -1687,14 +1723,18 @@ SYSCALL_DEFINE1(unshare, unsigned long,
45878 task_lock(current);
45881 + unsigned long flags;
45883 + gr_fs_write_lock_irqsave(current, flags);
45885 write_lock(&fs->lock);
45886 current->fs = new_fs;
45888 + if (atomic_dec_return(&fs->users))
45892 write_unlock(&fs->lock);
45893 + gr_fs_write_unlock_irqrestore(current, flags);
45897 diff -urNp linux-2.6.33/kernel/futex.c linux-2.6.33/kernel/futex.c
45898 --- linux-2.6.33/kernel/futex.c 2010-02-24 13:52:17.000000000 -0500
45899 +++ linux-2.6.33/kernel/futex.c 2010-03-07 12:23:36.137713527 -0500
45901 #include <linux/mount.h>
45902 #include <linux/pagemap.h>
45903 #include <linux/syscalls.h>
45904 +#include <linux/ptrace.h>
45905 #include <linux/signal.h>
45906 #include <linux/module.h>
45907 #include <linux/magic.h>
45908 @@ -221,6 +222,11 @@ get_futex_key(u32 __user *uaddr, int fsh
45912 +#ifdef CONFIG_PAX_SEGMEXEC
45913 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
45918 * The futex address must be "naturally" aligned.
45920 @@ -1852,7 +1858,7 @@ retry:
45922 restart = ¤t_thread_info()->restart_block;
45923 restart->fn = futex_wait_restart;
45924 - restart->futex.uaddr = (u32 *)uaddr;
45925 + restart->futex.uaddr = uaddr;
45926 restart->futex.val = val;
45927 restart->futex.time = abs_time->tv64;
45928 restart->futex.bitset = bitset;
45929 @@ -2385,7 +2391,10 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
45931 struct robust_list_head __user *head;
45933 - const struct cred *cred = current_cred(), *pcred;
45934 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
45935 + const struct cred *cred = current_cred();
45936 + const struct cred *pcred;
45939 if (!futex_cmpxchg_enabled)
45941 @@ -2401,11 +2410,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
45945 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45946 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
45949 pcred = __task_cred(p);
45950 if (cred->euid != pcred->euid &&
45951 cred->euid != pcred->uid &&
45952 !capable(CAP_SYS_PTRACE))
45955 head = p->robust_list;
45958 @@ -2467,7 +2481,7 @@ retry:
45960 static inline int fetch_robust_entry(struct robust_list __user **entry,
45961 struct robust_list __user * __user *head,
45963 + unsigned int *pi)
45965 unsigned long uentry;
45967 diff -urNp linux-2.6.33/kernel/futex_compat.c linux-2.6.33/kernel/futex_compat.c
45968 --- linux-2.6.33/kernel/futex_compat.c 2010-02-24 13:52:17.000000000 -0500
45969 +++ linux-2.6.33/kernel/futex_compat.c 2010-03-07 12:23:36.137713527 -0500
45971 #include <linux/compat.h>
45972 #include <linux/nsproxy.h>
45973 #include <linux/futex.h>
45974 +#include <linux/ptrace.h>
45976 #include <asm/uaccess.h>
45978 @@ -135,7 +136,10 @@ compat_sys_get_robust_list(int pid, comp
45980 struct compat_robust_list_head __user *head;
45982 - const struct cred *cred = current_cred(), *pcred;
45983 + const struct cred *cred = current_cred();
45984 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
45985 + const struct cred *pcred;
45988 if (!futex_cmpxchg_enabled)
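Review bot: In this file `cred` is declared outside the `#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP` guard and only `pcred` inside it, whereas the matching hunk in kernel/futex.c places both declarations inside the guard. With CONFIG_GRKERNSEC_PROC_MEMMAP set, the euid comparison in the next hunk is compiled out, so unless `cred` is used elsewhere in the function (not visible here) it becomes an unused variable and `current_cred()` is evaluated for nothing. Moving `const struct cred *cred = current_cred();` below the `#ifndef` line, as futex.c does, keeps the two syscalls consistent.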
45990 @@ -151,11 +155,16 @@ compat_sys_get_robust_list(int pid, comp
45994 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45995 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
45998 pcred = __task_cred(p);
45999 if (cred->euid != pcred->euid &&
46000 cred->euid != pcred->uid &&
46001 !capable(CAP_SYS_PTRACE))
46004 head = p->compat_robust_list;
46005 read_unlock(&tasklist_lock);
46007 diff -urNp linux-2.6.33/kernel/gcov/base.c linux-2.6.33/kernel/gcov/base.c
46008 --- linux-2.6.33/kernel/gcov/base.c 2010-02-24 13:52:17.000000000 -0500
46009 +++ linux-2.6.33/kernel/gcov/base.c 2010-03-07 12:23:36.137713527 -0500
46010 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
46013 #ifdef CONFIG_MODULES
46014 -static inline int within(void *addr, void *start, unsigned long size)
46016 - return ((addr >= start) && (addr < start + size));
46019 /* Update list and generate events when modules are unloaded. */
46020 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
46022 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
46024 /* Remove entries located in module from linked list. */
46025 for (info = gcov_info_head; info; info = info->next) {
46026 - if (within(info, mod->module_core, mod->core_size)) {
46027 + if (within_module_core_rw((unsigned long)info, mod)) {
46029 prev->next = info->next;
46031 diff -urNp linux-2.6.33/kernel/hrtimer.c linux-2.6.33/kernel/hrtimer.c
46032 --- linux-2.6.33/kernel/hrtimer.c 2010-02-24 13:52:17.000000000 -0500
46033 +++ linux-2.6.33/kernel/hrtimer.c 2010-03-07 12:23:36.137713527 -0500
46034 @@ -1398,7 +1398,7 @@ void hrtimer_peek_ahead_timers(void)
46035 local_irq_restore(flags);
46038 -static void run_hrtimer_softirq(struct softirq_action *h)
46039 +static void run_hrtimer_softirq(void)
46041 hrtimer_peek_ahead_timers();
46043 diff -urNp linux-2.6.33/kernel/kallsyms.c linux-2.6.33/kernel/kallsyms.c
46044 --- linux-2.6.33/kernel/kallsyms.c 2010-02-24 13:52:17.000000000 -0500
46045 +++ linux-2.6.33/kernel/kallsyms.c 2010-03-07 12:23:36.137713527 -0500
46047 * Changed the compression method from stem compression to "table lookup"
46048 * compression (see scripts/kallsyms.c for a more complete description)
46050 +#ifdef CONFIG_GRKERNSEC_HIDESYM
46051 +#define __INCLUDED_BY_HIDESYM 1
46053 #include <linux/kallsyms.h>
46054 #include <linux/module.h>
46055 #include <linux/init.h>
46056 @@ -51,6 +54,9 @@ extern const unsigned long kallsyms_mark
46058 static inline int is_kernel_inittext(unsigned long addr)
46060 + if (system_state != SYSTEM_BOOTING)
46063 if (addr >= (unsigned long)_sinittext
46064 && addr <= (unsigned long)_einittext)
46066 @@ -67,6 +73,24 @@ static inline int is_kernel_text(unsigne
46068 static inline int is_kernel(unsigned long addr)
46070 + if (is_kernel_inittext(addr))
46073 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
46074 + if ((unsigned long)MODULES_EXEC_VADDR <= ktla_ktva(addr) && ktla_ktva(addr) <= (unsigned long)MODULES_EXEC_END)
46077 + if (is_kernel_text(addr))
46080 + if (ktla_ktva((unsigned long)_stext) <= addr && addr < ktla_ktva((unsigned long)_etext))
46083 + if ((addr >= (unsigned long)_sdata && addr <= (unsigned long)_end))
46085 + return in_gate_area_no_task(addr);
46088 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
46090 return in_gate_area_no_task(addr);
46091 @@ -414,7 +438,6 @@ static unsigned long get_ksymbol_core(st
46093 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
46095 - iter->name[0] = '\0';
46096 iter->nameoff = get_symbol_offset(new_pos);
46097 iter->pos = new_pos;
46099 @@ -462,6 +485,11 @@ static int s_show(struct seq_file *m, vo
46101 struct kallsym_iter *iter = m->private;
46103 +#ifdef CONFIG_GRKERNSEC_HIDESYM
46104 + if (current_uid())
46108 /* Some debugging symbols have no name. Ignore them. */
46109 if (!iter->name[0])
46111 @@ -502,7 +530,7 @@ static int kallsyms_open(struct inode *i
46112 struct kallsym_iter *iter;
46115 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
46116 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
46119 reset_iter(iter, 0);
46120 diff -urNp linux-2.6.33/kernel/kgdb.c linux-2.6.33/kernel/kgdb.c
46121 --- linux-2.6.33/kernel/kgdb.c 2010-02-24 13:52:17.000000000 -0500
46122 +++ linux-2.6.33/kernel/kgdb.c 2010-03-07 12:23:36.137713527 -0500
46123 @@ -86,7 +86,7 @@ static int kgdb_io_module_registered;
46124 /* Guard for recursive entry */
46125 static int exception_level;
46127 -static struct kgdb_io *kgdb_io_ops;
46128 +static const struct kgdb_io *kgdb_io_ops;
46129 static DEFINE_SPINLOCK(kgdb_registration_lock);
46131 /* kgdb console driver is loaded */
46132 @@ -1664,7 +1664,7 @@ static void kgdb_initial_breakpoint(void
46134 * Register it with the KGDB core.
46136 -int kgdb_register_io_module(struct kgdb_io *new_kgdb_io_ops)
46137 +int kgdb_register_io_module(const struct kgdb_io *new_kgdb_io_ops)
46141 @@ -1709,7 +1709,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
46143 * Unregister it with the KGDB core.
46145 -void kgdb_unregister_io_module(struct kgdb_io *old_kgdb_io_ops)
46146 +void kgdb_unregister_io_module(const struct kgdb_io *old_kgdb_io_ops)
46148 BUG_ON(kgdb_connected);
46150 diff -urNp linux-2.6.33/kernel/kmod.c linux-2.6.33/kernel/kmod.c
46151 --- linux-2.6.33/kernel/kmod.c 2010-02-24 13:52:17.000000000 -0500
46152 +++ linux-2.6.33/kernel/kmod.c 2010-03-07 12:23:36.137713527 -0500
46153 @@ -90,6 +90,18 @@ int __request_module(bool wait, const ch
46157 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
46158 + /* we could do a tighter check here, but some distros
46159 + are taking it upon themselves to remove CAP_SYS_MODULE
46160 + from even root-running apps which cause modules to be
46163 + if (current_uid()) {
46164 + gr_log_nonroot_mod_load(module_name);
46169 /* If modprobe needs a service that is in a module, we get a recursive
46170 * loop. Limit the number of running kmod threads to max_threads/2 or
46171 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
46172 diff -urNp linux-2.6.33/kernel/kprobes.c linux-2.6.33/kernel/kprobes.c
46173 --- linux-2.6.33/kernel/kprobes.c 2010-02-24 13:52:17.000000000 -0500
46174 +++ linux-2.6.33/kernel/kprobes.c 2010-03-07 12:23:36.137713527 -0500
46175 @@ -186,7 +186,7 @@ static kprobe_opcode_t __kprobes *__get_
46176 * kernel image and loaded module images reside. This is required
46177 * so x86_64 can correctly handle the %rip-relative fixups.
46179 - kip->insns = module_alloc(PAGE_SIZE);
46180 + kip->insns = module_alloc_exec(PAGE_SIZE);
46184 @@ -223,7 +223,7 @@ static int __kprobes collect_one_slot(st
46186 if (!list_is_singular(&kprobe_insn_pages)) {
46187 list_del(&kip->list);
46188 - module_free(NULL, kip->insns);
46189 + module_free_exec(NULL, kip->insns);
46193 diff -urNp linux-2.6.33/kernel/lockdep.c linux-2.6.33/kernel/lockdep.c
46194 --- linux-2.6.33/kernel/lockdep.c 2010-02-24 13:52:17.000000000 -0500
46195 +++ linux-2.6.33/kernel/lockdep.c 2010-03-07 12:23:36.137713527 -0500
46196 @@ -586,6 +586,10 @@ static int static_obj(void *obj)
46200 +#ifdef CONFIG_PAX_KERNEXEC
46201 + start = ktla_ktva(start);
46207 @@ -601,8 +605,7 @@ static int static_obj(void *obj)
46209 for_each_possible_cpu(i) {
46210 start = (unsigned long) &__per_cpu_start + per_cpu_offset(i);
46211 - end = (unsigned long) &__per_cpu_start + PERCPU_ENOUGH_ROOM
46212 - + per_cpu_offset(i);
46213 + end = start + PERCPU_ENOUGH_ROOM;
46215 if ((addr >= start) && (addr < end))
46217 @@ -719,6 +722,7 @@ register_lock_class(struct lockdep_map *
46218 if (!static_obj(lock->key)) {
46220 printk("INFO: trying to register non-static key.\n");
46221 + printk("lock:%pS key:%pS.\n", lock, lock->key);
46222 printk("the code is fine but needs lockdep annotation.\n");
46223 printk("turning off the locking correctness validator.\n");
46225 diff -urNp linux-2.6.33/kernel/module.c linux-2.6.33/kernel/module.c
46226 --- linux-2.6.33/kernel/module.c 2010-02-24 13:52:17.000000000 -0500
46227 +++ linux-2.6.33/kernel/module.c 2010-03-07 12:23:36.141632987 -0500
46228 @@ -89,7 +89,8 @@ static DECLARE_WAIT_QUEUE_HEAD(module_wq
46229 static BLOCKING_NOTIFIER_HEAD(module_notify_list);
46231 /* Bounds of module allocation, for speeding __module_address */
46232 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
46233 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
46234 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
46236 int register_module_notifier(struct notifier_block * nb)
46238 @@ -245,7 +246,7 @@ bool each_symbol(bool (*fn)(const struct
46241 list_for_each_entry_rcu(mod, &modules, list) {
46242 - struct symsearch arr[] = {
46243 + struct symsearch modarr[] = {
46244 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
46245 NOT_GPL_ONLY, false },
46246 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
46247 @@ -267,7 +268,7 @@ bool each_symbol(bool (*fn)(const struct
46251 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
46252 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
46256 @@ -375,7 +376,7 @@ static void *percpu_modalloc(unsigned lo
46260 - if (align > PAGE_SIZE) {
46261 + if (align-1 >= PAGE_SIZE) {
46262 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
46263 name, align, PAGE_SIZE);
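Review bot: The new test `align-1 >= PAGE_SIZE` also rejects `align == 0` through unsigned wrap-around (assuming `align` is unsigned long; the signature is truncated in the hunk header). The warning still prints "per-cpu alignment %li > %li", though, which would read "0 > 4096" on a typical configuration for that case. The wrap trick is not obvious, so I would add `/* align - 1 wraps for 0, so this rejects both 0 and anything above PAGE_SIZE */` above the test. The message could be reworded to something like `"%s: invalid per-cpu alignment %lu (max %lu)\n"`, which also fixes the signed format specifier. The rest of percpu_modalloc() is outside the hunk.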
46265 @@ -1393,7 +1394,8 @@ static void free_module(struct module *m
46266 destroy_params(mod->kp, mod->num_kp);
46268 /* This may be NULL, but that's OK */
46269 - module_free(mod, mod->module_init);
46270 + module_free(mod, mod->module_init_rw);
46271 + module_free_exec(mod, mod->module_init_rx);
46274 percpu_modfree(mod->percpu);
46275 @@ -1402,10 +1404,12 @@ static void free_module(struct module *m
46276 percpu_modfree(mod->refptr);
46278 /* Free lock-classes: */
46279 - lockdep_free_key_range(mod->module_core, mod->core_size);
46280 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
46281 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
46283 /* Finally, free the core (containing the module structure) */
46284 - module_free(mod, mod->module_core);
46285 + module_free_exec(mod, mod->module_core_rx);
46286 + module_free(mod, mod->module_core_rw);
46289 update_protections(current->mm);
46290 @@ -1499,7 +1503,9 @@ static int simplify_symbols(Elf_Shdr *se
46291 strtab + sym[i].st_name, mod);
46292 /* Ok if resolved. */
46294 + pax_open_kernel();
46295 sym[i].st_value = ksym->value;
46296 + pax_close_kernel();
46300 @@ -1518,7 +1524,9 @@ static int simplify_symbols(Elf_Shdr *se
46301 secbase = (unsigned long)mod->percpu;
46303 secbase = sechdrs[sym[i].st_shndx].sh_addr;
46304 + pax_open_kernel();
46305 sym[i].st_value += secbase;
46306 + pax_close_kernel();
46310 @@ -1579,11 +1587,12 @@ static void layout_sections(struct modul
46311 || s->sh_entsize != ~0UL
46312 || strstarts(secstrings + s->sh_name, ".init"))
46314 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
46315 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
46316 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
46318 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
46319 DEBUGP("\t%s\n", secstrings + s->sh_name);
46322 - mod->core_text_size = mod->core_size;
46325 DEBUGP("Init section allocation order:\n");
46326 @@ -1596,12 +1605,13 @@ static void layout_sections(struct modul
46327 || s->sh_entsize != ~0UL
46328 || !strstarts(secstrings + s->sh_name, ".init"))
46330 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
46331 - | INIT_OFFSET_MASK);
46332 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
46333 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
46335 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
46336 + s->sh_entsize |= INIT_OFFSET_MASK;
46337 DEBUGP("\t%s\n", secstrings + s->sh_name);
46340 - mod->init_text_size = mod->init_size;
46344 @@ -1705,9 +1715,8 @@ static int is_exported(const char *name,
46347 static char elf_type(const Elf_Sym *sym,
46348 - Elf_Shdr *sechdrs,
46349 - const char *secstrings,
46350 - struct module *mod)
46351 + const Elf_Shdr *sechdrs,
46352 + const char *secstrings)
46354 if (ELF_ST_BIND(sym->st_info) == STB_WEAK) {
46355 if (ELF_ST_TYPE(sym->st_info) == STT_OBJECT)
46356 @@ -1782,7 +1791,7 @@ static unsigned long layout_symtab(struc
46358 /* Put symbol section at end of init part of module. */
46359 symsect->sh_flags |= SHF_ALLOC;
46360 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
46361 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
46362 symindex) | INIT_OFFSET_MASK;
46363 DEBUGP("\t%s\n", secstrings + symsect->sh_name);
46365 @@ -1799,19 +1808,19 @@ static unsigned long layout_symtab(struc
46368 /* Append room for core symbols at end of core part. */
46369 - symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
46370 - mod->core_size = symoffs + ndst * sizeof(Elf_Sym);
46371 + symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
46372 + mod->core_size_rx = symoffs + ndst * sizeof(Elf_Sym);
46374 /* Put string table section at end of init part of module. */
46375 strsect->sh_flags |= SHF_ALLOC;
46376 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
46377 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
46378 strindex) | INIT_OFFSET_MASK;
46379 DEBUGP("\t%s\n", secstrings + strsect->sh_name);
46381 /* Append room for core symbols' strings at end of core part. */
46382 - *pstroffs = mod->core_size;
46383 + *pstroffs = mod->core_size_rx;
46384 __set_bit(0, strmap);
46385 - mod->core_size += bitmap_weight(strmap, strsect->sh_size);
46386 + mod->core_size_rx += bitmap_weight(strmap, strsect->sh_size);
46390 @@ -1835,12 +1844,14 @@ static void add_kallsyms(struct module *
46391 mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
46392 mod->strtab = (void *)sechdrs[strindex].sh_addr;
46394 + pax_open_kernel();
46396 /* Set types up while we still have access to sections. */
46397 for (i = 0; i < mod->num_symtab; i++)
46398 mod->symtab[i].st_info
46399 - = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
46400 + = elf_type(&mod->symtab[i], sechdrs, secstrings);
46402 - mod->core_symtab = dst = mod->module_core + symoffs;
46403 + mod->core_symtab = dst = mod->module_core_rx + symoffs;
46406 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
46407 @@ -1852,10 +1863,12 @@ static void add_kallsyms(struct module *
46409 mod->core_num_syms = ndst;
46411 - mod->core_strtab = s = mod->module_core + stroffs;
46412 + mod->core_strtab = s = mod->module_core_rx + stroffs;
46413 for (*s = 0, i = 1; i < sechdrs[strindex].sh_size; ++i)
46414 if (test_bit(i, strmap))
46415 *++s = mod->strtab[i];
46417 + pax_close_kernel();
46420 static inline unsigned long layout_symtab(struct module *mod,
46421 @@ -1892,16 +1905,30 @@ static void dynamic_debug_setup(struct _
46425 -static void *module_alloc_update_bounds(unsigned long size)
46426 +static void *module_alloc_update_bounds_rw(unsigned long size)
46428 void *ret = module_alloc(size);
46431 /* Update module bounds. */
46432 - if ((unsigned long)ret < module_addr_min)
46433 - module_addr_min = (unsigned long)ret;
46434 - if ((unsigned long)ret + size > module_addr_max)
46435 - module_addr_max = (unsigned long)ret + size;
46436 + if ((unsigned long)ret < module_addr_min_rw)
46437 + module_addr_min_rw = (unsigned long)ret;
46438 + if ((unsigned long)ret + size > module_addr_max_rw)
46439 + module_addr_max_rw = (unsigned long)ret + size;
46444 +static void *module_alloc_update_bounds_rx(unsigned long size)
46446 + void *ret = module_alloc_exec(size);
46449 + /* Update module bounds. */
46450 + if ((unsigned long)ret < module_addr_min_rx)
46451 + module_addr_min_rx = (unsigned long)ret;
46452 + if ((unsigned long)ret + size > module_addr_max_rx)
46453 + module_addr_max_rx = (unsigned long)ret + size;
46457 @@ -2108,7 +2135,7 @@ static noinline struct module *load_modu
46458 secstrings, &stroffs, strmap);
46460 /* Do the allocs. */
46461 - ptr = module_alloc_update_bounds(mod->core_size);
46462 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
46464 * The pointer to this block is stored in the module structure
46465 * which is inside the block. Just mark it as not being a
46466 @@ -2119,23 +2146,47 @@ static noinline struct module *load_modu
46470 - memset(ptr, 0, mod->core_size);
46471 - mod->module_core = ptr;
46472 + memset(ptr, 0, mod->core_size_rw);
46473 + mod->module_core_rw = ptr;
46475 - ptr = module_alloc_update_bounds(mod->init_size);
46476 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
46478 * The pointer to this block is stored in the module structure
46479 * which is inside the block. This block doesn't need to be
46480 * scanned as it contains data and code that will be freed
46481 * after the module is initialized.
46483 - kmemleak_ignore(ptr);
46484 - if (!ptr && mod->init_size) {
46485 + kmemleak_not_leak(ptr);
46486 + if (!ptr && mod->init_size_rw) {
46488 + goto free_core_rw;
46490 + memset(ptr, 0, mod->init_size_rw);
46491 + mod->module_init_rw = ptr;
46493 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
46494 + kmemleak_not_leak(ptr);
46498 + goto free_init_rw;
46500 - memset(ptr, 0, mod->init_size);
46501 - mod->module_init = ptr;
46503 + pax_open_kernel();
46504 + memset(ptr, 0, mod->core_size_rx);
46505 + pax_close_kernel();
46506 + mod->module_core_rx = ptr;
46508 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
46509 + kmemleak_not_leak(ptr);
46510 + if (!ptr && mod->init_size_rx) {
46512 + goto free_core_rx;
46515 + pax_open_kernel();
46516 + memset(ptr, 0, mod->init_size_rx);
46517 + pax_close_kernel();
46518 + mod->module_init_rx = ptr;
46520 /* Transfer each section which specifies SHF_ALLOC */
46521 DEBUGP("final section addresses:\n");
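Review bot: The context comment kept above the init_rw allocation still says the block "doesn't need to be scanned", but the call under it changes from `kmemleak_ignore(ptr)` to `kmemleak_not_leak(ptr)`, and kmemleak_not_leak() only suppresses the leak report while the block is still scanned. Either keep `kmemleak_ignore(ptr)` for the init regions or reword the comment to say why scanning is now wanted. The same call is added for both `_rx` allocations with no comment at all. The failure check after the `core_size_rx` allocation falls on lines not visible in this listing, so it could not be reviewed.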
46522 @@ -2145,17 +2196,41 @@ static noinline struct module *load_modu
46523 if (!(sechdrs[i].sh_flags & SHF_ALLOC))
46526 - if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
46527 - dest = mod->module_init
46528 - + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
46530 - dest = mod->module_core + sechdrs[i].sh_entsize;
46531 + if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
46532 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
46533 + dest = mod->module_init_rw
46534 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
46536 + dest = mod->module_init_rx
46537 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
46539 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
46540 + dest = mod->module_core_rw + sechdrs[i].sh_entsize;
46542 + dest = mod->module_core_rx + sechdrs[i].sh_entsize;
46545 + if (sechdrs[i].sh_type != SHT_NOBITS) {
46547 +#ifdef CONFIG_PAX_KERNEXEC
46548 + if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
46549 + pax_open_kernel();
46550 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
46551 + pax_close_kernel();
46555 - if (sechdrs[i].sh_type != SHT_NOBITS)
46556 - memcpy(dest, (void *)sechdrs[i].sh_addr,
46557 - sechdrs[i].sh_size);
46558 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
46560 /* Update sh_addr to point to copy in image. */
46561 - sechdrs[i].sh_addr = (unsigned long)dest;
46563 +#ifdef CONFIG_PAX_KERNEXEC
46564 + if (sechdrs[i].sh_flags & SHF_EXECINSTR)
46565 + sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
46569 + sechdrs[i].sh_addr = (unsigned long)dest;
46570 DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
46572 /* Module has been moved. */
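Review bot: The rw-versus-rx choice is written out inline as `(sh_flags & SHF_WRITE) || !(sh_flags & SHF_ALLOC)` for both the init and core destinations and again, negated, for the KERNEXEC copy. The offset kept in `sh_entsize` is only valid for the region it was laid out against, so if this predicate ever drifts from the one used at layout time a section is copied to the wrong base. A single helper, for example `static inline bool sect_is_rw(const Elf_Shdr *s) { return (s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC); }`, shared with the layout code would keep the two in step. The `!SHF_ALLOC` half also looks unreachable here because the loop's first test already filters on SHF_ALLOC, though the statement under that test is not visible in this listing. The layout code itself is outside this hunk.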
46573 @@ -2167,7 +2242,7 @@ static noinline struct module *load_modu
46575 if (!mod->refptr) {
46578 + goto free_init_rx;
46581 /* Now we've moved module, initialize linked lists, etc. */
46582 @@ -2282,8 +2357,8 @@ static noinline struct module *load_modu
46584 /* Now do relocations. */
46585 for (i = 1; i < hdr->e_shnum; i++) {
46586 - const char *strtab = (char *)sechdrs[strindex].sh_addr;
46587 unsigned int info = sechdrs[i].sh_info;
46588 + strtab = (char *)sechdrs[strindex].sh_addr;
46590 /* Not a valid relocation section? */
46591 if (info >= hdr->e_shnum)
46592 @@ -2344,12 +2419,12 @@ static noinline struct module *load_modu
46593 * Do it before processing of module parameters, so the module
46594 * can provide parameter accessor functions of its own.
46596 - if (mod->module_init)
46597 - flush_icache_range((unsigned long)mod->module_init,
46598 - (unsigned long)mod->module_init
46599 - + mod->init_size);
46600 - flush_icache_range((unsigned long)mod->module_core,
46601 - (unsigned long)mod->module_core + mod->core_size);
46602 + if (mod->module_init_rx)
46603 + flush_icache_range((unsigned long)mod->module_init_rx,
46604 + (unsigned long)mod->module_init_rx
46605 + + mod->init_size_rx);
46606 + flush_icache_range((unsigned long)mod->module_core_rx,
46607 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
46611 @@ -2397,12 +2472,16 @@ static noinline struct module *load_modu
46613 module_unload_free(mod);
46614 #if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP)
46616 percpu_modfree(mod->refptr);
46619 - module_free(mod, mod->module_init);
46621 - module_free(mod, mod->module_core);
46622 + module_free_exec(mod, mod->module_init_rx);
46624 + module_free_exec(mod, mod->module_core_rx);
46626 + module_free(mod, mod->module_init_rw);
46628 + module_free(mod, mod->module_core_rw);
46629 /* mod will be freed with core. Don't access it beyond this line! */
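Review bot: The warning comment at the end of this hunk still says mod "will be freed with core", but there are now two core regions and four frees, ordered exec-first with `module_free(mod, mod->module_core_rw)` last. If struct module lives in the writable core region, which the ordering suggests but this hunk does not show, the comment should name it, e.g. `/* mod is freed with module_core_rw, which must stay the last free. */`. That makes the ordering constraint explicit, since every earlier call still dereferences mod. The labels between the calls are not visible in this listing.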
46632 @@ -2504,10 +2583,12 @@ SYSCALL_DEFINE3(init_module, void __user
46633 mod->symtab = mod->core_symtab;
46634 mod->strtab = mod->core_strtab;
46636 - module_free(mod, mod->module_init);
46637 - mod->module_init = NULL;
46638 - mod->init_size = 0;
46639 - mod->init_text_size = 0;
46640 + module_free(mod, mod->module_init_rw);
46641 + module_free_exec(mod, mod->module_init_rx);
46642 + mod->module_init_rw = NULL;
46643 + mod->module_init_rx = NULL;
46644 + mod->init_size_rw = 0;
46645 + mod->init_size_rx = 0;
46646 mutex_unlock(&module_mutex);
46649 @@ -2538,10 +2619,16 @@ static const char *get_ksymbol(struct mo
46650 unsigned long nextval;
46652 /* At worse, next value is at end of module */
46653 - if (within_module_init(addr, mod))
46654 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
46655 + if (within_module_init_rx(addr, mod))
46656 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
46657 + else if (within_module_init_rw(addr, mod))
46658 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
46659 + else if (within_module_core_rx(addr, mod))
46660 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
46661 + else if (within_module_core_rw(addr, mod))
46662 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
46664 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
46667 /* Scan for closest preceeding symbol, and next symbol. (ELF
46668 starts real symbols at 1). */
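Review bot: The fallback upper bound for a symbol changes from the end of the text (`init_text_size` / `core_text_size`) to the end of the whole region (`init_size_rx`, `core_size_rx`, and the new `_rw` cases), but the context comment "At worse, next value is at end of module" is left as it was. If the rx regions hold read-only data after the code, which the layout code outside this hunk would decide, the last function symbol's reported extent now runs to the end of that data. Rewording the comment to `/* At worst, the next value is the end of the region that contains addr. */` would record the new meaning. The final `else` arm is not visible in this listing.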
46669 @@ -2787,7 +2874,7 @@ static int m_show(struct seq_file *m, vo
46672 seq_printf(m, "%s %u",
46673 - mod->name, mod->init_size + mod->core_size);
46674 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
46675 print_unload_info(m, mod);
46677 /* Informative for users. */
46678 @@ -2796,7 +2883,7 @@ static int m_show(struct seq_file *m, vo
46679 mod->state == MODULE_STATE_COMING ? "Loading":
46681 /* Used by oprofile and other similar tools. */
46682 - seq_printf(m, " 0x%p", mod->module_core);
46683 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
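Review bot: The added `seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw)` changes the field layout of every /proc/modules line, which the context comment says is read by oprofile and similar tools; a parser expecting a single address in that column will misread the line. It also prints a second kernel address to anyone who can read the file. Consider keeping one address in the existing column, or at least documenting the new column at the call, e.g. `/* columns: rx (text) base, then rw (data) base */`. m_show continues outside this hunk, so the fields printed after this one could not be checked.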
46687 @@ -2832,7 +2919,17 @@ static const struct file_operations proc
46689 static int __init proc_modules_init(void)
46691 +#ifndef CONFIG_GRKERNSEC_HIDESYM
46692 +#ifdef CONFIG_GRKERNSEC_PROC_USER
46693 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
46694 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46695 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
46697 proc_create("modules", 0, NULL, &proc_modules_operations);
46700 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
46704 module_init(proc_modules_init);
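Review bot: The mode passed to `proc_create("modules", ...)` now depends on three config symbols, and nothing in the function states what each combination yields. In the fallback branch the mode is still `0`, so the file keeps proc_create()'s default permissions while, after the m_show change earlier in this diff, each line carries two module base addresses. A short comment above the `#ifndef CONFIG_GRKERNSEC_HIDESYM` block listing the resulting mode per configuration would make the intended exposure auditable. The `#else`/`#endif` lines of the conditional are not visible in this listing, so the nesting is inferred. The same undocumented pattern is added to ioresources_init in kernel/resource.c.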
46705 @@ -2891,12 +2988,12 @@ struct module *__module_address(unsigned
46707 struct module *mod;
46709 - if (addr < module_addr_min || addr > module_addr_max)
46710 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
46711 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
46714 list_for_each_entry_rcu(mod, &modules, list)
46715 - if (within_module_core(addr, mod)
46716 - || within_module_init(addr, mod))
46717 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
46721 @@ -2930,11 +3027,20 @@ bool is_module_text_address(unsigned lon
46723 struct module *__module_text_address(unsigned long addr)
46725 - struct module *mod = __module_address(addr);
46726 + struct module *mod;
46728 +#ifdef CONFIG_X86_32
46729 + addr = ktla_ktva(addr);
46732 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
46735 + mod = __module_address(addr);
46738 /* Make sure it's within the text section. */
46739 - if (!within(addr, mod->module_init, mod->init_text_size)
46740 - && !within(addr, mod->module_core, mod->core_text_size))
46741 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
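Review bot: The translation `addr = ktla_ktva(addr);` is guarded by `CONFIG_X86_32`, while the inverse `ktva_ktla()` applied to `sh_addr` in the load_module hunk of this file is guarded by `CONFIG_PAX_KERNEXEC`. If the two macros are identities when KERNEXEC is off (their definitions are not shown), the `#ifdef` here is unnecessary; if they are not, the guards should match. Either way a one-line comment such as `/* text is looked up by its rx alias */` would explain why the address is rewritten before the bounds test. The handling of a NULL result from `__module_address()` falls on lines not visible in this listing.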
46745 diff -urNp linux-2.6.33/kernel/panic.c linux-2.6.33/kernel/panic.c
46746 --- linux-2.6.33/kernel/panic.c 2010-02-24 13:52:17.000000000 -0500
46747 +++ linux-2.6.33/kernel/panic.c 2010-03-07 12:23:36.141632987 -0500
46748 @@ -396,7 +396,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
46750 void __stack_chk_fail(void)
46752 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
46754 + panic("stack-protector: Kernel stack is corrupted in: %pS\n",
46755 __builtin_return_address(0));
46757 EXPORT_SYMBOL(__stack_chk_fail);
46758 diff -urNp linux-2.6.33/kernel/params.c linux-2.6.33/kernel/params.c
46759 --- linux-2.6.33/kernel/params.c 2010-02-24 13:52:17.000000000 -0500
46760 +++ linux-2.6.33/kernel/params.c 2010-03-07 12:23:36.141632987 -0500
46761 @@ -723,7 +723,7 @@ static ssize_t module_attr_store(struct
46765 -static struct sysfs_ops module_sysfs_ops = {
46766 +static const struct sysfs_ops module_sysfs_ops = {
46767 .show = module_attr_show,
46768 .store = module_attr_store,
46770 @@ -737,7 +737,7 @@ static int uevent_filter(struct kset *ks
46774 -static struct kset_uevent_ops module_uevent_ops = {
46775 +static const struct kset_uevent_ops module_uevent_ops = {
46776 .filter = uevent_filter,
46779 diff -urNp linux-2.6.33/kernel/pid.c linux-2.6.33/kernel/pid.c
46780 --- linux-2.6.33/kernel/pid.c 2010-02-24 13:52:17.000000000 -0500
46781 +++ linux-2.6.33/kernel/pid.c 2010-03-07 12:23:36.141632987 -0500
46783 #include <linux/rculist.h>
46784 #include <linux/bootmem.h>
46785 #include <linux/hash.h>
46786 +#include <linux/security.h>
46787 #include <linux/pid_namespace.h>
46788 #include <linux/init_task.h>
46789 #include <linux/syscalls.h>
46790 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
46792 int pid_max = PID_MAX_DEFAULT;
46794 -#define RESERVED_PIDS 300
46795 +#define RESERVED_PIDS 500
46797 int pid_max_min = RESERVED_PIDS + 1;
46798 int pid_max_max = PID_MAX_LIMIT;
46799 @@ -380,7 +381,14 @@ EXPORT_SYMBOL(pid_task);
46801 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
46803 - return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
46804 + struct task_struct *task;
46806 + task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
46808 + if (gr_pid_is_chrooted(task))
46813 EXPORT_SYMBOL_GPL(find_task_by_pid_ns);
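Review bot: `gr_pid_is_chrooted(task)` is handed the result of `pid_task()`, which is NULL when the pid does not exist in the namespace, and no NULL test is visible before the call. Unless the helper checks its argument itself (its definition is not part of this hunk), guard the call: `if (task && gr_pid_is_chrooted(task))`. The statements after the `if` are not visible in this listing, so the value returned on the denied path is assumed to be NULL.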
46815 diff -urNp linux-2.6.33/kernel/posix-cpu-timers.c linux-2.6.33/kernel/posix-cpu-timers.c
46816 --- linux-2.6.33/kernel/posix-cpu-timers.c 2010-02-24 13:52:17.000000000 -0500
46817 +++ linux-2.6.33/kernel/posix-cpu-timers.c 2010-03-07 12:23:36.141632987 -0500
46819 #include <linux/posix-timers.h>
46820 #include <linux/errno.h>
46821 #include <linux/math64.h>
46822 +#include <linux/security.h>
46823 #include <asm/uaccess.h>
46824 #include <linux/kernel_stat.h>
46825 #include <trace/events/timer.h>
46826 @@ -1043,6 +1044,7 @@ static void check_thread_timers(struct t
46827 __group_send_sig_info(SIGKILL, SEND_SIG_PRIV, tsk);
46830 + gr_learn_resource(tsk, RLIMIT_RTTIME, tsk->rt.timeout, 1);
46831 if (tsk->rt.timeout > DIV_ROUND_UP(*soft, USEC_PER_SEC/HZ)) {
46833 * At the soft limit, send a SIGXCPU every second.
46834 @@ -1205,6 +1207,7 @@ static void check_process_timers(struct
46835 __group_send_sig_info(SIGKILL, SEND_SIG_PRIV, tsk);
46838 + gr_learn_resource(tsk, RLIMIT_CPU, psecs, 0);
46839 if (psecs >= sig->rlim[RLIMIT_CPU].rlim_cur) {
46841 * At the soft limit, send a SIGXCPU every second.
46842 diff -urNp linux-2.6.33/kernel/power/hibernate.c linux-2.6.33/kernel/power/hibernate.c
46843 --- linux-2.6.33/kernel/power/hibernate.c 2010-02-24 13:52:17.000000000 -0500
46844 +++ linux-2.6.33/kernel/power/hibernate.c 2010-03-07 12:23:36.141632987 -0500
46845 @@ -49,14 +49,14 @@ enum {
46847 static int hibernation_mode = HIBERNATION_SHUTDOWN;
46849 -static struct platform_hibernation_ops *hibernation_ops;
46850 +static const struct platform_hibernation_ops *hibernation_ops;
46853 * hibernation_set_ops - set the global hibernate operations
46854 * @ops: the hibernation operations to use in subsequent hibernation transitions
46857 -void hibernation_set_ops(struct platform_hibernation_ops *ops)
46858 +void hibernation_set_ops(const struct platform_hibernation_ops *ops)
46860 if (ops && !(ops->begin && ops->end && ops->pre_snapshot
46861 && ops->prepare && ops->finish && ops->enter && ops->pre_restore
46862 diff -urNp linux-2.6.33/kernel/power/poweroff.c linux-2.6.33/kernel/power/poweroff.c
46863 --- linux-2.6.33/kernel/power/poweroff.c 2010-02-24 13:52:17.000000000 -0500
46864 +++ linux-2.6.33/kernel/power/poweroff.c 2010-03-07 12:23:36.141632987 -0500
46865 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
46866 .enable_mask = SYSRQ_ENABLE_BOOT,
46869 -static int pm_sysrq_init(void)
46870 +static int __init pm_sysrq_init(void)
46872 register_sysrq_key('o', &sysrq_poweroff_op);
46874 diff -urNp linux-2.6.33/kernel/power/process.c linux-2.6.33/kernel/power/process.c
46875 --- linux-2.6.33/kernel/power/process.c 2010-02-24 13:52:17.000000000 -0500
46876 +++ linux-2.6.33/kernel/power/process.c 2010-03-07 12:23:36.141632987 -0500
46877 @@ -38,12 +38,15 @@ static int try_to_freeze_tasks(bool sig_
46878 struct timeval start, end;
46879 u64 elapsed_csecs64;
46880 unsigned int elapsed_csecs;
46881 + bool timedout = false;
46883 do_gettimeofday(&start);
46885 end_time = jiffies + TIMEOUT;
46888 + if (time_after(jiffies, end_time))
46890 read_lock(&tasklist_lock);
46891 do_each_thread(g, p) {
46892 if (frozen(p) || !freezeable(p))
46893 @@ -58,12 +61,16 @@ static int try_to_freeze_tasks(bool sig_
46894 * It is "frozen enough". If the task does wake
46895 * up, it will immediately call try_to_freeze.
46897 - if (!task_is_stopped_or_traced(p) &&
46898 - !freezer_should_skip(p))
46899 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
46902 + printk(KERN_ERR "Task refusing to freeze:\n");
46903 + sched_show_task(p);
46906 } while_each_thread(g, p);
46907 read_unlock(&tasklist_lock);
46908 - if (!todo || time_after(jiffies, end_time))
46909 + if (!todo || timedout)
46913 diff -urNp linux-2.6.33/kernel/power/suspend.c linux-2.6.33/kernel/power/suspend.c
46914 --- linux-2.6.33/kernel/power/suspend.c 2010-02-24 13:52:17.000000000 -0500
46915 +++ linux-2.6.33/kernel/power/suspend.c 2010-03-07 12:23:36.141632987 -0500
46916 @@ -23,13 +23,13 @@ const char *const pm_states[PM_SUSPEND_M
46917 [PM_SUSPEND_MEM] = "mem",
46920 -static struct platform_suspend_ops *suspend_ops;
46921 +static const struct platform_suspend_ops *suspend_ops;
46924 * suspend_set_ops - Set the global suspend method table.
46925 * @ops: Pointer to ops structure.
46927 -void suspend_set_ops(struct platform_suspend_ops *ops)
46928 +void suspend_set_ops(const struct platform_suspend_ops *ops)
46930 mutex_lock(&pm_mutex);
46932 diff -urNp linux-2.6.33/kernel/printk.c linux-2.6.33/kernel/printk.c
46933 --- linux-2.6.33/kernel/printk.c 2010-02-24 13:52:17.000000000 -0500
46934 +++ linux-2.6.33/kernel/printk.c 2010-03-07 12:23:36.141632987 -0500
46935 @@ -280,6 +280,11 @@ int do_syslog(int type, char __user *buf
46939 +#ifdef CONFIG_GRKERNSEC_DMESG
46940 + if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
46944 error = security_syslog(type);
46947 diff -urNp linux-2.6.33/kernel/ptrace.c linux-2.6.33/kernel/ptrace.c
46948 --- linux-2.6.33/kernel/ptrace.c 2010-02-24 13:52:17.000000000 -0500
46949 +++ linux-2.6.33/kernel/ptrace.c 2010-03-07 12:23:36.141632987 -0500
46950 @@ -141,7 +141,7 @@ int __ptrace_may_access(struct task_stru
46951 cred->gid != tcred->egid ||
46952 cred->gid != tcred->sgid ||
46953 cred->gid != tcred->gid) &&
46954 - !capable(CAP_SYS_PTRACE)) {
46955 + !capable_nolog(CAP_SYS_PTRACE)) {
46959 @@ -149,7 +149,7 @@ int __ptrace_may_access(struct task_stru
46962 dumpable = get_dumpable(task->mm);
46963 - if (!dumpable && !capable(CAP_SYS_PTRACE))
46964 + if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
46967 return security_ptrace_access_check(task, mode);
46968 @@ -199,7 +199,7 @@ int ptrace_attach(struct task_struct *ta
46969 goto unlock_tasklist;
46971 task->ptrace = PT_PTRACED;
46972 - if (capable(CAP_SYS_PTRACE))
46973 + if (capable_nolog(CAP_SYS_PTRACE))
46974 task->ptrace |= PT_PTRACE_CAP;
46976 __ptrace_link(task, current);
46977 @@ -362,7 +362,7 @@ int ptrace_readdata(struct task_struct *
46981 - if (copy_to_user(dst, buf, retval))
46982 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
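Review bot: The new bound `retval > sizeof(buf)` compares what appears to be a signed `retval` with a `size_t`, so it depends on the implicit conversion to unsigned to also reject a negative value. That is the right outcome, but it is invisible to a reader and is the kind of comparison `-Wsign-compare` flags. Writing it as `if (retval < 0 || (size_t)retval > sizeof(buf) || copy_to_user(dst, buf, retval))` states both conditions explicitly. The declarations of `retval` and `buf` are outside this hunk, so their types are inferred.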
46986 @@ -532,18 +532,18 @@ int ptrace_request(struct task_struct *c
46987 ret = ptrace_setoptions(child, data);
46989 case PTRACE_GETEVENTMSG:
46990 - ret = put_user(child->ptrace_message, (unsigned long __user *) data);
46991 + ret = put_user(child->ptrace_message, (__force unsigned long __user *) data);
46994 case PTRACE_GETSIGINFO:
46995 ret = ptrace_getsiginfo(child, &siginfo);
46997 - ret = copy_siginfo_to_user((siginfo_t __user *) data,
46998 + ret = copy_siginfo_to_user((__force siginfo_t __user *) data,
47002 case PTRACE_SETSIGINFO:
47003 - if (copy_from_user(&siginfo, (siginfo_t __user *) data,
47004 + if (copy_from_user(&siginfo, (__force siginfo_t __user *) data,
47008 @@ -621,13 +621,20 @@ SYSCALL_DEFINE4(ptrace, long, request, l
47012 + if (gr_handle_ptrace(child, request)) {
47014 + goto out_put_task_struct;
47017 if (request == PTRACE_ATTACH) {
47018 ret = ptrace_attach(child);
47020 * Some architectures need to do book-keeping after
47025 arch_ptrace_attach(child);
47026 + gr_audit_ptrace(child);
47028 goto out_put_task_struct;
47031 --- a/kernel/ptrace.c~ 2010-03-08 09:26:25.319192059 +0100
47032 +++ b/kernel/ptrace.c 2010-03-08 09:27:37.812101426 +0100
47033 @@ -656,21 +656,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
47036 int generic_ptrace_peekdata(struct task_struct *tsk, long addr, long data)
47041 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
47042 if (copied != sizeof(tmp))
47044 - return put_user(tmp, (unsigned long __user *)data);
47045 + return put_user(tmp, (__force unsigned long __user *)data);
47048 int generic_ptrace_pokedata(struct task_struct *tsk, long addr, long data)
47052 copied = access_process_vm(tsk, addr, &data, sizeof(data), 1);
47053 return (copied == sizeof(data)) ? 0 : -EIO;
47056 diff -urNp linux-2.6.33/kernel/rcutree.c linux-2.6.33/kernel/rcutree.c
47057 --- linux-2.6.33/kernel/rcutree.c 2010-02-24 13:52:17.000000000 -0500
47058 +++ linux-2.6.33/kernel/rcutree.c 2010-03-07 12:23:36.141632987 -0500
47059 @@ -1315,7 +1315,7 @@ __rcu_process_callbacks(struct rcu_state
47061 * Do softirq processing for the current CPU.
47063 -static void rcu_process_callbacks(struct softirq_action *unused)
47064 +static void rcu_process_callbacks(void)
47067 * Memory references from any prior RCU read-side critical sections
47068 diff -urNp linux-2.6.33/kernel/relay.c linux-2.6.33/kernel/relay.c
47069 --- linux-2.6.33/kernel/relay.c 2010-02-24 13:52:17.000000000 -0500
47070 +++ linux-2.6.33/kernel/relay.c 2010-03-07 12:23:36.141632987 -0500
47071 @@ -1292,7 +1292,7 @@ static int subbuf_splice_actor(struct fi
47074 ret = *nonpad_ret = splice_to_pipe(pipe, &spd);
47075 - if (ret < 0 || ret < total_len)
47076 + if ((int)ret < 0 || ret < total_len)
47079 if (read_start + ret == nonpad_end)
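Review bot: The `(int)ret < 0` cast is only needed if `ret` is declared unsigned, in which case the original `ret < 0` could never be true and an error return from `splice_to_pipe()` was compared against `total_len` as a very large count. Declaring `ret` with a signed type that matches splice_to_pipe()'s return would fix the test without a cast and keep the later `read_start + ret` arithmetic from ever seeing a wrapped error value. The declaration is outside this hunk, so the type is inferred from the need for the cast.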
47080 diff -urNp linux-2.6.33/kernel/resource.c linux-2.6.33/kernel/resource.c
47081 --- linux-2.6.33/kernel/resource.c 2010-02-24 13:52:17.000000000 -0500
47082 +++ linux-2.6.33/kernel/resource.c 2010-03-07 12:23:36.141632987 -0500
47083 @@ -132,8 +132,18 @@ static const struct file_operations proc
47085 static int __init ioresources_init(void)
47087 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
47088 +#ifdef CONFIG_GRKERNSEC_PROC_USER
47089 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
47090 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
47091 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47092 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
47093 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
47096 proc_create("ioports", 0, NULL, &proc_ioports_operations);
47097 proc_create("iomem", 0, NULL, &proc_iomem_operations);
47101 __initcall(ioresources_init);
47102 diff -urNp linux-2.6.33/kernel/sched.c linux-2.6.33/kernel/sched.c
47103 --- linux-2.6.33/kernel/sched.c 2010-02-24 13:52:17.000000000 -0500
47104 +++ linux-2.6.33/kernel/sched.c 2010-03-07 12:23:48.703416643 -0500
47105 @@ -4844,7 +4844,7 @@ out:
47106 * In CONFIG_NO_HZ case, the idle load balance owner will do the
47107 * rebalancing for all the cpus for whom scheduler ticks are stopped.
47109 -static void run_rebalance_domains(struct softirq_action *h)
47110 +static void run_rebalance_domains(void)
47112 int this_cpu = smp_processor_id();
47113 struct rq *this_rq = cpu_rq(this_cpu);
47114 @@ -6146,6 +6146,8 @@ int can_nice(const struct task_struct *p
47115 /* convert nice value [19,-20] to rlimit style value [1,40] */
47116 int nice_rlim = 20 - nice;
47118 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
47120 return (nice_rlim <= p->signal->rlim[RLIMIT_NICE].rlim_cur ||
47121 capable(CAP_SYS_NICE));
47123 @@ -6179,7 +6181,7 @@ SYSCALL_DEFINE1(nice, int, increment)
47127 - if (increment < 0 && !can_nice(current, nice))
47128 + if (increment < 0 && (!can_nice(current, nice) || gr_handle_chroot_nice()))
47129 return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
47131 retval = security_task_setnice(current, nice);
47132 @@ -6321,6 +6323,8 @@ recheck:
47133 if (rt_policy(policy)) {
47134 unsigned long rlim_rtprio;
47136 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
47138 if (!lock_task_sighand(p, &flags))
47140 rlim_rtprio = p->signal->rlim[RLIMIT_RTPRIO].rlim_cur;
47141 diff -urNp linux-2.6.33/kernel/signal.c linux-2.6.33/kernel/signal.c
47142 --- linux-2.6.33/kernel/signal.c 2010-02-24 13:52:17.000000000 -0500
47143 +++ linux-2.6.33/kernel/signal.c 2010-03-07 12:23:36.145647031 -0500
47144 @@ -226,6 +226,9 @@ __sigqueue_alloc(int sig, struct task_st
47145 atomic_inc(&user->sigpending);
47148 + if (!override_rlimit)
47149 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
47151 if (override_rlimit ||
47152 atomic_read(&user->sigpending) <=
47153 t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur) {
47154 @@ -687,6 +687,9 @@ static int check_kill_permission(int sig
47158 + if (gr_handle_signal(t, sig))
47161 return security_task_kill(t, info, sig, 0);
47164 @@ -1006,7 +1013,7 @@ __group_send_sig_info(int sig, struct si
47165 return send_signal(sig, info, p, 1);
47170 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
47172 return send_signal(sig, info, t, 0);
47173 @@ -1060,6 +1067,9 @@ force_sig_info(int sig, struct siginfo *
47174 ret = specific_send_sig_info(sig, info, t);
47175 spin_unlock_irqrestore(&t->sighand->siglock, flags);
47177 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
47178 + gr_handle_crash(t, sig);
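Review bot: `info->si_addr` is read for every non-special siginfo, but that union member is only meaningful for fault signals; in a siginfo filled in for kill() or sigqueue() the same bytes hold the sender's pid and uid. Unless `gr_log_signal()` limits itself to kernel-generated faults (its body is not visible here), the logged address can be a reinterpretation of those fields, which weakens the log as evidence. A comment at the call, `/* si_addr is valid only for kernel-generated fault signals */`, plus a matching test before passing it would make the assumption explicit. The same expression is added in group_send_sig_info in the `@@ -1113,8 +1123,11 @@` hunk, where the siginfo can originate from userspace.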
47183 @@ -1113,8 +1123,11 @@ int group_send_sig_info(int sig, struct
47185 int ret = check_kill_permission(sig, info, p);
47188 + if (!ret && sig) {
47189 ret = do_send_sig_info(sig, info, p, true);
47191 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
47196 diff -urNp linux-2.6.33/kernel/smp.c linux-2.6.33/kernel/smp.c
47197 --- linux-2.6.33/kernel/smp.c 2010-02-24 13:52:17.000000000 -0500
47198 +++ linux-2.6.33/kernel/smp.c 2010-03-07 12:23:36.145647031 -0500
47199 @@ -498,22 +498,22 @@ int smp_call_function(void (*func)(void
47201 EXPORT_SYMBOL(smp_call_function);
47203 -void ipi_call_lock(void)
47204 +void ipi_call_lock(void) __acquires(call_function.lock)
47206 raw_spin_lock(&call_function.lock);
47209 -void ipi_call_unlock(void)
47210 +void ipi_call_unlock(void) __releases(call_function.lock)
47212 raw_spin_unlock(&call_function.lock);
47215 -void ipi_call_lock_irq(void)
47216 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
47218 raw_spin_lock_irq(&call_function.lock);
47221 -void ipi_call_unlock_irq(void)
47222 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
47224 raw_spin_unlock_irq(&call_function.lock);
47226 diff -urNp linux-2.6.33/kernel/softirq.c linux-2.6.33/kernel/softirq.c
47227 --- linux-2.6.33/kernel/softirq.c 2010-02-24 13:52:17.000000000 -0500
47228 +++ linux-2.6.33/kernel/softirq.c 2010-03-07 12:23:36.145647031 -0500
47229 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
47231 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
47233 -char *softirq_to_name[NR_SOFTIRQS] = {
47234 +const char * const softirq_to_name[NR_SOFTIRQS] = {
47235 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
47236 "TASKLET", "SCHED", "HRTIMER", "RCU"
47238 @@ -190,7 +190,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
47240 asmlinkage void __do_softirq(void)
47242 - struct softirq_action *h;
47243 + const struct softirq_action *h;
47245 int max_restart = MAX_SOFTIRQ_RESTART;
47247 @@ -216,7 +216,7 @@ restart:
47248 kstat_incr_softirqs_this_cpu(h - softirq_vec);
47250 trace_softirq_entry(h, softirq_vec);
47253 trace_softirq_exit(h, softirq_vec);
47254 if (unlikely(prev_count != preempt_count())) {
47255 printk(KERN_ERR "huh, entered softirq %td %s %p"
47256 @@ -340,7 +340,7 @@ void raise_softirq(unsigned int nr)
47257 local_irq_restore(flags);
47260 -void open_softirq(int nr, void (*action)(struct softirq_action *))
47261 +void open_softirq(int nr, void (*action)(void))
47263 softirq_vec[nr].action = action;
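Review bot: Changing `open_softirq()` to take `void (*action)(void)` alters a tree-wide callback contract, and this part of the diff only shows some handlers being converted (tasklet_action, tasklet_hi_action, rcu_process_callbacks, run_rebalance_domains). A handler still defined with a `struct softirq_action *` parameter would be registered through an incompatible function-pointer type, which C compilers of this era report as a warning rather than an error. A comment at the prototype stating that handlers take no argument, and a tree-wide check that every `open_softirq()` caller was updated, would close that gap. Callers outside the files shown here could not be checked.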
47265 @@ -396,7 +396,7 @@ void __tasklet_hi_schedule_first(struct
47267 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
47269 -static void tasklet_action(struct softirq_action *a)
47270 +static void tasklet_action(void)
47272 struct tasklet_struct *list;
47274 @@ -431,7 +431,7 @@ static void tasklet_action(struct softir
47278 -static void tasklet_hi_action(struct softirq_action *a)
47279 +static void tasklet_hi_action(void)
47281 struct tasklet_struct *list;
47283 diff -urNp linux-2.6.33/kernel/sys.c linux-2.6.33/kernel/sys.c
47284 --- linux-2.6.33/kernel/sys.c 2010-02-24 13:52:17.000000000 -0500
47285 +++ linux-2.6.33/kernel/sys.c 2010-03-07 12:23:36.145647031 -0500
47286 @@ -132,6 +132,12 @@ static int set_one_prio(struct task_stru
47291 + if (gr_handle_chroot_setpriority(p, niceval)) {
47296 no_nice = security_task_setnice(p, niceval);
47299 @@ -513,6 +519,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
47303 + if (gr_check_group_change(new->gid, new->egid, -1))
47306 if (rgid != (gid_t) -1 ||
47307 (egid != (gid_t) -1 && egid != old->gid))
47308 new->sgid = new->egid;
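Review bot: The argument convention of `gr_check_group_change()` / `gr_check_user_change()` is not documented, and the call sites in this file use it in two different ways. Here and in setreuid the already-resolved `new->gid, new->egid` (resp. `new->uid, new->euid`) are passed, so an id that is not being changed is still checked. The setresuid and setresgid hunks instead pass the raw `ruid, euid` / `rgid, egid` arguments, which can be `-1` for "leave unchanged". If the helpers treat `-1` as "skip", which the literal `-1` third argument suggests but no visible line confirms, the two styles give different policy results for the same transition. A comment at each call stating the convention, or passing the same kind of value everywhere, would remove the ambiguity.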
47309 @@ -546,6 +555,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
47314 + if (gr_check_group_change(gid, gid, gid))
47317 if (capable(CAP_SETGID))
47318 new->gid = new->egid = new->sgid = new->fsgid = gid;
47319 else if (gid == old->gid || gid == old->sgid)
47320 @@ -636,6 +649,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
47324 + if (gr_check_user_change(new->uid, new->euid, -1))
47327 if (new->uid != old->uid) {
47328 retval = set_user(new);
47330 @@ -684,6 +700,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
47335 + if (gr_check_crash_uid(uid))
47337 + if (gr_check_user_change(uid, uid, uid))
47340 if (capable(CAP_SETUID)) {
47341 new->suid = new->uid = uid;
47342 if (uid != old->uid) {
47343 @@ -741,6 +763,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
47347 + if (gr_check_user_change(ruid, euid, -1))
47350 if (ruid != (uid_t) -1) {
47352 if (ruid != old->uid) {
47353 @@ -809,6 +834,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
47357 + if (gr_check_group_change(rgid, egid, -1))
47360 if (rgid != (gid_t) -1)
47362 if (egid != (gid_t) -1)
47363 @@ -858,6 +886,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
47364 if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS) < 0)
47367 + if (gr_check_user_change(-1, -1, uid))
47370 if (uid == old->uid || uid == old->euid ||
47371 uid == old->suid || uid == old->fsuid ||
47372 capable(CAP_SETUID)) {
47373 @@ -898,6 +929,9 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
47374 if (gid == old->gid || gid == old->egid ||
47375 gid == old->sgid || gid == old->fsgid ||
47376 capable(CAP_SETGID)) {
47377 + if (gr_check_group_change(-1, -1, gid))
47380 if (gid != old_fsgid) {
47383 @@ -1460,7 +1494,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
47384 error = get_dumpable(me->mm);
47386 case PR_SET_DUMPABLE:
47387 - if (arg2 < 0 || arg2 > 1) {
47392 diff -urNp linux-2.6.33/kernel/sysctl.c linux-2.6.33/kernel/sysctl.c
47393 --- linux-2.6.33/kernel/sysctl.c 2010-02-24 13:52:17.000000000 -0500
47394 +++ linux-2.6.33/kernel/sysctl.c 2010-03-07 12:23:36.145647031 -0500
47398 #if defined(CONFIG_SYSCTL)
47399 +#include <linux/grsecurity.h>
47400 +#include <linux/grinternal.h>
47402 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
47403 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
47405 +extern int gr_handle_chroot_sysctl(const int op);
47407 /* External variables not in a header file. */
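Review bot: The `gr_handle_sysctl`, `gr_handle_sysctl_mod` and `gr_handle_chroot_sysctl` prototypes are declared with `extern` directly in sysctl.c, right after `<linux/grsecurity.h>` and `<linux/grinternal.h>` are included. A prototype kept in the using .c file is never compared with the definition, so a later signature change would still compile and the function would be called with the wrong arguments. Moving the declarations into one of those headers, which the defining file would also include, lets the compiler catch a mismatch. The same pattern appears for `grsecurity_table[]` in the next hunk and for `extern int gr_is_taskstats_denied(int pid);` in kernel/taskstats.c.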
47409 @@ -169,6 +176,7 @@ static int proc_do_cad_pid(struct ctl_ta
47410 static int proc_taint(struct ctl_table *table, int write,
47411 void __user *buffer, size_t *lenp, loff_t *ppos);
47413 +extern ctl_table grsecurity_table[];
47415 static struct ctl_table root_table[];
47416 static struct ctl_table_root sysctl_table_root;
47417 @@ -201,6 +209,20 @@ extern struct ctl_table epoll_table[];
47418 int sysctl_legacy_va_layout;
47421 +#ifdef CONFIG_PAX_SOFTMODE
47422 +static ctl_table pax_table[] = {
47424 + .procname = "softmode",
47425 + .data = &pax_softmode,
47426 + .maxlen = sizeof(unsigned int),
47428 + .proc_handler = &proc_dointvec,
47435 extern int prove_locking;
47436 extern int lock_stat;
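Review bot: The `softmode` entry uses `proc_dointvec` as its handler while sizing the field with `sizeof(unsigned int)`, so any signed integer written to the file is accepted. If `pax_softmode` is a boolean switch (its definition is not shown), `proc_dointvec_minmax` with `.extra1`/`.extra2` pointing at 0 and 1 would reject other values instead of storing them. A comment on the entry stating the accepted values and who may write it would also help, since the `.mode` line of the initializer is not visible in this listing.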
47438 @@ -251,6 +273,22 @@ static int max_sched_shares_ratelimit =
47441 static struct ctl_table kern_table[] = {
47442 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
47444 + .procname = "grsecurity",
47446 + .child = grsecurity_table,
47450 +#ifdef CONFIG_PAX_SOFTMODE
47452 + .procname = "pax",
47454 + .child = pax_table,
47459 .procname = "sched_child_runs_first",
47460 .data = &sysctl_sched_child_runs_first,
47461 @@ -1629,6 +1667,16 @@ int sysctl_perm(struct ctl_table_root *r
47465 + if (table->parent != NULL && table->parent->procname != NULL &&
47466 + table->procname != NULL &&
47467 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
47469 + if (gr_handle_chroot_sysctl(op))
47471 + error = gr_handle_sysctl(table, op);
47475 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
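Review bot: `error = gr_handle_sysctl(table, op);` stores the result of a function that the prototype at the top of this file declares as returning `__u32`, in the same variable that the next visible line assigns from `security_sysctl()`. If the hook is meant to return 0 or a negative errno, declaring it as `extern int gr_handle_sysctl(const ctl_table *table, const int op);` would keep the types consistent and avoid an implicit unsigned-to-signed conversion in a permission path. The statements between the added lines (presumably the early returns) are not visible in this rendering, and sysctl_perm starts and ends outside the hunk.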
47478 @@ -2137,6 +2185,8 @@ static int __do_proc_dointvec(void *tbl_
47482 + if (len > sizeof(buf))
47483 + len = sizeof(buf);
47484 if(copy_to_user(s, buf, len))
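Review bot: The new clamp `if (len > sizeof(buf)) len = sizeof(buf);` silently truncates the output and nothing records why it is there. A comment such as `/* never copy more than the on-stack buffer holds, so a miscomputed len cannot disclose adjacent stack to user space */` would state the intent and make clear that hitting the clamp indicates a formatting bug earlier in the function. The identical two lines in the __do_proc_doulongvec_minmax hunk below want the same comment. Both functions start and end outside their hunks.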
47487 @@ -2362,6 +2412,8 @@ static int __do_proc_doulongvec_minmax(v
47491 + if (len > sizeof(buf))
47492 + len = sizeof(buf);
47493 if(copy_to_user(s, buf, len))
47496 diff -urNp linux-2.6.33/kernel/taskstats.c linux-2.6.33/kernel/taskstats.c
47497 --- linux-2.6.33/kernel/taskstats.c 2010-02-24 13:52:17.000000000 -0500
47498 +++ linux-2.6.33/kernel/taskstats.c 2010-03-07 12:23:36.145647031 -0500
47500 #include <linux/cgroup.h>
47501 #include <linux/fs.h>
47502 #include <linux/file.h>
47503 +#include <linux/grsecurity.h>
47504 #include <net/genetlink.h>
47505 #include <asm/atomic.h>
47507 +extern int gr_is_taskstats_denied(int pid);
47510 * Maximum length of a cpumask that can be specified in
47511 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
47512 @@ -433,6 +436,9 @@ static int taskstats_user_cmd(struct sk_
47514 cpumask_var_t mask;
47516 + if (gr_is_taskstats_denied(current->pid))
47519 if (!alloc_cpumask_var(&mask, GFP_KERNEL))
47522 diff -urNp linux-2.6.33/kernel/time/tick-broadcast.c linux-2.6.33/kernel/time/tick-broadcast.c
47523 --- linux-2.6.33/kernel/time/tick-broadcast.c 2010-02-24 13:52:17.000000000 -0500
47524 +++ linux-2.6.33/kernel/time/tick-broadcast.c 2010-03-07 12:23:36.145647031 -0500
47525 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
47526 * then clear the broadcast bit.
47528 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
47529 - int cpu = smp_processor_id();
47530 + cpu = smp_processor_id();
47532 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
47533 tick_broadcast_clear_oneshot(cpu);
47534 diff -urNp linux-2.6.33/kernel/time.c linux-2.6.33/kernel/time.c
47535 --- linux-2.6.33/kernel/time.c 2010-02-24 13:52:17.000000000 -0500
47536 +++ linux-2.6.33/kernel/time.c 2010-03-07 12:23:36.149712570 -0500
47537 @@ -94,6 +94,9 @@ SYSCALL_DEFINE1(stime, time_t __user *,
47540 vx_settimeofday(&tv);
47542 + gr_log_timechange();
47547 @@ -202,6 +205,8 @@ SYSCALL_DEFINE2(settimeofday, struct tim
47551 + gr_log_timechange();
47553 return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
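Review bot: In this hunk `gr_log_timechange();` runs before `return do_sys_settimeofday(...)`, so the audit record is written even when that call then fails, whereas in the stime hunk above it follows the call that sets the clock. If the log is meant to record changes that took effect, capture the result first: `int ret = do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);`, `if (!ret) gr_log_timechange();`, `return ret;`. If attempts are meant to be logged too, a one-line comment saying so would stop the two call sites from looking inconsistent. The body of settimeofday starts outside the hunk.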
47556 @@ -240,7 +245,7 @@ EXPORT_SYMBOL(current_fs_time);
47557 * Avoid unnecessary multiplications/divisions in the
47558 * two most common HZ cases:
47560 -unsigned int inline jiffies_to_msecs(const unsigned long j)
47561 +inline unsigned int jiffies_to_msecs(const unsigned long j)
47563 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
47564 return (MSEC_PER_SEC / HZ) * j;
47565 @@ -256,7 +261,7 @@ unsigned int inline jiffies_to_msecs(con
47567 EXPORT_SYMBOL(jiffies_to_msecs);
47569 -unsigned int inline jiffies_to_usecs(const unsigned long j)
47570 +inline unsigned int jiffies_to_usecs(const unsigned long j)
47572 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
47573 return (USEC_PER_SEC / HZ) * j;
47574 diff -urNp linux-2.6.33/kernel/timer.c linux-2.6.33/kernel/timer.c
47575 --- linux-2.6.33/kernel/timer.c 2010-02-24 13:52:17.000000000 -0500
47576 +++ linux-2.6.33/kernel/timer.c 2010-03-07 12:23:36.149712570 -0500
47577 @@ -1206,7 +1206,7 @@ void update_process_times(int user_tick)
47579 * This function runs timers and the timer-tq in bottom half context.
47581 -static void run_timer_softirq(struct softirq_action *h)
47582 +static void run_timer_softirq(void)
47584 struct tvec_base *base = __get_cpu_var(tvec_bases);
47586 diff -urNp linux-2.6.33/kernel/trace/ftrace.c linux-2.6.33/kernel/trace/ftrace.c
47587 --- linux-2.6.33/kernel/trace/ftrace.c 2010-02-24 13:52:17.000000000 -0500
47588 +++ linux-2.6.33/kernel/trace/ftrace.c 2010-03-07 12:23:36.149712570 -0500
47589 @@ -1102,13 +1102,18 @@ ftrace_code_disable(struct module *mod,
47593 + ret = ftrace_arch_code_modify_prepare();
47594 + FTRACE_WARN_ON(ret);
47598 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
47599 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
47601 ftrace_bug(ret, ip);
47602 rec->flags |= FTRACE_FL_FAILED;
47606 + return ret ? 0 : 1;
47610 diff -urNp linux-2.6.33/kernel/trace/Kconfig linux-2.6.33/kernel/trace/Kconfig
47611 --- linux-2.6.33/kernel/trace/Kconfig 2010-02-24 13:52:17.000000000 -0500
47612 +++ linux-2.6.33/kernel/trace/Kconfig 2010-03-07 12:23:36.149712570 -0500
47613 @@ -124,6 +124,7 @@ if FTRACE
47614 config FUNCTION_TRACER
47615 bool "Kernel Function Tracer"
47616 depends on HAVE_FUNCTION_TRACER
47617 + depends on !PAX_KERNEXEC
47618 select FRAME_POINTER
47620 select GENERIC_TRACER
47621 @@ -362,6 +363,7 @@ config PROFILE_KSYM_TRACER
47622 config STACK_TRACER
47623 bool "Trace max stack"
47624 depends on HAVE_FUNCTION_TRACER
47625 + depends on !PAX_KERNEXEC
47626 select FUNCTION_TRACER
47629 diff -urNp linux-2.6.33/kernel/trace/trace.c linux-2.6.33/kernel/trace/trace.c
47630 --- linux-2.6.33/kernel/trace/trace.c 2010-02-24 13:52:17.000000000 -0500
47631 +++ linux-2.6.33/kernel/trace/trace.c 2010-03-07 12:23:36.149712570 -0500
47632 @@ -3820,10 +3820,9 @@ static const struct file_operations trac
47636 -static struct dentry *d_tracer;
47638 struct dentry *tracing_init_dentry(void)
47640 + static struct dentry *d_tracer;
47644 @@ -3843,10 +3842,9 @@ struct dentry *tracing_init_dentry(void)
47648 -static struct dentry *d_percpu;
47650 struct dentry *tracing_dentry_percpu(void)
47652 + static struct dentry *d_percpu;
47654 struct dentry *d_tracer;
47656 diff -urNp linux-2.6.33/kernel/trace/trace_output.c linux-2.6.33/kernel/trace/trace_output.c
47657 --- linux-2.6.33/kernel/trace/trace_output.c 2010-02-24 13:52:17.000000000 -0500
47658 +++ linux-2.6.33/kernel/trace/trace_output.c 2010-03-07 12:23:36.149712570 -0500
47659 @@ -280,7 +280,7 @@ int trace_seq_path(struct trace_seq *s,
47661 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
47663 - p = mangle_path(s->buffer + s->len, p, "\n");
47664 + p = mangle_path(s->buffer + s->len, p, "\n\\");
47666 s->len = p - s->buffer;
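Review bot: The escape set passed to `mangle_path` grows from `"\n"` to `"\n\\"` with no comment explaining why the backslash matters. `mangle_path` writes the listed characters as backslash-octal escapes, so a literal backslash left unescaped in a file name could be read back as an escape and make the trace output ambiguous. A comment like `/* escape '\\' as well so a path cannot forge an octal escape in the trace output */` would record that. trace_seq_path starts and ends outside the hunk.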
47668 diff -urNp linux-2.6.33/kernel/trace/trace_stack.c linux-2.6.33/kernel/trace/trace_stack.c
47669 --- linux-2.6.33/kernel/trace/trace_stack.c 2010-02-24 13:52:17.000000000 -0500
47670 +++ linux-2.6.33/kernel/trace/trace_stack.c 2010-03-07 12:23:36.149712570 -0500
47671 @@ -50,7 +50,7 @@ static inline void check_stack(void)
47674 /* we do not handle interrupt stacks yet */
47675 - if (!object_is_on_stack(&this_size))
47676 + if (!object_starts_on_stack(&this_size))
47679 local_irq_save(flags);
47680 diff -urNp linux-2.6.33/lib/bug.c linux-2.6.33/lib/bug.c
47681 --- linux-2.6.33/lib/bug.c 2010-02-24 13:52:17.000000000 -0500
47682 +++ linux-2.6.33/lib/bug.c 2010-03-07 12:23:36.149712570 -0500
47683 @@ -135,6 +135,8 @@ enum bug_trap_type report_bug(unsigned l
47684 return BUG_TRAP_TYPE_NONE;
47686 bug = find_bug(bugaddr);
47688 + return BUG_TRAP_TYPE_NONE;
47690 printk(KERN_EMERG "------------[ cut here ]------------\n");
47692 diff -urNp linux-2.6.33/lib/debugobjects.c linux-2.6.33/lib/debugobjects.c
47693 --- linux-2.6.33/lib/debugobjects.c 2010-02-24 13:52:17.000000000 -0500
47694 +++ linux-2.6.33/lib/debugobjects.c 2010-03-07 12:23:36.149712570 -0500
47695 @@ -277,7 +277,7 @@ static void debug_object_is_on_stack(voi
47699 - is_on_stack = object_is_on_stack(addr);
47700 + is_on_stack = object_starts_on_stack(addr);
47701 if (is_on_stack == onstack)
47704 diff -urNp linux-2.6.33/lib/dma-debug.c linux-2.6.33/lib/dma-debug.c
47705 --- linux-2.6.33/lib/dma-debug.c 2010-02-24 13:52:17.000000000 -0500
47706 +++ linux-2.6.33/lib/dma-debug.c 2010-03-07 12:23:36.149712570 -0500
47707 @@ -861,7 +861,7 @@ out:
47709 static void check_for_stack(struct device *dev, void *addr)
47711 - if (object_is_on_stack(addr))
47712 + if (object_starts_on_stack(addr))
47713 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
47714 "stack [addr=%p]\n", addr);
47716 diff -urNp linux-2.6.33/lib/inflate.c linux-2.6.33/lib/inflate.c
47717 --- linux-2.6.33/lib/inflate.c 2010-02-24 13:52:17.000000000 -0500
47718 +++ linux-2.6.33/lib/inflate.c 2010-03-07 12:23:36.149712570 -0500
47719 @@ -266,7 +266,7 @@ static void free(void *where)
47720 malloc_ptr = free_mem_ptr;
47723 -#define malloc(a) kmalloc(a, GFP_KERNEL)
47724 +#define malloc(a) kmalloc((a), GFP_KERNEL)
47725 #define free(a) kfree(a)
47728 diff -urNp linux-2.6.33/lib/Kconfig.debug linux-2.6.33/lib/Kconfig.debug
47729 --- linux-2.6.33/lib/Kconfig.debug 2010-02-24 13:52:17.000000000 -0500
47730 +++ linux-2.6.33/lib/Kconfig.debug 2010-03-07 12:23:36.149712570 -0500
47731 @@ -914,7 +914,7 @@ config LATENCYTOP
47735 - depends on HAVE_LATENCYTOP_SUPPORT
47736 + depends on HAVE_LATENCYTOP_SUPPORT && !GRKERNSEC_HIDESYM
47738 Enable this option if you want to use the LatencyTOP tool
47739 to find out which userspace is blocking on what kernel operations.
47740 diff -urNp linux-2.6.33/lib/kobject.c linux-2.6.33/lib/kobject.c
47741 --- linux-2.6.33/lib/kobject.c 2010-02-24 13:52:17.000000000 -0500
47742 +++ linux-2.6.33/lib/kobject.c 2010-03-07 12:23:36.149712570 -0500
47743 @@ -700,7 +700,7 @@ static ssize_t kobj_attr_store(struct ko
47747 -struct sysfs_ops kobj_sysfs_ops = {
47748 +const struct sysfs_ops kobj_sysfs_ops = {
47749 .show = kobj_attr_show,
47750 .store = kobj_attr_store,
47752 @@ -789,7 +789,7 @@ static struct kobj_type kset_ktype = {
47753 * If the kset was not able to be created, NULL will be returned.
47755 static struct kset *kset_create(const char *name,
47756 - struct kset_uevent_ops *uevent_ops,
47757 + const struct kset_uevent_ops *uevent_ops,
47758 struct kobject *parent_kobj)
47761 @@ -832,7 +832,7 @@ static struct kset *kset_create(const ch
47762 * If the kset was not able to be created, NULL will be returned.
47764 struct kset *kset_create_and_add(const char *name,
47765 - struct kset_uevent_ops *uevent_ops,
47766 + const struct kset_uevent_ops *uevent_ops,
47767 struct kobject *parent_kobj)
47770 diff -urNp linux-2.6.33/lib/kobject_uevent.c linux-2.6.33/lib/kobject_uevent.c
47771 --- linux-2.6.33/lib/kobject_uevent.c 2010-02-24 13:52:17.000000000 -0500
47772 +++ linux-2.6.33/lib/kobject_uevent.c 2010-03-07 12:23:36.153640756 -0500
47773 @@ -95,7 +95,7 @@ int kobject_uevent_env(struct kobject *k
47774 const char *subsystem;
47775 struct kobject *top_kobj;
47777 - struct kset_uevent_ops *uevent_ops;
47778 + const struct kset_uevent_ops *uevent_ops;
47782 diff -urNp linux-2.6.33/lib/parser.c linux-2.6.33/lib/parser.c
47783 --- linux-2.6.33/lib/parser.c 2010-02-24 13:52:17.000000000 -0500
47784 +++ linux-2.6.33/lib/parser.c 2010-03-07 12:23:36.153640756 -0500
47785 @@ -129,7 +129,7 @@ static int match_number(substring_t *s,
47789 - buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
47790 + buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
47793 memcpy(buf, s->from, s->to - s->from);
47794 diff -urNp linux-2.6.33/lib/radix-tree.c linux-2.6.33/lib/radix-tree.c
47795 --- linux-2.6.33/lib/radix-tree.c 2010-02-24 13:52:17.000000000 -0500
47796 +++ linux-2.6.33/lib/radix-tree.c 2010-03-07 12:23:36.153640756 -0500
47797 @@ -81,7 +81,7 @@ struct radix_tree_preload {
47799 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
47801 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
47802 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
47804 static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
47806 diff -urNp linux-2.6.33/lib/random32.c linux-2.6.33/lib/random32.c
47807 --- linux-2.6.33/lib/random32.c 2010-02-24 13:52:17.000000000 -0500
47808 +++ linux-2.6.33/lib/random32.c 2010-03-07 12:23:36.153640756 -0500
47809 @@ -61,7 +61,7 @@ static u32 __random32(struct rnd_state *
47811 static inline u32 __seed(u32 x, u32 m)
47813 - return (x < m) ? x + m : x;
47814 + return (x <= m) ? x + m + 1 : x;
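Review bot: The new `__seed` body `return (x <= m) ? x + m + 1 : x;` changes the guarantee from "at least m" to "strictly greater than m", but the function has no comment stating which bound the generator needs. A one-line comment above it, for example `/* returns a seed strictly greater than m */`, would make the off-by-one fix reviewable and keep a later cleanup from reverting it. The callers that pass the per-state minimums are outside this hunk.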
47818 diff -urNp linux-2.6.33/localversion-grsec linux-2.6.33/localversion-grsec
47819 --- linux-2.6.33/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
47820 +++ linux-2.6.33/localversion-grsec 2010-03-07 12:23:36.153640756 -0500
47823 diff -urNp linux-2.6.33/Makefile linux-2.6.33/Makefile
47824 --- linux-2.6.33/Makefile 2010-02-24 13:52:17.000000000 -0500
47825 +++ linux-2.6.33/Makefile 2010-03-07 12:23:36.153640756 -0500
47826 @@ -227,8 +227,8 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
47830 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
47831 -HOSTCXXFLAGS = -O2
47832 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
47833 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
47835 # Decide whether to build built-in, modular, or both.
47836 # Normally, just do built-in.
47837 @@ -650,7 +650,7 @@ export mod_strip_cmd
47840 ifeq ($(KBUILD_EXTMOD),)
47841 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
47842 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
47844 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
47845 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
47846 diff -urNp linux-2.6.33/mm/filemap.c linux-2.6.33/mm/filemap.c
47847 --- linux-2.6.33/mm/filemap.c 2010-02-24 13:52:17.000000000 -0500
47848 +++ linux-2.6.33/mm/filemap.c 2010-03-07 12:23:36.153640756 -0500
47849 @@ -1601,7 +1601,7 @@ int generic_file_mmap(struct file * file
47850 struct address_space *mapping = file->f_mapping;
47852 if (!mapping->a_ops->readpage)
47855 file_accessed(file);
47856 vma->vm_ops = &generic_file_vm_ops;
47857 vma->vm_flags |= VM_CAN_NONLINEAR;
47858 @@ -1997,6 +1997,7 @@ inline int generic_write_checks(struct f
47859 *pos = i_size_read(inode);
47861 if (limit != RLIM_INFINITY) {
47862 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
47863 if (*pos >= limit) {
47864 send_sig(SIGXFSZ, current, 0);
47866 diff -urNp linux-2.6.33/mm/fremap.c linux-2.6.33/mm/fremap.c
47867 --- linux-2.6.33/mm/fremap.c 2010-02-24 13:52:17.000000000 -0500
47868 +++ linux-2.6.33/mm/fremap.c 2010-03-07 12:23:36.153640756 -0500
47869 @@ -153,6 +153,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
47871 vma = find_vma(mm, start);
47873 +#ifdef CONFIG_PAX_SEGMEXEC
47874 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
47879 * Make sure the vma is shared, that it supports prefaulting,
47880 * and that the remapped range is valid and fully within
47881 diff -urNp linux-2.6.33/mm/highmem.c linux-2.6.33/mm/highmem.c
47882 --- linux-2.6.33/mm/highmem.c 2010-02-24 13:52:17.000000000 -0500
47883 +++ linux-2.6.33/mm/highmem.c 2010-03-07 12:23:36.153640756 -0500
47884 @@ -116,9 +116,10 @@ static void flush_all_zero_pkmaps(void)
47885 * So no dangers, even with speculative execution.
47887 page = pte_page(pkmap_page_table[i]);
47888 + pax_open_kernel();
47889 pte_clear(&init_mm, (unsigned long)page_address(page),
47890 &pkmap_page_table[i]);
47892 + pax_close_kernel();
47893 set_page_address(page, NULL);
47896 @@ -177,9 +178,11 @@ start:
47899 vaddr = PKMAP_ADDR(last_pkmap_nr);
47901 + pax_open_kernel();
47902 set_pte_at(&init_mm, vaddr,
47903 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
47905 + pax_close_kernel();
47906 pkmap_count[last_pkmap_nr] = 1;
47907 set_page_address(page, (void *)vaddr);
47909 diff -urNp linux-2.6.33/mm/hugetlb.c linux-2.6.33/mm/hugetlb.c
47910 --- linux-2.6.33/mm/hugetlb.c 2010-02-24 13:52:17.000000000 -0500
47911 +++ linux-2.6.33/mm/hugetlb.c 2010-03-07 12:23:36.153640756 -0500
47912 @@ -2267,6 +2267,26 @@ static int unmap_ref_private(struct mm_s
47916 +#ifdef CONFIG_PAX_SEGMEXEC
47917 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
47919 + struct mm_struct *mm = vma->vm_mm;
47920 + struct vm_area_struct *vma_m;
47921 + unsigned long address_m;
47924 + vma_m = pax_find_mirror_vma(vma);
47928 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
47929 + address_m = address + SEGMEXEC_TASK_SIZE;
47930 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
47931 + get_page(page_m);
47932 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
47936 static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
47937 unsigned long address, pte_t *ptep, pte_t pte,
47938 struct page *pagecache_page)
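Review bot: In `pax_mirror_huge_pte` the result of `huge_pte_offset(mm, address_m & HPAGE_MASK)` is passed to `set_huge_pte_at` two lines later with no NULL test in between. The hugetlb_fault hunk further down calls `huge_pte_alloc` for the mirror address first, so the entry presumably exists on that path, but the helper itself neither states nor enforces that. Adding `BUG_ON(!ptep_m);` after the lookup, in the style of the `BUG_ON(address >= SEGMEXEC_TASK_SIZE)` already there, would make the precondition explicit. The lookup also masks `address_m` while `set_huge_pte_at` receives it unmasked. Some lines of the function (the `ptep_m` declaration and whatever follows the `pax_find_mirror_vma` call) are not visible in this rendering.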
47939 @@ -2347,6 +2367,11 @@ retry_avoidcopy:
47940 huge_ptep_clear_flush(vma, address, ptep);
47941 set_huge_pte_at(mm, address, ptep,
47942 make_huge_pte(vma, new_page, 1));
47944 +#ifdef CONFIG_PAX_SEGMEXEC
47945 + pax_mirror_huge_pte(vma, address, new_page);
47948 /* Make the old page be freed below */
47949 new_page = old_page;
47951 @@ -2476,6 +2501,10 @@ retry:
47952 && (vma->vm_flags & VM_SHARED)));
47953 set_huge_pte_at(mm, address, ptep, new_pte);
47955 +#ifdef CONFIG_PAX_SEGMEXEC
47956 + pax_mirror_huge_pte(vma, address, page);
47959 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
47960 /* Optimization, do the COW without a second fault */
47961 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
47962 @@ -2504,6 +2533,28 @@ int hugetlb_fault(struct mm_struct *mm,
47963 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
47964 struct hstate *h = hstate_vma(vma);
47966 +#ifdef CONFIG_PAX_SEGMEXEC
47967 + struct vm_area_struct *vma_m;
47969 + vma_m = pax_find_mirror_vma(vma);
47971 + unsigned long address_m;
47973 + if (vma->vm_start > vma_m->vm_start) {
47974 + address_m = address;
47975 + address -= SEGMEXEC_TASK_SIZE;
47977 + h = hstate_vma(vma);
47979 + address_m = address + SEGMEXEC_TASK_SIZE;
47981 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
47982 + return VM_FAULT_OOM;
47983 + address_m &= HPAGE_MASK;
47984 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
47988 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
47990 return VM_FAULT_OOM;
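Review bot: The mirror handling added to hugetlb_fault mixes `huge_page_size(h)` with the compile-time `HPAGE_MASK`/`HPAGE_SIZE`. `huge_pte_alloc(mm, address_m, huge_page_size(h))` is followed by `address_m &= HPAGE_MASK;` and `unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);`. The two agree only while `h` is the default huge page size, whereas `address_m &= huge_page_mask(h);` and `address_m + huge_page_size(h)` would hold for any hstate and match the line above. `pax_mirror_huge_pte` uses `HPAGE_MASK` the same way. hugetlb_fault starts and ends outside the hunk.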
47991 diff -urNp linux-2.6.33/mm/Kconfig linux-2.6.33/mm/Kconfig
47992 --- linux-2.6.33/mm/Kconfig 2010-02-24 13:52:17.000000000 -0500
47993 +++ linux-2.6.33/mm/Kconfig 2010-03-07 12:23:36.153640756 -0500
47994 @@ -222,7 +222,7 @@ config KSM
47995 config DEFAULT_MMAP_MIN_ADDR
47996 int "Low address space to protect from user allocation"
48001 This is the portion of low virtual memory which should be protected
48002 from userspace allocation. Keeping a user from writing to low pages
48003 diff -urNp linux-2.6.33/mm/maccess.c linux-2.6.33/mm/maccess.c
48004 --- linux-2.6.33/mm/maccess.c 2010-02-24 13:52:17.000000000 -0500
48005 +++ linux-2.6.33/mm/maccess.c 2010-03-07 12:23:36.153640756 -0500
48006 @@ -15,10 +15,10 @@
48007 * happens, handle that and return -EFAULT.
48010 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
48011 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
48012 __attribute__((alias("__probe_kernel_read")));
48014 -long __probe_kernel_read(void *dst, void *src, size_t size)
48015 +long __probe_kernel_read(void *dst, const void *src, size_t size)
48018 mm_segment_t old_fs = get_fs();
48019 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
48020 * Safely write to address @dst from the buffer at @src. If a kernel fault
48021 * happens, handle that and return -EFAULT.
48023 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
48024 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
48025 __attribute__((alias("__probe_kernel_write")));
48027 -long __probe_kernel_write(void *dst, void *src, size_t size)
48028 +long __probe_kernel_write(void *dst, const void *src, size_t size)
48031 mm_segment_t old_fs = get_fs();
48032 diff -urNp linux-2.6.33/mm/madvise.c linux-2.6.33/mm/madvise.c
48033 --- linux-2.6.33/mm/madvise.c 2010-02-24 13:52:17.000000000 -0500
48034 +++ linux-2.6.33/mm/madvise.c 2010-03-07 12:23:36.153640756 -0500
48035 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
48037 unsigned long new_flags = vma->vm_flags;
48039 +#ifdef CONFIG_PAX_SEGMEXEC
48040 + struct vm_area_struct *vma_m;
48043 switch (behavior) {
48045 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
48046 @@ -104,6 +108,13 @@ success:
48048 * vm_flags is protected by the mmap_sem held in write mode.
48051 +#ifdef CONFIG_PAX_SEGMEXEC
48052 + vma_m = pax_find_mirror_vma(vma);
48054 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
48057 vma->vm_flags = new_flags;
48060 @@ -162,6 +173,11 @@ static long madvise_dontneed(struct vm_a
48061 struct vm_area_struct ** prev,
48062 unsigned long start, unsigned long end)
48065 +#ifdef CONFIG_PAX_SEGMEXEC
48066 + struct vm_area_struct *vma_m;
48070 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
48072 @@ -174,6 +190,21 @@ static long madvise_dontneed(struct vm_a
48073 zap_page_range(vma, start, end - start, &details);
48075 zap_page_range(vma, start, end - start, NULL);
48077 +#ifdef CONFIG_PAX_SEGMEXEC
48078 + vma_m = pax_find_mirror_vma(vma);
48080 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
48081 + struct zap_details details = {
48082 + .nonlinear_vma = vma_m,
48083 + .last_index = ULONG_MAX,
48085 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
48087 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
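Review bot: Both added `zap_page_range` calls pass `vma` although the range `start + SEGMEXEC_TASK_SIZE` lies in the mirror mapping, and the nonlinear test reads `vma->vm_flags` while `details.nonlinear_vma` is `vma_m`. If the intent is to zap the mirror, `zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, &details);` (and the same with `NULL`) says so directly and does not rely on the unmap walk reaching the mirror from the lower vma. If passing `vma` is deliberate, a comment should say why. The guard on `vma_m` is presumably on a line not visible in this rendering, and madvise_dontneed starts outside the hunk.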
48094 @@ -366,6 +397,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
48098 +#ifdef CONFIG_PAX_SEGMEXEC
48099 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
48100 + if (end > SEGMEXEC_TASK_SIZE)
48105 + if (end > TASK_SIZE)
48111 diff -urNp linux-2.6.33/mm/memory.c linux-2.6.33/mm/memory.c
48112 --- linux-2.6.33/mm/memory.c 2010-02-24 13:52:17.000000000 -0500
48113 +++ linux-2.6.33/mm/memory.c 2010-03-07 12:23:36.153640756 -0500
48115 #include <linux/ksm.h>
48116 #include <linux/rmap.h>
48117 #include <linux/module.h>
48118 +#include <linux/security.h>
48119 #include <linux/delayacct.h>
48120 #include <linux/init.h>
48121 #include <linux/writeback.h>
48122 @@ -1266,10 +1267,10 @@ int __get_user_pages(struct task_struct
48123 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
48127 + while (nr_pages) {
48128 struct vm_area_struct *vma;
48130 - vma = find_extend_vma(mm, start);
48131 + vma = find_vma(mm, start);
48132 if (!vma && in_gate_area(tsk, start)) {
48133 unsigned long pg = start & PAGE_MASK;
48134 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
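Review bot: Replacing `find_extend_vma(mm, start)` with `find_vma(mm, start)` means this path no longer grows a stack mapping on behalf of the caller, a behaviour change for every get_user_pages user that is not explained where it is made. A comment above the lookup, for example `/* find_vma() on purpose: do not expand a VM_GROWSDOWN mapping from here */`, would record the intent. The range test `start < vma->vm_start` that this change makes necessary is added in the next hunk. __get_user_pages starts and ends outside the hunk.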
48135 @@ -1311,7 +1312,7 @@ int __get_user_pages(struct task_struct
48140 + if (!vma || start < vma->vm_start ||
48141 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
48142 !(vm_flags & vma->vm_flags))
48143 return i ? : -EFAULT;
48144 @@ -1386,7 +1387,7 @@ int __get_user_pages(struct task_struct
48145 start += PAGE_SIZE;
48147 } while (nr_pages && start < vma->vm_end);
48148 - } while (nr_pages);
48153 @@ -1982,6 +1983,186 @@ static inline void cow_user_page(struct
48154 copy_user_highpage(dst, src, va, vma);
48157 +#ifdef CONFIG_PAX_SEGMEXEC
48158 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
48160 + struct mm_struct *mm = vma->vm_mm;
48162 + pte_t *pte, entry;
48164 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
48166 + if (!pte_present(entry)) {
48167 + if (!pte_none(entry)) {
48168 + BUG_ON(pte_file(entry));
48169 + free_swap_and_cache(pte_to_swp_entry(entry));
48170 + pte_clear_not_present_full(mm, address, pte, 0);
48173 + struct page *page;
48175 + flush_cache_page(vma, address, pte_pfn(entry));
48176 + entry = ptep_clear_flush(vma, address, pte);
48177 + BUG_ON(pte_dirty(entry));
48178 + page = vm_normal_page(vma, address, entry);
48180 + update_hiwater_rss(mm);
48181 + if (PageAnon(page))
48182 + dec_mm_counter(mm, anon_rss);
48184 + dec_mm_counter(mm, file_rss);
48185 + page_remove_rmap(page);
48186 + page_cache_release(page);
48189 + pte_unmap_unlock(pte, ptl);
48192 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
48194 + * the ptl of the lower mapped page is held on entry and is not released on exit
48195 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
48197 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
48199 + struct mm_struct *mm = vma->vm_mm;
48200 + unsigned long address_m;
48201 + spinlock_t *ptl_m;
48202 + struct vm_area_struct *vma_m;
48204 + pte_t *pte_m, entry_m;
48206 + BUG_ON(!page_m || !PageAnon(page_m));
48208 + vma_m = pax_find_mirror_vma(vma);
48212 + BUG_ON(!PageLocked(page_m));
48213 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
48214 + address_m = address + SEGMEXEC_TASK_SIZE;
48215 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
48216 + pte_m = pte_offset_map_nested(pmd_m, address_m);
48217 + ptl_m = pte_lockptr(mm, pmd_m);
48218 + if (ptl != ptl_m) {
48219 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
48220 + if (!pte_none(*pte_m))
48224 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
48225 + page_cache_get(page_m);
48226 + page_add_anon_rmap(page_m, vma_m, address_m);
48227 + inc_mm_counter(mm, anon_rss);
48228 + set_pte_at(mm, address_m, pte_m, entry_m);
48229 + update_mmu_cache(vma_m, address_m, entry_m);
48231 + if (ptl != ptl_m)
48232 + spin_unlock(ptl_m);
48233 + pte_unmap_nested(pte_m);
48234 + unlock_page(page_m);
48237 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
48239 + struct mm_struct *mm = vma->vm_mm;
48240 + unsigned long address_m;
48241 + spinlock_t *ptl_m;
48242 + struct vm_area_struct *vma_m;
48244 + pte_t *pte_m, entry_m;
48246 + BUG_ON(!page_m || PageAnon(page_m));
48248 + vma_m = pax_find_mirror_vma(vma);
48252 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
48253 + address_m = address + SEGMEXEC_TASK_SIZE;
48254 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
48255 + pte_m = pte_offset_map_nested(pmd_m, address_m);
48256 + ptl_m = pte_lockptr(mm, pmd_m);
48257 + if (ptl != ptl_m) {
48258 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
48259 + if (!pte_none(*pte_m))
48263 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
48264 + page_cache_get(page_m);
48265 + page_add_file_rmap(page_m);
48266 + inc_mm_counter(mm, file_rss);
48267 + set_pte_at(mm, address_m, pte_m, entry_m);
48268 + update_mmu_cache(vma_m, address_m, entry_m);
48270 + if (ptl != ptl_m)
48271 + spin_unlock(ptl_m);
48272 + pte_unmap_nested(pte_m);
48275 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
48277 + struct mm_struct *mm = vma->vm_mm;
48278 + unsigned long address_m;
48279 + spinlock_t *ptl_m;
48280 + struct vm_area_struct *vma_m;
48282 + pte_t *pte_m, entry_m;
48284 + vma_m = pax_find_mirror_vma(vma);
48288 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
48289 + address_m = address + SEGMEXEC_TASK_SIZE;
48290 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
48291 + pte_m = pte_offset_map_nested(pmd_m, address_m);
48292 + ptl_m = pte_lockptr(mm, pmd_m);
48293 + if (ptl != ptl_m) {
48294 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
48295 + if (!pte_none(*pte_m))
48299 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
48300 + set_pte_at(mm, address_m, pte_m, entry_m);
48302 + if (ptl != ptl_m)
48303 + spin_unlock(ptl_m);
48304 + pte_unmap_nested(pte_m);
48307 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
48309 + struct page *page_m;
48312 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
48316 + page_m = vm_normal_page(vma, address, entry);
48318 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
48319 + else if (PageAnon(page_m)) {
48320 + if (pax_find_mirror_vma(vma)) {
48321 + pte_unmap_unlock(pte, ptl);
48322 + lock_page(page_m);
48323 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
48324 + if (pte_same(entry, *pte))
48325 + pax_mirror_anon_pte(vma, address, page_m, ptl);
48327 + unlock_page(page_m);
48330 + pax_mirror_file_pte(vma, address, page_m, ptl);
48333 + pte_unmap_unlock(pte, ptl);
48338 * This routine handles present pages, when users try to write
48339 * to a shared page. It is done by copying the page to a new address
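Review bot: The comment above `pax_mirror_anon_pte` documents only the `ptl` contract, but the function also asserts `BUG_ON(!PageLocked(page_m))` and ends with `unlock_page(page_m)`, so it consumes a page lock the caller must have taken. That ownership transfer should be stated in the same comment, e.g. `* page_m must be locked by the caller and is unlocked before return`, since `pax_mirror_file_pte` and `pax_mirror_pfn_pte` show no such requirement. The three helpers also repeat the same mirror lookup and nested-lock sequence (`pmd_offset(...)`, `pte_offset_map_nested`, `pte_lockptr`, `spin_lock_nested`), which could live in one static helper so the locking order is written once. Several lines of each function are not visible in this rendering, so the early-return paths could not be checked.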
48340 @@ -2161,6 +2342,12 @@ gotten:
48342 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
48343 if (likely(pte_same(*page_table, orig_pte))) {
48345 +#ifdef CONFIG_PAX_SEGMEXEC
48346 + if (pax_find_mirror_vma(vma))
48347 + BUG_ON(!trylock_page(new_page));
48351 if (!PageAnon(old_page)) {
48352 dec_mm_counter(mm, file_rss);
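Review bot: `BUG_ON(!trylock_page(new_page));` puts the lock acquisition itself inside the assertion, so a statement that changes state reads like a pure check. Writing it as `if (!trylock_page(new_page))` followed by `BUG();` keeps the side effect visible and independent of how `BUG_ON` is defined. The same construct appears in the do_anonymous_page and __do_fault hunks below. The enclosing function starts and ends outside the hunk.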
48353 @@ -2212,6 +2399,10 @@ gotten:
48354 page_remove_rmap(old_page);
48357 +#ifdef CONFIG_PAX_SEGMEXEC
48358 + pax_mirror_anon_pte(vma, address, new_page, ptl);
48361 /* Free the old page.. */
48362 new_page = old_page;
48363 ret |= VM_FAULT_WRITE;
48364 @@ -2619,6 +2810,11 @@ static int do_swap_page(struct mm_struct
48366 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
48367 try_to_free_swap(page);
48369 +#ifdef CONFIG_PAX_SEGMEXEC
48370 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
48375 if (flags & FAULT_FLAG_WRITE) {
48376 @@ -2630,6 +2826,11 @@ static int do_swap_page(struct mm_struct
48378 /* No need to invalidate - it was non-present before */
48379 update_mmu_cache(vma, address, pte);
48381 +#ifdef CONFIG_PAX_SEGMEXEC
48382 + pax_mirror_anon_pte(vma, address, page, ptl);
48386 pte_unmap_unlock(page_table, ptl);
48388 @@ -2653,7 +2854,7 @@ static int do_anonymous_page(struct mm_s
48389 unsigned long address, pte_t *page_table, pmd_t *pmd,
48390 unsigned int flags)
48392 - struct page *page;
48393 + struct page *page = NULL;
48397 @@ -2688,6 +2889,11 @@ static int do_anonymous_page(struct mm_s
48398 if (!pte_none(*page_table))
48401 +#ifdef CONFIG_PAX_SEGMEXEC
48402 + if (pax_find_mirror_vma(vma))
48403 + BUG_ON(!trylock_page(page));
48406 inc_mm_counter(mm, anon_rss);
48407 page_add_new_anon_rmap(page, vma, address);
48409 @@ -2695,6 +2901,12 @@ setpte:
48411 /* No need to invalidate - it was non-present before */
48412 update_mmu_cache(vma, address, entry);
48414 +#ifdef CONFIG_PAX_SEGMEXEC
48416 + pax_mirror_anon_pte(vma, address, page, ptl);
48420 pte_unmap_unlock(page_table, ptl);
48422 @@ -2837,6 +3049,12 @@ static int __do_fault(struct mm_struct *
48424 /* Only go through if we didn't race with anybody else... */
48425 if (likely(pte_same(*page_table, orig_pte))) {
48427 +#ifdef CONFIG_PAX_SEGMEXEC
48428 + if (anon && pax_find_mirror_vma(vma))
48429 + BUG_ON(!trylock_page(page));
48432 flush_icache_page(vma, page);
48433 entry = mk_pte(page, vma->vm_page_prot);
48434 if (flags & FAULT_FLAG_WRITE)
48435 @@ -2856,6 +3074,14 @@ static int __do_fault(struct mm_struct *
48437 /* no need to invalidate: a not-present page won't be cached */
48438 update_mmu_cache(vma, address, entry);
48440 +#ifdef CONFIG_PAX_SEGMEXEC
48442 + pax_mirror_anon_pte(vma, address, page, ptl);
48444 + pax_mirror_file_pte(vma, address, page, ptl);
48449 mem_cgroup_uncharge_page(page);
48450 @@ -3003,6 +3229,12 @@ static inline int handle_pte_fault(struc
48451 if (flags & FAULT_FLAG_WRITE)
48452 flush_tlb_page(vma, address);
48455 +#ifdef CONFIG_PAX_SEGMEXEC
48456 + pax_mirror_pte(vma, address, pte, pmd, ptl);
48461 pte_unmap_unlock(pte, ptl);
48463 @@ -3019,6 +3251,10 @@ int handle_mm_fault(struct mm_struct *mm
48467 +#ifdef CONFIG_PAX_SEGMEXEC
48468 + struct vm_area_struct *vma_m;
48471 __set_current_state(TASK_RUNNING);
48473 count_vm_event(PGFAULT);
48474 @@ -3026,6 +3262,34 @@ int handle_mm_fault(struct mm_struct *mm
48475 if (unlikely(is_vm_hugetlb_page(vma)))
48476 return hugetlb_fault(mm, vma, address, flags);
48478 +#ifdef CONFIG_PAX_SEGMEXEC
48479 + vma_m = pax_find_mirror_vma(vma);
48481 + unsigned long address_m;
48486 + if (vma->vm_start > vma_m->vm_start) {
48487 + address_m = address;
48488 + address -= SEGMEXEC_TASK_SIZE;
48491 + address_m = address + SEGMEXEC_TASK_SIZE;
48493 + pgd_m = pgd_offset(mm, address_m);
48494 + pud_m = pud_alloc(mm, pgd_m, address_m);
48496 + return VM_FAULT_OOM;
48497 + pmd_m = pmd_alloc(mm, pud_m, address_m);
48499 + return VM_FAULT_OOM;
48500 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
48501 + return VM_FAULT_OOM;
48502 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
48506 pgd = pgd_offset(mm, address);
48507 pud = pud_alloc(mm, pgd, address);
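Review bot: The SEGMEXEC block added to handle_mm_fault rewrites `address` and allocates the mirror's pud/pmd/pte levels without a comment saying why, which makes the three new `VM_FAULT_OOM` returns hard to review. A short comment above `vma_m = pax_find_mirror_vma(vma);` would help, for example `/* a fault on either half is handled at the lower-half address; the mirror's page table must exist first */`. The author should confirm the wording, since parts of the block are not shown here. The function continues outside the hunk.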
48509 @@ -3123,7 +3387,7 @@ static int __init gate_vma_init(void)
48510 gate_vma.vm_start = FIXADDR_USER_START;
48511 gate_vma.vm_end = FIXADDR_USER_END;
48512 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
48513 - gate_vma.vm_page_prot = __P101;
48514 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
48516 * Make sure the vDSO gets into every core dump.
48517 * Dumping its contents makes post-mortem fully interpretable later
48518 diff -urNp linux-2.6.33/mm/memory-failure.c linux-2.6.33/mm/memory-failure.c
48519 --- linux-2.6.33/mm/memory-failure.c 2010-02-24 13:52:17.000000000 -0500
48520 +++ linux-2.6.33/mm/memory-failure.c 2010-03-07 12:23:36.153640756 -0500
48521 @@ -50,7 +50,7 @@ int sysctl_memory_failure_early_kill __r
48523 int sysctl_memory_failure_recovery __read_mostly = 1;
48525 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
48526 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
48528 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
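Review bot: The switch of `mce_bad_pages` to `atomic_long_unchecked_t` (and to `atomic_long_add_unchecked` in the __memory_failure hunk below) carries no explanation of why this counter is exempt from the checked atomic type. If the reason is that it is a statistic rather than a reference count, so wrapping is harmless, say so on the definition, e.g. `/* statistic only, not a refcount: overflow is not a lifetime bug */`. That keeps later readers from copying the unchecked variant onto real reference counters.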
48530 @@ -935,7 +935,7 @@ int __memory_failure(unsigned long pfn,
48534 - atomic_long_add(1, &mce_bad_pages);
48535 + atomic_long_add_unchecked(1, &mce_bad_pages);
48538 * We need/can do nothing about count=0 pages.
48539 diff -urNp linux-2.6.33/mm/mempolicy.c linux-2.6.33/mm/mempolicy.c
48540 --- linux-2.6.33/mm/mempolicy.c 2010-02-24 13:52:17.000000000 -0500
48541 +++ linux-2.6.33/mm/mempolicy.c 2010-03-07 12:23:36.157715101 -0500
48542 @@ -569,6 +569,10 @@ static int mbind_range(struct vm_area_st
48543 struct vm_area_struct *next;
48546 +#ifdef CONFIG_PAX_SEGMEXEC
48547 + struct vm_area_struct *vma_m;
48551 for (; vma && vma->vm_start < end; vma = next) {
48552 next = vma->vm_next;
48553 @@ -580,6 +584,16 @@ static int mbind_range(struct vm_area_st
48554 err = policy_vma(vma, new);
48558 +#ifdef CONFIG_PAX_SEGMEXEC
48559 + vma_m = pax_find_mirror_vma(vma);
48561 + err = policy_vma(vma_m, new);
48570 @@ -1000,6 +1014,17 @@ static long do_mbind(unsigned long start
48575 +#ifdef CONFIG_PAX_SEGMEXEC
48576 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
48577 + if (end > SEGMEXEC_TASK_SIZE)
48582 + if (end > TASK_SIZE)
48588 @@ -1205,6 +1230,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
48592 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48593 + if (mm != current->mm &&
48594 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
48601 * Check if this process has the right to modify the specified
48602 * process. The right exists if the process has administrative
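Review bot: The new test `(mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)` mixes `&` and `||` without inner parentheses and reads the flags twice; the identical condition appears in the move_pages hunk in mm/migrate.c. A single mask test says the same thing and is harder to misread: `(mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC))`. The lines that handle the rejected case are not shown here, so this covers the condition only.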
48603 @@ -1214,8 +1247,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
48605 tcred = __task_cred(task);
48606 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
48607 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
48608 - !capable(CAP_SYS_NICE)) {
48609 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
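Review bot: Dropping `cred->uid != tcred->uid` from the permission test narrows who may migrate another process's pages, but the comment just above ("The right exists if the process has administrative ...") is not touched by the patch; the same applies to the matching hunk in mm/migrate.c. After this change a caller whose real uid equals the target's real uid, with no other match, is refused unless it has CAP_SYS_NICE. The comment should list the pairs still accepted, e.g. `/* allowed: euid == target suid, euid == target uid, uid == target suid, or CAP_SYS_NICE */`. The rest of that comment lies outside the hunk, so its current wording should be checked there.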
48613 @@ -2431,7 +2463,7 @@ int show_numa_map(struct seq_file *m, vo
48616 seq_printf(m, " file=");
48617 - seq_path(m, &file->f_path, "\n\t= ");
48618 + seq_path(m, &file->f_path, "\n\t\\= ");
48619 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
48620 seq_printf(m, " heap");
48621 } else if (vma->vm_start <= mm->start_stack &&
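Review bot: The escape set passed to `seq_path` gains a backslash (`"\n\t\\= "`) with no comment on why, and the reason is a security one worth recording. Assuming `seq_path` writes each listed character as a backslash escape, a file name containing a literal backslash sequence would otherwise be indistinguishable from an escaped character in the numa_maps output, and a parser could be misled about the path. I would add `/* escape the backslash too, so a path cannot imitate an escaped character */` above the call. show_numa_map extends beyond the hunk.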
48622 diff -urNp linux-2.6.33/mm/migrate.c linux-2.6.33/mm/migrate.c
48623 --- linux-2.6.33/mm/migrate.c 2010-02-24 13:52:17.000000000 -0500
48624 +++ linux-2.6.33/mm/migrate.c 2010-03-07 12:23:36.157715101 -0500
48625 @@ -1059,6 +1059,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
48629 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48630 + if (mm != current->mm &&
48631 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
48638 * Check if this process has the right to modify the specified
48639 * process. The right exists if the process has administrative
48640 @@ -1068,8 +1076,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
48642 tcred = __task_cred(task);
48643 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
48644 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
48645 - !capable(CAP_SYS_NICE)) {
48646 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
48650 diff -urNp linux-2.6.33/mm/mlock.c linux-2.6.33/mm/mlock.c
48651 --- linux-2.6.33/mm/mlock.c 2010-02-24 13:52:17.000000000 -0500
48652 +++ linux-2.6.33/mm/mlock.c 2010-03-07 12:23:36.157715101 -0500
48654 #include <linux/pagemap.h>
48655 #include <linux/mempolicy.h>
48656 #include <linux/syscalls.h>
48657 +#include <linux/security.h>
48658 #include <linux/sched.h>
48659 #include <linux/module.h>
48660 #include <linux/rmap.h>
48661 @@ -432,6 +433,17 @@ static int do_mlock(unsigned long start,
48666 +#ifdef CONFIG_PAX_SEGMEXEC
48667 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
48668 + if (end > SEGMEXEC_TASK_SIZE)
48673 + if (end > TASK_SIZE)
48676 vma = find_vma_prev(current->mm, start, &prev);
48677 if (!vma || vma->vm_start > start)
48679 @@ -506,6 +518,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
48680 lock_limit >>= PAGE_SHIFT;
48682 /* check against resource limits */
48683 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
48684 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
48685 error = do_mlock(start, len, 1);
48687 diff -urNp linux-2.6.33/mm/mlock.c linux-2.6.33/mm/mlock.c
48688 --- linux-2.6.33/mm/mlock.c 2010-02-24 13:52:17.000000000 -0500
48689 +++ linux-2.6.33/mm/mlock.c 2010-03-07 12:23:36.157715101 -0500
48690 @@ -528,10 +528,10 @@ SYSCALL_DEFINE2(munlock, unsigned long,
48691 static int do_mlockall(int flags)
48693 struct vm_area_struct * vma, * prev = NULL;
48694 - unsigned int def_flags = 0;
48695 + unsigned int def_flags = current->mm->def_flags & ~VM_LOCKED;
48697 if (flags & MCL_FUTURE)
48698 - def_flags = VM_LOCKED;
48699 + def_flags |= VM_LOCKED;
48700 current->mm->def_flags = def_flags;
48701 if (flags == MCL_FUTURE)
48703 @@ -539,6 +539,13 @@ static int do_mlockall(int flags)
48704 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
48705 unsigned int newflags;
48707 +#ifdef CONFIG_PAX_SEGMEXEC
48708 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
48712 + BUG_ON(vma->vm_end > TASK_SIZE);
48714 newflags = vma->vm_flags | VM_LOCKED;
48715 if (!(flags & MCL_CURRENT))
48716 newflags &= ~VM_LOCKED;
48717 diff -urNp linux-2.6.33/mm/mlock.c linux-2.6.33/mm/mlock.c
48718 --- linux-2.6.33/mm/mlock.c 2010-02-24 13:52:17.000000000 -0500
48719 +++ linux-2.6.33/mm/mlock.c 2010-03-07 12:23:36.157715101 -0500
48720 @@ -580,6 +580,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
48722 if (!vx_vmlocked_avail(current->mm, current->mm->total_vm))
48724 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
48725 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
48726 capable(CAP_IPC_LOCK))
48727 ret = do_mlockall(flags);
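Review bot: `gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);` appears to pass a page count, while the other RLIMIT_MEMLOCK call sites in this patch pass bytes: the mlock hunk above adds `(current->mm->locked_vm << PAGE_SHIFT) + len` and do_mmap_pgoff passes `locked << PAGE_SHIFT`. The next line compares `total_vm` with `lock_limit`, which suggests `total_vm` is in pages here. Unless gr_learn_resource (not shown) expects pages from this caller, the learned value is too small by a factor of the page size. `gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);` would match the other call sites.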
48728 diff -urNp linux-2.6.33/mm/mmap.c linux-2.6.33/mm/mmap.c
48729 --- linux-2.6.33/mm/mmap.c 2010-02-24 13:52:17.000000000 -0500
48730 +++ linux-2.6.33/mm/mmap.c 2010-03-07 12:23:36.157715101 -0500
48732 #define arch_rebalance_pgtables(addr, len) (addr)
48735 +static inline void verify_mm_writelocked(struct mm_struct *mm)
48737 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
48738 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
48739 + up_read(&mm->mmap_sem);
48745 static void unmap_region(struct mm_struct *mm,
48746 struct vm_area_struct *vma, struct vm_area_struct *prev,
48747 unsigned long start, unsigned long end);
48748 @@ -69,16 +79,25 @@ static void unmap_region(struct mm_struc
48749 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
48752 -pgprot_t protection_map[16] = {
48753 +pgprot_t protection_map[16] __read_only = {
48754 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
48755 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
48758 pgprot_t vm_get_page_prot(unsigned long vm_flags)
48760 - return __pgprot(pgprot_val(protection_map[vm_flags &
48761 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
48762 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
48763 pgprot_val(arch_vm_get_page_prot(vm_flags)));
48765 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
48766 + if (!(__supported_pte_mask & _PAGE_NX) &&
48767 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
48768 + (vm_flags & (VM_READ | VM_WRITE)))
48769 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
48774 EXPORT_SYMBOL(vm_get_page_prot);
48776 @@ -230,6 +249,7 @@ static struct vm_area_struct *remove_vma
48777 struct vm_area_struct *next = vma->vm_next;
48780 + BUG_ON(vma->vm_mirror);
48781 if (vma->vm_ops && vma->vm_ops->close)
48782 vma->vm_ops->close(vma);
48783 if (vma->vm_file) {
48784 @@ -266,6 +286,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
48785 * not page aligned -Ram Gupta
48787 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
48788 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
48789 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
48790 (mm->end_data - mm->start_data) > rlim)
48792 @@ -693,6 +714,12 @@ static int
48793 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
48794 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
48797 +#ifdef CONFIG_PAX_SEGMEXEC
48798 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
48802 if (is_mergeable_vma(vma, file, vm_flags) &&
48803 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
48804 if (vma->vm_pgoff == vm_pgoff)
48805 @@ -712,6 +739,12 @@ static int
48806 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
48807 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
48810 +#ifdef CONFIG_PAX_SEGMEXEC
48811 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
48815 if (is_mergeable_vma(vma, file, vm_flags) &&
48816 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
48818 @@ -754,12 +787,19 @@ can_vma_merge_after(struct vm_area_struc
48819 struct vm_area_struct *vma_merge(struct mm_struct *mm,
48820 struct vm_area_struct *prev, unsigned long addr,
48821 unsigned long end, unsigned long vm_flags,
48822 - struct anon_vma *anon_vma, struct file *file,
48823 + struct anon_vma *anon_vma, struct file *file,
48824 pgoff_t pgoff, struct mempolicy *policy)
48826 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
48827 struct vm_area_struct *area, *next;
48829 +#ifdef CONFIG_PAX_SEGMEXEC
48830 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
48831 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
48833 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
48837 * We later require that vma->vm_flags == vm_flags,
48838 * so this tests vma->vm_flags & VM_SPECIAL, too.
48839 @@ -775,6 +815,15 @@ struct vm_area_struct *vma_merge(struct
48840 if (next && next->vm_end == end) /* cases 6, 7, 8 */
48841 next = next->vm_next;
48843 +#ifdef CONFIG_PAX_SEGMEXEC
48845 + prev_m = pax_find_mirror_vma(prev);
48847 + area_m = pax_find_mirror_vma(area);
48849 + next_m = pax_find_mirror_vma(next);
48853 * Can it merge with the predecessor?
48855 @@ -794,9 +843,24 @@ struct vm_area_struct *vma_merge(struct
48857 vma_adjust(prev, prev->vm_start,
48858 next->vm_end, prev->vm_pgoff, NULL);
48859 - } else /* cases 2, 5, 7 */
48861 +#ifdef CONFIG_PAX_SEGMEXEC
48863 + vma_adjust(prev_m, prev_m->vm_start,
48864 + next_m->vm_end, prev_m->vm_pgoff, NULL);
48867 + } else { /* cases 2, 5, 7 */
48868 vma_adjust(prev, prev->vm_start,
48869 end, prev->vm_pgoff, NULL);
48871 +#ifdef CONFIG_PAX_SEGMEXEC
48873 + vma_adjust(prev_m, prev_m->vm_start,
48874 + end_m, prev_m->vm_pgoff, NULL);
48881 @@ -807,12 +871,27 @@ struct vm_area_struct *vma_merge(struct
48882 mpol_equal(policy, vma_policy(next)) &&
48883 can_vma_merge_before(next, vm_flags,
48884 anon_vma, file, pgoff+pglen)) {
48885 - if (prev && addr < prev->vm_end) /* case 4 */
48886 + if (prev && addr < prev->vm_end) { /* case 4 */
48887 vma_adjust(prev, prev->vm_start,
48888 addr, prev->vm_pgoff, NULL);
48889 - else /* cases 3, 8 */
48891 +#ifdef CONFIG_PAX_SEGMEXEC
48893 + vma_adjust(prev_m, prev_m->vm_start,
48894 + addr_m, prev_m->vm_pgoff, NULL);
48897 + } else { /* cases 3, 8 */
48898 vma_adjust(area, addr, next->vm_end,
48899 next->vm_pgoff - pglen, NULL);
48901 +#ifdef CONFIG_PAX_SEGMEXEC
48903 + vma_adjust(area_m, addr_m, next_m->vm_end,
48904 + next_m->vm_pgoff - pglen, NULL);
48911 @@ -887,14 +966,11 @@ none:
48912 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
48913 struct file *file, long pages)
48915 - const unsigned long stack_flags
48916 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
48919 mm->shared_vm += pages;
48920 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
48921 mm->exec_vm += pages;
48922 - } else if (flags & stack_flags)
48923 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
48924 mm->stack_vm += pages;
48925 if (flags & (VM_RESERVED|VM_IO))
48926 mm->reserved_vm += pages;
48927 @@ -921,7 +997,7 @@ unsigned long do_mmap_pgoff(struct file
48928 * (the exception is when the underlying filesystem is noexec
48929 * mounted, in which case we dont add PROT_EXEC.)
48931 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
48932 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
48933 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
48936 @@ -947,7 +1023,7 @@ unsigned long do_mmap_pgoff(struct file
48937 /* Obtain the address to map to. we verify (or select) it and ensure
48938 * that it represents a valid section of the address space.
48940 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
48941 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
48942 if (addr & ~PAGE_MASK)
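Review bot: OR-ing `MAP_EXECUTABLE` into the flags handed to `get_unmapped_area` reuses a user-visible mmap flag as an internal "this mapping will be executable" hint, and nothing at the call says so. If a caller-supplied `MAP_EXECUTABLE` bit can still be present in `flags` at this point (the code that would strip it is not in the hunk), the callee cannot tell it from the hint derived from `PROT_EXEC`. A comment such as `/* MAP_EXECUTABLE is used here only to tell the address chooser that PROT_EXEC was requested */`, plus a note on where user-supplied bits are cleared, would make the contract explicit. do_mmap_pgoff continues outside the hunk.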
48945 @@ -958,6 +1034,26 @@ unsigned long do_mmap_pgoff(struct file
48946 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
48947 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
48949 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
48950 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
48952 +#ifdef CONFIG_PAX_MPROTECT
48953 + if (mm->pax_flags & MF_PAX_MPROTECT) {
48954 + if ((prot & (PROT_WRITE | PROT_EXEC)) != PROT_EXEC)
48955 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
48957 + vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
48964 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
48965 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
48966 + vm_flags &= ~VM_PAGEEXEC;
48969 if (flags & MAP_LOCKED)
48970 if (!can_do_mlock())
48972 @@ -969,6 +1065,7 @@ unsigned long do_mmap_pgoff(struct file
48973 locked += mm->locked_vm;
48974 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
48975 lock_limit >>= PAGE_SHIFT;
48976 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
48977 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
48980 @@ -1039,6 +1136,9 @@ unsigned long do_mmap_pgoff(struct file
48984 + if (!gr_acl_handle_mmap(file, prot))
48987 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
48989 EXPORT_SYMBOL(do_mmap_pgoff);
48990 @@ -1091,10 +1191,10 @@ out:
48992 int vma_wants_writenotify(struct vm_area_struct *vma)
48994 - unsigned int vm_flags = vma->vm_flags;
48995 + unsigned long vm_flags = vma->vm_flags;
48997 /* If it was private or non-writable, the write bit is already clear */
48998 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
48999 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
49002 /* The backer wishes to know when pages are first written to? */
49003 @@ -1143,14 +1243,24 @@ unsigned long mmap_region(struct file *f
49004 unsigned long charged = 0;
49005 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
49007 +#ifdef CONFIG_PAX_SEGMEXEC
49008 + struct vm_area_struct *vma_m = NULL;
49012 + * mm->mmap_sem is required to protect against another thread
49013 + * changing the mappings in case we sleep.
49015 + verify_mm_writelocked(mm);
49017 /* Clear old maps */
49020 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
49021 if (vma && vma->vm_start < addr + len) {
49022 if (do_munmap(mm, addr, len))
49024 - goto munmap_back;
49025 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
49026 + BUG_ON(vma && vma->vm_start < addr + len);
49029 /* Check against address space limit. */
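Review bot: Replacing the `goto munmap_back` retry with a second `find_vma_prepare` and `BUG_ON(vma && vma->vm_start < addr + len)` turns an overlap after a successful `do_munmap` into a fatal assertion; the same rewrite appears in the do_brk hunk further down. The invariant behind it should be written next to the assertion, e.g. `/* do_munmap() succeeded with mmap_sem held for writing, so nothing can overlap [addr, addr+len) */`. Note that `verify_mm_writelocked`, as added by this patch, checks the lock only under CONFIG_DEBUG_VM or CONFIG_PAX, so in other builds the BUG_ON is the only check backing that assumption. mmap_region starts and ends outside the hunk.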
49030 @@ -1199,6 +1309,16 @@ munmap_back:
49034 +#ifdef CONFIG_PAX_SEGMEXEC
49035 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
49036 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
49045 vma->vm_start = addr;
49046 vma->vm_end = addr + len;
49047 @@ -1221,6 +1341,19 @@ munmap_back:
49048 error = file->f_op->mmap(file, vma);
49050 goto unmap_and_free_vma;
49052 +#ifdef CONFIG_PAX_SEGMEXEC
49053 + if (vma_m && (vm_flags & VM_EXECUTABLE))
49054 + added_exe_file_vma(mm);
49057 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
49058 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
49059 + vma->vm_flags |= VM_PAGEEXEC;
49060 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
49064 if (vm_flags & VM_EXECUTABLE)
49065 added_exe_file_vma(mm);
49067 @@ -1256,6 +1389,11 @@ munmap_back:
49068 vma_link(mm, vma, prev, rb_link, rb_parent);
49069 file = vma->vm_file;
49071 +#ifdef CONFIG_PAX_SEGMEXEC
49073 + pax_mirror_vma(vma_m, vma);
49076 /* Once vma denies write, undo our temporary denial count */
49077 if (correct_wcount)
49078 atomic_inc(&inode->i_writecount);
49079 @@ -1264,6 +1402,7 @@ out:
49081 mm->total_vm += len >> PAGE_SHIFT;
49082 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
49083 + track_exec_limit(mm, addr, addr + len, vm_flags);
49084 if (vm_flags & VM_LOCKED) {
49086 * makes pages present; downgrades, drops, reacquires mmap_sem
49087 @@ -1286,6 +1425,12 @@ unmap_and_free_vma:
49088 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
49092 +#ifdef CONFIG_PAX_SEGMEXEC
49094 + kmem_cache_free(vm_area_cachep, vma_m);
49097 kmem_cache_free(vm_area_cachep, vma);
49100 @@ -1319,6 +1464,10 @@ arch_get_unmapped_area(struct file *filp
49101 if (flags & MAP_FIXED)
49104 +#ifdef CONFIG_PAX_RANDMMAP
49105 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
49109 addr = PAGE_ALIGN(addr);
49110 vma = find_vma(mm, addr);
49111 @@ -1327,10 +1476,10 @@ arch_get_unmapped_area(struct file *filp
49114 if (len > mm->cached_hole_size) {
49115 - start_addr = addr = mm->free_area_cache;
49116 + start_addr = addr = mm->free_area_cache;
49118 - start_addr = addr = TASK_UNMAPPED_BASE;
49119 - mm->cached_hole_size = 0;
49120 + start_addr = addr = mm->mmap_base;
49121 + mm->cached_hole_size = 0;
49125 @@ -1341,9 +1490,8 @@ full_search:
49126 * Start a new search - just in case we missed
49129 - if (start_addr != TASK_UNMAPPED_BASE) {
49130 - addr = TASK_UNMAPPED_BASE;
49131 - start_addr = addr;
49132 + if (start_addr != mm->mmap_base) {
49133 + start_addr = addr = mm->mmap_base;
49134 mm->cached_hole_size = 0;
49137 @@ -1365,10 +1513,16 @@ full_search:
49139 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
49142 +#ifdef CONFIG_PAX_SEGMEXEC
49143 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
49148 * Is this a new hole at the lowest possible address?
49150 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
49151 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
49152 mm->free_area_cache = addr;
49153 mm->cached_hole_size = ~0UL;
49155 @@ -1386,7 +1540,7 @@ arch_get_unmapped_area_topdown(struct fi
49157 struct vm_area_struct *vma;
49158 struct mm_struct *mm = current->mm;
49159 - unsigned long addr = addr0;
49160 + unsigned long base = mm->mmap_base, addr = addr0;
49162 /* requested length too big for entire address space */
49163 if (len > TASK_SIZE)
49164 @@ -1395,6 +1549,10 @@ arch_get_unmapped_area_topdown(struct fi
49165 if (flags & MAP_FIXED)
49168 +#ifdef CONFIG_PAX_RANDMMAP
49169 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
49172 /* requesting a specific address */
49174 addr = PAGE_ALIGN(addr);
49175 @@ -1452,13 +1610,21 @@ bottomup:
49176 * can happen with large stack limits and large mmap()
49179 + mm->mmap_base = TASK_UNMAPPED_BASE;
49181 +#ifdef CONFIG_PAX_RANDMMAP
49182 + if (mm->pax_flags & MF_PAX_RANDMMAP)
49183 + mm->mmap_base += mm->delta_mmap;
49186 + mm->free_area_cache = mm->mmap_base;
49187 mm->cached_hole_size = ~0UL;
49188 - mm->free_area_cache = TASK_UNMAPPED_BASE;
49189 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
49191 * Restore the topdown base:
49193 - mm->free_area_cache = mm->mmap_base;
49194 + mm->mmap_base = base;
49195 + mm->free_area_cache = base;
49196 mm->cached_hole_size = ~0UL;
49199 @@ -1467,6 +1633,12 @@ bottomup:
49201 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
49204 +#ifdef CONFIG_PAX_SEGMEXEC
49205 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
49210 * Is this a new hole at the highest possible address?
49212 @@ -1474,8 +1646,10 @@ void arch_unmap_area_topdown(struct mm_s
49213 mm->free_area_cache = addr;
49215 /* dont allow allocations above current base */
49216 - if (mm->free_area_cache > mm->mmap_base)
49217 + if (mm->free_area_cache > mm->mmap_base) {
49218 mm->free_area_cache = mm->mmap_base;
49219 + mm->cached_hole_size = ~0UL;
49224 @@ -1583,6 +1757,27 @@ out:
49225 return prev ? prev->vm_next : vma;
49228 +#ifdef CONFIG_PAX_SEGMEXEC
49229 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
49231 + struct vm_area_struct *vma_m;
49233 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
49234 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
49235 + BUG_ON(vma->vm_mirror);
49238 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
49239 + vma_m = vma->vm_mirror;
49240 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
49241 + BUG_ON(vma->vm_file != vma_m->vm_file);
49242 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
49243 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff || vma->anon_vma != vma_m->anon_vma);
49244 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
49250 * Verify that the stack growth is acceptable and
49251 * update accounting. This is shared with both the
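Review bot: pax_find_mirror_vma is added without a header comment, although it is called from the fault, merge, split and mbind paths in this patch and enforces the mirror contract entirely through BUG_ON. I would add a block comment above it stating what the visible assertions establish: the two VMAs point at each other through `vm_mirror`, share `vm_file`, `vm_pgoff` and `anon_vma`, have equal length, and may differ only in `VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED`. It should also say what is returned for a VMA that is not executable or not under SEGMEXEC. The return statements are not shown here, but callers test the result as a boolean.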
49252 @@ -1599,6 +1794,7 @@ static int acct_stack_growth(struct vm_a
49255 /* Stack limit test */
49256 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
49257 if (size > rlim[RLIMIT_STACK].rlim_cur)
49260 @@ -1608,6 +1804,7 @@ static int acct_stack_growth(struct vm_a
49261 unsigned long limit;
49262 locked = mm->locked_vm + grow;
49263 limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
49264 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
49265 if (locked > limit && !capable(CAP_IPC_LOCK))
49268 @@ -1643,35 +1840,40 @@ static
49270 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
49273 + int error, locknext;
49275 if (!(vma->vm_flags & VM_GROWSUP))
49278 + /* Also guard against wrapping around to address 0. */
49279 + if (address < PAGE_ALIGN(address+1))
49280 + address = PAGE_ALIGN(address+1);
49285 * We must make sure the anon_vma is allocated
49286 * so that the anon_vma locking is not a noop.
49288 if (unlikely(anon_vma_prepare(vma)))
49290 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
49291 + if (locknext && unlikely(anon_vma_prepare(vma->vm_next)))
49293 anon_vma_lock(vma);
49295 + anon_vma_lock(vma->vm_next);
49298 * vma->vm_start/vm_end cannot change under us because the caller
49299 * is required to hold the mmap_sem in read mode. We need the
49300 - * anon_vma lock to serialize against concurrent expand_stacks.
49301 - * Also guard against wrapping around to address 0.
49302 + * anon_vma locks to serialize against concurrent expand_stacks
49303 + * and expand_upwards.
49305 - if (address < PAGE_ALIGN(address+4))
49306 - address = PAGE_ALIGN(address+4);
49308 - anon_vma_unlock(vma);
49313 /* Somebody else might have raced and expanded it already */
49314 - if (address > vma->vm_end) {
49315 + if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
49316 unsigned long size, grow;
49318 size = address - vma->vm_start;
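Review bot: expand_upwards now takes two anon_vma locks (`vma`, then `vma->vm_next`) and the expand_downwards hunks below take `prev`, then `vma`, but the rewritten comment does not state the ordering rule. Both take the lower-address VMA first and unlock in reverse. Writing that down, e.g. `/* lock order: lower-address vma first, then its upper neighbour */`, guards against a later change introducing an inversion. A sentence on why the two VMAs cannot share one anon_vma would also help, since taking the same lock twice would hang and nothing visible here rules it out. The function body extends past the hunk.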
49319 @@ -1681,6 +1883,8 @@ int expand_upwards(struct vm_area_struct
49321 vma->vm_end = address;
49324 + anon_vma_unlock(vma->vm_next);
49325 anon_vma_unlock(vma);
49328 @@ -1692,7 +1896,8 @@ int expand_upwards(struct vm_area_struct
49329 static int expand_downwards(struct vm_area_struct *vma,
49330 unsigned long address)
49333 + int error, lockprev = 0;
49334 + struct vm_area_struct *prev = NULL;
49337 * We must make sure the anon_vma is allocated
49338 @@ -1706,6 +1911,15 @@ static int expand_downwards(struct vm_ar
49342 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
49343 + find_vma_prev(vma->vm_mm, address, &prev);
49344 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
49346 + if (lockprev && unlikely(anon_vma_prepare(prev)))
49349 + anon_vma_lock(prev);
49351 anon_vma_lock(vma);
49354 @@ -1715,9 +1929,15 @@ static int expand_downwards(struct vm_ar
49357 /* Somebody else might have raced and expanded it already */
49358 - if (address < vma->vm_start) {
49359 + if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
49360 unsigned long size, grow;
49362 +#ifdef CONFIG_PAX_SEGMEXEC
49363 + struct vm_area_struct *vma_m;
49365 + vma_m = pax_find_mirror_vma(vma);
49368 size = vma->vm_end - address;
49369 grow = (vma->vm_start - address) >> PAGE_SHIFT;
49371 @@ -1725,9 +1945,20 @@ static int expand_downwards(struct vm_ar
49373 vma->vm_start = address;
49374 vma->vm_pgoff -= grow;
49375 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
49377 +#ifdef CONFIG_PAX_SEGMEXEC
49379 + vma_m->vm_start -= grow << PAGE_SHIFT;
49380 + vma_m->vm_pgoff -= grow;
49386 anon_vma_unlock(vma);
49388 + anon_vma_unlock(prev);
49392 @@ -1803,7 +2034,14 @@ static void remove_vma_list(struct mm_st
49394 long nrpages = vma_pages(vma);
49396 +#ifdef CONFIG_PAX_SEGMEXEC
49397 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
49398 + vma = remove_vma(vma);
49403 // mm->total_vm -= nrpages;
49404 vx_vmpages_sub(mm, nrpages);
49405 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
49406 vma = remove_vma(vma);
49407 @@ -1847,6 +2085,16 @@ detach_vmas_to_be_unmapped(struct mm_str
49409 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
49412 +#ifdef CONFIG_PAX_SEGMEXEC
49413 + if (vma->vm_mirror) {
49414 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
49415 + vma->vm_mirror->vm_mirror = NULL;
49416 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
49417 + vma->vm_mirror = NULL;
49421 rb_erase(&vma->vm_rb, &mm->mm_rb);
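Review bot: In `BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);` the first clause is redundant: `vma` is non-NULL here (it has just been dereferenced), so a NULL back-pointer already fails the second comparison. `BUG_ON(vma->vm_mirror->vm_mirror != vma);` states the invariant once. A short comment on `vma->vm_mirror->vm_flags &= ~VM_EXEC;` explaining why the surviving half loses its executable bit when the link is cut would also help. detach_vmas_to_be_unmapped continues outside the hunk.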
49424 @@ -1872,14 +2120,33 @@ static int __split_vma(struct mm_struct
49425 struct mempolicy *pol;
49426 struct vm_area_struct *new;
49428 +#ifdef CONFIG_PAX_SEGMEXEC
49429 + struct vm_area_struct *vma_m, *new_m = NULL;
49430 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
49433 if (is_vm_hugetlb_page(vma) && (addr &
49434 ~(huge_page_mask(hstate_vma(vma)))))
49437 +#ifdef CONFIG_PAX_SEGMEXEC
49438 + vma_m = pax_find_mirror_vma(vma);
49441 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
49445 +#ifdef CONFIG_PAX_SEGMEXEC
49447 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
49449 + kmem_cache_free(vm_area_cachep, new);
49455 /* most fields are the same, copy all, and then fixup */
49458 @@ -1890,8 +2157,29 @@ static int __split_vma(struct mm_struct
49459 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
49462 +#ifdef CONFIG_PAX_SEGMEXEC
49465 + new_m->vm_mirror = new;
49466 + new->vm_mirror = new_m;
49469 + new_m->vm_end = addr_m;
49471 + new_m->vm_start = addr_m;
49472 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
49477 pol = mpol_dup(vma_policy(vma));
49480 +#ifdef CONFIG_PAX_SEGMEXEC
49482 + kmem_cache_free(vm_area_cachep, new_m);
49485 kmem_cache_free(vm_area_cachep, new);
49486 return PTR_ERR(pol);
49488 @@ -1912,6 +2200,28 @@ static int __split_vma(struct mm_struct
49490 vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
49492 +#ifdef CONFIG_PAX_SEGMEXEC
49495 + vma_set_policy(new_m, pol);
49497 + if (new_m->vm_file) {
49498 + get_file(new_m->vm_file);
49499 + if (vma_m->vm_flags & VM_EXECUTABLE)
49500 + added_exe_file_vma(mm);
49503 + if (new_m->vm_ops && new_m->vm_ops->open)
49504 + new_m->vm_ops->open(new_m);
49507 + vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
49508 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
49510 + vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
49517 @@ -1922,6 +2232,15 @@ static int __split_vma(struct mm_struct
49518 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
49519 unsigned long addr, int new_below)
49522 +#ifdef CONFIG_PAX_SEGMEXEC
49523 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
49524 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
49525 + if (mm->map_count >= sysctl_max_map_count-1)
49530 if (mm->map_count >= sysctl_max_map_count)
49533 @@ -1933,11 +2252,30 @@ int split_vma(struct mm_struct *mm, stru
49534 * work. This now handles partial unmappings.
49535 * Jeremy Fitzhardinge <jeremy@goop.org>
49537 +#ifdef CONFIG_PAX_SEGMEXEC
49538 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
49540 + int ret = __do_munmap(mm, start, len);
49541 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
49544 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
49547 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
49549 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
49553 struct vm_area_struct *vma, *prev, *last;
49556 + * mm->mmap_sem is required to protect against another thread
49557 + * changing the mappings in case we sleep.
49559 + verify_mm_writelocked(mm);
49561 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
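Review bot: The SEGMEXEC `do_munmap` wrapper calls `__do_munmap` twice. If the first call succeeds and the second (at `start + SEGMEXEC_TASK_SIZE`) fails, the caller receives an error for a range whose lower half has already been unmapped. Whether that state is acceptable depends on code outside this hunk. I would document it above the wrapper, e.g. `/* if the mirror unmap fails, the lower range is already gone; an error does not mean "nothing changed" */`, or explain there why the second call cannot fail. The body of `__do_munmap` runs past the end of the hunk.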
49564 @@ -2011,6 +2349,8 @@ int do_munmap(struct mm_struct *mm, unsi
49565 /* Fix up all other VM information */
49566 remove_vma_list(mm, vma);
49568 + track_exec_limit(mm, start, end, 0UL);
49573 @@ -2023,22 +2363,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
49575 profile_munmap(addr);
49577 +#ifdef CONFIG_PAX_SEGMEXEC
49578 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
49579 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
49583 down_write(&mm->mmap_sem);
49584 ret = do_munmap(mm, addr, len);
49585 up_write(&mm->mmap_sem);
49589 -static inline void verify_mm_writelocked(struct mm_struct *mm)
49591 -#ifdef CONFIG_DEBUG_VM
49592 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
49594 - up_read(&mm->mmap_sem);
49600 * this is really a simplified "do_mmap". it only handles
49601 * anonymous maps. eventually we may be able to do some
49602 @@ -2052,6 +2388,11 @@ unsigned long do_brk(unsigned long addr,
49603 struct rb_node ** rb_link, * rb_parent;
49604 pgoff_t pgoff = addr >> PAGE_SHIFT;
49606 + unsigned long charged;
49608 +#ifdef CONFIG_PAX_SEGMEXEC
49609 + struct vm_area_struct *vma_m = NULL;
49612 len = PAGE_ALIGN(len);
49614 @@ -2063,16 +2404,30 @@ unsigned long do_brk(unsigned long addr,
49616 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
49618 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
49619 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
49620 + flags &= ~VM_EXEC;
49622 +#ifdef CONFIG_PAX_MPROTECT
49623 + if (mm->pax_flags & MF_PAX_MPROTECT)
49624 + flags &= ~VM_MAYEXEC;
49630 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
49631 if (error & ~PAGE_MASK)
49634 + charged = len >> PAGE_SHIFT;
49637 * mlock MCL_FUTURE?
49639 if (mm->def_flags & VM_LOCKED) {
49640 unsigned long locked, lock_limit;
49641 - locked = len >> PAGE_SHIFT;
49642 + locked = charged;
49643 locked += mm->locked_vm;
49644 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
49645 lock_limit >>= PAGE_SHIFT;
49646 @@ -2443,23 +2798,23 @@ unsigned long do_brk(unsigned long addr,
49648 * Clear old maps. this also does some error checking for us
49651 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
49652 if (vma && vma->vm_start < addr + len) {
49653 if (do_munmap(mm, addr, len))
49655 - goto munmap_back;
49656 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
49657 + BUG_ON(vma && vma->vm_start < addr + len);
49660 /* Check against address space limits *after* clearing old maps... */
49661 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
49662 + if (!may_expand_vm(mm, charged))
49665 if (mm->map_count > sysctl_max_map_count)
49668 - if (security_vm_enough_memory(len >> PAGE_SHIFT) ||
49669 - !vx_vmpages_avail(mm, len >> PAGE_SHIFT))
49670 + if (security_vm_enough_memory(charged) ||
49671 + !vx_vmpages_avail(mm, charged))
49674 /* Can we just expand an old private anonymous mapping? */
49675 @@ -2118,10 +2473,21 @@ unsigned long do_brk(unsigned long addr,
49677 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
49679 - vm_unacct_memory(len >> PAGE_SHIFT);
49680 + vm_unacct_memory(charged);
49684 +#ifdef CONFIG_PAX_SEGMEXEC
49685 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (flags & VM_EXEC)) {
49686 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
49688 + kmem_cache_free(vm_area_cachep, vma);
49689 + vm_unacct_memory(charged);
49696 vma->vm_start = addr;
49697 vma->vm_end = addr + len;
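Review bot: The mirror allocation added here looks unreachable, because it requires both `MF_PAX_SEGMEXEC` and `flags & VM_EXEC`. The earlier do_brk hunk (`@@ -2063,16 +2404,30 @@`) runs `flags &= ~VM_EXEC;` whenever `MF_PAX_PAGEEXEC` or `MF_PAX_SEGMEXEC` is set, and no visible line sets the bit again. If that reading holds, `vma_m` stays NULL in `do_brk()` and the extra `kmem_cache_free()`/`vm_unacct_memory()` unwinding is dead code. Either drop the branch or state the intent, e.g. `/* not reached today: brk mappings are never VM_EXEC under SEGMEXEC */`. Some lines of the function are missing from this page, so check the full body first.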
49698 @@ -2181,8 +2547,10 @@ void exit_mmap(struct mm_struct *mm)
49699 * Walk the list again, actually closing and freeing it,
49700 * with preemption enabled, without holding any MM locks.
49704 + vma->vm_mirror = NULL;
49705 vma = remove_vma(vma);
49708 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
49710 @@ -2196,6 +2564,10 @@ int insert_vm_struct(struct mm_struct *
49711 struct vm_area_struct * __vma, * prev;
49712 struct rb_node ** rb_link, * rb_parent;
49714 +#ifdef CONFIG_PAX_SEGMEXEC
49715 + struct vm_area_struct *vma_m = NULL;
49719 * The vm_pgoff of a purely anonymous vma should be irrelevant
49720 * until its first write fault, when page's anon_vma and index
49721 @@ -2218,7 +2590,22 @@ int insert_vm_struct(struct mm_struct *
49722 if ((vma->vm_flags & VM_ACCOUNT) &&
49723 security_vm_enough_memory_mm(mm, vma_pages(vma)))
49726 +#ifdef CONFIG_PAX_SEGMEXEC
49727 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
49728 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
49734 vma_link(mm, vma, prev, rb_link, rb_parent);
49736 +#ifdef CONFIG_PAX_SEGMEXEC
49738 + pax_mirror_vma(vma_m, vma);
49744 @@ -2236,6 +2623,8 @@ struct vm_area_struct *copy_vma(struct v
49745 struct rb_node **rb_link, *rb_parent;
49746 struct mempolicy *pol;
49748 + BUG_ON(vma->vm_mirror);
49751 * If anonymous vma has not yet been faulted, update new pgoff
49752 * to match new location, to increase its chance of merging.
49753 @@ -2279,6 +2668,35 @@ struct vm_area_struct *copy_vma(struct v
49757 +#ifdef CONFIG_PAX_SEGMEXEC
49758 +void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
49760 + struct vm_area_struct *prev_m;
49761 + struct rb_node **rb_link_m, *rb_parent_m;
49762 + struct mempolicy *pol_m;
49764 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
49765 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
49766 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
49768 + pol_m = vma_policy(vma_m);
49770 + vma_set_policy(vma_m, pol_m);
49771 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
49772 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
49773 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
49774 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
49775 + if (vma_m->vm_file)
49776 + get_file(vma_m->vm_file);
49777 + if (vma_m->vm_ops && vma_m->vm_ops->open)
49778 + vma_m->vm_ops->open(vma_m);
49779 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
49780 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
49781 + vma_m->vm_mirror = vma;
49782 + vma->vm_mirror = vma_m;
49787 * Return true if the calling process may expand its vm space by the passed
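Review bot: In `pax_mirror_vma()` the return value of `find_vma_prepare()` is discarded and `vma_link()` follows on the next line, so nothing checks that the mirror range at `+ SEGMEXEC_TASK_SIZE` is actually free. The do_brk hunk earlier in this file asserts exactly that after its own lookup (`BUG_ON(vma && vma->vm_start < addr + len);`). The same assertion here would catch a caller that did not unmap an old mirror first, e.g. keep the result in a local and add `BUG_ON(tmp && tmp->vm_start < vma_m->vm_end);`. A header comment stating the preconditions (freshly allocated `vma_m`, presumably mmap_sem held for writing) would also help.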
49789 @@ -2289,7 +2707,7 @@ int may_expand_vm(struct mm_struct *mm,
49792 lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
49794 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
49795 if (cur + npages > lim)
49798 @@ -2358,5 +2776,14 @@ int install_special_mapping(struct mm_st
49799 vma->vm_start = addr;
49800 vma->vm_end = addr + len;
49802 +#ifdef CONFIG_PAX_MPROTECT
49803 + if (mm->pax_flags & MF_PAX_MPROTECT) {
49804 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
49805 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
49807 + vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
49811 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
49812 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
49814 --- a/mm/mmap.c~ 2010-03-08 09:52:23.802000093 +0100
49815 +++ b/mm/mmap.c 2010-03-08 09:53:10.178415334 +0100
49816 @@ -2502,17 +2502,18 @@ unsigned long do_brk(unsigned long addr,
49817 vma->vm_flags = flags;
49818 vma->vm_page_prot = vm_get_page_prot(flags);
49819 vma_link(mm, vma, prev, rb_link, rb_parent);
49821 // mm->total_vm += len >> PAGE_SHIFT;
49822 - vx_vmpages_add(mm, len >> PAGE_SHIFT);
49823 + vx_vmpages_add(mm, charged);
49825 if (flags & VM_LOCKED) {
49826 if (!mlock_vma_pages_range(vma, addr, addr + len))
49827 // mm->locked_vm += (len >> PAGE_SHIFT);
49828 - vx_vmlocked_add(mm, len >> PAGE_SHIFT);
49829 + vx_vmlocked_add(mm, charged);
49831 + track_exec_limit(mm, addr, addr + len, flags);
49835 EXPORT_SYMBOL(do_brk);
49837 diff -urNp linux-2.6.33/mm/mprotect.c linux-2.6.33/mm/mprotect.c
49838 --- linux-2.6.33/mm/mprotect.c 2010-02-24 13:52:17.000000000 -0500
49839 +++ linux-2.6.33/mm/mprotect.c 2010-03-07 12:23:36.161647154 -0500
49840 @@ -24,10 +24,16 @@
49841 #include <linux/mmu_notifier.h>
49842 #include <linux/migrate.h>
49843 #include <linux/perf_event.h>
49845 +#ifdef CONFIG_PAX_MPROTECT
49846 +#include <linux/elf.h>
49849 #include <asm/uaccess.h>
49850 #include <asm/pgtable.h>
49851 #include <asm/cacheflush.h>
49852 #include <asm/tlbflush.h>
49853 +#include <asm/mmu_context.h>
49855 #ifndef pgprot_modify
49856 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
49857 @@ -132,6 +138,48 @@ static void change_protection(struct vm_
49858 flush_tlb_range(vma, start, end);
49861 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
49862 +/* called while holding the mmap semaphor for writing except stack expansion */
49863 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
49865 + unsigned long oldlimit, newlimit = 0UL;
49867 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
49870 + spin_lock(&mm->page_table_lock);
49871 + oldlimit = mm->context.user_cs_limit;
49872 + if ((prot & VM_EXEC) && oldlimit < end)
49873 + /* USER_CS limit moved up */
49875 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
49876 + /* USER_CS limit moved down */
49877 + newlimit = start;
49880 + mm->context.user_cs_limit = newlimit;
49884 + cpus_clear(mm->context.cpu_user_cs_mask);
49885 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
49888 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
49890 + spin_unlock(&mm->page_table_lock);
49891 + if (newlimit == end) {
49892 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
49894 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
49895 + if (is_vm_hugetlb_page(vma))
49896 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
49898 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
49904 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
49905 unsigned long start, unsigned long end, unsigned long newflags)
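Review bot: The last parameter of `track_exec_limit()` is named `prot`, but it is tested against `VM_EXEC` and every caller in this patch passes VM_* flags (`flags`, `vm_flags`, `map_flags`, `0UL`), so the name reads as if `PROT_*` bits were expected. Renaming it to `vm_flags` would match its use. The one-line comment above the function also misspells "semaphore" and could carry the contract, e.g. `/* called with mmap_sem held for writing, except from stack expansion; vm_flags holds the VM_* bits of [start, end) */`. Several body lines are not visible on this page.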
49906 @@ -144,6 +192,14 @@ mprotect_fixup(struct vm_area_struct *vm
49908 int dirty_accountable = 0;
49910 +#ifdef CONFIG_PAX_SEGMEXEC
49911 + struct vm_area_struct *vma_m = NULL;
49912 + unsigned long start_m, end_m;
49914 + start_m = start + SEGMEXEC_TASK_SIZE;
49915 + end_m = end + SEGMEXEC_TASK_SIZE;
49918 if (newflags == oldflags) {
49921 @@ -165,6 +221,38 @@ mprotect_fixup(struct vm_area_struct *vm
49925 +#ifdef CONFIG_PAX_SEGMEXEC
49926 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
49927 + if (start != vma->vm_start) {
49928 + error = split_vma(mm, vma, start, 1);
49931 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
49932 + *pprev = (*pprev)->vm_next;
49935 + if (end != vma->vm_end) {
49936 + error = split_vma(mm, vma, end, 0);
49941 + if (pax_find_mirror_vma(vma)) {
49942 + error = __do_munmap(mm, start_m, end_m - start_m);
49946 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
49951 + vma->vm_flags = newflags;
49952 + pax_mirror_vma(vma_m, vma);
49958 * First try to merge with previous and/or next vma.
49960 @@ -196,8 +284,14 @@ success:
49961 * held in write mode.
49963 vma->vm_flags = newflags;
49965 +#ifdef CONFIG_PAX_MPROTECT
49966 + if (mm->binfmt && mm->binfmt->handle_mprotect)
49967 + mm->binfmt->handle_mprotect(vma, newflags);
49970 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
49971 - vm_get_page_prot(newflags));
49972 + vm_get_page_prot(vma->vm_flags));
49974 if (vma_wants_writenotify(vma)) {
49975 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
49976 @@ -238,6 +332,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
49981 +#ifdef CONFIG_PAX_SEGMEXEC
49982 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
49983 + if (end > SEGMEXEC_TASK_SIZE)
49988 + if (end > TASK_SIZE)
49991 if (!arch_validate_prot(prot))
49994 @@ -245,7 +350,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
49996 * Does the application expect PROT_READ to imply PROT_EXEC:
49998 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
49999 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
50002 vm_flags = calc_vm_prot_bits(prot);
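Review bot: The comment kept as context above the changed test still says `Does the application expect PROT_READ to imply PROT_EXEC`, but the new condition also fires for `PROT_WRITE`-only requests. Update it to match, e.g. `/* Does the application expect PROT_READ or PROT_WRITE to imply PROT_EXEC: */`. A few words on why write-only requests are now included under `READ_IMPLIES_EXEC` would help too.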
50003 @@ -277,6 +382,16 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
50004 if (start > vma->vm_start)
50007 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
50012 +#ifdef CONFIG_PAX_MPROTECT
50013 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
50014 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
50017 for (nstart = start ; ; ) {
50018 unsigned long newflags;
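Review bot: `gr_acl_handle_mprotect(vma->vm_file, prot)` is evaluated once, on the first VMA, before the `for (nstart = start ; ; )` loop that walks the VMAs in the requested range. As far as these lines show, later VMAs in the same call are changed without that check. If the policy is meant to apply per mapped file, the call belongs inside the loop next to the other per-VMA checks. If checking only the first mapping is intentional, a comment should say so. The loop body and the error path of the new `if` are outside the visible lines.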
50020 @@ -301,6 +416,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
50023 perf_event_mmap(vma);
50025 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
50029 if (nstart < prev->vm_end)
50030 diff -urNp linux-2.6.33/mm/mremap.c linux-2.6.33/mm/mremap.c
50031 --- linux-2.6.33/mm/mremap.c 2010-02-24 13:52:17.000000000 -0500
50032 +++ linux-2.6.33/mm/mremap.c 2010-03-07 12:23:36.161647154 -0500
50033 @@ -114,6 +114,12 @@ static void move_ptes(struct vm_area_str
50035 pte = ptep_clear_flush(vma, old_addr, old_pte);
50036 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
50038 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
50039 + if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
50040 + pte = pte_exprotect(pte);
50043 set_pte_at(mm, new_addr, new_pte, pte);
50046 @@ -273,6 +279,11 @@ static struct vm_area_struct *vma_to_res
50047 if (is_vm_hugetlb_page(vma))
50050 +#ifdef CONFIG_PAX_SEGMEXEC
50051 + if (pax_find_mirror_vma(vma))
50055 /* We can't remap across vm area boundaries */
50056 if (old_len > vma->vm_end - addr)
50058 @@ -322,20 +333,23 @@ static unsigned long mremap_to(unsigned
50059 unsigned long ret = -EINVAL;
50060 unsigned long charged = 0;
50061 unsigned long map_flags;
50062 + unsigned long pax_task_size = TASK_SIZE;
50064 if (new_addr & ~PAGE_MASK)
50067 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
50068 +#ifdef CONFIG_PAX_SEGMEXEC
50069 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
50070 + pax_task_size = SEGMEXEC_TASK_SIZE;
50073 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
50076 /* Check if the location we're moving into overlaps the
50077 * old location at all, and fail if it does.
50079 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
50082 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
50083 + if (addr + old_len > new_addr && new_addr + new_len > addr)
50086 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
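Review bot: The length half of the new bound still compares against `TASK_SIZE` while the address half uses `pax_task_size`. With SEGMEXEC active, a `new_len` between `SEGMEXEC_TASK_SIZE` and `TASK_SIZE` makes `pax_task_size - new_len` wrap, so the address test passes. The `do_mremap()` hunk further down rejects `new_len > pax_task_size` before calling in, so this may be unreachable today, but the check should stand on its own: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. The body of `mremap_to()` continues outside the hunk.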
50087 @@ -407,6 +421,7 @@ unsigned long do_mremap(unsigned long ad
50088 struct vm_area_struct *vma;
50089 unsigned long ret = -EINVAL;
50090 unsigned long charged = 0;
50091 + unsigned long pax_task_size = TASK_SIZE;
50093 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
50095 @@ -425,6 +440,15 @@ unsigned long do_mremap(unsigned long ad
50099 +#ifdef CONFIG_PAX_SEGMEXEC
50100 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
50101 + pax_task_size = SEGMEXEC_TASK_SIZE;
50104 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
50105 + old_len > pax_task_size || addr > pax_task_size-old_len)
50108 if (flags & MREMAP_FIXED) {
50109 if (flags & MREMAP_MAYMOVE)
50110 ret = mremap_to(addr, old_len, new_addr, new_len);
50111 @@ -471,6 +495,7 @@ unsigned long do_mremap(unsigned long ad
50115 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
50119 @@ -497,7 +522,13 @@ unsigned long do_mremap(unsigned long ad
50120 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
50124 + map_flags = vma->vm_flags;
50125 ret = move_vma(vma, addr, old_len, new_len, new_addr);
50126 + if (!(ret & ~PAGE_MASK)) {
50127 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
50128 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
50132 if (ret & ~PAGE_MASK)
50133 diff -urNp linux-2.6.33/mm/nommu.c linux-2.6.33/mm/nommu.c
50134 --- linux-2.6.33/mm/nommu.c 2010-02-24 13:52:17.000000000 -0500
50135 +++ linux-2.6.33/mm/nommu.c 2010-03-07 12:23:36.161647154 -0500
50136 @@ -759,15 +759,6 @@ struct vm_area_struct *find_vma(struct m
50137 EXPORT_SYMBOL(find_vma);
50141 - * - we don't extend stack VMAs under NOMMU conditions
50143 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
50145 - return find_vma(mm, addr);
50149 * expand a stack to a given address
50150 * - not supported under NOMMU conditions
50152 diff -urNp linux-2.6.33/mm/page_alloc.c linux-2.6.33/mm/page_alloc.c
50153 --- linux-2.6.33/mm/page_alloc.c 2010-02-24 13:52:17.000000000 -0500
50154 +++ linux-2.6.33/mm/page_alloc.c 2010-03-07 12:23:36.161647154 -0500
50155 @@ -583,6 +583,10 @@ static void __free_pages_ok(struct page
50157 int wasMlocked = __TestClearPageMlocked(page);
50159 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
50160 + unsigned long index = 1UL << order;
50163 kmemcheck_free_shadow(page, order);
50165 for (i = 0 ; i < (1 << order) ; ++i)
50166 @@ -595,6 +599,12 @@ static void __free_pages_ok(struct page
50167 debug_check_no_obj_freed(page_address(page),
50168 PAGE_SIZE << order);
50171 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
50172 + for (; index; --index)
50173 + sanitize_highpage(page + index - 1);
50176 arch_free_page(page, order);
50177 kernel_map_pages(page, 1 << order, 0);
50179 @@ -698,8 +708,10 @@ static int prep_new_page(struct page *pa
50180 arch_alloc_page(page, order);
50181 kernel_map_pages(page, 1 << order, 1);
50183 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
50184 if (gfp_flags & __GFP_ZERO)
50185 prep_zero_page(page, order, gfp_flags);
50188 if (order && (gfp_flags & __GFP_COMP))
50189 prep_compound_page(page, order);
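Review bot: Compiling out the `__GFP_ZERO` clearing in `prep_new_page()` relies on an invariant that the hunk does not write down: every page handed out has already been cleared by `sanitize_highpage()` when it was freed. Two free paths are patched in this file (`__free_pages_ok()` and `free_hot_cold_page()`). Any path that returns pages to the allocator without passing through them would give `__GFP_ZERO` callers stale memory. A comment at the `#ifndef` would make that reviewable, e.g. `/* pages are zeroed on free by sanitize_highpage(); see __free_pages_ok() and free_hot_cold_page() */`.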
50190 @@ -1093,6 +1105,11 @@ static void free_hot_cold_page(struct pa
50191 debug_check_no_locks_freed(page_address(page), PAGE_SIZE);
50192 debug_check_no_obj_freed(page_address(page), PAGE_SIZE);
50195 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
50196 + sanitize_highpage(page);
50199 arch_free_page(page, 0);
50200 kernel_map_pages(page, 1, 0);
50202 diff -urNp linux-2.6.33/mm/percpu.c linux-2.6.33/mm/percpu.c
50203 --- linux-2.6.33/mm/percpu.c 2010-02-24 13:52:17.000000000 -0500
50204 +++ linux-2.6.33/mm/percpu.c 2010-03-07 12:23:36.161647154 -0500
50205 @@ -114,7 +114,7 @@ static unsigned int pcpu_first_unit_cpu
50206 static unsigned int pcpu_last_unit_cpu __read_mostly;
50208 /* the address of the first chunk which starts with the kernel static area */
50209 -void *pcpu_base_addr __read_mostly;
50210 +void *pcpu_base_addr __read_only;
50211 EXPORT_SYMBOL_GPL(pcpu_base_addr);
50213 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
50214 diff -urNp linux-2.6.33/mm/rmap.c linux-2.6.33/mm/rmap.c
50215 --- linux-2.6.33/mm/rmap.c 2010-02-24 13:52:17.000000000 -0500
50216 +++ linux-2.6.33/mm/rmap.c 2010-03-07 12:23:36.161647154 -0500
50217 @@ -109,6 +109,10 @@ int anon_vma_prepare(struct vm_area_stru
50218 struct mm_struct *mm = vma->vm_mm;
50219 struct anon_vma *allocated;
50221 +#ifdef CONFIG_PAX_SEGMEXEC
50222 + struct vm_area_struct *vma_m;
50225 anon_vma = find_mergeable_anon_vma(vma);
50228 @@ -122,6 +126,15 @@ int anon_vma_prepare(struct vm_area_stru
50229 /* page_table_lock to protect against threads */
50230 spin_lock(&mm->page_table_lock);
50231 if (likely(!vma->anon_vma)) {
50233 +#ifdef CONFIG_PAX_SEGMEXEC
50234 + vma_m = pax_find_mirror_vma(vma);
50236 + vma_m->anon_vma = anon_vma;
50237 + __anon_vma_link(vma_m);
50241 vma->anon_vma = anon_vma;
50242 list_add_tail(&vma->anon_vma_node, &anon_vma->head);
50244 diff -urNp linux-2.6.33/mm/shmem.c linux-2.6.33/mm/shmem.c
50245 --- linux-2.6.33/mm/shmem.c 2010-02-24 13:52:17.000000000 -0500
50246 +++ linux-2.6.33/mm/shmem.c 2010-03-07 12:23:36.161647154 -0500
50248 #include <linux/module.h>
50249 #include <linux/swap.h>
50251 -static struct vfsmount *shm_mnt;
50252 +struct vfsmount *shm_mnt;
50254 #ifdef CONFIG_SHMEM
50256 diff -urNp linux-2.6.33/mm/slab.c linux-2.6.33/mm/slab.c
50257 --- linux-2.6.33/mm/slab.c 2010-02-24 13:52:17.000000000 -0500
50258 +++ linux-2.6.33/mm/slab.c 2010-03-07 12:23:36.161647154 -0500
50259 @@ -308,7 +308,7 @@ struct kmem_list3 {
50260 * Need this for bootstrapping a per node allocator.
50262 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
50263 -struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
50264 +struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
50265 #define CACHE_CACHE 0
50266 #define SIZE_AC MAX_NUMNODES
50267 #define SIZE_L3 (2 * MAX_NUMNODES)
50268 @@ -558,7 +558,7 @@ static inline void *index_to_obj(struct
50269 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
50271 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
50272 - const struct slab *slab, void *obj)
50273 + const struct slab *slab, const void *obj)
50275 u32 offset = (obj - slab->s_mem);
50276 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
50277 @@ -584,14 +584,14 @@ struct cache_names {
50278 static struct cache_names __initdata cache_names[] = {
50279 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
50280 #include <linux/kmalloc_sizes.h>
50286 static struct arraycache_init initarray_cache __initdata =
50287 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
50288 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
50289 static struct arraycache_init initarray_generic =
50290 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
50291 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
50293 /* internal cache of cache description objs */
50294 static struct kmem_cache cache_cache = {
50295 @@ -4106,7 +4106,7 @@ out:
50296 schedule_delayed_work(work, round_jiffies_relative(REAPTIMEOUT_CPUC));
50299 -#ifdef CONFIG_SLABINFO
50300 +#if defined(CONFIG_SLABINFO) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
50302 static void print_slabinfo_header(struct seq_file *m)
50304 @@ -4504,6 +4504,51 @@ static int __init slab_proc_init(void)
50305 module_init(slab_proc_init);
50308 +void check_object_size(const void *ptr, unsigned long n, bool to)
50311 +#ifdef CONFIG_PAX_USERCOPY
50312 + struct kmem_cache *cachep;
50313 + struct slab *slabp;
50314 + struct page *page;
50315 + unsigned int objnr;
50316 + unsigned long offset;
50321 + if (ZERO_OR_NULL_PTR(ptr))
50324 + if (!virt_addr_valid(ptr))
50327 + page = virt_to_head_page(ptr);
50329 + if (!PageSlab(page)) {
50330 + if (object_is_on_stack(ptr, n) == -1)
50335 + cachep = page_get_cache(page);
50336 + slabp = page_get_slab(page);
50337 + objnr = obj_to_index(cachep, slabp, ptr);
50338 + BUG_ON(objnr >= cachep->num);
50339 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
50340 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
50345 + pax_report_leak_to_user(ptr, n);
50347 + pax_report_overflow_from_user(ptr, n);
50351 +EXPORT_SYMBOL(check_object_size);
50354 * ksize - get the actual amount of memory allocated for a given object
50355 * @objp: Pointer to the object
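Review bot: `check_object_size()` is exported but has no comment, and the meaning of `to` can only be guessed from the two report calls at the end (`pax_report_leak_to_user` and `pax_report_overflow_from_user`). The same undocumented function is added to mm/slob.c and mm/slub.c further down. I would put a kernel-doc block above each definition saying that `ptr` and `n` describe the kernel-side buffer of a user copy and that `to` presumably selects the copy-to-user direction. It should also list which pointers are accepted without a slab bounds check (the visible tests are `ZERO_OR_NULL_PTR`, `virt_addr_valid`, `PageSlab` and `object_is_on_stack`). Body lines are missing from this page, so the branch structure should be checked against the full patch.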
50356 diff -urNp linux-2.6.33/mm/slob.c linux-2.6.33/mm/slob.c
50357 --- linux-2.6.33/mm/slob.c 2010-02-24 13:52:17.000000000 -0500
50358 +++ linux-2.6.33/mm/slob.c 2010-03-07 12:23:36.165648287 -0500
50360 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
50361 * alloc_pages() directly, allocating compound pages so the page order
50362 * does not have to be separately tracked, and also stores the exact
50363 - * allocation size in page->private so that it can be used to accurately
50364 + * allocation size in slob_page->size so that it can be used to accurately
50365 * provide ksize(). These objects are detected in kfree() because slob_page()
50366 * is false for them.
50371 #include <linux/kernel.h>
50372 +#include <linux/sched.h>
50373 #include <linux/slab.h>
50374 #include <linux/mm.h>
50375 #include <linux/swap.h> /* struct reclaim_state */
50376 @@ -100,7 +101,8 @@ struct slob_page {
50377 unsigned long flags; /* mandatory */
50378 atomic_t _count; /* mandatory */
50379 slobidx_t units; /* free units left in page */
50380 - unsigned long pad[2];
50381 + unsigned long pad[1];
50382 + unsigned long size; /* size when >=PAGE_SIZE */
50383 slob_t *free; /* first free slob_t in page */
50384 struct list_head list; /* linked list of free pages */
50386 @@ -133,7 +135,7 @@ static LIST_HEAD(free_slob_large);
50388 static inline int is_slob_page(struct slob_page *sp)
50390 - return PageSlab((struct page *)sp);
50391 + return PageSlab((struct page *)sp) && !sp->size;
50394 static inline void set_slob_page(struct slob_page *sp)
50395 @@ -148,7 +150,7 @@ static inline void clear_slob_page(struc
50397 static inline struct slob_page *slob_page(const void *addr)
50399 - return (struct slob_page *)virt_to_page(addr);
50400 + return (struct slob_page *)virt_to_head_page(addr);
50404 @@ -208,7 +210,7 @@ static void set_slob(slob_t *s, slobidx_
50406 * Return the size of a slob block.
50408 -static slobidx_t slob_units(slob_t *s)
50409 +static slobidx_t slob_units(const slob_t *s)
50413 @@ -218,7 +220,7 @@ static slobidx_t slob_units(slob_t *s)
50415 * Return the next free slob block pointer after this one.
50417 -static slob_t *slob_next(slob_t *s)
50418 +static slob_t *slob_next(const slob_t *s)
50420 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
50422 @@ -233,7 +235,7 @@ static slob_t *slob_next(slob_t *s)
50424 * Returns true if s is the last free block in its page.
50426 -static int slob_last(slob_t *s)
50427 +static int slob_last(const slob_t *s)
50429 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
50431 @@ -252,6 +254,7 @@ static void *slob_new_pages(gfp_t gfp, i
50435 + set_slob_page(page);
50436 return page_address(page);
50439 @@ -368,11 +371,11 @@ static void *slob_alloc(size_t size, gfp
50443 - set_slob_page(sp);
50445 spin_lock_irqsave(&slob_lock, flags);
50446 sp->units = SLOB_UNITS(PAGE_SIZE);
50449 INIT_LIST_HEAD(&sp->list);
50450 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
50451 set_slob_page_free(sp, slob_list);
50452 @@ -475,10 +478,9 @@ out:
50453 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long)
50456 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
50457 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
50460 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
50464 lockdep_trace_alloc(gfp);
50465 @@ -491,7 +493,10 @@ void *__kmalloc_node(size_t size, gfp_t
50470 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
50471 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
50472 + m[0].units = size;
50473 + m[1].units = align;
50474 ret = (void *)m + align;
50476 trace_kmalloc_node(_RET_IP_, ret,
50477 @@ -501,9 +506,9 @@ void *__kmalloc_node(size_t size, gfp_t
50479 ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
50481 - struct page *page;
50482 - page = virt_to_page(ret);
50483 - page->private = size;
50484 + struct slob_page *sp;
50485 + sp = slob_page(ret);
50489 trace_kmalloc_node(_RET_IP_, ret,
50490 @@ -513,6 +518,13 @@ void *__kmalloc_node(size_t size, gfp_t
50491 kmemleak_alloc(ret, size, 1, gfp);
50495 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
50497 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
50499 + return __kmalloc_node_align(size, gfp, node, align);
50501 EXPORT_SYMBOL(__kmalloc_node);
50503 void kfree(const void *block)
50504 @@ -528,13 +540,84 @@ void kfree(const void *block)
50505 sp = slob_page(block);
50506 if (is_slob_page(sp)) {
50507 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
50508 - unsigned int *m = (unsigned int *)(block - align);
50509 - slob_free(m, *m + align);
50511 + slob_t *m = (slob_t *)(block - align);
50512 + slob_free(m, m[0].units + align);
50514 + clear_slob_page(sp);
50515 + free_slob_page(sp);
50517 put_page(&sp->page);
50520 EXPORT_SYMBOL(kfree);
50522 +void check_object_size(const void *ptr, unsigned long n, bool to)
50525 +#ifdef CONFIG_PAX_USERCOPY
50526 + struct slob_page *sp;
50527 + const slob_t *free;
50528 + const void *base;
50533 + if (ZERO_OR_NULL_PTR(ptr))
50536 + if (!virt_addr_valid(ptr))
50539 + sp = slob_page(ptr);
50540 + if (!PageSlab((struct page*)sp)) {
50541 + if (object_is_on_stack(ptr, n) == -1)
50547 + base = page_address(&sp->page);
50548 + if (base <= ptr && n <= sp->size - (ptr - base))
50553 + /* some tricky double walking to find the chunk */
50554 + base = (void *)((unsigned long)ptr & PAGE_MASK);
50557 + while (!slob_last(free) && (void *)free <= ptr) {
50558 + base = free + slob_units(free);
50559 + free = slob_next(free);
50562 + while (base < (void *)free) {
50563 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
50564 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
50567 + if (ptr < base + align)
50570 + offset = ptr - base - align;
50571 + if (offset < m) {
50572 + if (n <= m - offset)
50581 + pax_report_leak_to_user(ptr, n);
50583 + pax_report_overflow_from_user(ptr, n);
50587 +EXPORT_SYMBOL(check_object_size);
50589 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
50590 size_t ksize(const void *block)
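Review bot: In the large-object branch of the slob `check_object_size()`, `n <= sp->size - (ptr - base)` is not preceded by a test that `ptr - base` is within `sp->size`. A pointer into any slack between the recorded size and the end of the compound page would make the unsigned subtraction wrap, so any `n` would be accepted. The slab and slub variants in this patch test the offset first (`offset <= obj_size(cachep) && ...`), and the same shape fits here: `if (base <= ptr && (unsigned long)(ptr - base) <= sp->size && n <= sp->size - (ptr - base))`. Several lines of this function are not visible on the page, so confirm that no earlier check already covers this.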
50592 @@ -547,10 +630,10 @@ size_t ksize(const void *block)
50593 sp = slob_page(block);
50594 if (is_slob_page(sp)) {
50595 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
50596 - unsigned int *m = (unsigned int *)(block - align);
50597 - return SLOB_UNITS(*m) * SLOB_UNIT;
50598 + slob_t *m = (slob_t *)(block - align);
50599 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
50601 - return sp->page.private;
50604 EXPORT_SYMBOL(ksize);
50606 @@ -605,17 +688,25 @@ void *kmem_cache_alloc_node(struct kmem_
50610 +#ifdef CONFIG_PAX_USERCOPY
50611 + b = __kmalloc_node_align(c->size, flags, node, c->align);
50613 if (c->size < PAGE_SIZE) {
50614 b = slob_alloc(c->size, flags, c->align, node);
50615 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
50616 SLOB_UNITS(c->size) * SLOB_UNIT,
50619 + struct slob_page *sp;
50621 b = slob_new_pages(flags, get_order(c->size), node);
50622 + sp = slob_page(b);
50623 + sp->size = c->size;
50624 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
50625 PAGE_SIZE << get_order(c->size),
50632 @@ -627,10 +718,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
50634 static void __kmem_cache_free(void *b, int size)
50636 - if (size < PAGE_SIZE)
50637 + struct slob_page *sp = slob_page(b);
50639 + if (is_slob_page(sp))
50640 slob_free(b, size);
50643 + clear_slob_page(sp);
50644 + free_slob_page(sp);
50646 slob_free_pages(b, get_order(size));
50650 static void kmem_rcu_free(struct rcu_head *head)
50651 @@ -643,15 +740,24 @@ static void kmem_rcu_free(struct rcu_hea
50653 void kmem_cache_free(struct kmem_cache *c, void *b)
50655 + int size = c->size;
50657 +#ifdef CONFIG_PAX_USERCOPY
50658 + if (size + c->align < PAGE_SIZE) {
50659 + size += c->align;
50664 kmemleak_free_recursive(b, c->flags);
50665 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
50666 struct slob_rcu *slob_rcu;
50667 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
50668 + slob_rcu = b + (size - sizeof(struct slob_rcu));
50669 INIT_RCU_HEAD(&slob_rcu->head);
50670 - slob_rcu->size = c->size;
50671 + slob_rcu->size = size;
50672 call_rcu(&slob_rcu->head, kmem_rcu_free);
50674 - __kmem_cache_free(b, c->size);
50675 + __kmem_cache_free(b, size);
50678 trace_kmem_cache_free(_RET_IP_, b);
50679 diff -urNp linux-2.6.33/mm/slub.c linux-2.6.33/mm/slub.c
50680 --- linux-2.6.33/mm/slub.c 2010-02-24 13:52:17.000000000 -0500
50681 +++ linux-2.6.33/mm/slub.c 2010-03-07 12:23:36.165648287 -0500
50682 @@ -1893,6 +1893,8 @@ void kmem_cache_free(struct kmem_cache *
50684 page = virt_to_head_page(x);
50686 + BUG_ON(!PageSlab(page));
50688 slab_free(s, page, x, _RET_IP_);
50690 trace_kmem_cache_free(_RET_IP_, x);
50691 @@ -1937,7 +1939,7 @@ static int slub_min_objects;
50692 * Merge control. If this is set then no merging of slab caches will occur.
50693 * (Could be removed. This was introduced to pacify the merge skeptics.)
50695 -static int slub_nomerge;
50696 +static int slub_nomerge = 1;
50699 * Calculate the order of allocation given an slab object size.
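Review bot: The default flips to `slub_nomerge = 1` without a word on why, and the comment above it still describes the variable as optional merge control. Presumably the intent is to keep objects of different caches from sharing slabs. A short comment would record that, e.g. `/* merging disabled by default: keeps unrelated object types in separate slabs */`. It would also make clear that the change is deliberate rather than a leftover debug setting.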
50700 @@ -2493,7 +2495,7 @@ static int kmem_cache_open(struct kmem_c
50701 * list to avoid pounding the page allocator excessively.
50703 set_min_partial(s, ilog2(s->size));
50705 + atomic_set(&s->refcount, 1);
50707 s->remote_node_defrag_ratio = 1000;
50709 @@ -2630,8 +2632,7 @@ static inline int kmem_cache_close(struc
50710 void kmem_cache_destroy(struct kmem_cache *s)
50712 down_write(&slub_lock);
50714 - if (!s->refcount) {
50715 + if (atomic_dec_and_test(&s->refcount)) {
50716 list_del(&s->list);
50717 up_write(&slub_lock);
50718 if (kmem_cache_close(s)) {
50719 @@ -2915,6 +2916,46 @@ void *__kmalloc_node(size_t size, gfp_t
50720 EXPORT_SYMBOL(__kmalloc_node);
50723 +void check_object_size(const void *ptr, unsigned long n, bool to)
50726 +#ifdef CONFIG_PAX_USERCOPY
50727 + struct page *page;
50728 + struct kmem_cache *s;
50729 + unsigned long offset;
50734 + if (ZERO_OR_NULL_PTR(ptr))
50737 + if (!virt_addr_valid(ptr))
50740 + page = get_object_page(ptr);
50743 + if (object_is_on_stack(ptr, n) == -1)
50749 + offset = (ptr - page_address(page)) % s->size;
50750 + if (offset <= s->objsize && n <= s->objsize - offset)
50755 + pax_report_leak_to_user(ptr, n);
50757 + pax_report_overflow_from_user(ptr, n);
50761 +EXPORT_SYMBOL(check_object_size);
50763 size_t ksize(const void *object)
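Review bot: `check_object_size()` is exported without any comment, and the meaning of `bool to` can only be guessed from the two report calls at the end (`pax_report_leak_to_user` and `pax_report_overflow_from_user`). A kernel-doc block should state that the function checks whether the `n` bytes at `ptr` fit inside one slab object, what happens to pointers caught by the `ZERO_OR_NULL_PTR`, `virt_addr_valid` and `object_is_on_stack` tests, and which copy direction `to` stands for. The bounds test also deserves a why-comment such as `/* offset <= objsize is tested first so objsize - offset cannot wrap */`. Several lines of the function are missing from this listing, so the wording should be checked against the full body.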
50766 @@ -3186,7 +3227,7 @@ void __init kmem_cache_init(void)
50768 create_kmalloc_cache(&kmalloc_caches[0], "kmem_cache_node",
50769 sizeof(struct kmem_cache_node), GFP_NOWAIT);
50770 - kmalloc_caches[0].refcount = -1;
50771 + atomic_set(&kmalloc_caches[0].refcount, -1);
50774 hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
50775 @@ -3293,7 +3334,7 @@ static int slab_unmergeable(struct kmem_
50777 * We may have set a slab to be unmergeable during bootstrap.
50779 - if (s->refcount < 0)
50780 + if (atomic_read(&s->refcount) < 0)
50784 @@ -3353,7 +3394,7 @@ struct kmem_cache *kmem_cache_create(con
50789 + atomic_inc(&s->refcount);
50791 * Adjust the object sizes so that we clear
50792 * the complete object on kzalloc.
50793 @@ -3372,7 +3413,7 @@ struct kmem_cache *kmem_cache_create(con
50795 if (sysfs_slab_alias(s, name)) {
50796 down_write(&slub_lock);
50798 + atomic_dec(&s->refcount);
50799 up_write(&slub_lock);
50802 @@ -4101,7 +4142,7 @@ SLAB_ATTR_RO(ctor);
50804 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
50806 - return sprintf(buf, "%d\n", s->refcount - 1);
50807 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
50809 SLAB_ATTR_RO(aliases);
50811 @@ -4519,7 +4560,7 @@ static void kmem_cache_release(struct ko
50815 -static struct sysfs_ops slab_sysfs_ops = {
50816 +static const struct sysfs_ops slab_sysfs_ops = {
50817 .show = slab_attr_show,
50818 .store = slab_attr_store,
50820 @@ -4538,7 +4579,7 @@ static int uevent_filter(struct kset *ks
50824 -static struct kset_uevent_ops slab_uevent_ops = {
50825 +static const struct kset_uevent_ops slab_uevent_ops = {
50826 .filter = uevent_filter,
50829 @@ -4712,7 +4753,7 @@ __initcall(slab_sysfs_init);
50831 * The /proc/slabinfo ABI
50833 -#ifdef CONFIG_SLABINFO
50834 +#if defined(CONFIG_SLABINFO) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
50835 static void print_slabinfo_header(struct seq_file *m)
50837 seq_puts(m, "slabinfo - version: 2.1\n");
50838 diff -urNp linux-2.6.33/mm/util.c linux-2.6.33/mm/util.c
50839 --- linux-2.6.33/mm/util.c 2010-02-24 13:52:17.000000000 -0500
50840 +++ linux-2.6.33/mm/util.c 2010-03-07 12:23:36.165648287 -0500
50841 @@ -224,6 +224,12 @@ EXPORT_SYMBOL(strndup_user);
50842 void arch_pick_mmap_layout(struct mm_struct *mm)
50844 mm->mmap_base = TASK_UNMAPPED_BASE;
50846 +#ifdef CONFIG_PAX_RANDMMAP
50847 + if (mm->pax_flags & MF_PAX_RANDMMAP)
50848 + mm->mmap_base += mm->delta_mmap;
50851 mm->get_unmapped_area = arch_get_unmapped_area;
50852 mm->unmap_area = arch_unmap_area;
50854 diff -urNp linux-2.6.33/mm/vmalloc.c linux-2.6.33/mm/vmalloc.c
50855 --- linux-2.6.33/mm/vmalloc.c 2010-02-24 13:52:17.000000000 -0500
50856 +++ linux-2.6.33/mm/vmalloc.c 2010-03-07 12:23:36.165648287 -0500
50857 @@ -40,8 +40,19 @@ static void vunmap_pte_range(pmd_t *pmd,
50859 pte = pte_offset_kernel(pmd, addr);
50861 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
50862 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
50864 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50865 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
50866 + BUG_ON(!pte_exec(*pte));
50867 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
50873 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
50874 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
50876 } while (pte++, addr += PAGE_SIZE, addr != end);
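Review bot: The new branch for addresses between `MODULES_EXEC_VADDR` and `MODULES_EXEC_END` rewrites the PTE with `pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC)` instead of clearing it, and nothing explains why an unmap leaves an executable mapping in place there. A comment above the branch should say what that range is expected to map after the unmap and why `BUG_ON(!pte_exec(*pte))` is the right invariant, for example `/* exec module range: restore the pte for addr's own backing page rather than clearing it */` if that is the intent. The loop starts outside the hunk and some lines of the branch are not shown in this listing.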
50879 @@ -92,6 +103,7 @@ static int vmap_pte_range(pmd_t *pmd, un
50880 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
50883 + int ret = -ENOMEM;
50886 * nr is a running index into the array which helps higher level
50887 @@ -101,17 +113,30 @@ static int vmap_pte_range(pmd_t *pmd, un
50888 pte = pte_alloc_kernel(pmd, addr);
50892 + pax_open_kernel();
50894 struct page *page = pages[*nr];
50896 - if (WARN_ON(!pte_none(*pte)))
50898 - if (WARN_ON(!page))
50900 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50901 + if (pgprot_val(prot) & _PAGE_NX)
50904 + if (WARN_ON(!pte_none(*pte))) {
50908 + if (WARN_ON(!page)) {
50912 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
50914 } while (pte++, addr += PAGE_SIZE, addr != end);
50918 + pax_close_kernel();
50922 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
50923 @@ -192,11 +217,20 @@ int is_vmalloc_or_module_addr(const void
50924 * and fall back on vmalloc() if that fails. Others
50925 * just put it in the vmalloc space.
50927 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
50928 +#ifdef CONFIG_MODULES
50929 +#ifdef MODULES_VADDR
50930 unsigned long addr = (unsigned long)x;
50931 if (addr >= MODULES_VADDR && addr < MODULES_END)
50935 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50936 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
50942 return is_vmalloc_addr(x);
50945 @@ -292,13 +326,13 @@ static void __insert_vmap_area(struct vm
50946 struct rb_node *tmp;
50949 - struct vmap_area *tmp;
50950 + struct vmap_area *varea;
50953 - tmp = rb_entry(parent, struct vmap_area, rb_node);
50954 - if (va->va_start < tmp->va_end)
50955 + varea = rb_entry(parent, struct vmap_area, rb_node);
50956 + if (va->va_start < varea->va_end)
50957 p = &(*p)->rb_left;
50958 - else if (va->va_end > tmp->va_start)
50959 + else if (va->va_end > varea->va_start)
50960 p = &(*p)->rb_right;
50963 @@ -1224,6 +1258,16 @@ static struct vm_struct *__get_vm_area_n
50964 struct vm_struct *area;
50966 BUG_ON(in_interrupt());
50968 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50969 + if (flags & VM_KERNEXEC) {
50970 + if (start != VMALLOC_START || end != VMALLOC_END)
50972 + start = (unsigned long)&MODULES_EXEC_VADDR;
50973 + end = (unsigned long)&MODULES_EXEC_END;
50977 if (flags & VM_IOREMAP) {
50978 int bit = fls(size);
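Review bot: `start` and `end` are set from `(unsigned long)&MODULES_EXEC_VADDR` and `(unsigned long)&MODULES_EXEC_END` here, while the `vunmap_pte_range` and `is_vmalloc_or_module_addr` hunks of this file cast the bare names (`(unsigned long)MODULES_EXEC_VADDR`, `(const void *)MODULES_EXEC_VADDR`). The two spellings yield the same address only if these symbols have array type; their declaration is not in this file section. Using one form throughout, e.g. `start = (unsigned long)MODULES_EXEC_VADDR;`, would make the range checks and the allocation range visibly agree. The function body continues outside the hunk.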
50980 @@ -1449,6 +1493,11 @@ void *vmap(struct page **pages, unsigned
50981 if (count > totalram_pages)
50984 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50985 + if (!(pgprot_val(prot) & _PAGE_NX))
50986 + flags |= VM_KERNEXEC;
50989 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
50990 __builtin_return_address(0));
50992 @@ -1558,6 +1607,13 @@ static void *__vmalloc_node(unsigned lon
50993 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
50996 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50997 + if (!(pgprot_val(prot) & _PAGE_NX))
50998 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
50999 + node, gfp_mask, caller);
51003 area = __get_vm_area_node(size, align, VM_ALLOC, VMALLOC_START,
51004 VMALLOC_END, node, gfp_mask, caller);
51006 @@ -1576,6 +1632,7 @@ static void *__vmalloc_node(unsigned lon
51011 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
51013 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
51014 @@ -1592,6 +1649,7 @@ EXPORT_SYMBOL(__vmalloc);
51015 * For tight control over page level allocator and protection flags
51016 * use __vmalloc() instead.
51019 void *vmalloc(unsigned long size)
51021 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
51022 @@ -1606,6 +1664,7 @@ EXPORT_SYMBOL(vmalloc);
51023 * The resulting memory area is zeroed so it can be mapped to userspace
51024 * without leaking data.
51026 +#undef vmalloc_user
51027 void *vmalloc_user(unsigned long size)
51029 struct vm_struct *area;
51030 @@ -1633,6 +1692,7 @@ EXPORT_SYMBOL(vmalloc_user);
51031 * For tight control over page level allocator and protection flags
51032 * use __vmalloc() instead.
51034 +#undef vmalloc_node
51035 void *vmalloc_node(unsigned long size, int node)
51037 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
51038 @@ -1655,10 +1715,10 @@ EXPORT_SYMBOL(vmalloc_node);
51039 * For tight control over page level allocator and protection flags
51040 * use __vmalloc() instead.
51043 +#undef vmalloc_exec
51044 void *vmalloc_exec(unsigned long size)
51046 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
51047 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
51048 -1, __builtin_return_address(0));
51051 @@ -1677,6 +1737,7 @@ void *vmalloc_exec(unsigned long size)
51052 * Allocate enough 32bit PA addressable pages to cover @size from the
51053 * page level allocator and map them into contiguous kernel virtual space.
51056 void *vmalloc_32(unsigned long size)
51058 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
51059 @@ -1691,6 +1752,7 @@ EXPORT_SYMBOL(vmalloc_32);
51060 * The resulting memory area is 32bit addressable and zeroed so it can be
51061 * mapped to userspace without leaking data.
51063 +#undef vmalloc_32_user
51064 void *vmalloc_32_user(unsigned long size)
51066 struct vm_struct *area;
51067 diff -urNp linux-2.6.33/net/atm/atm_misc.c linux-2.6.33/net/atm/atm_misc.c
51068 --- linux-2.6.33/net/atm/atm_misc.c 2010-02-24 13:52:17.000000000 -0500
51069 +++ linux-2.6.33/net/atm/atm_misc.c 2010-03-07 12:23:36.165648287 -0500
51070 @@ -19,7 +19,7 @@ int atm_charge(struct atm_vcc *vcc,int t
51071 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
51073 atm_return(vcc,truesize);
51074 - atomic_inc(&vcc->stats->rx_drop);
51075 + atomic_inc_unchecked(&vcc->stats->rx_drop);
51079 @@ -41,7 +41,7 @@ struct sk_buff *atm_alloc_charge(struct
51082 atm_return(vcc,guess);
51083 - atomic_inc(&vcc->stats->rx_drop);
51084 + atomic_inc_unchecked(&vcc->stats->rx_drop);
51088 @@ -88,7 +88,7 @@ int atm_pcr_goal(const struct atm_trafpr
51090 void sonet_copy_stats(struct k_sonet_stats *from,struct sonet_stats *to)
51092 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
51093 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
51095 #undef __HANDLE_ITEM
51097 @@ -96,7 +96,7 @@ void sonet_copy_stats(struct k_sonet_sta
51099 void sonet_subtract_stats(struct k_sonet_stats *from,struct sonet_stats *to)
51101 -#define __HANDLE_ITEM(i) atomic_sub(to->i,&from->i)
51102 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
51104 #undef __HANDLE_ITEM
51106 diff -urNp linux-2.6.33/net/atm/proc.c linux-2.6.33/net/atm/proc.c
51107 --- linux-2.6.33/net/atm/proc.c 2010-02-24 13:52:17.000000000 -0500
51108 +++ linux-2.6.33/net/atm/proc.c 2010-03-07 12:23:36.165648287 -0500
51109 @@ -43,9 +43,9 @@ static void add_stats(struct seq_file *s
51110 const struct k_atm_aal_stats *stats)
51112 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
51113 - atomic_read(&stats->tx),atomic_read(&stats->tx_err),
51114 - atomic_read(&stats->rx),atomic_read(&stats->rx_err),
51115 - atomic_read(&stats->rx_drop));
51116 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
51117 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
51118 + atomic_read_unchecked(&stats->rx_drop));
51121 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
51122 diff -urNp linux-2.6.33/net/atm/resources.c linux-2.6.33/net/atm/resources.c
51123 --- linux-2.6.33/net/atm/resources.c 2010-02-24 13:52:17.000000000 -0500
51124 +++ linux-2.6.33/net/atm/resources.c 2010-03-07 12:23:36.165648287 -0500
51125 @@ -161,7 +161,7 @@ void atm_dev_deregister(struct atm_dev *
51126 static void copy_aal_stats(struct k_atm_aal_stats *from,
51127 struct atm_aal_stats *to)
51129 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
51130 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
51132 #undef __HANDLE_ITEM
51134 @@ -170,7 +170,7 @@ static void copy_aal_stats(struct k_atm_
51135 static void subtract_aal_stats(struct k_atm_aal_stats *from,
51136 struct atm_aal_stats *to)
51138 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
51139 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
51141 #undef __HANDLE_ITEM
51143 diff -urNp linux-2.6.33/net/bridge/br_private.h linux-2.6.33/net/bridge/br_private.h
51144 --- linux-2.6.33/net/bridge/br_private.h 2010-02-24 13:52:17.000000000 -0500
51145 +++ linux-2.6.33/net/bridge/br_private.h 2010-03-07 12:23:36.165648287 -0500
51146 @@ -254,7 +254,7 @@ extern void br_ifinfo_notify(int event,
51148 #ifdef CONFIG_SYSFS
51149 /* br_sysfs_if.c */
51150 -extern struct sysfs_ops brport_sysfs_ops;
51151 +extern const struct sysfs_ops brport_sysfs_ops;
51152 extern int br_sysfs_addif(struct net_bridge_port *p);
51154 /* br_sysfs_br.c */
51155 diff -urNp linux-2.6.33/net/bridge/br_stp_if.c linux-2.6.33/net/bridge/br_stp_if.c
51156 --- linux-2.6.33/net/bridge/br_stp_if.c 2010-02-24 13:52:17.000000000 -0500
51157 +++ linux-2.6.33/net/bridge/br_stp_if.c 2010-03-07 12:23:36.165648287 -0500
51158 @@ -146,7 +146,7 @@ static void br_stp_stop(struct net_bridg
51159 char *envp[] = { NULL };
51161 if (br->stp_enabled == BR_USER_STP) {
51162 - r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
51163 + r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
51164 printk(KERN_INFO "%s: userspace STP stopped, return code %d\n",
51167 diff -urNp linux-2.6.33/net/bridge/br_sysfs_if.c linux-2.6.33/net/bridge/br_sysfs_if.c
51168 --- linux-2.6.33/net/bridge/br_sysfs_if.c 2010-02-24 13:52:17.000000000 -0500
51169 +++ linux-2.6.33/net/bridge/br_sysfs_if.c 2010-03-07 12:23:36.165648287 -0500
51170 @@ -220,7 +220,7 @@ static ssize_t brport_store(struct kobje
51174 -struct sysfs_ops brport_sysfs_ops = {
51175 +const struct sysfs_ops brport_sysfs_ops = {
51176 .show = brport_show,
51177 .store = brport_store,
51179 diff -urNp linux-2.6.33/net/bridge/netfilter/ebtables.c linux-2.6.33/net/bridge/netfilter/ebtables.c
51180 --- linux-2.6.33/net/bridge/netfilter/ebtables.c 2010-02-24 13:52:17.000000000 -0500
51181 +++ linux-2.6.33/net/bridge/netfilter/ebtables.c 2010-03-07 12:23:36.165648287 -0500
51182 @@ -1456,7 +1456,7 @@ static int do_ebt_get_ctl(struct sock *s
51183 tmp.valid_hooks = t->table->valid_hooks;
51185 mutex_unlock(&ebt_mutex);
51186 - if (copy_to_user(user, &tmp, *len) != 0){
51187 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
51188 BUGPRINT("c2u Didn't work\n");
51191 diff -urNp linux-2.6.33/net/core/dev.c linux-2.6.33/net/core/dev.c
51192 --- linux-2.6.33/net/core/dev.c 2010-02-24 13:52:17.000000000 -0500
51193 +++ linux-2.6.33/net/core/dev.c 2010-03-07 12:23:36.165648287 -0500
51194 @@ -2183,7 +2183,7 @@ int netif_rx_ni(struct sk_buff *skb)
51196 EXPORT_SYMBOL(netif_rx_ni);
51198 -static void net_tx_action(struct softirq_action *h)
51199 +static void net_tx_action(void)
51201 struct softnet_data *sd = &__get_cpu_var(softnet_data);
51203 @@ -2939,7 +2939,7 @@ void netif_napi_del(struct napi_struct *
51204 EXPORT_SYMBOL(netif_napi_del);
51207 -static void net_rx_action(struct softirq_action *h)
51208 +static void net_rx_action(void)
51210 struct list_head *list = &__get_cpu_var(softnet_data).poll_list;
51211 unsigned long time_limit = jiffies + 2;
51212 diff -urNp linux-2.6.33/net/core/flow.c linux-2.6.33/net/core/flow.c
51213 --- linux-2.6.33/net/core/flow.c 2010-02-24 13:52:17.000000000 -0500
51214 +++ linux-2.6.33/net/core/flow.c 2010-03-07 12:23:36.165648287 -0500
51215 @@ -39,7 +39,7 @@ atomic_t flow_cache_genid = ATOMIC_INIT(
51217 static u32 flow_hash_shift;
51218 #define flow_hash_size (1 << flow_hash_shift)
51219 -static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables) = { NULL };
51220 +static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables);
51222 #define flow_table(cpu) (per_cpu(flow_tables, cpu))
51224 @@ -52,7 +52,7 @@ struct flow_percpu_info {
51228 -static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info) = { 0 };
51229 +static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info);
51231 #define flow_hash_rnd_recalc(cpu) \
51232 (per_cpu(flow_hash_info, cpu).hash_rnd_recalc)
51233 @@ -69,7 +69,7 @@ struct flow_flush_info {
51235 struct completion completion;
51237 -static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets) = { NULL };
51238 +static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets);
51240 #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
51242 diff -urNp linux-2.6.33/net/core/sock.c linux-2.6.33/net/core/sock.c
51243 --- linux-2.6.33/net/core/sock.c 2010-02-24 13:52:17.000000000 -0500
51244 +++ linux-2.6.33/net/core/sock.c 2010-03-07 12:23:36.169632867 -0500
51245 @@ -896,7 +896,7 @@ int sock_getsockopt(struct socket *sock,
51249 - if (copy_to_user(optval, address, len))
51250 + if (len > sizeof(address) || copy_to_user(optval, address, len))
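Review bot: `len > sizeof(address)` bounds the copy only if `address` is an array declared in this function; if it were a pointer, `sizeof` would give the pointer size and the test would compare against the wrong limit. The declaration is outside the hunk, so a short comment such as `/* address is a local array: sizeof is its full size */` would make the check self-evident. The same pattern is used for `addr` and `devname` in the sysctl_net_decnet.c hunks and for `tbuf` in the tcp_probe.c hunk, where the declarations are also not visible.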
51254 @@ -929,7 +929,7 @@ int sock_getsockopt(struct socket *sock,
51258 - if (copy_to_user(optval, &v, len))
51259 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
51262 if (put_user(len, optlen))
51263 diff -urNp linux-2.6.33/net/dccp/ccids/ccid3.c linux-2.6.33/net/dccp/ccids/ccid3.c
51264 --- linux-2.6.33/net/dccp/ccids/ccid3.c 2010-02-24 13:52:17.000000000 -0500
51265 +++ linux-2.6.33/net/dccp/ccids/ccid3.c 2010-03-07 12:23:36.169632867 -0500
51267 static int ccid3_debug;
51268 #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
51270 -#define ccid3_pr_debug(format, a...)
51271 +#define ccid3_pr_debug(format, a...) do {} while (0)
51275 diff -urNp linux-2.6.33/net/dccp/dccp.h linux-2.6.33/net/dccp/dccp.h
51276 --- linux-2.6.33/net/dccp/dccp.h 2010-02-24 13:52:17.000000000 -0500
51277 +++ linux-2.6.33/net/dccp/dccp.h 2010-03-07 12:23:36.169632867 -0500
51278 @@ -44,9 +44,9 @@ extern int dccp_debug;
51279 #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
51280 #define dccp_debug(fmt, a...) dccp_pr_debug_cat(KERN_DEBUG fmt, ##a)
51282 -#define dccp_pr_debug(format, a...)
51283 -#define dccp_pr_debug_cat(format, a...)
51284 -#define dccp_debug(format, a...)
51285 +#define dccp_pr_debug(format, a...) do {} while (0)
51286 +#define dccp_pr_debug_cat(format, a...) do {} while (0)
51287 +#define dccp_debug(format, a...) do {} while (0)
51290 extern struct inet_hashinfo dccp_hashinfo;
51291 diff -urNp linux-2.6.33/net/decnet/sysctl_net_decnet.c linux-2.6.33/net/decnet/sysctl_net_decnet.c
51292 --- linux-2.6.33/net/decnet/sysctl_net_decnet.c 2010-02-24 13:52:17.000000000 -0500
51293 +++ linux-2.6.33/net/decnet/sysctl_net_decnet.c 2010-03-07 12:23:36.169632867 -0500
51294 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
51296 if (len > *lenp) len = *lenp;
51298 - if (copy_to_user(buffer, addr, len))
51299 + if (len > sizeof(addr) || copy_to_user(buffer, addr, len))
51303 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
51305 if (len > *lenp) len = *lenp;
51307 - if (copy_to_user(buffer, devname, len))
51308 + if (len > sizeof(devname) || copy_to_user(buffer, devname, len))
51312 diff -urNp linux-2.6.33/net/ipv4/inet_hashtables.c linux-2.6.33/net/ipv4/inet_hashtables.c
51313 --- linux-2.6.33/net/ipv4/inet_hashtables.c 2010-02-24 13:52:17.000000000 -0500
51314 +++ linux-2.6.33/net/ipv4/inet_hashtables.c 2010-03-07 12:23:36.169632867 -0500
51315 @@ -18,11 +18,14 @@
51316 #include <linux/sched.h>
51317 #include <linux/slab.h>
51318 #include <linux/wait.h>
51319 +#include <linux/security.h>
51321 #include <net/inet_connection_sock.h>
51322 #include <net/inet_hashtables.h>
51323 #include <net/route.h>
51324 #include <net/ip.h>
51326 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
51329 * Allocate and initialize a new local port bind bucket.
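Review bot: The prototype `extern void gr_update_task_in_ip_table(...)` is declared directly in this .c file, so the compiler never checks it against the definition and a mismatch in argument types would go unnoticed at build time. The declaration belongs in a header that both the defining file and this file include. The same applies to `gr_search_udp_recvmsg` and `gr_search_udp_sendmsg`, which are declared inside net/ipv4/udp.c.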
51330 @@ -506,6 +509,8 @@ ok:
51331 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
51332 spin_unlock(&head->lock);
51334 + gr_update_task_in_ip_table(current, inet_sk(sk));
51337 inet_twsk_deschedule(tw, death_row);
51339 diff -urNp linux-2.6.33/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.33/net/ipv4/netfilter/nf_nat_snmp_basic.c
51340 --- linux-2.6.33/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-02-24 13:52:17.000000000 -0500
51341 +++ linux-2.6.33/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-03-07 12:23:36.169632867 -0500
51342 @@ -397,7 +397,7 @@ static unsigned char asn1_octets_decode(
51346 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
51347 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
51348 if (*octets == NULL) {
51349 if (net_ratelimit())
51350 printk("OOM in bsalg (%d)\n", __LINE__);
51351 diff -urNp linux-2.6.33/net/ipv4/tcp_ipv4.c linux-2.6.33/net/ipv4/tcp_ipv4.c
51352 --- linux-2.6.33/net/ipv4/tcp_ipv4.c 2010-02-24 13:52:17.000000000 -0500
51353 +++ linux-2.6.33/net/ipv4/tcp_ipv4.c 2010-03-07 12:23:36.169632867 -0500
51354 @@ -1585,6 +1585,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
51358 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51359 + if (!skb->dev || (skb->dev->flags & IFF_LOOPBACK))
51361 tcp_v4_send_reset(rsk, skb);
51364 @@ -1693,6 +1696,9 @@ no_tcp_socket:
51366 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
51368 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51369 + if (skb->dev->flags & IFF_LOOPBACK)
51371 tcp_v4_send_reset(NULL, skb);
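Review bot: At `no_tcp_socket` the new test `skb->dev->flags & IFF_LOOPBACK` dereferences `skb->dev` without the NULL check that the `tcp_v4_do_rcv` hunk of the same file uses. Either use the same guard here, `if (!skb->dev || (skb->dev->flags & IFF_LOOPBACK))`, or add a comment stating why `skb->dev` cannot be NULL on this path. The unguarded form also appears in the `no_tcp_socket` hunk of net/ipv6/tcp_ipv6.c and in the `__udp4_lib_rcv` and `__udp6_lib_rcv` hunks. The statement that the condition guards and the closing `#endif` are not shown in this listing.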
51374 diff -urNp linux-2.6.33/net/ipv4/tcp_minisocks.c linux-2.6.33/net/ipv4/tcp_minisocks.c
51375 --- linux-2.6.33/net/ipv4/tcp_minisocks.c 2010-02-24 13:52:17.000000000 -0500
51376 +++ linux-2.6.33/net/ipv4/tcp_minisocks.c 2010-03-07 12:23:36.169632867 -0500
51377 @@ -698,8 +698,11 @@ listen_overflow:
51380 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
51382 +#ifndef CONFIG_GRKERNSEC_BLACKHOLE
51383 if (!(flg & TCP_FLAG_RST))
51384 req->rsk_ops->send_reset(sk, skb);
51387 inet_csk_reqsk_queue_drop(sk, req, prev);
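Review bot: With `CONFIG_GRKERNSEC_BLACKHOLE` set, the reset at `listen_overflow` is compiled out for every interface, whereas the tcp_ipv4.c, tcp_ipv6.c and udp.c hunks test `IFF_LOOPBACK` before the reset or ICMP reply. If the difference is intended, say so next to the `#ifndef`, e.g. `/* blackhole: no RST for embryonic connections, loopback included */`; if not, this site needs the same loopback test as the others. The function starts outside the hunk.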
51389 diff -urNp linux-2.6.33/net/ipv4/tcp_probe.c linux-2.6.33/net/ipv4/tcp_probe.c
51390 --- linux-2.6.33/net/ipv4/tcp_probe.c 2010-02-24 13:52:17.000000000 -0500
51391 +++ linux-2.6.33/net/ipv4/tcp_probe.c 2010-03-07 12:23:36.169632867 -0500
51392 @@ -201,7 +201,7 @@ static ssize_t tcpprobe_read(struct file
51393 if (cnt + width >= len)
51396 - if (copy_to_user(buf + cnt, tbuf, width))
51397 + if (width > sizeof(tbuf) || copy_to_user(buf + cnt, tbuf, width))
51401 diff -urNp linux-2.6.33/net/ipv4/udp.c linux-2.6.33/net/ipv4/udp.c
51402 --- linux-2.6.33/net/ipv4/udp.c 2010-02-24 13:52:17.000000000 -0500
51403 +++ linux-2.6.33/net/ipv4/udp.c 2010-03-07 12:23:36.169632867 -0500
51405 #include <linux/types.h>
51406 #include <linux/fcntl.h>
51407 #include <linux/module.h>
51408 +#include <linux/security.h>
51409 #include <linux/socket.h>
51410 #include <linux/sockios.h>
51411 #include <linux/igmp.h>
51412 @@ -562,6 +563,9 @@ found:
51416 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
51417 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
51420 * This routine is called by the ICMP module when it gets some
51421 * sort of error condition. If err < 0 then the socket should
51422 @@ -830,9 +834,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
51423 dport = usin->sin_port;
51427 + err = gr_search_udp_sendmsg(sk, usin);
51431 if (sk->sk_state != TCP_ESTABLISHED)
51432 return -EDESTADDRREQ;
51434 + err = gr_search_udp_sendmsg(sk, NULL);
51438 daddr = inet->inet_daddr;
51439 dport = inet->inet_dport;
51440 /* Open fast path for connected socket.
51441 @@ -1137,6 +1150,10 @@ try_again:
51445 + err = gr_search_udp_recvmsg(sk, skb);
51449 ulen = skb->len - sizeof(struct udphdr);
51452 @@ -1568,6 +1585,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
51455 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
51456 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51457 + if (skb->dev->flags & IFF_LOOPBACK)
51459 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
51462 diff -urNp linux-2.6.33/net/ipv6/exthdrs.c linux-2.6.33/net/ipv6/exthdrs.c
51463 --- linux-2.6.33/net/ipv6/exthdrs.c 2010-02-24 13:52:17.000000000 -0500
51464 +++ linux-2.6.33/net/ipv6/exthdrs.c 2010-03-07 12:23:36.169632867 -0500
51465 @@ -635,7 +635,7 @@ static struct tlvtype_proc tlvprochopopt
51466 .type = IPV6_TLV_JUMBO,
51467 .func = ipv6_hop_jumbo,
51473 int ipv6_parse_hopopts(struct sk_buff *skb)
51474 diff -urNp linux-2.6.33/net/ipv6/raw.c linux-2.6.33/net/ipv6/raw.c
51475 --- linux-2.6.33/net/ipv6/raw.c 2010-02-24 13:52:17.000000000 -0500
51476 +++ linux-2.6.33/net/ipv6/raw.c 2010-03-07 12:23:36.169632867 -0500
51477 @@ -597,7 +597,7 @@ out:
51481 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
51482 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
51483 struct flowi *fl, struct rt6_info *rt,
51484 unsigned int flags)
51486 diff -urNp linux-2.6.33/net/ipv6/tcp_ipv6.c linux-2.6.33/net/ipv6/tcp_ipv6.c
51487 --- linux-2.6.33/net/ipv6/tcp_ipv6.c 2010-02-24 13:52:17.000000000 -0500
51488 +++ linux-2.6.33/net/ipv6/tcp_ipv6.c 2010-03-07 12:23:36.169632867 -0500
51489 @@ -1625,6 +1625,9 @@ static int tcp_v6_do_rcv(struct sock *sk
51493 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51494 + if (!skb->dev || (skb->dev->flags & IFF_LOOPBACK))
51496 tcp_v6_send_reset(sk, skb);
51499 @@ -1747,6 +1750,9 @@ no_tcp_socket:
51501 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
51503 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51504 + if (skb->dev->flags & IFF_LOOPBACK)
51506 tcp_v6_send_reset(NULL, skb);
51509 diff -urNp linux-2.6.33/net/ipv6/udp.c linux-2.6.33/net/ipv6/udp.c
51510 --- linux-2.6.33/net/ipv6/udp.c 2010-02-24 13:52:17.000000000 -0500
51511 +++ linux-2.6.33/net/ipv6/udp.c 2010-03-07 12:23:36.169632867 -0500
51512 @@ -745,6 +745,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
51513 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
51514 proto == IPPROTO_UDPLITE);
51516 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51517 + if (skb->dev->flags & IFF_LOOPBACK)
51519 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0, dev);
51522 diff -urNp linux-2.6.33/net/irda/ircomm/ircomm_tty.c linux-2.6.33/net/irda/ircomm/ircomm_tty.c
51523 --- linux-2.6.33/net/irda/ircomm/ircomm_tty.c 2010-02-24 13:52:17.000000000 -0500
51524 +++ linux-2.6.33/net/irda/ircomm/ircomm_tty.c 2010-03-07 12:23:36.173612095 -0500
51525 @@ -280,16 +280,16 @@ static int ircomm_tty_block_til_ready(st
51526 add_wait_queue(&self->open_wait, &wait);
51528 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
51529 - __FILE__,__LINE__, tty->driver->name, self->open_count );
51530 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
51532 /* As far as I can see, we protect open_count - Jean II */
51533 spin_lock_irqsave(&self->spinlock, flags);
51534 if (!tty_hung_up_p(filp)) {
51536 - self->open_count--;
51537 + atomic_dec(&self->open_count);
51539 spin_unlock_irqrestore(&self->spinlock, flags);
51540 - self->blocked_open++;
51541 + atomic_inc(&self->blocked_open);
51544 if (tty->termios->c_cflag & CBAUD) {
51545 @@ -329,7 +329,7 @@ static int ircomm_tty_block_til_ready(st
51548 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
51549 - __FILE__,__LINE__, tty->driver->name, self->open_count );
51550 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
51554 @@ -340,13 +340,13 @@ static int ircomm_tty_block_til_ready(st
51556 /* ++ is not atomic, so this should be protected - Jean II */
51557 spin_lock_irqsave(&self->spinlock, flags);
51558 - self->open_count++;
51559 + atomic_inc(&self->open_count);
51560 spin_unlock_irqrestore(&self->spinlock, flags);
51562 - self->blocked_open--;
51563 + atomic_dec(&self->blocked_open);
51565 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
51566 - __FILE__,__LINE__, tty->driver->name, self->open_count);
51567 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count));
51570 self->flags |= ASYNC_NORMAL_ACTIVE;
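Review bot: The context comment `/* ++ is not atomic, so this should be protected - Jean II */` no longer matches the code, because the line under it is now `atomic_inc(&self->open_count)`. It should be reworded to say what the spinlock still protects at this point, e.g. `/* open_count is an atomic_t; the lock orders this update against ircomm_tty_close() */` if that is the reason it is kept. The same stale comment sits above the `atomic_inc` in the `ircomm_tty_open` hunk. The function continues outside the hunk.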
51571 @@ -415,14 +415,14 @@ static int ircomm_tty_open(struct tty_st
51573 /* ++ is not atomic, so this should be protected - Jean II */
51574 spin_lock_irqsave(&self->spinlock, flags);
51575 - self->open_count++;
51576 + atomic_inc(&self->open_count);
51578 tty->driver_data = self;
51580 spin_unlock_irqrestore(&self->spinlock, flags);
51582 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
51583 - self->line, self->open_count);
51584 + self->line, atomic_read(&self->open_count));
51586 /* Not really used by us, but lets do it anyway */
51587 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
51588 @@ -511,7 +511,7 @@ static void ircomm_tty_close(struct tty_
51592 - if ((tty->count == 1) && (self->open_count != 1)) {
51593 + if ((tty->count == 1) && (atomic_read(&self->open_count) != 1)) {
51595 * Uh, oh. tty->count is 1, which means that the tty
51596 * structure will be freed. state->count should always
51597 @@ -521,16 +521,16 @@ static void ircomm_tty_close(struct tty_
51599 IRDA_DEBUG(0, "%s(), bad serial port count; "
51600 "tty->count is 1, state->count is %d\n", __func__ ,
51601 - self->open_count);
51602 - self->open_count = 1;
51603 + atomic_read(&self->open_count));
51604 + atomic_set(&self->open_count, 1);
51607 - if (--self->open_count < 0) {
51608 + if (atomic_dec_return(&self->open_count) < 0) {
51609 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
51610 - __func__, self->line, self->open_count);
51611 - self->open_count = 0;
51612 + __func__, self->line, atomic_read(&self->open_count));
51613 + atomic_set(&self->open_count, 0);
51615 - if (self->open_count) {
51616 + if (atomic_read(&self->open_count)) {
51617 spin_unlock_irqrestore(&self->spinlock, flags);
51619 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
51620 @@ -562,7 +562,7 @@ static void ircomm_tty_close(struct tty_
51624 - if (self->blocked_open) {
51625 + if (atomic_read(&self->blocked_open)) {
51626 if (self->close_delay)
51627 schedule_timeout_interruptible(self->close_delay);
51628 wake_up_interruptible(&self->open_wait);
51629 @@ -1017,7 +1017,7 @@ static void ircomm_tty_hangup(struct tty
51630 spin_lock_irqsave(&self->spinlock, flags);
51631 self->flags &= ~ASYNC_NORMAL_ACTIVE;
51633 - self->open_count = 0;
51634 + atomic_set(&self->open_count, 0);
51635 spin_unlock_irqrestore(&self->spinlock, flags);
51637 wake_up_interruptible(&self->open_wait);
51638 @@ -1369,7 +1369,7 @@ static void ircomm_tty_line_info(struct
51641 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
51642 - seq_printf(m, "Open count: %d\n", self->open_count);
51643 + seq_printf(m, "Open count: %d\n", atomic_read(&self->open_count));
51644 seq_printf(m, "Max data size: %d\n", self->max_data_size);
51645 seq_printf(m, "Max header size: %d\n", self->max_header_size);
51647 diff -urNp linux-2.6.33/net/mac80211/ieee80211_i.h linux-2.6.33/net/mac80211/ieee80211_i.h
51648 --- linux-2.6.33/net/mac80211/ieee80211_i.h 2010-02-24 13:52:17.000000000 -0500
51649 +++ linux-2.6.33/net/mac80211/ieee80211_i.h 2010-03-07 12:23:36.173612095 -0500
51650 @@ -574,7 +574,7 @@ struct ieee80211_local {
51651 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
51652 spinlock_t queue_stop_reason_lock;
51655 + atomic_t open_count;
51656 int monitors, cooked_mntrs;
51657 /* number of interfaces with corresponding FIF_ flags */
51658 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll;
51659 diff -urNp linux-2.6.33/net/mac80211/iface.c linux-2.6.33/net/mac80211/iface.c
51660 --- linux-2.6.33/net/mac80211/iface.c 2010-02-24 13:52:17.000000000 -0500
51661 +++ linux-2.6.33/net/mac80211/iface.c 2010-03-07 12:23:36.173612095 -0500
51662 @@ -166,7 +166,7 @@ static int ieee80211_open(struct net_dev
51666 - if (local->open_count == 0) {
51667 + if (atomic_read(&local->open_count) == 0) {
51668 res = drv_start(local);
51671 @@ -198,7 +198,7 @@ static int ieee80211_open(struct net_dev
51672 * Validate the MAC address for this device.
51674 if (!is_valid_ether_addr(dev->dev_addr)) {
51675 - if (!local->open_count)
51676 + if (!atomic_read(&local->open_count))
51678 return -EADDRNOTAVAIL;
51680 @@ -294,7 +294,7 @@ static int ieee80211_open(struct net_dev
51682 hw_reconf_flags |= __ieee80211_recalc_idle(local);
51684 - local->open_count++;
51685 + atomic_inc(&local->open_count);
51686 if (hw_reconf_flags) {
51687 ieee80211_hw_config(local, hw_reconf_flags);
51689 @@ -322,7 +322,7 @@ static int ieee80211_open(struct net_dev
51691 drv_remove_interface(local, &conf);
51693 - if (!local->open_count)
51694 + if (!atomic_read(&local->open_count))
51698 @@ -422,7 +422,7 @@ static int ieee80211_stop(struct net_dev
51699 WARN_ON(!list_empty(&sdata->u.ap.vlans));
51702 - local->open_count--;
51703 + atomic_dec(&local->open_count);
51705 switch (sdata->vif.type) {
51706 case NL80211_IFTYPE_AP_VLAN:
51707 @@ -528,7 +528,7 @@ static int ieee80211_stop(struct net_dev
51709 ieee80211_recalc_ps(local, -1);
51711 - if (local->open_count == 0) {
51712 + if (atomic_read(&local->open_count) == 0) {
51713 ieee80211_clear_tx_pending(local);
51714 ieee80211_stop_device(local);
51716 diff -urNp linux-2.6.33/net/mac80211/main.c linux-2.6.33/net/mac80211/main.c
51717 --- linux-2.6.33/net/mac80211/main.c 2010-02-24 13:52:17.000000000 -0500
51718 +++ linux-2.6.33/net/mac80211/main.c 2010-03-07 12:23:36.173612095 -0500
51719 @@ -129,7 +129,7 @@ int ieee80211_hw_config(struct ieee80211
51720 local->hw.conf.power_level = power;
51723 - if (changed && local->open_count) {
51724 + if (changed && atomic_read(&local->open_count)) {
51725 ret = drv_config(local, changed);
51728 diff -urNp linux-2.6.33/net/mac80211/pm.c linux-2.6.33/net/mac80211/pm.c
51729 --- linux-2.6.33/net/mac80211/pm.c 2010-02-24 13:52:17.000000000 -0500
51730 +++ linux-2.6.33/net/mac80211/pm.c 2010-03-07 12:23:36.173612095 -0500
51731 @@ -107,7 +107,7 @@ int __ieee80211_suspend(struct ieee80211
51734 /* stop hardware - this must stop RX */
51735 - if (local->open_count)
51736 + if (atomic_read(&local->open_count))
51737 ieee80211_stop_device(local);
51739 local->suspended = true;
51740 diff -urNp linux-2.6.33/net/mac80211/rate.c linux-2.6.33/net/mac80211/rate.c
51741 --- linux-2.6.33/net/mac80211/rate.c 2010-02-24 13:52:17.000000000 -0500
51742 +++ linux-2.6.33/net/mac80211/rate.c 2010-03-07 12:23:36.173612095 -0500
51743 @@ -288,7 +288,7 @@ int ieee80211_init_rate_ctrl_alg(struct
51747 - if (local->open_count)
51748 + if (atomic_read(&local->open_count))
51751 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
51752 diff -urNp linux-2.6.33/net/mac80211/rc80211_pid_debugfs.c linux-2.6.33/net/mac80211/rc80211_pid_debugfs.c
51753 --- linux-2.6.33/net/mac80211/rc80211_pid_debugfs.c 2010-02-24 13:52:17.000000000 -0500
51754 +++ linux-2.6.33/net/mac80211/rc80211_pid_debugfs.c 2010-03-07 12:23:36.173612095 -0500
51755 @@ -191,7 +191,7 @@ static ssize_t rate_control_pid_events_r
51757 spin_unlock_irqrestore(&events->lock, status);
51759 - if (copy_to_user(buf, pb, p))
51760 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
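Review bot: The added `p > sizeof(pb)` test is folded into the same condition as a faulting `copy_to_user()`, so a length that exceeds the kernel buffer is reported exactly like a bad user pointer and leaves no trace. An out-of-range length at this point is a kernel-side invariant violation rather than a caller error, and by the time it is tested `pb` has presumably already been filled. I would keep the guard but make the violation visible, e.g. `if (WARN_ON_ONCE(p > sizeof(pb)) || copy_to_user(buf, pb, p))`, and add a one-line comment that the check only prevents an over-read to user space. The same pattern appears in the af_packet (-1886), sctp (-4386) and svc_rdma (-105) hunks; the return statement of this branch is outside the visible lines.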
51764 diff -urNp linux-2.6.33/net/mac80211/util.c linux-2.6.33/net/mac80211/util.c
51765 --- linux-2.6.33/net/mac80211/util.c 2010-02-24 13:52:17.000000000 -0500
51766 +++ linux-2.6.33/net/mac80211/util.c 2010-03-07 12:23:36.173612095 -0500
51767 @@ -1050,14 +1050,14 @@ int ieee80211_reconfig(struct ieee80211_
51768 local->resuming = true;
51770 /* restart hardware */
51771 - if (local->open_count) {
51772 + if (atomic_read(&local->open_count)) {
51774 * Upon resume hardware can sometimes be goofy due to
51775 * various platform / driver / bus issues, so restarting
51776 * the device may at times not work immediately. Propagate
51779 - res = drv_start(local);
51780 + res = drv_start(local);
51782 WARN(local->suspended, "Harware became unavailable "
51783 "upon resume. This is could be a software issue"
51784 diff -urNp linux-2.6.33/net/packet/af_packet.c linux-2.6.33/net/packet/af_packet.c
51785 --- linux-2.6.33/net/packet/af_packet.c 2010-02-24 13:52:17.000000000 -0500
51786 +++ linux-2.6.33/net/packet/af_packet.c 2010-03-07 12:23:36.173612095 -0500
51787 @@ -1886,7 +1886,7 @@ static int packet_getsockopt(struct sock
51788 case PACKET_HDRLEN:
51789 if (len > sizeof(int))
51791 - if (copy_from_user(&val, optval, len))
51792 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
51796 @@ -1919,7 +1919,7 @@ static int packet_getsockopt(struct sock
51798 if (put_user(len, optlen))
51800 - if (copy_to_user(optval, data, len))
51801 + if (len > sizeof(st) || copy_to_user(optval, data, len))
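Review bot: The added bound compares `len` with `sizeof(st)`, but the copy reads from `data`, so the check only limits the read correctly when `data` points at `st`. If other option cases in packet_getsockopt point `data` at a smaller object (the switch is outside this hunk), a `len` between that object's size and `sizeof(st)` still passes and the copy reads past the object. Recording the source size wherever `data` is assigned and testing that instead, as in `if (len > data_len || copy_to_user(optval, data, len))`, would bound every case. Note also that `put_user(len, optlen)` has already run when this check fails, so the caller sees an updated length together with an error.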
51805 diff -urNp linux-2.6.33/net/sctp/socket.c linux-2.6.33/net/sctp/socket.c
51806 --- linux-2.6.33/net/sctp/socket.c 2010-02-24 13:52:17.000000000 -0500
51807 +++ linux-2.6.33/net/sctp/socket.c 2010-03-07 12:23:36.173612095 -0500
51808 @@ -1482,7 +1482,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
51809 struct sctp_sndrcvinfo *sinfo;
51810 struct sctp_initmsg *sinit;
51811 sctp_assoc_t associd = 0;
51812 - sctp_cmsgs_t cmsgs = { NULL };
51813 + sctp_cmsgs_t cmsgs = { NULL, NULL };
51815 sctp_scope_t scope;
51817 @@ -4386,7 +4386,7 @@ static int sctp_getsockopt_peer_addrs(st
51818 addrlen = sctp_get_af_specific(sk->sk_family)->sockaddr_len;
51819 if (space_left < addrlen)
51821 - if (copy_to_user(to, &temp, addrlen))
51822 + if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
51826 @@ -5478,7 +5478,6 @@ pp_found:
51828 int reuse = sk->sk_reuse;
51830 - struct hlist_node *node;
51832 SCTP_DEBUG_PRINTK("sctp_get_port() found a possible match\n");
51833 if (pp->fastreuse && sk->sk_reuse &&
51834 diff -urNp linux-2.6.33/net/socket.c linux-2.6.33/net/socket.c
51835 --- linux-2.6.33/net/socket.c 2010-02-24 13:52:17.000000000 -0500
51836 +++ linux-2.6.33/net/socket.c 2010-03-07 12:23:36.173612095 -0500
51838 #include <linux/wireless.h>
51839 #include <linux/nsproxy.h>
51840 #include <linux/magic.h>
51841 +#include <linux/in.h>
51843 #include <asm/uaccess.h>
51844 #include <asm/unistd.h>
51845 @@ -103,6 +104,8 @@
51846 #include <linux/sockios.h>
51847 #include <linux/atalk.h>
51849 +#include <linux/grsock.h>
51851 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
51852 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
51853 unsigned long nr_segs, loff_t pos);
51854 @@ -304,7 +307,7 @@ static int sockfs_get_sb(struct file_sys
51858 -static struct vfsmount *sock_mnt __read_mostly;
51859 +struct vfsmount *sock_mnt __read_mostly;
51861 static struct file_system_type sock_fs_type = {
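Review bot: Dropping `static` from `sock_mnt` turns a file-local, writable pointer into a kernel-wide symbol with a fairly generic name, and none of the visible hunks add a declaration for it. I would declare it in the header that the new user includes rather than through a local `extern`, so that the type is checked against this definition. A short comment here, such as `/* non-static: also referenced by the grsecurity socket hooks; never reassigned after init */`, would document it, with the second half to be confirmed against the code that sets it.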
51863 @@ -1310,6 +1313,16 @@ SYSCALL_DEFINE3(socket, int, family, int
51864 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
51865 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
51867 + if(!gr_search_socket(family, type, protocol)) {
51868 + retval = -EACCES;
51872 + if (gr_handle_sock_all(family, type, protocol)) {
51873 + retval = -EACCES;
51877 retval = sock_create(family, type, protocol, &sock);
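Review bot: The two hooks added before `sock_create()` use opposite return conventions: `gr_search_socket()` denies on zero while `gr_handle_sock_all()` denies on non-zero, which is easy to invert when either call is edited later. A one-line comment above each call stating its convention (for example `/* returns 0 when policy denies this socket */`, to be confirmed against the hook) would help. `if(!gr_search_socket(` should also be `if (!gr_search_socket(` to match the surrounding style. Both checks run before `sock_create()`, so anything that function would otherwise validate or audit never sees the rejected request; if that ordering is intended, the comment should say so.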
51880 @@ -1422,6 +1435,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
51882 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
51884 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
51888 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
51892 err = security_socket_bind(sock,
51893 (struct sockaddr *)&address,
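Review bot: `gr_search_bind(sock, (struct sockaddr_in *)&address)` passes the hook a `struct sockaddr_in *` for every address family and does not pass `addrlen`. Unless the hook checks `sa_family` first and tolerates addresses shorter than `sizeof(struct sockaddr_in)` (its body is not in this hunk), it will interpret non-IPv4 addresses as IPv4 and may read bytes of `address` that `move_addr_to_kernel()` never filled. Passing `struct sockaddr *` together with `addrlen` and doing the family and length check inside the hook would make the contract explicit. The connect hunk at -1579 has the same cast in `gr_search_connect(sock, (struct sockaddr_in *)sck)`.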
51895 @@ -1430,6 +1451,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
51896 (struct sockaddr *)
51897 &address, addrlen);
51900 fput_light(sock->file, fput_needed);
51903 @@ -1453,10 +1475,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
51904 if ((unsigned)backlog > somaxconn)
51905 backlog = somaxconn;
51907 + if (gr_handle_sock_server_other(sock)) {
51912 + err = gr_search_listen(sock);
51916 err = security_socket_listen(sock, backlog);
51918 err = sock->ops->listen(sock, backlog);
51921 fput_light(sock->file, fput_needed);
51924 @@ -1499,6 +1531,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
51925 newsock->type = sock->type;
51926 newsock->ops = sock->ops;
51928 + if (gr_handle_sock_server_other(sock)) {
51930 + sock_release(newsock);
51934 + err = gr_search_accept(sock);
51936 + sock_release(newsock);
51941 * We don't need try_module_get here, as the listening socket (sock)
51942 * has the protocol module (sock->ops->owner) held.
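Review bot: Both new error paths call `sock_release(newsock)` after `newsock->ops = sock->ops` has been assigned but, judging by the comment that follows them, before the protocol module reference for `newsock` is taken. If `sock_release()` drops the ops owner's module reference for a socket whose `ops` is set, as I believe it does in this kernel, these paths would put a reference that was never acquired and call the protocol's release on a socket with no `sk`. Running the two checks before `newsock` is allocated, so that failure needs only the `goto` and no release, would avoid the problem. The allocation and the reference acquisition are outside this hunk, so the exact placement needs confirming.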
51943 @@ -1537,6 +1581,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
51944 fd_install(newfd, newfile);
51947 + gr_attach_curr_ip(newsock->sk);
51950 fput_light(sock->file, fput_needed);
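Review bot: `gr_attach_curr_ip(newsock->sk)` is called after `fd_install(newfd, newfile)`, at which point the new descriptor is already visible to every thread sharing the file table. A concurrent close of `newfd` can release the socket, so `newsock` must not be dereferenced once the fd is installed. Moving the call to just before `fd_install(newfd, newfile);` keeps the behaviour and removes that window. The lines between the two statements are not visible, so any label the call sits under must be taken into account.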
51952 @@ -1569,6 +1615,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
51955 struct socket *sock;
51956 + struct sockaddr *sck;
51957 struct sockaddr_storage address;
51958 int err, fput_needed;
51960 @@ -1579,6 +1626,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
51964 + sck = (struct sockaddr *)&address;
51966 + if (gr_handle_sock_client(sck)) {
51971 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
51976 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
51978 diff -urNp linux-2.6.33/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.33/net/sunrpc/xprtrdma/svc_rdma.c
51979 --- linux-2.6.33/net/sunrpc/xprtrdma/svc_rdma.c 2010-02-24 13:52:17.000000000 -0500
51980 +++ linux-2.6.33/net/sunrpc/xprtrdma/svc_rdma.c 2010-03-07 12:23:36.173612095 -0500
51981 @@ -105,7 +105,7 @@ static int read_reset_stat(ctl_table *ta
51985 - if (len && copy_to_user(buffer, str_buf, len))
51986 + if (len > sizeof(str_buf) || (len && copy_to_user(buffer, str_buf, len)))
51990 diff -urNp linux-2.6.33/net/sysctl_net.c linux-2.6.33/net/sysctl_net.c
51991 --- linux-2.6.33/net/sysctl_net.c 2010-02-24 13:52:17.000000000 -0500
51992 +++ linux-2.6.33/net/sysctl_net.c 2010-03-07 12:23:36.173612095 -0500
51993 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
51994 struct ctl_table *table)
51996 /* Allow network administrator to have same access as root. */
51997 - if (capable(CAP_NET_ADMIN)) {
51998 + if (capable_nolog(CAP_NET_ADMIN)) {
51999 int mode = (table->mode >> 6) & 7;
52000 return (mode << 6) | (mode << 3) | mode;
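Review bot: The switch from `capable()` to `capable_nolog()` is not explained, and the existing comment above it still describes only the permission rule. If the reason is that this function is a permission probe run on every sysctl lookup rather than a privileged action worth auditing, the comment should say so, e.g. `/* capable_nolog(): permission probe only, do not generate a capability audit record */`. Without that, a later cleanup could revert the call to `capable()` and bring back whatever logging this was meant to avoid.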
52002 diff -urNp linux-2.6.33/net/unix/af_unix.c linux-2.6.33/net/unix/af_unix.c
52003 --- linux-2.6.33/net/unix/af_unix.c 2010-02-24 13:52:17.000000000 -0500
52004 +++ linux-2.6.33/net/unix/af_unix.c 2010-03-07 12:23:36.177657977 -0500
52005 @@ -735,6 +735,12 @@ static struct sock *unix_find_other(stru
52006 err = -ECONNREFUSED;
52007 if (!S_ISSOCK(inode->i_mode))
52010 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
52015 u = unix_find_socket_byinode(net, inode);
52018 @@ -755,6 +761,13 @@ static struct sock *unix_find_other(stru
52020 struct dentry *dentry;
52021 dentry = unix_sk(u)->dentry;
52023 + if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
52030 touch_atime(unix_sk(u)->mnt, dentry);
52032 @@ -840,11 +853,18 @@ static int unix_bind(struct socket *sock
52033 err = security_path_mknod(&nd.path, dentry, mode, 0);
52035 goto out_mknod_drop_write;
52036 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
52038 + goto out_mknod_drop_write;
52040 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
52041 out_mknod_drop_write:
52042 mnt_drop_write(nd.path.mnt);
52044 goto out_mknod_dput;
52046 + gr_handle_create(dentry, nd.path.mnt);
52048 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
52049 dput(nd.path.dentry);
52050 nd.path.dentry = dentry;
52051 @@ -862,6 +882,10 @@ out_mknod_drop_write:
52055 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
52056 + sk->sk_peercred.pid = current->pid;
52059 list = &unix_socket_table[addr->hash];
52061 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
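Review bot: `sk->sk_peercred.pid = current->pid` records a raw numeric pid at bind time, and the -755 hunk later passes `u->sk_peercred.pid` to `gr_handle_chroot_unix()`. A numeric pid can be recycled once the binding task exits while the socket lives on (for example when it is inherited), so the later check may be evaluated against an unrelated task. `current->pid` is also the thread id rather than the thread-group id. `sk_peercred` appears to be the field reported to user space for connected sockets, so writing it for a bound, unconnected socket may change user-visible behaviour. A dedicated field holding a `struct pid` reference would avoid both concerns; the body of the hook is not visible, so this needs checking against how it resolves the pid.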
52062 diff -urNp linux-2.6.33/samples/kobject/kset-example.c linux-2.6.33/samples/kobject/kset-example.c
52063 --- linux-2.6.33/samples/kobject/kset-example.c 2010-02-24 13:52:17.000000000 -0500
52064 +++ linux-2.6.33/samples/kobject/kset-example.c 2010-03-07 12:23:36.177657977 -0500
52065 @@ -87,7 +87,7 @@ static ssize_t foo_attr_store(struct kob
52068 /* Our custom sysfs_ops that we will associate with our ktype later on */
52069 -static struct sysfs_ops foo_sysfs_ops = {
52070 +static const struct sysfs_ops foo_sysfs_ops = {
52071 .show = foo_attr_show,
52072 .store = foo_attr_store,
52074 diff -urNp linux-2.6.33/scripts/basic/fixdep.c linux-2.6.33/scripts/basic/fixdep.c
52075 --- linux-2.6.33/scripts/basic/fixdep.c 2010-02-24 13:52:17.000000000 -0500
52076 +++ linux-2.6.33/scripts/basic/fixdep.c 2010-03-07 12:23:36.177657977 -0500
52077 @@ -222,9 +222,9 @@ static void use_config(char *m, int slen
52079 static void parse_config_file(char *map, size_t len)
52081 - int *end = (int *) (map + len);
52082 + unsigned int *end = (unsigned int *) (map + len);
52083 /* start at +1, so that p can never be < map */
52084 - int *m = (int *) map + 1;
52085 + unsigned int *m = (unsigned int *) map + 1;
52088 for (; m < end; m++) {
52089 @@ -371,7 +371,7 @@ static void print_deps(void)
52090 static void traps(void)
52092 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
52093 - int *p = (int *)test;
52094 + unsigned int *p = (unsigned int *)test;
52096 if (*p != INT_CONF) {
52097 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
52098 diff -urNp linux-2.6.33/scripts/kallsyms.c linux-2.6.33/scripts/kallsyms.c
52099 --- linux-2.6.33/scripts/kallsyms.c 2010-02-24 13:52:17.000000000 -0500
52100 +++ linux-2.6.33/scripts/kallsyms.c 2010-03-07 12:23:36.177657977 -0500
52101 @@ -43,10 +43,10 @@ struct text_range {
52103 static unsigned long long _text;
52104 static struct text_range text_ranges[] = {
52105 - { "_stext", "_etext" },
52106 - { "_sinittext", "_einittext" },
52107 - { "_stext_l1", "_etext_l1" }, /* Blackfin on-chip L1 inst SRAM */
52108 - { "_stext_l2", "_etext_l2" }, /* Blackfin on-chip L2 SRAM */
52109 + { "_stext", "_etext", 0, 0 },
52110 + { "_sinittext", "_einittext", 0, 0 },
52111 + { "_stext_l1", "_etext_l1", 0, 0 }, /* Blackfin on-chip L1 inst SRAM */
52112 + { "_stext_l2", "_etext_l2", 0, 0 }, /* Blackfin on-chip L2 SRAM */
52114 #define text_range_text (&text_ranges[0])
52115 #define text_range_inittext (&text_ranges[1])
52116 diff -urNp linux-2.6.33/scripts/mod/file2alias.c linux-2.6.33/scripts/mod/file2alias.c
52117 --- linux-2.6.33/scripts/mod/file2alias.c 2010-02-24 13:52:17.000000000 -0500
52118 +++ linux-2.6.33/scripts/mod/file2alias.c 2010-03-07 12:23:36.177657977 -0500
52119 @@ -72,7 +72,7 @@ static void device_id_check(const char *
52120 unsigned long size, unsigned long id_size,
52126 if (size % id_size || size < id_size) {
52127 if (cross_build != 0)
52128 @@ -102,7 +102,7 @@ static void device_id_check(const char *
52129 /* USB is special because the bcdDevice can be matched against a numeric range */
52130 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
52131 static void do_usb_entry(struct usb_device_id *id,
52132 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
52133 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
52134 unsigned char range_lo, unsigned char range_hi,
52135 unsigned char max, struct module *mod)
52137 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
52138 for (i = 0; i < count; i++) {
52139 const char *id = (char *)devs[i].id;
52140 char acpi_id[sizeof(devs[0].id)];
52144 buf_printf(&mod->dev_table_buf,
52145 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
52146 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
52148 for (j = 0; j < PNP_MAX_DEVICES; j++) {
52149 const char *id = (char *)card->devs[j].id;
52151 + unsigned int i2, j2;
52155 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
52156 /* add an individual alias for every device entry */
52158 char acpi_id[sizeof(card->devs[0].id)];
52162 buf_printf(&mod->dev_table_buf,
52163 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
52164 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
52165 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
52169 + unsigned int i, j;
52171 sprintf(alias, "dmi*");
52173 diff -urNp linux-2.6.33/scripts/mod/modpost.c linux-2.6.33/scripts/mod/modpost.c
52174 --- linux-2.6.33/scripts/mod/modpost.c 2010-02-24 13:52:17.000000000 -0500
52175 +++ linux-2.6.33/scripts/mod/modpost.c 2010-03-07 12:23:36.177657977 -0500
52176 @@ -842,6 +842,7 @@ enum mismatch {
52179 EXPORT_TO_INIT_EXIT,
52183 struct sectioncheck {
52184 @@ -927,6 +928,12 @@ const struct sectioncheck sectioncheck[]
52185 .fromsec = { "__ksymtab*", NULL },
52186 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
52187 .mismatch = EXPORT_TO_INIT_EXIT
52189 +/* Do not reference code from writable data */
52191 + .fromsec = { DATA_SECTIONS, NULL },
52192 + .tosec = { TEXT_SECTIONS, NULL },
52193 + .mismatch = DATA_TO_TEXT
52197 @@ -1031,10 +1038,10 @@ static Elf_Sym *find_elf_symbol(struct e
52199 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
52201 - if (sym->st_value == addr)
52203 /* Find a symbol nearby - addr are maybe negative */
52204 d = sym->st_value - addr;
52208 d = addr - sym->st_value;
52209 if (d < distance) {
52210 @@ -1275,6 +1282,14 @@ static void report_sec_mismatch(const ch
52211 "Fix this by removing the %sannotation of %s "
52212 "or drop the export.\n",
52213 tosym, sec2annotation(tosec), sec2annotation(tosec), tosym);
52214 + case DATA_TO_TEXT:
52217 + "The variable %s references\n"
52218 + "the %s %s%s%s\n",
52219 + fromsym, to, sec2annotation(tosec), tosym, to_p);
52223 /* To get warnings on missing members */
52225 @@ -1600,7 +1615,7 @@ void __attribute__((format(printf, 2, 3)
52229 -void buf_write(struct buffer *buf, const char *s, int len)
52230 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
52232 if (buf->size - buf->pos < len) {
52233 buf->size += len + SZ;
52234 @@ -1812,7 +1827,7 @@ static void write_if_changed(struct buff
52235 if (fstat(fileno(file), &st) < 0)
52238 - if (st.st_size != b->pos)
52239 + if (st.st_size != (off_t)b->pos)
52242 tmp = NOFAIL(malloc(b->pos));
52243 diff -urNp linux-2.6.33/scripts/mod/modpost.h linux-2.6.33/scripts/mod/modpost.h
52244 --- linux-2.6.33/scripts/mod/modpost.h 2010-02-24 13:52:17.000000000 -0500
52245 +++ linux-2.6.33/scripts/mod/modpost.h 2010-03-07 12:23:36.177657977 -0500
52246 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
52252 + unsigned int pos;
52253 + unsigned int size;
52256 void __attribute__((format(printf, 2, 3)))
52257 buf_printf(struct buffer *buf, const char *fmt, ...);
52260 -buf_write(struct buffer *buf, const char *s, int len);
52261 +buf_write(struct buffer *buf, const char *s, unsigned int len);
52264 struct module *next;
52265 diff -urNp linux-2.6.33/scripts/mod/sumversion.c linux-2.6.33/scripts/mod/sumversion.c
52266 --- linux-2.6.33/scripts/mod/sumversion.c 2010-02-24 13:52:17.000000000 -0500
52267 +++ linux-2.6.33/scripts/mod/sumversion.c 2010-03-07 12:23:36.177657977 -0500
52268 @@ -455,7 +455,7 @@ static void write_version(const char *fi
52272 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
52273 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
52274 warn("writing sum in %s failed: %s\n",
52275 filename, strerror(errno));
52277 diff -urNp linux-2.6.33/scripts/pnmtologo.c linux-2.6.33/scripts/pnmtologo.c
52278 --- linux-2.6.33/scripts/pnmtologo.c 2010-02-24 13:52:17.000000000 -0500
52279 +++ linux-2.6.33/scripts/pnmtologo.c 2010-03-07 12:23:36.177657977 -0500
52280 @@ -237,14 +237,14 @@ static void write_header(void)
52281 fprintf(out, " * Linux logo %s\n", logoname);
52282 fputs(" */\n\n", out);
52283 fputs("#include <linux/linux_logo.h>\n\n", out);
52284 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
52285 + fprintf(out, "static unsigned char %s_data[] = {\n",
52289 static void write_footer(void)
52291 fputs("\n};\n\n", out);
52292 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
52293 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
52294 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
52295 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
52296 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
52297 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
52298 fputs("\n};\n\n", out);
52300 /* write logo clut */
52301 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
52302 + fprintf(out, "static unsigned char %s_clut[] = {\n",
52305 for (i = 0; i < logo_clutsize; i++) {
52306 diff -urNp linux-2.6.33/security/commoncap.c linux-2.6.33/security/commoncap.c
52307 --- linux-2.6.33/security/commoncap.c 2010-02-24 13:52:17.000000000 -0500
52308 +++ linux-2.6.33/security/commoncap.c 2010-03-07 12:23:36.177657977 -0500
52310 #include <linux/prctl.h>
52311 #include <linux/securebits.h>
52312 #include <linux/vs_context.h>
52314 +#include <net/sock.h>
52316 * If a non-root user executes a setuid-root binary in
52317 * !secure(SECURE_NOROOT) mode, then we raise capabilities.
52322 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
52324 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
52326 - NETLINK_CB(skb).eff_cap = vx_mbcaps(current_cap());
52327 + NETLINK_CB(skb).eff_cap = vx_mbcaps(gr_cap_rtnetlink(sk));
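Review bot: `extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);` is declared locally in commoncap.c instead of coming from a header, so the compiler cannot check this prototype against the definition. Moving the prototype into a shared header, the way net/socket.c picks up its hooks through an include, would keep caller and definition in sync. I would also add a comment above the assignment stating what `gr_cap_rtnetlink()` returns when it has nothing to restrict, since `eff_cap` no longer visibly derives from `current_cap()`.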
52331 diff -urNp linux-2.6.33/security/integrity/ima/ima_api.c linux-2.6.33/security/integrity/ima/ima_api.c
52332 --- linux-2.6.33/security/integrity/ima/ima_api.c 2010-02-24 13:52:17.000000000 -0500
52333 +++ linux-2.6.33/security/integrity/ima/ima_api.c 2010-03-07 12:23:36.177657977 -0500
52334 @@ -74,7 +74,7 @@ void ima_add_violation(struct inode *ino
52337 /* can overflow, only indicator */
52338 - atomic_long_inc(&ima_htable.violations);
52339 + atomic_long_inc_unchecked(&ima_htable.violations);
52341 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
52343 diff -urNp linux-2.6.33/security/integrity/ima/ima_fs.c linux-2.6.33/security/integrity/ima/ima_fs.c
52344 --- linux-2.6.33/security/integrity/ima/ima_fs.c 2010-02-24 13:52:17.000000000 -0500
52345 +++ linux-2.6.33/security/integrity/ima/ima_fs.c 2010-03-07 12:23:36.177657977 -0500
52346 @@ -27,12 +27,12 @@
52347 static int valid_policy = 1;
52348 #define TMPBUFLEN 12
52349 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
52350 - loff_t *ppos, atomic_long_t *val)
52351 + loff_t *ppos, atomic_long_unchecked_t *val)
52353 char tmpbuf[TMPBUFLEN];
52356 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
52357 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
52358 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
52361 diff -urNp linux-2.6.33/security/integrity/ima/ima.h linux-2.6.33/security/integrity/ima/ima.h
52362 --- linux-2.6.33/security/integrity/ima/ima.h 2010-02-24 13:52:17.000000000 -0500
52363 +++ linux-2.6.33/security/integrity/ima/ima.h 2010-03-07 12:23:36.177657977 -0500
52364 @@ -83,8 +83,8 @@ void ima_add_violation(struct inode *ino
52365 extern spinlock_t ima_queue_lock;
52367 struct ima_h_table {
52368 - atomic_long_t len; /* number of stored measurements in the list */
52369 - atomic_long_t violations;
52370 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
52371 + atomic_long_unchecked_t violations;
52372 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
52374 extern struct ima_h_table ima_htable;
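Review bot: `len` is converted to `atomic_long_unchecked_t` without any stated reason, while its comment still describes it as the number of stored measurements. For `violations` the rationale exists at the increment site in ima_api.c (`/* can overflow, only indicator */`), but nothing equivalent covers `len`. If `len` is likewise only reported and never used for sizing or indexing, a comment here such as `/* statistics only, may wrap; not used as a reference count */` would record why it is exempt from overflow checking. That should be confirmed against its readers, which are not all visible in these hunks.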
52375 diff -urNp linux-2.6.33/security/integrity/ima/ima_queue.c linux-2.6.33/security/integrity/ima/ima_queue.c
52376 --- linux-2.6.33/security/integrity/ima/ima_queue.c 2010-02-24 13:52:17.000000000 -0500
52377 +++ linux-2.6.33/security/integrity/ima/ima_queue.c 2010-03-07 12:23:36.177657977 -0500
52378 @@ -78,7 +78,7 @@ static int ima_add_digest_entry(struct i
52379 INIT_LIST_HEAD(&qe->later);
52380 list_add_tail_rcu(&qe->later, &ima_measurements);
52382 - atomic_long_inc(&ima_htable.len);
52383 + atomic_long_inc_unchecked(&ima_htable.len);
52384 key = ima_hash_key(entry->digest);
52385 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
52387 diff -urNp linux-2.6.33/security/Kconfig linux-2.6.33/security/Kconfig
52388 --- linux-2.6.33/security/Kconfig 2010-02-24 13:52:17.000000000 -0500
52389 +++ linux-2.6.33/security/Kconfig 2010-03-07 12:23:36.177657977 -0500
52392 menu "Security options"
52394 +source grsecurity/Kconfig
52399 + bool "Enable various PaX features"
52400 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86)
52402 + This allows you to enable various PaX features. PaX adds
52403 + intrusion prevention mechanisms to the kernel that reduce
52404 + the risks posed by exploitable memory corruption bugs.
52406 +menu "PaX Control"
52409 +config PAX_SOFTMODE
52410 + bool 'Support soft mode'
52411 + select PAX_PT_PAX_FLAGS
52413 + Enabling this option will allow you to run PaX in soft mode, that
52414 + is, PaX features will not be enforced by default, only on executables
52415 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
52416 + is the only way to mark executables for soft mode use.
52418 + Soft mode can be activated by using the "pax_softmode=1" kernel command
52419 + line option on boot. Furthermore you can control various PaX features
52420 + at runtime via the entries in /proc/sys/kernel/pax.
52423 + bool 'Use legacy ELF header marking'
52425 + Enabling this option will allow you to control PaX features on
52426 + a per executable basis via the 'chpax' utility available at
52427 + http://pax.grsecurity.net/. The control flags will be read from
52428 + an otherwise reserved part of the ELF header. This marking has
52429 + numerous drawbacks (no support for soft-mode, toolchain does not
52430 + know about the non-standard use of the ELF header) therefore it
52431 + has been deprecated in favour of PT_PAX_FLAGS support.
52433 + If you have applications not marked by the PT_PAX_FLAGS ELF
52434 + program header then you MUST enable this option otherwise they
52435 + will not get any protection.
52437 + Note that if you enable PT_PAX_FLAGS marking support as well,
52438 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
52440 +config PAX_PT_PAX_FLAGS
52441 + bool 'Use ELF program header marking'
52443 + Enabling this option will allow you to control PaX features on
52444 + a per executable basis via the 'paxctl' utility available at
52445 + http://pax.grsecurity.net/. The control flags will be read from
52446 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
52447 + has the benefits of supporting both soft mode and being fully
52448 + integrated into the toolchain (the binutils patch is available
52449 + from http://pax.grsecurity.net).
52451 + If you have applications not marked by the PT_PAX_FLAGS ELF
52452 + program header then you MUST enable the EI_PAX marking support
52453 + otherwise they will not get any protection.
52455 + Note that if you enable the legacy EI_PAX marking support as well,
52456 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
52459 + prompt 'MAC system integration'
52460 + default PAX_HAVE_ACL_FLAGS
52462 + Mandatory Access Control systems have the option of controlling
52463 + PaX flags on a per executable basis, choose the method supported
52464 + by your particular system.
52466 + - "none": if your MAC system does not interact with PaX,
52467 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
52468 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
52470 + NOTE: this option is for developers/integrators only.
52472 + config PAX_NO_ACL_FLAGS
52475 + config PAX_HAVE_ACL_FLAGS
52478 + config PAX_HOOK_ACL_FLAGS
52484 +menu "Non-executable pages"
52488 + bool "Enforce non-executable pages"
52489 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || S390 || SPARC32 || SPARC64 || X86)
52491 + By design some architectures do not allow for protecting memory
52492 + pages against execution or even if they do, Linux does not make
52493 + use of this feature. In practice this means that if a page is
52494 + readable (such as the stack or heap) it is also executable.
52496 + There is a well known exploit technique that makes use of this
52497 + fact and a common programming mistake where an attacker can
52498 + introduce code of his choice somewhere in the attacked program's
52499 + memory (typically the stack or the heap) and then execute it.
52501 + If the attacked program was running with different (typically
52502 + higher) privileges than that of the attacker, then he can elevate
52503 + his own privilege level (e.g. get a root shell, write to files for
52504 + which he does not have write access to, etc).
52506 + Enabling this option will let you choose from various features
52507 + that prevent the injection and execution of 'foreign' code in
52510 + This will also break programs that rely on the old behaviour and
52511 + expect that dynamically allocated memory via the malloc() family
52512 + of functions is executable (which it is not). Notable examples
52513 + are the XFree86 4.x server, the java runtime and wine.
52515 +config PAX_PAGEEXEC
52516 + bool "Paging based non-executable pages"
52517 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
52518 + select S390_SWITCH_AMODE if S390
52519 + select S390_EXEC_PROTECT if S390
52521 + This implementation is based on the paging feature of the CPU.
52522 + On i386 without hardware non-executable bit support there is a
52523 + variable but usually low performance impact, however on Intel's
52524 + P4 core based CPUs it is very high so you should not enable this
52525 + for kernels meant to be used on such CPUs.
52527 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
52528 + with hardware non-executable bit support there is no performance
52529 + impact, on ppc the impact is negligible.
52531 + Note that several architectures require various emulations due to
52532 + badly designed userland ABIs, this will cause a performance impact
52533 + but will disappear as soon as userland is fixed. For example, ppc
52534 + userland MUST have been built with secure-plt by a recent toolchain.
52536 +config PAX_SEGMEXEC
52537 + bool "Segmentation based non-executable pages"
52538 + depends on PAX_NOEXEC && X86_32
52540 + This implementation is based on the segmentation feature of the
52541 + CPU and has a very small performance impact, however applications
52542 + will be limited to a 1.5 GB address space instead of the normal
52545 +config PAX_EMUTRAMP
52546 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
52547 + default y if PARISC
52549 + There are some programs and libraries that for one reason or
52550 + another attempt to execute special small code snippets from
52551 + non-executable memory pages. Most notable examples are the
52552 + signal handler return code generated by the kernel itself and
52553 + the GCC trampolines.
52555 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
52556 + such programs will no longer work under your kernel.
52558 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
52559 + utilities to enable trampoline emulation for the affected programs
52560 + yet still have the protection provided by the non-executable pages.
52562 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
52563 + your system will not even boot.
52565 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
52566 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
52567 + for the affected files.
52569 + NOTE: enabling this feature *may* open up a loophole in the
52570 + protection provided by non-executable pages that an attacker
52571 + could abuse. Therefore the best solution is to not have any
52572 + files on your system that would require this option. This can
52573 + be achieved by not using libc5 (which relies on the kernel
52574 + signal handler return code) and not using or rewriting programs
52575 + that make use of the nested function implementation of GCC.
52576 + Skilled users can just fix GCC itself so that it implements
52577 + nested function calls in a way that does not interfere with PaX.
52579 +config PAX_EMUSIGRT
52580 + bool "Automatically emulate sigreturn trampolines"
52581 + depends on PAX_EMUTRAMP && PARISC
52584 + Enabling this option will have the kernel automatically detect
52585 + and emulate signal return trampolines executing on the stack
52586 + that would otherwise lead to task termination.
52588 + This solution is intended as a temporary one for users with
52589 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
52590 + Modula-3 runtime, etc) or executables linked to such, basically
52591 + everything that does not specify its own SA_RESTORER function in
52592 + normal executable memory like glibc 2.1+ does.
52594 + On parisc you MUST enable this option, otherwise your system will
52597 + NOTE: this feature cannot be disabled on a per executable basis
52598 + and since it *does* open up a loophole in the protection provided
52599 + by non-executable pages, the best solution is to not have any
52600 + files on your system that would require this option.
52602 +config PAX_MPROTECT
52603 + bool "Restrict mprotect()"
52604 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
52606 + Enabling this option will prevent programs from
52607 + - changing the executable status of memory pages that were
52608 + not originally created as executable,
52609 + - making read-only executable pages writable again,
52610 + - creating executable pages from anonymous memory.
52612 + You should say Y here to complete the protection provided by
52613 + the enforcement of non-executable pages.
52615 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
52616 + this feature on a per file basis.
52618 +config PAX_NOELFRELOCS
52619 + bool "Disallow ELF text relocations"
52620 + depends on PAX_MPROTECT && !PAX_ETEXECRELOCS && (IA64 || PPC || X86)
52622 + Non-executable pages and mprotect() restrictions are effective
52623 + in preventing the introduction of new executable code into an
52624 + attacked task's address space. There remain only two venues
52625 + for this kind of attack: if the attacker can execute already
52626 + existing code in the attacked task then he can either have it
52627 + create and mmap() a file containing his code or have it mmap()
52628 + an already existing ELF library that does not have position
52629 + independent code in it and use mprotect() on it to make it
52630 + writable and copy his code there. While protecting against
52631 + the former approach is beyond PaX, the latter can be prevented
52632 + by having only PIC ELF libraries on one's system (which do not
52633 + need to relocate their code). If you are sure this is your case,
52634 + then enable this option otherwise be careful as you may not even
52635 + be able to boot or log on your system (for example, some PAM
52636 + modules are erroneously compiled as non-PIC by default).
52638 + NOTE: if you are using dynamic ELF executables (as suggested
52639 + when using ASLR) then you must have made sure that you linked
52640 + your files using the PIC version of crt1 (the et_dyn.tar.gz package
52641 + referenced there has already been updated to support this).
52643 +config PAX_ETEXECRELOCS
52644 + bool "Allow ELF ET_EXEC text relocations"
52645 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
52648 + On some architectures there are incorrectly created applications
52649 + that require text relocations and would not work without enabling
52650 + this option. If you are an alpha, ia64 or parisc user, you should
52651 + enable this option and disable it once you have made sure that
52652 + none of your applications need it.
52655 + bool "Automatically emulate ELF PLT"
52656 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC32 || SPARC64)
52659 + Enabling this option will have the kernel automatically detect
52660 + and emulate the Procedure Linkage Table entries in ELF files.
52661 + On some architectures such entries are in writable memory, and
52662 + become non-executable leading to task termination. Therefore
52663 + it is mandatory that you enable this option on alpha, parisc,
52664 + sparc and sparc64, otherwise your system would not even boot.
52666 + NOTE: this feature *does* open up a loophole in the protection
52667 + provided by the non-executable pages, therefore the proper
52668 + solution is to modify the toolchain to produce a PLT that does
52669 + not need to be writable.
52671 +config PAX_DLRESOLVE
52672 + bool 'Emulate old glibc resolver stub'
52673 + depends on PAX_EMUPLT && (SPARC32 || SPARC64)
52676 + This option is needed if userland has an old glibc (before 2.4)
52677 + that puts a 'save' instruction into the runtime generated resolver
52678 + stub that needs special emulation.
52680 +config PAX_KERNEXEC
52681 + bool "Enforce non-executable kernel pages"
52682 + depends on PAX_NOEXEC && (PPC32 || PPC64 || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
52684 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
52685 + that is, enabling this option will make it harder to inject
52686 + and execute 'foreign' code in kernel memory itself.
52688 +config PAX_KERNEXEC_MODULE_TEXT
52689 + int "Minimum amount of memory reserved for module code"
52691 + depends on PAX_KERNEXEC && X86_32 && MODULES
52693 + Due to implementation details the kernel must reserve a fixed
52694 + amount of memory for module code at compile time that cannot be
52695 + changed at runtime. Here you can specify the minimum amount
52696 + in MB that will be reserved. Due to the same implementation
52697 + details this size will always be rounded up to the next 2/4 MB
52698 + boundary (depends on PAE) so the actually available memory for
52699 + module code will usually be more than this minimum.
52701 + The default 4 MB should be enough for most users but if you have
52702 + an excessive number of modules (e.g., most distribution configs
52703 + compile many drivers as modules) or use huge modules such as
52704 + nvidia's kernel driver, you will need to adjust this amount.
52705 + A good rule of thumb is to look at your currently loaded kernel
52706 + modules and add up their sizes.
52710 +menu "Address Space Layout Randomization"
52714 + bool "Address Space Layout Randomization"
52715 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
52717 + Many if not most exploit techniques rely on the knowledge of
52718 + certain addresses in the attacked program. The following options
52719 + will allow the kernel to apply a certain amount of randomization
52720 + to specific parts of the program thereby forcing an attacker to
52721 + guess them in most cases. Any failed guess will most likely crash
52722 + the attacked program which allows the kernel to detect such attempts
52723 + and react on them. PaX itself provides no reaction mechanisms,
52724 + instead it is strongly encouraged that you make use of Nergal's
52725 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
52726 + (http://www.grsecurity.net/) built-in crash detection features or
52727 + develop one yourself.
52729 + By saying Y here you can choose to randomize the following areas:
52730 + - top of the task's kernel stack
52731 + - top of the task's userland stack
52732 + - base address for mmap() requests that do not specify one
52733 + (this includes all libraries)
52734 + - base address of the main executable
52736 + It is strongly recommended to say Y here as address space layout
52737 + randomization has negligible impact on performance yet it provides
52738 + a very effective protection.
52740 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
52741 + this feature on a per file basis.
52743 +config PAX_RANDKSTACK
52744 + bool "Randomize kernel stack base"
52745 + depends on PAX_ASLR && X86_TSC && X86_32
52747 + By saying Y here the kernel will randomize every task's kernel
52748 + stack on every system call. This will not only force an attacker
52749 + to guess it but also prevent him from making use of possible
52750 + leaked information about it.
52752 + Since the kernel stack is a rather scarce resource, randomization
52753 + may cause unexpected stack overflows, therefore you should very
52754 + carefully test your system. Note that once enabled in the kernel
52755 + configuration, this feature cannot be disabled on a per file basis.
52757 +config PAX_RANDUSTACK
52758 + bool "Randomize user stack base"
52759 + depends on PAX_ASLR
52761 + By saying Y here the kernel will randomize every task's userland
52762 + stack. The randomization is done in two steps where the second
52763 + one may apply a big amount of shift to the top of the stack and
52764 + cause problems for programs that want to use lots of memory (more
52765 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
52766 + For this reason the second step can be controlled by 'chpax' or
52767 + 'paxctl' on a per file basis.
52769 +config PAX_RANDMMAP
52770 + bool "Randomize mmap() base"
52771 + depends on PAX_ASLR
52773 + By saying Y here the kernel will use a randomized base address for
52774 + mmap() requests that do not specify one themselves. As a result
52775 + all dynamically loaded libraries will appear at random addresses
52776 + and therefore be harder to exploit by a technique where an attacker
52777 + attempts to execute library code for his purposes (e.g. spawn a
52778 + shell from an exploited program that is running at an elevated
52779 + privilege level).
52781 + Furthermore, if a program is relinked as a dynamic ELF file, its
52782 + base address will be randomized as well, completing the full
52783 + randomization of the address space layout. Attacking such programs
52784 + becomes a guess game. You can find an example of doing this at
52785 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
52786 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
52788 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
52789 + feature on a per file basis.
52793 +menu "Miscellaneous hardening features"
52795 +config PAX_MEMORY_SANITIZE
52796 + bool "Sanitize all freed memory"
52798 + By saying Y here the kernel will erase memory pages as soon as they
52799 + are freed. This in turn reduces the lifetime of data stored in the
52800 + pages, making it less likely that sensitive information such as
52801 + passwords, cryptographic secrets, etc stay in memory for too long.
52803 + This is especially useful for programs whose runtime is short, long
52804 + lived processes and the kernel itself benefit from this as long as
52805 + they operate on whole memory pages and ensure timely freeing of pages
52806 + that may hold sensitive information.
52808 + The tradeoff is performance impact, on a single CPU system kernel
52809 + compilation sees a 3% slowdown, other systems and workloads may vary
52810 + and you are advised to test this feature on your expected workload
52811 + before deploying it.
52813 + Note that this feature does not protect data stored in live pages,
52814 + e.g., process memory swapped to disk may stay there for a long time.
52816 +config PAX_MEMORY_UDEREF
52817 + bool "Prevent invalid userland pointer dereference"
52818 + depends on X86_32 && !UML_X86 && !XEN
52820 + By saying Y here the kernel will be prevented from dereferencing
52821 + userland pointers in contexts where the kernel expects only kernel
52822 + pointers. This is both a useful runtime debugging feature and a
52823 + security measure that prevents exploiting a class of kernel bugs.
52825 + The tradeoff is that some virtualization solutions may experience
52826 + a huge slowdown and therefore you should not enable this feature
52827 + for kernels meant to run in such environments. Whether a given VM
52828 + solution is affected or not is best determined by simply trying it
52829 + out, the performance impact will be obvious right on boot as this
52830 + mechanism engages from very early on. A good rule of thumb is that
52831 + VMs running on CPUs without hardware virtualization support (i.e.,
52832 + the majority of IA-32 CPUs) will likely experience the slowdown.
52834 +config PAX_REFCOUNT
52835 + bool "Prevent various kernel object reference counter overflows"
52836 + depends on GRKERNSEC && (X86 || SPARC64)
52838 + By saying Y here the kernel will detect and prevent overflowing
52839 + various (but not all) kinds of object reference counters. Such
52840 + overflows can normally occur due to bugs only and are often, if
52841 + not always, exploitable.
52843 + The tradeoff is that data structures protected by an overflowed
52844 + refcount will never be freed and therefore will leak memory. Note
52845 + that this leak also happens even without this protection but in
52846 + that case the overflow can eventually trigger the freeing of the
52847 + data structure while it is still being used elsewhere, resulting
52848 + in the exploitable situation that this feature prevents.
52850 + Since this has a negligible performance impact, you should enable
52853 +config PAX_USERCOPY
52854 + bool "Bounds check heap object copies between kernel and userland"
52855 + depends on X86 || PPC32 || PPC64 || SPARC32 || SPARC64
52856 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
52858 + By saying Y here the kernel will enforce the size of heap objects
52859 + when they are copied in either direction between the kernel and
52860 + userland, even if only a part of the heap object is copied.
52862 + Specifically, this checking prevents information leaking from the
52863 + kernel heap during kernel to userland copies (if the kernel heap
52864 + object is otherwise fully initialized) and prevents kernel heap
52865 + overflows during userland to kernel copies.
52867 + Note that the current implementation provides the strictest checks
52868 + for the SLUB allocator.
52870 + Since this has a negligible performance impact, you should enable
52877 bool "Enable access key retention support"
52879 @@ -124,7 +606,7 @@ config INTEL_TXT
52880 config LSM_MMAP_MIN_ADDR
52881 int "Low address space for LSM to protect from user allocation"
52882 depends on SECURITY && SECURITY_SELINUX
52886 This is the portion of low virtual memory which should be protected
52887 from userspace allocation. Keeping a user from writing to low pages
52888 diff -urNp linux-2.6.33/security/min_addr.c linux-2.6.33/security/min_addr.c
52889 --- linux-2.6.33/security/min_addr.c 2010-02-24 13:52:17.000000000 -0500
52890 +++ linux-2.6.33/security/min_addr.c 2010-03-07 12:23:36.177657977 -0500
52891 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
52893 static void update_mmap_min_addr(void)
52896 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
52897 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
52898 mmap_min_addr = dac_mmap_min_addr;
52899 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
52901 mmap_min_addr = dac_mmap_min_addr;
52907 diff -urNp linux-2.6.33/sound/aoa/codecs/onyx.c linux-2.6.33/sound/aoa/codecs/onyx.c
52908 --- linux-2.6.33/sound/aoa/codecs/onyx.c 2010-02-24 13:52:17.000000000 -0500
52909 +++ linux-2.6.33/sound/aoa/codecs/onyx.c 2010-03-07 12:23:36.177657977 -0500
52910 @@ -53,7 +53,7 @@ struct onyx {
52915 + atomic_t open_count;
52916 struct codec_info *codec_info;
52918 /* mutex serializes concurrent access to the device
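Review bot: The new `atomic_t open_count;` field carries no comment saying why it is atomic, and both converted users further down (`atomic_inc` in onyx_open, `atomic_dec_and_test` in onyx_close) still run between `mutex_lock(&onyx->mutex)` and `mutex_unlock(&onyx->mutex)`, so the atomic operations add no synchronisation of their own. If the intent is to route the counter through the overflow-checked atomic operations that the PAX_REFCOUNT help text in this patch describes, record that on the field, e.g. `/* atomic_t so updates use the checked atomic ops; still only changed under mutex */`. PAX_REFCOUNT is declared `depends on GRKERNSEC && (X86 || SPARC64)`, so it is worth confirming that the check is active on the architectures this codec driver builds for. The struct and both functions continue outside the hunks.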
52919 @@ -752,7 +752,7 @@ static int onyx_open(struct codec_info_i
52920 struct onyx *onyx = cii->codec_data;
52922 mutex_lock(&onyx->mutex);
52923 - onyx->open_count++;
52924 + atomic_inc(&onyx->open_count);
52925 mutex_unlock(&onyx->mutex);
52928 @@ -764,8 +764,7 @@ static int onyx_close(struct codec_info_
52929 struct onyx *onyx = cii->codec_data;
52931 mutex_lock(&onyx->mutex);
52932 - onyx->open_count--;
52933 - if (!onyx->open_count)
52934 + if (atomic_dec_and_test(&onyx->open_count))
52935 onyx->spdif_locked = onyx->analog_locked = 0;
52936 mutex_unlock(&onyx->mutex);
52938 diff -urNp linux-2.6.33/sound/core/oss/pcm_oss.c linux-2.6.33/sound/core/oss/pcm_oss.c
52939 --- linux-2.6.33/sound/core/oss/pcm_oss.c 2010-02-24 13:52:17.000000000 -0500
52940 +++ linux-2.6.33/sound/core/oss/pcm_oss.c 2010-03-07 12:23:36.177657977 -0500
52941 @@ -2949,8 +2949,8 @@ static void snd_pcm_oss_proc_done(struct
52944 #else /* !CONFIG_SND_VERBOSE_PROCFS */
52945 -#define snd_pcm_oss_proc_init(pcm)
52946 -#define snd_pcm_oss_proc_done(pcm)
52947 +#define snd_pcm_oss_proc_init(pcm) do {} while (0)
52948 +#define snd_pcm_oss_proc_done(pcm) do {} while (0)
52949 #endif /* CONFIG_SND_VERBOSE_PROCFS */
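Review bot: The `do {} while (0)` stubs are statement-safe, but as macros they still discard `pcm` without evaluating or type-checking it, so a wrong argument goes unnoticed when CONFIG_SND_VERBOSE_PROCFS is off. An empty inline function costs the same and keeps the check, e.g. `static inline void snd_pcm_oss_proc_init(struct snd_pcm *pcm) {}` and the same for `snd_pcm_oss_proc_done`. The four `snd_use_lock_*` stubs changed in sound/core/seq/seq_lock.h below have the same shape. If the macros stay, a comment such as `/* expands to a statement so it is safe as the sole body of an if/else */` would record why the empty expansion was replaced.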
52952 diff -urNp linux-2.6.33/sound/core/seq/seq_lock.h linux-2.6.33/sound/core/seq/seq_lock.h
52953 --- linux-2.6.33/sound/core/seq/seq_lock.h 2010-02-24 13:52:17.000000000 -0500
52954 +++ linux-2.6.33/sound/core/seq/seq_lock.h 2010-03-07 12:23:36.177657977 -0500
52955 @@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
52956 #else /* SMP || CONFIG_SND_DEBUG */
52958 typedef spinlock_t snd_use_lock_t; /* dummy */
52959 -#define snd_use_lock_init(lockp) /**/
52960 -#define snd_use_lock_use(lockp) /**/
52961 -#define snd_use_lock_free(lockp) /**/
52962 -#define snd_use_lock_sync(lockp) /**/
52963 +#define snd_use_lock_init(lockp) do {} while (0)
52964 +#define snd_use_lock_use(lockp) do {} while (0)
52965 +#define snd_use_lock_free(lockp) do {} while (0)
52966 +#define snd_use_lock_sync(lockp) do {} while (0)
52968 #endif /* SMP || CONFIG_SND_DEBUG */
52970 diff -urNp linux-2.6.33/sound/drivers/mts64.c linux-2.6.33/sound/drivers/mts64.c
52971 --- linux-2.6.33/sound/drivers/mts64.c 2010-02-24 13:52:17.000000000 -0500
52972 +++ linux-2.6.33/sound/drivers/mts64.c 2010-03-07 12:23:36.181703000 -0500
52973 @@ -65,7 +65,7 @@ struct mts64 {
52974 struct pardevice *pardev;
52975 int pardev_claimed;
52978 + atomic_t open_count;
52979 int current_midi_output_port;
52980 int current_midi_input_port;
52981 u8 mode[MTS64_NUM_INPUT_PORTS];
52982 @@ -695,7 +695,7 @@ static int snd_mts64_rawmidi_open(struct
52984 struct mts64 *mts = substream->rmidi->private_data;
52986 - if (mts->open_count == 0) {
52987 + if (atomic_read(&mts->open_count) == 0) {
52988 /* We don't need a spinlock here, because this is just called
52989 if the device has not been opened before.
52990 So there aren't any IRQs from the device */
52991 @@ -703,7 +703,7 @@ static int snd_mts64_rawmidi_open(struct
52995 - ++(mts->open_count);
52996 + atomic_inc(&mts->open_count);
53000 @@ -713,8 +713,7 @@ static int snd_mts64_rawmidi_close(struc
53001 struct mts64 *mts = substream->rmidi->private_data;
53002 unsigned long flags;
53004 - --(mts->open_count);
53005 - if (mts->open_count == 0) {
53006 + if (atomic_dec_return(&mts->open_count) == 0) {
53007 /* We need the spinlock_irqsave here because we can still
53008 have IRQs at this point */
53009 spin_lock_irqsave(&mts->lock, flags);
53010 @@ -723,8 +722,8 @@ static int snd_mts64_rawmidi_close(struc
53014 - } else if (mts->open_count < 0)
53015 - mts->open_count = 0;
53016 + } else if (atomic_read(&mts->open_count) < 0)
53017 + atomic_set(&mts->open_count, 0);
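Review bot: In snd_mts64_rawmidi_close the counter is decremented with `atomic_dec_return()` in the @@ -713 hunk and then read again with `atomic_read()` in this `else if`, so the underflow test can act on a different value from the one the decrement produced. Keeping the result in a local removes the second read: `int cnt = atomic_dec_return(&mts->open_count);`, then `if (cnt == 0) {` and `} else if (cnt < 0)`. The reset with `atomic_set(&mts->open_count, 0)` remains a separate step either way, and snd_mts64_rawmidi_open has the same split between `atomic_read(...) == 0` (@@ -695) and `atomic_inc` (@@ -703). Whether open and close can actually run concurrently depends on locking in the rawmidi core that is not visible here, and both function bodies start and end outside these hunks.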
53021 diff -urNp linux-2.6.33/sound/drivers/portman2x4.c linux-2.6.33/sound/drivers/portman2x4.c
53022 --- linux-2.6.33/sound/drivers/portman2x4.c 2010-02-24 13:52:17.000000000 -0500
53023 +++ linux-2.6.33/sound/drivers/portman2x4.c 2010-03-07 12:23:36.181703000 -0500
53024 @@ -83,7 +83,7 @@ struct portman {
53025 struct pardevice *pardev;
53026 int pardev_claimed;
53029 + atomic_t open_count;
53030 int mode[PORTMAN_NUM_INPUT_PORTS];
53031 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
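Review bot: Only the declaration becomes `atomic_t open_count;` in this file section. No hunk converts a reader or writer of the field, unlike the mts64.c and onyx.c sections. Either portman2x4.c never touches `open_count`, in which case the field is dead and the type change is cosmetic, or an access was missed and plain integer arithmetic on it will no longer compile. A search of the file for `open_count` settles which; if the field is unused, removing it or marking it `/* currently unused */` would be clearer than retyping it. The struct continues outside the hunk.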
53033 diff -urNp linux-2.6.33/sound/oss/sb_audio.c linux-2.6.33/sound/oss/sb_audio.c
53034 --- linux-2.6.33/sound/oss/sb_audio.c 2010-02-24 13:52:17.000000000 -0500
53035 +++ linux-2.6.33/sound/oss/sb_audio.c 2010-03-07 12:23:36.181703000 -0500
53036 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
53037 buf16 = (signed short *)(localbuf + localoffs);
53040 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
53041 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
53042 if (copy_from_user(lbuf8,
53043 userbuf+useroffs + p,
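Review bot: The `(unsigned)c` cast keeps a negative `c` from slipping past the `LBUFCOPYSIZE` clamp and reaching `copy_from_user()` as the length, but it does so silently: a negative count is now treated as a request for a full chunk. Assuming `c` is a signed count derived from the caller's length (its declaration is outside the hunk), rejecting `c < 0` before the loop would make the intent explicit. The remaining-count arithmetic that follows the copy should also be checked for how it behaves once `locallen` exceeds `c`. At minimum, the line deserves a comment such as `/* unsigned compare: a negative c must not bypass the LBUFCOPYSIZE clamp */`. The statement and the enclosing function continue past the end of the hunk.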
53045 diff -urNp linux-2.6.33/sound/pci/ac97/ac97_codec.c linux-2.6.33/sound/pci/ac97/ac97_codec.c
53046 --- linux-2.6.33/sound/pci/ac97/ac97_codec.c 2010-02-24 13:52:17.000000000 -0500
53047 +++ linux-2.6.33/sound/pci/ac97/ac97_codec.c 2010-03-07 12:23:36.181703000 -0500
53048 @@ -1962,7 +1962,7 @@ static int snd_ac97_dev_disconnect(struc
53051 /* build_ops to do nothing */
53052 -static struct snd_ac97_build_ops null_build_ops;
53053 +static const struct snd_ac97_build_ops null_build_ops;
53055 #ifdef CONFIG_SND_AC97_POWER_SAVE
53056 static void do_update_power(struct work_struct *work)
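Review bot: Making `null_build_ops` and the `patch_*_ops` tables in ac97_patch.c `const` only works if every pointer they are stored in is declared `const struct snd_ac97_build_ops *`. That declaration is not in these hunks, so confirm the header side of the change is part of the same patch; otherwise each assignment discards the qualifier. `null_build_ops` is now a `const` object with no initializer and relies on file-scope zero-initialisation for its all-NULL callbacks. Extending the existing comment to `/* build_ops to do nothing: zero-initialised, every callback NULL */` would make that explicit. The benefit of the change, keeping function-pointer tables out of writable data, is also worth one line in the patch description.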
53057 diff -urNp linux-2.6.33/sound/pci/ac97/ac97_patch.c linux-2.6.33/sound/pci/ac97/ac97_patch.c
53058 --- linux-2.6.33/sound/pci/ac97/ac97_patch.c 2010-02-24 13:52:17.000000000 -0500
53059 +++ linux-2.6.33/sound/pci/ac97/ac97_patch.c 2010-03-07 12:23:36.181703000 -0500
53060 @@ -371,7 +371,7 @@ static int patch_yamaha_ymf743_build_spd
53064 -static struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
53065 +static const struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
53066 .build_spdif = patch_yamaha_ymf743_build_spdif,
53067 .build_3d = patch_yamaha_ymf7x3_3d,
53069 @@ -455,7 +455,7 @@ static int patch_yamaha_ymf753_post_spdi
53073 -static struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
53074 +static const struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
53075 .build_3d = patch_yamaha_ymf7x3_3d,
53076 .build_post_spdif = patch_yamaha_ymf753_post_spdif
53078 @@ -502,7 +502,7 @@ static int patch_wolfson_wm9703_specific
53082 -static struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
53083 +static const struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
53084 .build_specific = patch_wolfson_wm9703_specific,
53087 @@ -533,7 +533,7 @@ static int patch_wolfson_wm9704_specific
53091 -static struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
53092 +static const struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
53093 .build_specific = patch_wolfson_wm9704_specific,
53096 @@ -555,7 +555,7 @@ static int patch_wolfson_wm9705_specific
53100 -static struct snd_ac97_build_ops patch_wolfson_wm9705_ops = {
53101 +static const struct snd_ac97_build_ops patch_wolfson_wm9705_ops = {
53102 .build_specific = patch_wolfson_wm9705_specific,
53105 @@ -692,7 +692,7 @@ static int patch_wolfson_wm9711_specific
53109 -static struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
53110 +static const struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
53111 .build_specific = patch_wolfson_wm9711_specific,
53114 @@ -886,7 +886,7 @@ static void patch_wolfson_wm9713_resume
53118 -static struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
53119 +static const struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
53120 .build_specific = patch_wolfson_wm9713_specific,
53121 .build_3d = patch_wolfson_wm9713_3d,
53123 @@ -991,7 +991,7 @@ static int patch_sigmatel_stac97xx_speci
53127 -static struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
53128 +static const struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
53129 .build_3d = patch_sigmatel_stac9700_3d,
53130 .build_specific = patch_sigmatel_stac97xx_specific
53132 @@ -1038,7 +1038,7 @@ static int patch_sigmatel_stac9708_speci
53133 return patch_sigmatel_stac97xx_specific(ac97);
53136 -static struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
53137 +static const struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
53138 .build_3d = patch_sigmatel_stac9708_3d,
53139 .build_specific = patch_sigmatel_stac9708_specific
53141 @@ -1267,7 +1267,7 @@ static int patch_sigmatel_stac9758_speci
53145 -static struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
53146 +static const struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
53147 .build_3d = patch_sigmatel_stac9700_3d,
53148 .build_specific = patch_sigmatel_stac9758_specific
53150 @@ -1342,7 +1342,7 @@ static int patch_cirrus_build_spdif(stru
53154 -static struct snd_ac97_build_ops patch_cirrus_ops = {
53155 +static const struct snd_ac97_build_ops patch_cirrus_ops = {
53156 .build_spdif = patch_cirrus_build_spdif
53159 @@ -1399,7 +1399,7 @@ static int patch_conexant_build_spdif(st
53163 -static struct snd_ac97_build_ops patch_conexant_ops = {
53164 +static const struct snd_ac97_build_ops patch_conexant_ops = {
53165 .build_spdif = patch_conexant_build_spdif
53168 @@ -1501,7 +1501,7 @@ static const struct snd_ac97_res_table a
53169 { AC97_VIDEO, 0x9f1f },
53170 { AC97_AUX, 0x9f1f },
53171 { AC97_PCM, 0x9f1f },
53172 - { } /* terminator */
53173 + { 0, 0 } /* terminator */
53176 static int patch_ad1819(struct snd_ac97 * ac97)
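Review bot: The positional terminator `{ 0, 0 }` ties the table end marker to the current number and order of fields in the element type. The same style is introduced for the lm4550 table (@@ -3877), for the PCI id tables in ens1370.c, intel8x0.c and intel8x0m.c (`{ 0, 0, 0, 0, 0, 0, 0 }`), and for the `ac97_quirks` terminator in intel8x0.c (`{ 0, 0, 0, 0, NULL, 0 }`). If the goal is to avoid the empty-brace form without listing every field, a designated initializer on the field the table walker tests stays correct when the struct changes. For the quirk table, whose entries already use designated initializers such as `.type = AC97_TUNE_HP_ONLY`, that would read `{ .subvendor = 0 } /* terminator */`. The added PCI table lines should also keep a `/* terminator */` comment like the other tables do.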
53177 @@ -1575,7 +1575,7 @@ static void patch_ad1881_chained(struct
53181 -static struct snd_ac97_build_ops patch_ad1881_build_ops = {
53182 +static const struct snd_ac97_build_ops patch_ad1881_build_ops = {
53184 .resume = ad18xx_resume
53186 @@ -1662,7 +1662,7 @@ static int patch_ad1885_specific(struct
53190 -static struct snd_ac97_build_ops patch_ad1885_build_ops = {
53191 +static const struct snd_ac97_build_ops patch_ad1885_build_ops = {
53192 .build_specific = &patch_ad1885_specific,
53194 .resume = ad18xx_resume
53195 @@ -1689,7 +1689,7 @@ static int patch_ad1886_specific(struct
53199 -static struct snd_ac97_build_ops patch_ad1886_build_ops = {
53200 +static const struct snd_ac97_build_ops patch_ad1886_build_ops = {
53201 .build_specific = &patch_ad1886_specific,
53203 .resume = ad18xx_resume
53204 @@ -1894,7 +1894,7 @@ static int patch_ad1981a_specific(struct
53205 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
53208 -static struct snd_ac97_build_ops patch_ad1981a_build_ops = {
53209 +static const struct snd_ac97_build_ops patch_ad1981a_build_ops = {
53210 .build_post_spdif = patch_ad198x_post_spdif,
53211 .build_specific = patch_ad1981a_specific,
53213 @@ -1949,7 +1949,7 @@ static int patch_ad1981b_specific(struct
53214 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
53217 -static struct snd_ac97_build_ops patch_ad1981b_build_ops = {
53218 +static const struct snd_ac97_build_ops patch_ad1981b_build_ops = {
53219 .build_post_spdif = patch_ad198x_post_spdif,
53220 .build_specific = patch_ad1981b_specific,
53222 @@ -2088,7 +2088,7 @@ static int patch_ad1888_specific(struct
53223 return patch_build_controls(ac97, snd_ac97_ad1888_controls, ARRAY_SIZE(snd_ac97_ad1888_controls));
53226 -static struct snd_ac97_build_ops patch_ad1888_build_ops = {
53227 +static const struct snd_ac97_build_ops patch_ad1888_build_ops = {
53228 .build_post_spdif = patch_ad198x_post_spdif,
53229 .build_specific = patch_ad1888_specific,
53231 @@ -2137,7 +2137,7 @@ static int patch_ad1980_specific(struct
53232 return patch_build_controls(ac97, &snd_ac97_ad198x_2cmic, 1);
53235 -static struct snd_ac97_build_ops patch_ad1980_build_ops = {
53236 +static const struct snd_ac97_build_ops patch_ad1980_build_ops = {
53237 .build_post_spdif = patch_ad198x_post_spdif,
53238 .build_specific = patch_ad1980_specific,
53240 @@ -2252,7 +2252,7 @@ static int patch_ad1985_specific(struct
53241 ARRAY_SIZE(snd_ac97_ad1985_controls));
53244 -static struct snd_ac97_build_ops patch_ad1985_build_ops = {
53245 +static const struct snd_ac97_build_ops patch_ad1985_build_ops = {
53246 .build_post_spdif = patch_ad198x_post_spdif,
53247 .build_specific = patch_ad1985_specific,
53249 @@ -2544,7 +2544,7 @@ static int patch_ad1986_specific(struct
53250 ARRAY_SIZE(snd_ac97_ad1985_controls));
53253 -static struct snd_ac97_build_ops patch_ad1986_build_ops = {
53254 +static const struct snd_ac97_build_ops patch_ad1986_build_ops = {
53255 .build_post_spdif = patch_ad198x_post_spdif,
53256 .build_specific = patch_ad1986_specific,
53258 @@ -2649,7 +2649,7 @@ static int patch_alc650_specific(struct
53262 -static struct snd_ac97_build_ops patch_alc650_ops = {
53263 +static const struct snd_ac97_build_ops patch_alc650_ops = {
53264 .build_specific = patch_alc650_specific,
53265 .update_jacks = alc650_update_jacks
53267 @@ -2801,7 +2801,7 @@ static int patch_alc655_specific(struct
53271 -static struct snd_ac97_build_ops patch_alc655_ops = {
53272 +static const struct snd_ac97_build_ops patch_alc655_ops = {
53273 .build_specific = patch_alc655_specific,
53274 .update_jacks = alc655_update_jacks
53276 @@ -2913,7 +2913,7 @@ static int patch_alc850_specific(struct
53280 -static struct snd_ac97_build_ops patch_alc850_ops = {
53281 +static const struct snd_ac97_build_ops patch_alc850_ops = {
53282 .build_specific = patch_alc850_specific,
53283 .update_jacks = alc850_update_jacks
53285 @@ -2975,7 +2975,7 @@ static int patch_cm9738_specific(struct
53286 return patch_build_controls(ac97, snd_ac97_cm9738_controls, ARRAY_SIZE(snd_ac97_cm9738_controls));
53289 -static struct snd_ac97_build_ops patch_cm9738_ops = {
53290 +static const struct snd_ac97_build_ops patch_cm9738_ops = {
53291 .build_specific = patch_cm9738_specific,
53292 .update_jacks = cm9738_update_jacks
53294 @@ -3066,7 +3066,7 @@ static int patch_cm9739_post_spdif(struc
53295 return patch_build_controls(ac97, snd_ac97_cm9739_controls_spdif, ARRAY_SIZE(snd_ac97_cm9739_controls_spdif));
53298 -static struct snd_ac97_build_ops patch_cm9739_ops = {
53299 +static const struct snd_ac97_build_ops patch_cm9739_ops = {
53300 .build_specific = patch_cm9739_specific,
53301 .build_post_spdif = patch_cm9739_post_spdif,
53302 .update_jacks = cm9739_update_jacks
53303 @@ -3240,7 +3240,7 @@ static int patch_cm9761_specific(struct
53304 return patch_build_controls(ac97, snd_ac97_cm9761_controls, ARRAY_SIZE(snd_ac97_cm9761_controls));
53307 -static struct snd_ac97_build_ops patch_cm9761_ops = {
53308 +static const struct snd_ac97_build_ops patch_cm9761_ops = {
53309 .build_specific = patch_cm9761_specific,
53310 .build_post_spdif = patch_cm9761_post_spdif,
53311 .update_jacks = cm9761_update_jacks
53312 @@ -3336,7 +3336,7 @@ static int patch_cm9780_specific(struct
53313 return patch_build_controls(ac97, cm9780_controls, ARRAY_SIZE(cm9780_controls));
53316 -static struct snd_ac97_build_ops patch_cm9780_ops = {
53317 +static const struct snd_ac97_build_ops patch_cm9780_ops = {
53318 .build_specific = patch_cm9780_specific,
53319 .build_post_spdif = patch_cm9761_post_spdif /* identical with CM9761 */
53321 @@ -3456,7 +3456,7 @@ static int patch_vt1616_specific(struct
53325 -static struct snd_ac97_build_ops patch_vt1616_ops = {
53326 +static const struct snd_ac97_build_ops patch_vt1616_ops = {
53327 .build_specific = patch_vt1616_specific
53330 @@ -3810,7 +3810,7 @@ static int patch_it2646_specific(struct
53334 -static struct snd_ac97_build_ops patch_it2646_ops = {
53335 +static const struct snd_ac97_build_ops patch_it2646_ops = {
53336 .build_specific = patch_it2646_specific,
53337 .update_jacks = it2646_update_jacks
53339 @@ -3844,7 +3844,7 @@ static int patch_si3036_specific(struct
53343 -static struct snd_ac97_build_ops patch_si3036_ops = {
53344 +static const struct snd_ac97_build_ops patch_si3036_ops = {
53345 .build_specific = patch_si3036_specific,
53348 @@ -3877,7 +3877,7 @@ static struct snd_ac97_res_table lm4550_
53349 { AC97_AUX, 0x1f1f },
53350 { AC97_PCM, 0x1f1f },
53351 { AC97_REC_GAIN, 0x0f0f },
53352 - { } /* terminator */
53353 + { 0, 0 } /* terminator */
53356 static int patch_lm4550(struct snd_ac97 *ac97)
53357 @@ -3911,7 +3911,7 @@ static int patch_ucb1400_specific(struct
53361 -static struct snd_ac97_build_ops patch_ucb1400_ops = {
53362 +static const struct snd_ac97_build_ops patch_ucb1400_ops = {
53363 .build_specific = patch_ucb1400_specific,
53366 diff -urNp linux-2.6.33/sound/pci/ens1370.c linux-2.6.33/sound/pci/ens1370.c
53367 --- linux-2.6.33/sound/pci/ens1370.c 2010-02-24 13:52:17.000000000 -0500
53368 +++ linux-2.6.33/sound/pci/ens1370.c 2010-03-07 12:23:36.181703000 -0500
53369 @@ -452,7 +452,7 @@ static struct pci_device_id snd_audiopci
53370 { PCI_VDEVICE(ENSONIQ, 0x5880), 0, }, /* ES1373 - CT5880 */
53371 { PCI_VDEVICE(ECTIVA, 0x8938), 0, }, /* Ectiva EV1938 */
53374 + { 0, 0, 0, 0, 0, 0, 0 }
53377 MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
53378 diff -urNp linux-2.6.33/sound/pci/intel8x0.c linux-2.6.33/sound/pci/intel8x0.c
53379 --- linux-2.6.33/sound/pci/intel8x0.c 2010-02-24 13:52:17.000000000 -0500
53380 +++ linux-2.6.33/sound/pci/intel8x0.c 2010-03-07 12:23:36.181703000 -0500
53381 @@ -444,7 +444,7 @@ static struct pci_device_id snd_intel8x0
53382 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
53383 { PCI_VDEVICE(AMD, 0x7445), DEVICE_INTEL }, /* AMD768 */
53384 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
53386 + { 0, 0, 0, 0, 0, 0, 0 }
53389 MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
53390 @@ -2129,7 +2129,7 @@ static struct ac97_quirk ac97_quirks[] _
53391 .type = AC97_TUNE_HP_ONLY
53394 - { } /* terminator */
53395 + { 0, 0, 0, 0, NULL, 0 } /* terminator */
53398 static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
53399 diff -urNp linux-2.6.33/sound/pci/intel8x0m.c linux-2.6.33/sound/pci/intel8x0m.c
53400 --- linux-2.6.33/sound/pci/intel8x0m.c 2010-02-24 13:52:17.000000000 -0500
53401 +++ linux-2.6.33/sound/pci/intel8x0m.c 2010-03-07 12:23:36.181703000 -0500
53402 @@ -239,7 +239,7 @@ static struct pci_device_id snd_intel8x0
53403 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
53404 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
53407 + { 0, 0, 0, 0, 0, 0, 0 }
53410 MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
53411 @@ -1264,7 +1264,7 @@ static struct shortname_table {
53412 { 0x5455, "ALi M5455" },
53413 { 0x746d, "AMD AMD8111" },
53419 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
53420 diff -urNp linux-2.6.33/usr/gen_init_cpio.c linux-2.6.33/usr/gen_init_cpio.c
53421 --- linux-2.6.33/usr/gen_init_cpio.c 2010-02-24 13:52:17.000000000 -0500
53422 +++ linux-2.6.33/usr/gen_init_cpio.c 2010-03-07 12:23:36.181703000 -0500
53423 @@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
53432 @@ -386,9 +386,10 @@ static char *cpio_replace_env(char *new_
53433 *env_var = *expanded = '\0';
53434 strncat(env_var, start + 2, end - start - 2);
53435 strncat(expanded, new_location, start - new_location);
53436 - strncat(expanded, getenv(env_var), PATH_MAX);
53437 - strncat(expanded, end + 1, PATH_MAX);
53438 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
53439 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
53440 strncpy(new_location, expanded, PATH_MAX);
53441 + new_location[PATH_MAX] = 0;
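Review bot: The new `strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));` line still passes the result of `getenv()` straight to strncat(), so a `${VAR}` naming an unset variable gives it a NULL source, which is undefined behaviour. Fetch the value first and skip the append when it is missing: `const char *val = getenv(env_var);` followed by `if (val) strncat(expanded, val, PATH_MAX - strlen(expanded));`. The two strncat() calls above it are still bounded by the source span (`end - start - 2`, `start - new_location`) rather than by the room left in `env_var` and `expanded`, and the added `new_location[PATH_MAX] = 0;` is in bounds only if the caller's buffer holds PATH_MAX + 1 bytes; all three declarations are outside the hunk, so the sizes should be confirmed there.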
53445 diff -urNp linux-2.6.33/virt/kvm/kvm_main.c linux-2.6.33/virt/kvm/kvm_main.c
53446 --- linux-2.6.33/virt/kvm/kvm_main.c 2010-02-24 13:52:17.000000000 -0500
53447 +++ linux-2.6.33/virt/kvm/kvm_main.c 2010-03-07 12:23:36.181703000 -0500
53448 @@ -1168,6 +1168,7 @@ static int kvm_vcpu_release(struct inode
53452 +/* cannot be const */
53453 static struct file_operations kvm_vcpu_fops = {
53454 .release = kvm_vcpu_release,
53455 .unlocked_ioctl = kvm_vcpu_ioctl,
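Review bot: The added `/* cannot be const */` above `kvm_vcpu_fops` states the exception but not the reason, so a later constification pass has nothing to check it against. Name the writer in the comment, for example `/* cannot be const: kvm_init() sets .owner */`, if that is indeed the only assignment; none of the visible lines writes to these tables, so the reason has to come from code outside the hunks. The same applies to the identical comments on `kvm_vm_fops` and `kvm_chardev_ops` in the two hunks that follow. Since these are the function-pointer tables the patch leaves writable, the comment is the only record of why they are exempt.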
53456 @@ -1624,6 +1625,7 @@ static int kvm_vm_mmap(struct file *file
53460 +/* cannot be const */
53461 static struct file_operations kvm_vm_fops = {
53462 .release = kvm_vm_release,
53463 .unlocked_ioctl = kvm_vm_ioctl,
53464 @@ -1714,6 +1716,7 @@ out:
53468 +/* cannot be const */
53469 static struct file_operations kvm_chardev_ops = {
53470 .unlocked_ioctl = kvm_dev_ioctl,
53471 .compat_ioctl = kvm_dev_ioctl,
53472 @@ -1723,6 +1726,9 @@ static struct miscdevice kvm_dev = {
53481 static void hardware_enable(void *junk)
53482 @@ -2050,7 +2056,7 @@ static void kvm_sched_out(struct preempt
53483 kvm_arch_vcpu_put(vcpu);
53486 -int kvm_init(void *opaque, unsigned int vcpu_size,
53487 +int kvm_init(const void *opaque, unsigned int vcpu_size,
53488 struct module *module)
53491 diff -u linux-2.6.33/arch/x86/include/asm/paravirt.h linux-2.6.33/arch/x86/include/asm/paravirt.h
53492 --- linux-2.6.33/arch/x86/include/asm/paravirt.h 2010-03-07 12:23:55.597717555 -0500
53493 +++ linux-2.6.33/arch/x86/include/asm/paravirt.h 2010-03-11 20:27:00.890138882 -0500
53494 @@ -1076,28 +1076,30 @@
53497 #define PAX_EXIT_KERNEL \
53498 - push %rax; push %rcx; \
53499 + PV_SAVE_REGS(CLBR_NONE); \
53501 cmp $__KERNEXEC_KERNEL_CS, %eax; \
53503 call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
53505 + mov %rax, %rdi; \
53506 ljmpq __KERNEL_CS, 1f; \
53507 1: call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);\
53508 -2: pop %rcx; pop %rax; \
53509 +2: PV_RESTORE_REGS(CLBR_NONE);
53511 #define PAX_ENTER_KERNEL \
53512 - push %rax; push %rcx; \
53513 + PV_SAVE_REGS(CLBR_NONE); \
53514 call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
53518 - cmp $__KERNEL_CS, %ecx; \
53520 + cmp $__KERNEL_CS, %eax; \
53522 ljmpq __KERNEL_CS, 3f; \
53523 -1: ljmpq __KERNEXEC_KERNEL_CS, 2f; \
53524 +1: mov %rax, %rdi; \
53525 + ljmpq __KERNEXEC_KERNEL_CS, 2f; \
53526 2: call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);\
53527 -3: pop %rcx; pop %rax;
53528 +3: PV_RESTORE_REGS(CLBR_NONE);
53530 #define PAX_EXIT_KERNEL
53531 #define PAX_ENTER_KERNEL
53532 diff -u linux-2.6.33/arch/x86/include/asm/uaccess.h linux-2.6.33/arch/x86/include/asm/uaccess.h
53533 --- linux-2.6.33/arch/x86/include/asm/uaccess.h 2010-03-07 12:23:35.925702533 -0500
53534 +++ linux-2.6.33/arch/x86/include/asm/uaccess.h 2010-03-11 20:27:00.910802934 -0500
53535 @@ -94,16 +94,20 @@
53536 unsigned long __end_ao = __addr + __size - 1; \
53537 bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
53538 if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
53539 - for (; __addr_ao <= __end_ao; __addr_ao += PAGE_SIZE) { \
53540 + while(__addr_ao <= __end_ao) { \
53542 + __addr_ao += PAGE_SIZE; \
53543 if (__size > PAGE_SIZE) \
53545 - if (__get_user(__c_ao, (char __user *)__addr_ao))\
53546 + if (__get_user(__c_ao, (char __user *)__addr)) \
53548 - if (type != VERIFY_WRITE) \
53549 + if (type != VERIFY_WRITE) { \
53550 + __addr = __addr_ao; \
53552 - if (__put_user(__c_ao, (char __user *)__addr_ao))\
53554 + if (__put_user(__c_ao, (char __user *)__addr)) \
53556 + __addr = __addr_ao; \
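Review bot: The rewritten loop needs a comment, because `__addr_ao` is now advanced before the probe, the probe itself uses `__addr`, and `__addr` is then overwritten with `__addr_ao` on both the read-only and the write path, an ordering that is easy to break in a later edit. Something like `/* probe the caller's address first, then the start of each following page */` above the `while` would state the intent, assuming `__addr_ao` starts out page-aligned (its initialisation is outside the hunk). `while(__addr_ao <= __end_ao)` also lacks the space after the keyword that the surrounding `if (` lines use. Several lines of the macro are not shown on this page, so the ordering should be checked against the full hunk.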
53560 diff -u linux-2.6.33/arch/x86/kernel/e820.c linux-2.6.33/arch/x86/kernel/e820.c
53561 --- linux-2.6.33/arch/x86/kernel/e820.c 2010-03-07 12:23:35.933601961 -0500
53562 +++ linux-2.6.33/arch/x86/kernel/e820.c 2010-03-11 20:27:00.913600776 -0500
53563 @@ -743,18 +743,6 @@
53565 { PAGE_SIZE, PAGE_SIZE + PAGE_SIZE, "EX TRAMPOLINE", 1 },
53567 -#ifdef CONFIG_VM86
53568 -#ifdef CONFIG_ACPI_SLEEP
53569 -#define ACPI_EXTRA WAKEUP_SIZE
53571 -#define ACPI_EXTRA 0
53573 -#if defined(CONFIG_X86_32) && defined(CONFIG_X86_TRAMPOLINE)
53574 - { 3*PAGE_SIZE + ACPI_EXTRA, ISA_START_ADDRESS, "V86 mode memory", 1 },
53576 - { 2*PAGE_SIZE + ACPI_EXTRA, ISA_START_ADDRESS, "V86 mode memory", 1 },
53582 diff -u linux-2.6.33/arch/x86/kernel/head_32.S linux-2.6.33/arch/x86/kernel/head_32.S
53583 --- linux-2.6.33/arch/x86/kernel/head_32.S 2010-03-07 12:23:35.937701195 -0500
53584 +++ linux-2.6.33/arch/x86/kernel/head_32.S 2010-03-11 20:27:00.913600776 -0500
53585 @@ -850,7 +850,7 @@
53587 .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
53588 .quad 0x0040930000000000 /* 0xd8 - PERCPU */
53589 - .quad 0x0040930000000018 /* 0xe0 - STACK_CANARY */
53590 + .quad 0x0040910000000018 /* 0xe0 - STACK_CANARY */
53591 .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
53592 .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
53593 .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
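Review bot: The STACK_CANARY descriptor's access byte changes from 0x93 to 0x91, which clears the writable bit of the data-segment type, but the trailing comment still reads only `0xe0 - STACK_CANARY`. Record the intent next to the magic number, e.g. `/* 0xe0 - STACK_CANARY (read-only data) */`, so a later edit does not restore 0x93 by copying a neighbouring entry. If the same GDT slot is also built from C at run time, that initializer needs the same access byte; no such code is visible in this hunk.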
53594 diff -u linux-2.6.33/arch/x86/kernel/head_64.S linux-2.6.33/arch/x86/kernel/head_64.S
53595 --- linux-2.6.33/arch/x86/kernel/head_64.S 2010-03-07 16:45:32.258187459 -0500
53596 +++ linux-2.6.33/arch/x86/kernel/head_64.S 2010-03-11 20:28:25.245605911 -0500
53598 #include <asm/cache.h>
53599 #include <asm/processor-flags.h>
53600 #include <asm/percpu.h>
53601 +#include <asm/cpufeature.h>
53603 #ifdef CONFIG_PARAVIRT
53604 #include <asm/asm-offsets.h>
53605 @@ -175,14 +176,14 @@
53606 movl $MSR_EFER, %ecx
53608 btsl $_EFER_SCE, %eax /* Enable System Call */
53609 - btl $20,%edi /* No Execute supported? */
53610 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
53612 btsl $_EFER_NX, %eax
53613 leaq init_level4_pgt(%rip), %rdi
53614 btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
53615 btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
53616 btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
53617 - btsq $_PAGE_BIT_NX, (__supported_pte_mask)
53618 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
53619 1: wrmsr /* Make changes effective */
53622 diff -u linux-2.6.33/arch/x86/kernel/setup_percpu.c linux-2.6.33/arch/x86/kernel/setup_percpu.c
53623 --- linux-2.6.33/arch/x86/kernel/setup_percpu.c 2010-03-07 12:23:35.941628368 -0500
53624 +++ linux-2.6.33/arch/x86/kernel/setup_percpu.c 2010-03-11 20:27:00.921810331 -0500
53625 @@ -158,15 +158,13 @@
53626 static inline void setup_percpu_segment(int cpu)
53628 #ifdef CONFIG_X86_32
53629 - struct desc_struct d, *gdt = get_cpu_gdt_table(cpu);
53630 + struct desc_struct gdt;
53631 unsigned long base = per_cpu_offset(cpu);
53632 - const unsigned long limit = VMALLOC_END - base - 1;
53634 - if (limit < 64*1024)
53635 - pack_descriptor(&d, base, limit, 0x80 | DESCTYPE_S | 0x3, 0x4);
53637 - pack_descriptor(&d, base, limit >> PAGE_SHIFT, 0x80 | DESCTYPE_S | 0x3, 0xC);
53638 - write_gdt_entry(gdt, GDT_ENTRY_PERCPU, &d, DESCTYPE_S);
53639 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
53640 + 0x83 | DESCTYPE_S, 0xC);
53641 + write_gdt_entry(get_cpu_gdt_table(cpu),
53642 + GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
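Review bot: In the rewritten `setup_percpu_segment()` the local `struct desc_struct gdt` holds a single descriptor, not the table, and it sits next to `get_cpu_gdt_table(cpu)`, which makes the `write_gdt_entry()` call harder to read; keeping the old name `d` avoids that. The flags are also folded into a bare `0x83 | DESCTYPE_S` and `0xC`, so a short comment would help, e.g. `/* present, DPL 0, read/write data; 4 KiB granularity, 32-bit */`. With the byte-granular branch removed the limit is always expressed in pages, so if the code relies on `VMALLOC_END - base` being page-aligned, that assumption deserves one line as well. The function's closing lines are outside the hunk.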
53646 diff -u linux-2.6.33/arch/x86/lib/putuser.S linux-2.6.33/arch/x86/lib/putuser.S
53647 --- linux-2.6.33/arch/x86/lib/putuser.S 2010-03-07 12:23:35.949701331 -0500
53648 +++ linux-2.6.33/arch/x86/lib/putuser.S 2010-03-11 20:27:03.470423501 -0500
53649 @@ -30,25 +30,26 @@
53650 * as they get called from within inline assembly.
53653 -#define ENTER CFI_STARTPROC ; \
53654 - GET_THREAD_INFO(%_ASM_BX)
53655 +#define ENTER CFI_STARTPROC
53656 #define EXIT ret ; \
53660 ENTRY(__put_user_1)
53662 - cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
53665 -#ifdef CONFIG_X86_32
53666 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
53670 + GET_THREAD_INFO(%_ASM_BX)
53671 + cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
53675 1: movb %al,(%_ASM_CX)
53677 -#ifdef CONFIG_X86_32
53678 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
53682 @@ -59,19 +60,21 @@
53684 ENTRY(__put_user_2)
53687 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
53688 + pushl $(__USER_DS)
53691 + GET_THREAD_INFO(%_ASM_BX)
53692 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
53694 cmp %_ASM_BX,%_ASM_CX
53697 -#ifdef CONFIG_X86_32
53698 - pushl $(__USER_DS)
53702 2: movw %ax,(%_ASM_CX)
53704 -#ifdef CONFIG_X86_32
53705 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
53709 @@ -82,19 +85,21 @@
53711 ENTRY(__put_user_4)
53714 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
53715 + pushl $(__USER_DS)
53718 + GET_THREAD_INFO(%_ASM_BX)
53719 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
53721 cmp %_ASM_BX,%_ASM_CX
53724 -#ifdef CONFIG_X86_32
53725 - pushl $(__USER_DS)
53729 3: movl %eax,(%_ASM_CX)
53731 -#ifdef CONFIG_X86_32
53732 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
53736 @@ -105,14 +110,16 @@
53738 ENTRY(__put_user_8)
53741 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
53742 + pushl $(__USER_DS)
53745 + GET_THREAD_INFO(%_ASM_BX)
53746 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
53748 cmp %_ASM_BX,%_ASM_CX
53751 -#ifdef CONFIG_X86_32
53752 - pushl $(__USER_DS)
53756 4: mov %_ASM_AX,(%_ASM_CX)
53757 @@ -120,7 +127,7 @@
53758 5: movl %edx,4(%_ASM_CX)
53761 -#ifdef CONFIG_X86_32
53762 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
53766 @@ -132,7 +139,7 @@
53770 -#ifdef CONFIG_X86_32
53771 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
53775 diff -u linux-2.6.33/arch/x86/mm/init_32.c linux-2.6.33/arch/x86/mm/init_32.c
53776 --- linux-2.6.33/arch/x86/mm/init_32.c 2010-03-07 12:23:35.953604355 -0500
53777 +++ linux-2.6.33/arch/x86/mm/init_32.c 2010-03-11 20:27:03.478424672 -0500
53778 @@ -776,7 +776,7 @@
53779 * Initialize the boot-time allocator (with low memory only):
53781 bootmap_size = bootmem_bootmap_pages(max_low_pfn)<<PAGE_SHIFT;
53782 - bootmap = find_e820_area(0, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
53783 + bootmap = find_e820_area(0x100000, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
53785 if (bootmap == -1L)
53786 panic("Cannot find bootmem map of size %ld\n", bootmap_size);
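Review bot: The new lower bound passed to `find_e820_area()` is a bare `0x100000`, and the `start = 0x100000;` line in the arch/x86/mm/init.c hunk that follows repeats it, with no comment at either site saying why the first megabyte is now excluded. Use the existing `ISA_END_ADDRESS` constant if it is in scope in these files (or one shared define) and add a comment such as `/* keep boot-time allocations out of the low 1 MiB */` in both places. The enclosing function starts and ends outside the hunk.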
53787 diff -u linux-2.6.33/arch/x86/mm/init.c linux-2.6.33/arch/x86/mm/init.c
53788 --- linux-2.6.33/arch/x86/mm/init.c 2010-03-07 12:23:35.953604355 -0500
53789 +++ linux-2.6.33/arch/x86/mm/init.c 2010-03-11 20:27:03.478424672 -0500
53791 * cause a hotspot and fill up ZONE_DMA. The page tables
53792 * need roughly 0.5KB per GB.
53794 -#ifdef CONFIG_X86_32
53799 + start = 0x100000;
53800 e820_table_start = find_e820_area(start, max_pfn_mapped<<PAGE_SHIFT,
53801 tables, PAGE_SIZE);
53802 if (e820_table_start == -1UL)
53803 diff -u linux-2.6.33/Documentation/dontdiff linux-2.6.33/Documentation/dontdiff
53804 --- linux-2.6.33/Documentation/dontdiff 2010-03-07 12:23:35.961598666 -0500
53805 +++ linux-2.6.33/Documentation/dontdiff 2010-03-11 20:27:00.849752306 -0500
53806 @@ -119,6 +119,7 @@
53811 initramfs_data.cpio
53812 initramfs_data.cpio.bz2
53813 initramfs_data.cpio.gz