1 diff -urNp linux-2.6.38.4/arch/alpha/include/asm/dma-mapping.h linux-2.6.38.4/arch/alpha/include/asm/dma-mapping.h
2 --- linux-2.6.38.4/arch/alpha/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
3 +++ linux-2.6.38.4/arch/alpha/include/asm/dma-mapping.h 2011-04-17 15:57:32.000000000 -0400
6 #include <linux/dma-attrs.h>
8 -extern struct dma_map_ops *dma_ops;
9 +extern const struct dma_map_ops *dma_ops;
11 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
12 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
16 diff -urNp linux-2.6.38.4/arch/alpha/include/asm/elf.h linux-2.6.38.4/arch/alpha/include/asm/elf.h
17 --- linux-2.6.38.4/arch/alpha/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
18 +++ linux-2.6.38.4/arch/alpha/include/asm/elf.h 2011-04-17 15:57:32.000000000 -0400
19 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
21 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
23 +#ifdef CONFIG_PAX_ASLR
24 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
26 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
30 /* $0 is set by ld.so to a pointer to a function which might be
31 registered using atexit. This provides a mean for the dynamic
32 linker to call DT_FINI functions for shared libraries that have
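Review bot: PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN are bare numbers with no comment saying what unit they are in, and the same applies to the arm, avr32 and ia64 elf.h hunks of this patch. They are presumably the number of random bits applied to the mmap and stack bases under PAX_ASLR; a one-line comment above the first definition, e.g. `/* number of random bits in the mmap / stack base (PAX_ASLR) */`, would make the per-arch values (14 vs 28 here, 3*PAGE_SHIFT - 13 on ia64) reviewable. The closing `#endif` of the CONFIG_PAX_ASLR block is not in the chunk, so the block's extent cannot be confirmed here.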
33 diff -urNp linux-2.6.38.4/arch/alpha/include/asm/pgtable.h linux-2.6.38.4/arch/alpha/include/asm/pgtable.h
34 --- linux-2.6.38.4/arch/alpha/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
35 +++ linux-2.6.38.4/arch/alpha/include/asm/pgtable.h 2011-04-17 15:57:32.000000000 -0400
36 @@ -101,6 +101,17 @@ struct vm_area_struct;
37 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
38 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
39 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
41 +#ifdef CONFIG_PAX_PAGEEXEC
42 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
43 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
44 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
46 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
47 +# define PAGE_COPY_NOEXEC PAGE_COPY
48 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
51 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
53 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
54 diff -urNp linux-2.6.38.4/arch/alpha/kernel/module.c linux-2.6.38.4/arch/alpha/kernel/module.c
55 --- linux-2.6.38.4/arch/alpha/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
56 +++ linux-2.6.38.4/arch/alpha/kernel/module.c 2011-04-17 15:57:32.000000000 -0400
57 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
59 /* The small sections were sorted to the end of the segment.
60 The following should definitely cover them. */
61 - gp = (u64)me->module_core + me->core_size - 0x8000;
62 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
63 got = sechdrs[me->arch.gotsecindex].sh_addr;
65 for (i = 0; i < n; i++) {
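Review bot: The comment on the two context lines above the changed `gp` assignment still says the small sections were sorted to the end of "the segment", but the new line anchors gp to `module_core_rw`/`core_size_rw`, so there are now two core segments and the comment no longer says which one is meant. Suggest `/* The small sections were sorted to the end of the RW segment. The following should definitely cover them. */`. apply_relocate_add begins and ends outside the hunk.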
66 diff -urNp linux-2.6.38.4/arch/alpha/kernel/osf_sys.c linux-2.6.38.4/arch/alpha/kernel/osf_sys.c
67 --- linux-2.6.38.4/arch/alpha/kernel/osf_sys.c 2011-03-14 21:20:32.000000000 -0400
68 +++ linux-2.6.38.4/arch/alpha/kernel/osf_sys.c 2011-04-17 15:57:32.000000000 -0400
69 @@ -1162,7 +1162,7 @@ arch_get_unmapped_area_1(unsigned long a
70 /* At this point: (!vma || addr < vma->vm_end). */
71 if (limit - len < addr)
73 - if (!vma || addr + len <= vma->vm_start)
74 + if (check_heap_stack_gap(vma, addr, len))
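Review bot: `check_heap_stack_gap(vma, addr, len)` replaces `!vma || addr + len <= vma->vm_start`, so it must also accept a NULL vma, but neither its definition nor a declaration is in this chunk; the same substitution is made in the arch/arm/mm/mmap.c and arch/frv/mm/elf-fdpic.c hunks. A short comment at this first call, e.g. `/* check_heap_stack_gap(): true when [addr, addr+len) fits below vma (or vma is NULL), leaving the configured gap */`, would let a reader verify the replacement without chasing the helper — the gap wording is inferred from the name and should be checked against the definition. The line following `if (limit - len < addr)` is not in the chunk, and arch_get_unmapped_area_1 starts outside the hunk.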
78 @@ -1198,6 +1198,10 @@ arch_get_unmapped_area(struct file *filp
79 merely specific addresses, but regions of memory -- perhaps
80 this feature should be incorporated into all ports? */
82 +#ifdef CONFIG_PAX_RANDMMAP
83 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
87 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
88 if (addr != (unsigned long) -ENOMEM)
89 @@ -1205,8 +1209,8 @@ arch_get_unmapped_area(struct file *filp
92 /* Next, try allocating at TASK_UNMAPPED_BASE. */
93 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
95 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
97 if (addr != (unsigned long) -ENOMEM)
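Review bot: The context comment `/* Next, try allocating at TASK_UNMAPPED_BASE. */` two lines above is now stale, since the call below it passes `PAGE_ALIGN(current->mm->mmap_base)` instead; change it to `/* Next, try allocating at mm->mmap_base. */`. In the preceding hunk of this file the statement guarded by `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` and its `#endif` are not in the chunk, so that guard's effect cannot be reviewed here. arch_get_unmapped_area continues outside the hunk.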
100 diff -urNp linux-2.6.38.4/arch/alpha/kernel/pci_iommu.c linux-2.6.38.4/arch/alpha/kernel/pci_iommu.c
101 --- linux-2.6.38.4/arch/alpha/kernel/pci_iommu.c 2011-03-14 21:20:32.000000000 -0400
102 +++ linux-2.6.38.4/arch/alpha/kernel/pci_iommu.c 2011-04-17 15:57:32.000000000 -0400
103 @@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev
107 -struct dma_map_ops alpha_pci_ops = {
108 +const struct dma_map_ops alpha_pci_ops = {
109 .alloc_coherent = alpha_pci_alloc_coherent,
110 .free_coherent = alpha_pci_free_coherent,
111 .map_page = alpha_pci_map_page,
112 @@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = {
113 .set_dma_mask = alpha_pci_set_mask,
116 -struct dma_map_ops *dma_ops = &alpha_pci_ops;
117 +const struct dma_map_ops *dma_ops = &alpha_pci_ops;
118 EXPORT_SYMBOL(dma_ops);
119 diff -urNp linux-2.6.38.4/arch/alpha/kernel/pci-noop.c linux-2.6.38.4/arch/alpha/kernel/pci-noop.c
120 --- linux-2.6.38.4/arch/alpha/kernel/pci-noop.c 2011-03-14 21:20:32.000000000 -0400
121 +++ linux-2.6.38.4/arch/alpha/kernel/pci-noop.c 2011-04-17 15:57:32.000000000 -0400
122 @@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de
126 -struct dma_map_ops alpha_noop_ops = {
127 +const struct dma_map_ops alpha_noop_ops = {
128 .alloc_coherent = alpha_noop_alloc_coherent,
129 .free_coherent = alpha_noop_free_coherent,
130 .map_page = alpha_noop_map_page,
131 @@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = {
132 .set_dma_mask = alpha_noop_set_mask,
135 -struct dma_map_ops *dma_ops = &alpha_noop_ops;
136 +const struct dma_map_ops *dma_ops = &alpha_noop_ops;
137 EXPORT_SYMBOL(dma_ops);
139 void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen)
140 diff -urNp linux-2.6.38.4/arch/alpha/mm/fault.c linux-2.6.38.4/arch/alpha/mm/fault.c
141 --- linux-2.6.38.4/arch/alpha/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
142 +++ linux-2.6.38.4/arch/alpha/mm/fault.c 2011-04-17 15:57:32.000000000 -0400
143 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
144 __reload_thread(pcb);
147 +#ifdef CONFIG_PAX_PAGEEXEC
149 + * PaX: decide what to do with offenders (regs->pc = fault address)
151 + * returns 1 when task should be killed
152 + * 2 when patched PLT trampoline was detected
153 + * 3 when unpatched PLT trampoline was detected
155 +static int pax_handle_fetch_fault(struct pt_regs *regs)
158 +#ifdef CONFIG_PAX_EMUPLT
161 + do { /* PaX: patched PLT emulation #1 */
162 + unsigned int ldah, ldq, jmp;
164 + err = get_user(ldah, (unsigned int *)regs->pc);
165 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
166 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
171 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
172 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
173 + jmp == 0x6BFB0000U)
175 + unsigned long r27, addr;
176 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
177 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
179 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
180 + err = get_user(r27, (unsigned long *)addr);
190 + do { /* PaX: patched PLT emulation #2 */
191 + unsigned int ldah, lda, br;
193 + err = get_user(ldah, (unsigned int *)regs->pc);
194 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
195 + err |= get_user(br, (unsigned int *)(regs->pc+8));
200 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
201 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
202 + (br & 0xFFE00000U) == 0xC3E00000U)
204 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
205 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
206 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
208 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
209 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
214 + do { /* PaX: unpatched PLT emulation */
217 + err = get_user(br, (unsigned int *)regs->pc);
219 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
220 + unsigned int br2, ldq, nop, jmp;
221 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
223 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
224 + err = get_user(br2, (unsigned int *)addr);
225 + err |= get_user(ldq, (unsigned int *)(addr+4));
226 + err |= get_user(nop, (unsigned int *)(addr+8));
227 + err |= get_user(jmp, (unsigned int *)(addr+12));
228 + err |= get_user(resolver, (unsigned long *)(addr+16));
233 + if (br2 == 0xC3600000U &&
234 + ldq == 0xA77B000CU &&
235 + nop == 0x47FF041FU &&
236 + jmp == 0x6B7B0000U)
238 + regs->r28 = regs->pc+4;
239 + regs->r27 = addr+16;
240 + regs->pc = resolver;
250 +void pax_report_insns(void *pc, void *sp)
254 + printk(KERN_ERR "PAX: bytes at PC: ");
255 + for (i = 0; i < 5; i++) {
257 + if (get_user(c, (unsigned int *)pc+i))
258 + printk(KERN_CONT "???????? ");
260 + printk(KERN_CONT "%08x ", c);
267 * This routine handles page faults. It determines the address,
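Review bot: The instruction patterns in pax_handle_fetch_fault (0x277B0000U, 0xA77B0000U, 0x6BFB0000U and the others) are compared without any comment saying which Alpha instructions they encode, so the three emulation blocks cannot be checked by eye. For the first block the words appear to be `ldah $27,hi($27)`, `ldq $27,lo($27)` and `jmp $31,($27)`; a comment of that form on each `do { }` block, plus one line on the sign-extension idiom `(x ^ 0x8000UL) + 0x8000UL`, would make the matcher reviewable. In the second block the variable named `lda` is matched against the same 0xA77B0000U pattern as the `ldq` of the first block, which reads as a misleading name. pax_report_insns reads user memory through `(unsigned int *)pc+i` without the `__user` annotation that the arm variant in this patch uses, so sparse will flag it.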
268 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
270 si_code = SEGV_ACCERR;
272 - if (!(vma->vm_flags & VM_EXEC))
273 + if (!(vma->vm_flags & VM_EXEC)) {
275 +#ifdef CONFIG_PAX_PAGEEXEC
276 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
279 + up_read(&mm->mmap_sem);
280 + switch (pax_handle_fetch_fault(regs)) {
282 +#ifdef CONFIG_PAX_EMUPLT
289 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
290 + do_group_exit(SIGKILL);
297 /* Allow reads even for write-only mappings */
298 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
299 diff -urNp linux-2.6.38.4/arch/arm/include/asm/elf.h linux-2.6.38.4/arch/arm/include/asm/elf.h
300 --- linux-2.6.38.4/arch/arm/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
301 +++ linux-2.6.38.4/arch/arm/include/asm/elf.h 2011-04-17 15:57:32.000000000 -0400
302 @@ -115,7 +115,14 @@ int dump_task_regs(struct task_struct *t
303 the loader. We need to make sure that it is out of the way of the program
304 that it will "exec", and that there is sufficient room for the brk. */
306 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
307 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
309 +#ifdef CONFIG_PAX_ASLR
310 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
312 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
313 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
316 /* When the program starts, a1 contains a pointer to a function to be
317 registered with atexit, as per the SVR4 ABI. A value of 0 means we
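Review bot: `ELF_ET_DYN_BASE` is rewritten from `(2 * TASK_SIZE / 3)` to `(TASK_SIZE / 3 * 2)` without a comment, and the same rewrite appears in the avr32 elf.h hunk. On a 32-bit target `2 * TASK_SIZE` can wrap unsigned long before the division, so the reordering changes the computed value rather than just its spelling; a comment such as `/* TASK_SIZE / 3 * 2, not 2 * TASK_SIZE / 3: the latter can overflow unsigned long */` records why the order matters and keeps the next cleanup from reverting it.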
318 @@ -125,10 +132,6 @@ int dump_task_regs(struct task_struct *t
319 extern void elf_set_personality(const struct elf32_hdr *);
320 #define SET_PERSONALITY(ex) elf_set_personality(&(ex))
323 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
324 -#define arch_randomize_brk arch_randomize_brk
326 extern int vectors_user_mapping(void);
327 #define arch_setup_additional_pages(bprm, uses_interp) vectors_user_mapping()
328 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES
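Review bot: This hunk removes the `arch_randomize_brk` declaration and its `#define`, and the arch/arm/kernel/process.c hunk removes the implementation together with the `<linux/random.h>` include, but nothing in this chunk shows what now randomises the brk base on ARM. If the replacement is a generic implementation elsewhere in the patch, the removal should say so in a comment or the patch description; if not, brk randomisation on ARM is silently dropped.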
329 diff -urNp linux-2.6.38.4/arch/arm/include/asm/kmap_types.h linux-2.6.38.4/arch/arm/include/asm/kmap_types.h
330 --- linux-2.6.38.4/arch/arm/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
331 +++ linux-2.6.38.4/arch/arm/include/asm/kmap_types.h 2011-04-17 15:57:32.000000000 -0400
332 @@ -21,6 +21,7 @@ enum km_type {
340 diff -urNp linux-2.6.38.4/arch/arm/include/asm/uaccess.h linux-2.6.38.4/arch/arm/include/asm/uaccess.h
341 --- linux-2.6.38.4/arch/arm/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
342 +++ linux-2.6.38.4/arch/arm/include/asm/uaccess.h 2011-04-17 15:57:32.000000000 -0400
343 @@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
345 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
350 if (access_ok(VERIFY_READ, from, n))
351 n = __copy_from_user(to, from, n);
352 else /* security hole - plug it */
353 @@ -412,6 +415,9 @@ static inline unsigned long __must_check
355 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
360 if (access_ok(VERIFY_WRITE, to, n))
361 n = __copy_to_user(to, from, n);
363 diff -urNp linux-2.6.38.4/arch/arm/kernel/kgdb.c linux-2.6.38.4/arch/arm/kernel/kgdb.c
364 --- linux-2.6.38.4/arch/arm/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
365 +++ linux-2.6.38.4/arch/arm/kernel/kgdb.c 2011-04-17 15:57:32.000000000 -0400
366 @@ -246,7 +246,7 @@ void kgdb_arch_exit(void)
367 * and we handle the normal undef case within the do_undefinstr
370 -struct kgdb_arch arch_kgdb_ops = {
371 +const struct kgdb_arch arch_kgdb_ops = {
373 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
374 #else /* ! __ARMEB__ */
375 diff -urNp linux-2.6.38.4/arch/arm/kernel/process.c linux-2.6.38.4/arch/arm/kernel/process.c
376 --- linux-2.6.38.4/arch/arm/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
377 +++ linux-2.6.38.4/arch/arm/kernel/process.c 2011-04-17 15:57:32.000000000 -0400
379 #include <linux/tick.h>
380 #include <linux/utsname.h>
381 #include <linux/uaccess.h>
382 -#include <linux/random.h>
383 #include <linux/hw_breakpoint.h>
385 #include <asm/cacheflush.h>
386 @@ -477,12 +476,6 @@ unsigned long get_wchan(struct task_stru
390 -unsigned long arch_randomize_brk(struct mm_struct *mm)
392 - unsigned long range_end = mm->brk + 0x02000000;
393 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
398 * The vectors page is always readable from user space for the
399 diff -urNp linux-2.6.38.4/arch/arm/mach-msm/last_radio_log.c linux-2.6.38.4/arch/arm/mach-msm/last_radio_log.c
400 --- linux-2.6.38.4/arch/arm/mach-msm/last_radio_log.c 2011-03-14 21:20:32.000000000 -0400
401 +++ linux-2.6.38.4/arch/arm/mach-msm/last_radio_log.c 2011-04-17 15:57:32.000000000 -0400
402 @@ -47,7 +47,7 @@ static ssize_t last_radio_log_read(struc
406 -static struct file_operations last_radio_log_fops = {
407 +static struct file_operations last_radio_log_fops = { /* cannot be const, see msm_init_last_radio_log */
408 .read = last_radio_log_read,
409 .llseek = default_llseek,
411 diff -urNp linux-2.6.38.4/arch/arm/mach-ux500/mbox-db5500.c linux-2.6.38.4/arch/arm/mach-ux500/mbox-db5500.c
412 --- linux-2.6.38.4/arch/arm/mach-ux500/mbox-db5500.c 2011-03-14 21:20:32.000000000 -0400
413 +++ linux-2.6.38.4/arch/arm/mach-ux500/mbox-db5500.c 2011-04-17 15:57:32.000000000 -0400
414 @@ -168,7 +168,7 @@ static ssize_t mbox_read_fifo(struct dev
415 return sprintf(buf, "0x%X\n", mbox_value);
418 -static DEVICE_ATTR(fifo, S_IWUGO | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
419 +static DEVICE_ATTR(fifo, S_IWUSR | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
421 static int mbox_show(struct seq_file *s, void *data)
423 diff -urNp linux-2.6.38.4/arch/arm/mm/fault.c linux-2.6.38.4/arch/arm/mm/fault.c
424 --- linux-2.6.38.4/arch/arm/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
425 +++ linux-2.6.38.4/arch/arm/mm/fault.c 2011-04-17 15:57:32.000000000 -0400
426 @@ -167,6 +167,13 @@ __do_user_fault(struct task_struct *tsk,
430 +#ifdef CONFIG_PAX_PAGEEXEC
431 + if (fsr & FSR_LNX_PF) {
432 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
433 + do_group_exit(SIGKILL);
437 tsk->thread.address = addr;
438 tsk->thread.error_code = fsr;
439 tsk->thread.trap_no = 14;
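Review bot: The added kill-on-prefetch-fault in __do_user_fault does not test the per-process PAGEEXEC flag before `do_group_exit(SIGKILL)`, whereas the alpha and avr32 fault.c hunks of this patch gate the same action on `mm->pax_flags & MF_PAX_PAGEEXEC`. If ARM is meant to honour per-binary PAGEEXEC marking, the condition should be `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {`; if the omission is deliberate, a comment saying so would stop the next reader from "fixing" it. The closing brace and `#endif` of the block are not in the chunk, and __do_user_fault continues outside the hunk.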
440 @@ -364,6 +371,33 @@ do_page_fault(unsigned long addr, unsign
442 #endif /* CONFIG_MMU */
444 +#ifdef CONFIG_PAX_PAGEEXEC
445 +void pax_report_insns(void *pc, void *sp)
449 + printk(KERN_ERR "PAX: bytes at PC: ");
450 + for (i = 0; i < 20; i++) {
452 + if (get_user(c, (__force unsigned char __user *)pc+i))
453 + printk(KERN_CONT "?? ");
455 + printk(KERN_CONT "%02x ", c);
459 + printk(KERN_ERR "PAX: bytes at SP-4: ");
460 + for (i = -1; i < 20; i++) {
462 + if (get_user(c, (__force unsigned long __user *)sp+i))
463 + printk(KERN_CONT "???????? ");
465 + printk(KERN_CONT "%08lx ", c);
472 * First Level Translation Fault Handler
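Review bot: pax_report_insns dumps 20 bytes at the user PC and 21 words of user stack to the log at KERN_ERR with no rate limiting, and the alpha and avr32 versions in this patch do the same; since it is reached from an ordinary user-mode fault, an unprivileged process that faults in a loop can flood the kernel log. Unless pax_report_fault (not in this chunk) already rate-limits, guard the dump with `if (!printk_ratelimit()) return;` at the top, as the avr32 segfault message in this patch already does. The declarations of `i` and `c` fall on lines not in the chunk.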
474 diff -urNp linux-2.6.38.4/arch/arm/mm/mmap.c linux-2.6.38.4/arch/arm/mm/mmap.c
475 --- linux-2.6.38.4/arch/arm/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
476 +++ linux-2.6.38.4/arch/arm/mm/mmap.c 2011-04-17 15:57:32.000000000 -0400
477 @@ -64,6 +64,10 @@ arch_get_unmapped_area(struct file *filp
481 +#ifdef CONFIG_PAX_RANDMMAP
482 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
487 addr = COLOUR_ALIGN(addr, pgoff);
488 @@ -71,15 +75,14 @@ arch_get_unmapped_area(struct file *filp
489 addr = PAGE_ALIGN(addr);
491 vma = find_vma(mm, addr);
492 - if (TASK_SIZE - len >= addr &&
493 - (!vma || addr + len <= vma->vm_start))
494 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
497 if (len > mm->cached_hole_size) {
498 - start_addr = addr = mm->free_area_cache;
499 + start_addr = addr = mm->free_area_cache;
501 - start_addr = addr = TASK_UNMAPPED_BASE;
502 - mm->cached_hole_size = 0;
503 + start_addr = addr = mm->mmap_base;
504 + mm->cached_hole_size = 0;
506 /* 8 bits of randomness in 20 address space bits */
507 if (current->flags & PF_RANDOMIZE)
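Review bot: The lines `start_addr = addr = mm->free_area_cache;` and `mm->cached_hole_size = 0;` are removed and re-added with only whitespace differences, which pads the diff with no functional change and hides the real edit (TASK_UNMAPPED_BASE → mm->mmap_base) among them; drop the whitespace-only pairs. The context below shows the existing `PF_RANDOMIZE` 8-bit randomisation still applied on top of `mm->mmap_base`; if mmap_base is already randomised under CONFIG_PAX_RANDMMAP, a comment stating that the two are intended to compose (or a guard) would help. arch_get_unmapped_area starts before this hunk and continues after it.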
508 @@ -98,14 +101,14 @@ full_search:
509 * Start a new search - just in case we missed
512 - if (start_addr != TASK_UNMAPPED_BASE) {
513 - start_addr = addr = TASK_UNMAPPED_BASE;
514 + if (start_addr != mm->mmap_base) {
515 + start_addr = addr = mm->mmap_base;
516 mm->cached_hole_size = 0;
521 - if (!vma || addr + len <= vma->vm_start) {
522 + if (check_heap_stack_gap(vma, addr, len)) {
524 * Remember the place where we stopped the search:
526 diff -urNp linux-2.6.38.4/arch/avr32/include/asm/elf.h linux-2.6.38.4/arch/avr32/include/asm/elf.h
527 --- linux-2.6.38.4/arch/avr32/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
528 +++ linux-2.6.38.4/arch/avr32/include/asm/elf.h 2011-04-17 15:57:32.000000000 -0400
529 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
530 the loader. We need to make sure that it is out of the way of the program
531 that it will "exec", and that there is sufficient room for the brk. */
533 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
534 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
536 +#ifdef CONFIG_PAX_ASLR
537 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
539 +#define PAX_DELTA_MMAP_LEN 15
540 +#define PAX_DELTA_STACK_LEN 15
543 /* This yields a mask that user programs can use to figure out what
544 instruction set this CPU supports. This could be done in user space,
545 diff -urNp linux-2.6.38.4/arch/avr32/include/asm/kmap_types.h linux-2.6.38.4/arch/avr32/include/asm/kmap_types.h
546 --- linux-2.6.38.4/arch/avr32/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
547 +++ linux-2.6.38.4/arch/avr32/include/asm/kmap_types.h 2011-04-17 15:57:32.000000000 -0400
548 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
558 diff -urNp linux-2.6.38.4/arch/avr32/mm/fault.c linux-2.6.38.4/arch/avr32/mm/fault.c
559 --- linux-2.6.38.4/arch/avr32/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
560 +++ linux-2.6.38.4/arch/avr32/mm/fault.c 2011-04-17 15:57:32.000000000 -0400
561 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
563 int exception_trace = 1;
565 +#ifdef CONFIG_PAX_PAGEEXEC
566 +void pax_report_insns(void *pc, void *sp)
570 + printk(KERN_ERR "PAX: bytes at PC: ");
571 + for (i = 0; i < 20; i++) {
573 + if (get_user(c, (unsigned char *)pc+i))
574 + printk(KERN_CONT "???????? ");
576 + printk(KERN_CONT "%02x ", c);
583 * This routine handles page faults. It determines the address and the
584 * problem, and then passes it off to one of the appropriate routines.
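Review bot: On a failed `get_user` the PC dump prints `"???????? "` (eight characters) while a successful read prints `"%02x "` (two), so the columns no longer line up; the arm variant in this patch prints `"?? "` for the same case, and this one should match: `printk(KERN_CONT "?? ");`. The read goes through `(unsigned char *)pc+i` without a `__user` annotation, unlike the arm variant's `(__force unsigned char __user *)`. The declarations of `i` and `c` are on lines not in the chunk.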
585 @@ -156,6 +173,16 @@ bad_area:
586 up_read(&mm->mmap_sem);
588 if (user_mode(regs)) {
590 +#ifdef CONFIG_PAX_PAGEEXEC
591 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
592 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
593 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
594 + do_group_exit(SIGKILL);
599 if (exception_trace && printk_ratelimit())
600 printk("%s%s[%d]: segfault at %08lx pc %08lx "
601 "sp %08lx ecr %lu\n",
602 diff -urNp linux-2.6.38.4/arch/blackfin/kernel/kgdb.c linux-2.6.38.4/arch/blackfin/kernel/kgdb.c
603 --- linux-2.6.38.4/arch/blackfin/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
604 +++ linux-2.6.38.4/arch/blackfin/kernel/kgdb.c 2011-04-17 15:57:32.000000000 -0400
605 @@ -420,7 +420,7 @@ int kgdb_arch_handle_exception(int vecto
606 return -1; /* this means that we do not want to exit from the handler */
609 -struct kgdb_arch arch_kgdb_ops = {
610 +const struct kgdb_arch arch_kgdb_ops = {
611 .gdb_bpt_instr = {0xa1},
613 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
614 diff -urNp linux-2.6.38.4/arch/blackfin/mm/maccess.c linux-2.6.38.4/arch/blackfin/mm/maccess.c
615 --- linux-2.6.38.4/arch/blackfin/mm/maccess.c 2011-03-14 21:20:32.000000000 -0400
616 +++ linux-2.6.38.4/arch/blackfin/mm/maccess.c 2011-04-17 15:57:32.000000000 -0400
617 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
618 return bfin_mem_access_type(addr, size);
621 -long probe_kernel_read(void *dst, void *src, size_t size)
622 +long probe_kernel_read(void *dst, const void *src, size_t size)
624 unsigned long lsrc = (unsigned long)src;
626 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
630 -long probe_kernel_write(void *dst, void *src, size_t size)
631 +long probe_kernel_write(void *dst, const void *src, size_t size)
633 unsigned long ldst = (unsigned long)dst;
635 diff -urNp linux-2.6.38.4/arch/frv/include/asm/kmap_types.h linux-2.6.38.4/arch/frv/include/asm/kmap_types.h
636 --- linux-2.6.38.4/arch/frv/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
637 +++ linux-2.6.38.4/arch/frv/include/asm/kmap_types.h 2011-04-17 15:57:32.000000000 -0400
638 @@ -23,6 +23,7 @@ enum km_type {
646 diff -urNp linux-2.6.38.4/arch/frv/mm/elf-fdpic.c linux-2.6.38.4/arch/frv/mm/elf-fdpic.c
647 --- linux-2.6.38.4/arch/frv/mm/elf-fdpic.c 2011-03-14 21:20:32.000000000 -0400
648 +++ linux-2.6.38.4/arch/frv/mm/elf-fdpic.c 2011-04-17 15:57:32.000000000 -0400
649 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
651 addr = PAGE_ALIGN(addr);
652 vma = find_vma(current->mm, addr);
653 - if (TASK_SIZE - len >= addr &&
654 - (!vma || addr + len <= vma->vm_start))
655 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
659 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
660 for (; vma; vma = vma->vm_next) {
663 - if (addr + len <= vma->vm_start)
664 + if (check_heap_stack_gap(vma, addr, len))
668 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
669 for (; vma; vma = vma->vm_next) {
672 - if (addr + len <= vma->vm_start)
673 + if (check_heap_stack_gap(vma, addr, len))
677 diff -urNp linux-2.6.38.4/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.38.4/arch/ia64/hp/common/hwsw_iommu.c
678 --- linux-2.6.38.4/arch/ia64/hp/common/hwsw_iommu.c 2011-03-14 21:20:32.000000000 -0400
679 +++ linux-2.6.38.4/arch/ia64/hp/common/hwsw_iommu.c 2011-04-17 15:57:32.000000000 -0400
681 #include <linux/swiotlb.h>
682 #include <asm/machvec.h>
684 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
685 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
687 /* swiotlb declarations & definitions: */
688 extern int swiotlb_late_init_with_default_size (size_t size);
689 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
690 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
693 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
694 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
696 if (use_swiotlb(dev))
697 return &swiotlb_dma_ops;
698 diff -urNp linux-2.6.38.4/arch/ia64/hp/common/sba_iommu.c linux-2.6.38.4/arch/ia64/hp/common/sba_iommu.c
699 --- linux-2.6.38.4/arch/ia64/hp/common/sba_iommu.c 2011-03-14 21:20:32.000000000 -0400
700 +++ linux-2.6.38.4/arch/ia64/hp/common/sba_iommu.c 2011-04-17 15:57:32.000000000 -0400
701 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
705 -extern struct dma_map_ops swiotlb_dma_ops;
706 +extern const struct dma_map_ops swiotlb_dma_ops;
710 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
712 __setup("sbapagesize=",sba_page_override);
714 -struct dma_map_ops sba_dma_ops = {
715 +const struct dma_map_ops sba_dma_ops = {
716 .alloc_coherent = sba_alloc_coherent,
717 .free_coherent = sba_free_coherent,
718 .map_page = sba_map_page,
719 diff -urNp linux-2.6.38.4/arch/ia64/include/asm/dma-mapping.h linux-2.6.38.4/arch/ia64/include/asm/dma-mapping.h
720 --- linux-2.6.38.4/arch/ia64/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
721 +++ linux-2.6.38.4/arch/ia64/include/asm/dma-mapping.h 2011-04-17 15:57:32.000000000 -0400
724 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
726 -extern struct dma_map_ops *dma_ops;
727 +extern const struct dma_map_ops *dma_ops;
728 extern struct ia64_machine_vector ia64_mv;
729 extern void set_iommu_machvec(void);
731 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
732 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
733 dma_addr_t *daddr, gfp_t gfp)
735 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
736 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
739 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
740 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
741 static inline void dma_free_coherent(struct device *dev, size_t size,
742 void *caddr, dma_addr_t daddr)
744 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
745 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
746 debug_dma_free_coherent(dev, size, caddr, daddr);
747 ops->free_coherent(dev, size, caddr, daddr);
749 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
751 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
753 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
754 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
755 return ops->mapping_error(dev, daddr);
758 static inline int dma_supported(struct device *dev, u64 mask)
760 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
761 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
762 return ops->dma_supported(dev, mask);
765 diff -urNp linux-2.6.38.4/arch/ia64/include/asm/elf.h linux-2.6.38.4/arch/ia64/include/asm/elf.h
766 --- linux-2.6.38.4/arch/ia64/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
767 +++ linux-2.6.38.4/arch/ia64/include/asm/elf.h 2011-04-17 15:57:32.000000000 -0400
770 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
772 +#ifdef CONFIG_PAX_ASLR
773 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
775 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
776 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
779 #define PT_IA_64_UNWIND 0x70000001
781 /* IA-64 relocations: */
782 diff -urNp linux-2.6.38.4/arch/ia64/include/asm/machvec.h linux-2.6.38.4/arch/ia64/include/asm/machvec.h
783 --- linux-2.6.38.4/arch/ia64/include/asm/machvec.h 2011-03-14 21:20:32.000000000 -0400
784 +++ linux-2.6.38.4/arch/ia64/include/asm/machvec.h 2011-04-17 15:57:32.000000000 -0400
785 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
786 /* DMA-mapping interface: */
787 typedef void ia64_mv_dma_init (void);
788 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
789 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
790 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
793 * WARNING: The legacy I/O space is _architected_. Platforms are
794 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
795 # endif /* CONFIG_IA64_GENERIC */
797 extern void swiotlb_dma_init(void);
798 -extern struct dma_map_ops *dma_get_ops(struct device *);
799 +extern const struct dma_map_ops *dma_get_ops(struct device *);
802 * Define default versions so we can extend machvec for new platforms without having
803 diff -urNp linux-2.6.38.4/arch/ia64/include/asm/pgtable.h linux-2.6.38.4/arch/ia64/include/asm/pgtable.h
804 --- linux-2.6.38.4/arch/ia64/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
805 +++ linux-2.6.38.4/arch/ia64/include/asm/pgtable.h 2011-04-17 15:57:32.000000000 -0400
807 * David Mosberger-Tang <davidm@hpl.hp.com>
811 +#include <linux/const.h>
812 #include <asm/mman.h>
813 #include <asm/page.h>
814 #include <asm/processor.h>
816 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
817 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
818 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
820 +#ifdef CONFIG_PAX_PAGEEXEC
821 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
822 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
823 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
825 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
826 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
827 +# define PAGE_COPY_NOEXEC PAGE_COPY
830 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
831 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
832 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
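Review bot: Under CONFIG_PAX_PAGEEXEC, `PAGE_READONLY_NOEXEC` and `PAGE_COPY_NOEXEC` expand to `__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R`, which is byte-for-byte the definition of `PAGE_READONLY` and `PAGE_COPY` in the context lines above, so for those two the `#ifdef` branch and the `#else` fallback are identical and only `PAGE_SHARED_NOEXEC` actually differs. A comment such as `/* ia64 AR_R already excludes execute; only the shared mapping needs a distinct NOEXEC variant */` would record that this is intentional — assuming PAGE_SHARED, whose definition is not in the chunk, does carry execute. The `#include <linux/const.h>` added near the top of the file has no user visible in this chunk.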
833 diff -urNp linux-2.6.38.4/arch/ia64/include/asm/spinlock.h linux-2.6.38.4/arch/ia64/include/asm/spinlock.h
834 --- linux-2.6.38.4/arch/ia64/include/asm/spinlock.h 2011-03-14 21:20:32.000000000 -0400
835 +++ linux-2.6.38.4/arch/ia64/include/asm/spinlock.h 2011-04-17 15:57:32.000000000 -0400
836 @@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
837 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
839 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
840 - ACCESS_ONCE(*p) = (tmp + 2) & ~1;
841 + ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
844 static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock)
845 diff -urNp linux-2.6.38.4/arch/ia64/include/asm/uaccess.h linux-2.6.38.4/arch/ia64/include/asm/uaccess.h
846 --- linux-2.6.38.4/arch/ia64/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
847 +++ linux-2.6.38.4/arch/ia64/include/asm/uaccess.h 2011-04-17 15:57:32.000000000 -0400
848 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
849 const void *__cu_from = (from); \
850 long __cu_len = (n); \
852 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
853 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
854 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
857 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
858 long __cu_len = (n); \
860 __chk_user_ptr(__cu_from); \
861 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
862 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
863 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
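Review bot: The new `__cu_len > 0 && __cu_len <= INT_MAX` guard on the `if` line of both __copy_to_user and __copy_from_user carries no comment explaining why the upper bound is INT_MAX rather than LONG_MAX, which a reader may take for a typo. A note at the first occurrence, e.g. `/* reject negative and > INT_MAX lengths before __access_ok; a rejected copy leaves __cu_len as n */`, would record the intent — the second half holds only if the macro still ends with `__cu_len;`, a line not in the chunk. The guard also makes `n == 0` skip `__access_ok`, which presumably yields 0 and so preserves the empty-copy result.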
866 diff -urNp linux-2.6.38.4/arch/ia64/kernel/dma-mapping.c linux-2.6.38.4/arch/ia64/kernel/dma-mapping.c
867 --- linux-2.6.38.4/arch/ia64/kernel/dma-mapping.c 2011-03-14 21:20:32.000000000 -0400
868 +++ linux-2.6.38.4/arch/ia64/kernel/dma-mapping.c 2011-04-17 15:57:32.000000000 -0400
870 /* Set this to 1 if there is a HW IOMMU in the system */
871 int iommu_detected __read_mostly;
873 -struct dma_map_ops *dma_ops;
874 +const struct dma_map_ops *dma_ops;
875 EXPORT_SYMBOL(dma_ops);
877 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
878 @@ -16,7 +16,7 @@ static int __init dma_init(void)
880 fs_initcall(dma_init);
882 -struct dma_map_ops *dma_get_ops(struct device *dev)
883 +const struct dma_map_ops *dma_get_ops(struct device *dev)
887 diff -urNp linux-2.6.38.4/arch/ia64/kernel/module.c linux-2.6.38.4/arch/ia64/kernel/module.c
888 --- linux-2.6.38.4/arch/ia64/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
889 +++ linux-2.6.38.4/arch/ia64/kernel/module.c 2011-04-17 15:57:32.000000000 -0400
890 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
892 module_free (struct module *mod, void *module_region)
894 - if (mod && mod->arch.init_unw_table &&
895 - module_region == mod->module_init) {
896 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
897 unw_remove_unwind_table(mod->arch.init_unw_table);
898 mod->arch.init_unw_table = NULL;
900 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
904 +in_init_rx (const struct module *mod, uint64_t addr)
906 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
910 +in_init_rw (const struct module *mod, uint64_t addr)
912 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
916 in_init (const struct module *mod, uint64_t addr)
918 - return addr - (uint64_t) mod->module_init < mod->init_size;
919 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
923 +in_core_rx (const struct module *mod, uint64_t addr)
925 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
929 +in_core_rw (const struct module *mod, uint64_t addr)
931 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
935 in_core (const struct module *mod, uint64_t addr)
937 - return addr - (uint64_t) mod->module_core < mod->core_size;
938 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
942 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
946 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
947 + if (in_init_rx(mod, val))
948 + val -= (uint64_t) mod->module_init_rx;
949 + else if (in_init_rw(mod, val))
950 + val -= (uint64_t) mod->module_init_rw;
951 + else if (in_core_rx(mod, val))
952 + val -= (uint64_t) mod->module_core_rx;
953 + else if (in_core_rw(mod, val))
954 + val -= (uint64_t) mod->module_core_rw;
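Review bot: The new if/else-if chain in do_reloc has no final else, so a `val` that lies in none of the four rx/rw regions is now left unadjusted, whereas the replaced line always fell back to subtracting `module_core`. If such a value can only come from a malformed relocation, the silent pass-through hides it; either keep an explicit fallback or fail loudly, e.g. `else { printk(KERN_ERR "%s: relocation target %lx outside module\n", mod->name, val); return -ENOEXEC; }`, if do_reloc's return convention permits (its signature is outside the hunk). Whichever is chosen, a one-line comment on why no fallback is needed would make the omission look deliberate. do_reloc's body continues outside the hunk.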
958 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
959 * addresses have been selected...
962 - if (mod->core_size > MAX_LTOFF)
963 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
965 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
966 * at the end of the module.
968 - gp = mod->core_size - MAX_LTOFF / 2;
969 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
971 - gp = mod->core_size / 2;
972 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
973 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
974 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
976 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
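Review bot: The gp placement `gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);` assumes the rx and rw core regions are contiguous with rw immediately after rx, because the offset is derived from the combined `core_size_rx + core_size_rw`. If the two regions are separate allocations, gp may land outside the rw region that the surrounding comment says holds the SHF_ARCH_SMALL sections, and the `MAX_LTOFF` reach check above would be measured over a span that does not exist; the allocation side is not in this hunk, so this cannot be verified here. Worth a comment stating the invariant, e.g. `/* core_rx and core_rw are assumed contiguous (rx first); gp is measured from the rx base across both */`, or a WARN_ON if the layout can be checked at this point. apply_relocate_add continues outside the hunk.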
978 diff -urNp linux-2.6.38.4/arch/ia64/kernel/pci-dma.c linux-2.6.38.4/arch/ia64/kernel/pci-dma.c
979 --- linux-2.6.38.4/arch/ia64/kernel/pci-dma.c 2011-03-14 21:20:32.000000000 -0400
980 +++ linux-2.6.38.4/arch/ia64/kernel/pci-dma.c 2011-04-17 15:57:32.000000000 -0400
981 @@ -43,7 +43,7 @@ struct device fallback_dev = {
982 .dma_mask = &fallback_dev.coherent_dma_mask,
985 -extern struct dma_map_ops intel_dma_ops;
986 +extern const struct dma_map_ops intel_dma_ops;
988 static int __init pci_iommu_init(void)
990 diff -urNp linux-2.6.38.4/arch/ia64/kernel/pci-swiotlb.c linux-2.6.38.4/arch/ia64/kernel/pci-swiotlb.c
991 --- linux-2.6.38.4/arch/ia64/kernel/pci-swiotlb.c 2011-03-14 21:20:32.000000000 -0400
992 +++ linux-2.6.38.4/arch/ia64/kernel/pci-swiotlb.c 2011-04-17 15:57:32.000000000 -0400
993 @@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent
994 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
997 -struct dma_map_ops swiotlb_dma_ops = {
998 +const struct dma_map_ops swiotlb_dma_ops = {
999 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1000 .free_coherent = swiotlb_free_coherent,
1001 .map_page = swiotlb_map_page,
1002 diff -urNp linux-2.6.38.4/arch/ia64/kernel/sys_ia64.c linux-2.6.38.4/arch/ia64/kernel/sys_ia64.c
1003 --- linux-2.6.38.4/arch/ia64/kernel/sys_ia64.c 2011-03-14 21:20:32.000000000 -0400
1004 +++ linux-2.6.38.4/arch/ia64/kernel/sys_ia64.c 2011-04-17 15:57:32.000000000 -0400
1005 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1006 if (REGION_NUMBER(addr) == RGN_HPAGE)
1010 +#ifdef CONFIG_PAX_RANDMMAP
1011 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1012 + addr = mm->free_area_cache;
1017 addr = mm->free_area_cache;
1019 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1020 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1021 /* At this point: (!vma || addr < vma->vm_end). */
1022 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1023 - if (start_addr != TASK_UNMAPPED_BASE) {
1024 + if (start_addr != mm->mmap_base) {
1025 /* Start a new search --- just in case we missed some holes. */
1026 - addr = TASK_UNMAPPED_BASE;
1027 + addr = mm->mmap_base;
1032 - if (!vma || addr + len <= vma->vm_start) {
1033 + if (check_heap_stack_gap(vma, addr, len)) {
1034 /* Remember the address where we stopped this search: */
1035 mm->free_area_cache = addr + len;
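Review bot: `check_heap_stack_gap(vma, addr, len)` replaces an expression that explicitly handled `vma == NULL` (`!vma || addr + len <= vma->vm_start`), so the helper must accept a NULL vma for the end-of-address-space case; its definition is not in the visible diff, so that contract cannot be confirmed here. A short comment at the call site, e.g. `/* check_heap_stack_gap() must tolerate vma == NULL; it presumably also enforces a guard gap below a growsdown vma */`, would record what this loop now relies on. The same substitution is made in arch/ia64/mm/hugetlbpage.c, arch/mips/kernel/syscall.c (both hunks) and arch/parisc/kernel/sys_parisc.c. The search loop in arch_get_unmapped_area continues outside the hunk.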
1037 diff -urNp linux-2.6.38.4/arch/ia64/kernel/vmlinux.lds.S linux-2.6.38.4/arch/ia64/kernel/vmlinux.lds.S
1038 --- linux-2.6.38.4/arch/ia64/kernel/vmlinux.lds.S 2011-03-14 21:20:32.000000000 -0400
1039 +++ linux-2.6.38.4/arch/ia64/kernel/vmlinux.lds.S 2011-04-17 15:57:32.000000000 -0400
1040 @@ -199,7 +199,7 @@ SECTIONS {
1042 . = ALIGN(PERCPU_PAGE_SIZE);
1043 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1044 - __phys_per_cpu_start = __per_cpu_load;
1045 + __phys_per_cpu_start = per_cpu_load;
1047 * ensure percpu data fits
1048 * into percpu page size
1049 diff -urNp linux-2.6.38.4/arch/ia64/mm/fault.c linux-2.6.38.4/arch/ia64/mm/fault.c
1050 --- linux-2.6.38.4/arch/ia64/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
1051 +++ linux-2.6.38.4/arch/ia64/mm/fault.c 2011-04-17 15:57:32.000000000 -0400
1052 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1053 return pte_present(pte);
1056 +#ifdef CONFIG_PAX_PAGEEXEC
1057 +void pax_report_insns(void *pc, void *sp)
1061 + printk(KERN_ERR "PAX: bytes at PC: ");
1062 + for (i = 0; i < 8; i++) {
1064 + if (get_user(c, (unsigned int *)pc+i))
1065 + printk(KERN_CONT "???????? ");
1067 + printk(KERN_CONT "%08x ", c);
1074 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
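Review bot: In pax_report_insns the pointer passed to get_user is cast as `(unsigned int *)pc+i` without the `__user` address-space annotation, so sparse will flag the access and a reader cannot tell that `pc` is expected to be a userspace address; `(unsigned int __user *)pc + i` states the intent with the same arithmetic. The function also lacks a header comment; something like `/* Dump the 8 words at the faulting user PC to the log; unreadable words print as ???????? */` would make its purpose clear. The declarations of `i` and `c` are not visible in this excerpt, so their types are assumed to match the `%08x` format. The MIPS copy in arch/mips/mm/fault.c has the same cast.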
1076 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1077 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1078 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1080 - if ((vma->vm_flags & mask) != mask)
1081 + if ((vma->vm_flags & mask) != mask) {
1083 +#ifdef CONFIG_PAX_PAGEEXEC
1084 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1085 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1088 + up_read(&mm->mmap_sem);
1089 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1090 + do_group_exit(SIGKILL);
1099 * If for any reason at all we couldn't handle the fault, make
1100 * sure we exit gracefully rather than endlessly redo the
1101 diff -urNp linux-2.6.38.4/arch/ia64/mm/hugetlbpage.c linux-2.6.38.4/arch/ia64/mm/hugetlbpage.c
1102 --- linux-2.6.38.4/arch/ia64/mm/hugetlbpage.c 2011-03-14 21:20:32.000000000 -0400
1103 +++ linux-2.6.38.4/arch/ia64/mm/hugetlbpage.c 2011-04-17 15:57:32.000000000 -0400
1104 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1105 /* At this point: (!vmm || addr < vmm->vm_end). */
1106 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1108 - if (!vmm || (addr + len) <= vmm->vm_start)
1109 + if (check_heap_stack_gap(vmm, addr, len))
1111 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1113 diff -urNp linux-2.6.38.4/arch/ia64/mm/init.c linux-2.6.38.4/arch/ia64/mm/init.c
1114 --- linux-2.6.38.4/arch/ia64/mm/init.c 2011-03-14 21:20:32.000000000 -0400
1115 +++ linux-2.6.38.4/arch/ia64/mm/init.c 2011-04-17 15:57:32.000000000 -0400
1116 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1117 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1118 vma->vm_end = vma->vm_start + PAGE_SIZE;
1119 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1121 +#ifdef CONFIG_PAX_PAGEEXEC
1122 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1123 + vma->vm_flags &= ~VM_EXEC;
1125 +#ifdef CONFIG_PAX_MPROTECT
1126 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1127 + vma->vm_flags &= ~VM_MAYEXEC;
1133 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1134 down_write(¤t->mm->mmap_sem);
1135 if (insert_vm_struct(current->mm, vma)) {
1136 diff -urNp linux-2.6.38.4/arch/ia64/sn/pci/pci_dma.c linux-2.6.38.4/arch/ia64/sn/pci/pci_dma.c
1137 --- linux-2.6.38.4/arch/ia64/sn/pci/pci_dma.c 2011-03-14 21:20:32.000000000 -0400
1138 +++ linux-2.6.38.4/arch/ia64/sn/pci/pci_dma.c 2011-04-17 15:57:32.000000000 -0400
1139 @@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus *
1143 -static struct dma_map_ops sn_dma_ops = {
1144 +static const struct dma_map_ops sn_dma_ops = {
1145 .alloc_coherent = sn_dma_alloc_coherent,
1146 .free_coherent = sn_dma_free_coherent,
1147 .map_page = sn_dma_map_page,
1148 diff -urNp linux-2.6.38.4/arch/m32r/lib/usercopy.c linux-2.6.38.4/arch/m32r/lib/usercopy.c
1149 --- linux-2.6.38.4/arch/m32r/lib/usercopy.c 2011-03-14 21:20:32.000000000 -0400
1150 +++ linux-2.6.38.4/arch/m32r/lib/usercopy.c 2011-04-17 15:57:32.000000000 -0400
1153 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1159 if (access_ok(VERIFY_WRITE, to, n))
1160 __copy_user(to,from,n);
1161 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1163 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1169 if (access_ok(VERIFY_READ, from, n))
1170 __copy_user_zeroing(to,from,n);
1171 diff -urNp linux-2.6.38.4/arch/microblaze/include/asm/device.h linux-2.6.38.4/arch/microblaze/include/asm/device.h
1172 --- linux-2.6.38.4/arch/microblaze/include/asm/device.h 2011-03-14 21:20:32.000000000 -0400
1173 +++ linux-2.6.38.4/arch/microblaze/include/asm/device.h 2011-04-17 15:57:32.000000000 -0400
1174 @@ -13,7 +13,7 @@ struct device_node;
1176 struct dev_archdata {
1177 /* DMA operations on that device */
1178 - struct dma_map_ops *dma_ops;
1179 + const struct dma_map_ops *dma_ops;
1183 diff -urNp linux-2.6.38.4/arch/microblaze/include/asm/dma-mapping.h linux-2.6.38.4/arch/microblaze/include/asm/dma-mapping.h
1184 --- linux-2.6.38.4/arch/microblaze/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
1185 +++ linux-2.6.38.4/arch/microblaze/include/asm/dma-mapping.h 2011-04-17 15:57:32.000000000 -0400
1186 @@ -43,14 +43,14 @@ static inline unsigned long device_to_ma
1187 return 0xfffffffful;
1190 -extern struct dma_map_ops *dma_ops;
1191 +extern const struct dma_map_ops *dma_ops;
1194 * Available generic sets of operations
1196 -extern struct dma_map_ops dma_direct_ops;
1197 +extern const struct dma_map_ops dma_direct_ops;
1199 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1200 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1202 /* We don't handle the NULL dev case for ISA for now. We could
1203 * do it via an out of line call but it is not needed for now. The
1204 @@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm
1205 return dev->archdata.dma_ops;
1208 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1209 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1211 dev->archdata.dma_ops = ops;
1214 static inline int dma_supported(struct device *dev, u64 mask)
1216 - struct dma_map_ops *ops = get_dma_ops(dev);
1217 + const struct dma_map_ops *ops = get_dma_ops(dev);
1221 @@ -81,7 +81,7 @@ static inline int dma_supported(struct d
1223 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1225 - struct dma_map_ops *ops = get_dma_ops(dev);
1226 + const struct dma_map_ops *ops = get_dma_ops(dev);
1228 if (unlikely(ops == NULL))
1230 @@ -97,7 +97,7 @@ static inline int dma_set_mask(struct de
1232 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1234 - struct dma_map_ops *ops = get_dma_ops(dev);
1235 + const struct dma_map_ops *ops = get_dma_ops(dev);
1236 if (ops->mapping_error)
1237 return ops->mapping_error(dev, dma_addr);
1239 @@ -110,7 +110,7 @@ static inline int dma_mapping_error(stru
1240 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1241 dma_addr_t *dma_handle, gfp_t flag)
1243 - struct dma_map_ops *ops = get_dma_ops(dev);
1244 + const struct dma_map_ops *ops = get_dma_ops(dev);
1248 @@ -124,7 +124,7 @@ static inline void *dma_alloc_coherent(s
1249 static inline void dma_free_coherent(struct device *dev, size_t size,
1250 void *cpu_addr, dma_addr_t dma_handle)
1252 - struct dma_map_ops *ops = get_dma_ops(dev);
1253 + const struct dma_map_ops *ops = get_dma_ops(dev);
1256 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
1257 diff -urNp linux-2.6.38.4/arch/microblaze/include/asm/pci.h linux-2.6.38.4/arch/microblaze/include/asm/pci.h
1258 --- linux-2.6.38.4/arch/microblaze/include/asm/pci.h 2011-03-14 21:20:32.000000000 -0400
1259 +++ linux-2.6.38.4/arch/microblaze/include/asm/pci.h 2011-04-17 15:57:32.000000000 -0400
1260 @@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_
1264 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
1265 -extern struct dma_map_ops *get_pci_dma_ops(void);
1266 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
1267 +extern const struct dma_map_ops *get_pci_dma_ops(void);
1268 #else /* CONFIG_PCI */
1269 #define set_pci_dma_ops(d)
1270 #define get_pci_dma_ops() NULL
1271 diff -urNp linux-2.6.38.4/arch/microblaze/kernel/dma.c linux-2.6.38.4/arch/microblaze/kernel/dma.c
1272 --- linux-2.6.38.4/arch/microblaze/kernel/dma.c 2011-03-14 21:20:32.000000000 -0400
1273 +++ linux-2.6.38.4/arch/microblaze/kernel/dma.c 2011-04-17 15:57:32.000000000 -0400
1274 @@ -133,7 +133,7 @@ static inline void dma_direct_unmap_page
1275 __dma_sync_page(dma_address, 0 , size, direction);
1278 -struct dma_map_ops dma_direct_ops = {
1279 +const struct dma_map_ops dma_direct_ops = {
1280 .alloc_coherent = dma_direct_alloc_coherent,
1281 .free_coherent = dma_direct_free_coherent,
1282 .map_sg = dma_direct_map_sg,
1283 diff -urNp linux-2.6.38.4/arch/microblaze/kernel/kgdb.c linux-2.6.38.4/arch/microblaze/kernel/kgdb.c
1284 --- linux-2.6.38.4/arch/microblaze/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
1285 +++ linux-2.6.38.4/arch/microblaze/kernel/kgdb.c 2011-04-17 15:57:32.000000000 -0400
1286 @@ -141,10 +141,11 @@ void kgdb_arch_exit(void)
1290 -struct kgdb_arch arch_kgdb_ops = {
1291 +const struct kgdb_arch arch_kgdb_ops = {
1292 #ifdef __MICROBLAZEEL__
1293 .gdb_bpt_instr = {0x18, 0x00, 0x0c, 0xba}, /* brki r16, 0x18 */
1296 .gdb_bpt_instr = {0xba, 0x0c, 0x00, 0x18}, /* brki r16, 0x18 */
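Review bot: Making `arch_kgdb_ops` `const` here is only valid if the `extern struct kgdb_arch arch_kgdb_ops;` declaration this file sees (normally from include/linux/kgdb.h) carries the same qualifier; otherwise the definition is rejected for conflicting type qualifiers, and that header is not in the visible diff. The MIPS hunk in arch/mips/kernel/kgdb.c keeps its definition non-const with `/* cannot be const, see kgdb_arch_init */`, so a single shared declaration cannot match both unless the header is qualified per-arch or the MIPS writes are moved out of `arch_kgdb_ops`. Worth confirming against the kgdb.h change and recording the reasoning in the commit description.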
1299 diff -urNp linux-2.6.38.4/arch/microblaze/pci/pci-common.c linux-2.6.38.4/arch/microblaze/pci/pci-common.c
1300 --- linux-2.6.38.4/arch/microblaze/pci/pci-common.c 2011-03-14 21:20:32.000000000 -0400
1301 +++ linux-2.6.38.4/arch/microblaze/pci/pci-common.c 2011-04-17 15:57:32.000000000 -0400
1302 @@ -47,14 +47,14 @@ resource_size_t isa_mem_base;
1303 /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */
1304 unsigned int pci_flags;
1306 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1307 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1309 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
1310 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
1312 pci_dma_ops = dma_ops;
1315 -struct dma_map_ops *get_pci_dma_ops(void)
1316 +const struct dma_map_ops *get_pci_dma_ops(void)
1320 diff -urNp linux-2.6.38.4/arch/mips/cavium-octeon/dma-octeon.c linux-2.6.38.4/arch/mips/cavium-octeon/dma-octeon.c
1321 --- linux-2.6.38.4/arch/mips/cavium-octeon/dma-octeon.c 2011-03-14 21:20:32.000000000 -0400
1322 +++ linux-2.6.38.4/arch/mips/cavium-octeon/dma-octeon.c 2011-04-17 15:57:32.000000000 -0400
1323 @@ -202,7 +202,7 @@ static phys_addr_t octeon_unity_dma_to_p
1326 struct octeon_dma_map_ops {
1327 - struct dma_map_ops dma_map_ops;
1328 + const struct dma_map_ops dma_map_ops;
1329 dma_addr_t (*phys_to_dma)(struct device *dev, phys_addr_t paddr);
1330 phys_addr_t (*dma_to_phys)(struct device *dev, dma_addr_t daddr);
1332 @@ -324,7 +324,7 @@ static struct octeon_dma_map_ops _octeon
1336 -struct dma_map_ops *octeon_pci_dma_map_ops;
1337 +const struct dma_map_ops *octeon_pci_dma_map_ops;
1339 void __init octeon_pci_dma_init(void)
1341 diff -urNp linux-2.6.38.4/arch/mips/include/asm/device.h linux-2.6.38.4/arch/mips/include/asm/device.h
1342 --- linux-2.6.38.4/arch/mips/include/asm/device.h 2011-03-14 21:20:32.000000000 -0400
1343 +++ linux-2.6.38.4/arch/mips/include/asm/device.h 2011-04-17 15:57:32.000000000 -0400
1344 @@ -10,7 +10,7 @@ struct dma_map_ops;
1346 struct dev_archdata {
1347 /* DMA operations on that device */
1348 - struct dma_map_ops *dma_ops;
1349 + const struct dma_map_ops *dma_ops;
1352 struct pdev_archdata {
1353 diff -urNp linux-2.6.38.4/arch/mips/include/asm/dma-mapping.h linux-2.6.38.4/arch/mips/include/asm/dma-mapping.h
1354 --- linux-2.6.38.4/arch/mips/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
1355 +++ linux-2.6.38.4/arch/mips/include/asm/dma-mapping.h 2011-04-17 15:57:32.000000000 -0400
1358 #include <dma-coherence.h>
1360 -extern struct dma_map_ops *mips_dma_map_ops;
1361 +extern const struct dma_map_ops *mips_dma_map_ops;
1363 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1364 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1366 if (dev && dev->archdata.dma_ops)
1367 return dev->archdata.dma_ops;
1368 @@ -31,13 +31,13 @@ static inline void dma_mark_clean(void *
1370 static inline int dma_supported(struct device *dev, u64 mask)
1372 - struct dma_map_ops *ops = get_dma_ops(dev);
1373 + const struct dma_map_ops *ops = get_dma_ops(dev);
1374 return ops->dma_supported(dev, mask);
1377 static inline int dma_mapping_error(struct device *dev, u64 mask)
1379 - struct dma_map_ops *ops = get_dma_ops(dev);
1380 + const struct dma_map_ops *ops = get_dma_ops(dev);
1381 return ops->mapping_error(dev, mask);
1384 @@ -59,7 +59,7 @@ static inline void *dma_alloc_coherent(s
1385 dma_addr_t *dma_handle, gfp_t gfp)
1388 - struct dma_map_ops *ops = get_dma_ops(dev);
1389 + const struct dma_map_ops *ops = get_dma_ops(dev);
1391 ret = ops->alloc_coherent(dev, size, dma_handle, gfp);
1393 @@ -71,7 +71,7 @@ static inline void *dma_alloc_coherent(s
1394 static inline void dma_free_coherent(struct device *dev, size_t size,
1395 void *vaddr, dma_addr_t dma_handle)
1397 - struct dma_map_ops *ops = get_dma_ops(dev);
1398 + const struct dma_map_ops *ops = get_dma_ops(dev);
1400 ops->free_coherent(dev, size, vaddr, dma_handle);
1402 diff -urNp linux-2.6.38.4/arch/mips/include/asm/elf.h linux-2.6.38.4/arch/mips/include/asm/elf.h
1403 --- linux-2.6.38.4/arch/mips/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
1404 +++ linux-2.6.38.4/arch/mips/include/asm/elf.h 2011-04-17 15:57:32.000000000 -0400
1405 @@ -372,13 +372,16 @@ extern const char *__elf_platform;
1406 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1409 +#ifdef CONFIG_PAX_ASLR
1410 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1412 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1413 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1416 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1417 struct linux_binprm;
1418 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
1422 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1423 -#define arch_randomize_brk arch_randomize_brk
1425 #endif /* _ASM_ELF_H */
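Review bot: Both arms of `PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)` are identical, so the conditional is dead; either collapse it to `#define PAX_ELF_ET_DYN_BASE 0x00400000UL` or, if a distinct 64-bit base is intended later, say so in a comment so the duplicate does not read as a copy-paste slip. The same definition is repeated in arch/mips/kernel/binfmt_elfn32.c and binfmt_elfo32.c. Removing the `arch_randomize_brk` declaration is paired with the deletion of its body in arch/mips/kernel/syscall.c; a one-line note that brk randomisation is now expected from the generic PaX path would help the next reader, assuming that is the intent.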
1426 diff -urNp linux-2.6.38.4/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h linux-2.6.38.4/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h
1427 --- linux-2.6.38.4/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-03-14 21:20:32.000000000 -0400
1428 +++ linux-2.6.38.4/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-04-17 15:57:32.000000000 -0400
1429 @@ -66,7 +66,7 @@ dma_addr_t phys_to_dma(struct device *de
1430 phys_addr_t dma_to_phys(struct device *dev, dma_addr_t daddr);
1433 -extern struct dma_map_ops *octeon_pci_dma_map_ops;
1434 +extern const struct dma_map_ops *octeon_pci_dma_map_ops;
1435 extern char *octeon_swiotlb;
1437 #endif /* __ASM_MACH_CAVIUM_OCTEON_DMA_COHERENCE_H */
1438 diff -urNp linux-2.6.38.4/arch/mips/include/asm/page.h linux-2.6.38.4/arch/mips/include/asm/page.h
1439 --- linux-2.6.38.4/arch/mips/include/asm/page.h 2011-03-14 21:20:32.000000000 -0400
1440 +++ linux-2.6.38.4/arch/mips/include/asm/page.h 2011-04-17 15:57:32.000000000 -0400
1441 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1442 #ifdef CONFIG_CPU_MIPS32
1443 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1444 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1445 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1446 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1448 typedef struct { unsigned long long pte; } pte_t;
1449 #define pte_val(x) ((x).pte)
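Review bot: Dropping the `(unsigned long long)` cast in `__pte(x)` makes `(x) >> 32` undefined whenever a caller passes a 32-bit `unsigned long` (a shift by the full width of the type), where the old form was well-defined and yielded 0 for the high word. Under `CONFIG_CPU_MIPS32` with `pte_low`/`pte_high` declared `unsigned long`, a call such as `__pte(0)` or `__pte(some_unsigned_long)` would hit that path; unless every caller is known to pass a 64-bit value, keep the cast, `{(x), ((unsigned long long)(x)) >> 32}`. If the intent is to force callers to supply 64-bit values, a comment stating that contract would make the change reviewable.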
1450 diff -urNp linux-2.6.38.4/arch/mips/include/asm/system.h linux-2.6.38.4/arch/mips/include/asm/system.h
1451 --- linux-2.6.38.4/arch/mips/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
1452 +++ linux-2.6.38.4/arch/mips/include/asm/system.h 2011-04-17 15:57:32.000000000 -0400
1453 @@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
1455 #define __ARCH_WANT_UNLOCKED_CTXSW
1457 -extern unsigned long arch_align_stack(unsigned long sp);
1458 +#define arch_align_stack(x) ((x) & ~0xfUL)
1460 #endif /* _ASM_SYSTEM_H */
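Review bot: `#define arch_align_stack(x) ((x) & ~0xfUL)` replaces a function which, per the deleted body in arch/mips/kernel/process.c, randomised the stack pointer within a page and then aligned with `ALMASK`; the macro unconditionally aligns to 16 bytes and drops the randomisation. Aligning o32 stacks to 16 rather than 8 bytes is harmless, but the loss of per-exec stack randomisation is a behaviour change that should be stated, presumably because PaX's own stack randomisation takes over. Suggest a comment next to the macro, e.g. `/* stack randomisation is handled by the PaX path; only alignment is needed here */`, once that is confirmed.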
1461 diff -urNp linux-2.6.38.4/arch/mips/kernel/binfmt_elfn32.c linux-2.6.38.4/arch/mips/kernel/binfmt_elfn32.c
1462 --- linux-2.6.38.4/arch/mips/kernel/binfmt_elfn32.c 2011-03-14 21:20:32.000000000 -0400
1463 +++ linux-2.6.38.4/arch/mips/kernel/binfmt_elfn32.c 2011-04-17 15:57:32.000000000 -0400
1464 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1465 #undef ELF_ET_DYN_BASE
1466 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1468 +#ifdef CONFIG_PAX_ASLR
1469 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1471 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1472 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1475 #include <asm/processor.h>
1476 #include <linux/module.h>
1477 #include <linux/elfcore.h>
1478 diff -urNp linux-2.6.38.4/arch/mips/kernel/binfmt_elfo32.c linux-2.6.38.4/arch/mips/kernel/binfmt_elfo32.c
1479 --- linux-2.6.38.4/arch/mips/kernel/binfmt_elfo32.c 2011-03-14 21:20:32.000000000 -0400
1480 +++ linux-2.6.38.4/arch/mips/kernel/binfmt_elfo32.c 2011-04-17 15:57:32.000000000 -0400
1481 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1482 #undef ELF_ET_DYN_BASE
1483 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1485 +#ifdef CONFIG_PAX_ASLR
1486 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1488 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1489 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1492 #include <asm/processor.h>
1495 diff -urNp linux-2.6.38.4/arch/mips/kernel/kgdb.c linux-2.6.38.4/arch/mips/kernel/kgdb.c
1496 --- linux-2.6.38.4/arch/mips/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
1497 +++ linux-2.6.38.4/arch/mips/kernel/kgdb.c 2011-04-17 15:57:32.000000000 -0400
1498 @@ -351,7 +351,7 @@ int kgdb_arch_handle_exception(int vecto
1502 -struct kgdb_arch arch_kgdb_ops;
1503 +struct kgdb_arch arch_kgdb_ops; /* cannot be const, see kgdb_arch_init */
1506 * We use kgdb_early_setup so that functions we need to call now don't
1507 diff -urNp linux-2.6.38.4/arch/mips/kernel/process.c linux-2.6.38.4/arch/mips/kernel/process.c
1508 --- linux-2.6.38.4/arch/mips/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
1509 +++ linux-2.6.38.4/arch/mips/kernel/process.c 2011-04-17 15:57:32.000000000 -0400
1510 @@ -473,15 +473,3 @@ unsigned long get_wchan(struct task_stru
1516 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1517 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1519 -unsigned long arch_align_stack(unsigned long sp)
1521 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1522 - sp -= get_random_int() & ~PAGE_MASK;
1524 - return sp & ALMASK;
1526 diff -urNp linux-2.6.38.4/arch/mips/kernel/syscall.c linux-2.6.38.4/arch/mips/kernel/syscall.c
1527 --- linux-2.6.38.4/arch/mips/kernel/syscall.c 2011-03-14 21:20:32.000000000 -0400
1528 +++ linux-2.6.38.4/arch/mips/kernel/syscall.c 2011-04-17 15:57:32.000000000 -0400
1529 @@ -108,14 +108,18 @@ unsigned long arch_get_unmapped_area(str
1531 if (filp || (flags & MAP_SHARED))
1534 +#ifdef CONFIG_PAX_RANDMMAP
1535 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1540 addr = COLOUR_ALIGN(addr, pgoff);
1542 addr = PAGE_ALIGN(addr);
1543 vmm = find_vma(current->mm, addr);
1544 - if (task_size - len >= addr &&
1545 - (!vmm || addr + len <= vmm->vm_start))
1546 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
1549 addr = current->mm->mmap_base;
1550 @@ -128,7 +132,7 @@ unsigned long arch_get_unmapped_area(str
1551 /* At this point: (!vmm || addr < vmm->vm_end). */
1552 if (task_size - len < addr)
1554 - if (!vmm || addr + len <= vmm->vm_start)
1555 + if (check_heap_stack_gap(vmm, addr, len))
1559 @@ -168,19 +172,6 @@ static inline unsigned long brk_rnd(void
1563 -unsigned long arch_randomize_brk(struct mm_struct *mm)
1565 - unsigned long base = mm->brk;
1566 - unsigned long ret;
1568 - ret = PAGE_ALIGN(base + brk_rnd());
1570 - if (ret < mm->brk)
1576 SYSCALL_DEFINE6(mips_mmap, unsigned long, addr, unsigned long, len,
1577 unsigned long, prot, unsigned long, flags, unsigned long,
1579 diff -urNp linux-2.6.38.4/arch/mips/mm/dma-default.c linux-2.6.38.4/arch/mips/mm/dma-default.c
1580 --- linux-2.6.38.4/arch/mips/mm/dma-default.c 2011-03-14 21:20:32.000000000 -0400
1581 +++ linux-2.6.38.4/arch/mips/mm/dma-default.c 2011-04-17 15:57:32.000000000 -0400
1582 @@ -300,7 +300,7 @@ void dma_cache_sync(struct device *dev,
1584 EXPORT_SYMBOL(dma_cache_sync);
1586 -static struct dma_map_ops mips_default_dma_map_ops = {
1587 +static const struct dma_map_ops mips_default_dma_map_ops = {
1588 .alloc_coherent = mips_dma_alloc_coherent,
1589 .free_coherent = mips_dma_free_coherent,
1590 .map_page = mips_dma_map_page,
1591 @@ -315,7 +315,7 @@ static struct dma_map_ops mips_default_d
1592 .dma_supported = mips_dma_supported
1595 -struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
1596 +const struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
1597 EXPORT_SYMBOL(mips_dma_map_ops);
1599 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
1600 diff -urNp linux-2.6.38.4/arch/mips/mm/fault.c linux-2.6.38.4/arch/mips/mm/fault.c
1601 --- linux-2.6.38.4/arch/mips/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
1602 +++ linux-2.6.38.4/arch/mips/mm/fault.c 2011-04-17 15:57:32.000000000 -0400
1604 #include <asm/highmem.h> /* For VMALLOC_END */
1605 #include <linux/kdebug.h>
1607 +#ifdef CONFIG_PAX_PAGEEXEC
1608 +void pax_report_insns(void *pc, void *sp)
1612 + printk(KERN_ERR "PAX: bytes at PC: ");
1613 + for (i = 0; i < 5; i++) {
1615 + if (get_user(c, (unsigned int *)pc+i))
1616 + printk(KERN_CONT "???????? ");
1618 + printk(KERN_CONT "%08x ", c);
1625 * This routine handles page faults. It determines the address,
1626 * and the problem, and then passes it off to one of the appropriate
1627 diff -urNp linux-2.6.38.4/arch/parisc/include/asm/elf.h linux-2.6.38.4/arch/parisc/include/asm/elf.h
1628 --- linux-2.6.38.4/arch/parisc/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
1629 +++ linux-2.6.38.4/arch/parisc/include/asm/elf.h 2011-04-17 15:57:32.000000000 -0400
1630 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
1632 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1634 +#ifdef CONFIG_PAX_ASLR
1635 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1637 +#define PAX_DELTA_MMAP_LEN 16
1638 +#define PAX_DELTA_STACK_LEN 16
1641 /* This yields a mask that user programs can use to figure out what
1642 instruction set this CPU supports. This could be done in user space,
1643 but it's not easy, and we've already done it here. */
1644 diff -urNp linux-2.6.38.4/arch/parisc/include/asm/pgtable.h linux-2.6.38.4/arch/parisc/include/asm/pgtable.h
1645 --- linux-2.6.38.4/arch/parisc/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
1646 +++ linux-2.6.38.4/arch/parisc/include/asm/pgtable.h 2011-04-17 15:57:32.000000000 -0400
1647 @@ -209,6 +209,17 @@ struct vm_area_struct;
1648 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1649 #define PAGE_COPY PAGE_EXECREAD
1650 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1652 +#ifdef CONFIG_PAX_PAGEEXEC
1653 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1654 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1655 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1657 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1658 +# define PAGE_COPY_NOEXEC PAGE_COPY
1659 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1662 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1663 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1664 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1665 diff -urNp linux-2.6.38.4/arch/parisc/kernel/module.c linux-2.6.38.4/arch/parisc/kernel/module.c
1666 --- linux-2.6.38.4/arch/parisc/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
1667 +++ linux-2.6.38.4/arch/parisc/kernel/module.c 2011-04-17 15:57:32.000000000 -0400
1670 /* three functions to determine where in the module core
1671 * or init pieces the location is */
1672 +static inline int in_init_rx(struct module *me, void *loc)
1674 + return (loc >= me->module_init_rx &&
1675 + loc < (me->module_init_rx + me->init_size_rx));
1678 +static inline int in_init_rw(struct module *me, void *loc)
1680 + return (loc >= me->module_init_rw &&
1681 + loc < (me->module_init_rw + me->init_size_rw));
1684 static inline int in_init(struct module *me, void *loc)
1686 - return (loc >= me->module_init &&
1687 - loc <= (me->module_init + me->init_size));
1688 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1691 +static inline int in_core_rx(struct module *me, void *loc)
1693 + return (loc >= me->module_core_rx &&
1694 + loc < (me->module_core_rx + me->core_size_rx));
1697 +static inline int in_core_rw(struct module *me, void *loc)
1699 + return (loc >= me->module_core_rw &&
1700 + loc < (me->module_core_rw + me->core_size_rw));
1703 static inline int in_core(struct module *me, void *loc)
1705 - return (loc >= me->module_core &&
1706 - loc <= (me->module_core + me->core_size));
1707 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1710 static inline int in_local(struct module *me, void *loc)
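Review bot: Besides splitting the regions, the new `in_init_rx`/`in_core_rx` helpers change the upper bound from `loc <= base + size` to `loc < base + size`; that is the correct half-open range, but it is a silent bounds fix the commit does not mention, and any caller that relied on matching the one-past-the-end address changes behaviour. The context comment `/* three functions to determine where in the module core or init pieces the location is */` is now stale with seven helpers below it; suggest `/* helpers to locate an address within the rx/rw halves of the module core or init regions */`. A note that rx and rw are separate allocations, hence the two-range test, would also help — the allocation side is not visible here.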
1711 @@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_
1714 /* align things a bit */
1715 - me->core_size = ALIGN(me->core_size, 16);
1716 - me->arch.got_offset = me->core_size;
1717 - me->core_size += gots * sizeof(struct got_entry);
1719 - me->core_size = ALIGN(me->core_size, 16);
1720 - me->arch.fdesc_offset = me->core_size;
1721 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1722 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1723 + me->arch.got_offset = me->core_size_rw;
1724 + me->core_size_rw += gots * sizeof(struct got_entry);
1726 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1727 + me->arch.fdesc_offset = me->core_size_rw;
1728 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1730 me->arch.got_max = gots;
1731 me->arch.fdesc_max = fdescs;
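Review bot: `me->arch.got_offset` and `me->arch.fdesc_offset` are now offsets into `module_core_rw` instead of `module_core`, but the only comment left in the hunk is `/* align things a bit */`, so a reader of `struct mod_arch_specific` cannot tell which base the two offsets are relative to. I'd extend that comment: `/* GOT and function descriptors are written at relocation time (get_got/get_fdesc), so they live in the RW core region; got_offset/fdesc_offset are relative to module_core_rw */`. The later hunks in this file (get_got, get_fdesc, register_unwind_table) all switch to `module_core_rw`, so the change itself looks consistent. module_frob_arch_sections begins and ends outside the hunk.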
1732 @@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module
1736 - got = me->module_core + me->arch.got_offset;
1737 + got = me->module_core_rw + me->arch.got_offset;
1738 for (i = 0; got[i].addr; i++)
1739 if (got[i].addr == value)
1741 @@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module
1743 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1745 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1746 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1749 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1750 @@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module
1752 /* Create new one */
1753 fdesc->addr = value;
1754 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1755 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1756 return (Elf_Addr)fdesc;
1758 #endif /* CONFIG_64BIT */
1759 @@ -849,7 +871,7 @@ register_unwind_table(struct module *me,
1761 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1762 end = table + sechdrs[me->arch.unwind_section].sh_size;
1763 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1764 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1766 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1767 me->arch.unwind_section, table, end, gp);
1768 diff -urNp linux-2.6.38.4/arch/parisc/kernel/sys_parisc.c linux-2.6.38.4/arch/parisc/kernel/sys_parisc.c
1769 --- linux-2.6.38.4/arch/parisc/kernel/sys_parisc.c 2011-03-14 21:20:32.000000000 -0400
1770 +++ linux-2.6.38.4/arch/parisc/kernel/sys_parisc.c 2011-04-17 15:57:32.000000000 -0400
1771 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1772 /* At this point: (!vma || addr < vma->vm_end). */
1773 if (TASK_SIZE - len < addr)
1775 - if (!vma || addr + len <= vma->vm_start)
1776 + if (check_heap_stack_gap(vma, addr, len))
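Review bot: `check_heap_stack_gap(vma, addr, len)` replaces a condition that explicitly handled `!vma`, and nothing in the hunk shows where the helper lives or that it keeps the NULL-vma case; if it dereferences `vma` unconditionally, the search in get_unshared_area (and the identical replacement in get_shared_area, L1097) faults once it runs past the last mapping. A one-line comment at the call site would pin the contract: `/* check_heap_stack_gap() must accept a NULL vma (no mapping above addr) */`. The `current->mm->mmap_base` change in the third hunk (L1103) presumably exists so a randomised mmap base is honoured instead of the fixed `TASK_UNMAPPED_BASE`; that is worth a comment too. Both functions start and end outside the hunks.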
1780 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1781 /* At this point: (!vma || addr < vma->vm_end). */
1782 if (TASK_SIZE - len < addr)
1784 - if (!vma || addr + len <= vma->vm_start)
1785 + if (check_heap_stack_gap(vma, addr, len))
1787 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1788 if (addr < vma->vm_end) /* handle wraparound */
1789 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1790 if (flags & MAP_FIXED)
1793 - addr = TASK_UNMAPPED_BASE;
1794 + addr = current->mm->mmap_base;
1797 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1798 diff -urNp linux-2.6.38.4/arch/parisc/kernel/traps.c linux-2.6.38.4/arch/parisc/kernel/traps.c
1799 --- linux-2.6.38.4/arch/parisc/kernel/traps.c 2011-03-14 21:20:32.000000000 -0400
1800 +++ linux-2.6.38.4/arch/parisc/kernel/traps.c 2011-04-17 15:57:32.000000000 -0400
1801 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1803 down_read(¤t->mm->mmap_sem);
1804 vma = find_vma(current->mm,regs->iaoq[0]);
1805 - if (vma && (regs->iaoq[0] >= vma->vm_start)
1806 - && (vma->vm_flags & VM_EXEC)) {
1808 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1809 fault_address = regs->iaoq[0];
1810 fault_space = regs->iasq[0];
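Review bot: Dropping `(vma->vm_flags & VM_EXEC)` from the instruction-fetch test in handle_interruption removes a visible check without a comment saying why, and a later maintainer will be tempted to restore it. The apparent intent is that a fetch from a mapped but non-executable vma must still be reported as an instruction fault (`fault_address = regs->iaoq[0]`) so the page-fault path can apply the PAGEEXEC handling added in arch/parisc/mm/fault.c; I'd say so above the `if`: `/* PaX: report fetches from non-VM_EXEC vmas as instruction faults so do_page_fault can enforce PAGEEXEC */`. The context line `down_read(¤t->mm->mmap_sem)` is a rendering artefact of `&current`, not a code change. The function continues outside the hunk.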
1812 diff -urNp linux-2.6.38.4/arch/parisc/mm/fault.c linux-2.6.38.4/arch/parisc/mm/fault.c
1813 --- linux-2.6.38.4/arch/parisc/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
1814 +++ linux-2.6.38.4/arch/parisc/mm/fault.c 2011-04-17 15:57:32.000000000 -0400
1816 #include <linux/sched.h>
1817 #include <linux/interrupt.h>
1818 #include <linux/module.h>
1819 +#include <linux/unistd.h>
1821 #include <asm/uaccess.h>
1822 #include <asm/traps.h>
1823 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1824 static unsigned long
1825 parisc_acctyp(unsigned long code, unsigned int inst)
1827 - if (code == 6 || code == 16)
1828 + if (code == 6 || code == 7 || code == 16)
1831 switch (inst & 0xf0000000) {
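Review bot: The added `code == 7` is a bare magic number next to `6` and `16`, and the hunk does not say which trap it is; on PA-RISC trap 7 is the instruction memory protection trap, i.e. the trap raised by a fetch from a page the PTE does not allow executing, which is exactly what PAGEEXEC relies on. I'd name it inline: `if (code == 6 || code == 7 || code == 16) /* ITLB miss, instruction protection trap, non-access ITLB miss: all fetches */`. The return for this branch and the rest of parisc_acctyp are outside the hunk, so I cannot confirm code 7 takes the same path as the other two.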
1832 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1836 +#ifdef CONFIG_PAX_PAGEEXEC
1838 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1840 + * returns 1 when task should be killed
1841 + * 2 when rt_sigreturn trampoline was detected
1842 + * 3 when unpatched PLT trampoline was detected
1844 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1847 +#ifdef CONFIG_PAX_EMUPLT
1850 + do { /* PaX: unpatched PLT emulation */
1851 + unsigned int bl, depwi;
1853 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1854 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1859 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1860 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1862 + err = get_user(ldw, (unsigned int *)addr);
1863 + err |= get_user(bv, (unsigned int *)(addr+4));
1864 + err |= get_user(ldw2, (unsigned int *)(addr+8));
1869 + if (ldw == 0x0E801096U &&
1870 + bv == 0xEAC0C000U &&
1871 + ldw2 == 0x0E881095U)
1873 + unsigned int resolver, map;
1875 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1876 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1880 + regs->gr[20] = instruction_pointer(regs)+8;
1881 + regs->gr[21] = map;
1882 + regs->gr[22] = resolver;
1883 + regs->iaoq[0] = resolver | 3UL;
1884 + regs->iaoq[1] = regs->iaoq[0] + 4;
1891 +#ifdef CONFIG_PAX_EMUTRAMP
1893 +#ifndef CONFIG_PAX_EMUSIGRT
1894 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1898 + do { /* PaX: rt_sigreturn emulation */
1899 + unsigned int ldi1, ldi2, bel, nop;
1901 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1902 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1903 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1904 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1909 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1910 + ldi2 == 0x3414015AU &&
1911 + bel == 0xE4008200U &&
1912 + nop == 0x08000240U)
1914 + regs->gr[25] = (ldi1 & 2) >> 1;
1915 + regs->gr[20] = __NR_rt_sigreturn;
1916 + regs->gr[31] = regs->iaoq[1] + 16;
1917 + regs->sr[0] = regs->iasq[1];
1918 + regs->iaoq[0] = 0x100UL;
1919 + regs->iaoq[1] = regs->iaoq[0] + 4;
1920 + regs->iasq[0] = regs->sr[2];
1921 + regs->iasq[1] = regs->sr[2];
1930 +void pax_report_insns(void *pc, void *sp)
1934 + printk(KERN_ERR "PAX: bytes at PC: ");
1935 + for (i = 0; i < 5; i++) {
1937 + if (get_user(c, (unsigned int *)pc+i))
1938 + printk(KERN_CONT "???????? ");
1940 + printk(KERN_CONT "%08x ", c);
1946 int fixup_exception(struct pt_regs *regs)
1948 const struct exception_table_entry *fix;
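Review bot: pax_handle_fetch_fault rewrites a dozen registers (`gr[20..22]`, `iaoq[0..1]`, `gr[25]`, `gr[31]`, `sr[0]`, `iasq[0..1]`) with nothing saying what each write means, and the matched instruction words (`0xEA9F1FDDU`, `0xD6801C1EU`, `0x34190000U`, …) are not decoded anywhere, so this is the block a future maintainer can least safely touch. I'd put the disassembled instruction next to each constant and annotate the register writes, in particular `regs->iaoq[0] = resolver | 3UL; /* low two bits of iaoq are the privilege level; 3 = user */` and `regs->iaoq[0] = 0x100UL; /* syscall entry in the gateway page; space taken from sr[2] below */`. The `if (err)` checks between the get_user calls are elided in this rendering, so I cannot confirm every failed read exits before the registers are modified. pax_report_insns reads five words at the faulting PC with get_user and prints `????????` on failure, which is fine.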
1949 @@ -192,8 +303,33 @@ good_area:
1951 acc_type = parisc_acctyp(code,regs->iir);
1953 - if ((vma->vm_flags & acc_type) != acc_type)
1954 + if ((vma->vm_flags & acc_type) != acc_type) {
1956 +#ifdef CONFIG_PAX_PAGEEXEC
1957 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1958 + (address & ~3UL) == instruction_pointer(regs))
1960 + up_read(&mm->mmap_sem);
1961 + switch (pax_handle_fetch_fault(regs)) {
1963 +#ifdef CONFIG_PAX_EMUPLT
1968 +#ifdef CONFIG_PAX_EMUTRAMP
1974 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1975 + do_group_exit(SIGKILL);
1983 * If for any reason at all we couldn't handle the fault, make
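Review bot: The PAGEEXEC branch drops `mm->mmap_sem` with `up_read` and then, for the kill result, calls `pax_report_fault` and `do_group_exit(SIGKILL)`; the case bodies for the two emulation results are elided in this rendering, so I cannot see that each one returns rather than falling through to the kill path or back into code that still expects `mmap_sem` held. The `(address & ~3UL) == instruction_pointer(regs)` test deserves a comment, since the mask is not obvious: `/* the fault address carries the privilege-level bits of iaoq; strip them before comparing with the PC */` (presumably `instruction_pointer()` already strips them — confirm). do_page_fault starts and ends outside the hunk.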
1984 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/device.h linux-2.6.38.4/arch/powerpc/include/asm/device.h
1985 --- linux-2.6.38.4/arch/powerpc/include/asm/device.h 2011-03-14 21:20:32.000000000 -0400
1986 +++ linux-2.6.38.4/arch/powerpc/include/asm/device.h 2011-04-17 15:57:32.000000000 -0400
1987 @@ -17,7 +17,7 @@ struct device_node;
1989 struct dev_archdata {
1990 /* DMA operations on that device */
1991 - struct dma_map_ops *dma_ops;
1992 + const struct dma_map_ops *dma_ops;
1995 * When an iommu is in use, dma_data is used as a ptr to the base of the
1996 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/dma-mapping.h linux-2.6.38.4/arch/powerpc/include/asm/dma-mapping.h
1997 --- linux-2.6.38.4/arch/powerpc/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
1998 +++ linux-2.6.38.4/arch/powerpc/include/asm/dma-mapping.h 2011-04-17 15:57:32.000000000 -0400
1999 @@ -66,12 +66,13 @@ static inline unsigned long device_to_ma
2001 * Available generic sets of operations
2003 +/* cannot be const */
2005 -extern struct dma_map_ops dma_iommu_ops;
2006 +extern const struct dma_map_ops dma_iommu_ops;
2008 -extern struct dma_map_ops dma_direct_ops;
2009 +extern const struct dma_map_ops dma_direct_ops;
2011 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2012 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2014 /* We don't handle the NULL dev case for ISA for now. We could
2015 * do it via an out of line call but it is not needed for now. The
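Review bot: The header now declares `extern const struct dma_map_ops dma_iommu_ops;` directly under a new `/* cannot be const */` comment, while the definition in arch/powerpc/kernel/dma-iommu.c (L1495) is deliberately left non-const with a note pointing at arch/powerpc/platforms/cell/iommu.c. A const declaration and a non-const definition are conflicting type qualifiers: any translation unit that sees both (dma-iommu.c almost certainly includes this header via linux/dma-mapping.h) fails to compile, and a unit that sees only the header is told the object is immutable while cell/iommu.c writes to it. Either the `extern` line should stay `extern struct dma_map_ops dma_iommu_ops;` to match the comment and the definition, or the definition should become const and cell/iommu.c fixed; as written, the comment contradicts the line beneath it.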
2016 @@ -84,7 +85,7 @@ static inline struct dma_map_ops *get_dm
2017 return dev->archdata.dma_ops;
2020 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2021 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
2023 dev->archdata.dma_ops = ops;
2025 @@ -118,7 +119,7 @@ static inline void set_dma_offset(struct
2027 static inline int dma_supported(struct device *dev, u64 mask)
2029 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2030 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2032 if (unlikely(dma_ops == NULL))
2034 @@ -132,7 +133,7 @@ extern int dma_set_mask(struct device *d
2035 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2036 dma_addr_t *dma_handle, gfp_t flag)
2038 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2039 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2043 @@ -147,7 +148,7 @@ static inline void *dma_alloc_coherent(s
2044 static inline void dma_free_coherent(struct device *dev, size_t size,
2045 void *cpu_addr, dma_addr_t dma_handle)
2047 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2048 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2052 @@ -158,7 +159,7 @@ static inline void dma_free_coherent(str
2054 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2056 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2057 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2059 if (dma_ops->mapping_error)
2060 return dma_ops->mapping_error(dev, dma_addr);
2061 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/elf.h linux-2.6.38.4/arch/powerpc/include/asm/elf.h
2062 --- linux-2.6.38.4/arch/powerpc/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
2063 +++ linux-2.6.38.4/arch/powerpc/include/asm/elf.h 2011-04-17 15:57:32.000000000 -0400
2064 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2065 the loader. We need to make sure that it is out of the way of the program
2066 that it will "exec", and that there is sufficient room for the brk. */
2068 -extern unsigned long randomize_et_dyn(unsigned long base);
2069 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2070 +#define ELF_ET_DYN_BASE (0x20000000)
2072 +#ifdef CONFIG_PAX_ASLR
2073 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2075 +#ifdef __powerpc64__
2076 +#define PAX_DELTA_MMAP_LEN (is_32bit_task() ? 16 : 28)
2077 +#define PAX_DELTA_STACK_LEN (is_32bit_task() ? 16 : 28)
2079 +#define PAX_DELTA_MMAP_LEN 15
2080 +#define PAX_DELTA_STACK_LEN 15
2085 * Our registers are always unsigned longs, whether we're a 32 bit
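Review bot: With `CONFIG_PAX_ASLR` disabled this hunk leaves powerpc with a fixed `ELF_ET_DYN_BASE` of `0x20000000` and, together with the second hunk (L1271–L1272), no `arch_randomize_brk`; the removed `randomize_et_dyn()`, the `arch_randomize_brk`/`arch_align_stack` bodies deleted from arch/powerpc/kernel/process.c (L1620 onward) and the non-randomising `arch_align_stack` macro in asm/system.h (L1376) were the kernel's own ASLR. Unless the `PAX_DELTA_*_LEN` machinery is unconditionally active, a non-PaX configuration of this tree has less address-space randomisation than stock 2.6.38. If that is intended, say so next to the define: `/* ASLR is provided by PaX (PAX_DELTA_MMAP_LEN etc.) when CONFIG_PAX_ASLR is set; no in-kernel randomisation otherwise */`; if not, the removals should be guarded by `CONFIG_PAX_ASLR`.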
2086 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
2087 (0x7ff >> (PAGE_SHIFT - 12)) : \
2088 (0x3ffff >> (PAGE_SHIFT - 12)))
2090 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2091 -#define arch_randomize_brk arch_randomize_brk
2093 #endif /* __KERNEL__ */
2096 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/iommu.h linux-2.6.38.4/arch/powerpc/include/asm/iommu.h
2097 --- linux-2.6.38.4/arch/powerpc/include/asm/iommu.h 2011-03-14 21:20:32.000000000 -0400
2098 +++ linux-2.6.38.4/arch/powerpc/include/asm/iommu.h 2011-04-17 15:57:32.000000000 -0400
2099 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2100 extern void iommu_init_early_dart(void);
2101 extern void iommu_init_early_pasemi(void);
2104 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2107 extern void pci_iommu_init(void);
2108 extern void pci_direct_iommu_init(void);
2109 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/kmap_types.h linux-2.6.38.4/arch/powerpc/include/asm/kmap_types.h
2110 --- linux-2.6.38.4/arch/powerpc/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
2111 +++ linux-2.6.38.4/arch/powerpc/include/asm/kmap_types.h 2011-04-17 15:57:32.000000000 -0400
2112 @@ -27,6 +27,7 @@ enum km_type {
2120 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/page_64.h linux-2.6.38.4/arch/powerpc/include/asm/page_64.h
2121 --- linux-2.6.38.4/arch/powerpc/include/asm/page_64.h 2011-03-14 21:20:32.000000000 -0400
2122 +++ linux-2.6.38.4/arch/powerpc/include/asm/page_64.h 2011-04-17 15:57:32.000000000 -0400
2123 @@ -172,15 +172,18 @@ do { \
2124 * stack by default, so in the absense of a PT_GNU_STACK program header
2125 * we turn execute permission off.
2127 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2128 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2129 +#define VM_STACK_DEFAULT_FLAGS32 \
2130 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2131 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2133 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2134 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2136 +#ifndef CONFIG_PAX_PAGEEXEC
2137 #define VM_STACK_DEFAULT_FLAGS \
2138 (is_32bit_task() ? \
2139 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2142 #include <asm-generic/getorder.h>
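Review bot: `VM_STACK_DEFAULT_FLAGS32` now grants `VM_EXEC` only when the personality carries `READ_IMPLIES_EXEC`, but the comment kept above it (`in the absense of a PT_GNU_STACK program header we turn execute permission off`) no longer describes the 32-bit case; the same applies to `VM_DATA_DEFAULT_FLAGS32` in asm/page.h (L1313). I'd add: `/* 32-bit: executable by default only if the personality asked for it via READ_IMPLIES_EXEC (presumably set by the ELF loader for binaries without PT_GNU_STACK - confirm) */`. The new `#ifndef CONFIG_PAX_PAGEEXEC` guard means `VM_STACK_DEFAULT_FLAGS` must be provided elsewhere when PAGEEXEC is on; neither the matching `#endif` nor that alternative definition is visible here.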
2144 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/page.h linux-2.6.38.4/arch/powerpc/include/asm/page.h
2145 --- linux-2.6.38.4/arch/powerpc/include/asm/page.h 2011-03-14 21:20:32.000000000 -0400
2146 +++ linux-2.6.38.4/arch/powerpc/include/asm/page.h 2011-04-17 15:57:32.000000000 -0400
2147 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
2148 * and needs to be executable. This means the whole heap ends
2149 * up being executable.
2151 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2152 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2153 +#define VM_DATA_DEFAULT_FLAGS32 \
2154 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2155 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2157 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2158 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2159 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
2160 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2163 +#define ktla_ktva(addr) (addr)
2164 +#define ktva_ktla(addr) (addr)
2166 #ifndef __ASSEMBLY__
2168 #undef STRICT_MM_TYPECHECKS
2169 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/pci.h linux-2.6.38.4/arch/powerpc/include/asm/pci.h
2170 --- linux-2.6.38.4/arch/powerpc/include/asm/pci.h 2011-03-14 21:20:32.000000000 -0400
2171 +++ linux-2.6.38.4/arch/powerpc/include/asm/pci.h 2011-04-17 15:57:32.000000000 -0400
2172 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2176 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2177 -extern struct dma_map_ops *get_pci_dma_ops(void);
2178 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2179 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2180 #else /* CONFIG_PCI */
2181 #define set_pci_dma_ops(d)
2182 #define get_pci_dma_ops() NULL
2183 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/pgtable.h linux-2.6.38.4/arch/powerpc/include/asm/pgtable.h
2184 --- linux-2.6.38.4/arch/powerpc/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
2185 +++ linux-2.6.38.4/arch/powerpc/include/asm/pgtable.h 2011-04-17 15:57:32.000000000 -0400
2187 #define _ASM_POWERPC_PGTABLE_H
2190 +#include <linux/const.h>
2191 #ifndef __ASSEMBLY__
2192 #include <asm/processor.h> /* For TASK_SIZE */
2193 #include <asm/mmu.h>
2194 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/pte-hash32.h linux-2.6.38.4/arch/powerpc/include/asm/pte-hash32.h
2195 --- linux-2.6.38.4/arch/powerpc/include/asm/pte-hash32.h 2011-03-14 21:20:32.000000000 -0400
2196 +++ linux-2.6.38.4/arch/powerpc/include/asm/pte-hash32.h 2011-04-17 15:57:32.000000000 -0400
2198 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2199 #define _PAGE_USER 0x004 /* usermode access allowed */
2200 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2201 +#define _PAGE_EXEC _PAGE_GUARDED
2202 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2203 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2204 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
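Review bot: `#define _PAGE_EXEC _PAGE_GUARDED` aliases a software "executable" flag onto a bit the hardware reads as G (`prohibit speculative access`, per the comment on the line above), with no comment saying how the alias is meant to work. 32-bit hash MMUs have no per-page execute bit, so the trick is presumably that the guarded-fetch fault (`DSISR_GUARDED` is added in asm/reg.h, L1359) is used to emulate non-executable pages and the hash-PTE builder applies the bit inverted; none of that is in this chunk. The define needs a comment stating the contract, e.g. `/* no NX bit on hash32: PAGEEXEC reuses G and relies on the guarded-fetch ISI; see the hash PTE code for how the bit is applied */`, so that nobody later uses `_PAGE_EXEC` as an ordinary PTE flag.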
2205 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/reg.h linux-2.6.38.4/arch/powerpc/include/asm/reg.h
2206 --- linux-2.6.38.4/arch/powerpc/include/asm/reg.h 2011-04-18 17:27:13.000000000 -0400
2207 +++ linux-2.6.38.4/arch/powerpc/include/asm/reg.h 2011-04-17 15:57:32.000000000 -0400
2209 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2210 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2211 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2212 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2213 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2214 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2215 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2216 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/swiotlb.h linux-2.6.38.4/arch/powerpc/include/asm/swiotlb.h
2217 --- linux-2.6.38.4/arch/powerpc/include/asm/swiotlb.h 2011-03-14 21:20:32.000000000 -0400
2218 +++ linux-2.6.38.4/arch/powerpc/include/asm/swiotlb.h 2011-04-17 15:57:32.000000000 -0400
2221 #include <linux/swiotlb.h>
2223 -extern struct dma_map_ops swiotlb_dma_ops;
2224 +extern const struct dma_map_ops swiotlb_dma_ops;
2226 static inline void dma_mark_clean(void *addr, size_t size) {}
2228 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/system.h linux-2.6.38.4/arch/powerpc/include/asm/system.h
2229 --- linux-2.6.38.4/arch/powerpc/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
2230 +++ linux-2.6.38.4/arch/powerpc/include/asm/system.h 2011-04-17 15:57:32.000000000 -0400
2231 @@ -533,7 +533,7 @@ __cmpxchg_local(volatile void *ptr, unsi
2232 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
2235 -extern unsigned long arch_align_stack(unsigned long sp);
2236 +#define arch_align_stack(x) ((x) & ~0xfUL)
2238 /* Used in very early kernel initialization. */
2239 extern unsigned long reloc_offset(void);
2240 diff -urNp linux-2.6.38.4/arch/powerpc/include/asm/uaccess.h linux-2.6.38.4/arch/powerpc/include/asm/uaccess.h
2241 --- linux-2.6.38.4/arch/powerpc/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
2242 +++ linux-2.6.38.4/arch/powerpc/include/asm/uaccess.h 2011-04-17 15:57:32.000000000 -0400
2244 #define VERIFY_READ 0
2245 #define VERIFY_WRITE 1
2247 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
2250 * The fs value determines whether argument validity checking should be
2251 * performed or not. If get_fs() == USER_DS, checking is performed, with
2252 @@ -327,52 +329,6 @@ do { \
2253 extern unsigned long __copy_tofrom_user(void __user *to,
2254 const void __user *from, unsigned long size);
2256 -#ifndef __powerpc64__
2258 -static inline unsigned long copy_from_user(void *to,
2259 - const void __user *from, unsigned long n)
2261 - unsigned long over;
2263 - if (access_ok(VERIFY_READ, from, n))
2264 - return __copy_tofrom_user((__force void __user *)to, from, n);
2265 - if ((unsigned long)from < TASK_SIZE) {
2266 - over = (unsigned long)from + n - TASK_SIZE;
2267 - return __copy_tofrom_user((__force void __user *)to, from,
2273 -static inline unsigned long copy_to_user(void __user *to,
2274 - const void *from, unsigned long n)
2276 - unsigned long over;
2278 - if (access_ok(VERIFY_WRITE, to, n))
2279 - return __copy_tofrom_user(to, (__force void __user *)from, n);
2280 - if ((unsigned long)to < TASK_SIZE) {
2281 - over = (unsigned long)to + n - TASK_SIZE;
2282 - return __copy_tofrom_user(to, (__force void __user *)from,
2288 -#else /* __powerpc64__ */
2290 -#define __copy_in_user(to, from, size) \
2291 - __copy_tofrom_user((to), (from), (size))
2293 -extern unsigned long copy_from_user(void *to, const void __user *from,
2295 -extern unsigned long copy_to_user(void __user *to, const void *from,
2297 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
2300 -#endif /* __powerpc64__ */
2302 static inline unsigned long __copy_from_user_inatomic(void *to,
2303 const void __user *from, unsigned long n)
2305 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2310 + if (!__builtin_constant_p(n))
2311 + check_object_size(to, n, false);
2313 return __copy_tofrom_user((__force void __user *)to, from, n);
2316 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2321 + if (!__builtin_constant_p(n))
2322 + check_object_size(from, n, true);
2324 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2327 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2328 return __copy_to_user_inatomic(to, from, size);
2331 +#ifndef __powerpc64__
2333 +static inline unsigned long __must_check copy_from_user(void *to,
2334 + const void __user *from, unsigned long n)
2336 + unsigned long over;
2341 + if (access_ok(VERIFY_READ, from, n)) {
2342 + if (!__builtin_constant_p(n))
2343 + check_object_size(to, n, false);
2344 + return __copy_tofrom_user((__force void __user *)to, from, n);
2346 + if ((unsigned long)from < TASK_SIZE) {
2347 + over = (unsigned long)from + n - TASK_SIZE;
2348 + if (!__builtin_constant_p(n - over))
2349 + check_object_size(to, n - over, false);
2350 + return __copy_tofrom_user((__force void __user *)to, from,
2356 +static inline unsigned long __must_check copy_to_user(void __user *to,
2357 + const void *from, unsigned long n)
2359 + unsigned long over;
2364 + if (access_ok(VERIFY_WRITE, to, n)) {
2365 + if (!__builtin_constant_p(n))
2366 + check_object_size(from, n, true);
2367 + return __copy_tofrom_user(to, (__force void __user *)from, n);
2369 + if ((unsigned long)to < TASK_SIZE) {
2370 + over = (unsigned long)to + n - TASK_SIZE;
2371 + if (!__builtin_constant_p(n))
2372 + check_object_size(from, n - over, true);
2373 + return __copy_tofrom_user(to, (__force void __user *)from,
2379 +#else /* __powerpc64__ */
2381 +#define __copy_in_user(to, from, size) \
2382 + __copy_tofrom_user((to), (from), (size))
2384 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2386 + if ((long)n < 0 || n > INT_MAX)
2389 + if (!__builtin_constant_p(n))
2390 + check_object_size(to, n, false);
2392 + if (likely(access_ok(VERIFY_READ, from, n)))
2393 + n = __copy_from_user(to, from, n);
2399 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2401 + if ((long)n < 0 || n > INT_MAX)
2404 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
2405 + if (!__builtin_constant_p(n))
2406 + check_object_size(from, n, true);
2407 + n = __copy_to_user(to, from, n);
2412 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2415 +#endif /* __powerpc64__ */
2417 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2419 static inline unsigned long clear_user(void __user *addr, unsigned long size)
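Review bot: In the 32-bit `copy_to_user` the partial-copy path gates the size check with `if (!__builtin_constant_p(n))` (L1448) but then checks `n - over`, whereas the mirror code in `copy_from_user` (L1436) tests `__builtin_constant_p(n - over)`; the two should agree, and the `from` variant is the consistent one: `if (!__builtin_constant_p(n - over))`. The 64-bit pair is asymmetric as well — `copy_from_user` calls `check_object_size` before `access_ok`, `copy_to_user` only inside the `access_ok` branch — which is harmless but worth aligning. The `__builtin_constant_p` gate itself deserves a one-line comment, e.g. `/* constant sizes are presumably checked at compile time; only runtime sizes go through check_object_size() */`. `check_object_size` is declared in this file's first hunk (L1384) and implemented outside this chunk.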
2420 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/dma.c linux-2.6.38.4/arch/powerpc/kernel/dma.c
2421 --- linux-2.6.38.4/arch/powerpc/kernel/dma.c 2011-03-14 21:20:32.000000000 -0400
2422 +++ linux-2.6.38.4/arch/powerpc/kernel/dma.c 2011-04-17 15:57:32.000000000 -0400
2423 @@ -136,7 +136,7 @@ static inline void dma_direct_sync_singl
2427 -struct dma_map_ops dma_direct_ops = {
2428 +const struct dma_map_ops dma_direct_ops = {
2429 .alloc_coherent = dma_direct_alloc_coherent,
2430 .free_coherent = dma_direct_free_coherent,
2431 .map_sg = dma_direct_map_sg,
2432 @@ -157,7 +157,7 @@ EXPORT_SYMBOL(dma_direct_ops);
2434 int dma_set_mask(struct device *dev, u64 dma_mask)
2436 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2437 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2439 if (ppc_md.dma_set_mask)
2440 return ppc_md.dma_set_mask(dev, dma_mask);
2441 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/dma-iommu.c linux-2.6.38.4/arch/powerpc/kernel/dma-iommu.c
2442 --- linux-2.6.38.4/arch/powerpc/kernel/dma-iommu.c 2011-03-14 21:20:32.000000000 -0400
2443 +++ linux-2.6.38.4/arch/powerpc/kernel/dma-iommu.c 2011-04-17 15:57:32.000000000 -0400
2444 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2447 /* We support DMA to/from any memory page via the iommu */
2448 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2449 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2451 struct iommu_table *tbl = get_iommu_table_base(dev);
2453 @@ -90,7 +90,7 @@ static int dma_iommu_dma_supported(struc
2457 -struct dma_map_ops dma_iommu_ops = {
2458 +struct dma_map_ops dma_iommu_ops = { /* cannot be const, see arch/powerpc/platforms/cell/iommu.c */
2459 .alloc_coherent = dma_iommu_alloc_coherent,
2460 .free_coherent = dma_iommu_free_coherent,
2461 .map_sg = dma_iommu_map_sg,
2462 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.38.4/arch/powerpc/kernel/dma-swiotlb.c
2463 --- linux-2.6.38.4/arch/powerpc/kernel/dma-swiotlb.c 2011-03-14 21:20:32.000000000 -0400
2464 +++ linux-2.6.38.4/arch/powerpc/kernel/dma-swiotlb.c 2011-04-17 15:57:32.000000000 -0400
2465 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2466 * map_page, and unmap_page on highmem, use normal dma_ops
2467 * for everything else.
2469 -struct dma_map_ops swiotlb_dma_ops = {
2470 +const struct dma_map_ops swiotlb_dma_ops = {
2471 .alloc_coherent = dma_direct_alloc_coherent,
2472 .free_coherent = dma_direct_free_coherent,
2473 .map_sg = swiotlb_map_sg_attrs,
2474 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/exceptions-64e.S linux-2.6.38.4/arch/powerpc/kernel/exceptions-64e.S
2475 --- linux-2.6.38.4/arch/powerpc/kernel/exceptions-64e.S 2011-03-14 21:20:32.000000000 -0400
2476 +++ linux-2.6.38.4/arch/powerpc/kernel/exceptions-64e.S 2011-04-17 15:57:32.000000000 -0400
2477 @@ -495,6 +495,7 @@ storage_fault_common:
2480 addi r3,r1,STACK_FRAME_OVERHEAD
2484 ld r14,PACA_EXGEN+EX_R14(r13)
2485 @@ -504,8 +505,7 @@ storage_fault_common:
2488 b .ret_from_except_lite
2492 addi r3,r1,STACK_FRAME_OVERHEAD
2495 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/exceptions-64s.S linux-2.6.38.4/arch/powerpc/kernel/exceptions-64s.S
2496 --- linux-2.6.38.4/arch/powerpc/kernel/exceptions-64s.S 2011-03-14 21:20:32.000000000 -0400
2497 +++ linux-2.6.38.4/arch/powerpc/kernel/exceptions-64s.S 2011-04-17 15:57:32.000000000 -0400
2498 @@ -848,10 +848,10 @@ handle_page_fault:
2501 addi r3,r1,STACK_FRAME_OVERHEAD
2508 addi r3,r1,STACK_FRAME_OVERHEAD
2510 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/ibmebus.c linux-2.6.38.4/arch/powerpc/kernel/ibmebus.c
2511 --- linux-2.6.38.4/arch/powerpc/kernel/ibmebus.c 2011-03-14 21:20:32.000000000 -0400
2512 +++ linux-2.6.38.4/arch/powerpc/kernel/ibmebus.c 2011-04-17 15:57:32.000000000 -0400
2513 @@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct
2517 -static struct dma_map_ops ibmebus_dma_ops = {
2518 +static const struct dma_map_ops ibmebus_dma_ops = {
2519 .alloc_coherent = ibmebus_alloc_coherent,
2520 .free_coherent = ibmebus_free_coherent,
2521 .map_sg = ibmebus_map_sg,
2522 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/kgdb.c linux-2.6.38.4/arch/powerpc/kernel/kgdb.c
2523 --- linux-2.6.38.4/arch/powerpc/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
2524 +++ linux-2.6.38.4/arch/powerpc/kernel/kgdb.c 2011-04-17 15:57:32.000000000 -0400
2525 @@ -422,7 +422,7 @@ int kgdb_arch_handle_exception(int vecto
2529 -struct kgdb_arch arch_kgdb_ops = {
2530 +const struct kgdb_arch arch_kgdb_ops = {
2531 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2534 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/module_32.c linux-2.6.38.4/arch/powerpc/kernel/module_32.c
2535 --- linux-2.6.38.4/arch/powerpc/kernel/module_32.c 2011-03-14 21:20:32.000000000 -0400
2536 +++ linux-2.6.38.4/arch/powerpc/kernel/module_32.c 2011-04-17 15:57:32.000000000 -0400
2537 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2538 me->arch.core_plt_section = i;
2540 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2541 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2542 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2546 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2548 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2549 /* Init, or core PLT? */
2550 - if (location >= mod->module_core
2551 - && location < mod->module_core + mod->core_size)
2552 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2553 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2554 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2556 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2557 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2558 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2560 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2564 /* Find this entry, or if that fails, the next avail. entry */
2565 while (entry->jump[0]) {
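Review bot: The new `else` branch in do_plt_call prints `invalid R_PPC_REL24 entry found` but the lines following the printk are elided in this rendering; if they do not leave the function, `entry` is never assigned and the `while (entry->jump[0])` loop right after dereferences an uninitialised pointer. The branch should return an error value the caller checks, and a comment should say the location was outside both the core and init regions. As a point of style, the four range comparisons duplicate the `in_core_rx`/`in_core_rw`/`in_init_rx`/`in_init_rw` helpers that the parisc module.c hunk (L1024–L1043) introduces; parallel helpers here would keep the condition readable. do_plt_call continues outside the hunk.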
2566 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/module.c linux-2.6.38.4/arch/powerpc/kernel/module.c
2567 --- linux-2.6.38.4/arch/powerpc/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
2568 +++ linux-2.6.38.4/arch/powerpc/kernel/module.c 2011-04-17 15:57:32.000000000 -0400
2571 LIST_HEAD(module_bug_list);
2573 +#ifdef CONFIG_PAX_KERNEXEC
2574 void *module_alloc(unsigned long size)
2579 + return vmalloc(size);
2582 +void *module_alloc_exec(unsigned long size)
2584 +void *module_alloc(unsigned long size)
2591 return vmalloc_exec(size);
2594 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2595 vfree(module_region);
2598 +#ifdef CONFIG_PAX_KERNEXEC
2599 +void module_free_exec(struct module *mod, void *module_region)
2601 + module_free(mod, module_region);
2605 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2606 const Elf_Shdr *sechdrs,
2608 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/pci-common.c linux-2.6.38.4/arch/powerpc/kernel/pci-common.c
2609 --- linux-2.6.38.4/arch/powerpc/kernel/pci-common.c 2011-03-14 21:20:32.000000000 -0400
2610 +++ linux-2.6.38.4/arch/powerpc/kernel/pci-common.c 2011-04-17 15:57:32.000000000 -0400
2611 @@ -52,14 +52,14 @@ resource_size_t isa_mem_base;
2612 unsigned int ppc_pci_flags = 0;
2615 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2616 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2618 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2619 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2621 pci_dma_ops = dma_ops;
2624 -struct dma_map_ops *get_pci_dma_ops(void)
2625 +const struct dma_map_ops *get_pci_dma_ops(void)
2629 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/process.c linux-2.6.38.4/arch/powerpc/kernel/process.c
2630 --- linux-2.6.38.4/arch/powerpc/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
2631 +++ linux-2.6.38.4/arch/powerpc/kernel/process.c 2011-04-17 15:57:32.000000000 -0400
2632 @@ -655,8 +655,8 @@ void show_regs(struct pt_regs * regs)
2633 * Lookup NIP late so we have the best change of getting the
2634 * above info out without failing
2636 - printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
2637 - printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
2638 + printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
2639 + printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
2641 show_stack(current, (unsigned long *) regs->gpr[1]);
2642 if (!user_mode(regs))
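Review bot: `%pA` on the two new printk lines is not a `%p` extension the upstream vsprintf of this kernel recognises, so these lines only do what is intended together with the lib/vsprintf.c part of the patch, which is not in view; as far as I recall, an unknown character after `%p` falls through to printing the raw value, so without that part NIP and LR would silently come out as bare addresses. The show_stack hunks at @@ -1146 and @@ -1169 make the same substitution and share this dependency. A one-line comment at the first use, `/* %pA: symbol printing provided by the PaX change to lib/vsprintf.c */`, would tell a reader where the conversion is defined. show_regs' body starts outside the hunk.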
2643 @@ -1146,10 +1146,10 @@ void show_stack(struct task_struct *tsk,
2645 ip = stack[STACK_FRAME_LR_SAVE];
2646 if (!firstframe || ip != lr) {
2647 - printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
2648 + printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
2649 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
2650 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
2653 (void *)current->ret_stack[curr_frame].ret);
2656 @@ -1169,7 +1169,7 @@ void show_stack(struct task_struct *tsk,
2657 struct pt_regs *regs = (struct pt_regs *)
2658 (sp + STACK_FRAME_OVERHEAD);
2660 - printk("--- Exception: %lx at %pS\n LR = %pS\n",
2661 + printk("--- Exception: %lx at %pA\n LR = %pA\n",
2662 regs->trap, (void *)regs->nip, (void *)lr);
2665 @@ -1244,58 +1244,3 @@ void thread_info_cache_init(void)
2668 #endif /* THREAD_SHIFT < PAGE_SHIFT */
2670 -unsigned long arch_align_stack(unsigned long sp)
2672 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2673 - sp -= get_random_int() & ~PAGE_MASK;
2677 -static inline unsigned long brk_rnd(void)
2679 - unsigned long rnd = 0;
2681 - /* 8MB for 32bit, 1GB for 64bit */
2682 - if (is_32bit_task())
2683 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2685 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2687 - return rnd << PAGE_SHIFT;
2690 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2692 - unsigned long base = mm->brk;
2693 - unsigned long ret;
2695 -#ifdef CONFIG_PPC_STD_MMU_64
2697 - * If we are using 1TB segments and we are allowed to randomise
2698 - * the heap, we can put it above 1TB so it is backed by a 1TB
2699 - * segment. Otherwise the heap will be in the bottom 1TB
2700 - * which always uses 256MB segments and this may result in a
2701 - * performance penalty.
2703 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2704 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2707 - ret = PAGE_ALIGN(base + brk_rnd());
2709 - if (ret < mm->brk)
2715 -unsigned long randomize_et_dyn(unsigned long base)
2717 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2724 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/signal_32.c linux-2.6.38.4/arch/powerpc/kernel/signal_32.c
2725 --- linux-2.6.38.4/arch/powerpc/kernel/signal_32.c 2011-03-14 21:20:32.000000000 -0400
2726 +++ linux-2.6.38.4/arch/powerpc/kernel/signal_32.c 2011-04-17 15:57:32.000000000 -0400
2727 @@ -858,7 +858,7 @@ int handle_rt_signal32(unsigned long sig
2728 /* Save user registers on the stack */
2729 frame = &rt_sf->uc.uc_mcontext;
2731 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2732 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2733 if (save_user_regs(regs, frame, 0, 1))
2735 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
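Review bot: The "no vDSO" sentinel changes from 0 to `~0UL` here, in the signal_64.c hunk and in the vdso.c hunk at @@ -220 that stores it, but as far as this patch shows a freshly created mm starts with a zero-filled context, so an mm whose arch_setup_additional_pages never ran (a binfmt that does not call it, for instance) now passes this test with vdso_base == 0 and would set `regs->link = 0 + vdso32_rt_sigtramp`. Any other comparison of vdso_base against 0 elsewhere in arch/powerpc that is not in this patch needs the same change, and initialising the field to the new sentinel when the mm context is created would close the gap. Spelling the value once, e.g. `#define VDSO_BASE_NONE (~0UL)` in asm/vdso.h, instead of repeating `~0UL` in three files would make that audit easier. handle_rt_signal32's body continues outside the hunk.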
2736 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/signal_64.c linux-2.6.38.4/arch/powerpc/kernel/signal_64.c
2737 --- linux-2.6.38.4/arch/powerpc/kernel/signal_64.c 2011-03-14 21:20:32.000000000 -0400
2738 +++ linux-2.6.38.4/arch/powerpc/kernel/signal_64.c 2011-04-17 15:57:32.000000000 -0400
2739 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2740 current->thread.fpscr.val = 0;
2742 /* Set up to return from userspace. */
2743 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2744 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2745 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2747 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2748 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/vdso.c linux-2.6.38.4/arch/powerpc/kernel/vdso.c
2749 --- linux-2.6.38.4/arch/powerpc/kernel/vdso.c 2011-03-14 21:20:32.000000000 -0400
2750 +++ linux-2.6.38.4/arch/powerpc/kernel/vdso.c 2011-04-17 15:57:32.000000000 -0400
2752 #include <asm/firmware.h>
2753 #include <asm/vdso.h>
2754 #include <asm/vdso_datapage.h>
2755 +#include <asm/mman.h>
2759 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2760 vdso_base = VDSO32_MBASE;
2763 - current->mm->context.vdso_base = 0;
2764 + current->mm->context.vdso_base = ~0UL;
2766 /* vDSO has a problem and was disabled, just don't "enable" it for the
2768 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2769 vdso_base = get_unmapped_area(NULL, vdso_base,
2770 (vdso_pages << PAGE_SHIFT) +
2771 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2773 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
2774 if (IS_ERR_VALUE(vdso_base)) {
2777 diff -urNp linux-2.6.38.4/arch/powerpc/kernel/vio.c linux-2.6.38.4/arch/powerpc/kernel/vio.c
2778 --- linux-2.6.38.4/arch/powerpc/kernel/vio.c 2011-03-14 21:20:32.000000000 -0400
2779 +++ linux-2.6.38.4/arch/powerpc/kernel/vio.c 2011-04-17 15:57:32.000000000 -0400
2780 @@ -605,11 +605,12 @@ static int vio_dma_iommu_dma_supported(s
2781 return dma_iommu_ops.dma_supported(dev, mask);
2784 -struct dma_map_ops vio_dma_mapping_ops = {
2785 +const struct dma_map_ops vio_dma_mapping_ops = {
2786 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2787 .free_coherent = vio_dma_iommu_free_coherent,
2788 .map_sg = vio_dma_iommu_map_sg,
2789 .unmap_sg = vio_dma_iommu_unmap_sg,
2790 + .dma_supported = dma_iommu_dma_supported,
2791 .map_page = vio_dma_iommu_map_page,
2792 .unmap_page = vio_dma_iommu_unmap_page,
2793 .dma_supported = vio_dma_iommu_dma_supported,
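Review bot: The added `.dma_supported = dma_iommu_dma_supported,` is dead: the same member is initialised again three lines later with `vio_dma_iommu_dma_supported`, and in C the last designated initialiser for a member wins (GCC reports this under -Woverride-init). The vio wrapper already forwards to `dma_iommu_ops.dma_supported` (visible at the top of the hunk), so the duplicate buys nothing and would silently replace the vio-specific hook if the two lines were ever reordered. Drop the added line.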
2794 diff -urNp linux-2.6.38.4/arch/powerpc/lib/usercopy_64.c linux-2.6.38.4/arch/powerpc/lib/usercopy_64.c
2795 --- linux-2.6.38.4/arch/powerpc/lib/usercopy_64.c 2011-03-14 21:20:32.000000000 -0400
2796 +++ linux-2.6.38.4/arch/powerpc/lib/usercopy_64.c 2011-04-17 15:57:32.000000000 -0400
2798 #include <linux/module.h>
2799 #include <asm/uaccess.h>
2801 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2803 - if (likely(access_ok(VERIFY_READ, from, n)))
2804 - n = __copy_from_user(to, from, n);
2810 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2812 - if (likely(access_ok(VERIFY_WRITE, to, n)))
2813 - n = __copy_to_user(to, from, n);
2817 unsigned long copy_in_user(void __user *to, const void __user *from,
2820 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2824 -EXPORT_SYMBOL(copy_from_user);
2825 -EXPORT_SYMBOL(copy_to_user);
2826 EXPORT_SYMBOL(copy_in_user);
2828 diff -urNp linux-2.6.38.4/arch/powerpc/mm/fault.c linux-2.6.38.4/arch/powerpc/mm/fault.c
2829 --- linux-2.6.38.4/arch/powerpc/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
2830 +++ linux-2.6.38.4/arch/powerpc/mm/fault.c 2011-04-17 15:57:32.000000000 -0400
2832 #include <linux/kdebug.h>
2833 #include <linux/perf_event.h>
2834 #include <linux/magic.h>
2835 +#include <linux/slab.h>
2836 +#include <linux/pagemap.h>
2837 +#include <linux/compiler.h>
2838 +#include <linux/unistd.h>
2840 #include <asm/firmware.h>
2841 #include <asm/page.h>
2843 #include <asm/tlbflush.h>
2844 #include <asm/siginfo.h>
2845 #include <mm/mmu_decl.h>
2846 +#include <asm/ptrace.h>
2848 #ifdef CONFIG_KPROBES
2849 static inline int notify_page_fault(struct pt_regs *regs)
2850 @@ -65,6 +70,33 @@ static inline int notify_page_fault(stru
2854 +#ifdef CONFIG_PAX_PAGEEXEC
2856 + * PaX: decide what to do with offenders (regs->nip = fault address)
2858 + * returns 1 when task should be killed
2860 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2865 +void pax_report_insns(void *pc, void *sp)
2869 + printk(KERN_ERR "PAX: bytes at PC: ");
2870 + for (i = 0; i < 5; i++) {
2872 + if (get_user(c, (unsigned int __user *)pc+i))
2873 + printk(KERN_CONT "???????? ");
2875 + printk(KERN_CONT "%08x ", c);
2882 * Check whether the instruction at regs->nip is a store using
2883 * an update addressing form which will update r1.
2884 @@ -135,7 +167,7 @@ int __kprobes do_page_fault(struct pt_re
2885 * indicate errors in DSISR but can validly be set in SRR1.
2888 - error_code &= 0x48200000;
2889 + error_code &= 0x58200000;
2891 is_write = error_code & DSISR_ISSTORE;
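Review bot: `error_code &= 0x58200000;` widens the SRR1 mask by a magic bit that the later hunks in this file (@@ -258, @@ -273) refer to as `DSISR_GUARDED`; writing it as `error_code &= 0x48200000 | DSISR_GUARDED;` (or entirely with DSISR_* names) ties the new bit to its meaning and keeps the mask and the tests below in step if either changes. The comment above the masking, which explains which DSISR bits may validly appear in SRR1, should say that the guarded-storage bit is now kept on purpose so that the PAGEEXEC handling added at @@ -342 can recognise an instruction fetch from non-executable memory, which is what that hunk appears to use it for. do_page_fault's body extends outside the hunk.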
2893 @@ -258,7 +290,7 @@ good_area:
2894 * "undefined". Of those that can be set, this is the only
2895 * one which seems bad.
2897 - if (error_code & 0x10000000)
2898 + if (error_code & DSISR_GUARDED)
2899 /* Guarded storage error. */
2901 #endif /* CONFIG_8xx */
2902 @@ -273,7 +305,7 @@ good_area:
2903 * processors use the same I/D cache coherency mechanism
2906 - if (error_code & DSISR_PROTFAULT)
2907 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2909 #endif /* CONFIG_PPC_STD_MMU */
2911 @@ -342,6 +374,23 @@ bad_area:
2912 bad_area_nosemaphore:
2913 /* User mode accesses cause a SIGSEGV */
2914 if (user_mode(regs)) {
2916 +#ifdef CONFIG_PAX_PAGEEXEC
2917 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2918 +#ifdef CONFIG_PPC_STD_MMU
2919 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2921 + if (is_exec && regs->nip == address) {
2923 + switch (pax_handle_fetch_fault(regs)) {
2926 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2927 + do_group_exit(SIGKILL);
2932 _exception(SIGSEGV, regs, code, address);
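Review bot: Missing documentation on the two `#ifdef CONFIG_PPC_STD_MMU` tests that decide this SIGSEGV is a PAGEEXEC-denied instruction fetch: the hash-MMU branch looks at `DSISR_PROTFAULT | DSISR_GUARDED`, the other at `regs->nip == address`, and nothing says why the evidence differs. For an instruction-side fault the address handed to do_page_fault is the nip as far as I can tell, so the second condition may be unconditionally true once `is_exec` holds; if that is intended, a comment such as `/* non-hash MMUs: a user exec fault reaching here is always a fetch from a non-executable mapping */` would make it read as a decision rather than a missing check. Several lines of this hunk are not in view, and do_page_fault's body extends outside it.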
2935 diff -urNp linux-2.6.38.4/arch/powerpc/mm/mmap_64.c linux-2.6.38.4/arch/powerpc/mm/mmap_64.c
2936 --- linux-2.6.38.4/arch/powerpc/mm/mmap_64.c 2011-03-14 21:20:32.000000000 -0400
2937 +++ linux-2.6.38.4/arch/powerpc/mm/mmap_64.c 2011-04-17 15:57:32.000000000 -0400
2938 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2940 if (mmap_is_legacy()) {
2941 mm->mmap_base = TASK_UNMAPPED_BASE;
2943 +#ifdef CONFIG_PAX_RANDMMAP
2944 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2945 + mm->mmap_base += mm->delta_mmap;
2948 mm->get_unmapped_area = arch_get_unmapped_area;
2949 mm->unmap_area = arch_unmap_area;
2951 mm->mmap_base = mmap_base();
2953 +#ifdef CONFIG_PAX_RANDMMAP
2954 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2955 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2958 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2959 mm->unmap_area = arch_unmap_area_topdown;
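Review bot: `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` in the top-down branch lowers the base with no lower bound, and `mm->mmap_base += mm->delta_mmap;` in the legacy branch raises it with no upper bound; whether the result can leave the usable address range depends on the widths of the two deltas, which come from PAX_DELTA_MMAP_LEN/PAX_DELTA_STACK_LEN in the arch elf.h and are not in view for powerpc. A comment on the `#ifdef CONFIG_PAX_RANDMMAP` block stating the invariant relied on (along the lines of `/* the deltas are bounded by PAX_DELTA_*_LEN, so the base stays inside the task's range */`, if that is indeed the bound), or an explicit clamp, would let a reader check it without opening elf.h. The two arch/s390/mm/mmap.c hunks (@@ -91 and @@ -166) make the identical change and need the same treatment. arch_pick_mmap_layout's body starts outside the hunk.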
2961 diff -urNp linux-2.6.38.4/arch/powerpc/mm/slice.c linux-2.6.38.4/arch/powerpc/mm/slice.c
2962 --- linux-2.6.38.4/arch/powerpc/mm/slice.c 2011-03-14 21:20:32.000000000 -0400
2963 +++ linux-2.6.38.4/arch/powerpc/mm/slice.c 2011-04-17 15:57:32.000000000 -0400
2964 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
2965 if ((mm->task_size - len) < addr)
2967 vma = find_vma(mm, addr);
2968 - return (!vma || (addr + len) <= vma->vm_start);
2969 + return check_heap_stack_gap(vma, addr, len);
2972 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
2973 @@ -256,7 +256,7 @@ full_search:
2974 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
2977 - if (!vma || addr + len <= vma->vm_start) {
2978 + if (check_heap_stack_gap(vma, addr, len)) {
2980 * Remember the place where we stopped the search:
2982 @@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
2986 - addr = mm->mmap_base;
2987 - while (addr > len) {
2988 + if (mm->mmap_base < len)
2991 + addr = mm->mmap_base - len;
2993 + while (!IS_ERR_VALUE(addr)) {
2994 /* Go down by chunk size */
2995 - addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
2996 + addr = _ALIGN_DOWN(addr, 1ul << pshift);
2998 /* Check for hit with different page size */
2999 mask = slice_range_to_mask(addr, len);
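Review bot: The rewritten descent loop `while (!IS_ERR_VALUE(addr))` drops the old `addr > len` guard, so termination — and the absence of an unsigned wrap once a vma sits lower than `len` plus the gap — now rests entirely on `skip_heap_stack_gap(vma, len)` (the hunk at @@ -348) returning an IS_ERR_VALUE in that case; that helper is not in view, so this is worth confirming. The initial `if (mm->mmap_base < len)` check covers only the first candidate. A comment on the `while` line, e.g. `/* skip_heap_stack_gap() returns an error value when nothing lower fits; that ends the loop */`, would record the invariant the loop depends on. slice_find_area_topdown's body starts and ends outside the hunk.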
3000 @@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
3001 * return with success:
3003 vma = find_vma(mm, addr);
3004 - if (!vma || (addr + len) <= vma->vm_start) {
3005 + if (check_heap_stack_gap(vma, addr, len)) {
3006 /* remember the address as a hint for next time */
3008 mm->free_area_cache = addr;
3009 @@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
3010 mm->cached_hole_size = vma->vm_start - addr;
3012 /* try just below the current vma->vm_start */
3013 - addr = vma->vm_start;
3014 + addr = skip_heap_stack_gap(vma, len);
3018 @@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
3019 if (fixed && addr > (mm->task_size - len))
3022 +#ifdef CONFIG_PAX_RANDMMAP
3023 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
3027 /* If hint, make sure it matches our alignment restrictions */
3028 if (!fixed && addr) {
3029 addr = _ALIGN_UP(addr, 1ul << pshift);
3030 diff -urNp linux-2.6.38.4/arch/powerpc/platforms/cell/iommu.c linux-2.6.38.4/arch/powerpc/platforms/cell/iommu.c
3031 --- linux-2.6.38.4/arch/powerpc/platforms/cell/iommu.c 2011-03-14 21:20:32.000000000 -0400
3032 +++ linux-2.6.38.4/arch/powerpc/platforms/cell/iommu.c 2011-04-17 15:57:32.000000000 -0400
3033 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
3035 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
3037 -struct dma_map_ops dma_iommu_fixed_ops = {
3038 +const struct dma_map_ops dma_iommu_fixed_ops = {
3039 .alloc_coherent = dma_fixed_alloc_coherent,
3040 .free_coherent = dma_fixed_free_coherent,
3041 .map_sg = dma_fixed_map_sg,
3042 diff -urNp linux-2.6.38.4/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.38.4/arch/powerpc/platforms/ps3/system-bus.c
3043 --- linux-2.6.38.4/arch/powerpc/platforms/ps3/system-bus.c 2011-03-14 21:20:32.000000000 -0400
3044 +++ linux-2.6.38.4/arch/powerpc/platforms/ps3/system-bus.c 2011-04-17 15:57:32.000000000 -0400
3045 @@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi
3046 return mask >= DMA_BIT_MASK(32);
3049 -static struct dma_map_ops ps3_sb_dma_ops = {
3050 +static const struct dma_map_ops ps3_sb_dma_ops = {
3051 .alloc_coherent = ps3_alloc_coherent,
3052 .free_coherent = ps3_free_coherent,
3053 .map_sg = ps3_sb_map_sg,
3054 @@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops
3055 .unmap_page = ps3_unmap_page,
3058 -static struct dma_map_ops ps3_ioc0_dma_ops = {
3059 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
3060 .alloc_coherent = ps3_alloc_coherent,
3061 .free_coherent = ps3_free_coherent,
3062 .map_sg = ps3_ioc0_map_sg,
3063 diff -urNp linux-2.6.38.4/arch/powerpc/sysdev/ppc4xx_cpm.c linux-2.6.38.4/arch/powerpc/sysdev/ppc4xx_cpm.c
3064 --- linux-2.6.38.4/arch/powerpc/sysdev/ppc4xx_cpm.c 2011-03-14 21:20:32.000000000 -0400
3065 +++ linux-2.6.38.4/arch/powerpc/sysdev/ppc4xx_cpm.c 2011-04-17 15:57:32.000000000 -0400
3066 @@ -240,7 +240,7 @@ static int cpm_suspend_enter(suspend_sta
3070 -static struct platform_suspend_ops cpm_suspend_ops = {
3071 +static const struct platform_suspend_ops cpm_suspend_ops = {
3072 .valid = cpm_suspend_valid,
3073 .enter = cpm_suspend_enter,
3075 diff -urNp linux-2.6.38.4/arch/s390/include/asm/elf.h linux-2.6.38.4/arch/s390/include/asm/elf.h
3076 --- linux-2.6.38.4/arch/s390/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
3077 +++ linux-2.6.38.4/arch/s390/include/asm/elf.h 2011-04-17 15:57:32.000000000 -0400
3078 @@ -162,8 +162,14 @@ extern unsigned int vdso_enabled;
3079 the loader. We need to make sure that it is out of the way of the program
3080 that it will "exec", and that there is sufficient room for the brk. */
3082 -extern unsigned long randomize_et_dyn(unsigned long base);
3083 -#define ELF_ET_DYN_BASE (randomize_et_dyn(STACK_TOP / 3 * 2))
3084 +#define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
3086 +#ifdef CONFIG_PAX_ASLR
3087 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
3089 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3090 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3093 /* This yields a mask that user programs can use to figure out what
3094 instruction set this CPU supports. */
3095 @@ -222,7 +228,4 @@ struct linux_binprm;
3096 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
3097 int arch_setup_additional_pages(struct linux_binprm *, int);
3099 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
3100 -#define arch_randomize_brk arch_randomize_brk
3103 diff -urNp linux-2.6.38.4/arch/s390/include/asm/system.h linux-2.6.38.4/arch/s390/include/asm/system.h
3104 --- linux-2.6.38.4/arch/s390/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
3105 +++ linux-2.6.38.4/arch/s390/include/asm/system.h 2011-04-17 15:57:32.000000000 -0400
3106 @@ -449,7 +449,7 @@ extern void (*_machine_restart)(char *co
3107 extern void (*_machine_halt)(void);
3108 extern void (*_machine_power_off)(void);
3110 -extern unsigned long arch_align_stack(unsigned long sp);
3111 +#define arch_align_stack(x) ((x) & ~0xfUL)
3113 static inline int tprot(unsigned long addr)
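Review bot: `#define arch_align_stack(x) ((x) & ~0xfUL)` replaces the extern function whose deleted body (arch/s390/kernel/process.c hunk @@ -334) also subtracted a random sub-page offset, and a reader of this header cannot tell whether that randomisation was moved or lost. A comment such as `/* no random offset here: stack-top randomisation is handled by the PaX ASLR code (see PAX_DELTA_STACK_LEN in asm/elf.h) */` would record that, assuming that is where it went — the elf.h hunk in this patch suggests so but does not prove it. The arch/score/include/asm/system.h hunk makes the same kind of replacement, though there the deleted function appears to have returned sp unchanged.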
3115 diff -urNp linux-2.6.38.4/arch/s390/include/asm/uaccess.h linux-2.6.38.4/arch/s390/include/asm/uaccess.h
3116 --- linux-2.6.38.4/arch/s390/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
3117 +++ linux-2.6.38.4/arch/s390/include/asm/uaccess.h 2011-04-17 15:57:32.000000000 -0400
3118 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
3119 copy_to_user(void __user *to, const void *from, unsigned long n)
3126 if (access_ok(VERIFY_WRITE, to, n))
3127 n = __copy_to_user(to, from, n);
3129 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
3130 static inline unsigned long __must_check
3131 __copy_from_user(void *to, const void __user *from, unsigned long n)
3136 if (__builtin_constant_p(n) && (n <= 256))
3137 return uaccess.copy_from_user_small(n, from, to);
3139 @@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us
3140 unsigned int sz = __compiletime_object_size(to);
3147 if (unlikely(sz != -1 && sz < n)) {
3148 copy_from_user_overflow();
3150 diff -urNp linux-2.6.38.4/arch/s390/Kconfig linux-2.6.38.4/arch/s390/Kconfig
3151 --- linux-2.6.38.4/arch/s390/Kconfig 2011-03-14 21:20:32.000000000 -0400
3152 +++ linux-2.6.38.4/arch/s390/Kconfig 2011-04-17 15:57:32.000000000 -0400
3153 @@ -233,11 +233,9 @@ config S390_EXEC_PROTECT
3154 prompt "Data execute protection"
3156 This option allows to enable a buffer overflow protection for user
3157 - space programs and it also selects the addressing mode option above.
3158 - The kernel parameter noexec=on will enable this feature and also
3159 - switch the addressing modes, default is disabled. Enabling this (via
3160 - kernel parameter) on machines earlier than IBM System z9 this will
3161 - reduce system performance.
3163 + Enabling this (via kernel parameter) on machines earlier than IBM
3164 + System z9 this will reduce system performance.
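Review bot: The rewritten help text still says "Enabling this (via kernel parameter) ..." although the arch/s390/kernel/setup.c hunk (@@ -337,20 +326,6) in this patch deletes the `noexec` early_param that sentence referred to, so it now points at a parameter that no longer exists. Either drop "(via kernel parameter)" or say how execute protection is enabled after this change. The sentence also keeps the stray "this" from the old wording; `Enabling this on machines earlier than IBM System z9 will reduce system performance.` reads correctly.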
3166 comment "Code generation options"
3168 diff -urNp linux-2.6.38.4/arch/s390/kernel/module.c linux-2.6.38.4/arch/s390/kernel/module.c
3169 --- linux-2.6.38.4/arch/s390/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
3170 +++ linux-2.6.38.4/arch/s390/kernel/module.c 2011-04-17 15:57:32.000000000 -0400
3171 @@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
3173 /* Increase core size by size of got & plt and set start
3174 offsets for got and plt. */
3175 - me->core_size = ALIGN(me->core_size, 4);
3176 - me->arch.got_offset = me->core_size;
3177 - me->core_size += me->arch.got_size;
3178 - me->arch.plt_offset = me->core_size;
3179 - me->core_size += me->arch.plt_size;
3180 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
3181 + me->arch.got_offset = me->core_size_rw;
3182 + me->core_size_rw += me->arch.got_size;
3183 + me->arch.plt_offset = me->core_size_rx;
3184 + me->core_size_rx += me->arch.plt_size;
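Review bot: `me->arch.plt_offset = me->core_size_rx;` takes the PLT offset without the `ALIGN(..., 4)` that the old code applied to the single core_size before both offsets; in the new code only core_size_rw is aligned. The PLT entries written in apply_rela (hunk @@ -296) are instruction words, so this is only safe if the section layout already leaves core_size_rx suitably aligned, and that code is not in view. Adding `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the plt_offset line keeps the old guarantee explicit. module_frob_arch_sections' body extends outside the hunk.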
3188 @@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3189 if (info->got_initialized == 0) {
3192 - gotent = me->module_core + me->arch.got_offset +
3193 + gotent = me->module_core_rw + me->arch.got_offset +
3196 info->got_initialized = 1;
3197 @@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3198 else if (r_type == R_390_GOTENT ||
3199 r_type == R_390_GOTPLTENT)
3200 *(unsigned int *) loc =
3201 - (val + (Elf_Addr) me->module_core - loc) >> 1;
3202 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3203 else if (r_type == R_390_GOT64 ||
3204 r_type == R_390_GOTPLT64)
3205 *(unsigned long *) loc = val;
3206 @@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3207 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3208 if (info->plt_initialized == 0) {
3210 - ip = me->module_core + me->arch.plt_offset +
3211 + ip = me->module_core_rx + me->arch.plt_offset +
3213 #ifndef CONFIG_64BIT
3214 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3215 @@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3216 val - loc + 0xffffUL < 0x1ffffeUL) ||
3217 (r_type == R_390_PLT32DBL &&
3218 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3219 - val = (Elf_Addr) me->module_core +
3220 + val = (Elf_Addr) me->module_core_rx +
3221 me->arch.plt_offset +
3223 val += rela->r_addend - loc;
3224 @@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3225 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3226 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3227 val = val + rela->r_addend -
3228 - ((Elf_Addr) me->module_core + me->arch.got_offset);
3229 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3230 if (r_type == R_390_GOTOFF16)
3231 *(unsigned short *) loc = val;
3232 else if (r_type == R_390_GOTOFF32)
3233 @@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3235 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3236 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3237 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
3238 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3239 rela->r_addend - loc;
3240 if (r_type == R_390_GOTPC)
3241 *(unsigned int *) loc = val;
3242 diff -urNp linux-2.6.38.4/arch/s390/kernel/process.c linux-2.6.38.4/arch/s390/kernel/process.c
3243 --- linux-2.6.38.4/arch/s390/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
3244 +++ linux-2.6.38.4/arch/s390/kernel/process.c 2011-04-17 15:57:32.000000000 -0400
3245 @@ -334,39 +334,3 @@ unsigned long get_wchan(struct task_stru
3250 -unsigned long arch_align_stack(unsigned long sp)
3252 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
3253 - sp -= get_random_int() & ~PAGE_MASK;
3257 -static inline unsigned long brk_rnd(void)
3259 - /* 8MB for 32bit, 1GB for 64bit */
3260 - if (is_32bit_task())
3261 - return (get_random_int() & 0x7ffUL) << PAGE_SHIFT;
3263 - return (get_random_int() & 0x3ffffUL) << PAGE_SHIFT;
3266 -unsigned long arch_randomize_brk(struct mm_struct *mm)
3268 - unsigned long ret = PAGE_ALIGN(mm->brk + brk_rnd());
3270 - if (ret < mm->brk)
3275 -unsigned long randomize_et_dyn(unsigned long base)
3277 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
3279 - if (!(current->flags & PF_RANDOMIZE))
3285 diff -urNp linux-2.6.38.4/arch/s390/kernel/setup.c linux-2.6.38.4/arch/s390/kernel/setup.c
3286 --- linux-2.6.38.4/arch/s390/kernel/setup.c 2011-03-14 21:20:32.000000000 -0400
3287 +++ linux-2.6.38.4/arch/s390/kernel/setup.c 2011-04-17 15:57:32.000000000 -0400
3288 @@ -281,7 +281,7 @@ static int __init early_parse_mem(char *
3290 early_param("mem", early_parse_mem);
3292 -unsigned int user_mode = HOME_SPACE_MODE;
3293 +unsigned int user_mode = SECONDARY_SPACE_MODE;
3294 EXPORT_SYMBOL_GPL(user_mode);
3296 static int set_amode_and_uaccess(unsigned long user_amode,
3297 @@ -310,17 +310,6 @@ static int set_amode_and_uaccess(unsigne
3302 - * Switch kernel/user addressing modes?
3304 -static int __init early_parse_switch_amode(char *p)
3306 - if (user_mode != SECONDARY_SPACE_MODE)
3307 - user_mode = PRIMARY_SPACE_MODE;
3310 -early_param("switch_amode", early_parse_switch_amode);
3312 static int __init early_parse_user_mode(char *p)
3314 if (p && strcmp(p, "primary") == 0)
3315 @@ -337,20 +326,6 @@ static int __init early_parse_user_mode(
3317 early_param("user_mode", early_parse_user_mode);
3319 -#ifdef CONFIG_S390_EXEC_PROTECT
3321 - * Enable execute protection?
3323 -static int __init early_parse_noexec(char *p)
3325 - if (!strncmp(p, "off", 3))
3327 - user_mode = SECONDARY_SPACE_MODE;
3330 -early_param("noexec", early_parse_noexec);
3331 -#endif /* CONFIG_S390_EXEC_PROTECT */
3333 static void setup_addressing_mode(void)
3335 if (user_mode == SECONDARY_SPACE_MODE) {
3336 diff -urNp linux-2.6.38.4/arch/s390/mm/maccess.c linux-2.6.38.4/arch/s390/mm/maccess.c
3337 --- linux-2.6.38.4/arch/s390/mm/maccess.c 2011-03-14 21:20:32.000000000 -0400
3338 +++ linux-2.6.38.4/arch/s390/mm/maccess.c 2011-04-17 15:57:32.000000000 -0400
3339 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
3340 return rc ? rc : count;
3343 -long probe_kernel_write(void *dst, void *src, size_t size)
3344 +long probe_kernel_write(void *dst, const void *src, size_t size)
3348 diff -urNp linux-2.6.38.4/arch/s390/mm/mmap.c linux-2.6.38.4/arch/s390/mm/mmap.c
3349 --- linux-2.6.38.4/arch/s390/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
3350 +++ linux-2.6.38.4/arch/s390/mm/mmap.c 2011-04-17 15:57:32.000000000 -0400
3351 @@ -91,10 +91,22 @@ void arch_pick_mmap_layout(struct mm_str
3353 if (mmap_is_legacy()) {
3354 mm->mmap_base = TASK_UNMAPPED_BASE;
3356 +#ifdef CONFIG_PAX_RANDMMAP
3357 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3358 + mm->mmap_base += mm->delta_mmap;
3361 mm->get_unmapped_area = arch_get_unmapped_area;
3362 mm->unmap_area = arch_unmap_area;
3364 mm->mmap_base = mmap_base();
3366 +#ifdef CONFIG_PAX_RANDMMAP
3367 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3368 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3371 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3372 mm->unmap_area = arch_unmap_area_topdown;
3374 @@ -166,10 +178,22 @@ void arch_pick_mmap_layout(struct mm_str
3376 if (mmap_is_legacy()) {
3377 mm->mmap_base = TASK_UNMAPPED_BASE;
3379 +#ifdef CONFIG_PAX_RANDMMAP
3380 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3381 + mm->mmap_base += mm->delta_mmap;
3384 mm->get_unmapped_area = s390_get_unmapped_area;
3385 mm->unmap_area = arch_unmap_area;
3387 mm->mmap_base = mmap_base();
3389 +#ifdef CONFIG_PAX_RANDMMAP
3390 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3391 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3394 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3395 mm->unmap_area = arch_unmap_area_topdown;
3397 diff -urNp linux-2.6.38.4/arch/score/include/asm/system.h linux-2.6.38.4/arch/score/include/asm/system.h
3398 --- linux-2.6.38.4/arch/score/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
3399 +++ linux-2.6.38.4/arch/score/include/asm/system.h 2011-04-17 15:57:32.000000000 -0400
3400 @@ -17,7 +17,7 @@ do { \
3401 #define finish_arch_switch(prev) do {} while (0)
3403 typedef void (*vi_handler_t)(void);
3404 -extern unsigned long arch_align_stack(unsigned long sp);
3405 +#define arch_align_stack(x) (x)
3407 #define mb() barrier()
3408 #define rmb() barrier()
3409 diff -urNp linux-2.6.38.4/arch/score/kernel/process.c linux-2.6.38.4/arch/score/kernel/process.c
3410 --- linux-2.6.38.4/arch/score/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
3411 +++ linux-2.6.38.4/arch/score/kernel/process.c 2011-04-17 15:57:32.000000000 -0400
3412 @@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
3414 return task_pt_regs(task)->cp0_epc;
3417 -unsigned long arch_align_stack(unsigned long sp)
3421 diff -urNp linux-2.6.38.4/arch/sh/include/asm/dma-mapping.h linux-2.6.38.4/arch/sh/include/asm/dma-mapping.h
3422 --- linux-2.6.38.4/arch/sh/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
3423 +++ linux-2.6.38.4/arch/sh/include/asm/dma-mapping.h 2011-04-17 15:57:32.000000000 -0400
3425 #ifndef __ASM_SH_DMA_MAPPING_H
3426 #define __ASM_SH_DMA_MAPPING_H
3428 -extern struct dma_map_ops *dma_ops;
3429 +extern const struct dma_map_ops *dma_ops;
3430 extern void no_iommu_init(void);
3432 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3433 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3437 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
3439 static inline int dma_supported(struct device *dev, u64 mask)
3441 - struct dma_map_ops *ops = get_dma_ops(dev);
3442 + const struct dma_map_ops *ops = get_dma_ops(dev);
3444 if (ops->dma_supported)
3445 return ops->dma_supported(dev, mask);
3446 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
3448 static inline int dma_set_mask(struct device *dev, u64 mask)
3450 - struct dma_map_ops *ops = get_dma_ops(dev);
3451 + const struct dma_map_ops *ops = get_dma_ops(dev);
3453 if (!dev->dma_mask || !dma_supported(dev, mask))
3455 @@ -44,7 +44,7 @@ void dma_cache_sync(struct device *dev,
3457 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
3459 - struct dma_map_ops *ops = get_dma_ops(dev);
3460 + const struct dma_map_ops *ops = get_dma_ops(dev);
3462 if (ops->mapping_error)
3463 return ops->mapping_error(dev, dma_addr);
3464 @@ -55,7 +55,7 @@ static inline int dma_mapping_error(stru
3465 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3466 dma_addr_t *dma_handle, gfp_t gfp)
3468 - struct dma_map_ops *ops = get_dma_ops(dev);
3469 + const struct dma_map_ops *ops = get_dma_ops(dev);
3472 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
3473 @@ -72,7 +72,7 @@ static inline void *dma_alloc_coherent(s
3474 static inline void dma_free_coherent(struct device *dev, size_t size,
3475 void *vaddr, dma_addr_t dma_handle)
3477 - struct dma_map_ops *ops = get_dma_ops(dev);
3478 + const struct dma_map_ops *ops = get_dma_ops(dev);
3480 if (dma_release_from_coherent(dev, get_order(size), vaddr))
3482 diff -urNp linux-2.6.38.4/arch/sh/kernel/dma-nommu.c linux-2.6.38.4/arch/sh/kernel/dma-nommu.c
3483 --- linux-2.6.38.4/arch/sh/kernel/dma-nommu.c 2011-03-14 21:20:32.000000000 -0400
3484 +++ linux-2.6.38.4/arch/sh/kernel/dma-nommu.c 2011-04-17 15:57:32.000000000 -0400
3485 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
3489 -struct dma_map_ops nommu_dma_ops = {
3490 +const struct dma_map_ops nommu_dma_ops = {
3491 .alloc_coherent = dma_generic_alloc_coherent,
3492 .free_coherent = dma_generic_free_coherent,
3493 .map_page = nommu_map_page,
3494 diff -urNp linux-2.6.38.4/arch/sh/kernel/kgdb.c linux-2.6.38.4/arch/sh/kernel/kgdb.c
3495 --- linux-2.6.38.4/arch/sh/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
3496 +++ linux-2.6.38.4/arch/sh/kernel/kgdb.c 2011-04-17 15:57:32.000000000 -0400
3497 @@ -319,7 +319,7 @@ void kgdb_arch_exit(void)
3498 unregister_die_notifier(&kgdb_notifier);
3501 -struct kgdb_arch arch_kgdb_ops = {
3502 +const struct kgdb_arch arch_kgdb_ops = {
3503 /* Breakpoint instruction: trapa #0x3c */
3504 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3505 .gdb_bpt_instr = { 0x3c, 0xc3 },
3506 diff -urNp linux-2.6.38.4/arch/sh/mm/consistent.c linux-2.6.38.4/arch/sh/mm/consistent.c
3507 --- linux-2.6.38.4/arch/sh/mm/consistent.c 2011-03-14 21:20:32.000000000 -0400
3508 +++ linux-2.6.38.4/arch/sh/mm/consistent.c 2011-04-17 15:57:32.000000000 -0400
3511 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
3513 -struct dma_map_ops *dma_ops;
3514 +const struct dma_map_ops *dma_ops;
3515 EXPORT_SYMBOL(dma_ops);
3517 static int __init dma_init(void)
3518 diff -urNp linux-2.6.38.4/arch/sh/mm/mmap.c linux-2.6.38.4/arch/sh/mm/mmap.c
3519 --- linux-2.6.38.4/arch/sh/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
3520 +++ linux-2.6.38.4/arch/sh/mm/mmap.c 2011-04-17 15:57:32.000000000 -0400
3521 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3522 addr = PAGE_ALIGN(addr);
3524 vma = find_vma(mm, addr);
3525 - if (TASK_SIZE - len >= addr &&
3526 - (!vma || addr + len <= vma->vm_start))
3527 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3531 @@ -106,7 +105,7 @@ full_search:
3535 - if (likely(!vma || addr + len <= vma->vm_start)) {
3536 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3538 * Remember the place where we stopped the search:
3540 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3541 addr = PAGE_ALIGN(addr);
3543 vma = find_vma(mm, addr);
3544 - if (TASK_SIZE - len >= addr &&
3545 - (!vma || addr + len <= vma->vm_start))
3546 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3550 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3551 /* make sure it can fit in the remaining address space */
3552 if (likely(addr > len)) {
3553 vma = find_vma(mm, addr-len);
3554 - if (!vma || addr <= vma->vm_start) {
3555 + if (check_heap_stack_gap(vma, addr - len, len)) {
3556 /* remember the address as a hint for next time */
3557 return (mm->free_area_cache = addr-len);
3559 @@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
3560 if (unlikely(mm->mmap_base < len))
3563 - addr = mm->mmap_base-len;
3564 - if (do_colour_align)
3565 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3566 + addr = mm->mmap_base - len;
3569 + if (do_colour_align)
3570 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3572 * Lookup failure means no vma is above this address,
3573 * else if new region fits below vma->vm_start,
3574 * return with success:
3576 vma = find_vma(mm, addr);
3577 - if (likely(!vma || addr+len <= vma->vm_start)) {
3578 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3579 /* remember the address as a hint for next time */
3580 return (mm->free_area_cache = addr);
3582 @@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
3583 mm->cached_hole_size = vma->vm_start - addr;
3585 /* try just below the current vma->vm_start */
3586 - addr = vma->vm_start-len;
3587 - if (do_colour_align)
3588 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3589 - } while (likely(len < vma->vm_start));
3590 + addr = skip_heap_stack_gap(vma, len);
3591 + } while (!IS_ERR_VALUE(addr));
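Review bot: The retry step at the bottom of arch_get_unmapped_area_topdown loses the `if (do_colour_align) addr = COLOUR_ALIGN_DOWN(addr, pgoff);` re-alignment that the removed lines applied after `addr = vma->vm_start-len`; `skip_heap_stack_gap(vma, len)` receives neither `pgoff` nor `do_colour_align`, so unless it aligns internally the candidate tried on the next iteration is no longer colour-aligned for shared mappings. The same pattern appears in the sparc64 sys_sparc_64.c hunk at `@@ -288,10 +290,8 @@` with `do_color_align`. Re-applying the alignment after the call restores the old behaviour: `addr = skip_heap_stack_gap(vma, len); if (!IS_ERR_VALUE(addr) && do_colour_align) addr = COLOUR_ALIGN_DOWN(addr, pgoff);`. The removed loop condition `len < vma->vm_start` also guarded the subtraction from wrapping; the new exit relies entirely on skip_heap_stack_gap() returning an error value in that case, which should be part of that helper's documented contract. The function body starts before this hunk.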
3595 diff -urNp linux-2.6.38.4/arch/sparc/include/asm/atomic_64.h linux-2.6.38.4/arch/sparc/include/asm/atomic_64.h
3596 --- linux-2.6.38.4/arch/sparc/include/asm/atomic_64.h 2011-03-14 21:20:32.000000000 -0400
3597 +++ linux-2.6.38.4/arch/sparc/include/asm/atomic_64.h 2011-04-17 15:57:32.000000000 -0400
3599 #define ATOMIC64_INIT(i) { (i) }
3601 #define atomic_read(v) (*(volatile int *)&(v)->counter)
3602 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3604 + return v->counter;
3606 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
3607 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3609 + return v->counter;
3612 #define atomic_set(v, i) (((v)->counter) = i)
3613 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3617 #define atomic64_set(v, i) (((v)->counter) = i)
3618 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3623 extern void atomic_add(int, atomic_t *);
3624 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3625 extern void atomic64_add(long, atomic64_t *);
3626 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3627 extern void atomic_sub(int, atomic_t *);
3628 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3629 extern void atomic64_sub(long, atomic64_t *);
3630 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3632 extern int atomic_add_ret(int, atomic_t *);
3633 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3634 extern long atomic64_add_ret(long, atomic64_t *);
3635 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3636 extern int atomic_sub_ret(int, atomic_t *);
3637 extern long atomic64_sub_ret(long, atomic64_t *);
3639 @@ -33,12 +55,24 @@ extern long atomic64_sub_ret(long, atomi
3640 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3642 #define atomic_inc_return(v) atomic_add_ret(1, v)
3643 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3645 + return atomic_add_ret_unchecked(1, v);
3647 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3648 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3650 + return atomic64_add_ret_unchecked(1, v);
3653 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3654 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3656 #define atomic_add_return(i, v) atomic_add_ret(i, v)
3657 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
3659 + return atomic_add_ret_unchecked(i, v);
3661 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
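Review bot: The new `*_unchecked` wrappers (here and in the `@@ -59,10 +93,26 @@` hunk) carry no comment saying when a caller may use them instead of the checked `atomic_*` forms; the only hint is the name, and the `addcc`/`CONFIG_PAX_REFCOUNT` fragments in the atomic_add_unless hunks suggest the checked forms trap on signed overflow. A one-line header above the first wrapper would keep the unchecked variants from being picked by default, e.g. `/* _unchecked variants: no overflow trap under CONFIG_PAX_REFCOUNT; only for counters where wraparound is acceptable (statistics), never for reference counts. */`. The semantics are inferred from the names and the later hunks, so confirm them against the atomic_unchecked_t definition before adopting the wording.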
3664 @@ -59,10 +93,26 @@ extern long atomic64_sub_ret(long, atomi
3665 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3667 #define atomic_inc(v) atomic_add(1, v)
3668 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3670 + atomic_add_unchecked(1, v);
3672 #define atomic64_inc(v) atomic64_add(1, v)
3673 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3675 + atomic64_add_unchecked(1, v);
3678 #define atomic_dec(v) atomic_sub(1, v)
3679 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3681 + atomic_sub_unchecked(1, v);
3683 #define atomic64_dec(v) atomic64_sub(1, v)
3684 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3686 + atomic64_sub_unchecked(1, v);
3689 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3690 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3691 @@ -72,17 +122,28 @@ extern long atomic64_sub_ret(long, atomi
3693 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3699 - if (unlikely(c == (u)))
3700 + if (unlikely(c == u))
3702 - old = atomic_cmpxchg((v), c, c + (a));
3704 + asm volatile("addcc %2, %0, %0\n"
3706 +#ifdef CONFIG_PAX_REFCOUNT
3711 + : "0" (c), "ir" (a)
3714 + old = atomic_cmpxchg(v, c, new);
3715 if (likely(old == c))
3723 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
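Review bot: The `addcc` inserted into atomic_add_unless sets the integer condition codes, so the asm's clobber list must name `"cc"`; the clobber line of this statement (and of the atomic64_add_unless hunk at `@@ -93,17 +154,28 @@`) is elided in this listing, so it cannot be confirmed here. The spinlock_64.h hunks make the same `add` to `addcc` change: the `@@ -112,7 +117,7 @@` hunk does add `"cc"` for arch_read_lock, but the arch_read_trylock (`@@ -123`) and arch_read_unlock (`@@ -142`) hunks stop before their operand lists, so those clobbers should be checked for the same addition. Without it the compiler may assume the flags survive the asm and reuse a comparison across it. atomic_add_unless starts before and ends after this hunk.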
3724 @@ -93,17 +154,28 @@ static inline int atomic_add_unless(atom
3726 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3730 c = atomic64_read(v);
3732 - if (unlikely(c == (u)))
3733 + if (unlikely(c == u))
3735 - old = atomic64_cmpxchg((v), c, c + (a));
3737 + asm volatile("addcc %2, %0, %0\n"
3739 +#ifdef CONFIG_PAX_REFCOUNT
3744 + : "0" (c), "ir" (a)
3747 + old = atomic64_cmpxchg(v, c, new);
3748 if (likely(old == c))
3756 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3757 diff -urNp linux-2.6.38.4/arch/sparc/include/asm/dma-mapping.h linux-2.6.38.4/arch/sparc/include/asm/dma-mapping.h
3758 --- linux-2.6.38.4/arch/sparc/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
3759 +++ linux-2.6.38.4/arch/sparc/include/asm/dma-mapping.h 2011-04-17 15:57:32.000000000 -0400
3760 @@ -12,10 +12,10 @@ extern int dma_supported(struct device *
3761 #define dma_alloc_noncoherent(d, s, h, f) dma_alloc_coherent(d, s, h, f)
3762 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3764 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3765 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3766 extern struct bus_type pci_bus_type;
3768 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3769 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3771 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3772 if (dev->bus == &pci_bus_type)
3773 @@ -29,7 +29,7 @@ static inline struct dma_map_ops *get_dm
3774 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3775 dma_addr_t *dma_handle, gfp_t flag)
3777 - struct dma_map_ops *ops = get_dma_ops(dev);
3778 + const struct dma_map_ops *ops = get_dma_ops(dev);
3781 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3782 @@ -40,7 +40,7 @@ static inline void *dma_alloc_coherent(s
3783 static inline void dma_free_coherent(struct device *dev, size_t size,
3784 void *cpu_addr, dma_addr_t dma_handle)
3786 - struct dma_map_ops *ops = get_dma_ops(dev);
3787 + const struct dma_map_ops *ops = get_dma_ops(dev);
3789 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3790 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3791 diff -urNp linux-2.6.38.4/arch/sparc/include/asm/elf_32.h linux-2.6.38.4/arch/sparc/include/asm/elf_32.h
3792 --- linux-2.6.38.4/arch/sparc/include/asm/elf_32.h 2011-03-14 21:20:32.000000000 -0400
3793 +++ linux-2.6.38.4/arch/sparc/include/asm/elf_32.h 2011-04-17 15:57:32.000000000 -0400
3794 @@ -114,6 +114,13 @@ typedef struct {
3796 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3798 +#ifdef CONFIG_PAX_ASLR
3799 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3801 +#define PAX_DELTA_MMAP_LEN 16
3802 +#define PAX_DELTA_STACK_LEN 16
3805 /* This yields a mask that user programs can use to figure out what
3806 instruction set this cpu supports. This can NOT be done in userspace
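Review bot: The three `PAX_*` constants are added without a comment giving their units, so a reader cannot tell from the header whether `PAX_DELTA_MMAP_LEN 16` is bits, pages or bytes; the same applies to the elf_64.h hunk, where the 32-bit/64-bit split (`14 : 28`, `15 : 29`) makes the unit matter even more. A short comment alongside the block would do, for example `/* PAX_DELTA_*_LEN: width in bits of the random offset applied to the mmap base and the stack; PAX_ELF_ET_DYN_BASE: minimum load address for randomised ET_DYN executables */`. The bit-width reading is inferred from the values rather than shown here, so confirm it against the code that consumes these macros before adopting the wording.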
3808 diff -urNp linux-2.6.38.4/arch/sparc/include/asm/elf_64.h linux-2.6.38.4/arch/sparc/include/asm/elf_64.h
3809 --- linux-2.6.38.4/arch/sparc/include/asm/elf_64.h 2011-03-14 21:20:32.000000000 -0400
3810 +++ linux-2.6.38.4/arch/sparc/include/asm/elf_64.h 2011-04-17 15:57:32.000000000 -0400
3811 @@ -162,6 +162,12 @@ typedef struct {
3812 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3813 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3815 +#ifdef CONFIG_PAX_ASLR
3816 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3818 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3819 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3822 /* This yields a mask that user programs can use to figure out what
3823 instruction set this cpu supports. */
3824 diff -urNp linux-2.6.38.4/arch/sparc/include/asm/pgtable_32.h linux-2.6.38.4/arch/sparc/include/asm/pgtable_32.h
3825 --- linux-2.6.38.4/arch/sparc/include/asm/pgtable_32.h 2011-03-14 21:20:32.000000000 -0400
3826 +++ linux-2.6.38.4/arch/sparc/include/asm/pgtable_32.h 2011-04-17 15:57:32.000000000 -0400
3827 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3828 BTFIXUPDEF_INT(page_none)
3829 BTFIXUPDEF_INT(page_copy)
3830 BTFIXUPDEF_INT(page_readonly)
3832 +#ifdef CONFIG_PAX_PAGEEXEC
3833 +BTFIXUPDEF_INT(page_shared_noexec)
3834 +BTFIXUPDEF_INT(page_copy_noexec)
3835 +BTFIXUPDEF_INT(page_readonly_noexec)
3838 BTFIXUPDEF_INT(page_kernel)
3840 #define PMD_SHIFT SUN4C_PMD_SHIFT
3841 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3842 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3843 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3845 +#ifdef CONFIG_PAX_PAGEEXEC
3846 +extern pgprot_t PAGE_SHARED_NOEXEC;
3847 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3848 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3850 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
3851 +# define PAGE_COPY_NOEXEC PAGE_COPY
3852 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
3855 extern unsigned long page_kernel;
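Review bot: The fallback arm of the `#ifdef CONFIG_PAX_PAGEEXEC` block maps `PAGE_SHARED_NOEXEC`, `PAGE_COPY_NOEXEC` and `PAGE_READONLY_NOEXEC` onto the executable protections without saying so; a reader choosing a `_NOEXEC` name will assume it is non-executable on every configuration. A comment on that arm makes the degradation explicit: `/* without PAGEEXEC the _NOEXEC protections are aliases of the executable ones */`. Note also the asymmetry with the pgtsrmmu.h hunk, which defines the `SRMMU_*_NOEXEC` values only under the ifdef and provides no fallback; that is fine if they are referenced only from PAGEEXEC code, but worth a glance.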
3858 diff -urNp linux-2.6.38.4/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.38.4/arch/sparc/include/asm/pgtsrmmu.h
3859 --- linux-2.6.38.4/arch/sparc/include/asm/pgtsrmmu.h 2011-03-14 21:20:32.000000000 -0400
3860 +++ linux-2.6.38.4/arch/sparc/include/asm/pgtsrmmu.h 2011-04-17 15:57:32.000000000 -0400
3861 @@ -115,6 +115,13 @@
3862 SRMMU_EXEC | SRMMU_REF)
3863 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3864 SRMMU_EXEC | SRMMU_REF)
3866 +#ifdef CONFIG_PAX_PAGEEXEC
3867 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3868 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3869 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3872 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3873 SRMMU_DIRTY | SRMMU_REF)
3875 diff -urNp linux-2.6.38.4/arch/sparc/include/asm/spinlock_64.h linux-2.6.38.4/arch/sparc/include/asm/spinlock_64.h
3876 --- linux-2.6.38.4/arch/sparc/include/asm/spinlock_64.h 2011-03-14 21:20:32.000000000 -0400
3877 +++ linux-2.6.38.4/arch/sparc/include/asm/spinlock_64.h 2011-04-17 15:57:32.000000000 -0400
3878 @@ -99,7 +99,12 @@ static void inline arch_read_lock(arch_r
3879 __asm__ __volatile__ (
3880 "1: ldsw [%2], %0\n"
3882 -"4: add %0, 1, %1\n"
3883 +"4: addcc %0, 1, %1\n"
3885 +#ifdef CONFIG_PAX_REFCOUNT
3889 " cas [%2], %0, %1\n"
3891 " bne,pn %%icc, 1b\n"
3892 @@ -112,7 +117,7 @@ static void inline arch_read_lock(arch_r
3894 : "=&r" (tmp1), "=&r" (tmp2)
3897 + : "memory", "cc");
3900 static int inline arch_read_trylock(arch_rwlock_t *lock)
3901 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
3902 "1: ldsw [%2], %0\n"
3903 " brlz,a,pn %0, 2f\n"
3906 +" addcc %0, 1, %1\n"
3908 +#ifdef CONFIG_PAX_REFCOUNT
3912 " cas [%2], %0, %1\n"
3914 " bne,pn %%icc, 1b\n"
3915 @@ -142,7 +152,12 @@ static void inline arch_read_unlock(arch
3917 __asm__ __volatile__(
3918 "1: lduw [%2], %0\n"
3920 +" subcc %0, 1, %1\n"
3922 +#ifdef CONFIG_PAX_REFCOUNT
3926 " cas [%2], %0, %1\n"
3928 " bne,pn %%xcc, 1b\n"
3929 diff -urNp linux-2.6.38.4/arch/sparc/include/asm/uaccess_32.h linux-2.6.38.4/arch/sparc/include/asm/uaccess_32.h
3930 --- linux-2.6.38.4/arch/sparc/include/asm/uaccess_32.h 2011-03-14 21:20:32.000000000 -0400
3931 +++ linux-2.6.38.4/arch/sparc/include/asm/uaccess_32.h 2011-04-17 15:57:32.000000000 -0400
3932 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
3934 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3936 - if (n && __access_ok((unsigned long) to, n))
3940 + if (n && __access_ok((unsigned long) to, n)) {
3941 + if (!__builtin_constant_p(n))
3942 + check_object_size(from, n, true);
3943 return __copy_user(to, (__force void __user *) from, n);
3949 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3954 + if (!__builtin_constant_p(n))
3955 + check_object_size(from, n, true);
3957 return __copy_user(to, (__force void __user *) from, n);
3960 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
3962 - if (n && __access_ok((unsigned long) from, n))
3966 + if (n && __access_ok((unsigned long) from, n)) {
3967 + if (!__builtin_constant_p(n))
3968 + check_object_size(to, n, false);
3969 return __copy_user((__force void __user *) to, from, n);
3975 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3980 return __copy_user((__force void __user *) to, from, n);
3983 diff -urNp linux-2.6.38.4/arch/sparc/include/asm/uaccess_64.h linux-2.6.38.4/arch/sparc/include/asm/uaccess_64.h
3984 --- linux-2.6.38.4/arch/sparc/include/asm/uaccess_64.h 2011-03-14 21:20:32.000000000 -0400
3985 +++ linux-2.6.38.4/arch/sparc/include/asm/uaccess_64.h 2011-04-17 15:57:32.000000000 -0400
3987 #include <linux/compiler.h>
3988 #include <linux/string.h>
3989 #include <linux/thread_info.h>
3990 +#include <linux/kernel.h>
3991 #include <asm/asi.h>
3992 #include <asm/system.h>
3993 #include <asm/spitfire.h>
3994 @@ -213,8 +214,15 @@ extern unsigned long copy_from_user_fixu
3995 static inline unsigned long __must_check
3996 copy_from_user(void *to, const void __user *from, unsigned long size)
3998 - unsigned long ret = ___copy_from_user(to, from, size);
3999 + unsigned long ret;
4001 + if ((long)size < 0 || size > INT_MAX)
4004 + if (!__builtin_constant_p(size))
4005 + check_object_size(to, size, false);
4007 + ret = ___copy_from_user(to, from, size);
4009 ret = copy_from_user_fixup(to, from, size);
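Review bot: In copy_from_user the new guard `if ((long)size < 0 || size > INT_MAX)` has a redundant first term on sparc64: `unsigned long` is 64-bit there, so every value with the top bit set already exceeds `INT_MAX` and is rejected by the second comparison; the same applies to the copy_to_user hunk at `@@ -230,8 +238,15 @@`. Keeping only `if (size > INT_MAX)` states the intent (cap user copies to a positive int range) without suggesting two distinct conditions. The statement executed on that path is elided in this listing; callers rely on copy_from_user returning the number of bytes not copied, so it should return `size` and leave `ret` untouched. Both functions continue past their hunks.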
4011 @@ -230,8 +238,15 @@ extern unsigned long copy_to_user_fixup(
4012 static inline unsigned long __must_check
4013 copy_to_user(void __user *to, const void *from, unsigned long size)
4015 - unsigned long ret = ___copy_to_user(to, from, size);
4016 + unsigned long ret;
4018 + if ((long)size < 0 || size > INT_MAX)
4021 + if (!__builtin_constant_p(size))
4022 + check_object_size(from, size, true);
4024 + ret = ___copy_to_user(to, from, size);
4026 ret = copy_to_user_fixup(to, from, size);
4028 diff -urNp linux-2.6.38.4/arch/sparc/include/asm/uaccess.h linux-2.6.38.4/arch/sparc/include/asm/uaccess.h
4029 --- linux-2.6.38.4/arch/sparc/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
4030 +++ linux-2.6.38.4/arch/sparc/include/asm/uaccess.h 2011-04-17 15:57:32.000000000 -0400
4032 #ifndef ___ASM_SPARC_UACCESS_H
4033 #define ___ASM_SPARC_UACCESS_H
4036 +#ifndef __ASSEMBLY__
4037 +#include <linux/types.h>
4038 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
4042 #if defined(__sparc__) && defined(__arch64__)
4043 #include <asm/uaccess_64.h>
4045 diff -urNp linux-2.6.38.4/arch/sparc/kernel/iommu.c linux-2.6.38.4/arch/sparc/kernel/iommu.c
4046 --- linux-2.6.38.4/arch/sparc/kernel/iommu.c 2011-04-22 19:20:59.000000000 -0400
4047 +++ linux-2.6.38.4/arch/sparc/kernel/iommu.c 2011-04-22 19:21:10.000000000 -0400
4048 @@ -824,7 +824,7 @@ static void dma_4u_sync_sg_for_cpu(struc
4049 spin_unlock_irqrestore(&iommu->lock, flags);
4052 -static struct dma_map_ops sun4u_dma_ops = {
4053 +static const struct dma_map_ops sun4u_dma_ops = {
4054 .alloc_coherent = dma_4u_alloc_coherent,
4055 .free_coherent = dma_4u_free_coherent,
4056 .map_page = dma_4u_map_page,
4057 @@ -835,7 +835,7 @@ static struct dma_map_ops sun4u_dma_ops
4058 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
4061 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4062 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4063 EXPORT_SYMBOL(dma_ops);
4065 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
4066 diff -urNp linux-2.6.38.4/arch/sparc/kernel/ioport.c linux-2.6.38.4/arch/sparc/kernel/ioport.c
4067 --- linux-2.6.38.4/arch/sparc/kernel/ioport.c 2011-03-14 21:20:32.000000000 -0400
4068 +++ linux-2.6.38.4/arch/sparc/kernel/ioport.c 2011-04-17 15:57:32.000000000 -0400
4069 @@ -397,7 +397,7 @@ static void sbus_sync_sg_for_device(stru
4073 -struct dma_map_ops sbus_dma_ops = {
4074 +const struct dma_map_ops sbus_dma_ops = {
4075 .alloc_coherent = sbus_alloc_coherent,
4076 .free_coherent = sbus_free_coherent,
4077 .map_page = sbus_map_page,
4078 @@ -408,7 +408,7 @@ struct dma_map_ops sbus_dma_ops = {
4079 .sync_sg_for_device = sbus_sync_sg_for_device,
4082 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
4083 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
4084 EXPORT_SYMBOL(dma_ops);
4086 static int __init sparc_register_ioport(void)
4087 @@ -645,7 +645,7 @@ static void pci32_sync_sg_for_device(str
4091 -struct dma_map_ops pci32_dma_ops = {
4092 +const struct dma_map_ops pci32_dma_ops = {
4093 .alloc_coherent = pci32_alloc_coherent,
4094 .free_coherent = pci32_free_coherent,
4095 .map_page = pci32_map_page,
4096 diff -urNp linux-2.6.38.4/arch/sparc/kernel/kgdb_32.c linux-2.6.38.4/arch/sparc/kernel/kgdb_32.c
4097 --- linux-2.6.38.4/arch/sparc/kernel/kgdb_32.c 2011-03-14 21:20:32.000000000 -0400
4098 +++ linux-2.6.38.4/arch/sparc/kernel/kgdb_32.c 2011-04-17 15:57:32.000000000 -0400
4099 @@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
4100 regs->npc = regs->pc + 4;
4103 -struct kgdb_arch arch_kgdb_ops = {
4104 +const struct kgdb_arch arch_kgdb_ops = {
4105 /* Breakpoint instruction: ta 0x7d */
4106 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
4108 diff -urNp linux-2.6.38.4/arch/sparc/kernel/kgdb_64.c linux-2.6.38.4/arch/sparc/kernel/kgdb_64.c
4109 --- linux-2.6.38.4/arch/sparc/kernel/kgdb_64.c 2011-03-14 21:20:32.000000000 -0400
4110 +++ linux-2.6.38.4/arch/sparc/kernel/kgdb_64.c 2011-04-17 15:57:32.000000000 -0400
4111 @@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
4112 regs->tnpc = regs->tpc + 4;
4115 -struct kgdb_arch arch_kgdb_ops = {
4116 +const struct kgdb_arch arch_kgdb_ops = {
4117 /* Breakpoint instruction: ta 0x72 */
4118 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
4120 diff -urNp linux-2.6.38.4/arch/sparc/kernel/Makefile linux-2.6.38.4/arch/sparc/kernel/Makefile
4121 --- linux-2.6.38.4/arch/sparc/kernel/Makefile 2011-03-14 21:20:32.000000000 -0400
4122 +++ linux-2.6.38.4/arch/sparc/kernel/Makefile 2011-04-17 15:57:32.000000000 -0400
4127 -ccflags-y := -Werror
4128 +#ccflags-y := -Werror
4130 extra-y := head_$(BITS).o
4131 extra-y += init_task.o
4132 diff -urNp linux-2.6.38.4/arch/sparc/kernel/pci_sun4v.c linux-2.6.38.4/arch/sparc/kernel/pci_sun4v.c
4133 --- linux-2.6.38.4/arch/sparc/kernel/pci_sun4v.c 2011-04-22 19:20:59.000000000 -0400
4134 +++ linux-2.6.38.4/arch/sparc/kernel/pci_sun4v.c 2011-04-22 19:21:10.000000000 -0400
4135 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
4136 spin_unlock_irqrestore(&iommu->lock, flags);
4139 -static struct dma_map_ops sun4v_dma_ops = {
4140 +static const struct dma_map_ops sun4v_dma_ops = {
4141 .alloc_coherent = dma_4v_alloc_coherent,
4142 .free_coherent = dma_4v_free_coherent,
4143 .map_page = dma_4v_map_page,
4144 diff -urNp linux-2.6.38.4/arch/sparc/kernel/process_32.c linux-2.6.38.4/arch/sparc/kernel/process_32.c
4145 --- linux-2.6.38.4/arch/sparc/kernel/process_32.c 2011-03-14 21:20:32.000000000 -0400
4146 +++ linux-2.6.38.4/arch/sparc/kernel/process_32.c 2011-04-17 15:57:32.000000000 -0400
4147 @@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
4148 rw->ins[4], rw->ins[5],
4151 - printk("%pS\n", (void *) rw->ins[7]);
4152 + printk("%pA\n", (void *) rw->ins[7]);
4153 rw = (struct reg_window32 *) rw->ins[6];
4155 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
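Review bot: The `%pS` to `%pA` change replaces the symbol printed after a frame address but leaves the raw address in the same printk: this hunk dumps the `rw->ins[...]` values as `%08lx` just before it, the traps_32.c hunk prints `Caller[%08lx]: %pA` with the identical `rw->ins[7]` for both conversions, and traps_64.c's show_stack prints `[%016lx] %pA` the same way. `%pA` does not appear to be a printk extension in this kernel version, so the rest of the patch presumably defines it; if its purpose is to avoid disclosing kernel addresses in the symbolic part, the raw hex on the same line still exposes them and those lines need either gating or removal of the `%08lx`/`%016lx` argument to have any effect. If `%pA` serves a different purpose, a comment at its first use explaining how it differs from `%pS` would help reviewers. The functions here start before and end after their hunks.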
4156 @@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
4158 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
4159 r->psr, r->pc, r->npc, r->y, print_tainted());
4160 - printk("PC: <%pS>\n", (void *) r->pc);
4161 + printk("PC: <%pA>\n", (void *) r->pc);
4162 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4163 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
4164 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
4165 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4166 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
4167 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
4168 - printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
4169 + printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
4171 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4172 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
4173 @@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
4174 rw = (struct reg_window32 *) fp;
4176 printk("[%08lx : ", pc);
4177 - printk("%pS ] ", (void *) pc);
4178 + printk("%pA ] ", (void *) pc);
4180 } while (++count < 16);
4182 diff -urNp linux-2.6.38.4/arch/sparc/kernel/process_64.c linux-2.6.38.4/arch/sparc/kernel/process_64.c
4183 --- linux-2.6.38.4/arch/sparc/kernel/process_64.c 2011-03-14 21:20:32.000000000 -0400
4184 +++ linux-2.6.38.4/arch/sparc/kernel/process_64.c 2011-04-17 15:57:32.000000000 -0400
4185 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
4186 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
4187 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
4188 if (regs->tstate & TSTATE_PRIV)
4189 - printk("I7: <%pS>\n", (void *) rwk->ins[7]);
4190 + printk("I7: <%pA>\n", (void *) rwk->ins[7]);
4193 void show_regs(struct pt_regs *regs)
4195 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
4196 regs->tpc, regs->tnpc, regs->y, print_tainted());
4197 - printk("TPC: <%pS>\n", (void *) regs->tpc);
4198 + printk("TPC: <%pA>\n", (void *) regs->tpc);
4199 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
4200 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
4202 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
4203 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
4204 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
4206 - printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
4207 + printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
4208 show_regwindow(regs);
4209 show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
4211 @@ -285,7 +285,7 @@ void arch_trigger_all_cpu_backtrace(void
4212 ((tp && tp->task) ? tp->task->pid : -1));
4214 if (gp->tstate & TSTATE_PRIV) {
4215 - printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
4216 + printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
4220 diff -urNp linux-2.6.38.4/arch/sparc/kernel/sys_sparc_32.c linux-2.6.38.4/arch/sparc/kernel/sys_sparc_32.c
4221 --- linux-2.6.38.4/arch/sparc/kernel/sys_sparc_32.c 2011-03-14 21:20:32.000000000 -0400
4222 +++ linux-2.6.38.4/arch/sparc/kernel/sys_sparc_32.c 2011-04-17 15:57:32.000000000 -0400
4223 @@ -56,7 +56,7 @@ unsigned long arch_get_unmapped_area(str
4224 if (ARCH_SUN4C && len > 0x20000000)
4227 - addr = TASK_UNMAPPED_BASE;
4228 + addr = current->mm->mmap_base;
4230 if (flags & MAP_SHARED)
4231 addr = COLOUR_ALIGN(addr);
4232 @@ -71,7 +71,7 @@ unsigned long arch_get_unmapped_area(str
4234 if (TASK_SIZE - PAGE_SIZE - len < addr)
4236 - if (!vmm || addr + len <= vmm->vm_start)
4237 + if (check_heap_stack_gap(vmm, addr, len))
4240 if (flags & MAP_SHARED)
4241 diff -urNp linux-2.6.38.4/arch/sparc/kernel/sys_sparc_64.c linux-2.6.38.4/arch/sparc/kernel/sys_sparc_64.c
4242 --- linux-2.6.38.4/arch/sparc/kernel/sys_sparc_64.c 2011-03-14 21:20:32.000000000 -0400
4243 +++ linux-2.6.38.4/arch/sparc/kernel/sys_sparc_64.c 2011-04-17 15:57:32.000000000 -0400
4244 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
4245 /* We do not accept a shared mapping if it would violate
4246 * cache aliasing constraints.
4248 - if ((flags & MAP_SHARED) &&
4249 + if ((filp || (flags & MAP_SHARED)) &&
4250 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
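Review bot: Extending the MAP_FIXED rejection from `flags & MAP_SHARED` to `filp || (flags & MAP_SHARED)` (also in the topdown hunk at `@@ -215,7 +218,7 @@`) is a user-visible ABI change: a private file-backed mapping at a fixed address that is not SHMLBA-coloured now fails where it used to succeed. It is consistent with the existing `if (filp || (flags & MAP_SHARED))` colour-alignment test shown as context in the next hunk, but the comment above the condition still reads "We do not accept a shared mapping", so nothing records that the tightening is deliberate. Updating it to `/* We do not accept a file-backed or shared mapping if it would violate cache aliasing constraints. */` keeps a later reader from reverting the change as a regression. The enclosing function continues past this hunk.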
4253 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
4254 if (filp || (flags & MAP_SHARED))
4257 +#ifdef CONFIG_PAX_RANDMMAP
4258 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4263 addr = COLOUR_ALIGN(addr, pgoff);
4264 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
4265 addr = PAGE_ALIGN(addr);
4267 vma = find_vma(mm, addr);
4268 - if (task_size - len >= addr &&
4269 - (!vma || addr + len <= vma->vm_start))
4270 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4274 if (len > mm->cached_hole_size) {
4275 - start_addr = addr = mm->free_area_cache;
4276 + start_addr = addr = mm->free_area_cache;
4278 - start_addr = addr = TASK_UNMAPPED_BASE;
4279 + start_addr = addr = mm->mmap_base;
4280 mm->cached_hole_size = 0;
4283 @@ -174,14 +177,14 @@ full_search:
4284 vma = find_vma(mm, VA_EXCLUDE_END);
4286 if (unlikely(task_size < addr)) {
4287 - if (start_addr != TASK_UNMAPPED_BASE) {
4288 - start_addr = addr = TASK_UNMAPPED_BASE;
4289 + if (start_addr != mm->mmap_base) {
4290 + start_addr = addr = mm->mmap_base;
4291 mm->cached_hole_size = 0;
4296 - if (likely(!vma || addr + len <= vma->vm_start)) {
4297 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4299 * Remember the place where we stopped the search:
4301 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
4302 /* We do not accept a shared mapping if it would violate
4303 * cache aliasing constraints.
4305 - if ((flags & MAP_SHARED) &&
4306 + if ((filp || (flags & MAP_SHARED)) &&
4307 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4310 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
4311 addr = PAGE_ALIGN(addr);
4313 vma = find_vma(mm, addr);
4314 - if (task_size - len >= addr &&
4315 - (!vma || addr + len <= vma->vm_start))
4316 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4320 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
4321 /* make sure it can fit in the remaining address space */
4322 if (likely(addr > len)) {
4323 vma = find_vma(mm, addr-len);
4324 - if (!vma || addr <= vma->vm_start) {
4325 + if (check_heap_stack_gap(vma, addr - len, len)) {
4326 /* remember the address as a hint for next time */
4327 return (mm->free_area_cache = addr-len);
4329 @@ -267,18 +269,18 @@ arch_get_unmapped_area_topdown(struct fi
4330 if (unlikely(mm->mmap_base < len))
4333 - addr = mm->mmap_base-len;
4334 - if (do_color_align)
4335 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4336 + addr = mm->mmap_base - len;
4339 + if (do_color_align)
4340 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4342 * Lookup failure means no vma is above this address,
4343 * else if new region fits below vma->vm_start,
4344 * return with success:
4346 vma = find_vma(mm, addr);
4347 - if (likely(!vma || addr+len <= vma->vm_start)) {
4348 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4349 /* remember the address as a hint for next time */
4350 return (mm->free_area_cache = addr);
4352 @@ -288,10 +290,8 @@ arch_get_unmapped_area_topdown(struct fi
4353 mm->cached_hole_size = vma->vm_start - addr;
4355 /* try just below the current vma->vm_start */
4356 - addr = vma->vm_start-len;
4357 - if (do_color_align)
4358 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4359 - } while (likely(len < vma->vm_start));
4360 + addr = skip_heap_stack_gap(vma, len);
4361 + } while (!IS_ERR_VALUE(addr));
4365 @@ -385,6 +385,12 @@ void arch_pick_mmap_layout(struct mm_str
4366 gap == RLIM_INFINITY ||
4367 sysctl_legacy_va_layout) {
4368 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4370 +#ifdef CONFIG_PAX_RANDMMAP
4371 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4372 + mm->mmap_base += mm->delta_mmap;
4375 mm->get_unmapped_area = arch_get_unmapped_area;
4376 mm->unmap_area = arch_unmap_area;
4378 @@ -397,6 +403,12 @@ void arch_pick_mmap_layout(struct mm_str
4379 gap = (task_size / 6 * 5);
4381 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4383 +#ifdef CONFIG_PAX_RANDMMAP
4384 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4385 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4388 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4389 mm->unmap_area = arch_unmap_area_topdown;
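Review bot: The randomisation deltas are applied after `PAGE_ALIGN()` and `random_factor`, and this top-down arm subtracts `mm->delta_stack` as well as `mm->delta_mmap` while the bottom-up arm at `@@ -385,6 +385,12 @@` adds only `delta_mmap`; neither hunk says why the stack delta enters the mmap base calculation, nor that the deltas are page multiples (otherwise the alignment just computed is lost). A comment on this arm would capture both, e.g. `/* deltas are page multiples; also back off by delta_stack so the randomised stack cannot overlap the top of the mmap area */`. Whether the deltas are page-aligned is not visible here, so confirm it before relying on that wording. arch_pick_mmap_layout starts before and ends after this hunk.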
4391 diff -urNp linux-2.6.38.4/arch/sparc/kernel/traps_32.c linux-2.6.38.4/arch/sparc/kernel/traps_32.c
4392 --- linux-2.6.38.4/arch/sparc/kernel/traps_32.c 2011-03-14 21:20:32.000000000 -0400
4393 +++ linux-2.6.38.4/arch/sparc/kernel/traps_32.c 2011-04-17 15:57:32.000000000 -0400
4394 @@ -76,7 +76,7 @@ void die_if_kernel(char *str, struct pt_
4396 (((unsigned long) rw) >= PAGE_OFFSET) &&
4397 !(((unsigned long) rw) & 0x7)) {
4398 - printk("Caller[%08lx]: %pS\n", rw->ins[7],
4399 + printk("Caller[%08lx]: %pA\n", rw->ins[7],
4400 (void *) rw->ins[7]);
4401 rw = (struct reg_window32 *)rw->ins[6];
4403 diff -urNp linux-2.6.38.4/arch/sparc/kernel/traps_64.c linux-2.6.38.4/arch/sparc/kernel/traps_64.c
4404 --- linux-2.6.38.4/arch/sparc/kernel/traps_64.c 2011-04-22 19:20:59.000000000 -0400
4405 +++ linux-2.6.38.4/arch/sparc/kernel/traps_64.c 2011-04-22 19:21:10.000000000 -0400
4406 @@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_
4408 p->trapstack[i].tstate, p->trapstack[i].tpc,
4409 p->trapstack[i].tnpc, p->trapstack[i].tt);
4410 - printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
4411 + printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
4415 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
4418 if (regs->tstate & TSTATE_PRIV) {
4420 +#ifdef CONFIG_PAX_REFCOUNT
4422 + pax_report_refcount_overflow(regs);
4425 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4426 die_if_kernel(buffer, regs);
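Review bot: `pax_report_refcount_overflow(regs)` is called inside a branch whose condition is elided in this listing, so it cannot be seen here that it keys on the specific trap raised by the overflow-detecting asm in the atomic and rwlock changes rather than on every privileged bad trap; the same structure appears in the bad_trap_tl1 hunk at `@@ -113,11 +119,16 @@`. If that condition is a trap-number check, a comment naming its source, e.g. `/* overflow trap raised by the CONFIG_PAX_REFCOUNT sequences in the atomic ops */`, ties the report to the code that triggers it and prevents unrelated bad traps from being logged as refcount overflows. Both functions continue past their hunks.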
4428 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
4429 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4434 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4435 0, lvl, SIGTRAP) == NOTIFY_STOP)
4438 +#ifdef CONFIG_PAX_REFCOUNT
4440 + pax_report_refcount_overflow(regs);
4443 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4445 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
4446 @@ -1141,7 +1152,7 @@ static void cheetah_log_errors(struct pt
4447 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
4448 printk("%s" "ERROR(%d): ",
4449 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
4450 - printk("TPC<%pS>\n", (void *) regs->tpc);
4451 + printk("TPC<%pA>\n", (void *) regs->tpc);
4452 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
4453 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
4454 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
4455 @@ -1748,7 +1759,7 @@ void cheetah_plus_parity_error(int type,
4457 (type & 0x1) ? 'I' : 'D',
4459 - printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
4460 + printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
4461 panic("Irrecoverable Cheetah+ parity error.");
4464 @@ -1756,7 +1767,7 @@ void cheetah_plus_parity_error(int type,
4466 (type & 0x1) ? 'I' : 'D',
4468 - printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
4469 + printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
4472 struct sun4v_error_entry {
4473 @@ -1963,9 +1974,9 @@ void sun4v_itlb_error_report(struct pt_r
4475 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
4477 - printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
4478 + printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
4479 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4480 - printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
4481 + printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
4482 (void *) regs->u_regs[UREG_I7]);
4483 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
4484 "pte[%lx] error[%lx]\n",
4485 @@ -1987,9 +1998,9 @@ void sun4v_dtlb_error_report(struct pt_r
4487 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
4489 - printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
4490 + printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
4491 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4492 - printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
4493 + printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
4494 (void *) regs->u_regs[UREG_I7]);
4495 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
4496 "pte[%lx] error[%lx]\n",
4497 @@ -2195,13 +2206,13 @@ void show_stack(struct task_struct *tsk,
4498 fp = (unsigned long)sf->fp + STACK_BIAS;
4501 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4502 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4503 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
4504 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
4505 int index = tsk->curr_ret_stack;
4506 if (tsk->ret_stack && index >= graph) {
4507 pc = tsk->ret_stack[index - graph].ret;
4508 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4509 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4513 @@ -2254,7 +2265,7 @@ void die_if_kernel(char *str, struct pt_
4516 kstack_valid(tp, (unsigned long) rw)) {
4517 - printk("Caller[%016lx]: %pS\n", rw->ins[7],
4518 + printk("Caller[%016lx]: %pA\n", rw->ins[7],
4519 (void *) rw->ins[7]);
4521 rw = kernel_stack_up(rw);
4522 diff -urNp linux-2.6.38.4/arch/sparc/kernel/unaligned_64.c linux-2.6.38.4/arch/sparc/kernel/unaligned_64.c
4523 --- linux-2.6.38.4/arch/sparc/kernel/unaligned_64.c 2011-03-14 21:20:32.000000000 -0400
4524 +++ linux-2.6.38.4/arch/sparc/kernel/unaligned_64.c 2011-04-17 15:57:32.000000000 -0400
4525 @@ -278,7 +278,7 @@ static void log_unaligned(struct pt_regs
4526 static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
4528 if (__ratelimit(&ratelimit)) {
4529 - printk("Kernel unaligned access at TPC[%lx] %pS\n",
4530 + printk("Kernel unaligned access at TPC[%lx] %pA\n",
4531 regs->tpc, (void *) regs->tpc);
4534 diff -urNp linux-2.6.38.4/arch/sparc/lib/atomic_64.S linux-2.6.38.4/arch/sparc/lib/atomic_64.S
4535 --- linux-2.6.38.4/arch/sparc/lib/atomic_64.S 2011-03-14 21:20:32.000000000 -0400
4536 +++ linux-2.6.38.4/arch/sparc/lib/atomic_64.S 2011-04-17 15:57:32.000000000 -0400
4538 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4542 + addcc %g1, %o0, %g7
4544 +#ifdef CONFIG_PAX_REFCOUNT
4550 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4551 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4552 2: BACKOFF_SPIN(%o2, %o3, 1b)
4553 .size atomic_add, .-atomic_add
4555 + .globl atomic_add_unchecked
4556 + .type atomic_add_unchecked,#function
4557 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4558 + BACKOFF_SETUP(%o2)
4561 + cas [%o1], %g1, %g7
4567 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4568 + .size atomic_add_unchecked, .-atomic_add_unchecked
4571 .type atomic_sub,#function
4572 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4576 + subcc %g1, %o0, %g7
4578 +#ifdef CONFIG_PAX_REFCOUNT
4584 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
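Review bot: The new `atomic_add_unchecked` entry point carries no comment distinguishing it from `atomic_add`, although as far as the visible lines show the only difference is that the checked variant's `addcc` is followed by a `CONFIG_PAX_REFCOUNT` block and the unchecked one is not. A one-line comment above `.globl atomic_add_unchecked` such as `/* no refcount overflow check: only for counters that may legitimately wrap */` would tell callers which variant to pick; the same applies to the `atomic_sub_unchecked`, `atomic_add_ret_unchecked` and `atomic64_*_unchecked` entries added in the following hunks. The body of the `CONFIG_PAX_REFCOUNT` block is not visible in this chunk, so the exact check it performs is not confirmed here.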
4585 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4586 2: BACKOFF_SPIN(%o2, %o3, 1b)
4587 .size atomic_sub, .-atomic_sub
4589 + .globl atomic_sub_unchecked
4590 + .type atomic_sub_unchecked,#function
4591 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4592 + BACKOFF_SETUP(%o2)
4595 + cas [%o1], %g1, %g7
4601 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4602 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
4604 .globl atomic_add_ret
4605 .type atomic_add_ret,#function
4606 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4610 + addcc %g1, %o0, %g7
4612 +#ifdef CONFIG_PAX_REFCOUNT
4618 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4619 @@ -58,12 +103,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4620 2: BACKOFF_SPIN(%o2, %o3, 1b)
4621 .size atomic_add_ret, .-atomic_add_ret
4623 + .globl atomic_add_ret_unchecked
4624 + .type atomic_add_ret_unchecked,#function
4625 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4626 + BACKOFF_SETUP(%o2)
4628 + addcc %g1, %o0, %g7
4629 + cas [%o1], %g1, %g7
4636 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4637 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4639 .globl atomic_sub_ret
4640 .type atomic_sub_ret,#function
4641 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4645 + subcc %g1, %o0, %g7
4647 +#ifdef CONFIG_PAX_REFCOUNT
4653 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4654 @@ -78,7 +144,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
4655 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4659 + addcc %g1, %o0, %g7
4661 +#ifdef CONFIG_PAX_REFCOUNT
4665 casx [%o1], %g1, %g7
4667 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4668 @@ -88,12 +159,32 @@ atomic64_add: /* %o0 = increment, %o1 =
4669 2: BACKOFF_SPIN(%o2, %o3, 1b)
4670 .size atomic64_add, .-atomic64_add
4672 + .globl atomic64_add_unchecked
4673 + .type atomic64_add_unchecked,#function
4674 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4675 + BACKOFF_SETUP(%o2)
4677 + addcc %g1, %o0, %g7
4678 + casx [%o1], %g1, %g7
4684 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4685 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
4688 .type atomic64_sub,#function
4689 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4693 + subcc %g1, %o0, %g7
4695 +#ifdef CONFIG_PAX_REFCOUNT
4699 casx [%o1], %g1, %g7
4701 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4702 @@ -103,12 +194,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
4703 2: BACKOFF_SPIN(%o2, %o3, 1b)
4704 .size atomic64_sub, .-atomic64_sub
4706 + .globl atomic64_sub_unchecked
4707 + .type atomic64_sub_unchecked,#function
4708 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4709 + BACKOFF_SETUP(%o2)
4711 + subcc %g1, %o0, %g7
4712 + casx [%o1], %g1, %g7
4718 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4719 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
4721 .globl atomic64_add_ret
4722 .type atomic64_add_ret,#function
4723 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4727 + addcc %g1, %o0, %g7
4729 +#ifdef CONFIG_PAX_REFCOUNT
4733 casx [%o1], %g1, %g7
4735 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4736 @@ -118,12 +229,33 @@ atomic64_add_ret: /* %o0 = increment, %o
4737 2: BACKOFF_SPIN(%o2, %o3, 1b)
4738 .size atomic64_add_ret, .-atomic64_add_ret
4740 + .globl atomic64_add_ret_unchecked
4741 + .type atomic64_add_ret_unchecked,#function
4742 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4743 + BACKOFF_SETUP(%o2)
4745 + addcc %g1, %o0, %g7
4746 + casx [%o1], %g1, %g7
4753 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4754 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4756 .globl atomic64_sub_ret
4757 .type atomic64_sub_ret,#function
4758 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4762 + subcc %g1, %o0, %g7
4764 +#ifdef CONFIG_PAX_REFCOUNT
4768 casx [%o1], %g1, %g7
4770 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4771 diff -urNp linux-2.6.38.4/arch/sparc/lib/ksyms.c linux-2.6.38.4/arch/sparc/lib/ksyms.c
4772 --- linux-2.6.38.4/arch/sparc/lib/ksyms.c 2011-03-14 21:20:32.000000000 -0400
4773 +++ linux-2.6.38.4/arch/sparc/lib/ksyms.c 2011-04-17 15:57:32.000000000 -0400
4774 @@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write);
4776 /* Atomic counter implementation. */
4777 EXPORT_SYMBOL(atomic_add);
4778 +EXPORT_SYMBOL(atomic_add_unchecked);
4779 EXPORT_SYMBOL(atomic_add_ret);
4780 EXPORT_SYMBOL(atomic_sub);
4781 +EXPORT_SYMBOL(atomic_sub_unchecked);
4782 EXPORT_SYMBOL(atomic_sub_ret);
4783 EXPORT_SYMBOL(atomic64_add);
4784 +EXPORT_SYMBOL(atomic64_add_unchecked);
4785 EXPORT_SYMBOL(atomic64_add_ret);
4786 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
4787 EXPORT_SYMBOL(atomic64_sub);
4788 +EXPORT_SYMBOL(atomic64_sub_unchecked);
4789 EXPORT_SYMBOL(atomic64_sub_ret);
4791 /* Atomic bit operations. */
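Review bot: `atomic_add_ret_unchecked`, which atomic_64.S defines as a global function in the `@@ -58` hunk above, is not exported here while the other `_unchecked` entry points are; any module that reaches it through the corresponding inline wrapper would fail to load with an unresolved symbol. Adding `EXPORT_SYMBOL(atomic_add_ret_unchecked);` after the existing `EXPORT_SYMBOL(atomic_add_ret);` keeps the export list matching the definitions. Whether `atomic_sub_ret_unchecked` and `atomic64_sub_ret_unchecked` are also defined lies past the visible hunks, so check those against this list too.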
4792 diff -urNp linux-2.6.38.4/arch/sparc/Makefile linux-2.6.38.4/arch/sparc/Makefile
4793 --- linux-2.6.38.4/arch/sparc/Makefile 2011-03-14 21:20:32.000000000 -0400
4794 +++ linux-2.6.38.4/arch/sparc/Makefile 2011-04-17 15:57:32.000000000 -0400
4795 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
4796 # Export what is needed by arch/sparc/boot/Makefile
4797 export VMLINUX_INIT VMLINUX_MAIN
4798 VMLINUX_INIT := $(head-y) $(init-y)
4799 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4800 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4801 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4802 VMLINUX_MAIN += $(drivers-y) $(net-y)
4804 diff -urNp linux-2.6.38.4/arch/sparc/mm/fault_32.c linux-2.6.38.4/arch/sparc/mm/fault_32.c
4805 --- linux-2.6.38.4/arch/sparc/mm/fault_32.c 2011-04-22 19:20:59.000000000 -0400
4806 +++ linux-2.6.38.4/arch/sparc/mm/fault_32.c 2011-04-22 19:21:10.000000000 -0400
4808 #include <linux/interrupt.h>
4809 #include <linux/module.h>
4810 #include <linux/kdebug.h>
4811 +#include <linux/slab.h>
4812 +#include <linux/pagemap.h>
4813 +#include <linux/compiler.h>
4815 #include <asm/system.h>
4816 #include <asm/page.h>
4817 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
4818 return safe_compute_effective_address(regs, insn);
4821 +#ifdef CONFIG_PAX_PAGEEXEC
4822 +#ifdef CONFIG_PAX_DLRESOLVE
4823 +static void pax_emuplt_close(struct vm_area_struct *vma)
4825 + vma->vm_mm->call_dl_resolve = 0UL;
4828 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4830 + unsigned int *kaddr;
4832 + vmf->page = alloc_page(GFP_HIGHUSER);
4834 + return VM_FAULT_OOM;
4836 + kaddr = kmap(vmf->page);
4837 + memset(kaddr, 0, PAGE_SIZE);
4838 + kaddr[0] = 0x9DE3BFA8U; /* save */
4839 + flush_dcache_page(vmf->page);
4840 + kunmap(vmf->page);
4841 + return VM_FAULT_MAJOR;
4844 +static const struct vm_operations_struct pax_vm_ops = {
4845 + .close = pax_emuplt_close,
4846 + .fault = pax_emuplt_fault
4849 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4853 + INIT_LIST_HEAD(&vma->anon_vma_chain);
4854 + vma->vm_mm = current->mm;
4855 + vma->vm_start = addr;
4856 + vma->vm_end = addr + PAGE_SIZE;
4857 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4858 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4859 + vma->vm_ops = &pax_vm_ops;
4861 + ret = insert_vm_struct(current->mm, vma);
4865 + ++current->mm->total_vm;
4871 + * PaX: decide what to do with offenders (regs->pc = fault address)
4873 + * returns 1 when task should be killed
4874 + * 2 when patched PLT trampoline was detected
4875 + * 3 when unpatched PLT trampoline was detected
4877 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4880 +#ifdef CONFIG_PAX_EMUPLT
4883 + do { /* PaX: patched PLT emulation #1 */
4884 + unsigned int sethi1, sethi2, jmpl;
4886 + err = get_user(sethi1, (unsigned int *)regs->pc);
4887 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4888 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4893 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4894 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
4895 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
4897 + unsigned int addr;
4899 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4900 + addr = regs->u_regs[UREG_G1];
4901 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4903 + regs->npc = addr+4;
4908 + { /* PaX: patched PLT emulation #2 */
4911 + err = get_user(ba, (unsigned int *)regs->pc);
4913 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4914 + unsigned int addr;
4916 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4918 + regs->npc = addr+4;
4923 + do { /* PaX: patched PLT emulation #3 */
4924 + unsigned int sethi, jmpl, nop;
4926 + err = get_user(sethi, (unsigned int *)regs->pc);
4927 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
4928 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4933 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4934 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4935 + nop == 0x01000000U)
4937 + unsigned int addr;
4939 + addr = (sethi & 0x003FFFFFU) << 10;
4940 + regs->u_regs[UREG_G1] = addr;
4941 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4943 + regs->npc = addr+4;
4948 + do { /* PaX: unpatched PLT emulation step 1 */
4949 + unsigned int sethi, ba, nop;
4951 + err = get_user(sethi, (unsigned int *)regs->pc);
4952 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
4953 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4958 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4959 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4960 + nop == 0x01000000U)
4962 + unsigned int addr, save, call;
4964 + if ((ba & 0xFFC00000U) == 0x30800000U)
4965 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4967 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
4969 + err = get_user(save, (unsigned int *)addr);
4970 + err |= get_user(call, (unsigned int *)(addr+4));
4971 + err |= get_user(nop, (unsigned int *)(addr+8));
4975 +#ifdef CONFIG_PAX_DLRESOLVE
4976 + if (save == 0x9DE3BFA8U &&
4977 + (call & 0xC0000000U) == 0x40000000U &&
4978 + nop == 0x01000000U)
4980 + struct vm_area_struct *vma;
4981 + unsigned long call_dl_resolve;
4983 + down_read(¤t->mm->mmap_sem);
4984 + call_dl_resolve = current->mm->call_dl_resolve;
4985 + up_read(¤t->mm->mmap_sem);
4986 + if (likely(call_dl_resolve))
4989 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4991 + down_write(¤t->mm->mmap_sem);
4992 + if (current->mm->call_dl_resolve) {
4993 + call_dl_resolve = current->mm->call_dl_resolve;
4994 + up_write(¤t->mm->mmap_sem);
4996 + kmem_cache_free(vm_area_cachep, vma);
5000 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5001 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5002 + up_write(¤t->mm->mmap_sem);
5004 + kmem_cache_free(vm_area_cachep, vma);
5008 + if (pax_insert_vma(vma, call_dl_resolve)) {
5009 + up_write(¤t->mm->mmap_sem);
5010 + kmem_cache_free(vm_area_cachep, vma);
5014 + current->mm->call_dl_resolve = call_dl_resolve;
5015 + up_write(¤t->mm->mmap_sem);
5018 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5019 + regs->pc = call_dl_resolve;
5020 + regs->npc = addr+4;
5025 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5026 + if ((save & 0xFFC00000U) == 0x05000000U &&
5027 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5028 + nop == 0x01000000U)
5030 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5031 + regs->u_regs[UREG_G2] = addr + 4;
5032 + addr = (save & 0x003FFFFFU) << 10;
5033 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5035 + regs->npc = addr+4;
5041 + do { /* PaX: unpatched PLT emulation step 2 */
5042 + unsigned int save, call, nop;
5044 + err = get_user(save, (unsigned int *)(regs->pc-4));
5045 + err |= get_user(call, (unsigned int *)regs->pc);
5046 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
5050 + if (save == 0x9DE3BFA8U &&
5051 + (call & 0xC0000000U) == 0x40000000U &&
5052 + nop == 0x01000000U)
5054 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
5056 + regs->u_regs[UREG_RETPC] = regs->pc;
5057 + regs->pc = dl_resolve;
5058 + regs->npc = dl_resolve+4;
5067 +void pax_report_insns(void *pc, void *sp)
5071 + printk(KERN_ERR "PAX: bytes at PC: ");
5072 + for (i = 0; i < 8; i++) {
5074 + if (get_user(c, (unsigned int *)pc+i))
5075 + printk(KERN_CONT "???????? ");
5077 + printk(KERN_CONT "%08x ", c);
5083 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
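Review bot: `pax_insert_vma` sets `vm_flags` to `VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC` without a comment, and the omission of `VM_MAYWRITE` is precisely what stops the trampoline page from later being made writable through mprotect; a comment such as `/* no VM_MAYWRITE: the trampoline page must never become writable */` would keep a future cleanup from "completing" the flag set. The header comment on `pax_handle_fetch_fault` lists the return codes but not the invariant that makes it acceptable to drive the emulation from bytes the task chose: as far as the visible cases show, every value written to `regs->pc`, `regs->npc`, `%g1` and `%g2` is derived only from instruction words the task can already read and from its own registers (or from the kernel-provided `call_dl_resolve` page), so the emulator performs no transition the task could not request itself; stating that in the header would make later additions easier to review against it. The trailing `do_fault_siginfo` line is context; that function is outside the hunk.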
5086 @@ -281,6 +546,24 @@ good_area:
5087 if(!(vma->vm_flags & VM_WRITE))
5091 +#ifdef CONFIG_PAX_PAGEEXEC
5092 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
5093 + up_read(&mm->mmap_sem);
5094 + switch (pax_handle_fetch_fault(regs)) {
5096 +#ifdef CONFIG_PAX_EMUPLT
5103 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
5104 + do_group_exit(SIGKILL);
5108 /* Allow reads even for write-only mappings */
5109 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
5111 diff -urNp linux-2.6.38.4/arch/sparc/mm/fault_64.c linux-2.6.38.4/arch/sparc/mm/fault_64.c
5112 --- linux-2.6.38.4/arch/sparc/mm/fault_64.c 2011-03-14 21:20:32.000000000 -0400
5113 +++ linux-2.6.38.4/arch/sparc/mm/fault_64.c 2011-04-17 15:57:32.000000000 -0400
5115 #include <linux/kprobes.h>
5116 #include <linux/kdebug.h>
5117 #include <linux/percpu.h>
5118 +#include <linux/slab.h>
5119 +#include <linux/pagemap.h>
5120 +#include <linux/compiler.h>
5122 #include <asm/page.h>
5123 #include <asm/pgtable.h>
5124 @@ -74,7 +77,7 @@ static void __kprobes bad_kernel_pc(stru
5125 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
5127 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
5128 - printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
5129 + printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
5130 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
5132 unhandled_fault(regs->tpc, current, regs);
5133 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
5137 +#ifdef CONFIG_PAX_PAGEEXEC
5138 +#ifdef CONFIG_PAX_DLRESOLVE
5139 +static void pax_emuplt_close(struct vm_area_struct *vma)
5141 + vma->vm_mm->call_dl_resolve = 0UL;
5144 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5146 + unsigned int *kaddr;
5148 + vmf->page = alloc_page(GFP_HIGHUSER);
5150 + return VM_FAULT_OOM;
5152 + kaddr = kmap(vmf->page);
5153 + memset(kaddr, 0, PAGE_SIZE);
5154 + kaddr[0] = 0x9DE3BFA8U; /* save */
5155 + flush_dcache_page(vmf->page);
5156 + kunmap(vmf->page);
5157 + return VM_FAULT_MAJOR;
5160 +static const struct vm_operations_struct pax_vm_ops = {
5161 + .close = pax_emuplt_close,
5162 + .fault = pax_emuplt_fault
5165 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5169 + INIT_LIST_HEAD(&vma->anon_vma_chain);
5170 + vma->vm_mm = current->mm;
5171 + vma->vm_start = addr;
5172 + vma->vm_end = addr + PAGE_SIZE;
5173 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5174 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5175 + vma->vm_ops = &pax_vm_ops;
5177 + ret = insert_vm_struct(current->mm, vma);
5181 + ++current->mm->total_vm;
5187 + * PaX: decide what to do with offenders (regs->tpc = fault address)
5189 + * returns 1 when task should be killed
5190 + * 2 when patched PLT trampoline was detected
5191 + * 3 when unpatched PLT trampoline was detected
5193 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5196 +#ifdef CONFIG_PAX_EMUPLT
5199 + do { /* PaX: patched PLT emulation #1 */
5200 + unsigned int sethi1, sethi2, jmpl;
5202 + err = get_user(sethi1, (unsigned int *)regs->tpc);
5203 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
5204 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
5209 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5210 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5211 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5213 + unsigned long addr;
5215 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5216 + addr = regs->u_regs[UREG_G1];
5217 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5219 + if (test_thread_flag(TIF_32BIT))
5220 + addr &= 0xFFFFFFFFUL;
5223 + regs->tnpc = addr+4;
5228 + { /* PaX: patched PLT emulation #2 */
5231 + err = get_user(ba, (unsigned int *)regs->tpc);
5233 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5234 + unsigned long addr;
5236 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5238 + if (test_thread_flag(TIF_32BIT))
5239 + addr &= 0xFFFFFFFFUL;
5242 + regs->tnpc = addr+4;
5247 + do { /* PaX: patched PLT emulation #3 */
5248 + unsigned int sethi, jmpl, nop;
5250 + err = get_user(sethi, (unsigned int *)regs->tpc);
5251 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
5252 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5257 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5258 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5259 + nop == 0x01000000U)
5261 + unsigned long addr;
5263 + addr = (sethi & 0x003FFFFFU) << 10;
5264 + regs->u_regs[UREG_G1] = addr;
5265 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5267 + if (test_thread_flag(TIF_32BIT))
5268 + addr &= 0xFFFFFFFFUL;
5271 + regs->tnpc = addr+4;
5276 + do { /* PaX: patched PLT emulation #4 */
5277 + unsigned int sethi, mov1, call, mov2;
5279 + err = get_user(sethi, (unsigned int *)regs->tpc);
5280 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
5281 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
5282 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
5287 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5288 + mov1 == 0x8210000FU &&
5289 + (call & 0xC0000000U) == 0x40000000U &&
5290 + mov2 == 0x9E100001U)
5292 + unsigned long addr;
5294 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
5295 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5297 + if (test_thread_flag(TIF_32BIT))
5298 + addr &= 0xFFFFFFFFUL;
5301 + regs->tnpc = addr+4;
5306 + do { /* PaX: patched PLT emulation #5 */
5307 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5309 + err = get_user(sethi, (unsigned int *)regs->tpc);
5310 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5311 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5312 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5313 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5314 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5315 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5316 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
5321 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5322 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5323 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5324 + (or1 & 0xFFFFE000U) == 0x82106000U &&
5325 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5326 + sllx == 0x83287020U &&
5327 + jmpl == 0x81C04005U &&
5328 + nop == 0x01000000U)
5330 + unsigned long addr;
5332 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5333 + regs->u_regs[UREG_G1] <<= 32;
5334 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5335 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5337 + regs->tnpc = addr+4;
5342 + do { /* PaX: patched PLT emulation #6 */
5343 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
5345 + err = get_user(sethi, (unsigned int *)regs->tpc);
5346 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5347 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5348 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5349 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
5350 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5351 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
5356 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5357 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5358 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5359 + sllx == 0x83287020U &&
5360 + (or & 0xFFFFE000U) == 0x8A116000U &&
5361 + jmpl == 0x81C04005U &&
5362 + nop == 0x01000000U)
5364 + unsigned long addr;
5366 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5367 + regs->u_regs[UREG_G1] <<= 32;
5368 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5369 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5371 + regs->tnpc = addr+4;
5376 + do { /* PaX: unpatched PLT emulation step 1 */
5377 + unsigned int sethi, ba, nop;
5379 + err = get_user(sethi, (unsigned int *)regs->tpc);
5380 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5381 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5386 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5387 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5388 + nop == 0x01000000U)
5390 + unsigned long addr;
5391 + unsigned int save, call;
5392 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5394 + if ((ba & 0xFFC00000U) == 0x30800000U)
5395 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5397 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5399 + if (test_thread_flag(TIF_32BIT))
5400 + addr &= 0xFFFFFFFFUL;
5402 + err = get_user(save, (unsigned int *)addr);
5403 + err |= get_user(call, (unsigned int *)(addr+4));
5404 + err |= get_user(nop, (unsigned int *)(addr+8));
5408 +#ifdef CONFIG_PAX_DLRESOLVE
5409 + if (save == 0x9DE3BFA8U &&
5410 + (call & 0xC0000000U) == 0x40000000U &&
5411 + nop == 0x01000000U)
5413 + struct vm_area_struct *vma;
5414 + unsigned long call_dl_resolve;
5416 + down_read(¤t->mm->mmap_sem);
5417 + call_dl_resolve = current->mm->call_dl_resolve;
5418 + up_read(¤t->mm->mmap_sem);
5419 + if (likely(call_dl_resolve))
5422 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5424 + down_write(¤t->mm->mmap_sem);
5425 + if (current->mm->call_dl_resolve) {
5426 + call_dl_resolve = current->mm->call_dl_resolve;
5427 + up_write(¤t->mm->mmap_sem);
5429 + kmem_cache_free(vm_area_cachep, vma);
5433 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5434 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5435 + up_write(¤t->mm->mmap_sem);
5437 + kmem_cache_free(vm_area_cachep, vma);
5441 + if (pax_insert_vma(vma, call_dl_resolve)) {
5442 + up_write(¤t->mm->mmap_sem);
5443 + kmem_cache_free(vm_area_cachep, vma);
5447 + current->mm->call_dl_resolve = call_dl_resolve;
5448 + up_write(¤t->mm->mmap_sem);
5451 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5452 + regs->tpc = call_dl_resolve;
5453 + regs->tnpc = addr+4;
5458 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5459 + if ((save & 0xFFC00000U) == 0x05000000U &&
5460 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5461 + nop == 0x01000000U)
5463 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5464 + regs->u_regs[UREG_G2] = addr + 4;
5465 + addr = (save & 0x003FFFFFU) << 10;
5466 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5468 + if (test_thread_flag(TIF_32BIT))
5469 + addr &= 0xFFFFFFFFUL;
5472 + regs->tnpc = addr+4;
5476 + /* PaX: 64-bit PLT stub */
5477 + err = get_user(sethi1, (unsigned int *)addr);
5478 + err |= get_user(sethi2, (unsigned int *)(addr+4));
5479 + err |= get_user(or1, (unsigned int *)(addr+8));
5480 + err |= get_user(or2, (unsigned int *)(addr+12));
5481 + err |= get_user(sllx, (unsigned int *)(addr+16));
5482 + err |= get_user(add, (unsigned int *)(addr+20));
5483 + err |= get_user(jmpl, (unsigned int *)(addr+24));
5484 + err |= get_user(nop, (unsigned int *)(addr+28));
5488 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5489 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5490 + (or1 & 0xFFFFE000U) == 0x88112000U &&
5491 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5492 + sllx == 0x89293020U &&
5493 + add == 0x8A010005U &&
5494 + jmpl == 0x89C14000U &&
5495 + nop == 0x01000000U)
5497 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5498 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5499 + regs->u_regs[UREG_G4] <<= 32;
5500 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5501 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5502 + regs->u_regs[UREG_G4] = addr + 24;
5503 + addr = regs->u_regs[UREG_G5];
5505 + regs->tnpc = addr+4;
5511 +#ifdef CONFIG_PAX_DLRESOLVE
5512 + do { /* PaX: unpatched PLT emulation step 2 */
5513 + unsigned int save, call, nop;
5515 + err = get_user(save, (unsigned int *)(regs->tpc-4));
5516 + err |= get_user(call, (unsigned int *)regs->tpc);
5517 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5521 + if (save == 0x9DE3BFA8U &&
5522 + (call & 0xC0000000U) == 0x40000000U &&
5523 + nop == 0x01000000U)
5525 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5527 + if (test_thread_flag(TIF_32BIT))
5528 + dl_resolve &= 0xFFFFFFFFUL;
5530 + regs->u_regs[UREG_RETPC] = regs->tpc;
5531 + regs->tpc = dl_resolve;
5532 + regs->tnpc = dl_resolve+4;
5538 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5539 + unsigned int sethi, ba, nop;
5541 + err = get_user(sethi, (unsigned int *)regs->tpc);
5542 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5543 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5548 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5549 + (ba & 0xFFF00000U) == 0x30600000U &&
5550 + nop == 0x01000000U)
5552 + unsigned long addr;
5554 + addr = (sethi & 0x003FFFFFU) << 10;
5555 + regs->u_regs[UREG_G1] = addr;
5556 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5558 + if (test_thread_flag(TIF_32BIT))
5559 + addr &= 0xFFFFFFFFUL;
5562 + regs->tnpc = addr+4;
5572 +void pax_report_insns(void *pc, void *sp)
5576 + printk(KERN_ERR "PAX: bytes at PC: ");
5577 + for (i = 0; i < 8; i++) {
5579 + if (get_user(c, (unsigned int *)pc+i))
5580 + printk(KERN_CONT "???????? ");
5582 + printk(KERN_CONT "%08x ", c);
5588 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5590 struct mm_struct *mm = current->mm;
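Review bot: Patched PLT emulation cases #5 and #6 write `addr` to `regs->tpc`/`regs->tnpc` without the `if (test_thread_flag(TIF_32BIT)) addr &= 0xFFFFFFFFUL;` step that every other case in `pax_handle_fetch_fault` applies, and nothing says whether that asymmetry is deliberate. It presumably is, since both sequences build the target with `regs->u_regs[UREG_G1] <<= 32` and so can only be produced by a 64-bit PLT, but a comment at each of those two branches, e.g. `/* 64-bit PLT form only, so no TIF_32BIT truncation */`, would make it reviewable rather than look like an omission. Separately, `pax_emuplt_close`, `pax_emuplt_fault`, `pax_vm_ops` and `pax_insert_vma` are line-for-line the same as in fault_32.c; only one of the two files is built per configuration, so this is tolerable, but a shared helper under arch/sparc/mm would avoid a fix landing in one copy only.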
5591 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
5595 +#ifdef CONFIG_PAX_PAGEEXEC
5596 + /* PaX: detect ITLB misses on non-exec pages */
5597 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5598 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5600 + if (address != regs->tpc)
5603 + up_read(&mm->mmap_sem);
5604 + switch (pax_handle_fetch_fault(regs)) {
5606 +#ifdef CONFIG_PAX_EMUPLT
5613 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
5614 + do_group_exit(SIGKILL);
5618 /* Pure DTLB misses do not tell us whether the fault causing
5619 * load/store/atomic was a write or not, it only says that there
5620 * was no match. So in such a case we (carefully) read the
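Review bot: The stack pointer handed to `pax_report_fault` is `regs->u_regs[UREG_FP] + STACK_BIAS` regardless of the task's ABI, whereas the emulation paths earlier in this file truncate addresses under `TIF_32BIT`; as I read the SPARC ABIs, a 32-bit compat task's frame pointer carries no bias, so the reported pointer would be off by STACK_BIAS for such tasks. If `pax_report_fault` only logs bytes near that address the effect is a misleading report rather than a crash, since the read presumably goes through get_user, but `(void *)(regs->u_regs[UREG_FP] + (test_thread_flag(TIF_32BIT) ? 0UL : STACK_BIAS))` would keep the two consistent. The `switch` cases between `pax_handle_fetch_fault(regs)` and the kill path are not visible in this chunk, and do_sparc64_fault continues outside the hunk.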
5621 diff -urNp linux-2.6.38.4/arch/sparc/mm/hugetlbpage.c linux-2.6.38.4/arch/sparc/mm/hugetlbpage.c
5622 --- linux-2.6.38.4/arch/sparc/mm/hugetlbpage.c 2011-03-14 21:20:32.000000000 -0400
5623 +++ linux-2.6.38.4/arch/sparc/mm/hugetlbpage.c 2011-04-17 15:57:32.000000000 -0400
5624 @@ -68,7 +68,7 @@ full_search:
5628 - if (likely(!vma || addr + len <= vma->vm_start)) {
5629 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5631 * Remember the place where we stopped the search:
5633 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
5634 /* make sure it can fit in the remaining address space */
5635 if (likely(addr > len)) {
5636 vma = find_vma(mm, addr-len);
5637 - if (!vma || addr <= vma->vm_start) {
5638 + if (check_heap_stack_gap(vma, addr - len, len)) {
5639 /* remember the address as a hint for next time */
5640 return (mm->free_area_cache = addr-len);
5642 @@ -116,16 +116,17 @@ hugetlb_get_unmapped_area_topdown(struct
5643 if (unlikely(mm->mmap_base < len))
5646 - addr = (mm->mmap_base-len) & HPAGE_MASK;
5647 + addr = mm->mmap_base - len;
5650 + addr &= HPAGE_MASK;
5652 * Lookup failure means no vma is above this address,
5653 * else if new region fits below vma->vm_start,
5654 * return with success:
5656 vma = find_vma(mm, addr);
5657 - if (likely(!vma || addr+len <= vma->vm_start)) {
5658 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5659 /* remember the address as a hint for next time */
5660 return (mm->free_area_cache = addr);
5662 @@ -135,8 +136,8 @@ hugetlb_get_unmapped_area_topdown(struct
5663 mm->cached_hole_size = vma->vm_start - addr;
5665 /* try just below the current vma->vm_start */
5666 - addr = (vma->vm_start-len) & HPAGE_MASK;
5667 - } while (likely(len < vma->vm_start));
5668 + addr = skip_heap_stack_gap(vma, len);
5669 + } while (!IS_ERR_VALUE(addr));
5673 @@ -182,8 +183,7 @@ hugetlb_get_unmapped_area(struct file *f
5675 addr = ALIGN(addr, HPAGE_SIZE);
5676 vma = find_vma(mm, addr);
5677 - if (task_size - len >= addr &&
5678 - (!vma || addr + len <= vma->vm_start))
5679 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5682 if (mm->get_unmapped_area == arch_get_unmapped_area)
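Review bot: The new loop tail at 5668 drops the `& HPAGE_MASK` rounding that the removed line 5666 applied, so `addr` stays huge-page aligned only if `skip_heap_stack_gap()` (not in this hunk) rounds its result; if it does not, the next `find_vma()`/`check_heap_stack_gap()` pass and the hint stored in `mm->free_area_cache` at 5660 operate on a misaligned address. Either give the helper an alignment mask to honour, or re-apply it inside the loop after the call, `addr = skip_heap_stack_gap(vma, len); if (!IS_ERR_VALUE(addr)) addr &= HPAGE_MASK;`, keeping the error value intact for the `IS_ERR_VALUE()` test. The earlier hunk (5647/5650) does reapply the mask explicitly, so only the loop form is affected. The body of `hugetlb_get_unmapped_area_topdown()` starts and ends outside the hunk.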
5683 diff -urNp linux-2.6.38.4/arch/sparc/mm/init_32.c linux-2.6.38.4/arch/sparc/mm/init_32.c
5684 --- linux-2.6.38.4/arch/sparc/mm/init_32.c 2011-03-14 21:20:32.000000000 -0400
5685 +++ linux-2.6.38.4/arch/sparc/mm/init_32.c 2011-04-17 15:57:32.000000000 -0400
5686 @@ -318,6 +318,9 @@ extern void device_scan(void);
5687 pgprot_t PAGE_SHARED __read_mostly;
5688 EXPORT_SYMBOL(PAGE_SHARED);
5690 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
5691 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
5693 void __init paging_init(void)
5695 switch(sparc_cpu_model) {
5696 @@ -346,17 +349,17 @@ void __init paging_init(void)
5698 /* Initialize the protection map with non-constant, MMU dependent values. */
5699 protection_map[0] = PAGE_NONE;
5700 - protection_map[1] = PAGE_READONLY;
5701 - protection_map[2] = PAGE_COPY;
5702 - protection_map[3] = PAGE_COPY;
5703 + protection_map[1] = PAGE_READONLY_NOEXEC;
5704 + protection_map[2] = PAGE_COPY_NOEXEC;
5705 + protection_map[3] = PAGE_COPY_NOEXEC;
5706 protection_map[4] = PAGE_READONLY;
5707 protection_map[5] = PAGE_READONLY;
5708 protection_map[6] = PAGE_COPY;
5709 protection_map[7] = PAGE_COPY;
5710 protection_map[8] = PAGE_NONE;
5711 - protection_map[9] = PAGE_READONLY;
5712 - protection_map[10] = PAGE_SHARED;
5713 - protection_map[11] = PAGE_SHARED;
5714 + protection_map[9] = PAGE_READONLY_NOEXEC;
5715 + protection_map[10] = PAGE_SHARED_NOEXEC;
5716 + protection_map[11] = PAGE_SHARED_NOEXEC;
5717 protection_map[12] = PAGE_READONLY;
5718 protection_map[13] = PAGE_READONLY;
5719 protection_map[14] = PAGE_SHARED;
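Review bot: `PAGE_SHARED_NOEXEC` is defined unconditionally at 5690 and installed into `protection_map[10..11]` at 5715–5716, but its only assignment in this patch (srmmu.c, 5741) sits inside `#ifdef CONFIG_PAX_PAGEEXEC`; on a kernel built without that option the variable keeps its zero initial value and every shared non-executable mapping would receive an empty pgprot. Unless the pgtable header (outside this diff) redefines the `PAGE_*_NOEXEC` names to the executable variants when PAGEEXEC is off, the assignments here need the same guard, or srmmu.c needs an `#else` with `PAGE_SHARED_NOEXEC = PAGE_SHARED;` and the matching `BTFIXUPSET_INT` fallbacks. A one-line comment above 5690 naming the config option under which these differ from `PAGE_SHARED` would make the intent checkable. `paging_init()` continues outside the hunk.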
5720 diff -urNp linux-2.6.38.4/arch/sparc/mm/Makefile linux-2.6.38.4/arch/sparc/mm/Makefile
5721 --- linux-2.6.38.4/arch/sparc/mm/Makefile 2011-03-14 21:20:32.000000000 -0400
5722 +++ linux-2.6.38.4/arch/sparc/mm/Makefile 2011-04-17 15:57:32.000000000 -0400
5727 -ccflags-y := -Werror
5728 +#ccflags-y := -Werror
5730 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
5731 obj-y += fault_$(BITS).o
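Review bot: Line 5728 comments out `-Werror` instead of removing it, which leaves dead text in the Makefile and silently makes every warning in arch/sparc/mm non-fatal, including any that the rest of this patch introduces in these files. If one specific warning is the blocker, disable only that one with a comment naming it, `ccflags-y := -Werror -Wno-<warning>` (placeholder), or delete the line outright rather than leaving it commented.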
5732 diff -urNp linux-2.6.38.4/arch/sparc/mm/srmmu.c linux-2.6.38.4/arch/sparc/mm/srmmu.c
5733 --- linux-2.6.38.4/arch/sparc/mm/srmmu.c 2011-03-14 21:20:32.000000000 -0400
5734 +++ linux-2.6.38.4/arch/sparc/mm/srmmu.c 2011-04-17 15:57:32.000000000 -0400
5735 @@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
5736 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
5737 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
5738 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
5740 +#ifdef CONFIG_PAX_PAGEEXEC
5741 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
5742 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5743 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5746 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5747 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5749 diff -urNp linux-2.6.38.4/arch/um/include/asm/kmap_types.h linux-2.6.38.4/arch/um/include/asm/kmap_types.h
5750 --- linux-2.6.38.4/arch/um/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
5751 +++ linux-2.6.38.4/arch/um/include/asm/kmap_types.h 2011-04-17 15:57:32.000000000 -0400
5752 @@ -23,6 +23,7 @@ enum km_type {
5760 diff -urNp linux-2.6.38.4/arch/um/include/asm/page.h linux-2.6.38.4/arch/um/include/asm/page.h
5761 --- linux-2.6.38.4/arch/um/include/asm/page.h 2011-03-14 21:20:32.000000000 -0400
5762 +++ linux-2.6.38.4/arch/um/include/asm/page.h 2011-04-17 15:57:32.000000000 -0400
5764 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
5765 #define PAGE_MASK (~(PAGE_SIZE-1))
5767 +#define ktla_ktva(addr) (addr)
5768 +#define ktva_ktla(addr) (addr)
5770 #ifndef __ASSEMBLY__
5773 diff -urNp linux-2.6.38.4/arch/um/kernel/process.c linux-2.6.38.4/arch/um/kernel/process.c
5774 --- linux-2.6.38.4/arch/um/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
5775 +++ linux-2.6.38.4/arch/um/kernel/process.c 2011-04-17 15:57:32.000000000 -0400
5776 @@ -404,22 +404,6 @@ int singlestepping(void * t)
5781 - * Only x86 and x86_64 have an arch_align_stack().
5782 - * All other arches have "#define arch_align_stack(x) (x)"
5783 - * in their asm/system.h
5784 - * As this is included in UML from asm-um/system-generic.h,
5785 - * we can use it to behave as the subarch does.
5787 -#ifndef arch_align_stack
5788 -unsigned long arch_align_stack(unsigned long sp)
5790 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
5791 - sp -= get_random_int() % 8192;
5796 unsigned long get_wchan(struct task_struct *p)
5798 unsigned long stack_page, sp, ip;
5799 diff -urNp linux-2.6.38.4/arch/um/sys-i386/syscalls.c linux-2.6.38.4/arch/um/sys-i386/syscalls.c
5800 --- linux-2.6.38.4/arch/um/sys-i386/syscalls.c 2011-03-14 21:20:32.000000000 -0400
5801 +++ linux-2.6.38.4/arch/um/sys-i386/syscalls.c 2011-04-17 15:57:32.000000000 -0400
5803 #include "asm/uaccess.h"
5804 #include "asm/unistd.h"
5806 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
5808 + unsigned long pax_task_size = TASK_SIZE;
5810 +#ifdef CONFIG_PAX_SEGMEXEC
5811 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
5812 + pax_task_size = SEGMEXEC_TASK_SIZE;
5815 + if (len > pax_task_size || addr > pax_task_size - len)
5822 * The prototype on i386 is:
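Review bot: The bound check at 5815 relies on `len > pax_task_size` being evaluated first so that `pax_task_size - len` cannot wrap, but nothing records that; suggest `/* test len first: pax_task_size - len must not underflow */` above it. `i386_mmap_check()` is non-static with no prototype in view, and its `flags` parameter is unused in the visible lines; if it is only called from this file make it `static`, otherwise declare it in a header. The function's tail (5816–5821) is not shown, so its return convention could not be checked.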
5824 diff -urNp linux-2.6.38.4/arch/x86/boot/bitops.h linux-2.6.38.4/arch/x86/boot/bitops.h
5825 --- linux-2.6.38.4/arch/x86/boot/bitops.h 2011-03-14 21:20:32.000000000 -0400
5826 +++ linux-2.6.38.4/arch/x86/boot/bitops.h 2011-04-17 15:57:32.000000000 -0400
5827 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
5829 const u32 *p = (const u32 *)addr;
5831 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5832 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5836 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
5838 static inline void set_bit(int nr, void *addr)
5840 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5841 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5844 #endif /* BOOT_BITOPS_H */
5845 diff -urNp linux-2.6.38.4/arch/x86/boot/boot.h linux-2.6.38.4/arch/x86/boot/boot.h
5846 --- linux-2.6.38.4/arch/x86/boot/boot.h 2011-03-14 21:20:32.000000000 -0400
5847 +++ linux-2.6.38.4/arch/x86/boot/boot.h 2011-04-17 15:57:32.000000000 -0400
5848 @@ -85,7 +85,7 @@ static inline void io_delay(void)
5849 static inline u16 ds(void)
5852 - asm("movw %%ds,%0" : "=rm" (seg));
5853 + asm volatile("movw %%ds,%0" : "=rm" (seg));
5857 @@ -181,7 +181,7 @@ static inline void wrgs32(u32 v, addr_t
5858 static inline int memcmp(const void *s1, const void *s2, size_t len)
5861 - asm("repe; cmpsb; setnz %0"
5862 + asm volatile("repe; cmpsb; setnz %0"
5863 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
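Review bot: Making the `memcmp` asm at 5862 `volatile` does not give it the memory ordering it needs: the statement reads `len` bytes through `s1`/`s2` but declares neither a `"memory"` clobber nor a memory input, so the compiler remains free to sink a store to the compared buffer past it; `volatile` only prevents the asm from being deleted or hoisted, not from being reordered against ordinary memory accesses. Add a clobber list, `: "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len) : : "memory");`. For `ds()` at 5853 the `volatile` is justified on its own because %ds changes behind the compiler's back; a comment saying so would spare the next reader the same question. Both functions end outside the hunk.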
5866 diff -urNp linux-2.6.38.4/arch/x86/boot/compressed/head_32.S linux-2.6.38.4/arch/x86/boot/compressed/head_32.S
5867 --- linux-2.6.38.4/arch/x86/boot/compressed/head_32.S 2011-03-14 21:20:32.000000000 -0400
5868 +++ linux-2.6.38.4/arch/x86/boot/compressed/head_32.S 2011-04-17 15:57:32.000000000 -0400
5869 @@ -76,7 +76,7 @@ ENTRY(startup_32)
5873 - movl $LOAD_PHYSICAL_ADDR, %ebx
5874 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5877 /* Target address to relocate to for decompression */
5878 @@ -162,7 +162,7 @@ relocated:
5879 * and where it was actually loaded.
5882 - subl $LOAD_PHYSICAL_ADDR, %ebx
5883 + subl $____LOAD_PHYSICAL_ADDR, %ebx
5884 jz 2f /* Nothing to be done if loaded at compiled addr. */
5886 * Process relocations.
5887 @@ -170,8 +170,7 @@ relocated:
5894 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
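Review bot: The new macro name `____LOAD_PHYSICAL_ADDR` (5874, 5883, and the same rename in head_64.S, misc.c and header.S) starts with a double underscore, which C reserves for the implementation, and it is visually hard to tell apart from the `__LOAD_PHYSICAL_ADDR` symbol that relocs.c special-cases at 6110. A name that says what distinguishes it, for example `LOAD_PHYSICAL_ADDR_RAW` (constructed), would avoid both problems. The macro's definition is outside this diff, so the relationship between the two values could not be verified here.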
5897 diff -urNp linux-2.6.38.4/arch/x86/boot/compressed/head_64.S linux-2.6.38.4/arch/x86/boot/compressed/head_64.S
5898 --- linux-2.6.38.4/arch/x86/boot/compressed/head_64.S 2011-03-14 21:20:32.000000000 -0400
5899 +++ linux-2.6.38.4/arch/x86/boot/compressed/head_64.S 2011-04-17 15:57:32.000000000 -0400
5900 @@ -91,7 +91,7 @@ ENTRY(startup_32)
5904 - movl $LOAD_PHYSICAL_ADDR, %ebx
5905 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5908 /* Target address to relocate to for decompression */
5909 @@ -233,7 +233,7 @@ ENTRY(startup_64)
5913 - movq $LOAD_PHYSICAL_ADDR, %rbp
5914 + movq $____LOAD_PHYSICAL_ADDR, %rbp
5917 /* Target address to relocate to for decompression */
5918 diff -urNp linux-2.6.38.4/arch/x86/boot/compressed/misc.c linux-2.6.38.4/arch/x86/boot/compressed/misc.c
5919 --- linux-2.6.38.4/arch/x86/boot/compressed/misc.c 2011-03-14 21:20:32.000000000 -0400
5920 +++ linux-2.6.38.4/arch/x86/boot/compressed/misc.c 2011-04-17 15:57:32.000000000 -0400
5921 @@ -310,7 +310,7 @@ static void parse_elf(void *output)
5923 #ifdef CONFIG_RELOCATABLE
5925 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
5926 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
5928 dest = (void *)(phdr->p_paddr);
5930 @@ -363,7 +363,7 @@ asmlinkage void decompress_kernel(void *
5931 error("Destination address too large");
5933 #ifndef CONFIG_RELOCATABLE
5934 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
5935 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
5936 error("Wrong destination address");
5939 diff -urNp linux-2.6.38.4/arch/x86/boot/compressed/relocs.c linux-2.6.38.4/arch/x86/boot/compressed/relocs.c
5940 --- linux-2.6.38.4/arch/x86/boot/compressed/relocs.c 2011-03-14 21:20:32.000000000 -0400
5941 +++ linux-2.6.38.4/arch/x86/boot/compressed/relocs.c 2011-04-17 15:57:32.000000000 -0400
5944 static void die(char *fmt, ...);
5946 +#include "../../../../include/generated/autoconf.h"
5948 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
5949 static Elf32_Ehdr ehdr;
5950 +static Elf32_Phdr *phdr;
5951 static unsigned long reloc_count, reloc_idx;
5952 static unsigned long *relocs;
5954 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
5958 +static void read_phdrs(FILE *fp)
5962 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
5964 + die("Unable to allocate %d program headers\n",
5967 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
5968 + die("Seek to %d failed: %s\n",
5969 + ehdr.e_phoff, strerror(errno));
5971 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
5972 + die("Cannot read ELF program headers: %s\n",
5975 + for(i = 0; i < ehdr.e_phnum; i++) {
5976 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
5977 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
5978 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
5979 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
5980 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
5981 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
5982 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
5983 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
5988 static void read_shdrs(FILE *fp)
5994 secs = calloc(ehdr.e_shnum, sizeof(struct section));
5995 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
5997 static void read_strtabs(FILE *fp)
6001 for (i = 0; i < ehdr.e_shnum; i++) {
6002 struct section *sec = &secs[i];
6003 if (sec->shdr.sh_type != SHT_STRTAB) {
6004 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
6006 static void read_symtabs(FILE *fp)
6010 for (i = 0; i < ehdr.e_shnum; i++) {
6011 struct section *sec = &secs[i];
6012 if (sec->shdr.sh_type != SHT_SYMTAB) {
6013 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
6015 static void read_relocs(FILE *fp)
6021 for (i = 0; i < ehdr.e_shnum; i++) {
6022 struct section *sec = &secs[i];
6023 if (sec->shdr.sh_type != SHT_REL) {
6024 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
6025 die("Cannot read symbol table: %s\n",
6029 + for (j = 0; j < ehdr.e_phnum; j++) {
6030 + if (phdr[j].p_type != PT_LOAD )
6032 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
6034 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
6037 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
6038 Elf32_Rel *rel = &sec->reltab[j];
6039 - rel->r_offset = elf32_to_cpu(rel->r_offset);
6040 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
6041 rel->r_info = elf32_to_cpu(rel->r_info);
6044 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
6046 static void print_absolute_symbols(void)
6050 printf("Absolute symbols\n");
6051 printf(" Num: Value Size Type Bind Visibility Name\n");
6052 for (i = 0; i < ehdr.e_shnum; i++) {
6053 struct section *sec = &secs[i];
6055 Elf32_Sym *sh_symtab;
6059 if (sec->shdr.sh_type != SHT_SYMTAB) {
6061 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
6063 static void print_absolute_relocs(void)
6065 - int i, printed = 0;
6066 + unsigned int i, printed = 0;
6068 for (i = 0; i < ehdr.e_shnum; i++) {
6069 struct section *sec = &secs[i];
6070 struct section *sec_applies, *sec_symtab;
6072 Elf32_Sym *sh_symtab;
6075 if (sec->shdr.sh_type != SHT_REL) {
6078 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
6080 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
6084 /* Walk through the relocations */
6085 for (i = 0; i < ehdr.e_shnum; i++) {
6087 Elf32_Sym *sh_symtab;
6088 struct section *sec_applies, *sec_symtab;
6091 struct section *sec = &secs[i];
6093 if (sec->shdr.sh_type != SHT_REL) {
6094 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
6095 !is_rel_reloc(sym_name(sym_strtab, sym))) {
6098 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
6099 + if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
6102 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
6103 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
6104 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
6106 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
6108 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
6110 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
6117 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
6119 static void emit_relocs(int as_text)
6123 /* Count how many relocations I have and allocate space for them. */
6125 walk_relocs(count_reloc);
6126 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
6127 fname, strerror(errno));
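Review bot: In `read_relocs()` the PT_LOAD scan added at 6029–6034 leaves `base` untouched when no segment covers the section, so the value added to every `r_offset` at 6040 is whatever the declaration (outside the visible lines) initialised it to, or a stale value from the previous section if it is declared outside the outer loop; a `die("no PT_LOAD segment covers section %u\n", sec->shdr.sh_info);` after the scan would make that case explicit. The same lines index `secs[sec->shdr.sh_info]` without checking `sh_info < ehdr.e_shnum`; this is a build-time tool reading the kernel's own vmlinux, so exposure is low, but the check is one line. The `die("Seek to %d failed", ehdr.e_phoff, ...)` at 5968 passes an unsigned `Elf32_Off` to `%d`, which the sibling `read_shdrs()` also does, so `%u` would be the consistent fix for both. Lines of `read_relocs()` before 6024 and after 6043 are not shown.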
6134 diff -urNp linux-2.6.38.4/arch/x86/boot/cpucheck.c linux-2.6.38.4/arch/x86/boot/cpucheck.c
6135 --- linux-2.6.38.4/arch/x86/boot/cpucheck.c 2011-03-14 21:20:32.000000000 -0400
6136 +++ linux-2.6.38.4/arch/x86/boot/cpucheck.c 2011-04-17 15:57:32.000000000 -0400
6137 @@ -74,7 +74,7 @@ static int has_fpu(void)
6138 u16 fcw = -1, fsw = -1;
6141 - asm("movl %%cr0,%0" : "=r" (cr0));
6142 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
6143 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
6144 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
6145 asm volatile("movl %0,%%cr0" : : "r" (cr0));
6146 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
6151 + asm volatile("pushfl ; "
6155 @@ -115,7 +115,7 @@ static void get_flags(void)
6156 set_bit(X86_FEATURE_FPU, cpu.flags);
6158 if (has_eflag(X86_EFLAGS_ID)) {
6160 + asm volatile("cpuid"
6161 : "=a" (max_intel_level),
6162 "=b" (cpu_vendor[0]),
6163 "=d" (cpu_vendor[1]),
6164 @@ -124,7 +124,7 @@ static void get_flags(void)
6166 if (max_intel_level >= 0x00000001 &&
6167 max_intel_level <= 0x0000ffff) {
6169 + asm volatile("cpuid"
6171 "=c" (cpu.flags[4]),
6173 @@ -136,7 +136,7 @@ static void get_flags(void)
6174 cpu.model += ((tfms >> 16) & 0xf) << 4;
6178 + asm volatile("cpuid"
6179 : "=a" (max_amd_level)
6181 : "ebx", "ecx", "edx");
6182 @@ -144,7 +144,7 @@ static void get_flags(void)
6183 if (max_amd_level >= 0x80000001 &&
6184 max_amd_level <= 0x8000ffff) {
6185 u32 eax = 0x80000001;
6187 + asm volatile("cpuid"
6189 "=c" (cpu.flags[6]),
6191 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6192 u32 ecx = MSR_K7_HWCR;
6195 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6196 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6198 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6199 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6201 get_flags(); /* Make sure it really did something */
6202 err = check_flags();
6203 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6204 u32 ecx = MSR_VIA_FCR;
6207 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6208 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6209 eax |= (1<<1)|(1<<7);
6210 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6211 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6213 set_bit(X86_FEATURE_CX8, cpu.flags);
6214 err = check_flags();
6215 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
6219 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6220 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6222 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6223 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6224 + asm volatile("cpuid"
6225 : "+a" (level), "=d" (cpu.flags[0])
6227 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6228 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6230 err = check_flags();
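Review bot: The `volatile` added to the `wrmsr` statements (6199, 6211, 6223, 6228) changes nothing, since GCC already treats an asm with no output operands as volatile; only the `rdmsr`/`cpuid`/`cr0` reads (6142, 6151, 6160, 6196, 6208, 6222, 6224) gain anything, and there it matters because a read that follows a `wrmsr` to the same MSR could otherwise be merged with an earlier read. Keeping the keyword on the write side is harmless for consistency, but a comment at the first occurrence, `/* reads must not be CSE'd across the wrmsr that changes the MSR */`, would record why the reads need it. `check_cpu()` starts and ends outside the hunks.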
6232 diff -urNp linux-2.6.38.4/arch/x86/boot/header.S linux-2.6.38.4/arch/x86/boot/header.S
6233 --- linux-2.6.38.4/arch/x86/boot/header.S 2011-03-14 21:20:32.000000000 -0400
6234 +++ linux-2.6.38.4/arch/x86/boot/header.S 2011-04-17 15:57:32.000000000 -0400
6235 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
6236 # single linked list of
6239 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
6240 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
6242 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
6243 #define VO_INIT_SIZE (VO__end - VO__text)
6244 diff -urNp linux-2.6.38.4/arch/x86/boot/memory.c linux-2.6.38.4/arch/x86/boot/memory.c
6245 --- linux-2.6.38.4/arch/x86/boot/memory.c 2011-03-14 21:20:32.000000000 -0400
6246 +++ linux-2.6.38.4/arch/x86/boot/memory.c 2011-04-17 15:57:32.000000000 -0400
6249 static int detect_memory_e820(void)
6252 + unsigned int count = 0;
6253 struct biosregs ireg, oreg;
6254 struct e820entry *desc = boot_params.e820_map;
6255 static struct e820entry buf; /* static so it is zeroed */
6256 diff -urNp linux-2.6.38.4/arch/x86/boot/video.c linux-2.6.38.4/arch/x86/boot/video.c
6257 --- linux-2.6.38.4/arch/x86/boot/video.c 2011-03-14 21:20:32.000000000 -0400
6258 +++ linux-2.6.38.4/arch/x86/boot/video.c 2011-04-17 15:57:32.000000000 -0400
6259 @@ -96,7 +96,7 @@ static void store_mode_params(void)
6260 static unsigned int get_entry(void)
6264 + unsigned int i, len = 0;
6268 diff -urNp linux-2.6.38.4/arch/x86/boot/video-vesa.c linux-2.6.38.4/arch/x86/boot/video-vesa.c
6269 --- linux-2.6.38.4/arch/x86/boot/video-vesa.c 2011-03-14 21:20:32.000000000 -0400
6270 +++ linux-2.6.38.4/arch/x86/boot/video-vesa.c 2011-04-17 15:57:32.000000000 -0400
6271 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
6273 boot_params.screen_info.vesapm_seg = oreg.es;
6274 boot_params.screen_info.vesapm_off = oreg.di;
6275 + boot_params.screen_info.vesapm_size = oreg.cx;
6279 diff -urNp linux-2.6.38.4/arch/x86/ia32/ia32_aout.c linux-2.6.38.4/arch/x86/ia32/ia32_aout.c
6280 --- linux-2.6.38.4/arch/x86/ia32/ia32_aout.c 2011-03-14 21:20:32.000000000 -0400
6281 +++ linux-2.6.38.4/arch/x86/ia32/ia32_aout.c 2011-04-17 15:57:32.000000000 -0400
6282 @@ -162,6 +162,8 @@ static int aout_core_dump(long signr, st
6283 unsigned long dump_start, dump_size;
6286 + memset(&dump, 0, sizeof(dump));
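Review bot: The `memset()` added at 6286 presumably exists so that padding and unset fields of `dump` do not carry stale stack contents into the core file, but nothing in the hunk says so; suggest `/* zero the whole header so padding and unwritten fields cannot leak kernel stack into the dump */` above it. Whether every field is assigned afterwards cannot be seen here, as `aout_core_dump()` continues outside the hunk.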
6291 diff -urNp linux-2.6.38.4/arch/x86/ia32/ia32entry.S linux-2.6.38.4/arch/x86/ia32/ia32entry.S
6292 --- linux-2.6.38.4/arch/x86/ia32/ia32entry.S 2011-03-14 21:20:32.000000000 -0400
6293 +++ linux-2.6.38.4/arch/x86/ia32/ia32entry.S 2011-04-17 15:57:32.000000000 -0400
6295 #include <asm/thread_info.h>
6296 #include <asm/segment.h>
6297 #include <asm/irqflags.h>
6298 +#include <asm/pgtable.h>
6299 #include <linux/linkage.h>
6301 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
6302 @@ -93,6 +94,23 @@ ENTRY(native_irq_enable_sysexit)
6303 ENDPROC(native_irq_enable_sysexit)
6306 + .macro pax_enter_kernel_user
6307 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6308 + call pax_enter_kernel_user
6312 + .macro pax_exit_kernel_user
6313 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6314 + call pax_exit_kernel_user
6316 +#ifdef CONFIG_PAX_RANDKSTACK
6318 + call pax_randomize_kstack
6324 * 32bit SYSENTER instruction entry.
6326 @@ -119,7 +137,7 @@ ENTRY(ia32_sysenter_target)
6327 CFI_REGISTER rsp,rbp
6329 movq PER_CPU_VAR(kernel_stack), %rsp
6330 - addq $(KERNEL_STACK_OFFSET),%rsp
6331 + pax_enter_kernel_user
6333 * No need to follow this irqs on/off section: the syscall
6334 * disabled irqs, here we enable it straight after entry:
6335 @@ -135,7 +153,8 @@ ENTRY(ia32_sysenter_target)
6337 CFI_ADJUST_CFA_OFFSET 8
6338 /*CFI_REL_OFFSET rflags,0*/
6339 - movl 8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d
6340 + GET_THREAD_INFO(%r10)
6341 + movl TI_sysenter_return(%r10), %r10d
6342 CFI_REGISTER rip,r10
6344 CFI_ADJUST_CFA_OFFSET 8
6345 @@ -150,6 +169,12 @@ ENTRY(ia32_sysenter_target)
6347 /* no need to do an access_ok check here because rbp has been
6348 32bit zero extended */
6350 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6351 + mov $PAX_USER_SHADOW_BASE,%r10
6356 .section __ex_table,"a"
6357 .quad 1b,ia32_badarg
6358 @@ -172,6 +197,7 @@ sysenter_dispatch:
6359 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6361 sysexit_from_sys_call:
6362 + pax_exit_kernel_user
6363 andl $~TS_COMPAT,TI_status(%r10)
6364 /* clear IF, that popfq doesn't enable interrupts early */
6365 andl $~0x200,EFLAGS-R11(%rsp)
6366 @@ -283,19 +309,24 @@ ENDPROC(ia32_sysenter_target)
6367 ENTRY(ia32_cstar_target)
6368 CFI_STARTPROC32 simple
6370 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
6372 CFI_REGISTER rip,rcx
6373 /*CFI_REGISTER rflags,r11*/
6377 movq PER_CPU_VAR(kernel_stack),%rsp
6379 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6380 + pax_enter_kernel_user
6384 * No need to follow this irqs on/off section: the syscall
6385 * disabled irqs and here we enable it straight after entry:
6387 ENABLE_INTERRUPTS(CLBR_NONE)
6390 movl %eax,%eax /* zero extension */
6391 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
6392 movq %rcx,RIP-ARGOFFSET(%rsp)
6393 @@ -311,6 +342,12 @@ ENTRY(ia32_cstar_target)
6394 /* no need to do an access_ok check here because r8 has been
6395 32bit zero extended */
6396 /* hardware stack frame is complete now */
6398 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6399 + mov $PAX_USER_SHADOW_BASE,%r10
6404 .section __ex_table,"a"
6405 .quad 1b,ia32_badarg
6406 @@ -323,7 +360,7 @@ ENTRY(ia32_cstar_target)
6407 cmpq $IA32_NR_syscalls-1,%rax
6413 call *ia32_sys_call_table(,%rax,8)
6414 movq %rax,RAX-ARGOFFSET(%rsp)
6415 @@ -333,6 +370,7 @@ cstar_dispatch:
6416 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6418 sysretl_from_sys_call:
6419 + pax_exit_kernel_user
6420 andl $~TS_COMPAT,TI_status(%r10)
6421 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
6422 movl RIP-ARGOFFSET(%rsp),%ecx
6423 @@ -415,6 +453,7 @@ ENTRY(ia32_syscall)
6424 CFI_REL_OFFSET rip,RIP-RIP
6425 PARAVIRT_ADJUST_EXCEPTION_FRAME
6427 + pax_enter_kernel_user
6429 * No need to follow this irqs on/off section: the syscall
6430 * disabled irqs and here we enable it straight after entry:
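Review bot: `pax_exit_kernel_user` is expanded at 6362 and 6419 immediately before `andl $~TS_COMPAT,TI_status(%r10)`, and the macro (6312–6318) issues `call pax_exit_kernel_user` and `call pax_randomize_kstack`; if either callee follows the C ABI, %r10 is caller-saved and the `TI_status(%r10)` access reads through a clobbered register. If they are hand-written routines that preserve all registers, say so on the macro, `/* callees must preserve every register: %r10 holds thread_info at the call sites */`, otherwise redo `GET_THREAD_INFO(%r10)` after the expansion. The `#ifdef CONFIG_PAX_MEMORY_UDEREF` around the `pax_enter_kernel_user` expansion at 6380 is also redundant with the guard inside the macro (6307) and differs from the unconditional uses at 6331 and 6427; dropping it keeps the three entry points consistent should the macro later gain an unconditional part. The entry bodies extend outside the hunks.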
6431 diff -urNp linux-2.6.38.4/arch/x86/ia32/ia32_signal.c linux-2.6.38.4/arch/x86/ia32/ia32_signal.c
6432 --- linux-2.6.38.4/arch/x86/ia32/ia32_signal.c 2011-03-14 21:20:32.000000000 -0400
6433 +++ linux-2.6.38.4/arch/x86/ia32/ia32_signal.c 2011-04-17 15:57:32.000000000 -0400
6434 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
6436 /* Align the stack pointer according to the i386 ABI,
6437 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
6438 - sp = ((sp + 4) & -16ul) - 4;
6439 + sp = ((sp - 12) & -16ul) - 4;
6440 return (void __user *) sp;
6443 @@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
6444 * These are actually not used anymore, but left because some
6445 * gdb versions depend on them as a marker.
6447 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6448 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6449 } put_user_catch(err);
6452 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
6454 __NR_ia32_rt_sigreturn,
6460 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
6461 @@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
6463 if (ka->sa.sa_flags & SA_RESTORER)
6464 restorer = ka->sa.sa_restorer;
6465 + else if (current->mm->context.vdso)
6466 + /* Return stub is in 32bit vsyscall page */
6467 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
6469 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
6471 + restorer = &frame->retcode;
6472 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
6475 * Not actually used anymore, but left because some gdb
6478 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6479 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6480 } put_user_catch(err);
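Review bot: The new `else` branch at 6471 makes `restorer` point at `frame->retcode`, i.e. at the trampoline copied onto the user stack, whenever the process has no vDSO mapped; that path only works if the stack is executable, which the PAGEEXEC parts of this patch presumably aim to prevent, so either document the vDSO-less case as intentionally unsupported there or make the fallback fail signal delivery instead of returning into the stack. Separately, the rounding at 6439 now always reserves an extra 16 bytes below `sp`, but the comment at 6436–6437 still describes only the alignment; extend it with the reason for the gap. `ia32_setup_rt_frame()` ends outside the hunk.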
6483 diff -urNp linux-2.6.38.4/arch/x86/include/asm/alternative.h linux-2.6.38.4/arch/x86/include/asm/alternative.h
6484 --- linux-2.6.38.4/arch/x86/include/asm/alternative.h 2011-03-14 21:20:32.000000000 -0400
6485 +++ linux-2.6.38.4/arch/x86/include/asm/alternative.h 2011-04-17 15:57:32.000000000 -0400
6486 @@ -94,7 +94,7 @@ static inline int alternatives_text_rese
6487 ".section .discard,\"aw\",@progbits\n" \
6488 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
6490 - ".section .altinstr_replacement, \"ax\"\n" \
6491 + ".section .altinstr_replacement, \"a\"\n" \
6492 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
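Review bot: Dropping the `x` flag from `.altinstr_replacement` at 6491 is presumably sound because the replacement bytes are copied into the live text and never executed in place, but that reasoning should sit next to the string, `/* "a" not "ax": replacements are copied into place, never executed here */`, since a reader comparing against the upstream `"ax"` will otherwise assume a typo. The macro is longer than the hunk shows.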
6495 diff -urNp linux-2.6.38.4/arch/x86/include/asm/apm.h linux-2.6.38.4/arch/x86/include/asm/apm.h
6496 --- linux-2.6.38.4/arch/x86/include/asm/apm.h 2011-03-14 21:20:32.000000000 -0400
6497 +++ linux-2.6.38.4/arch/x86/include/asm/apm.h 2011-04-17 15:57:32.000000000 -0400
6498 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6499 __asm__ __volatile__(APM_DO_ZERO_SEGS
6502 - "lcall *%%cs:apm_bios_entry\n\t"
6503 + "lcall *%%ss:apm_bios_entry\n\t"
6507 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6508 __asm__ __volatile__(APM_DO_ZERO_SEGS
6511 - "lcall *%%cs:apm_bios_entry\n\t"
6512 + "lcall *%%ss:apm_bios_entry\n\t"
6516 diff -urNp linux-2.6.38.4/arch/x86/include/asm/atomic64_32.h linux-2.6.38.4/arch/x86/include/asm/atomic64_32.h
6517 --- linux-2.6.38.4/arch/x86/include/asm/atomic64_32.h 2011-03-14 21:20:32.000000000 -0400
6518 +++ linux-2.6.38.4/arch/x86/include/asm/atomic64_32.h 2011-04-17 15:57:32.000000000 -0400
6519 @@ -12,6 +12,14 @@ typedef struct {
6520 u64 __aligned(8) counter;
6523 +#ifdef CONFIG_PAX_REFCOUNT
6525 + u64 __aligned(8) counter;
6526 +} atomic64_unchecked_t;
6528 +typedef atomic64_t atomic64_unchecked_t;
6531 #define ATOMIC64_INIT(val) { (val) }
6533 #ifdef CONFIG_X86_CMPXCHG64
6534 diff -urNp linux-2.6.38.4/arch/x86/include/asm/atomic64_64.h linux-2.6.38.4/arch/x86/include/asm/atomic64_64.h
6535 --- linux-2.6.38.4/arch/x86/include/asm/atomic64_64.h 2011-03-14 21:20:32.000000000 -0400
6536 +++ linux-2.6.38.4/arch/x86/include/asm/atomic64_64.h 2011-04-17 15:57:32.000000000 -0400
6539 static inline long atomic64_read(const atomic64_t *v)
6541 - return (*(volatile long *)&(v)->counter);
6542 + return (*(volatile const long *)&(v)->counter);
6546 + * atomic64_read_unchecked - read atomic64 variable
6547 + * @v: pointer of type atomic64_unchecked_t
6549 + * Atomically reads the value of @v.
6550 + * Doesn't imply a read memory barrier.
6552 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6554 + return (*(volatile const long *)&(v)->counter);
6558 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
6562 + * atomic64_set_unchecked - set atomic64 variable
6563 + * @v: pointer to type atomic64_unchecked_t
6564 + * @i: required value
6566 + * Atomically sets the value of @v to @i.
6568 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6574 * atomic64_add - add integer to atomic64 variable
6575 * @i: integer value to add
6576 * @v: pointer to type atomic64_t
6577 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
6579 static inline void atomic64_add(long i, atomic64_t *v)
6581 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
6583 +#ifdef CONFIG_PAX_REFCOUNT
6585 + LOCK_PREFIX "subq %1,%0\n"
6587 + _ASM_EXTABLE(0b, 0b)
6590 + : "=m" (v->counter)
6591 + : "er" (i), "m" (v->counter));
6595 + * atomic64_add_unchecked - add integer to atomic64 variable
6596 + * @i: integer value to add
6597 + * @v: pointer to type atomic64_unchecked_t
6599 + * Atomically adds @i to @v.
6601 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6603 asm volatile(LOCK_PREFIX "addq %1,%0"
6605 : "er" (i), "m" (v->counter));
6606 @@ -56,7 +102,29 @@ static inline void atomic64_add(long i,
6608 static inline void atomic64_sub(long i, atomic64_t *v)
6610 - asm volatile(LOCK_PREFIX "subq %1,%0"
6611 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6613 +#ifdef CONFIG_PAX_REFCOUNT
6615 + LOCK_PREFIX "addq %1,%0\n"
6617 + _ASM_EXTABLE(0b, 0b)
6620 + : "=m" (v->counter)
6621 + : "er" (i), "m" (v->counter));
6625 + * atomic64_sub_unchecked - subtract the atomic64 variable
6626 + * @i: integer value to subtract
6627 + * @v: pointer to type atomic64_unchecked_t
6629 + * Atomically subtracts @i from @v.
6631 +static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
6633 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6635 : "er" (i), "m" (v->counter));
6637 @@ -74,7 +142,16 @@ static inline int atomic64_sub_and_test(
6641 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6642 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
6644 +#ifdef CONFIG_PAX_REFCOUNT
6646 + LOCK_PREFIX "addq %2,%0\n"
6648 + _ASM_EXTABLE(0b, 0b)
6652 : "=m" (v->counter), "=qm" (c)
6653 : "er" (i), "m" (v->counter) : "memory");
6655 @@ -88,6 +165,27 @@ static inline int atomic64_sub_and_test(
6657 static inline void atomic64_inc(atomic64_t *v)
6659 + asm volatile(LOCK_PREFIX "incq %0\n"
6661 +#ifdef CONFIG_PAX_REFCOUNT
6663 + LOCK_PREFIX "decq %0\n"
6665 + _ASM_EXTABLE(0b, 0b)
6668 + : "=m" (v->counter)
6669 + : "m" (v->counter));
6673 + * atomic64_inc_unchecked - increment atomic64 variable
6674 + * @v: pointer to type atomic64_unchecked_t
6676 + * Atomically increments @v by 1.
6678 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6680 asm volatile(LOCK_PREFIX "incq %0"
6682 : "m" (v->counter));
6683 @@ -101,7 +199,28 @@ static inline void atomic64_inc(atomic64
6685 static inline void atomic64_dec(atomic64_t *v)
6687 - asm volatile(LOCK_PREFIX "decq %0"
6688 + asm volatile(LOCK_PREFIX "decq %0\n"
6690 +#ifdef CONFIG_PAX_REFCOUNT
6692 + LOCK_PREFIX "incq %0\n"
6694 + _ASM_EXTABLE(0b, 0b)
6697 + : "=m" (v->counter)
6698 + : "m" (v->counter));
6702 + * atomic64_dec_unchecked - decrement atomic64 variable
6703 + * @v: pointer to type atomic64_t
6705 + * Atomically decrements @v by 1.
6707 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
6709 + asm volatile(LOCK_PREFIX "decq %0\n"
6711 : "m" (v->counter));
6713 @@ -118,7 +237,16 @@ static inline int atomic64_dec_and_test(
6717 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
6718 + asm volatile(LOCK_PREFIX "decq %0\n"
6720 +#ifdef CONFIG_PAX_REFCOUNT
6722 + LOCK_PREFIX "incq %0\n"
6724 + _ASM_EXTABLE(0b, 0b)
6728 : "=m" (v->counter), "=qm" (c)
6729 : "m" (v->counter) : "memory");
6731 @@ -136,7 +264,16 @@ static inline int atomic64_inc_and_test(
6735 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
6736 + asm volatile(LOCK_PREFIX "incq %0\n"
6738 +#ifdef CONFIG_PAX_REFCOUNT
6740 + LOCK_PREFIX "decq %0\n"
6742 + _ASM_EXTABLE(0b, 0b)
6746 : "=m" (v->counter), "=qm" (c)
6747 : "m" (v->counter) : "memory");
6749 @@ -155,7 +292,16 @@ static inline int atomic64_add_negative(
6753 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6754 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
6756 +#ifdef CONFIG_PAX_REFCOUNT
6758 + LOCK_PREFIX "subq %2,%0\n"
6760 + _ASM_EXTABLE(0b, 0b)
6764 : "=m" (v->counter), "=qm" (c)
6765 : "er" (i), "m" (v->counter) : "memory");
6767 @@ -171,7 +317,31 @@ static inline int atomic64_add_negative(
6768 static inline long atomic64_add_return(long i, atomic64_t *v)
6771 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6772 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6774 +#ifdef CONFIG_PAX_REFCOUNT
6778 + _ASM_EXTABLE(0b, 0b)
6781 + : "+r" (i), "+m" (v->counter)
6787 + * atomic64_add_return_unchecked - add and return
6788 + * @i: integer value to add
6789 + * @v: pointer to type atomic64_unchecked_t
6791 + * Atomically adds @i to @v and returns @i + @v
6793 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6796 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
6797 : "+r" (i), "+m" (v->counter)
6800 @@ -183,6 +353,10 @@ static inline long atomic64_sub_return(l
6803 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
6804 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6806 + return atomic64_add_return_unchecked(1, v);
6808 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
6810 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6811 @@ -206,17 +380,30 @@ static inline long atomic64_xchg(atomic6
6813 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
6817 c = atomic64_read(v);
6819 - if (unlikely(c == (u)))
6820 + if (unlikely(c == u))
6822 - old = atomic64_cmpxchg((v), c, c + (a));
6824 + asm volatile("add %2,%0\n"
6826 +#ifdef CONFIG_PAX_REFCOUNT
6830 + _ASM_EXTABLE(0b, 0b)
6834 + : "0" (c), "ir" (a));
6836 + old = atomic64_cmpxchg(v, c, new);
6837 if (likely(old == c))
6845 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
6846 diff -urNp linux-2.6.38.4/arch/x86/include/asm/atomic.h linux-2.6.38.4/arch/x86/include/asm/atomic.h
6847 --- linux-2.6.38.4/arch/x86/include/asm/atomic.h 2011-03-14 21:20:32.000000000 -0400
6848 +++ linux-2.6.38.4/arch/x86/include/asm/atomic.h 2011-04-17 15:57:32.000000000 -0400
6851 static inline int atomic_read(const atomic_t *v)
6853 - return (*(volatile int *)&(v)->counter);
6854 + return (*(volatile const int *)&(v)->counter);
6858 + * atomic_read_unchecked - read atomic variable
6859 + * @v: pointer of type atomic_unchecked_t
6861 + * Atomically reads the value of @v.
6863 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6865 + return (*(volatile const int *)&(v)->counter);
6869 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
6873 + * atomic_set_unchecked - set atomic variable
6874 + * @v: pointer of type atomic_unchecked_t
6875 + * @i: required value
6877 + * Atomically sets the value of @v to @i.
6879 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6885 * atomic_add - add integer to atomic variable
6886 * @i: integer value to add
6887 * @v: pointer of type atomic_t
6888 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
6890 static inline void atomic_add(int i, atomic_t *v)
6892 - asm volatile(LOCK_PREFIX "addl %1,%0"
6893 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6895 +#ifdef CONFIG_PAX_REFCOUNT
6897 + LOCK_PREFIX "subl %1,%0\n"
6899 + _ASM_EXTABLE(0b, 0b)
6902 + : "+m" (v->counter)
6907 + * atomic_add_unchecked - add integer to atomic variable
6908 + * @i: integer value to add
6909 + * @v: pointer of type atomic_unchecked_t
6911 + * Atomically adds @i to @v.
6913 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
6915 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6919 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
6921 static inline void atomic_sub(int i, atomic_t *v)
6923 - asm volatile(LOCK_PREFIX "subl %1,%0"
6924 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6926 +#ifdef CONFIG_PAX_REFCOUNT
6928 + LOCK_PREFIX "addl %1,%0\n"
6930 + _ASM_EXTABLE(0b, 0b)
6933 + : "+m" (v->counter)
6938 + * atomic_sub_unchecked - subtract integer from atomic variable
6939 + * @i: integer value to subtract
6940 + * @v: pointer of type atomic_t
6942 + * Atomically subtracts @i from @v.
6944 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
6946 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6950 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
6954 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
6955 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
6957 +#ifdef CONFIG_PAX_REFCOUNT
6959 + LOCK_PREFIX "addl %2,%0\n"
6961 + _ASM_EXTABLE(0b, 0b)
6965 : "+m" (v->counter), "=qm" (c)
6966 : "ir" (i) : "memory");
6968 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
6970 static inline void atomic_inc(atomic_t *v)
6972 - asm volatile(LOCK_PREFIX "incl %0"
6973 + asm volatile(LOCK_PREFIX "incl %0\n"
6975 +#ifdef CONFIG_PAX_REFCOUNT
6977 + LOCK_PREFIX "decl %0\n"
6979 + _ASM_EXTABLE(0b, 0b)
6982 + : "+m" (v->counter));
6986 + * atomic_inc_unchecked - increment atomic variable
6987 + * @v: pointer of type atomic_unchecked_t
6989 + * Atomically increments @v by 1.
6991 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
6993 + asm volatile(LOCK_PREFIX "incl %0\n"
6994 : "+m" (v->counter));
6997 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
6999 static inline void atomic_dec(atomic_t *v)
7001 - asm volatile(LOCK_PREFIX "decl %0"
7002 + asm volatile(LOCK_PREFIX "decl %0\n"
7004 +#ifdef CONFIG_PAX_REFCOUNT
7006 + LOCK_PREFIX "incl %0\n"
7008 + _ASM_EXTABLE(0b, 0b)
7011 + : "+m" (v->counter));
7015 + * atomic_dec_unchecked - decrement atomic variable
7016 + * @v: pointer of type atomic_t
7018 + * Atomically decrements @v by 1.
7020 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
7022 + asm volatile(LOCK_PREFIX "decl %0\n"
7023 : "+m" (v->counter));
7026 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
7030 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
7031 + asm volatile(LOCK_PREFIX "decl %0\n"
7033 +#ifdef CONFIG_PAX_REFCOUNT
7035 + LOCK_PREFIX "incl %0\n"
7037 + _ASM_EXTABLE(0b, 0b)
7041 : "+m" (v->counter), "=qm" (c)
7044 @@ -138,7 +263,16 @@ static inline int atomic_inc_and_test(at
7048 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
7049 + asm volatile(LOCK_PREFIX "incl %0\n"
7051 +#ifdef CONFIG_PAX_REFCOUNT
7053 + LOCK_PREFIX "decl %0\n"
7055 + _ASM_EXTABLE(0b, 0b)
7059 : "+m" (v->counter), "=qm" (c)
7062 @@ -157,7 +291,16 @@ static inline int atomic_add_negative(in
7066 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
7067 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
7069 +#ifdef CONFIG_PAX_REFCOUNT
7071 + LOCK_PREFIX "subl %2,%0\n"
7073 + _ASM_EXTABLE(0b, 0b)
7077 : "+m" (v->counter), "=qm" (c)
7078 : "ir" (i) : "memory");
7080 @@ -180,6 +323,46 @@ static inline int atomic_add_return(int
7082 /* Modern 486+ processor */
7084 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
7086 +#ifdef CONFIG_PAX_REFCOUNT
7090 + _ASM_EXTABLE(0b, 0b)
7093 + : "+r" (i), "+m" (v->counter)
7098 +no_xadd: /* Legacy 386 processor */
7099 + local_irq_save(flags);
7100 + __i = atomic_read(v);
7101 + atomic_set(v, i + __i);
7102 + local_irq_restore(flags);
7108 + * atomic_add_return_unchecked - add integer and return
7109 + * @v: pointer of type atomic_unchecked_t
7110 + * @i: integer value to add
7112 + * Atomically adds @i to @v and returns @i + @v
7114 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
7118 + unsigned long flags;
7119 + if (unlikely(boot_cpu_data.x86 <= 3))
7122 + /* Modern 486+ processor */
7124 asm volatile(LOCK_PREFIX "xaddl %0, %1"
7125 : "+r" (i), "+m" (v->counter)
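Review bot: On the `no_xadd` legacy-386 path of `atomic_add_return` the sum is still computed in plain C, `atomic_set(v, i + __i);`, so the overflow check that CONFIG_PAX_REFCOUNT attaches to the `xaddl` path does not cover it: on a 386 the counter wraps silently, and signed `i + __i` is undefined behaviour in C. If the fallback is meant to be covered it needs an explicit pre-check of the sum against INT_MAX/INT_MIN, otherwise a comment should state that the 386 path is deliberately unchecked. The new `atomic_add_return_unchecked` duplicates the same fallback; a shared static helper would keep the two copies in step. `atomic_add_return` begins outside the hunk.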
7127 @@ -208,6 +391,10 @@ static inline int atomic_sub_return(int
7130 #define atomic_inc_return(v) (atomic_add_return(1, v))
7131 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
7133 + return atomic_add_return_unchecked(1, v);
7135 #define atomic_dec_return(v) (atomic_sub_return(1, v))
7137 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
7138 @@ -231,21 +418,77 @@ static inline int atomic_xchg(atomic_t *
7140 static inline int atomic_add_unless(atomic_t *v, int a, int u)
7146 - if (unlikely(c == (u)))
7147 + if (unlikely(c == u))
7149 - old = atomic_cmpxchg((v), c, c + (a));
7151 + asm volatile("addl %2,%0\n"
7153 +#ifdef CONFIG_PAX_REFCOUNT
7157 + _ASM_EXTABLE(0b, 0b)
7161 + : "0" (c), "ir" (a));
7163 + old = atomic_cmpxchg(v, c, new);
7164 if (likely(old == c))
7172 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
7175 + * atomic_inc_not_zero_hint - increment if not null
7176 + * @v: pointer of type atomic_t
7177 + * @hint: probable value of the atomic before the increment
7179 + * This version of atomic_inc_not_zero() gives a hint of probable
7180 + * value of the atomic. This helps processor to not read the memory
7181 + * before doing the atomic read/modify/write cycle, lowering
7182 + * number of bus transactions on some arches.
7184 + * Returns: 0 if increment was not done, 1 otherwise.
7186 +#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint
7187 +static inline int atomic_inc_not_zero_hint(atomic_t *v, int hint)
7189 + int val, c = hint, new;
7191 + /* sanity test, should be removed by compiler if hint is a constant */
7193 + return atomic_inc_not_zero(v);
7196 + asm volatile("incl %0\n"
7198 +#ifdef CONFIG_PAX_REFCOUNT
7202 + _ASM_EXTABLE(0b, 0b)
7208 + val = atomic_cmpxchg(v, c, new);
7218 * atomic_dec_if_positive - decrement by 1 if old value positive
7219 * @v: pointer of type atomic_t
7220 diff -urNp linux-2.6.38.4/arch/x86/include/asm/bitops.h linux-2.6.38.4/arch/x86/include/asm/bitops.h
7221 --- linux-2.6.38.4/arch/x86/include/asm/bitops.h 2011-03-14 21:20:32.000000000 -0400
7222 +++ linux-2.6.38.4/arch/x86/include/asm/bitops.h 2011-04-17 15:57:32.000000000 -0400
7224 * a mask operation on a byte.
7226 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
7227 -#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
7228 +#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
7229 #define CONST_MASK(nr) (1 << ((nr) & 7))
7232 diff -urNp linux-2.6.38.4/arch/x86/include/asm/boot.h linux-2.6.38.4/arch/x86/include/asm/boot.h
7233 --- linux-2.6.38.4/arch/x86/include/asm/boot.h 2011-03-14 21:20:32.000000000 -0400
7234 +++ linux-2.6.38.4/arch/x86/include/asm/boot.h 2011-04-17 15:57:32.000000000 -0400
7236 #include <asm/pgtable_types.h>
7238 /* Physical address where kernel should be loaded. */
7239 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7240 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7241 + (CONFIG_PHYSICAL_ALIGN - 1)) \
7242 & ~(CONFIG_PHYSICAL_ALIGN - 1))
7244 +#ifndef __ASSEMBLY__
7245 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
7246 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
7249 /* Minimum kernel alignment, as a power of two */
7250 #ifdef CONFIG_X86_64
7251 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
7252 diff -urNp linux-2.6.38.4/arch/x86/include/asm/cacheflush.h linux-2.6.38.4/arch/x86/include/asm/cacheflush.h
7253 --- linux-2.6.38.4/arch/x86/include/asm/cacheflush.h 2011-03-14 21:20:32.000000000 -0400
7254 +++ linux-2.6.38.4/arch/x86/include/asm/cacheflush.h 2011-04-17 15:57:32.000000000 -0400
7255 @@ -26,7 +26,7 @@ static inline unsigned long get_page_mem
7256 unsigned long pg_flags = pg->flags & _PGMT_MASK;
7258 if (pg_flags == _PGMT_DEFAULT)
7261 else if (pg_flags == _PGMT_WC)
7262 return _PAGE_CACHE_WC;
7263 else if (pg_flags == _PGMT_UC_MINUS)
7264 diff -urNp linux-2.6.38.4/arch/x86/include/asm/cache.h linux-2.6.38.4/arch/x86/include/asm/cache.h
7265 --- linux-2.6.38.4/arch/x86/include/asm/cache.h 2011-03-14 21:20:32.000000000 -0400
7266 +++ linux-2.6.38.4/arch/x86/include/asm/cache.h 2011-04-17 15:57:32.000000000 -0400
7268 #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
7270 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
7271 +#define __read_only __attribute__((__section__(".data..read_only")))
7273 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
7274 #define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
7275 diff -urNp linux-2.6.38.4/arch/x86/include/asm/checksum_32.h linux-2.6.38.4/arch/x86/include/asm/checksum_32.h
7276 --- linux-2.6.38.4/arch/x86/include/asm/checksum_32.h 2011-03-14 21:20:32.000000000 -0400
7277 +++ linux-2.6.38.4/arch/x86/include/asm/checksum_32.h 2011-04-17 15:57:32.000000000 -0400
7278 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
7279 int len, __wsum sum,
7280 int *src_err_ptr, int *dst_err_ptr);
7282 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
7283 + int len, __wsum sum,
7284 + int *src_err_ptr, int *dst_err_ptr);
7286 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
7287 + int len, __wsum sum,
7288 + int *src_err_ptr, int *dst_err_ptr);
7291 * Note: when you get a NULL pointer exception here this means someone
7292 * passed in an incorrect kernel address to one of these functions.
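Review bot: The new `csum_partial_copy_generic_to_user`/`_from_user` prototypes take plain `const void *src, void *dst`, so the call sites in the next hunks still need `(__force void *)` casts and sparse cannot verify that `_from_user` really receives a user `src` and `_to_user` a user `dst`. Since the split exists to make the user-side operand explicit, declaring that parameter `__user` (`const void __user *src` for `_from_user`, `void __user *dst` for `_to_user`) would remove the casts and let the type checker enforce the direction. The asm implementations are not visible here, so confirm the declarations match them.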
7293 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
7297 - return csum_partial_copy_generic((__force void *)src, dst,
7298 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
7299 len, sum, err_ptr, NULL);
7302 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
7305 if (access_ok(VERIFY_WRITE, dst, len))
7306 - return csum_partial_copy_generic(src, (__force void *)dst,
7307 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
7308 len, sum, NULL, err_ptr);
7311 diff -urNp linux-2.6.38.4/arch/x86/include/asm/cpufeature.h linux-2.6.38.4/arch/x86/include/asm/cpufeature.h
7312 --- linux-2.6.38.4/arch/x86/include/asm/cpufeature.h 2011-03-14 21:20:32.000000000 -0400
7313 +++ linux-2.6.38.4/arch/x86/include/asm/cpufeature.h 2011-04-17 15:57:32.000000000 -0400
7314 @@ -349,7 +349,7 @@ static __always_inline __pure bool __sta
7315 ".section .discard,\"aw\",@progbits\n"
7316 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
7318 - ".section .altinstr_replacement,\"ax\"\n"
7319 + ".section .altinstr_replacement,\"a\"\n"
7323 diff -urNp linux-2.6.38.4/arch/x86/include/asm/desc_defs.h linux-2.6.38.4/arch/x86/include/asm/desc_defs.h
7324 --- linux-2.6.38.4/arch/x86/include/asm/desc_defs.h 2011-03-14 21:20:32.000000000 -0400
7325 +++ linux-2.6.38.4/arch/x86/include/asm/desc_defs.h 2011-04-17 15:57:32.000000000 -0400
7326 @@ -31,6 +31,12 @@ struct desc_struct {
7327 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
7328 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
7333 + unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
7334 + unsigned offset_high: 16;
7337 } __attribute__((packed));
7339 diff -urNp linux-2.6.38.4/arch/x86/include/asm/desc.h linux-2.6.38.4/arch/x86/include/asm/desc.h
7340 --- linux-2.6.38.4/arch/x86/include/asm/desc.h 2011-03-14 21:20:32.000000000 -0400
7341 +++ linux-2.6.38.4/arch/x86/include/asm/desc.h 2011-04-17 15:57:32.000000000 -0400
7343 #include <asm/desc_defs.h>
7344 #include <asm/ldt.h>
7345 #include <asm/mmu.h>
7346 +#include <asm/pgtable.h>
7347 #include <linux/smp.h>
7349 static inline void fill_ldt(struct desc_struct *desc,
7350 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
7351 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
7352 desc->type = (info->read_exec_only ^ 1) << 1;
7353 desc->type |= info->contents << 2;
7354 + desc->type |= info->seg_not_present ^ 1;
7357 desc->p = info->seg_not_present ^ 1;
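Review bot: The added `desc->type |= info->seg_not_present ^ 1;` sets bit 0 of the type field, the accessed bit, for present segments, but carries no comment. Presumably the intent is that the CPU never needs to write the accessed bit back into a descriptor table that this patch keeps read-only elsewhere; if so, a line such as `/* pre-set the accessed bit so the CPU never has to write the descriptor */` would spare the next reader the lookup. `fill_ldt` begins outside the hunk.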
7358 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
7361 extern struct desc_ptr idt_descr;
7362 -extern gate_desc idt_table[];
7365 - struct desc_struct gdt[GDT_ENTRIES];
7366 -} __attribute__((aligned(PAGE_SIZE)));
7367 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
7368 +extern gate_desc idt_table[256];
7370 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
7371 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
7373 - return per_cpu(gdt_page, cpu).gdt;
7374 + return cpu_gdt_table[cpu];
7377 #ifdef CONFIG_X86_64
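Review bot: `extern gate_desc idt_table[256];` hard-codes the IDT size where the kernel already has `NR_VECTORS` (and `IDT_ENTRIES`) for it; `extern gate_desc idt_table[NR_VECTORS];` keeps the declaration from drifting away from wherever the table is defined. The `cpu_gdt_table` second dimension `PAGE_SIZE / sizeof(struct desc_struct)` likewise deserves a named constant or a comment stating that one GDT is exactly one page. `get_cpu_gdt_table` indexes `cpu_gdt_table[cpu]` with no bound, as the per-cpu version did, which is fine only while every caller passes a valid cpu id.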
7378 @@ -65,9 +63,14 @@ static inline void pack_gate(gate_desc *
7379 unsigned long base, unsigned dpl, unsigned flags,
7382 - gate->a = (seg << 16) | (base & 0xffff);
7383 - gate->b = (base & 0xffff0000) |
7384 - (((0x80 | type | (dpl << 5)) & 0xff) << 8);
7385 + gate->gate.offset_low = base;
7386 + gate->gate.seg = seg;
7387 + gate->gate.reserved = 0;
7388 + gate->gate.type = type;
7390 + gate->gate.dpl = dpl;
7392 + gate->gate.offset_high = base >> 16;
7396 @@ -115,19 +118,24 @@ static inline void paravirt_free_ldt(str
7397 static inline void native_write_idt_entry(gate_desc *idt, int entry,
7398 const gate_desc *gate)
7400 + pax_open_kernel();
7401 memcpy(&idt[entry], gate, sizeof(*gate));
7402 + pax_close_kernel();
7405 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
7408 + pax_open_kernel();
7409 memcpy(&ldt[entry], desc, 8);
7410 + pax_close_kernel();
7413 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
7414 const void *desc, int type)
7420 size = sizeof(tss_desc);
7421 @@ -139,7 +147,10 @@ static inline void native_write_gdt_entr
7422 size = sizeof(struct desc_struct);
7426 + pax_open_kernel();
7427 memcpy(&gdt[entry], desc, size);
7428 + pax_close_kernel();
7431 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
7432 @@ -211,7 +222,9 @@ static inline void native_set_ldt(const
7434 static inline void native_load_tr_desc(void)
7436 + pax_open_kernel();
7437 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
7438 + pax_close_kernel();
7441 static inline void native_load_gdt(const struct desc_ptr *dtr)
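Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair around `ltr` has no explanation, and it is not obvious why loading the task register needs writable kernel data. `ltr` sets the busy bit in the TSS descriptor it selects, i.e. it writes into the GDT; a comment such as `/* ltr marks the TSS descriptor busy, which is a write into the read-only GDT */` would make the pairing self-documenting.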
7442 @@ -246,8 +259,10 @@ static inline void native_load_tls(struc
7444 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
7446 + pax_open_kernel();
7447 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
7448 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
7449 + pax_close_kernel();
7452 #define _LDT_empty(info) \
7453 @@ -309,7 +324,7 @@ static inline void set_desc_limit(struct
7454 desc->limit = (limit >> 16) & 0xf;
7457 -static inline void _set_gate(int gate, unsigned type, void *addr,
7458 +static inline void _set_gate(int gate, unsigned type, const void *addr,
7459 unsigned dpl, unsigned ist, unsigned seg)
7462 @@ -327,7 +342,7 @@ static inline void _set_gate(int gate, u
7463 * Pentium F0 0F bugfix can have resulted in the mapped
7464 * IDT being write-protected.
7466 -static inline void set_intr_gate(unsigned int n, void *addr)
7467 +static inline void set_intr_gate(unsigned int n, const void *addr)
7469 BUG_ON((unsigned)n > 0xFF);
7470 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
7471 @@ -356,19 +371,19 @@ static inline void alloc_intr_gate(unsig
7473 * This routine sets up an interrupt gate at directory privilege level 3.
7475 -static inline void set_system_intr_gate(unsigned int n, void *addr)
7476 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
7478 BUG_ON((unsigned)n > 0xFF);
7479 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
7482 -static inline void set_system_trap_gate(unsigned int n, void *addr)
7483 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
7485 BUG_ON((unsigned)n > 0xFF);
7486 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
7489 -static inline void set_trap_gate(unsigned int n, void *addr)
7490 +static inline void set_trap_gate(unsigned int n, const void *addr)
7492 BUG_ON((unsigned)n > 0xFF);
7493 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
7494 @@ -377,19 +392,31 @@ static inline void set_trap_gate(unsigne
7495 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
7497 BUG_ON((unsigned)n > 0xFF);
7498 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
7499 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
7502 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
7503 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
7505 BUG_ON((unsigned)n > 0xFF);
7506 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
7509 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
7510 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
7512 BUG_ON((unsigned)n > 0xFF);
7513 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
7516 +#ifdef CONFIG_X86_32
7517 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
7519 + struct desc_struct d;
7521 + if (likely(limit))
7522 + limit = (limit - 1UL) >> PAGE_SHIFT;
7523 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
7524 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
7528 #endif /* _ASM_X86_DESC_H */
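Review bot: `set_user_cs` packs the descriptor with the bare literals `0xFB` and `0xC` and has no header comment. They encode present, DPL 3, code, readable, accessed and 4 KiB granularity with 32-bit default size respectively; either name them or add a comment above the `pack_descriptor` call so a reviewer can check them against the intended user code segment. A short kernel-doc stating that `limit` is a byte length, and that 0 yields the smallest page-granular segment rather than an empty one, would also help.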
7529 diff -urNp linux-2.6.38.4/arch/x86/include/asm/device.h linux-2.6.38.4/arch/x86/include/asm/device.h
7530 --- linux-2.6.38.4/arch/x86/include/asm/device.h 2011-03-14 21:20:32.000000000 -0400
7531 +++ linux-2.6.38.4/arch/x86/include/asm/device.h 2011-04-17 15:57:32.000000000 -0400
7532 @@ -6,7 +6,7 @@ struct dev_archdata {
7535 #ifdef CONFIG_X86_64
7536 -struct dma_map_ops *dma_ops;
7537 + const struct dma_map_ops *dma_ops;
7539 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
7540 void *iommu; /* hook for IOMMU specific extension */
7541 diff -urNp linux-2.6.38.4/arch/x86/include/asm/dma-mapping.h linux-2.6.38.4/arch/x86/include/asm/dma-mapping.h
7542 --- linux-2.6.38.4/arch/x86/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
7543 +++ linux-2.6.38.4/arch/x86/include/asm/dma-mapping.h 2011-04-17 15:57:32.000000000 -0400
7544 @@ -26,9 +26,9 @@ extern int iommu_merge;
7545 extern struct device x86_dma_fallback_dev;
7546 extern int panic_on_overflow;
7548 -extern struct dma_map_ops *dma_ops;
7549 +extern const struct dma_map_ops *dma_ops;
7551 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
7552 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
7554 #ifdef CONFIG_X86_32
7556 @@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
7557 /* Make sure we keep the same behaviour */
7558 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
7560 - struct dma_map_ops *ops = get_dma_ops(dev);
7561 + const struct dma_map_ops *ops = get_dma_ops(dev);
7562 if (ops->mapping_error)
7563 return ops->mapping_error(dev, dma_addr);
7565 @@ -115,7 +115,7 @@ static inline void *
7566 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
7569 - struct dma_map_ops *ops = get_dma_ops(dev);
7570 + const struct dma_map_ops *ops = get_dma_ops(dev);
7573 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
7574 @@ -142,7 +142,7 @@ dma_alloc_coherent(struct device *dev, s
7575 static inline void dma_free_coherent(struct device *dev, size_t size,
7576 void *vaddr, dma_addr_t bus)
7578 - struct dma_map_ops *ops = get_dma_ops(dev);
7579 + const struct dma_map_ops *ops = get_dma_ops(dev);
7581 WARN_ON(irqs_disabled()); /* for portability */
7583 diff -urNp linux-2.6.38.4/arch/x86/include/asm/e820.h linux-2.6.38.4/arch/x86/include/asm/e820.h
7584 --- linux-2.6.38.4/arch/x86/include/asm/e820.h 2011-03-14 21:20:32.000000000 -0400
7585 +++ linux-2.6.38.4/arch/x86/include/asm/e820.h 2011-04-17 15:57:32.000000000 -0400
7586 @@ -69,7 +69,7 @@ struct e820map {
7587 #define ISA_START_ADDRESS 0xa0000
7588 #define ISA_END_ADDRESS 0x100000
7590 -#define BIOS_BEGIN 0x000a0000
7591 +#define BIOS_BEGIN 0x000c0000
7592 #define BIOS_END 0x00100000
7594 #define BIOS_ROM_BASE 0xffe00000
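Review bot: `BIOS_BEGIN` moves from 0x000a0000 to 0x000c0000 without a comment; the 0xa0000-0xbffff window it drops is the legacy VGA frame-buffer range, and since the macro's users are not visible here the intent (presumably to stop treating video RAM as BIOS ROM) should be stated next to the define, e.g. `/* 0xa0000-0xbffff is legacy video RAM, not BIOS */`. Every user of BIOS_BEGIN should be checked against the narrower range.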
7595 diff -urNp linux-2.6.38.4/arch/x86/include/asm/elf.h linux-2.6.38.4/arch/x86/include/asm/elf.h
7596 --- linux-2.6.38.4/arch/x86/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
7597 +++ linux-2.6.38.4/arch/x86/include/asm/elf.h 2011-04-17 15:57:32.000000000 -0400
7598 @@ -237,7 +237,25 @@ extern int force_personality32;
7599 the loader. We need to make sure that it is out of the way of the program
7600 that it will "exec", and that there is sufficient room for the brk. */
7602 +#ifdef CONFIG_PAX_SEGMEXEC
7603 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
7605 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
7608 +#ifdef CONFIG_PAX_ASLR
7609 +#ifdef CONFIG_X86_32
7610 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
7612 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7613 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7615 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
7617 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7618 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7622 /* This yields a mask that user programs can use to figure out what
7623 instruction set this CPU supports. This could be done in user space,
7624 @@ -291,8 +309,7 @@ do { \
7625 #define ARCH_DLINFO \
7628 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
7629 - (unsigned long)current->mm->context.vdso); \
7630 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
7633 #define AT_SYSINFO 32
7634 @@ -303,7 +320,7 @@ do { \
7636 #endif /* !CONFIG_X86_32 */
7638 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
7639 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
7641 #define VDSO_ENTRY \
7642 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
7643 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
7644 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
7645 #define compat_arch_setup_additional_pages syscall32_setup_pages
7647 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
7648 -#define arch_randomize_brk arch_randomize_brk
7650 #endif /* _ASM_X86_ELF_H */
7651 diff -urNp linux-2.6.38.4/arch/x86/include/asm/futex.h linux-2.6.38.4/arch/x86/include/asm/futex.h
7652 --- linux-2.6.38.4/arch/x86/include/asm/futex.h 2011-03-14 21:20:32.000000000 -0400
7653 +++ linux-2.6.38.4/arch/x86/include/asm/futex.h 2011-04-17 15:57:32.000000000 -0400
7655 #include <asm/system.h>
7657 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7658 + typecheck(u32 *, uaddr); \
7659 asm volatile("1:\t" insn "\n" \
7660 "2:\t.section .fixup,\"ax\"\n" \
7661 "3:\tmov\t%3, %1\n" \
7664 _ASM_EXTABLE(1b, 3b) \
7665 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7666 + : "=r" (oldval), "=r" (ret), "+m" (*(u32 *)____m(uaddr))\
7667 : "i" (-EFAULT), "0" (oparg), "1" (0))
7669 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7670 + typecheck(u32 *, uaddr); \
7671 asm volatile("1:\tmovl %2, %0\n" \
7672 "\tmovl\t%0, %3\n" \
7675 _ASM_EXTABLE(1b, 4b) \
7676 _ASM_EXTABLE(2b, 4b) \
7677 : "=&a" (oldval), "=&r" (ret), \
7678 - "+m" (*uaddr), "=&r" (tem) \
7679 + "+m" (*(u32 *)____m(uaddr)), "=&r" (tem) \
7680 : "r" (oparg), "i" (-EFAULT), "1" (0))
7682 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
7683 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
7685 int op = (encoded_op >> 28) & 7;
7686 int cmp = (encoded_op >> 24) & 15;
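Review bot: `__futex_atomic_op1` and `__futex_atomic_op2` now expand to two statements (the added `typecheck(u32 *, uaddr);` followed by the `asm volatile`), so a call site of the form `if (x) __futex_atomic_op1(...);` would run the asm unconditionally; wrap each macro body in `do { ... } while (0)` as the kernel convention requires. The visible callers in the `switch` of the next hunk are unaffected, but the header exports the macros to any user. Separately, `typecheck(u32 *, uaddr)` is applied to a `u32 __user *` argument, which sparse may report as an address-space mismatch; worth confirming with a sparse run.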
7687 @@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
7691 - __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
7692 + __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
7695 - __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
7696 + __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
7700 @@ -109,7 +111,7 @@ static inline int futex_atomic_op_inuser
7704 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
7705 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
7709 @@ -119,16 +121,16 @@ static inline int futex_atomic_cmpxchg_i
7713 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
7714 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
7717 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7718 + asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %1\n"
7719 "2:\t.section .fixup, \"ax\"\n"
7723 _ASM_EXTABLE(1b, 3b)
7724 - : "=a" (oldval), "+m" (*uaddr)
7725 + : "=a" (oldval), "+m" (*(u32 *)____m(uaddr))
7726 : "i" (-EFAULT), "r" (newval), "0" (oldval)
7729 diff -urNp linux-2.6.38.4/arch/x86/include/asm/i387.h linux-2.6.38.4/arch/x86/include/asm/i387.h
7730 --- linux-2.6.38.4/arch/x86/include/asm/i387.h 2011-03-14 21:20:32.000000000 -0400
7731 +++ linux-2.6.38.4/arch/x86/include/asm/i387.h 2011-04-17 15:57:32.000000000 -0400
7732 @@ -92,6 +92,11 @@ static inline int fxrstor_checking(struc
7736 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7737 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7738 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
7741 /* See comment in fxsave() below. */
7742 #ifdef CONFIG_AS_FXSAVEQ
7743 asm volatile("1: fxrstorq %[fx]\n\t"
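Review bot: The new `if ((unsigned long)fx < PAX_USER_SHADOW_BASE) fx = ... + PAX_USER_SHADOW_BASE;` in `fxrstor_checking` silently relocates the pointer and is repeated in `fxsave_user` in the next hunk, with no comment on why a kernel-typed `struct i387_fxsave_struct *fx` may hold a user address here. A comment such as `/* fx may be a user pointer; shift it into the UDEREF shadow range */` (the calling convention is not visible, so confirm it) would document the assumption, and a small shared helper would keep the two sites identical. The arithmetic on `void *` relies on the GCC extension the kernel already uses.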
7744 @@ -121,6 +126,11 @@ static inline int fxsave_user(struct i38
7748 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7749 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7750 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
7754 * Clear the bytes not touched by the fxsave and reserved
7756 @@ -213,13 +223,8 @@ static inline void fpu_fxsave(struct fpu
7757 #endif /* CONFIG_X86_64 */
7759 /* We need a safe address that is cheap to find and that is already
7760 - in L1 during context switch. The best choices are unfortunately
7761 - different for UP and SMP */
7763 -#define safe_address (__per_cpu_offset[0])
7765 -#define safe_address (kstat_cpu(0).cpustat.user)
7767 + in L1 during context switch. */
7768 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
7771 * These must be called with preempt disabled
7772 @@ -237,7 +242,7 @@ static inline void fpu_save_init(struct
7773 } else if (use_fxsr()) {
7776 - asm volatile("fsave %[fx]; fwait"
7777 + asm volatile("fnsave %[fx]; fwait"
7778 : [fx] "=m" (fpu->state->fsave));
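Review bot: The switch from `fsave` to `fnsave` changes behaviour, since the assembler emits `fsave` as `fwait; fnsave` and the wait form can report a pending unmasked FPU exception before the state is saved, which the no-wait form does not, yet the hunk adds no comment. A one-liner above the asm, e.g. `/* fnsave: save without waiting for pending exceptions */`, would tell the reader this is intentional.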
7781 @@ -312,7 +317,7 @@ static inline void kernel_fpu_begin(void
7782 struct thread_info *me = current_thread_info();
7784 if (me->status & TS_USEDFPU)
7785 - __save_init_fpu(me->task);
7786 + __save_init_fpu(current);
7790 diff -urNp linux-2.6.38.4/arch/x86/include/asm/io.h linux-2.6.38.4/arch/x86/include/asm/io.h
7791 --- linux-2.6.38.4/arch/x86/include/asm/io.h 2011-03-14 21:20:32.000000000 -0400
7792 +++ linux-2.6.38.4/arch/x86/include/asm/io.h 2011-04-17 15:57:32.000000000 -0400
7793 @@ -216,6 +216,17 @@ extern void set_iounmap_nonlazy(void);
7795 #include <linux/vmalloc.h>
7797 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
7798 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
7800 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7803 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
7805 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7809 * Convert a virtual cached pointer to an uncached pointer
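Review bot: The added `valid_phys_addr_range` computes `addr + count + PAGE_SIZE - 1` with no overflow guard, so a large `count` (these hooks are consulted for caller-supplied sizes on the /dev/mem path) can wrap the sum to a small value and pass the `<` test for a range that actually runs past the end of physical memory; `valid_mmap_phys_addr_range` has the same weakness in `pfn + (count >> PAGE_SHIFT)`. Reject wrapping inputs before the shift, e.g. `if (count > ULONG_MAX - (PAGE_SIZE - 1) - addr) return 0;` in the first helper and `if ((count >> PAGE_SHIFT) > ULONG_MAX - pfn) return 0;` in the second. The trailing `? 1 : 0` on a comparison that already yields an `int` can be dropped.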
7811 diff -urNp linux-2.6.38.4/arch/x86/include/asm/iommu.h linux-2.6.38.4/arch/x86/include/asm/iommu.h
7812 --- linux-2.6.38.4/arch/x86/include/asm/iommu.h 2011-03-14 21:20:32.000000000 -0400
7813 +++ linux-2.6.38.4/arch/x86/include/asm/iommu.h 2011-04-17 15:57:32.000000000 -0400
7815 #ifndef _ASM_X86_IOMMU_H
7816 #define _ASM_X86_IOMMU_H
7818 -extern struct dma_map_ops nommu_dma_ops;
7819 +extern const struct dma_map_ops nommu_dma_ops;
7820 extern int force_iommu, no_iommu;
7821 extern int iommu_detected;
7822 extern int iommu_pass_through;
7823 diff -urNp linux-2.6.38.4/arch/x86/include/asm/irqflags.h linux-2.6.38.4/arch/x86/include/asm/irqflags.h
7824 --- linux-2.6.38.4/arch/x86/include/asm/irqflags.h 2011-03-14 21:20:32.000000000 -0400
7825 +++ linux-2.6.38.4/arch/x86/include/asm/irqflags.h 2011-04-17 15:57:32.000000000 -0400
7826 @@ -140,6 +140,11 @@ static inline unsigned long arch_local_i
7830 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
7831 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
7832 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
7833 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
7836 #define INTERRUPT_RETURN iret
7837 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
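Review bot: The four new macros need a comment on their register contract, because the CONFIG_PARAVIRT counterparts this patch adds to paravirt.h (`call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)` and friends) reach the same result through a `call`, which clobbers the caller-saved registers, whereas these native versions modify only `%rdi`. An entry-path user written against the native clobber set would break under CONFIG_PARAVIRT without any warning at the definition site. I would add above `GET_CR0_INTO_RDI`: `/* native: only %rdi is modified; the CONFIG_PARAVIRT versions in paravirt.h go through a call and clobber the caller-saved registers */`. The surrounding `#ifdef` structure is not visible in this excerpt.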
7838 diff -urNp linux-2.6.38.4/arch/x86/include/asm/kvm_host.h linux-2.6.38.4/arch/x86/include/asm/kvm_host.h
7839 --- linux-2.6.38.4/arch/x86/include/asm/kvm_host.h 2011-03-14 21:20:32.000000000 -0400
7840 +++ linux-2.6.38.4/arch/x86/include/asm/kvm_host.h 2011-04-17 15:57:32.000000000 -0400
7841 @@ -603,7 +603,7 @@ struct kvm_arch_async_pf {
7845 -extern struct kvm_x86_ops *kvm_x86_ops;
7846 +extern const struct kvm_x86_ops *kvm_x86_ops;
7848 int kvm_mmu_module_init(void);
7849 void kvm_mmu_module_exit(void);
7850 diff -urNp linux-2.6.38.4/arch/x86/include/asm/local.h linux-2.6.38.4/arch/x86/include/asm/local.h
7851 --- linux-2.6.38.4/arch/x86/include/asm/local.h 2011-03-14 21:20:32.000000000 -0400
7852 +++ linux-2.6.38.4/arch/x86/include/asm/local.h 2011-04-17 15:57:32.000000000 -0400
7853 @@ -18,26 +18,58 @@ typedef struct {
7855 static inline void local_inc(local_t *l)
7857 - asm volatile(_ASM_INC "%0"
7858 + asm volatile(_ASM_INC "%0\n"
7860 +#ifdef CONFIG_PAX_REFCOUNT
7864 + _ASM_EXTABLE(0b, 0b)
7867 : "+m" (l->a.counter));
7870 static inline void local_dec(local_t *l)
7872 - asm volatile(_ASM_DEC "%0"
7873 + asm volatile(_ASM_DEC "%0\n"
7875 +#ifdef CONFIG_PAX_REFCOUNT
7879 + _ASM_EXTABLE(0b, 0b)
7882 : "+m" (l->a.counter));
7885 static inline void local_add(long i, local_t *l)
7887 - asm volatile(_ASM_ADD "%1,%0"
7888 + asm volatile(_ASM_ADD "%1,%0\n"
7890 +#ifdef CONFIG_PAX_REFCOUNT
7892 + _ASM_SUB "%1,%0\n"
7894 + _ASM_EXTABLE(0b, 0b)
7897 : "+m" (l->a.counter)
7901 static inline void local_sub(long i, local_t *l)
7903 - asm volatile(_ASM_SUB "%1,%0"
7904 + asm volatile(_ASM_SUB "%1,%0\n"
7906 +#ifdef CONFIG_PAX_REFCOUNT
7908 + _ASM_ADD "%1,%0\n"
7910 + _ASM_EXTABLE(0b, 0b)
7913 : "+m" (l->a.counter)
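Review bot: The `CONFIG_PAX_REFCOUNT` blocks added to `local_inc`, `local_dec`, `local_add` and `local_sub` carry no comment explaining the protocol, and the same template repeats in the `local_sub_and_test`, `local_dec_and_test`, `local_inc_and_test`, `local_add_negative` and `local_add_return` hunks that follow. What is visible here — the compensating `_ASM_SUB`/`_ASM_ADD` after the operation and the `_ASM_EXTABLE(0b, 0b)` entry — suggests the operation is reverted on signed overflow and execution resumes at the local label after the fault is handled, but the lines that detect the overflow are not shown in this excerpt, so that reading is inferred. A single comment above `local_inc`, along the lines of `/* CONFIG_PAX_REFCOUNT: on signed overflow the update is undone and the overflow is reported via the exception-table entry, so the counter never wraps */`, adjusted once the trap sequence is confirmed, would cover all nine functions instead of leaving each one unexplained.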
7916 @@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
7920 - asm volatile(_ASM_SUB "%2,%0; sete %1"
7921 + asm volatile(_ASM_SUB "%2,%0\n"
7923 +#ifdef CONFIG_PAX_REFCOUNT
7925 + _ASM_ADD "%2,%0\n"
7927 + _ASM_EXTABLE(0b, 0b)
7931 : "+m" (l->a.counter), "=qm" (c)
7932 : "ir" (i) : "memory");
7934 @@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
7938 - asm volatile(_ASM_DEC "%0; sete %1"
7939 + asm volatile(_ASM_DEC "%0\n"
7941 +#ifdef CONFIG_PAX_REFCOUNT
7945 + _ASM_EXTABLE(0b, 0b)
7949 : "+m" (l->a.counter), "=qm" (c)
7952 @@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
7956 - asm volatile(_ASM_INC "%0; sete %1"
7957 + asm volatile(_ASM_INC "%0\n"
7959 +#ifdef CONFIG_PAX_REFCOUNT
7963 + _ASM_EXTABLE(0b, 0b)
7967 : "+m" (l->a.counter), "=qm" (c)
7970 @@ -110,7 +169,16 @@ static inline int local_add_negative(lon
7974 - asm volatile(_ASM_ADD "%2,%0; sets %1"
7975 + asm volatile(_ASM_ADD "%2,%0\n"
7977 +#ifdef CONFIG_PAX_REFCOUNT
7979 + _ASM_SUB "%2,%0\n"
7981 + _ASM_EXTABLE(0b, 0b)
7985 : "+m" (l->a.counter), "=qm" (c)
7986 : "ir" (i) : "memory");
7988 @@ -133,7 +201,15 @@ static inline long local_add_return(long
7990 /* Modern 486+ processor */
7992 - asm volatile(_ASM_XADD "%0, %1;"
7993 + asm volatile(_ASM_XADD "%0, %1\n"
7995 +#ifdef CONFIG_PAX_REFCOUNT
7997 + _ASM_MOV "%0,%1\n"
7999 + _ASM_EXTABLE(0b, 0b)
8002 : "+r" (i), "+m" (l->a.counter)
8005 diff -urNp linux-2.6.38.4/arch/x86/include/asm/mc146818rtc.h linux-2.6.38.4/arch/x86/include/asm/mc146818rtc.h
8006 --- linux-2.6.38.4/arch/x86/include/asm/mc146818rtc.h 2011-03-14 21:20:32.000000000 -0400
8007 +++ linux-2.6.38.4/arch/x86/include/asm/mc146818rtc.h 2011-04-17 15:57:32.000000000 -0400
8008 @@ -81,8 +81,8 @@ static inline unsigned char current_lock
8010 #define lock_cmos_prefix(reg) do {} while (0)
8011 #define lock_cmos_suffix(reg) do {} while (0)
8012 -#define lock_cmos(reg)
8013 -#define unlock_cmos()
8014 +#define lock_cmos(reg) do {} while (0)
8015 +#define unlock_cmos() do {} while (0)
8016 #define do_i_have_lock_cmos() 0
8017 #define current_lock_cmos_reg() 0
8019 diff -urNp linux-2.6.38.4/arch/x86/include/asm/mce.h linux-2.6.38.4/arch/x86/include/asm/mce.h
8020 --- linux-2.6.38.4/arch/x86/include/asm/mce.h 2011-03-14 21:20:32.000000000 -0400
8021 +++ linux-2.6.38.4/arch/x86/include/asm/mce.h 2011-04-17 15:57:32.000000000 -0400
8022 @@ -198,7 +198,7 @@ int mce_notify_irq(void);
8023 void mce_notify_process(void);
8025 DECLARE_PER_CPU(struct mce, injectm);
8026 -extern struct file_operations mce_chrdev_ops;
8027 +extern struct file_operations mce_chrdev_ops; /* cannot be const, see arch/x86/kernel/cpu/mcheck/mce. */
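Review bot: The new comment on `mce_chrdev_ops` ends in `mce.`, which reads as a truncated path; the file meant is presumably `arch/x86/kernel/cpu/mcheck/mce.c`. It would also help to state in one clause why this object cannot be const, since every other ops structure touched by this patch becomes const and a reader will be tempted to "fix" this one too. Suggested, if that is indeed the reason: `/* cannot be const: modified at runtime, see arch/x86/kernel/cpu/mcheck/mce.c */`.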
8031 diff -urNp linux-2.6.38.4/arch/x86/include/asm/microcode.h linux-2.6.38.4/arch/x86/include/asm/microcode.h
8032 --- linux-2.6.38.4/arch/x86/include/asm/microcode.h 2011-03-14 21:20:32.000000000 -0400
8033 +++ linux-2.6.38.4/arch/x86/include/asm/microcode.h 2011-04-17 15:57:32.000000000 -0400
8034 @@ -12,13 +12,13 @@ struct device;
8035 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
8037 struct microcode_ops {
8038 - enum ucode_state (*request_microcode_user) (int cpu,
8039 + enum ucode_state (* const request_microcode_user) (int cpu,
8040 const void __user *buf, size_t size);
8042 - enum ucode_state (*request_microcode_fw) (int cpu,
8043 + enum ucode_state (* const request_microcode_fw) (int cpu,
8044 struct device *device);
8046 - void (*microcode_fini_cpu) (int cpu);
8047 + void (* const microcode_fini_cpu) (int cpu);
8050 * The generic 'microcode_core' part guarantees that
8051 @@ -38,16 +38,16 @@ struct ucode_cpu_info {
8052 extern struct ucode_cpu_info ucode_cpu_info[];
8054 #ifdef CONFIG_MICROCODE_INTEL
8055 -extern struct microcode_ops * __init init_intel_microcode(void);
8056 +extern const struct microcode_ops * __init init_intel_microcode(void);
8058 -static inline struct microcode_ops * __init init_intel_microcode(void)
8059 +static inline const struct microcode_ops * __init init_intel_microcode(void)
8063 #endif /* CONFIG_MICROCODE_INTEL */
8065 #ifdef CONFIG_MICROCODE_AMD
8066 -extern struct microcode_ops * __init init_amd_microcode(void);
8067 +extern const struct microcode_ops * __init init_amd_microcode(void);
8069 static inline void get_ucode_data(void *to, const u8 *from, size_t n)
8071 @@ -55,7 +55,7 @@ static inline void get_ucode_data(void *
8075 -static inline struct microcode_ops * __init init_amd_microcode(void)
8076 +static inline const struct microcode_ops * __init init_amd_microcode(void)
8080 diff -urNp linux-2.6.38.4/arch/x86/include/asm/mman.h linux-2.6.38.4/arch/x86/include/asm/mman.h
8081 --- linux-2.6.38.4/arch/x86/include/asm/mman.h 2011-03-14 21:20:32.000000000 -0400
8082 +++ linux-2.6.38.4/arch/x86/include/asm/mman.h 2011-04-17 15:57:32.000000000 -0400
8085 #include <asm-generic/mman.h>
8088 +#ifndef __ASSEMBLY__
8089 +#ifdef CONFIG_X86_32
8090 +#define arch_mmap_check i386_mmap_check
8091 +int i386_mmap_check(unsigned long addr, unsigned long len,
8092 + unsigned long flags);
8097 #endif /* _ASM_X86_MMAN_H */
8098 diff -urNp linux-2.6.38.4/arch/x86/include/asm/mmu_context.h linux-2.6.38.4/arch/x86/include/asm/mmu_context.h
8099 --- linux-2.6.38.4/arch/x86/include/asm/mmu_context.h 2011-03-14 21:20:32.000000000 -0400
8100 +++ linux-2.6.38.4/arch/x86/include/asm/mmu_context.h 2011-04-17 15:57:32.000000000 -0400
8101 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
8103 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
8106 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8110 + pax_open_kernel();
8111 + pgd = get_cpu_pgd(smp_processor_id());
8112 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
8113 + if (paravirt_enabled())
8114 + set_pgd(pgd+i, native_make_pgd(0));
8116 + pgd[i] = native_make_pgd(0);
8117 + pax_close_kernel();
8121 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
8122 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
8123 @@ -34,16 +49,30 @@ static inline void switch_mm(struct mm_s
8124 struct task_struct *tsk)
8126 unsigned cpu = smp_processor_id();
8127 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
8128 + int tlbstate = TLBSTATE_OK;
8131 if (likely(prev != next)) {
8133 +#ifdef CONFIG_X86_32
8134 + tlbstate = percpu_read(cpu_tlbstate.state);
8136 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8137 percpu_write(cpu_tlbstate.active_mm, next);
8139 cpumask_set_cpu(cpu, mm_cpumask(next));
8141 /* Re-load page tables */
8142 +#ifdef CONFIG_PAX_PER_CPU_PGD
8143 + pax_open_kernel();
8144 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
8145 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
8146 + pax_close_kernel();
8147 + load_cr3(get_cpu_pgd(cpu));
8149 load_cr3(next->pgd);
8152 /* stop flush ipis for the previous mm */
8153 cpumask_clear_cpu(cpu, mm_cpumask(prev));
8154 @@ -53,9 +82,38 @@ static inline void switch_mm(struct mm_s
8156 if (unlikely(prev->context.ldt != next->context.ldt))
8157 load_LDT_nolock(&next->context);
8160 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8161 + if (!(__supported_pte_mask & _PAGE_NX)) {
8162 + smp_mb__before_clear_bit();
8163 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
8164 + smp_mb__after_clear_bit();
8165 + cpu_set(cpu, next->context.cpu_user_cs_mask);
8169 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8170 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
8171 + prev->context.user_cs_limit != next->context.user_cs_limit))
8172 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8174 + else if (unlikely(tlbstate != TLBSTATE_OK))
8175 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8182 +#ifdef CONFIG_PAX_PER_CPU_PGD
8183 + pax_open_kernel();
8184 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
8185 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
8186 + pax_close_kernel();
8187 + load_cr3(get_cpu_pgd(cpu));
8191 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8192 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
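Review bot: The five-line `CONFIG_PAX_PER_CPU_PGD` sequence here (`pax_open_kernel()` through `load_cr3(get_cpu_pgd(cpu))`) is a verbatim copy of the one added in the previous hunk of `switch_mm`, which makes it easy for the two to drift apart. A small static inline helper defined under the same `#ifdef` and called from both places keeps them in step and gives the sequence a name. `switch_mm` starts before this hunk and continues past it.
```c
#ifdef CONFIG_PAX_PER_CPU_PGD
/* Refresh this CPU's private pgd from @next's page tables and switch to it. */
static inline void pax_switch_cpu_pgd(unsigned cpu, struct mm_struct *next)
{
	pax_open_kernel();
	__clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
	__shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
	pax_close_kernel();
	load_cr3(get_cpu_pgd(cpu));
}
#endif

/* … unchanged: switch_mm up to the two CONFIG_PAX_PER_CPU_PGD sites … */
#ifdef CONFIG_PAX_PER_CPU_PGD
		pax_switch_cpu_pgd(cpu, next);
```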
8194 @@ -64,11 +122,28 @@ static inline void switch_mm(struct mm_s
8195 * tlb flush IPI delivery. We must reload CR3
8196 * to make sure to use no freed page tables.
8199 +#ifndef CONFIG_PAX_PER_CPU_PGD
8200 load_cr3(next->pgd);
8203 load_LDT_nolock(&next->context);
8205 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
8206 + if (!(__supported_pte_mask & _PAGE_NX))
8207 + cpu_set(cpu, next->context.cpu_user_cs_mask);
8210 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8211 +#ifdef CONFIG_PAX_PAGEEXEC
8212 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
8214 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8223 #define activate_mm(prev, next) \
8224 diff -urNp linux-2.6.38.4/arch/x86/include/asm/mmu.h linux-2.6.38.4/arch/x86/include/asm/mmu.h
8225 --- linux-2.6.38.4/arch/x86/include/asm/mmu.h 2011-03-14 21:20:32.000000000 -0400
8226 +++ linux-2.6.38.4/arch/x86/include/asm/mmu.h 2011-04-17 15:57:32.000000000 -0400
8228 * we put the segment information here.
8232 + struct desc_struct *ldt;
8236 + unsigned long vdso;
8238 +#ifdef CONFIG_X86_32
8239 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
8240 + unsigned long user_cs_base;
8241 + unsigned long user_cs_limit;
8243 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8244 + cpumask_t cpu_user_cs_mask;
8253 diff -urNp linux-2.6.38.4/arch/x86/include/asm/module.h linux-2.6.38.4/arch/x86/include/asm/module.h
8254 --- linux-2.6.38.4/arch/x86/include/asm/module.h 2011-03-14 21:20:32.000000000 -0400
8255 +++ linux-2.6.38.4/arch/x86/include/asm/module.h 2011-04-17 15:57:32.000000000 -0400
8257 #error unknown processor family
8260 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8261 +#define MODULE_PAX_UDEREF "UDEREF "
8263 +#define MODULE_PAX_UDEREF ""
8266 #ifdef CONFIG_X86_32
8267 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
8268 +# ifdef CONFIG_PAX_KERNEXEC
8269 +# define MODULE_PAX_KERNEXEC "KERNEXEC "
8271 +# define MODULE_PAX_KERNEXEC ""
8273 +# ifdef CONFIG_GRKERNSEC
8274 +# define MODULE_GRSEC "GRSECURITY "
8276 +# define MODULE_GRSEC ""
8278 +# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
8280 +# define MODULE_ARCH_VERMAGIC MODULE_PAX_UDEREF
8283 #endif /* _ASM_X86_MODULE_H */
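Review bot: The 64-bit branch of `MODULE_ARCH_VERMAGIC` carries only `MODULE_PAX_UDEREF`, while the 32-bit branch also tags `MODULE_GRSEC` and `MODULE_PAX_KERNEXEC`. If KERNEXEC or GRKERNSEC affect the module ABI on x86_64 as the 32-bit branch implies they do there (this hunk does not tell), a module built against a kernel without them would pass the vermagic check on a kernel with them, which is exactly what the tag exists to prevent. Either hoist the `MODULE_GRSEC`/`MODULE_PAX_KERNEXEC` definitions out of the `CONFIG_X86_32` branch and use `# define MODULE_ARCH_VERMAGIC MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF` on the 64-bit side as well, or add a comment explaining why the two tags are 32-bit-only.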
8284 diff -urNp linux-2.6.38.4/arch/x86/include/asm/page_64_types.h linux-2.6.38.4/arch/x86/include/asm/page_64_types.h
8285 --- linux-2.6.38.4/arch/x86/include/asm/page_64_types.h 2011-03-14 21:20:32.000000000 -0400
8286 +++ linux-2.6.38.4/arch/x86/include/asm/page_64_types.h 2011-04-17 15:57:32.000000000 -0400
8287 @@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
8289 /* duplicated to the one in bootmem.h */
8290 extern unsigned long max_pfn;
8291 -extern unsigned long phys_base;
8292 +extern const unsigned long phys_base;
8294 extern unsigned long __phys_addr(unsigned long);
8295 #define __phys_reloc_hide(x) (x)
8296 diff -urNp linux-2.6.38.4/arch/x86/include/asm/paravirt.h linux-2.6.38.4/arch/x86/include/asm/paravirt.h
8297 --- linux-2.6.38.4/arch/x86/include/asm/paravirt.h 2011-03-14 21:20:32.000000000 -0400
8298 +++ linux-2.6.38.4/arch/x86/include/asm/paravirt.h 2011-04-17 15:57:32.000000000 -0400
8299 @@ -739,6 +739,21 @@ static inline void __set_fixmap(unsigned
8300 pv_mmu_ops.set_fixmap(idx, phys, flags);
8303 +#ifdef CONFIG_PAX_KERNEXEC
8304 +static inline unsigned long pax_open_kernel(void)
8306 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
8309 +static inline unsigned long pax_close_kernel(void)
8311 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
8314 +static inline unsigned long pax_open_kernel(void) { return 0; }
8315 +static inline unsigned long pax_close_kernel(void) { return 0; }
8318 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
8320 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
8321 @@ -955,7 +970,7 @@ extern void default_banner(void);
8323 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
8324 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
8325 -#define PARA_INDIRECT(addr) *%cs:addr
8326 +#define PARA_INDIRECT(addr) *%ss:addr
8329 #define INTERRUPT_RETURN \
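Review bot: The `PARA_INDIRECT` change from `*%cs:addr` to `*%ss:addr` is unconditional and unexplained, while the other additions this patch makes to the file (`pax_open_kernel`/`pax_close_kernel`) sit under `#ifdef CONFIG_PAX_KERNEXEC`. Presumably the override is needed because KERNEXEC narrows the kernel code segment so that `%cs`-relative data reads of the pv_*_ops tables no longer work; if so, say it at the definition, e.g. `/* %ss rather than %cs: under CONFIG_PAX_KERNEXEC the code segment does not cover the pv_*_ops tables */`, and consider limiting the switch to that configuration. For the flat-segment case the change looks harmless, so a comment may be all that is needed.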
8330 @@ -1032,6 +1047,21 @@ extern void default_banner(void);
8331 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
8333 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
8335 +#define GET_CR0_INTO_RDI \
8336 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
8339 +#define SET_RDI_INTO_CR0 \
8340 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
8342 +#define GET_CR3_INTO_RDI \
8343 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
8346 +#define SET_RDI_INTO_CR3 \
8347 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
8349 #endif /* CONFIG_X86_32 */
8351 #endif /* __ASSEMBLY__ */
8352 diff -urNp linux-2.6.38.4/arch/x86/include/asm/paravirt_types.h linux-2.6.38.4/arch/x86/include/asm/paravirt_types.h
8353 --- linux-2.6.38.4/arch/x86/include/asm/paravirt_types.h 2011-03-14 21:20:32.000000000 -0400
8354 +++ linux-2.6.38.4/arch/x86/include/asm/paravirt_types.h 2011-04-17 15:57:32.000000000 -0400
8355 @@ -317,6 +317,12 @@ struct pv_mmu_ops {
8356 an mfn. We can tell which is which from the index. */
8357 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
8358 phys_addr_t phys, pgprot_t flags);
8360 +#ifdef CONFIG_PAX_KERNEXEC
8361 + unsigned long (*pax_open_kernel)(void);
8362 + unsigned long (*pax_close_kernel)(void);
8367 struct arch_spinlock;
8368 diff -urNp linux-2.6.38.4/arch/x86/include/asm/pci_x86.h linux-2.6.38.4/arch/x86/include/asm/pci_x86.h
8369 --- linux-2.6.38.4/arch/x86/include/asm/pci_x86.h 2011-03-14 21:20:32.000000000 -0400
8370 +++ linux-2.6.38.4/arch/x86/include/asm/pci_x86.h 2011-04-17 15:57:32.000000000 -0400
8371 @@ -93,16 +93,16 @@ extern int (*pcibios_enable_irq)(struct
8372 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
8374 struct pci_raw_ops {
8375 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8376 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8377 int reg, int len, u32 *val);
8378 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8379 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8380 int reg, int len, u32 val);
8383 -extern struct pci_raw_ops *raw_pci_ops;
8384 -extern struct pci_raw_ops *raw_pci_ext_ops;
8385 +extern const struct pci_raw_ops *raw_pci_ops;
8386 +extern const struct pci_raw_ops *raw_pci_ext_ops;
8388 -extern struct pci_raw_ops pci_direct_conf1;
8389 +extern const struct pci_raw_ops pci_direct_conf1;
8390 extern bool port_cf9_safe;
8392 /* arch_initcall level */
8393 diff -urNp linux-2.6.38.4/arch/x86/include/asm/pgalloc.h linux-2.6.38.4/arch/x86/include/asm/pgalloc.h
8394 --- linux-2.6.38.4/arch/x86/include/asm/pgalloc.h 2011-03-14 21:20:32.000000000 -0400
8395 +++ linux-2.6.38.4/arch/x86/include/asm/pgalloc.h 2011-04-17 15:57:32.000000000 -0400
8396 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
8397 pmd_t *pmd, pte_t *pte)
8399 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8400 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
8403 +static inline void pmd_populate_user(struct mm_struct *mm,
8404 + pmd_t *pmd, pte_t *pte)
8406 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8407 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
8410 diff -urNp linux-2.6.38.4/arch/x86/include/asm/pgtable-2level.h linux-2.6.38.4/arch/x86/include/asm/pgtable-2level.h
8411 --- linux-2.6.38.4/arch/x86/include/asm/pgtable-2level.h 2011-03-14 21:20:32.000000000 -0400
8412 +++ linux-2.6.38.4/arch/x86/include/asm/pgtable-2level.h 2011-04-17 15:57:32.000000000 -0400
8413 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
8415 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8417 + pax_open_kernel();
8419 + pax_close_kernel();
8422 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
8423 diff -urNp linux-2.6.38.4/arch/x86/include/asm/pgtable_32.h linux-2.6.38.4/arch/x86/include/asm/pgtable_32.h
8424 --- linux-2.6.38.4/arch/x86/include/asm/pgtable_32.h 2011-03-14 21:20:32.000000000 -0400
8425 +++ linux-2.6.38.4/arch/x86/include/asm/pgtable_32.h 2011-04-17 15:57:32.000000000 -0400
8428 struct vm_area_struct;
8430 -extern pgd_t swapper_pg_dir[1024];
8431 -extern pgd_t initial_page_table[1024];
8433 static inline void pgtable_cache_init(void) { }
8434 static inline void check_pgt_cache(void) { }
8435 void paging_init(void);
8436 @@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, u
8437 # include <asm/pgtable-2level.h>
8440 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
8441 +extern pgd_t initial_page_table[PTRS_PER_PGD];
8442 +#ifdef CONFIG_X86_PAE
8443 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
8446 #if defined(CONFIG_HIGHPTE)
8447 #define pte_offset_map(dir, address) \
8448 ((pte_t *)kmap_atomic(pmd_page(*(dir))) + \
8449 @@ -62,7 +65,9 @@ extern void set_pmd_pfn(unsigned long, u
8450 /* Clear a kernel PTE and flush it from the TLB */
8451 #define kpte_clear_flush(ptep, vaddr) \
8453 + pax_open_kernel(); \
8454 pte_clear(&init_mm, (vaddr), (ptep)); \
8455 + pax_close_kernel(); \
8456 __flush_tlb_one((vaddr)); \
8459 @@ -74,6 +79,9 @@ do { \
8461 #endif /* !__ASSEMBLY__ */
8463 +#define HAVE_ARCH_UNMAPPED_AREA
8464 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
8467 * kern_addr_valid() is (1) for FLATMEM and (0) for
8468 * SPARSEMEM and DISCONTIGMEM
8469 diff -urNp linux-2.6.38.4/arch/x86/include/asm/pgtable_32_types.h linux-2.6.38.4/arch/x86/include/asm/pgtable_32_types.h
8470 --- linux-2.6.38.4/arch/x86/include/asm/pgtable_32_types.h 2011-03-14 21:20:32.000000000 -0400
8471 +++ linux-2.6.38.4/arch/x86/include/asm/pgtable_32_types.h 2011-04-17 15:57:32.000000000 -0400
8474 #ifdef CONFIG_X86_PAE
8475 # include <asm/pgtable-3level_types.h>
8476 -# define PMD_SIZE (1UL << PMD_SHIFT)
8477 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
8478 # define PMD_MASK (~(PMD_SIZE - 1))
8480 # include <asm/pgtable-2level_types.h>
8481 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
8482 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
8485 +#ifdef CONFIG_PAX_KERNEXEC
8486 +#ifndef __ASSEMBLY__
8487 +extern unsigned char MODULES_EXEC_VADDR[];
8488 +extern unsigned char MODULES_EXEC_END[];
8490 +#include <asm/boot.h>
8491 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
8492 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
8494 +#define ktla_ktva(addr) (addr)
8495 +#define ktva_ktla(addr) (addr)
8498 #define MODULES_VADDR VMALLOC_START
8499 #define MODULES_END VMALLOC_END
8500 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
8501 diff -urNp linux-2.6.38.4/arch/x86/include/asm/pgtable-3level.h linux-2.6.38.4/arch/x86/include/asm/pgtable-3level.h
8502 --- linux-2.6.38.4/arch/x86/include/asm/pgtable-3level.h 2011-04-18 17:27:13.000000000 -0400
8503 +++ linux-2.6.38.4/arch/x86/include/asm/pgtable-3level.h 2011-04-17 15:57:32.000000000 -0400
8504 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
8506 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8508 + pax_open_kernel();
8509 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
8510 + pax_close_kernel();
8513 static inline void native_set_pud(pud_t *pudp, pud_t pud)
8515 + pax_open_kernel();
8516 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
8517 + pax_close_kernel();
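Review bot: `native_set_pmd` and `native_set_pud` now pay a `pax_open_kernel()`/`pax_close_kernel()` round trip on every write, and the same wrapping appears in the pgtable-2level.h and pgtable_64.h hunks. Nothing in the hunk distinguishes writes to the kernel's own page tables, which KERNEXEC presumably write-protects, from writes to per-process tables; if the toggle is required for both, a comment saying so would stop a future reader from "optimising" it away, and if it is only required for the kernel's tables, the unconditional toggle (with preemption disabled for its duration) is a cost on every page-table update. Both function bodies are fully visible here.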
8521 diff -urNp linux-2.6.38.4/arch/x86/include/asm/pgtable_64.h linux-2.6.38.4/arch/x86/include/asm/pgtable_64.h
8522 --- linux-2.6.38.4/arch/x86/include/asm/pgtable_64.h 2011-03-14 21:20:32.000000000 -0400
8523 +++ linux-2.6.38.4/arch/x86/include/asm/pgtable_64.h 2011-04-17 15:57:32.000000000 -0400
8526 extern pud_t level3_kernel_pgt[512];
8527 extern pud_t level3_ident_pgt[512];
8528 +extern pud_t level3_vmalloc_pgt[512];
8529 +extern pud_t level3_vmemmap_pgt[512];
8530 +extern pud_t level2_vmemmap_pgt[512];
8531 extern pmd_t level2_kernel_pgt[512];
8532 extern pmd_t level2_fixmap_pgt[512];
8533 -extern pmd_t level2_ident_pgt[512];
8534 -extern pgd_t init_level4_pgt[];
8535 +extern pmd_t level2_ident_pgt[512*2];
8536 +extern pgd_t init_level4_pgt[512];
8538 #define swapper_pg_dir init_level4_pgt
8540 @@ -61,7 +64,9 @@ static inline void native_set_pte_atomic
8542 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8544 + pax_open_kernel();
8546 + pax_close_kernel();
8549 static inline void native_pmd_clear(pmd_t *pmd)
8550 @@ -107,7 +112,9 @@ static inline void native_pud_clear(pud_
8552 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
8554 + pax_open_kernel();
8556 + pax_close_kernel();
8559 static inline void native_pgd_clear(pgd_t *pgd)
8560 diff -urNp linux-2.6.38.4/arch/x86/include/asm/pgtable_64_types.h linux-2.6.38.4/arch/x86/include/asm/pgtable_64_types.h
8561 --- linux-2.6.38.4/arch/x86/include/asm/pgtable_64_types.h 2011-03-14 21:20:32.000000000 -0400
8562 +++ linux-2.6.38.4/arch/x86/include/asm/pgtable_64_types.h 2011-04-17 15:57:32.000000000 -0400
8563 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
8564 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
8565 #define MODULES_END _AC(0xffffffffff000000, UL)
8566 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
8567 +#define MODULES_EXEC_VADDR MODULES_VADDR
8568 +#define MODULES_EXEC_END MODULES_END
8570 +#define ktla_ktva(addr) (addr)
8571 +#define ktva_ktla(addr) (addr)
8573 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
8574 diff -urNp linux-2.6.38.4/arch/x86/include/asm/pgtable.h linux-2.6.38.4/arch/x86/include/asm/pgtable.h
8575 --- linux-2.6.38.4/arch/x86/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
8576 +++ linux-2.6.38.4/arch/x86/include/asm/pgtable.h 2011-04-17 15:57:32.000000000 -0400
8577 @@ -81,12 +81,51 @@ extern struct mm_struct *pgd_page_get_mm
8579 #define arch_end_context_switch(prev) do {} while(0)
8581 +#define pax_open_kernel() native_pax_open_kernel()
8582 +#define pax_close_kernel() native_pax_close_kernel()
8583 #endif /* CONFIG_PARAVIRT */
8585 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
8586 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
8588 +#ifdef CONFIG_PAX_KERNEXEC
8589 +static inline unsigned long native_pax_open_kernel(void)
8591 + unsigned long cr0;
8593 + preempt_disable();
8595 + cr0 = read_cr0() ^ X86_CR0_WP;
8596 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
8598 + return cr0 ^ X86_CR0_WP;
8601 +static inline unsigned long native_pax_close_kernel(void)
8603 + unsigned long cr0;
8605 + cr0 = read_cr0() ^ X86_CR0_WP;
8606 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
8609 + preempt_enable_no_resched();
8610 + return cr0 ^ X86_CR0_WP;
8613 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
8614 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
8618 * The following only work if pte_present() is true.
8619 * Undefined behaviour if not..
8621 +static inline int pte_user(pte_t pte)
8623 + return pte_val(pte) & _PAGE_USER;
8626 static inline int pte_dirty(pte_t pte)
8628 return pte_flags(pte) & _PAGE_DIRTY;
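Review bot: `native_pax_open_kernel` and `native_pax_close_kernel` have no comment stating their contract, and it is not obvious from the code: they must be called in strict pairs with no nesting (the `BUG_ON` fires when `CR0.WP` is already in the state the call would produce), preemption is held off between them (`preempt_disable()` in open, `preempt_enable_no_resched()` in close), and each returns the `cr0` value observed before it toggled `X86_CR0_WP` — a value every caller in this patch discards. The line that writes `cr0` back is not visible in this excerpt. As a point of style, `BUG_ON(unlikely(...))` is redundant since `BUG_ON` already wraps its condition in `unlikely`. Suggested header for the open side: `/* Clear CR0.WP so the kernel can write its read-only mappings; pair with native_pax_close_kernel(), do not nest, do not sleep in between (preemption is disabled). Returns the cr0 value seen before the toggle. */`.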
8629 @@ -196,9 +235,29 @@ static inline pte_t pte_wrprotect(pte_t
8630 return pte_clear_flags(pte, _PAGE_RW);
8633 +static inline pte_t pte_mkread(pte_t pte)
8635 + return __pte(pte_val(pte) | _PAGE_USER);
8638 static inline pte_t pte_mkexec(pte_t pte)
8640 - return pte_clear_flags(pte, _PAGE_NX);
8641 +#ifdef CONFIG_X86_PAE
8642 + if (__supported_pte_mask & _PAGE_NX)
8643 + return pte_clear_flags(pte, _PAGE_NX);
8646 + return pte_set_flags(pte, _PAGE_USER);
8649 +static inline pte_t pte_exprotect(pte_t pte)
8651 +#ifdef CONFIG_X86_PAE
8652 + if (__supported_pte_mask & _PAGE_NX)
8653 + return pte_set_flags(pte, _PAGE_NX);
8656 + return pte_clear_flags(pte, _PAGE_USER);
8659 static inline pte_t pte_mkdirty(pte_t pte)
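Review bot: The new `pte_mkread` builds its result with `__pte(pte_val(pte) | _PAGE_USER)` while `pte_mkexec`/`pte_exprotect` in the same hunk, and the existing accessors around them, use `pte_set_flags`/`pte_clear_flags`; `pte_user` in the earlier hunk of this file likewise reads `pte_val(pte) & _PAGE_USER` where the adjacent `pte_dirty` uses `pte_flags`. As far as I recall, `pte_set_flags` and `pte_flags` operate on the native value whereas `pte_val`/`__pte` go through the paravirt hooks, so the two spellings are not equivalent under CONFIG_PARAVIRT; `return pte_set_flags(pte, _PAGE_USER);` and `return pte_flags(pte) & _PAGE_USER;` keep the family consistent. The non-NX fallback in `pte_mkexec`/`pte_exprotect`, which repurposes `_PAGE_USER` as the executable bit, also deserves a one-line comment at the `#ifdef CONFIG_X86_PAE`, since readers outside PaX will not expect it.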
8660 @@ -390,6 +449,15 @@ pte_t *populate_extra_pte(unsigned long
8663 #ifndef __ASSEMBLY__
8665 +#ifdef CONFIG_PAX_PER_CPU_PGD
8666 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
8667 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
8669 + return cpu_pgd[cpu];
8673 #include <linux/mm_types.h>
8675 static inline int pte_none(pte_t pte)
8676 @@ -560,7 +628,7 @@ static inline pud_t *pud_offset(pgd_t *p
8678 static inline int pgd_bad(pgd_t pgd)
8680 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
8681 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
8684 static inline int pgd_none(pgd_t pgd)
8685 @@ -583,7 +651,12 @@ static inline int pgd_none(pgd_t pgd)
8686 * pgd_offset() returns a (pgd_t *)
8687 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
8689 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
8690 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
8692 +#ifdef CONFIG_PAX_PER_CPU_PGD
8693 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
8697 * a shortcut which implies the use of the kernel's pgd, instead
8699 @@ -594,6 +667,20 @@ static inline int pgd_none(pgd_t pgd)
8700 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
8701 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
8703 +#ifdef CONFIG_X86_32
8704 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
8706 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
8707 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
8709 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8710 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
8712 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
8717 #ifndef __ASSEMBLY__
8719 extern int direct_gbpages;
8720 @@ -758,11 +845,23 @@ static inline void pmdp_set_wrprotect(st
8721 * dst and src can be on the same page, but the range must not overlap,
8722 * and must not cross a page boundary.
8724 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
8725 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
8727 - memcpy(dst, src, count * sizeof(pgd_t));
8728 + pax_open_kernel();
8731 + pax_close_kernel();
8734 +#ifdef CONFIG_PAX_PER_CPU_PGD
8735 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8738 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8739 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8741 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
8744 #include <asm-generic/pgtable.h>
8745 #endif /* __ASSEMBLY__ */
8746 diff -urNp linux-2.6.38.4/arch/x86/include/asm/pgtable_types.h linux-2.6.38.4/arch/x86/include/asm/pgtable_types.h
8747 --- linux-2.6.38.4/arch/x86/include/asm/pgtable_types.h 2011-03-14 21:20:32.000000000 -0400
8748 +++ linux-2.6.38.4/arch/x86/include/asm/pgtable_types.h 2011-04-17 15:57:32.000000000 -0400
8750 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
8751 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
8752 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
8753 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
8754 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
8755 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
8756 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
8757 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
8758 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
8759 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
8760 -#define _PAGE_BIT_SPLITTING _PAGE_BIT_UNUSED1 /* only valid on a PSE pmd */
8761 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
8762 +#define _PAGE_BIT_SPLITTING _PAGE_BIT_SPECIAL /* only valid on a PSE pmd */
8763 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
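Review bot: The comment on the untouched `_PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */` line is now incomplete, because a later hunk in this file defines `_PAGE_NX` as `_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN` when neither PAE nor CONFIG_KMEMCHECK is configured, i.e. bit 11 doubles as a software no-execute bit on 32-bit non-PAE kernels. Recording the dual use where the bit is named prevents someone from re-purposing it later: `#define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck; software _PAGE_NX when !PAE && !KMEMCHECK */`.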
8765 /* If _PAGE_BIT_PRESENT is clear, we use these: */
8767 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
8768 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
8769 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
8770 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
8771 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
8772 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
8773 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
8776 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
8777 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
8779 +#elif defined(CONFIG_KMEMCHECK)
8780 #define _PAGE_NX (_AT(pteval_t, 0))
8782 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
8785 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
8787 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
8790 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
8791 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
8793 #define __PAGE_KERNEL_EXEC \
8794 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
8795 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
8797 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
8798 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
8799 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
8800 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
8801 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
8802 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
8803 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
8804 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
8805 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
8806 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
8808 * bits are combined, this will alow user to access the high address mapped
8809 * VDSO in the presence of CONFIG_COMPAT_VDSO
8811 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
8812 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
8813 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8814 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8815 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
8818 @@ -205,7 +208,17 @@ static inline pgdval_t pgd_flags(pgd_t p
8820 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
8824 +#if PAGETABLE_LEVELS == 3
8825 +#include <asm-generic/pgtable-nopud.h>
8828 +#if PAGETABLE_LEVELS == 2
8829 +#include <asm-generic/pgtable-nopmd.h>
8832 +#ifndef __ASSEMBLY__
8833 #if PAGETABLE_LEVELS > 3
8834 typedef struct { pudval_t pud; } pud_t;
8836 @@ -219,8 +232,6 @@ static inline pudval_t native_pud_val(pu
8840 -#include <asm-generic/pgtable-nopud.h>
8842 static inline pudval_t native_pud_val(pud_t pud)
8844 return native_pgd_val(pud.pgd);
8845 @@ -240,8 +251,6 @@ static inline pmdval_t native_pmd_val(pm
8849 -#include <asm-generic/pgtable-nopmd.h>
8851 static inline pmdval_t native_pmd_val(pmd_t pmd)
8853 return native_pgd_val(pmd.pud.pgd);
8854 @@ -281,7 +290,6 @@ typedef struct page *pgtable_t;
8856 extern pteval_t __supported_pte_mask;
8857 extern void set_nx(void);
8858 -extern int nx_enabled;
8860 #define pgprot_writecombine pgprot_writecombine
8861 extern pgprot_t pgprot_writecombine(pgprot_t prot);
8862 diff -urNp linux-2.6.38.4/arch/x86/include/asm/processor.h linux-2.6.38.4/arch/x86/include/asm/processor.h
8863 --- linux-2.6.38.4/arch/x86/include/asm/processor.h 2011-03-14 21:20:32.000000000 -0400
8864 +++ linux-2.6.38.4/arch/x86/include/asm/processor.h 2011-04-17 15:57:32.000000000 -0400
8865 @@ -270,7 +270,7 @@ struct tss_struct {
8867 } ____cacheline_aligned;
8869 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
8870 +extern struct tss_struct init_tss[NR_CPUS];
8873 * Save the original ist values for checking stack pointers during debugging
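Review bot: Every existing `per_cpu(init_tss, cpu)` / `__get_cpu_var(init_tss)` accessor elsewhere has to become `init_tss[cpu]` now that `init_tss` is a plain `NR_CPUS` array, and this hunk cannot show whether that was done or where the array is now defined. The reason for taking the TSS out of the per-CPU area is not stated anywhere in the hunk; a one-line comment on the `extern`, with the actual rationale filled in, would keep the next reader from converting it back. Per-element cache-line alignment still follows from the `____cacheline_aligned` on the struct definition just above, so that property is not lost.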
8874 @@ -864,8 +864,15 @@ static inline void spin_lock_prefetch(co
8876 #define TASK_SIZE PAGE_OFFSET
8877 #define TASK_SIZE_MAX TASK_SIZE
8879 +#ifdef CONFIG_PAX_SEGMEXEC
8880 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
8881 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
8883 #define STACK_TOP TASK_SIZE
8884 -#define STACK_TOP_MAX STACK_TOP
8887 +#define STACK_TOP_MAX TASK_SIZE
8889 #define INIT_THREAD { \
8890 .sp0 = sizeof(init_stack) + (long)&init_stack, \
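Review bot: Under CONFIG_PAX_SEGMEXEC `STACK_TOP` now dereferences `current->mm->pax_flags` on every use, so a macro that used to be a compile-time constant acquires the hidden precondition that `current->mm` is non-NULL; it will fault if reached from a kernel thread or a task past `exit_mm`. The mainline callers (exec and mmap-layout paths) do hold an mm, but the precondition should be recorded at the definition, e.g. `/* requires current->mm: valid only in process context with an address space */`. `STACK_TOP_MAX` is set to `TASK_SIZE` in both branches, i.e. it deliberately ignores the SEGMEXEC halving, which also deserves a word. Style: `? SEGMEXEC_TASK_SIZE : TASK_SIZE` with spaces, matching the rest of the file.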
8891 @@ -882,7 +889,7 @@ static inline void spin_lock_prefetch(co
8893 #define INIT_TSS { \
8895 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
8896 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
8897 .ss0 = __KERNEL_DS, \
8898 .ss1 = __KERNEL_CS, \
8899 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
8900 @@ -893,11 +900,7 @@ static inline void spin_lock_prefetch(co
8901 extern unsigned long thread_saved_pc(struct task_struct *tsk);
8903 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
8904 -#define KSTK_TOP(info) \
8906 - unsigned long *__ptr = (unsigned long *)(info); \
8907 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
8909 +#define KSTK_TOP(info) ((info)->task.thread.sp0)
8912 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
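Review bot: The comment `* The below -8 is to reserve 8 bytes on top of the ring0 stack.` is now stale: the next hunk rewrites `task_pt_regs` to use `(task)->thread.sp0` directly and drops the `-8`, the reservation having moved into the `.sp0 = ... - 8` initializer in INIT_TSS two hunks up. Reword it to say that `sp0` already sits 8 bytes below the top of the ring-0 stack, so `pt_regs` is located exactly at `sp0`. Separately, `KSTK_TOP(info)` changes its operand type: `((info)->task.thread.sp0)` needs a pointer to something with an embedded `task` struct member rather than the raw stack-page pointer the old `(unsigned long *)(info)` cast accepted, and the thread_info.h hunks in this patch remove `thread_info->task` entirely, so a comment naming the expected argument type would prevent misuse.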
8913 @@ -912,7 +915,7 @@ extern unsigned long thread_saved_pc(str
8914 #define task_pt_regs(task) \
8916 struct pt_regs *__regs__; \
8917 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
8918 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
8922 @@ -922,13 +925,13 @@ extern unsigned long thread_saved_pc(str
8924 * User space process size. 47bits minus one guard page.
8926 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
8927 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
8929 /* This decides where the kernel will search for a free chunk of vm
8930 * space during mmap's.
8932 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
8933 - 0xc0000000 : 0xFFFFe000)
8934 + 0xc0000000 : 0xFFFFf000)
8936 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
8937 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
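Review bot: The comment above, `* User space process size. 47bits minus one guard page.`, no longer matches the code once `TASK_SIZE_MAX` is `(1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE`; it should read `TASK_SIZE_MAX_SHIFT bits minus one guard page`, and `TASK_SIZE_MAX_SHIFT` is defined outside this hunk, so its range cannot be checked here. Raising `IA32_PAGE_OFFSET` from `0xFFFFe000` to `0xFFFFf000` hands the page at 0xFFFFE000 back to 32-bit compat mappings, which is only safe if nothing in the ia32 compat/vDSO code still assumes that page is reserved — not visible from this hunk. Minor: `0xFFFFf000` mixes case within one literal; `0xFFFFF000`, or all-lowercase to match `0xc0000000` on the line above, reads cleaner.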
8938 @@ -965,6 +968,10 @@ extern void start_thread(struct pt_regs
8940 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
8942 +#ifdef CONFIG_PAX_SEGMEXEC
8943 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
8946 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
8948 /* Get/set a process' ability to use the timestamp counter instruction */
8949 diff -urNp linux-2.6.38.4/arch/x86/include/asm/ptrace.h linux-2.6.38.4/arch/x86/include/asm/ptrace.h
8950 --- linux-2.6.38.4/arch/x86/include/asm/ptrace.h 2011-03-14 21:20:32.000000000 -0400
8951 +++ linux-2.6.38.4/arch/x86/include/asm/ptrace.h 2011-04-17 15:57:32.000000000 -0400
8952 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
8956 - * user_mode_vm(regs) determines whether a register set came from user mode.
8957 + * user_mode(regs) determines whether a register set came from user mode.
8958 * This is true if V8086 mode was enabled OR if the register set was from
8959 * protected mode with RPL-3 CS value. This tricky test checks that with
8960 * one comparison. Many places in the kernel can bypass this full check
8961 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
8962 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
8965 -static inline int user_mode(struct pt_regs *regs)
8966 +static inline int user_mode_novm(struct pt_regs *regs)
8968 #ifdef CONFIG_X86_32
8969 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
8971 - return !!(regs->cs & 3);
8972 + return !!(regs->cs & SEGMENT_RPL_MASK);
8976 -static inline int user_mode_vm(struct pt_regs *regs)
8977 +static inline int user_mode(struct pt_regs *regs)
8979 #ifdef CONFIG_X86_32
8980 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
8983 - return user_mode(regs);
8984 + return user_mode_novm(regs);
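Review bot: Every existing `user_mode(regs)` caller in the tree — and any out-of-tree module — now silently gets the V86-aware test, because the cheap RPL-only check has been renamed `user_mode_novm()` and the former `user_mode_vm()` has taken the `user_mode()` name. The direction is the safe one (callers that forgot about V8086 mode now get the full check), but the comment block should state the policy explicitly, e.g. `/* user_mode() is the safe default; use user_mode_novm() only where V8086 mode has already been ruled out */`, and the callers that legitimately want the fast path need to be found and switched, which this hunk cannot show. Replacing the literal `3` with `SEGMENT_RPL_MASK` on the 64-bit branch is a good consistency fix.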
8988 diff -urNp linux-2.6.38.4/arch/x86/include/asm/reboot.h linux-2.6.38.4/arch/x86/include/asm/reboot.h
8989 --- linux-2.6.38.4/arch/x86/include/asm/reboot.h 2011-03-14 21:20:32.000000000 -0400
8990 +++ linux-2.6.38.4/arch/x86/include/asm/reboot.h 2011-04-17 15:57:32.000000000 -0400
8991 @@ -18,7 +18,7 @@ extern struct machine_ops machine_ops;
8993 void native_machine_crash_shutdown(struct pt_regs *regs);
8994 void native_machine_shutdown(void);
8995 -void machine_real_restart(const unsigned char *code, int length);
8996 +void machine_real_restart(const unsigned char *code, unsigned int length);
8998 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
8999 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
9000 diff -urNp linux-2.6.38.4/arch/x86/include/asm/rwsem.h linux-2.6.38.4/arch/x86/include/asm/rwsem.h
9001 --- linux-2.6.38.4/arch/x86/include/asm/rwsem.h 2011-03-14 21:20:32.000000000 -0400
9002 +++ linux-2.6.38.4/arch/x86/include/asm/rwsem.h 2011-04-17 15:57:32.000000000 -0400
9003 @@ -118,6 +118,14 @@ static inline void __down_read(struct rw
9005 asm volatile("# beginning down_read\n\t"
9006 LOCK_PREFIX _ASM_INC "(%1)\n\t"
9008 +#ifdef CONFIG_PAX_REFCOUNT
9010 + LOCK_PREFIX _ASM_DEC "(%1)\n"
9012 + _ASM_EXTABLE(0b, 0b)
9015 /* adds 0x00000001 */
9017 " call call_rwsem_down_read_failed\n"
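Review bot: None of the CONFIG_PAX_REFCOUNT blocks added to these lock primitives — here, in the seven following hunks of this file, and in the three spinlock.h hunks with the same shape — carries a comment saying what the extra locked read-modify-write and the `_ASM_EXTABLE(0b, 0b)` entry are for. From what is visible (`LOCK_PREFIX _ASM_DEC` mirroring the `_ASM_INC` above it) the block presumably undoes the update and reports an overflowed count through the exception table; the branch and trap instructions are not shown in this rendering. A one-line comment at the first instance, `/* PAX_REFCOUNT: on signed overflow undo the update and report it via the exception table */`, plus a note that the check is only meaningful for the bias-encoded count layout described below (`0xZZZZ0001 -> 0xYYYY0001`), would make the intent reviewable. It is also worth recording that another CPU can observe the overflowed value in the window before the undo executes.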
9018 @@ -139,6 +147,14 @@ static inline int __down_read_trylock(st
9023 +#ifdef CONFIG_PAX_REFCOUNT
9027 + _ASM_EXTABLE(0b, 0b)
9031 LOCK_PREFIX " cmpxchg %2,%0\n\t"
9033 @@ -158,6 +174,14 @@ static inline void __down_write_nested(s
9035 asm volatile("# beginning down_write\n\t"
9036 LOCK_PREFIX " xadd %1,(%2)\n\t"
9038 +#ifdef CONFIG_PAX_REFCOUNT
9042 + _ASM_EXTABLE(0b, 0b)
9045 /* adds 0xffff0001, returns the old value */
9047 /* was the count 0 before? */
9048 @@ -196,6 +220,14 @@ static inline void __up_read(struct rw_s
9050 asm volatile("# beginning __up_read\n\t"
9051 LOCK_PREFIX " xadd %1,(%2)\n\t"
9053 +#ifdef CONFIG_PAX_REFCOUNT
9057 + _ASM_EXTABLE(0b, 0b)
9060 /* subtracts 1, returns the old value */
9062 " call call_rwsem_wake\n" /* expects old value in %edx */
9063 @@ -214,6 +246,14 @@ static inline void __up_write(struct rw_
9065 asm volatile("# beginning __up_write\n\t"
9066 LOCK_PREFIX " xadd %1,(%2)\n\t"
9068 +#ifdef CONFIG_PAX_REFCOUNT
9072 + _ASM_EXTABLE(0b, 0b)
9075 /* subtracts 0xffff0001, returns the old value */
9077 " call call_rwsem_wake\n" /* expects old value in %edx */
9078 @@ -231,6 +271,14 @@ static inline void __downgrade_write(str
9080 asm volatile("# beginning __downgrade_write\n\t"
9081 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
9083 +#ifdef CONFIG_PAX_REFCOUNT
9085 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
9087 + _ASM_EXTABLE(0b, 0b)
9091 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
9092 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
9093 @@ -250,7 +298,15 @@ static inline void __downgrade_write(str
9094 static inline void rwsem_atomic_add(rwsem_count_t delta,
9095 struct rw_semaphore *sem)
9097 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
9098 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
9100 +#ifdef CONFIG_PAX_REFCOUNT
9102 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
9104 + _ASM_EXTABLE(0b, 0b)
9110 @@ -263,7 +319,15 @@ static inline rwsem_count_t rwsem_atomic
9112 rwsem_count_t tmp = delta;
9114 - asm volatile(LOCK_PREFIX "xadd %0,%1"
9115 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
9117 +#ifdef CONFIG_PAX_REFCOUNT
9121 + _ASM_EXTABLE(0b, 0b)
9124 : "+r" (tmp), "+m" (sem->count)
9127 diff -urNp linux-2.6.38.4/arch/x86/include/asm/segment.h linux-2.6.38.4/arch/x86/include/asm/segment.h
9128 --- linux-2.6.38.4/arch/x86/include/asm/segment.h 2011-03-14 21:20:32.000000000 -0400
9129 +++ linux-2.6.38.4/arch/x86/include/asm/segment.h 2011-04-17 15:57:32.000000000 -0400
9131 * 26 - ESPFIX small SS
9132 * 27 - per-cpu [ offset to per-cpu data area ]
9133 * 28 - stack_canary-20 [ for stack protector ]
9136 + * 29 - PCI BIOS CS
9137 + * 30 - PCI BIOS DS
9138 * 31 - TSS for double fault handler
9140 #define GDT_ENTRY_TLS_MIN 6
9143 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE+0)
9145 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
9147 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE+1)
9149 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE+4)
9150 @@ -102,6 +104,12 @@
9151 #define __KERNEL_STACK_CANARY 0
9154 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE+17)
9155 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
9157 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE+18)
9158 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
9160 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
9166 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
9167 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
9168 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
9173 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
9174 #define __USER32_DS __USER_DS
9176 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
9178 #define GDT_ENTRY_TSS 8 /* needs two entries */
9179 #define GDT_ENTRY_LDT 10 /* needs two entries */
9180 #define GDT_ENTRY_TLS_MIN 12
9184 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
9185 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
9186 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
9187 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3)
9188 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3)
9189 diff -urNp linux-2.6.38.4/arch/x86/include/asm/smp.h linux-2.6.38.4/arch/x86/include/asm/smp.h
9190 --- linux-2.6.38.4/arch/x86/include/asm/smp.h 2011-03-14 21:20:32.000000000 -0400
9191 +++ linux-2.6.38.4/arch/x86/include/asm/smp.h 2011-04-17 15:57:32.000000000 -0400
9192 @@ -24,7 +24,7 @@ extern unsigned int num_processors;
9193 DECLARE_PER_CPU(cpumask_var_t, cpu_sibling_map);
9194 DECLARE_PER_CPU(cpumask_var_t, cpu_core_map);
9195 DECLARE_PER_CPU(u16, cpu_llc_id);
9196 -DECLARE_PER_CPU(int, cpu_number);
9197 +DECLARE_PER_CPU(unsigned int, cpu_number);
9199 static inline struct cpumask *cpu_sibling_mask(int cpu)
9201 @@ -172,14 +172,8 @@ extern unsigned disabled_cpus __cpuinitd
9202 extern int safe_smp_processor_id(void);
9204 #elif defined(CONFIG_X86_64_SMP)
9205 -#define raw_smp_processor_id() (percpu_read(cpu_number))
9207 -#define stack_smp_processor_id() \
9209 - struct thread_info *ti; \
9210 - __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
9213 +#define raw_smp_processor_id() (percpu_read(cpu_number))
9214 +#define stack_smp_processor_id() raw_smp_processor_id()
9215 #define safe_smp_processor_id() smp_processor_id()
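Review bot: The property `stack_smp_processor_id()` existed for — working where the per-CPU GS base is not (yet) valid, since the removed body derived the CPU from `%rsp` and `thread_info` — is lost once it becomes an alias of `raw_smp_processor_id()`. That is consistent with thread_info leaving the stack in this patch, but it keeps a name that now promises something it does not do; either every caller must be in a context where the per-CPU area is already set up (early boot and per-CPU initialisation code are the ones to check), or the macro should be removed rather than kept as a misleading alias. At minimum add `/* thread_info no longer lives on the stack; per-cpu data must be initialised before this is usable */`.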
9218 diff -urNp linux-2.6.38.4/arch/x86/include/asm/spinlock.h linux-2.6.38.4/arch/x86/include/asm/spinlock.h
9219 --- linux-2.6.38.4/arch/x86/include/asm/spinlock.h 2011-03-14 21:20:32.000000000 -0400
9220 +++ linux-2.6.38.4/arch/x86/include/asm/spinlock.h 2011-04-17 15:57:32.000000000 -0400
9221 @@ -249,6 +249,14 @@ static inline int arch_write_can_lock(ar
9222 static inline void arch_read_lock(arch_rwlock_t *rw)
9224 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
9226 +#ifdef CONFIG_PAX_REFCOUNT
9228 + LOCK_PREFIX " addl $1,(%0)\n"
9230 + _ASM_EXTABLE(0b, 0b)
9234 "call __read_lock_failed\n\t"
9236 @@ -258,6 +266,14 @@ static inline void arch_read_lock(arch_r
9237 static inline void arch_write_lock(arch_rwlock_t *rw)
9239 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
9241 +#ifdef CONFIG_PAX_REFCOUNT
9243 + LOCK_PREFIX " addl %1,(%0)\n"
9245 + _ASM_EXTABLE(0b, 0b)
9249 "call __write_lock_failed\n\t"
9251 @@ -286,12 +302,29 @@ static inline int arch_write_trylock(arc
9253 static inline void arch_read_unlock(arch_rwlock_t *rw)
9255 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
9256 + asm volatile(LOCK_PREFIX "incl %0\n"
9258 +#ifdef CONFIG_PAX_REFCOUNT
9260 + LOCK_PREFIX "decl %0\n"
9262 + _ASM_EXTABLE(0b, 0b)
9265 + :"+m" (rw->lock) : : "memory");
9268 static inline void arch_write_unlock(arch_rwlock_t *rw)
9270 - asm volatile(LOCK_PREFIX "addl %1, %0"
9271 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
9273 +#ifdef CONFIG_PAX_REFCOUNT
9275 + LOCK_PREFIX "subl %1, %0\n"
9277 + _ASM_EXTABLE(0b, 0b)
9280 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
9283 diff -urNp linux-2.6.38.4/arch/x86/include/asm/stackprotector.h linux-2.6.38.4/arch/x86/include/asm/stackprotector.h
9284 --- linux-2.6.38.4/arch/x86/include/asm/stackprotector.h 2011-03-14 21:20:32.000000000 -0400
9285 +++ linux-2.6.38.4/arch/x86/include/asm/stackprotector.h 2011-04-17 15:57:32.000000000 -0400
9286 @@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
9288 static inline void load_stack_canary_segment(void)
9290 -#ifdef CONFIG_X86_32
9291 +#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
9292 asm volatile ("mov %0, %%gs" : : "r" (0));
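Review bot: The new condition `#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)` leaves `load_stack_canary_segment()` empty under UDEREF without saying why %gs must not be cleared there. Presumably UDEREF keeps %gs loaded with a segment the kernel depends on, but that is inference from the name; one comment line on the `#if`, worded to the actual reason, e.g. `/* UDEREF keeps %gs in use on 32-bit; do not clear it here */`, would stop the next reader from "fixing" it back.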
9295 diff -urNp linux-2.6.38.4/arch/x86/include/asm/stacktrace.h linux-2.6.38.4/arch/x86/include/asm/stacktrace.h
9296 --- linux-2.6.38.4/arch/x86/include/asm/stacktrace.h 2011-03-14 21:20:32.000000000 -0400
9297 +++ linux-2.6.38.4/arch/x86/include/asm/stacktrace.h 2011-04-17 15:57:32.000000000 -0400
9300 extern int kstack_depth_to_print;
9302 -struct thread_info;
9303 +struct task_struct;
9304 struct stacktrace_ops;
9306 -typedef unsigned long (*walk_stack_t)(struct thread_info *tinfo,
9307 - unsigned long *stack,
9309 - const struct stacktrace_ops *ops,
9311 - unsigned long *end,
9314 -extern unsigned long
9315 -print_context_stack(struct thread_info *tinfo,
9316 - unsigned long *stack, unsigned long bp,
9317 - const struct stacktrace_ops *ops, void *data,
9318 - unsigned long *end, int *graph);
9320 -extern unsigned long
9321 -print_context_stack_bp(struct thread_info *tinfo,
9322 - unsigned long *stack, unsigned long bp,
9323 - const struct stacktrace_ops *ops, void *data,
9324 - unsigned long *end, int *graph);
9325 +typedef unsigned long walk_stack_t(struct task_struct *task,
9326 + void *stack_start,
9327 + unsigned long *stack,
9329 + const struct stacktrace_ops *ops,
9331 + unsigned long *end,
9334 +extern walk_stack_t print_context_stack;
9335 +extern walk_stack_t print_context_stack_bp;
9337 /* Generic stack tracer with callbacks */
9339 @@ -43,7 +35,7 @@ struct stacktrace_ops {
9340 void (*address)(void *data, unsigned long address, int reliable);
9341 /* On negative return stop dumping */
9342 int (*stack)(void *data, char *name);
9343 - walk_stack_t walk_stack;
9344 + walk_stack_t *walk_stack;
9347 void dump_trace(struct task_struct *tsk, struct pt_regs *regs,
9348 diff -urNp linux-2.6.38.4/arch/x86/include/asm/system.h linux-2.6.38.4/arch/x86/include/asm/system.h
9349 --- linux-2.6.38.4/arch/x86/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
9350 +++ linux-2.6.38.4/arch/x86/include/asm/system.h 2011-04-17 15:57:32.000000000 -0400
9351 @@ -131,7 +131,7 @@ do { \
9352 "call __switch_to\n\t" \
9353 "movq "__percpu_arg([current_task])",%%rsi\n\t" \
9355 - "movq %P[thread_info](%%rsi),%%r8\n\t" \
9356 + "movq "__percpu_arg([thread_info])",%%r8\n\t" \
9357 "movq %%rax,%%rdi\n\t" \
9358 "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
9359 "jnz ret_from_fork\n\t" \
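Review bot: The load of %r8 from the per-CPU `current_tinfo` right after `call __switch_to` is correct only if `__switch_to` has already published the next task's thread_info into `current_tinfo` before returning — the same ordering requirement the preceding line already has for `current_task`. That side of the contract lives outside these hunks (the operand itself moves from an `"i"` struct offset to `"m" (current_tinfo)` in the next hunk), so it should be stated next to the load, e.g. `/* __switch_to must have updated current_tinfo and current_task before we get here */`. The `testl %[_tif_fork],%P[ti_flags](%%r8)` that follows keeps the same `ti_flags` offset and is unaffected.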
9360 @@ -142,7 +142,7 @@ do { \
9361 [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
9362 [ti_flags] "i" (offsetof(struct thread_info, flags)), \
9363 [_tif_fork] "i" (_TIF_FORK), \
9364 - [thread_info] "i" (offsetof(struct task_struct, stack)), \
9365 + [thread_info] "m" (current_tinfo), \
9366 [current_task] "m" (current_task) \
9367 __switch_canary_iparam \
9368 : "memory", "cc" __EXTRA_CLOBBER)
9369 @@ -202,7 +202,7 @@ static inline unsigned long get_limit(un
9371 unsigned long __limit;
9372 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
9373 - return __limit + 1;
9377 static inline void native_clts(void)
9378 @@ -342,7 +342,7 @@ void enable_hlt(void);
9380 void cpu_idle_wait(void);
9382 -extern unsigned long arch_align_stack(unsigned long sp);
9383 +#define arch_align_stack(x) ((x) & ~0xfUL)
9384 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
9386 void default_idle(void);
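Review bot: Turning `arch_align_stack()` into `#define arch_align_stack(x) ((x) & ~0xfUL)` makes it a pure 16-byte alignment, whereas the mainline function definition (as far as I recall it) also applies per-exec randomisation to the initial stack pointer; if that randomisation is meant to come from elsewhere in this patch, the define should say so, e.g. `/* no randomisation here: stack randomisation is handled by the PaX stack-layout code */` with the location filled in. The now-unused out-of-line definition must also be removed, which this hunk does not show. As written the macro evaluates its argument once, so callers passing an expression are unaffected.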
9387 diff -urNp linux-2.6.38.4/arch/x86/include/asm/thread_info.h linux-2.6.38.4/arch/x86/include/asm/thread_info.h
9388 --- linux-2.6.38.4/arch/x86/include/asm/thread_info.h 2011-03-14 21:20:32.000000000 -0400
9389 +++ linux-2.6.38.4/arch/x86/include/asm/thread_info.h 2011-04-17 15:57:32.000000000 -0400
9391 #include <linux/compiler.h>
9392 #include <asm/page.h>
9393 #include <asm/types.h>
9394 +#include <asm/percpu.h>
9397 * low level task data that entry.S needs immediate access to
9398 @@ -24,7 +25,6 @@ struct exec_domain;
9399 #include <asm/atomic.h>
9401 struct thread_info {
9402 - struct task_struct *task; /* main task structure */
9403 struct exec_domain *exec_domain; /* execution domain */
9404 __u32 flags; /* low level flags */
9405 __u32 status; /* thread synchronous flags */
9406 @@ -34,18 +34,11 @@ struct thread_info {
9407 mm_segment_t addr_limit;
9408 struct restart_block restart_block;
9409 void __user *sysenter_return;
9410 -#ifdef CONFIG_X86_32
9411 - unsigned long previous_esp; /* ESP of the previous stack in
9412 - case of nested (IRQ) stacks
9414 - __u8 supervisor_stack[0];
9419 -#define INIT_THREAD_INFO(tsk) \
9420 +#define INIT_THREAD_INFO \
9423 .exec_domain = &default_exec_domain, \
9426 @@ -56,7 +49,7 @@ struct thread_info {
9430 -#define init_thread_info (init_thread_union.thread_info)
9431 +#define init_thread_info (init_task.tinfo)
9432 #define init_stack (init_thread_union.stack)
9434 #else /* !__ASSEMBLY__ */
9435 @@ -164,6 +157,23 @@ struct thread_info {
9436 #define alloc_thread_info(tsk) \
9437 ((struct thread_info *)__get_free_pages(THREAD_FLAGS, THREAD_ORDER))
9439 +#ifdef __ASSEMBLY__
9440 +/* how to get the thread information struct from ASM */
9441 +#define GET_THREAD_INFO(reg) \
9442 + mov PER_CPU_VAR(current_tinfo), reg
9444 +/* use this one if reg already contains %esp */
9445 +#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
9447 +/* how to get the thread information struct from C */
9448 +DECLARE_PER_CPU(struct thread_info *, current_tinfo);
9450 +static __always_inline struct thread_info *current_thread_info(void)
9452 + return percpu_read_stable(current_tinfo);
9456 #ifdef CONFIG_X86_32
9458 #define STACK_WARN (THREAD_SIZE/8)
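Review bot: The comment `/* use this one if reg already contains %esp */` above `GET_THREAD_INFO_WITH_ESP(reg)` is no longer true: the macro now expands to `GET_THREAD_INFO(reg)`, which overwrites `reg` from `PER_CPU_VAR(current_tinfo)` whatever it held, so the "with ESP" variant is a pure compatibility alias. Reword it to `/* kept for callers that used to pass %esp; reg is simply overwritten now */`. On the C side, `current_thread_info()` reads `current_tinfo` via `percpu_read_stable`, which lets the compiler treat the value as invariant within a function; that matches what mainline does for `current_task`, but it deserves a comment since something outside this file (presumably the context-switch path) updates the variable.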
9459 @@ -174,35 +184,13 @@ struct thread_info {
9461 #ifndef __ASSEMBLY__
9464 /* how to get the current stack pointer from C */
9465 register unsigned long current_stack_pointer asm("esp") __used;
9467 -/* how to get the thread information struct from C */
9468 -static inline struct thread_info *current_thread_info(void)
9470 - return (struct thread_info *)
9471 - (current_stack_pointer & ~(THREAD_SIZE - 1));
9474 -#else /* !__ASSEMBLY__ */
9476 -/* how to get the thread information struct from ASM */
9477 -#define GET_THREAD_INFO(reg) \
9478 - movl $-THREAD_SIZE, reg; \
9481 -/* use this one if reg already contains %esp */
9482 -#define GET_THREAD_INFO_WITH_ESP(reg) \
9483 - andl $-THREAD_SIZE, reg
9489 -#include <asm/percpu.h>
9490 -#define KERNEL_STACK_OFFSET (5*8)
9493 * macros/functions for gaining access to the thread information structure
9494 * preempt_count needs to be 1 initially, until the scheduler is functional.
9495 @@ -210,21 +198,6 @@ static inline struct thread_info *curren
9496 #ifndef __ASSEMBLY__
9497 DECLARE_PER_CPU(unsigned long, kernel_stack);
9499 -static inline struct thread_info *current_thread_info(void)
9501 - struct thread_info *ti;
9502 - ti = (void *)(percpu_read_stable(kernel_stack) +
9503 - KERNEL_STACK_OFFSET - THREAD_SIZE);
9507 -#else /* !__ASSEMBLY__ */
9509 -/* how to get the thread information struct from ASM */
9510 -#define GET_THREAD_INFO(reg) \
9511 - movq PER_CPU_VAR(kernel_stack),reg ; \
9512 - subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg
9516 #endif /* !X86_32 */
9517 @@ -260,5 +233,16 @@ extern void arch_task_cache_init(void);
9518 extern void free_thread_info(struct thread_info *ti);
9519 extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
9520 #define arch_task_cache_init arch_task_cache_init
9522 +#define __HAVE_THREAD_FUNCTIONS
9523 +#define task_thread_info(task) (&(task)->tinfo)
9524 +#define task_stack_page(task) ((task)->stack)
9525 +#define setup_thread_stack(p, org) do {} while (0)
9526 +#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
9528 +#define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR
9529 +extern struct task_struct *alloc_task_struct(void);
9530 +extern void free_task_struct(struct task_struct *);
9533 #endif /* _ASM_X86_THREAD_INFO_H */
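Review bot: `end_of_stack(p)` is defined as `((unsigned long *)task_stack_page(p) + 1)` with nothing explaining why the first word of the stack page is skipped; with `thread_info` now embedded in `task_struct` (`task_thread_info(task) (&(task)->tinfo)`) a reader cannot tell whether word 0 is reserved for something or the `+ 1` is a leftover from the generic "just past thread_info" definition. A comment such as `/* word 0 of the stack page is reserved for <what>; the end-of-stack marker lives in word 1 */`, with the reason filled in, is needed. Likewise `setup_thread_stack(p, org)` becoming a no-op means nothing here copies the parent's thread_info to the child, so that responsibility presumably sits in the `arch_dup_task_struct()` declared above — worth stating next to the define.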
9534 diff -urNp linux-2.6.38.4/arch/x86/include/asm/uaccess_32.h linux-2.6.38.4/arch/x86/include/asm/uaccess_32.h
9535 --- linux-2.6.38.4/arch/x86/include/asm/uaccess_32.h 2011-03-14 21:20:32.000000000 -0400
9536 +++ linux-2.6.38.4/arch/x86/include/asm/uaccess_32.h 2011-04-17 15:57:32.000000000 -0400
9537 @@ -44,6 +44,9 @@ unsigned long __must_check __copy_from_u
9538 static __always_inline unsigned long __must_check
9539 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
9544 if (__builtin_constant_p(n)) {
9547 @@ -62,6 +65,8 @@ __copy_to_user_inatomic(void __user *to,
9551 + if (!__builtin_constant_p(n))
9552 + check_object_size(from, n, true);
9553 return __copy_to_user_ll(to, from, n);
9556 @@ -89,6 +94,9 @@ __copy_to_user(void __user *to, const vo
9557 static __always_inline unsigned long
9558 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
9563 /* Avoid zeroing the tail if the copy fails..
9564 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
9565 * but as the zeroing behaviour is only significant when n is not
9566 @@ -138,6 +146,10 @@ static __always_inline unsigned long
9567 __copy_from_user(void *to, const void __user *from, unsigned long n)
9574 if (__builtin_constant_p(n)) {
9577 @@ -153,6 +165,8 @@ __copy_from_user(void *to, const void __
9581 + if (!__builtin_constant_p(n))
9582 + check_object_size(to, n, false);
9583 return __copy_from_user_ll(to, from, n);
9586 @@ -160,6 +174,10 @@ static __always_inline unsigned long __c
9587 const void __user *from, unsigned long n)
9594 if (__builtin_constant_p(n)) {
9597 @@ -182,15 +200,19 @@ static __always_inline unsigned long
9598 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
9601 - return __copy_from_user_ll_nocache_nozero(to, from, n);
9606 -unsigned long __must_check copy_to_user(void __user *to,
9607 - const void *from, unsigned long n);
9608 -unsigned long __must_check _copy_from_user(void *to,
9609 - const void __user *from,
9611 + return __copy_from_user_ll_nocache_nozero(to, from, n);
9614 +extern void copy_to_user_overflow(void)
9615 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9616 + __compiletime_error("copy_to_user() buffer size is not provably correct")
9618 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
9622 extern void copy_from_user_overflow(void)
9623 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9624 @@ -200,17 +222,61 @@ extern void copy_from_user_overflow(void
9628 -static inline unsigned long __must_check copy_from_user(void *to,
9629 - const void __user *from,
9632 + * copy_to_user: - Copy a block of data into user space.
9633 + * @to: Destination address, in user space.
9634 + * @from: Source address, in kernel space.
9635 + * @n: Number of bytes to copy.
9637 + * Context: User context only. This function may sleep.
9639 + * Copy data from kernel space to user space.
9641 + * Returns number of bytes that could not be copied.
9642 + * On success, this will be zero.
9644 +static inline unsigned long __must_check
9645 +copy_to_user(void __user *to, const void *from, unsigned long n)
9647 + int sz = __compiletime_object_size(from);
9649 + if (unlikely(sz != -1 && sz < n))
9650 + copy_to_user_overflow();
9651 + else if (access_ok(VERIFY_WRITE, to, n))
9652 + n = __copy_to_user(to, from, n);
9657 + * copy_from_user: - Copy a block of data from user space.
9658 + * @to: Destination address, in kernel space.
9659 + * @from: Source address, in user space.
9660 + * @n: Number of bytes to copy.
9662 + * Context: User context only. This function may sleep.
9664 + * Copy data from user space to kernel space.
9666 + * Returns number of bytes that could not be copied.
9667 + * On success, this will be zero.
9669 + * If some data could not be copied, this function will pad the copied
9670 + * data to the requested size using zero bytes.
9672 +static inline unsigned long __must_check
9673 +copy_from_user(void *to, const void __user *from, unsigned long n)
9675 int sz = __compiletime_object_size(to);
9677 - if (likely(sz == -1 || sz >= n))
9678 - n = _copy_from_user(to, from, n);
9680 + if (unlikely(sz != -1 && sz < n))
9681 copy_from_user_overflow();
9683 + else if (access_ok(VERIFY_READ, from, n))
9684 + n = __copy_from_user(to, from, n);
9685 + else if ((long)n > 0) {
9686 + if (!__builtin_constant_p(n))
9687 + check_object_size(to, n, false);
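Review bot: The new kernel-doc on `copy_from_user()` promises `If some data could not be copied, this function will pad the copied data to the requested size using zero bytes`, but the first branch does not: when `sz != -1 && sz < n` and `copy_from_user_overflow()` is only a `__compiletime_warning` (non-strict config), the function returns `n` with `to` untouched, and the `(long)n > 0` guard on the last branch likewise leaves `to` untouched for sizes with the top bit set. Both are deliberate rejections of a bogus call rather than copy failures, so the doc should say `Zero-padding is applied only when the user range fails access_ok(); a size that overflows the destination object is rejected without touching @to`. `sz < n` compares an `int` with an `unsigned long` and is safe only because `sz == -1` is excluded first, which a short comment on that line could record. The `__builtin_constant_p(n)` guard around `check_object_size()`, repeated in the two `_inatomic` hunks above, would also benefit from one note saying why constant sizes are exempt.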
9693 diff -urNp linux-2.6.38.4/arch/x86/include/asm/uaccess_64.h linux-2.6.38.4/arch/x86/include/asm/uaccess_64.h
9694 --- linux-2.6.38.4/arch/x86/include/asm/uaccess_64.h 2011-03-14 21:20:32.000000000 -0400
9695 +++ linux-2.6.38.4/arch/x86/include/asm/uaccess_64.h 2011-04-17 15:57:32.000000000 -0400
9697 #include <asm/alternative.h>
9698 #include <asm/cpufeature.h>
9699 #include <asm/page.h>
9700 +#include <asm/pgtable.h>
9702 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
9705 * Copy To/From Userspace
9706 @@ -37,26 +40,26 @@ copy_user_generic(void *to, const void *
9710 -__must_check unsigned long
9711 -_copy_to_user(void __user *to, const void *from, unsigned len);
9712 -__must_check unsigned long
9713 -_copy_from_user(void *to, const void __user *from, unsigned len);
9714 +static __always_inline __must_check unsigned long
9715 +__copy_to_user(void __user *to, const void *from, unsigned len);
9716 +static __always_inline __must_check unsigned long
9717 +__copy_from_user(void *to, const void __user *from, unsigned len);
9718 __must_check unsigned long
9719 copy_in_user(void __user *to, const void __user *from, unsigned len);
9721 static inline unsigned long __must_check copy_from_user(void *to,
9722 const void __user *from,
9726 - int sz = __compiletime_object_size(to);
9729 - if (likely(sz == -1 || sz >= n))
9730 - n = _copy_from_user(to, from, n);
9731 -#ifdef CONFIG_DEBUG_VM
9733 - WARN(1, "Buffer overflow detected!\n");
9736 + if (access_ok(VERIFY_READ, from, n))
9737 + n = __copy_from_user(to, from, n);
9738 + else if ((int)n > 0) {
9739 + if (!__builtin_constant_p(n))
9740 + check_object_size(to, n, false);
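Review bot: `else if ((int)n > 0)` truncates the `unsigned long n` to 32 bits before the sign test, while the equivalent branch in the uaccess_32.h hunk uses `(long)n > 0`; on x86-64 a size between 2^31 and 2^32 is treated as negative here and skips the fill branch, and a size above 2^32 with a small low half is treated as positive and enters it with the full 64-bit `n`. Use `(long)n > 0` for consistency and so the check sees the whole value. Note also that `n` is still narrowed to `unsigned` when handed to `__copy_from_user(to, from, n)` (its prototype above takes `unsigned len`), so an oversized `n` that passes `access_ok()` is silently truncated — that pre-dates this patch, but the new explicit sign checks make it more visible and worth a comment.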
9746 @@ -65,110 +68,174 @@ int copy_to_user(void __user *dst, const
9750 - return _copy_to_user(dst, src, size);
9751 + if (access_ok(VERIFY_WRITE, dst, size))
9752 + size = __copy_to_user(dst, src, size);
9756 static __always_inline __must_check
9757 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
9758 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
9761 + int sz = __compiletime_object_size(dst);
9765 - if (!__builtin_constant_p(size))
9766 - return copy_user_generic(dst, (__force void *)src, size);
9768 + if ((int)size < 0)
9771 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9772 + if (!__access_ok(VERIFY_READ, src, size))
9776 + if (unlikely(sz != -1 && sz < size)) {
9777 +#ifdef CONFIG_DEBUG_VM
9778 + WARN(1, "Buffer overflow detected!\n");
9783 + if (!__builtin_constant_p(size)) {
9784 + check_object_size(dst, size, false);
9785 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9786 + src += PAX_USER_SHADOW_BASE;
9787 + return copy_user_generic(dst, (__force const void *)src, size);
9790 - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
9791 + case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
9792 ret, "b", "b", "=q", 1);
9794 - case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
9795 + case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
9796 ret, "w", "w", "=r", 2);
9798 - case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
9799 + case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
9800 ret, "l", "k", "=r", 4);
9802 - case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
9803 + case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9804 ret, "q", "", "=r", 8);
9807 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
9808 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9809 ret, "q", "", "=r", 10);
9812 __get_user_asm(*(u16 *)(8 + (char *)dst),
9813 - (u16 __user *)(8 + (char __user *)src),
9814 + (const u16 __user *)(8 + (const char __user *)src),
9815 ret, "w", "w", "=r", 2);
9818 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
9819 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9820 ret, "q", "", "=r", 16);
9823 __get_user_asm(*(u64 *)(8 + (char *)dst),
9824 - (u64 __user *)(8 + (char __user *)src),
9825 + (const u64 __user *)(8 + (const char __user *)src),
9826 ret, "q", "", "=r", 8);
9829 - return copy_user_generic(dst, (__force void *)src, size);
9830 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9831 + src += PAX_USER_SHADOW_BASE;
9832 + return copy_user_generic(dst, (__force const void *)src, size);
9836 static __always_inline __must_check
9837 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
9838 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
9841 + int sz = __compiletime_object_size(src);
9845 - if (!__builtin_constant_p(size))
9847 + if ((int)size < 0)
9850 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9851 + if (!__access_ok(VERIFY_WRITE, dst, size))
9855 + if (unlikely(sz != -1 && sz < size)) {
9856 +#ifdef CONFIG_DEBUG_VM
9857 + WARN(1, "Buffer overflow detected!\n");
9862 + if (!__builtin_constant_p(size)) {
9863 + check_object_size(src, size, true);
9864 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9865 + dst += PAX_USER_SHADOW_BASE;
9866 return copy_user_generic((__force void *)dst, src, size);
9869 - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
9870 + case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
9871 ret, "b", "b", "iq", 1);
9873 - case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
9874 + case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
9875 ret, "w", "w", "ir", 2);
9877 - case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
9878 + case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
9879 ret, "l", "k", "ir", 4);
9881 - case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
9882 + case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9883 ret, "q", "", "er", 8);
9886 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
9887 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9888 ret, "q", "", "er", 10);
9892 - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
9893 + __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
9894 ret, "w", "w", "ir", 2);
9897 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
9898 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9899 ret, "q", "", "er", 16);
9903 - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
9904 + __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
9905 ret, "q", "", "er", 8);
9908 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9909 + dst += PAX_USER_SHADOW_BASE;
9910 return copy_user_generic((__force void *)dst, src, size);
9914 static __always_inline __must_check
9915 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9916 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9922 - if (!__builtin_constant_p(size))
9924 + if ((int)size < 0)
9927 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9928 + if (!__access_ok(VERIFY_READ, src, size))
9930 + if (!__access_ok(VERIFY_WRITE, dst, size))
9934 + if (!__builtin_constant_p(size)) {
9935 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9936 + src += PAX_USER_SHADOW_BASE;
9937 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9938 + dst += PAX_USER_SHADOW_BASE;
9939 return copy_user_generic((__force void *)dst,
9940 - (__force void *)src, size);
9941 + (__force const void *)src, size);
9946 - __get_user_asm(tmp, (u8 __user *)src,
9947 + __get_user_asm(tmp, (const u8 __user *)src,
9948 ret, "b", "b", "=q", 1);
9950 __put_user_asm(tmp, (u8 __user *)dst,
9951 @@ -177,7 +244,7 @@ int __copy_in_user(void __user *dst, con
9955 - __get_user_asm(tmp, (u16 __user *)src,
9956 + __get_user_asm(tmp, (const u16 __user *)src,
9957 ret, "w", "w", "=r", 2);
9959 __put_user_asm(tmp, (u16 __user *)dst,
9960 @@ -187,7 +254,7 @@ int __copy_in_user(void __user *dst, con
9964 - __get_user_asm(tmp, (u32 __user *)src,
9965 + __get_user_asm(tmp, (const u32 __user *)src,
9966 ret, "l", "k", "=r", 4);
9968 __put_user_asm(tmp, (u32 __user *)dst,
9969 @@ -196,7 +263,7 @@ int __copy_in_user(void __user *dst, con
9973 - __get_user_asm(tmp, (u64 __user *)src,
9974 + __get_user_asm(tmp, (const u64 __user *)src,
9975 ret, "q", "", "=r", 8);
9977 __put_user_asm(tmp, (u64 __user *)dst,
9978 @@ -204,8 +271,12 @@ int __copy_in_user(void __user *dst, con
9982 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9983 + src += PAX_USER_SHADOW_BASE;
9984 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9985 + dst += PAX_USER_SHADOW_BASE;
9986 return copy_user_generic((__force void *)dst,
9987 - (__force void *)src, size);
9988 + (__force const void *)src, size);
9992 @@ -222,33 +293,68 @@ __must_check unsigned long __clear_user(
9993 static __must_check __always_inline int
9994 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
9996 + if ((int)size < 0)
9999 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10000 + if (!__access_ok(VERIFY_READ, src, size))
10004 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10005 + src += PAX_USER_SHADOW_BASE;
10006 return copy_user_generic(dst, (__force const void *)src, size);
10009 -static __must_check __always_inline int
10010 +static __must_check __always_inline unsigned long
10011 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
10013 + if ((int)size < 0)
10016 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10017 + if (!__access_ok(VERIFY_WRITE, dst, size))
10021 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10022 + dst += PAX_USER_SHADOW_BASE;
10023 return copy_user_generic((__force void *)dst, src, size);
10026 -extern long __copy_user_nocache(void *dst, const void __user *src,
10027 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
10028 unsigned size, int zerorest);
10031 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
10032 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
10036 + if ((int)size < 0)
10039 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10040 + if (!__access_ok(VERIFY_READ, src, size))
10044 return __copy_user_nocache(dst, src, size, 1);
10048 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
10049 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
10052 + if ((int)size < 0)
10055 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10056 + if (!__access_ok(VERIFY_READ, src, size))
10060 return __copy_user_nocache(dst, src, size, 0);
10064 +extern unsigned long
10065 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
10067 #endif /* _ASM_X86_UACCESS_64_H */
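Review bot: `__copy_from_user_inatomic` keeps its `int` return at `static __must_check __always_inline int` while the same hunk moves `__copy_to_user_inatomic`, `__copy_user_nocache` and both `_nocache` wrappers to `unsigned long`; `copy_user_generic` presumably returns `unsigned long` too, so the remaining `int` truncates and leaves one odd member in an otherwise consistent family — `static __must_check __always_inline unsigned long` for it as well. The `if ((int)size < 0)` guard repeated in each function rejects any length with the top bit set rather than a genuinely negative value; if it is meant as an overflow sanity bound it reads more honestly as `if (size > INT_MAX)` with a one-line comment naming the kind of caller it defends against. The `_nocache` variants gain `__access_ok(VERIFY_READ, src, size)` but not the `PAX_USER_SHADOW_BASE` adjustment the `copy_user_generic` paths receive in this hunk; if `__copy_user_nocache` does that internally, a comment saying so would spare the next reader the search. The early-return and `#endif` lines of this hunk appear dropped from the listing, so the error paths are inferred.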
10068 diff -urNp linux-2.6.38.4/arch/x86/include/asm/uaccess.h linux-2.6.38.4/arch/x86/include/asm/uaccess.h
10069 --- linux-2.6.38.4/arch/x86/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
10070 +++ linux-2.6.38.4/arch/x86/include/asm/uaccess.h 2011-04-17 15:57:32.000000000 -0400
10072 #include <linux/thread_info.h>
10073 #include <linux/prefetch.h>
10074 #include <linux/string.h>
10075 +#include <linux/sched.h>
10076 #include <asm/asm.h>
10077 #include <asm/page.h>
10079 #define VERIFY_READ 0
10080 #define VERIFY_WRITE 1
10082 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
10085 * The fs value determines whether argument validity checking should be
10086 * performed or not. If get_fs() == USER_DS, checking is performed, with
10089 #define get_ds() (KERNEL_DS)
10090 #define get_fs() (current_thread_info()->addr_limit)
10091 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
10092 +void __set_fs(mm_segment_t x);
10093 +void set_fs(mm_segment_t x);
10095 #define set_fs(x) (current_thread_info()->addr_limit = (x))
10098 #define segment_eq(a, b) ((a).seg == (b).seg)
10101 * checks that the pointer is in the user space range - after calling
10102 * this function, memory access functions may still return -EFAULT.
10104 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
10105 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
10106 +#define access_ok(type, addr, size) \
10108 + long __size = size; \
10109 + unsigned long __addr = (unsigned long)addr; \
10110 + unsigned long __addr_ao = __addr & PAGE_MASK; \
10111 + unsigned long __end_ao = __addr + __size - 1; \
10112 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
10113 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
10114 + while(__addr_ao <= __end_ao) { \
10116 + __addr_ao += PAGE_SIZE; \
10117 + if (__size > PAGE_SIZE) \
10118 + cond_resched(); \
10119 + if (__get_user(__c_ao, (char __user *)__addr)) \
10121 + if (type != VERIFY_WRITE) { \
10122 + __addr = __addr_ao; \
10125 + if (__put_user(__c_ao, (char __user *)__addr)) \
10127 + __addr = __addr_ao; \
10134 * The exception table consists of pairs of addresses: the first is the
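Review bot: The rewritten `access_ok` changes the macro's contract: via `__get_user(__c_ao, (char __user *)__addr)` and `cond_resched()` it now faults in every page of the range and may sleep, whereas `__range_not_ok` alone never touched memory, so callers that check in atomic context are affected; at minimum a leading comment such as `/* may fault and sleep: walks and prefaults every page of [addr, addr+size) */` and a `might_sleep()` on the page-crossing path would make that visible. The write probe `__put_user(__c_ao, (char __user *)__addr)` stores back a byte read moments earlier, so a concurrent store to that byte from another thread of the same process can be lost; that window deserves either a comment acknowledging it or a probe that does not rewrite the byte. With `__size == 0`, `__end_ao = __addr + __size - 1` wraps, and for `__addr == 0` the walk would continue until the first fault; adding `__size > 0` to the `if (__ret_ao && unlikely(...))` condition keeps zero-length checks on the old fast path. The `@@` header for this region and the lines that leave the loop after a failed probe are not visible in the listing, so what happens after a fault is inferred.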
10135 @@ -183,12 +217,20 @@ extern int __get_user_bad(void);
10136 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
10137 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
10140 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
10141 +#define __copyuser_seg "gs;"
10142 +#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
10143 +#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
10145 +#define __copyuser_seg
10146 +#define __COPYUSER_SET_ES
10147 +#define __COPYUSER_RESTORE_ES
10150 #ifdef CONFIG_X86_32
10151 #define __put_user_asm_u64(x, addr, err, errret) \
10152 - asm volatile("1: movl %%eax,0(%2)\n" \
10153 - "2: movl %%edx,4(%2)\n" \
10154 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%2)\n" \
10155 + "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
10157 ".section .fixup,\"ax\"\n" \
10158 "4: movl %3,%0\n" \
10159 @@ -200,8 +242,8 @@ extern int __get_user_bad(void);
10160 : "A" (x), "r" (addr), "i" (errret), "0" (err))
10162 #define __put_user_asm_ex_u64(x, addr) \
10163 - asm volatile("1: movl %%eax,0(%1)\n" \
10164 - "2: movl %%edx,4(%1)\n" \
10165 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%1)\n" \
10166 + "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
10168 _ASM_EXTABLE(1b, 2b - 1b) \
10169 _ASM_EXTABLE(2b, 3b - 2b) \
10170 @@ -374,7 +416,7 @@ do { \
10173 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
10174 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
10175 + asm volatile("1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
10177 ".section .fixup,\"ax\"\n" \
10179 @@ -382,7 +424,7 @@ do { \
10182 _ASM_EXTABLE(1b, 3b) \
10183 - : "=r" (err), ltype(x) \
10184 + : "=r" (err), ltype (x) \
10185 : "m" (__m(addr)), "i" (errret), "0" (err))
10187 #define __get_user_size_ex(x, ptr, size) \
10188 @@ -407,7 +449,7 @@ do { \
10191 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
10192 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
10193 + asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
10195 _ASM_EXTABLE(1b, 2b - 1b) \
10196 : ltype(x) : "m" (__m(addr)))
10197 @@ -424,13 +466,24 @@ do { \
10199 unsigned long __gu_val; \
10200 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
10201 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
10202 + (x) = (__typeof__(*(ptr)))__gu_val; \
10206 /* FIXME: this hack is definitely wrong -AK */
10207 struct __large_struct { unsigned long buf[100]; };
10208 -#define __m(x) (*(struct __large_struct __user *)(x))
10209 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10210 +#define ____m(x) \
10212 + unsigned long ____x = (unsigned long)(x); \
10213 + if (____x < PAX_USER_SHADOW_BASE) \
10214 + ____x += PAX_USER_SHADOW_BASE; \
10215 + (void __user *)____x; \
10218 +#define ____m(x) (x)
10220 +#define __m(x) (*(struct __large_struct __user *)____m(x))
10223 * Tell gcc we read from memory instead of writing: this is because
10224 @@ -438,7 +491,7 @@ struct __large_struct { unsigned long bu
10227 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
10228 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
10229 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
10231 ".section .fixup,\"ax\"\n" \
10233 @@ -446,10 +499,10 @@ struct __large_struct { unsigned long bu
10235 _ASM_EXTABLE(1b, 3b) \
10237 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
10238 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
10240 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
10241 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
10242 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
10244 _ASM_EXTABLE(1b, 2b - 1b) \
10245 : : ltype(x), "m" (__m(addr)))
10246 @@ -488,8 +541,12 @@ struct __large_struct { unsigned long bu
10247 * On error, the variable @x is set to zero.
10250 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10251 +#define __get_user(x, ptr) get_user((x), (ptr))
10253 #define __get_user(x, ptr) \
10254 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
10258 * __put_user: - Write a simple value into user space, with less checking.
10259 @@ -511,8 +568,12 @@ struct __large_struct { unsigned long bu
10260 * Returns zero on success, or -EFAULT on error.
10263 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10264 +#define __put_user(x, ptr) put_user((x), (ptr))
10266 #define __put_user(x, ptr) \
10267 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
10270 #define __get_user_unaligned __get_user
10271 #define __put_user_unaligned __put_user
10272 @@ -530,7 +591,7 @@ struct __large_struct { unsigned long bu
10273 #define get_user_ex(x, ptr) do { \
10274 unsigned long __gue_val; \
10275 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
10276 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
10277 + (x) = (__typeof__(*(ptr)))__gue_val; \
10280 #ifdef CONFIG_X86_WP_WORKS_OK
10281 @@ -567,6 +628,7 @@ extern struct movsl_mask {
10283 #define ARCH_HAS_NOCACHE_UACCESS 1
10285 +#define ARCH_HAS_SORT_EXTABLE
10286 #ifdef CONFIG_X86_32
10287 # include "uaccess_32.h"
10289 diff -urNp linux-2.6.38.4/arch/x86/include/asm/vgtod.h linux-2.6.38.4/arch/x86/include/asm/vgtod.h
10290 --- linux-2.6.38.4/arch/x86/include/asm/vgtod.h 2011-03-14 21:20:32.000000000 -0400
10291 +++ linux-2.6.38.4/arch/x86/include/asm/vgtod.h 2011-04-17 15:57:32.000000000 -0400
10292 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
10293 int sysctl_enabled;
10294 struct timezone sys_tz;
10295 struct { /* extract of a clocksource struct */
10297 cycle_t (*vread)(void);
10298 cycle_t cycle_last;
10300 diff -urNp linux-2.6.38.4/arch/x86/include/asm/vsyscall.h linux-2.6.38.4/arch/x86/include/asm/vsyscall.h
10301 --- linux-2.6.38.4/arch/x86/include/asm/vsyscall.h 2011-03-14 21:20:32.000000000 -0400
10302 +++ linux-2.6.38.4/arch/x86/include/asm/vsyscall.h 2011-04-17 15:57:32.000000000 -0400
10303 @@ -15,9 +15,10 @@ enum vsyscall_num {
10306 #include <linux/seqlock.h>
10307 +#include <linux/getcpu.h>
10308 +#include <linux/time.h>
10310 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
10311 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
10313 /* Definitions for CONFIG_GENERIC_TIME definitions */
10314 #define __section_vsyscall_gtod_data __attribute__ \
10315 @@ -31,7 +32,6 @@ enum vsyscall_num {
10316 #define VGETCPU_LSL 2
10318 extern int __vgetcpu_mode;
10319 -extern volatile unsigned long __jiffies;
10321 /* kernel space (writeable) */
10322 extern int vgetcpu_mode;
10323 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
10325 extern void map_vsyscall(void);
10327 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
10328 +extern time_t vtime(time_t *t);
10329 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
10330 #endif /* __KERNEL__ */
10332 #endif /* _ASM_X86_VSYSCALL_H */
10333 diff -urNp linux-2.6.38.4/arch/x86/include/asm/xsave.h linux-2.6.38.4/arch/x86/include/asm/xsave.h
10334 --- linux-2.6.38.4/arch/x86/include/asm/xsave.h 2011-03-14 21:20:32.000000000 -0400
10335 +++ linux-2.6.38.4/arch/x86/include/asm/xsave.h 2011-04-17 15:57:32.000000000 -0400
10336 @@ -65,6 +65,11 @@ static inline int xsave_user(struct xsav
10340 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10341 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
10342 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
10346 * Clear the xsave header first, so that reserved fields are
10347 * initialized to zero.
10348 @@ -100,6 +105,11 @@ static inline int xrestore_user(struct x
10350 u32 hmask = mask >> 32;
10352 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10353 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
10354 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
10357 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
10359 ".section .fixup,\"ax\"\n"
10360 diff -urNp linux-2.6.38.4/arch/x86/Kconfig linux-2.6.38.4/arch/x86/Kconfig
10361 --- linux-2.6.38.4/arch/x86/Kconfig 2011-03-14 21:20:32.000000000 -0400
10362 +++ linux-2.6.38.4/arch/x86/Kconfig 2011-04-17 15:57:32.000000000 -0400
10363 @@ -223,7 +223,7 @@ config X86_TRAMPOLINE
10365 config X86_32_LAZY_GS
10367 - depends on X86_32 && !CC_STACKPROTECTOR
10368 + depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
10370 config ARCH_HWEIGHT_CFLAGS
10372 @@ -1019,7 +1019,7 @@ choice
10376 - depends on !X86_NUMAQ
10377 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10379 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
10380 However, the address space of 32-bit x86 processors is only 4
10381 @@ -1056,7 +1056,7 @@ config NOHIGHMEM
10385 - depends on !X86_NUMAQ
10386 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10388 Select this if you have a 32-bit processor and between 1 and 4
10389 gigabytes of physical RAM.
10390 @@ -1110,7 +1110,7 @@ config PAGE_OFFSET
10392 default 0xB0000000 if VMSPLIT_3G_OPT
10393 default 0x80000000 if VMSPLIT_2G
10394 - default 0x78000000 if VMSPLIT_2G_OPT
10395 + default 0x70000000 if VMSPLIT_2G_OPT
10396 default 0x40000000 if VMSPLIT_1G
10399 @@ -1454,7 +1454,7 @@ config ARCH_USES_PG_UNCACHED
10402 bool "EFI runtime service support"
10404 + depends on ACPI && !PAX_KERNEXEC
10406 This enables the kernel to use EFI runtime services that are
10407 available (such as the EFI variable services).
10408 @@ -1484,6 +1484,7 @@ config SECCOMP
10410 config CC_STACKPROTECTOR
10411 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
10412 + depends on X86_64 || !PAX_MEMORY_UDEREF
10414 This option turns on the -fstack-protector GCC feature. This
10415 feature puts, at the beginning of functions, a canary value on
10416 @@ -1541,6 +1542,7 @@ config KEXEC_JUMP
10417 config PHYSICAL_START
10418 hex "Physical address where the kernel is loaded" if (EXPERT || CRASH_DUMP)
10419 default "0x1000000"
10420 + range 0x400000 0x40000000
10422 This gives the physical address where the kernel is loaded.
10424 @@ -1604,6 +1606,7 @@ config X86_NEED_RELOCS
10425 config PHYSICAL_ALIGN
10426 hex "Alignment value to which kernel should be aligned" if X86_32
10427 default "0x1000000"
10428 + range 0x400000 0x1000000 if PAX_KERNEXEC
10429 range 0x2000 0x1000000
10431 This value puts the alignment restrictions on physical address
10432 @@ -1635,9 +1638,10 @@ config HOTPLUG_CPU
10433 Say N if you want to disable CPU hotplug.
10438 prompt "Compat VDSO support"
10439 depends on X86_32 || IA32_EMULATION
10440 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
10442 Map the 32-bit VDSO to the predictable old-style address too.
10444 diff -urNp linux-2.6.38.4/arch/x86/Kconfig.cpu linux-2.6.38.4/arch/x86/Kconfig.cpu
10445 --- linux-2.6.38.4/arch/x86/Kconfig.cpu 2011-03-14 21:20:32.000000000 -0400
10446 +++ linux-2.6.38.4/arch/x86/Kconfig.cpu 2011-04-17 15:57:32.000000000 -0400
10447 @@ -339,7 +339,7 @@ config X86_PPRO_FENCE
10449 config X86_F00F_BUG
10451 - depends on M586MMX || M586TSC || M586 || M486 || M386
10452 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
10454 config X86_INVD_BUG
10456 @@ -363,7 +363,7 @@ config X86_POPAD_OK
10458 config X86_ALIGNMENT_16
10460 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10461 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10463 config X86_INTEL_USERCOPY
10465 @@ -409,7 +409,7 @@ config X86_CMPXCHG64
10469 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10470 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10472 config X86_MINIMUM_CPU_FAMILY
10474 diff -urNp linux-2.6.38.4/arch/x86/Kconfig.debug linux-2.6.38.4/arch/x86/Kconfig.debug
10475 --- linux-2.6.38.4/arch/x86/Kconfig.debug 2011-03-14 21:20:32.000000000 -0400
10476 +++ linux-2.6.38.4/arch/x86/Kconfig.debug 2011-04-17 15:57:32.000000000 -0400
10477 @@ -101,7 +101,7 @@ config X86_PTDUMP
10478 config DEBUG_RODATA
10479 bool "Write protect kernel read-only data structures"
10481 - depends on DEBUG_KERNEL
10482 + depends on DEBUG_KERNEL && BROKEN
10484 Mark the kernel read-only data as write-protected in the pagetables,
10485 in order to catch accidental (and incorrect) writes to such const
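Review bot: `depends on DEBUG_KERNEL && BROKEN` makes DEBUG_RODATA unselectable without any comment saying why, and the next hunk does the same to DEBUG_SET_MODULE_RONX with `depends on MODULES && BROKEN`. Both are hardening options that distribution configs may already enable, so they silently disappear from menuconfig on this patch. A Kconfig comment above each `depends on` naming the reason — presumably an overlap with the PAX_KERNEXEC write-protection this patch adds elsewhere, which the author should confirm — would tell users what replaces them.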
10486 @@ -119,7 +119,7 @@ config DEBUG_RODATA_TEST
10488 config DEBUG_SET_MODULE_RONX
10489 bool "Set loadable kernel module data as NX and text as RO"
10490 - depends on MODULES
10491 + depends on MODULES && BROKEN
10493 This option helps catch unintended modifications to loadable
10494 kernel module's text and read-only data. It also prevents execution
10495 diff -urNp linux-2.6.38.4/arch/x86/kernel/acpi/boot.c linux-2.6.38.4/arch/x86/kernel/acpi/boot.c
10496 --- linux-2.6.38.4/arch/x86/kernel/acpi/boot.c 2011-03-14 21:20:32.000000000 -0400
10497 +++ linux-2.6.38.4/arch/x86/kernel/acpi/boot.c 2011-04-17 15:57:32.000000000 -0400
10498 @@ -1472,7 +1472,7 @@ static struct dmi_system_id __initdata a
10499 DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq 6715b"),
10503 + { NULL, NULL, {{0, {0}}}, NULL}
10507 diff -urNp linux-2.6.38.4/arch/x86/kernel/acpi/sleep.c linux-2.6.38.4/arch/x86/kernel/acpi/sleep.c
10508 --- linux-2.6.38.4/arch/x86/kernel/acpi/sleep.c 2011-03-14 21:20:32.000000000 -0400
10509 +++ linux-2.6.38.4/arch/x86/kernel/acpi/sleep.c 2011-04-17 15:57:32.000000000 -0400
10511 #include "realmode/wakeup.h"
10514 -unsigned long acpi_wakeup_address;
10515 +unsigned long acpi_wakeup_address = 0x2000;
10516 unsigned long acpi_realmode_flags;
10518 /* address in low memory of the wakeup routine. */
10519 @@ -99,8 +99,12 @@ int acpi_save_state_mem(void)
10520 header->trampoline_segment = setup_trampoline() >> 4;
10522 stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
10524 + pax_open_kernel();
10525 early_gdt_descr.address =
10526 (unsigned long)get_cpu_gdt_table(smp_processor_id());
10527 + pax_close_kernel();
10529 initial_gs = per_cpu_offset(smp_processor_id());
10531 initial_code = (unsigned long)wakeup_long64;
10532 diff -urNp linux-2.6.38.4/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.38.4/arch/x86/kernel/acpi/wakeup_32.S
10533 --- linux-2.6.38.4/arch/x86/kernel/acpi/wakeup_32.S 2011-03-14 21:20:32.000000000 -0400
10534 +++ linux-2.6.38.4/arch/x86/kernel/acpi/wakeup_32.S 2011-04-17 15:57:32.000000000 -0400
10535 @@ -30,13 +30,11 @@ wakeup_pmode_return:
10536 # and restore the stack ... but you need gdt for this to work
10537 movl saved_context_esp, %esp
10539 - movl %cs:saved_magic, %eax
10540 - cmpl $0x12345678, %eax
10541 + cmpl $0x12345678, saved_magic
10544 # jump to place where we left off
10545 - movl saved_eip, %eax
10551 diff -urNp linux-2.6.38.4/arch/x86/kernel/alternative.c linux-2.6.38.4/arch/x86/kernel/alternative.c
10552 --- linux-2.6.38.4/arch/x86/kernel/alternative.c 2011-04-18 17:27:13.000000000 -0400
10553 +++ linux-2.6.38.4/arch/x86/kernel/alternative.c 2011-04-17 15:57:32.000000000 -0400
10554 @@ -248,7 +248,7 @@ static void alternatives_smp_lock(const
10555 if (!*poff || ptr < text || ptr >= text_end)
10557 /* turn DS segment override prefix into lock prefix */
10558 - if (*ptr == 0x3e)
10559 + if (*ktla_ktva(ptr) == 0x3e)
10560 text_poke(ptr, ((unsigned char []){0xf0}), 1);
10562 mutex_unlock(&text_mutex);
10563 @@ -269,7 +269,7 @@ static void alternatives_smp_unlock(cons
10564 if (!*poff || ptr < text || ptr >= text_end)
10566 /* turn lock prefix into DS segment override prefix */
10567 - if (*ptr == 0xf0)
10568 + if (*ktla_ktva(ptr) == 0xf0)
10569 text_poke(ptr, ((unsigned char []){0x3E}), 1);
10571 mutex_unlock(&text_mutex);
10572 @@ -438,7 +438,7 @@ void __init_or_module apply_paravirt(str
10574 BUG_ON(p->len > MAX_PATCH_LEN);
10575 /* prep the buffer with the original instructions */
10576 - memcpy(insnbuf, p->instr, p->len);
10577 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
10578 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
10579 (unsigned long)p->instr, p->len);
10581 @@ -506,7 +506,7 @@ void __init alternative_instructions(voi
10583 free_init_pages("SMP alternatives",
10584 (unsigned long)__smp_locks,
10585 - (unsigned long)__smp_locks_end);
10586 + PAGE_ALIGN((unsigned long)__smp_locks_end));
10590 @@ -523,13 +523,17 @@ void __init alternative_instructions(voi
10591 * instructions. And on the local CPU you need to be protected again NMI or MCE
10592 * handlers seeing an inconsistent instruction while you patch.
10594 -void *__init_or_module text_poke_early(void *addr, const void *opcode,
10595 +void *__kprobes text_poke_early(void *addr, const void *opcode,
10598 unsigned long flags;
10599 local_irq_save(flags);
10600 - memcpy(addr, opcode, len);
10602 + pax_open_kernel();
10603 + memcpy(ktla_ktva(addr), opcode, len);
10605 + pax_close_kernel();
10607 local_irq_restore(flags);
10608 /* Could also do a CLFLUSH here to speed up CPU recovery; but
10609 that causes hangs on some VIA CPUs. */
10610 @@ -551,36 +555,22 @@ void *__init_or_module text_poke_early(v
10612 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
10614 - unsigned long flags;
10616 + unsigned char *vaddr = ktla_ktva(addr);
10617 struct page *pages[2];
10621 if (!core_kernel_text((unsigned long)addr)) {
10622 - pages[0] = vmalloc_to_page(addr);
10623 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
10624 + pages[0] = vmalloc_to_page(vaddr);
10625 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
10627 - pages[0] = virt_to_page(addr);
10628 + pages[0] = virt_to_page(vaddr);
10629 WARN_ON(!PageReserved(pages[0]));
10630 - pages[1] = virt_to_page(addr + PAGE_SIZE);
10631 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
10634 - local_irq_save(flags);
10635 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
10637 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
10638 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
10639 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
10640 - clear_fixmap(FIX_TEXT_POKE0);
10642 - clear_fixmap(FIX_TEXT_POKE1);
10643 - local_flush_tlb();
10645 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
10646 - that causes hangs on some VIA CPUs. */
10647 + text_poke_early(addr, opcode, len);
10648 for (i = 0; i < len; i++)
10649 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
10650 - local_irq_restore(flags);
10651 + BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
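Review bot: After the rewrite `pages[1]` is still computed on both branches (`vmalloc_to_page(vaddr + PAGE_SIZE)` and `virt_to_page(vaddr + PAGE_SIZE)`) but never read now that the fixmap mapping is gone, and `pages[0]` only feeds the `WARN_ON(!PageReserved(pages[0]))`; either drop the second-page lookup and shrink the array, or add a comment saying the lookups are kept as a sanity check, so the next reader does not hunt for a missing use. The poke itself is now delegated to `text_poke_early`, which this patch also takes out of `__init_or_module` (the earlier hunk at `void *__kprobes text_poke_early`); a one-line comment above `text_poke_early(addr, opcode, len);` stating that this path writes through `pax_open_kernel()` on the `ktla_ktva` alias instead of the old fixmap alias would document the new mechanism. The function's return statement lies outside the hunk.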
10655 @@ -682,9 +672,9 @@ void __kprobes text_poke_smp_batch(struc
10656 #if defined(CONFIG_DYNAMIC_FTRACE) || defined(HAVE_JUMP_LABEL)
10658 #ifdef CONFIG_X86_64
10659 -unsigned char ideal_nop5[5] = { 0x66, 0x66, 0x66, 0x66, 0x90 };
10660 +unsigned char ideal_nop5[5] __read_only = { 0x66, 0x66, 0x66, 0x66, 0x90 };
10662 -unsigned char ideal_nop5[5] = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
10663 +unsigned char ideal_nop5[5] __read_only = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
10666 void __init arch_init_ideal_nop5(void)
10667 diff -urNp linux-2.6.38.4/arch/x86/kernel/amd_iommu.c linux-2.6.38.4/arch/x86/kernel/amd_iommu.c
10668 --- linux-2.6.38.4/arch/x86/kernel/amd_iommu.c 2011-03-14 21:20:32.000000000 -0400
10669 +++ linux-2.6.38.4/arch/x86/kernel/amd_iommu.c 2011-04-17 15:57:32.000000000 -0400
10670 @@ -2286,7 +2286,7 @@ static void prealloc_protection_domains(
10674 -static struct dma_map_ops amd_iommu_dma_ops = {
10675 +static const struct dma_map_ops amd_iommu_dma_ops = {
10676 .alloc_coherent = alloc_coherent,
10677 .free_coherent = free_coherent,
10678 .map_page = map_page,
10679 diff -urNp linux-2.6.38.4/arch/x86/kernel/apic/io_apic.c linux-2.6.38.4/arch/x86/kernel/apic/io_apic.c
10680 --- linux-2.6.38.4/arch/x86/kernel/apic/io_apic.c 2011-03-14 21:20:32.000000000 -0400
10681 +++ linux-2.6.38.4/arch/x86/kernel/apic/io_apic.c 2011-04-17 15:57:32.000000000 -0400
10682 @@ -617,7 +617,7 @@ struct IO_APIC_route_entry **alloc_ioapi
10683 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
10685 if (!ioapic_entries)
10689 for (apic = 0; apic < nr_ioapics; apic++) {
10690 ioapic_entries[apic] =
10691 @@ -634,7 +634,7 @@ nomem:
10692 kfree(ioapic_entries[apic]);
10693 kfree(ioapic_entries);
10700 @@ -1044,7 +1044,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
10702 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
10704 -void lock_vector_lock(void)
10705 +void lock_vector_lock(void) __acquires(vector_lock)
10707 /* Used to the online set of cpus does not change
10708 * during assign_irq_vector.
10709 @@ -1052,7 +1052,7 @@ void lock_vector_lock(void)
10710 raw_spin_lock(&vector_lock);
10713 -void unlock_vector_lock(void)
10714 +void unlock_vector_lock(void) __releases(vector_lock)
10716 raw_spin_unlock(&vector_lock);
10718 diff -urNp linux-2.6.38.4/arch/x86/kernel/apm_32.c linux-2.6.38.4/arch/x86/kernel/apm_32.c
10719 --- linux-2.6.38.4/arch/x86/kernel/apm_32.c 2011-03-14 21:20:32.000000000 -0400
10720 +++ linux-2.6.38.4/arch/x86/kernel/apm_32.c 2011-04-17 15:57:32.000000000 -0400
10721 @@ -410,7 +410,7 @@ static DEFINE_MUTEX(apm_mutex);
10722 * This is for buggy BIOS's that refer to (real mode) segment 0x40
10723 * even though they are called in protected mode.
10725 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
10726 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
10727 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
10729 static const char driver_version[] = "1.16ac"; /* no spaces */
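Review bot: The change from `GDT_ENTRY_INIT(0x4092,` to `GDT_ENTRY_INIT(0x4093,` flips the descriptor's accessed bit in the same line that makes `bad_bios_desc` `const`, and nothing in the hunk explains the pairing. As I read it the bit is preset so the CPU never needs to write an accessed bit into a descriptor that now lives in read-only memory, but that should be stated rather than reverse-engineered, e.g. `/* accessed bit preset: the descriptor is const and the CPU must not write it on load */` above the definition, corrected if my reading is wrong. The later hunks that copy it into the GDT under `pax_open_kernel()`/`pax_close_kernel()` would likewise benefit from a one-line comment that the GDT itself is write-protected.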
10730 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
10732 gdt = get_cpu_gdt_table(cpu);
10733 save_desc_40 = gdt[0x40 / 8];
10735 + pax_open_kernel();
10736 gdt[0x40 / 8] = bad_bios_desc;
10737 + pax_close_kernel();
10739 apm_irq_save(flags);
10741 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
10743 APM_DO_RESTORE_SEGS;
10744 apm_irq_restore(flags);
10746 + pax_open_kernel();
10747 gdt[0x40 / 8] = save_desc_40;
10748 + pax_close_kernel();
10752 return call->eax & 0xff;
10753 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
10755 gdt = get_cpu_gdt_table(cpu);
10756 save_desc_40 = gdt[0x40 / 8];
10758 + pax_open_kernel();
10759 gdt[0x40 / 8] = bad_bios_desc;
10760 + pax_close_kernel();
10762 apm_irq_save(flags);
10764 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
10766 APM_DO_RESTORE_SEGS;
10767 apm_irq_restore(flags);
10769 + pax_open_kernel();
10770 gdt[0x40 / 8] = save_desc_40;
10771 + pax_close_kernel();
10776 @@ -975,7 +989,7 @@ recalc:
10778 static void apm_power_off(void)
10780 - unsigned char po_bios_call[] = {
10781 + const unsigned char po_bios_call[] = {
10782 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
10783 0x8e, 0xd0, /* movw ax,ss */
10784 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
10785 @@ -1932,7 +1946,10 @@ static const struct file_operations apm_
10786 static struct miscdevice apm_device = {
10797 @@ -2253,7 +2270,7 @@ static struct dmi_system_id __initdata a
10798 { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
10802 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
10806 @@ -2356,12 +2373,15 @@ static int __init apm_init(void)
10807 * code to that CPU.
10809 gdt = get_cpu_gdt_table(0);
10811 + pax_open_kernel();
10812 set_desc_base(&gdt[APM_CS >> 3],
10813 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
10814 set_desc_base(&gdt[APM_CS_16 >> 3],
10815 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
10816 set_desc_base(&gdt[APM_DS >> 3],
10817 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
10818 + pax_close_kernel();
10820 proc_create("apm", 0, NULL, &apm_file_ops);
10822 diff -urNp linux-2.6.38.4/arch/x86/kernel/asm-offsets_32.c linux-2.6.38.4/arch/x86/kernel/asm-offsets_32.c
10823 --- linux-2.6.38.4/arch/x86/kernel/asm-offsets_32.c 2011-03-14 21:20:32.000000000 -0400
10824 +++ linux-2.6.38.4/arch/x86/kernel/asm-offsets_32.c 2011-04-17 15:57:32.000000000 -0400
10825 @@ -51,7 +51,6 @@ void foo(void)
10826 OFFSET(CPUINFO_x86_vendor_id, cpuinfo_x86, x86_vendor_id);
10829 - OFFSET(TI_task, thread_info, task);
10830 OFFSET(TI_exec_domain, thread_info, exec_domain);
10831 OFFSET(TI_flags, thread_info, flags);
10832 OFFSET(TI_status, thread_info, status);
10833 @@ -113,6 +112,11 @@ void foo(void)
10834 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
10835 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10836 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10838 +#ifdef CONFIG_PAX_KERNEXEC
10839 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10845 diff -urNp linux-2.6.38.4/arch/x86/kernel/asm-offsets_64.c linux-2.6.38.4/arch/x86/kernel/asm-offsets_64.c
10846 --- linux-2.6.38.4/arch/x86/kernel/asm-offsets_64.c 2011-03-14 21:20:32.000000000 -0400
10847 +++ linux-2.6.38.4/arch/x86/kernel/asm-offsets_64.c 2011-04-17 15:57:32.000000000 -0400
10848 @@ -63,6 +63,18 @@ int main(void)
10849 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10850 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
10851 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
10853 +#ifdef CONFIG_PAX_KERNEXEC
10854 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10855 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10858 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10859 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
10860 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
10861 + OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
10867 @@ -115,6 +127,7 @@ int main(void)
10871 + DEFINE(TSS_size, sizeof(struct tss_struct));
10872 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
10874 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
10875 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/amd.c linux-2.6.38.4/arch/x86/kernel/cpu/amd.c
10876 --- linux-2.6.38.4/arch/x86/kernel/cpu/amd.c 2011-04-22 19:20:59.000000000 -0400
10877 +++ linux-2.6.38.4/arch/x86/kernel/cpu/amd.c 2011-04-22 19:21:10.000000000 -0400
10878 @@ -624,7 +624,7 @@ static unsigned int __cpuinit amd_size_c
10881 /* AMD errata T13 (order #21922) */
10882 - if ((c->x86 == 6)) {
10883 + if (c->x86 == 6) {
10885 if (c->x86_model == 3 && c->x86_mask == 0)
10887 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/common.c linux-2.6.38.4/arch/x86/kernel/cpu/common.c
10888 --- linux-2.6.38.4/arch/x86/kernel/cpu/common.c 2011-03-14 21:20:32.000000000 -0400
10889 +++ linux-2.6.38.4/arch/x86/kernel/cpu/common.c 2011-04-17 15:57:32.000000000 -0400
10890 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
10892 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
10894 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
10895 -#ifdef CONFIG_X86_64
10897 - * We need valid kernel segments for data and code in long mode too
10898 - * IRET will check the segment types kkeil 2000/10/28
10899 - * Also sysret mandates a special GDT layout
10901 - * TLS descriptors are currently at a different place compared to i386.
10902 - * Hopefully nobody expects them at a fixed place (Wine?)
10904 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
10905 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
10906 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
10907 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
10908 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
10909 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
10911 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
10912 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10913 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
10914 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
10916 - * Segments used for calling PnP BIOS have byte granularity.
10917 - * They code segments and data segments have fixed 64k limits,
10918 - * the transfer segment sizes are set at run time.
10920 - /* 32-bit code */
10921 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10922 - /* 16-bit code */
10923 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10924 - /* 16-bit data */
10925 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
10926 - /* 16-bit data */
10927 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
10928 - /* 16-bit data */
10929 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
10931 - * The APM segments have byte granularity and their bases
10932 - * are set at run time. All have 64k limits.
10934 - /* 32-bit code */
10935 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10936 - /* 16-bit code */
10937 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10939 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
10941 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10942 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10943 - GDT_STACK_CANARY_INIT
10946 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
10948 static int __init x86_xsave_setup(char *s)
10950 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
10951 @@ -352,7 +298,7 @@ void switch_to_new_gdt(int cpu)
10953 struct desc_ptr gdt_descr;
10955 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
10956 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
10957 gdt_descr.size = GDT_SIZE - 1;
10958 load_gdt(&gdt_descr);
10959 /* Reload the per-cpu base */
10960 @@ -825,6 +771,10 @@ static void __cpuinit identify_cpu(struc
10961 /* Filter out anything that depends on CPUID levels we don't have */
10962 filter_cpuid_features(c, true);
10964 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
10965 + setup_clear_cpu_cap(X86_FEATURE_SEP);
10968 /* If the model name is still unset, do table lookup. */
10969 if (!c->x86_model_id[0]) {
10971 @@ -1004,6 +954,9 @@ static __init int setup_disablecpuid(cha
10973 __setup("clearcpuid=", setup_disablecpuid);
10975 +DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
10976 +EXPORT_PER_CPU_SYMBOL(current_tinfo);
10978 #ifdef CONFIG_X86_64
10979 struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
10981 @@ -1019,7 +972,7 @@ DEFINE_PER_CPU(struct task_struct *, cur
10982 EXPORT_PER_CPU_SYMBOL(current_task);
10984 DEFINE_PER_CPU(unsigned long, kernel_stack) =
10985 - (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
10986 + (unsigned long)&init_thread_union - 8 + THREAD_SIZE;
10987 EXPORT_PER_CPU_SYMBOL(kernel_stack);
10989 DEFINE_PER_CPU(char *, irq_stack_ptr) =
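Review bot: `- 8 + THREAD_SIZE` replaces the named `KERNEL_STACK_OFFSET` with a bare magic number, and nothing at the definition says what the 8 bytes are or which assembly must agree with the value, so a later edit to the entry code can silently desynchronise the two. Keep a named constant, or at least annotate it: `(unsigned long)&init_thread_union - 8 /* one reserved slot below the stack top; must match the entry code */ + THREAD_SIZE;`. The consumer that relies on this offset is presumably in entry_64.S, which is not visible here.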
10990 @@ -1084,7 +1037,7 @@ struct pt_regs * __cpuinit idle_regs(str
10992 memset(regs, 0, sizeof(struct pt_regs));
10993 regs->fs = __KERNEL_PERCPU;
10994 - regs->gs = __KERNEL_STACK_CANARY;
10995 + savesegment(gs, regs->gs);
10999 @@ -1139,7 +1092,7 @@ void __cpuinit cpu_init(void)
11002 cpu = stack_smp_processor_id();
11003 - t = &per_cpu(init_tss, cpu);
11004 + t = init_tss + cpu;
11005 oist = &per_cpu(orig_ist, cpu);
11008 @@ -1165,7 +1118,7 @@ void __cpuinit cpu_init(void)
11009 switch_to_new_gdt(cpu);
11010 loadsegment(fs, 0);
11012 - load_idt((const struct desc_ptr *)&idt_descr);
11013 + load_idt(&idt_descr);
11015 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
11017 @@ -1174,7 +1127,6 @@ void __cpuinit cpu_init(void)
11018 wrmsrl(MSR_KERNEL_GS_BASE, 0);
11021 - x86_configure_nx();
11025 @@ -1228,7 +1180,7 @@ void __cpuinit cpu_init(void)
11027 int cpu = smp_processor_id();
11028 struct task_struct *curr = current;
11029 - struct tss_struct *t = &per_cpu(init_tss, cpu);
11030 + struct tss_struct *t = init_tss + cpu;
11031 struct thread_struct *thread = &curr->thread;
11033 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
11034 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.38.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
11035 --- linux-2.6.38.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2011-03-14 21:20:32.000000000 -0400
11036 +++ linux-2.6.38.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2011-04-17 15:57:32.000000000 -0400
11037 @@ -481,7 +481,7 @@ static const struct dmi_system_id sw_any
11038 DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
11042 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
11045 static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
11046 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.38.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
11047 --- linux-2.6.38.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2011-03-14 21:20:32.000000000 -0400
11048 +++ linux-2.6.38.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2011-04-17 15:57:32.000000000 -0400
11049 @@ -226,7 +226,7 @@ static struct cpu_model models[] =
11050 { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
11051 { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
11054 + { NULL, NULL, 0, NULL}
11058 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/intel.c linux-2.6.38.4/arch/x86/kernel/cpu/intel.c
11059 --- linux-2.6.38.4/arch/x86/kernel/cpu/intel.c 2011-03-14 21:20:32.000000000 -0400
11060 +++ linux-2.6.38.4/arch/x86/kernel/cpu/intel.c 2011-04-17 15:57:32.000000000 -0400
11061 @@ -161,7 +161,7 @@ static void __cpuinit trap_init_f00f_bug
11062 * Update the IDT descriptor and reload the IDT so that
11063 * it uses the read-only mapped virtual address.
11065 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
11066 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
11067 load_idt(&idt_descr);
11070 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/Makefile linux-2.6.38.4/arch/x86/kernel/cpu/Makefile
11071 --- linux-2.6.38.4/arch/x86/kernel/cpu/Makefile 2011-03-14 21:20:32.000000000 -0400
11072 +++ linux-2.6.38.4/arch/x86/kernel/cpu/Makefile 2011-04-17 15:57:32.000000000 -0400
11073 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
11074 CFLAGS_REMOVE_perf_event.o = -pg
11077 -# Make sure load_percpu_segment has no stackprotector
11078 -nostackp := $(call cc-option, -fno-stack-protector)
11079 -CFLAGS_common.o := $(nostackp)
11081 obj-y := intel_cacheinfo.o scattered.o topology.o
11082 obj-y += proc.o capflags.o powerflags.o common.o
11083 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
11084 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.38.4/arch/x86/kernel/cpu/mcheck/mce.c
11085 --- linux-2.6.38.4/arch/x86/kernel/cpu/mcheck/mce.c 2011-03-14 21:20:32.000000000 -0400
11086 +++ linux-2.6.38.4/arch/x86/kernel/cpu/mcheck/mce.c 2011-04-17 15:57:32.000000000 -0400
11088 #include <asm/ipi.h>
11089 #include <asm/mce.h>
11090 #include <asm/msr.h>
11091 +#include <asm/local.h>
11093 #include "mce-internal.h"
11095 @@ -219,7 +220,7 @@ static void print_mce(struct mce *m)
11096 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
11099 - if (m->cs == __KERNEL_CS)
11100 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
11101 print_symbol("{%s}", m->ip);
11104 @@ -1460,14 +1461,14 @@ void __cpuinit mcheck_cpu_init(struct cp
11107 static DEFINE_SPINLOCK(mce_state_lock);
11108 -static int open_count; /* #times opened */
11109 +static local_t open_count; /* #times opened */
11110 static int open_exclu; /* already open exclusive? */
11112 static int mce_open(struct inode *inode, struct file *file)
11114 spin_lock(&mce_state_lock);
11116 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
11117 + if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) {
11118 spin_unlock(&mce_state_lock);
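Review bot: `local_t` operations are atomic only with respect to the CPU executing them, not across CPUs, so turning the shared global `open_count` into a `local_t` does not by itself make concurrent open()/release() safe; what keeps this correct is that every access visible in this and the following hunks happens under `mce_state_lock`. That dependency should be stated at the declaration, e.g. `static local_t open_count; /* #times opened; protected by mce_state_lock — local_t is used for its checked arithmetic, not for cross-CPU atomicity */`, together with the presumably overflow-related motivation for the type change, which the hunk leaves implicit. mce_open() continues outside the hunk.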
11121 @@ -1475,7 +1476,7 @@ static int mce_open(struct inode *inode,
11123 if (file->f_flags & O_EXCL)
11126 + local_inc(&open_count);
11128 spin_unlock(&mce_state_lock);
11130 @@ -1486,7 +1487,7 @@ static int mce_release(struct inode *ino
11132 spin_lock(&mce_state_lock);
11135 + local_dec(&open_count);
11138 spin_unlock(&mce_state_lock);
11139 @@ -1658,8 +1659,7 @@ static long mce_ioctl(struct file *f, un
11143 -/* Modified in mce-inject.c, so not static or const */
11144 -struct file_operations mce_chrdev_ops = {
11145 +struct file_operations mce_chrdev_ops = { /* Modified in mce-inject.c, so not static or const */
11147 .release = mce_release,
11149 @@ -1673,6 +1673,7 @@ static struct miscdevice mce_log_device
11153 + {NULL, NULL}, NULL, NULL
11157 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/generic.c
11158 --- linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/generic.c 2011-03-14 21:20:32.000000000 -0400
11159 +++ linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/generic.c 2011-04-17 15:57:32.000000000 -0400
11160 @@ -28,7 +28,7 @@ static struct fixed_range_block fixed_ra
11161 { MSR_MTRRfix64K_00000, 1 }, /* one 64k MTRR */
11162 { MSR_MTRRfix16K_80000, 2 }, /* two 16k MTRRs */
11163 { MSR_MTRRfix4K_C0000, 8 }, /* eight 4k MTRRs */
11168 static unsigned long smp_changes_mask;
11169 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/main.c
11170 --- linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/main.c 2011-04-18 17:27:18.000000000 -0400
11171 +++ linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/main.c 2011-04-17 16:53:16.000000000 -0400
11172 @@ -61,7 +61,7 @@ static DEFINE_MUTEX(mtrr_mutex);
11173 u64 size_or_mask, size_and_mask;
11174 static bool mtrr_aps_delayed_init;
11176 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
11177 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
11179 const struct mtrr_ops *mtrr_if;
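Review bot: Marking `mtrr_ops[]` as `__read_only` means it may only be written through pax_open_kernel()/pax_close_kernel(); the writer (presumably `set_mtrr_ops()`, which fills this table at init) is not in the hunk, so it is not visible that it was updated to match, and if it was not, the first vendor registration would presumably fault once the section is protected. A one-line note at the declaration, e.g. `/* filled only during init, under pax_open_kernel() */`, would make that contract visible to the next person adding a vendor entry.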
11181 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/mtrr.h
11182 --- linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-03-14 21:20:32.000000000 -0400
11183 +++ linux-2.6.38.4/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-04-17 15:57:32.000000000 -0400
11184 @@ -12,19 +12,19 @@
11185 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
11189 - u32 use_intel_if;
11190 - void (*set)(unsigned int reg, unsigned long base,
11191 + const u32 vendor;
11192 + const u32 use_intel_if;
11193 + void (* const set)(unsigned int reg, unsigned long base,
11194 unsigned long size, mtrr_type type);
11195 - void (*set_all)(void);
11196 + void (* const set_all)(void);
11198 - void (*get)(unsigned int reg, unsigned long *base,
11199 + void (* const get)(unsigned int reg, unsigned long *base,
11200 unsigned long *size, mtrr_type *type);
11201 - int (*get_free_region)(unsigned long base, unsigned long size,
11202 + int (* const get_free_region)(unsigned long base, unsigned long size,
11204 - int (*validate_add_page)(unsigned long base, unsigned long size,
11205 + int (* const validate_add_page)(unsigned long base, unsigned long size,
11206 unsigned int type);
11207 - int (*have_wrcomb)(void);
11208 + int (* const have_wrcomb)(void);
11211 extern int generic_get_free_region(unsigned long base, unsigned long size,
11212 diff -urNp linux-2.6.38.4/arch/x86/kernel/cpu/perf_event.c linux-2.6.38.4/arch/x86/kernel/cpu/perf_event.c
11213 --- linux-2.6.38.4/arch/x86/kernel/cpu/perf_event.c 2011-03-14 21:20:32.000000000 -0400
11214 +++ linux-2.6.38.4/arch/x86/kernel/cpu/perf_event.c 2011-04-17 15:57:32.000000000 -0400
11215 @@ -1781,7 +1781,7 @@ perf_callchain_user(struct perf_callchai
11218 perf_callchain_store(entry, frame.return_address);
11219 - fp = frame.next_frame;
11220 + fp = (__force const void __user *)frame.next_frame;
11224 diff -urNp linux-2.6.38.4/arch/x86/kernel/crash.c linux-2.6.38.4/arch/x86/kernel/crash.c
11225 --- linux-2.6.38.4/arch/x86/kernel/crash.c 2011-03-14 21:20:32.000000000 -0400
11226 +++ linux-2.6.38.4/arch/x86/kernel/crash.c 2011-04-17 15:57:32.000000000 -0400
11227 @@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu,
11230 #ifdef CONFIG_X86_32
11231 - if (!user_mode_vm(regs)) {
11232 + if (!user_mode(regs)) {
11233 crash_fixup_ss_esp(&fixed_regs, regs);
11234 regs = &fixed_regs;
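Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` changes behaviour for vm86 tasks on 32-bit: upstream's `user_mode()` tests only the RPL of `cs`, while `user_mode_vm()` additionally checks `X86_EFLAGS_VM`, so a crash taken in a vm86 task would be classified as kernel mode here and go through `crash_fixup_ss_esp()`. This is only correct if `user_mode()` is redefined elsewhere in this patch to include the VM check; that redefinition is not visible, and the same substitution is made in several later hunks (dumpstack_32.c, dumpstack.c), so it should be confirmed once. kdump_nmi_callback() continues outside the hunk.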
11236 diff -urNp linux-2.6.38.4/arch/x86/kernel/doublefault_32.c linux-2.6.38.4/arch/x86/kernel/doublefault_32.c
11237 --- linux-2.6.38.4/arch/x86/kernel/doublefault_32.c 2011-03-14 21:20:32.000000000 -0400
11238 +++ linux-2.6.38.4/arch/x86/kernel/doublefault_32.c 2011-04-17 15:57:32.000000000 -0400
11241 #define DOUBLEFAULT_STACKSIZE (1024)
11242 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
11243 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
11244 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
11246 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
11248 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
11249 unsigned long gdt, tss;
11251 store_gdt(&gdt_desc);
11252 - gdt = gdt_desc.address;
11253 + gdt = (unsigned long)gdt_desc.address;
11255 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
11257 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
11258 /* 0x2 bit is always set */
11259 .flags = X86_EFLAGS_SF | 0x2,
11262 + .es = __KERNEL_DS,
11266 + .ds = __KERNEL_DS,
11267 .fs = __KERNEL_PERCPU,
11269 .__cr3 = __pa_nodebug(swapper_pg_dir),
11270 diff -urNp linux-2.6.38.4/arch/x86/kernel/dumpstack_32.c linux-2.6.38.4/arch/x86/kernel/dumpstack_32.c
11271 --- linux-2.6.38.4/arch/x86/kernel/dumpstack_32.c 2011-03-14 21:20:32.000000000 -0400
11272 +++ linux-2.6.38.4/arch/x86/kernel/dumpstack_32.c 2011-04-17 15:57:32.000000000 -0400
11273 @@ -37,15 +37,12 @@ void dump_trace(struct task_struct *task
11275 bp = stack_frame(task, regs);
11277 - struct thread_info *context;
11278 + void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
11279 + bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
11281 - context = (struct thread_info *)
11282 - ((unsigned long)stack & (~(THREAD_SIZE - 1)));
11283 - bp = ops->walk_stack(context, stack, bp, ops, data, NULL, &graph);
11285 - stack = (unsigned long *)context->previous_esp;
11287 + if (stack_start == task_stack_page(task))
11289 + stack = *(unsigned long **)stack_start;
11290 if (ops->stack(data, "IRQ") < 0)
11292 touch_nmi_watchdog();
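Review bot: `stack = *(unsigned long **)stack_start;` replaces the explicit `context->previous_esp` link with a read of the first word of the current stack page, and nothing in the hunk says who stores that word or why it is valid for every stack the walk can be on; the `task_stack_page(task)` test just above is the only thing stopping the loop from treating the first word of the task stack as a pointer. Add a comment on the load, e.g. `/* each IRQ stack page keeps the interrupted %esp in its first word (set up by the IRQ-stack code); the task stack has no such link, hence the check above */`, marked as an assumption to confirm against the IRQ-stack setup, which is not visible here. dump_trace() continues outside the hunk.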
11293 @@ -95,21 +92,22 @@ void show_registers(struct pt_regs *regs
11294 * When in-kernel, we also print out the stack and code at the
11295 * time of the fault..
11297 - if (!user_mode_vm(regs)) {
11298 + if (!user_mode(regs)) {
11299 unsigned int code_prologue = code_bytes * 43 / 64;
11300 unsigned int code_len = code_bytes;
11303 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
11305 printk(KERN_EMERG "Stack:\n");
11306 show_stack_log_lvl(NULL, regs, ®s->sp, KERN_EMERG);
11308 printk(KERN_EMERG "Code: ");
11310 - ip = (u8 *)regs->ip - code_prologue;
11311 + ip = (u8 *)regs->ip - code_prologue + cs_base;
11312 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
11313 /* try starting at IP */
11314 - ip = (u8 *)regs->ip;
11315 + ip = (u8 *)regs->ip + cs_base;
11316 code_len = code_len - code_prologue + 1;
11318 for (i = 0; i < code_len; i++, ip++) {
11319 @@ -118,7 +116,7 @@ void show_registers(struct pt_regs *regs
11320 printk(" Bad EIP value.");
11323 - if (ip == (u8 *)regs->ip)
11324 + if (ip == (u8 *)regs->ip + cs_base)
11325 printk("<%02x> ", c);
11327 printk("%02x ", c);
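Review bot: `get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]` indexes the per-CPU GDT with whatever is in `regs->cs` and no bounds check, so an oops with a corrupted `cs` (an index up to 8191, or an LDT selector with the TI bit set) reads past the GDT while trying to print the faulting code, in a path that exists precisely to survive corrupted state. Guard the lookup so a bad selector degrades to the previous flat-address behaviour: `unsigned int cs_idx = (regs->cs & 0xffff) >> 3;` followed by `unsigned long cs_base = (cs_idx < GDT_ENTRIES && !(regs->cs & 4)) ? get_desc_base(&get_cpu_gdt_table(smp_processor_id())[cs_idx]) : 0;`. show_registers() continues outside the hunk.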
11328 @@ -131,6 +129,7 @@ int is_valid_bugaddr(unsigned long ip)
11330 unsigned short ud2;
11332 + ip = ktla_ktva(ip);
11333 if (ip < PAGE_OFFSET)
11335 if (probe_kernel_address((unsigned short *)ip, ud2))
11336 diff -urNp linux-2.6.38.4/arch/x86/kernel/dumpstack_64.c linux-2.6.38.4/arch/x86/kernel/dumpstack_64.c
11337 --- linux-2.6.38.4/arch/x86/kernel/dumpstack_64.c 2011-03-14 21:20:32.000000000 -0400
11338 +++ linux-2.6.38.4/arch/x86/kernel/dumpstack_64.c 2011-04-17 15:57:32.000000000 -0400
11339 @@ -147,10 +147,10 @@ void dump_trace(struct task_struct *task
11340 unsigned long *irq_stack_end =
11341 (unsigned long *)per_cpu(irq_stack_ptr, cpu);
11343 - struct thread_info *tinfo;
11345 unsigned long dummy;
11347 + void *stack_start;
11351 @@ -167,10 +167,10 @@ void dump_trace(struct task_struct *task
11352 * current stack address. If the stacks consist of nested
11355 - tinfo = task_thread_info(task);
11358 unsigned long *estack_end;
11360 estack_end = in_exception_stack(cpu, (unsigned long)stack,
11363 @@ -178,7 +178,7 @@ void dump_trace(struct task_struct *task
11364 if (ops->stack(data, id) < 0)
11367 - bp = ops->walk_stack(tinfo, stack, bp, ops,
11368 + bp = ops->walk_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops,
11369 data, estack_end, &graph);
11370 ops->stack(data, "<EOE>");
11372 @@ -197,7 +197,7 @@ void dump_trace(struct task_struct *task
11373 if (in_irq_stack(stack, irq_stack, irq_stack_end)) {
11374 if (ops->stack(data, "IRQ") < 0)
11376 - bp = ops->walk_stack(tinfo, stack, bp,
11377 + bp = ops->walk_stack(task, irq_stack, stack, bp,
11378 ops, data, irq_stack_end, &graph);
11380 * We link to the next stack (which would be
11381 @@ -218,7 +218,8 @@ void dump_trace(struct task_struct *task
11383 * This handles the process stack:
11385 - bp = ops->walk_stack(tinfo, stack, bp, ops, data, NULL, &graph);
11386 + stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
11387 + bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
11390 EXPORT_SYMBOL(dump_trace);
11391 diff -urNp linux-2.6.38.4/arch/x86/kernel/dumpstack.c linux-2.6.38.4/arch/x86/kernel/dumpstack.c
11392 --- linux-2.6.38.4/arch/x86/kernel/dumpstack.c 2011-03-14 21:20:32.000000000 -0400
11393 +++ linux-2.6.38.4/arch/x86/kernel/dumpstack.c 2011-04-17 15:57:32.000000000 -0400
11395 * Copyright (C) 1991, 1992 Linus Torvalds
11396 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
11398 +#ifdef CONFIG_GRKERNSEC_HIDESYM
11399 +#define __INCLUDED_BY_HIDESYM 1
11401 #include <linux/kallsyms.h>
11402 #include <linux/kprobes.h>
11403 #include <linux/uaccess.h>
11404 @@ -27,7 +30,7 @@ static int die_counter;
11406 void printk_address(unsigned long address, int reliable)
11408 - printk(" [<%p>] %s%pS\n", (void *) address,
11409 + printk(" [<%p>] %s%pA\n", (void *) address,
11410 reliable ? "" : "? ", (void *) address);
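Review bot: `%pA` is not a printk conversion in upstream 2.6.38, so this line only works if the patch teaches vsnprintf() about it elsewhere (not visible here); a comment on the call, e.g. `/* %pA: symbol printing that honours CONFIG_GRKERNSEC_HIDESYM */`, would spare the next reader a search and should state what is actually hidden. Note also that the same line still prints the raw address through `[<%p>]`, so whatever `%pA` suppresses, the address itself is still disclosed unless `%p` is restricted as well — presumably handled elsewhere in the patch, but worth confirming.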
11413 @@ -35,9 +38,8 @@ void printk_address(unsigned long addres
11415 print_ftrace_graph_addr(unsigned long addr, void *data,
11416 const struct stacktrace_ops *ops,
11417 - struct thread_info *tinfo, int *graph)
11418 + struct task_struct *task, int *graph)
11420 - struct task_struct *task = tinfo->task;
11421 unsigned long ret_addr;
11422 int index = task->curr_ret_stack;
11424 @@ -58,7 +60,7 @@ print_ftrace_graph_addr(unsigned long ad
11426 print_ftrace_graph_addr(unsigned long addr, void *data,
11427 const struct stacktrace_ops *ops,
11428 - struct thread_info *tinfo, int *graph)
11429 + struct task_struct *task, int *graph)
11433 @@ -69,10 +71,8 @@ print_ftrace_graph_addr(unsigned long ad
11434 * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
11437 -static inline int valid_stack_ptr(struct thread_info *tinfo,
11438 - void *p, unsigned int size, void *end)
11439 +static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
11443 if (p < end && p >= (end-THREAD_SIZE))
11445 @@ -83,14 +83,14 @@ static inline int valid_stack_ptr(struct
11449 -print_context_stack(struct thread_info *tinfo,
11450 +print_context_stack(struct task_struct *task, void *stack_start,
11451 unsigned long *stack, unsigned long bp,
11452 const struct stacktrace_ops *ops, void *data,
11453 unsigned long *end, int *graph)
11455 struct stack_frame *frame = (struct stack_frame *)bp;
11457 - while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
11458 + while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
11459 unsigned long addr;
11462 @@ -102,7 +102,7 @@ print_context_stack(struct thread_info *
11464 ops->address(data, addr, 0);
11466 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
11467 + print_ftrace_graph_addr(addr, data, ops, task, graph);
11471 @@ -111,7 +111,7 @@ print_context_stack(struct thread_info *
11472 EXPORT_SYMBOL_GPL(print_context_stack);
11475 -print_context_stack_bp(struct thread_info *tinfo,
11476 +print_context_stack_bp(struct task_struct *task, void *stack_start,
11477 unsigned long *stack, unsigned long bp,
11478 const struct stacktrace_ops *ops, void *data,
11479 unsigned long *end, int *graph)
11480 @@ -119,7 +119,7 @@ print_context_stack_bp(struct thread_inf
11481 struct stack_frame *frame = (struct stack_frame *)bp;
11482 unsigned long *ret_addr = &frame->return_address;
11484 - while (valid_stack_ptr(tinfo, ret_addr, sizeof(*ret_addr), end)) {
11485 + while (valid_stack_ptr(stack_start, ret_addr, sizeof(*ret_addr), end)) {
11486 unsigned long addr = *ret_addr;
11488 if (!__kernel_text_address(addr))
11489 @@ -128,7 +128,7 @@ print_context_stack_bp(struct thread_inf
11490 ops->address(data, addr, 1);
11491 frame = frame->next_frame;
11492 ret_addr = &frame->return_address;
11493 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
11494 + print_ftrace_graph_addr(addr, data, ops, task, graph);
11497 return (unsigned long)frame;
11498 @@ -200,7 +200,7 @@ void dump_stack(void)
11499 unsigned long stack;
11501 printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
11502 - current->pid, current->comm, current->xid, print_tainted(),
11503 + task_pid_nr(current), current->comm, current->xid, print_tainted(),
11504 init_utsname()->release,
11505 (int)strcspn(init_utsname()->version, " "),
11506 init_utsname()->version);
11507 @@ -236,6 +236,8 @@ unsigned __kprobes long oops_begin(void)
11509 EXPORT_SYMBOL_GPL(oops_begin);
11511 +extern void gr_handle_kernel_exploit(void);
11513 void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
11515 if (regs && kexec_should_crash(current))
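Review bot: `extern void gr_handle_kernel_exploit(void);` is a prototype placed in a .c file; it should live in a header included by both this file and the definition so the compiler checks the declaration against the definition and other callers do not copy it. The only other content of this hunk is the start of oops_end(), whose body is outside the hunk.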
11516 @@ -257,7 +259,10 @@ void __kprobes oops_end(unsigned long fl
11517 panic("Fatal exception in interrupt");
11519 panic("Fatal exception");
11522 + gr_handle_kernel_exploit();
11524 + do_group_exit(signr);
11527 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
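Review bot: `do_group_exit(signr)` after `gr_handle_kernel_exploit()` terminates the whole thread group of the task that oopsed rather than only the faulting thread, which is a deliberate policy change that is not obvious from the two added lines (the call it replaces is not visible in the hunk). A comment should say so, e.g. `/* grsecurity: an oops may be an exploit attempt; take down the whole thread group so sibling threads cannot retry */`, and gr_handle_kernel_exploit() deserves a one-line note on what it does since its name is all a reader has here. oops_end() starts outside the hunk.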
11528 @@ -284,7 +289,7 @@ int __kprobes __die(const char *str, str
11530 show_registers(regs);
11531 #ifdef CONFIG_X86_32
11532 - if (user_mode_vm(regs)) {
11533 + if (user_mode(regs)) {
11535 ss = regs->ss & 0xffff;
11537 @@ -312,7 +317,7 @@ void die(const char *str, struct pt_regs
11538 unsigned long flags = oops_begin();
11541 - if (!user_mode_vm(regs))
11542 + if (!user_mode(regs))
11543 report_bug(regs->ip, regs);
11545 if (__die(str, regs, err))
11546 diff -urNp linux-2.6.38.4/arch/x86/kernel/entry_32.S linux-2.6.38.4/arch/x86/kernel/entry_32.S
11547 --- linux-2.6.38.4/arch/x86/kernel/entry_32.S 2011-04-18 17:27:16.000000000 -0400
11548 +++ linux-2.6.38.4/arch/x86/kernel/entry_32.S 2011-04-19 17:17:51.000000000 -0400
11549 @@ -183,13 +183,81 @@
11550 /*CFI_REL_OFFSET gs, PT_GS*/
11552 .macro SET_KERNEL_GS reg
11554 +#ifdef CONFIG_CC_STACKPROTECTOR
11555 movl $(__KERNEL_STACK_CANARY), \reg
11556 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
11557 + movl $(__USER_DS), \reg
11565 #endif /* CONFIG_X86_32_LAZY_GS */
11568 +.macro PAX_EXIT_KERNEL
11569 +#ifdef CONFIG_PAX_KERNEXEC
11570 +#ifdef CONFIG_PARAVIRT
11571 + push %eax; push %ecx
11574 + cmp $__KERNEXEC_KERNEL_CS, %esi
11576 +#ifdef CONFIG_PARAVIRT
11577 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
11583 + ljmp $__KERNEL_CS, $1f
11585 +#ifdef CONFIG_PARAVIRT
11587 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
11592 +#ifdef CONFIG_PARAVIRT
11593 + pop %ecx; pop %eax
11598 +.macro PAX_ENTER_KERNEL
11599 +#ifdef CONFIG_PAX_KERNEXEC
11600 +#ifdef CONFIG_PARAVIRT
11601 + push %eax; push %ecx
11602 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
11610 + cmp $__KERNEL_CS, %esi
11612 + ljmp $__KERNEL_CS, $3f
11613 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
11615 +#ifdef CONFIG_PARAVIRT
11617 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
11622 +#ifdef CONFIG_PARAVIRT
11623 + pop %ecx; pop %eax
11628 +.macro __SAVE_ALL _DS
11632 @@ -212,7 +280,7 @@
11633 CFI_REL_OFFSET ecx, 0
11635 CFI_REL_OFFSET ebx, 0
11636 - movl $(__USER_DS), %edx
11640 movl $(__KERNEL_PERCPU), %edx
11641 @@ -220,6 +288,15 @@
11646 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
11647 + __SAVE_ALL __KERNEL_DS
11650 + __SAVE_ALL __USER_DS
11654 .macro RESTORE_INT_REGS
11657 @@ -330,7 +407,15 @@ check_userspace:
11658 movb PT_CS(%esp), %al
11659 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
11660 cmpl $USER_RPL, %eax
11662 +#ifdef CONFIG_PAX_KERNEXEC
11663 + jae resume_userspace
11666 + jmp resume_kernel
11668 jb resume_kernel # not returning to v8086 or userspace
11671 ENTRY(resume_userspace)
11673 @@ -392,23 +477,34 @@ sysenter_past_esp:
11674 /*CFI_REL_OFFSET cs, 0*/
11676 * Push current_thread_info()->sysenter_return to the stack.
11677 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
11678 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
11680 - pushl_cfi ((TI_sysenter_return)-THREAD_SIZE_asm+8+4*4)(%esp)
11682 CFI_REL_OFFSET eip, 0
11686 + GET_THREAD_INFO(%ebp)
11687 + movl TI_sysenter_return(%ebp),%ebp
11688 + movl %ebp,PT_EIP(%esp)
11689 ENABLE_INTERRUPTS(CLBR_NONE)
11692 * Load the potential sixth argument from user stack.
11693 * Careful about security.
11695 + movl PT_OLDESP(%esp),%ebp
11697 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11698 + mov PT_OLDSS(%esp),%ds
11699 +1: movl %ds:(%ebp),%ebp
11703 cmpl $__PAGE_OFFSET-3,%ebp
11705 1: movl (%ebp),%ebp
11708 movl %ebp,PT_EBP(%esp)
11709 .section __ex_table,"a"
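Review bot: Under CONFIG_PAX_MEMORY_UDEREF the sixth-argument load `1: movl %ds:(%ebp),%ebp` no longer has the `cmpl $__PAGE_OFFSET-3,%ebp` range check that the `#else` branch keeps, so a user-supplied %ebp pointing into kernel space is rejected only if the segment loaded from `PT_OLDSS` really has a limit that ends at user space — that limit is set up elsewhere and not visible here, and the "Careful about security" comment above no longer says which mechanism does the job. Add a comment on the UDEREF branch, e.g. `/* UDEREF: %ds is the user data segment whose limit excludes kernel space, so the hardware bounds this load; the __ex_table entry covers an unmapped address */`, and confirm that %ds is reloaded with the kernel segment right after the load, since the lines that follow it are not visible. ia32_sysenter_target continues on both sides of the hunk.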
11711 @@ -431,12 +527,23 @@ sysenter_do_call:
11712 testl $_TIF_ALLWORK_MASK, %ecx
11716 +#ifdef CONFIG_PAX_RANDKSTACK
11718 + CFI_ADJUST_CFA_OFFSET 4
11719 + call pax_randomize_kstack
11721 + CFI_ADJUST_CFA_OFFSET -4
11724 /* if something modifies registers it must also disable sysexit */
11725 movl PT_EIP(%esp), %edx
11726 movl PT_OLDESP(%esp), %ecx
11729 1: mov PT_FS(%esp), %fs
11730 +2: mov PT_DS(%esp), %ds
11731 +3: mov PT_ES(%esp), %es
11733 ENABLE_INTERRUPTS_SYSEXIT
11735 @@ -479,11 +586,17 @@ sysexit_audit:
11738 .pushsection .fixup,"ax"
11739 -2: movl $0,PT_FS(%esp)
11740 +4: movl $0,PT_FS(%esp)
11742 +5: movl $0,PT_DS(%esp)
11744 +6: movl $0,PT_ES(%esp)
11746 .section __ex_table,"a"
11754 ENDPROC(ia32_sysenter_target)
11755 @@ -516,6 +629,10 @@ syscall_exit:
11756 testl $_TIF_ALLWORK_MASK, %ecx # current->work
11757 jne syscall_exit_work
11759 +#ifdef CONFIG_PAX_RANDKSTACK
11760 + call pax_randomize_kstack
11765 restore_all_notrace:
11766 @@ -575,14 +692,21 @@ ldt_ss:
11767 * compensating for the offset by changing to the ESPFIX segment with
11768 * a base address that matches for the difference.
11770 -#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
11771 +#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
11772 mov %esp, %edx /* load kernel esp */
11773 mov PT_OLDESP(%esp), %eax /* load userspace esp */
11774 mov %dx, %ax /* eax: new kernel esp */
11775 sub %eax, %edx /* offset (low word is 0) */
11777 + movl PER_CPU_VAR(cpu_number), %ebx
11778 + shll $PAGE_SHIFT_asm, %ebx
11779 + addl $cpu_gdt_table, %ebx
11781 + movl $cpu_gdt_table, %ebx
11784 - mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
11785 - mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
11786 + mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
11787 + mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
11788 pushl_cfi $__ESPFIX_SS
11789 pushl_cfi %eax /* new kernel esp */
11790 /* Disable interrupts, but do not irqtrace this section: we
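Review bot: The ESPFIX descriptor stores `mov %dl, 4 + GDT_ESPFIX_SS` and `mov %dh, 7 + GDT_ESPFIX_SS` write into the per-CPU GDT with no equivalent of the pax_open_kernel()/pax_close_kernel() pair that wraps every C-side GDT store elsewhere in this patch (the apm_32.c hunks above). If `cpu_gdt_table` is placed in the read-only region under KERNEXEC these stores fault on the first return to a 16-bit stack; if it is deliberately left writable, that exception to the rule should be stated in a comment here, because the asymmetry with the C side is otherwise invisible. Either way the 5-line per-CPU GDT address computation is duplicated in FIXUP_ESPFIX_STACK below and could share one macro. The ldt_ss path continues outside the hunk.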
11791 @@ -617,23 +741,17 @@ work_resched:
11793 work_notifysig: # deal with pending signals and
11794 # notify-resume requests
11797 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
11799 - jne work_notifysig_v86 # returning to kernel-space or
11800 + jz 1f # returning to kernel-space or
11803 - call do_notify_resume
11804 - jmp resume_userspace_sig
11807 -work_notifysig_v86:
11808 pushl_cfi %ecx # save ti_flags for do_notify_resume
11809 call save_v86_state # %eax contains pt_regs pointer
11817 call do_notify_resume
11818 @@ -668,6 +786,10 @@ END(syscall_exit_work)
11820 RING0_INT_FRAME # can't unwind into user space anyway
11822 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11826 GET_THREAD_INFO(%ebp)
11827 movl $-EFAULT,PT_EAX(%esp)
11828 jmp resume_userspace
11829 @@ -750,6 +872,36 @@ ptregs_clone:
11831 ENDPROC(ptregs_clone)
11834 +ENTRY(kernel_execve)
11837 + sub $PT_OLDSS+4,%esp
11841 + lea 3*4(%esp),%edi
11842 + mov $PT_OLDSS/4+1,%ecx
11848 + movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
11852 + CFI_ADJUST_CFA_OFFSET -4
11853 + GET_THREAD_INFO(%ebp)
11856 + add $PT_OLDSS+4,%esp
11857 + CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4
11861 +ENDPROC(kernel_execve)
11863 .macro FIXUP_ESPFIX_STACK
11865 * Switch back for ESPFIX stack to the normal zerobased stack
11866 @@ -759,8 +911,15 @@ ENDPROC(ptregs_clone)
11867 * normal stack and adjusts ESP with the matching offset.
11869 /* fixup the stack */
11870 - mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
11871 - mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
11873 + movl PER_CPU_VAR(cpu_number), %ebx
11874 + shll $PAGE_SHIFT_asm, %ebx
11875 + addl $cpu_gdt_table, %ebx
11877 + movl $cpu_gdt_table, %ebx
11879 + mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
11880 + mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
11882 addl %esp, %eax /* the adjusted stack pointer */
11883 pushl_cfi $__KERNEL_DS
11884 @@ -1211,7 +1370,6 @@ return_to_handler:
11888 -.section .rodata,"a"
11889 #include "syscall_table_32.S"
11891 syscall_table_size=(.-sys_call_table)
11892 @@ -1257,9 +1415,12 @@ error_code:
11893 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
11896 - movl $(__USER_DS), %ecx
11897 + movl $(__KERNEL_DS), %ecx
11904 movl %esp,%eax # pt_regs pointer
11906 @@ -1344,6 +1505,9 @@ nmi_stack_correct:
11907 xorl %edx,%edx # zero error code
11908 movl %esp,%eax # pt_regs pointer
11913 jmp restore_all_notrace
11916 @@ -1380,6 +1544,9 @@ nmi_espfix_stack:
11917 FIXUP_ESPFIX_STACK # %eax == %esp
11918 xorl %edx,%edx # zero error code
11924 lss 12+4(%esp), %esp # back to espfix stack
11925 CFI_ADJUST_CFA_OFFSET -24
11926 diff -urNp linux-2.6.38.4/arch/x86/kernel/entry_64.S linux-2.6.38.4/arch/x86/kernel/entry_64.S
11927 --- linux-2.6.38.4/arch/x86/kernel/entry_64.S 2011-04-18 17:27:13.000000000 -0400
11928 +++ linux-2.6.38.4/arch/x86/kernel/entry_64.S 2011-04-17 15:57:32.000000000 -0400
11930 #include <asm/paravirt.h>
11931 #include <asm/ftrace.h>
11932 #include <asm/percpu.h>
11933 +#include <asm/pgtable.h>
11935 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
11936 #include <linux/elf-em.h>
11937 @@ -174,6 +175,206 @@ ENTRY(native_usergs_sysret64)
11938 ENDPROC(native_usergs_sysret64)
11939 #endif /* CONFIG_PARAVIRT */
11941 + .macro ljmpq sel, off
11942 +#if defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
11943 + .byte 0x48; ljmp *1234f(%rip)
11944 + .pushsection .rodata
11946 + 1234: .quad \off; .word \sel
11955 + .macro pax_enter_kernel
11956 +#ifdef CONFIG_PAX_KERNEXEC
11957 + call pax_enter_kernel
11961 + .macro pax_exit_kernel
11962 +#ifdef CONFIG_PAX_KERNEXEC
11963 + call pax_exit_kernel
11967 +#ifdef CONFIG_PAX_KERNEXEC
11968 +ENTRY(pax_enter_kernel)
11971 +#ifdef CONFIG_PARAVIRT
11972 + PV_SAVE_REGS(CLBR_RDI)
11979 + cmp $__KERNEL_CS,%edi
11981 + ljmpq __KERNEL_CS,3f
11982 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
11983 +2: SET_RDI_INTO_CR0
11986 +#ifdef CONFIG_PARAVIRT
11987 + PV_RESTORE_REGS(CLBR_RDI)
11992 +ENDPROC(pax_enter_kernel)
11994 +ENTRY(pax_exit_kernel)
11997 +#ifdef CONFIG_PARAVIRT
11998 + PV_SAVE_REGS(CLBR_RDI)
12002 + cmp $__KERNEXEC_KERNEL_CS,%edi
12006 + ljmpq __KERNEL_CS,1f
12007 +1: SET_RDI_INTO_CR0
12010 +#ifdef CONFIG_PARAVIRT
12011 + PV_RESTORE_REGS(CLBR_RDI);
12016 +ENDPROC(pax_exit_kernel)
12019 + .macro pax_enter_kernel_user
12020 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12021 + call pax_enter_kernel_user
12025 + .macro pax_exit_kernel_user
12026 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12027 + call pax_exit_kernel_user
12029 +#ifdef CONFIG_PAX_RANDKSTACK
12031 + call pax_randomize_kstack
12036 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12037 +ENTRY(pax_enter_kernel_user)
12041 +#ifdef CONFIG_PARAVIRT
12042 + PV_SAVE_REGS(CLBR_RDI)
12047 + add $__START_KERNEL_map,%rbx
12048 + sub phys_base(%rip),%rbx
12050 +#ifdef CONFIG_PARAVIRT
12052 + cmpl $0, pv_info+PARAVIRT_enabled
12055 + .rept USER_PGD_PTRS
12056 + mov i*8(%rbx),%rsi
12058 + lea i*8(%rbx),%rdi
12059 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
12067 + .rept USER_PGD_PTRS
12068 + movb $0,i*8(%rbx)
12072 +#ifdef CONFIG_PARAVIRT
12077 +#ifdef CONFIG_PAX_KERNEXEC
12083 +#ifdef CONFIG_PARAVIRT
12084 + PV_RESTORE_REGS(CLBR_RDI)
12090 +ENDPROC(pax_enter_kernel_user)
12092 +ENTRY(pax_exit_kernel_user)
12095 +#ifdef CONFIG_PARAVIRT
12097 + PV_SAVE_REGS(CLBR_RDI)
12100 +#ifdef CONFIG_PAX_KERNEXEC
12107 + add $__START_KERNEL_map,%rdi
12108 + sub phys_base(%rip),%rdi
12110 +#ifdef CONFIG_PARAVIRT
12111 + cmpl $0, pv_info+PARAVIRT_enabled
12115 + .rept USER_PGD_PTRS
12116 + mov i*8(%rbx),%rsi
12118 + lea i*8(%rbx),%rdi
12119 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
12127 + .rept USER_PGD_PTRS
12128 + movb $0x67,i*8(%rdi)
12132 +#ifdef CONFIG_PARAVIRT
12133 +2: PV_RESTORE_REGS(CLBR_RDI)
12139 +ENDPROC(pax_exit_kernel_user)
12142 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
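Review bot: `movb $0x67,i*8(%rdi)` in `pax_exit_kernel_user` writes a bare magic byte back into the low byte of each user PGD entry that `pax_enter_kernel_user` cleared with `movb $0,i*8(%rbx)`, and the value is undocumented at both sites. It looks like the low byte of a present, writable, user-accessible table entry (present|rw|user|accessed|dirty, i.e. `_PAGE_TABLE`'s low byte) — confirm, and either use the symbolic constant or add `# restore P|RW|US|A|D in the low byte of the user PGD entries zeroed by pax_enter_kernel_user`. Separately, `PV_RESTORE_REGS(CLBR_RDI);` in `pax_exit_kernel` carries a stray `;` that the otherwise identical invocations in this hunk do not; drop it for consistency. Several lines of these routines are not visible here, so the pairing of the two byte stores should be checked against the full hunk.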
12143 #ifdef CONFIG_TRACE_IRQFLAGS
12144 @@ -316,7 +517,7 @@ ENTRY(save_args)
12145 leaq -RBP+8(%rsp),%rdi /* arg1 for handler */
12146 movq_cfi rbp, 8 /* push %rbp */
12147 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
12148 - testl $3, CS(%rdi)
12149 + testb $3, CS(%rdi)
12153 @@ -407,7 +608,7 @@ ENTRY(ret_from_fork)
12157 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
12158 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
12159 je int_ret_from_sys_call
12161 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
12162 @@ -453,7 +654,7 @@ END(ret_from_fork)
12164 CFI_STARTPROC simple
12166 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
12167 + CFI_DEF_CFA rsp,0
12168 CFI_REGISTER rip,rcx
12169 /*CFI_REGISTER rflags,r11*/
12170 SWAPGS_UNSAFE_STACK
12171 @@ -466,12 +667,13 @@ ENTRY(system_call_after_swapgs)
12173 movq %rsp,PER_CPU_VAR(old_rsp)
12174 movq PER_CPU_VAR(kernel_stack),%rsp
12175 + pax_enter_kernel_user
12177 * No need to follow this irqs off/on section - it's straight
12180 ENABLE_INTERRUPTS(CLBR_NONE)
12183 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
12184 movq %rcx,RIP-ARGOFFSET(%rsp)
12185 CFI_REL_OFFSET rip,RIP-ARGOFFSET
12186 @@ -500,6 +702,7 @@ sysret_check:
12190 + pax_exit_kernel_user
12192 * sysretq will re-enable interrupts:
12194 @@ -609,7 +812,7 @@ tracesys:
12195 GLOBAL(int_ret_from_sys_call)
12196 DISABLE_INTERRUPTS(CLBR_NONE)
12198 - testl $3,CS-ARGOFFSET(%rsp)
12199 + testb $3,CS-ARGOFFSET(%rsp)
12200 je retint_restore_args
12201 movl $_TIF_ALLWORK_MASK,%edi
12202 /* edi: mask to check */
12203 @@ -791,6 +994,16 @@ END(interrupt)
12204 CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
12207 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12208 + testb $3, CS(%rdi)
12212 +1: pax_enter_kernel_user
12220 @@ -823,7 +1036,7 @@ ret_from_intr:
12221 CFI_ADJUST_CFA_OFFSET -8
12223 GET_THREAD_INFO(%rcx)
12224 - testl $3,CS-ARGOFFSET(%rsp)
12225 + testb $3,CS-ARGOFFSET(%rsp)
12228 /* Interrupt came from user space */
12229 @@ -845,12 +1058,14 @@ retint_swapgs: /* return to user-space
12230 * The iretq could re-enable interrupts:
12232 DISABLE_INTERRUPTS(CLBR_ANY)
12233 + pax_exit_kernel_user
12238 retint_restore_args: /* return to kernel space */
12239 DISABLE_INTERRUPTS(CLBR_ANY)
12242 * The iretq could re-enable interrupts:
12244 @@ -1022,6 +1237,16 @@ ENTRY(\sym)
12245 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12248 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12249 + testb $3, CS(%rsp)
12253 +1: pax_enter_kernel_user
12258 movq %rsp,%rdi /* pt_regs pointer */
12259 xorl %esi,%esi /* no error code */
12261 @@ -1039,6 +1264,16 @@ ENTRY(\sym)
12262 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12265 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12266 + testb $3, CS(%rsp)
12270 +1: pax_enter_kernel_user
12275 movq %rsp,%rdi /* pt_regs pointer */
12276 xorl %esi,%esi /* no error code */
12278 @@ -1047,7 +1282,7 @@ ENTRY(\sym)
12282 -#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
12283 +#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12)
12284 .macro paranoidzeroentry_ist sym do_sym ist
12287 @@ -1057,8 +1292,24 @@ ENTRY(\sym)
12288 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12291 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12292 + testb $3, CS(%rsp)
12296 +1: pax_enter_kernel_user
12301 movq %rsp,%rdi /* pt_regs pointer */
12302 xorl %esi,%esi /* no error code */
12304 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
12305 + lea init_tss(%r12), %r12
12307 + lea init_tss(%rip), %r12
12309 subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
12311 addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
12312 @@ -1075,6 +1326,16 @@ ENTRY(\sym)
12313 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12316 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12317 + testb $3, CS(%rsp)
12321 +1: pax_enter_kernel_user
12326 movq %rsp,%rdi /* pt_regs pointer */
12327 movq ORIG_RAX(%rsp),%rsi /* get error code */
12328 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
12329 @@ -1094,6 +1355,16 @@ ENTRY(\sym)
12333 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12334 + testb $3, CS(%rsp)
12338 +1: pax_enter_kernel_user
12343 movq %rsp,%rdi /* pt_regs pointer */
12344 movq ORIG_RAX(%rsp),%rsi /* get error code */
12345 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
12346 @@ -1356,14 +1627,27 @@ ENTRY(paranoid_exit)
12348 testl %ebx,%ebx /* swapgs needed? */
12349 jnz paranoid_restore
12350 - testl $3,CS(%rsp)
12351 + testb $3,CS(%rsp)
12352 jnz paranoid_userspace
12353 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12355 + TRACE_IRQS_IRETQ 0
12356 + SWAPGS_UNSAFE_STACK
12361 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12362 + pax_exit_kernel_user
12367 SWAPGS_UNSAFE_STACK
12375 @@ -1421,7 +1705,7 @@ ENTRY(error_entry)
12376 movq_cfi r14, R14+8
12377 movq_cfi r15, R15+8
12379 - testl $3,CS+8(%rsp)
12380 + testb $3,CS+8(%rsp)
12381 je error_kernelspace
12384 @@ -1485,6 +1769,16 @@ ENTRY(nmi)
12385 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12388 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12389 + testb $3, CS(%rsp)
12393 +1: pax_enter_kernel_user
12398 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
12401 @@ -1495,11 +1789,25 @@ ENTRY(nmi)
12402 DISABLE_INTERRUPTS(CLBR_NONE)
12403 testl %ebx,%ebx /* swapgs needed? */
12405 - testl $3,CS(%rsp)
12406 + testb $3,CS(%rsp)
12408 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12410 + SWAPGS_UNSAFE_STACK
12415 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12416 + pax_exit_kernel_user
12420 SWAPGS_UNSAFE_STACK
12428 diff -urNp linux-2.6.38.4/arch/x86/kernel/ftrace.c linux-2.6.38.4/arch/x86/kernel/ftrace.c
12429 --- linux-2.6.38.4/arch/x86/kernel/ftrace.c 2011-03-14 21:20:32.000000000 -0400
12430 +++ linux-2.6.38.4/arch/x86/kernel/ftrace.c 2011-04-17 15:57:32.000000000 -0400
12431 @@ -177,7 +177,9 @@ void ftrace_nmi_enter(void)
12433 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
12435 + pax_open_kernel();
12437 + pax_close_kernel();
12438 atomic_inc(&nmi_update_count);
12440 /* Must have previous changes seen before executions */
12441 @@ -271,6 +273,8 @@ ftrace_modify_code(unsigned long ip, uns
12443 unsigned char replaced[MCOUNT_INSN_SIZE];
12445 + ip = ktla_ktva(ip);
12448 * Note: Due to modules and __init, code can
12449 * disappear and change, we need to protect against faulting
12450 @@ -327,7 +331,7 @@ int ftrace_update_ftrace_func(ftrace_fun
12451 unsigned char old[MCOUNT_INSN_SIZE], *new;
12454 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
12455 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
12456 new = ftrace_call_replace(ip, (unsigned long)func);
12457 ret = ftrace_modify_code(ip, old, new);
12459 @@ -353,6 +357,8 @@ static int ftrace_mod_jmp(unsigned long
12461 unsigned char code[MCOUNT_INSN_SIZE];
12463 + ip = ktla_ktva(ip);
12465 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
12468 diff -urNp linux-2.6.38.4/arch/x86/kernel/head32.c linux-2.6.38.4/arch/x86/kernel/head32.c
12469 --- linux-2.6.38.4/arch/x86/kernel/head32.c 2011-03-14 21:20:32.000000000 -0400
12470 +++ linux-2.6.38.4/arch/x86/kernel/head32.c 2011-04-17 15:57:32.000000000 -0400
12472 #include <asm/io_apic.h>
12473 #include <asm/bios_ebda.h>
12474 #include <asm/tlbflush.h>
12475 +#include <asm/boot.h>
12477 static void __init i386_default_early_setup(void)
12479 @@ -43,7 +44,7 @@ void __init i386_start_kernel(void)
12480 memblock_x86_reserve_range(PAGE_SIZE, PAGE_SIZE + PAGE_SIZE, "EX TRAMPOLINE");
12483 - memblock_x86_reserve_range(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
12484 + memblock_x86_reserve_range(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
12486 #ifdef CONFIG_BLK_DEV_INITRD
12487 /* Reserve INITRD */
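Review bot: The reservation's lower bound changes from `__pa_symbol(&_text)` to the compile-time constant `LOAD_PHYSICAL_ADDR`, so the "TEXT DATA BSS" range no longer tracks the symbol that marks where the text actually begins, and the reason is not stated. Presumably KERNEXEC now places pages below `_text` (such as the int3 fill page added in head_32.S) that must also stay reserved; a comment at the call, e.g. `/* reserve from the load address rather than _text: KERNEXEC puts pages below _text that must not be handed to the allocator */`, would record that dependency. If this configuration can ever be combined with a relocated image, also confirm that the constant still equals the address `__pa_symbol(&_text)` would have yielded, since a constant cannot follow a relocation.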
12488 diff -urNp linux-2.6.38.4/arch/x86/kernel/head_32.S linux-2.6.38.4/arch/x86/kernel/head_32.S
12489 --- linux-2.6.38.4/arch/x86/kernel/head_32.S 2011-03-14 21:20:32.000000000 -0400
12490 +++ linux-2.6.38.4/arch/x86/kernel/head_32.S 2011-04-17 16:02:16.000000000 -0400
12492 /* Physical address */
12493 #define pa(X) ((X) - __PAGE_OFFSET)
12495 +#ifdef CONFIG_PAX_KERNEXEC
12498 +#define ta(X) ((X) - __PAGE_OFFSET)
12502 * References to members of the new_cpu_data structure.
12505 * and small than max_low_pfn, otherwise will waste some page table entries
12508 -#if PTRS_PER_PMD > 1
12509 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
12511 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
12513 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
12515 /* Number of possible pages in the lowmem region */
12516 LOWMEM_PAGES = (((1<<32) - __PAGE_OFFSET) >> PAGE_SHIFT)
12517 @@ -77,6 +79,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
12518 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
12521 + * Real beginning of normal "text" segment
12527 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
12528 * %esi points to the real-mode code as a 32-bit pointer.
12529 * CS and DS must be 4 GB flat segments, but we don't depend on
12530 @@ -84,6 +92,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
12535 +#ifdef CONFIG_PAX_KERNEXEC
12537 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
12538 +.fill PAGE_SIZE-5,1,0xcc
12542 movl pa(stack_start),%ecx
12544 @@ -105,6 +120,57 @@ ENTRY(startup_32)
12546 leal -__PAGE_OFFSET(%ecx),%esp
12549 + movl $pa(cpu_gdt_table),%edi
12550 + movl $__per_cpu_load,%eax
12551 + movw %ax,__KERNEL_PERCPU + 2(%edi)
12553 + movb %al,__KERNEL_PERCPU + 4(%edi)
12554 + movb %ah,__KERNEL_PERCPU + 7(%edi)
12555 + movl $__per_cpu_end - 1,%eax
12556 + subl $__per_cpu_start,%eax
12557 + movw %ax,__KERNEL_PERCPU + 0(%edi)
12560 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12561 + movl $NR_CPUS,%ecx
12562 + movl $pa(cpu_gdt_table),%edi
12564 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
12565 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
12566 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
12567 + addl $PAGE_SIZE_asm,%edi
12571 +#ifdef CONFIG_PAX_KERNEXEC
12572 + movl $pa(boot_gdt),%edi
12573 + movl $__LOAD_PHYSICAL_ADDR,%eax
12574 + movw %ax,__BOOT_CS + 2(%edi)
12576 + movb %al,__BOOT_CS + 4(%edi)
12577 + movb %ah,__BOOT_CS + 7(%edi)
12580 + ljmp $(__BOOT_CS),$1f
12583 + movl $NR_CPUS,%ecx
12584 + movl $pa(cpu_gdt_table),%edi
12585 + addl $__PAGE_OFFSET,%eax
12587 + movw %ax,__KERNEL_CS + 2(%edi)
12588 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
12590 + movb %al,__KERNEL_CS + 4(%edi)
12591 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
12592 + movb %ah,__KERNEL_CS + 7(%edi)
12593 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
12595 + addl $PAGE_SIZE_asm,%edi
12600 * Clear BSS first so that there are no surprises...
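Review bot: The three UDEREF descriptor rewrites `movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700), ...` patch raw GDT high dwords with nothing explaining the encoding. The expression places bits 28..31 of `__PAGE_OFFSET-1` into the descriptor's limit[19:16] field and ORs in fixed access/flag bytes (`0x97` data RW DPL0, `0xfb` code DPL3, `0xf3` data DPL3, G/D set by the `0xc` nibble), so the kernel DS and the default user CS/DS are being given a limit that ends at the top of user space; because the mask discards bits 12..27 and the low limit bits in the other dword are left as they are, the construction assumes `__PAGE_OFFSET` is 256MB-aligned, which should be stated. A short comment above the loop, e.g. `# UDEREF: cap limit of kernel DS and user CS/DS at __PAGE_OFFSET so they cannot address kernel memory (assumes __PAGE_OFFSET is 256MB-aligned)`, would save the next reader from decoding the constants. The loop runs `NR_CPUS` times advancing `%edi` by `PAGE_SIZE_asm`, presumably one GDT page per CPU — confirm against the `cpu_gdt_table` layout at the end of this file.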
12602 @@ -195,8 +261,11 @@ ENTRY(startup_32)
12603 movl %eax, pa(max_pfn_mapped)
12605 /* Do early initialization of the fixmap area */
12606 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
12607 - movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8)
12608 +#ifdef CONFIG_COMPAT_VDSO
12609 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8)
12611 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8)
12613 #else /* Not PAE */
12615 page_pde_offset = (__PAGE_OFFSET >> 20);
12616 @@ -226,8 +295,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
12617 movl %eax, pa(max_pfn_mapped)
12619 /* Do early initialization of the fixmap area */
12620 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
12621 - movl %eax,pa(initial_page_table+0xffc)
12622 +#ifdef CONFIG_COMPAT_VDSO
12623 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc)
12625 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc)
12629 #ifdef CONFIG_PARAVIRT
12630 @@ -241,9 +313,7 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
12631 cmpl $num_subarch_entries, %eax
12634 - movl pa(subarch_entries)(,%eax,4), %eax
12635 - subl $__PAGE_OFFSET, %eax
12637 + jmp *pa(subarch_entries)(,%eax,4)
12641 @@ -255,10 +325,10 @@ WEAK(xen_entry)
12645 - .long default_entry /* normal x86/PC */
12646 - .long lguest_entry /* lguest hypervisor */
12647 - .long xen_entry /* Xen hypervisor */
12648 - .long default_entry /* Moorestown MID */
12649 + .long pa(default_entry) /* normal x86/PC */
12650 + .long pa(lguest_entry) /* lguest hypervisor */
12651 + .long pa(xen_entry) /* Xen hypervisor */
12652 + .long pa(default_entry) /* Moorestown MID */
12653 num_subarch_entries = (. - subarch_entries) / 4
12656 @@ -312,6 +382,7 @@ default_entry:
12660 +#ifdef CONFIG_X86_PAE
12661 testb $X86_CR4_PAE, %al # check if PAE is enabled
12664 @@ -340,6 +411,9 @@ default_entry:
12665 /* Make changes effective */
12668 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
12674 @@ -443,7 +517,7 @@ is386: movl $2,%ecx # set MP
12675 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
12676 movl %eax,%ss # after changing gdt.
12678 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
12679 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
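Review bot: `# movl $(__KERNEL_DS),%eax` leaves a commented-out instruction in place of the removed `movl $(__USER_DS),%eax`; in GAS the `#` makes it dead text, so the reader has to work out that the following segment loads now rely on %eax still holding `__KERNEL_DS` from the `1:` line above. Replace the disabled code with a statement of intent, e.g. `# %eax still holds __KERNEL_DS from above: DS/ES get the kernel segment, not __USER_DS`. The remaining lines of this hunk (presumably the `%ds`/`%es` loads) are not shown here.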
12683 @@ -457,15 +531,22 @@ is386: movl $2,%ecx # set MP
12687 - movl $gdt_page,%eax
12688 + movl $cpu_gdt_table,%eax
12689 movl $stack_canary,%ecx
12691 + addl $__per_cpu_load,%ecx
12693 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
12695 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
12696 movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
12699 movl $(__KERNEL_STACK_CANARY),%eax
12700 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
12701 + movl $(__USER_DS),%eax
12707 xorl %eax,%eax # Clear LDT
12708 @@ -558,22 +639,22 @@ early_page_fault:
12713 #ifdef CONFIG_PRINTK
12714 + cmpl $1,%ss:early_recursion_flag
12716 + incl %ss:early_recursion_flag
12719 movl $(__KERNEL_DS),%eax
12722 - cmpl $2,early_recursion_flag
12724 - incl early_recursion_flag
12727 pushl %edx /* trapno */
12736 @@ -581,8 +662,11 @@ hlt_loop:
12737 /* This is the default interrupt "handler" :-) */
12741 #ifdef CONFIG_PRINTK
12742 + cmpl $2,%ss:early_recursion_flag
12744 + incl %ss:early_recursion_flag
12749 @@ -591,9 +675,6 @@ ignore_int:
12750 movl $(__KERNEL_DS),%eax
12753 - cmpl $2,early_recursion_flag
12755 - incl early_recursion_flag
12759 @@ -622,29 +703,43 @@ ENTRY(initial_code)
12763 -__PAGE_ALIGNED_BSS
12764 - .align PAGE_SIZE_asm
12765 #ifdef CONFIG_X86_PAE
12766 +.section .initial_pg_pmd,"a",@progbits
12768 .fill 1024*KPMDS,4,0
12770 +.section .initial_page_table,"a",@progbits
12771 ENTRY(initial_page_table)
12774 +.section .initial_pg_fixmap,"a",@progbits
12777 +.section .empty_zero_page,"a",@progbits
12778 ENTRY(empty_zero_page)
12780 +.section .swapper_pg_dir,"a",@progbits
12781 ENTRY(swapper_pg_dir)
12782 +#ifdef CONFIG_X86_PAE
12789 + * The IDT has to be page-aligned to simplify the Pentium
12790 + * F0 0F bug workaround.. We have a special link segment
12793 +.section .idt,"a",@progbits
12798 * This starts the data section.
12800 #ifdef CONFIG_X86_PAE
12801 -__PAGE_ALIGNED_DATA
12802 - /* Page-aligned for the benefit of paravirt? */
12803 - .align PAGE_SIZE_asm
12804 +.section .initial_page_table,"a",@progbits
12805 ENTRY(initial_page_table)
12806 .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
12808 @@ -663,18 +758,27 @@ ENTRY(initial_page_table)
12809 # error "Kernel PMDs should be 1, 2 or 3"
12811 .align PAGE_SIZE_asm /* needs to be page-sized too */
12813 +#ifdef CONFIG_PAX_PER_CPU_PGD
12825 - .long init_thread_union+THREAD_SIZE
12826 + .long init_thread_union+THREAD_SIZE-8
12830 +.section .rodata,"a",@progbits
12831 early_recursion_flag:
12837 .asciz "Unknown interrupt or fault at: %p %p %p\n"
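Review bot: `early_recursion_flag:` now immediately follows the added `.section .rodata,"a",@progbits` directive, yet it is a read-write counter, incremented by `incl %ss:early_recursion_flag` in the `early_page_fault` and `ignore_int` hunks above. If it really lands in .rodata this only works while that mapping is still writable during early boot, and will silently fault once the section is made read-only (or under a configuration that protects .rodata from the start). Either keep the flag in a writable section or add a comment such as `# written only during early boot, before .rodata is made read-only by mark_rodata_ro()`. Intervening lines of this hunk are not shown, so the section placement should be confirmed against the full patch.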
12839 @@ -707,7 +811,7 @@ fault_msg:
12840 .word 0 # 32 bit align gdt_desc.address
12843 - .long boot_gdt - __PAGE_OFFSET
12844 + .long pa(boot_gdt)
12846 .word 0 # 32-bit align idt_desc.address
12848 @@ -718,7 +822,7 @@ idt_descr:
12849 .word 0 # 32 bit align gdt_desc.address
12850 ENTRY(early_gdt_descr)
12851 .word GDT_ENTRIES*8-1
12852 - .long gdt_page /* Overwritten for secondary CPUs */
12853 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
12856 * The boot_gdt must mirror the equivalent in setup.S and is
12857 @@ -727,5 +831,65 @@ ENTRY(early_gdt_descr)
12858 .align L1_CACHE_BYTES
12860 .fill GDT_ENTRY_BOOT_CS,8,0
12861 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
12862 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
12863 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
12864 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
12866 + .align PAGE_SIZE_asm
12867 +ENTRY(cpu_gdt_table)
12869 + .quad 0x0000000000000000 /* NULL descriptor */
12870 + .quad 0x0000000000000000 /* 0x0b reserved */
12871 + .quad 0x0000000000000000 /* 0x13 reserved */
12872 + .quad 0x0000000000000000 /* 0x1b reserved */
12874 +#ifdef CONFIG_PAX_KERNEXEC
12875 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
12877 + .quad 0x0000000000000000 /* 0x20 unused */
12880 + .quad 0x0000000000000000 /* 0x28 unused */
12881 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
12882 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
12883 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
12884 + .quad 0x0000000000000000 /* 0x4b reserved */
12885 + .quad 0x0000000000000000 /* 0x53 reserved */
12886 + .quad 0x0000000000000000 /* 0x5b reserved */
12888 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
12889 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
12890 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
12891 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
12893 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
12894 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
12897 + * Segments used for calling PnP BIOS have byte granularity.
12898 + * The code segments and data segments have fixed 64k limits,
12899 + * the transfer segment sizes are set at run time.
12901 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
12902 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
12903 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
12904 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
12905 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
12908 + * The APM segments have byte granularity and their bases
12909 + * are set at run time. All have 64k limits.
12911 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
12912 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
12913 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
12915 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
12916 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
12917 + .quad 0x0040910000000018 /* 0xe0 - STACK_CANARY */
12918 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
12919 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
12920 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
12922 + /* Be sure this is zeroed to avoid false validations in Xen */
12923 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
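Review bot: The boot GDT descriptors change from `0x00cf9a000000ffff`/`0x00cf92000000ffff` to `0x00cf9b000000ffff`/`0x00cf93000000ffff`, i.e. the accessed bit of the type field is now pre-set, and the same `..9b`/`..93` pattern is used throughout the new `cpu_gdt_table`, but no comment says why. Presumably this is so the CPU never has to write the A bit into a GDT that may be mapped read-only (the 64-bit `cpu_gdt_table` hunk appears to place its table in `.rodata`); a one-line comment above `boot_gdt` and `cpu_gdt_table`, e.g. `/* accessed bit pre-set: the GDT may be mapped read-only, so the CPU must never need to write it */`, would record that. Also worth noting that the `.fill PAGE_SIZE_asm - GDT_SIZE,1,0` padding makes each table exactly one page, which the `shll $PAGE_SHIFT_asm` per-CPU indexing in entry_32.S depends on — a comment linking the two would help.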
12925 diff -urNp linux-2.6.38.4/arch/x86/kernel/head_64.S linux-2.6.38.4/arch/x86/kernel/head_64.S
12926 --- linux-2.6.38.4/arch/x86/kernel/head_64.S 2011-03-14 21:20:32.000000000 -0400
12927 +++ linux-2.6.38.4/arch/x86/kernel/head_64.S 2011-04-17 15:57:32.000000000 -0400
12929 #include <asm/cache.h>
12930 #include <asm/processor-flags.h>
12931 #include <asm/percpu.h>
12932 +#include <asm/cpufeature.h>
12934 #ifdef CONFIG_PARAVIRT
12935 #include <asm/asm-offsets.h>
12936 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
12937 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
12938 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
12939 L3_START_KERNEL = pud_index(__START_KERNEL_map)
12940 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
12941 +L3_VMALLOC_START = pud_index(VMALLOC_START)
12942 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
12943 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
12947 @@ -85,35 +90,22 @@ startup_64:
12949 addq %rbp, init_level4_pgt + 0(%rip)
12950 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
12951 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
12952 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
12953 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
12955 addq %rbp, level3_ident_pgt + 0(%rip)
12956 +#ifndef CONFIG_XEN
12957 + addq %rbp, level3_ident_pgt + 8(%rip)
12960 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
12961 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
12962 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
12964 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12965 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
12966 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
12968 - /* Add an Identity mapping if I am above 1G */
12969 - leaq _text(%rip), %rdi
12970 - andq $PMD_PAGE_MASK, %rdi
12973 - shrq $PUD_SHIFT, %rax
12974 - andq $(PTRS_PER_PUD - 1), %rax
12975 - jz ident_complete
12977 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
12978 - leaq level3_ident_pgt(%rip), %rbx
12979 - movq %rdx, 0(%rbx, %rax, 8)
12982 - shrq $PMD_SHIFT, %rax
12983 - andq $(PTRS_PER_PMD - 1), %rax
12984 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
12985 - leaq level2_spare_pgt(%rip), %rbx
12986 - movq %rdx, 0(%rbx, %rax, 8)
12988 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12989 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
12992 * Fixup the kernel text+data virtual addresses. Note that
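Review bot: Dropping the "Add an Identity mapping if I am above 1G" block (the `leaq _text(%rip), %rdi` … `movq %rdx, 0(%rbx, %rax, 8)` lines) removes the only code that extended the early identity map to wherever the image was actually loaded; the replacement, visible in the `level2_ident_pgt` hunk below as `PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)` plus a second `level3_ident_pgt` entry, maps a fixed first 2G instead. A relocatable image loaded above 2G (a crash kernel, for instance) would then presumably run `startup_64` without an identity mapping of itself. If that is an accepted constraint, state it where the block was removed, e.g. `/* no dynamic ident map any more: the kernel must be loaded below 2G (see level2_ident_pgt) */`, and ideally reject such load addresses at build or boot time rather than failing silently.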
12993 @@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
12994 * after the boot processor executes this code.
12997 - /* Enable PAE mode and PGE */
12998 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
12999 + /* Enable PAE mode and PSE/PGE */
13000 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
13003 /* Setup early boot stage 4 level pagetables. */
13004 @@ -184,9 +176,14 @@ ENTRY(secondary_startup_64)
13005 movl $MSR_EFER, %ecx
13007 btsl $_EFER_SCE, %eax /* Enable System Call */
13008 - btl $20,%edi /* No Execute supported? */
13009 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
13011 btsl $_EFER_NX, %eax
13012 + leaq init_level4_pgt(%rip), %rdi
13013 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
13014 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
13015 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
13016 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
13017 1: wrmsr /* Make changes effective */
13020 @@ -270,7 +267,7 @@ ENTRY(secondary_startup_64)
13024 - .section ".init.text","ax"
13026 #ifdef CONFIG_EARLY_PRINTK
13027 .globl early_idt_handlers
13028 early_idt_handlers:
13029 @@ -315,18 +312,23 @@ ENTRY(early_idt_handler)
13030 #endif /* EARLY_PRINTK */
13035 #ifdef CONFIG_EARLY_PRINTK
13037 early_recursion_flag:
13041 + .section .rodata,"a",@progbits
13043 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
13046 -#endif /* CONFIG_EARLY_PRINTK */
13048 +#endif /* CONFIG_EARLY_PRINTK */
13050 + .section .rodata,"a",@progbits
13051 #define NEXT_PAGE(name) \
13052 .balign PAGE_SIZE; \
13054 @@ -339,7 +341,6 @@ ENTRY(name)
13060 * This default setting generates an ident mapping at address 0x100000
13061 * and a mapping for the kernel that precisely maps virtual address
13062 @@ -350,13 +351,36 @@ NEXT_PAGE(init_level4_pgt)
13063 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13064 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
13065 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13066 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
13067 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
13068 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
13069 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
13070 .org init_level4_pgt + L4_START_KERNEL*8, 0
13071 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
13072 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
13074 +#ifdef CONFIG_PAX_PER_CPU_PGD
13075 +NEXT_PAGE(cpu_pgd)
13081 NEXT_PAGE(level3_ident_pgt)
13082 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13086 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
13090 +NEXT_PAGE(level3_vmalloc_pgt)
13093 +NEXT_PAGE(level3_vmemmap_pgt)
13094 + .fill L3_VMEMMAP_START,8,0
13095 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
13097 NEXT_PAGE(level3_kernel_pgt)
13098 .fill L3_START_KERNEL,8,0
13099 @@ -364,20 +388,23 @@ NEXT_PAGE(level3_kernel_pgt)
13100 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
13101 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
13103 +NEXT_PAGE(level2_vmemmap_pgt)
13106 NEXT_PAGE(level2_fixmap_pgt)
13108 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
13109 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
13112 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
13113 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
13116 -NEXT_PAGE(level1_fixmap_pgt)
13117 +NEXT_PAGE(level1_vsyscall_pgt)
13120 -NEXT_PAGE(level2_ident_pgt)
13121 - /* Since I easily can, map the first 1G.
13122 + /* Since I easily can, map the first 2G.
13123 * Don't set NX because code runs from these pages.
13125 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
13126 +NEXT_PAGE(level2_ident_pgt)
13127 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
13129 NEXT_PAGE(level2_kernel_pgt)
13131 @@ -390,33 +417,55 @@ NEXT_PAGE(level2_kernel_pgt)
13132 * If you want to increase this then increase MODULES_VADDR
13135 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
13136 - KERNEL_IMAGE_SIZE/PMD_SIZE)
13138 -NEXT_PAGE(level2_spare_pgt)
13140 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
13147 +ENTRY(cpu_gdt_table)
13149 + .quad 0x0000000000000000 /* NULL descriptor */
13150 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
13151 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
13152 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
13153 + .quad 0x00cffb000000ffff /* __USER32_CS */
13154 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
13155 + .quad 0x00affb000000ffff /* __USER_CS */
13157 +#ifdef CONFIG_PAX_KERNEXEC
13158 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
13160 + .quad 0x0 /* unused */
13163 + .quad 0,0 /* TSS */
13164 + .quad 0,0 /* LDT */
13165 + .quad 0,0,0 /* three TLS descriptors */
13166 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
13167 + /* asm/segment.h:GDT_ENTRIES must match this */
13169 + /* zero the remaining page */
13170 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
13174 .globl early_gdt_descr
13176 .word GDT_ENTRIES*8-1
13177 early_gdt_descr_base:
13178 - .quad INIT_PER_CPU_VAR(gdt_page)
13179 + .quad cpu_gdt_table
13182 /* This must match the first entry in level2_kernel_pgt */
13183 .quad 0x0000000000000000
13185 #include "../../x86/xen/xen-head.S"
13187 - .section .bss, "aw", @nobits
13189 + .section .rodata,"a",@progbits
13190 .align L1_CACHE_BYTES
13192 - .skip IDT_ENTRIES * 16
13197 diff -urNp linux-2.6.38.4/arch/x86/kernel/i386_ksyms_32.c linux-2.6.38.4/arch/x86/kernel/i386_ksyms_32.c
13198 --- linux-2.6.38.4/arch/x86/kernel/i386_ksyms_32.c 2011-03-14 21:20:32.000000000 -0400
13199 +++ linux-2.6.38.4/arch/x86/kernel/i386_ksyms_32.c 2011-04-17 15:57:32.000000000 -0400
13200 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
13201 EXPORT_SYMBOL(cmpxchg8b_emu);
13204 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
13206 /* Networking helper routines. */
13207 EXPORT_SYMBOL(csum_partial_copy_generic);
13208 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
13209 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
13211 EXPORT_SYMBOL(__get_user_1);
13212 EXPORT_SYMBOL(__get_user_2);
13213 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
13215 EXPORT_SYMBOL(csum_partial);
13216 EXPORT_SYMBOL(empty_zero_page);
13218 +#ifdef CONFIG_PAX_KERNEXEC
13219 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
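Review bot: `__LOAD_PHYSICAL_ADDR` is exported with plain `EXPORT_SYMBOL` while `cpu_gdt_table`, exported from the same file in the hunk above, is `EXPORT_SYMBOL_GPL`; both expose KERNEXEC-internal layout facts rather than a driver API. Unless an out-of-tree consumer needs it, use `EXPORT_SYMBOL_GPL(__LOAD_PHYSICAL_ADDR);` and say in a comment what the symbol is for (presumably the ktla/ktva text-address translation used throughout this patch, though its definition is not in view). The closing `#endif` of the block is not visible in this hunk.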
13221 diff -urNp linux-2.6.38.4/arch/x86/kernel/init_task.c linux-2.6.38.4/arch/x86/kernel/init_task.c
13222 --- linux-2.6.38.4/arch/x86/kernel/init_task.c 2011-03-14 21:20:32.000000000 -0400
13223 +++ linux-2.6.38.4/arch/x86/kernel/init_task.c 2011-04-17 15:57:32.000000000 -0400
13224 @@ -20,8 +20,7 @@ static struct sighand_struct init_sighan
13225 * way process stacks are handled. This is done by having a special
13226 * "init_task" linker map entry..
13228 -union thread_union init_thread_union __init_task_data =
13229 - { INIT_THREAD_INFO(init_task) };
13230 +union thread_union init_thread_union __init_task_data;
13233 * Initial task structure.
13234 @@ -38,5 +37,5 @@ EXPORT_SYMBOL(init_task);
13235 * section. Since TSS's are completely CPU-local, we want them
13236 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
13238 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
13240 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
13241 +EXPORT_SYMBOL(init_tss);
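Review bot: The comment kept as context above this definition ("placed in the per-CPU section... on exact cacheline boundaries") is now stale, because `init_tss` is no longer a `DEFINE_PER_CPU_SHARED_ALIGNED` variable but a plain `struct tss_struct init_tss[NR_CPUS]` array. It should be rewritten along the lines of `/* One TSS per CPU slot, as a static NR_CPUS array rather than per-CPU data; internode-aligned so each TSS sits on its own cacheline(s) */`, with the reason for abandoning per-CPU storage added by the author since it is not stated anywhere in this hunk. Note also that the array reserves `NR_CPUS * sizeof(struct tss_struct)` (the TSS carries the I/O bitmap) regardless of how many CPUs are actually present, whereas the per-CPU area is sized by the possible-CPU count; for large-NR_CPUS builds that cost deserves a sentence in the commit message.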
13242 diff -urNp linux-2.6.38.4/arch/x86/kernel/ioport.c linux-2.6.38.4/arch/x86/kernel/ioport.c
13243 --- linux-2.6.38.4/arch/x86/kernel/ioport.c 2011-03-14 21:20:32.000000000 -0400
13244 +++ linux-2.6.38.4/arch/x86/kernel/ioport.c 2011-04-17 15:57:32.000000000 -0400
13246 #include <linux/sched.h>
13247 #include <linux/kernel.h>
13248 #include <linux/capability.h>
13249 +#include <linux/security.h>
13250 #include <linux/errno.h>
13251 #include <linux/types.h>
13252 #include <linux/ioport.h>
13253 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
13255 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
13257 +#ifdef CONFIG_GRKERNSEC_IO
13258 + if (turn_on && grsec_disable_privio) {
13259 + gr_handle_ioperm();
13263 if (turn_on && !capable(CAP_SYS_RAWIO))
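Review bot: The new `grsec_disable_privio` gate in sys_ioperm is placed ahead of the `capable(CAP_SYS_RAWIO)` test, so the denial applies even to fully privileged callers; that ordering is the point of the feature, but nothing says so, and sys_iopl repeats the same pattern further down with the same silence. A comment on both sites, e.g. `/* CONFIG_GRKERNSEC_IO: refuse raw port access even to CAP_SYS_RAWIO holders, so this must stay ahead of the capable() check */`, keeps a future reordering from quietly weakening it. The return statement inside the grsec branch is not visible in this hunk, so the error code returned to userspace cannot be checked here.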
13266 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
13267 * because the ->io_bitmap_max value must match the bitmap
13270 - tss = &per_cpu(init_tss, get_cpu());
13271 + tss = init_tss + get_cpu();
13273 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
13275 @@ -112,6 +119,12 @@ long sys_iopl(unsigned int level, struct
13277 /* Trying to gain more privileges? */
13279 +#ifdef CONFIG_GRKERNSEC_IO
13280 + if (grsec_disable_privio) {
13281 + gr_handle_iopl();
13285 if (!capable(CAP_SYS_RAWIO))
13288 diff -urNp linux-2.6.38.4/arch/x86/kernel/irq_32.c linux-2.6.38.4/arch/x86/kernel/irq_32.c
13289 --- linux-2.6.38.4/arch/x86/kernel/irq_32.c 2011-03-14 21:20:32.000000000 -0400
13290 +++ linux-2.6.38.4/arch/x86/kernel/irq_32.c 2011-04-17 15:57:32.000000000 -0400
13291 @@ -36,7 +36,7 @@ static int check_stack_overflow(void)
13292 __asm__ __volatile__("andl %%esp,%0" :
13293 "=r" (sp) : "0" (THREAD_SIZE - 1));
13295 - return sp < (sizeof(struct thread_info) + STACK_WARN);
13296 + return sp < STACK_WARN;
13299 static void print_stack_overflow(void)
13300 @@ -54,8 +54,8 @@ static inline void print_stack_overflow(
13301 * per-CPU IRQ handling contexts (thread information and stack)
13304 - struct thread_info tinfo;
13305 - u32 stack[THREAD_SIZE/sizeof(u32)];
13306 + unsigned long previous_esp;
13307 + u32 stack[THREAD_SIZE/sizeof(u32)];
13308 } __attribute__((aligned(THREAD_SIZE)));
13310 static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
13311 @@ -75,10 +75,9 @@ static void call_on_stack(void *func, vo
13313 execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
13315 - union irq_ctx *curctx, *irqctx;
13316 + union irq_ctx *irqctx;
13317 u32 *isp, arg1, arg2;
13319 - curctx = (union irq_ctx *) current_thread_info();
13320 irqctx = __this_cpu_read(hardirq_ctx);
13323 @@ -87,21 +86,17 @@ execute_on_irq_stack(int overflow, struc
13324 * handler) we can't do that and just have to keep using the
13325 * current stack (which is the irq stack already after all)
13327 - if (unlikely(curctx == irqctx))
13328 + if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE))
13331 /* build the stack frame on the IRQ stack */
13332 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
13333 - irqctx->tinfo.task = curctx->tinfo.task;
13334 - irqctx->tinfo.previous_esp = current_stack_pointer;
13335 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
13336 + irqctx->previous_esp = current_stack_pointer;
13337 + add_preempt_count(HARDIRQ_OFFSET);
13340 - * Copy the softirq bits in preempt_count so that the
13341 - * softirq checks work in the hardirq context.
13343 - irqctx->tinfo.preempt_count =
13344 - (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
13345 - (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
13346 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13347 + __set_fs(MAKE_MM_SEG(0));
13350 if (unlikely(overflow))
13351 call_on_stack(print_stack_overflow, isp);
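Review bot: The replacement test `(void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE` is a signed pointer difference compared against an unsigned size: a task stack that lies below the IRQ context gives a negative `ptrdiff_t`, which only fails the comparison because it is converted to a huge unsigned value by the usual arithmetic conversions (assuming THREAD_SIZE is an `unsigned long` expression, as PAGE_SIZE-derived constants normally are). That is correct but fragile and will trip `-Wsign-compare`; make the intent explicit with `if (unlikely((unsigned long)current_stack_pointer - (unsigned long)irqctx < THREAD_SIZE))`. The `- 8` in `isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8)` is a bare magic number that also appears in the copy_thread hunks of process_32.c and process_64.c; give it one named constant with a comment on what the reserved 8 bytes hold. execute_on_irq_stack continues into the next hunk.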
13352 @@ -113,6 +108,12 @@ execute_on_irq_stack(int overflow, struc
13353 : "0" (irq), "1" (desc), "2" (isp),
13354 "D" (desc->handle_irq)
13355 : "memory", "cc", "ecx");
13357 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13358 + __set_fs(current_thread_info()->addr_limit);
13361 + sub_preempt_count(HARDIRQ_OFFSET);
13365 @@ -121,29 +122,11 @@ execute_on_irq_stack(int overflow, struc
13367 void __cpuinit irq_ctx_init(int cpu)
13369 - union irq_ctx *irqctx;
13371 if (per_cpu(hardirq_ctx, cpu))
13374 - irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
13377 - memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
13378 - irqctx->tinfo.cpu = cpu;
13379 - irqctx->tinfo.preempt_count = HARDIRQ_OFFSET;
13380 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
13382 - per_cpu(hardirq_ctx, cpu) = irqctx;
13384 - irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
13387 - memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
13388 - irqctx->tinfo.cpu = cpu;
13389 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
13391 - per_cpu(softirq_ctx, cpu) = irqctx;
13392 + per_cpu(hardirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
13393 + per_cpu(softirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
13395 printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
13396 cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
13397 @@ -152,7 +135,6 @@ void __cpuinit irq_ctx_init(int cpu)
13398 asmlinkage void do_softirq(void)
13400 unsigned long flags;
13401 - struct thread_info *curctx;
13402 union irq_ctx *irqctx;
13405 @@ -162,15 +144,22 @@ asmlinkage void do_softirq(void)
13406 local_irq_save(flags);
13408 if (local_softirq_pending()) {
13409 - curctx = current_thread_info();
13410 irqctx = __this_cpu_read(softirq_ctx);
13411 - irqctx->tinfo.task = curctx->task;
13412 - irqctx->tinfo.previous_esp = current_stack_pointer;
13413 + irqctx->previous_esp = current_stack_pointer;
13415 /* build the stack frame on the softirq stack */
13416 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
13417 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
13419 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13420 + __set_fs(MAKE_MM_SEG(0));
13423 call_on_stack(__do_softirq, isp);
13425 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13426 + __set_fs(current_thread_info()->addr_limit);
13430 * Shouldnt happen, we returned above if in_interrupt():
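Review bot: do_softirq now repeats, line for line, the stack-switch prologue and epilogue that execute_on_irq_stack gained in the hunk above: store `previous_esp`, compute `isp` with the same `- 8`, `__set_fs(MAKE_MM_SEG(0))` under CONFIG_PAX_MEMORY_UDEREF, call, then `__set_fs(current_thread_info()->addr_limit)`. Factoring both sites into a small static helper that takes the `union irq_ctx *`, records `previous_esp` and returns `isp`, plus a pair for the UDEREF fs switch, keeps them from drifting; the `- 8` in particular must stay identical in both. Since `union irq_ctx` no longer carries a thread_info, `current_thread_info()` in the restore presumably now comes from per-CPU state rather than from masking %esp; a comment naming that dependency would help, as the new implementation is not in this file.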
13432 diff -urNp linux-2.6.38.4/arch/x86/kernel/kgdb.c linux-2.6.38.4/arch/x86/kernel/kgdb.c
13433 --- linux-2.6.38.4/arch/x86/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
13434 +++ linux-2.6.38.4/arch/x86/kernel/kgdb.c 2011-04-17 15:57:32.000000000 -0400
13435 @@ -124,11 +124,11 @@ char *dbg_get_reg(int regno, void *mem,
13437 #ifdef CONFIG_X86_32
13439 - if (!user_mode_vm(regs))
13440 + if (!user_mode(regs))
13441 *(unsigned long *)mem = __KERNEL_DS;
13444 - if (!user_mode_vm(regs))
13445 + if (!user_mode(regs))
13446 *(unsigned long *)mem = kernel_stack_pointer(regs);
13449 @@ -719,7 +719,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
13453 -struct kgdb_arch arch_kgdb_ops = {
13454 +const struct kgdb_arch arch_kgdb_ops = {
13455 /* Breakpoint instruction: */
13456 .gdb_bpt_instr = { 0xcc },
13457 .flags = KGDB_HW_BREAKPOINT,
13458 diff -urNp linux-2.6.38.4/arch/x86/kernel/kprobes.c linux-2.6.38.4/arch/x86/kernel/kprobes.c
13459 --- linux-2.6.38.4/arch/x86/kernel/kprobes.c 2011-03-14 21:20:32.000000000 -0400
13460 +++ linux-2.6.38.4/arch/x86/kernel/kprobes.c 2011-04-17 15:57:32.000000000 -0400
13461 @@ -115,8 +115,11 @@ static void __kprobes __synthesize_relat
13462 } __attribute__((packed)) *insn;
13464 insn = (struct __arch_relative_insn *)from;
13466 + pax_open_kernel();
13467 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
13469 + pax_close_kernel();
13472 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
13473 @@ -153,7 +156,7 @@ static int __kprobes can_boost(kprobe_op
13474 kprobe_opcode_t opcode;
13475 kprobe_opcode_t *orig_opcodes = opcodes;
13477 - if (search_exception_tables((unsigned long)opcodes))
13478 + if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
13479 return 0; /* Page fault may occur on this address. */
13482 @@ -314,7 +317,9 @@ static int __kprobes __copy_instruction(
13485 insn_get_length(&insn);
13486 + pax_open_kernel();
13487 memcpy(dest, insn.kaddr, insn.length);
13488 + pax_close_kernel();
13490 #ifdef CONFIG_X86_64
13491 if (insn_rip_relative(&insn)) {
13492 @@ -338,7 +343,9 @@ static int __kprobes __copy_instruction(
13494 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
13495 disp = (u8 *) dest + insn_offset_displacement(&insn);
13496 + pax_open_kernel();
13497 *(s32 *) disp = (s32) newdisp;
13498 + pax_close_kernel();
13501 return insn.length;
13502 @@ -352,12 +359,12 @@ static void __kprobes arch_copy_kprobe(s
13504 __copy_instruction(p->ainsn.insn, p->addr, 0);
13506 - if (can_boost(p->addr))
13507 + if (can_boost(ktla_ktva(p->addr)))
13508 p->ainsn.boostable = 0;
13510 p->ainsn.boostable = -1;
13512 - p->opcode = *p->addr;
13513 + p->opcode = *(ktla_ktva(p->addr));
13516 int __kprobes arch_prepare_kprobe(struct kprobe *p)
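Review bot: The `ktla_ktva()`/`ktva_ktla()` round trip in arch_copy_kprobe deserves a comment: the call passes `ktla_ktva(p->addr)` to can_boost, which reads the instruction bytes through that alias but converts back with `ktva_ktla()` before `search_exception_tables()` (see the earlier hunk), and `p->opcode` is likewise read through `ktla_ktva(p->addr)`. Without a note the next reader will assume one of the two conversions is redundant and remove it. Suggested text above the `can_boost` call: `/* under KERNEXEC kernel text is read through its ktva alias; exception-table lookups and execution use the ktla address, which can_boost maps back to internally */` — the execution half should stay hedged, since the alias mapping itself is defined outside this file.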
13517 @@ -474,7 +481,7 @@ static void __kprobes setup_singlestep(s
13518 * nor set current_kprobe, because it doesn't use single
13521 - regs->ip = (unsigned long)p->ainsn.insn;
13522 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
13523 preempt_enable_no_resched();
13526 @@ -493,7 +500,7 @@ static void __kprobes setup_singlestep(s
13527 if (p->opcode == BREAKPOINT_INSTRUCTION)
13528 regs->ip = (unsigned long)p->addr;
13530 - regs->ip = (unsigned long)p->ainsn.insn;
13531 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
13535 @@ -572,7 +579,7 @@ static int __kprobes kprobe_handler(stru
13536 setup_singlestep(p, regs, kcb, 0);
13539 - } else if (*addr != BREAKPOINT_INSTRUCTION) {
13540 + } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
13542 * The breakpoint instruction was removed right
13543 * after we hit it. Another cpu has removed
13544 @@ -817,7 +824,7 @@ static void __kprobes resume_execution(s
13545 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
13547 unsigned long *tos = stack_addr(regs);
13548 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
13549 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
13550 unsigned long orig_ip = (unsigned long)p->addr;
13551 kprobe_opcode_t *insn = p->ainsn.insn;
13553 @@ -999,7 +1006,7 @@ int __kprobes kprobe_exceptions_notify(s
13554 struct die_args *args = data;
13555 int ret = NOTIFY_DONE;
13557 - if (args->regs && user_mode_vm(args->regs))
13558 + if (args->regs && user_mode(args->regs))
13562 @@ -1372,7 +1379,7 @@ int __kprobes arch_prepare_optimized_kpr
13563 * Verify if the address gap is in 2GB range, because this uses
13566 - rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE;
13567 + rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;
13568 if (abs(rel) > 0x7fffffff)
13571 @@ -1393,11 +1400,11 @@ int __kprobes arch_prepare_optimized_kpr
13572 synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op);
13574 /* Set probe function call */
13575 - synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback);
13576 + synthesize_relcall(buf + TMPL_CALL_IDX, ktla_ktva(optimized_callback));
13578 /* Set returning jmp instruction at the tail of out-of-line buffer */
13579 synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
13580 - (u8 *)op->kp.addr + op->optinsn.size);
13581 + (u8 *)ktla_ktva(op->kp.addr) + op->optinsn.size);
13583 flush_icache_range((unsigned long) buf,
13584 (unsigned long) buf + TMPL_END_IDX +
13585 @@ -1419,7 +1426,7 @@ static void __kprobes setup_optimize_kpr
13586 ((long)op->kp.addr + RELATIVEJUMP_SIZE));
13588 /* Backup instructions which will be replaced by jump address */
13589 - memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE,
13590 + memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE,
13591 RELATIVE_ADDR_SIZE);
13593 insn_buf[0] = RELATIVEJUMP_OPCODE;
13594 diff -urNp linux-2.6.38.4/arch/x86/kernel/ldt.c linux-2.6.38.4/arch/x86/kernel/ldt.c
13595 --- linux-2.6.38.4/arch/x86/kernel/ldt.c 2011-03-14 21:20:32.000000000 -0400
13596 +++ linux-2.6.38.4/arch/x86/kernel/ldt.c 2011-04-17 15:57:32.000000000 -0400
13597 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
13602 + load_LDT_nolock(pc);
13603 if (!cpumask_equal(mm_cpumask(current->mm),
13604 cpumask_of(smp_processor_id())))
13605 smp_call_function(flush_ldt, current->mm, 1);
13609 + load_LDT_nolock(pc);
13613 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
13616 for (i = 0; i < old->size; i++)
13617 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
13618 + write_ldt_entry(new->ldt, i, old->ldt + i);
13622 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct
13623 retval = copy_ldt(&mm->context, &old_mm->context);
13624 mutex_unlock(&old_mm->context.lock);
13627 + if (tsk == current) {
13628 + mm->context.vdso = 0;
13630 +#ifdef CONFIG_X86_32
13631 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
13632 + mm->context.user_cs_base = 0UL;
13633 + mm->context.user_cs_limit = ~0UL;
13635 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
13636 + cpus_clear(mm->context.cpu_user_cs_mask);
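Review bot: The new `cpus_clear(mm->context.cpu_user_cs_mask)` uses the old `cpus_*` cpumask API, while the rest of this file, including the hunk just above with `cpumask_equal`/`mm_cpumask`/`cpumask_of`, uses the `cpumask_*` interface that replaced it. If `cpu_user_cs_mask` is a `cpumask_t`, write `cpumask_clear(&mm->context.cpu_user_cs_mask);` for consistency; the field's definition is not in this view. The closing braces of the new `if (tsk == current)` block and whatever the `#else` paths do fall outside this hunk.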
13647 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
13651 +#ifdef CONFIG_PAX_SEGMEXEC
13652 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
13658 fill_ldt(&ldt, &ldt_info);
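Review bot: The SEGMEXEC check rejects an LDT descriptor when `ldt_info.contents & MODIFY_LDT_CONTENTS_CODE` is set, and the bitwise test rather than `==` is what makes it also catch conforming code segments, assuming MODIFY_LDT_CONTENTS_CODE is the bit value 2 with conforming code encoded as 3 as in asm/ldt.h. That is the right choice, but it reads like a typo for `==`; a comment such as `/* bit 1 of contents marks both conforming and non-conforming code segments */` protects it from a well-meaning "fix". The error value returned from this branch is not visible in the hunk.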
13661 diff -urNp linux-2.6.38.4/arch/x86/kernel/machine_kexec_32.c linux-2.6.38.4/arch/x86/kernel/machine_kexec_32.c
13662 --- linux-2.6.38.4/arch/x86/kernel/machine_kexec_32.c 2011-03-14 21:20:32.000000000 -0400
13663 +++ linux-2.6.38.4/arch/x86/kernel/machine_kexec_32.c 2011-04-17 15:57:32.000000000 -0400
13665 #include <asm/cacheflush.h>
13666 #include <asm/debugreg.h>
13668 -static void set_idt(void *newidt, __u16 limit)
13669 +static void set_idt(struct desc_struct *newidt, __u16 limit)
13671 struct desc_ptr curidt;
13673 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
13677 -static void set_gdt(void *newgdt, __u16 limit)
13678 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
13680 struct desc_ptr curgdt;
13682 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
13685 control_page = page_address(image->control_code_page);
13686 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
13687 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
13689 relocate_kernel_ptr = control_page;
13690 page_list[PA_CONTROL_PAGE] = __pa(control_page);
13691 diff -urNp linux-2.6.38.4/arch/x86/kernel/microcode_amd.c linux-2.6.38.4/arch/x86/kernel/microcode_amd.c
13692 --- linux-2.6.38.4/arch/x86/kernel/microcode_amd.c 2011-03-14 21:20:32.000000000 -0400
13693 +++ linux-2.6.38.4/arch/x86/kernel/microcode_amd.c 2011-04-17 15:57:32.000000000 -0400
13694 @@ -317,7 +317,7 @@ static void microcode_fini_cpu_amd(int c
13698 -static struct microcode_ops microcode_amd_ops = {
13699 +static const struct microcode_ops microcode_amd_ops = {
13700 .request_microcode_user = request_microcode_user,
13701 .request_microcode_fw = request_microcode_fw,
13702 .collect_cpu_info = collect_cpu_info_amd,
13703 @@ -325,7 +325,7 @@ static struct microcode_ops microcode_am
13704 .microcode_fini_cpu = microcode_fini_cpu_amd,
13707 -struct microcode_ops * __init init_amd_microcode(void)
13708 +const struct microcode_ops * __init init_amd_microcode(void)
13710 return µcode_amd_ops;
13712 diff -urNp linux-2.6.38.4/arch/x86/kernel/microcode_core.c linux-2.6.38.4/arch/x86/kernel/microcode_core.c
13713 --- linux-2.6.38.4/arch/x86/kernel/microcode_core.c 2011-03-14 21:20:32.000000000 -0400
13714 +++ linux-2.6.38.4/arch/x86/kernel/microcode_core.c 2011-04-17 15:57:32.000000000 -0400
13715 @@ -92,7 +92,7 @@ MODULE_LICENSE("GPL");
13717 #define MICROCODE_VERSION "2.00"
13719 -static struct microcode_ops *microcode_ops;
13720 +static const struct microcode_ops *microcode_ops;
13724 diff -urNp linux-2.6.38.4/arch/x86/kernel/microcode_intel.c linux-2.6.38.4/arch/x86/kernel/microcode_intel.c
13725 --- linux-2.6.38.4/arch/x86/kernel/microcode_intel.c 2011-03-14 21:20:32.000000000 -0400
13726 +++ linux-2.6.38.4/arch/x86/kernel/microcode_intel.c 2011-04-17 15:57:32.000000000 -0400
13727 @@ -440,13 +440,13 @@ static enum ucode_state request_microcod
13729 static int get_ucode_user(void *to, const void *from, size_t n)
13731 - return copy_from_user(to, from, n);
13732 + return copy_from_user(to, (__force const void __user *)from, n);
13735 static enum ucode_state
13736 request_microcode_user(int cpu, const void __user *buf, size_t size)
13738 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
13739 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
13742 static void microcode_fini_cpu(int cpu)
13743 @@ -457,7 +457,7 @@ static void microcode_fini_cpu(int cpu)
13747 -static struct microcode_ops microcode_intel_ops = {
13748 +static const struct microcode_ops microcode_intel_ops = {
13749 .request_microcode_user = request_microcode_user,
13750 .request_microcode_fw = request_microcode_fw,
13751 .collect_cpu_info = collect_cpu_info,
13752 @@ -465,7 +465,7 @@ static struct microcode_ops microcode_in
13753 .microcode_fini_cpu = microcode_fini_cpu,
13756 -struct microcode_ops * __init init_intel_microcode(void)
13757 +const struct microcode_ops * __init init_intel_microcode(void)
13759 return µcode_intel_ops;
13761 diff -urNp linux-2.6.38.4/arch/x86/kernel/module.c linux-2.6.38.4/arch/x86/kernel/module.c
13762 --- linux-2.6.38.4/arch/x86/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
13763 +++ linux-2.6.38.4/arch/x86/kernel/module.c 2011-04-17 15:57:32.000000000 -0400
13764 @@ -35,21 +35,66 @@
13765 #define DEBUGP(fmt...)
13768 -void *module_alloc(unsigned long size)
13769 +static inline void *__module_alloc(unsigned long size, pgprot_t prot)
13771 if (PAGE_ALIGN(size) > MODULES_LEN)
13773 return __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
13774 - GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
13775 + GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot,
13776 -1, __builtin_return_address(0));
13779 +void *module_alloc(unsigned long size)
13782 +#ifdef CONFIG_PAX_KERNEXEC
13783 + return __module_alloc(size, PAGE_KERNEL);
13785 + return __module_alloc(size, PAGE_KERNEL_EXEC);
13790 /* Free memory returned from module_alloc */
13791 void module_free(struct module *mod, void *module_region)
13793 vfree(module_region);
13796 +#ifdef CONFIG_PAX_KERNEXEC
13797 +#ifdef CONFIG_X86_32
13798 +void *module_alloc_exec(unsigned long size)
13800 + struct vm_struct *area;
13805 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
13806 + return area ? area->addr : NULL;
13808 +EXPORT_SYMBOL(module_alloc_exec);
13810 +void module_free_exec(struct module *mod, void *module_region)
13812 + vunmap(module_region);
13814 +EXPORT_SYMBOL(module_free_exec);
13816 +void module_free_exec(struct module *mod, void *module_region)
13818 + module_free(mod, module_region);
13820 +EXPORT_SYMBOL(module_free_exec);
13822 +void *module_alloc_exec(unsigned long size)
13824 + return __module_alloc(size, PAGE_KERNEL_RX);
13826 +EXPORT_SYMBOL(module_alloc_exec);
13830 /* We don't need anything special. */
13831 int module_frob_arch_sections(Elf_Ehdr *hdr,
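Review bot: The two `module_alloc_exec()` variants are not equivalent and nothing says so: the CONFIG_X86_32 version only reserves address space with `__get_vm_area()` and returns `area->addr` with no backing pages (its `module_free_exec` correspondingly uses `vunmap`), whereas the other version calls `__module_alloc(size, PAGE_KERNEL_RX)` and returns zeroed, mapped RX memory. Whoever populates the 32-bit region is not visible here, so each variant needs a header comment stating who maps the pages and what the caller may do with the returned pointer. The 32-bit variant also has no visible check that `size` fits the `MODULES_EXEC_VADDR`..`MODULES_EXEC_END` window beyond `__get_vm_area()` returning NULL; the lines between the `area` declaration and that call, and the `#else` separating the variants, are not in this view.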
13833 @@ -69,14 +114,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
13835 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
13837 - uint32_t *location;
13838 + uint32_t *plocation, location;
13840 DEBUGP("Applying relocate section %u to %u\n", relsec,
13841 sechdrs[relsec].sh_info);
13842 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
13843 /* This is where to make the change */
13844 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
13845 - + rel[i].r_offset;
13846 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
13847 + location = (uint32_t)plocation;
13848 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
13849 + plocation = ktla_ktva((void *)plocation);
13850 /* This is the symbol it is referring to. Note that all
13851 undefined symbols have been resolved. */
13852 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
13853 @@ -85,11 +132,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
13854 switch (ELF32_R_TYPE(rel[i].r_info)) {
13856 /* We add the value into the location given */
13857 - *location += sym->st_value;
13858 + pax_open_kernel();
13859 + *plocation += sym->st_value;
13860 + pax_close_kernel();
13863 /* Add the value, subtract its postition */
13864 - *location += sym->st_value - (uint32_t)location;
13865 + pax_open_kernel();
13866 + *plocation += sym->st_value - location;
13867 + pax_close_kernel();
13870 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
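Review bot: `pax_open_kernel()`/`pax_close_kernel()` now bracket every relocation write, including those into sections without SHF_EXECINSTR, where `plocation` was left pointing at the ordinary mapping that `module_alloc` creates with PAGE_KERNEL in the hunk above. If the pairing is only needed for the `ktla_ktva()`-redirected executable sections, a comment saying it is kept unconditional for simplicity (or because `pax_open_kernel()` is a no-op without KERNEXEC) stops a reader from "optimising" it in the wrong direction; if it is needed for data sections too, that reason belongs in the comment instead. The `default:` case and the function's return are outside this hunk.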
13871 @@ -145,21 +196,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
13872 case R_X86_64_NONE:
13875 + pax_open_kernel();
13877 + pax_close_kernel();
13880 + pax_open_kernel();
13882 + pax_close_kernel();
13883 if (val != *(u32 *)loc)
13887 + pax_open_kernel();
13889 + pax_close_kernel();
13890 if ((s64)val != *(s32 *)loc)
13893 case R_X86_64_PC32:
13895 + pax_open_kernel();
13897 + pax_close_kernel();
13900 if ((s64)val != *(s32 *)loc)
13902 diff -urNp linux-2.6.38.4/arch/x86/kernel/paravirt.c linux-2.6.38.4/arch/x86/kernel/paravirt.c
13903 --- linux-2.6.38.4/arch/x86/kernel/paravirt.c 2011-03-14 21:20:32.000000000 -0400
13904 +++ linux-2.6.38.4/arch/x86/kernel/paravirt.c 2011-04-17 15:57:32.000000000 -0400
13905 @@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu
13906 * corresponding structure. */
13907 static void *get_call_destination(u8 type)
13909 - struct paravirt_patch_template tmpl = {
13910 + const struct paravirt_patch_template tmpl = {
13911 .pv_init_ops = pv_init_ops,
13912 .pv_time_ops = pv_time_ops,
13913 .pv_cpu_ops = pv_cpu_ops,
13914 @@ -145,14 +145,14 @@ unsigned paravirt_patch_default(u8 type,
13915 if (opfunc == NULL)
13916 /* If there's no function, patch it with a ud2a (BUG) */
13917 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
13918 - else if (opfunc == _paravirt_nop)
13919 + else if (opfunc == (void *)_paravirt_nop)
13920 /* If the operation is a nop, then nop the callsite */
13921 ret = paravirt_patch_nop();
13923 /* identity functions just return their single argument */
13924 - else if (opfunc == _paravirt_ident_32)
13925 + else if (opfunc == (void *)_paravirt_ident_32)
13926 ret = paravirt_patch_ident_32(insnbuf, len);
13927 - else if (opfunc == _paravirt_ident_64)
13928 + else if (opfunc == (void *)_paravirt_ident_64)
13929 ret = paravirt_patch_ident_64(insnbuf, len);
13931 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
13932 @@ -178,7 +178,7 @@ unsigned paravirt_patch_insns(void *insn
13933 if (insn_len > len || start == NULL)
13936 - memcpy(insnbuf, start, insn_len);
13937 + memcpy(insnbuf, ktla_ktva(start), insn_len);
13941 @@ -294,22 +294,22 @@ void arch_flush_lazy_mmu_mode(void)
13945 -struct pv_info pv_info = {
13946 +struct pv_info pv_info __read_only = {
13947 .name = "bare hardware",
13948 .paravirt_enabled = 0,
13950 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
13953 -struct pv_init_ops pv_init_ops = {
13954 +struct pv_init_ops pv_init_ops __read_only = {
13955 .patch = native_patch,
13958 -struct pv_time_ops pv_time_ops = {
13959 +struct pv_time_ops pv_time_ops __read_only = {
13960 .sched_clock = native_sched_clock,
13963 -struct pv_irq_ops pv_irq_ops = {
13964 +struct pv_irq_ops pv_irq_ops __read_only = {
13965 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
13966 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
13967 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
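Review bot: Marking `pv_info`, `pv_init_ops`, `pv_time_ops`, `pv_irq_ops` (and the remaining pv_*_ops below) `__read_only` presumably places them in a section that is write-protected after init under KERNEXEC, so every boot-time writer — the Xen, KVM and lguest guest setup paths, for instance, which assign whole tables or individual members — must now wrap those assignments in `pax_open_kernel()`/`pax_close_kernel()`, and none of them is in this view. A comment on the first definition, e.g. `/* __read_only: any writer after early boot must use pax_open_kernel()/pax_close_kernel() */`, makes the new contract discoverable from this file, and the commit message should list which guest paths were audited. The `__read_only` definition and the point at which the section becomes read-only are outside this hunk.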
13968 @@ -321,7 +321,7 @@ struct pv_irq_ops pv_irq_ops = {
13972 -struct pv_cpu_ops pv_cpu_ops = {
13973 +struct pv_cpu_ops pv_cpu_ops __read_only = {
13974 .cpuid = native_cpuid,
13975 .get_debugreg = native_get_debugreg,
13976 .set_debugreg = native_set_debugreg,
13977 @@ -382,7 +382,7 @@ struct pv_cpu_ops pv_cpu_ops = {
13978 .end_context_switch = paravirt_nop,
13981 -struct pv_apic_ops pv_apic_ops = {
13982 +struct pv_apic_ops pv_apic_ops __read_only = {
13983 #ifdef CONFIG_X86_LOCAL_APIC
13984 .startup_ipi_hook = paravirt_nop,
13986 @@ -396,7 +396,7 @@ struct pv_apic_ops pv_apic_ops = {
13987 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
13990 -struct pv_mmu_ops pv_mmu_ops = {
13991 +struct pv_mmu_ops pv_mmu_ops __read_only = {
13993 .read_cr2 = native_read_cr2,
13994 .write_cr2 = native_write_cr2,
13995 @@ -465,6 +465,12 @@ struct pv_mmu_ops pv_mmu_ops = {
13998 .set_fixmap = native_set_fixmap,
14000 +#ifdef CONFIG_PAX_KERNEXEC
14001 + .pax_open_kernel = native_pax_open_kernel,
14002 + .pax_close_kernel = native_pax_close_kernel,
14007 EXPORT_SYMBOL_GPL(pv_time_ops);
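Review bot: Adding `.pax_open_kernel`/`.pax_close_kernel` to the native `pv_mmu_ops` obliges every other `struct pv_mmu_ops` instance to fill them in: per the `paravirt_patch_default` hunk above, a NULL op is patched into `ud2a`, so if `pax_open_kernel()` is routed through this table when paravirt is enabled (as the new members suggest), a Xen or lguest build that leaves them unset would BUG at the first call site instead of falling back to the native implementation. Whether those tables were updated is not visible here; a one-line comment beside the new members, `/* every pv_mmu_ops instance must provide these under CONFIG_PAX_KERNEXEC: a NULL op is patched to ud2a */`, plus a mention in the commit message would make the requirement explicit. The `#endif` of this block and the rest of the struct are not in view.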
14008 diff -urNp linux-2.6.38.4/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.38.4/arch/x86/kernel/paravirt-spinlocks.c
14009 --- linux-2.6.38.4/arch/x86/kernel/paravirt-spinlocks.c 2011-03-14 21:20:32.000000000 -0400
14010 +++ linux-2.6.38.4/arch/x86/kernel/paravirt-spinlocks.c 2011-04-17 15:57:32.000000000 -0400
14011 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
14012 arch_spin_lock(lock);
14015 -struct pv_lock_ops pv_lock_ops = {
14016 +struct pv_lock_ops pv_lock_ops __read_only = {
14018 .spin_is_locked = __ticket_spin_is_locked,
14019 .spin_is_contended = __ticket_spin_is_contended,
14020 diff -urNp linux-2.6.38.4/arch/x86/kernel/pci-calgary_64.c linux-2.6.38.4/arch/x86/kernel/pci-calgary_64.c
14021 --- linux-2.6.38.4/arch/x86/kernel/pci-calgary_64.c 2011-03-14 21:20:32.000000000 -0400
14022 +++ linux-2.6.38.4/arch/x86/kernel/pci-calgary_64.c 2011-04-17 15:57:32.000000000 -0400
14023 @@ -476,7 +476,7 @@ static void calgary_free_coherent(struct
14024 free_pages((unsigned long)vaddr, get_order(size));
14027 -static struct dma_map_ops calgary_dma_ops = {
14028 +static const struct dma_map_ops calgary_dma_ops = {
14029 .alloc_coherent = calgary_alloc_coherent,
14030 .free_coherent = calgary_free_coherent,
14031 .map_sg = calgary_map_sg,
14032 diff -urNp linux-2.6.38.4/arch/x86/kernel/pci-dma.c linux-2.6.38.4/arch/x86/kernel/pci-dma.c
14033 --- linux-2.6.38.4/arch/x86/kernel/pci-dma.c 2011-03-14 21:20:32.000000000 -0400
14034 +++ linux-2.6.38.4/arch/x86/kernel/pci-dma.c 2011-04-17 15:57:32.000000000 -0400
14037 static int forbid_dac __read_mostly;
14039 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
14040 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
14041 EXPORT_SYMBOL(dma_ops);
14043 static int iommu_sac_force __read_mostly;
14044 @@ -250,7 +250,7 @@ early_param("iommu", iommu_setup);
14046 int dma_supported(struct device *dev, u64 mask)
14048 - struct dma_map_ops *ops = get_dma_ops(dev);
14049 + const struct dma_map_ops *ops = get_dma_ops(dev);
14052 if (mask > 0xffffffff && forbid_dac > 0) {
14053 diff -urNp linux-2.6.38.4/arch/x86/kernel/pci-gart_64.c linux-2.6.38.4/arch/x86/kernel/pci-gart_64.c
14054 --- linux-2.6.38.4/arch/x86/kernel/pci-gart_64.c 2011-03-14 21:20:32.000000000 -0400
14055 +++ linux-2.6.38.4/arch/x86/kernel/pci-gart_64.c 2011-04-17 15:57:32.000000000 -0400
14056 @@ -706,7 +706,7 @@ static __init int init_amd_gatt(struct a
14060 -static struct dma_map_ops gart_dma_ops = {
14061 +static const struct dma_map_ops gart_dma_ops = {
14062 .map_sg = gart_map_sg,
14063 .unmap_sg = gart_unmap_sg,
14064 .map_page = gart_map_page,
14065 diff -urNp linux-2.6.38.4/arch/x86/kernel/pci-nommu.c linux-2.6.38.4/arch/x86/kernel/pci-nommu.c
14066 --- linux-2.6.38.4/arch/x86/kernel/pci-nommu.c 2011-03-14 21:20:32.000000000 -0400
14067 +++ linux-2.6.38.4/arch/x86/kernel/pci-nommu.c 2011-04-17 15:57:32.000000000 -0400
14068 @@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str
14069 flush_write_buffers();
14072 -struct dma_map_ops nommu_dma_ops = {
14073 +const struct dma_map_ops nommu_dma_ops = {
14074 .alloc_coherent = dma_generic_alloc_coherent,
14075 .free_coherent = nommu_free_coherent,
14076 .map_sg = nommu_map_sg,
14077 diff -urNp linux-2.6.38.4/arch/x86/kernel/pci-swiotlb.c linux-2.6.38.4/arch/x86/kernel/pci-swiotlb.c
14078 --- linux-2.6.38.4/arch/x86/kernel/pci-swiotlb.c 2011-03-14 21:20:32.000000000 -0400
14079 +++ linux-2.6.38.4/arch/x86/kernel/pci-swiotlb.c 2011-04-17 15:57:32.000000000 -0400
14080 @@ -26,7 +26,7 @@ static void *x86_swiotlb_alloc_coherent(
14081 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
14084 -static struct dma_map_ops swiotlb_dma_ops = {
14085 +static const struct dma_map_ops swiotlb_dma_ops = {
14086 .mapping_error = swiotlb_dma_mapping_error,
14087 .alloc_coherent = x86_swiotlb_alloc_coherent,
14088 .free_coherent = swiotlb_free_coherent,
14089 diff -urNp linux-2.6.38.4/arch/x86/kernel/process_32.c linux-2.6.38.4/arch/x86/kernel/process_32.c
14090 --- linux-2.6.38.4/arch/x86/kernel/process_32.c 2011-03-14 21:20:32.000000000 -0400
14091 +++ linux-2.6.38.4/arch/x86/kernel/process_32.c 2011-04-17 15:57:32.000000000 -0400
14092 @@ -65,6 +65,7 @@ asmlinkage void ret_from_fork(void) __as
14093 unsigned long thread_saved_pc(struct task_struct *tsk)
14095 return ((unsigned long *)tsk->thread.sp)[3];
14096 +//XXX return tsk->thread.eip;
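Review bot: `//XXX return tsk->thread.eip;` is commented-out code added to thread_saved_pc; it does not say what is wrong with the stack-offset form beside it, and a C++-style comment is out of keeping with the rest of this file. Either drop it or make it an actionable note in the file's style: `/* TODO(PaX): thread_saved_pc reads the saved return address from the stack frame; revisit if the saved ip is kept in thread_struct instead */`. Whether a `thread.eip` (or `thread.ip`) field exists in this tree is not shown here, so keep the wording conditional.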
14100 @@ -126,15 +127,14 @@ void __show_regs(struct pt_regs *regs, i
14102 unsigned short ss, gs;
14104 - if (user_mode_vm(regs)) {
14105 + if (user_mode(regs)) {
14107 ss = regs->ss & 0xffff;
14108 - gs = get_user_gs(regs);
14110 sp = kernel_stack_pointer(regs);
14111 savesegment(ss, ss);
14112 - savesegment(gs, gs);
14114 + gs = get_user_gs(regs);
14116 show_regs_common();
14118 @@ -196,7 +196,7 @@ int copy_thread(unsigned long clone_flag
14119 struct task_struct *tsk;
14122 - childregs = task_pt_regs(p);
14123 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
14124 *childregs = *regs;
14126 childregs->sp = sp;
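Review bot: `childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;` open-codes the child's pt_regs location with a bare `- 8` in place of `task_pt_regs(p)`; the same `- 8` appears in the process_64.c copy_thread hunk below and in the IRQ-stack `isp` computation in irq_32.c. Unless `task_pt_regs()` was changed the same way in a header not shown here, it and this code now disagree, and every other user of `task_pt_regs()` (ptrace, signal delivery) sees a frame 8 bytes off. Define the padding once, e.g. `#define KSTACK_PAD 8 /* bytes reserved above pt_regs at the top of the kernel stack */` next to `task_pt_regs()`, and use it in all three places and in `task_pt_regs()` itself.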
14127 @@ -293,7 +293,7 @@ __switch_to(struct task_struct *prev_p,
14128 struct thread_struct *prev = &prev_p->thread,
14129 *next = &next_p->thread;
14130 int cpu = smp_processor_id();
14131 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
14132 + struct tss_struct *tss = init_tss + cpu;
14135 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
14136 @@ -328,6 +328,10 @@ __switch_to(struct task_struct *prev_p,
14138 lazy_save_gs(prev->gs);
14140 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14141 + __set_fs(task_thread_info(next_p)->addr_limit);
14145 * Load the per-thread Thread-Local Storage descriptor.
14147 @@ -363,6 +367,9 @@ __switch_to(struct task_struct *prev_p,
14149 arch_end_context_switch(next_p);
14151 + percpu_write(current_task, next_p);
14152 + percpu_write(current_tinfo, &next_p->tinfo);
14155 __math_state_restore();
14157 @@ -372,8 +379,6 @@ __switch_to(struct task_struct *prev_p,
14158 if (prev->gs | next->gs)
14159 lazy_load_gs(next->gs);
14161 - percpu_write(current_task, next_p);
14166 @@ -403,4 +408,3 @@ unsigned long get_wchan(struct task_stru
14167 } while (count++ < 16);
14171 diff -urNp linux-2.6.38.4/arch/x86/kernel/process_64.c linux-2.6.38.4/arch/x86/kernel/process_64.c
14172 --- linux-2.6.38.4/arch/x86/kernel/process_64.c 2011-03-14 21:20:32.000000000 -0400
14173 +++ linux-2.6.38.4/arch/x86/kernel/process_64.c 2011-04-17 15:57:32.000000000 -0400
14174 @@ -87,7 +87,7 @@ static void __exit_idle(void)
14175 void exit_idle(void)
14177 /* idle loop has pid 0 */
14178 - if (current->pid)
14179 + if (task_pid_nr(current))
14183 @@ -260,8 +260,7 @@ int copy_thread(unsigned long clone_flag
14184 struct pt_regs *childregs;
14185 struct task_struct *me = current;
14187 - childregs = ((struct pt_regs *)
14188 - (THREAD_SIZE + task_stack_page(p))) - 1;
14189 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
14190 *childregs = *regs;
14193 @@ -376,7 +375,7 @@ __switch_to(struct task_struct *prev_p,
14194 struct thread_struct *prev = &prev_p->thread;
14195 struct thread_struct *next = &next_p->thread;
14196 int cpu = smp_processor_id();
14197 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
14198 + struct tss_struct *tss = init_tss + cpu;
14199 unsigned fsindex, gsindex;
14202 @@ -472,10 +471,9 @@ __switch_to(struct task_struct *prev_p,
14203 prev->usersp = percpu_read(old_rsp);
14204 percpu_write(old_rsp, next->usersp);
14205 percpu_write(current_task, next_p);
14206 + percpu_write(current_tinfo, &next_p->tinfo);
14208 - percpu_write(kernel_stack,
14209 - (unsigned long)task_stack_page(next_p) +
14210 - THREAD_SIZE - KERNEL_STACK_OFFSET);
14211 + percpu_write(kernel_stack, next->sp0);
14214 * Now maybe reload the debug registers and handle I/O bitmaps
14215 @@ -529,12 +527,11 @@ unsigned long get_wchan(struct task_stru
14216 if (!p || p == current || p->state == TASK_RUNNING)
14218 stack = (unsigned long)task_stack_page(p);
14219 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
14220 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-8-sizeof(u64))
14222 fp = *(u64 *)(p->thread.sp);
14224 - if (fp < (unsigned long)stack ||
14225 - fp >= (unsigned long)stack+THREAD_SIZE)
14226 + if (fp < stack || fp > stack+THREAD_SIZE-8-sizeof(u64))
14228 ip = *(u64 *)(fp+8);
14229 if (!in_sched_functions(ip))
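Review bot: The tightened bounds `> stack+THREAD_SIZE-8-sizeof(u64)` do fix a real over-read — with the old `>= stack+THREAD_SIZE` check `fp` could be the last 8 bytes of the stack and `*(u64 *)(fp+8)` then read past the page — but the expression is opaque and is duplicated on both checks. Name it once: `unsigned long top = stack + THREAD_SIZE - 8 - sizeof(u64); /* last address at which an 8-byte frame word can be read in bounds; 8 is the pad kept above pt_regs */` and then `if (p->thread.sp < stack || p->thread.sp > top)` and `if (fp < stack || fp > top)`. The `do { } while` loop this sits in starts and ends outside the hunk.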
14230 diff -urNp linux-2.6.38.4/arch/x86/kernel/process.c linux-2.6.38.4/arch/x86/kernel/process.c
14231 --- linux-2.6.38.4/arch/x86/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
14232 +++ linux-2.6.38.4/arch/x86/kernel/process.c 2011-04-17 15:57:32.000000000 -0400
14233 @@ -48,16 +48,33 @@ void free_thread_xstate(struct task_stru
14235 void free_thread_info(struct thread_info *ti)
14237 - free_thread_xstate(ti->task);
14238 free_pages((unsigned long)ti, get_order(THREAD_SIZE));
14241 +static struct kmem_cache *task_struct_cachep;
14243 void arch_task_cache_init(void)
14245 - task_xstate_cachep =
14246 - kmem_cache_create("task_xstate", xstate_size,
14247 + /* create a slab on which task_structs can be allocated */
14248 + task_struct_cachep =
14249 + kmem_cache_create("task_struct", sizeof(struct task_struct),
14250 + ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK, NULL);
14252 + task_xstate_cachep =
14253 + kmem_cache_create("task_xstate", xstate_size,
14254 __alignof__(union thread_xstate),
14255 - SLAB_PANIC | SLAB_NOTRACK, NULL);
14256 + SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
14259 +struct task_struct *alloc_task_struct(void)
14261 + return kmem_cache_alloc(task_struct_cachep, GFP_KERNEL);
14264 +void free_task_struct(struct task_struct *task)
14266 + free_thread_xstate(task);
14267 + kmem_cache_free(task_struct_cachep, task);
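Review bot: The xstate cache is now created with `SLAB_USERCOPY` and the new task_struct cache deliberately without it, but neither choice is explained, and a USERCOPY whitelist entry is exactly the kind of thing a later reader will "clean up". Add above the task_xstate_cachep creation: `/* SLAB_USERCOPY: the FPU/xstate image is copied to the user signal frame (save_i387_xstate) and presumably back on sigreturn, so the usercopy checks must accept this cache; task_struct itself is never copied to userland and must stay off the whitelist. */` — the "presumably" half should be confirmed against the restore path, which is not in this hunk. It is also worth a one-line comment on free_task_struct that it now owns freeing the xstate, since free_thread_info no longer does.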
14271 @@ -70,7 +87,7 @@ void exit_thread(void)
14272 unsigned long *bp = t->io_bitmap_ptr;
14275 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
14276 + struct tss_struct *tss = init_tss + get_cpu();
14278 t->io_bitmap_ptr = NULL;
14279 clear_thread_flag(TIF_IO_BITMAP);
14280 @@ -106,7 +123,7 @@ void show_regs_common(void)
14282 printk(KERN_CONT "\n");
14283 printk(KERN_DEFAULT "Pid: %d, xid: #%u, comm: %.20s %s %s %.*s",
14284 - current->pid, current->xid, current->comm, print_tainted(),
14285 + task_pid_nr(current), current->xid, current->comm, print_tainted(),
14286 init_utsname()->release,
14287 (int)strcspn(init_utsname()->version, " "),
14288 init_utsname()->version);
14289 @@ -123,6 +140,9 @@ void flush_thread(void)
14291 struct task_struct *tsk = current;
14293 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
14294 + loadsegment(gs, 0);
14296 flush_ptrace_hw_breakpoint(tsk);
14297 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
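Review bot: The new `loadsegment(gs, 0)` under `X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF` carries no comment, and a three-way config condition without a stated reason is the kind of line that quietly bit-rots. State it inline, e.g. `/* In this configuration %gs holds the user TLS selector (see lazy_save_gs/lazy_load_gs in __switch_to); clear it on exec so the new image does not inherit a stale selector. With stackprotector or UDEREF the kernel owns %gs and the user value lives in pt_regs instead. */` — the second sentence is consistent with the `get_user_gs(regs)` and `__KERNEL_STACK_CANARY` uses elsewhere in this patch but should be confirmed against the entry code, which is not shown here. flush_thread continues outside the hunk.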
14299 @@ -285,10 +305,10 @@ int kernel_thread(int (*fn)(void *), voi
14300 regs.di = (unsigned long) arg;
14302 #ifdef CONFIG_X86_32
14303 - regs.ds = __USER_DS;
14304 - regs.es = __USER_DS;
14305 + regs.ds = __KERNEL_DS;
14306 + regs.es = __KERNEL_DS;
14307 regs.fs = __KERNEL_PERCPU;
14308 - regs.gs = __KERNEL_STACK_CANARY;
14309 + savesegment(gs, regs.gs);
14311 regs.ss = __KERNEL_DS;
14313 @@ -668,16 +688,31 @@ static int __init idle_setup(char *str)
14315 early_param("idle", idle_setup);
14317 -unsigned long arch_align_stack(unsigned long sp)
14318 +#ifdef CONFIG_PAX_RANDKSTACK
14319 +asmlinkage void pax_randomize_kstack(void)
14321 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
14322 - sp -= get_random_int() % 8192;
14323 - return sp & ~0xf;
14325 + struct thread_struct *thread = ¤t->thread;
14326 + unsigned long time;
14328 -unsigned long arch_randomize_brk(struct mm_struct *mm)
14330 - unsigned long range_end = mm->brk + 0x02000000;
14331 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
14333 + if (!randomize_va_space)
14338 + /* P4 seems to return a 0 LSB, ignore it */
14339 +#ifdef CONFIG_MPENTIUM4
14347 + thread->sp0 ^= time;
14348 + load_sp0(init_tss + smp_processor_id(), thread);
14350 +#ifdef CONFIG_X86_64
14351 + percpu_write(kernel_stack, thread->sp0);
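Review bot: pax_randomize_kstack bails only on `!randomize_va_space`, whereas the arch_align_stack it replaces also honoured `ADDR_NO_RANDOMIZE`; that is almost certainly intentional, but a reader comparing old and new will read it as an omission, so say so: `/* Deliberately not gated on ADDR_NO_RANDOMIZE: the kernel stack offset is not part of the userland ABI a personality flag can opt out of; only the global sysctl applies. */`. The masking of `time` before `thread->sp0 ^= time;` falls in lines not reproduced in this hunk, so I cannot confirm sp0 stays suitably aligned and inside the reserved padding; the mask deserves a comment stating both bounds, since a misaligned or out-of-range sp0 is loaded into the TSS on the next line. The function's closing lines are outside the hunk.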
14355 diff -urNp linux-2.6.38.4/arch/x86/kernel/ptrace.c linux-2.6.38.4/arch/x86/kernel/ptrace.c
14356 --- linux-2.6.38.4/arch/x86/kernel/ptrace.c 2011-03-14 21:20:32.000000000 -0400
14357 +++ linux-2.6.38.4/arch/x86/kernel/ptrace.c 2011-04-17 15:57:32.000000000 -0400
14358 @@ -805,7 +805,7 @@ long arch_ptrace(struct task_struct *chi
14359 unsigned long addr, unsigned long data)
14362 - unsigned long __user *datap = (unsigned long __user *)data;
14363 + unsigned long __user *datap = (__force unsigned long __user *)data;
14366 /* read the word at location addr in the USER area. */
14367 @@ -890,14 +890,14 @@ long arch_ptrace(struct task_struct *chi
14368 if ((int) addr < 0)
14370 ret = do_get_thread_area(child, addr,
14371 - (struct user_desc __user *)data);
14372 + (__force struct user_desc __user *) data);
14375 case PTRACE_SET_THREAD_AREA:
14376 if ((int) addr < 0)
14378 ret = do_set_thread_area(child, addr,
14379 - (struct user_desc __user *)data, 0);
14380 + (__force struct user_desc __user *) data, 0);
14384 @@ -1314,7 +1314,7 @@ static void fill_sigtrap_info(struct tas
14385 memset(info, 0, sizeof(*info));
14386 info->si_signo = SIGTRAP;
14387 info->si_code = si_code;
14388 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
14389 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
14392 void user_single_step_siginfo(struct task_struct *tsk,
14393 @@ -1347,7 +1347,7 @@ void send_sigtrap(struct task_struct *ts
14394 * We must return the syscall number to actually look up in the table.
14395 * This can be -1L to skip running any syscall at all.
14397 -asmregparm long syscall_trace_enter(struct pt_regs *regs)
14398 +long syscall_trace_enter(struct pt_regs *regs)
14402 @@ -1392,7 +1392,7 @@ asmregparm long syscall_trace_enter(stru
14403 return ret ?: regs->orig_ax;
14406 -asmregparm void syscall_trace_leave(struct pt_regs *regs)
14407 +void syscall_trace_leave(struct pt_regs *regs)
14411 diff -urNp linux-2.6.38.4/arch/x86/kernel/reboot.c linux-2.6.38.4/arch/x86/kernel/reboot.c
14412 --- linux-2.6.38.4/arch/x86/kernel/reboot.c 2011-03-14 21:20:32.000000000 -0400
14413 +++ linux-2.6.38.4/arch/x86/kernel/reboot.c 2011-04-17 15:57:32.000000000 -0400
14414 @@ -34,7 +34,7 @@ void (*pm_power_off)(void);
14415 EXPORT_SYMBOL(pm_power_off);
14417 static const struct desc_ptr no_idt = {};
14418 -static int reboot_mode;
14419 +static unsigned short reboot_mode;
14420 enum reboot_type reboot_type = BOOT_KBD;
14423 @@ -293,7 +293,7 @@ static struct dmi_system_id __initdata r
14424 DMI_MATCH(DMI_BOARD_NAME, "VersaLogic Menlow board"),
14428 + { NULL, NULL, {{0, {0}}}, NULL}
14431 static int __init reboot_init(void)
14432 @@ -309,12 +309,12 @@ core_initcall(reboot_init);
14433 controller to pulse the CPU reset line, which is more thorough, but
14434 doesn't work with at least one type of 486 motherboard. It is easy
14435 to stop this code working; hence the copious comments. */
14436 -static const unsigned long long
14437 -real_mode_gdt_entries [3] =
14438 +static struct desc_struct
14439 +real_mode_gdt_entries [3] __read_only =
14441 - 0x0000000000000000ULL, /* Null descriptor */
14442 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
14443 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
14444 + GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
14445 + GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
14446 + GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
14449 static const struct desc_ptr
14450 @@ -363,7 +363,7 @@ static const unsigned char jump_to_bios
14451 * specified by the code and length parameters.
14452 * We assume that length will aways be less that 100!
14454 -void machine_real_restart(const unsigned char *code, int length)
14455 +void machine_real_restart(const unsigned char *code, unsigned int length)
14457 local_irq_disable();
14459 @@ -390,16 +390,15 @@ void machine_real_restart(const unsigned
14460 boot)". This seems like a fairly standard thing that gets set by
14461 REBOOT.COM programs, and the previous reset routine did this
14463 - *((unsigned short *)0x472) = reboot_mode;
14464 + *(unsigned short *)(__va(0x472)) = reboot_mode;
14466 /* For the switch to real mode, copy some code to low memory. It has
14467 to be in the first 64k because it is running in 16-bit mode, and it
14468 has to have the same physical and virtual address, because it turns
14469 off paging. Copy it near the end of the first page, out of the way
14470 of BIOS variables. */
14471 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
14472 - real_mode_switch, sizeof (real_mode_switch));
14473 - memcpy((void *)(0x1000 - 100), code, length);
14474 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
14475 + memcpy(__va(0x1000 - 100), code, length);
14477 /* Set up the IDT for real mode. */
14478 load_idt(&real_mode_idt);
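Review bot: `memcpy(__va(0x1000 - 100), code, length);` still trusts `length` completely: the function comment says it assumes length < 100, but nothing enforces that, and making the parameter unsigned only rules out negative values. A larger `length` would write past the 0x1000 boundary into the next page, so add `BUG_ON(length > 100);` before the copy (a reboot path that is about to disable paging has no sane way to continue), and give the 100 a name such as `REAL_MODE_CODE_MAX` so the two memcpy offsets and the check agree. The visible callers are not in this hunk; the check is defence in depth for in-kernel callers passing fixed arrays.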
14479 diff -urNp linux-2.6.38.4/arch/x86/kernel/setup.c linux-2.6.38.4/arch/x86/kernel/setup.c
14480 --- linux-2.6.38.4/arch/x86/kernel/setup.c 2011-04-18 17:27:18.000000000 -0400
14481 +++ linux-2.6.38.4/arch/x86/kernel/setup.c 2011-04-17 16:53:16.000000000 -0400
14482 @@ -654,7 +654,7 @@ static void __init trim_bios_range(void)
14483 * area (640->1Mb) as ram even though it is not.
14486 - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
14487 + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
14488 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
14491 @@ -790,14 +790,14 @@ void __init setup_arch(char **cmdline_p)
14493 if (!boot_params.hdr.root_flags)
14494 root_mountflags &= ~MS_RDONLY;
14495 - init_mm.start_code = (unsigned long) _text;
14496 - init_mm.end_code = (unsigned long) _etext;
14497 + init_mm.start_code = ktla_ktva((unsigned long) _text);
14498 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
14499 init_mm.end_data = (unsigned long) _edata;
14500 init_mm.brk = _brk_end;
14502 - code_resource.start = virt_to_phys(_text);
14503 - code_resource.end = virt_to_phys(_etext)-1;
14504 - data_resource.start = virt_to_phys(_etext);
14505 + code_resource.start = virt_to_phys(ktla_ktva(_text));
14506 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
14507 + data_resource.start = virt_to_phys(_sdata);
14508 data_resource.end = virt_to_phys(_edata)-1;
14509 bss_resource.start = virt_to_phys(&__bss_start);
14510 bss_resource.end = virt_to_phys(&__bss_stop)-1;
14511 diff -urNp linux-2.6.38.4/arch/x86/kernel/setup_percpu.c linux-2.6.38.4/arch/x86/kernel/setup_percpu.c
14512 --- linux-2.6.38.4/arch/x86/kernel/setup_percpu.c 2011-03-14 21:20:32.000000000 -0400
14513 +++ linux-2.6.38.4/arch/x86/kernel/setup_percpu.c 2011-04-17 15:57:32.000000000 -0400
14514 @@ -21,19 +21,17 @@
14515 #include <asm/cpu.h>
14516 #include <asm/stackprotector.h>
14518 -DEFINE_PER_CPU(int, cpu_number);
14520 +DEFINE_PER_CPU(unsigned int, cpu_number);
14521 EXPORT_PER_CPU_SYMBOL(cpu_number);
14524 -#ifdef CONFIG_X86_64
14525 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
14527 -#define BOOT_PERCPU_OFFSET 0
14530 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
14531 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
14533 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
14534 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
14535 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
14537 EXPORT_SYMBOL(__per_cpu_offset);
14538 @@ -155,10 +153,10 @@ static inline void setup_percpu_segment(
14540 #ifdef CONFIG_X86_32
14541 struct desc_struct gdt;
14542 + unsigned long base = per_cpu_offset(cpu);
14544 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
14545 - 0x2 | DESCTYPE_S, 0x8);
14547 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
14548 + 0x83 | DESCTYPE_S, 0xC);
14549 write_gdt_entry(get_cpu_gdt_table(cpu),
14550 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
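Review bot: The per-cpu segment descriptor changes in three ways — its limit now ends at VMALLOC_END instead of spanning 4G, the type goes from 0x2 to 0x83 (the data-segment accessed bit is now pre-set), and the flags from 0x8 to 0xC (D/B added to G) — and none of that is commented. Add above pack_descriptor: `/* Per-cpu segment for %fs: base at this CPU's per-cpu offset, limit chosen so the segment ends at VMALLOC_END rather than wrapping; type 0x83 = present, RW, already accessed, so the CPU never has to write the A bit back into the GDT (presumably kept read-only under KERNEXEC — confirm); flags 0xC = 4K granularity + 32-bit. */`. The reason for the VMALLOC_END limit should be stated by whoever knows it; the hunk does not say what an %fs-relative access beyond it is meant to be stopped from reaching.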
14552 @@ -207,6 +205,11 @@ void __init setup_per_cpu_areas(void)
14553 /* alrighty, percpu areas up and running */
14554 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
14555 for_each_possible_cpu(cpu) {
14556 +#ifdef CONFIG_CC_STACKPROTECTOR
14557 +#ifdef CONFIG_x86_32
14558 + unsigned long canary = per_cpu(stack_canary, cpu);
14561 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
14562 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
14563 per_cpu(cpu_number, cpu) = cpu;
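Review bot: `#ifdef CONFIG_x86_32` on the line declaring `canary` uses a lowercase symbol; the Kconfig option is `CONFIG_X86_32` (spelled that way in the setup_percpu_segment hunk of this same file), so this block never compiles in and the save/restore of the boot CPU's stack canary that the hunk intends never happens. Change it to `#ifdef CONFIG_X86_32`, and fix the matching guard around the restore a few lines further down in the same function in the same change, since the restore references `canary`. Whether the missing restore is observable at runtime I cannot tell from here, but dead hardening code is worse than none. setup_per_cpu_areas continues outside the hunk.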
14564 @@ -243,6 +246,12 @@ void __init setup_per_cpu_areas(void)
14565 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
14568 +#ifdef CONFIG_CC_STACKPROTECTOR
14569 +#ifdef CONFIG_x86_32
14570 + if (cpu == boot_cpu_id)
14571 + per_cpu(stack_canary, cpu) = canary;
14575 * Up to this point, the boot CPU has been using .init.data
14576 * area. Reload any changed state for the boot CPU.
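Review bot: The `#ifdef CONFIG_x86_32` guarding `per_cpu(stack_canary, cpu) = canary;` is misspelled — the Kconfig symbol is `CONFIG_X86_32` — so the restore is compiled out. The declaration of `canary` earlier in this function sits under the same misspelling, and the two must be corrected together: fixing only this guard leaves `canary` undeclared, fixing only the other leaves it unused. Write both as `#ifdef CONFIG_X86_32`. The function continues outside the hunk.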
14577 diff -urNp linux-2.6.38.4/arch/x86/kernel/signal.c linux-2.6.38.4/arch/x86/kernel/signal.c
14578 --- linux-2.6.38.4/arch/x86/kernel/signal.c 2011-03-14 21:20:32.000000000 -0400
14579 +++ linux-2.6.38.4/arch/x86/kernel/signal.c 2011-04-17 15:57:32.000000000 -0400
14580 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
14581 * Align the stack pointer according to the i386 ABI,
14582 * i.e. so that on function entry ((sp + 4) & 15) == 0.
14584 - sp = ((sp + 4) & -16ul) - 4;
14585 + sp = ((sp - 12) & -16ul) - 4;
14586 #else /* !CONFIG_X86_32 */
14587 sp = round_down(sp, 16) - 8;
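Review bot: The new `sp = ((sp - 12) & -16ul) - 4;` is exactly the old expression minus 16 (since `(sp - 12) & -16` equals `((sp + 4) & -16) - 16`), so it still yields sp ≡ 12 mod 16 as the comment describes but additionally places the frame 16 bytes lower, and nothing says what those 16 bytes are for. Extend the comment, e.g. `/* ... the frame is placed 16 bytes lower than the ABI minimum to leave room for <consumer> */`, naming the actual consumer; if the space is needed by something PaX adds to the frame or the trampoline, say so — the hunk does not show it. The 64-bit branch of align_sigframe is outside the hunk.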
14589 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
14590 * Return an always-bogus address instead so we will die with SIGSEGV.
14592 if (onsigstack && !likely(on_sig_stack(sp)))
14593 - return (void __user *)-1L;
14594 + return (__force void __user *)-1L;
14596 /* save i387 state */
14597 if (used_math() && save_i387_xstate(*fpstate) < 0)
14598 - return (void __user *)-1L;
14599 + return (__force void __user *)-1L;
14601 return (void __user *)sp;
14603 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
14606 if (current->mm->context.vdso)
14607 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
14608 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
14610 - restorer = &frame->retcode;
14611 + restorer = (void __user *)&frame->retcode;
14612 if (ka->sa.sa_flags & SA_RESTORER)
14613 restorer = ka->sa.sa_restorer;
14615 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
14616 * reasons and because gdb uses it as a signature to notice
14617 * signal handler stack frames.
14619 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
14620 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
14624 @@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str
14625 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
14627 /* Set up to return from userspace. */
14628 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
14629 + if (current->mm->context.vdso)
14630 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
14632 + restorer = (void __user *)&frame->retcode;
14633 if (ka->sa.sa_flags & SA_RESTORER)
14634 restorer = ka->sa.sa_restorer;
14635 put_user_ex(restorer, &frame->pretcode);
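Review bot: The new fallback `restorer = (void __user *)&frame->retcode;` when no vDSO is mapped means the rt_sigreturn trampoline is executed from the user stack, which on a hardened kernel with a non-executable stack only works if that trampoline is recognised and emulated on the fault path; the hunk gives no hint of that dependency. Add next to the fallback: `/* no vDSO mapped: fall back to the on-stack trampoline; with a non-executable stack this relies on the sigreturn trampoline emulation — confirm */`. The previous code computed the vDSO symbol unconditionally, so the NULL check itself is an improvement and matches the __setup_frame hunk above. __setup_rt_frame continues outside the hunk.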
14636 @@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str
14637 * reasons and because gdb uses it as a signature to notice
14638 * signal handler stack frames.
14640 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
14641 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
14642 } put_user_catch(err);
14645 @@ -780,7 +783,7 @@ static void do_signal(struct pt_regs *re
14646 * X86_32: vm86 regs switched out by assembly code before reaching
14647 * here, so testing against kernel CS suffices.
14649 - if (!user_mode(regs))
14650 + if (!user_mode_novm(regs))
14653 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
14654 diff -urNp linux-2.6.38.4/arch/x86/kernel/smpboot.c linux-2.6.38.4/arch/x86/kernel/smpboot.c
14655 --- linux-2.6.38.4/arch/x86/kernel/smpboot.c 2011-03-14 21:20:32.000000000 -0400
14656 +++ linux-2.6.38.4/arch/x86/kernel/smpboot.c 2011-04-17 15:57:32.000000000 -0400
14657 @@ -773,17 +773,20 @@ static int __cpuinit do_boot_cpu(int api
14658 set_idle_for_cpu(cpu, c_idle.idle);
14660 per_cpu(current_task, cpu) = c_idle.idle;
14661 + per_cpu(current_tinfo, cpu) = &c_idle.idle->tinfo;
14662 #ifdef CONFIG_X86_32
14663 /* Stack for startup_32 can be just as for start_secondary onwards */
14666 clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
14667 initial_gs = per_cpu_offset(cpu);
14668 - per_cpu(kernel_stack, cpu) =
14669 - (unsigned long)task_stack_page(c_idle.idle) -
14670 - KERNEL_STACK_OFFSET + THREAD_SIZE;
14671 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 8 + THREAD_SIZE;
14674 + pax_open_kernel();
14675 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
14676 + pax_close_kernel();
14678 initial_code = (unsigned long)start_secondary;
14679 stack_start = c_idle.idle->thread.sp;
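Review bot: The `pax_open_kernel()`/`pax_close_kernel()` window covers only the `early_gdt_descr.address` store, which implies that variable is write-protected data, but `initial_code` and `stack_start` are assigned right after the window. If either of those received the same `__read_only` treatment elsewhere in this patch (not visible here) the stores would fault, so either widen the window to cover all three or add `/* initial_code and stack_start are ordinary writable data */` so the asymmetry is clearly deliberate. The `- 8 + THREAD_SIZE` in the kernel_stack line repeats the pad hard-coded in copy_thread; use one named constant for it. do_boot_cpu continues outside the hunk.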
14681 @@ -923,6 +926,12 @@ int __cpuinit native_cpu_up(unsigned int
14683 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
14685 +#ifdef CONFIG_PAX_PER_CPU_PGD
14686 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
14687 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
14688 + KERNEL_PGD_PTRS);
14691 err = do_boot_cpu(apicid, cpu);
14693 pr_debug("do_boot_cpu failed %d\n", err);
14694 diff -urNp linux-2.6.38.4/arch/x86/kernel/step.c linux-2.6.38.4/arch/x86/kernel/step.c
14695 --- linux-2.6.38.4/arch/x86/kernel/step.c 2011-03-14 21:20:32.000000000 -0400
14696 +++ linux-2.6.38.4/arch/x86/kernel/step.c 2011-04-17 15:57:32.000000000 -0400
14697 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
14698 struct desc_struct *desc;
14699 unsigned long base;
14704 mutex_lock(&child->mm->context.lock);
14705 - if (unlikely((seg >> 3) >= child->mm->context.size))
14706 + if (unlikely(seg >= child->mm->context.size))
14707 addr = -1L; /* bogus selector, access would fault */
14709 desc = child->mm->context.ldt + seg;
14710 @@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
14713 mutex_unlock(&child->mm->context.lock);
14715 + } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
14716 + addr = ktla_ktva(addr);
14720 @@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
14721 unsigned char opcode[15];
14722 unsigned long addr = convert_ip_to_linear(child, regs);
14724 + if (addr == -EINVAL)
14727 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
14728 for (i = 0; i < copied; i++) {
14729 switch (opcode[i]) {
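Review bot: The added guard `if (addr == -EINVAL) return 0;` does not match the sentinel convert_ip_to_linear visibly uses for a bogus LDT selector, which is `addr = -1L` (a context line in the hunk above), so that case still reaches access_process_vm() with addr == -1 — harmless, since the copy just fails with 0 bytes, but the guard is dead for it. Either change the sentinel to `addr = -EINVAL; /* bogus selector, access would fault */` in convert_ip_to_linear, or test `if (addr == -1L) return 0;` here. Lines of the convert_ip_to_linear hunk that are not reproduced on this page may already introduce -EINVAL for another case, in which case the `-1L` should be converted for consistency. is_setting_trap_flag continues outside the hunk.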
14730 @@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
14732 #ifdef CONFIG_X86_64
14733 case 0x40 ... 0x4f:
14734 - if (regs->cs != __USER_CS)
14735 + if ((regs->cs & 0xffff) != __USER_CS)
14736 /* 32-bit mode: register increment */
14738 /* 64-bit mode: REX prefix */
14739 diff -urNp linux-2.6.38.4/arch/x86/kernel/syscall_table_32.S linux-2.6.38.4/arch/x86/kernel/syscall_table_32.S
14740 --- linux-2.6.38.4/arch/x86/kernel/syscall_table_32.S 2011-03-14 21:20:32.000000000 -0400
14741 +++ linux-2.6.38.4/arch/x86/kernel/syscall_table_32.S 2011-04-17 15:57:32.000000000 -0400
14743 +.section .rodata,"a",@progbits
14744 ENTRY(sys_call_table)
14745 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
14747 diff -urNp linux-2.6.38.4/arch/x86/kernel/sys_i386_32.c linux-2.6.38.4/arch/x86/kernel/sys_i386_32.c
14748 --- linux-2.6.38.4/arch/x86/kernel/sys_i386_32.c 2011-03-14 21:20:32.000000000 -0400
14749 +++ linux-2.6.38.4/arch/x86/kernel/sys_i386_32.c 2011-04-17 15:57:32.000000000 -0400
14750 @@ -24,17 +24,224 @@
14752 #include <asm/syscalls.h>
14755 - * Do a system call from kernel instead of calling sys_execve so we
14756 - * end up with proper pt_regs.
14758 -int kernel_execve(const char *filename,
14759 - const char *const argv[],
14760 - const char *const envp[])
14761 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
14764 - asm volatile ("int $0x80"
14766 - : "0" (__NR_execve), "b" (filename), "c" (argv), "d" (envp) : "memory");
14768 + unsigned long pax_task_size = TASK_SIZE;
14770 +#ifdef CONFIG_PAX_SEGMEXEC
14771 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
14772 + pax_task_size = SEGMEXEC_TASK_SIZE;
14775 + if (len > pax_task_size || addr > pax_task_size - len)
14782 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
14783 + unsigned long len, unsigned long pgoff, unsigned long flags)
14785 + struct mm_struct *mm = current->mm;
14786 + struct vm_area_struct *vma;
14787 + unsigned long start_addr, pax_task_size = TASK_SIZE;
14789 +#ifdef CONFIG_PAX_SEGMEXEC
14790 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14791 + pax_task_size = SEGMEXEC_TASK_SIZE;
14794 + pax_task_size -= PAGE_SIZE;
14796 + if (len > pax_task_size)
14799 + if (flags & MAP_FIXED)
14802 +#ifdef CONFIG_PAX_RANDMMAP
14803 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14807 + addr = PAGE_ALIGN(addr);
14808 + if (pax_task_size - len >= addr) {
14809 + vma = find_vma(mm, addr);
14810 + if (check_heap_stack_gap(vma, addr, len))
14814 + if (len > mm->cached_hole_size) {
14815 + start_addr = addr = mm->free_area_cache;
14817 + start_addr = addr = mm->mmap_base;
14818 + mm->cached_hole_size = 0;
14821 +#ifdef CONFIG_PAX_PAGEEXEC
14822 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
14823 + start_addr = 0x00110000UL;
14825 +#ifdef CONFIG_PAX_RANDMMAP
14826 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14827 + start_addr += mm->delta_mmap & 0x03FFF000UL;
14830 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
14831 + start_addr = addr = mm->mmap_base;
14833 + addr = start_addr;
14838 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
14839 + /* At this point: (!vma || addr < vma->vm_end). */
14840 + if (pax_task_size - len < addr) {
14842 + * Start a new search - just in case we missed
14845 + if (start_addr != mm->mmap_base) {
14846 + start_addr = addr = mm->mmap_base;
14847 + mm->cached_hole_size = 0;
14848 + goto full_search;
14852 + if (check_heap_stack_gap(vma, addr, len))
14854 + if (addr + mm->cached_hole_size < vma->vm_start)
14855 + mm->cached_hole_size = vma->vm_start - addr;
14856 + addr = vma->vm_end;
14857 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
14858 + start_addr = addr = mm->mmap_base;
14859 + mm->cached_hole_size = 0;
14860 + goto full_search;
14865 + * Remember the place where we stopped the search:
14867 + mm->free_area_cache = addr + len;
14872 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
14873 + const unsigned long len, const unsigned long pgoff,
14874 + const unsigned long flags)
14876 + struct vm_area_struct *vma;
14877 + struct mm_struct *mm = current->mm;
14878 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
14880 +#ifdef CONFIG_PAX_SEGMEXEC
14881 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14882 + pax_task_size = SEGMEXEC_TASK_SIZE;
14885 + pax_task_size -= PAGE_SIZE;
14887 + /* requested length too big for entire address space */
14888 + if (len > pax_task_size)
14891 + if (flags & MAP_FIXED)
14894 +#ifdef CONFIG_PAX_PAGEEXEC
14895 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
14899 +#ifdef CONFIG_PAX_RANDMMAP
14900 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14903 + /* requesting a specific address */
14905 + addr = PAGE_ALIGN(addr);
14906 + if (pax_task_size - len >= addr) {
14907 + vma = find_vma(mm, addr);
14908 + if (check_heap_stack_gap(vma, addr, len))
14913 + /* check if free_area_cache is useful for us */
14914 + if (len <= mm->cached_hole_size) {
14915 + mm->cached_hole_size = 0;
14916 + mm->free_area_cache = mm->mmap_base;
14919 + /* either no address requested or can't fit in requested address hole */
14920 + addr = mm->free_area_cache;
14922 + /* make sure it can fit in the remaining address space */
14923 + if (addr > len) {
14924 + vma = find_vma(mm, addr-len);
14925 + if (check_heap_stack_gap(vma, addr - len, len))
14926 + /* remember the address as a hint for next time */
14927 + return (mm->free_area_cache = addr-len);
14930 + if (mm->mmap_base < len)
14933 + addr = mm->mmap_base-len;
14937 + * Lookup failure means no vma is above this address,
14938 + * else if new region fits below vma->vm_start,
14939 + * return with success:
14941 + vma = find_vma(mm, addr);
14942 + if (check_heap_stack_gap(vma, addr, len))
14943 + /* remember the address as a hint for next time */
14944 + return (mm->free_area_cache = addr);
14946 + /* remember the largest hole we saw so far */
14947 + if (addr + mm->cached_hole_size < vma->vm_start)
14948 + mm->cached_hole_size = vma->vm_start - addr;
14950 + /* try just below the current vma->vm_start */
14951 + addr = skip_heap_stack_gap(vma, len);
14952 + } while (!IS_ERR_VALUE(addr));
14956 + * A failed mmap() very likely causes application failure,
14957 + * so fall back to the bottom-up function here. This scenario
14958 + * can happen with large stack limits and large mmap()
14962 +#ifdef CONFIG_PAX_SEGMEXEC
14963 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14964 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
14968 + mm->mmap_base = TASK_UNMAPPED_BASE;
14970 +#ifdef CONFIG_PAX_RANDMMAP
14971 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14972 + mm->mmap_base += mm->delta_mmap;
14975 + mm->free_area_cache = mm->mmap_base;
14976 + mm->cached_hole_size = ~0UL;
14977 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14979 + * Restore the topdown base:
14981 + mm->mmap_base = base;
14982 + mm->free_area_cache = base;
14983 + mm->cached_hole_size = ~0UL;
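Review bot: The PAGEEXEC branch of arch_get_unmapped_area hard-codes `start_addr = 0x00110000UL;` and masks the random delta with `0x03FFF000UL`, with no comment, while the rest of the function works in named limits such as SEGMEXEC_TASK_SIZE. Name both constants (e.g. `PAX_PAGEEXEC_EXEC_BASE` and `PAX_PAGEEXEC_EXEC_DELTA_MASK`) and document the placement: when there is no hardware NX (`!(__supported_pte_mask & _PAGE_NX)`) executable mappings are steered into this low region, presumably because the non-NX PAGEEXEC emulation needs them there — the actual constraint should be stated by whoever knows it. The mask keeps 14 page-granular bits; if that mirrors the 32-bit PAX_DELTA_MMAP_LEN, derive it from that macro instead of restating the value.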
14987 diff -urNp linux-2.6.38.4/arch/x86/kernel/sys_x86_64.c linux-2.6.38.4/arch/x86/kernel/sys_x86_64.c
14988 --- linux-2.6.38.4/arch/x86/kernel/sys_x86_64.c 2011-03-14 21:20:32.000000000 -0400
14989 +++ linux-2.6.38.4/arch/x86/kernel/sys_x86_64.c 2011-04-17 15:57:32.000000000 -0400
14990 @@ -32,8 +32,8 @@ out:
14994 -static void find_start_end(unsigned long flags, unsigned long *begin,
14995 - unsigned long *end)
14996 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
14997 + unsigned long *begin, unsigned long *end)
14999 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
15000 unsigned long new_begin;
15001 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
15002 *begin = new_begin;
15005 - *begin = TASK_UNMAPPED_BASE;
15006 + *begin = mm->mmap_base;
15010 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
15011 if (flags & MAP_FIXED)
15014 - find_start_end(flags, &begin, &end);
15015 + find_start_end(mm, flags, &begin, &end);
15020 +#ifdef CONFIG_PAX_RANDMMAP
15021 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
15025 addr = PAGE_ALIGN(addr);
15026 vma = find_vma(mm, addr);
15027 - if (end - len >= addr &&
15028 - (!vma || addr + len <= vma->vm_start))
15029 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
15032 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
15033 @@ -106,7 +109,7 @@ full_search:
15037 - if (!vma || addr + len <= vma->vm_start) {
15038 + if (check_heap_stack_gap(vma, addr, len)) {
15040 * Remember the place where we stopped the search:
15042 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
15044 struct vm_area_struct *vma;
15045 struct mm_struct *mm = current->mm;
15046 - unsigned long addr = addr0;
15047 + unsigned long base = mm->mmap_base, addr = addr0;
15049 /* requested length too big for entire address space */
15050 if (len > TASK_SIZE)
15051 @@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
15052 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
15055 +#ifdef CONFIG_PAX_RANDMMAP
15056 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
15059 /* requesting a specific address */
15061 addr = PAGE_ALIGN(addr);
15062 - vma = find_vma(mm, addr);
15063 - if (TASK_SIZE - len >= addr &&
15064 - (!vma || addr + len <= vma->vm_start))
15066 + if (TASK_SIZE - len >= addr) {
15067 + vma = find_vma(mm, addr);
15068 + if (check_heap_stack_gap(vma, addr, len))
15073 /* check if free_area_cache is useful for us */
15074 @@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
15075 /* make sure it can fit in the remaining address space */
15077 vma = find_vma(mm, addr-len);
15078 - if (!vma || addr <= vma->vm_start)
15079 + if (check_heap_stack_gap(vma, addr - len, len))
15080 /* remember the address as a hint for next time */
15081 return mm->free_area_cache = addr-len;
15083 @@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
15084 * return with success:
15086 vma = find_vma(mm, addr);
15087 - if (!vma || addr+len <= vma->vm_start)
15088 + if (check_heap_stack_gap(vma, addr, len))
15089 /* remember the address as a hint for next time */
15090 return mm->free_area_cache = addr;
15092 @@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
15093 mm->cached_hole_size = vma->vm_start - addr;
15095 /* try just below the current vma->vm_start */
15096 - addr = vma->vm_start-len;
15097 - } while (len < vma->vm_start);
15098 + addr = skip_heap_stack_gap(vma, len);
15099 + } while (!IS_ERR_VALUE(addr));
15103 @@ -198,13 +206,21 @@ bottomup:
15104 * can happen with large stack limits and large mmap()
15107 + mm->mmap_base = TASK_UNMAPPED_BASE;
15109 +#ifdef CONFIG_PAX_RANDMMAP
15110 + if (mm->pax_flags & MF_PAX_RANDMMAP)
15111 + mm->mmap_base += mm->delta_mmap;
15114 + mm->free_area_cache = mm->mmap_base;
15115 mm->cached_hole_size = ~0UL;
15116 - mm->free_area_cache = TASK_UNMAPPED_BASE;
15117 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
15119 * Restore the topdown base:
15121 - mm->free_area_cache = mm->mmap_base;
15122 + mm->mmap_base = base;
15123 + mm->free_area_cache = base;
15124 mm->cached_hole_size = ~0UL;
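Review bot: `mm->mmap_base` is now rewritten in the bottom-up fallback (15107–15111) and restored from `base`, captured at function entry (15047), after the arch_get_unmapped_area() call; this transient change is only safe if every caller holds mmap_sem for writing, which is the usual contract for get_unmapped_area but is not stated anywhere in the hunk. A comment above 15107 such as `/* temporarily switch the mm to a bottom-up layout; caller holds mmap_sem for writing */` would pin the assumption. Setting mmap_base and free_area_cache as a pair in both places also suggests a tiny static helper, but that is cosmetic. The bottomup label and the surrounding function extend outside the hunk.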
15127 diff -urNp linux-2.6.38.4/arch/x86/kernel/time.c linux-2.6.38.4/arch/x86/kernel/time.c
15128 --- linux-2.6.38.4/arch/x86/kernel/time.c 2011-03-14 21:20:32.000000000 -0400
15129 +++ linux-2.6.38.4/arch/x86/kernel/time.c 2011-04-17 15:57:32.000000000 -0400
15130 @@ -22,17 +22,13 @@
15131 #include <asm/hpet.h>
15132 #include <asm/time.h>
15134 -#ifdef CONFIG_X86_64
15135 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
15138 unsigned long profile_pc(struct pt_regs *regs)
15140 unsigned long pc = instruction_pointer(regs);
15142 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
15143 + if (!user_mode(regs) && in_lock_functions(pc)) {
15144 #ifdef CONFIG_FRAME_POINTER
15145 - return *(unsigned long *)(regs->bp + sizeof(long));
15146 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
15148 unsigned long *sp =
15149 (unsigned long *)kernel_stack_pointer(regs);
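Review bot: Replacing user_mode_vm() with user_mode() at 15143 is correct only if user_mode() has been redefined to treat VM86 frames as user mode; the traps.c hunks at 15265, 15310, 15360 and 15369 switch the opposite way, from user_mode() to user_mode_novm(), which suggests such a header change, but it is not in this chunk, and without it profile_pc() would walk a VM86 frame's bp as a kernel frame pointer. The new ktla_ktva() wrapper at 15146 gets no comment either; it reads as a kernel-text linear-to-virtual address translation, but since its definition is elsewhere a one-line comment naming what it converts and why the frame-pointer path needs it would help. profile_pc's body continues past the hunk.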
15150 @@ -41,11 +37,17 @@ unsigned long profile_pc(struct pt_regs
15151 * or above a saved flags. Eflags has bits 22-31 zero,
15152 * kernel addresses don't.
15155 +#ifdef CONFIG_PAX_KERNEXEC
15156 + return ktla_ktva(sp[0]);
15168 diff -urNp linux-2.6.38.4/arch/x86/kernel/tls.c linux-2.6.38.4/arch/x86/kernel/tls.c
15169 --- linux-2.6.38.4/arch/x86/kernel/tls.c 2011-03-14 21:20:32.000000000 -0400
15170 +++ linux-2.6.38.4/arch/x86/kernel/tls.c 2011-04-17 15:57:32.000000000 -0400
15171 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
15172 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
15175 +#ifdef CONFIG_PAX_SEGMEXEC
15176 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
15180 set_tls_desc(p, idx, &info, 1);
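Review bot: The SEGMEXEC check at 15176 dereferences `p->mm` without a NULL test, while the analogous PAGEEXEC check in traps.c (15315) guards with `tsk->mm &&` before reading pax_flags; for consistency and to cover a caller passing a task without an mm, write `if (p->mm && (p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))`. The body of the branch (15177) is not visible in this rendering, so whether a code-segment TLS descriptor is rejected with an error or silently ignored cannot be checked here. do_set_thread_area starts before the hunk.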
15183 diff -urNp linux-2.6.38.4/arch/x86/kernel/trampoline_32.S linux-2.6.38.4/arch/x86/kernel/trampoline_32.S
15184 --- linux-2.6.38.4/arch/x86/kernel/trampoline_32.S 2011-03-14 21:20:32.000000000 -0400
15185 +++ linux-2.6.38.4/arch/x86/kernel/trampoline_32.S 2011-04-17 15:57:32.000000000 -0400
15187 #include <asm/segment.h>
15188 #include <asm/page_types.h>
15190 +#ifdef CONFIG_PAX_KERNEXEC
15193 +#define ta(X) ((X) - __PAGE_OFFSET)
15196 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
15199 @@ -60,7 +66,7 @@ r_base = .
15200 inc %ax # protected mode (PE) bit
15201 lmsw %ax # into protected mode
15202 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
15203 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
15204 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
15206 # These need to be in the same 64K segment as the above;
15207 # hence we don't use the boot_gdt_descr defined in head.S
15208 diff -urNp linux-2.6.38.4/arch/x86/kernel/trampoline_64.S linux-2.6.38.4/arch/x86/kernel/trampoline_64.S
15209 --- linux-2.6.38.4/arch/x86/kernel/trampoline_64.S 2011-03-14 21:20:32.000000000 -0400
15210 +++ linux-2.6.38.4/arch/x86/kernel/trampoline_64.S 2011-04-17 15:57:32.000000000 -0400
15211 @@ -91,7 +91,7 @@ startup_32:
15212 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
15215 - movl $X86_CR4_PAE, %eax
15216 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
15217 movl %eax, %cr4 # Enable PAE mode
15219 # Setup trampoline 4 level pagetables
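Review bot: The trailing comment `# Enable PAE mode` at 15217 is now incomplete, since the value written to %cr4 also sets PSE and PGE; update it to `# Enable PAE (plus PSE and PGE)` so the comment stops understating what the trampoline turns on. A short note on why the extra bits are needed here — presumably so the trampoline's CR4 matches what the main kernel expects — would also help, as the reason is not visible in this chunk.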
15220 @@ -138,7 +138,7 @@ tidt:
15221 # so the kernel can live anywhere
15224 - .short tgdt_end - tgdt # gdt limit
15225 + .short tgdt_end - tgdt - 1 # gdt limit
15226 .long tgdt - r_base
15228 .quad 0x00cf9b000000ffff # __KERNEL32_CS
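Review bot: `tgdt_end - tgdt - 1` at 15225 is the correct GDT limit (the field holds the offset of the last valid byte, not the table size), but an off-by-one of this kind is easily re-introduced; change the comment to `# gdt limit (size - 1)` so the intent is explicit. Any other trampoline GDT descriptor still written as `end - start` would deserve the same fix, though none is visible in this chunk.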
15229 diff -urNp linux-2.6.38.4/arch/x86/kernel/traps.c linux-2.6.38.4/arch/x86/kernel/traps.c
15230 --- linux-2.6.38.4/arch/x86/kernel/traps.c 2011-03-14 21:20:32.000000000 -0400
15231 +++ linux-2.6.38.4/arch/x86/kernel/traps.c 2011-04-17 15:57:32.000000000 -0400
15232 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
15234 /* Do we ignore FPU interrupts ? */
15235 char ignore_fpu_irq;
15238 - * The IDT has to be page-aligned to simplify the Pentium
15239 - * F0 0F bug workaround.
15241 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
15244 DECLARE_BITMAP(used_vectors, NR_VECTORS);
15245 @@ -117,13 +111,13 @@ static inline void preempt_conditional_c
15248 static void __kprobes
15249 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
15250 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
15251 long error_code, siginfo_t *info)
15253 struct task_struct *tsk = current;
15255 #ifdef CONFIG_X86_32
15256 - if (regs->flags & X86_VM_MASK) {
15257 + if (v8086_mode(regs)) {
15259 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
15260 * On nmi (interrupt 2), do_trap should not be called.
15261 @@ -134,7 +128,7 @@ do_trap(int trapnr, int signr, char *str
15265 - if (!user_mode(regs))
15266 + if (!user_mode_novm(regs))
15269 #ifdef CONFIG_X86_32
15270 @@ -157,7 +151,7 @@ trap_signal:
15271 printk_ratelimit()) {
15273 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
15274 - tsk->comm, tsk->pid, str,
15275 + tsk->comm, task_pid_nr(tsk), str,
15276 regs->ip, regs->sp, error_code);
15277 print_vma_addr(" in ", regs->ip);
15279 @@ -174,8 +168,20 @@ kernel_trap:
15280 if (!fixup_exception(regs)) {
15281 tsk->thread.error_code = error_code;
15282 tsk->thread.trap_no = trapnr;
15284 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15285 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
15286 + str = "PAX: suspicious stack segment fault";
15289 die(str, regs, error_code);
15292 +#ifdef CONFIG_PAX_REFCOUNT
15294 + pax_report_refcount_overflow(regs);
15299 #ifdef CONFIG_X86_32
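Review bot: The selector test `(regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS` at 15285 is repeated verbatim in do_general_protection at 15339; a small `static inline bool` helper (or a macro) would keep the two KERNEXEC paths from drifting apart. The literal `12` at 15285 is the stack-segment fault vector; a named constant, or at least a `/* #SS */` comment, would make the condition readable. The do_trap body continues outside the hunk, and the CONFIG_PAX_REFCOUNT branch at 15292–15294 is missing its condition line in this rendering.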
15300 @@ -264,14 +270,30 @@ do_general_protection(struct pt_regs *re
15301 conditional_sti(regs);
15303 #ifdef CONFIG_X86_32
15304 - if (regs->flags & X86_VM_MASK)
15305 + if (v8086_mode(regs))
15310 - if (!user_mode(regs))
15311 + if (!user_mode_novm(regs))
15314 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
15315 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
15316 + struct mm_struct *mm = tsk->mm;
15317 + unsigned long limit;
15319 + down_write(&mm->mmap_sem);
15320 + limit = mm->context.user_cs_limit;
15321 + if (limit < TASK_SIZE) {
15322 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
15323 + up_write(&mm->mmap_sem);
15326 + up_write(&mm->mmap_sem);
15330 tsk->thread.error_code = error_code;
15331 tsk->thread.trap_no = 13;
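Review bot: The PAGEEXEC block at 15319–15326 takes mmap_sem for writing and releases it on both arms of the `limit < TASK_SIZE` test, with what looks like an early exit at 15324–15325 (not visible in this rendering) between the two releases; a single release after the branch reads more simply, e.g. `if (limit < TASK_SIZE) track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);` followed by `up_write(&mm->mmap_sem);` and then the early exit keyed on the same test. The block also lacks a comment explaining why a user-mode #GP on a CPU without NX support is answered by widening the tracked exec limit — presumably because the code-segment limit stands in for NX there — which a reader of do_general_protection cannot infer from the code. The function continues outside the hunk.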
15333 @@ -304,6 +326,13 @@ gp_in_kernel:
15334 if (notify_die(DIE_GPF, "general protection fault", regs,
15335 error_code, 13, SIGSEGV) == NOTIFY_STOP)
15338 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15339 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
15340 + die("PAX: suspicious general protection fault", regs, error_code);
15344 die("general protection fault", regs, error_code);
15347 @@ -569,7 +598,7 @@ dotraplinkage void __kprobes do_debug(st
15348 /* It's safe to allow irq's after DR6 has been saved */
15349 preempt_conditional_sti(regs);
15351 - if (regs->flags & X86_VM_MASK) {
15352 + if (v8086_mode(regs)) {
15353 handle_vm86_trap((struct kernel_vm86_regs *) regs,
15355 preempt_conditional_cli(regs);
15356 @@ -583,7 +612,7 @@ dotraplinkage void __kprobes do_debug(st
15357 * We already checked v86 mode above, so we can check for kernel mode
15358 * by just checking the CPL of CS.
15360 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
15361 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
15362 tsk->thread.debugreg6 &= ~DR_STEP;
15363 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
15364 regs->flags &= ~X86_EFLAGS_TF;
15365 @@ -612,7 +641,7 @@ void math_error(struct pt_regs *regs, in
15367 conditional_sti(regs);
15369 - if (!user_mode_vm(regs))
15370 + if (!user_mode(regs))
15372 if (!fixup_exception(regs)) {
15373 task->thread.error_code = error_code;
15374 @@ -723,7 +752,7 @@ asmlinkage void __attribute__((weak)) sm
15375 void __math_state_restore(void)
15377 struct thread_info *thread = current_thread_info();
15378 - struct task_struct *tsk = thread->task;
15379 + struct task_struct *tsk = current;
15382 * Paranoid restore. send a SIGSEGV if we fail to restore the state.
15383 @@ -750,8 +779,7 @@ void __math_state_restore(void)
15385 asmlinkage void math_state_restore(void)
15387 - struct thread_info *thread = current_thread_info();
15388 - struct task_struct *tsk = thread->task;
15389 + struct task_struct *tsk = current;
15391 if (!tsk_used_math(tsk)) {
15392 local_irq_enable();
15393 diff -urNp linux-2.6.38.4/arch/x86/kernel/tsc.c linux-2.6.38.4/arch/x86/kernel/tsc.c
15394 --- linux-2.6.38.4/arch/x86/kernel/tsc.c 2011-03-14 21:20:32.000000000 -0400
15395 +++ linux-2.6.38.4/arch/x86/kernel/tsc.c 2011-04-17 15:57:32.000000000 -0400
15396 @@ -837,7 +837,7 @@ static struct dmi_system_id __initdata b
15397 DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
15401 + { NULL, NULL, {{0, {0}}}, NULL}
15404 static void __init check_system_tsc_reliable(void)
15405 diff -urNp linux-2.6.38.4/arch/x86/kernel/vm86_32.c linux-2.6.38.4/arch/x86/kernel/vm86_32.c
15406 --- linux-2.6.38.4/arch/x86/kernel/vm86_32.c 2011-03-14 21:20:32.000000000 -0400
15407 +++ linux-2.6.38.4/arch/x86/kernel/vm86_32.c 2011-04-17 15:57:32.000000000 -0400
15409 #include <linux/ptrace.h>
15410 #include <linux/audit.h>
15411 #include <linux/stddef.h>
15412 +#include <linux/grsecurity.h>
15414 #include <asm/uaccess.h>
15415 #include <asm/io.h>
15416 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
15420 - tss = &per_cpu(init_tss, get_cpu());
15421 + tss = init_tss + get_cpu();
15422 current->thread.sp0 = current->thread.saved_sp0;
15423 current->thread.sysenter_cs = __KERNEL_CS;
15424 load_sp0(tss, ¤t->thread);
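Review bot: `tss = init_tss + get_cpu();` at 15421 (and again at 15459 in do_sys_vm86) only compiles and indexes correctly if init_tss has been redefined from a per-cpu variable to a plain array indexed by cpu number, a change that is not in this chunk; if init_tss is still a per-cpu symbol, pointer arithmetic on it yields a meaningless address. Please confirm the definition change lands with this patch and consider a comment at the first use, e.g. `/* init_tss is a per-cpu-indexed array, not a per_cpu variable */`. save_v86_state starts before the hunk.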
15425 @@ -208,6 +209,13 @@ int sys_vm86old(struct vm86_struct __use
15426 struct task_struct *tsk;
15427 int tmp, ret = -EPERM;
15429 +#ifdef CONFIG_GRKERNSEC_VM86
15430 + if (!capable(CAP_SYS_RAWIO)) {
15431 + gr_handle_vm86();
15437 if (tsk->thread.saved_sp0)
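Review bot: The CAP_SYS_RAWIO gate at 15430–15431 is duplicated in sys_vm86 at 15444–15445, with the outcome of the branch hidden at 15432–15436 in this rendering; a single static helper called from both entry points (a constructed example: `if (!vm86_permitted()) return -EPERM;`) would keep the two syscalls from drifting. Since `ret` is pre-set to -EPERM at 15427, the hidden lines should return that same value so the unprivileged case reports one consistent error. sys_vm86old continues outside the hunk.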
15439 @@ -238,6 +246,14 @@ int sys_vm86(unsigned long cmd, unsigned
15441 struct vm86plus_struct __user *v86;
15443 +#ifdef CONFIG_GRKERNSEC_VM86
15444 + if (!capable(CAP_SYS_RAWIO)) {
15445 + gr_handle_vm86();
15453 case VM86_REQUEST_IRQ:
15454 @@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
15455 tsk->thread.saved_fs = info->regs32->fs;
15456 tsk->thread.saved_gs = get_user_gs(info->regs32);
15458 - tss = &per_cpu(init_tss, get_cpu());
15459 + tss = init_tss + get_cpu();
15460 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
15462 tsk->thread.sysenter_cs = 0;
15463 @@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
15464 goto cannot_handle;
15465 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
15466 goto cannot_handle;
15467 - intr_ptr = (unsigned long __user *) (i << 2);
15468 + intr_ptr = (__force unsigned long __user *) (i << 2);
15469 if (get_user(segoffs, intr_ptr))
15470 goto cannot_handle;
15471 if ((segoffs >> 16) == BIOSSEG)
15472 diff -urNp linux-2.6.38.4/arch/x86/kernel/vmlinux.lds.S linux-2.6.38.4/arch/x86/kernel/vmlinux.lds.S
15473 --- linux-2.6.38.4/arch/x86/kernel/vmlinux.lds.S 2011-03-14 21:20:32.000000000 -0400
15474 +++ linux-2.6.38.4/arch/x86/kernel/vmlinux.lds.S 2011-04-17 15:57:32.000000000 -0400
15476 #include <asm/page_types.h>
15477 #include <asm/cache.h>
15478 #include <asm/boot.h>
15479 +#include <asm/segment.h>
15481 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15482 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
15484 +#define __KERNEL_TEXT_OFFSET 0
15487 #undef i386 /* in case the preprocessor is a 32bit one */
15489 @@ -34,11 +41,9 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
15490 #ifdef CONFIG_X86_32
15492 ENTRY(phys_startup_32)
15493 -jiffies = jiffies_64;
15495 OUTPUT_ARCH(i386:x86-64)
15496 ENTRY(phys_startup_64)
15497 -jiffies_64 = jiffies;
15500 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
15501 @@ -69,31 +74,46 @@ jiffies_64 = jiffies;
15504 text PT_LOAD FLAGS(5); /* R_E */
15505 +#ifdef CONFIG_X86_32
15506 + module PT_LOAD FLAGS(5); /* R_E */
15509 + rodata PT_LOAD FLAGS(5); /* R_E */
15511 + rodata PT_LOAD FLAGS(4); /* R__ */
15513 data PT_LOAD FLAGS(6); /* RW_ */
15514 #ifdef CONFIG_X86_64
15515 user PT_LOAD FLAGS(5); /* R_E */
15517 + init.begin PT_LOAD FLAGS(6); /* RW_ */
15519 percpu PT_LOAD FLAGS(6); /* RW_ */
15521 + text.init PT_LOAD FLAGS(5); /* R_E */
15522 + text.exit PT_LOAD FLAGS(5); /* R_E */
15523 init PT_LOAD FLAGS(7); /* RWE */
15525 note PT_NOTE FLAGS(0); /* ___ */
15530 #ifdef CONFIG_X86_32
15531 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
15532 - phys_startup_32 = startup_32 - LOAD_OFFSET;
15533 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
15535 - . = __START_KERNEL;
15536 - phys_startup_64 = startup_64 - LOAD_OFFSET;
15537 + . = __START_KERNEL;
15540 /* Text and read-only data */
15541 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
15543 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
15544 /* bootstrapping code */
15545 +#ifdef CONFIG_X86_32
15546 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
15548 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
15550 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
15553 #ifdef CONFIG_X86_32
15554 . = ALIGN(PAGE_SIZE);
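Review bot: The 32-bit program header at 15509 maps rodata with FLAGS(5) (R_E) while the other branch at 15511 keeps read-only data non-executable (R__); the condition that selects the executable variant is missing from this rendering, and nothing explains why read-only data needs execute permission on that configuration. A one-line comment next to 15509 naming the reason — it looks tied to the 32-bit KERNEXEC text-offset layout introduced further down, but that is an inference — would let a reviewer tell a deliberate trade-off from a regression of the R__ default.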
15555 @@ -108,13 +128,47 @@ SECTIONS
15559 - /* End of text section */
15563 - NOTES :text :note
15564 + . += __KERNEL_TEXT_OFFSET;
15566 +#ifdef CONFIG_X86_32
15567 + . = ALIGN(PAGE_SIZE);
15568 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
15570 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
15571 + MODULES_EXEC_VADDR = .;
15573 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
15574 + . = ALIGN(HPAGE_SIZE);
15575 + MODULES_EXEC_END = . - 1;
15581 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
15582 + /* End of text section */
15583 + _etext = . - __KERNEL_TEXT_OFFSET;
15586 - EXCEPTION_TABLE(16) :text = 0x9090
15587 +#ifdef CONFIG_X86_32
15588 + . = ALIGN(PAGE_SIZE);
15589 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
15591 + . = ALIGN(PAGE_SIZE);
15592 + *(.empty_zero_page)
15593 + *(.initial_pg_fixmap)
15594 + *(.initial_pg_pmd)
15595 + *(.initial_page_table)
15596 + *(.swapper_pg_dir)
15600 + . = ALIGN(PAGE_SIZE);
15601 + NOTES :rodata :note
15603 + EXCEPTION_TABLE(16) :rodata
15605 #if defined(CONFIG_DEBUG_RODATA)
15606 /* .text should occupy whole number of pages */
15607 @@ -126,16 +180,20 @@ SECTIONS
15610 .data : AT(ADDR(.data) - LOAD_OFFSET) {
15612 +#ifdef CONFIG_PAX_KERNEXEC
15613 + . = ALIGN(HPAGE_SIZE);
15615 + . = ALIGN(PAGE_SIZE);
15618 /* Start of data section */
15622 INIT_TASK_DATA(THREAD_SIZE)
15624 -#ifdef CONFIG_X86_32
15625 - /* 32 bit has nosave before _edata */
15629 PAGE_ALIGNED_DATA(PAGE_SIZE)
15631 @@ -144,6 +202,8 @@ SECTIONS
15635 + jiffies = jiffies_64;
15637 /* rarely changed data like cpu maps */
15638 READ_MOSTLY_DATA(INTERNODE_CACHE_BYTES)
15640 @@ -198,12 +258,6 @@ SECTIONS
15642 vgetcpu_mode = VVIRT(.vgetcpu_mode);
15644 - . = ALIGN(L1_CACHE_BYTES);
15645 - .jiffies : AT(VLOAD(.jiffies)) {
15648 - jiffies = VVIRT(.jiffies);
15650 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
15653 @@ -219,12 +273,19 @@ SECTIONS
15654 #endif /* CONFIG_X86_64 */
15656 /* Init code and data - will be freed after init */
15657 - . = ALIGN(PAGE_SIZE);
15658 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
15661 +#ifdef CONFIG_PAX_KERNEXEC
15662 + . = ALIGN(HPAGE_SIZE);
15664 + . = ALIGN(PAGE_SIZE);
15667 __init_begin = .; /* paired with __init_end */
15671 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
15674 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
15675 * output PHDR, so the next output section - .init.text - should
15676 @@ -233,12 +294,27 @@ SECTIONS
15677 PERCPU_VADDR(0, :percpu)
15680 - INIT_TEXT_SECTION(PAGE_SIZE)
15681 -#ifdef CONFIG_X86_64
15684 + . = ALIGN(PAGE_SIZE);
15686 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
15687 + VMLINUX_SYMBOL(_sinittext) = .;
15689 + VMLINUX_SYMBOL(_einittext) = .;
15690 + . = ALIGN(PAGE_SIZE);
15693 - INIT_DATA_SECTION(16)
15695 + * .exit.text is discard at runtime, not link time, to deal with
15696 + * references from .altinstructions and .eh_frame
15698 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
15702 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
15704 + . = ALIGN(PAGE_SIZE);
15705 + INIT_DATA_SECTION(16) :init
15707 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
15708 __x86_cpu_dev_start = .;
15709 @@ -292,19 +368,12 @@ SECTIONS
15710 __iommu_table_end = .;
15714 - * .exit.text is discard at runtime, not link time, to deal with
15715 - * references from .altinstructions and .eh_frame
15717 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
15721 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
15725 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
15726 +#ifndef CONFIG_SMP
15727 PERCPU(THREAD_SIZE)
15730 @@ -323,16 +392,10 @@ SECTIONS
15731 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
15734 - . = ALIGN(PAGE_SIZE);
15735 __smp_locks_end = .;
15736 + . = ALIGN(PAGE_SIZE);
15739 -#ifdef CONFIG_X86_64
15740 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
15746 . = ALIGN(PAGE_SIZE);
15747 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
15748 @@ -348,6 +411,7 @@ SECTIONS
15750 . += 64 * 1024; /* 64k alignment slop space */
15751 *(.brk_reservation) /* areas brk users have reserved */
15752 + . = ALIGN(HPAGE_SIZE);
15756 @@ -374,13 +438,12 @@ SECTIONS
15757 * for the boot processor.
15759 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
15760 -INIT_PER_CPU(gdt_page);
15761 INIT_PER_CPU(irq_stack_union);
15764 * Build-time check on the image size:
15766 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
15767 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
15768 "kernel image bigger than KERNEL_IMAGE_SIZE");
15771 diff -urNp linux-2.6.38.4/arch/x86/kernel/vsyscall_64.c linux-2.6.38.4/arch/x86/kernel/vsyscall_64.c
15772 --- linux-2.6.38.4/arch/x86/kernel/vsyscall_64.c 2011-03-14 21:20:32.000000000 -0400
15773 +++ linux-2.6.38.4/arch/x86/kernel/vsyscall_64.c 2011-04-17 15:57:32.000000000 -0400
15774 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
15776 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
15777 /* copy vsyscall data */
15778 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
15779 vsyscall_gtod_data.clock.vread = clock->vread;
15780 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
15781 vsyscall_gtod_data.clock.mask = clock->mask;
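Review bot: `strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name)` at 15778 is only right if the new `clock.name` member is a char array; were it declared as a `const char *` like clocksource's own name field, sizeof would yield the pointer size and the copy would be silently truncated. The struct change is outside this chunk, so please confirm the member is a fixed-size array, and consider a short comment stating what consumes `clock.name` from the vsyscall data, since nothing in this hunk reads it. update_vsyscall continues outside the hunk.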
15782 @@ -208,7 +209,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
15783 We do this here because otherwise user space would do it on
15784 its own in a likely inferior way (no access to jiffies).
15785 If you don't like it pass NULL. */
15786 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
15787 + if (tcache && tcache->blob[0] == (j = jiffies)) {
15788 p = tcache->blob[1];
15789 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
15790 /* Load per CPU data from RDTSCP */
15791 diff -urNp linux-2.6.38.4/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.38.4/arch/x86/kernel/x8664_ksyms_64.c
15792 --- linux-2.6.38.4/arch/x86/kernel/x8664_ksyms_64.c 2011-03-14 21:20:32.000000000 -0400
15793 +++ linux-2.6.38.4/arch/x86/kernel/x8664_ksyms_64.c 2011-04-17 15:57:32.000000000 -0400
15794 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
15795 EXPORT_SYMBOL(copy_user_generic_string);
15796 EXPORT_SYMBOL(copy_user_generic_unrolled);
15797 EXPORT_SYMBOL(__copy_user_nocache);
15798 -EXPORT_SYMBOL(_copy_from_user);
15799 -EXPORT_SYMBOL(_copy_to_user);
15801 EXPORT_SYMBOL(copy_page);
15802 EXPORT_SYMBOL(clear_page);
15803 diff -urNp linux-2.6.38.4/arch/x86/kernel/xsave.c linux-2.6.38.4/arch/x86/kernel/xsave.c
15804 --- linux-2.6.38.4/arch/x86/kernel/xsave.c 2011-03-14 21:20:32.000000000 -0400
15805 +++ linux-2.6.38.4/arch/x86/kernel/xsave.c 2011-04-17 15:57:32.000000000 -0400
15806 @@ -130,7 +130,7 @@ int check_for_xstate(struct i387_fxsave_
15807 fx_sw_user->xstate_size > fx_sw_user->extended_size)
15810 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
15811 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
15812 fx_sw_user->extended_size -
15813 FP_XSTATE_MAGIC2_SIZE));
15815 @@ -267,7 +267,7 @@ fx_only:
15816 * the other extended state.
15818 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
15819 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
15820 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
15824 @@ -299,7 +299,7 @@ int restore_i387_xstate(void __user *buf
15826 err = restore_user_xstate(buf);
15828 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
15829 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
15831 if (unlikely(err)) {
15833 diff -urNp linux-2.6.38.4/arch/x86/kvm/emulate.c linux-2.6.38.4/arch/x86/kvm/emulate.c
15834 --- linux-2.6.38.4/arch/x86/kvm/emulate.c 2011-03-14 21:20:32.000000000 -0400
15835 +++ linux-2.6.38.4/arch/x86/kvm/emulate.c 2011-04-17 15:57:32.000000000 -0400
15837 #define Src2ImmByte (2<<29)
15838 #define Src2One (3<<29)
15839 #define Src2Imm (4<<29)
15840 -#define Src2Mask (7<<29)
15841 +#define Src2Mask (7U<<29)
15843 #define X2(x...) x, x
15844 #define X3(x...) X2(x), x
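Review bot: `Src2Imm (4<<29)` at 15839, left unchanged just above the fixed line, has the same signed-shift problem the commit fixes for Src2Mask: 4<<29 is 2^31, which does not fit in int, so the expression is undefined behaviour rather than the intended bit 31. Change it to `#define Src2Imm (4U<<29)` in the same hunk; Src2ImmByte and Src2One (2<<29, 3<<29) stay within int range and are fine. The hunk's @@ header is not visible in this rendering.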
15845 @@ -189,6 +189,7 @@ struct group_dual {
15847 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
15849 + unsigned long _tmp; \
15850 __asm__ __volatile__ ( \
15851 _PRE_EFLAGS("0", "4", "2") \
15852 _op _suffix " %"_x"3,%1; " \
15853 @@ -202,8 +203,6 @@ struct group_dual {
15854 /* Raw emulation: instruction has two explicit operands. */
15855 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
15857 - unsigned long _tmp; \
15859 switch ((_dst).bytes) { \
15861 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
15862 @@ -219,7 +218,6 @@ struct group_dual {
15864 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
15866 - unsigned long _tmp; \
15867 switch ((_dst).bytes) { \
15869 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
15870 diff -urNp linux-2.6.38.4/arch/x86/kvm/lapic.c linux-2.6.38.4/arch/x86/kvm/lapic.c
15871 --- linux-2.6.38.4/arch/x86/kvm/lapic.c 2011-03-14 21:20:32.000000000 -0400
15872 +++ linux-2.6.38.4/arch/x86/kvm/lapic.c 2011-04-17 15:57:32.000000000 -0400
15874 #define APIC_BUS_CYCLE_NS 1
15876 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
15877 -#define apic_debug(fmt, arg...)
15878 +#define apic_debug(fmt, arg...) do {} while (0)
15880 #define APIC_LVT_NUM 6
15881 /* 14 is the version for Xeon and Pentium 8.4.8*/
15882 diff -urNp linux-2.6.38.4/arch/x86/kvm/svm.c linux-2.6.38.4/arch/x86/kvm/svm.c
15883 --- linux-2.6.38.4/arch/x86/kvm/svm.c 2011-03-14 21:20:32.000000000 -0400
15884 +++ linux-2.6.38.4/arch/x86/kvm/svm.c 2011-04-17 15:57:32.000000000 -0400
15885 @@ -3273,7 +3273,11 @@ static void reload_tss(struct kvm_vcpu *
15886 int cpu = raw_smp_processor_id();
15888 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
15890 + pax_open_kernel();
15891 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
15892 + pax_close_kernel();
15897 @@ -3850,7 +3854,7 @@ static void svm_fpu_deactivate(struct kv
15898 update_cr0_intercept(svm);
15901 -static struct kvm_x86_ops svm_x86_ops = {
15902 +static const struct kvm_x86_ops svm_x86_ops = {
15903 .cpu_has_kvm_support = has_svm,
15904 .disabled_by_bios = is_disabled,
15905 .hardware_setup = svm_hardware_setup,
15906 diff -urNp linux-2.6.38.4/arch/x86/kvm/vmx.c linux-2.6.38.4/arch/x86/kvm/vmx.c
15907 --- linux-2.6.38.4/arch/x86/kvm/vmx.c 2011-03-14 21:20:32.000000000 -0400
15908 +++ linux-2.6.38.4/arch/x86/kvm/vmx.c 2011-04-17 15:57:32.000000000 -0400
15909 @@ -725,7 +725,11 @@ static void reload_tss(void)
15910 struct desc_struct *descs;
15912 descs = (void *)gdt->address;
15914 + pax_open_kernel();
15915 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
15916 + pax_close_kernel();
15921 @@ -1642,8 +1646,11 @@ static __init int hardware_setup(void)
15922 if (!cpu_has_vmx_flexpriority())
15923 flexpriority_enabled = 0;
15925 - if (!cpu_has_vmx_tpr_shadow())
15926 - kvm_x86_ops->update_cr8_intercept = NULL;
15927 + if (!cpu_has_vmx_tpr_shadow()) {
15928 + pax_open_kernel();
15929 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
15930 + pax_close_kernel();
15933 if (enable_ept && !cpu_has_vmx_ept_2m_page())
15934 kvm_disable_largepages();
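Review bot: `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` at 15929 writes through a pointer that strips const from an object the same patch defines as `static const struct kvm_x86_ops vmx_x86_ops` (15983); modifying an object defined const is undefined behaviour in C regardless of what pax_open_kernel() does to the page protections, and the compiler may assume the field still holds its initializer. A cleaner fix keeps the decision at the use site — have the hook, or the code that invokes it, bail out when `!cpu_has_vmx_tpr_shadow()` — so the ops table stays genuinely read-only; the same consideration applies to svm_x86_ops (15902) if any of its hooks are patched at runtime. hardware_setup continues outside the hunk.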
15935 @@ -2640,7 +2647,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
15936 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
15938 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
15939 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
15940 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
15941 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
15942 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
15943 vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
15944 @@ -4031,6 +4038,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
15945 "jmp .Lkvm_vmx_return \n\t"
15946 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
15947 ".Lkvm_vmx_return: "
15949 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15950 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
15951 + ".Lkvm_vmx_return2: "
15954 /* Save guest registers, load host registers, keep flags */
15955 "xchg %0, (%%"R"sp) \n\t"
15956 "mov %%"R"ax, %c[rax](%0) \n\t"
15957 @@ -4077,6 +4090,11 @@ static void vmx_vcpu_run(struct kvm_vcpu
15958 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
15960 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
15962 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15963 + ,[cs]"i"(__KERNEL_CS)
15967 , R"ax", R"bx", R"di", R"si"
15968 #ifdef CONFIG_X86_64
15969 @@ -4091,7 +4109,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
15971 vmx->idt_vectoring_info = vmcs_read32(IDT_VECTORING_INFO_FIELD);
15973 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
15974 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
15977 vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
15978 @@ -4326,7 +4344,7 @@ static void vmx_set_supported_cpuid(u32
15982 -static struct kvm_x86_ops vmx_x86_ops = {
15983 +static const struct kvm_x86_ops vmx_x86_ops = {
15984 .cpu_has_kvm_support = cpu_has_kvm_support,
15985 .disabled_by_bios = vmx_disabled_by_bios,
15986 .hardware_setup = hardware_setup,
15987 diff -urNp linux-2.6.38.4/arch/x86/kvm/x86.c linux-2.6.38.4/arch/x86/kvm/x86.c
15988 --- linux-2.6.38.4/arch/x86/kvm/x86.c 2011-03-14 21:20:32.000000000 -0400
15989 +++ linux-2.6.38.4/arch/x86/kvm/x86.c 2011-04-22 19:09:02.000000000 -0400
15990 @@ -93,7 +93,7 @@ static void update_cr8_intercept(struct
15991 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
15992 struct kvm_cpuid_entry2 __user *entries);
15994 -struct kvm_x86_ops *kvm_x86_ops;
15995 +const struct kvm_x86_ops *kvm_x86_ops;
15996 EXPORT_SYMBOL_GPL(kvm_x86_ops);
15998 int ignore_msrs = 0;
15999 @@ -119,38 +119,38 @@ static struct kvm_shared_msrs_global __r
16000 static DEFINE_PER_CPU(struct kvm_shared_msrs, shared_msrs);
16002 struct kvm_stats_debugfs_item debugfs_entries[] = {
16003 - { "pf_fixed", VCPU_STAT(pf_fixed) },
16004 - { "pf_guest", VCPU_STAT(pf_guest) },
16005 - { "tlb_flush", VCPU_STAT(tlb_flush) },
16006 - { "invlpg", VCPU_STAT(invlpg) },
16007 - { "exits", VCPU_STAT(exits) },
16008 - { "io_exits", VCPU_STAT(io_exits) },
16009 - { "mmio_exits", VCPU_STAT(mmio_exits) },
16010 - { "signal_exits", VCPU_STAT(signal_exits) },
16011 - { "irq_window", VCPU_STAT(irq_window_exits) },
16012 - { "nmi_window", VCPU_STAT(nmi_window_exits) },
16013 - { "halt_exits", VCPU_STAT(halt_exits) },
16014 - { "halt_wakeup", VCPU_STAT(halt_wakeup) },
16015 - { "hypercalls", VCPU_STAT(hypercalls) },
16016 - { "request_irq", VCPU_STAT(request_irq_exits) },
16017 - { "irq_exits", VCPU_STAT(irq_exits) },
16018 - { "host_state_reload", VCPU_STAT(host_state_reload) },
16019 - { "efer_reload", VCPU_STAT(efer_reload) },
16020 - { "fpu_reload", VCPU_STAT(fpu_reload) },
16021 - { "insn_emulation", VCPU_STAT(insn_emulation) },
16022 - { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail) },
16023 - { "irq_injections", VCPU_STAT(irq_injections) },
16024 - { "nmi_injections", VCPU_STAT(nmi_injections) },
16025 - { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
16026 - { "mmu_pte_write", VM_STAT(mmu_pte_write) },
16027 - { "mmu_pte_updated", VM_STAT(mmu_pte_updated) },
16028 - { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
16029 - { "mmu_flooded", VM_STAT(mmu_flooded) },
16030 - { "mmu_recycled", VM_STAT(mmu_recycled) },
16031 - { "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
16032 - { "mmu_unsync", VM_STAT(mmu_unsync) },
16033 - { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
16034 - { "largepages", VM_STAT(lpages) },
16035 + { "pf_fixed", VCPU_STAT(pf_fixed), NULL },
16036 + { "pf_guest", VCPU_STAT(pf_guest), NULL },
16037 + { "tlb_flush", VCPU_STAT(tlb_flush), NULL },
16038 + { "invlpg", VCPU_STAT(invlpg), NULL },
16039 + { "exits", VCPU_STAT(exits), NULL },
16040 + { "io_exits", VCPU_STAT(io_exits), NULL },
16041 + { "mmio_exits", VCPU_STAT(mmio_exits), NULL },
16042 + { "signal_exits", VCPU_STAT(signal_exits), NULL },
16043 + { "irq_window", VCPU_STAT(irq_window_exits), NULL },
16044 + { "nmi_window", VCPU_STAT(nmi_window_exits), NULL },
16045 + { "halt_exits", VCPU_STAT(halt_exits), NULL },
16046 + { "halt_wakeup", VCPU_STAT(halt_wakeup), NULL },
16047 + { "hypercalls", VCPU_STAT(hypercalls), NULL },
16048 + { "request_irq", VCPU_STAT(request_irq_exits), NULL },
16049 + { "irq_exits", VCPU_STAT(irq_exits), NULL },
16050 + { "host_state_reload", VCPU_STAT(host_state_reload), NULL },
16051 + { "efer_reload", VCPU_STAT(efer_reload), NULL },
16052 + { "fpu_reload", VCPU_STAT(fpu_reload), NULL },
16053 + { "insn_emulation", VCPU_STAT(insn_emulation), NULL },
16054 + { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail), NULL },
16055 + { "irq_injections", VCPU_STAT(irq_injections), NULL },
16056 + { "nmi_injections", VCPU_STAT(nmi_injections), NULL },
16057 + { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped), NULL },
16058 + { "mmu_pte_write", VM_STAT(mmu_pte_write), NULL },
16059 + { "mmu_pte_updated", VM_STAT(mmu_pte_updated), NULL },
16060 + { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped), NULL },
16061 + { "mmu_flooded", VM_STAT(mmu_flooded), NULL },
16062 + { "mmu_recycled", VM_STAT(mmu_recycled), NULL },
16063 + { "mmu_cache_miss", VM_STAT(mmu_cache_miss), NULL },
16064 + { "mmu_unsync", VM_STAT(mmu_unsync), NULL },
16065 + { "remote_tlb_flush", VM_STAT(remote_tlb_flush), NULL },
16066 + { "largepages", VM_STAT(lpages), NULL },
16070 @@ -2023,6 +2023,8 @@ long kvm_arch_dev_ioctl(struct file *fil
16071 if (n < msr_list.nmsrs)
16074 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
16076 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
16077 num_msrs_to_save * sizeof(u32)))
16079 @@ -2190,15 +2192,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(str
16080 struct kvm_cpuid2 *cpuid,
16081 struct kvm_cpuid_entry2 __user *entries)
16087 if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
16090 - if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
16091 - cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
16092 + if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
16094 + for (i = 0; i < cpuid->nent; ++i) {
16095 + struct kvm_cpuid_entry2 cpuid_entry;
16096 + if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
16098 + vcpu->arch.cpuid_entries[i] = cpuid_entry;
16100 vcpu->arch.cpuid_nent = cpuid->nent;
16101 kvm_apic_set_version(vcpu);
16102 kvm_x86_ops->cpuid_update(vcpu);
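Review bot: The switch from a single copy_from_user() to access_ok() plus a per-entry __copy_from_user() loop through a stack temporary is not explained anywhere in the hunk, and the same pattern appears in kvm_vcpu_ioctl_get_cpuid2 in the next hunk (`@@ -2213,15 +2220,19 @@`). Presumably the intent is that the length seen by the user-copy routine is the constant sizeof(cpuid_entry) rather than a runtime multiple, so a size-checked copy helper can validate it; if so, say that at the loop, e.g. `/* copy one fixed-size entry at a time so the usercopy length is a compile-time constant; the nent bound above keeps the total in range */`. On a mid-loop fault vcpu->arch.cpuid_entries is left partially overwritten while cpuid_nent is not updated, which is the same outcome the old single copy had, but is now easier to miss. The loop counter `i` must be declared on a line not shown here, and the function head and its failure return are outside the visible lines.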
16103 @@ -2213,15 +2220,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(str
16104 struct kvm_cpuid2 *cpuid,
16105 struct kvm_cpuid_entry2 __user *entries)
16111 if (cpuid->nent < vcpu->arch.cpuid_nent)
16114 - if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
16115 - vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
16116 + if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
16118 + for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
16119 + struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
16120 + if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
16126 @@ -2499,7 +2510,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
16127 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
16128 struct kvm_interrupt *irq)
16130 - if (irq->irq < 0 || irq->irq >= 256)
16131 + if (irq->irq >= 256)
16133 if (irqchip_in_kernel(vcpu->kvm))
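Review bot: Dropping `irq->irq < 0` is only correct because the field is unsigned, and nothing at the check site records that; a future reader may take the missing lower bound for an oversight and reintroduce a tautological compare. Suggest `/* irq is unsigned: only the upper bound needs checking */` on the line above, and if a named constant for the 256-vector limit is already available in the KVM headers, comparing against it instead of the literal would make the bound self-documenting. kvm_vcpu_ioctl_interrupt continues past the hunk.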
16135 @@ -4687,10 +4698,10 @@ void kvm_after_handle_nmi(struct kvm_vcp
16137 EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
16139 -int kvm_arch_init(void *opaque)
16140 +int kvm_arch_init(const void *opaque)
16143 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
16144 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
16147 printk(KERN_ERR "kvm: already loaded the other module\n");
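Review bot: The cast in `const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;` is redundant now that opaque is `const void *`: C converts `const void *` to any `const T *` implicitly, and an explicit cast here only hides a future type mismatch from the compiler. `const struct kvm_x86_ops *ops = opaque;` does the same thing and keeps qualifier or type changes visible. The rest of kvm_arch_init is outside the hunk.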
16148 diff -urNp linux-2.6.38.4/arch/x86/lib/atomic64_cx8_32.S linux-2.6.38.4/arch/x86/lib/atomic64_cx8_32.S
16149 --- linux-2.6.38.4/arch/x86/lib/atomic64_cx8_32.S 2011-03-14 21:20:32.000000000 -0400
16150 +++ linux-2.6.38.4/arch/x86/lib/atomic64_cx8_32.S 2011-04-17 15:57:32.000000000 -0400
16151 @@ -86,13 +86,23 @@ ENTRY(atomic64_\func\()_return_cx8)
16153 \ins\()l %esi, %ebx
16154 \insc\()l %edi, %ecx
16156 +#ifdef CONFIG_PAX_REFCOUNT
16159 + _ASM_EXTABLE(2b, 3f)
16170 +#ifdef CONFIG_PAX_REFCOUNT
16177 @@ -116,13 +126,24 @@ ENTRY(atomic64_\func\()_return_cx8)
16182 +#ifdef CONFIG_PAX_REFCOUNT
16185 + _ASM_EXTABLE(2b, 3f)
16196 +#ifdef CONFIG_PAX_REFCOUNT
16203 @@ -176,6 +197,13 @@ ENTRY(atomic64_add_unless_cx8)
16208 +#ifdef CONFIG_PAX_REFCOUNT
16211 + _ASM_EXTABLE(1234b, 1234b)
16217 @@ -208,6 +236,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
16222 +#ifdef CONFIG_PAX_REFCOUNT
16225 + _ASM_EXTABLE(1234b, 1234b)
16231 diff -urNp linux-2.6.38.4/arch/x86/lib/checksum_32.S linux-2.6.38.4/arch/x86/lib/checksum_32.S
16232 --- linux-2.6.38.4/arch/x86/lib/checksum_32.S 2011-03-14 21:20:32.000000000 -0400
16233 +++ linux-2.6.38.4/arch/x86/lib/checksum_32.S 2011-04-17 15:57:32.000000000 -0400
16235 #include <linux/linkage.h>
16236 #include <asm/dwarf2.h>
16237 #include <asm/errno.h>
16239 +#include <asm/segment.h>
16242 * computes a partial checksum, e.g. for TCP/UDP fragments
16244 @@ -304,9 +305,28 @@ unsigned int csum_partial_copy_generic (
16249 -ENTRY(csum_partial_copy_generic)
16251 +ENTRY(csum_partial_copy_generic_to_user)
16254 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16256 + CFI_ADJUST_CFA_OFFSET 4
16258 + CFI_ADJUST_CFA_OFFSET -4
16259 + jmp csum_partial_copy_generic
16262 +ENTRY(csum_partial_copy_generic_from_user)
16264 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16266 + CFI_ADJUST_CFA_OFFSET 4
16268 + CFI_ADJUST_CFA_OFFSET -4
16271 +ENTRY(csum_partial_copy_generic)
16273 CFI_ADJUST_CFA_OFFSET 4
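Review bot: The new csum_partial_copy_generic_to_user wrapper ends with `jmp csum_partial_copy_generic`, but csum_partial_copy_generic_from_user has no matching jump in the lines shown and appears to fall straight into ENTRY(csum_partial_copy_generic). If that fall-through is intentional it should be stated, e.g. `# falls through into csum_partial_copy_generic` just before the ENTRY, since an unlabeled fall-through between two ENTRY symbols is easy to break when code is later inserted between them. The CONFIG_PAX_MEMORY_UDEREF blocks push and pop something around the jump (the instructions between the CFI_ADJUST_CFA_OFFSET lines are not shown), so a one-line comment on which segment register is being loaded for the DST side would also help. The same wrapper pair is repeated for the PentiumII/PPro variant in the `@@ -439,26 +467,47 @@` hunk.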
16275 @@ -331,7 +351,7 @@ ENTRY(csum_partial_copy_generic)
16277 SRC(1: movw (%esi), %bx )
16279 -DST( movw %bx, (%edi) )
16280 +DST( movw %bx, %es:(%edi) )
16284 @@ -343,30 +363,30 @@ DST( movw %bx, (%edi) )
16285 SRC(1: movl (%esi), %ebx )
16286 SRC( movl 4(%esi), %edx )
16288 -DST( movl %ebx, (%edi) )
16289 +DST( movl %ebx, %es:(%edi) )
16291 -DST( movl %edx, 4(%edi) )
16292 +DST( movl %edx, %es:4(%edi) )
16294 SRC( movl 8(%esi), %ebx )
16295 SRC( movl 12(%esi), %edx )
16297 -DST( movl %ebx, 8(%edi) )
16298 +DST( movl %ebx, %es:8(%edi) )
16300 -DST( movl %edx, 12(%edi) )
16301 +DST( movl %edx, %es:12(%edi) )
16303 SRC( movl 16(%esi), %ebx )
16304 SRC( movl 20(%esi), %edx )
16306 -DST( movl %ebx, 16(%edi) )
16307 +DST( movl %ebx, %es:16(%edi) )
16309 -DST( movl %edx, 20(%edi) )
16310 +DST( movl %edx, %es:20(%edi) )
16312 SRC( movl 24(%esi), %ebx )
16313 SRC( movl 28(%esi), %edx )
16315 -DST( movl %ebx, 24(%edi) )
16316 +DST( movl %ebx, %es:24(%edi) )
16318 -DST( movl %edx, 28(%edi) )
16319 +DST( movl %edx, %es:28(%edi) )
16323 @@ -380,7 +400,7 @@ DST( movl %edx, 28(%edi) )
16324 shrl $2, %edx # This clears CF
16325 SRC(3: movl (%esi), %ebx )
16327 -DST( movl %ebx, (%edi) )
16328 +DST( movl %ebx, %es:(%edi) )
16332 @@ -392,12 +412,12 @@ DST( movl %ebx, (%edi) )
16334 SRC( movw (%esi), %cx )
16336 -DST( movw %cx, (%edi) )
16337 +DST( movw %cx, %es:(%edi) )
16341 SRC(5: movb (%esi), %cl )
16342 -DST( movb %cl, (%edi) )
16343 +DST( movb %cl, %es:(%edi) )
16347 @@ -408,7 +428,7 @@ DST( movb %cl, (%edi) )
16350 movl ARGBASE+20(%esp), %ebx # src_err_ptr
16351 - movl $-EFAULT, (%ebx)
16352 + movl $-EFAULT, %ss:(%ebx)
16354 # zero the complete destination - computing the rest
16356 @@ -421,11 +441,19 @@ DST( movb %cl, (%edi) )
16359 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
16360 - movl $-EFAULT,(%ebx)
16361 + movl $-EFAULT,%ss:(%ebx)
16367 + CFI_ADJUST_CFA_OFFSET 4
16369 + CFI_ADJUST_CFA_OFFSET -4
16371 + CFI_ADJUST_CFA_OFFSET 4
16373 + CFI_ADJUST_CFA_OFFSET -4
16375 CFI_ADJUST_CFA_OFFSET -4
16377 @@ -439,26 +467,47 @@ DST( movb %cl, (%edi) )
16378 CFI_ADJUST_CFA_OFFSET -4
16381 -ENDPROC(csum_partial_copy_generic)
16382 +ENDPROC(csum_partial_copy_generic_to_user)
16386 /* Version for PentiumII/PPro */
16388 #define ROUND1(x) \
16390 SRC(movl x(%esi), %ebx ) ; \
16391 addl %ebx, %eax ; \
16392 - DST(movl %ebx, x(%edi) ) ;
16393 + DST(movl %ebx, %es:x(%edi)) ;
16397 SRC(movl x(%esi), %ebx ) ; \
16398 adcl %ebx, %eax ; \
16399 - DST(movl %ebx, x(%edi) ) ;
16400 + DST(movl %ebx, %es:x(%edi)) ;
16404 -ENTRY(csum_partial_copy_generic)
16406 +ENTRY(csum_partial_copy_generic_to_user)
16409 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16411 + CFI_ADJUST_CFA_OFFSET 4
16413 + CFI_ADJUST_CFA_OFFSET -4
16414 + jmp csum_partial_copy_generic
16417 +ENTRY(csum_partial_copy_generic_from_user)
16419 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16421 + CFI_ADJUST_CFA_OFFSET 4
16423 + CFI_ADJUST_CFA_OFFSET -4
16426 +ENTRY(csum_partial_copy_generic)
16428 CFI_ADJUST_CFA_OFFSET 4
16429 CFI_REL_OFFSET ebx, 0
16430 @@ -482,7 +531,7 @@ ENTRY(csum_partial_copy_generic)
16434 - lea 3f(%ebx,%ebx), %ebx
16435 + lea 3f(%ebx,%ebx,2), %ebx
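Review bot: `lea 3f(%ebx,%ebx,2), %ebx` changes the stride of a computed jump into the unrolled ROUND/ROUND1 expansions from 2 to 3 bytes per unit of %ebx, which is only correct if every expansion now has exactly the size the new multiplier assumes (the `%es:` override added to the DST stores in the earlier hunk is a one-byte prefix on each of them). That coupling is invisible at the lea: suggest `# stride must match the encoded size of one ROUND expansion (the %es: override on DST adds a byte)` beside it, and ideally an assembler-time `.if`/`.error` check on the distance between two consecutive ROUND labels, so a future change to the macro fails at build time instead of jumping into the middle of an instruction. The enclosing csum_partial_copy_generic body starts and ends outside this hunk.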
16439 @@ -503,19 +552,19 @@ ENTRY(csum_partial_copy_generic)
16441 SRC( movw (%esi), %dx )
16443 -DST( movw %dx, (%edi) )
16444 +DST( movw %dx, %es:(%edi) )
16449 SRC( movb (%esi), %dl )
16450 -DST( movb %dl, (%edi) )
16451 +DST( movb %dl, %es:(%edi) )
16455 .section .fixup, "ax"
16456 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
16457 - movl $-EFAULT, (%ebx)
16458 + movl $-EFAULT, %ss:(%ebx)
16459 # zero the complete destination (computing the rest is too much work)
16460 movl ARGBASE+8(%esp),%edi # dst
16461 movl ARGBASE+12(%esp),%ecx # len
16462 @@ -523,10 +572,21 @@ DST( movb %dl, (%edi) )
16465 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
16466 - movl $-EFAULT, (%ebx)
16467 + movl $-EFAULT, %ss:(%ebx)
16471 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16473 + CFI_ADJUST_CFA_OFFSET 4
16475 + CFI_ADJUST_CFA_OFFSET -4
16477 + CFI_ADJUST_CFA_OFFSET 4
16479 + CFI_ADJUST_CFA_OFFSET -4
16483 CFI_ADJUST_CFA_OFFSET -4
16485 @@ -538,7 +598,7 @@ DST( movb %dl, (%edi) )
16489 -ENDPROC(csum_partial_copy_generic)
16490 +ENDPROC(csum_partial_copy_generic_to_user)
16494 diff -urNp linux-2.6.38.4/arch/x86/lib/clear_page_64.S linux-2.6.38.4/arch/x86/lib/clear_page_64.S
16495 --- linux-2.6.38.4/arch/x86/lib/clear_page_64.S 2011-03-14 21:20:32.000000000 -0400
16496 +++ linux-2.6.38.4/arch/x86/lib/clear_page_64.S 2011-04-17 15:57:32.000000000 -0400
16497 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
16499 #include <asm/cpufeature.h>
16501 - .section .altinstr_replacement,"ax"
16502 + .section .altinstr_replacement,"a"
16503 1: .byte 0xeb /* jmp <disp8> */
16504 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
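Review bot: Changing `.altinstr_replacement` from `"ax"` to `"a"` drops the executable flag from the replacement section with no comment, here and in the identical hunks in copy_page_64.S and copy_user_64.S. Presumably the replacement bytes are only ever copied into place by apply_alternatives() and never executed from this section, which is what lets it be non-executable under a kernel that enforces W^X on its own text; the first occurrence should say so, e.g. `/* replacement bytes are copied by apply_alternatives(), never executed in place: no "x" needed */`. Any other .S file that still declares this section with `"ax"` should get the same treatment so the section flags stay consistent across the build.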
16506 diff -urNp linux-2.6.38.4/arch/x86/lib/copy_page_64.S linux-2.6.38.4/arch/x86/lib/copy_page_64.S
16507 --- linux-2.6.38.4/arch/x86/lib/copy_page_64.S 2011-03-14 21:20:32.000000000 -0400
16508 +++ linux-2.6.38.4/arch/x86/lib/copy_page_64.S 2011-04-17 15:57:32.000000000 -0400
16509 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
16511 #include <asm/cpufeature.h>
16513 - .section .altinstr_replacement,"ax"
16514 + .section .altinstr_replacement,"a"
16515 1: .byte 0xeb /* jmp <disp8> */
16516 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
16518 diff -urNp linux-2.6.38.4/arch/x86/lib/copy_user_64.S linux-2.6.38.4/arch/x86/lib/copy_user_64.S
16519 --- linux-2.6.38.4/arch/x86/lib/copy_user_64.S 2011-03-14 21:20:32.000000000 -0400
16520 +++ linux-2.6.38.4/arch/x86/lib/copy_user_64.S 2011-04-17 15:57:32.000000000 -0400
16521 @@ -15,13 +15,14 @@
16522 #include <asm/asm-offsets.h>
16523 #include <asm/thread_info.h>
16524 #include <asm/cpufeature.h>
16525 +#include <asm/pgtable.h>
16527 .macro ALTERNATIVE_JUMP feature,orig,alt
16529 .byte 0xe9 /* 32bit jump */
16530 .long \orig-1f /* by default jump to orig */
16532 - .section .altinstr_replacement,"ax"
16533 + .section .altinstr_replacement,"a"
16534 2: .byte 0xe9 /* near jump with 32bit immediate */
16535 .long \alt-1b /* offset */ /* or alternatively to alt */
16537 @@ -64,37 +65,13 @@
16541 -/* Standard copy_to_user with segment limit checking */
16542 -ENTRY(_copy_to_user)
16544 - GET_THREAD_INFO(%rax)
16548 - cmpq TI_addr_limit(%rax),%rcx
16550 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
16552 -ENDPROC(_copy_to_user)
16554 -/* Standard copy_from_user with segment limit checking */
16555 -ENTRY(_copy_from_user)
16557 - GET_THREAD_INFO(%rax)
16561 - cmpq TI_addr_limit(%rax),%rcx
16562 - jae bad_from_user
16563 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
16565 -ENDPROC(_copy_from_user)
16567 .section .fixup,"ax"
16568 /* must zero dest */
16569 ENTRY(bad_from_user)
16577 diff -urNp linux-2.6.38.4/arch/x86/lib/copy_user_nocache_64.S linux-2.6.38.4/arch/x86/lib/copy_user_nocache_64.S
16578 --- linux-2.6.38.4/arch/x86/lib/copy_user_nocache_64.S 2011-03-14 21:20:32.000000000 -0400
16579 +++ linux-2.6.38.4/arch/x86/lib/copy_user_nocache_64.S 2011-04-17 15:57:32.000000000 -0400
16581 #include <asm/current.h>
16582 #include <asm/asm-offsets.h>
16583 #include <asm/thread_info.h>
16584 +#include <asm/pgtable.h>
16586 .macro ALIGN_DESTINATION
16587 #ifdef FIX_ALIGNMENT
16590 ENTRY(__copy_user_nocache)
16593 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16594 + mov $PAX_USER_SHADOW_BASE,%rcx
16602 jb 20f /* less then 8 bytes, go to byte copy loop */
16604 diff -urNp linux-2.6.38.4/arch/x86/lib/csum-wrappers_64.c linux-2.6.38.4/arch/x86/lib/csum-wrappers_64.c
16605 --- linux-2.6.38.4/arch/x86/lib/csum-wrappers_64.c 2011-03-14 21:20:32.000000000 -0400
16606 +++ linux-2.6.38.4/arch/x86/lib/csum-wrappers_64.c 2011-04-17 15:57:32.000000000 -0400
16607 @@ -52,6 +52,8 @@ csum_partial_copy_from_user(const void _
16611 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
16612 + src += PAX_USER_SHADOW_BASE;
16613 isum = csum_partial_copy_generic((__force const void *)src,
16614 dst, len, isum, errp, NULL);
16615 if (unlikely(*errp))
16616 @@ -105,6 +107,8 @@ csum_partial_copy_to_user(const void *sr
16620 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
16621 + dst += PAX_USER_SHADOW_BASE;
16622 return csum_partial_copy_generic(src, (void __force *)dst,
16623 len, isum, NULL, errp);
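Review bot: `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` rebases the user pointer into the shadow range by an open-coded comparison, and the same two lines are repeated for dst in the next hunk (`@@ -105,6 +107,8 @@`). The `<` test assumes every legitimate user pointer lies below PAX_USER_SHADOW_BASE and that anything at or above it has already been rebased; that invariant is not stated here, and the arithmetic is done on a `__user` pointer before the `__force` cast. A one-line comment on why the comparison is a safe discriminator, plus a single helper used by both sites, would keep the two copies from drifting. The surrounding `#ifdef` (if any) and both function heads are outside the visible lines.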
16625 diff -urNp linux-2.6.38.4/arch/x86/lib/getuser.S linux-2.6.38.4/arch/x86/lib/getuser.S
16626 --- linux-2.6.38.4/arch/x86/lib/getuser.S 2011-03-14 21:20:32.000000000 -0400
16627 +++ linux-2.6.38.4/arch/x86/lib/getuser.S 2011-04-17 15:57:32.000000000 -0400
16628 @@ -33,14 +33,35 @@
16629 #include <asm/asm-offsets.h>
16630 #include <asm/thread_info.h>
16631 #include <asm/asm.h>
16632 +#include <asm/segment.h>
16633 +#include <asm/pgtable.h>
16635 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16636 +#define __copyuser_seg gs;
16638 +#define __copyuser_seg
16642 ENTRY(__get_user_1)
16645 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16646 GET_THREAD_INFO(%_ASM_DX)
16647 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
16649 -1: movzb (%_ASM_AX),%edx
16651 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16652 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
16653 + cmp %_ASM_DX,%_ASM_AX
16655 + add %_ASM_DX,%_ASM_AX
16661 +1: __copyuser_seg movzb (%_ASM_AX),%edx
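Review bot: `__copyuser_seg` is defined locally here (`#define __copyuser_seg gs;` under CONFIG_X86_32 && CONFIG_PAX_MEMORY_UDEREF) and defined again with the same body in putuser.S (`@@ -29,52 +30,119 @@`); two private copies of one macro invite divergence, and asm/segment.h, now included by both files, is the natural shared home. Separately, the 32-bit UDEREF configuration compiles out the `GET_THREAD_INFO` / `cmp TI_addr_limit` software bound check in __get_user_1 and, as far as the excerpt shows, relies on the %gs segment limit to fault on kernel addresses instead; that substitution of a hardware check for a software one is the security-relevant core of the hunk and deserves a comment at the `#if`, e.g. `/* with UDEREF on 32-bit the %gs segment limit bounds user accesses, so the addr_limit compare is redundant */`. The same applies to the __get_user_2, __get_user_4 and __get_user_8 hunks that follow.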
16665 @@ -49,11 +70,24 @@ ENDPROC(__get_user_1)
16666 ENTRY(__get_user_2)
16670 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16672 GET_THREAD_INFO(%_ASM_DX)
16673 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
16675 -2: movzwl -1(%_ASM_AX),%edx
16677 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16678 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
16679 + cmp %_ASM_DX,%_ASM_AX
16681 + add %_ASM_DX,%_ASM_AX
16687 +2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
16691 @@ -62,11 +96,24 @@ ENDPROC(__get_user_2)
16692 ENTRY(__get_user_4)
16696 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16698 GET_THREAD_INFO(%_ASM_DX)
16699 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
16701 -3: mov -3(%_ASM_AX),%edx
16703 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16704 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
16705 + cmp %_ASM_DX,%_ASM_AX
16707 + add %_ASM_DX,%_ASM_AX
16713 +3: __copyuser_seg mov -3(%_ASM_AX),%edx
16717 @@ -80,6 +127,15 @@ ENTRY(__get_user_8)
16718 GET_THREAD_INFO(%_ASM_DX)
16719 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
16722 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16723 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
16724 + cmp %_ASM_DX,%_ASM_AX
16726 + add %_ASM_DX,%_ASM_AX
16730 4: movq -7(%_ASM_AX),%_ASM_DX
16733 diff -urNp linux-2.6.38.4/arch/x86/lib/insn.c linux-2.6.38.4/arch/x86/lib/insn.c
16734 --- linux-2.6.38.4/arch/x86/lib/insn.c 2011-03-14 21:20:32.000000000 -0400
16735 +++ linux-2.6.38.4/arch/x86/lib/insn.c 2011-04-17 15:57:32.000000000 -0400
16737 #include <linux/string.h>
16738 #include <asm/inat.h>
16739 #include <asm/insn.h>
16741 +#include <asm/pgtable_types.h>
16743 +#define ktla_ktva(addr) addr
16746 #define get_next(t, insn) \
16747 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
16749 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
16751 memset(insn, 0, sizeof(*insn));
16752 - insn->kaddr = kaddr;
16753 - insn->next_byte = kaddr;
16754 + insn->kaddr = ktla_ktva(kaddr);
16755 + insn->next_byte = ktla_ktva(kaddr);
16756 insn->x86_64 = x86_64 ? 1 : 0;
16757 insn->opnd_bytes = 4;
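Review bot: The fallback `#define ktla_ktva(addr) addr` parenthesizes neither its argument nor its expansion; the usual form is `#define ktla_ktva(addr) (addr)` so an argument containing an operator cannot bind differently after substitution. The non-fallback definition is on lines not shown here, so whether it parenthesizes is not visible, but the two variants should at least agree. A one-line comment at the definition on what the translation is for (presumably a kernel-text linear-to-virtual address mapping used when text is relocated) would also help, since insn_init now applies it to every kaddr it is given.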
16759 diff -urNp linux-2.6.38.4/arch/x86/lib/mmx_32.c linux-2.6.38.4/arch/x86/lib/mmx_32.c
16760 --- linux-2.6.38.4/arch/x86/lib/mmx_32.c 2011-03-14 21:20:32.000000000 -0400
16761 +++ linux-2.6.38.4/arch/x86/lib/mmx_32.c 2011-04-17 15:57:32.000000000 -0400
16762 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
16766 + unsigned long cr0;
16768 if (unlikely(in_interrupt()))
16769 return __memcpy(to, from, len);
16770 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
16771 kernel_fpu_begin();
16773 __asm__ __volatile__ (
16774 - "1: prefetch (%0)\n" /* This set is 28 bytes */
16775 - " prefetch 64(%0)\n"
16776 - " prefetch 128(%0)\n"
16777 - " prefetch 192(%0)\n"
16778 - " prefetch 256(%0)\n"
16779 + "1: prefetch (%1)\n" /* This set is 28 bytes */
16780 + " prefetch 64(%1)\n"
16781 + " prefetch 128(%1)\n"
16782 + " prefetch 192(%1)\n"
16783 + " prefetch 256(%1)\n"
16785 ".section .fixup, \"ax\"\n"
16786 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16789 +#ifdef CONFIG_PAX_KERNEXEC
16790 + " movl %%cr0, %0\n"
16791 + " movl %0, %%eax\n"
16792 + " andl $0xFFFEFFFF, %%eax\n"
16793 + " movl %%eax, %%cr0\n"
16796 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16798 +#ifdef CONFIG_PAX_KERNEXEC
16799 + " movl %0, %%cr0\n"
16804 _ASM_EXTABLE(1b, 3b)
16806 + : "=&r" (cr0) : "r" (from) : "ax");
16808 for ( ; i > 5; i--) {
16809 __asm__ __volatile__ (
16810 - "1: prefetch 320(%0)\n"
16811 - "2: movq (%0), %%mm0\n"
16812 - " movq 8(%0), %%mm1\n"
16813 - " movq 16(%0), %%mm2\n"
16814 - " movq 24(%0), %%mm3\n"
16815 - " movq %%mm0, (%1)\n"
16816 - " movq %%mm1, 8(%1)\n"
16817 - " movq %%mm2, 16(%1)\n"
16818 - " movq %%mm3, 24(%1)\n"
16819 - " movq 32(%0), %%mm0\n"
16820 - " movq 40(%0), %%mm1\n"
16821 - " movq 48(%0), %%mm2\n"
16822 - " movq 56(%0), %%mm3\n"
16823 - " movq %%mm0, 32(%1)\n"
16824 - " movq %%mm1, 40(%1)\n"
16825 - " movq %%mm2, 48(%1)\n"
16826 - " movq %%mm3, 56(%1)\n"
16827 + "1: prefetch 320(%1)\n"
16828 + "2: movq (%1), %%mm0\n"
16829 + " movq 8(%1), %%mm1\n"
16830 + " movq 16(%1), %%mm2\n"
16831 + " movq 24(%1), %%mm3\n"
16832 + " movq %%mm0, (%2)\n"
16833 + " movq %%mm1, 8(%2)\n"
16834 + " movq %%mm2, 16(%2)\n"
16835 + " movq %%mm3, 24(%2)\n"
16836 + " movq 32(%1), %%mm0\n"
16837 + " movq 40(%1), %%mm1\n"
16838 + " movq 48(%1), %%mm2\n"
16839 + " movq 56(%1), %%mm3\n"
16840 + " movq %%mm0, 32(%2)\n"
16841 + " movq %%mm1, 40(%2)\n"
16842 + " movq %%mm2, 48(%2)\n"
16843 + " movq %%mm3, 56(%2)\n"
16844 ".section .fixup, \"ax\"\n"
16845 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16848 +#ifdef CONFIG_PAX_KERNEXEC
16849 + " movl %%cr0, %0\n"
16850 + " movl %0, %%eax\n"
16851 + " andl $0xFFFEFFFF, %%eax\n"
16852 + " movl %%eax, %%cr0\n"
16855 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16857 +#ifdef CONFIG_PAX_KERNEXEC
16858 + " movl %0, %%cr0\n"
16863 _ASM_EXTABLE(1b, 3b)
16864 - : : "r" (from), "r" (to) : "memory");
16865 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
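Review bot: The fixup paths now clear CR0.WP with `andl $0xFFFEFFFF, %%eax` before rewriting the instruction at label 1 and restore it afterwards, and this identical sequence appears twice in this hunk and six more times across the fast_copy_page hunks (`@@ -166,42 +196,70 @@` and `@@ -280,47 +338,76 @@`); a single assembler macro would remove the duplication and make the magic mask self-describing. Suggest at least `/* clear CR0.WP so the fixup can rewrite the prefetch at 1b into a jmp on a kernel that maps its text read-only */` at the first occurrence, since neither the mask nor the reason for touching CR0 is stated. Also worth confirming, and documenting, whether an interrupt can be taken between the two CR0 writes: kernel_fpu_begin() above disables preemption but, as far as this excerpt shows, not interrupts, and anything that runs in that window does so with text write protection off.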
16869 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
16870 static void fast_copy_page(void *to, void *from)
16873 + unsigned long cr0;
16875 kernel_fpu_begin();
16877 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
16878 * but that is for later. -AV
16880 __asm__ __volatile__(
16881 - "1: prefetch (%0)\n"
16882 - " prefetch 64(%0)\n"
16883 - " prefetch 128(%0)\n"
16884 - " prefetch 192(%0)\n"
16885 - " prefetch 256(%0)\n"
16886 + "1: prefetch (%1)\n"
16887 + " prefetch 64(%1)\n"
16888 + " prefetch 128(%1)\n"
16889 + " prefetch 192(%1)\n"
16890 + " prefetch 256(%1)\n"
16892 ".section .fixup, \"ax\"\n"
16893 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16896 +#ifdef CONFIG_PAX_KERNEXEC
16897 + " movl %%cr0, %0\n"
16898 + " movl %0, %%eax\n"
16899 + " andl $0xFFFEFFFF, %%eax\n"
16900 + " movl %%eax, %%cr0\n"
16903 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16905 +#ifdef CONFIG_PAX_KERNEXEC
16906 + " movl %0, %%cr0\n"
16911 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
16912 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
16914 for (i = 0; i < (4096-320)/64; i++) {
16915 __asm__ __volatile__ (
16916 - "1: prefetch 320(%0)\n"
16917 - "2: movq (%0), %%mm0\n"
16918 - " movntq %%mm0, (%1)\n"
16919 - " movq 8(%0), %%mm1\n"
16920 - " movntq %%mm1, 8(%1)\n"
16921 - " movq 16(%0), %%mm2\n"
16922 - " movntq %%mm2, 16(%1)\n"
16923 - " movq 24(%0), %%mm3\n"
16924 - " movntq %%mm3, 24(%1)\n"
16925 - " movq 32(%0), %%mm4\n"
16926 - " movntq %%mm4, 32(%1)\n"
16927 - " movq 40(%0), %%mm5\n"
16928 - " movntq %%mm5, 40(%1)\n"
16929 - " movq 48(%0), %%mm6\n"
16930 - " movntq %%mm6, 48(%1)\n"
16931 - " movq 56(%0), %%mm7\n"
16932 - " movntq %%mm7, 56(%1)\n"
16933 + "1: prefetch 320(%1)\n"
16934 + "2: movq (%1), %%mm0\n"
16935 + " movntq %%mm0, (%2)\n"
16936 + " movq 8(%1), %%mm1\n"
16937 + " movntq %%mm1, 8(%2)\n"
16938 + " movq 16(%1), %%mm2\n"
16939 + " movntq %%mm2, 16(%2)\n"
16940 + " movq 24(%1), %%mm3\n"
16941 + " movntq %%mm3, 24(%2)\n"
16942 + " movq 32(%1), %%mm4\n"
16943 + " movntq %%mm4, 32(%2)\n"
16944 + " movq 40(%1), %%mm5\n"
16945 + " movntq %%mm5, 40(%2)\n"
16946 + " movq 48(%1), %%mm6\n"
16947 + " movntq %%mm6, 48(%2)\n"
16948 + " movq 56(%1), %%mm7\n"
16949 + " movntq %%mm7, 56(%2)\n"
16950 ".section .fixup, \"ax\"\n"
16951 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16954 +#ifdef CONFIG_PAX_KERNEXEC
16955 + " movl %%cr0, %0\n"
16956 + " movl %0, %%eax\n"
16957 + " andl $0xFFFEFFFF, %%eax\n"
16958 + " movl %%eax, %%cr0\n"
16961 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16963 +#ifdef CONFIG_PAX_KERNEXEC
16964 + " movl %0, %%cr0\n"
16969 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
16970 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
16974 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
16975 static void fast_copy_page(void *to, void *from)
16978 + unsigned long cr0;
16980 kernel_fpu_begin();
16982 __asm__ __volatile__ (
16983 - "1: prefetch (%0)\n"
16984 - " prefetch 64(%0)\n"
16985 - " prefetch 128(%0)\n"
16986 - " prefetch 192(%0)\n"
16987 - " prefetch 256(%0)\n"
16988 + "1: prefetch (%1)\n"
16989 + " prefetch 64(%1)\n"
16990 + " prefetch 128(%1)\n"
16991 + " prefetch 192(%1)\n"
16992 + " prefetch 256(%1)\n"
16994 ".section .fixup, \"ax\"\n"
16995 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16998 +#ifdef CONFIG_PAX_KERNEXEC
16999 + " movl %%cr0, %0\n"
17000 + " movl %0, %%eax\n"
17001 + " andl $0xFFFEFFFF, %%eax\n"
17002 + " movl %%eax, %%cr0\n"
17005 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
17007 +#ifdef CONFIG_PAX_KERNEXEC
17008 + " movl %0, %%cr0\n"
17013 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
17014 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
17016 for (i = 0; i < 4096/64; i++) {
17017 __asm__ __volatile__ (
17018 - "1: prefetch 320(%0)\n"
17019 - "2: movq (%0), %%mm0\n"
17020 - " movq 8(%0), %%mm1\n"
17021 - " movq 16(%0), %%mm2\n"
17022 - " movq 24(%0), %%mm3\n"
17023 - " movq %%mm0, (%1)\n"
17024 - " movq %%mm1, 8(%1)\n"
17025 - " movq %%mm2, 16(%1)\n"
17026 - " movq %%mm3, 24(%1)\n"
17027 - " movq 32(%0), %%mm0\n"
17028 - " movq 40(%0), %%mm1\n"
17029 - " movq 48(%0), %%mm2\n"
17030 - " movq 56(%0), %%mm3\n"
17031 - " movq %%mm0, 32(%1)\n"
17032 - " movq %%mm1, 40(%1)\n"
17033 - " movq %%mm2, 48(%1)\n"
17034 - " movq %%mm3, 56(%1)\n"
17035 + "1: prefetch 320(%1)\n"
17036 + "2: movq (%1), %%mm0\n"
17037 + " movq 8(%1), %%mm1\n"
17038 + " movq 16(%1), %%mm2\n"
17039 + " movq 24(%1), %%mm3\n"
17040 + " movq %%mm0, (%2)\n"
17041 + " movq %%mm1, 8(%2)\n"
17042 + " movq %%mm2, 16(%2)\n"
17043 + " movq %%mm3, 24(%2)\n"
17044 + " movq 32(%1), %%mm0\n"
17045 + " movq 40(%1), %%mm1\n"
17046 + " movq 48(%1), %%mm2\n"
17047 + " movq 56(%1), %%mm3\n"
17048 + " movq %%mm0, 32(%2)\n"
17049 + " movq %%mm1, 40(%2)\n"
17050 + " movq %%mm2, 48(%2)\n"
17051 + " movq %%mm3, 56(%2)\n"
17052 ".section .fixup, \"ax\"\n"
17053 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
17056 +#ifdef CONFIG_PAX_KERNEXEC
17057 + " movl %%cr0, %0\n"
17058 + " movl %0, %%eax\n"
17059 + " andl $0xFFFEFFFF, %%eax\n"
17060 + " movl %%eax, %%cr0\n"
17063 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
17065 +#ifdef CONFIG_PAX_KERNEXEC
17066 + " movl %0, %%cr0\n"
17071 _ASM_EXTABLE(1b, 3b)
17072 - : : "r" (from), "r" (to) : "memory");
17073 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
17077 diff -urNp linux-2.6.38.4/arch/x86/lib/putuser.S linux-2.6.38.4/arch/x86/lib/putuser.S
17078 --- linux-2.6.38.4/arch/x86/lib/putuser.S 2011-03-14 21:20:32.000000000 -0400
17079 +++ linux-2.6.38.4/arch/x86/lib/putuser.S 2011-04-17 15:57:32.000000000 -0400
17081 #include <asm/thread_info.h>
17082 #include <asm/errno.h>
17083 #include <asm/asm.h>
17085 +#include <asm/segment.h>
17086 +#include <asm/pgtable.h>
17090 @@ -29,52 +30,119 @@
17091 * as they get called from within inline assembly.
17094 -#define ENTER CFI_STARTPROC ; \
17095 - GET_THREAD_INFO(%_ASM_BX)
17096 +#define ENTER CFI_STARTPROC
17097 #define EXIT ret ; \
17100 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17101 +#define _DEST %_ASM_CX,%_ASM_BX
17103 +#define _DEST %_ASM_CX
17106 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
17107 +#define __copyuser_seg gs;
17109 +#define __copyuser_seg
17113 ENTRY(__put_user_1)
17116 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
17117 + GET_THREAD_INFO(%_ASM_BX)
17118 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
17120 -1: movb %al,(%_ASM_CX)
17122 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17123 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
17124 + cmp %_ASM_BX,%_ASM_CX
17132 +1: __copyuser_seg movb %al,(_DEST)
17135 ENDPROC(__put_user_1)
17137 ENTRY(__put_user_2)
17140 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
17141 + GET_THREAD_INFO(%_ASM_BX)
17142 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
17144 cmp %_ASM_BX,%_ASM_CX
17146 -2: movw %ax,(%_ASM_CX)
17148 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17149 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
17150 + cmp %_ASM_BX,%_ASM_CX
17158 +2: __copyuser_seg movw %ax,(_DEST)
17161 ENDPROC(__put_user_2)
17163 ENTRY(__put_user_4)
17166 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
17167 + GET_THREAD_INFO(%_ASM_BX)
17168 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
17170 cmp %_ASM_BX,%_ASM_CX
17172 -3: movl %eax,(%_ASM_CX)
17174 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17175 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
17176 + cmp %_ASM_BX,%_ASM_CX
17184 +3: __copyuser_seg movl %eax,(_DEST)
17187 ENDPROC(__put_user_4)
17189 ENTRY(__put_user_8)
17192 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
17193 + GET_THREAD_INFO(%_ASM_BX)
17194 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
17196 cmp %_ASM_BX,%_ASM_CX
17198 -4: mov %_ASM_AX,(%_ASM_CX)
17200 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17201 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
17202 + cmp %_ASM_BX,%_ASM_CX
17210 +4: __copyuser_seg mov %_ASM_AX,(_DEST)
17211 #ifdef CONFIG_X86_32
17212 -5: movl %edx,4(%_ASM_CX)
17213 +5: __copyuser_seg movl %edx,4(_DEST)
17217 diff -urNp linux-2.6.38.4/arch/x86/lib/usercopy_32.c linux-2.6.38.4/arch/x86/lib/usercopy_32.c
17218 --- linux-2.6.38.4/arch/x86/lib/usercopy_32.c 2011-03-14 21:20:32.000000000 -0400
17219 +++ linux-2.6.38.4/arch/x86/lib/usercopy_32.c 2011-04-17 15:57:32.000000000 -0400
17220 @@ -43,7 +43,7 @@ do { \
17221 __asm__ __volatile__( \
17225 + "0: "__copyuser_seg"lodsb\n" \
17227 " testb %%al,%%al\n" \
17229 @@ -128,10 +128,12 @@ do { \
17232 __asm__ __volatile__( \
17233 + __COPYUSER_SET_ES \
17234 "0: rep; stosl\n" \
17236 "1: rep; stosb\n" \
17238 + __COPYUSER_RESTORE_ES \
17239 ".section .fixup,\"ax\"\n" \
17240 "3: lea 0(%2,%0,4),%0\n" \
17242 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
17245 __asm__ __volatile__(
17246 + __COPYUSER_SET_ES
17250 @@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
17254 + __COPYUSER_RESTORE_ES
17255 ".section .fixup,\"ax\"\n"
17256 "2: xorl %%eax,%%eax\n"
17258 @@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
17260 #ifdef CONFIG_X86_INTEL_USERCOPY
17261 static unsigned long
17262 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
17263 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
17266 __asm__ __volatile__(
17267 @@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
17269 "3: movl 0(%4), %%eax\n"
17270 "4: movl 4(%4), %%edx\n"
17271 - "5: movl %%eax, 0(%3)\n"
17272 - "6: movl %%edx, 4(%3)\n"
17273 + "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
17274 + "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
17275 "7: movl 8(%4), %%eax\n"
17276 "8: movl 12(%4),%%edx\n"
17277 - "9: movl %%eax, 8(%3)\n"
17278 - "10: movl %%edx, 12(%3)\n"
17279 + "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
17280 + "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
17281 "11: movl 16(%4), %%eax\n"
17282 "12: movl 20(%4), %%edx\n"
17283 - "13: movl %%eax, 16(%3)\n"
17284 - "14: movl %%edx, 20(%3)\n"
17285 + "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
17286 + "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
17287 "15: movl 24(%4), %%eax\n"
17288 "16: movl 28(%4), %%edx\n"
17289 - "17: movl %%eax, 24(%3)\n"
17290 - "18: movl %%edx, 28(%3)\n"
17291 + "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
17292 + "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
17293 "19: movl 32(%4), %%eax\n"
17294 "20: movl 36(%4), %%edx\n"
17295 - "21: movl %%eax, 32(%3)\n"
17296 - "22: movl %%edx, 36(%3)\n"
17297 + "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
17298 + "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
17299 "23: movl 40(%4), %%eax\n"
17300 "24: movl 44(%4), %%edx\n"
17301 - "25: movl %%eax, 40(%3)\n"
17302 - "26: movl %%edx, 44(%3)\n"
17303 + "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
17304 + "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
17305 "27: movl 48(%4), %%eax\n"
17306 "28: movl 52(%4), %%edx\n"
17307 - "29: movl %%eax, 48(%3)\n"
17308 - "30: movl %%edx, 52(%3)\n"
17309 + "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
17310 + "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
17311 "31: movl 56(%4), %%eax\n"
17312 "32: movl 60(%4), %%edx\n"
17313 - "33: movl %%eax, 56(%3)\n"
17314 - "34: movl %%edx, 60(%3)\n"
17315 + "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
17316 + "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
17320 @@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
17322 " andl $3, %%eax\n"
17324 + __COPYUSER_SET_ES
17326 "36: movl %%eax, %0\n"
17329 + __COPYUSER_RESTORE_ES
17330 + ".section .fixup,\"ax\"\n"
17331 + "101: lea 0(%%eax,%0,4),%0\n"
17334 + ".section __ex_table,\"a\"\n"
17336 + " .long 1b,100b\n"
17337 + " .long 2b,100b\n"
17338 + " .long 3b,100b\n"
17339 + " .long 4b,100b\n"
17340 + " .long 5b,100b\n"
17341 + " .long 6b,100b\n"
17342 + " .long 7b,100b\n"
17343 + " .long 8b,100b\n"
17344 + " .long 9b,100b\n"
17345 + " .long 10b,100b\n"
17346 + " .long 11b,100b\n"
17347 + " .long 12b,100b\n"
17348 + " .long 13b,100b\n"
17349 + " .long 14b,100b\n"
17350 + " .long 15b,100b\n"
17351 + " .long 16b,100b\n"
17352 + " .long 17b,100b\n"
17353 + " .long 18b,100b\n"
17354 + " .long 19b,100b\n"
17355 + " .long 20b,100b\n"
17356 + " .long 21b,100b\n"
17357 + " .long 22b,100b\n"
17358 + " .long 23b,100b\n"
17359 + " .long 24b,100b\n"
17360 + " .long 25b,100b\n"
17361 + " .long 26b,100b\n"
17362 + " .long 27b,100b\n"
17363 + " .long 28b,100b\n"
17364 + " .long 29b,100b\n"
17365 + " .long 30b,100b\n"
17366 + " .long 31b,100b\n"
17367 + " .long 32b,100b\n"
17368 + " .long 33b,100b\n"
17369 + " .long 34b,100b\n"
17370 + " .long 35b,100b\n"
17371 + " .long 36b,100b\n"
17372 + " .long 37b,100b\n"
17373 + " .long 99b,101b\n"
17375 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
17376 + : "1"(to), "2"(from), "0"(size)
17377 + : "eax", "edx", "memory");
17381 +static unsigned long
17382 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
17385 + __asm__ __volatile__(
17386 + " .align 2,0x90\n"
17387 + "1: "__copyuser_seg" movl 32(%4), %%eax\n"
17388 + " cmpl $67, %0\n"
17390 + "2: "__copyuser_seg" movl 64(%4), %%eax\n"
17391 + " .align 2,0x90\n"
17392 + "3: "__copyuser_seg" movl 0(%4), %%eax\n"
17393 + "4: "__copyuser_seg" movl 4(%4), %%edx\n"
17394 + "5: movl %%eax, 0(%3)\n"
17395 + "6: movl %%edx, 4(%3)\n"
17396 + "7: "__copyuser_seg" movl 8(%4), %%eax\n"
17397 + "8: "__copyuser_seg" movl 12(%4),%%edx\n"
17398 + "9: movl %%eax, 8(%3)\n"
17399 + "10: movl %%edx, 12(%3)\n"
17400 + "11: "__copyuser_seg" movl 16(%4), %%eax\n"
17401 + "12: "__copyuser_seg" movl 20(%4), %%edx\n"
17402 + "13: movl %%eax, 16(%3)\n"
17403 + "14: movl %%edx, 20(%3)\n"
17404 + "15: "__copyuser_seg" movl 24(%4), %%eax\n"
17405 + "16: "__copyuser_seg" movl 28(%4), %%edx\n"
17406 + "17: movl %%eax, 24(%3)\n"
17407 + "18: movl %%edx, 28(%3)\n"
17408 + "19: "__copyuser_seg" movl 32(%4), %%eax\n"
17409 + "20: "__copyuser_seg" movl 36(%4), %%edx\n"
17410 + "21: movl %%eax, 32(%3)\n"
17411 + "22: movl %%edx, 36(%3)\n"
17412 + "23: "__copyuser_seg" movl 40(%4), %%eax\n"
17413 + "24: "__copyuser_seg" movl 44(%4), %%edx\n"
17414 + "25: movl %%eax, 40(%3)\n"
17415 + "26: movl %%edx, 44(%3)\n"
17416 + "27: "__copyuser_seg" movl 48(%4), %%eax\n"
17417 + "28: "__copyuser_seg" movl 52(%4), %%edx\n"
17418 + "29: movl %%eax, 48(%3)\n"
17419 + "30: movl %%edx, 52(%3)\n"
17420 + "31: "__copyuser_seg" movl 56(%4), %%eax\n"
17421 + "32: "__copyuser_seg" movl 60(%4), %%edx\n"
17422 + "33: movl %%eax, 56(%3)\n"
17423 + "34: movl %%edx, 60(%3)\n"
17424 + " addl $-64, %0\n"
17425 + " addl $64, %4\n"
17426 + " addl $64, %3\n"
17427 + " cmpl $63, %0\n"
17429 + "35: movl %0, %%eax\n"
17431 + " andl $3, %%eax\n"
17433 + "99: rep; "__copyuser_seg" movsl\n"
17434 + "36: movl %%eax, %0\n"
17435 + "37: rep; "__copyuser_seg" movsb\n"
17437 ".section .fixup,\"ax\"\n"
17438 "101: lea 0(%%eax,%0,4),%0\n"
17440 @@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
17442 __asm__ __volatile__(
17444 - "0: movl 32(%4), %%eax\n"
17445 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
17448 - "1: movl 64(%4), %%eax\n"
17449 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
17451 - "2: movl 0(%4), %%eax\n"
17452 - "21: movl 4(%4), %%edx\n"
17453 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
17454 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
17455 " movl %%eax, 0(%3)\n"
17456 " movl %%edx, 4(%3)\n"
17457 - "3: movl 8(%4), %%eax\n"
17458 - "31: movl 12(%4),%%edx\n"
17459 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
17460 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
17461 " movl %%eax, 8(%3)\n"
17462 " movl %%edx, 12(%3)\n"
17463 - "4: movl 16(%4), %%eax\n"
17464 - "41: movl 20(%4), %%edx\n"
17465 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
17466 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
17467 " movl %%eax, 16(%3)\n"
17468 " movl %%edx, 20(%3)\n"
17469 - "10: movl 24(%4), %%eax\n"
17470 - "51: movl 28(%4), %%edx\n"
17471 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
17472 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
17473 " movl %%eax, 24(%3)\n"
17474 " movl %%edx, 28(%3)\n"
17475 - "11: movl 32(%4), %%eax\n"
17476 - "61: movl 36(%4), %%edx\n"
17477 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
17478 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
17479 " movl %%eax, 32(%3)\n"
17480 " movl %%edx, 36(%3)\n"
17481 - "12: movl 40(%4), %%eax\n"
17482 - "71: movl 44(%4), %%edx\n"
17483 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
17484 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
17485 " movl %%eax, 40(%3)\n"
17486 " movl %%edx, 44(%3)\n"
17487 - "13: movl 48(%4), %%eax\n"
17488 - "81: movl 52(%4), %%edx\n"
17489 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
17490 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
17491 " movl %%eax, 48(%3)\n"
17492 " movl %%edx, 52(%3)\n"
17493 - "14: movl 56(%4), %%eax\n"
17494 - "91: movl 60(%4), %%edx\n"
17495 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
17496 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
17497 " movl %%eax, 56(%3)\n"
17498 " movl %%edx, 60(%3)\n"
17500 @@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
17502 " andl $3, %%eax\n"
17504 - "6: rep; movsl\n"
17505 + "6: rep; "__copyuser_seg" movsl\n"
17507 - "7: rep; movsb\n"
17508 + "7: rep; "__copyuser_seg" movsb\n"
17510 ".section .fixup,\"ax\"\n"
17511 "9: lea 0(%%eax,%0,4),%0\n"
17512 @@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
17514 __asm__ __volatile__(
17516 - "0: movl 32(%4), %%eax\n"
17517 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
17520 - "1: movl 64(%4), %%eax\n"
17521 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
17523 - "2: movl 0(%4), %%eax\n"
17524 - "21: movl 4(%4), %%edx\n"
17525 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
17526 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
17527 " movnti %%eax, 0(%3)\n"
17528 " movnti %%edx, 4(%3)\n"
17529 - "3: movl 8(%4), %%eax\n"
17530 - "31: movl 12(%4),%%edx\n"
17531 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
17532 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
17533 " movnti %%eax, 8(%3)\n"
17534 " movnti %%edx, 12(%3)\n"
17535 - "4: movl 16(%4), %%eax\n"
17536 - "41: movl 20(%4), %%edx\n"
17537 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
17538 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
17539 " movnti %%eax, 16(%3)\n"
17540 " movnti %%edx, 20(%3)\n"
17541 - "10: movl 24(%4), %%eax\n"
17542 - "51: movl 28(%4), %%edx\n"
17543 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
17544 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
17545 " movnti %%eax, 24(%3)\n"
17546 " movnti %%edx, 28(%3)\n"
17547 - "11: movl 32(%4), %%eax\n"
17548 - "61: movl 36(%4), %%edx\n"
17549 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
17550 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
17551 " movnti %%eax, 32(%3)\n"
17552 " movnti %%edx, 36(%3)\n"
17553 - "12: movl 40(%4), %%eax\n"
17554 - "71: movl 44(%4), %%edx\n"
17555 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
17556 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
17557 " movnti %%eax, 40(%3)\n"
17558 " movnti %%edx, 44(%3)\n"
17559 - "13: movl 48(%4), %%eax\n"
17560 - "81: movl 52(%4), %%edx\n"
17561 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
17562 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
17563 " movnti %%eax, 48(%3)\n"
17564 " movnti %%edx, 52(%3)\n"
17565 - "14: movl 56(%4), %%eax\n"
17566 - "91: movl 60(%4), %%edx\n"
17567 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
17568 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
17569 " movnti %%eax, 56(%3)\n"
17570 " movnti %%edx, 60(%3)\n"
17572 @@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
17574 " andl $3, %%eax\n"
17576 - "6: rep; movsl\n"
17577 + "6: rep; "__copyuser_seg" movsl\n"
17579 - "7: rep; movsb\n"
17580 + "7: rep; "__copyuser_seg" movsb\n"
17582 ".section .fixup,\"ax\"\n"
17583 "9: lea 0(%%eax,%0,4),%0\n"
17584 @@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
17586 __asm__ __volatile__(
17588 - "0: movl 32(%4), %%eax\n"
17589 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
17592 - "1: movl 64(%4), %%eax\n"
17593 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
17595 - "2: movl 0(%4), %%eax\n"
17596 - "21: movl 4(%4), %%edx\n"
17597 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
17598 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
17599 " movnti %%eax, 0(%3)\n"
17600 " movnti %%edx, 4(%3)\n"
17601 - "3: movl 8(%4), %%eax\n"
17602 - "31: movl 12(%4),%%edx\n"
17603 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
17604 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
17605 " movnti %%eax, 8(%3)\n"
17606 " movnti %%edx, 12(%3)\n"
17607 - "4: movl 16(%4), %%eax\n"
17608 - "41: movl 20(%4), %%edx\n"
17609 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
17610 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
17611 " movnti %%eax, 16(%3)\n"
17612 " movnti %%edx, 20(%3)\n"
17613 - "10: movl 24(%4), %%eax\n"
17614 - "51: movl 28(%4), %%edx\n"
17615 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
17616 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
17617 " movnti %%eax, 24(%3)\n"
17618 " movnti %%edx, 28(%3)\n"
17619 - "11: movl 32(%4), %%eax\n"
17620 - "61: movl 36(%4), %%edx\n"
17621 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
17622 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
17623 " movnti %%eax, 32(%3)\n"
17624 " movnti %%edx, 36(%3)\n"
17625 - "12: movl 40(%4), %%eax\n"
17626 - "71: movl 44(%4), %%edx\n"
17627 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
17628 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
17629 " movnti %%eax, 40(%3)\n"
17630 " movnti %%edx, 44(%3)\n"
17631 - "13: movl 48(%4), %%eax\n"
17632 - "81: movl 52(%4), %%edx\n"
17633 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
17634 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
17635 " movnti %%eax, 48(%3)\n"
17636 " movnti %%edx, 52(%3)\n"
17637 - "14: movl 56(%4), %%eax\n"
17638 - "91: movl 60(%4), %%edx\n"
17639 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
17640 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
17641 " movnti %%eax, 56(%3)\n"
17642 " movnti %%edx, 60(%3)\n"
17644 @@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
17646 " andl $3, %%eax\n"
17648 - "6: rep; movsl\n"
17649 + "6: rep; "__copyuser_seg" movsl\n"
17651 - "7: rep; movsb\n"
17652 + "7: rep; "__copyuser_seg" movsb\n"
17654 ".section .fixup,\"ax\"\n"
17655 "9: lea 0(%%eax,%0,4),%0\n"
17656 @@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
17658 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
17659 unsigned long size);
17660 -unsigned long __copy_user_intel(void __user *to, const void *from,
17661 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
17662 + unsigned long size);
17663 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
17664 unsigned long size);
17665 unsigned long __copy_user_zeroing_intel_nocache(void *to,
17666 const void __user *from, unsigned long size);
17667 #endif /* CONFIG_X86_INTEL_USERCOPY */
17669 /* Generic arbitrary sized copy. */
17670 -#define __copy_user(to, from, size) \
17671 +#define __copy_user(to, from, size, prefix, set, restore) \
17673 int __d0, __d1, __d2; \
17674 __asm__ __volatile__( \
17682 - "4: rep; movsb\n" \
17683 + "4: rep; "prefix"movsb\n" \
17687 " .align 2,0x90\n" \
17688 - "0: rep; movsl\n" \
17689 + "0: rep; "prefix"movsl\n" \
17691 - "1: rep; movsb\n" \
17692 + "1: rep; "prefix"movsb\n" \
17695 ".section .fixup,\"ax\"\n" \
17696 "5: addl %3,%0\n" \
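Review bot: The three new `__copy_user` macro parameters (`prefix`, `set`, `restore`) are explained nowhere in the hunk, and the `set`/`restore` uses fall on lines not shown here, so the "Generic arbitrary sized copy." comment above the macro should spell them out: `/* prefix: segment-override string (empty, or ending in a space) spliced in front of the string instructions; set/restore: statements executed before/after the copy (the to-user path passes __COPYUSER_SET_ES/__COPYUSER_RESTORE_ES) */`. The concatenation `"prefix"movsb` has no separator, so any non-empty `prefix` must end in a space, which that comment should state because the call sites in `@@ -775,9 +892,9 @@` and `@@ -797,10 +914,9 @@` pass `""` and `__copyuser_seg` respectively. The asymmetry at those call sites (to-user passes the %es set/restore with an empty prefix, from-user passes the prefix with empty set/restore) is presumably deliberate under UDEREF and deserves a one-line comment at each call.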
17698 @@ -682,14 +799,14 @@ do { \
17702 - "4: rep; movsb\n" \
17703 + "4: rep; "__copyuser_seg"movsb\n" \
17707 " .align 2,0x90\n" \
17708 - "0: rep; movsl\n" \
17709 + "0: rep; "__copyuser_seg"movsl\n" \
17711 - "1: rep; movsb\n" \
17712 + "1: rep; "__copyuser_seg"movsb\n" \
17714 ".section .fixup,\"ax\"\n" \
17715 "5: addl %3,%0\n" \
17716 @@ -775,9 +892,9 @@ survive:
17719 if (movsl_is_ok(to, from, n))
17720 - __copy_user(to, from, n);
17721 + __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
17723 - n = __copy_user_intel(to, from, n);
17724 + n = __generic_copy_to_user_intel(to, from, n);
17727 EXPORT_SYMBOL(__copy_to_user_ll);
17728 @@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
17731 if (movsl_is_ok(to, from, n))
17732 - __copy_user(to, from, n);
17733 + __copy_user(to, from, n, __copyuser_seg, "", "");
17735 - n = __copy_user_intel((void __user *)to,
17736 - (const void *)from, n);
17737 + n = __generic_copy_from_user_intel(to, from, n);
17740 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
17741 @@ -827,65 +943,49 @@ unsigned long __copy_from_user_ll_nocach
17742 if (n > 64 && cpu_has_xmm2)
17743 n = __copy_user_intel_nocache(to, from, n);
17745 - __copy_user(to, from, n);
17746 + __copy_user(to, from, n, __copyuser_seg, "", "");
17748 - __copy_user(to, from, n);
17749 + __copy_user(to, from, n, __copyuser_seg, "", "");
17753 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
17756 - * copy_to_user: - Copy a block of data into user space.
17757 - * @to: Destination address, in user space.
17758 - * @from: Source address, in kernel space.
17759 - * @n: Number of bytes to copy.
17761 - * Context: User context only. This function may sleep.
17763 - * Copy data from kernel space to user space.
17765 - * Returns number of bytes that could not be copied.
17766 - * On success, this will be zero.
17769 -copy_to_user(void __user *to, const void *from, unsigned long n)
17770 +void copy_from_user_overflow(void)
17772 - if (access_ok(VERIFY_WRITE, to, n))
17773 - n = __copy_to_user(to, from, n);
17775 + WARN(1, "Buffer overflow detected!\n");
17777 -EXPORT_SYMBOL(copy_to_user);
17778 +EXPORT_SYMBOL(copy_from_user_overflow);
17781 - * copy_from_user: - Copy a block of data from user space.
17782 - * @to: Destination address, in kernel space.
17783 - * @from: Source address, in user space.
17784 - * @n: Number of bytes to copy.
17786 - * Context: User context only. This function may sleep.
17788 - * Copy data from user space to kernel space.
17790 - * Returns number of bytes that could not be copied.
17791 - * On success, this will be zero.
17793 - * If some data could not be copied, this function will pad the copied
17794 - * data to the requested size using zero bytes.
17797 -_copy_from_user(void *to, const void __user *from, unsigned long n)
17798 +void copy_to_user_overflow(void)
17800 - if (access_ok(VERIFY_READ, from, n))
17801 - n = __copy_from_user(to, from, n);
17803 - memset(to, 0, n);
17805 + WARN(1, "Buffer overflow detected!\n");
17807 -EXPORT_SYMBOL(_copy_from_user);
17808 +EXPORT_SYMBOL(copy_to_user_overflow);
17810 -void copy_from_user_overflow(void)
17811 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17812 +void __set_fs(mm_segment_t x)
17814 - WARN(1, "Buffer overflow detected!\n");
17817 + loadsegment(gs, 0);
17819 + case TASK_SIZE_MAX:
17820 + loadsegment(gs, __USER_DS);
17823 + loadsegment(gs, __KERNEL_DS);
17830 -EXPORT_SYMBOL(copy_from_user_overflow);
17832 +void set_fs(mm_segment_t x)
17834 + current_thread_info()->addr_limit = x;
17837 +EXPORT_SYMBOL(set_fs);
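Review bot: `__set_fs()` reloads %gs according to the new address limit (`loadsegment(gs, 0)`, `__USER_DS` for `TASK_SIZE_MAX`, `__KERNEL_DS`) with no comment, and its relationship to the `__copyuser_seg` prefix used by the copy routines above is left implicit; a header comment such as `/* UDEREF: the user-access segment override resolves through %gs, so load the selector that matches the new address limit */` would make it readable, assuming the prefix does resolve through %gs, which the hunk itself does not show. The kerneldoc removed together with `copy_to_user()` and `_copy_from_user()` should travel with their new definitions if they were moved into a header; if they were simply dropped, the removed `EXPORT_SYMBOL`s break out-of-tree callers. Most of the switch's case labels and the body of `set_fs()` sit on lines not shown here.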
17839 diff -urNp linux-2.6.38.4/arch/x86/lib/usercopy_64.c linux-2.6.38.4/arch/x86/lib/usercopy_64.c
17840 --- linux-2.6.38.4/arch/x86/lib/usercopy_64.c 2011-03-14 21:20:32.000000000 -0400
17841 +++ linux-2.6.38.4/arch/x86/lib/usercopy_64.c 2011-04-17 15:57:32.000000000 -0400
17842 @@ -42,6 +42,8 @@ long
17843 __strncpy_from_user(char *dst, const char __user *src, long count)
17846 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
17847 + src += PAX_USER_SHADOW_BASE;
17848 __do_strncpy_from_user(dst, src, count, res);
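Review bot: The two-line shadow adjustment `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is repeated verbatim in this hunk, in `@@ -65,6 +67,8 @@` for `addr`, and twice in `@@ -151,10 +155,14 @@` for `to` and `from`; one documented helper, e.g. `static inline unsigned long pax_user_shadow(unsigned long p) { return p < PAX_USER_SHADOW_BASE ? p + PAX_USER_SHADOW_BASE : p; }`, keeps the four sites from drifting. In `copy_in_user()` the adjustment correctly follows `access_ok()`, which must see the caller's original pointer, while `__strncpy_from_user()` and `__clear_user()` are the unchecked variants whose callers run `access_ok()` on the original pointer; the helper's comment should state that the shift is applied only after range checking. The `-`/`+` pair at the top of the `copy_in_user` hunk is textually identical here, presumably a whitespace-only change.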
17851 @@ -65,6 +67,8 @@ unsigned long __clear_user(void __user *
17855 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
17856 + addr += PAX_USER_SHADOW_BASE;
17857 /* no memory constraint because it doesn't change any memory gcc knows
17860 @@ -151,10 +155,14 @@ EXPORT_SYMBOL(strlen_user);
17862 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
17864 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17865 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17866 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
17867 + to += PAX_USER_SHADOW_BASE;
17868 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
17869 + from += PAX_USER_SHADOW_BASE;
17870 return copy_user_generic((__force void *)to, (__force void *)from, len);
17876 EXPORT_SYMBOL(copy_in_user);
17878 diff -urNp linux-2.6.38.4/arch/x86/Makefile linux-2.6.38.4/arch/x86/Makefile
17879 --- linux-2.6.38.4/arch/x86/Makefile 2011-03-14 21:20:32.000000000 -0400
17880 +++ linux-2.6.38.4/arch/x86/Makefile 2011-04-17 15:57:32.000000000 -0400
17881 @@ -195,3 +195,12 @@ define archhelp
17882 echo ' FDARGS="..." arguments for the booted kernel'
17883 echo ' FDINITRD=file initrd for the booted kernel'
17888 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
17889 +*** Please upgrade your binutils to 2.18 or newer
17893 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
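Review bot: The binutils requirement stated in the `OLD_LD` message ("2.18 or newer") is enforced by probing `LDFLAGS_BUILD_ID` rather than a linker version, and nothing explains the link; a comment on the `$(if …)` line such as `# LDFLAGS_BUILD_ID is only set when ld supports --build-id, used here as the marker for binutils >= 2.18` would stop a later reader from tightening or loosening the wrong check. Whether `--build-id` support is an exact marker for 2.18 is inferred from the message, not shown here.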
17894 diff -urNp linux-2.6.38.4/arch/x86/mm/extable.c linux-2.6.38.4/arch/x86/mm/extable.c
17895 --- linux-2.6.38.4/arch/x86/mm/extable.c 2011-03-14 21:20:32.000000000 -0400
17896 +++ linux-2.6.38.4/arch/x86/mm/extable.c 2011-04-17 15:57:32.000000000 -0400
17898 #include <linux/module.h>
17899 #include <linux/spinlock.h>
17900 +#include <linux/sort.h>
17901 #include <asm/uaccess.h>
17902 +#include <asm/pgtable.h>
17905 + * The exception table needs to be sorted so that the binary
17906 + * search that we use to find entries in it works properly.
17907 + * This is used both for the kernel exception table and for
17908 + * the exception tables of modules that get loaded.
17910 +static int cmp_ex(const void *a, const void *b)
17912 + const struct exception_table_entry *x = a, *y = b;
17914 + /* avoid overflow */
17915 + if (x->insn > y->insn)
17917 + if (x->insn < y->insn)
17922 +static void swap_ex(void *a, void *b, int size)
17924 + struct exception_table_entry t, *x = a, *y = b;
17928 + pax_open_kernel();
17931 + pax_close_kernel();
17934 +void sort_extable(struct exception_table_entry *start,
17935 + struct exception_table_entry *finish)
17937 + sort(start, finish - start, sizeof(struct exception_table_entry),
17938 + cmp_ex, swap_ex);
17941 +#ifdef CONFIG_MODULES
17943 + * If the exception table is sorted, any referring to the module init
17944 + * will be at the beginning or the end.
17946 +void trim_init_extable(struct module *m)
17948 + /*trim the beginning*/
17949 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
17951 + m->num_exentries--;
17954 + while (m->num_exentries &&
17955 + within_module_init(m->extable[m->num_exentries-1].insn, m))
17956 + m->num_exentries--;
17958 +#endif /* CONFIG_MODULES */
17960 int fixup_exception(struct pt_regs *regs)
17962 const struct exception_table_entry *fixup;
17964 #ifdef CONFIG_PNPBIOS
17965 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
17966 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
17967 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
17968 extern u32 pnp_bios_is_utter_crap;
17969 pnp_bios_is_utter_crap = 1;
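Review bot: `swap_ex()` wraps the element swap in `pax_open_kernel()`/`pax_close_kernel()` without saying why a sort callback needs a kernel write window; a one-liner such as `/* exception tables are read-only under KERNEXEC; open a write window just for the swap */` records the reason, with the read-only property being inferred from those calls rather than shown. If `sort_extable()` and `trim_init_extable()` duplicate the generic `lib/extable.c` implementations, a comment should say the arch copy exists only for that write window so the two stay in sync when the generic one changes. Since the comparator and swap are fixed to `struct exception_table_entry` (the `t` temporary), the `int size` argument of `swap_ex()` is presumably ignored, which is worth a word. Several lines of `cmp_ex()`, `swap_ex()` and the init-trimming loop are not shown here.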
17970 diff -urNp linux-2.6.38.4/arch/x86/mm/fault.c linux-2.6.38.4/arch/x86/mm/fault.c
17971 --- linux-2.6.38.4/arch/x86/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
17972 +++ linux-2.6.38.4/arch/x86/mm/fault.c 2011-04-17 15:57:32.000000000 -0400
17973 @@ -12,10 +12,18 @@
17974 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
17975 #include <linux/perf_event.h> /* perf_sw_event */
17976 #include <linux/hugetlb.h> /* hstate_index_to_shift */
17977 +#include <linux/unistd.h>
17978 +#include <linux/compiler.h>
17980 #include <asm/traps.h> /* dotraplinkage, ... */
17981 #include <asm/pgalloc.h> /* pgd_*(), ... */
17982 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
17983 +#include <asm/vsyscall.h>
17984 +#include <asm/tlbflush.h>
17986 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17987 +#include <asm/stacktrace.h>
17991 * Page fault error code bits:
17992 @@ -53,7 +61,7 @@ static inline int __kprobes notify_page_
17995 /* kprobe_running() needs smp_processor_id() */
17996 - if (kprobes_built_in() && !user_mode_vm(regs)) {
17997 + if (kprobes_built_in() && !user_mode(regs)) {
17999 if (kprobe_running() && kprobe_fault_handler(regs, 14))
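Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` changes the 32-bit semantics unless this series also redefines `user_mode()` to cover vm86 mode: upstream `user_mode_vm()` additionally tests the VM flag in `regs->flags` so that a fault from a vm86 task counts as a user fault, which `user_mode()` alone does not. The same substitution appears in `@@ -1032,7 +1282,7 @@`, where it decides whether `PF_USER` is set; if `user_mode()` is not redefined elsewhere in the patch, both sites should stay `user_mode_vm()`. The body of `notify_page_fault()` starts outside the hunk.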
18001 @@ -114,7 +122,10 @@ check_prefetch_opcode(struct pt_regs *re
18002 return !instr_lo || (instr_lo>>1) == 1;
18004 /* Prefetch instruction is 0x0F0D or 0x0F18 */
18005 - if (probe_kernel_address(instr, opcode))
18006 + if (user_mode(regs)) {
18007 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
18009 + } else if (probe_kernel_address(instr, opcode))
18012 *prefetch = (instr_lo == 0xF) &&
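Review bot: The user-mode/kernel-mode opcode fetch added here is duplicated in `@@ -148,7 +159,10 @@` (`is_prefetch()`), including the `(__force unsigned char __user *)(instr)` cast; a small static helper keeps the two paths from diverging and gives the cast one home. The helper below assumes `probe_kernel_address()` accepts an lvalue as its second argument, as the existing calls use it. `check_prefetch_opcode()` and `is_prefetch()` both start and end outside their hunks.
```c
/* Fetch one opcode byte at instr, via the user-safe accessor when the fault came from user mode. Returns nonzero on failure. */
static int fetch_opcode_byte(struct pt_regs *regs, unsigned char *instr, unsigned char *opcode)
{
	if (user_mode(regs))
		return __copy_from_user_inatomic(opcode, (__force unsigned char __user *)instr, 1) != 0;
	return probe_kernel_address(instr, *opcode) != 0;
}
/* … call sites in check_prefetch_opcode() and is_prefetch(): if (fetch_opcode_byte(regs, instr, &opcode)) … */
```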
18013 @@ -148,7 +159,10 @@ is_prefetch(struct pt_regs *regs, unsign
18014 while (instr < max_instr) {
18015 unsigned char opcode;
18017 - if (probe_kernel_address(instr, opcode))
18018 + if (user_mode(regs)) {
18019 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
18021 + } else if (probe_kernel_address(instr, opcode))
18025 @@ -179,6 +193,30 @@ force_sig_info_fault(int si_signo, int s
18026 force_sig_info(si_signo, &info, tsk);
18029 +#ifdef CONFIG_PAX_EMUTRAMP
18030 +static int pax_handle_fetch_fault(struct pt_regs *regs);
18033 +#ifdef CONFIG_PAX_PAGEEXEC
18034 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
18040 + pgd = pgd_offset(mm, address);
18041 + if (!pgd_present(*pgd))
18043 + pud = pud_offset(pgd, address);
18044 + if (!pud_present(*pud))
18046 + pmd = pmd_offset(pud, address);
18047 + if (!pmd_present(*pmd))
18053 DEFINE_SPINLOCK(pgd_lock);
18054 LIST_HEAD(pgd_list);
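Review bot: `pax_get_pmd()` walks `pgd_offset()`/`pud_offset()`/`pmd_offset()` and bails at each `!*_present()` test without saying what it returns on that path (the return lines are not shown; the caller's `if (unlikely(!pmd))` in `pax_handle_pageexec_fault()` suggests NULL); a comment above it, `/* Walk mm's page tables for address; returns the pmd when every upper level is present, NULL otherwise */`, fixes that contract. Style: `static inline pmd_t * pax_get_pmd(` should bind the `*` to the name, `static inline pmd_t *pax_get_pmd(`, as the rest of the file does. The forward declaration of `pax_handle_fetch_fault()` under `CONFIG_PAX_EMUTRAMP` has its definition at the end of the file, outside this hunk.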
18056 @@ -229,10 +267,22 @@ void vmalloc_sync_all(void)
18057 for (address = VMALLOC_START & PMD_MASK;
18058 address >= TASK_SIZE && address < FIXADDR_TOP;
18059 address += PMD_SIZE) {
18061 +#ifdef CONFIG_PAX_PER_CPU_PGD
18062 + unsigned long cpu;
18067 spin_lock(&pgd_lock);
18069 +#ifdef CONFIG_PAX_PER_CPU_PGD
18070 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
18071 + pgd_t *pgd = get_cpu_pgd(cpu);
18074 list_for_each_entry(page, &pgd_list, lru) {
18075 + pgd_t *pgd = page_address(page);
18076 spinlock_t *pgt_lock;
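Review bot: The per-CPU PGD loop `for (cpu = 0; cpu < NR_CPUS; ++cpu)` visits every compile-time CPU slot rather than the CPUs that can exist; unless `get_cpu_pgd()` is meaningful for absent CPUs (its definition is not shown), `for_each_possible_cpu(cpu)` is the idiom and avoids syncing page tables that are never used. The two `pgd_t *pgd` declarations — from `get_cpu_pgd(cpu)` under `CONFIG_PAX_PER_CPU_PGD` and from `page_address(page)` in the `pgd_list` walk — feed the same `vmalloc_sync_one(pgd, address)` call in the next hunk, so a comment naming which loop is active under which config would help, since the `#else`/`#endif` structure sits on lines not shown. `vmalloc_sync_all()` continues past the hunk.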
18079 @@ -240,8 +290,13 @@ void vmalloc_sync_all(void)
18080 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
18082 spin_lock(pgt_lock);
18083 - ret = vmalloc_sync_one(page_address(page), address);
18086 + ret = vmalloc_sync_one(pgd, address);
18088 +#ifndef CONFIG_PAX_PER_CPU_PGD
18089 spin_unlock(pgt_lock);
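Review bot: `spin_unlock(pgt_lock)` is now inside `#ifndef CONFIG_PAX_PER_CPU_PGD` while its `spin_lock(pgt_lock)` at 18082 belongs to a different conditional opened in the previous hunk (presumably the `#else` branch of the `#ifdef CONFIG_PAX_PER_CPU_PGD` there), so lock balance can only be verified by reading two preprocessor blocks fifteen lines apart. Either keep lock and unlock inside one conditional block, or annotate the unlock with `/* pgt_lock is only taken in the !CONFIG_PAX_PER_CPU_PGD branch above */`; if the lock is in fact unconditional on the omitted lines, the per-CPU-PGD build would take `page_table_lock` and never release it. `vmalloc_sync_all()` starts and ends outside this hunk.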
18094 @@ -275,6 +330,11 @@ static noinline __kprobes int vmalloc_fa
18095 * an interrupt in the middle of a task switch..
18097 pgd_paddr = read_cr3();
18099 +#ifdef CONFIG_PAX_PER_CPU_PGD
18100 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
18103 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
18106 @@ -370,7 +430,14 @@ static noinline __kprobes int vmalloc_fa
18107 * happen within a race in page table update. In the later
18111 +#ifdef CONFIG_PAX_PER_CPU_PGD
18112 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
18113 + pgd = pgd_offset_cpu(smp_processor_id(), address);
18115 pgd = pgd_offset(current->active_mm, address);
18118 pgd_ref = pgd_offset_k(address);
18119 if (pgd_none(*pgd_ref))
18121 @@ -532,7 +599,7 @@ static int is_errata93(struct pt_regs *r
18122 static int is_errata100(struct pt_regs *regs, unsigned long address)
18124 #ifdef CONFIG_X86_64
18125 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
18126 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
18130 @@ -559,7 +626,7 @@ static int is_f00f_bug(struct pt_regs *r
18133 static const char nx_warning[] = KERN_CRIT
18134 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
18135 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
18138 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
18139 @@ -568,15 +635,26 @@ show_fault_oops(struct pt_regs *regs, un
18140 if (!oops_may_print())
18143 - if (error_code & PF_INSTR) {
18144 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
18145 unsigned int level;
18147 pte_t *pte = lookup_address(address, &level);
18149 if (pte && pte_present(*pte) && !pte_exec(*pte))
18150 - printk(nx_warning, current_uid());
18151 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
18154 +#ifdef CONFIG_PAX_KERNEXEC
18155 + if (init_mm.start_code <= address && address < init_mm.end_code) {
18156 + if (current->signal->curr_ip)
18157 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
18158 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
18160 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
18161 + current->comm, task_pid_nr(current), current_uid(), current_euid());
18165 printk(KERN_ALERT "BUG: unable to handle kernel ");
18166 if (address < PAGE_SIZE)
18167 printk(KERN_CONT "NULL pointer dereference");
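Review bot: The KERNEXEC report prints "attempted to modify kernel code" for any fault whose address lies in `[init_mm.start_code, init_mm.end_code)`, but no `PF_WRITE` test appears in the condition at 18155, so a read fault on kernel text would be reported as a modification attempt unless a write check sits on the omitted lines 18152–18153; `if ((error_code & PF_WRITE) && init_mm.start_code <= address && address < init_mm.end_code)` makes the message match the event. The `¤t->signal->curr_ip` argument is presumably `&current->signal->curr_ip` mangled by HTML entity decoding in this rendering rather than a typo in the patch. Adding `comm` and pid to `nx_warning` is useful for triage; `current->comm` is task-chosen text, so log consumers should treat it as untrusted. `show_fault_oops()` continues outside the hunk.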
18168 @@ -701,6 +779,68 @@ __bad_area_nosemaphore(struct pt_regs *r
18169 unsigned long address, int si_code)
18171 struct task_struct *tsk = current;
18172 + struct mm_struct *mm = tsk->mm;
18174 +#ifdef CONFIG_X86_64
18175 + if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
18176 + if (regs->ip == (unsigned long)vgettimeofday) {
18177 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
18179 + } else if (regs->ip == (unsigned long)vtime) {
18180 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
18182 + } else if (regs->ip == (unsigned long)vgetcpu) {
18183 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
18189 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18190 + if (mm && (error_code & PF_USER)) {
18191 + unsigned long ip = regs->ip;
18193 + if (v8086_mode(regs))
18194 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
18197 + * It's possible to have interrupts off here:
18199 + local_irq_enable();
18201 +#ifdef CONFIG_PAX_PAGEEXEC
18202 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
18203 + (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
18205 +#ifdef CONFIG_PAX_EMUTRAMP
18206 + switch (pax_handle_fetch_fault(regs)) {
18212 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
18213 + do_group_exit(SIGKILL);
18217 +#ifdef CONFIG_PAX_SEGMEXEC
18218 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
18220 +#ifdef CONFIG_PAX_EMUTRAMP
18221 + switch (pax_handle_fetch_fault(regs)) {
18227 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
18228 + do_group_exit(SIGKILL);
18235 /* User mode accesses just cause a SIGSEGV */
18236 if (error_code & PF_USER) {
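Review bot: The vsyscall redirection at 18175–18183 matches `regs->ip` only against the exact entry addresses of `vgettimeofday`, `vtime` and `vgetcpu`; an instruction fetch anywhere else in that range, or a task with `mm->context.vdso` unset, falls through to the ordinary SIGSEGV path, which looks intentional but is undocumented. A comment such as `/* x86_64: redirect the three legacy fixed-address vsyscall entry points to their vDSO fallbacks on an instruction-fetch fault; anything else is a genuine fault */` records that, with the non-executable-page premise being inferred from the `PF_INSTR` test rather than shown. `__bad_area_nosemaphore()` continues outside the hunk.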
18237 @@ -855,6 +995,99 @@ static int spurious_fault_check(unsigned
18241 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
18242 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
18247 + unsigned char pte_mask;
18249 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
18250 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
18253 + /* PaX: it's our fault, let's handle it if we can */
18255 + /* PaX: take a look at read faults before acquiring any locks */
18256 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
18257 + /* instruction fetch attempt from a protected page in user mode */
18258 + up_read(&mm->mmap_sem);
18260 +#ifdef CONFIG_PAX_EMUTRAMP
18261 + switch (pax_handle_fetch_fault(regs)) {
18267 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
18268 + do_group_exit(SIGKILL);
18271 + pmd = pax_get_pmd(mm, address);
18272 + if (unlikely(!pmd))
18275 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
18276 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
18277 + pte_unmap_unlock(pte, ptl);
18281 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
18282 + /* write attempt to a protected page in user mode */
18283 + pte_unmap_unlock(pte, ptl);
18288 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
18290 + if (likely(address > get_limit(regs->cs)))
18293 + set_pte(pte, pte_mkread(*pte));
18294 + __flush_tlb_one(address);
18295 + pte_unmap_unlock(pte, ptl);
18296 + up_read(&mm->mmap_sem);
18300 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
18303 + * PaX: fill DTLB with user rights and retry
18305 + __asm__ __volatile__ (
18307 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
18309 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
18310 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
18311 + * page fault when examined during a TLB load attempt. this is true not only
18312 + * for PTEs holding a non-present entry but also present entries that will
18313 + * raise a page fault (such as those set up by PaX, or the copy-on-write
18314 + * mechanism). in effect it means that we do *not* need to flush the TLBs
18315 + * for our target pages since their PTEs are simply not in the TLBs at all.
18317 + * the best thing in omitting it is that we gain around 15-20% speed in the
18318 + * fast path of the page fault handler and can get rid of tracing since we
18319 + * can no longer flush unintended entries.
18323 + __copyuser_seg"testb $0,(%0)\n"
18326 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
18327 + : "memory", "cc");
18328 + pte_unmap_unlock(pte, ptl);
18329 + up_read(&mm->mmap_sem);
18335 * Handle a spurious fault caused by a stale TLB entry.
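Review bot: `pax_handle_pageexec_fault()` releases `mm->mmap_sem` itself (`up_read()` at 18258, 18296 and 18329) and the caller in `@@ -1087,6 +1337,11 @@` branches on its return value, yet neither the return values nor the locking contract are documented, and the early-return lines are not shown here; a header comment stating `/* Called with mm->mmap_sem held for read. Returns nonzero when the fault was handled (or the task killed) and mmap_sem has been released; returns 0 with mmap_sem still held so the normal path continues */` is needed by anyone touching the caller. The comment at 18309 says "let this uncommented 'invlpg' remind us" while describing an instruction deliberately left out, so "commented-out" (or "omitted") is what is meant. `cpu_isset()` at 18288 is the older cpumask API; `cpumask_test_cpu()` is the current spelling, if the file already uses it elsewhere.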
18337 @@ -927,6 +1160,9 @@ int show_unhandled_signals = 1;
18339 access_error(unsigned long error_code, struct vm_area_struct *vma)
18341 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
18344 if (error_code & PF_WRITE) {
18345 /* write, present and write, not present: */
18346 if (unlikely(!(vma->vm_flags & VM_WRITE)))
18347 @@ -960,19 +1196,33 @@ do_page_fault(struct pt_regs *regs, unsi
18349 struct vm_area_struct *vma;
18350 struct task_struct *tsk;
18351 - unsigned long address;
18352 struct mm_struct *mm;
18354 int write = error_code & PF_WRITE;
18355 unsigned int flags = FAULT_FLAG_ALLOW_RETRY |
18356 (write ? FAULT_FLAG_WRITE : 0);
18358 + /* Get the faulting address: */
18359 + unsigned long address = read_cr2();
18361 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18362 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
18363 + if (!search_exception_tables(regs->ip)) {
18364 + bad_area_nosemaphore(regs, error_code, address);
18367 + if (address < PAX_USER_SHADOW_BASE) {
18368 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
18369 + printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
18370 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, KERN_ERR);
18372 + address -= PAX_USER_SHADOW_BASE;
18379 - /* Get the faulting address: */
18380 - address = read_cr2();
18383 * Detect and handle instructions that would cause a page fault for
18384 * both a tracked kernel page and a userspace page.
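Review bot: After the UDEREF block does `address -= PAX_USER_SHADOW_BASE`, the rest of `do_page_fault()` (`find_vma()`, the stack checks, `handle_mm_fault()`) works on the un-shadowed address while `regs` and `read_cr2()` still reflect the one that faulted; a comment on that line, `/* from here on address is the user address the kernel accessor targeted, not the shadow alias that faulted */`, saves the next reader from re-deriving it, assuming the shadow range is an alias of user space as the `+= PAX_USER_SHADOW_BASE` adjustments in usercopy_64.c suggest. The early `bad_area_nosemaphore()` for a kernel-mode fault below `2 * PAX_USER_SHADOW_BASE` with no exception-table entry is the appropriate failure for a stray kernel dereference of user memory; its `return` is on an omitted line. Moving the `address` declaration down to its initializer is fine. `do_page_fault()` continues outside the hunk.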
18385 @@ -1032,7 +1282,7 @@ do_page_fault(struct pt_regs *regs, unsi
18386 * User-mode registers count as a user access even for any
18387 * potential system fault or CPU buglet:
18389 - if (user_mode_vm(regs)) {
18390 + if (user_mode(regs)) {
18391 local_irq_enable();
18392 error_code |= PF_USER;
18394 @@ -1087,6 +1337,11 @@ retry:
18398 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
18399 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
18403 vma = find_vma(mm, address);
18404 if (unlikely(!vma)) {
18405 bad_area(regs, error_code, address);
18406 @@ -1098,18 +1353,24 @@ retry:
18407 bad_area(regs, error_code, address);
18410 - if (error_code & PF_USER) {
18412 - * Accessing the stack below %sp is always a bug.
18413 - * The large cushion allows instructions like enter
18414 - * and pusha to work. ("enter $65535, $31" pushes
18415 - * 32 pointers and then decrements %sp by 65535.)
18417 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
18418 - bad_area(regs, error_code, address);
18422 + * Accessing the stack below %sp is always a bug.
18423 + * The large cushion allows instructions like enter
18424 + * and pusha to work. ("enter $65535, $31" pushes
18425 + * 32 pointers and then decrements %sp by 65535.)
18427 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
18428 + bad_area(regs, error_code, address);
18432 +#ifdef CONFIG_PAX_SEGMEXEC
18433 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
18434 + bad_area(regs, error_code, address);
18439 if (unlikely(expand_stack(vma, address))) {
18440 bad_area(regs, error_code, address);
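Review bot: The below-%sp cushion check now runs for every fault, not only `PF_USER` ones, and compares against `task_pt_regs(tsk)->sp` instead of `regs->sp`; that extends the check to kernel-mode accesses to the user stack (for example from copy_to_user) using the task's saved user sp, which looks intentional but should be stated, e.g. by adding `Kernel-mode accesses on behalf of the task are checked against its saved user sp.` to the comment block at 18422. The SEGMEXEC test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` relies on unsigned wraparound to express a range condition; a comment naming the range it rejects would help. `do_page_fault()` continues on both sides of the hunk.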
18442 @@ -1164,3 +1425,199 @@ good_area:
18444 up_read(&mm->mmap_sem);
18447 +#ifdef CONFIG_PAX_EMUTRAMP
18448 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
18452 + do { /* PaX: gcc trampoline emulation #1 */
18453 + unsigned char mov1, mov2;
18454 + unsigned short jmp;
18455 + unsigned int addr1, addr2;
18457 +#ifdef CONFIG_X86_64
18458 + if ((regs->ip + 11) >> 32)
18462 + err = get_user(mov1, (unsigned char __user *)regs->ip);
18463 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
18464 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
18465 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
18466 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
18471 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
18472 + regs->cx = addr1;
18473 + regs->ax = addr2;
18474 + regs->ip = addr2;
18479 + do { /* PaX: gcc trampoline emulation #2 */
18480 + unsigned char mov, jmp;
18481 + unsigned int addr1, addr2;
18483 +#ifdef CONFIG_X86_64
18484 + if ((regs->ip + 9) >> 32)
18488 + err = get_user(mov, (unsigned char __user *)regs->ip);
18489 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
18490 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
18491 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
18496 + if (mov == 0xB9 && jmp == 0xE9) {
18497 + regs->cx = addr1;
18498 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
18503 + return 1; /* PaX in action */
18506 +#ifdef CONFIG_X86_64
18507 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
18511 + do { /* PaX: gcc trampoline emulation #1 */
18512 + unsigned short mov1, mov2, jmp1;
18513 + unsigned char jmp2;
18514 + unsigned int addr1;
18515 + unsigned long addr2;
18517 + err = get_user(mov1, (unsigned short __user *)regs->ip);
18518 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
18519 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
18520 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
18521 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
18522 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
18527 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
18528 + regs->r11 = addr1;
18529 + regs->r10 = addr2;
18530 + regs->ip = addr1;
18535 + do { /* PaX: gcc trampoline emulation #2 */
18536 + unsigned short mov1, mov2, jmp1;
18537 + unsigned char jmp2;
18538 + unsigned long addr1, addr2;
18540 + err = get_user(mov1, (unsigned short __user *)regs->ip);
18541 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
18542 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
18543 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
18544 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
18545 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
18550 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
18551 + regs->r11 = addr1;
18552 + regs->r10 = addr2;
18553 + regs->ip = addr1;
18558 + return 1; /* PaX in action */
18563 + * PaX: decide what to do with offenders (regs->ip = fault address)
18565 + * returns 1 when task should be killed
18566 + * 2 when gcc trampoline was detected
18568 +static int pax_handle_fetch_fault(struct pt_regs *regs)
18570 + if (v8086_mode(regs))
18573 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
18576 +#ifdef CONFIG_X86_32
18577 + return pax_handle_fetch_fault_32(regs);
18579 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
18580 + return pax_handle_fetch_fault_32(regs);
18582 + return pax_handle_fetch_fault_64(regs);
18587 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18588 +void pax_report_insns(void *pc, void *sp)
18592 + printk(KERN_ERR "PAX: bytes at PC: ");
18593 + for (i = 0; i < 20; i++) {
18595 + if (get_user(c, (__force unsigned char __user *)pc+i))
18596 + printk(KERN_CONT "?? ");
18598 + printk(KERN_CONT "%02x ", c);
18602 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
18603 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
18605 + if (get_user(c, (__force unsigned long __user *)sp+i))
18606 +#ifdef CONFIG_X86_32
18607 + printk(KERN_CONT "???????? ");
18609 + printk(KERN_CONT "???????????????? ");
18612 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
18619 + * probe_kernel_write(): safely attempt to write to a location
18620 + * @dst: address to write to
18621 + * @src: pointer to the data that shall be written
18622 + * @size: size of the data chunk
18624 + * Safely write to address @dst from the buffer at @src. If a kernel fault
18625 + * happens, handle that and return -EFAULT.
18627 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
18630 + mm_segment_t old_fs = get_fs();
18632 + set_fs(KERNEL_DS);
18633 + pagefault_disable();
18634 + pax_open_kernel();
18635 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
18636 + pax_close_kernel();
18637 + pagefault_enable();
18640 + return ret ? -EFAULT : 0;
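Review bot: The fall-through exits `return 1; /* PaX in action */` in pax_handle_fetch_fault_32 and pax_handle_fetch_fault_64 are the no-match paths, yet the comment reads as if emulation succeeded, while the header comment on pax_handle_fetch_fault defines 1 as "kill the task" and 2 as "trampoline detected". Suggest `return 1; /* no known gcc trampoline at regs->ip: caller kills the task */` at both sites, plus a one-line comment on the `(regs->ip + 11) >> 32` and `(regs->ip + 9) >> 32` guards saying they keep the decode window inside the 32-bit compat address space. In pax_report_insns the bare 20 and 80 would read better as named constants, since the "SP-%lu" header is already derived from sizeof(long). The caller of pax_handle_fetch_fault is outside this hunk, so whether these get_user() reads run with mmap_sem dropped (the `up_read(&mm->mmap_sem)` context line suggests so) cannot be confirmed here.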
18642 diff -urNp linux-2.6.38.4/arch/x86/mm/gup.c linux-2.6.38.4/arch/x86/mm/gup.c
18643 --- linux-2.6.38.4/arch/x86/mm/gup.c 2011-03-14 21:20:32.000000000 -0400
18644 +++ linux-2.6.38.4/arch/x86/mm/gup.c 2011-04-17 15:57:32.000000000 -0400
18645 @@ -263,7 +263,7 @@ int __get_user_pages_fast(unsigned long
18647 len = (unsigned long) nr_pages << PAGE_SHIFT;
18649 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
18650 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
18651 (void __user *)start, len)))
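Review bot: Replacing access_ok() with __access_ok() in __get_user_pages_fast is unexplained, and in a function that takes caller-supplied start/nr_pages a reader will see a checked range test swapped for a weaker-looking one. If the intent is to skip a wrapper-level check that this patch adds to access_ok(), or because the slow path re-validates the range, say so: `/* PaX: plain range check; the slow path repeats the full access_ok() */`. __get_user_pages_fast begins before this hunk.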
18654 diff -urNp linux-2.6.38.4/arch/x86/mm/highmem_32.c linux-2.6.38.4/arch/x86/mm/highmem_32.c
18655 --- linux-2.6.38.4/arch/x86/mm/highmem_32.c 2011-03-14 21:20:32.000000000 -0400
18656 +++ linux-2.6.38.4/arch/x86/mm/highmem_32.c 2011-04-17 15:57:32.000000000 -0400
18657 @@ -44,7 +44,10 @@ void *kmap_atomic_prot(struct page *page
18658 idx = type + KM_TYPE_NR*smp_processor_id();
18659 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
18660 BUG_ON(!pte_none(*(kmap_pte-idx)));
18662 + pax_open_kernel();
18663 set_pte(kmap_pte-idx, mk_pte(page, prot));
18664 + pax_close_kernel();
18666 return (void *)vaddr;
18668 diff -urNp linux-2.6.38.4/arch/x86/mm/hugetlbpage.c linux-2.6.38.4/arch/x86/mm/hugetlbpage.c
18669 --- linux-2.6.38.4/arch/x86/mm/hugetlbpage.c 2011-03-14 21:20:32.000000000 -0400
18670 +++ linux-2.6.38.4/arch/x86/mm/hugetlbpage.c 2011-04-17 15:57:32.000000000 -0400
18671 @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmappe
18672 struct hstate *h = hstate_file(file);
18673 struct mm_struct *mm = current->mm;
18674 struct vm_area_struct *vma;
18675 - unsigned long start_addr;
18676 + unsigned long start_addr, pax_task_size = TASK_SIZE;
18678 +#ifdef CONFIG_PAX_SEGMEXEC
18679 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18680 + pax_task_size = SEGMEXEC_TASK_SIZE;
18683 + pax_task_size -= PAGE_SIZE;
18685 if (len > mm->cached_hole_size) {
18686 - start_addr = mm->free_area_cache;
18687 + start_addr = mm->free_area_cache;
18689 - start_addr = TASK_UNMAPPED_BASE;
18690 - mm->cached_hole_size = 0;
18691 + start_addr = mm->mmap_base;
18692 + mm->cached_hole_size = 0;
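Review bot: `pax_task_size -= PAGE_SIZE;` in hugetlb_get_unmapped_area_bottomup silently reserves the top page of the (possibly SEGMEXEC-reduced) address space with no explanation; it presumably mirrors a guard page that the generic arch_get_unmapped_area applies, but that rationale is not visible in this hunk and should be stated, e.g. `/* keep the topmost page unmapped, as arch_get_unmapped_area() does -- confirm against mm/mmap.c */`. The same SEGMEXEC / `- PAGE_SIZE` computation is repeated verbatim in hugetlb_get_unmapped_area further down this file, so a small `static unsigned long pax_hugetlb_task_size(struct mm_struct *mm)` helper would keep the two from drifting apart. The function continues past this hunk.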
18696 @@ -280,26 +287,27 @@ full_search:
18698 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
18699 /* At this point: (!vma || addr < vma->vm_end). */
18700 - if (TASK_SIZE - len < addr) {
18701 + if (pax_task_size - len < addr) {
18703 * Start a new search - just in case we missed
18706 - if (start_addr != TASK_UNMAPPED_BASE) {
18707 - start_addr = TASK_UNMAPPED_BASE;
18708 + if (start_addr != mm->mmap_base) {
18709 + start_addr = mm->mmap_base;
18710 mm->cached_hole_size = 0;
18715 - if (!vma || addr + len <= vma->vm_start) {
18716 - mm->free_area_cache = addr + len;
18719 + if (check_heap_stack_gap(vma, addr, len))
18721 if (addr + mm->cached_hole_size < vma->vm_start)
18722 mm->cached_hole_size = vma->vm_start - addr;
18723 addr = ALIGN(vma->vm_end, huge_page_size(h));
18726 + mm->free_area_cache = addr + len;
18730 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
18731 @@ -308,10 +316,9 @@ static unsigned long hugetlb_get_unmappe
18733 struct hstate *h = hstate_file(file);
18734 struct mm_struct *mm = current->mm;
18735 - struct vm_area_struct *vma, *prev_vma;
18736 - unsigned long base = mm->mmap_base, addr = addr0;
18737 + struct vm_area_struct *vma;
18738 + unsigned long base = mm->mmap_base, addr;
18739 unsigned long largest_hole = mm->cached_hole_size;
18740 - int first_time = 1;
18742 /* don't allow allocations above current base */
18743 if (mm->free_area_cache > base)
18744 @@ -321,64 +328,63 @@ static unsigned long hugetlb_get_unmappe
18746 mm->free_area_cache = base;
18750 /* make sure it can fit in the remaining address space */
18751 if (mm->free_area_cache < len)
18754 /* either no address requested or cant fit in requested address hole */
18755 - addr = (mm->free_area_cache - len) & huge_page_mask(h);
18756 + addr = (mm->free_area_cache - len);
18758 + addr &= huge_page_mask(h);
18759 + vma = find_vma(mm, addr);
18761 * Lookup failure means no vma is above this address,
18762 * i.e. return with success:
18764 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
18768 * new region fits between prev_vma->vm_end and
18769 * vma->vm_start, use it:
18771 - if (addr + len <= vma->vm_start &&
18772 - (!prev_vma || (addr >= prev_vma->vm_end))) {
18773 + if (check_heap_stack_gap(vma, addr, len)) {
18774 /* remember the address as a hint for next time */
18775 - mm->cached_hole_size = largest_hole;
18776 - return (mm->free_area_cache = addr);
18778 - /* pull free_area_cache down to the first hole */
18779 - if (mm->free_area_cache == vma->vm_end) {
18780 - mm->free_area_cache = vma->vm_start;
18781 - mm->cached_hole_size = largest_hole;
18783 + mm->cached_hole_size = largest_hole;
18784 + return (mm->free_area_cache = addr);
18786 + /* pull free_area_cache down to the first hole */
18787 + if (mm->free_area_cache == vma->vm_end) {
18788 + mm->free_area_cache = vma->vm_start;
18789 + mm->cached_hole_size = largest_hole;
18792 /* remember the largest hole we saw so far */
18793 if (addr + largest_hole < vma->vm_start)
18794 - largest_hole = vma->vm_start - addr;
18795 + largest_hole = vma->vm_start - addr;
18797 /* try just below the current vma->vm_start */
18798 - addr = (vma->vm_start - len) & huge_page_mask(h);
18799 - } while (len <= vma->vm_start);
18800 + addr = skip_heap_stack_gap(vma, len);
18801 + } while (!IS_ERR_VALUE(addr));
18805 - * if hint left us with no space for the requested
18806 - * mapping then try again:
18808 - if (first_time) {
18809 - mm->free_area_cache = base;
18810 - largest_hole = 0;
18815 * A failed mmap() very likely causes application failure,
18816 * so fall back to the bottom-up function here. This scenario
18817 * can happen with large stack limits and large mmap()
18820 - mm->free_area_cache = TASK_UNMAPPED_BASE;
18822 +#ifdef CONFIG_PAX_SEGMEXEC
18823 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18824 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
18828 + mm->mmap_base = TASK_UNMAPPED_BASE;
18830 +#ifdef CONFIG_PAX_RANDMMAP
18831 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18832 + mm->mmap_base += mm->delta_mmap;
18835 + mm->free_area_cache = mm->mmap_base;
18836 mm->cached_hole_size = ~0UL;
18837 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
18838 len, pgoff, flags);
18839 @@ -386,6 +392,7 @@ fail:
18841 * Restore the topdown base:
18843 + mm->mmap_base = base;
18844 mm->free_area_cache = base;
18845 mm->cached_hole_size = ~0UL;
18847 @@ -399,10 +406,19 @@ hugetlb_get_unmapped_area(struct file *f
18848 struct hstate *h = hstate_file(file);
18849 struct mm_struct *mm = current->mm;
18850 struct vm_area_struct *vma;
18851 + unsigned long pax_task_size = TASK_SIZE;
18853 if (len & ~huge_page_mask(h))
18855 - if (len > TASK_SIZE)
18857 +#ifdef CONFIG_PAX_SEGMEXEC
18858 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18859 + pax_task_size = SEGMEXEC_TASK_SIZE;
18862 + pax_task_size -= PAGE_SIZE;
18864 + if (len > pax_task_size)
18867 if (flags & MAP_FIXED) {
18868 @@ -414,8 +430,7 @@ hugetlb_get_unmapped_area(struct file *f
18870 addr = ALIGN(addr, huge_page_size(h));
18871 vma = find_vma(mm, addr);
18872 - if (TASK_SIZE - len >= addr &&
18873 - (!vma || addr + len <= vma->vm_start))
18874 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
18877 if (mm->get_unmapped_area == arch_get_unmapped_area)
18878 diff -urNp linux-2.6.38.4/arch/x86/mm/init_32.c linux-2.6.38.4/arch/x86/mm/init_32.c
18879 --- linux-2.6.38.4/arch/x86/mm/init_32.c 2011-03-14 21:20:32.000000000 -0400
18880 +++ linux-2.6.38.4/arch/x86/mm/init_32.c 2011-04-17 15:57:32.000000000 -0400
18881 @@ -74,36 +74,6 @@ static __init void *alloc_low_page(void)
18885 - * Creates a middle page table and puts a pointer to it in the
18886 - * given global directory entry. This only returns the gd entry
18887 - * in non-PAE compilation mode, since the middle layer is folded.
18889 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
18892 - pmd_t *pmd_table;
18894 -#ifdef CONFIG_X86_PAE
18895 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
18896 - if (after_bootmem)
18897 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
18899 - pmd_table = (pmd_t *)alloc_low_page();
18900 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
18901 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
18902 - pud = pud_offset(pgd, 0);
18903 - BUG_ON(pmd_table != pmd_offset(pud, 0));
18905 - return pmd_table;
18908 - pud = pud_offset(pgd, 0);
18909 - pmd_table = pmd_offset(pud, 0);
18911 - return pmd_table;
18915 * Create a page table and place a pointer to it in a middle page
18918 @@ -123,13 +93,28 @@ static pte_t * __init one_page_table_ini
18919 page_table = (pte_t *)alloc_low_page();
18921 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
18922 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18923 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
18925 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
18927 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
18930 return pte_offset_kernel(pmd, 0);
18933 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
18936 + pmd_t *pmd_table;
18938 + pud = pud_offset(pgd, 0);
18939 + pmd_table = pmd_offset(pud, 0);
18941 + return pmd_table;
18944 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
18946 int pgd_idx = pgd_index(vaddr);
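Review bot: The re-added one_md_table_init() now only returns `pmd_offset(pud_offset(pgd, 0), 0)` and never allocates or installs a PMD table, so under PAE it depends on every kernel PGD entry already pointing at a pre-populated PMD page (presumably done by the boot page-table setup, which is not in this hunk); that precondition deserves a comment, e.g. `/* PaX: PAE PMD tables are statically allocated at boot, nothing to allocate here */`. The `_KERNPG_TABLE` vs `_PAGE_TABLE` choice in one_page_table_init under PAGEEXEC/SEGMEXEC drops _PAGE_USER from the kernel page-table entries and would also benefit from a one-line comment on why the user bit must not be set on these tables. one_page_table_init begins before this hunk.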
18947 @@ -203,6 +188,7 @@ page_table_range_init(unsigned long star
18948 int pgd_idx, pmd_idx;
18949 unsigned long vaddr;
18955 @@ -212,8 +198,13 @@ page_table_range_init(unsigned long star
18956 pgd = pgd_base + pgd_idx;
18958 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
18959 - pmd = one_md_table_init(pgd);
18960 - pmd = pmd + pmd_index(vaddr);
18961 + pud = pud_offset(pgd, vaddr);
18962 + pmd = pmd_offset(pud, vaddr);
18964 +#ifdef CONFIG_X86_PAE
18965 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18968 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
18969 pmd++, pmd_idx++) {
18970 pte = page_table_kmap_check(one_page_table_init(pmd),
18971 @@ -225,11 +216,20 @@ page_table_range_init(unsigned long star
18975 -static inline int is_kernel_text(unsigned long addr)
18976 +static inline int is_kernel_text(unsigned long start, unsigned long end)
18978 - if (addr >= (unsigned long)_text && addr <= (unsigned long)__init_end)
18981 + if ((start > ktla_ktva((unsigned long)_etext) ||
18982 + end <= ktla_ktva((unsigned long)_stext)) &&
18983 + (start > ktla_ktva((unsigned long)_einittext) ||
18984 + end <= ktla_ktva((unsigned long)_sinittext)) &&
18986 +#ifdef CONFIG_ACPI_SLEEP
18987 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
18990 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
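Review bot: The new is_kernel_text(start, end) is called with half-open ranges (`address + PMD_SIZE`, `address + PAGE_SIZE`), but the non-overlap tests use `start > ktla_ktva(_etext)` and `start > ktla_ktva(_einittext)`, so a range beginning exactly at _etext or _einittext is still classified as text and mapped PAGE_KERNEL_EXEC; the half-open test is `start >= ktla_ktva((unsigned long)_etext)` and `start >= ktla_ktva((unsigned long)_einittext)`. The same applies to `start > (unsigned long)__va(acpi_wakeup_address) + 0x4000` if 0x4000 is the size of the wakeup area (the `__va(0xfffff)` comparison is correct as written, since that bound is inclusive). The `0x4000`, `0xc0000` and `0xfffff` literals should be named constants with a comment stating which regions (ACPI wakeup trampoline, ISA video/ROM hole) they cover.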
18996 @@ -246,9 +246,10 @@ kernel_physical_mapping_init(unsigned lo
18997 unsigned long last_map_addr = end;
18998 unsigned long start_pfn, end_pfn;
18999 pgd_t *pgd_base = swapper_pg_dir;
19000 - int pgd_idx, pmd_idx, pte_ofs;
19001 + unsigned int pgd_idx, pmd_idx, pte_ofs;
19007 unsigned pages_2m, pages_4k;
19008 @@ -281,8 +282,13 @@ repeat:
19010 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
19011 pgd = pgd_base + pgd_idx;
19012 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
19013 - pmd = one_md_table_init(pgd);
19014 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
19015 + pud = pud_offset(pgd, 0);
19016 + pmd = pmd_offset(pud, 0);
19018 +#ifdef CONFIG_X86_PAE
19019 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
19022 if (pfn >= end_pfn)
19024 @@ -294,14 +300,13 @@ repeat:
19026 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
19027 pmd++, pmd_idx++) {
19028 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
19029 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
19032 * Map with big pages if possible, otherwise
19033 * create normal page tables:
19036 - unsigned int addr2;
19037 pgprot_t prot = PAGE_KERNEL_LARGE;
19039 * first pass will use the same initial
19040 @@ -311,11 +316,7 @@ repeat:
19041 __pgprot(PTE_IDENT_ATTR |
19044 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
19045 - PAGE_OFFSET + PAGE_SIZE-1;
19047 - if (is_kernel_text(addr) ||
19048 - is_kernel_text(addr2))
19049 + if (is_kernel_text(address, address + PMD_SIZE))
19050 prot = PAGE_KERNEL_LARGE_EXEC;
19053 @@ -332,7 +333,7 @@ repeat:
19054 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
19056 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
19057 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
19058 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
19059 pgprot_t prot = PAGE_KERNEL;
19061 * first pass will use the same initial
19062 @@ -340,7 +341,7 @@ repeat:
19064 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
19066 - if (is_kernel_text(addr))
19067 + if (is_kernel_text(address, address + PAGE_SIZE))
19068 prot = PAGE_KERNEL_EXEC;
19071 @@ -472,7 +473,7 @@ void __init native_pagetable_setup_start
19073 pud = pud_offset(pgd, va);
19074 pmd = pmd_offset(pud, va);
19075 - if (!pmd_present(*pmd))
19076 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
19079 pte = pte_offset_kernel(pmd, va);
19080 @@ -524,12 +525,10 @@ void __init early_ioremap_page_table_ran
19082 static void __init pagetable_init(void)
19084 - pgd_t *pgd_base = swapper_pg_dir;
19086 - permanent_kmaps_init(pgd_base);
19087 + permanent_kmaps_init(swapper_pg_dir);
19090 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
19091 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
19092 EXPORT_SYMBOL_GPL(__supported_pte_mask);
19094 /* user-defined highmem size */
19095 @@ -755,6 +754,12 @@ void __init mem_init(void)
19099 +#ifdef CONFIG_PAX_PER_CPU_PGD
19100 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
19101 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
19102 + KERNEL_PGD_PTRS);
19105 #ifdef CONFIG_FLATMEM
19108 @@ -772,7 +777,7 @@ void __init mem_init(void)
19109 set_highmem_pages_init();
19111 codesize = (unsigned long) &_etext - (unsigned long) &_text;
19112 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
19113 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
19114 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
19116 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
19117 @@ -813,10 +818,10 @@ void __init mem_init(void)
19118 ((unsigned long)&__init_end -
19119 (unsigned long)&__init_begin) >> 10,
19121 - (unsigned long)&_etext, (unsigned long)&_edata,
19122 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
19123 + (unsigned long)&_sdata, (unsigned long)&_edata,
19124 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
19126 - (unsigned long)&_text, (unsigned long)&_etext,
19127 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
19128 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
19131 @@ -894,6 +899,7 @@ void set_kernel_text_rw(void)
19132 if (!kernel_set_to_readonly)
19135 + start = ktla_ktva(start);
19136 pr_debug("Set kernel text: %lx - %lx for read write\n",
19137 start, start+size);
19139 @@ -908,6 +914,7 @@ void set_kernel_text_ro(void)
19140 if (!kernel_set_to_readonly)
19143 + start = ktla_ktva(start);
19144 pr_debug("Set kernel text: %lx - %lx for read only\n",
19145 start, start+size);
19147 @@ -936,6 +943,7 @@ void mark_rodata_ro(void)
19148 unsigned long start = PFN_ALIGN(_text);
19149 unsigned long size = PFN_ALIGN(_etext) - start;
19151 + start = ktla_ktva(start);
19152 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
19153 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
19155 diff -urNp linux-2.6.38.4/arch/x86/mm/init_64.c linux-2.6.38.4/arch/x86/mm/init_64.c
19156 --- linux-2.6.38.4/arch/x86/mm/init_64.c 2011-04-18 17:27:18.000000000 -0400
19157 +++ linux-2.6.38.4/arch/x86/mm/init_64.c 2011-04-17 16:53:16.000000000 -0400
19158 @@ -72,7 +72,7 @@ early_param("gbpages", parse_direct_gbpa
19159 * around without checking the pgd every time.
19162 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
19163 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
19164 EXPORT_SYMBOL_GPL(__supported_pte_mask);
19166 int force_personality32;
19167 @@ -105,12 +105,22 @@ void sync_global_pgds(unsigned long star
19169 for (address = start; address <= end; address += PGDIR_SIZE) {
19170 const pgd_t *pgd_ref = pgd_offset_k(address);
19172 +#ifdef CONFIG_PAX_PER_CPU_PGD
19173 + unsigned long cpu;
19178 if (pgd_none(*pgd_ref))
19181 spin_lock(&pgd_lock);
19183 +#ifdef CONFIG_PAX_PER_CPU_PGD
19184 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
19185 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
19187 list_for_each_entry(page, &pgd_list, lru) {
19189 spinlock_t *pgt_lock;
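Review bot: Under CONFIG_PAX_PER_CPU_PGD the loop `for (cpu = 0; cpu < NR_CPUS; ++cpu)` walks every compile-time CPU slot rather than the possible CPUs; if pgd_offset_cpu() indexes a static NR_CPUS-sized table this is only wasted work, but if it goes through per-cpu storage the slots above nr_cpu_ids are never set up and the set_pgd() would land elsewhere, so `for_each_possible_cpu(cpu)` with `int cpu` expresses the intent either way. In this configuration the per-mm pgd_list walk and its pgt_lock are bypassed entirely; a comment stating that the kernel half of the per-CPU pgds is the only copy that needs syncing would help the next reader. sync_global_pgds starts before this hunk and the matching #else/#endif continue in the following one.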
19190 @@ -119,6 +129,7 @@ void sync_global_pgds(unsigned long star
19191 /* the pgt_lock only for Xen */
19192 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
19193 spin_lock(pgt_lock);
19196 if (pgd_none(*pgd))
19197 set_pgd(pgd, *pgd_ref);
19198 @@ -126,7 +137,10 @@ void sync_global_pgds(unsigned long star
19199 BUG_ON(pgd_page_vaddr(*pgd)
19200 != pgd_page_vaddr(*pgd_ref));
19202 +#ifndef CONFIG_PAX_PER_CPU_PGD
19203 spin_unlock(pgt_lock);
19207 spin_unlock(&pgd_lock);
19209 @@ -200,7 +214,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
19210 pmd = fill_pmd(pud, vaddr);
19211 pte = fill_pte(pmd, vaddr);
19213 + pax_open_kernel();
19214 set_pte(pte, new_pte);
19215 + pax_close_kernel();
19218 * It's enough to flush this one mapping.
19219 @@ -259,14 +275,12 @@ static void __init __init_extra_mapping(
19220 pgd = pgd_offset_k((unsigned long)__va(phys));
19221 if (pgd_none(*pgd)) {
19222 pud = (pud_t *) spp_getpage();
19223 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
19225 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
19227 pud = pud_offset(pgd, (unsigned long)__va(phys));
19228 if (pud_none(*pud)) {
19229 pmd = (pmd_t *) spp_getpage();
19230 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
19232 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
19234 pmd = pmd_offset(pud, phys);
19235 BUG_ON(!pmd_none(*pmd));
19236 @@ -706,6 +720,12 @@ void __init mem_init(void)
19240 +#ifdef CONFIG_PAX_PER_CPU_PGD
19241 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
19242 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
19243 + KERNEL_PGD_PTRS);
19246 /* clear_bss() already clear the empty_zero_page */
19249 @@ -866,8 +886,8 @@ int kern_addr_valid(unsigned long addr)
19250 static struct vm_area_struct gate_vma = {
19251 .vm_start = VSYSCALL_START,
19252 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
19253 - .vm_page_prot = PAGE_READONLY_EXEC,
19254 - .vm_flags = VM_READ | VM_EXEC
19255 + .vm_page_prot = PAGE_READONLY,
19256 + .vm_flags = VM_READ
19259 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
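Review bot: Changing gate_vma to PAGE_READONLY / VM_READ only changes how the vsyscall page is described (to /proc/PID/maps, get_user_pages and the fault path), not the permissions of the fixmap PTE that actually maps it; unless the vsyscall fixmap is switched away from an executable protection elsewhere in the patch, the descriptor and the hardware mapping now disagree and the page stays executable. If the goal is to stop userspace from executing the legacy vsyscall page, pair this with the fixmap protection change and add `/* PaX: vsyscall page is not executable; see the matching fixmap protection */`. Only the initializer is in this hunk.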
19260 @@ -901,7 +921,7 @@ int in_gate_area_no_task(unsigned long a
19262 const char *arch_vma_name(struct vm_area_struct *vma)
19264 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
19265 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
19267 if (vma == &gate_vma)
19268 return "[vsyscall]";
19269 diff -urNp linux-2.6.38.4/arch/x86/mm/init.c linux-2.6.38.4/arch/x86/mm/init.c
19270 --- linux-2.6.38.4/arch/x86/mm/init.c 2011-04-18 17:27:18.000000000 -0400
19271 +++ linux-2.6.38.4/arch/x86/mm/init.c 2011-04-17 16:53:16.000000000 -0400
19272 @@ -72,11 +72,7 @@ static void __init find_early_table_spac
19273 * cause a hotspot and fill up ZONE_DMA. The page tables
19274 * need roughly 0.5KB per GB.
19276 -#ifdef CONFIG_X86_32
19281 + start = 0x100000;
19282 base = memblock_find_in_range(start, max_pfn_mapped<<PAGE_SHIFT,
19283 tables, PAGE_SIZE);
19284 if (base == MEMBLOCK_ERROR)
19285 @@ -323,7 +319,16 @@ unsigned long __init_refok init_memory_m
19287 int devmem_is_allowed(unsigned long pagenr)
19289 - if (pagenr <= 256)
19290 +#ifndef CONFIG_GRKERNSEC_KMEM
19293 +#ifdef CONFIG_VM86
19294 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
19299 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
19301 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
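Review bot: The non-GRKERNSEC_KMEM branch now allows the low 640K only under CONFIG_VM86 and otherwise only the ISA hole `[ISA_START_ADDRESS, ISA_END_ADDRESS)`, whereas the removed `if (pagenr <= 256)` allowed everything up to 1MB; if the rest of the function is unchanged from mainline, low RAM is then rejected by its page_is_ram() test, so userspace that reads the BIOS data area or EBDA through /dev/mem starts failing on non-VM86 kernels. That policy is defensible but should be stated above the `#ifdef CONFIG_VM86`, e.g. `/* only vm86 users need the real-mode area below ISA_START_ADDRESS; everything else below 1MB is RAM */`, and in the commit message.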
19303 @@ -383,6 +388,86 @@ void free_init_pages(char *what, unsigne
19305 void free_initmem(void)
19308 +#ifdef CONFIG_PAX_KERNEXEC
19309 +#ifdef CONFIG_X86_32
19310 + /* PaX: limit KERNEL_CS to actual size */
19311 + unsigned long addr, limit;
19312 + struct desc_struct d;
19315 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
19316 + limit = (limit - 1UL) >> PAGE_SHIFT;
19318 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
19319 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
19320 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
19321 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
19324 + /* PaX: make KERNEL_CS read-only */
19325 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
19326 + if (!paravirt_enabled())
19327 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
19329 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
19330 + pgd = pgd_offset_k(addr);
19331 + pud = pud_offset(pgd, addr);
19332 + pmd = pmd_offset(pud, addr);
19333 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
19336 +#ifdef CONFIG_X86_PAE
19337 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
19339 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
19340 + pgd = pgd_offset_k(addr);
19341 + pud = pud_offset(pgd, addr);
19342 + pmd = pmd_offset(pud, addr);
19343 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
19348 +#ifdef CONFIG_MODULES
19349 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
19356 + unsigned long addr, end;
19358 + /* PaX: make kernel code/rodata read-only, rest non-executable */
19359 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
19360 + pgd = pgd_offset_k(addr);
19361 + pud = pud_offset(pgd, addr);
19362 + pmd = pmd_offset(pud, addr);
19363 + if (!pmd_present(*pmd))
19365 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
19366 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
19368 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
19371 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
19372 + end = addr + KERNEL_IMAGE_SIZE;
19373 + for (; addr < end; addr += PMD_SIZE) {
19374 + pgd = pgd_offset_k(addr);
19375 + pud = pud_offset(pgd, addr);
19376 + pmd = pmd_offset(pud, addr);
19377 + if (!pmd_present(*pmd))
19379 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
19380 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
19387 free_init_pages("unused kernel memory",
19388 (unsigned long)(&__init_begin),
19389 (unsigned long)(&__init_end));
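Review bot: `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);` passes an unsigned long where memset takes `void *`, an implicit integer-to-pointer conversion the compiler warns about; write `memset((void *)(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET), POISON_FREE_INITMEM, PAGE_SIZE);` and say in a comment which page is being poisoned and why. The GDT loop `for (cpu = 0; cpu < NR_CPUS; cpu++)` rewrites KERNEL_CS for every compile-time CPU slot; `for_each_possible_cpu(cpu)` is the idiom and avoids touching per-cpu GDTs that were never set up for impossible CPUs. The 32-bit loops that clear `_PAGE_RW` per PMD assume _text and _sdata are PMD_SIZE-aligned and mapped by large pages; if the linker script guarantees that, state it here, otherwise a 4K-mapped tail of .text would drag neighbouring data into a read-only PMD.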
19390 diff -urNp linux-2.6.38.4/arch/x86/mm/iomap_32.c linux-2.6.38.4/arch/x86/mm/iomap_32.c
19391 --- linux-2.6.38.4/arch/x86/mm/iomap_32.c 2011-03-14 21:20:32.000000000 -0400
19392 +++ linux-2.6.38.4/arch/x86/mm/iomap_32.c 2011-04-17 15:57:32.000000000 -0400
19393 @@ -64,7 +64,11 @@ void *kmap_atomic_prot_pfn(unsigned long
19394 type = kmap_atomic_idx_push();
19395 idx = type + KM_TYPE_NR * smp_processor_id();
19396 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
19398 + pax_open_kernel();
19399 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
19400 + pax_close_kernel();
19402 arch_flush_lazy_mmu_mode();
19404 return (void *)vaddr;
19405 diff -urNp linux-2.6.38.4/arch/x86/mm/ioremap.c linux-2.6.38.4/arch/x86/mm/ioremap.c
19406 --- linux-2.6.38.4/arch/x86/mm/ioremap.c 2011-03-14 21:20:32.000000000 -0400
19407 +++ linux-2.6.38.4/arch/x86/mm/ioremap.c 2011-04-17 15:57:32.000000000 -0400
19408 @@ -104,7 +104,7 @@ static void __iomem *__ioremap_caller(re
19409 for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) {
19410 int is_ram = page_is_ram(pfn);
19412 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
19413 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
19415 WARN_ON_ONCE(is_ram);
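Review bot: The new condition `(pfn >= 0x100 || !PageReserved(pfn_to_page(pfn)))` makes __ioremap_caller refuse any RAM page above 1MB even when it is marked reserved, which hardens against mapping kernel memory through ioremap, but the bare `0x100` hides that; use `(ISA_END_ADDRESS >> PAGE_SHIFT)` and add `/* PaX: above the ISA hole, reserved RAM is still RAM and must not be ioremapped */`. Callers that legitimately ioremap reserved RAM above 1MB (firmware tables kept via memblock_reserve, for instance) will now get NULL and trip the WARN_ON_ONCE below, so the behavioural change is worth a line in the commit message. __ioremap_caller begins before this hunk.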
19417 @@ -344,7 +344,7 @@ static int __init early_ioremap_debug_se
19418 early_param("early_ioremap_debug", early_ioremap_debug_setup);
19420 static __initdata int after_paging_init;
19421 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
19422 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
19424 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
19426 @@ -381,8 +381,7 @@ void __init early_ioremap_init(void)
19427 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
19429 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
19430 - memset(bm_pte, 0, sizeof(bm_pte));
19431 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
19432 + pmd_populate_user(&init_mm, pmd, bm_pte);
19435 * The boot-ioremap range spans multiple pmds, for which
19436 diff -urNp linux-2.6.38.4/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.38.4/arch/x86/mm/kmemcheck/kmemcheck.c
19437 --- linux-2.6.38.4/arch/x86/mm/kmemcheck/kmemcheck.c 2011-03-14 21:20:32.000000000 -0400
19438 +++ linux-2.6.38.4/arch/x86/mm/kmemcheck/kmemcheck.c 2011-04-17 15:57:32.000000000 -0400
19439 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
19440 * memory (e.g. tracked pages)? For now, we need this to avoid
19441 * invoking kmemcheck for PnP BIOS calls.
19443 - if (regs->flags & X86_VM_MASK)
19444 + if (v8086_mode(regs))
19446 - if (regs->cs != __KERNEL_CS)
19447 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
19450 pte = kmemcheck_pte_lookup(address);
19451 diff -urNp linux-2.6.38.4/arch/x86/mm/mmap.c linux-2.6.38.4/arch/x86/mm/mmap.c
19452 --- linux-2.6.38.4/arch/x86/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
19453 +++ linux-2.6.38.4/arch/x86/mm/mmap.c 2011-04-17 15:57:32.000000000 -0400
19454 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
19455 * Leave an at least ~128 MB hole with possible stack randomization.
19457 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
19458 -#define MAX_GAP (TASK_SIZE/6*5)
19459 +#define MAX_GAP (pax_task_size/6*5)
19462 * True on X86_32 or when emulating IA32 on X86_64
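Review bot: `#define MAX_GAP (pax_task_size/6*5)` now refers to a local variable that exists only inside mmap_base(), so the macro silently breaks anywhere else it is used and yields an opaque undeclared-identifier error; make the dependency explicit with `#define MAX_GAP(task_size) ((task_size)/6*5)` and call it as `MAX_GAP(pax_task_size)` in mmap_base(). MIN_GAP above it is unaffected. The use site is in the next hunk.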
19463 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
19464 return rnd << PAGE_SHIFT;
19467 -static unsigned long mmap_base(void)
19468 +static unsigned long mmap_base(struct mm_struct *mm)
19470 unsigned long gap = rlimit(RLIMIT_STACK);
19471 + unsigned long pax_task_size = TASK_SIZE;
19473 +#ifdef CONFIG_PAX_SEGMEXEC
19474 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
19475 + pax_task_size = SEGMEXEC_TASK_SIZE;
19480 else if (gap > MAX_GAP)
19483 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
19484 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
19488 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
19489 * does, but not when emulating X86_32
19491 -static unsigned long mmap_legacy_base(void)
19492 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
19494 - if (mmap_is_ia32())
19495 + if (mmap_is_ia32()) {
19497 +#ifdef CONFIG_PAX_SEGMEXEC
19498 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
19499 + return SEGMEXEC_TASK_UNMAPPED_BASE;
19503 return TASK_UNMAPPED_BASE;
19506 return TASK_UNMAPPED_BASE + mmap_rnd();
19509 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
19510 void arch_pick_mmap_layout(struct mm_struct *mm)
19512 if (mmap_is_legacy()) {
19513 - mm->mmap_base = mmap_legacy_base();
19514 + mm->mmap_base = mmap_legacy_base(mm);
19516 +#ifdef CONFIG_PAX_RANDMMAP
19517 + if (mm->pax_flags & MF_PAX_RANDMMAP)
19518 + mm->mmap_base += mm->delta_mmap;
19521 mm->get_unmapped_area = arch_get_unmapped_area;
19522 mm->unmap_area = arch_unmap_area;
19524 - mm->mmap_base = mmap_base();
19525 + mm->mmap_base = mmap_base(mm);
19527 +#ifdef CONFIG_PAX_RANDMMAP
19528 + if (mm->pax_flags & MF_PAX_RANDMMAP)
19529 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
19532 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
19533 mm->unmap_area = arch_unmap_area_topdown;
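Review bot: `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` on the top-down path is an unchecked subtraction from a base that mmap_base() may already have pulled down to `pax_task_size/6 - mmap_rnd()` (the MIN/MAX_GAP clamp allows a gap of 5/6 of the task size), and nothing in view bounds the two deltas against that remaining room. If the delta lengths are chosen so the sum always fits, the function should say so, e.g. `/* delta_mmap + delta_stack are bounded below pax_task_size/6 - mmap_rnd(), the lowest value mmap_base() can return */`; if they are not, the subtraction wraps and the top-down allocator starts above the task size. The legacy path's `+= mm->delta_mmap` raises the same question in milder form, since it moves the bottom-up base toward the stack gap. I cannot see the delta definitions from this hunk, so this is a request for either the documented invariant or an explicit clamp, not a confirmed overflow.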
19535 diff -urNp linux-2.6.38.4/arch/x86/mm/numa_32.c linux-2.6.38.4/arch/x86/mm/numa_32.c
19536 --- linux-2.6.38.4/arch/x86/mm/numa_32.c 2011-03-14 21:20:32.000000000 -0400
19537 +++ linux-2.6.38.4/arch/x86/mm/numa_32.c 2011-04-17 15:57:32.000000000 -0400
19538 @@ -99,7 +99,6 @@ unsigned long node_memmap_size_bytes(int
19542 -extern unsigned long find_max_low_pfn(void);
19543 extern unsigned long highend_pfn, highstart_pfn;
19545 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
19546 diff -urNp linux-2.6.38.4/arch/x86/mm/pageattr.c linux-2.6.38.4/arch/x86/mm/pageattr.c
19547 --- linux-2.6.38.4/arch/x86/mm/pageattr.c 2011-03-14 21:20:32.000000000 -0400
19548 +++ linux-2.6.38.4/arch/x86/mm/pageattr.c 2011-04-17 15:57:32.000000000 -0400
19549 @@ -261,7 +261,7 @@ static inline pgprot_t static_protection
19551 #ifdef CONFIG_PCI_BIOS
19552 if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
19553 - pgprot_val(forbidden) |= _PAGE_NX;
19554 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
19558 @@ -269,9 +269,10 @@ static inline pgprot_t static_protection
19559 * Does not cover __inittext since that is gone later on. On
19560 * 64bit we do not enforce !NX on the low mapping
19562 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
19563 - pgprot_val(forbidden) |= _PAGE_NX;
19564 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
19565 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
19567 +#ifdef CONFIG_DEBUG_RODATA
19569 * The .rodata section needs to be read-only. Using the pfn
19570 * catches all aliases.
19571 @@ -279,6 +280,7 @@ static inline pgprot_t static_protection
19572 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
19573 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
19574 pgprot_val(forbidden) |= _PAGE_RW;
19577 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
19579 @@ -317,6 +319,13 @@ static inline pgprot_t static_protection
19583 +#ifdef CONFIG_PAX_KERNEXEC
19584 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
19585 + pgprot_val(forbidden) |= _PAGE_RW;
19586 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
19590 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
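Review bot: `within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))` compares a page frame number with physical byte addresses, whereas the rodata check earlier in this function shifts both bounds by PAGE_SHIFT; assuming within() is the same plain range test there, the kernel-image pfns this block is meant to protect are never matched and instead a distant set of pfns, those numerically between the two byte values, gets RW and NX forbidden. The fix is to shift the bounds as the rodata check does: `if (within(pfn, __pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)) {`. The block would also benefit from a one-line comment stating the intent, e.g. `/* KERNEXEC: text and rodata are read-only, text is the only executable range */`. static_protections() continues outside the hunk.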
19593 @@ -369,23 +378,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
19594 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
19596 /* change init_mm */
19597 + pax_open_kernel();
19598 set_pte_atomic(kpte, pte);
19600 #ifdef CONFIG_X86_32
19601 if (!SHARED_KERNEL_PMD) {
19603 +#ifdef CONFIG_PAX_PER_CPU_PGD
19604 + unsigned long cpu;
19609 +#ifdef CONFIG_PAX_PER_CPU_PGD
19610 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
19611 + pgd_t *pgd = get_cpu_pgd(cpu);
19613 list_for_each_entry(page, &pgd_list, lru) {
19615 + pgd_t *pgd = (pgd_t *)page_address(page);
19621 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
19622 + pgd += pgd_index(address);
19623 pud = pud_offset(pgd, address);
19624 pmd = pmd_offset(pud, address);
19625 set_pte_atomic((pte_t *)pmd, pte);
19629 + pax_close_kernel();
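Review bot: the CONFIG_PAX_PER_CPU_PGD loop walks `cpu < NR_CPUS` rather than the possible CPUs, so every compiled-in slot is visited even on a machine with a handful of CPUs; whether that is safe depends on get_cpu_pgd() being backed by a statically sized NR_CPUS array, which is not visible from here. `for_each_possible_cpu(cpu)` states the intent directly and stays correct if the backing storage ever becomes dynamically allocated per possible CPU. The pax_open_kernel()/pax_close_kernel() pair now brackets both the set_pte_atomic() on kpte and the whole pgd walk, which is fine because the function has no early return in view; a one-line comment such as `/* pax_open_kernel() must cover every pgd write below */` would keep a future edit from slipping one in between.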
19633 diff -urNp linux-2.6.38.4/arch/x86/mm/pageattr-test.c linux-2.6.38.4/arch/x86/mm/pageattr-test.c
19634 --- linux-2.6.38.4/arch/x86/mm/pageattr-test.c 2011-03-14 21:20:32.000000000 -0400
19635 +++ linux-2.6.38.4/arch/x86/mm/pageattr-test.c 2011-04-17 15:57:32.000000000 -0400
19636 @@ -36,7 +36,7 @@ enum {
19638 static int pte_testbit(pte_t pte)
19640 - return pte_flags(pte) & _PAGE_UNUSED1;
19641 + return pte_flags(pte) & _PAGE_CPA_TEST;
19644 struct split_state {
19645 diff -urNp linux-2.6.38.4/arch/x86/mm/pat.c linux-2.6.38.4/arch/x86/mm/pat.c
19646 --- linux-2.6.38.4/arch/x86/mm/pat.c 2011-03-14 21:20:32.000000000 -0400
19647 +++ linux-2.6.38.4/arch/x86/mm/pat.c 2011-04-17 15:57:32.000000000 -0400
19648 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
19651 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
19652 - current->comm, current->pid, start, end);
19653 + current->comm, task_pid_nr(current), start, end);
19657 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
19658 while (cursor < to) {
19659 if (!devmem_is_allowed(pfn)) {
19661 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
19662 - current->comm, from, to);
19663 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
19664 + current->comm, from, to, cursor);
19667 cursor += PAGE_SIZE;
19668 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
19670 "%s:%d ioremap_change_attr failed %s "
19672 - current->comm, current->pid,
19673 + current->comm, task_pid_nr(current),
19675 base, (unsigned long long)(base + size));
19677 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
19678 if (want_flags != flags) {
19679 printk(KERN_WARNING
19680 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
19681 - current->comm, current->pid,
19682 + current->comm, task_pid_nr(current),
19683 cattr_name(want_flags),
19684 (unsigned long long)paddr,
19685 (unsigned long long)(paddr + size),
19686 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
19687 free_memtype(paddr, paddr + size);
19688 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
19689 " for %Lx-%Lx, got %s\n",
19690 - current->comm, current->pid,
19691 + current->comm, task_pid_nr(current),
19692 cattr_name(want_flags),
19693 (unsigned long long)paddr,
19694 (unsigned long long)(paddr + size),
19695 diff -urNp linux-2.6.38.4/arch/x86/mm/pgtable_32.c linux-2.6.38.4/arch/x86/mm/pgtable_32.c
19696 --- linux-2.6.38.4/arch/x86/mm/pgtable_32.c 2011-03-14 21:20:32.000000000 -0400
19697 +++ linux-2.6.38.4/arch/x86/mm/pgtable_32.c 2011-04-17 15:57:32.000000000 -0400
19698 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
19701 pte = pte_offset_kernel(pmd, vaddr);
19703 + pax_open_kernel();
19704 if (pte_val(pteval))
19705 set_pte_at(&init_mm, vaddr, pte, pteval);
19707 pte_clear(&init_mm, vaddr, pte);
19708 + pax_close_kernel();
19711 * It's enough to flush this one mapping.
19712 diff -urNp linux-2.6.38.4/arch/x86/mm/pgtable.c linux-2.6.38.4/arch/x86/mm/pgtable.c
19713 --- linux-2.6.38.4/arch/x86/mm/pgtable.c 2011-04-18 17:27:13.000000000 -0400
19714 +++ linux-2.6.38.4/arch/x86/mm/pgtable.c 2011-04-17 15:57:32.000000000 -0400
19715 @@ -84,9 +84,58 @@ static inline void pgd_list_del(pgd_t *p
19716 list_del(&page->lru);
19719 -#define UNSHARED_PTRS_PER_PGD \
19720 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19721 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19722 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
19724 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
19727 + *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
19731 +#ifdef CONFIG_PAX_PER_CPU_PGD
19732 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
19736 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19737 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
19745 +#ifdef CONFIG_PAX_PER_CPU_PGD
19746 +static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {}
19747 +static inline void pgd_dtor(pgd_t *pgd) {}
19748 +#ifdef CONFIG_X86_64
19749 +#define pxd_t pud_t
19750 +#define pyd_t pgd_t
19751 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
19752 +#define pxd_free(mm, pud) pud_free((mm), (pud))
19753 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
19754 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
19755 +#define PYD_SIZE PGDIR_SIZE
19757 +#define pxd_t pmd_t
19758 +#define pyd_t pud_t
19759 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
19760 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
19761 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
19762 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
19763 +#define PYD_SIZE PUD_SIZE
19766 +#define pxd_t pmd_t
19767 +#define pyd_t pud_t
19768 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
19769 +#define pxd_free(mm, pmd) pmd_free((mm), (pmd))
19770 +#define pyd_populate(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
19771 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
19772 +#define PYD_SIZE PUD_SIZE
19774 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
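Review bot: under CONFIG_PAX_PER_CPU_PGD pgd_ctor() and pgd_dtor() become empty stubs, so a process pgd is never placed on pgd_list, and nothing at the stubs says what replaces that bookkeeping; a reader has to find the per-cpu pgd walk added to pageattr.c elsewhere in this patch to learn that kernel mappings are propagated through the cpu pgds instead, and any other pgd_list walker is not visible from here. A comment at the stubs would record the invariant, e.g. `/* PER_CPU_PGD: kernel entries live only in the per-cpu pgds, so process pgds need no pgd_list tracking */` (inferred from the pageattr.c change, so confirm the wording against the rest of the patch). The pxd_t/pyd_t macro layer also deserves one line per branch saying which paging level each alias denotes, and `pyd_offset(mm ,address)` carries a stray space before the comma in all three definitions.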
19776 @@ -128,6 +177,7 @@ static void pgd_dtor(pgd_t *pgd)
19778 spin_unlock(&pgd_lock);
19783 * List of all pgd's needed for non-PAE so it can invalidate entries
19784 @@ -140,7 +190,7 @@ static void pgd_dtor(pgd_t *pgd)
19788 -#ifdef CONFIG_X86_PAE
19789 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
19791 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
19792 * updating the top-level pagetable entries to guarantee the
19793 @@ -152,7 +202,7 @@ static void pgd_dtor(pgd_t *pgd)
19794 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
19795 * and initialize the kernel pmds here.
19797 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
19798 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19800 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
19802 @@ -170,36 +220,38 @@ void pud_populate(struct mm_struct *mm,
19806 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
19807 +#define PREALLOCATED_PXDS USER_PGD_PTRS
19808 #else /* !CONFIG_X86_PAE */
19810 /* No need to prepopulate any pagetable entries in non-PAE modes. */
19811 -#define PREALLOCATED_PMDS 0
19812 +#define PREALLOCATED_PXDS 0
19814 #endif /* CONFIG_X86_PAE */
19816 -static void free_pmds(pmd_t *pmds[])
19817 +static void free_pxds(pxd_t *pxds[])
19821 - for(i = 0; i < PREALLOCATED_PMDS; i++)
19823 - free_page((unsigned long)pmds[i]);
19824 + for(i = 0; i < PREALLOCATED_PXDS; i++)
19826 + free_page((unsigned long)pxds[i]);
19829 -static int preallocate_pmds(pmd_t *pmds[])
19830 +static int preallocate_pxds(pxd_t *pxds[])
19833 bool failed = false;
19835 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19836 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
19838 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19839 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
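Review bot: the trailing comments `#else /* !CONFIG_X86_PAE */` and `#endif /* CONFIG_X86_PAE */` are now wrong, because the chain gained an `#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)` branch and its opening test became `defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)` in the previous hunk, so the `#else` is reached for non-PAE 32-bit and for 64-bit without PER_CPU_PGD alike. Update them to match, e.g. `#else /* !(X86_32 && PAE) && !(X86_64 && PAX_PER_CPU_PGD) */` and `#endif /* X86_PAE / PAX_PER_CPU_PGD */`, and add a note next to `#define PREALLOCATED_PXDS USER_PGD_PTRS` that on 64-bit the preallocated level is the pud, since the renamed identifier no longer says which level it counts. The `#if` this chain belongs to opens above this hunk.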
19852 @@ -212,51 +264,55 @@ static int preallocate_pmds(pmd_t *pmds[
19853 * preallocate which never got a corresponding vma will need to be
19856 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
19857 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
19861 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19862 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19863 pgd_t pgd = pgdp[i];
19865 if (pgd_val(pgd) != 0) {
19866 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
19867 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
19869 - pgdp[i] = native_make_pgd(0);
19870 + set_pgd(pgdp + i, native_make_pgd(0));
19872 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
19873 - pmd_free(mm, pmd);
19874 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
19875 + pxd_free(mm, pxd);
19880 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
19881 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
19885 unsigned long addr;
19888 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
19889 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
19892 - pud = pud_offset(pgd, 0);
19893 +#ifdef CONFIG_X86_64
19894 + pyd = pyd_offset(mm, 0L);
19896 + pyd = pyd_offset(pgd, 0L);
19899 - for (addr = i = 0; i < PREALLOCATED_PMDS;
19900 - i++, pud++, addr += PUD_SIZE) {
19901 - pmd_t *pmd = pmds[i];
19902 + for (addr = i = 0; i < PREALLOCATED_PXDS;
19903 + i++, pyd++, addr += PYD_SIZE) {
19904 + pxd_t *pxd = pxds[i];
19906 if (i >= KERNEL_PGD_BOUNDARY)
19907 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19908 - sizeof(pmd_t) * PTRS_PER_PMD);
19909 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19910 + sizeof(pxd_t) * PTRS_PER_PMD);
19912 - pud_populate(mm, pud, pmd);
19913 + pyd_populate(mm, pyd, pxd);
19917 pgd_t *pgd_alloc(struct mm_struct *mm)
19920 - pmd_t *pmds[PREALLOCATED_PMDS];
19921 + pxd_t *pxds[PREALLOCATED_PXDS];
19923 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
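Review bot: `memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]), sizeof(pxd_t) * PTRS_PER_PMD)` sizes the copy with the pmd entry count even though pxd_t is pud_t on 64-bit with PER_CPU_PGD (see the macro block earlier in this file); it works only because PTRS_PER_PUD and PTRS_PER_PMD are both 512 there, and the `i >= KERNEL_PGD_BOUNDARY` guard appears to make the copy unreachable on 64-bit anyway if USER_PGD_PTRS equals KERNEL_PGD_BOUNDARY. Define the count alongside the type, `#define PTRS_PER_PXD PTRS_PER_PUD` in the 64-bit branch and `#define PTRS_PER_PXD PTRS_PER_PMD` in the others, and use it here so the level abstraction is complete rather than coincidentally right. pgd_alloc() continues outside the hunk.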
19925 @@ -265,11 +321,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19929 - if (preallocate_pmds(pmds) != 0)
19930 + if (preallocate_pxds(pxds) != 0)
19933 if (paravirt_pgd_alloc(mm) != 0)
19934 - goto out_free_pmds;
19935 + goto out_free_pxds;
19938 * Make sure that pre-populating the pmds is atomic with
19939 @@ -279,14 +335,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19940 spin_lock(&pgd_lock);
19943 - pgd_prepopulate_pmd(mm, pgd, pmds);
19944 + pgd_prepopulate_pxd(mm, pgd, pxds);
19946 spin_unlock(&pgd_lock);
19955 free_page((unsigned long)pgd);
19957 @@ -295,7 +351,7 @@ out:
19959 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
19961 - pgd_mop_up_pmds(mm, pgd);
19962 + pgd_mop_up_pxds(mm, pgd);
19964 paravirt_pgd_free(mm, pgd);
19965 free_page((unsigned long)pgd);
19966 diff -urNp linux-2.6.38.4/arch/x86/mm/setup_nx.c linux-2.6.38.4/arch/x86/mm/setup_nx.c
19967 --- linux-2.6.38.4/arch/x86/mm/setup_nx.c 2011-03-14 21:20:32.000000000 -0400
19968 +++ linux-2.6.38.4/arch/x86/mm/setup_nx.c 2011-04-17 15:57:32.000000000 -0400
19970 #include <asm/pgtable.h>
19971 #include <asm/proto.h>
19973 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19974 static int disable_nx __cpuinitdata;
19976 +#ifndef CONFIG_PAX_PAGEEXEC
19980 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
19983 early_param("noexec", noexec_setup);
19988 void __cpuinit x86_configure_nx(void)
19990 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19991 if (cpu_has_nx && !disable_nx)
19992 __supported_pte_mask |= _PAGE_NX;
19995 __supported_pte_mask &= ~_PAGE_NX;
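Review bot: the `#ifndef CONFIG_PAX_PAGEEXEC` opened in the previous hunk compiles out noexec_setup(), so on a PAGEEXEC kernel `noexec=off` on the command line is silently dropped while `disable_nx` stays declared and is always zero in the `if (cpu_has_nx && !disable_nx)` test here; that is presumably intended, NX being mandatory for PAGEEXEC, but nothing in the file says so. A comment at the `#ifndef`, e.g. `/* noexec= is not honoured with PAX_PAGEEXEC: NX stays enabled whenever the CPU supports it */`, would document the dropped option for anyone debugging a boot line that seems to be ignored. Both hunks in this file are involved, and the `#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)` regions close outside view.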
19998 diff -urNp linux-2.6.38.4/arch/x86/mm/tlb.c linux-2.6.38.4/arch/x86/mm/tlb.c
19999 --- linux-2.6.38.4/arch/x86/mm/tlb.c 2011-03-14 21:20:32.000000000 -0400
20000 +++ linux-2.6.38.4/arch/x86/mm/tlb.c 2011-04-17 15:57:32.000000000 -0400
20002 #include <asm/uv/uv.h>
20004 DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate)
20005 - = { &init_mm, 0, };
20006 + = { &init_mm, 0 };
20009 * Smarter SMP flushing macros.
20010 @@ -65,7 +65,11 @@ void leave_mm(int cpu)
20012 cpumask_clear_cpu(cpu,
20013 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
20015 +#ifndef CONFIG_PAX_PER_CPU_PGD
20016 load_cr3(swapper_pg_dir);
20020 EXPORT_SYMBOL_GPL(leave_mm);
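Review bot: with CONFIG_PAX_PER_CPU_PGD leave_mm() still clears the cpu from mm_cpumask but no longer reloads cr3, so the CPU keeps running on whatever page tables it has and the user half of the mm it just left stays reachable until the next switch; that is only safe if the per-cpu pgd scheme guarantees those user entries are never dereferenced from this CPU again and if the flush IPI that calls leave_mm() does not rely on the cr3 write to discard the stale translations. Neither is visible here, so please add a comment at the `#ifndef`, e.g. `/* PER_CPU_PGD: this cpu runs on its own pgd and the user entries are replaced on the next switch_mm(), so no cr3 reload is needed */`, after confirming the flush side. leave_mm() begins above this hunk.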
20022 diff -urNp linux-2.6.38.4/arch/x86/oprofile/backtrace.c linux-2.6.38.4/arch/x86/oprofile/backtrace.c
20023 --- linux-2.6.38.4/arch/x86/oprofile/backtrace.c 2011-03-14 21:20:32.000000000 -0400
20024 +++ linux-2.6.38.4/arch/x86/oprofile/backtrace.c 2011-04-17 15:57:32.000000000 -0400
20025 @@ -57,7 +57,7 @@ dump_user_backtrace_32(struct stack_fram
20026 struct stack_frame_ia32 *fp;
20028 /* Also check accessibility of one struct frame_head beyond */
20029 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
20030 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
20032 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
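Review bot: the switch from access_ok() to __access_ok() in dump_user_backtrace_32() is unexplained, and the two names differ only in whatever the double-underscore variant skips; presumably access_ok() does extra work in this patch that is not permitted from the NMI/profiling context this runs in, but that is an inference. A one-line comment, e.g. `/* __access_ok: bare range check only, this runs in NMI context and cannot take the extra work access_ok() does here */`, would tell the next reader why the bare variant is required and keep someone from "fixing" it back. The enclosing function begins above this hunk.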
20034 @@ -123,7 +123,7 @@ x86_backtrace(struct pt_regs * const reg
20036 struct stack_frame *head = (struct stack_frame *)frame_pointer(regs);
20038 - if (!user_mode_vm(regs)) {
20039 + if (!user_mode(regs)) {
20040 unsigned long stack = kernel_stack_pointer(regs);
20042 dump_trace(NULL, regs, (unsigned long *)stack,
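Review bot: replacing user_mode_vm() with user_mode() in x86_backtrace() changes the result for VM86 frames, where the CS value does not carry a user RPL and only the VM flag in eflags marks the frame as user mode; unless vm86 is unavailable in this configuration, such a sample would now be classified as a kernel frame and dump_trace() would walk a real-mode stack as kernel memory. If vm86 is indeed disabled under PaX, say so at the call site, e.g. `/* user_mode() suffices: vm86 is not available with PaX */`; otherwise keep user_mode_vm(). The vm86 configuration is not visible from this hunk.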
20043 diff -urNp linux-2.6.38.4/arch/x86/oprofile/op_model_p4.c linux-2.6.38.4/arch/x86/oprofile/op_model_p4.c
20044 --- linux-2.6.38.4/arch/x86/oprofile/op_model_p4.c 2011-03-14 21:20:32.000000000 -0400
20045 +++ linux-2.6.38.4/arch/x86/oprofile/op_model_p4.c 2011-04-17 15:57:32.000000000 -0400
20046 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
20050 -static int inline addr_increment(void)
20051 +static inline int addr_increment(void)
20054 return smp_num_siblings == 2 ? 2 : 1;
20055 diff -urNp linux-2.6.38.4/arch/x86/pci/ce4100.c linux-2.6.38.4/arch/x86/pci/ce4100.c
20056 --- linux-2.6.38.4/arch/x86/pci/ce4100.c 2011-03-14 21:20:32.000000000 -0400
20057 +++ linux-2.6.38.4/arch/x86/pci/ce4100.c 2011-04-17 15:57:32.000000000 -0400
20058 @@ -302,7 +302,7 @@ static int ce4100_conf_write(unsigned in
20059 return pci_direct_conf1.write(seg, bus, devfn, reg, len, value);
20062 -struct pci_raw_ops ce4100_pci_conf = {
20063 +const struct pci_raw_ops ce4100_pci_conf = {
20064 .read = ce4100_conf_read,
20065 .write = ce4100_conf_write,
20067 diff -urNp linux-2.6.38.4/arch/x86/pci/common.c linux-2.6.38.4/arch/x86/pci/common.c
20068 --- linux-2.6.38.4/arch/x86/pci/common.c 2011-03-14 21:20:32.000000000 -0400
20069 +++ linux-2.6.38.4/arch/x86/pci/common.c 2011-04-17 15:57:32.000000000 -0400
20070 @@ -33,8 +33,8 @@ int noioapicreroute = 1;
20071 int pcibios_last_bus = -1;
20072 unsigned long pirq_table_addr;
20073 struct pci_bus *pci_root_bus;
20074 -struct pci_raw_ops *raw_pci_ops;
20075 -struct pci_raw_ops *raw_pci_ext_ops;
20076 +const struct pci_raw_ops *raw_pci_ops;
20077 +const struct pci_raw_ops *raw_pci_ext_ops;
20079 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
20080 int reg, int len, u32 *val)
20081 @@ -423,7 +423,7 @@ static const struct dmi_system_id __devi
20082 DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
20086 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
20089 void __init dmi_check_pciprobe(void)
20090 diff -urNp linux-2.6.38.4/arch/x86/pci/direct.c linux-2.6.38.4/arch/x86/pci/direct.c
20091 --- linux-2.6.38.4/arch/x86/pci/direct.c 2011-03-14 21:20:32.000000000 -0400
20092 +++ linux-2.6.38.4/arch/x86/pci/direct.c 2011-04-17 15:57:32.000000000 -0400
20093 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
20095 #undef PCI_CONF1_ADDRESS
20097 -struct pci_raw_ops pci_direct_conf1 = {
20098 +const struct pci_raw_ops pci_direct_conf1 = {
20099 .read = pci_conf1_read,
20100 .write = pci_conf1_write,
20102 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
20104 #undef PCI_CONF2_ADDRESS
20106 -struct pci_raw_ops pci_direct_conf2 = {
20107 +const struct pci_raw_ops pci_direct_conf2 = {
20108 .read = pci_conf2_read,
20109 .write = pci_conf2_write,
20111 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
20112 * This should be close to trivial, but it isn't, because there are buggy
20113 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
20115 -static int __init pci_sanity_check(struct pci_raw_ops *o)
20116 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
20120 diff -urNp linux-2.6.38.4/arch/x86/pci/fixup.c linux-2.6.38.4/arch/x86/pci/fixup.c
20121 --- linux-2.6.38.4/arch/x86/pci/fixup.c 2011-03-14 21:20:32.000000000 -0400
20122 +++ linux-2.6.38.4/arch/x86/pci/fixup.c 2011-04-17 15:57:32.000000000 -0400
20123 @@ -364,7 +364,7 @@ static const struct dmi_system_id __devi
20124 DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
20128 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
20132 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
20133 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
20137 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
20140 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
20141 diff -urNp linux-2.6.38.4/arch/x86/pci/irq.c linux-2.6.38.4/arch/x86/pci/irq.c
20142 --- linux-2.6.38.4/arch/x86/pci/irq.c 2011-03-14 21:20:32.000000000 -0400
20143 +++ linux-2.6.38.4/arch/x86/pci/irq.c 2011-04-17 15:57:32.000000000 -0400
20144 @@ -542,7 +542,7 @@ static __init int intel_router_probe(str
20145 static struct pci_device_id __initdata pirq_440gx[] = {
20146 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
20147 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
20149 + { PCI_DEVICE(0, 0) }
20152 /* 440GX has a proprietary PIRQ router -- don't use it */
20153 @@ -1115,7 +1115,7 @@ static struct dmi_system_id __initdata p
20154 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
20158 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
20161 void __init pcibios_irq_init(void)
20162 diff -urNp linux-2.6.38.4/arch/x86/pci/mmconfig_32.c linux-2.6.38.4/arch/x86/pci/mmconfig_32.c
20163 --- linux-2.6.38.4/arch/x86/pci/mmconfig_32.c 2011-03-14 21:20:32.000000000 -0400
20164 +++ linux-2.6.38.4/arch/x86/pci/mmconfig_32.c 2011-04-17 15:57:32.000000000 -0400
20165 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
20169 -static struct pci_raw_ops pci_mmcfg = {
20170 +static const struct pci_raw_ops pci_mmcfg = {
20171 .read = pci_mmcfg_read,
20172 .write = pci_mmcfg_write,
20174 diff -urNp linux-2.6.38.4/arch/x86/pci/mmconfig_64.c linux-2.6.38.4/arch/x86/pci/mmconfig_64.c
20175 --- linux-2.6.38.4/arch/x86/pci/mmconfig_64.c 2011-03-14 21:20:32.000000000 -0400
20176 +++ linux-2.6.38.4/arch/x86/pci/mmconfig_64.c 2011-04-17 15:57:32.000000000 -0400
20177 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
20181 -static struct pci_raw_ops pci_mmcfg = {
20182 +static const struct pci_raw_ops pci_mmcfg = {
20183 .read = pci_mmcfg_read,
20184 .write = pci_mmcfg_write,
20186 diff -urNp linux-2.6.38.4/arch/x86/pci/numaq_32.c linux-2.6.38.4/arch/x86/pci/numaq_32.c
20187 --- linux-2.6.38.4/arch/x86/pci/numaq_32.c 2011-03-14 21:20:32.000000000 -0400
20188 +++ linux-2.6.38.4/arch/x86/pci/numaq_32.c 2011-04-17 15:57:32.000000000 -0400
20189 @@ -108,7 +108,7 @@ static int pci_conf1_mq_write(unsigned i
20191 #undef PCI_CONF1_MQ_ADDRESS
20193 -static struct pci_raw_ops pci_direct_conf1_mq = {
20194 +static const struct pci_raw_ops pci_direct_conf1_mq = {
20195 .read = pci_conf1_mq_read,
20196 .write = pci_conf1_mq_write
20198 diff -urNp linux-2.6.38.4/arch/x86/pci/olpc.c linux-2.6.38.4/arch/x86/pci/olpc.c
20199 --- linux-2.6.38.4/arch/x86/pci/olpc.c 2011-03-14 21:20:32.000000000 -0400
20200 +++ linux-2.6.38.4/arch/x86/pci/olpc.c 2011-04-17 15:57:32.000000000 -0400
20201 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
20205 -static struct pci_raw_ops pci_olpc_conf = {
20206 +static const struct pci_raw_ops pci_olpc_conf = {
20207 .read = pci_olpc_read,
20208 .write = pci_olpc_write,
20210 diff -urNp linux-2.6.38.4/arch/x86/pci/pcbios.c linux-2.6.38.4/arch/x86/pci/pcbios.c
20211 --- linux-2.6.38.4/arch/x86/pci/pcbios.c 2011-03-14 21:20:32.000000000 -0400
20212 +++ linux-2.6.38.4/arch/x86/pci/pcbios.c 2011-04-17 15:57:32.000000000 -0400
20213 @@ -79,50 +79,93 @@ union bios32 {
20215 unsigned long address;
20216 unsigned short segment;
20217 -} bios32_indirect = { 0, __KERNEL_CS };
20218 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
20221 * Returns the entry point for the given service, NULL on error
20224 -static unsigned long bios32_service(unsigned long service)
20225 +static unsigned long __devinit bios32_service(unsigned long service)
20227 unsigned char return_code; /* %al */
20228 unsigned long address; /* %ebx */
20229 unsigned long length; /* %ecx */
20230 unsigned long entry; /* %edx */
20231 unsigned long flags;
20232 + struct desc_struct d, *gdt;
20234 local_irq_save(flags);
20235 - __asm__("lcall *(%%edi); cld"
20237 + gdt = get_cpu_gdt_table(smp_processor_id());
20239 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
20240 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
20241 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
20242 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
20244 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
20245 : "=a" (return_code),
20251 - "D" (&bios32_indirect));
20252 + "D" (&bios32_indirect),
20253 + "r"(__PCIBIOS_DS)
20256 + pax_open_kernel();
20257 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
20258 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
20259 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
20260 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
20261 + pax_close_kernel();
20263 local_irq_restore(flags);
20265 switch (return_code) {
20267 - return address + entry;
20268 - case 0x80: /* Not present */
20269 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
20271 - default: /* Shouldn't happen */
20272 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
20273 - service, return_code);
20276 + unsigned char flags;
20278 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
20279 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
20280 + printk(KERN_WARNING "bios32_service: not valid\n");
20283 + address = address + PAGE_OFFSET;
20284 + length += 16UL; /* some BIOSs underreport this... */
20286 + if (length >= 64*1024*1024) {
20287 + length >>= PAGE_SHIFT;
20291 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
20292 + gdt = get_cpu_gdt_table(cpu);
20293 + pack_descriptor(&d, address, length, 0x9b, flags);
20294 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
20295 + pack_descriptor(&d, address, length, 0x93, flags);
20296 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
20300 + case 0x80: /* Not present */
20301 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
20303 + default: /* Shouldn't happen */
20304 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
20305 + service, return_code);
20311 unsigned long address;
20312 unsigned short segment;
20313 -} pci_indirect = { 0, __KERNEL_CS };
20314 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
20316 -static int pci_bios_present;
20317 +static int pci_bios_present __read_only;
20319 static int __devinit check_pcibios(void)
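Review bot: `for (cpu = 0; cpu < NR_CPUS; cpu++)` writes the PCI BIOS code and data descriptors into `get_cpu_gdt_table(cpu)` for every compiled-in CPU slot, including CPUs that are not possible on this machine; if the GDT is per-cpu data, as get_cpu_gdt_table() suggests, those slots have no backing area and the write_gdt_entry() calls land outside any valid GDT. `for_each_possible_cpu(cpu)` is the safe form and still covers every CPU that can come online. Separately, the inner `unsigned char flags;` shadows the outer `unsigned long flags` used by local_irq_save()/local_irq_restore(); it is harmless only because the restore precedes the switch, so a distinct name such as `seg_flags` avoids the trap. The `address >= 0xFFFF0 || length > 0x100000 - address || length <= entry` check is a good addition and deserves a comment naming what it rejects, e.g. `/* service must lie in the first megabyte and entry must be inside it */`.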
20321 @@ -131,11 +174,13 @@ static int __devinit check_pcibios(void)
20322 unsigned long flags, pcibios_entry;
20324 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
20325 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
20326 + pci_indirect.address = pcibios_entry;
20328 local_irq_save(flags);
20330 - "lcall *(%%edi); cld\n\t"
20331 + __asm__("movw %w6, %%ds\n\t"
20332 + "lcall *%%ss:(%%edi); cld\n\t"
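Review bot: `pci_indirect.address = pcibios_entry;` drops the `+ PAGE_OFFSET` the old code added, and the asm now loads %ds with __PCIBIOS_DS and fetches the indirect pointer through `%%ss:`; both only make sense together with the segment bases bios32_service() installs, and none of the call sites say so. A comment at this first use would save every later reader the cross-reference, e.g. `/* entry is an offset within __PCIBIOS_CS (base set by bios32_service); the BIOS wants %ds = __PCIBIOS_DS, so our own data is reached via %ss */`. Since the same three-line prologue is repeated in every BIOS call in this file, a small helper macro or a note on this occurrence pointing the others here would be enough. check_pcibios() continues outside the hunk.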
20338 @@ -144,7 +189,8 @@ static int __devinit check_pcibios(void)
20341 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
20342 - "D" (&pci_indirect)
20343 + "D" (&pci_indirect),
20344 + "r" (__PCIBIOS_DS)
20346 local_irq_restore(flags);
20348 @@ -188,7 +234,10 @@ static int pci_bios_read(unsigned int se
20352 - __asm__("lcall *(%%esi); cld\n\t"
20353 + __asm__("movw %w6, %%ds\n\t"
20354 + "lcall *%%ss:(%%esi); cld\n\t"
20360 @@ -197,7 +246,8 @@ static int pci_bios_read(unsigned int se
20361 : "1" (PCIBIOS_READ_CONFIG_BYTE),
20364 - "S" (&pci_indirect));
20365 + "S" (&pci_indirect),
20366 + "r" (__PCIBIOS_DS));
20368 * Zero-extend the result beyond 8 bits, do not trust the
20369 * BIOS having done it:
20370 @@ -205,7 +255,10 @@ static int pci_bios_read(unsigned int se
20374 - __asm__("lcall *(%%esi); cld\n\t"
20375 + __asm__("movw %w6, %%ds\n\t"
20376 + "lcall *%%ss:(%%esi); cld\n\t"
20382 @@ -214,7 +267,8 @@ static int pci_bios_read(unsigned int se
20383 : "1" (PCIBIOS_READ_CONFIG_WORD),
20386 - "S" (&pci_indirect));
20387 + "S" (&pci_indirect),
20388 + "r" (__PCIBIOS_DS));
20390 * Zero-extend the result beyond 16 bits, do not trust the
20391 * BIOS having done it:
20392 @@ -222,7 +276,10 @@ static int pci_bios_read(unsigned int se
20396 - __asm__("lcall *(%%esi); cld\n\t"
20397 + __asm__("movw %w6, %%ds\n\t"
20398 + "lcall *%%ss:(%%esi); cld\n\t"
20404 @@ -231,7 +288,8 @@ static int pci_bios_read(unsigned int se
20405 : "1" (PCIBIOS_READ_CONFIG_DWORD),
20408 - "S" (&pci_indirect));
20409 + "S" (&pci_indirect),
20410 + "r" (__PCIBIOS_DS));
20414 @@ -254,7 +312,10 @@ static int pci_bios_write(unsigned int s
20418 - __asm__("lcall *(%%esi); cld\n\t"
20419 + __asm__("movw %w6, %%ds\n\t"
20420 + "lcall *%%ss:(%%esi); cld\n\t"
20426 @@ -263,10 +324,14 @@ static int pci_bios_write(unsigned int s
20430 - "S" (&pci_indirect));
20431 + "S" (&pci_indirect),
20432 + "r" (__PCIBIOS_DS));
20435 - __asm__("lcall *(%%esi); cld\n\t"
20436 + __asm__("movw %w6, %%ds\n\t"
20437 + "lcall *%%ss:(%%esi); cld\n\t"
20443 @@ -275,10 +340,14 @@ static int pci_bios_write(unsigned int s
20447 - "S" (&pci_indirect));
20448 + "S" (&pci_indirect),
20449 + "r" (__PCIBIOS_DS));
20452 - __asm__("lcall *(%%esi); cld\n\t"
20453 + __asm__("movw %w6, %%ds\n\t"
20454 + "lcall *%%ss:(%%esi); cld\n\t"
20460 @@ -287,7 +356,8 @@ static int pci_bios_write(unsigned int s
20464 - "S" (&pci_indirect));
20465 + "S" (&pci_indirect),
20466 + "r" (__PCIBIOS_DS));
20470 @@ -301,7 +371,7 @@ static int pci_bios_write(unsigned int s
20471 * Function table for BIOS32 access
20474 -static struct pci_raw_ops pci_bios_access = {
20475 +static const struct pci_raw_ops pci_bios_access = {
20476 .read = pci_bios_read,
20477 .write = pci_bios_write
20479 @@ -310,7 +380,7 @@ static struct pci_raw_ops pci_bios_acces
20480 * Try to find PCI BIOS.
20483 -static struct pci_raw_ops * __devinit pci_find_bios(void)
20484 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
20486 union bios32 *check;
20488 @@ -392,10 +462,13 @@ struct irq_routing_table * pcibios_get_i
20490 DBG("PCI: Fetching IRQ routing table... ");
20491 __asm__("push %%es\n\t"
20492 + "movw %w8, %%ds\n\t"
20495 - "lcall *(%%esi); cld\n\t"
20496 + "lcall *%%ss:(%%esi); cld\n\t"
20503 @@ -406,7 +479,8 @@ struct irq_routing_table * pcibios_get_i
20506 "S" (&pci_indirect),
20509 + "r" (__PCIBIOS_DS)
20511 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
20513 @@ -430,7 +504,10 @@ int pcibios_set_irq_routing(struct pci_d
20517 - __asm__("lcall *(%%esi); cld\n\t"
20518 + __asm__("movw %w5, %%ds\n\t"
20519 + "lcall *%%ss:(%%esi); cld\n\t"
20525 @@ -438,7 +515,8 @@ int pcibios_set_irq_routing(struct pci_d
20526 : "0" (PCIBIOS_SET_PCI_HW_INT),
20527 "b" ((dev->bus->number << 8) | dev->devfn),
20528 "c" ((irq << 8) | (pin + 10)),
20529 - "S" (&pci_indirect));
20530 + "S" (&pci_indirect),
20531 + "r" (__PCIBIOS_DS));
20532 return !(ret & 0xff00);
20534 EXPORT_SYMBOL(pcibios_set_irq_routing);
20535 diff -urNp linux-2.6.38.4/arch/x86/platform/efi/efi_32.c linux-2.6.38.4/arch/x86/platform/efi/efi_32.c
20536 --- linux-2.6.38.4/arch/x86/platform/efi/efi_32.c 2011-03-14 21:20:32.000000000 -0400
20537 +++ linux-2.6.38.4/arch/x86/platform/efi/efi_32.c 2011-04-17 15:57:32.000000000 -0400
20538 @@ -38,70 +38,37 @@
20541 static unsigned long efi_rt_eflags;
20542 -static pgd_t efi_bak_pg_dir_pointer[2];
20543 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
20545 -void efi_call_phys_prelog(void)
20546 +void __init efi_call_phys_prelog(void)
20548 - unsigned long cr4;
20549 - unsigned long temp;
20550 struct desc_ptr gdt_descr;
20552 local_irq_save(efi_rt_eflags);
20555 - * If I don't have PAE, I should just duplicate two entries in page
20556 - * directory. If I have PAE, I just need to duplicate one entry in
20557 - * page directory.
20559 - cr4 = read_cr4_safe();
20561 - if (cr4 & X86_CR4_PAE) {
20562 - efi_bak_pg_dir_pointer[0].pgd =
20563 - swapper_pg_dir[pgd_index(0)].pgd;
20564 - swapper_pg_dir[0].pgd =
20565 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
20567 - efi_bak_pg_dir_pointer[0].pgd =
20568 - swapper_pg_dir[pgd_index(0)].pgd;
20569 - efi_bak_pg_dir_pointer[1].pgd =
20570 - swapper_pg_dir[pgd_index(0x400000)].pgd;
20571 - swapper_pg_dir[pgd_index(0)].pgd =
20572 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
20573 - temp = PAGE_OFFSET + 0x400000;
20574 - swapper_pg_dir[pgd_index(0x400000)].pgd =
20575 - swapper_pg_dir[pgd_index(temp)].pgd;
20577 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
20578 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
20579 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
20582 * After the lock is released, the original page table is restored.
20586 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
20587 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
20588 gdt_descr.size = GDT_SIZE - 1;
20589 load_gdt(&gdt_descr);
20592 -void efi_call_phys_epilog(void)
20593 +void __init efi_call_phys_epilog(void)
20595 - unsigned long cr4;
20596 struct desc_ptr gdt_descr;
20598 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
20599 + gdt_descr.address = get_cpu_gdt_table(0);
20600 gdt_descr.size = GDT_SIZE - 1;
20601 load_gdt(&gdt_descr);
20603 - cr4 = read_cr4_safe();
20605 - if (cr4 & X86_CR4_PAE) {
20606 - swapper_pg_dir[pgd_index(0)].pgd =
20607 - efi_bak_pg_dir_pointer[0].pgd;
20609 - swapper_pg_dir[pgd_index(0)].pgd =
20610 - efi_bak_pg_dir_pointer[0].pgd;
20611 - swapper_pg_dir[pgd_index(0x400000)].pgd =
20612 - efi_bak_pg_dir_pointer[1].pgd;
20614 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
20617 * After the lock is released, the original page table is restored.
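Review bot: The two `clone_pgd_range()` calls at 20577-20579 carry no comment, while the block comment they replace explained the PAE vs. non-PAE duplication; the new scheme (back up the whole kernel pgd range, then copy the kernel half down over the low entries, bounded by `min_t`) deserves one line, e.g. `/* back up all kernel pgd entries, then alias the kernel mapping at the low pgd slots so the EFI call can run with paging off */`. Marking `efi_bak_pg_dir_pointer` `__initdata` and both functions `__init` at 20543, 20546 and 20593 is only safe if every caller of the physical-mode EFI path is itself init-only; the callers are outside this hunk, so that should be confirmed. The cast at 20587 stores a physical address in a pointer-typed field, which presumably follows a change to `struct desc_ptr` elsewhere in the patch; a short comment there would stop it reading like a bug.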
20618 diff -urNp linux-2.6.38.4/arch/x86/platform/efi/efi_stub_32.S linux-2.6.38.4/arch/x86/platform/efi/efi_stub_32.S
20619 --- linux-2.6.38.4/arch/x86/platform/efi/efi_stub_32.S 2011-03-14 21:20:32.000000000 -0400
20620 +++ linux-2.6.38.4/arch/x86/platform/efi/efi_stub_32.S 2011-04-17 15:57:32.000000000 -0400
20624 #include <linux/linkage.h>
20625 +#include <linux/init.h>
20626 #include <asm/page_types.h>
20630 * service functions will comply with gcc calling convention, too.
20635 ENTRY(efi_call_phys)
20637 * 0. The function can only be called in Linux kernel. So CS has been
20638 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
20639 * The mapping of lower virtual memory has been created in prelog and
20643 - subl $__PAGE_OFFSET, %edx
20645 + jmp 1f-__PAGE_OFFSET
20649 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
20650 * parameter 2, ..., param n. To make things easy, we save the return
20651 * address of efi_call_phys in a global variable.
20654 - movl %edx, saved_return_addr
20655 - /* get the function pointer into ECX*/
20657 - movl %ecx, efi_rt_function_ptr
20659 - subl $__PAGE_OFFSET, %edx
20661 + popl (saved_return_addr)
20662 + popl (efi_rt_function_ptr)
20665 * 3. Clear PG bit in %CR0.
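Review bot: The `popl (saved_return_addr)` / `popl (efi_rt_function_ptr)` pair at 20661-20662 writes the two globals through their virtual addresses (paging is still enabled until step 3 at 20665), while step 5 at 20671 reads `efi_rt_function_ptr` back through `-__PAGE_OFFSET` with paging off; this dual-address invariant is what makes the rewrite work and is nowhere stated. A comment above the pops, e.g. `/* paging still on: store via the virtual address; step 5 reads it back at its physical address (-__PAGE_OFFSET) once PG is cleared */`, would make it explicit. The variables remain single global slots as before, so the existing non-reentrancy of efi_call_phys is unchanged by this rewrite.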
20666 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
20668 * 5. Call the physical function.
20671 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
20675 * 6. After EFI runtime service returns, control will return to
20676 * following instruction. We'd better readjust stack pointer first.
20677 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
20679 orl $0x80000000, %edx
20685 * 8. Now restore the virtual mode from flat mode by
20686 * adding EIP with PAGE_OFFSET.
20690 + jmp 1f+__PAGE_OFFSET
20694 * 9. Balance the stack. And because EAX contain the return value,
20695 * we'd better not clobber it.
20697 - leal efi_rt_function_ptr, %edx
20698 - movl (%edx), %ecx
20700 + pushl (efi_rt_function_ptr)
20703 - * 10. Push the saved return address onto the stack and return.
20704 + * 10. Return to the saved return address.
20706 - leal saved_return_addr, %edx
20707 - movl (%edx), %ecx
20710 + jmpl *(saved_return_addr)
20711 ENDPROC(efi_call_phys)
20718 efi_rt_function_ptr:
20719 diff -urNp linux-2.6.38.4/arch/x86/power/cpu.c linux-2.6.38.4/arch/x86/power/cpu.c
20720 --- linux-2.6.38.4/arch/x86/power/cpu.c 2011-03-14 21:20:32.000000000 -0400
20721 +++ linux-2.6.38.4/arch/x86/power/cpu.c 2011-04-17 15:57:32.000000000 -0400
20722 @@ -130,7 +130,7 @@ static void do_fpu_end(void)
20723 static void fix_processor_context(void)
20725 int cpu = smp_processor_id();
20726 - struct tss_struct *t = &per_cpu(init_tss, cpu);
20727 + struct tss_struct *t = init_tss + cpu;
20729 set_tss_desc(cpu, t); /*
20730 * This just modifies memory; should not be
20731 @@ -140,7 +140,9 @@ static void fix_processor_context(void)
20734 #ifdef CONFIG_X86_64
20735 + pax_open_kernel();
20736 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
20737 + pax_close_kernel();
20739 syscall_init(); /* This sets MSR_*STAR and related */
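Review bot: The `pax_open_kernel()`/`pax_close_kernel()` window around the TSS descriptor type write at 20735-20737 has no comment saying why the write needs it; presumably the GDT is write-protected with the rest of kernel data under this patch, in which case `/* the GDT is read-only: open a write window to reset the TSS descriptor type to 9 (available TSS) after resume */` would help the next reader. The helpers are defined outside this hunk, so the stated reason should be checked against their definition. `fix_processor_context` itself begins in the previous hunk.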
20741 diff -urNp linux-2.6.38.4/arch/x86/vdso/Makefile linux-2.6.38.4/arch/x86/vdso/Makefile
20742 --- linux-2.6.38.4/arch/x86/vdso/Makefile 2011-03-14 21:20:32.000000000 -0400
20743 +++ linux-2.6.38.4/arch/x86/vdso/Makefile 2011-04-17 15:57:32.000000000 -0400
20744 @@ -123,7 +123,7 @@ quiet_cmd_vdso = VDSO $@
20745 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
20746 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
20748 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
20749 +VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
20753 diff -urNp linux-2.6.38.4/arch/x86/vdso/vclock_gettime.c linux-2.6.38.4/arch/x86/vdso/vclock_gettime.c
20754 --- linux-2.6.38.4/arch/x86/vdso/vclock_gettime.c 2011-03-14 21:20:32.000000000 -0400
20755 +++ linux-2.6.38.4/arch/x86/vdso/vclock_gettime.c 2011-04-17 15:57:32.000000000 -0400
20756 @@ -22,24 +22,48 @@
20757 #include <asm/hpet.h>
20758 #include <asm/unistd.h>
20759 #include <asm/io.h>
20760 +#include <asm/fixmap.h>
20761 #include "vextern.h"
20763 #define gtod vdso_vsyscall_gtod_data
20765 +notrace noinline long __vdso_fallback_time(long *t)
20768 + asm volatile("syscall"
20770 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
20774 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
20777 asm("syscall" : "=a" (ret) :
20778 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
20779 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
20783 +notrace static inline cycle_t __vdso_vread_hpet(void)
20785 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
20788 +notrace static inline cycle_t __vdso_vread_tsc(void)
20790 + cycle_t ret = (cycle_t)vget_cycles();
20792 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
20795 notrace static inline long vgetns(void)
20798 - cycles_t (*vread)(void);
20799 - vread = gtod->clock.vread;
20800 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
20801 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
20802 + v = __vdso_vread_tsc();
20804 + v = __vdso_vread_hpet();
20805 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
20806 return (v * gtod->clock.mult) >> gtod->clock.shift;
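Review bot: The byte-by-byte clock-name test introduced at 20801 is repeated verbatim, together with an hpet variant, at 20815-20816 and 20837-20838 in the later hunks; since the vDSO cannot call the kernel's strcmp, the three copies should share two `static inline` helpers rather than multi-line boolean expressions. Separately, `__vdso_vread_tsc` at 20788-20792 issues `vget_cycles()` with no barrier around it; if the `gtod->clock.vread` it replaces serialised the TSC read, dropping that can let a timestamp travel backwards, so please confirm against the original vread_tsc, which is outside this hunk. The context line at 20819 still tests `gtod->clock.vread`, which is now redundant with the name check and could be dropped for consistency.
```c
/* The vDSO cannot call into the kernel, so compare the clocksource name
 * by hand.  Both helpers read only the shared gtod page. */
notrace static inline int __vdso_clock_is_tsc(void)
{
	const char *name = gtod->clock.name;

	return name[0] == 't' && name[1] == 's' && name[2] == 'c' && !name[3];
}

notrace static inline int __vdso_clock_is_hpet(void)
{
	const char *name = gtod->clock.name;

	return name[0] == 'h' && name[1] == 'p' && name[2] == 'e' &&
	       name[3] == 't' && !name[4];
}

notrace static inline long vgetns(void)
{
	/* … unchanged: declarations … */
	if (__vdso_clock_is_tsc())
		v = __vdso_vread_tsc();
	else
		v = __vdso_vread_hpet();
	/* … unchanged: mask, scale by mult/shift … */
}

/* at 20813-20816 and 20836-20838 */
	if (likely(gtod->sysctl_enabled &&
		   (__vdso_clock_is_hpet() || __vdso_clock_is_tsc())))
```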
20809 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
20811 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
20813 - if (likely(gtod->sysctl_enabled))
20814 + if (likely(gtod->sysctl_enabled &&
20815 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20816 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20818 case CLOCK_REALTIME:
20819 if (likely(gtod->clock.vread))
20820 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
20821 int clock_gettime(clockid_t, struct timespec *)
20822 __attribute__((weak, alias("__vdso_clock_gettime")));
20824 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20825 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
20828 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
20829 + asm("syscall" : "=a" (ret) :
20830 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
20834 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20836 + if (likely(gtod->sysctl_enabled &&
20837 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20838 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20840 if (likely(tv != NULL)) {
20841 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
20842 offsetof(struct timespec, tv_nsec) ||
20843 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
20847 - asm("syscall" : "=a" (ret) :
20848 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
20850 + return __vdso_fallback_gettimeofday(tv, tz);
20852 int gettimeofday(struct timeval *, struct timezone *)
20853 __attribute__((weak, alias("__vdso_gettimeofday")));
20854 diff -urNp linux-2.6.38.4/arch/x86/vdso/vdso32-setup.c linux-2.6.38.4/arch/x86/vdso/vdso32-setup.c
20855 --- linux-2.6.38.4/arch/x86/vdso/vdso32-setup.c 2011-03-14 21:20:32.000000000 -0400
20856 +++ linux-2.6.38.4/arch/x86/vdso/vdso32-setup.c 2011-04-17 15:57:32.000000000 -0400
20858 #include <asm/tlbflush.h>
20859 #include <asm/vdso.h>
20860 #include <asm/proto.h>
20861 +#include <asm/mman.h>
20865 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
20866 void enable_sep_cpu(void)
20868 int cpu = get_cpu();
20869 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
20870 + struct tss_struct *tss = init_tss + cpu;
20872 if (!boot_cpu_has(X86_FEATURE_SEP)) {
20874 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
20875 gate_vma.vm_start = FIXADDR_USER_START;
20876 gate_vma.vm_end = FIXADDR_USER_END;
20877 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
20878 - gate_vma.vm_page_prot = __P101;
20879 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
20881 * Make sure the vDSO gets into every core dump.
20882 * Dumping its contents makes post-mortem fully interpretable later
20883 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
20885 addr = VDSO_HIGH_BASE;
20887 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
20888 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
20889 if (IS_ERR_VALUE(addr)) {
20895 - current->mm->context.vdso = (void *)addr;
20896 + current->mm->context.vdso = addr;
20898 if (compat_uses_vma || !compat) {
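Review bot: The new `MAP_EXECUTABLE` flag passed to `get_unmapped_area()` at 20888 is the only signal that the compat vDSO placement must land in an executable range, and nothing says so; a comment such as `/* the vDSO is executed from userspace: let the arch layout pick an exec-capable range */` (which also explains why `<asm/mman.h>` was pulled in at 20861) would help. The `(void *)addr` → `addr` change at 20896, the `NULL` → `0` at 20910 in the next hunk and the matching edits in vma.c at 20979/20988 follow from `mm->context.vdso` presumably becoming an integer in a header outside this hunk; a comment at that field would keep someone from reintroducing the cast. `arch_setup_additional_pages` starts before this hunk and continues after it.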
20900 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
20903 current_thread_info()->sysenter_return =
20904 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20905 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20909 - current->mm->context.vdso = NULL;
20910 + current->mm->context.vdso = 0;
20912 up_write(&mm->mmap_sem);
20914 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
20916 const char *arch_vma_name(struct vm_area_struct *vma)
20918 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
20919 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
20922 +#ifdef CONFIG_PAX_SEGMEXEC
20923 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
20930 @@ -422,7 +429,7 @@ struct vm_area_struct *get_gate_vma(stru
20931 struct mm_struct *mm = tsk->mm;
20933 /* Check to see if this task was created in compat vdso mode */
20934 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
20935 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
20939 diff -urNp linux-2.6.38.4/arch/x86/vdso/vdso.lds.S linux-2.6.38.4/arch/x86/vdso/vdso.lds.S
20940 --- linux-2.6.38.4/arch/x86/vdso/vdso.lds.S 2011-03-14 21:20:32.000000000 -0400
20941 +++ linux-2.6.38.4/arch/x86/vdso/vdso.lds.S 2011-04-17 15:57:32.000000000 -0400
20942 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
20943 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
20944 #include "vextern.h"
20947 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
20948 +VEXTERN(fallback_gettimeofday)
20949 +VEXTERN(fallback_time)
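Review bot: `VEXTERN` is defined at 20943 as `VDSO64_ ## x = vdso_ ## x;` and redefined at 20947 with `__vdso_ ## x`; a redefinition with a different replacement list draws a preprocessor warning on every vDSO build unless an `#undef VEXTERN` sits between them, and none is visible (20945-20946 are not shown here). Add `#undef VEXTERN` before the new definition if it is not already there. A one-line comment, `/* the fallback entry points live in the vDSO itself, hence the __vdso_ prefix */`, would also say why a second VEXTERN form exists.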
20952 diff -urNp linux-2.6.38.4/arch/x86/vdso/vextern.h linux-2.6.38.4/arch/x86/vdso/vextern.h
20953 --- linux-2.6.38.4/arch/x86/vdso/vextern.h 2011-03-14 21:20:32.000000000 -0400
20954 +++ linux-2.6.38.4/arch/x86/vdso/vextern.h 2011-04-17 15:57:32.000000000 -0400
20956 put into vextern.h and be referenced as a pointer with vdso prefix.
20957 The main kernel later fills in the values. */
20960 VEXTERN(vgetcpu_mode)
20961 VEXTERN(vsyscall_gtod_data)
20962 diff -urNp linux-2.6.38.4/arch/x86/vdso/vma.c linux-2.6.38.4/arch/x86/vdso/vma.c
20963 --- linux-2.6.38.4/arch/x86/vdso/vma.c 2011-03-14 21:20:32.000000000 -0400
20964 +++ linux-2.6.38.4/arch/x86/vdso/vma.c 2011-04-17 15:57:32.000000000 -0400
20965 @@ -58,7 +58,7 @@ static int __init init_vdso_vars(void)
20969 - if (memcmp(vbase, "\177ELF", 4)) {
20970 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
20971 printk("VDSO: I'm broken; not ELF\n");
20974 @@ -118,7 +118,7 @@ int arch_setup_additional_pages(struct l
20978 - current->mm->context.vdso = (void *)addr;
20979 + current->mm->context.vdso = addr;
20981 ret = install_special_mapping(mm, addr, vdso_size,
20983 @@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
20987 - current->mm->context.vdso = NULL;
20988 + current->mm->context.vdso = 0;
20992 @@ -134,10 +134,3 @@ up_fail:
20993 up_write(&mm->mmap_sem);
20997 -static __init int vdso_setup(char *s)
20999 - vdso_enabled = simple_strtoul(s, NULL, 0);
21002 -__setup("vdso=", vdso_setup);
21003 diff -urNp linux-2.6.38.4/arch/x86/xen/enlighten.c linux-2.6.38.4/arch/x86/xen/enlighten.c
21004 --- linux-2.6.38.4/arch/x86/xen/enlighten.c 2011-03-14 21:20:32.000000000 -0400
21005 +++ linux-2.6.38.4/arch/x86/xen/enlighten.c 2011-04-17 15:57:32.000000000 -0400
21006 @@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
21008 struct shared_info xen_dummy_shared_info;
21010 -void *xen_initial_gdt;
21012 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
21013 __read_mostly int xen_have_vector_callback;
21014 EXPORT_SYMBOL_GPL(xen_have_vector_callback);
21015 @@ -1134,7 +1132,17 @@ asmlinkage void __init xen_start_kernel(
21016 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
21018 /* Work out if we support NX */
21019 - x86_configure_nx();
21020 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
21021 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
21022 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
21025 + __supported_pte_mask |= _PAGE_NX;
21026 + rdmsr(MSR_EFER, l, h);
21028 + wrmsr(MSR_EFER, l, h);
21032 xen_setup_features();
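Review bot: The open-coded NX probe at 21021-21028 replaces `x86_configure_nx()` without a comment saying why the generic helper cannot be used here; a one-liner such as `/* probe NX via CPUID and set EFER.NX ourselves because <reason> */` with the reason filled in would help. The `wrmsr(MSR_EFER, l, h)` at 21028 runs in a PV guest where MSR accesses go through the paravirt msr ops; whether the hypervisor honours an EFER write from the guest is not visible from this hunk and is worth confirming, since `__supported_pte_mask |= _PAGE_NX` at 21025 has already been applied by the time the write happens. The declarations of `l` and `h` and the EFER bit update between 21026 and 21028 are on lines not shown in this rendering; `xen_start_kernel` begins and ends outside the hunk.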
21034 @@ -1165,13 +1173,6 @@ asmlinkage void __init xen_start_kernel(
21036 machine_ops = xen_machine_ops;
21039 - * The only reliable way to retain the initial address of the
21040 - * percpu gdt_page is to remember it here, so we can go and
21041 - * mark it RW later, when the initial percpu area is freed.
21043 - xen_initial_gdt = &per_cpu(gdt_page, 0);
21047 #ifdef CONFIG_ACPI_NUMA
21048 diff -urNp linux-2.6.38.4/arch/x86/xen/mmu.c linux-2.6.38.4/arch/x86/xen/mmu.c
21049 --- linux-2.6.38.4/arch/x86/xen/mmu.c 2011-04-18 17:27:16.000000000 -0400
21050 +++ linux-2.6.38.4/arch/x86/xen/mmu.c 2011-04-17 15:57:32.000000000 -0400
21051 @@ -1721,6 +1721,8 @@ __init pgd_t *xen_setup_kernel_pagetable
21052 convert_pfn_mfn(init_level4_pgt);
21053 convert_pfn_mfn(level3_ident_pgt);
21054 convert_pfn_mfn(level3_kernel_pgt);
21055 + convert_pfn_mfn(level3_vmalloc_pgt);
21056 + convert_pfn_mfn(level3_vmemmap_pgt);
21058 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
21059 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
21060 @@ -1739,7 +1741,10 @@ __init pgd_t *xen_setup_kernel_pagetable
21061 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
21062 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
21063 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
21064 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
21065 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
21066 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
21067 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
21068 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
21069 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
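Review bot: `level2_vmemmap_pgt` is made read-only at 21067 but, unlike `level3_vmalloc_pgt` and `level3_vmemmap_pgt` at 21055-21056, is never passed to `convert_pfn_mfn()` in the previous hunk; if that table is pre-populated with pfn-based entries (its definition is outside this diff) it needs the same conversion, and if it is empty at this point a one-line comment, `/* level2_vmemmap_pgt holds no pre-built entries, so no pfn->mfn conversion is needed */`, would make the asymmetry intentional. `xen_setup_kernel_pagetable` starts and ends outside both hunks.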
21071 diff -urNp linux-2.6.38.4/arch/x86/xen/pci-swiotlb-xen.c linux-2.6.38.4/arch/x86/xen/pci-swiotlb-xen.c
21072 --- linux-2.6.38.4/arch/x86/xen/pci-swiotlb-xen.c 2011-03-14 21:20:32.000000000 -0400
21073 +++ linux-2.6.38.4/arch/x86/xen/pci-swiotlb-xen.c 2011-04-17 15:57:32.000000000 -0400
21076 int xen_swiotlb __read_mostly;
21078 -static struct dma_map_ops xen_swiotlb_dma_ops = {
21079 +static const struct dma_map_ops xen_swiotlb_dma_ops = {
21080 .mapping_error = xen_swiotlb_dma_mapping_error,
21081 .alloc_coherent = xen_swiotlb_alloc_coherent,
21082 .free_coherent = xen_swiotlb_free_coherent,
21083 diff -urNp linux-2.6.38.4/arch/x86/xen/smp.c linux-2.6.38.4/arch/x86/xen/smp.c
21084 --- linux-2.6.38.4/arch/x86/xen/smp.c 2011-03-14 21:20:32.000000000 -0400
21085 +++ linux-2.6.38.4/arch/x86/xen/smp.c 2011-04-17 15:57:32.000000000 -0400
21086 @@ -194,11 +194,6 @@ static void __init xen_smp_prepare_boot_
21088 BUG_ON(smp_processor_id() != 0);
21089 native_smp_prepare_boot_cpu();
21091 - /* We've switched to the "real" per-cpu gdt, so make sure the
21092 - old memory can be recycled */
21093 - make_lowmem_page_readwrite(xen_initial_gdt);
21095 xen_filter_cpu_maps();
21096 xen_setup_vcpu_info_placement();
21098 @@ -259,12 +254,12 @@ cpu_initialize_context(unsigned int cpu,
21099 gdt = get_cpu_gdt_table(cpu);
21101 ctxt->flags = VGCF_IN_KERNEL;
21102 - ctxt->user_regs.ds = __USER_DS;
21103 - ctxt->user_regs.es = __USER_DS;
21104 + ctxt->user_regs.ds = __KERNEL_DS;
21105 + ctxt->user_regs.es = __KERNEL_DS;
21106 ctxt->user_regs.ss = __KERNEL_DS;
21107 #ifdef CONFIG_X86_32
21108 ctxt->user_regs.fs = __KERNEL_PERCPU;
21109 - ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
21110 + savesegment(gs, ctxt->user_regs.gs);
21112 ctxt->gs_base_kernel = per_cpu_offset(cpu);
21114 @@ -315,13 +310,12 @@ static int __cpuinit xen_cpu_up(unsigned
21117 per_cpu(current_task, cpu) = idle;
21118 + per_cpu(current_tinfo, cpu) = &idle->tinfo;
21119 #ifdef CONFIG_X86_32
21122 clear_tsk_thread_flag(idle, TIF_FORK);
21123 - per_cpu(kernel_stack, cpu) =
21124 - (unsigned long)task_stack_page(idle) -
21125 - KERNEL_STACK_OFFSET + THREAD_SIZE;
21126 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 8 + THREAD_SIZE;
21128 xen_setup_runstate_info(cpu);
21129 xen_setup_timer(cpu);
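Review bot: The literal `8` at 21126 replaces the named `KERNEL_STACK_OFFSET` used by the old code at 21125, so the value now has to agree by coincidence with whatever the native CPU bring-up path stores in the same per-cpu `kernel_stack` variable; if the offset really changed under this patch, express it through the symbol (or a new named constant) rather than a magic number, e.g. `per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - KERNEL_STACK_OFFSET + THREAD_SIZE;`, and keep the line wrapped as the original was. In the previous hunk, `savesegment(gs, ctxt->user_regs.gs)` at 21110 copies the live %gs of the CPU running `cpu_initialize_context` instead of the fixed `__KERNEL_STACK_CANARY` selector; a comment stating why the live value is the right initial one for the new vCPU would help. `xen_cpu_up` begins before this hunk.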
21130 diff -urNp linux-2.6.38.4/arch/x86/xen/xen-asm_32.S linux-2.6.38.4/arch/x86/xen/xen-asm_32.S
21131 --- linux-2.6.38.4/arch/x86/xen/xen-asm_32.S 2011-03-14 21:20:32.000000000 -0400
21132 +++ linux-2.6.38.4/arch/x86/xen/xen-asm_32.S 2011-04-22 19:11:04.000000000 -0400
21133 @@ -83,14 +83,14 @@ ENTRY(xen_iret)
21134 ESP_OFFSET=4 # bytes pushed onto stack
21137 - * Store vcpu_info pointer for easy access. Do it this way to
21138 - * avoid having to reload %fs
21139 + * Store vcpu_info pointer for easy access.
21142 - GET_THREAD_INFO(%eax)
21143 - movl TI_cpu(%eax), %eax
21144 - movl __per_cpu_offset(,%eax,4), %eax
21145 - mov xen_vcpu(%eax), %eax
21147 + mov $(__KERNEL_PERCPU), %eax
21149 + mov PER_CPU_VAR(xen_vcpu), %eax
21152 movl xen_vcpu, %eax
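Review bot: The new sequence at 21147-21149 loads `__KERNEL_PERCPU` into %eax and then reads `PER_CPU_VAR(xen_vcpu)`, which addresses through %fs, so it relies on %fs being (re)loaded with the kernel per-cpu selector at this point — the instruction between the two visible lines is not shown here — whereas the comment it replaces said the old code was written precisely to avoid reloading %fs. xen_iret is on the return-to-user path, so if the user segment registers have already been restored when this runs, a reload of %fs would be visible to userspace unless the user value is put back afterwards; the surrounding entry code is outside this hunk, so please confirm and state the invariant in the trimmed comment, e.g. `# %fs must hold the kernel per-cpu selector here; user segments are reloaded later`.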
21154 diff -urNp linux-2.6.38.4/arch/x86/xen/xen-head.S linux-2.6.38.4/arch/x86/xen/xen-head.S
21155 --- linux-2.6.38.4/arch/x86/xen/xen-head.S 2011-03-14 21:20:32.000000000 -0400
21156 +++ linux-2.6.38.4/arch/x86/xen/xen-head.S 2011-04-17 15:57:32.000000000 -0400
21157 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
21158 #ifdef CONFIG_X86_32
21159 mov %esi,xen_start_info
21160 mov $init_thread_union+THREAD_SIZE,%esp
21162 + movl $cpu_gdt_table,%edi
21163 + movl $__per_cpu_load,%eax
21164 + movw %ax,__KERNEL_PERCPU + 2(%edi)
21166 + movb %al,__KERNEL_PERCPU + 4(%edi)
21167 + movb %ah,__KERNEL_PERCPU + 7(%edi)
21168 + movl $__per_cpu_end - 1,%eax
21169 + subl $__per_cpu_start,%eax
21170 + movw %ax,__KERNEL_PERCPU + 0(%edi)
21173 mov %rsi,xen_start_info
21174 mov $init_thread_union+THREAD_SIZE,%rsp
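Review bot: The GDT fix-up at 21162-21170 hand-writes only the base and the low 16 bits of the limit of the `__KERNEL_PERCPU` descriptor; the limit's upper four bits and the granularity flag in descriptor byte 6 are untouched, so the code is correct only if `cpu_gdt_table` already carries the right values there, which deserves a comment, e.g. `# only base and limit[15:0] are patched; limit[19:16]/G in byte 6 come from the static cpu_gdt_table entry`. The same instruction sequence exists in the native 32-bit boot code, so a shared assembler macro would keep the two copies from drifting apart. The instruction between 21164 and 21166 (presumably the shift that moves the base's upper half into %al/%ah) is not shown in this rendering.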
21175 diff -urNp linux-2.6.38.4/arch/x86/xen/xen-ops.h linux-2.6.38.4/arch/x86/xen/xen-ops.h
21176 --- linux-2.6.38.4/arch/x86/xen/xen-ops.h 2011-03-14 21:20:32.000000000 -0400
21177 +++ linux-2.6.38.4/arch/x86/xen/xen-ops.h 2011-04-17 15:57:32.000000000 -0400
21179 extern const char xen_hypervisor_callback[];
21180 extern const char xen_failsafe_callback[];
21182 -extern void *xen_initial_gdt;
21185 void xen_copy_trap_info(struct trap_info *traps);
21187 diff -urNp linux-2.6.38.4/block/blk-iopoll.c linux-2.6.38.4/block/blk-iopoll.c
21188 --- linux-2.6.38.4/block/blk-iopoll.c 2011-03-14 21:20:32.000000000 -0400
21189 +++ linux-2.6.38.4/block/blk-iopoll.c 2011-04-17 15:57:32.000000000 -0400
21190 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
21192 EXPORT_SYMBOL(blk_iopoll_complete);
21194 -static void blk_iopoll_softirq(struct softirq_action *h)
21195 +static void blk_iopoll_softirq(void)
21197 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
21198 int rearm = 0, budget = blk_iopoll_budget;
21199 diff -urNp linux-2.6.38.4/block/blk-map.c linux-2.6.38.4/block/blk-map.c
21200 --- linux-2.6.38.4/block/blk-map.c 2011-03-14 21:20:32.000000000 -0400
21201 +++ linux-2.6.38.4/block/blk-map.c 2011-04-17 15:57:32.000000000 -0400
21202 @@ -301,7 +301,7 @@ int blk_rq_map_kern(struct request_queue
21206 - do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
21207 + do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf);
21209 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
21211 diff -urNp linux-2.6.38.4/block/blk-softirq.c linux-2.6.38.4/block/blk-softirq.c
21212 --- linux-2.6.38.4/block/blk-softirq.c 2011-03-14 21:20:32.000000000 -0400
21213 +++ linux-2.6.38.4/block/blk-softirq.c 2011-04-17 15:57:32.000000000 -0400
21214 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
21215 * Softirq action handler - move entries to local list and loop over them
21216 * while passing them to the queue registered handler.
21218 -static void blk_done_softirq(struct softirq_action *h)
21219 +static void blk_done_softirq(void)
21221 struct list_head *cpu_list, local_list;
21223 diff -urNp linux-2.6.38.4/block/bsg.c linux-2.6.38.4/block/bsg.c
21224 --- linux-2.6.38.4/block/bsg.c 2011-03-14 21:20:32.000000000 -0400
21225 +++ linux-2.6.38.4/block/bsg.c 2011-04-17 15:57:32.000000000 -0400
21226 @@ -176,16 +176,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
21227 struct sg_io_v4 *hdr, struct bsg_device *bd,
21228 fmode_t has_write_perm)
21230 + unsigned char tmpcmd[sizeof(rq->__cmd)];
21231 + unsigned char *cmdptr;
21233 if (hdr->request_len > BLK_MAX_CDB) {
21234 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
21238 + cmdptr = rq->cmd;
21242 - if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request,
21243 + if (copy_from_user(cmdptr, (void *)(unsigned long)hdr->request,
21247 + if (cmdptr != rq->cmd)
21248 + memcpy(rq->cmd, cmdptr, hdr->request_len);
21250 if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
21251 if (blk_verify_command(rq->cmd, has_write_perm))
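Review bot: The stack bounce buffer introduced at 21230-21248 is duplicated almost verbatim in scsi_ioctl.c at 21261-21273 and 21282-21302; the three copies should become one helper in a shared block header so the bound and the copy-back stay identical. In every copy `tmpcmd` is `sizeof(rq->__cmd)` bytes, so the length handed to `copy_from_user` must already be bounded by `BLK_MAX_CDB` — here the `hdr->request_len > BLK_MAX_CDB` branch at 21233 guarantees it, but in the scsi_ioctl.c copies the bound is established outside the hunk, and the helper should document that precondition. Nothing says why the bounce is needed at all; presumably `copy_from_user` must not target the inline `rq->__cmd` member directly under this patch, and that reason belongs in the helper's comment. `blk_fill_sgv4_hdr_rq` continues past this hunk.
```c
/*
 * Copy a len-byte CDB from user space into rq->cmd.  When rq->cmd is the
 * inline rq->__cmd array the data is bounced through a stack buffer first
 * (<state the reason here>).  Caller guarantees len <= BLK_MAX_CDB.
 */
static inline int blk_rq_copy_cmd_from_user(struct request *rq,
					    const void __user *ucmd,
					    unsigned int len)
{
	unsigned char tmpcmd[sizeof(rq->__cmd)];
	unsigned char *cmdptr = (rq->cmd != rq->__cmd) ? rq->cmd : tmpcmd;

	if (copy_from_user(cmdptr, ucmd, len))
		return -EFAULT;
	if (cmdptr != rq->cmd)
		memcpy(rq->cmd, cmdptr, len);
	return 0;
}

/* … in blk_fill_sgv4_hdr_rq, replacing 21230-21248 … */
	if (blk_rq_copy_cmd_from_user(rq,
				      (const void __user *)(unsigned long)hdr->request,
				      hdr->request_len))
		return -EFAULT;
```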
21253 diff -urNp linux-2.6.38.4/block/scsi_ioctl.c linux-2.6.38.4/block/scsi_ioctl.c
21254 --- linux-2.6.38.4/block/scsi_ioctl.c 2011-03-14 21:20:32.000000000 -0400
21255 +++ linux-2.6.38.4/block/scsi_ioctl.c 2011-04-17 15:57:32.000000000 -0400
21256 @@ -222,8 +222,20 @@ EXPORT_SYMBOL(blk_verify_command);
21257 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
21258 struct sg_io_hdr *hdr, fmode_t mode)
21260 - if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
21261 + unsigned char tmpcmd[sizeof(rq->__cmd)];
21262 + unsigned char *cmdptr;
21264 + if (rq->cmd != rq->__cmd)
21265 + cmdptr = rq->cmd;
21269 + if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
21272 + if (cmdptr != rq->cmd)
21273 + memcpy(rq->cmd, cmdptr, hdr->cmd_len);
21275 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
21278 @@ -432,6 +444,8 @@ int sg_scsi_ioctl(struct request_queue *
21280 unsigned int in_len, out_len, bytes, opcode, cmdlen;
21281 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
21282 + unsigned char tmpcmd[sizeof(rq->__cmd)];
21283 + unsigned char *cmdptr;
21287 @@ -465,9 +479,18 @@ int sg_scsi_ioctl(struct request_queue *
21290 rq->cmd_len = cmdlen;
21291 - if (copy_from_user(rq->cmd, sic->data, cmdlen))
21293 + if (rq->cmd != rq->__cmd)
21294 + cmdptr = rq->cmd;
21298 + if (copy_from_user(cmdptr, sic->data, cmdlen))
21301 + if (rq->cmd != cmdptr)
21302 + memcpy(rq->cmd, cmdptr, cmdlen);
21304 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
21307 diff -urNp linux-2.6.38.4/crypto/lrw.c linux-2.6.38.4/crypto/lrw.c
21308 --- linux-2.6.38.4/crypto/lrw.c 2011-03-14 21:20:32.000000000 -0400
21309 +++ linux-2.6.38.4/crypto/lrw.c 2011-04-17 15:57:32.000000000 -0400
21310 @@ -60,7 +60,7 @@ static int setkey(struct crypto_tfm *par
21311 struct priv *ctx = crypto_tfm_ctx(parent);
21312 struct crypto_cipher *child = ctx->child;
21314 - be128 tmp = { 0 };
21315 + be128 tmp = { 0, 0 };
21316 int bsize = crypto_cipher_blocksize(child);
21318 crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
21319 diff -urNp linux-2.6.38.4/Documentation/dontdiff linux-2.6.38.4/Documentation/dontdiff
21320 --- linux-2.6.38.4/Documentation/dontdiff 2011-03-14 21:20:32.000000000 -0400
21321 +++ linux-2.6.38.4/Documentation/dontdiff 2011-04-17 15:57:32.000000000 -0400
21341 @@ -49,11 +52,16 @@
21358 @@ -82,6 +90,8 @@ bvmlinux
21367 @@ -106,16 +116,19 @@ fore200e_mkfirm
21382 initramfs_data.cpio
21383 +initramfs_data.cpio.bz2
21384 initramfs_data.cpio.gz
21387 @@ -125,7 +138,6 @@ int32.c
21395 @@ -149,7 +161,9 @@ mkboot
21405 @@ -165,6 +179,7 @@ parse.h
21413 @@ -180,6 +195,7 @@ r600_reg_safe.h
21421 @@ -189,6 +205,7 @@ setup
21429 @@ -213,13 +230,17 @@ version.h*
21447 diff -urNp linux-2.6.38.4/Documentation/filesystems/sysfs.txt linux-2.6.38.4/Documentation/filesystems/sysfs.txt
21448 --- linux-2.6.38.4/Documentation/filesystems/sysfs.txt 2011-03-14 21:20:32.000000000 -0400
21449 +++ linux-2.6.38.4/Documentation/filesystems/sysfs.txt 2011-04-17 15:57:32.000000000 -0400
21450 @@ -123,8 +123,8 @@ set of sysfs operations for forwarding r
21451 show and store methods of the attribute owners.
21454 - ssize_t (*show)(struct kobject *, struct attribute *, char *);
21455 - ssize_t (*store)(struct kobject *, struct attribute *, const char *, size_t);
21456 + ssize_t (* const show)(struct kobject *, struct attribute *, char *);
21457 + ssize_t (* const store)(struct kobject *, struct attribute *, const char *, size_t);
21460 [ Subsystems should have already defined a struct kobj_type as a
21461 diff -urNp linux-2.6.38.4/Documentation/kernel-parameters.txt linux-2.6.38.4/Documentation/kernel-parameters.txt
21462 --- linux-2.6.38.4/Documentation/kernel-parameters.txt 2011-03-14 21:20:32.000000000 -0400
21463 +++ linux-2.6.38.4/Documentation/kernel-parameters.txt 2011-04-17 15:57:32.000000000 -0400
21464 @@ -1853,6 +1853,13 @@ bytes respectively. Such letter suffixes
21465 the specified number of seconds. This is to be used if
21466 your oopses keep scrolling off the screen.
21468 + pax_nouderef [X86] disables UDEREF. Most likely needed under certain
21469 + virtualization environments that don't cope well with the
21470 + expand down segment used by UDEREF on X86-32 or the frequent
21471 + page table updates on X86-64.
21473 + pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
21478 diff -urNp linux-2.6.38.4/drivers/acpi/battery.c linux-2.6.38.4/drivers/acpi/battery.c
21479 --- linux-2.6.38.4/drivers/acpi/battery.c 2011-03-14 21:20:32.000000000 -0400
21480 +++ linux-2.6.38.4/drivers/acpi/battery.c 2011-04-17 15:57:32.000000000 -0400
21481 @@ -862,7 +862,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
21484 static struct battery_file {
21485 - struct file_operations ops;
21486 + const struct file_operations ops;
21489 } acpi_battery_file[] = {
21490 diff -urNp linux-2.6.38.4/drivers/acpi/blacklist.c linux-2.6.38.4/drivers/acpi/blacklist.c
21491 --- linux-2.6.38.4/drivers/acpi/blacklist.c 2011-03-14 21:20:32.000000000 -0400
21492 +++ linux-2.6.38.4/drivers/acpi/blacklist.c 2011-04-17 15:57:32.000000000 -0400
21493 @@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
21494 {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
21495 "Incorrect _ADR", 1},
21498 + {"", "", 0, NULL, all_versions, NULL, 0}
21501 #if CONFIG_ACPI_BLACKLIST_YEAR
21502 diff -urNp linux-2.6.38.4/drivers/acpi/dock.c linux-2.6.38.4/drivers/acpi/dock.c
21503 --- linux-2.6.38.4/drivers/acpi/dock.c 2011-03-14 21:20:32.000000000 -0400
21504 +++ linux-2.6.38.4/drivers/acpi/dock.c 2011-04-17 15:57:32.000000000 -0400
21505 @@ -77,7 +77,7 @@ struct dock_dependent_device {
21506 struct list_head list;
21507 struct list_head hotplug_list;
21508 acpi_handle handle;
21509 - struct acpi_dock_ops *ops;
21510 + const struct acpi_dock_ops *ops;
21514 @@ -589,7 +589,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
21515 * the dock driver after _DCK is executed.
21518 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
21519 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
21522 struct dock_dependent_device *dd;
21523 diff -urNp linux-2.6.38.4/drivers/acpi/ec_sys.c linux-2.6.38.4/drivers/acpi/ec_sys.c
21524 --- linux-2.6.38.4/drivers/acpi/ec_sys.c 2011-03-14 21:20:32.000000000 -0400
21525 +++ linux-2.6.38.4/drivers/acpi/ec_sys.c 2011-04-17 15:57:32.000000000 -0400
21526 @@ -96,7 +96,7 @@ static ssize_t acpi_ec_write_io(struct f
21530 -static struct file_operations acpi_ec_io_ops = {
21531 +static const struct file_operations acpi_ec_io_ops = {
21532 .owner = THIS_MODULE,
21533 .open = acpi_ec_open_io,
21534 .read = acpi_ec_read_io,
21535 diff -urNp linux-2.6.38.4/drivers/acpi/power_meter.c linux-2.6.38.4/drivers/acpi/power_meter.c
21536 --- linux-2.6.38.4/drivers/acpi/power_meter.c 2011-03-14 21:20:32.000000000 -0400
21537 +++ linux-2.6.38.4/drivers/acpi/power_meter.c 2011-04-17 15:57:32.000000000 -0400
21538 @@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
21545 mutex_lock(&resource->lock);
21546 resource->trip[attr->index - 7] = temp;
21547 diff -urNp linux-2.6.38.4/drivers/acpi/proc.c linux-2.6.38.4/drivers/acpi/proc.c
21548 --- linux-2.6.38.4/drivers/acpi/proc.c 2011-03-14 21:20:32.000000000 -0400
21549 +++ linux-2.6.38.4/drivers/acpi/proc.c 2011-04-17 15:57:32.000000000 -0400
21550 @@ -342,19 +342,13 @@ acpi_system_write_wakeup_device(struct f
21551 size_t count, loff_t * ppos)
21553 struct list_head *node, *next;
21555 - char str[5] = "";
21556 - unsigned int len = count;
21562 + char strbuf[5] = {0};
21564 - if (copy_from_user(strbuf, buffer, len))
21567 + if (copy_from_user(strbuf, buffer, count))
21569 - strbuf[len] = '\0';
21570 - sscanf(strbuf, "%s", str);
21571 + strbuf[count] = '\0';
21573 mutex_lock(&acpi_device_lock);
21574 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
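Review bot: Dropping the `sscanf(strbuf, "%s", str)` at 20570 changes what is compared at 21580 in the next hunk: the old code compared the first whitespace-delimited token, the new code compares the raw buffer, so a write such as `LID\n` (what a shell `echo` produces) no longer matches a three-character `bus_id`, because `strncmp(..., 4)` now sees the newline where the old token had its terminator. Keep the trimming by cutting the buffer at the first whitespace once it is terminated, `strbuf[strcspn(strbuf, " \t\n")] = '\0';` after 21571. `strbuf[count] = '\0'` at 21571 is also only in bounds if `count` has been clamped to 4 on a line not shown here (the old `len` clamp removed with 20556-20561); please confirm the clamp survives. The function continues into the next hunk.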
21575 @@ -363,7 +357,7 @@ acpi_system_write_wakeup_device(struct f
21576 if (!dev->wakeup.flags.valid)
21579 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
21580 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
21581 if (device_can_wakeup(&dev->dev)) {
21582 bool enable = !device_may_wakeup(&dev->dev);
21583 device_set_wakeup_enable(&dev->dev, enable);
21584 diff -urNp linux-2.6.38.4/drivers/acpi/processor_driver.c linux-2.6.38.4/drivers/acpi/processor_driver.c
21585 --- linux-2.6.38.4/drivers/acpi/processor_driver.c 2011-03-14 21:20:32.000000000 -0400
21586 +++ linux-2.6.38.4/drivers/acpi/processor_driver.c 2011-04-17 15:57:32.000000000 -0400
21587 @@ -473,7 +473,7 @@ static int __cpuinit acpi_processor_add(
21591 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
21592 + BUG_ON(pr->id >= nr_cpu_ids);
21596 diff -urNp linux-2.6.38.4/drivers/acpi/processor_idle.c linux-2.6.38.4/drivers/acpi/processor_idle.c
21597 --- linux-2.6.38.4/drivers/acpi/processor_idle.c 2011-03-14 21:20:32.000000000 -0400
21598 +++ linux-2.6.38.4/drivers/acpi/processor_idle.c 2011-04-17 15:57:32.000000000 -0400
21599 @@ -121,7 +121,7 @@ static struct dmi_system_id __cpuinitdat
21600 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
21601 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
21604 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL},
21608 diff -urNp linux-2.6.38.4/drivers/ata/acard-ahci.c linux-2.6.38.4/drivers/ata/acard-ahci.c
21609 --- linux-2.6.38.4/drivers/ata/acard-ahci.c 2011-03-14 21:20:32.000000000 -0400
21610 +++ linux-2.6.38.4/drivers/ata/acard-ahci.c 2011-04-17 15:57:32.000000000 -0400
21611 @@ -87,7 +87,7 @@ static struct scsi_host_template acard_a
21612 AHCI_SHT("acard-ahci"),
21615 -static struct ata_port_operations acard_ops = {
21616 +static const struct ata_port_operations acard_ops = {
21617 .inherits = &ahci_ops,
21618 .qc_prep = acard_ahci_qc_prep,
21619 .qc_fill_rtf = acard_ahci_qc_fill_rtf,
21620 diff -urNp linux-2.6.38.4/drivers/ata/ahci.c linux-2.6.38.4/drivers/ata/ahci.c
21621 --- linux-2.6.38.4/drivers/ata/ahci.c 2011-04-18 17:27:13.000000000 -0400
21622 +++ linux-2.6.38.4/drivers/ata/ahci.c 2011-04-17 15:57:32.000000000 -0400
21623 @@ -94,17 +94,17 @@ static struct scsi_host_template ahci_sh
21627 -static struct ata_port_operations ahci_vt8251_ops = {
21628 +static const struct ata_port_operations ahci_vt8251_ops = {
21629 .inherits = &ahci_ops,
21630 .hardreset = ahci_vt8251_hardreset,
21633 -static struct ata_port_operations ahci_p5wdh_ops = {
21634 +static const struct ata_port_operations ahci_p5wdh_ops = {
21635 .inherits = &ahci_ops,
21636 .hardreset = ahci_p5wdh_hardreset,
21639 -static struct ata_port_operations ahci_sb600_ops = {
21640 +static const struct ata_port_operations ahci_sb600_ops = {
21641 .inherits = &ahci_ops,
21642 .softreset = ahci_sb600_softreset,
21643 .pmp_softreset = ahci_sb600_softreset,
21644 @@ -394,7 +394,7 @@ static const struct pci_device_id ahci_p
21645 { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
21646 PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
21648 - { } /* terminate list */
21649 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
21653 diff -urNp linux-2.6.38.4/drivers/ata/ahci.h linux-2.6.38.4/drivers/ata/ahci.h
21654 --- linux-2.6.38.4/drivers/ata/ahci.h 2011-03-14 21:20:32.000000000 -0400
21655 +++ linux-2.6.38.4/drivers/ata/ahci.h 2011-04-17 15:57:32.000000000 -0400
21656 @@ -309,7 +309,7 @@ extern struct device_attribute *ahci_sde
21657 .shost_attrs = ahci_shost_attrs, \
21658 .sdev_attrs = ahci_sdev_attrs
21660 -extern struct ata_port_operations ahci_ops;
21661 +extern const struct ata_port_operations ahci_ops;
21663 void ahci_fill_cmd_slot(struct ahci_port_priv *pp, unsigned int tag,
21665 diff -urNp linux-2.6.38.4/drivers/ata/ata_generic.c linux-2.6.38.4/drivers/ata/ata_generic.c
21666 --- linux-2.6.38.4/drivers/ata/ata_generic.c 2011-03-14 21:20:32.000000000 -0400
21667 +++ linux-2.6.38.4/drivers/ata/ata_generic.c 2011-04-17 15:57:32.000000000 -0400
21668 @@ -101,7 +101,7 @@ static struct scsi_host_template generic
21669 ATA_BMDMA_SHT(DRV_NAME),
21672 -static struct ata_port_operations generic_port_ops = {
21673 +static const struct ata_port_operations generic_port_ops = {
21674 .inherits = &ata_bmdma_port_ops,
21675 .cable_detect = ata_cable_unknown,
21676 .set_mode = generic_set_mode,
21677 diff -urNp linux-2.6.38.4/drivers/ata/ata_piix.c linux-2.6.38.4/drivers/ata/ata_piix.c
21678 --- linux-2.6.38.4/drivers/ata/ata_piix.c 2011-03-14 21:20:32.000000000 -0400
21679 +++ linux-2.6.38.4/drivers/ata/ata_piix.c 2011-04-17 15:57:32.000000000 -0400
21680 @@ -309,7 +309,7 @@ static const struct pci_device_id piix_p
21681 { 0x8086, 0x1d00, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata },
21682 /* SATA Controller IDE (PBG) */
21683 { 0x8086, 0x1d08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
21684 - { } /* terminate list */
21685 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
21688 static struct pci_driver piix_pci_driver = {
21689 @@ -327,12 +327,12 @@ static struct scsi_host_template piix_sh
21690 ATA_BMDMA_SHT(DRV_NAME),
21693 -static struct ata_port_operations piix_sata_ops = {
21694 +static const struct ata_port_operations piix_sata_ops = {
21695 .inherits = &ata_bmdma32_port_ops,
21696 .sff_irq_check = piix_irq_check,
21699 -static struct ata_port_operations piix_pata_ops = {
21700 +static const struct ata_port_operations piix_pata_ops = {
21701 .inherits = &piix_sata_ops,
21702 .cable_detect = ata_cable_40wire,
21703 .set_piomode = piix_set_piomode,
21704 @@ -340,12 +340,12 @@ static struct ata_port_operations piix_p
21705 .prereset = piix_pata_prereset,
21708 -static struct ata_port_operations piix_vmw_ops = {
21709 +static const struct ata_port_operations piix_vmw_ops = {
21710 .inherits = &piix_pata_ops,
21711 .bmdma_status = piix_vmw_bmdma_status,
21714 -static struct ata_port_operations ich_pata_ops = {
21715 +static const struct ata_port_operations ich_pata_ops = {
21716 .inherits = &piix_pata_ops,
21717 .cable_detect = ich_pata_cable_detect,
21718 .set_dmamode = ich_set_dmamode,
21719 @@ -361,7 +361,7 @@ static struct scsi_host_template piix_si
21720 .shost_attrs = piix_sidpr_shost_attrs,
21723 -static struct ata_port_operations piix_sidpr_sata_ops = {
21724 +static const struct ata_port_operations piix_sidpr_sata_ops = {
21725 .inherits = &piix_sata_ops,
21726 .hardreset = sata_std_hardreset,
21727 .scr_read = piix_sidpr_scr_read,
21728 @@ -638,7 +638,7 @@ static const struct ich_laptop ich_lapto
21729 { 0x2653, 0x1043, 0x82D8 }, /* ICH6M on Asus Eee 701 */
21730 { 0x27df, 0x104d, 0x900e }, /* ICH7 on Sony TZ-90 */
21737 @@ -1130,7 +1130,7 @@ static int piix_broken_suspend(void)
21741 - { } /* terminate list */
21742 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL } /* terminate list */
21744 static const char *oemstrs[] = {
21746 diff -urNp linux-2.6.38.4/drivers/ata/libahci.c linux-2.6.38.4/drivers/ata/libahci.c
21747 --- linux-2.6.38.4/drivers/ata/libahci.c 2011-03-14 21:20:32.000000000 -0400
21748 +++ linux-2.6.38.4/drivers/ata/libahci.c 2011-04-17 15:57:32.000000000 -0400
21749 @@ -137,7 +137,7 @@ struct device_attribute *ahci_sdev_attrs
21751 EXPORT_SYMBOL_GPL(ahci_sdev_attrs);
21753 -struct ata_port_operations ahci_ops = {
21754 +const struct ata_port_operations ahci_ops = {
21755 .inherits = &sata_pmp_port_ops,
21757 .qc_defer = ahci_pmp_qc_defer,
21758 diff -urNp linux-2.6.38.4/drivers/ata/libata-acpi.c linux-2.6.38.4/drivers/ata/libata-acpi.c
21759 --- linux-2.6.38.4/drivers/ata/libata-acpi.c 2011-03-14 21:20:32.000000000 -0400
21760 +++ linux-2.6.38.4/drivers/ata/libata-acpi.c 2011-04-17 15:57:32.000000000 -0400
21761 @@ -218,12 +218,12 @@ static void ata_acpi_dev_uevent(acpi_han
21762 ata_acpi_uevent(dev->link->ap, dev, event);
21765 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
21766 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
21767 .handler = ata_acpi_dev_notify_dock,
21768 .uevent = ata_acpi_dev_uevent,
21771 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
21772 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
21773 .handler = ata_acpi_ap_notify_dock,
21774 .uevent = ata_acpi_ap_uevent,
21776 diff -urNp linux-2.6.38.4/drivers/ata/libata-core.c linux-2.6.38.4/drivers/ata/libata-core.c
21777 --- linux-2.6.38.4/drivers/ata/libata-core.c 2011-03-14 21:20:32.000000000 -0400
21778 +++ linux-2.6.38.4/drivers/ata/libata-core.c 2011-04-17 15:57:32.000000000 -0400
21779 @@ -897,7 +897,7 @@ static const struct ata_xfer_ent {
21780 { ATA_SHIFT_PIO, ATA_NR_PIO_MODES, XFER_PIO_0 },
21781 { ATA_SHIFT_MWDMA, ATA_NR_MWDMA_MODES, XFER_MW_DMA_0 },
21782 { ATA_SHIFT_UDMA, ATA_NR_UDMA_MODES, XFER_UDMA_0 },
21788 @@ -2885,7 +2885,7 @@ static const struct ata_timing ata_timin
21789 { XFER_UDMA_5, 0, 0, 0, 0, 0, 0, 0, 0, 20 },
21790 { XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 },
21793 + { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
21796 #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
21797 @@ -4141,7 +4141,7 @@ static const struct ata_blacklist_entry
21798 { "PIONEER DVD-RW DVR-212D", "1.28", ATA_HORKAGE_NOSETXFER },
21802 + { NULL, NULL, 0 }
21806 @@ -4746,7 +4746,7 @@ void ata_qc_free(struct ata_queued_cmd *
21807 struct ata_port *ap;
21810 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
21811 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
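Review bot: Promoting WARN_ON_ONCE to BUG_ON on a NULL qc here and in the __ata_qc_complete hunk below is defensible as fail-fast — if, as the surrounding code suggests, qc is dereferenced right after, the old warning never prevented the oops — but the retained comment `/* ata_qc_from_tag _might_ return NULL */` now reads as though NULL were a tolerated input. Reword it to state the new contract, e.g. `/* ata_qc_from_tag _might_ return NULL; callers must check, so NULL here is a bug */`. ata_qc_free begins outside this hunk.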
21815 @@ -4762,7 +4762,7 @@ void __ata_qc_complete(struct ata_queued
21816 struct ata_port *ap;
21817 struct ata_link *link;
21819 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
21820 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
21821 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
21823 link = qc->dev->link;
21824 @@ -5755,7 +5755,7 @@ static void ata_host_stop(struct device
21828 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
21829 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
21831 static DEFINE_SPINLOCK(lock);
21832 const struct ata_port_operations *cur;
21833 @@ -5767,6 +5767,7 @@ static void ata_finalize_port_ops(struct
21837 + pax_open_kernel();
21839 for (cur = ops->inherits; cur; cur = cur->inherits) {
21840 void **inherit = (void **)cur;
21841 @@ -5780,8 +5781,9 @@ static void ata_finalize_port_ops(struct
21845 - ops->inherits = NULL;
21846 + ((struct ata_port_operations *)ops)->inherits = NULL;
21848 + pax_close_kernel();
21849 spin_unlock(&lock);
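Review bot: The store `((struct ata_port_operations *)ops)->inherits = NULL;` casts away const and writes to an object this patch now defines `const` (for example `ahci_ops` in libahci.c), which is undefined behaviour in C whether or not pax_open_kernel() makes the page writable; the compiler may assume a const object never changes and, say, keep an earlier load of `ops->inherits` live across the store. The pax_open_kernel()/pax_close_kernel() pair also brackets the loop over `cur->inherits`, which presumably writes through the `void **` alias of ops, so any exit path between the two calls would leave the window open; the loop body is outside these hunks, so please confirm there is none. A comment at the open, `/* ops lives in rodata once constified; open the write window only for this finalisation */`, would record why this write is permitted here and nowhere else. ata_finalize_port_ops begins outside this hunk.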
21852 @@ -5878,7 +5880,7 @@ int ata_host_start(struct ata_host *host
21854 /* KILLME - the only user left is ipr */
21855 void ata_host_init(struct ata_host *host, struct device *dev,
21856 - unsigned long flags, struct ata_port_operations *ops)
21857 + unsigned long flags, const struct ata_port_operations *ops)
21859 spin_lock_init(&host->lock);
21860 mutex_init(&host->eh_mutex);
21861 @@ -6584,7 +6586,7 @@ static void ata_dummy_error_handler(stru
21865 -struct ata_port_operations ata_dummy_port_ops = {
21866 +const struct ata_port_operations ata_dummy_port_ops = {
21867 .qc_prep = ata_noop_qc_prep,
21868 .qc_issue = ata_dummy_qc_issue,
21869 .error_handler = ata_dummy_error_handler,
21870 diff -urNp linux-2.6.38.4/drivers/ata/libata-eh.c linux-2.6.38.4/drivers/ata/libata-eh.c
21871 --- linux-2.6.38.4/drivers/ata/libata-eh.c 2011-04-18 17:27:13.000000000 -0400
21872 +++ linux-2.6.38.4/drivers/ata/libata-eh.c 2011-04-17 15:57:32.000000000 -0400
21873 @@ -3880,7 +3880,7 @@ void ata_do_eh(struct ata_port *ap, ata_
21875 void ata_std_error_handler(struct ata_port *ap)
21877 - struct ata_port_operations *ops = ap->ops;
21878 + const struct ata_port_operations *ops = ap->ops;
21879 ata_reset_fn_t hardreset = ops->hardreset;
21881 /* ignore built-in hardreset if SCR access is not available */
21882 diff -urNp linux-2.6.38.4/drivers/ata/libata-pmp.c linux-2.6.38.4/drivers/ata/libata-pmp.c
21883 --- linux-2.6.38.4/drivers/ata/libata-pmp.c 2011-03-14 21:20:32.000000000 -0400
21884 +++ linux-2.6.38.4/drivers/ata/libata-pmp.c 2011-04-17 15:57:32.000000000 -0400
21885 @@ -912,7 +912,7 @@ static int sata_pmp_handle_link_fail(str
21887 static int sata_pmp_eh_recover(struct ata_port *ap)
21889 - struct ata_port_operations *ops = ap->ops;
21890 + const struct ata_port_operations *ops = ap->ops;
21891 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
21892 struct ata_link *pmp_link = &ap->link;
21893 struct ata_device *pmp_dev = pmp_link->device;
21894 diff -urNp linux-2.6.38.4/drivers/ata/pata_acpi.c linux-2.6.38.4/drivers/ata/pata_acpi.c
21895 --- linux-2.6.38.4/drivers/ata/pata_acpi.c 2011-03-14 21:20:32.000000000 -0400
21896 +++ linux-2.6.38.4/drivers/ata/pata_acpi.c 2011-04-17 15:57:32.000000000 -0400
21897 @@ -216,7 +216,7 @@ static struct scsi_host_template pacpi_s
21898 ATA_BMDMA_SHT(DRV_NAME),
21901 -static struct ata_port_operations pacpi_ops = {
21902 +static const struct ata_port_operations pacpi_ops = {
21903 .inherits = &ata_bmdma_port_ops,
21904 .qc_issue = pacpi_qc_issue,
21905 .cable_detect = pacpi_cable_detect,
21906 diff -urNp linux-2.6.38.4/drivers/ata/pata_ali.c linux-2.6.38.4/drivers/ata/pata_ali.c
21907 --- linux-2.6.38.4/drivers/ata/pata_ali.c 2011-03-14 21:20:32.000000000 -0400
21908 +++ linux-2.6.38.4/drivers/ata/pata_ali.c 2011-04-17 15:57:32.000000000 -0400
21909 @@ -363,7 +363,7 @@ static struct scsi_host_template ali_sht
21910 * Port operations for PIO only ALi
21913 -static struct ata_port_operations ali_early_port_ops = {
21914 +static const struct ata_port_operations ali_early_port_ops = {
21915 .inherits = &ata_sff_port_ops,
21916 .cable_detect = ata_cable_40wire,
21917 .set_piomode = ali_set_piomode,
21918 @@ -380,7 +380,7 @@ static const struct ata_port_operations
21919 * Port operations for DMA capable ALi without cable
21922 -static struct ata_port_operations ali_20_port_ops = {
21923 +static const struct ata_port_operations ali_20_port_ops = {
21924 .inherits = &ali_dma_base_ops,
21925 .cable_detect = ata_cable_40wire,
21926 .mode_filter = ali_20_filter,
21927 @@ -391,7 +391,7 @@ static struct ata_port_operations ali_20
21929 * Port operations for DMA capable ALi with cable detect
21931 -static struct ata_port_operations ali_c2_port_ops = {
21932 +static const struct ata_port_operations ali_c2_port_ops = {
21933 .inherits = &ali_dma_base_ops,
21934 .check_atapi_dma = ali_check_atapi_dma,
21935 .cable_detect = ali_c2_cable_detect,
21936 @@ -402,7 +402,7 @@ static struct ata_port_operations ali_c2
21938 * Port operations for DMA capable ALi with cable detect
21940 -static struct ata_port_operations ali_c4_port_ops = {
21941 +static const struct ata_port_operations ali_c4_port_ops = {
21942 .inherits = &ali_dma_base_ops,
21943 .check_atapi_dma = ali_check_atapi_dma,
21944 .cable_detect = ali_c2_cable_detect,
21945 @@ -412,7 +412,7 @@ static struct ata_port_operations ali_c4
21947 * Port operations for DMA capable ALi with cable detect and LBA48
21949 -static struct ata_port_operations ali_c5_port_ops = {
21950 +static const struct ata_port_operations ali_c5_port_ops = {
21951 .inherits = &ali_dma_base_ops,
21952 .check_atapi_dma = ali_check_atapi_dma,
21953 .dev_config = ali_warn_atapi_dma,
21954 diff -urNp linux-2.6.38.4/drivers/ata/pata_amd.c linux-2.6.38.4/drivers/ata/pata_amd.c
21955 --- linux-2.6.38.4/drivers/ata/pata_amd.c 2011-03-14 21:20:32.000000000 -0400
21956 +++ linux-2.6.38.4/drivers/ata/pata_amd.c 2011-04-17 15:57:32.000000000 -0400
21957 @@ -397,28 +397,28 @@ static const struct ata_port_operations
21958 .prereset = amd_pre_reset,
21961 -static struct ata_port_operations amd33_port_ops = {
21962 +static const struct ata_port_operations amd33_port_ops = {
21963 .inherits = &amd_base_port_ops,
21964 .cable_detect = ata_cable_40wire,
21965 .set_piomode = amd33_set_piomode,
21966 .set_dmamode = amd33_set_dmamode,
21969 -static struct ata_port_operations amd66_port_ops = {
21970 +static const struct ata_port_operations amd66_port_ops = {
21971 .inherits = &amd_base_port_ops,
21972 .cable_detect = ata_cable_unknown,
21973 .set_piomode = amd66_set_piomode,
21974 .set_dmamode = amd66_set_dmamode,
21977 -static struct ata_port_operations amd100_port_ops = {
21978 +static const struct ata_port_operations amd100_port_ops = {
21979 .inherits = &amd_base_port_ops,
21980 .cable_detect = ata_cable_unknown,
21981 .set_piomode = amd100_set_piomode,
21982 .set_dmamode = amd100_set_dmamode,
21985 -static struct ata_port_operations amd133_port_ops = {
21986 +static const struct ata_port_operations amd133_port_ops = {
21987 .inherits = &amd_base_port_ops,
21988 .cable_detect = amd_cable_detect,
21989 .set_piomode = amd133_set_piomode,
21990 @@ -433,13 +433,13 @@ static const struct ata_port_operations
21991 .host_stop = nv_host_stop,
21994 -static struct ata_port_operations nv100_port_ops = {
21995 +static const struct ata_port_operations nv100_port_ops = {
21996 .inherits = &nv_base_port_ops,
21997 .set_piomode = nv100_set_piomode,
21998 .set_dmamode = nv100_set_dmamode,
22001 -static struct ata_port_operations nv133_port_ops = {
22002 +static const struct ata_port_operations nv133_port_ops = {
22003 .inherits = &nv_base_port_ops,
22004 .set_piomode = nv133_set_piomode,
22005 .set_dmamode = nv133_set_dmamode,
22006 diff -urNp linux-2.6.38.4/drivers/ata/pata_artop.c linux-2.6.38.4/drivers/ata/pata_artop.c
22007 --- linux-2.6.38.4/drivers/ata/pata_artop.c 2011-03-14 21:20:32.000000000 -0400
22008 +++ linux-2.6.38.4/drivers/ata/pata_artop.c 2011-04-17 15:57:32.000000000 -0400
22009 @@ -312,7 +312,7 @@ static struct scsi_host_template artop_s
22010 ATA_BMDMA_SHT(DRV_NAME),
22013 -static struct ata_port_operations artop6210_ops = {
22014 +static const struct ata_port_operations artop6210_ops = {
22015 .inherits = &ata_bmdma_port_ops,
22016 .cable_detect = ata_cable_40wire,
22017 .set_piomode = artop6210_set_piomode,
22018 @@ -321,7 +321,7 @@ static struct ata_port_operations artop6
22019 .qc_defer = artop6210_qc_defer,
22022 -static struct ata_port_operations artop6260_ops = {
22023 +static const struct ata_port_operations artop6260_ops = {
22024 .inherits = &ata_bmdma_port_ops,
22025 .cable_detect = artop6260_cable_detect,
22026 .set_piomode = artop6260_set_piomode,
22027 diff -urNp linux-2.6.38.4/drivers/ata/pata_at32.c linux-2.6.38.4/drivers/ata/pata_at32.c
22028 --- linux-2.6.38.4/drivers/ata/pata_at32.c 2011-03-14 21:20:32.000000000 -0400
22029 +++ linux-2.6.38.4/drivers/ata/pata_at32.c 2011-04-17 15:57:32.000000000 -0400
22030 @@ -173,7 +173,7 @@ static struct scsi_host_template at32_sh
22031 ATA_PIO_SHT(DRV_NAME),
22034 -static struct ata_port_operations at32_port_ops = {
22035 +static const struct ata_port_operations at32_port_ops = {
22036 .inherits = &ata_sff_port_ops,
22037 .cable_detect = ata_cable_40wire,
22038 .set_piomode = pata_at32_set_piomode,
22039 diff -urNp linux-2.6.38.4/drivers/ata/pata_at91.c linux-2.6.38.4/drivers/ata/pata_at91.c
22040 --- linux-2.6.38.4/drivers/ata/pata_at91.c 2011-03-14 21:20:32.000000000 -0400
22041 +++ linux-2.6.38.4/drivers/ata/pata_at91.c 2011-04-17 15:57:32.000000000 -0400
22042 @@ -196,7 +196,7 @@ static struct scsi_host_template pata_at
22043 ATA_PIO_SHT(DRV_NAME),
22046 -static struct ata_port_operations pata_at91_port_ops = {
22047 +static const struct ata_port_operations pata_at91_port_ops = {
22048 .inherits = &ata_sff_port_ops,
22050 .sff_data_xfer = pata_at91_data_xfer_noirq,
22051 diff -urNp linux-2.6.38.4/drivers/ata/pata_atiixp.c linux-2.6.38.4/drivers/ata/pata_atiixp.c
22052 --- linux-2.6.38.4/drivers/ata/pata_atiixp.c 2011-03-14 21:20:32.000000000 -0400
22053 +++ linux-2.6.38.4/drivers/ata/pata_atiixp.c 2011-04-17 15:57:32.000000000 -0400
22054 @@ -214,7 +214,7 @@ static struct scsi_host_template atiixp_
22055 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
22058 -static struct ata_port_operations atiixp_port_ops = {
22059 +static const struct ata_port_operations atiixp_port_ops = {
22060 .inherits = &ata_bmdma_port_ops,
22062 .qc_prep = ata_bmdma_dumb_qc_prep,
22063 diff -urNp linux-2.6.38.4/drivers/ata/pata_atp867x.c linux-2.6.38.4/drivers/ata/pata_atp867x.c
22064 --- linux-2.6.38.4/drivers/ata/pata_atp867x.c 2011-03-14 21:20:32.000000000 -0400
22065 +++ linux-2.6.38.4/drivers/ata/pata_atp867x.c 2011-04-17 15:57:32.000000000 -0400
22066 @@ -275,7 +275,7 @@ static struct scsi_host_template atp867x
22067 ATA_BMDMA_SHT(DRV_NAME),
22070 -static struct ata_port_operations atp867x_ops = {
22071 +static const struct ata_port_operations atp867x_ops = {
22072 .inherits = &ata_bmdma_port_ops,
22073 .cable_detect = atp867x_cable_detect,
22074 .set_piomode = atp867x_set_piomode,
22075 diff -urNp linux-2.6.38.4/drivers/ata/pata_bf54x.c linux-2.6.38.4/drivers/ata/pata_bf54x.c
22076 --- linux-2.6.38.4/drivers/ata/pata_bf54x.c 2011-03-14 21:20:32.000000000 -0400
22077 +++ linux-2.6.38.4/drivers/ata/pata_bf54x.c 2011-04-17 15:57:32.000000000 -0400
22078 @@ -1420,7 +1420,7 @@ static struct scsi_host_template bfin_sh
22079 .dma_boundary = ATA_DMA_BOUNDARY,
22082 -static struct ata_port_operations bfin_pata_ops = {
22083 +static const struct ata_port_operations bfin_pata_ops = {
22084 .inherits = &ata_bmdma_port_ops,
22086 .set_piomode = bfin_set_piomode,
22087 diff -urNp linux-2.6.38.4/drivers/ata/pata_cmd640.c linux-2.6.38.4/drivers/ata/pata_cmd640.c
22088 --- linux-2.6.38.4/drivers/ata/pata_cmd640.c 2011-03-14 21:20:32.000000000 -0400
22089 +++ linux-2.6.38.4/drivers/ata/pata_cmd640.c 2011-04-17 15:57:32.000000000 -0400
22090 @@ -176,7 +176,7 @@ static struct scsi_host_template cmd640_
22091 ATA_PIO_SHT(DRV_NAME),
22094 -static struct ata_port_operations cmd640_port_ops = {
22095 +static const struct ata_port_operations cmd640_port_ops = {
22096 .inherits = &ata_sff_port_ops,
22097 /* In theory xfer_noirq is not needed once we kill the prefetcher */
22098 .sff_data_xfer = ata_sff_data_xfer_noirq,
22099 diff -urNp linux-2.6.38.4/drivers/ata/pata_cmd64x.c linux-2.6.38.4/drivers/ata/pata_cmd64x.c
22100 --- linux-2.6.38.4/drivers/ata/pata_cmd64x.c 2011-03-14 21:20:32.000000000 -0400
22101 +++ linux-2.6.38.4/drivers/ata/pata_cmd64x.c 2011-04-17 15:57:32.000000000 -0400
22102 @@ -268,18 +268,18 @@ static const struct ata_port_operations
22103 .set_dmamode = cmd64x_set_dmamode,
22106 -static struct ata_port_operations cmd64x_port_ops = {
22107 +static const struct ata_port_operations cmd64x_port_ops = {
22108 .inherits = &cmd64x_base_ops,
22109 .cable_detect = ata_cable_40wire,
22112 -static struct ata_port_operations cmd646r1_port_ops = {
22113 +static const struct ata_port_operations cmd646r1_port_ops = {
22114 .inherits = &cmd64x_base_ops,
22115 .bmdma_stop = cmd646r1_bmdma_stop,
22116 .cable_detect = ata_cable_40wire,
22119 -static struct ata_port_operations cmd648_port_ops = {
22120 +static const struct ata_port_operations cmd648_port_ops = {
22121 .inherits = &cmd64x_base_ops,
22122 .bmdma_stop = cmd648_bmdma_stop,
22123 .cable_detect = cmd648_cable_detect,
22124 diff -urNp linux-2.6.38.4/drivers/ata/pata_cs5520.c linux-2.6.38.4/drivers/ata/pata_cs5520.c
22125 --- linux-2.6.38.4/drivers/ata/pata_cs5520.c 2011-03-14 21:20:32.000000000 -0400
22126 +++ linux-2.6.38.4/drivers/ata/pata_cs5520.c 2011-04-17 15:57:32.000000000 -0400
22127 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
22128 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
22131 -static struct ata_port_operations cs5520_port_ops = {
22132 +static const struct ata_port_operations cs5520_port_ops = {
22133 .inherits = &ata_bmdma_port_ops,
22134 .qc_prep = ata_bmdma_dumb_qc_prep,
22135 .cable_detect = ata_cable_40wire,
22136 diff -urNp linux-2.6.38.4/drivers/ata/pata_cs5530.c linux-2.6.38.4/drivers/ata/pata_cs5530.c
22137 --- linux-2.6.38.4/drivers/ata/pata_cs5530.c 2011-03-14 21:20:32.000000000 -0400
22138 +++ linux-2.6.38.4/drivers/ata/pata_cs5530.c 2011-04-17 15:57:32.000000000 -0400
22139 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
22140 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
22143 -static struct ata_port_operations cs5530_port_ops = {
22144 +static const struct ata_port_operations cs5530_port_ops = {
22145 .inherits = &ata_bmdma_port_ops,
22147 .qc_prep = ata_bmdma_dumb_qc_prep,
22148 diff -urNp linux-2.6.38.4/drivers/ata/pata_cs5535.c linux-2.6.38.4/drivers/ata/pata_cs5535.c
22149 --- linux-2.6.38.4/drivers/ata/pata_cs5535.c 2011-03-14 21:20:32.000000000 -0400
22150 +++ linux-2.6.38.4/drivers/ata/pata_cs5535.c 2011-04-17 15:57:32.000000000 -0400
22151 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
22152 ATA_BMDMA_SHT(DRV_NAME),
22155 -static struct ata_port_operations cs5535_port_ops = {
22156 +static const struct ata_port_operations cs5535_port_ops = {
22157 .inherits = &ata_bmdma_port_ops,
22158 .cable_detect = cs5535_cable_detect,
22159 .set_piomode = cs5535_set_piomode,
22160 diff -urNp linux-2.6.38.4/drivers/ata/pata_cs5536.c linux-2.6.38.4/drivers/ata/pata_cs5536.c
22161 --- linux-2.6.38.4/drivers/ata/pata_cs5536.c 2011-03-14 21:20:32.000000000 -0400
22162 +++ linux-2.6.38.4/drivers/ata/pata_cs5536.c 2011-04-17 15:57:32.000000000 -0400
22163 @@ -233,7 +233,7 @@ static struct scsi_host_template cs5536_
22164 ATA_BMDMA_SHT(DRV_NAME),
22167 -static struct ata_port_operations cs5536_port_ops = {
22168 +static const struct ata_port_operations cs5536_port_ops = {
22169 .inherits = &ata_bmdma32_port_ops,
22170 .cable_detect = cs5536_cable_detect,
22171 .set_piomode = cs5536_set_piomode,
22172 diff -urNp linux-2.6.38.4/drivers/ata/pata_cypress.c linux-2.6.38.4/drivers/ata/pata_cypress.c
22173 --- linux-2.6.38.4/drivers/ata/pata_cypress.c 2011-03-14 21:20:32.000000000 -0400
22174 +++ linux-2.6.38.4/drivers/ata/pata_cypress.c 2011-04-17 15:57:32.000000000 -0400
22175 @@ -115,7 +115,7 @@ static struct scsi_host_template cy82c69
22176 ATA_BMDMA_SHT(DRV_NAME),
22179 -static struct ata_port_operations cy82c693_port_ops = {
22180 +static const struct ata_port_operations cy82c693_port_ops = {
22181 .inherits = &ata_bmdma_port_ops,
22182 .cable_detect = ata_cable_40wire,
22183 .set_piomode = cy82c693_set_piomode,
22184 diff -urNp linux-2.6.38.4/drivers/ata/pata_efar.c linux-2.6.38.4/drivers/ata/pata_efar.c
22185 --- linux-2.6.38.4/drivers/ata/pata_efar.c 2011-03-14 21:20:32.000000000 -0400
22186 +++ linux-2.6.38.4/drivers/ata/pata_efar.c 2011-04-17 15:57:32.000000000 -0400
22187 @@ -238,7 +238,7 @@ static struct scsi_host_template efar_sh
22188 ATA_BMDMA_SHT(DRV_NAME),
22191 -static struct ata_port_operations efar_ops = {
22192 +static const struct ata_port_operations efar_ops = {
22193 .inherits = &ata_bmdma_port_ops,
22194 .cable_detect = efar_cable_detect,
22195 .set_piomode = efar_set_piomode,
22196 diff -urNp linux-2.6.38.4/drivers/ata/pata_hpt366.c linux-2.6.38.4/drivers/ata/pata_hpt366.c
22197 --- linux-2.6.38.4/drivers/ata/pata_hpt366.c 2011-03-14 21:20:32.000000000 -0400
22198 +++ linux-2.6.38.4/drivers/ata/pata_hpt366.c 2011-04-17 15:57:32.000000000 -0400
22199 @@ -275,7 +275,7 @@ static struct scsi_host_template hpt36x_
22200 * Configuration for HPT366/68
22203 -static struct ata_port_operations hpt366_port_ops = {
22204 +static const struct ata_port_operations hpt366_port_ops = {
22205 .inherits = &ata_bmdma_port_ops,
22206 .cable_detect = hpt36x_cable_detect,
22207 .mode_filter = hpt366_filter,
22208 diff -urNp linux-2.6.38.4/drivers/ata/pata_hpt37x.c linux-2.6.38.4/drivers/ata/pata_hpt37x.c
22209 --- linux-2.6.38.4/drivers/ata/pata_hpt37x.c 2011-03-14 21:20:32.000000000 -0400
22210 +++ linux-2.6.38.4/drivers/ata/pata_hpt37x.c 2011-04-17 15:57:32.000000000 -0400
22211 @@ -587,7 +587,7 @@ static struct scsi_host_template hpt37x_
22212 * Configuration for HPT370
22215 -static struct ata_port_operations hpt370_port_ops = {
22216 +static const struct ata_port_operations hpt370_port_ops = {
22217 .inherits = &ata_bmdma_port_ops,
22219 .bmdma_stop = hpt370_bmdma_stop,
22220 @@ -603,7 +603,7 @@ static struct ata_port_operations hpt370
22221 * Configuration for HPT370A. Close to 370 but less filters
22224 -static struct ata_port_operations hpt370a_port_ops = {
22225 +static const struct ata_port_operations hpt370a_port_ops = {
22226 .inherits = &hpt370_port_ops,
22227 .mode_filter = hpt370a_filter,
22229 @@ -613,7 +613,7 @@ static struct ata_port_operations hpt370
22230 * mode setting functionality.
22233 -static struct ata_port_operations hpt302_port_ops = {
22234 +static const struct ata_port_operations hpt302_port_ops = {
22235 .inherits = &ata_bmdma_port_ops,
22237 .bmdma_stop = hpt37x_bmdma_stop,
22238 @@ -629,7 +629,7 @@ static struct ata_port_operations hpt302
22239 * but we have a mode filter.
22242 -static struct ata_port_operations hpt372_port_ops = {
22243 +static const struct ata_port_operations hpt372_port_ops = {
22244 .inherits = &hpt302_port_ops,
22245 .mode_filter = hpt372_filter,
22247 @@ -639,7 +639,7 @@ static struct ata_port_operations hpt372
22248 * but we have a different cable detection procedure for function 1.
22251 -static struct ata_port_operations hpt374_fn1_port_ops = {
22252 +static const struct ata_port_operations hpt374_fn1_port_ops = {
22253 .inherits = &hpt372_port_ops,
22254 .cable_detect = hpt374_fn1_cable_detect,
22256 diff -urNp linux-2.6.38.4/drivers/ata/pata_hpt3x2n.c linux-2.6.38.4/drivers/ata/pata_hpt3x2n.c
22257 --- linux-2.6.38.4/drivers/ata/pata_hpt3x2n.c 2011-03-14 21:20:32.000000000 -0400
22258 +++ linux-2.6.38.4/drivers/ata/pata_hpt3x2n.c 2011-04-17 15:57:32.000000000 -0400
22259 @@ -348,7 +348,7 @@ static struct scsi_host_template hpt3x2n
22260 * Configuration for HPT302N/371N.
22263 -static struct ata_port_operations hpt3xxn_port_ops = {
22264 +static const struct ata_port_operations hpt3xxn_port_ops = {
22265 .inherits = &ata_bmdma_port_ops,
22267 .bmdma_stop = hpt3x2n_bmdma_stop,
22268 @@ -366,7 +366,7 @@ static struct ata_port_operations hpt3xx
22269 * Configuration for HPT372N. Same as 302N/371N but we have a mode filter.
22272 -static struct ata_port_operations hpt372n_port_ops = {
22273 +static const struct ata_port_operations hpt372n_port_ops = {
22274 .inherits = &hpt3xxn_port_ops,
22275 .mode_filter = &hpt372n_filter,
22277 diff -urNp linux-2.6.38.4/drivers/ata/pata_hpt3x3.c linux-2.6.38.4/drivers/ata/pata_hpt3x3.c
22278 --- linux-2.6.38.4/drivers/ata/pata_hpt3x3.c 2011-03-14 21:20:32.000000000 -0400
22279 +++ linux-2.6.38.4/drivers/ata/pata_hpt3x3.c 2011-04-17 15:57:32.000000000 -0400
22280 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
22281 ATA_BMDMA_SHT(DRV_NAME),
22284 -static struct ata_port_operations hpt3x3_port_ops = {
22285 +static const struct ata_port_operations hpt3x3_port_ops = {
22286 .inherits = &ata_bmdma_port_ops,
22287 .cable_detect = ata_cable_40wire,
22288 .set_piomode = hpt3x3_set_piomode,
22289 diff -urNp linux-2.6.38.4/drivers/ata/pata_icside.c linux-2.6.38.4/drivers/ata/pata_icside.c
22290 --- linux-2.6.38.4/drivers/ata/pata_icside.c 2011-03-14 21:20:32.000000000 -0400
22291 +++ linux-2.6.38.4/drivers/ata/pata_icside.c 2011-04-17 15:57:32.000000000 -0400
22292 @@ -320,7 +320,7 @@ static void pata_icside_postreset(struct
22296 -static struct ata_port_operations pata_icside_port_ops = {
22297 +static const struct ata_port_operations pata_icside_port_ops = {
22298 .inherits = &ata_bmdma_port_ops,
22299 /* no need to build any PRD tables for DMA */
22300 .qc_prep = ata_noop_qc_prep,
22301 diff -urNp linux-2.6.38.4/drivers/ata/pata_isapnp.c linux-2.6.38.4/drivers/ata/pata_isapnp.c
22302 --- linux-2.6.38.4/drivers/ata/pata_isapnp.c 2011-03-14 21:20:32.000000000 -0400
22303 +++ linux-2.6.38.4/drivers/ata/pata_isapnp.c 2011-04-17 15:57:32.000000000 -0400
22304 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
22305 ATA_PIO_SHT(DRV_NAME),
22308 -static struct ata_port_operations isapnp_port_ops = {
22309 +static const struct ata_port_operations isapnp_port_ops = {
22310 .inherits = &ata_sff_port_ops,
22311 .cable_detect = ata_cable_40wire,
22314 -static struct ata_port_operations isapnp_noalt_port_ops = {
22315 +static const struct ata_port_operations isapnp_noalt_port_ops = {
22316 .inherits = &ata_sff_port_ops,
22317 .cable_detect = ata_cable_40wire,
22318 /* No altstatus so we don't want to use the lost interrupt poll */
22319 diff -urNp linux-2.6.38.4/drivers/ata/pata_it8213.c linux-2.6.38.4/drivers/ata/pata_it8213.c
22320 --- linux-2.6.38.4/drivers/ata/pata_it8213.c 2011-03-14 21:20:32.000000000 -0400
22321 +++ linux-2.6.38.4/drivers/ata/pata_it8213.c 2011-04-17 15:57:32.000000000 -0400
22322 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
22326 -static struct ata_port_operations it8213_ops = {
22327 +static const struct ata_port_operations it8213_ops = {
22328 .inherits = &ata_bmdma_port_ops,
22329 .cable_detect = it8213_cable_detect,
22330 .set_piomode = it8213_set_piomode,
22331 diff -urNp linux-2.6.38.4/drivers/ata/pata_it821x.c linux-2.6.38.4/drivers/ata/pata_it821x.c
22332 --- linux-2.6.38.4/drivers/ata/pata_it821x.c 2011-03-14 21:20:32.000000000 -0400
22333 +++ linux-2.6.38.4/drivers/ata/pata_it821x.c 2011-04-17 15:57:32.000000000 -0400
22334 @@ -801,7 +801,7 @@ static struct scsi_host_template it821x_
22335 ATA_BMDMA_SHT(DRV_NAME),
22338 -static struct ata_port_operations it821x_smart_port_ops = {
22339 +static const struct ata_port_operations it821x_smart_port_ops = {
22340 .inherits = &ata_bmdma_port_ops,
22342 .check_atapi_dma= it821x_check_atapi_dma,
22343 @@ -815,7 +815,7 @@ static struct ata_port_operations it821x
22344 .port_start = it821x_port_start,
22347 -static struct ata_port_operations it821x_passthru_port_ops = {
22348 +static const struct ata_port_operations it821x_passthru_port_ops = {
22349 .inherits = &ata_bmdma_port_ops,
22351 .check_atapi_dma= it821x_check_atapi_dma,
22352 @@ -831,7 +831,7 @@ static struct ata_port_operations it821x
22353 .port_start = it821x_port_start,
22356 -static struct ata_port_operations it821x_rdc_port_ops = {
22357 +static const struct ata_port_operations it821x_rdc_port_ops = {
22358 .inherits = &ata_bmdma_port_ops,
22360 .check_atapi_dma= it821x_check_atapi_dma,
22361 diff -urNp linux-2.6.38.4/drivers/ata/pata_ixp4xx_cf.c linux-2.6.38.4/drivers/ata/pata_ixp4xx_cf.c
22362 --- linux-2.6.38.4/drivers/ata/pata_ixp4xx_cf.c 2011-03-14 21:20:32.000000000 -0400
22363 +++ linux-2.6.38.4/drivers/ata/pata_ixp4xx_cf.c 2011-04-17 15:57:32.000000000 -0400
22364 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
22365 ATA_PIO_SHT(DRV_NAME),
22368 -static struct ata_port_operations ixp4xx_port_ops = {
22369 +static const struct ata_port_operations ixp4xx_port_ops = {
22370 .inherits = &ata_sff_port_ops,
22371 .sff_data_xfer = ixp4xx_mmio_data_xfer,
22372 .cable_detect = ata_cable_40wire,
22373 diff -urNp linux-2.6.38.4/drivers/ata/pata_jmicron.c linux-2.6.38.4/drivers/ata/pata_jmicron.c
22374 --- linux-2.6.38.4/drivers/ata/pata_jmicron.c 2011-03-14 21:20:32.000000000 -0400
22375 +++ linux-2.6.38.4/drivers/ata/pata_jmicron.c 2011-04-17 15:57:32.000000000 -0400
22376 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
22377 ATA_BMDMA_SHT(DRV_NAME),
22380 -static struct ata_port_operations jmicron_ops = {
22381 +static const struct ata_port_operations jmicron_ops = {
22382 .inherits = &ata_bmdma_port_ops,
22383 .prereset = jmicron_pre_reset,
22385 diff -urNp linux-2.6.38.4/drivers/ata/pata_legacy.c linux-2.6.38.4/drivers/ata/pata_legacy.c
22386 --- linux-2.6.38.4/drivers/ata/pata_legacy.c 2011-03-14 21:20:32.000000000 -0400
22387 +++ linux-2.6.38.4/drivers/ata/pata_legacy.c 2011-04-17 15:57:32.000000000 -0400
22388 @@ -116,7 +116,7 @@ struct legacy_probe {
22390 struct legacy_controller {
22392 - struct ata_port_operations *ops;
22393 + const struct ata_port_operations *ops;
22394 unsigned int pio_mask;
22395 unsigned int flags;
22396 unsigned int pflags;
22397 @@ -239,12 +239,12 @@ static const struct ata_port_operations
22398 * pio_mask as well.
22401 -static struct ata_port_operations simple_port_ops = {
22402 +static const struct ata_port_operations simple_port_ops = {
22403 .inherits = &legacy_base_port_ops,
22404 .sff_data_xfer = ata_sff_data_xfer_noirq,
22407 -static struct ata_port_operations legacy_port_ops = {
22408 +static const struct ata_port_operations legacy_port_ops = {
22409 .inherits = &legacy_base_port_ops,
22410 .sff_data_xfer = ata_sff_data_xfer_noirq,
22411 .set_mode = legacy_set_mode,
22412 @@ -340,7 +340,7 @@ static unsigned int pdc_data_xfer_vlb(st
22416 -static struct ata_port_operations pdc20230_port_ops = {
22417 +static const struct ata_port_operations pdc20230_port_ops = {
22418 .inherits = &legacy_base_port_ops,
22419 .set_piomode = pdc20230_set_piomode,
22420 .sff_data_xfer = pdc_data_xfer_vlb,
22421 @@ -373,7 +373,7 @@ static void ht6560a_set_piomode(struct a
22422 ioread8(ap->ioaddr.status_addr);
22425 -static struct ata_port_operations ht6560a_port_ops = {
22426 +static const struct ata_port_operations ht6560a_port_ops = {
22427 .inherits = &legacy_base_port_ops,
22428 .set_piomode = ht6560a_set_piomode,
22430 @@ -416,7 +416,7 @@ static void ht6560b_set_piomode(struct a
22431 ioread8(ap->ioaddr.status_addr);
22434 -static struct ata_port_operations ht6560b_port_ops = {
22435 +static const struct ata_port_operations ht6560b_port_ops = {
22436 .inherits = &legacy_base_port_ops,
22437 .set_piomode = ht6560b_set_piomode,
22439 @@ -515,7 +515,7 @@ static void opti82c611a_set_piomode(stru
22443 -static struct ata_port_operations opti82c611a_port_ops = {
22444 +static const struct ata_port_operations opti82c611a_port_ops = {
22445 .inherits = &legacy_base_port_ops,
22446 .set_piomode = opti82c611a_set_piomode,
22448 @@ -625,7 +625,7 @@ static unsigned int opti82c46x_qc_issue(
22449 return ata_sff_qc_issue(qc);
22452 -static struct ata_port_operations opti82c46x_port_ops = {
22453 +static const struct ata_port_operations opti82c46x_port_ops = {
22454 .inherits = &legacy_base_port_ops,
22455 .set_piomode = opti82c46x_set_piomode,
22456 .qc_issue = opti82c46x_qc_issue,
22457 @@ -787,20 +787,20 @@ static int qdi_port(struct platform_devi
22461 -static struct ata_port_operations qdi6500_port_ops = {
22462 +static const struct ata_port_operations qdi6500_port_ops = {
22463 .inherits = &legacy_base_port_ops,
22464 .set_piomode = qdi6500_set_piomode,
22465 .qc_issue = qdi_qc_issue,
22466 .sff_data_xfer = vlb32_data_xfer,
22469 -static struct ata_port_operations qdi6580_port_ops = {
22470 +static const struct ata_port_operations qdi6580_port_ops = {
22471 .inherits = &legacy_base_port_ops,
22472 .set_piomode = qdi6580_set_piomode,
22473 .sff_data_xfer = vlb32_data_xfer,
22476 -static struct ata_port_operations qdi6580dp_port_ops = {
22477 +static const struct ata_port_operations qdi6580dp_port_ops = {
22478 .inherits = &legacy_base_port_ops,
22479 .set_piomode = qdi6580dp_set_piomode,
22480 .qc_issue = qdi_qc_issue,
22481 @@ -872,7 +872,7 @@ static int winbond_port(struct platform_
22485 -static struct ata_port_operations winbond_port_ops = {
22486 +static const struct ata_port_operations winbond_port_ops = {
22487 .inherits = &legacy_base_port_ops,
22488 .set_piomode = winbond_set_piomode,
22489 .sff_data_xfer = vlb32_data_xfer,
22490 @@ -995,7 +995,7 @@ static __init int legacy_init_one(struct
22491 int pio_modes = controller->pio_mask;
22492 unsigned long io = probe->port;
22493 u32 mask = (1 << probe->slot);
22494 - struct ata_port_operations *ops = controller->ops;
22495 + const struct ata_port_operations *ops = controller->ops;
22496 struct legacy_data *ld = &legacy_data[probe->slot];
22497 struct ata_host *host = NULL;
22498 struct ata_port *ap;
22499 diff -urNp linux-2.6.38.4/drivers/ata/pata_macio.c linux-2.6.38.4/drivers/ata/pata_macio.c
22500 --- linux-2.6.38.4/drivers/ata/pata_macio.c 2011-03-14 21:20:32.000000000 -0400
22501 +++ linux-2.6.38.4/drivers/ata/pata_macio.c 2011-04-17 15:57:32.000000000 -0400
22502 @@ -918,9 +918,8 @@ static struct scsi_host_template pata_ma
22503 .slave_configure = pata_macio_slave_config,
22506 -static struct ata_port_operations pata_macio_ops = {
22507 +static const struct ata_port_operations pata_macio_ops = {
22508 .inherits = &ata_bmdma_port_ops,
22510 .freeze = pata_macio_freeze,
22511 .set_piomode = pata_macio_set_timings,
22512 .set_dmamode = pata_macio_set_timings,
22513 diff -urNp linux-2.6.38.4/drivers/ata/pata_marvell.c linux-2.6.38.4/drivers/ata/pata_marvell.c
22514 --- linux-2.6.38.4/drivers/ata/pata_marvell.c 2011-03-14 21:20:32.000000000 -0400
22515 +++ linux-2.6.38.4/drivers/ata/pata_marvell.c 2011-04-17 15:57:32.000000000 -0400
22516 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
22517 ATA_BMDMA_SHT(DRV_NAME),
22520 -static struct ata_port_operations marvell_ops = {
22521 +static const struct ata_port_operations marvell_ops = {
22522 .inherits = &ata_bmdma_port_ops,
22523 .cable_detect = marvell_cable_detect,
22524 .prereset = marvell_pre_reset,
22525 diff -urNp linux-2.6.38.4/drivers/ata/pata_mpc52xx.c linux-2.6.38.4/drivers/ata/pata_mpc52xx.c
22526 --- linux-2.6.38.4/drivers/ata/pata_mpc52xx.c 2011-03-14 21:20:32.000000000 -0400
22527 +++ linux-2.6.38.4/drivers/ata/pata_mpc52xx.c 2011-04-17 15:57:32.000000000 -0400
22528 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
22529 ATA_PIO_SHT(DRV_NAME),
22532 -static struct ata_port_operations mpc52xx_ata_port_ops = {
22533 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
22534 .inherits = &ata_bmdma_port_ops,
22535 .sff_dev_select = mpc52xx_ata_dev_select,
22536 .set_piomode = mpc52xx_ata_set_piomode,
22537 diff -urNp linux-2.6.38.4/drivers/ata/pata_mpiix.c linux-2.6.38.4/drivers/ata/pata_mpiix.c
22538 --- linux-2.6.38.4/drivers/ata/pata_mpiix.c 2011-03-14 21:20:32.000000000 -0400
22539 +++ linux-2.6.38.4/drivers/ata/pata_mpiix.c 2011-04-17 15:57:32.000000000 -0400
22540 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
22541 ATA_PIO_SHT(DRV_NAME),
22544 -static struct ata_port_operations mpiix_port_ops = {
22545 +static const struct ata_port_operations mpiix_port_ops = {
22546 .inherits = &ata_sff_port_ops,
22547 .qc_issue = mpiix_qc_issue,
22548 .cable_detect = ata_cable_40wire,
22549 diff -urNp linux-2.6.38.4/drivers/ata/pata_netcell.c linux-2.6.38.4/drivers/ata/pata_netcell.c
22550 --- linux-2.6.38.4/drivers/ata/pata_netcell.c 2011-03-14 21:20:32.000000000 -0400
22551 +++ linux-2.6.38.4/drivers/ata/pata_netcell.c 2011-04-17 15:57:32.000000000 -0400
22552 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
22553 ATA_BMDMA_SHT(DRV_NAME),
22556 -static struct ata_port_operations netcell_ops = {
22557 +static const struct ata_port_operations netcell_ops = {
22558 .inherits = &ata_bmdma_port_ops,
22559 .cable_detect = ata_cable_80wire,
22560 .read_id = netcell_read_id,
22561 diff -urNp linux-2.6.38.4/drivers/ata/pata_ninja32.c linux-2.6.38.4/drivers/ata/pata_ninja32.c
22562 --- linux-2.6.38.4/drivers/ata/pata_ninja32.c 2011-03-14 21:20:32.000000000 -0400
22563 +++ linux-2.6.38.4/drivers/ata/pata_ninja32.c 2011-04-17 15:57:32.000000000 -0400
22564 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
22565 ATA_BMDMA_SHT(DRV_NAME),
22568 -static struct ata_port_operations ninja32_port_ops = {
22569 +static const struct ata_port_operations ninja32_port_ops = {
22570 .inherits = &ata_bmdma_port_ops,
22571 .sff_dev_select = ninja32_dev_select,
22572 .cable_detect = ata_cable_40wire,
22573 diff -urNp linux-2.6.38.4/drivers/ata/pata_ns87410.c linux-2.6.38.4/drivers/ata/pata_ns87410.c
22574 --- linux-2.6.38.4/drivers/ata/pata_ns87410.c 2011-03-14 21:20:32.000000000 -0400
22575 +++ linux-2.6.38.4/drivers/ata/pata_ns87410.c 2011-04-17 15:57:32.000000000 -0400
22576 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
22577 ATA_PIO_SHT(DRV_NAME),
22580 -static struct ata_port_operations ns87410_port_ops = {
22581 +static const struct ata_port_operations ns87410_port_ops = {
22582 .inherits = &ata_sff_port_ops,
22583 .qc_issue = ns87410_qc_issue,
22584 .cable_detect = ata_cable_40wire,
22585 diff -urNp linux-2.6.38.4/drivers/ata/pata_ns87415.c linux-2.6.38.4/drivers/ata/pata_ns87415.c
22586 --- linux-2.6.38.4/drivers/ata/pata_ns87415.c 2011-03-14 21:20:32.000000000 -0400
22587 +++ linux-2.6.38.4/drivers/ata/pata_ns87415.c 2011-04-17 15:57:32.000000000 -0400
22588 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
22590 #endif /* 87560 SuperIO Support */
22592 -static struct ata_port_operations ns87415_pata_ops = {
22593 +static const struct ata_port_operations ns87415_pata_ops = {
22594 .inherits = &ata_bmdma_port_ops,
22596 .check_atapi_dma = ns87415_check_atapi_dma,
22597 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
22600 #if defined(CONFIG_SUPERIO)
22601 -static struct ata_port_operations ns87560_pata_ops = {
22602 +static const struct ata_port_operations ns87560_pata_ops = {
22603 .inherits = &ns87415_pata_ops,
22604 .sff_tf_read = ns87560_tf_read,
22605 .sff_check_status = ns87560_check_status,
22606 diff -urNp linux-2.6.38.4/drivers/ata/pata_octeon_cf.c linux-2.6.38.4/drivers/ata/pata_octeon_cf.c
22607 --- linux-2.6.38.4/drivers/ata/pata_octeon_cf.c 2011-03-14 21:20:32.000000000 -0400
22608 +++ linux-2.6.38.4/drivers/ata/pata_octeon_cf.c 2011-04-17 15:57:32.000000000 -0400
22609 @@ -780,7 +780,7 @@ static unsigned int octeon_cf_qc_issue(s
22613 -static struct ata_port_operations octeon_cf_ops = {
22614 +static struct ata_port_operations octeon_cf_ops = { /* cannot be const */
22615 .inherits = &ata_sff_port_ops,
22616 .check_atapi_dma = octeon_cf_check_atapi_dma,
22617 .qc_prep = ata_noop_qc_prep,
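Review bot: The `/* cannot be const */` comment on `octeon_cf_ops` records the exception but not its reason, so the next maintainer cleaning up ata_port_operations tables has to rediscover it; presumably the driver assigns method pointers into this table at probe time depending on the detected interface, and that should be confirmed and written down, e.g. `/* not const: octeon_cf_probe() assigns methods into this table at runtime */`. If so, this is the one function-pointer table in this set that stays writable, which is worth a line in the description. The octeon_cf_ops initializer continues outside the hunk.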
22618 diff -urNp linux-2.6.38.4/drivers/ata/pata_oldpiix.c linux-2.6.38.4/drivers/ata/pata_oldpiix.c
22619 --- linux-2.6.38.4/drivers/ata/pata_oldpiix.c 2011-03-14 21:20:32.000000000 -0400
22620 +++ linux-2.6.38.4/drivers/ata/pata_oldpiix.c 2011-04-17 15:57:32.000000000 -0400
22621 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
22622 ATA_BMDMA_SHT(DRV_NAME),
22625 -static struct ata_port_operations oldpiix_pata_ops = {
22626 +static const struct ata_port_operations oldpiix_pata_ops = {
22627 .inherits = &ata_bmdma_port_ops,
22628 .qc_issue = oldpiix_qc_issue,
22629 .cable_detect = ata_cable_40wire,
22630 diff -urNp linux-2.6.38.4/drivers/ata/pata_opti.c linux-2.6.38.4/drivers/ata/pata_opti.c
22631 --- linux-2.6.38.4/drivers/ata/pata_opti.c 2011-03-14 21:20:32.000000000 -0400
22632 +++ linux-2.6.38.4/drivers/ata/pata_opti.c 2011-04-17 15:57:32.000000000 -0400
22633 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
22634 ATA_PIO_SHT(DRV_NAME),
22637 -static struct ata_port_operations opti_port_ops = {
22638 +static const struct ata_port_operations opti_port_ops = {
22639 .inherits = &ata_sff_port_ops,
22640 .cable_detect = ata_cable_40wire,
22641 .set_piomode = opti_set_piomode,
22642 diff -urNp linux-2.6.38.4/drivers/ata/pata_optidma.c linux-2.6.38.4/drivers/ata/pata_optidma.c
22643 --- linux-2.6.38.4/drivers/ata/pata_optidma.c 2011-03-14 21:20:32.000000000 -0400
22644 +++ linux-2.6.38.4/drivers/ata/pata_optidma.c 2011-04-17 15:57:32.000000000 -0400
22645 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
22646 ATA_BMDMA_SHT(DRV_NAME),
22649 -static struct ata_port_operations optidma_port_ops = {
22650 +static const struct ata_port_operations optidma_port_ops = {
22651 .inherits = &ata_bmdma_port_ops,
22652 .cable_detect = ata_cable_40wire,
22653 .set_piomode = optidma_set_pio_mode,
22654 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
22655 .prereset = optidma_pre_reset,
22658 -static struct ata_port_operations optiplus_port_ops = {
22659 +static const struct ata_port_operations optiplus_port_ops = {
22660 .inherits = &optidma_port_ops,
22661 .set_piomode = optiplus_set_pio_mode,
22662 .set_dmamode = optiplus_set_dma_mode,
22663 diff -urNp linux-2.6.38.4/drivers/ata/pata_palmld.c linux-2.6.38.4/drivers/ata/pata_palmld.c
22664 --- linux-2.6.38.4/drivers/ata/pata_palmld.c 2011-03-14 21:20:32.000000000 -0400
22665 +++ linux-2.6.38.4/drivers/ata/pata_palmld.c 2011-04-17 15:57:32.000000000 -0400
22666 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
22667 ATA_PIO_SHT(DRV_NAME),
22670 -static struct ata_port_operations palmld_port_ops = {
22671 +static const struct ata_port_operations palmld_port_ops = {
22672 .inherits = &ata_sff_port_ops,
22673 .sff_data_xfer = ata_sff_data_xfer_noirq,
22674 .cable_detect = ata_cable_40wire,
22675 diff -urNp linux-2.6.38.4/drivers/ata/pata_pcmcia.c linux-2.6.38.4/drivers/ata/pata_pcmcia.c
22676 --- linux-2.6.38.4/drivers/ata/pata_pcmcia.c 2011-03-14 21:20:32.000000000 -0400
22677 +++ linux-2.6.38.4/drivers/ata/pata_pcmcia.c 2011-04-17 15:57:32.000000000 -0400
22678 @@ -151,14 +151,14 @@ static struct scsi_host_template pcmcia_
22679 ATA_PIO_SHT(DRV_NAME),
22682 -static struct ata_port_operations pcmcia_port_ops = {
22683 +static const struct ata_port_operations pcmcia_port_ops = {
22684 .inherits = &ata_sff_port_ops,
22685 .sff_data_xfer = ata_sff_data_xfer_noirq,
22686 .cable_detect = ata_cable_40wire,
22687 .set_mode = pcmcia_set_mode,
22690 -static struct ata_port_operations pcmcia_8bit_port_ops = {
22691 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
22692 .inherits = &ata_sff_port_ops,
22693 .sff_data_xfer = ata_data_xfer_8bit,
22694 .cable_detect = ata_cable_40wire,
22695 @@ -205,7 +205,7 @@ static int pcmcia_init_one(struct pcmcia
22696 unsigned long io_base, ctl_base;
22697 void __iomem *io_addr, *ctl_addr;
22699 - struct ata_port_operations *ops = &pcmcia_port_ops;
22700 + const struct ata_port_operations *ops = &pcmcia_port_ops;
22702 /* Set up attributes in order to probe card and get resources */
22703 pdev->config_flags |= CONF_ENABLE_IRQ | CONF_AUTO_SET_IO |
22704 diff -urNp linux-2.6.38.4/drivers/ata/pata_pdc2027x.c linux-2.6.38.4/drivers/ata/pata_pdc2027x.c
22705 --- linux-2.6.38.4/drivers/ata/pata_pdc2027x.c 2011-03-14 21:20:32.000000000 -0400
22706 +++ linux-2.6.38.4/drivers/ata/pata_pdc2027x.c 2011-04-17 15:57:32.000000000 -0400
22707 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
22708 ATA_BMDMA_SHT(DRV_NAME),
22711 -static struct ata_port_operations pdc2027x_pata100_ops = {
22712 +static const struct ata_port_operations pdc2027x_pata100_ops = {
22713 .inherits = &ata_bmdma_port_ops,
22714 .check_atapi_dma = pdc2027x_check_atapi_dma,
22715 .cable_detect = pdc2027x_cable_detect,
22716 .prereset = pdc2027x_prereset,
22719 -static struct ata_port_operations pdc2027x_pata133_ops = {
22720 +static const struct ata_port_operations pdc2027x_pata133_ops = {
22721 .inherits = &pdc2027x_pata100_ops,
22722 .mode_filter = pdc2027x_mode_filter,
22723 .set_piomode = pdc2027x_set_piomode,
22724 diff -urNp linux-2.6.38.4/drivers/ata/pata_pdc202xx_old.c linux-2.6.38.4/drivers/ata/pata_pdc202xx_old.c
22725 --- linux-2.6.38.4/drivers/ata/pata_pdc202xx_old.c 2011-03-14 21:20:32.000000000 -0400
22726 +++ linux-2.6.38.4/drivers/ata/pata_pdc202xx_old.c 2011-04-17 15:57:32.000000000 -0400
22727 @@ -295,7 +295,7 @@ static struct scsi_host_template pdc202x
22728 ATA_BMDMA_SHT(DRV_NAME),
22731 -static struct ata_port_operations pdc2024x_port_ops = {
22732 +static const struct ata_port_operations pdc2024x_port_ops = {
22733 .inherits = &ata_bmdma_port_ops,
22735 .cable_detect = ata_cable_40wire,
22736 @@ -306,7 +306,7 @@ static struct ata_port_operations pdc202
22737 .sff_irq_check = pdc202xx_irq_check,
22740 -static struct ata_port_operations pdc2026x_port_ops = {
22741 +static const struct ata_port_operations pdc2026x_port_ops = {
22742 .inherits = &pdc2024x_port_ops,
22744 .check_atapi_dma = pdc2026x_check_atapi_dma,
22745 diff -urNp linux-2.6.38.4/drivers/ata/pata_piccolo.c linux-2.6.38.4/drivers/ata/pata_piccolo.c
22746 --- linux-2.6.38.4/drivers/ata/pata_piccolo.c 2011-03-14 21:20:32.000000000 -0400
22747 +++ linux-2.6.38.4/drivers/ata/pata_piccolo.c 2011-04-17 15:57:32.000000000 -0400
22748 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
22749 ATA_BMDMA_SHT(DRV_NAME),
22752 -static struct ata_port_operations tosh_port_ops = {
22753 +static const struct ata_port_operations tosh_port_ops = {
22754 .inherits = &ata_bmdma_port_ops,
22755 .cable_detect = ata_cable_unknown,
22756 .set_piomode = tosh_set_piomode,
22757 diff -urNp linux-2.6.38.4/drivers/ata/pata_platform.c linux-2.6.38.4/drivers/ata/pata_platform.c
22758 --- linux-2.6.38.4/drivers/ata/pata_platform.c 2011-03-14 21:20:32.000000000 -0400
22759 +++ linux-2.6.38.4/drivers/ata/pata_platform.c 2011-04-17 15:57:32.000000000 -0400
22760 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
22761 ATA_PIO_SHT(DRV_NAME),
22764 -static struct ata_port_operations pata_platform_port_ops = {
22765 +static const struct ata_port_operations pata_platform_port_ops = {
22766 .inherits = &ata_sff_port_ops,
22767 .sff_data_xfer = ata_sff_data_xfer_noirq,
22768 .cable_detect = ata_cable_unknown,
22769 diff -urNp linux-2.6.38.4/drivers/ata/pata_pxa.c linux-2.6.38.4/drivers/ata/pata_pxa.c
22770 --- linux-2.6.38.4/drivers/ata/pata_pxa.c 2011-03-14 21:20:32.000000000 -0400
22771 +++ linux-2.6.38.4/drivers/ata/pata_pxa.c 2011-04-17 15:57:32.000000000 -0400
22772 @@ -198,7 +198,7 @@ static struct scsi_host_template pxa_ata
22773 ATA_BMDMA_SHT(DRV_NAME),
22776 -static struct ata_port_operations pxa_ata_port_ops = {
22777 +static const struct ata_port_operations pxa_ata_port_ops = {
22778 .inherits = &ata_bmdma_port_ops,
22779 .cable_detect = ata_cable_40wire,
22781 diff -urNp linux-2.6.38.4/drivers/ata/pata_qdi.c linux-2.6.38.4/drivers/ata/pata_qdi.c
22782 --- linux-2.6.38.4/drivers/ata/pata_qdi.c 2011-03-14 21:20:32.000000000 -0400
22783 +++ linux-2.6.38.4/drivers/ata/pata_qdi.c 2011-04-17 15:57:32.000000000 -0400
22784 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
22785 ATA_PIO_SHT(DRV_NAME),
22788 -static struct ata_port_operations qdi6500_port_ops = {
22789 +static const struct ata_port_operations qdi6500_port_ops = {
22790 .inherits = &ata_sff_port_ops,
22791 .qc_issue = qdi_qc_issue,
22792 .sff_data_xfer = qdi_data_xfer,
22793 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
22794 .set_piomode = qdi6500_set_piomode,
22797 -static struct ata_port_operations qdi6580_port_ops = {
22798 +static const struct ata_port_operations qdi6580_port_ops = {
22799 .inherits = &qdi6500_port_ops,
22800 .set_piomode = qdi6580_set_piomode,
22802 diff -urNp linux-2.6.38.4/drivers/ata/pata_radisys.c linux-2.6.38.4/drivers/ata/pata_radisys.c
22803 --- linux-2.6.38.4/drivers/ata/pata_radisys.c 2011-03-14 21:20:32.000000000 -0400
22804 +++ linux-2.6.38.4/drivers/ata/pata_radisys.c 2011-04-17 15:57:32.000000000 -0400
22805 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
22806 ATA_BMDMA_SHT(DRV_NAME),
22809 -static struct ata_port_operations radisys_pata_ops = {
22810 +static const struct ata_port_operations radisys_pata_ops = {
22811 .inherits = &ata_bmdma_port_ops,
22812 .qc_issue = radisys_qc_issue,
22813 .cable_detect = ata_cable_unknown,
22814 diff -urNp linux-2.6.38.4/drivers/ata/pata_rb532_cf.c linux-2.6.38.4/drivers/ata/pata_rb532_cf.c
22815 --- linux-2.6.38.4/drivers/ata/pata_rb532_cf.c 2011-03-14 21:20:32.000000000 -0400
22816 +++ linux-2.6.38.4/drivers/ata/pata_rb532_cf.c 2011-04-17 15:57:32.000000000 -0400
22817 @@ -69,7 +69,7 @@ static irqreturn_t rb532_pata_irq_handle
22818 return IRQ_HANDLED;
22821 -static struct ata_port_operations rb532_pata_port_ops = {
22822 +static const struct ata_port_operations rb532_pata_port_ops = {
22823 .inherits = &ata_sff_port_ops,
22824 .sff_data_xfer = ata_sff_data_xfer32,
22826 diff -urNp linux-2.6.38.4/drivers/ata/pata_rdc.c linux-2.6.38.4/drivers/ata/pata_rdc.c
22827 --- linux-2.6.38.4/drivers/ata/pata_rdc.c 2011-03-14 21:20:32.000000000 -0400
22828 +++ linux-2.6.38.4/drivers/ata/pata_rdc.c 2011-04-17 15:57:32.000000000 -0400
22829 @@ -273,7 +273,7 @@ static void rdc_set_dmamode(struct ata_p
22830 pci_write_config_byte(dev, 0x48, udma_enable);
22833 -static struct ata_port_operations rdc_pata_ops = {
22834 +static const struct ata_port_operations rdc_pata_ops = {
22835 .inherits = &ata_bmdma32_port_ops,
22836 .cable_detect = rdc_pata_cable_detect,
22837 .set_piomode = rdc_set_piomode,
22838 diff -urNp linux-2.6.38.4/drivers/ata/pata_rz1000.c linux-2.6.38.4/drivers/ata/pata_rz1000.c
22839 --- linux-2.6.38.4/drivers/ata/pata_rz1000.c 2011-03-14 21:20:32.000000000 -0400
22840 +++ linux-2.6.38.4/drivers/ata/pata_rz1000.c 2011-04-17 15:57:32.000000000 -0400
22841 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
22842 ATA_PIO_SHT(DRV_NAME),
22845 -static struct ata_port_operations rz1000_port_ops = {
22846 +static const struct ata_port_operations rz1000_port_ops = {
22847 .inherits = &ata_sff_port_ops,
22848 .cable_detect = ata_cable_40wire,
22849 .set_mode = rz1000_set_mode,
22850 diff -urNp linux-2.6.38.4/drivers/ata/pata_samsung_cf.c linux-2.6.38.4/drivers/ata/pata_samsung_cf.c
22851 --- linux-2.6.38.4/drivers/ata/pata_samsung_cf.c 2011-03-14 21:20:32.000000000 -0400
22852 +++ linux-2.6.38.4/drivers/ata/pata_samsung_cf.c 2011-04-17 15:57:32.000000000 -0400
22853 @@ -399,7 +399,7 @@ static struct scsi_host_template pata_s3
22854 ATA_PIO_SHT(DRV_NAME),
22857 -static struct ata_port_operations pata_s3c_port_ops = {
22858 +static const struct ata_port_operations pata_s3c_port_ops = {
22859 .inherits = &ata_sff_port_ops,
22860 .sff_check_status = pata_s3c_check_status,
22861 .sff_check_altstatus = pata_s3c_check_altstatus,
22862 @@ -413,7 +413,7 @@ static struct ata_port_operations pata_s
22863 .set_piomode = pata_s3c_set_piomode,
22866 -static struct ata_port_operations pata_s5p_port_ops = {
22867 +static const struct ata_port_operations pata_s5p_port_ops = {
22868 .inherits = &ata_sff_port_ops,
22869 .set_piomode = pata_s3c_set_piomode,
22871 diff -urNp linux-2.6.38.4/drivers/ata/pata_sc1200.c linux-2.6.38.4/drivers/ata/pata_sc1200.c
22872 --- linux-2.6.38.4/drivers/ata/pata_sc1200.c 2011-03-14 21:20:32.000000000 -0400
22873 +++ linux-2.6.38.4/drivers/ata/pata_sc1200.c 2011-04-17 15:57:32.000000000 -0400
22874 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
22875 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
22878 -static struct ata_port_operations sc1200_port_ops = {
22879 +static const struct ata_port_operations sc1200_port_ops = {
22880 .inherits = &ata_bmdma_port_ops,
22881 .qc_prep = ata_bmdma_dumb_qc_prep,
22882 .qc_issue = sc1200_qc_issue,
22883 diff -urNp linux-2.6.38.4/drivers/ata/pata_scc.c linux-2.6.38.4/drivers/ata/pata_scc.c
22884 --- linux-2.6.38.4/drivers/ata/pata_scc.c 2011-03-14 21:20:32.000000000 -0400
22885 +++ linux-2.6.38.4/drivers/ata/pata_scc.c 2011-04-17 15:57:32.000000000 -0400
22886 @@ -926,7 +926,7 @@ static struct scsi_host_template scc_sht
22887 ATA_BMDMA_SHT(DRV_NAME),
22890 -static struct ata_port_operations scc_pata_ops = {
22891 +static const struct ata_port_operations scc_pata_ops = {
22892 .inherits = &ata_bmdma_port_ops,
22894 .set_piomode = scc_set_piomode,
22895 diff -urNp linux-2.6.38.4/drivers/ata/pata_sch.c linux-2.6.38.4/drivers/ata/pata_sch.c
22896 --- linux-2.6.38.4/drivers/ata/pata_sch.c 2011-03-14 21:20:32.000000000 -0400
22897 +++ linux-2.6.38.4/drivers/ata/pata_sch.c 2011-04-17 15:57:32.000000000 -0400
22898 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
22899 ATA_BMDMA_SHT(DRV_NAME),
22902 -static struct ata_port_operations sch_pata_ops = {
22903 +static const struct ata_port_operations sch_pata_ops = {
22904 .inherits = &ata_bmdma_port_ops,
22905 .cable_detect = ata_cable_unknown,
22906 .set_piomode = sch_set_piomode,
22907 diff -urNp linux-2.6.38.4/drivers/ata/pata_serverworks.c linux-2.6.38.4/drivers/ata/pata_serverworks.c
22908 --- linux-2.6.38.4/drivers/ata/pata_serverworks.c 2011-03-14 21:20:32.000000000 -0400
22909 +++ linux-2.6.38.4/drivers/ata/pata_serverworks.c 2011-04-17 15:57:32.000000000 -0400
22910 @@ -300,7 +300,7 @@ static struct scsi_host_template serverw
22911 ATA_BMDMA_SHT(DRV_NAME),
22914 -static struct ata_port_operations serverworks_osb4_port_ops = {
22915 +static const struct ata_port_operations serverworks_osb4_port_ops = {
22916 .inherits = &ata_bmdma_port_ops,
22917 .cable_detect = serverworks_cable_detect,
22918 .mode_filter = serverworks_osb4_filter,
22919 @@ -308,7 +308,7 @@ static struct ata_port_operations server
22920 .set_dmamode = serverworks_set_dmamode,
22923 -static struct ata_port_operations serverworks_csb_port_ops = {
22924 +static const struct ata_port_operations serverworks_csb_port_ops = {
22925 .inherits = &serverworks_osb4_port_ops,
22926 .mode_filter = serverworks_csb_filter,
22928 diff -urNp linux-2.6.38.4/drivers/ata/pata_sil680.c linux-2.6.38.4/drivers/ata/pata_sil680.c
22929 --- linux-2.6.38.4/drivers/ata/pata_sil680.c 2011-03-14 21:20:32.000000000 -0400
22930 +++ linux-2.6.38.4/drivers/ata/pata_sil680.c 2011-04-17 15:57:32.000000000 -0400
22931 @@ -225,8 +225,7 @@ static struct scsi_host_template sil680_
22932 ATA_BMDMA_SHT(DRV_NAME),
22936 -static struct ata_port_operations sil680_port_ops = {
22937 +static const struct ata_port_operations sil680_port_ops = {
22938 .inherits = &ata_bmdma32_port_ops,
22939 .sff_exec_command = sil680_sff_exec_command,
22940 .sff_irq_check = sil680_sff_irq_check,
22941 diff -urNp linux-2.6.38.4/drivers/ata/pata_sis.c linux-2.6.38.4/drivers/ata/pata_sis.c
22942 --- linux-2.6.38.4/drivers/ata/pata_sis.c 2011-03-14 21:20:32.000000000 -0400
22943 +++ linux-2.6.38.4/drivers/ata/pata_sis.c 2011-04-17 15:57:32.000000000 -0400
22944 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
22945 ATA_BMDMA_SHT(DRV_NAME),
22948 -static struct ata_port_operations sis_133_for_sata_ops = {
22949 +static const struct ata_port_operations sis_133_for_sata_ops = {
22950 .inherits = &ata_bmdma_port_ops,
22951 .set_piomode = sis_133_set_piomode,
22952 .set_dmamode = sis_133_set_dmamode,
22953 .cable_detect = sis_133_cable_detect,
22956 -static struct ata_port_operations sis_base_ops = {
22957 +static const struct ata_port_operations sis_base_ops = {
22958 .inherits = &ata_bmdma_port_ops,
22959 .prereset = sis_pre_reset,
22962 -static struct ata_port_operations sis_133_ops = {
22963 +static const struct ata_port_operations sis_133_ops = {
22964 .inherits = &sis_base_ops,
22965 .set_piomode = sis_133_set_piomode,
22966 .set_dmamode = sis_133_set_dmamode,
22967 .cable_detect = sis_133_cable_detect,
22970 -static struct ata_port_operations sis_133_early_ops = {
22971 +static const struct ata_port_operations sis_133_early_ops = {
22972 .inherits = &sis_base_ops,
22973 .set_piomode = sis_100_set_piomode,
22974 .set_dmamode = sis_133_early_set_dmamode,
22975 .cable_detect = sis_66_cable_detect,
22978 -static struct ata_port_operations sis_100_ops = {
22979 +static const struct ata_port_operations sis_100_ops = {
22980 .inherits = &sis_base_ops,
22981 .set_piomode = sis_100_set_piomode,
22982 .set_dmamode = sis_100_set_dmamode,
22983 .cable_detect = sis_66_cable_detect,
22986 -static struct ata_port_operations sis_66_ops = {
22987 +static const struct ata_port_operations sis_66_ops = {
22988 .inherits = &sis_base_ops,
22989 .set_piomode = sis_old_set_piomode,
22990 .set_dmamode = sis_66_set_dmamode,
22991 .cable_detect = sis_66_cable_detect,
22994 -static struct ata_port_operations sis_old_ops = {
22995 +static const struct ata_port_operations sis_old_ops = {
22996 .inherits = &sis_base_ops,
22997 .set_piomode = sis_old_set_piomode,
22998 .set_dmamode = sis_old_set_dmamode,
22999 diff -urNp linux-2.6.38.4/drivers/ata/pata_sl82c105.c linux-2.6.38.4/drivers/ata/pata_sl82c105.c
23000 --- linux-2.6.38.4/drivers/ata/pata_sl82c105.c 2011-03-14 21:20:32.000000000 -0400
23001 +++ linux-2.6.38.4/drivers/ata/pata_sl82c105.c 2011-04-17 15:57:32.000000000 -0400
23002 @@ -241,7 +241,7 @@ static struct scsi_host_template sl82c10
23003 ATA_BMDMA_SHT(DRV_NAME),
23006 -static struct ata_port_operations sl82c105_port_ops = {
23007 +static const struct ata_port_operations sl82c105_port_ops = {
23008 .inherits = &ata_bmdma_port_ops,
23009 .qc_defer = sl82c105_qc_defer,
23010 .bmdma_start = sl82c105_bmdma_start,
23011 diff -urNp linux-2.6.38.4/drivers/ata/pata_triflex.c linux-2.6.38.4/drivers/ata/pata_triflex.c
23012 --- linux-2.6.38.4/drivers/ata/pata_triflex.c 2011-03-14 21:20:32.000000000 -0400
23013 +++ linux-2.6.38.4/drivers/ata/pata_triflex.c 2011-04-17 15:57:32.000000000 -0400
23014 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
23015 ATA_BMDMA_SHT(DRV_NAME),
23018 -static struct ata_port_operations triflex_port_ops = {
23019 +static const struct ata_port_operations triflex_port_ops = {
23020 .inherits = &ata_bmdma_port_ops,
23021 .bmdma_start = triflex_bmdma_start,
23022 .bmdma_stop = triflex_bmdma_stop,
23023 diff -urNp linux-2.6.38.4/drivers/ata/pata_via.c linux-2.6.38.4/drivers/ata/pata_via.c
23024 --- linux-2.6.38.4/drivers/ata/pata_via.c 2011-03-14 21:20:32.000000000 -0400
23025 +++ linux-2.6.38.4/drivers/ata/pata_via.c 2011-04-17 15:57:32.000000000 -0400
23026 @@ -441,7 +441,7 @@ static struct scsi_host_template via_sht
23027 ATA_BMDMA_SHT(DRV_NAME),
23030 -static struct ata_port_operations via_port_ops = {
23031 +static const struct ata_port_operations via_port_ops = {
23032 .inherits = &ata_bmdma_port_ops,
23033 .cable_detect = via_cable_detect,
23034 .set_piomode = via_set_piomode,
23035 @@ -452,7 +452,7 @@ static struct ata_port_operations via_po
23036 .mode_filter = via_mode_filter,
23039 -static struct ata_port_operations via_port_ops_noirq = {
23040 +static const struct ata_port_operations via_port_ops_noirq = {
23041 .inherits = &via_port_ops,
23042 .sff_data_xfer = ata_sff_data_xfer_noirq,
23044 diff -urNp linux-2.6.38.4/drivers/ata/pdc_adma.c linux-2.6.38.4/drivers/ata/pdc_adma.c
23045 --- linux-2.6.38.4/drivers/ata/pdc_adma.c 2011-03-14 21:20:32.000000000 -0400
23046 +++ linux-2.6.38.4/drivers/ata/pdc_adma.c 2011-04-17 15:57:32.000000000 -0400
23047 @@ -146,7 +146,7 @@ static struct scsi_host_template adma_at
23048 .dma_boundary = ADMA_DMA_BOUNDARY,
23051 -static struct ata_port_operations adma_ata_ops = {
23052 +static const struct ata_port_operations adma_ata_ops = {
23053 .inherits = &ata_sff_port_ops,
23055 .lost_interrupt = ATA_OP_NULL,
23056 diff -urNp linux-2.6.38.4/drivers/ata/sata_dwc_460ex.c linux-2.6.38.4/drivers/ata/sata_dwc_460ex.c
23057 --- linux-2.6.38.4/drivers/ata/sata_dwc_460ex.c 2011-03-14 21:20:32.000000000 -0400
23058 +++ linux-2.6.38.4/drivers/ata/sata_dwc_460ex.c 2011-04-17 15:57:32.000000000 -0400
23059 @@ -1560,7 +1560,7 @@ static struct scsi_host_template sata_dw
23060 .dma_boundary = ATA_DMA_BOUNDARY,
23063 -static struct ata_port_operations sata_dwc_ops = {
23064 +static const struct ata_port_operations sata_dwc_ops = {
23065 .inherits = &ata_sff_port_ops,
23067 .error_handler = sata_dwc_error_handler,
23068 diff -urNp linux-2.6.38.4/drivers/ata/sata_fsl.c linux-2.6.38.4/drivers/ata/sata_fsl.c
23069 --- linux-2.6.38.4/drivers/ata/sata_fsl.c 2011-03-14 21:20:32.000000000 -0400
23070 +++ linux-2.6.38.4/drivers/ata/sata_fsl.c 2011-04-17 15:57:32.000000000 -0400
23071 @@ -1258,7 +1258,7 @@ static struct scsi_host_template sata_fs
23072 .dma_boundary = ATA_DMA_BOUNDARY,
23075 -static struct ata_port_operations sata_fsl_ops = {
23076 +static const struct ata_port_operations sata_fsl_ops = {
23077 .inherits = &sata_pmp_port_ops,
23079 .qc_defer = ata_std_qc_defer,
23080 diff -urNp linux-2.6.38.4/drivers/ata/sata_inic162x.c linux-2.6.38.4/drivers/ata/sata_inic162x.c
23081 --- linux-2.6.38.4/drivers/ata/sata_inic162x.c 2011-03-14 21:20:32.000000000 -0400
23082 +++ linux-2.6.38.4/drivers/ata/sata_inic162x.c 2011-04-17 15:57:32.000000000 -0400
23083 @@ -705,7 +705,7 @@ static int inic_port_start(struct ata_po
23087 -static struct ata_port_operations inic_port_ops = {
23088 +static const struct ata_port_operations inic_port_ops = {
23089 .inherits = &sata_port_ops,
23091 .check_atapi_dma = inic_check_atapi_dma,
23092 diff -urNp linux-2.6.38.4/drivers/ata/sata_mv.c linux-2.6.38.4/drivers/ata/sata_mv.c
23093 --- linux-2.6.38.4/drivers/ata/sata_mv.c 2011-03-14 21:20:32.000000000 -0400
23094 +++ linux-2.6.38.4/drivers/ata/sata_mv.c 2011-04-17 15:57:32.000000000 -0400
23095 @@ -663,7 +663,7 @@ static struct scsi_host_template mv6_sht
23096 .dma_boundary = MV_DMA_BOUNDARY,
23099 -static struct ata_port_operations mv5_ops = {
23100 +static const struct ata_port_operations mv5_ops = {
23101 .inherits = &ata_sff_port_ops,
23103 .lost_interrupt = ATA_OP_NULL,
23104 @@ -683,7 +683,7 @@ static struct ata_port_operations mv5_op
23105 .port_stop = mv_port_stop,
23108 -static struct ata_port_operations mv6_ops = {
23109 +static const struct ata_port_operations mv6_ops = {
23110 .inherits = &ata_bmdma_port_ops,
23112 .lost_interrupt = ATA_OP_NULL,
23113 @@ -717,7 +717,7 @@ static struct ata_port_operations mv6_op
23114 .port_stop = mv_port_stop,
23117 -static struct ata_port_operations mv_iie_ops = {
23118 +static const struct ata_port_operations mv_iie_ops = {
23119 .inherits = &mv6_ops,
23120 .dev_config = ATA_OP_NULL,
23121 .qc_prep = mv_qc_prep_iie,
23122 diff -urNp linux-2.6.38.4/drivers/ata/sata_nv.c linux-2.6.38.4/drivers/ata/sata_nv.c
23123 --- linux-2.6.38.4/drivers/ata/sata_nv.c 2011-03-14 21:20:32.000000000 -0400
23124 +++ linux-2.6.38.4/drivers/ata/sata_nv.c 2011-04-17 15:57:32.000000000 -0400
23125 @@ -465,7 +465,7 @@ static struct scsi_host_template nv_swnc
23126 * cases. Define nv_hardreset() which only kicks in for post-boot
23127 * probing and use it for all variants.
23129 -static struct ata_port_operations nv_generic_ops = {
23130 +static const struct ata_port_operations nv_generic_ops = {
23131 .inherits = &ata_bmdma_port_ops,
23132 .lost_interrupt = ATA_OP_NULL,
23133 .scr_read = nv_scr_read,
23134 @@ -473,20 +473,20 @@ static struct ata_port_operations nv_gen
23135 .hardreset = nv_hardreset,
23138 -static struct ata_port_operations nv_nf2_ops = {
23139 +static const struct ata_port_operations nv_nf2_ops = {
23140 .inherits = &nv_generic_ops,
23141 .freeze = nv_nf2_freeze,
23142 .thaw = nv_nf2_thaw,
23145 -static struct ata_port_operations nv_ck804_ops = {
23146 +static const struct ata_port_operations nv_ck804_ops = {
23147 .inherits = &nv_generic_ops,
23148 .freeze = nv_ck804_freeze,
23149 .thaw = nv_ck804_thaw,
23150 .host_stop = nv_ck804_host_stop,
23153 -static struct ata_port_operations nv_adma_ops = {
23154 +static const struct ata_port_operations nv_adma_ops = {
23155 .inherits = &nv_ck804_ops,
23157 .check_atapi_dma = nv_adma_check_atapi_dma,
23158 @@ -510,7 +510,7 @@ static struct ata_port_operations nv_adm
23159 .host_stop = nv_adma_host_stop,
23162 -static struct ata_port_operations nv_swncq_ops = {
23163 +static const struct ata_port_operations nv_swncq_ops = {
23164 .inherits = &nv_generic_ops,
23166 .qc_defer = ata_std_qc_defer,
23167 diff -urNp linux-2.6.38.4/drivers/ata/sata_promise.c linux-2.6.38.4/drivers/ata/sata_promise.c
23168 --- linux-2.6.38.4/drivers/ata/sata_promise.c 2011-03-14 21:20:32.000000000 -0400
23169 +++ linux-2.6.38.4/drivers/ata/sata_promise.c 2011-04-17 15:57:32.000000000 -0400
23170 @@ -196,7 +196,7 @@ static const struct ata_port_operations
23171 .error_handler = pdc_error_handler,
23174 -static struct ata_port_operations pdc_sata_ops = {
23175 +static const struct ata_port_operations pdc_sata_ops = {
23176 .inherits = &pdc_common_ops,
23177 .cable_detect = pdc_sata_cable_detect,
23178 .freeze = pdc_sata_freeze,
23179 @@ -209,14 +209,14 @@ static struct ata_port_operations pdc_sa
23181 /* First-generation chips need a more restrictive ->check_atapi_dma op,
23182 and ->freeze/thaw that ignore the hotplug controls. */
23183 -static struct ata_port_operations pdc_old_sata_ops = {
23184 +static const struct ata_port_operations pdc_old_sata_ops = {
23185 .inherits = &pdc_sata_ops,
23186 .freeze = pdc_freeze,
23188 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
23191 -static struct ata_port_operations pdc_pata_ops = {
23192 +static const struct ata_port_operations pdc_pata_ops = {
23193 .inherits = &pdc_common_ops,
23194 .cable_detect = pdc_pata_cable_detect,
23195 .freeze = pdc_freeze,
23196 diff -urNp linux-2.6.38.4/drivers/ata/sata_qstor.c linux-2.6.38.4/drivers/ata/sata_qstor.c
23197 --- linux-2.6.38.4/drivers/ata/sata_qstor.c 2011-03-14 21:20:32.000000000 -0400
23198 +++ linux-2.6.38.4/drivers/ata/sata_qstor.c 2011-04-17 15:57:32.000000000 -0400
23199 @@ -131,7 +131,7 @@ static struct scsi_host_template qs_ata_
23200 .dma_boundary = QS_DMA_BOUNDARY,
23203 -static struct ata_port_operations qs_ata_ops = {
23204 +static const struct ata_port_operations qs_ata_ops = {
23205 .inherits = &ata_sff_port_ops,
23207 .check_atapi_dma = qs_check_atapi_dma,
23208 diff -urNp linux-2.6.38.4/drivers/ata/sata_sil24.c linux-2.6.38.4/drivers/ata/sata_sil24.c
23209 --- linux-2.6.38.4/drivers/ata/sata_sil24.c 2011-03-14 21:20:32.000000000 -0400
23210 +++ linux-2.6.38.4/drivers/ata/sata_sil24.c 2011-04-17 15:57:32.000000000 -0400
23211 @@ -389,7 +389,7 @@ static struct scsi_host_template sil24_s
23212 .dma_boundary = ATA_DMA_BOUNDARY,
23215 -static struct ata_port_operations sil24_ops = {
23216 +static const struct ata_port_operations sil24_ops = {
23217 .inherits = &sata_pmp_port_ops,
23219 .qc_defer = sil24_qc_defer,
23220 diff -urNp linux-2.6.38.4/drivers/ata/sata_sil.c linux-2.6.38.4/drivers/ata/sata_sil.c
23221 --- linux-2.6.38.4/drivers/ata/sata_sil.c 2011-03-14 21:20:32.000000000 -0400
23222 +++ linux-2.6.38.4/drivers/ata/sata_sil.c 2011-04-17 15:57:32.000000000 -0400
23223 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
23224 .sg_tablesize = ATA_MAX_PRD
23227 -static struct ata_port_operations sil_ops = {
23228 +static const struct ata_port_operations sil_ops = {
23229 .inherits = &ata_bmdma32_port_ops,
23230 .dev_config = sil_dev_config,
23231 .set_mode = sil_set_mode,
23232 diff -urNp linux-2.6.38.4/drivers/ata/sata_sis.c linux-2.6.38.4/drivers/ata/sata_sis.c
23233 --- linux-2.6.38.4/drivers/ata/sata_sis.c 2011-03-14 21:20:32.000000000 -0400
23234 +++ linux-2.6.38.4/drivers/ata/sata_sis.c 2011-04-17 15:57:32.000000000 -0400
23235 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
23236 ATA_BMDMA_SHT(DRV_NAME),
23239 -static struct ata_port_operations sis_ops = {
23240 +static const struct ata_port_operations sis_ops = {
23241 .inherits = &ata_bmdma_port_ops,
23242 .scr_read = sis_scr_read,
23243 .scr_write = sis_scr_write,
23244 diff -urNp linux-2.6.38.4/drivers/ata/sata_svw.c linux-2.6.38.4/drivers/ata/sata_svw.c
23245 --- linux-2.6.38.4/drivers/ata/sata_svw.c 2011-03-14 21:20:32.000000000 -0400
23246 +++ linux-2.6.38.4/drivers/ata/sata_svw.c 2011-04-17 15:57:32.000000000 -0400
23247 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
23251 -static struct ata_port_operations k2_sata_ops = {
23252 +static const struct ata_port_operations k2_sata_ops = {
23253 .inherits = &ata_bmdma_port_ops,
23254 .sff_tf_load = k2_sata_tf_load,
23255 .sff_tf_read = k2_sata_tf_read,
23256 diff -urNp linux-2.6.38.4/drivers/ata/sata_sx4.c linux-2.6.38.4/drivers/ata/sata_sx4.c
23257 --- linux-2.6.38.4/drivers/ata/sata_sx4.c 2011-03-14 21:20:32.000000000 -0400
23258 +++ linux-2.6.38.4/drivers/ata/sata_sx4.c 2011-04-17 15:57:32.000000000 -0400
23259 @@ -249,7 +249,7 @@ static struct scsi_host_template pdc_sat
23262 /* TODO: inherit from base port_ops after converting to new EH */
23263 -static struct ata_port_operations pdc_20621_ops = {
23264 +static const struct ata_port_operations pdc_20621_ops = {
23265 .inherits = &ata_sff_port_ops,
23267 .check_atapi_dma = pdc_check_atapi_dma,
23268 diff -urNp linux-2.6.38.4/drivers/ata/sata_uli.c linux-2.6.38.4/drivers/ata/sata_uli.c
23269 --- linux-2.6.38.4/drivers/ata/sata_uli.c 2011-03-14 21:20:32.000000000 -0400
23270 +++ linux-2.6.38.4/drivers/ata/sata_uli.c 2011-04-17 15:57:32.000000000 -0400
23271 @@ -80,7 +80,7 @@ static struct scsi_host_template uli_sht
23272 ATA_BMDMA_SHT(DRV_NAME),
23275 -static struct ata_port_operations uli_ops = {
23276 +static const struct ata_port_operations uli_ops = {
23277 .inherits = &ata_bmdma_port_ops,
23278 .scr_read = uli_scr_read,
23279 .scr_write = uli_scr_write,
23280 diff -urNp linux-2.6.38.4/drivers/ata/sata_via.c linux-2.6.38.4/drivers/ata/sata_via.c
23281 --- linux-2.6.38.4/drivers/ata/sata_via.c 2011-03-14 21:20:32.000000000 -0400
23282 +++ linux-2.6.38.4/drivers/ata/sata_via.c 2011-04-17 15:57:32.000000000 -0400
23283 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
23284 ATA_BMDMA_SHT(DRV_NAME),
23287 -static struct ata_port_operations svia_base_ops = {
23288 +static const struct ata_port_operations svia_base_ops = {
23289 .inherits = &ata_bmdma_port_ops,
23290 .sff_tf_load = svia_tf_load,
23293 -static struct ata_port_operations vt6420_sata_ops = {
23294 +static const struct ata_port_operations vt6420_sata_ops = {
23295 .inherits = &svia_base_ops,
23296 .freeze = svia_noop_freeze,
23297 .prereset = vt6420_prereset,
23298 .bmdma_start = vt6420_bmdma_start,
23301 -static struct ata_port_operations vt6421_pata_ops = {
23302 +static const struct ata_port_operations vt6421_pata_ops = {
23303 .inherits = &svia_base_ops,
23304 .cable_detect = vt6421_pata_cable_detect,
23305 .set_piomode = vt6421_set_pio_mode,
23306 .set_dmamode = vt6421_set_dma_mode,
23309 -static struct ata_port_operations vt6421_sata_ops = {
23310 +static const struct ata_port_operations vt6421_sata_ops = {
23311 .inherits = &svia_base_ops,
23312 .scr_read = svia_scr_read,
23313 .scr_write = svia_scr_write,
23316 -static struct ata_port_operations vt8251_ops = {
23317 +static const struct ata_port_operations vt8251_ops = {
23318 .inherits = &svia_base_ops,
23319 .hardreset = sata_std_hardreset,
23320 .scr_read = vt8251_scr_read,
23321 diff -urNp linux-2.6.38.4/drivers/ata/sata_vsc.c linux-2.6.38.4/drivers/ata/sata_vsc.c
23322 --- linux-2.6.38.4/drivers/ata/sata_vsc.c 2011-03-14 21:20:32.000000000 -0400
23323 +++ linux-2.6.38.4/drivers/ata/sata_vsc.c 2011-04-17 15:57:32.000000000 -0400
23324 @@ -300,7 +300,7 @@ static struct scsi_host_template vsc_sat
23328 -static struct ata_port_operations vsc_sata_ops = {
23329 +static const struct ata_port_operations vsc_sata_ops = {
23330 .inherits = &ata_bmdma_port_ops,
23331 /* The IRQ handling is not quite standard SFF behaviour so we
23332 cannot use the default lost interrupt handler */
23333 diff -urNp linux-2.6.38.4/drivers/atm/adummy.c linux-2.6.38.4/drivers/atm/adummy.c
23334 --- linux-2.6.38.4/drivers/atm/adummy.c 2011-03-14 21:20:32.000000000 -0400
23335 +++ linux-2.6.38.4/drivers/atm/adummy.c 2011-04-17 15:57:32.000000000 -0400
23336 @@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct
23337 vcc->pop(vcc, skb);
23339 dev_kfree_skb_any(skb);
23340 - atomic_inc(&vcc->stats->tx);
23341 + atomic_inc_unchecked(&vcc->stats->tx);
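Review bot: The atomic_inc_unchecked() call on the `+` line only type-checks if the tx field reached through vcc->stats has been retyped to the unchecked atomic type, which presumably happens in the atmdev header hunk of this patch rather than here, so that header change is a build-time dependency of every drivers/atm hunk and should be reviewed alongside them. Moving a counter to the unchecked variant removes it from refcount-overflow detection, which is appropriate for wrap-around rx/tx/error statistics but not for any value that drives ownership or lifetime decisions; as far as the visible lines show, every converted field here and in ambassador.c, atmtcp.c, eni.c, firestream.c, fore200e.c, he.c, horizon.c, idt77252.c (including the atomic_add_unchecked calls), iphase.c (including the atomic_read_unchecked calls in ia_ioctl and the `% 20` flow-control read in ia_pkt_tx) and lanai.c is a pure statistic, so the same check applies once across all of them. adummy_send's body starts and ends outside this hunk.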
23345 diff -urNp linux-2.6.38.4/drivers/atm/ambassador.c linux-2.6.38.4/drivers/atm/ambassador.c
23346 --- linux-2.6.38.4/drivers/atm/ambassador.c 2011-03-14 21:20:32.000000000 -0400
23347 +++ linux-2.6.38.4/drivers/atm/ambassador.c 2011-04-17 15:57:32.000000000 -0400
23348 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
23349 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
23352 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
23353 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
23355 // free the descriptor
23357 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
23358 dump_skb ("<<<", vc, skb);
23361 - atomic_inc(&atm_vcc->stats->rx);
23362 + atomic_inc_unchecked(&atm_vcc->stats->rx);
23363 __net_timestamp(skb);
23364 // end of our responsability
23365 atm_vcc->push (atm_vcc, skb);
23366 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
23368 PRINTK (KERN_INFO, "dropped over-size frame");
23369 // should we count this?
23370 - atomic_inc(&atm_vcc->stats->rx_drop);
23371 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23375 @@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
23378 if (check_area (skb->data, skb->len)) {
23379 - atomic_inc(&atm_vcc->stats->tx_err);
23380 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
23381 return -ENOMEM; // ?
23384 diff -urNp linux-2.6.38.4/drivers/atm/atmtcp.c linux-2.6.38.4/drivers/atm/atmtcp.c
23385 --- linux-2.6.38.4/drivers/atm/atmtcp.c 2011-03-14 21:20:32.000000000 -0400
23386 +++ linux-2.6.38.4/drivers/atm/atmtcp.c 2011-04-17 15:57:32.000000000 -0400
23387 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
23388 if (vcc->pop) vcc->pop(vcc,skb);
23389 else dev_kfree_skb(skb);
23390 if (dev_data) return 0;
23391 - atomic_inc(&vcc->stats->tx_err);
23392 + atomic_inc_unchecked(&vcc->stats->tx_err);
23395 size = skb->len+sizeof(struct atmtcp_hdr);
23396 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
23398 if (vcc->pop) vcc->pop(vcc,skb);
23399 else dev_kfree_skb(skb);
23400 - atomic_inc(&vcc->stats->tx_err);
23401 + atomic_inc_unchecked(&vcc->stats->tx_err);
23404 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
23405 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
23406 if (vcc->pop) vcc->pop(vcc,skb);
23407 else dev_kfree_skb(skb);
23408 out_vcc->push(out_vcc,new_skb);
23409 - atomic_inc(&vcc->stats->tx);
23410 - atomic_inc(&out_vcc->stats->rx);
23411 + atomic_inc_unchecked(&vcc->stats->tx);
23412 + atomic_inc_unchecked(&out_vcc->stats->rx);
23416 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
23417 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
23418 read_unlock(&vcc_sklist_lock);
23420 - atomic_inc(&vcc->stats->tx_err);
23421 + atomic_inc_unchecked(&vcc->stats->tx_err);
23424 skb_pull(skb,sizeof(struct atmtcp_hdr));
23425 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
23426 __net_timestamp(new_skb);
23427 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
23428 out_vcc->push(out_vcc,new_skb);
23429 - atomic_inc(&vcc->stats->tx);
23430 - atomic_inc(&out_vcc->stats->rx);
23431 + atomic_inc_unchecked(&vcc->stats->tx);
23432 + atomic_inc_unchecked(&out_vcc->stats->rx);
23434 if (vcc->pop) vcc->pop(vcc,skb);
23435 else dev_kfree_skb(skb);
23436 diff -urNp linux-2.6.38.4/drivers/atm/eni.c linux-2.6.38.4/drivers/atm/eni.c
23437 --- linux-2.6.38.4/drivers/atm/eni.c 2011-03-14 21:20:32.000000000 -0400
23438 +++ linux-2.6.38.4/drivers/atm/eni.c 2011-04-17 15:57:32.000000000 -0400
23439 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
23440 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
23443 - atomic_inc(&vcc->stats->rx_err);
23444 + atomic_inc_unchecked(&vcc->stats->rx_err);
23447 length = ATM_CELL_SIZE-1; /* no HEC */
23448 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
23452 - atomic_inc(&vcc->stats->rx_err);
23453 + atomic_inc_unchecked(&vcc->stats->rx_err);
23456 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
23457 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
23458 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
23459 vcc->dev->number,vcc->vci,length,size << 2,descr);
23461 - atomic_inc(&vcc->stats->rx_err);
23462 + atomic_inc_unchecked(&vcc->stats->rx_err);
23465 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
23466 @@ -771,7 +771,7 @@ rx_dequeued++;
23467 vcc->push(vcc,skb);
23470 - atomic_inc(&vcc->stats->rx);
23471 + atomic_inc_unchecked(&vcc->stats->rx);
23473 wake_up(&eni_dev->rx_wait);
23475 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
23477 if (vcc->pop) vcc->pop(vcc,skb);
23478 else dev_kfree_skb_irq(skb);
23479 - atomic_inc(&vcc->stats->tx);
23480 + atomic_inc_unchecked(&vcc->stats->tx);
23481 wake_up(&eni_dev->tx_wait);
23484 diff -urNp linux-2.6.38.4/drivers/atm/firestream.c linux-2.6.38.4/drivers/atm/firestream.c
23485 --- linux-2.6.38.4/drivers/atm/firestream.c 2011-03-14 21:20:32.000000000 -0400
23486 +++ linux-2.6.38.4/drivers/atm/firestream.c 2011-04-17 15:57:32.000000000 -0400
23487 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct
23491 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
23492 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
23494 fs_dprintk (FS_DEBUG_TXMEM, "i");
23495 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
23496 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_
23498 skb_put (skb, qe->p1 & 0xffff);
23499 ATM_SKB(skb)->vcc = atm_vcc;
23500 - atomic_inc(&atm_vcc->stats->rx);
23501 + atomic_inc_unchecked(&atm_vcc->stats->rx);
23502 __net_timestamp(skb);
23503 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
23504 atm_vcc->push (atm_vcc, skb);
23505 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_
23509 - atomic_inc(&atm_vcc->stats->rx_drop);
23510 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23512 case 0x1f: /* Reassembly abort: no buffers. */
23513 /* Silently increment error counter. */
23515 - atomic_inc(&atm_vcc->stats->rx_drop);
23516 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23518 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
23519 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
23520 diff -urNp linux-2.6.38.4/drivers/atm/fore200e.c linux-2.6.38.4/drivers/atm/fore200e.c
23521 --- linux-2.6.38.4/drivers/atm/fore200e.c 2011-03-14 21:20:32.000000000 -0400
23522 +++ linux-2.6.38.4/drivers/atm/fore200e.c 2011-04-17 15:57:32.000000000 -0400
23523 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
23525 /* check error condition */
23526 if (*entry->status & STATUS_ERROR)
23527 - atomic_inc(&vcc->stats->tx_err);
23528 + atomic_inc_unchecked(&vcc->stats->tx_err);
23530 - atomic_inc(&vcc->stats->tx);
23531 + atomic_inc_unchecked(&vcc->stats->tx);
23535 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
23537 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
23539 - atomic_inc(&vcc->stats->rx_drop);
23540 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23544 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
23546 dev_kfree_skb_any(skb);
23548 - atomic_inc(&vcc->stats->rx_drop);
23549 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23553 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
23555 vcc->push(vcc, skb);
23556 - atomic_inc(&vcc->stats->rx);
23557 + atomic_inc_unchecked(&vcc->stats->rx);
23559 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
23561 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
23562 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
23563 fore200e->atm_dev->number,
23564 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
23565 - atomic_inc(&vcc->stats->rx_err);
23566 + atomic_inc_unchecked(&vcc->stats->rx_err);
23570 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
23574 - atomic_inc(&vcc->stats->tx_err);
23575 + atomic_inc_unchecked(&vcc->stats->tx_err);
23577 fore200e->tx_sat++;
23578 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
23579 diff -urNp linux-2.6.38.4/drivers/atm/he.c linux-2.6.38.4/drivers/atm/he.c
23580 --- linux-2.6.38.4/drivers/atm/he.c 2011-03-14 21:20:32.000000000 -0400
23581 +++ linux-2.6.38.4/drivers/atm/he.c 2011-04-17 15:57:32.000000000 -0400
23582 @@ -1709,7 +1709,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23584 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
23585 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
23586 - atomic_inc(&vcc->stats->rx_drop);
23587 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23588 goto return_host_buffers;
23591 @@ -1736,7 +1736,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23592 RBRQ_LEN_ERR(he_dev->rbrq_head)
23594 vcc->vpi, vcc->vci);
23595 - atomic_inc(&vcc->stats->rx_err);
23596 + atomic_inc_unchecked(&vcc->stats->rx_err);
23597 goto return_host_buffers;
23600 @@ -1788,7 +1788,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23601 vcc->push(vcc, skb);
23602 spin_lock(&he_dev->global_lock);
23604 - atomic_inc(&vcc->stats->rx);
23605 + atomic_inc_unchecked(&vcc->stats->rx);
23607 return_host_buffers:
23609 @@ -2114,7 +2114,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
23610 tpd->vcc->pop(tpd->vcc, tpd->skb);
23612 dev_kfree_skb_any(tpd->skb);
23613 - atomic_inc(&tpd->vcc->stats->tx_err);
23614 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
23616 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
23618 @@ -2526,7 +2526,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23619 vcc->pop(vcc, skb);
23621 dev_kfree_skb_any(skb);
23622 - atomic_inc(&vcc->stats->tx_err);
23623 + atomic_inc_unchecked(&vcc->stats->tx_err);
23627 @@ -2537,7 +2537,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23628 vcc->pop(vcc, skb);
23630 dev_kfree_skb_any(skb);
23631 - atomic_inc(&vcc->stats->tx_err);
23632 + atomic_inc_unchecked(&vcc->stats->tx_err);
23636 @@ -2549,7 +2549,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23637 vcc->pop(vcc, skb);
23639 dev_kfree_skb_any(skb);
23640 - atomic_inc(&vcc->stats->tx_err);
23641 + atomic_inc_unchecked(&vcc->stats->tx_err);
23642 spin_unlock_irqrestore(&he_dev->global_lock, flags);
23645 @@ -2591,7 +2591,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23646 vcc->pop(vcc, skb);
23648 dev_kfree_skb_any(skb);
23649 - atomic_inc(&vcc->stats->tx_err);
23650 + atomic_inc_unchecked(&vcc->stats->tx_err);
23651 spin_unlock_irqrestore(&he_dev->global_lock, flags);
23654 @@ -2622,7 +2622,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23655 __enqueue_tpd(he_dev, tpd, cid);
23656 spin_unlock_irqrestore(&he_dev->global_lock, flags);
23658 - atomic_inc(&vcc->stats->tx);
23659 + atomic_inc_unchecked(&vcc->stats->tx);
23663 diff -urNp linux-2.6.38.4/drivers/atm/horizon.c linux-2.6.38.4/drivers/atm/horizon.c
23664 --- linux-2.6.38.4/drivers/atm/horizon.c 2011-03-14 21:20:32.000000000 -0400
23665 +++ linux-2.6.38.4/drivers/atm/horizon.c 2011-04-17 15:57:32.000000000 -0400
23666 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev,
23668 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
23670 - atomic_inc(&vcc->stats->rx);
23671 + atomic_inc_unchecked(&vcc->stats->rx);
23672 __net_timestamp(skb);
23673 // end of our responsability
23674 vcc->push (vcc, skb);
23675 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
23676 dev->tx_iovec = NULL;
23679 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
23680 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
23683 hrz_kfree_skb (skb);
23684 diff -urNp linux-2.6.38.4/drivers/atm/idt77252.c linux-2.6.38.4/drivers/atm/idt77252.c
23685 --- linux-2.6.38.4/drivers/atm/idt77252.c 2011-03-14 21:20:32.000000000 -0400
23686 +++ linux-2.6.38.4/drivers/atm/idt77252.c 2011-04-17 15:57:32.000000000 -0400
23687 @@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
23689 dev_kfree_skb(skb);
23691 - atomic_inc(&vcc->stats->tx);
23692 + atomic_inc_unchecked(&vcc->stats->tx);
23695 atomic_dec(&scq->used);
23696 @@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
23697 if ((sb = dev_alloc_skb(64)) == NULL) {
23698 printk("%s: Can't allocate buffers for aal0.\n",
23700 - atomic_add(i, &vcc->stats->rx_drop);
23701 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
23704 if (!atm_charge(vcc, sb->truesize)) {
23705 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
23707 - atomic_add(i - 1, &vcc->stats->rx_drop);
23708 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
23712 @@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
23713 ATM_SKB(sb)->vcc = vcc;
23714 __net_timestamp(sb);
23715 vcc->push(vcc, sb);
23716 - atomic_inc(&vcc->stats->rx);
23717 + atomic_inc_unchecked(&vcc->stats->rx);
23719 cell += ATM_CELL_PAYLOAD;
23721 @@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
23723 card->name, len, rpp->len, readl(SAR_REG_CDC));
23724 recycle_rx_pool_skb(card, rpp);
23725 - atomic_inc(&vcc->stats->rx_err);
23726 + atomic_inc_unchecked(&vcc->stats->rx_err);
23729 if (stat & SAR_RSQE_CRC) {
23730 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
23731 recycle_rx_pool_skb(card, rpp);
23732 - atomic_inc(&vcc->stats->rx_err);
23733 + atomic_inc_unchecked(&vcc->stats->rx_err);
23736 if (skb_queue_len(&rpp->queue) > 1) {
23737 @@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
23738 RXPRINTK("%s: Can't alloc RX skb.\n",
23740 recycle_rx_pool_skb(card, rpp);
23741 - atomic_inc(&vcc->stats->rx_err);
23742 + atomic_inc_unchecked(&vcc->stats->rx_err);
23745 if (!atm_charge(vcc, skb->truesize)) {
23746 @@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
23747 __net_timestamp(skb);
23749 vcc->push(vcc, skb);
23750 - atomic_inc(&vcc->stats->rx);
23751 + atomic_inc_unchecked(&vcc->stats->rx);
23755 @@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
23756 __net_timestamp(skb);
23758 vcc->push(vcc, skb);
23759 - atomic_inc(&vcc->stats->rx);
23760 + atomic_inc_unchecked(&vcc->stats->rx);
23762 if (skb->truesize > SAR_FB_SIZE_3)
23763 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
23764 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
23765 if (vcc->qos.aal != ATM_AAL0) {
23766 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
23767 card->name, vpi, vci);
23768 - atomic_inc(&vcc->stats->rx_drop);
23769 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23773 if ((sb = dev_alloc_skb(64)) == NULL) {
23774 printk("%s: Can't allocate buffers for AAL0.\n",
23776 - atomic_inc(&vcc->stats->rx_err);
23777 + atomic_inc_unchecked(&vcc->stats->rx_err);
23781 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
23782 ATM_SKB(sb)->vcc = vcc;
23783 __net_timestamp(sb);
23784 vcc->push(vcc, sb);
23785 - atomic_inc(&vcc->stats->rx);
23786 + atomic_inc_unchecked(&vcc->stats->rx);
23789 skb_pull(queue, 64);
23790 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
23793 printk("%s: NULL connection in send().\n", card->name);
23794 - atomic_inc(&vcc->stats->tx_err);
23795 + atomic_inc_unchecked(&vcc->stats->tx_err);
23796 dev_kfree_skb(skb);
23799 if (!test_bit(VCF_TX, &vc->flags)) {
23800 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
23801 - atomic_inc(&vcc->stats->tx_err);
23802 + atomic_inc_unchecked(&vcc->stats->tx_err);
23803 dev_kfree_skb(skb);
23806 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
23809 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
23810 - atomic_inc(&vcc->stats->tx_err);
23811 + atomic_inc_unchecked(&vcc->stats->tx_err);
23812 dev_kfree_skb(skb);
23816 if (skb_shinfo(skb)->nr_frags != 0) {
23817 printk("%s: No scatter-gather yet.\n", card->name);
23818 - atomic_inc(&vcc->stats->tx_err);
23819 + atomic_inc_unchecked(&vcc->stats->tx_err);
23820 dev_kfree_skb(skb);
23823 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
23825 err = queue_skb(card, vc, skb, oam);
23827 - atomic_inc(&vcc->stats->tx_err);
23828 + atomic_inc_unchecked(&vcc->stats->tx_err);
23829 dev_kfree_skb(skb);
23832 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
23833 skb = dev_alloc_skb(64);
23835 printk("%s: Out of memory in send_oam().\n", card->name);
23836 - atomic_inc(&vcc->stats->tx_err);
23837 + atomic_inc_unchecked(&vcc->stats->tx_err);
23840 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
23841 diff -urNp linux-2.6.38.4/drivers/atm/iphase.c linux-2.6.38.4/drivers/atm/iphase.c
23842 --- linux-2.6.38.4/drivers/atm/iphase.c 2011-03-14 21:20:32.000000000 -0400
23843 +++ linux-2.6.38.4/drivers/atm/iphase.c 2011-04-17 15:57:32.000000000 -0400
23844 @@ -1124,7 +1124,7 @@ static int rx_pkt(struct atm_dev *dev)
23845 status = (u_short) (buf_desc_ptr->desc_mode);
23846 if (status & (RX_CER | RX_PTE | RX_OFL))
23848 - atomic_inc(&vcc->stats->rx_err);
23849 + atomic_inc_unchecked(&vcc->stats->rx_err);
23850 IF_ERR(printk("IA: bad packet, dropping it");)
23851 if (status & RX_CER) {
23852 IF_ERR(printk(" cause: packet CRC error\n");)
23853 @@ -1147,7 +1147,7 @@ static int rx_pkt(struct atm_dev *dev)
23854 len = dma_addr - buf_addr;
23855 if (len > iadev->rx_buf_sz) {
23856 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
23857 - atomic_inc(&vcc->stats->rx_err);
23858 + atomic_inc_unchecked(&vcc->stats->rx_err);
23859 goto out_free_desc;
23862 @@ -1297,7 +1297,7 @@ static void rx_dle_intr(struct atm_dev *
23863 ia_vcc = INPH_IA_VCC(vcc);
23864 if (ia_vcc == NULL)
23866 - atomic_inc(&vcc->stats->rx_err);
23867 + atomic_inc_unchecked(&vcc->stats->rx_err);
23868 dev_kfree_skb_any(skb);
23869 atm_return(vcc, atm_guess_pdu2truesize(len));
23871 @@ -1309,7 +1309,7 @@ static void rx_dle_intr(struct atm_dev *
23872 if ((length > iadev->rx_buf_sz) || (length >
23873 (skb->len - sizeof(struct cpcs_trailer))))
23875 - atomic_inc(&vcc->stats->rx_err);
23876 + atomic_inc_unchecked(&vcc->stats->rx_err);
23877 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
23878 length, skb->len);)
23879 dev_kfree_skb_any(skb);
23880 @@ -1325,7 +1325,7 @@ static void rx_dle_intr(struct atm_dev *
23882 IF_RX(printk("rx_dle_intr: skb push");)
23883 vcc->push(vcc,skb);
23884 - atomic_inc(&vcc->stats->rx);
23885 + atomic_inc_unchecked(&vcc->stats->rx);
23886 iadev->rx_pkt_cnt++;
23889 @@ -2807,15 +2807,15 @@ static int ia_ioctl(struct atm_dev *dev,
23891 struct k_sonet_stats *stats;
23892 stats = &PRIV(_ia_dev[board])->sonet_stats;
23893 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
23894 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
23895 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
23896 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
23897 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
23898 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
23899 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
23900 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
23901 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
23902 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
23903 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
23904 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
23905 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
23906 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
23907 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
23908 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
23909 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
23910 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
23912 ia_cmds.status = 0;
23914 @@ -2920,7 +2920,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
23915 if ((desc == 0) || (desc > iadev->num_tx_desc))
23917 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
23918 - atomic_inc(&vcc->stats->tx);
23919 + atomic_inc_unchecked(&vcc->stats->tx);
23921 vcc->pop(vcc, skb);
23923 @@ -3025,14 +3025,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
23924 ATM_DESC(skb) = vcc->vci;
23925 skb_queue_tail(&iadev->tx_dma_q, skb);
23927 - atomic_inc(&vcc->stats->tx);
23928 + atomic_inc_unchecked(&vcc->stats->tx);
23929 iadev->tx_pkt_cnt++;
23930 /* Increment transaction counter */
23931 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
23934 /* add flow control logic */
23935 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
23936 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
23937 if (iavcc->vc_desc_cnt > 10) {
23938 vcc->tx_quota = vcc->tx_quota * 3 / 4;
23939 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
23940 diff -urNp linux-2.6.38.4/drivers/atm/lanai.c linux-2.6.38.4/drivers/atm/lanai.c
23941 --- linux-2.6.38.4/drivers/atm/lanai.c 2011-03-14 21:20:32.000000000 -0400
23942 +++ linux-2.6.38.4/drivers/atm/lanai.c 2011-04-17 15:57:32.000000000 -0400
23943 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
23944 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
23945 lanai_endtx(lanai, lvcc);
23946 lanai_free_skb(lvcc->tx.atmvcc, skb);
23947 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
23948 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
23951 /* Try to fill the buffer - don't call unless there is backlog */
23952 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
23953 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
23954 __net_timestamp(skb);
23955 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
23956 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
23957 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
23959 lvcc->rx.buf.ptr = end;
23960 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
23961 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
23962 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
23963 "vcc %d\n", lanai->number, (unsigned int) s, vci);
23964 lanai->stats.service_rxnotaal5++;
23965 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23966 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23969 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
23970 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
23972 read_unlock(&vcc_sklist_lock);
23973 DPRINTK("got trashed rx pdu on vci %d\n", vci);
23974 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23975 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23976 lvcc->stats.x.aal5.service_trash++;
23977 bytes = (SERVICE_GET_END(s) * 16) -
23978 (((unsigned long) lvcc->rx.buf.ptr) -
23979 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
23981 if (s & SERVICE_STREAM) {
23982 read_unlock(&vcc_sklist_lock);
23983 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23984 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23985 lvcc->stats.x.aal5.service_stream++;
23986 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
23987 "PDU on VCI %d!\n", lanai->number, vci);
23988 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
23991 DPRINTK("got rx crc error on vci %d\n", vci);
23992 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23993 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23994 lvcc->stats.x.aal5.service_rxcrc++;
23995 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
23996 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
23997 diff -urNp linux-2.6.38.4/drivers/atm/nicstar.c linux-2.6.38.4/drivers/atm/nicstar.c
23998 --- linux-2.6.38.4/drivers/atm/nicstar.c 2011-03-14 21:20:32.000000000 -0400
23999 +++ linux-2.6.38.4/drivers/atm/nicstar.c 2011-04-17 15:57:32.000000000 -0400
24000 @@ -1654,7 +1654,7 @@ static int ns_send(struct atm_vcc *vcc,
24001 if ((vc = (vc_map *) vcc->dev_data) == NULL) {
24002 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
24004 - atomic_inc(&vcc->stats->tx_err);
24005 + atomic_inc_unchecked(&vcc->stats->tx_err);
24006 dev_kfree_skb_any(skb);
24009 @@ -1662,7 +1662,7 @@ static int ns_send(struct atm_vcc *vcc,
24011 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
24013 - atomic_inc(&vcc->stats->tx_err);
24014 + atomic_inc_unchecked(&vcc->stats->tx_err);
24015 dev_kfree_skb_any(skb);
24018 @@ -1670,14 +1670,14 @@ static int ns_send(struct atm_vcc *vcc,
24019 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
24020 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
24022 - atomic_inc(&vcc->stats->tx_err);
24023 + atomic_inc_unchecked(&vcc->stats->tx_err);
24024 dev_kfree_skb_any(skb);
24028 if (skb_shinfo(skb)->nr_frags != 0) {
24029 printk("nicstar%d: No scatter-gather yet.\n", card->index);
24030 - atomic_inc(&vcc->stats->tx_err);
24031 + atomic_inc_unchecked(&vcc->stats->tx_err);
24032 dev_kfree_skb_any(skb);
24035 @@ -1725,11 +1725,11 @@ static int ns_send(struct atm_vcc *vcc,
24038 if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
24039 - atomic_inc(&vcc->stats->tx_err);
24040 + atomic_inc_unchecked(&vcc->stats->tx_err);
24041 dev_kfree_skb_any(skb);
24044 - atomic_inc(&vcc->stats->tx);
24045 + atomic_inc_unchecked(&vcc->stats->tx);
24049 @@ -2046,14 +2046,14 @@ static void dequeue_rx(ns_dev * card, ns
24051 ("nicstar%d: Can't allocate buffers for aal0.\n",
24053 - atomic_add(i, &vcc->stats->rx_drop);
24054 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
24057 if (!atm_charge(vcc, sb->truesize)) {
24059 ("nicstar%d: atm_charge() dropped aal0 packets.\n",
24061 - atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
24062 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
24063 dev_kfree_skb_any(sb);
24066 @@ -2068,7 +2068,7 @@ static void dequeue_rx(ns_dev * card, ns
24067 ATM_SKB(sb)->vcc = vcc;
24068 __net_timestamp(sb);
24069 vcc->push(vcc, sb);
24070 - atomic_inc(&vcc->stats->rx);
24071 + atomic_inc_unchecked(&vcc->stats->rx);
24072 cell += ATM_CELL_PAYLOAD;
24075 @@ -2085,7 +2085,7 @@ static void dequeue_rx(ns_dev * card, ns
24076 if (iovb == NULL) {
24077 printk("nicstar%d: Out of iovec buffers.\n",
24079 - atomic_inc(&vcc->stats->rx_drop);
24080 + atomic_inc_unchecked(&vcc->stats->rx_drop);
24081 recycle_rx_buf(card, skb);
24084 @@ -2109,7 +2109,7 @@ static void dequeue_rx(ns_dev * card, ns
24085 small or large buffer itself. */
24086 } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
24087 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
24088 - atomic_inc(&vcc->stats->rx_err);
24089 + atomic_inc_unchecked(&vcc->stats->rx_err);
24090 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
24092 NS_PRV_IOVCNT(iovb) = 0;
24093 @@ -2129,7 +2129,7 @@ static void dequeue_rx(ns_dev * card, ns
24094 ("nicstar%d: Expected a small buffer, and this is not one.\n",
24096 which_list(card, skb);
24097 - atomic_inc(&vcc->stats->rx_err);
24098 + atomic_inc_unchecked(&vcc->stats->rx_err);
24099 recycle_rx_buf(card, skb);
24101 recycle_iov_buf(card, iovb);
24102 @@ -2142,7 +2142,7 @@ static void dequeue_rx(ns_dev * card, ns
24103 ("nicstar%d: Expected a large buffer, and this is not one.\n",
24105 which_list(card, skb);
24106 - atomic_inc(&vcc->stats->rx_err);
24107 + atomic_inc_unchecked(&vcc->stats->rx_err);
24108 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
24109 NS_PRV_IOVCNT(iovb));
24111 @@ -2165,7 +2165,7 @@ static void dequeue_rx(ns_dev * card, ns
24112 printk(" - PDU size mismatch.\n");
24115 - atomic_inc(&vcc->stats->rx_err);
24116 + atomic_inc_unchecked(&vcc->stats->rx_err);
24117 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
24118 NS_PRV_IOVCNT(iovb));
24120 @@ -2179,7 +2179,7 @@ static void dequeue_rx(ns_dev * card, ns
24121 /* skb points to a small buffer */
24122 if (!atm_charge(vcc, skb->truesize)) {
24123 push_rxbufs(card, skb);
24124 - atomic_inc(&vcc->stats->rx_drop);
24125 + atomic_inc_unchecked(&vcc->stats->rx_drop);
24128 dequeue_sm_buf(card, skb);
24129 @@ -2189,7 +2189,7 @@ static void dequeue_rx(ns_dev * card, ns
24130 ATM_SKB(skb)->vcc = vcc;
24131 __net_timestamp(skb);
24132 vcc->push(vcc, skb);
24133 - atomic_inc(&vcc->stats->rx);
24134 + atomic_inc_unchecked(&vcc->stats->rx);
24136 } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */
24137 struct sk_buff *sb;
24138 @@ -2200,7 +2200,7 @@ static void dequeue_rx(ns_dev * card, ns
24139 if (len <= NS_SMBUFSIZE) {
24140 if (!atm_charge(vcc, sb->truesize)) {
24141 push_rxbufs(card, sb);
24142 - atomic_inc(&vcc->stats->rx_drop);
24143 + atomic_inc_unchecked(&vcc->stats->rx_drop);
24146 dequeue_sm_buf(card, sb);
24147 @@ -2210,7 +2210,7 @@ static void dequeue_rx(ns_dev * card, ns
24148 ATM_SKB(sb)->vcc = vcc;
24149 __net_timestamp(sb);
24150 vcc->push(vcc, sb);
24151 - atomic_inc(&vcc->stats->rx);
24152 + atomic_inc_unchecked(&vcc->stats->rx);
24155 push_rxbufs(card, skb);
24156 @@ -2219,7 +2219,7 @@ static void dequeue_rx(ns_dev * card, ns
24158 if (!atm_charge(vcc, skb->truesize)) {
24159 push_rxbufs(card, skb);
24160 - atomic_inc(&vcc->stats->rx_drop);
24161 + atomic_inc_unchecked(&vcc->stats->rx_drop);
24163 dequeue_lg_buf(card, skb);
24164 #ifdef NS_USE_DESTRUCTORS
24165 @@ -2232,7 +2232,7 @@ static void dequeue_rx(ns_dev * card, ns
24166 ATM_SKB(skb)->vcc = vcc;
24167 __net_timestamp(skb);
24168 vcc->push(vcc, skb);
24169 - atomic_inc(&vcc->stats->rx);
24170 + atomic_inc_unchecked(&vcc->stats->rx);
24173 push_rxbufs(card, sb);
24174 @@ -2253,7 +2253,7 @@ static void dequeue_rx(ns_dev * card, ns
24176 ("nicstar%d: Out of huge buffers.\n",
24178 - atomic_inc(&vcc->stats->rx_drop);
24179 + atomic_inc_unchecked(&vcc->stats->rx_drop);
24180 recycle_iovec_rx_bufs(card,
24183 @@ -2304,7 +2304,7 @@ static void dequeue_rx(ns_dev * card, ns
24184 card->hbpool.count++;
24186 dev_kfree_skb_any(hb);
24187 - atomic_inc(&vcc->stats->rx_drop);
24188 + atomic_inc_unchecked(&vcc->stats->rx_drop);
24190 /* Copy the small buffer to the huge buffer */
24191 sb = (struct sk_buff *)iov->iov_base;
24192 @@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev * card, ns
24193 #endif /* NS_USE_DESTRUCTORS */
24194 __net_timestamp(hb);
24195 vcc->push(vcc, hb);
24196 - atomic_inc(&vcc->stats->rx);
24197 + atomic_inc_unchecked(&vcc->stats->rx);
24201 diff -urNp linux-2.6.38.4/drivers/atm/solos-pci.c linux-2.6.38.4/drivers/atm/solos-pci.c
24202 --- linux-2.6.38.4/drivers/atm/solos-pci.c 2011-04-18 17:27:18.000000000 -0400
24203 +++ linux-2.6.38.4/drivers/atm/solos-pci.c 2011-04-17 16:53:16.000000000 -0400
24204 @@ -715,7 +715,7 @@ void solos_bh(unsigned long card_arg)
24206 atm_charge(vcc, skb->truesize);
24207 vcc->push(vcc, skb);
24208 - atomic_inc(&vcc->stats->rx);
24209 + atomic_inc_unchecked(&vcc->stats->rx);
24213 @@ -1009,7 +1009,7 @@ static uint32_t fpga_tx(struct solos_car
24214 vcc = SKB_CB(oldskb)->vcc;
24217 - atomic_inc(&vcc->stats->tx);
24218 + atomic_inc_unchecked(&vcc->stats->tx);
24219 solos_pop(vcc, oldskb);
24221 dev_kfree_skb_irq(oldskb);
24222 diff -urNp linux-2.6.38.4/drivers/atm/suni.c linux-2.6.38.4/drivers/atm/suni.c
24223 --- linux-2.6.38.4/drivers/atm/suni.c 2011-03-14 21:20:32.000000000 -0400
24224 +++ linux-2.6.38.4/drivers/atm/suni.c 2011-04-17 15:57:32.000000000 -0400
24225 @@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
24228 #define ADD_LIMITED(s,v) \
24229 - atomic_add((v),&stats->s); \
24230 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
24231 + atomic_add_unchecked((v),&stats->s); \
24232 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
24235 static void suni_hz(unsigned long from_timer)
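Review bot: The rewritten `ADD_LIMITED` still expands to two bare statements, so `if (x) ADD_LIMITED(s, v);` would guard only the `atomic_add_unchecked` and run the saturation `if` unconditionally; the uPD98402.c version in this same patch at least braces its body. Wrap the body in the usual form: `#define ADD_LIMITED(s,v) do { atomic_add_unchecked((v),&stats->s); if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX); } while (0)`. The macro's call sites in suni_hz are outside the hunk, so I cannot confirm whether any of them is affected today.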
24236 diff -urNp linux-2.6.38.4/drivers/atm/uPD98402.c linux-2.6.38.4/drivers/atm/uPD98402.c
24237 --- linux-2.6.38.4/drivers/atm/uPD98402.c 2011-03-14 21:20:32.000000000 -0400
24238 +++ linux-2.6.38.4/drivers/atm/uPD98402.c 2011-04-17 15:57:32.000000000 -0400
24239 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
24240 struct sonet_stats tmp;
24243 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
24244 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
24245 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
24246 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
24247 if (zero && !error) {
24248 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
24251 #define ADD_LIMITED(s,v) \
24252 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
24253 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
24254 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
24255 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
24256 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
24257 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
24260 static void stat_event(struct atm_dev *dev)
24261 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
24262 if (reason & uPD98402_INT_PFM) stat_event(dev);
24263 if (reason & uPD98402_INT_PCO) {
24264 (void) GET(PCOCR); /* clear interrupt cause */
24265 - atomic_add(GET(HECCT),
24266 + atomic_add_unchecked(GET(HECCT),
24267 &PRIV(dev)->sonet_stats.uncorr_hcs);
24269 if ((reason & uPD98402_INT_RFO) &&
24270 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
24271 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
24272 uPD98402_INT_LOS),PIMR); /* enable them */
24273 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
24274 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
24275 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
24276 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
24277 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
24278 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
24279 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
24283 diff -urNp linux-2.6.38.4/drivers/atm/zatm.c linux-2.6.38.4/drivers/atm/zatm.c
24284 --- linux-2.6.38.4/drivers/atm/zatm.c 2011-03-14 21:20:32.000000000 -0400
24285 +++ linux-2.6.38.4/drivers/atm/zatm.c 2011-04-17 15:57:32.000000000 -0400
24286 @@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
24289 dev_kfree_skb_irq(skb);
24290 - if (vcc) atomic_inc(&vcc->stats->rx_err);
24291 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
24294 if (!atm_charge(vcc,skb->truesize)) {
24295 @@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
24297 ATM_SKB(skb)->vcc = vcc;
24298 vcc->push(vcc,skb);
24299 - atomic_inc(&vcc->stats->rx);
24300 + atomic_inc_unchecked(&vcc->stats->rx);
24302 zout(pos & 0xffff,MTA(mbx));
24303 #if 0 /* probably a stupid idea */
24304 @@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
24305 skb_queue_head(&zatm_vcc->backlog,skb);
24308 - atomic_inc(&vcc->stats->tx);
24309 + atomic_inc_unchecked(&vcc->stats->tx);
24310 wake_up(&zatm_vcc->tx_wait);
24313 diff -urNp linux-2.6.38.4/drivers/block/cciss.c linux-2.6.38.4/drivers/block/cciss.c
24314 --- linux-2.6.38.4/drivers/block/cciss.c 2011-03-14 21:20:32.000000000 -0400
24315 +++ linux-2.6.38.4/drivers/block/cciss.c 2011-04-17 15:57:32.000000000 -0400
24316 @@ -1112,6 +1112,8 @@ static int cciss_ioctl32_passthru(struct
24320 + memset(&arg64, 0, sizeof(arg64));
24324 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
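Review bot: The added `memset(&arg64, 0, sizeof(arg64))` carries no comment saying what it fixes, and the same silent zeroing appears in the genrtc.c hunk (`memset(&pll, 0, sizeof(pll))`). Presumably both structs are later copied to user space and the memset keeps uninitialized stack bytes, including padding that field-by-field assignment never touches, out of that copy; a comment such as `/* zero padding: the struct is copied back to user space below */` lets the intent survive the next refactor. The rest of cciss_ioctl32_passthru, including the copy back, is outside the hunk, so the memset's reach cannot be confirmed here.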
24325 diff -urNp linux-2.6.38.4/drivers/char/agp/frontend.c linux-2.6.38.4/drivers/char/agp/frontend.c
24326 --- linux-2.6.38.4/drivers/char/agp/frontend.c 2011-03-14 21:20:32.000000000 -0400
24327 +++ linux-2.6.38.4/drivers/char/agp/frontend.c 2011-04-17 15:57:32.000000000 -0400
24328 @@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct ag
24329 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
24332 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
24333 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
24336 client = agp_find_client_by_pid(reserve.pid);
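Review bot: The guard now bounds `reserve.seg_count` by `~0U/sizeof(struct agp_segment_priv)`, but nothing on the line says which multiplication it protects, and the correctness of the change depends on that multiplication (outside the hunk) using the same struct. A comment such as `/* keep sizeof(struct agp_segment_priv) * seg_count from wrapping in the allocation below */` keeps the two sizeofs in lock-step. The `(unsigned)` cast on `reserve.seg_count` predates this change: if seg_count is wider than unsigned, the cast truncates before the comparison while the later multiplication presumably uses the untruncated value, which deserves a second look.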
24337 diff -urNp linux-2.6.38.4/drivers/char/agp/intel-agp.c linux-2.6.38.4/drivers/char/agp/intel-agp.c
24338 --- linux-2.6.38.4/drivers/char/agp/intel-agp.c 2011-03-14 21:20:32.000000000 -0400
24339 +++ linux-2.6.38.4/drivers/char/agp/intel-agp.c 2011-04-17 15:57:32.000000000 -0400
24340 @@ -903,7 +903,7 @@ static struct pci_device_id agp_intel_pc
24341 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_HB),
24342 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_M_HB),
24343 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_S_HB),
24345 + { 0, 0, 0, 0, 0, 0, 0 }
24348 MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
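Review bot: The terminator `{ 0, 0, 0, 0, 0, 0, 0 }` spells out every field of `struct pci_device_id` positionally, so it silently goes stale if a field is added, whereas the kernel's usual sentinel `{ }` zero-fills whatever the struct holds. The hpet.c hunk has the same style issue in the other direction: `{ HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL }` depends on `struct miscdevice`'s field order and on the trailing members being exactly those pointers, where `{ .minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops }` says what is meant and leaves the rest zero-initialized. If the explicit zeros are there to satisfy a missing-field-initializer warning or a build plugin, a one-line comment saying so would stop the next reader from reverting them.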
24349 diff -urNp linux-2.6.38.4/drivers/char/briq_panel.c linux-2.6.38.4/drivers/char/briq_panel.c
24350 --- linux-2.6.38.4/drivers/char/briq_panel.c 2011-03-14 21:20:32.000000000 -0400
24351 +++ linux-2.6.38.4/drivers/char/briq_panel.c 2011-04-18 19:47:43.000000000 -0400
24353 #include <linux/types.h>
24354 #include <linux/errno.h>
24355 #include <linux/tty.h>
24356 +#include <linux/mutex.h>
24357 #include <linux/timer.h>
24358 #include <linux/kernel.h>
24359 #include <linux/wait.h>
24360 @@ -34,6 +35,7 @@ static int vfd_is_open;
24361 static unsigned char vfd[40];
24362 static int vfd_cursor;
24363 static unsigned char ledpb, led;
24364 +static DEFINE_MUTEX(vfd_mutex);
24366 static void update_vfd(void)
24368 @@ -140,12 +142,15 @@ static ssize_t briq_panel_write(struct f
24372 + mutex_lock(&vfd_mutex);
24377 - if (get_user(c, buf))
24378 + if (get_user(c, buf)) {
24379 + mutex_unlock(&vfd_mutex);
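Review bot: Each early return inside briq_panel_write now has to remember `mutex_unlock(&vfd_mutex)` itself, as the added block around `get_user(c, buf)` shows, and the function's other exits lie outside this hunk where the page also elides lines, so I cannot confirm every error path is covered. A single exit label is less fragile: on the `get_user` failure do `ret = -EFAULT; goto out_unlock;` and place `out_unlock: mutex_unlock(&vfd_mutex); return ret;` once at the end, which also absorbs the unconditional unlock added in the next hunk. The mutex definition itself wants a comment stating what it serializes, presumably the file-scope `vfd[]`/`vfd_cursor` state declared just above it.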
24385 @@ -175,6 +180,7 @@ static ssize_t briq_panel_write(struct f
24389 + mutex_unlock(&vfd_mutex);
24393 diff -urNp linux-2.6.38.4/drivers/char/genrtc.c linux-2.6.38.4/drivers/char/genrtc.c
24394 --- linux-2.6.38.4/drivers/char/genrtc.c 2011-03-14 21:20:32.000000000 -0400
24395 +++ linux-2.6.38.4/drivers/char/genrtc.c 2011-04-21 16:55:16.000000000 -0400
24396 @@ -273,6 +273,7 @@ static int gen_rtc_ioctl(struct file *fi
24400 + memset(&pll, 0, sizeof(pll));
24401 if (get_rtc_pll(&pll))
24404 diff -urNp linux-2.6.38.4/drivers/char/hpet.c linux-2.6.38.4/drivers/char/hpet.c
24405 --- linux-2.6.38.4/drivers/char/hpet.c 2011-03-14 21:20:32.000000000 -0400
24406 +++ linux-2.6.38.4/drivers/char/hpet.c 2011-04-17 15:57:32.000000000 -0400
24407 @@ -553,7 +553,7 @@ static inline unsigned long hpet_time_di
24411 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg,
24412 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg,
24413 struct hpet_info *info)
24415 struct hpet_timer __iomem *timer;
24416 @@ -1043,7 +1043,7 @@ static struct acpi_driver hpet_acpi_driv
24420 -static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
24421 +static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
24423 static int __init hpet_init(void)
24425 diff -urNp linux-2.6.38.4/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.38.4/drivers/char/ipmi/ipmi_msghandler.c
24426 --- linux-2.6.38.4/drivers/char/ipmi/ipmi_msghandler.c 2011-03-14 21:20:32.000000000 -0400
24427 +++ linux-2.6.38.4/drivers/char/ipmi/ipmi_msghandler.c 2011-04-17 15:57:32.000000000 -0400
24428 @@ -414,7 +414,7 @@ struct ipmi_smi {
24429 struct proc_dir_entry *proc_dir;
24430 char proc_dir_name[10];
24432 - atomic_t stats[IPMI_NUM_STATS];
24433 + atomic_unchecked_t stats[IPMI_NUM_STATS];
24436 * run_to_completion duplicate of smb_info, smi_info
24437 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
24440 #define ipmi_inc_stat(intf, stat) \
24441 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
24442 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
24443 #define ipmi_get_stat(intf, stat) \
24444 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
24445 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
24447 static int is_lan_addr(struct ipmi_addr *addr)
24449 @@ -2844,7 +2844,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
24450 INIT_LIST_HEAD(&intf->cmd_rcvrs);
24451 init_waitqueue_head(&intf->waitq);
24452 for (i = 0; i < IPMI_NUM_STATS; i++)
24453 - atomic_set(&intf->stats[i], 0);
24454 + atomic_set_unchecked(&intf->stats[i], 0);
24456 intf->proc_dir = NULL;
24458 diff -urNp linux-2.6.38.4/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.38.4/drivers/char/ipmi/ipmi_si_intf.c
24459 --- linux-2.6.38.4/drivers/char/ipmi/ipmi_si_intf.c 2011-03-14 21:20:32.000000000 -0400
24460 +++ linux-2.6.38.4/drivers/char/ipmi/ipmi_si_intf.c 2011-04-17 15:57:32.000000000 -0400
24461 @@ -285,7 +285,7 @@ struct smi_info {
24462 unsigned char slave_addr;
24464 /* Counters and things for the proc filesystem. */
24465 - atomic_t stats[SI_NUM_STATS];
24466 + atomic_unchecked_t stats[SI_NUM_STATS];
24468 struct task_struct *thread;
24470 @@ -294,9 +294,9 @@ struct smi_info {
24473 #define smi_inc_stat(smi, stat) \
24474 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
24475 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
24476 #define smi_get_stat(smi, stat) \
24477 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
24478 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
24480 #define SI_MAX_PARMS 4
24482 @@ -3202,7 +3202,7 @@ static int try_smi_init(struct smi_info
24483 atomic_set(&new_smi->req_events, 0);
24484 new_smi->run_to_completion = 0;
24485 for (i = 0; i < SI_NUM_STATS; i++)
24486 - atomic_set(&new_smi->stats[i], 0);
24487 + atomic_set_unchecked(&new_smi->stats[i], 0);
24489 new_smi->interrupt_disabled = 1;
24490 atomic_set(&new_smi->stop_operation, 0);
24491 diff -urNp linux-2.6.38.4/drivers/char/istallion.c linux-2.6.38.4/drivers/char/istallion.c
24492 --- linux-2.6.38.4/drivers/char/istallion.c 2011-03-14 21:20:32.000000000 -0400
24493 +++ linux-2.6.38.4/drivers/char/istallion.c 2011-04-18 19:42:25.000000000 -0400
24494 @@ -186,7 +186,6 @@ static struct ktermios stli_deftermios
24495 * re-used for each stats call.
24497 static comstats_t stli_comstats;
24498 -static combrd_t stli_brdstats;
24499 static struct asystats stli_cdkstats;
24501 /*****************************************************************************/
24502 @@ -4005,6 +4004,7 @@ static int stli_getbrdstats(combrd_t __u
24504 struct stlibrd *brdp;
24506 + combrd_t stli_brdstats;
24508 if (copy_from_user(&stli_brdstats, bp, sizeof(combrd_t)))
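Review bot: The new stack local keeps the `stli_` prefix that the removed file-scope global carried, which reads as if it were still a module-wide name; `combrd_t brdstats;` is enough inside stli_getbrdstats. The previous hunk removes that global from a group introduced by the comment `* re-used for each stats call.`, so the comment (its first lines are outside the hunk) should be checked for a remaining mention of stli_brdstats. The local needs no initializer as long as `copy_from_user(&stli_brdstats, bp, sizeof(combrd_t))` fills it entirely and its failure path returns before the struct is read; that path is outside the hunk.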
24510 diff -urNp linux-2.6.38.4/drivers/char/Kconfig linux-2.6.38.4/drivers/char/Kconfig
24511 --- linux-2.6.38.4/drivers/char/Kconfig 2011-03-14 21:20:32.000000000 -0400
24512 +++ linux-2.6.38.4/drivers/char/Kconfig 2011-04-18 19:19:48.000000000 -0400
24513 @@ -90,7 +90,8 @@ config VT_HW_CONSOLE_BINDING
24516 bool "/dev/kmem virtual device support"
24519 + depends on !GRKERNSEC_KMEM
24521 Say Y here if you want to support the /dev/kmem device. The
24522 /dev/kmem device is rarely used, but can be used for certain
24523 @@ -1132,6 +1133,7 @@ config DEVPORT
24526 depends on ISA || PCI
24527 + depends on !GRKERNSEC_KMEM
24530 source "drivers/s390/char/Kconfig"
24531 diff -urNp linux-2.6.38.4/drivers/char/mem.c linux-2.6.38.4/drivers/char/mem.c
24532 --- linux-2.6.38.4/drivers/char/mem.c 2011-03-14 21:20:32.000000000 -0400
24533 +++ linux-2.6.38.4/drivers/char/mem.c 2011-04-17 15:57:32.000000000 -0400
24535 #include <linux/raw.h>
24536 #include <linux/tty.h>
24537 #include <linux/capability.h>
24538 +#include <linux/security.h>
24539 #include <linux/ptrace.h>
24540 #include <linux/device.h>
24541 #include <linux/highmem.h>
24543 # include <linux/efi.h>
24546 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
24547 +extern struct file_operations grsec_fops;
24550 static inline unsigned long size_inside_page(unsigned long start,
24551 unsigned long size)
24553 @@ -68,9 +73,13 @@ static inline int range_is_allowed(unsig
24555 while (cursor < to) {
24556 if (!devmem_is_allowed(pfn)) {
24557 +#ifdef CONFIG_GRKERNSEC_KMEM
24558 + gr_handle_mem_readwrite(from, to);
24561 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
24562 current->comm, from, to);
24566 cursor += PAGE_SIZE;
24567 @@ -78,6 +87,11 @@ static inline int range_is_allowed(unsig
24571 +#elif defined(CONFIG_GRKERNSEC_KMEM)
24572 +static inline int range_is_allowed(unsigned long pfn, unsigned long size)
24577 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
24579 @@ -120,6 +134,7 @@ static ssize_t read_mem(struct file *fil
24581 while (count > 0) {
24582 unsigned long remaining;
24585 sz = size_inside_page(p, count);
24587 @@ -135,7 +150,23 @@ static ssize_t read_mem(struct file *fil
24591 - remaining = copy_to_user(buf, ptr, sz);
24592 +#ifdef CONFIG_PAX_USERCOPY
24593 + temp = kmalloc(sz, GFP_KERNEL);
24595 + unxlate_dev_mem_ptr(p, ptr);
24598 + memcpy(temp, ptr, sz);
24603 + remaining = copy_to_user(buf, temp, sz);
24605 +#ifdef CONFIG_PAX_USERCOPY
24609 unxlate_dev_mem_ptr(p, ptr);
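Review bot: The bounce-buffer path allocates `temp` with `kmalloc(sz, GFP_KERNEL)` on every pass of the `while (count > 0)` loop the previous hunk shows, and this page elides the lines around it (the allocation-failure branch, the `kfree`, and the `#else` arm), so neither the failure nor the success path can be verified from what is visible. If `size_inside_page` caps `sz` at one page as its name suggests, allocating a single PAGE_SIZE buffer before the loop and freeing it once afterwards removes one allocation per page of a large read; the read_kmem hunk later in this file has the same per-iteration shape. Either way a comment next to the `#ifdef CONFIG_PAX_USERCOPY` should say why the copy is staged through kernel memory at all, presumably because the direct `copy_to_user` from the ioremapped `ptr` is rejected under that option.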
24612 @@ -398,9 +429,8 @@ static ssize_t read_kmem(struct file *fi
24613 size_t count, loff_t *ppos)
24615 unsigned long p = *ppos;
24616 - ssize_t low_count, read, sz;
24617 + ssize_t low_count, read, sz, err = 0;
24618 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
24622 if (p < (unsigned long) high_memory) {
24623 @@ -422,6 +452,8 @@ static ssize_t read_kmem(struct file *fi
24626 while (low_count > 0) {
24629 sz = size_inside_page(p, low_count);
24632 @@ -431,7 +463,22 @@ static ssize_t read_kmem(struct file *fi
24634 kbuf = xlate_dev_kmem_ptr((char *)p);
24636 - if (copy_to_user(buf, kbuf, sz))
24637 +#ifdef CONFIG_PAX_USERCOPY
24638 + temp = kmalloc(sz, GFP_KERNEL);
24641 + memcpy(temp, kbuf, sz);
24646 + err = copy_to_user(buf, temp, sz);
24648 +#ifdef CONFIG_PAX_USERCOPY
24656 @@ -857,6 +904,9 @@ static const struct memdev {
24657 #ifdef CONFIG_CRASH_DUMP
24658 [12] = { "oldmem", 0, &oldmem_fops, NULL },
24660 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
24661 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
24665 static int memory_open(struct inode *inode, struct file *filp)
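Review bot: The new `[13]` entry registers a node with mode `S_IRUSR | S_IWUGO`, i.e. writable by every user, and nothing here records that this is intentional; the write side of `grsec_fops` (declared `extern` near the top of this file, outside this hunk) must then authenticate or otherwise validate every request by itself. A comment on the entry, `/* world-writable by design: grsec_fops' write handler authenticates each request itself */`, turns this into a reviewed decision rather than a possible slip. Minor: `"grsec",S_IRUSR` lacks the space after the comma that the neighboring entries use, and if `grsec_fops` can be declared `const` the ops table stays in read-only memory like other `file_operations` in the kernel.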
24666 diff -urNp linux-2.6.38.4/drivers/char/nvram.c linux-2.6.38.4/drivers/char/nvram.c
24667 --- linux-2.6.38.4/drivers/char/nvram.c 2011-03-14 21:20:32.000000000 -0400
24668 +++ linux-2.6.38.4/drivers/char/nvram.c 2011-04-17 15:57:32.000000000 -0400
24669 @@ -246,7 +246,7 @@ static ssize_t nvram_read(struct file *f
24671 spin_unlock_irq(&rtc_lock);
24673 - if (copy_to_user(buf, contents, tmp - contents))
24674 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
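Review bot: The added guard compares `tmp - contents`, a `ptrdiff_t`, with `sizeof(contents)`, a `size_t`, so the signed operand is converted to unsigned; a negative difference would be caught as well, which is the safe direction, but the mixed comparison trips -Wsign-compare and hides the intent. Write it as `(size_t)(tmp - contents) > sizeof(contents)` and say in a comment that it is a defensive check against a walk past the local buffer rather than an expected condition. The random.c hunk `if (i > sizeof(tmp) || copy_to_user(buf, tmp, i))` has the same int-versus-size_t comparison, and since `i = min_t(int, nbytes, EXTRACT_SIZE)` the check can only fire if tmp holds fewer than EXTRACT_SIZE bytes; a comment such as `/* invariant: tmp holds EXTRACT_SIZE bytes */` would stop a reader from searching for the case it handles.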
24678 @@ -435,7 +435,10 @@ static const struct file_operations nvra
24679 static struct miscdevice nvram_dev = {
24689 static int __init nvram_init(void)
24690 diff -urNp linux-2.6.38.4/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.38.4/drivers/char/pcmcia/ipwireless/tty.c
24691 --- linux-2.6.38.4/drivers/char/pcmcia/ipwireless/tty.c 2011-03-14 21:20:32.000000000 -0400
24692 +++ linux-2.6.38.4/drivers/char/pcmcia/ipwireless/tty.c 2011-04-17 15:57:32.000000000 -0400
24694 #include <linux/tty_driver.h>
24695 #include <linux/tty_flip.h>
24696 #include <linux/uaccess.h>
24697 +#include <asm/local.h>
24700 #include "network.h"
24701 @@ -51,7 +52,7 @@ struct ipw_tty {
24703 struct ipw_network *network;
24704 struct tty_struct *linux_tty;
24706 + local_t open_count;
24707 unsigned int control_lines;
24708 struct mutex ipw_tty_mutex;
24709 int tx_bytes_queued;
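Review bot: `open_count` becomes a `local_t`, but `local_t` is documented for per-CPU data owned by a single CPU, and nothing at the field says why it fits a count that every open and close on the tty updates. The updates in the later hunks appear to run under `tty->ipw_tty_mutex` (the lock/unlock calls are visible around them), so they are serialized regardless; if the purpose is only to keep the counter out of the overflow-checked `atomic_t` class, say so at the declaration, e.g. `local_t open_count; /* serialized by ipw_tty_mutex; local_t only to avoid the overflow-checked atomic_t */`. The sonypi.c hunk that adds `local_t open_count` to `struct sonypi_device`, updated under `sonypi_device.lock`, calls for the same comment.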
24710 @@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
24711 mutex_unlock(&tty->ipw_tty_mutex);
24714 - if (tty->open_count == 0)
24715 + if (local_read(&tty->open_count) == 0)
24716 tty->tx_bytes_queued = 0;
24718 - tty->open_count++;
24719 + local_inc(&tty->open_count);
24721 tty->linux_tty = linux_tty;
24722 linux_tty->driver_data = tty;
24723 @@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
24725 static void do_ipw_close(struct ipw_tty *tty)
24727 - tty->open_count--;
24729 - if (tty->open_count == 0) {
24730 + if (local_dec_return(&tty->open_count) == 0) {
24731 struct tty_struct *linux_tty = tty->linux_tty;
24733 if (linux_tty != NULL) {
24734 @@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
24737 mutex_lock(&tty->ipw_tty_mutex);
24738 - if (tty->open_count == 0) {
24739 + if (local_read(&tty->open_count) == 0) {
24740 mutex_unlock(&tty->ipw_tty_mutex);
24743 @@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
24747 - if (!tty->open_count) {
24748 + if (!local_read(&tty->open_count)) {
24749 mutex_unlock(&tty->ipw_tty_mutex);
24752 @@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
24755 mutex_lock(&tty->ipw_tty_mutex);
24756 - if (!tty->open_count) {
24757 + if (!local_read(&tty->open_count)) {
24758 mutex_unlock(&tty->ipw_tty_mutex);
24761 @@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
24765 - if (!tty->open_count)
24766 + if (!local_read(&tty->open_count))
24769 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
24770 @@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
24774 - if (!tty->open_count)
24775 + if (!local_read(&tty->open_count))
24778 return tty->tx_bytes_queued;
24779 @@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
24783 - if (!tty->open_count)
24784 + if (!local_read(&tty->open_count))
24787 return get_control_lines(tty);
24788 @@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
24792 - if (!tty->open_count)
24793 + if (!local_read(&tty->open_count))
24796 return set_control_lines(tty, set, clear);
24797 @@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
24801 - if (!tty->open_count)
24802 + if (!local_read(&tty->open_count))
24805 /* FIXME: Exactly how is the tty object locked here .. */
24806 @@ -582,7 +581,7 @@ void ipwireless_tty_free(struct ipw_tty
24807 against a parallel ioctl etc */
24808 mutex_lock(&ttyj->ipw_tty_mutex);
24810 - while (ttyj->open_count)
24811 + while (local_read(&ttyj->open_count))
24812 do_ipw_close(ttyj);
24813 ipwireless_disassociate_network_ttys(network,
24814 ttyj->channel_idx);
24815 diff -urNp linux-2.6.38.4/drivers/char/random.c linux-2.6.38.4/drivers/char/random.c
24816 --- linux-2.6.38.4/drivers/char/random.c 2011-03-14 21:20:32.000000000 -0400
24817 +++ linux-2.6.38.4/drivers/char/random.c 2011-04-17 15:57:32.000000000 -0400
24818 @@ -254,8 +254,13 @@
24820 * Configuration information
24822 +#ifdef CONFIG_GRKERNSEC_RANDNET
24823 +#define INPUT_POOL_WORDS 512
24824 +#define OUTPUT_POOL_WORDS 128
24826 #define INPUT_POOL_WORDS 128
24827 #define OUTPUT_POOL_WORDS 32
24829 #define SEC_XFER_SIZE 512
24830 #define EXTRACT_SIZE 10
24832 @@ -293,10 +298,17 @@ static struct poolinfo {
24834 int tap1, tap2, tap3, tap4, tap5;
24835 } poolinfo_table[] = {
24836 +#ifdef CONFIG_GRKERNSEC_RANDNET
24837 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
24838 + { 512, 411, 308, 208, 104, 1 },
24839 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
24840 + { 128, 103, 76, 51, 25, 1 },
24842 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
24843 { 128, 103, 76, 51, 25, 1 },
24844 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
24845 { 32, 26, 20, 14, 7, 1 },
24848 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
24849 { 2048, 1638, 1231, 819, 411, 1 },
24850 @@ -902,7 +914,7 @@ static ssize_t extract_entropy_user(stru
24852 extract_buf(r, tmp);
24853 i = min_t(int, nbytes, EXTRACT_SIZE);
24854 - if (copy_to_user(buf, tmp, i)) {
24855 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
24859 @@ -1207,7 +1219,7 @@ EXPORT_SYMBOL(generate_random_uuid);
24860 #include <linux/sysctl.h>
24862 static int min_read_thresh = 8, min_write_thresh;
24863 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
24864 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
24865 static int max_write_thresh = INPUT_POOL_WORDS * 32;
24866 static char sysctl_bootid[16];
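Review bot: The change of `max_read_thresh` from `INPUT_POOL_WORDS * 32` to `OUTPUT_POOL_WORDS * 32` is not under `CONFIG_GRKERNSEC_RANDNET`, so with the default 128/32-word pools from the earlier hunk it lowers the ceiling of the read wakeup threshold sysctl from 4096 to 1024 bits for every configuration. If that is deliberate because the threshold is compared against the output pools' entropy count, a comment should say so, e.g. `/* the read threshold applies to the output pools, so bound it by their size */`; if it was only meant to track the RANDNET sizes, the assignment belongs inside the `#ifdef`.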
24868 diff -urNp linux-2.6.38.4/drivers/char/sonypi.c linux-2.6.38.4/drivers/char/sonypi.c
24869 --- linux-2.6.38.4/drivers/char/sonypi.c 2011-03-14 21:20:32.000000000 -0400
24870 +++ linux-2.6.38.4/drivers/char/sonypi.c 2011-04-17 15:57:32.000000000 -0400
24872 #include <asm/uaccess.h>
24873 #include <asm/io.h>
24874 #include <asm/system.h>
24875 +#include <asm/local.h>
24877 #include <linux/sonypi.h>
24879 @@ -491,7 +492,7 @@ static struct sonypi_device {
24880 spinlock_t fifo_lock;
24881 wait_queue_head_t fifo_proc_list;
24882 struct fasync_struct *fifo_async;
24884 + local_t open_count;
24886 struct input_dev *input_jog_dev;
24887 struct input_dev *input_key_dev;
24888 @@ -898,7 +899,7 @@ static int sonypi_misc_fasync(int fd, st
24889 static int sonypi_misc_release(struct inode *inode, struct file *file)
24891 mutex_lock(&sonypi_device.lock);
24892 - sonypi_device.open_count--;
24893 + local_dec(&sonypi_device.open_count);
24894 mutex_unlock(&sonypi_device.lock);
24897 @@ -907,9 +908,9 @@ static int sonypi_misc_open(struct inode
24899 mutex_lock(&sonypi_device.lock);
24900 /* Flush input queue on first open */
24901 - if (!sonypi_device.open_count)
24902 + if (!local_read(&sonypi_device.open_count))
24903 kfifo_reset(&sonypi_device.fifo);
24904 - sonypi_device.open_count++;
24905 + local_inc(&sonypi_device.open_count);
24906 mutex_unlock(&sonypi_device.lock);
24909 diff -urNp linux-2.6.38.4/drivers/char/tpm/tpm_bios.c linux-2.6.38.4/drivers/char/tpm/tpm_bios.c
24910 --- linux-2.6.38.4/drivers/char/tpm/tpm_bios.c 2011-03-14 21:20:32.000000000 -0400
24911 +++ linux-2.6.38.4/drivers/char/tpm/tpm_bios.c 2011-04-17 15:57:32.000000000 -0400
24912 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
24915 if ((event->event_type == 0 && event->event_size == 0) ||
24916 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
24917 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
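Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` avoids the pointer-arithmetic wrap of the old form, but it is only correct if `addr + sizeof(struct tcpa_event) < limit` has already been established; otherwise the right-hand side underflows to a huge unsigned value and every event size passes. That precondition, if present, sits above this hunk in tpm_bios_measurements_start (and above the next hunk for `v` in tpm_bios_measurements_next), so a comment at each site would make the dependency visible: `/* limit - addr > sizeof(*event) was checked above, so this cannot underflow */`. Both enclosing functions extend beyond their hunks.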
24921 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
24924 if ((event->event_type == 0 && event->event_size == 0) ||
24925 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
24926 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
24930 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
24933 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
24934 - seq_putc(m, data[i]);
24935 + if (!seq_putc(m, data[i]))
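Review bot: The sense of `if (!seq_putc(m, data[i]))` looks inverted: in this kernel series, as far as I recall, `seq_putc()` returns 0 when the character was stored and -1 when the seq_file buffer is full, so the branch (whose body is not visible here) would be taken on every successful byte. If the body returns an error, the test should read `if (seq_putc(m, data[i]) < 0)`. Please confirm against fs/seq_file.c in this tree before merging. The end of the enclosing function lies outside the hunk.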
24940 @@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log
24941 log->bios_event_log_end = log->bios_event_log + len;
24943 virt = acpi_os_map_memory(start, len);
24945 + kfree(log->bios_event_log);
24946 + log->bios_event_log = NULL;
24950 memcpy(log->bios_event_log, virt, len);
24952 diff -urNp linux-2.6.38.4/drivers/char/tpm/tpm.c linux-2.6.38.4/drivers/char/tpm/tpm.c
24953 --- linux-2.6.38.4/drivers/char/tpm/tpm.c 2011-04-18 17:27:18.000000000 -0400
24954 +++ linux-2.6.38.4/drivers/char/tpm/tpm.c 2011-04-17 16:53:16.000000000 -0400
24955 @@ -411,7 +411,7 @@ static ssize_t tpm_transmit(struct tpm_c
24956 chip->vendor.req_complete_val)
24959 - if ((status == chip->vendor.req_canceled)) {
24960 + if (status == chip->vendor.req_canceled) {
24961 dev_err(chip->dev, "Operation Canceled\n");
24964 diff -urNp linux-2.6.38.4/drivers/cpuidle/sysfs.c linux-2.6.38.4/drivers/cpuidle/sysfs.c
24965 --- linux-2.6.38.4/drivers/cpuidle/sysfs.c 2011-03-14 21:20:32.000000000 -0400
24966 +++ linux-2.6.38.4/drivers/cpuidle/sysfs.c 2011-04-17 15:57:32.000000000 -0400
24967 @@ -300,7 +300,7 @@ static struct kobj_type ktype_state_cpui
24968 .release = cpuidle_state_sysfs_release,
24971 -static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24972 +static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24974 kobject_put(&device->kobjs[i]->kobj);
24975 wait_for_completion(&device->kobjs[i]->kobj_unregister);
24976 diff -urNp linux-2.6.38.4/drivers/edac/edac_core.h linux-2.6.38.4/drivers/edac/edac_core.h
24977 --- linux-2.6.38.4/drivers/edac/edac_core.h 2011-03-14 21:20:32.000000000 -0400
24978 +++ linux-2.6.38.4/drivers/edac/edac_core.h 2011-04-17 15:57:32.000000000 -0400
24979 @@ -88,11 +88,11 @@ extern int edac_debug_level;
24981 #else /* !CONFIG_EDAC_DEBUG */
24983 -#define debugf0( ... )
24984 -#define debugf1( ... )
24985 -#define debugf2( ... )
24986 -#define debugf3( ... )
24987 -#define debugf4( ... )
24988 +#define debugf0( ... ) do {} while (0)
24989 +#define debugf1( ... ) do {} while (0)
24990 +#define debugf2( ... ) do {} while (0)
24991 +#define debugf3( ... ) do {} while (0)
24992 +#define debugf4( ... ) do {} while (0)
24994 #endif /* !CONFIG_EDAC_DEBUG */
24996 diff -urNp linux-2.6.38.4/drivers/edac/edac_mc_sysfs.c linux-2.6.38.4/drivers/edac/edac_mc_sysfs.c
24997 --- linux-2.6.38.4/drivers/edac/edac_mc_sysfs.c 2011-03-14 21:20:32.000000000 -0400
24998 +++ linux-2.6.38.4/drivers/edac/edac_mc_sysfs.c 2011-04-17 15:57:32.000000000 -0400
24999 @@ -761,7 +761,7 @@ static void edac_inst_grp_release(struct
25002 /* Intermediate show/store table */
25003 -static struct sysfs_ops inst_grp_ops = {
25004 +static const struct sysfs_ops inst_grp_ops = {
25005 .show = inst_grp_show,
25006 .store = inst_grp_store
25008 diff -urNp linux-2.6.38.4/drivers/firewire/core-cdev.c linux-2.6.38.4/drivers/firewire/core-cdev.c
25009 --- linux-2.6.38.4/drivers/firewire/core-cdev.c 2011-03-14 21:20:32.000000000 -0400
25010 +++ linux-2.6.38.4/drivers/firewire/core-cdev.c 2011-04-17 15:57:32.000000000 -0400
25011 @@ -1329,8 +1329,7 @@ static int init_iso_resource(struct clie
25014 if ((request->channels == 0 && request->bandwidth == 0) ||
25015 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
25016 - request->bandwidth < 0)
25017 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
25020 r = kmalloc(sizeof(*r), GFP_KERNEL);
25021 diff -urNp linux-2.6.38.4/drivers/firmware/dmi_scan.c linux-2.6.38.4/drivers/firmware/dmi_scan.c
25022 --- linux-2.6.38.4/drivers/firmware/dmi_scan.c 2011-03-14 21:20:32.000000000 -0400
25023 +++ linux-2.6.38.4/drivers/firmware/dmi_scan.c 2011-04-17 15:57:32.000000000 -0400
25024 @@ -449,11 +449,6 @@ void __init dmi_scan_machine(void)
25029 - * no iounmap() for that ioremap(); it would be a no-op, but
25030 - * it's so early in setup that sucker gets confused into doing
25031 - * what it shouldn't if we actually call it.
25033 p = dmi_ioremap(0xF0000, 0x10000);
25036 diff -urNp linux-2.6.38.4/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.38.4/drivers/gpu/drm/drm_crtc_helper.c
25037 --- linux-2.6.38.4/drivers/gpu/drm/drm_crtc_helper.c 2011-03-14 21:20:32.000000000 -0400
25038 +++ linux-2.6.38.4/drivers/gpu/drm/drm_crtc_helper.c 2011-04-17 15:57:32.000000000 -0400
25039 @@ -276,7 +276,7 @@ static bool drm_encoder_crtc_ok(struct d
25040 struct drm_crtc *tmp;
25043 - WARN(!crtc, "checking null crtc?\n");
25048 diff -urNp linux-2.6.38.4/drivers/gpu/drm/drm_drv.c linux-2.6.38.4/drivers/gpu/drm/drm_drv.c
25049 --- linux-2.6.38.4/drivers/gpu/drm/drm_drv.c 2011-03-14 21:20:32.000000000 -0400
25050 +++ linux-2.6.38.4/drivers/gpu/drm/drm_drv.c 2011-04-17 15:57:32.000000000 -0400
25051 @@ -425,7 +425,7 @@ long drm_ioctl(struct file *filp,
25053 dev = file_priv->minor->dev;
25054 atomic_inc(&dev->ioctl_count);
25055 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
25056 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
25057 ++file_priv->ioctl_count;
25059 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
25060 diff -urNp linux-2.6.38.4/drivers/gpu/drm/drm_fops.c linux-2.6.38.4/drivers/gpu/drm/drm_fops.c
25061 --- linux-2.6.38.4/drivers/gpu/drm/drm_fops.c 2011-03-14 21:20:32.000000000 -0400
25062 +++ linux-2.6.38.4/drivers/gpu/drm/drm_fops.c 2011-04-17 15:57:32.000000000 -0400
25063 @@ -70,7 +70,7 @@ static int drm_setup(struct drm_device *
25066 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
25067 - atomic_set(&dev->counts[i], 0);
25068 + atomic_set_unchecked(&dev->counts[i], 0);
25070 dev->sigdata.lock = NULL;
25072 @@ -134,8 +134,8 @@ int drm_open(struct inode *inode, struct
25074 retcode = drm_open_helper(inode, filp, dev);
25076 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
25077 - if (!dev->open_count++)
25078 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
25079 + if (local_inc_return(&dev->open_count) == 1)
25080 retcode = drm_setup(dev);
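Review bot: Turning `dev->open_count` into a `local_t` changes the atomicity on offer: `local_*` operations are guaranteed atomic only against accesses from the same CPU, so the `local_inc_return(...) == 1` test here and the `local_dec_and_test()` in the drm_release hunk still depend on the caller's lock (drm_global_mutex, visibly taken in drm_release and presumably on the open path) for cross-CPU correctness. The i915, nouveau and radeon `can_switch` hunks read the same counter under `dev->count_lock` instead, so a comment at the field's declaration, or here, stating which lock serializes updates would stop the type from being mistaken for a cross-CPU-safe counter, e.g. `/* local_t is not cross-CPU atomic; drm_global_mutex serializes all updates */`. The enclosing function continues outside the hunk.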
25083 @@ -472,7 +472,7 @@ int drm_release(struct inode *inode, str
25085 mutex_lock(&drm_global_mutex);
25087 - DRM_DEBUG("open_count = %d\n", dev->open_count);
25088 + DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
25090 if (dev->driver->preclose)
25091 dev->driver->preclose(dev, file_priv);
25092 @@ -484,7 +484,7 @@ int drm_release(struct inode *inode, str
25093 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
25094 task_pid_nr(current),
25095 (long)old_encode_dev(file_priv->minor->device),
25096 - dev->open_count);
25097 + local_read(&dev->open_count));
25099 /* if the master has gone away we can't do anything with the lock */
25100 if (file_priv->minor->master)
25101 @@ -565,8 +565,8 @@ int drm_release(struct inode *inode, str
25102 * End inline drm_release
25105 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
25106 - if (!--dev->open_count) {
25107 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
25108 + if (local_dec_and_test(&dev->open_count)) {
25109 if (atomic_read(&dev->ioctl_count)) {
25110 DRM_ERROR("Device busy: %d\n",
25111 atomic_read(&dev->ioctl_count));
25112 diff -urNp linux-2.6.38.4/drivers/gpu/drm/drm_global.c linux-2.6.38.4/drivers/gpu/drm/drm_global.c
25113 --- linux-2.6.38.4/drivers/gpu/drm/drm_global.c 2011-03-14 21:20:32.000000000 -0400
25114 +++ linux-2.6.38.4/drivers/gpu/drm/drm_global.c 2011-04-17 15:57:32.000000000 -0400
25116 struct drm_global_item {
25117 struct mutex mutex;
25120 + atomic_t refcount;
25123 static struct drm_global_item glob[DRM_GLOBAL_NUM];
25124 @@ -49,7 +49,7 @@ void drm_global_init(void)
25125 struct drm_global_item *item = &glob[i];
25126 mutex_init(&item->mutex);
25127 item->object = NULL;
25128 - item->refcount = 0;
25129 + atomic_set(&item->refcount, 0);
25133 @@ -59,7 +59,7 @@ void drm_global_release(void)
25134 for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
25135 struct drm_global_item *item = &glob[i];
25136 BUG_ON(item->object != NULL);
25137 - BUG_ON(item->refcount != 0);
25138 + BUG_ON(atomic_read(&item->refcount) != 0);
25142 @@ -70,7 +70,7 @@ int drm_global_item_ref(struct drm_globa
25145 mutex_lock(&item->mutex);
25146 - if (item->refcount == 0) {
25147 + if (atomic_read(&item->refcount) == 0) {
25148 item->object = kzalloc(ref->size, GFP_KERNEL);
25149 if (unlikely(item->object == NULL)) {
25151 @@ -83,7 +83,7 @@ int drm_global_item_ref(struct drm_globa
25155 - ++item->refcount;
25156 + atomic_inc(&item->refcount);
25157 ref->object = item->object;
25158 object = item->object;
25159 mutex_unlock(&item->mutex);
25160 @@ -100,9 +100,9 @@ void drm_global_item_unref(struct drm_gl
25161 struct drm_global_item *item = &glob[ref->global_type];
25163 mutex_lock(&item->mutex);
25164 - BUG_ON(item->refcount == 0);
25165 + BUG_ON(atomic_read(&item->refcount) == 0);
25166 BUG_ON(ref->object != item->object);
25167 - if (--item->refcount == 0) {
25168 + if (atomic_dec_and_test(&item->refcount)) {
25170 item->object = NULL;
25172 diff -urNp linux-2.6.38.4/drivers/gpu/drm/drm_info.c linux-2.6.38.4/drivers/gpu/drm/drm_info.c
25173 --- linux-2.6.38.4/drivers/gpu/drm/drm_info.c 2011-03-14 21:20:32.000000000 -0400
25174 +++ linux-2.6.38.4/drivers/gpu/drm/drm_info.c 2011-04-17 15:57:32.000000000 -0400
25175 @@ -86,10 +86,14 @@ int drm_vm_info(struct seq_file *m, void
25176 struct drm_local_map *map;
25177 struct drm_map_list *r_list;
25179 - /* Hardcoded from _DRM_FRAME_BUFFER,
25180 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
25181 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
25182 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
25183 + static const char * const types[] = {
25184 + [_DRM_FRAME_BUFFER] = "FB",
25185 + [_DRM_REGISTERS] = "REG",
25186 + [_DRM_SHM] = "SHM",
25187 + [_DRM_AGP] = "AGP",
25188 + [_DRM_SCATTER_GATHER] = "SG",
25189 + [_DRM_CONSISTENT] = "PCI",
25190 + [_DRM_GEM] = "GEM" };
25194 @@ -100,7 +104,7 @@ int drm_vm_info(struct seq_file *m, void
25198 - if (map->type < 0 || map->type > 5)
25199 + if (map->type >= ARRAY_SIZE(types))
25202 type = types[map->type];
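Review bot: `if (map->type >= ARRAY_SIZE(types))` guards the index but not the slot: with designated initializers, any `drm_map_type` value below `_DRM_GEM` that is not listed leaves a NULL entry, which `type = types[map->type]` would then hand to the printing code. The enum appears contiguous today, so this is defensive, but `if (map->type >= ARRAY_SIZE(types) || !types[map->type])` costs nothing and keeps the table safe if the enum ever gains a gap. Note also that if the enum is signed on some compiler, a negative `map->type` is rejected here only because it converts to a large unsigned value in the comparison with `size_t`, which is worth a short comment.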
25203 @@ -301,7 +305,11 @@ int drm_vma_info(struct seq_file *m, voi
25204 vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
25205 vma->vm_flags & VM_LOCKED ? 'l' : '-',
25206 vma->vm_flags & VM_IO ? 'i' : '-',
25207 +#ifdef CONFIG_GRKERNSEC_HIDESYM
25213 #if defined(__i386__)
25214 pgprot = pgprot_val(vma->vm_page_prot);
25215 diff -urNp linux-2.6.38.4/drivers/gpu/drm/drm_ioctl.c linux-2.6.38.4/drivers/gpu/drm/drm_ioctl.c
25216 --- linux-2.6.38.4/drivers/gpu/drm/drm_ioctl.c 2011-03-14 21:20:32.000000000 -0400
25217 +++ linux-2.6.38.4/drivers/gpu/drm/drm_ioctl.c 2011-04-17 15:57:32.000000000 -0400
25218 @@ -353,7 +353,7 @@ int drm_getstats(struct drm_device *dev,
25219 stats->data[i].value =
25220 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
25222 - stats->data[i].value = atomic_read(&dev->counts[i]);
25223 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
25224 stats->data[i].type = dev->types[i];
25227 diff -urNp linux-2.6.38.4/drivers/gpu/drm/drm_lock.c linux-2.6.38.4/drivers/gpu/drm/drm_lock.c
25228 --- linux-2.6.38.4/drivers/gpu/drm/drm_lock.c 2011-03-14 21:20:32.000000000 -0400
25229 +++ linux-2.6.38.4/drivers/gpu/drm/drm_lock.c 2011-04-17 15:57:32.000000000 -0400
25230 @@ -89,7 +89,7 @@ int drm_lock(struct drm_device *dev, voi
25231 if (drm_lock_take(&master->lock, lock->context)) {
25232 master->lock.file_priv = file_priv;
25233 master->lock.lock_time = jiffies;
25234 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
25235 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
25236 break; /* Got lock */
25239 @@ -160,7 +160,7 @@ int drm_unlock(struct drm_device *dev, v
25243 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
25244 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
25246 if (drm_lock_free(&master->lock, lock->context)) {
25247 /* FIXME: Should really bail out here. */
25248 diff -urNp linux-2.6.38.4/drivers/gpu/drm/i810/i810_dma.c linux-2.6.38.4/drivers/gpu/drm/i810/i810_dma.c
25249 --- linux-2.6.38.4/drivers/gpu/drm/i810/i810_dma.c 2011-03-14 21:20:32.000000000 -0400
25250 +++ linux-2.6.38.4/drivers/gpu/drm/i810/i810_dma.c 2011-04-17 15:57:32.000000000 -0400
25251 @@ -953,8 +953,8 @@ static int i810_dma_vertex(struct drm_de
25252 dma->buflist[vertex->idx],
25253 vertex->discard, vertex->used);
25255 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
25256 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
25257 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
25258 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
25259 sarea_priv->last_enqueue = dev_priv->counter - 1;
25260 sarea_priv->last_dispatch = (int)hw_status[5];
25262 @@ -1114,8 +1114,8 @@ static int i810_dma_mc(struct drm_device
25263 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
25266 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
25267 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
25268 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
25269 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
25270 sarea_priv->last_enqueue = dev_priv->counter - 1;
25271 sarea_priv->last_dispatch = (int)hw_status[5];
25273 diff -urNp linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ch7017.c
25274 --- linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ch7017.c 2011-03-14 21:20:32.000000000 -0400
25275 +++ linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ch7017.c 2011-04-17 15:57:32.000000000 -0400
25276 @@ -390,7 +390,7 @@ static void ch7017_destroy(struct intel_
25280 -struct intel_dvo_dev_ops ch7017_ops = {
25281 +const struct intel_dvo_dev_ops ch7017_ops = {
25282 .init = ch7017_init,
25283 .detect = ch7017_detect,
25284 .mode_valid = ch7017_mode_valid,
25285 diff -urNp linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ch7xxx.c
25286 --- linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-03-14 21:20:32.000000000 -0400
25287 +++ linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-04-17 15:57:32.000000000 -0400
25288 @@ -320,7 +320,7 @@ static void ch7xxx_destroy(struct intel_
25292 -struct intel_dvo_dev_ops ch7xxx_ops = {
25293 +const struct intel_dvo_dev_ops ch7xxx_ops = {
25294 .init = ch7xxx_init,
25295 .detect = ch7xxx_detect,
25296 .mode_valid = ch7xxx_mode_valid,
25297 diff -urNp linux-2.6.38.4/drivers/gpu/drm/i915/dvo.h linux-2.6.38.4/drivers/gpu/drm/i915/dvo.h
25298 --- linux-2.6.38.4/drivers/gpu/drm/i915/dvo.h 2011-03-14 21:20:32.000000000 -0400
25299 +++ linux-2.6.38.4/drivers/gpu/drm/i915/dvo.h 2011-04-17 15:57:32.000000000 -0400
25300 @@ -122,23 +122,23 @@ struct intel_dvo_dev_ops {
25302 * \return singly-linked list of modes or NULL if no modes found.
25304 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
25305 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
25308 * Clean up driver-specific bits of the output
25310 - void (*destroy) (struct intel_dvo_device *dvo);
25311 + void (* const destroy) (struct intel_dvo_device *dvo);
25314 * Debugging hook to dump device registers to log file
25316 - void (*dump_regs)(struct intel_dvo_device *dvo);
25317 + void (* const dump_regs)(struct intel_dvo_device *dvo);
25320 -extern struct intel_dvo_dev_ops sil164_ops;
25321 -extern struct intel_dvo_dev_ops ch7xxx_ops;
25322 -extern struct intel_dvo_dev_ops ivch_ops;
25323 -extern struct intel_dvo_dev_ops tfp410_ops;
25324 -extern struct intel_dvo_dev_ops ch7017_ops;
25325 +extern const struct intel_dvo_dev_ops sil164_ops;
25326 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
25327 +extern const struct intel_dvo_dev_ops ivch_ops;
25328 +extern const struct intel_dvo_dev_ops tfp410_ops;
25329 +extern const struct intel_dvo_dev_ops ch7017_ops;
25331 #endif /* _INTEL_DVO_H */
25332 diff -urNp linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ivch.c
25333 --- linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ivch.c 2011-03-14 21:20:32.000000000 -0400
25334 +++ linux-2.6.38.4/drivers/gpu/drm/i915/dvo_ivch.c 2011-04-17 15:57:32.000000000 -0400
25335 @@ -410,7 +410,7 @@ static void ivch_destroy(struct intel_dv
25339 -struct intel_dvo_dev_ops ivch_ops= {
25340 +const struct intel_dvo_dev_ops ivch_ops= {
25343 .mode_valid = ivch_mode_valid,
25344 diff -urNp linux-2.6.38.4/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.38.4/drivers/gpu/drm/i915/dvo_sil164.c
25345 --- linux-2.6.38.4/drivers/gpu/drm/i915/dvo_sil164.c 2011-03-14 21:20:32.000000000 -0400
25346 +++ linux-2.6.38.4/drivers/gpu/drm/i915/dvo_sil164.c 2011-04-17 15:57:32.000000000 -0400
25347 @@ -252,7 +252,7 @@ static void sil164_destroy(struct intel_
25351 -struct intel_dvo_dev_ops sil164_ops = {
25352 +const struct intel_dvo_dev_ops sil164_ops = {
25353 .init = sil164_init,
25354 .detect = sil164_detect,
25355 .mode_valid = sil164_mode_valid,
25356 diff -urNp linux-2.6.38.4/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.38.4/drivers/gpu/drm/i915/dvo_tfp410.c
25357 --- linux-2.6.38.4/drivers/gpu/drm/i915/dvo_tfp410.c 2011-03-14 21:20:32.000000000 -0400
25358 +++ linux-2.6.38.4/drivers/gpu/drm/i915/dvo_tfp410.c 2011-04-17 15:57:32.000000000 -0400
25359 @@ -293,7 +293,7 @@ static void tfp410_destroy(struct intel_
25363 -struct intel_dvo_dev_ops tfp410_ops = {
25364 +const struct intel_dvo_dev_ops tfp410_ops = {
25365 .init = tfp410_init,
25366 .detect = tfp410_detect,
25367 .mode_valid = tfp410_mode_valid,
25368 diff -urNp linux-2.6.38.4/drivers/gpu/drm/i915/i915_dma.c linux-2.6.38.4/drivers/gpu/drm/i915/i915_dma.c
25369 --- linux-2.6.38.4/drivers/gpu/drm/i915/i915_dma.c 2011-03-14 21:20:32.000000000 -0400
25370 +++ linux-2.6.38.4/drivers/gpu/drm/i915/i915_dma.c 2011-04-17 15:57:32.000000000 -0400
25371 @@ -1159,7 +1159,7 @@ static bool i915_switcheroo_can_switch(s
25374 spin_lock(&dev->count_lock);
25375 - can_switch = (dev->open_count == 0);
25376 + can_switch = (local_read(&dev->open_count) == 0);
25377 spin_unlock(&dev->count_lock);
25380 diff -urNp linux-2.6.38.4/drivers/gpu/drm/i915/i915_drv.c linux-2.6.38.4/drivers/gpu/drm/i915/i915_drv.c
25381 --- linux-2.6.38.4/drivers/gpu/drm/i915/i915_drv.c 2011-03-14 21:20:32.000000000 -0400
25382 +++ linux-2.6.38.4/drivers/gpu/drm/i915/i915_drv.c 2011-04-17 15:57:32.000000000 -0400
25383 @@ -673,7 +673,7 @@ static const struct dev_pm_ops i915_pm_o
25384 .restore = i915_pm_resume,
25387 -static struct vm_operations_struct i915_gem_vm_ops = {
25388 +static const struct vm_operations_struct i915_gem_vm_ops = {
25389 .fault = i915_gem_fault,
25390 .open = drm_gem_vm_open,
25391 .close = drm_gem_vm_close,
25392 diff -urNp linux-2.6.38.4/drivers/gpu/drm/i915/i915_drv.h linux-2.6.38.4/drivers/gpu/drm/i915/i915_drv.h
25393 --- linux-2.6.38.4/drivers/gpu/drm/i915/i915_drv.h 2011-03-14 21:20:32.000000000 -0400
25394 +++ linux-2.6.38.4/drivers/gpu/drm/i915/i915_drv.h 2011-04-17 15:57:32.000000000 -0400
25395 @@ -1229,7 +1229,7 @@ extern int intel_setup_gmbus(struct drm_
25396 extern void intel_teardown_gmbus(struct drm_device *dev);
25397 extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed);
25398 extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit);
25399 -extern inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
25400 +static inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
25402 return container_of(adapter, struct intel_gmbus, adapter)->force_bit;
25404 diff -urNp linux-2.6.38.4/drivers/gpu/drm/nouveau/nouveau_state.c linux-2.6.38.4/drivers/gpu/drm/nouveau/nouveau_state.c
25405 --- linux-2.6.38.4/drivers/gpu/drm/nouveau/nouveau_state.c 2011-03-14 21:20:32.000000000 -0400
25406 +++ linux-2.6.38.4/drivers/gpu/drm/nouveau/nouveau_state.c 2011-04-17 15:57:32.000000000 -0400
25407 @@ -621,7 +621,7 @@ static bool nouveau_switcheroo_can_switc
25410 spin_lock(&dev->count_lock);
25411 - can_switch = (dev->open_count == 0);
25412 + can_switch = (local_read(&dev->open_count) == 0);
25413 spin_unlock(&dev->count_lock);
25416 diff -urNp linux-2.6.38.4/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.38.4/drivers/gpu/drm/radeon/mkregtable.c
25417 --- linux-2.6.38.4/drivers/gpu/drm/radeon/mkregtable.c 2011-03-14 21:20:32.000000000 -0400
25418 +++ linux-2.6.38.4/drivers/gpu/drm/radeon/mkregtable.c 2011-04-17 15:57:32.000000000 -0400
25419 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
25421 regmatch_t match[4];
25429 struct offset *offset;
25430 char last_reg_s[10];
25432 + unsigned long last_reg;
25435 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
25436 diff -urNp linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_device.c linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_device.c
25437 --- linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_device.c 2011-03-14 21:20:32.000000000 -0400
25438 +++ linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_device.c 2011-04-17 15:57:32.000000000 -0400
25439 @@ -673,7 +673,7 @@ static bool radeon_switcheroo_can_switch
25442 spin_lock(&dev->count_lock);
25443 - can_switch = (dev->open_count == 0);
25444 + can_switch = (local_read(&dev->open_count) == 0);
25445 spin_unlock(&dev->count_lock);
25448 diff -urNp linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_ioc32.c linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_ioc32.c
25449 --- linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-03-14 21:20:32.000000000 -0400
25450 +++ linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-04-17 15:57:32.000000000 -0400
25451 @@ -359,7 +359,7 @@ static int compat_radeon_cp_setparam(str
25452 request = compat_alloc_user_space(sizeof(*request));
25453 if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
25454 || __put_user(req32.param, &request->param)
25455 - || __put_user((void __user *)(unsigned long)req32.value,
25456 + || __put_user((unsigned long)req32.value,
25460 diff -urNp linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_state.c
25461 --- linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_state.c 2011-03-14 21:20:32.000000000 -0400
25462 +++ linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_state.c 2011-04-17 15:57:32.000000000 -0400
25463 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
25464 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
25465 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
25467 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
25468 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
25469 sarea_priv->nbox * sizeof(depth_boxes[0])))
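Review bot: The added `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS` re-check reads the field a second time after the clamp two lines above, and the copy length on the next line reads it a third time; if `sarea_priv` lives in the user-mapped SAREA, as it appears to, the value can change between those reads and the guard does not cover the length actually passed to `DRM_COPY_FROM_USER`. Taking one snapshot removes the window: `int nbox = sarea_priv->nbox; if (nbox > RADEON_NR_SAREA_CLIPRECTS) nbox = RADEON_NR_SAREA_CLIPRECTS;` followed by `DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes, nbox * sizeof(depth_boxes[0]))`. Whether later code in radeon_cp_clear (outside the hunk) re-reads `sarea_priv->nbox` and should use the same local is worth checking.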
25472 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
25474 drm_radeon_private_t *dev_priv = dev->dev_private;
25475 drm_radeon_getparam_t *param = data;
25479 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
25481 diff -urNp linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_ttm.c
25482 --- linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_ttm.c 2011-03-14 21:20:32.000000000 -0400
25483 +++ linux-2.6.38.4/drivers/gpu/drm/radeon/radeon_ttm.c 2011-04-17 15:57:32.000000000 -0400
25484 @@ -603,8 +603,9 @@ void radeon_ttm_set_active_vram_size(str
25485 man->size = size >> PAGE_SHIFT;
25488 -static struct vm_operations_struct radeon_ttm_vm_ops;
25489 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
25490 +extern int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);
25491 +extern void ttm_bo_vm_open(struct vm_area_struct *vma);
25492 +extern void ttm_bo_vm_close(struct vm_area_struct *vma);
25494 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
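Review bot: The three `extern` prototypes for `ttm_bo_vm_fault`, `ttm_bo_vm_open` and `ttm_bo_vm_close` are declared locally in radeon_ttm.c rather than in a TTM header, so the compiler cannot check them against the definitions that the ttm_bo_vm.c hunk makes non-static and exports, and a later signature change would only show up at runtime. Move the declarations into the TTM public header that already declares `ttm_bo_mmap()` (called a few lines below in radeon_mmap) and include that header here instead.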
25496 @@ -612,17 +613,22 @@ static int radeon_ttm_fault(struct vm_ar
25497 struct radeon_device *rdev;
25500 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
25501 - if (bo == NULL) {
25502 + bo = (struct ttm_buffer_object *)vma->vm_private_data;
25504 return VM_FAULT_NOPAGE;
25506 rdev = radeon_get_rdev(bo->bdev);
25507 mutex_lock(&rdev->vram_mutex);
25508 - r = ttm_vm_ops->fault(vma, vmf);
25509 + r = ttm_bo_vm_fault(vma, vmf);
25510 mutex_unlock(&rdev->vram_mutex);
25514 +static const struct vm_operations_struct radeon_ttm_vm_ops = {
25515 + .fault = radeon_ttm_fault,
25516 + .open = ttm_bo_vm_open,
25517 + .close = ttm_bo_vm_close
25520 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
25522 struct drm_file *file_priv;
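Review bot: The new static `radeon_ttm_vm_ops` initializer lists only `.fault`, `.open` and `.close`; unlike the removed runtime copy of `*ttm_vm_ops`, it will silently omit any member that TTM's own `ttm_bo_vm_ops` gains later, so the two tables now have to be kept in step by hand. A comment on the definition makes that obligation visible: `/* mirrors ttm_bo_vm_ops with .fault overridden; keep in sync with ttm_bo_vm.c */`. The `if (bo == NULL)` check in radeon_ttm_fault is only partly visible in this hunk, so I have not reviewed its new form.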
25523 @@ -635,18 +641,11 @@ int radeon_mmap(struct file *filp, struc
25525 file_priv = filp->private_data;
25526 rdev = file_priv->minor->dev->dev_private;
25527 - if (rdev == NULL) {
25531 r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
25532 - if (unlikely(r != 0)) {
25536 - if (unlikely(ttm_vm_ops == NULL)) {
25537 - ttm_vm_ops = vma->vm_ops;
25538 - radeon_ttm_vm_ops = *ttm_vm_ops;
25539 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
25541 vma->vm_ops = &radeon_ttm_vm_ops;
25544 diff -urNp linux-2.6.38.4/drivers/gpu/drm/radeon/rs690.c linux-2.6.38.4/drivers/gpu/drm/radeon/rs690.c
25545 --- linux-2.6.38.4/drivers/gpu/drm/radeon/rs690.c 2011-03-14 21:20:32.000000000 -0400
25546 +++ linux-2.6.38.4/drivers/gpu/drm/radeon/rs690.c 2011-04-17 15:57:32.000000000 -0400
25547 @@ -304,9 +304,11 @@ void rs690_crtc_bandwidth_compute(struct
25548 if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full &&
25549 rdev->pm.sideport_bandwidth.full)
25550 rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth;
25551 - read_delay_latency.full = dfixed_const(370 * 800 * 1000);
25552 + read_delay_latency.full = dfixed_const(800 * 1000);
25553 read_delay_latency.full = dfixed_div(read_delay_latency,
25554 rdev->pm.igp_sideport_mclk);
25555 + a.full = dfixed_const(370);
25556 + read_delay_latency.full = dfixed_mul(read_delay_latency, a);
25558 if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
25559 rdev->pm.k8_bandwidth.full)
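Review bot: `dfixed_const(800 * 1000)` still overflows: if `dfixed_const()` is the plain `(u32)((A) << 12)` from drm_fixed.h, the shift is performed on a signed `int`, and 800000 << 12 = 3,276,800,000 exceeds INT_MAX, which is undefined behaviour even though the bit pattern produced in practice is the intended one. Splitting the 370 factor out is the right direction, since the old 370 * 800 * 1000 form overflowed by a far larger margin; making the constant unsigned finishes the job: `read_delay_latency.full = dfixed_const(800U * 1000);`. The enclosing function continues outside the hunk.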
25560 diff -urNp linux-2.6.38.4/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.38.4/drivers/gpu/drm/ttm/ttm_bo.c
25561 --- linux-2.6.38.4/drivers/gpu/drm/ttm/ttm_bo.c 2011-03-14 21:20:32.000000000 -0400
25562 +++ linux-2.6.38.4/drivers/gpu/drm/ttm/ttm_bo.c 2011-04-17 15:57:32.000000000 -0400
25564 #include <asm/atomic.h>
25566 #define TTM_ASSERT_LOCKED(param)
25567 -#define TTM_DEBUG(fmt, arg...)
25568 +#define TTM_DEBUG(fmt, arg...) do {} while (0)
25569 #define TTM_BO_HASH_ORDER 13
25571 static int ttm_bo_setup_vm(struct ttm_buffer_object *bo);
25572 diff -urNp linux-2.6.38.4/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.38.4/drivers/gpu/drm/ttm/ttm_bo_vm.c
25573 --- linux-2.6.38.4/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-03-14 21:20:32.000000000 -0400
25574 +++ linux-2.6.38.4/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-04-17 15:57:32.000000000 -0400
25575 @@ -69,11 +69,11 @@ static struct ttm_buffer_object *ttm_bo_
25579 -static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
25580 +int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
25582 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
25583 vma->vm_private_data;
25584 - struct ttm_bo_device *bdev = bo->bdev;
25585 + struct ttm_bo_device *bdev;
25586 unsigned long page_offset;
25587 unsigned long page_last;
25589 @@ -83,8 +83,12 @@ static int ttm_bo_vm_fault(struct vm_are
25591 unsigned long address = (unsigned long)vmf->virtual_address;
25592 int retval = VM_FAULT_NOPAGE;
25593 - struct ttm_mem_type_manager *man =
25594 - &bdev->man[bo->mem.mem_type];
25595 + struct ttm_mem_type_manager *man;
25598 + return VM_FAULT_NOPAGE;
25600 + man = &bdev->man[bo->mem.mem_type];
25603 * Work around locking order reversal in fault / nopfn
25604 @@ -219,22 +223,25 @@ out_unlock:
25605 ttm_bo_unreserve(bo);
25608 +EXPORT_SYMBOL(ttm_bo_vm_fault);
25610 -static void ttm_bo_vm_open(struct vm_area_struct *vma)
25611 +void ttm_bo_vm_open(struct vm_area_struct *vma)
25613 struct ttm_buffer_object *bo =
25614 (struct ttm_buffer_object *)vma->vm_private_data;
25616 (void)ttm_bo_reference(bo);
25618 +EXPORT_SYMBOL(ttm_bo_vm_open);
25620 -static void ttm_bo_vm_close(struct vm_area_struct *vma)
25621 +void ttm_bo_vm_close(struct vm_area_struct *vma)
25623 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)vma->vm_private_data;
25626 vma->vm_private_data = NULL;
25628 +EXPORT_SYMBOL(ttm_bo_vm_close);
25630 static const struct vm_operations_struct ttm_bo_vm_ops = {
25631 .fault = ttm_bo_vm_fault,
25632 diff -urNp linux-2.6.38.4/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c linux-2.6.38.4/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
25633 --- linux-2.6.38.4/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-03-14 21:20:32.000000000 -0400
25634 +++ linux-2.6.38.4/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-04-17 15:57:32.000000000 -0400
25635 @@ -534,7 +534,7 @@ static int vmw_fifo_vm_fault(struct vm_a
25636 return VM_FAULT_SIGBUS;
25639 -static struct vm_operations_struct vmw_fifo_vm_ops = {
25640 +static const struct vm_operations_struct vmw_fifo_vm_ops = {
25641 .fault = vmw_fifo_vm_fault,
25644 diff -urNp linux-2.6.38.4/drivers/hid/usbhid/hiddev.c linux-2.6.38.4/drivers/hid/usbhid/hiddev.c
25645 --- linux-2.6.38.4/drivers/hid/usbhid/hiddev.c 2011-03-14 21:20:32.000000000 -0400
25646 +++ linux-2.6.38.4/drivers/hid/usbhid/hiddev.c 2011-04-17 15:57:32.000000000 -0400
25647 @@ -613,7 +613,7 @@ static long hiddev_ioctl(struct file *fi
25650 case HIDIOCAPPLICATION:
25651 - if (arg < 0 || arg >= hid->maxapplication)
25652 + if (arg >= hid->maxapplication)
25655 for (i = 0; i < hid->maxcollection; i++)
25656 diff -urNp linux-2.6.38.4/drivers/hwmon/k8temp.c linux-2.6.38.4/drivers/hwmon/k8temp.c
25657 --- linux-2.6.38.4/drivers/hwmon/k8temp.c 2011-03-14 21:20:32.000000000 -0400
25658 +++ linux-2.6.38.4/drivers/hwmon/k8temp.c 2011-04-17 15:57:32.000000000 -0400
25659 @@ -138,7 +138,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
25661 static const struct pci_device_id k8temp_ids[] = {
25662 { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
25664 + { 0, 0, 0, 0, 0, 0, 0 },
25667 MODULE_DEVICE_TABLE(pci, k8temp_ids);
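Review bot: The new terminating entry `{ 0, 0, 0, 0, 0, 0, 0 }` spells out every field of struct pci_device_id positionally, so it silently depends on that struct keeping exactly seven members in this order; the same form is used in the sis5595, via686a, vt8231, i2c-i801, i2c-piix4, i2c-sis630 and i2c-sis96x hunks, and the DMI tables use the analogous `{ NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }`. If the intent is only to avoid a missing-field-initializer warning on the sentinel, a designated initializer of one member (`{ .vendor = 0 }`) keeps the terminator independent of the struct layout. Note also that the k8temp entry ends with a comma while the sis5595 one does not; pick one form across the series.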
25668 diff -urNp linux-2.6.38.4/drivers/hwmon/sis5595.c linux-2.6.38.4/drivers/hwmon/sis5595.c
25669 --- linux-2.6.38.4/drivers/hwmon/sis5595.c 2011-03-14 21:20:32.000000000 -0400
25670 +++ linux-2.6.38.4/drivers/hwmon/sis5595.c 2011-04-17 15:57:32.000000000 -0400
25671 @@ -701,7 +701,7 @@ static struct sis5595_data *sis5595_upda
25673 static const struct pci_device_id sis5595_pci_ids[] = {
25674 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
25676 + { 0, 0, 0, 0, 0, 0, 0 }
25679 MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
25680 diff -urNp linux-2.6.38.4/drivers/hwmon/via686a.c linux-2.6.38.4/drivers/hwmon/via686a.c
25681 --- linux-2.6.38.4/drivers/hwmon/via686a.c 2011-03-14 21:20:32.000000000 -0400
25682 +++ linux-2.6.38.4/drivers/hwmon/via686a.c 2011-04-17 15:57:32.000000000 -0400
25683 @@ -779,7 +779,7 @@ static struct via686a_data *via686a_upda
25685 static const struct pci_device_id via686a_pci_ids[] = {
25686 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
25688 + { 0, 0, 0, 0, 0, 0, 0 }
25691 MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
25692 diff -urNp linux-2.6.38.4/drivers/hwmon/vt8231.c linux-2.6.38.4/drivers/hwmon/vt8231.c
25693 --- linux-2.6.38.4/drivers/hwmon/vt8231.c 2011-03-14 21:20:32.000000000 -0400
25694 +++ linux-2.6.38.4/drivers/hwmon/vt8231.c 2011-04-17 15:57:32.000000000 -0400
25695 @@ -701,7 +701,7 @@ static struct platform_driver vt8231_dri
25697 static const struct pci_device_id vt8231_pci_ids[] = {
25698 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
25700 + { 0, 0, 0, 0, 0, 0, 0 }
25703 MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
25704 diff -urNp linux-2.6.38.4/drivers/hwmon/w83791d.c linux-2.6.38.4/drivers/hwmon/w83791d.c
25705 --- linux-2.6.38.4/drivers/hwmon/w83791d.c 2011-03-14 21:20:32.000000000 -0400
25706 +++ linux-2.6.38.4/drivers/hwmon/w83791d.c 2011-04-17 15:57:32.000000000 -0400
25707 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
25708 struct i2c_board_info *info);
25709 static int w83791d_remove(struct i2c_client *client);
25711 -static int w83791d_read(struct i2c_client *client, u8 register);
25712 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
25713 +static int w83791d_read(struct i2c_client *client, u8 reg);
25714 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
25715 static struct w83791d_data *w83791d_update_device(struct device *dev);
25718 diff -urNp linux-2.6.38.4/drivers/i2c/busses/i2c-i801.c linux-2.6.38.4/drivers/i2c/busses/i2c-i801.c
25719 --- linux-2.6.38.4/drivers/i2c/busses/i2c-i801.c 2011-03-14 21:20:32.000000000 -0400
25720 +++ linux-2.6.38.4/drivers/i2c/busses/i2c-i801.c 2011-04-17 15:57:32.000000000 -0400
25721 @@ -621,7 +621,7 @@ static const struct pci_device_id i801_i
25722 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PATSBURG_SMBUS_IDF0) },
25723 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PATSBURG_SMBUS_IDF1) },
25724 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PATSBURG_SMBUS_IDF2) },
25726 + { 0, 0, 0, 0, 0, 0, 0 }
25729 MODULE_DEVICE_TABLE(pci, i801_ids);
25730 diff -urNp linux-2.6.38.4/drivers/i2c/busses/i2c-piix4.c linux-2.6.38.4/drivers/i2c/busses/i2c-piix4.c
25731 --- linux-2.6.38.4/drivers/i2c/busses/i2c-piix4.c 2011-03-14 21:20:32.000000000 -0400
25732 +++ linux-2.6.38.4/drivers/i2c/busses/i2c-piix4.c 2011-04-17 15:57:32.000000000 -0400
25733 @@ -124,7 +124,7 @@ static struct dmi_system_id __devinitdat
25735 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
25738 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25741 static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
25742 @@ -491,7 +491,7 @@ static const struct pci_device_id piix4_
25743 PCI_DEVICE_ID_SERVERWORKS_HT1000SB) },
25744 { PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
25745 PCI_DEVICE_ID_SERVERWORKS_HT1100LD) },
25747 + { 0, 0, 0, 0, 0, 0, 0 }
25750 MODULE_DEVICE_TABLE (pci, piix4_ids);
25751 diff -urNp linux-2.6.38.4/drivers/i2c/busses/i2c-sis630.c linux-2.6.38.4/drivers/i2c/busses/i2c-sis630.c
25752 --- linux-2.6.38.4/drivers/i2c/busses/i2c-sis630.c 2011-03-14 21:20:32.000000000 -0400
25753 +++ linux-2.6.38.4/drivers/i2c/busses/i2c-sis630.c 2011-04-17 15:57:32.000000000 -0400
25754 @@ -471,7 +471,7 @@ static struct i2c_adapter sis630_adapter
25755 static const struct pci_device_id sis630_ids[] __devinitconst = {
25756 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
25757 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
25759 + { 0, 0, 0, 0, 0, 0, 0 }
25762 MODULE_DEVICE_TABLE (pci, sis630_ids);
25763 diff -urNp linux-2.6.38.4/drivers/i2c/busses/i2c-sis96x.c linux-2.6.38.4/drivers/i2c/busses/i2c-sis96x.c
25764 --- linux-2.6.38.4/drivers/i2c/busses/i2c-sis96x.c 2011-03-14 21:20:32.000000000 -0400
25765 +++ linux-2.6.38.4/drivers/i2c/busses/i2c-sis96x.c 2011-04-17 15:57:32.000000000 -0400
25766 @@ -247,7 +247,7 @@ static struct i2c_adapter sis96x_adapter
25768 static const struct pci_device_id sis96x_ids[] = {
25769 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
25771 + { 0, 0, 0, 0, 0, 0, 0 }
25774 MODULE_DEVICE_TABLE (pci, sis96x_ids);
25775 diff -urNp linux-2.6.38.4/drivers/ide/ide-cd.c linux-2.6.38.4/drivers/ide/ide-cd.c
25776 --- linux-2.6.38.4/drivers/ide/ide-cd.c 2011-03-14 21:20:32.000000000 -0400
25777 +++ linux-2.6.38.4/drivers/ide/ide-cd.c 2011-04-17 15:57:32.000000000 -0400
25778 @@ -776,7 +776,7 @@ static void cdrom_do_block_pc(ide_drive_
25779 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
25780 if ((unsigned long)buf & alignment
25781 || blk_rq_bytes(rq) & q->dma_pad_mask
25782 - || object_is_on_stack(buf))
25783 + || object_starts_on_stack(buf))
25787 diff -urNp linux-2.6.38.4/drivers/infiniband/core/cm.c linux-2.6.38.4/drivers/infiniband/core/cm.c
25788 --- linux-2.6.38.4/drivers/infiniband/core/cm.c 2011-04-18 17:27:14.000000000 -0400
25789 +++ linux-2.6.38.4/drivers/infiniband/core/cm.c 2011-04-17 15:57:32.000000000 -0400
25790 @@ -113,7 +113,7 @@ static char const counter_group_names[CM
25792 struct cm_counter_group {
25793 struct kobject obj;
25794 - atomic_long_t counter[CM_ATTR_COUNT];
25795 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
25798 struct cm_counter_attribute {
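Review bot: Switching `counter[CM_ATTR_COUNT]` to atomic_long_unchecked_t opts these fields out of the overflow detection the checked atomics provide, and nothing in the struct says why that is acceptable. Since the visible users only increment, add to and read them for sysfs output in cm_show_counter, they are statistics rather than reference counts, so a comment on the member such as `/* statistics only, not refcounts: wrap-around is harmless, hence the unchecked atomic */` records the reasoning behind the many call-site conversions that follow. The same justification is needed for sync_io in md.c and md.h further down, where the `_unchecked` variants are likewise used on an I/O accounting counter.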
25799 @@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
25800 struct ib_mad_send_buf *msg = NULL;
25803 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25804 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25805 counter[CM_REQ_COUNTER]);
25807 /* Quick state check to discard duplicate REQs. */
25808 @@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
25812 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25813 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25814 counter[CM_REP_COUNTER]);
25815 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
25817 @@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
25818 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
25819 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
25820 spin_unlock_irq(&cm_id_priv->lock);
25821 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25822 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25823 counter[CM_RTU_COUNTER]);
25826 @@ -2111,7 +2111,7 @@ static int cm_dreq_handler(struct cm_wor
25827 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
25828 dreq_msg->local_comm_id);
25830 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25831 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25832 counter[CM_DREQ_COUNTER]);
25833 cm_issue_drep(work->port, work->mad_recv_wc);
25835 @@ -2132,7 +2132,7 @@ static int cm_dreq_handler(struct cm_wor
25836 case IB_CM_MRA_REP_RCVD:
25838 case IB_CM_TIMEWAIT:
25839 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25840 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25841 counter[CM_DREQ_COUNTER]);
25842 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25844 @@ -2146,7 +2146,7 @@ static int cm_dreq_handler(struct cm_wor
25847 case IB_CM_DREQ_RCVD:
25848 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25849 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25850 counter[CM_DREQ_COUNTER]);
25853 @@ -2504,7 +2504,7 @@ static int cm_mra_handler(struct cm_work
25854 ib_modify_mad(cm_id_priv->av.port->mad_agent,
25855 cm_id_priv->msg, timeout)) {
25856 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
25857 - atomic_long_inc(&work->port->
25858 + atomic_long_inc_unchecked(&work->port->
25859 counter_group[CM_RECV_DUPLICATES].
25860 counter[CM_MRA_COUNTER]);
25862 @@ -2513,7 +2513,7 @@ static int cm_mra_handler(struct cm_work
25864 case IB_CM_MRA_REQ_RCVD:
25865 case IB_CM_MRA_REP_RCVD:
25866 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25867 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25868 counter[CM_MRA_COUNTER]);
25871 @@ -2675,7 +2675,7 @@ static int cm_lap_handler(struct cm_work
25872 case IB_CM_LAP_IDLE:
25874 case IB_CM_MRA_LAP_SENT:
25875 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25876 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25877 counter[CM_LAP_COUNTER]);
25878 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25880 @@ -2691,7 +2691,7 @@ static int cm_lap_handler(struct cm_work
25883 case IB_CM_LAP_RCVD:
25884 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25885 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25886 counter[CM_LAP_COUNTER]);
25889 @@ -2975,7 +2975,7 @@ static int cm_sidr_req_handler(struct cm
25890 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
25891 if (cur_cm_id_priv) {
25892 spin_unlock_irq(&cm.lock);
25893 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25894 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25895 counter[CM_SIDR_REQ_COUNTER]);
25896 goto out; /* Duplicate message. */
25898 @@ -3187,10 +3187,10 @@ static void cm_send_handler(struct ib_ma
25899 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
25902 - atomic_long_add(1 + msg->retries,
25903 + atomic_long_add_unchecked(1 + msg->retries,
25904 &port->counter_group[CM_XMIT].counter[attr_index]);
25906 - atomic_long_add(msg->retries,
25907 + atomic_long_add_unchecked(msg->retries,
25908 &port->counter_group[CM_XMIT_RETRIES].
25909 counter[attr_index]);
25911 @@ -3400,7 +3400,7 @@ static void cm_recv_handler(struct ib_ma
25914 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
25915 - atomic_long_inc(&port->counter_group[CM_RECV].
25916 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
25917 counter[attr_id - CM_ATTR_ID_OFFSET]);
25919 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
25920 @@ -3598,7 +3598,7 @@ static ssize_t cm_show_counter(struct ko
25921 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
25923 return sprintf(buf, "%ld\n",
25924 - atomic_long_read(&group->counter[cm_attr->index]));
25925 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
25928 static const struct sysfs_ops cm_counter_ops = {
25929 diff -urNp linux-2.6.38.4/drivers/infiniband/hw/qib/qib.h linux-2.6.38.4/drivers/infiniband/hw/qib/qib.h
25930 --- linux-2.6.38.4/drivers/infiniband/hw/qib/qib.h 2011-03-14 21:20:32.000000000 -0400
25931 +++ linux-2.6.38.4/drivers/infiniband/hw/qib/qib.h 2011-04-17 15:57:32.000000000 -0400
25933 #include <linux/completion.h>
25934 #include <linux/kref.h>
25935 #include <linux/sched.h>
25936 +#include <linux/slab.h>
25938 #include "qib_common.h"
25939 #include "qib_verbs.h"
25940 diff -urNp linux-2.6.38.4/drivers/input/keyboard/atkbd.c linux-2.6.38.4/drivers/input/keyboard/atkbd.c
25941 --- linux-2.6.38.4/drivers/input/keyboard/atkbd.c 2011-03-14 21:20:32.000000000 -0400
25942 +++ linux-2.6.38.4/drivers/input/keyboard/atkbd.c 2011-04-17 15:57:32.000000000 -0400
25943 @@ -1250,7 +1250,7 @@ static struct serio_device_id atkbd_seri
25945 .extra = SERIO_ANY,
25951 MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
25952 diff -urNp linux-2.6.38.4/drivers/input/mouse/lifebook.c linux-2.6.38.4/drivers/input/mouse/lifebook.c
25953 --- linux-2.6.38.4/drivers/input/mouse/lifebook.c 2011-03-14 21:20:32.000000000 -0400
25954 +++ linux-2.6.38.4/drivers/input/mouse/lifebook.c 2011-04-17 15:57:32.000000000 -0400
25955 @@ -123,7 +123,7 @@ static const struct dmi_system_id __init
25956 DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
25960 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
25963 void __init lifebook_module_init(void)
25964 diff -urNp linux-2.6.38.4/drivers/input/mouse/psmouse-base.c linux-2.6.38.4/drivers/input/mouse/psmouse-base.c
25965 --- linux-2.6.38.4/drivers/input/mouse/psmouse-base.c 2011-03-14 21:20:32.000000000 -0400
25966 +++ linux-2.6.38.4/drivers/input/mouse/psmouse-base.c 2011-04-17 15:57:32.000000000 -0400
25967 @@ -1462,7 +1462,7 @@ static struct serio_device_id psmouse_se
25969 .extra = SERIO_ANY,
25975 MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
25976 diff -urNp linux-2.6.38.4/drivers/input/mouse/synaptics.c linux-2.6.38.4/drivers/input/mouse/synaptics.c
25977 --- linux-2.6.38.4/drivers/input/mouse/synaptics.c 2011-04-18 17:27:18.000000000 -0400
25978 +++ linux-2.6.38.4/drivers/input/mouse/synaptics.c 2011-04-17 16:53:16.000000000 -0400
25979 @@ -559,7 +559,7 @@ static void synaptics_process_packet(str
25982 if (SYN_MODEL_PEN(priv->model_id))
25983 - ; /* Nothing, treat a pen as a single finger */
25984 + break; /* Nothing, treat a pen as a single finger */
25987 if (SYN_CAP_PALMDETECT(priv->capabilities))
25988 @@ -825,7 +825,6 @@ static const struct dmi_system_id __init
25989 DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
25990 DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
25995 /* Toshiba Portege M300 */
25996 @@ -834,10 +833,9 @@ static const struct dmi_system_id __init
25997 DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
25998 DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
26002 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26007 static bool broken_olpc_ec;
26008 diff -urNp linux-2.6.38.4/drivers/input/mousedev.c linux-2.6.38.4/drivers/input/mousedev.c
26009 --- linux-2.6.38.4/drivers/input/mousedev.c 2011-03-14 21:20:32.000000000 -0400
26010 +++ linux-2.6.38.4/drivers/input/mousedev.c 2011-04-17 15:57:32.000000000 -0400
26011 @@ -764,7 +764,7 @@ static ssize_t mousedev_read(struct file
26013 spin_unlock_irq(&client->packet_lock);
26015 - if (copy_to_user(buffer, data, count))
26016 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
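Review bot: The new `count > sizeof(data)` guard sits after packet_lock has already been dropped, so if an oversized count could reach this point the bytes would already have been consumed from the client's pending packet under the lock before the read is rejected; any clamp of count to the pending packet length is above this hunk and not visible here. If count is indeed bounded earlier, the guard is cheap defence in depth but deserves a comment such as `/* count is clamped to the packet above; protect the stack buffer anyway */`, and a WARN_ON_ONCE would make an unexpected violation visible instead of reporting it with the same error as a failed copy_to_user. mousedev_read starts and ends outside the hunk.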
26020 @@ -1067,7 +1067,7 @@ static struct input_handler mousedev_han
26022 #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
26023 static struct miscdevice psaux_mouse = {
26024 - PSMOUSE_MINOR, "psaux", &mousedev_fops
26025 + PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
26027 static int psaux_registered;
26029 diff -urNp linux-2.6.38.4/drivers/input/serio/i8042-x86ia64io.h linux-2.6.38.4/drivers/input/serio/i8042-x86ia64io.h
26030 --- linux-2.6.38.4/drivers/input/serio/i8042-x86ia64io.h 2011-03-14 21:20:32.000000000 -0400
26031 +++ linux-2.6.38.4/drivers/input/serio/i8042-x86ia64io.h 2011-04-17 15:57:32.000000000 -0400
26032 @@ -183,7 +183,7 @@ static const struct dmi_system_id __init
26033 DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
26037 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26041 @@ -431,7 +431,7 @@ static const struct dmi_system_id __init
26042 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro V13"),
26046 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26049 static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
26050 @@ -505,7 +505,7 @@ static const struct dmi_system_id __init
26051 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1720"),
26055 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26059 @@ -524,7 +524,7 @@ static const struct dmi_system_id __init
26060 DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
26064 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26067 static const struct dmi_system_id __initconst i8042_dmi_laptop_table[] = {
26068 @@ -548,7 +548,7 @@ static const struct dmi_system_id __init
26069 DMI_MATCH(DMI_CHASSIS_TYPE, "14"), /* Sub-Notebook */
26073 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26077 @@ -640,7 +640,7 @@ static const struct dmi_system_id __init
26078 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"),
26082 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26085 #endif /* CONFIG_X86 */
26086 diff -urNp linux-2.6.38.4/drivers/input/serio/serio_raw.c linux-2.6.38.4/drivers/input/serio/serio_raw.c
26087 --- linux-2.6.38.4/drivers/input/serio/serio_raw.c 2011-03-14 21:20:32.000000000 -0400
26088 +++ linux-2.6.38.4/drivers/input/serio/serio_raw.c 2011-04-17 15:57:32.000000000 -0400
26089 @@ -376,7 +376,7 @@ static struct serio_device_id serio_raw_
26091 .extra = SERIO_ANY,
26097 MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
26098 diff -urNp linux-2.6.38.4/drivers/isdn/gigaset/common.c linux-2.6.38.4/drivers/isdn/gigaset/common.c
26099 --- linux-2.6.38.4/drivers/isdn/gigaset/common.c 2011-03-14 21:20:32.000000000 -0400
26100 +++ linux-2.6.38.4/drivers/isdn/gigaset/common.c 2011-04-17 15:57:32.000000000 -0400
26101 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
26102 cs->commands_pending = 0;
26103 cs->cur_at_seq = 0;
26105 - cs->open_count = 0;
26106 + local_set(&cs->open_count, 0);
26109 cs->tty_dev = NULL;
26110 diff -urNp linux-2.6.38.4/drivers/isdn/gigaset/gigaset.h linux-2.6.38.4/drivers/isdn/gigaset/gigaset.h
26111 --- linux-2.6.38.4/drivers/isdn/gigaset/gigaset.h 2011-03-14 21:20:32.000000000 -0400
26112 +++ linux-2.6.38.4/drivers/isdn/gigaset/gigaset.h 2011-04-17 15:57:32.000000000 -0400
26114 #include <linux/tty_driver.h>
26115 #include <linux/list.h>
26116 #include <asm/atomic.h>
26117 +#include <asm/local.h>
26119 #define GIG_VERSION {0, 5, 0, 0}
26120 #define GIG_COMPAT {0, 4, 0, 0}
26121 @@ -433,7 +434,7 @@ struct cardstate {
26122 spinlock_t cmdlock;
26123 unsigned curlen, cmdbytes;
26125 - unsigned open_count;
26126 + local_t open_count;
26127 struct tty_struct *tty;
26128 struct tasklet_struct if_wake_tasklet;
26129 unsigned control_state;
26130 diff -urNp linux-2.6.38.4/drivers/isdn/gigaset/interface.c linux-2.6.38.4/drivers/isdn/gigaset/interface.c
26131 --- linux-2.6.38.4/drivers/isdn/gigaset/interface.c 2011-03-14 21:20:32.000000000 -0400
26132 +++ linux-2.6.38.4/drivers/isdn/gigaset/interface.c 2011-04-17 15:57:32.000000000 -0400
26133 @@ -160,9 +160,7 @@ static int if_open(struct tty_struct *tt
26134 return -ERESTARTSYS;
26135 tty->driver_data = cs;
26137 - ++cs->open_count;
26139 - if (cs->open_count == 1) {
26140 + if (local_inc_return(&cs->open_count) == 1) {
26141 spin_lock_irqsave(&cs->lock, flags);
26143 spin_unlock_irqrestore(&cs->lock, flags);
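Review bot: `local_inc_return(&cs->open_count)` gives atomicity only against code running on the same CPU; local_t is meant for per-CPU counters, not for a field that tty open and close callers on different CPUs share. The `return -ERESTARTSYS` just above suggests these paths are already serialised by an interruptible lock, in which case the plain counter was safe and local_t adds nothing; if they are not serialised, atomic_t (atomic_inc_return, atomic_dec_return, atomic_read) is the primitive that actually closes the race. The same substitution is made in if_close, if_ioctl, if_write, if_write_room, if_chars_in_buffer, if_throttle, if_unthrottle and if_set_termios below, and in common.c and gigaset.h. if_open starts outside the hunk.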
26144 @@ -190,10 +188,10 @@ static void if_close(struct tty_struct *
26146 if (!cs->connected)
26147 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
26148 - else if (!cs->open_count)
26149 + else if (!local_read(&cs->open_count))
26150 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26152 - if (!--cs->open_count) {
26153 + if (!local_dec_return(&cs->open_count)) {
26154 spin_lock_irqsave(&cs->lock, flags);
26156 spin_unlock_irqrestore(&cs->lock, flags);
26157 @@ -228,7 +226,7 @@ static int if_ioctl(struct tty_struct *t
26158 if (!cs->connected) {
26159 gig_dbg(DEBUG_IF, "not connected");
26161 - } else if (!cs->open_count)
26162 + } else if (!local_read(&cs->open_count))
26163 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26166 @@ -358,7 +356,7 @@ static int if_write(struct tty_struct *t
26170 - if (!cs->open_count) {
26171 + if (!local_read(&cs->open_count)) {
26172 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26175 @@ -411,7 +409,7 @@ static int if_write_room(struct tty_stru
26176 if (!cs->connected) {
26177 gig_dbg(DEBUG_IF, "not connected");
26179 - } else if (!cs->open_count)
26180 + } else if (!local_read(&cs->open_count))
26181 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26182 else if (cs->mstate != MS_LOCKED) {
26183 dev_warn(cs->dev, "can't write to unlocked device\n");
26184 @@ -441,7 +439,7 @@ static int if_chars_in_buffer(struct tty
26186 if (!cs->connected)
26187 gig_dbg(DEBUG_IF, "not connected");
26188 - else if (!cs->open_count)
26189 + else if (!local_read(&cs->open_count))
26190 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26191 else if (cs->mstate != MS_LOCKED)
26192 dev_warn(cs->dev, "can't write to unlocked device\n");
26193 @@ -469,7 +467,7 @@ static void if_throttle(struct tty_struc
26195 if (!cs->connected)
26196 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
26197 - else if (!cs->open_count)
26198 + else if (!local_read(&cs->open_count))
26199 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26201 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
26202 @@ -493,7 +491,7 @@ static void if_unthrottle(struct tty_str
26204 if (!cs->connected)
26205 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
26206 - else if (!cs->open_count)
26207 + else if (!local_read(&cs->open_count))
26208 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26210 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
26211 @@ -524,7 +522,7 @@ static void if_set_termios(struct tty_st
26215 - if (!cs->open_count) {
26216 + if (!local_read(&cs->open_count)) {
26217 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26220 diff -urNp linux-2.6.38.4/drivers/isdn/hardware/avm/b1.c linux-2.6.38.4/drivers/isdn/hardware/avm/b1.c
26221 --- linux-2.6.38.4/drivers/isdn/hardware/avm/b1.c 2011-03-14 21:20:32.000000000 -0400
26222 +++ linux-2.6.38.4/drivers/isdn/hardware/avm/b1.c 2011-04-17 15:57:32.000000000 -0400
26223 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
26226 if (t4file->user) {
26227 - if (copy_from_user(buf, dp, left))
26228 + if (left > sizeof buf || copy_from_user(buf, dp, left))
26231 memcpy(buf, dp, left);
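Review bot: The added `left > sizeof buf` test reports an oversized remainder with the same error as a faulting copy_from_user, which hides a size or logic error behind what looks like a bad user pointer; the same applies to the b1_load_config hunk below and to icn_writecmd in icn.c. If the loop preceding this tail copy already drains everything above sizeof buf, the guard is defence in depth and a one-line comment saying so stops a later reader from removing it; otherwise a separate check returning -EINVAL, placed before the user/kernel branch so that the visible kernel-side `memcpy(buf, dp, left)` is covered too, makes the failure mode explicit. b1_load_t4file starts and ends outside the hunk.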
26232 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
26235 if (config->user) {
26236 - if (copy_from_user(buf, dp, left))
26237 + if (left > sizeof buf || copy_from_user(buf, dp, left))
26240 memcpy(buf, dp, left);
26241 diff -urNp linux-2.6.38.4/drivers/isdn/icn/icn.c linux-2.6.38.4/drivers/isdn/icn/icn.c
26242 --- linux-2.6.38.4/drivers/isdn/icn/icn.c 2011-03-14 21:20:32.000000000 -0400
26243 +++ linux-2.6.38.4/drivers/isdn/icn/icn.c 2011-04-17 15:57:32.000000000 -0400
26244 @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
26248 - if (copy_from_user(msg, buf, count))
26249 + if (count > sizeof msg || copy_from_user(msg, buf, count))
26252 memcpy(msg, buf, count);
26253 diff -urNp linux-2.6.38.4/drivers/lguest/core.c linux-2.6.38.4/drivers/lguest/core.c
26254 --- linux-2.6.38.4/drivers/lguest/core.c 2011-03-14 21:20:32.000000000 -0400
26255 +++ linux-2.6.38.4/drivers/lguest/core.c 2011-04-17 15:57:32.000000000 -0400
26256 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
26257 * it's worked so far. The end address needs +1 because __get_vm_area
26258 * allocates an extra guard page, so we need space for that.
26261 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
26262 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
26263 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
26264 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
26266 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
26267 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
26268 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
26271 if (!switcher_vma) {
26273 printk("lguest: could not map switcher pages high\n");
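Review bot: The CONFIG_PAX_KERNEXEC branch duplicates the whole `__get_vm_area(...)` call when the only difference from the existing call is the `VM_KERNEXEC` flag, so any later change to the size or address arguments has to be made twice. Computing the flags once (with the local declared alongside the function's other locals) keeps a single call site, and a short comment on why an executable mapping is wanted, namely that the Switcher text is copied into it per the memcpy in the next hunk, documents the special case. map_switcher starts and ends outside the hunk.
```c
	unsigned long vm_flags = VM_ALLOC;
#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
	/* the Switcher text is copied into this area below, so it must be executable */
	vm_flags |= VM_KERNEXEC;
#endif
	switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
				     vm_flags, SWITCHER_ADDR, SWITCHER_ADDR
				     + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
	/* … unchanged: NULL check and error printk … */
```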
26274 @@ -119,7 +127,7 @@ static __init int map_switcher(void)
26275 * Now the Switcher is mapped at the right address, we can't fail!
26276 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
26278 - memcpy(switcher_vma->addr, start_switcher_text,
26279 + memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
26280 end_switcher_text - start_switcher_text);
26282 printk(KERN_INFO "lguest: mapped switcher at %p\n",
26283 diff -urNp linux-2.6.38.4/drivers/lguest/x86/core.c linux-2.6.38.4/drivers/lguest/x86/core.c
26284 --- linux-2.6.38.4/drivers/lguest/x86/core.c 2011-03-14 21:20:32.000000000 -0400
26285 +++ linux-2.6.38.4/drivers/lguest/x86/core.c 2011-04-17 15:57:32.000000000 -0400
26286 @@ -59,7 +59,7 @@ static struct {
26287 /* Offset from where switcher.S was compiled to where we've copied it */
26288 static unsigned long switcher_offset(void)
26290 - return SWITCHER_ADDR - (unsigned long)start_switcher_text;
26291 + return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
26294 /* This cpu's struct lguest_pages. */
26295 @@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
26296 * These copies are pretty cheap, so we do them unconditionally: */
26297 /* Save the current Host top-level page directory.
26300 +#ifdef CONFIG_PAX_PER_CPU_PGD
26301 + pages->state.host_cr3 = read_cr3();
26303 pages->state.host_cr3 = __pa(current->mm->pgd);
26307 * Set up the Guest's page tables to see this CPU's pages (and no
26308 * other CPU's pages).
26309 @@ -547,7 +553,7 @@ void __init lguest_arch_host_init(void)
26310 * compiled-in switcher code and the high-mapped copy we just made.
26312 for (i = 0; i < IDT_ENTRIES; i++)
26313 - default_idt_entries[i] += switcher_offset();
26314 + default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
26317 * Set up the Switcher's per-cpu areas.
26318 @@ -630,7 +636,7 @@ void __init lguest_arch_host_init(void)
26319 * it will be undisturbed when we switch. To change %cs and jump we
26320 * need this structure to feed to Intel's "lcall" instruction.
26322 - lguest_entry.offset = (long)switch_to_guest + switcher_offset();
26323 + lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
26324 lguest_entry.segment = LGUEST_CS;
26327 diff -urNp linux-2.6.38.4/drivers/lguest/x86/switcher_32.S linux-2.6.38.4/drivers/lguest/x86/switcher_32.S
26328 --- linux-2.6.38.4/drivers/lguest/x86/switcher_32.S 2011-03-14 21:20:32.000000000 -0400
26329 +++ linux-2.6.38.4/drivers/lguest/x86/switcher_32.S 2011-04-17 15:57:32.000000000 -0400
26331 #include <asm/page.h>
26332 #include <asm/segment.h>
26333 #include <asm/lguest.h>
26334 +#include <asm/processor-flags.h>
26336 // We mark the start of the code to copy
26337 // It's placed in .text tho it's never run here
26338 @@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
26339 // Changes type when we load it: damn Intel!
26340 // For after we switch over our page tables
26341 // That entry will be read-only: we'd crash.
26343 +#ifdef CONFIG_PAX_KERNEXEC
26345 + xor $X86_CR0_WP, %edx
26349 movl $(GDT_ENTRY_TSS*8), %edx
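Review bot: Toggling CR0.WP with `xor $X86_CR0_WP, %edx` makes every read-only kernel mapping writable until the bit is set again, so the window around the TSS descriptor fix-up should be as narrow as possible and must be closed on every path; the cr0 read and write-back instructions that bracket the xor are not shown in this view, so I cannot confirm the bit is restored immediately after the descriptor write. The second hunk below repeats the sequence with %eax for the return path, so a short comment at this first site stating that the GDT is presumably read-only under KERNEXEC and that interrupts are already disabled here (confirm) would document why the toggle is safe. switch_to_guest starts outside the hunk.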
26352 @@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
26353 // Let's clear it again for our return.
26354 // The GDT descriptor of the Host
26355 // Points to the table after two "size" bytes
26356 - movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
26357 + movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
26358 // Clear "used" from type field (byte 5, bit 2)
26359 - andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
26360 + andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
26362 +#ifdef CONFIG_PAX_KERNEXEC
26364 + xor $X86_CR0_WP, %eax
26368 // Once our page table's switched, the Guest is live!
26369 // The Host fades as we run this final step.
26370 @@ -295,13 +309,12 @@ deliver_to_host:
26371 // I consulted gcc, and it gave
26372 // These instructions, which I gladly credit:
26373 leal (%edx,%ebx,8), %eax
26374 - movzwl (%eax),%edx
26375 - movl 4(%eax), %eax
26378 + movl 4(%eax), %edx
26380 // Now the address of the handler's in %edx
26381 // We call it now: its "iret" drops us home.
26383 + ljmp $__KERNEL_CS, $1f
26386 // Every interrupt can come to us here
26387 // But we must truly tell each apart.
26388 diff -urNp linux-2.6.38.4/drivers/md/bitmap.c linux-2.6.38.4/drivers/md/bitmap.c
26389 --- linux-2.6.38.4/drivers/md/bitmap.c 2011-03-14 21:20:32.000000000 -0400
26390 +++ linux-2.6.38.4/drivers/md/bitmap.c 2011-04-17 15:57:32.000000000 -0400
26393 # define PRINTK(x...) printk(KERN_DEBUG x)
26395 -# define PRINTK(x...)
26396 +# define PRINTK(x...) do {} while (0)
26400 diff -urNp linux-2.6.38.4/drivers/md/dm-ioctl.c linux-2.6.38.4/drivers/md/dm-ioctl.c
26401 --- linux-2.6.38.4/drivers/md/dm-ioctl.c 2011-03-14 21:20:32.000000000 -0400
26402 +++ linux-2.6.38.4/drivers/md/dm-ioctl.c 2011-04-17 15:57:32.000000000 -0400
26403 @@ -1541,7 +1541,7 @@ static int validate_params(uint cmd, str
26404 cmd == DM_LIST_VERSIONS_CMD)
26407 - if ((cmd == DM_DEV_CREATE_CMD)) {
26408 + if (cmd == DM_DEV_CREATE_CMD) {
26409 if (!*param->name) {
26410 DMWARN("name not supplied when creating device");
26412 diff -urNp linux-2.6.38.4/drivers/md/dm-table.c linux-2.6.38.4/drivers/md/dm-table.c
26413 --- linux-2.6.38.4/drivers/md/dm-table.c 2011-03-14 21:20:32.000000000 -0400
26414 +++ linux-2.6.38.4/drivers/md/dm-table.c 2011-04-17 15:57:32.000000000 -0400
26415 @@ -372,7 +372,7 @@ static int device_area_is_invalid(struct
26419 - if ((start >= dev_size) || (start + len > dev_size)) {
26420 + if ((start >= dev_size) || (len > dev_size - start)) {
26421 DMWARN("%s: %s too small for target: "
26422 "start=%llu, len=%llu, dev_size=%llu",
26423 dm_device_name(ti->table->md), bdevname(bdev, b),
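Review bot: The rewritten bound `len > dev_size - start` is the right shape, since `start + len` can wrap for large sector values, but nothing on the line says so and a later reader may "simplify" it back to the additive form. A comment such as `/* compare len against the remaining space, not start + len against dev_size: the sum can wrap; start < dev_size is established by the first test */` pins the reason and the ordering dependency on the preceding `start >= dev_size` check. device_area_is_invalid starts and ends outside the hunk.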
26424 diff -urNp linux-2.6.38.4/drivers/md/md.c linux-2.6.38.4/drivers/md/md.c
26425 --- linux-2.6.38.4/drivers/md/md.c 2011-03-14 21:20:32.000000000 -0400
26426 +++ linux-2.6.38.4/drivers/md/md.c 2011-04-17 15:57:32.000000000 -0400
26427 @@ -1889,7 +1889,7 @@ static int bind_rdev_to_array(mdk_rdev_t
26429 ko = &part_to_dev(rdev->bdev->bd_part)->kobj;
26430 if (sysfs_create_link(&rdev->kobj, ko, "block"))
26431 - /* failure here is OK */;
26432 + /* failure here is OK */{}
26433 rdev->sysfs_state = sysfs_get_dirent_safe(rdev->kobj.sd, "state");
26435 list_add_rcu(&rdev->same_set, &mddev->disks);
26436 @@ -2499,7 +2499,7 @@ slot_store(mdk_rdev_t *rdev, const char
26437 sysfs_notify_dirent_safe(rdev->sysfs_state);
26438 sprintf(nm, "rd%d", rdev->raid_disk);
26439 if (sysfs_create_link(&rdev->mddev->kobj, &rdev->kobj, nm))
26440 - /* failure here is OK */;
26441 + /* failure here is OK */{}
26442 /* don't wakeup anyone, leave that to userspace. */
26444 if (slot >= rdev->mddev->raid_disks &&
26445 @@ -4594,7 +4594,7 @@ int md_run(mddev_t *mddev)
26447 sprintf(nm, "rd%d", rdev->raid_disk);
26448 if (sysfs_create_link(&mddev->kobj, &rdev->kobj, nm))
26449 - /* failure here is OK */;
26450 + /* failure here is OK */{}
26453 set_bit(MD_RECOVERY_NEEDED, &mddev->recovery);
26454 @@ -6462,7 +6462,7 @@ static int md_seq_show(struct seq_file *
26455 chunk_kb ? "KB" : "B");
26456 if (bitmap->file) {
26457 seq_printf(seq, ", file: ");
26458 - seq_path(seq, &bitmap->file->f_path, " \t\n");
26459 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
26462 seq_printf(seq, "\n");
26463 @@ -6556,7 +6556,7 @@ static int is_mddev_idle(mddev_t *mddev,
26464 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
26465 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
26466 (int)part_stat_read(&disk->part0, sectors[1]) -
26467 - atomic_read(&disk->sync_io);
26468 + atomic_read_unchecked(&disk->sync_io);
26469 /* sync IO will cause sync_io to increase before the disk_stats
26470 * as sync_io is counted when a request starts, and
26471 * disk_stats is counted when it completes.
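Review bot: The switch to `atomic_read_unchecked(&disk->sync_io)` on the last changed line only compiles if `sync_io` in `struct gendisk` is given the matching unchecked type, and that declaration lives in a header not shown in this chunk; the paired writer `md_sync_acct` in drivers/md/md.h (the hunk below) makes the same switch, so all three changes have to land together. The reason this counter may opt out of overflow checking is that it is a traffic statistic consumed by subtraction, not a reference count, and that is worth recording where the type changes: `/* sync_io is an I/O statistic, not a refcount: wraparound is harmless */`. The `(int)` casts on the surrounding lines already make the arithmetic intentionally modular, which is consistent with that. is_mddev_idle continues outside the hunk.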
26472 @@ -7070,7 +7070,7 @@ static int remove_and_add_spares(mddev_t
26473 sprintf(nm, "rd%d", rdev->raid_disk);
26474 if (sysfs_create_link(&mddev->kobj,
26476 - /* failure here is OK */;
26477 + /* failure here is OK */{}
26479 md_new_event(mddev);
26480 set_bit(MD_CHANGE_DEVS, &mddev->flags);
26481 diff -urNp linux-2.6.38.4/drivers/md/md.h linux-2.6.38.4/drivers/md/md.h
26482 --- linux-2.6.38.4/drivers/md/md.h 2011-03-14 21:20:32.000000000 -0400
26483 +++ linux-2.6.38.4/drivers/md/md.h 2011-04-17 15:57:32.000000000 -0400
26484 @@ -360,7 +360,7 @@ static inline void rdev_dec_pending(mdk_
26486 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
26488 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
26489 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
26492 struct mdk_personality
26493 diff -urNp linux-2.6.38.4/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.38.4/drivers/media/dvb/dvb-core/dvbdev.c
26494 --- linux-2.6.38.4/drivers/media/dvb/dvb-core/dvbdev.c 2011-03-14 21:20:32.000000000 -0400
26495 +++ linux-2.6.38.4/drivers/media/dvb/dvb-core/dvbdev.c 2011-04-17 15:57:32.000000000 -0400
26496 @@ -192,7 +192,7 @@ int dvb_register_device(struct dvb_adapt
26497 const struct dvb_device *template, void *priv, int type)
26499 struct dvb_device *dvbdev;
26500 - struct file_operations *dvbdevfops;
26501 + struct file_operations *dvbdevfops; /* cannot be const, see this function */
26502 struct device *clsdev;
26505 diff -urNp linux-2.6.38.4/drivers/media/radio/radio-cadet.c linux-2.6.38.4/drivers/media/radio/radio-cadet.c
26506 --- linux-2.6.38.4/drivers/media/radio/radio-cadet.c 2011-03-14 21:20:32.000000000 -0400
26507 +++ linux-2.6.38.4/drivers/media/radio/radio-cadet.c 2011-04-17 15:57:32.000000000 -0400
26508 @@ -349,7 +349,7 @@ static ssize_t cadet_read(struct file *f
26509 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
26510 mutex_unlock(&dev->lock);
26512 - if (copy_to_user(data, readbuf, i))
26513 + if (i > sizeof readbuf || copy_to_user(data, readbuf, i))
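Review bot: The new `i > sizeof readbuf` test on the last line runs after the loop on the first line has already stored through `readbuf[i++]`, so if `i` could ever exceed the buffer the stack write would have happened before this check fires; the bound that actually protects the buffer is the loop condition, which lies outside the hunk. If the check exists only so the length handed to `copy_to_user` is provably bounded for the size checker, say so: `/* redundant with the loop bound; keeps the copy size checkable */`. If it is meant as the real bound, it belongs on the loop instead. cadet_read begins and ends outside the hunk.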
26517 diff -urNp linux-2.6.38.4/drivers/media/rc/ir-lirc-codec.c linux-2.6.38.4/drivers/media/rc/ir-lirc-codec.c
26518 --- linux-2.6.38.4/drivers/media/rc/ir-lirc-codec.c 2011-03-14 21:20:32.000000000 -0400
26519 +++ linux-2.6.38.4/drivers/media/rc/ir-lirc-codec.c 2011-04-17 15:57:32.000000000 -0400
26520 @@ -277,7 +277,7 @@ static void ir_lirc_close(void *data)
26524 -static struct file_operations lirc_fops = {
26525 +static const struct file_operations lirc_fops = {
26526 .owner = THIS_MODULE,
26527 .write = ir_lirc_transmit_ir,
26528 .unlocked_ioctl = ir_lirc_ioctl,
26529 diff -urNp linux-2.6.38.4/drivers/media/rc/lirc_dev.c linux-2.6.38.4/drivers/media/rc/lirc_dev.c
26530 --- linux-2.6.38.4/drivers/media/rc/lirc_dev.c 2011-03-14 21:20:32.000000000 -0400
26531 +++ linux-2.6.38.4/drivers/media/rc/lirc_dev.c 2011-04-17 15:57:32.000000000 -0400
26532 @@ -151,7 +151,7 @@ static int lirc_thread(void *irctl)
26536 -static struct file_operations lirc_dev_fops = {
26537 +static const struct file_operations lirc_dev_fops = {
26538 .owner = THIS_MODULE,
26539 .read = lirc_dev_fop_read,
26540 .write = lirc_dev_fop_write,
26541 diff -urNp linux-2.6.38.4/drivers/message/fusion/mptbase.c linux-2.6.38.4/drivers/message/fusion/mptbase.c
26542 --- linux-2.6.38.4/drivers/message/fusion/mptbase.c 2011-03-14 21:20:32.000000000 -0400
26543 +++ linux-2.6.38.4/drivers/message/fusion/mptbase.c 2011-04-17 15:57:32.000000000 -0400
26544 @@ -6683,8 +6683,13 @@ static int mpt_iocinfo_proc_show(struct
26545 seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
26546 seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
26548 +#ifdef CONFIG_GRKERNSEC_HIDESYM
26549 + seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
26551 seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
26552 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
26556 * Rounding UP to nearest 4-kB boundary here...
26558 diff -urNp linux-2.6.38.4/drivers/message/fusion/mptdebug.h linux-2.6.38.4/drivers/message/fusion/mptdebug.h
26559 --- linux-2.6.38.4/drivers/message/fusion/mptdebug.h 2011-03-14 21:20:32.000000000 -0400
26560 +++ linux-2.6.38.4/drivers/message/fusion/mptdebug.h 2011-04-17 15:57:32.000000000 -0400
26565 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
26566 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
26570 diff -urNp linux-2.6.38.4/drivers/message/fusion/mptsas.c linux-2.6.38.4/drivers/message/fusion/mptsas.c
26571 --- linux-2.6.38.4/drivers/message/fusion/mptsas.c 2011-03-14 21:20:32.000000000 -0400
26572 +++ linux-2.6.38.4/drivers/message/fusion/mptsas.c 2011-04-17 15:57:32.000000000 -0400
26573 @@ -439,6 +439,23 @@ mptsas_is_end_device(struct mptsas_devin
26577 +static inline void
26578 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
26580 + if (phy_info->port_details) {
26581 + phy_info->port_details->rphy = rphy;
26582 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
26583 + ioc->name, rphy));
26587 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
26588 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
26589 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
26590 + ioc->name, rphy, rphy->dev.release));
26596 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
26597 @@ -477,23 +494,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
26601 -static inline void
26602 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
26604 - if (phy_info->port_details) {
26605 - phy_info->port_details->rphy = rphy;
26606 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
26607 - ioc->name, rphy));
26611 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
26612 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
26613 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
26614 - ioc->name, rphy, rphy->dev.release));
26618 static inline struct sas_port *
26619 mptsas_get_port(struct mptsas_phyinfo *phy_info)
26621 diff -urNp linux-2.6.38.4/drivers/message/fusion/mptscsih.c linux-2.6.38.4/drivers/message/fusion/mptscsih.c
26622 --- linux-2.6.38.4/drivers/message/fusion/mptscsih.c 2011-03-14 21:20:32.000000000 -0400
26623 +++ linux-2.6.38.4/drivers/message/fusion/mptscsih.c 2011-04-17 15:57:32.000000000 -0400
26624 @@ -1268,15 +1268,16 @@ mptscsih_info(struct Scsi_Host *SChost)
26626 h = shost_priv(SChost);
26629 - if (h->info_kbuf == NULL)
26630 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
26631 - return h->info_kbuf;
26632 - h->info_kbuf[0] = '\0';
26636 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
26637 - h->info_kbuf[size-1] = '\0';
26639 + if (h->info_kbuf == NULL)
26640 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
26641 + return h->info_kbuf;
26642 + h->info_kbuf[0] = '\0';
26644 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
26645 + h->info_kbuf[size-1] = '\0';
26647 return h->info_kbuf;
26649 diff -urNp linux-2.6.38.4/drivers/message/i2o/i2o_proc.c linux-2.6.38.4/drivers/message/i2o/i2o_proc.c
26650 --- linux-2.6.38.4/drivers/message/i2o/i2o_proc.c 2011-03-14 21:20:32.000000000 -0400
26651 +++ linux-2.6.38.4/drivers/message/i2o/i2o_proc.c 2011-04-17 15:57:32.000000000 -0400
26652 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
26653 "Array Controller Device"
26656 -static char *chtostr(u8 * chars, int n)
26660 - return strncat(tmp, (char *)chars, n);
26663 static int i2o_report_query_status(struct seq_file *seq, int block_status,
26666 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
26668 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
26669 seq_printf(seq, "%-#8x", ddm_table.module_id);
26670 - seq_printf(seq, "%-29s",
26671 - chtostr(ddm_table.module_name_version, 28));
26672 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
26673 seq_printf(seq, "%9d ", ddm_table.data_size);
26674 seq_printf(seq, "%8d", ddm_table.code_size);
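Review bot: Replacing `chtostr(..., 28)` with `"%-.28s"` on the changed line drops the minimum field width that `"%-29s"` provided, so this column of the DDM table is no longer padded to 29 characters and the following `%9d` field shifts left whenever the name is shorter than 28 bytes. `"%-29.28s"` keeps the old alignment while still bounding the read to the 28-byte field; the same applies to the two replacements in the @@ -940 hunk below (`"%-29.28s"` and `"%-9.8s"`). The later hunks that use `%.16s`/`%.8s` in `Label : value` lines had no width before, so they are fine as written.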
26676 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
26678 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
26679 seq_printf(seq, "%-#8x", dst->module_id);
26680 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
26681 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
26682 + seq_printf(seq, "%-.28s", dst->module_name_version);
26683 + seq_printf(seq, "%-.8s", dst->date);
26684 seq_printf(seq, "%8d ", dst->module_size);
26685 seq_printf(seq, "%8d ", dst->mpb_size);
26686 seq_printf(seq, "0x%04x", dst->module_flags);
26687 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
26688 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
26689 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
26690 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
26691 - seq_printf(seq, "Vendor info : %s\n",
26692 - chtostr((u8 *) (work32 + 2), 16));
26693 - seq_printf(seq, "Product info : %s\n",
26694 - chtostr((u8 *) (work32 + 6), 16));
26695 - seq_printf(seq, "Description : %s\n",
26696 - chtostr((u8 *) (work32 + 10), 16));
26697 - seq_printf(seq, "Product rev. : %s\n",
26698 - chtostr((u8 *) (work32 + 14), 8));
26699 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
26700 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
26701 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
26702 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
26704 seq_printf(seq, "Serial number : ");
26705 print_serial_number(seq, (u8 *) (work32 + 16),
26706 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
26709 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
26710 - seq_printf(seq, "Module name : %s\n",
26711 - chtostr(result.module_name, 24));
26712 - seq_printf(seq, "Module revision : %s\n",
26713 - chtostr(result.module_rev, 8));
26714 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
26715 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
26717 seq_printf(seq, "Serial number : ");
26718 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
26719 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
26723 - seq_printf(seq, "Device name : %s\n",
26724 - chtostr(result.device_name, 64));
26725 - seq_printf(seq, "Service name : %s\n",
26726 - chtostr(result.service_name, 64));
26727 - seq_printf(seq, "Physical name : %s\n",
26728 - chtostr(result.physical_location, 64));
26729 - seq_printf(seq, "Instance number : %s\n",
26730 - chtostr(result.instance_number, 4));
26731 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
26732 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
26733 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
26734 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
26738 diff -urNp linux-2.6.38.4/drivers/mfd/janz-cmodio.c linux-2.6.38.4/drivers/mfd/janz-cmodio.c
26739 --- linux-2.6.38.4/drivers/mfd/janz-cmodio.c 2011-03-14 21:20:32.000000000 -0400
26740 +++ linux-2.6.38.4/drivers/mfd/janz-cmodio.c 2011-04-17 15:57:32.000000000 -0400
26743 #include <linux/kernel.h>
26744 #include <linux/module.h>
26745 +#include <linux/slab.h>
26746 #include <linux/init.h>
26747 #include <linux/pci.h>
26748 #include <linux/interrupt.h>
26749 diff -urNp linux-2.6.38.4/drivers/misc/kgdbts.c linux-2.6.38.4/drivers/misc/kgdbts.c
26750 --- linux-2.6.38.4/drivers/misc/kgdbts.c 2011-03-14 21:20:32.000000000 -0400
26751 +++ linux-2.6.38.4/drivers/misc/kgdbts.c 2011-04-17 15:57:32.000000000 -0400
26752 @@ -118,7 +118,7 @@
26754 #define MAX_CONFIG_LEN 40
26756 -static struct kgdb_io kgdbts_io_ops;
26757 +static const struct kgdb_io kgdbts_io_ops;
26758 static char get_buf[BUFMAX];
26759 static int get_buf_cnt;
26760 static char put_buf[BUFMAX];
26761 @@ -1103,7 +1103,7 @@ static void kgdbts_post_exp_handler(void
26762 module_put(THIS_MODULE);
26765 -static struct kgdb_io kgdbts_io_ops = {
26766 +static const struct kgdb_io kgdbts_io_ops = {
26768 .read_char = kgdbts_get_char,
26769 .write_char = kgdbts_put_char,
26770 diff -urNp linux-2.6.38.4/drivers/misc/sgi-gru/gruhandles.c linux-2.6.38.4/drivers/misc/sgi-gru/gruhandles.c
26771 --- linux-2.6.38.4/drivers/misc/sgi-gru/gruhandles.c 2011-03-14 21:20:32.000000000 -0400
26772 +++ linux-2.6.38.4/drivers/misc/sgi-gru/gruhandles.c 2011-04-17 15:57:32.000000000 -0400
26773 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
26774 unsigned long nsec;
26776 nsec = CLKS2NSEC(clks);
26777 - atomic_long_inc(&mcs_op_statistics[op].count);
26778 - atomic_long_add(nsec, &mcs_op_statistics[op].total);
26779 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
26780 + atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
26781 if (mcs_op_statistics[op].max < nsec)
26782 mcs_op_statistics[op].max = nsec;
26784 diff -urNp linux-2.6.38.4/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.38.4/drivers/misc/sgi-gru/gruprocfs.c
26785 --- linux-2.6.38.4/drivers/misc/sgi-gru/gruprocfs.c 2011-03-14 21:20:32.000000000 -0400
26786 +++ linux-2.6.38.4/drivers/misc/sgi-gru/gruprocfs.c 2011-04-17 15:57:32.000000000 -0400
26789 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
26791 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
26792 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
26794 - unsigned long val = atomic_long_read(v);
26795 + unsigned long val = atomic_long_read_unchecked(v);
26797 seq_printf(s, "%16lu %s\n", val, id);
26799 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
26801 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
26802 for (op = 0; op < mcsop_last; op++) {
26803 - count = atomic_long_read(&mcs_op_statistics[op].count);
26804 - total = atomic_long_read(&mcs_op_statistics[op].total);
26805 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
26806 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
26807 max = mcs_op_statistics[op].max;
26808 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
26809 count ? total / count : 0, max);
26810 diff -urNp linux-2.6.38.4/drivers/misc/sgi-gru/grutables.h linux-2.6.38.4/drivers/misc/sgi-gru/grutables.h
26811 --- linux-2.6.38.4/drivers/misc/sgi-gru/grutables.h 2011-03-14 21:20:32.000000000 -0400
26812 +++ linux-2.6.38.4/drivers/misc/sgi-gru/grutables.h 2011-04-17 15:57:32.000000000 -0400
26813 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
26816 struct gru_stats_s {
26817 - atomic_long_t vdata_alloc;
26818 - atomic_long_t vdata_free;
26819 - atomic_long_t gts_alloc;
26820 - atomic_long_t gts_free;
26821 - atomic_long_t gms_alloc;
26822 - atomic_long_t gms_free;
26823 - atomic_long_t gts_double_allocate;
26824 - atomic_long_t assign_context;
26825 - atomic_long_t assign_context_failed;
26826 - atomic_long_t free_context;
26827 - atomic_long_t load_user_context;
26828 - atomic_long_t load_kernel_context;
26829 - atomic_long_t lock_kernel_context;
26830 - atomic_long_t unlock_kernel_context;
26831 - atomic_long_t steal_user_context;
26832 - atomic_long_t steal_kernel_context;
26833 - atomic_long_t steal_context_failed;
26834 - atomic_long_t nopfn;
26835 - atomic_long_t asid_new;
26836 - atomic_long_t asid_next;
26837 - atomic_long_t asid_wrap;
26838 - atomic_long_t asid_reuse;
26839 - atomic_long_t intr;
26840 - atomic_long_t intr_cbr;
26841 - atomic_long_t intr_tfh;
26842 - atomic_long_t intr_spurious;
26843 - atomic_long_t intr_mm_lock_failed;
26844 - atomic_long_t call_os;
26845 - atomic_long_t call_os_wait_queue;
26846 - atomic_long_t user_flush_tlb;
26847 - atomic_long_t user_unload_context;
26848 - atomic_long_t user_exception;
26849 - atomic_long_t set_context_option;
26850 - atomic_long_t check_context_retarget_intr;
26851 - atomic_long_t check_context_unload;
26852 - atomic_long_t tlb_dropin;
26853 - atomic_long_t tlb_preload_page;
26854 - atomic_long_t tlb_dropin_fail_no_asid;
26855 - atomic_long_t tlb_dropin_fail_upm;
26856 - atomic_long_t tlb_dropin_fail_invalid;
26857 - atomic_long_t tlb_dropin_fail_range_active;
26858 - atomic_long_t tlb_dropin_fail_idle;
26859 - atomic_long_t tlb_dropin_fail_fmm;
26860 - atomic_long_t tlb_dropin_fail_no_exception;
26861 - atomic_long_t tfh_stale_on_fault;
26862 - atomic_long_t mmu_invalidate_range;
26863 - atomic_long_t mmu_invalidate_page;
26864 - atomic_long_t flush_tlb;
26865 - atomic_long_t flush_tlb_gru;
26866 - atomic_long_t flush_tlb_gru_tgh;
26867 - atomic_long_t flush_tlb_gru_zero_asid;
26869 - atomic_long_t copy_gpa;
26870 - atomic_long_t read_gpa;
26872 - atomic_long_t mesq_receive;
26873 - atomic_long_t mesq_receive_none;
26874 - atomic_long_t mesq_send;
26875 - atomic_long_t mesq_send_failed;
26876 - atomic_long_t mesq_noop;
26877 - atomic_long_t mesq_send_unexpected_error;
26878 - atomic_long_t mesq_send_lb_overflow;
26879 - atomic_long_t mesq_send_qlimit_reached;
26880 - atomic_long_t mesq_send_amo_nacked;
26881 - atomic_long_t mesq_send_put_nacked;
26882 - atomic_long_t mesq_page_overflow;
26883 - atomic_long_t mesq_qf_locked;
26884 - atomic_long_t mesq_qf_noop_not_full;
26885 - atomic_long_t mesq_qf_switch_head_failed;
26886 - atomic_long_t mesq_qf_unexpected_error;
26887 - atomic_long_t mesq_noop_unexpected_error;
26888 - atomic_long_t mesq_noop_lb_overflow;
26889 - atomic_long_t mesq_noop_qlimit_reached;
26890 - atomic_long_t mesq_noop_amo_nacked;
26891 - atomic_long_t mesq_noop_put_nacked;
26892 - atomic_long_t mesq_noop_page_overflow;
26893 + atomic_long_unchecked_t vdata_alloc;
26894 + atomic_long_unchecked_t vdata_free;
26895 + atomic_long_unchecked_t gts_alloc;
26896 + atomic_long_unchecked_t gts_free;
26897 + atomic_long_unchecked_t gms_alloc;
26898 + atomic_long_unchecked_t gms_free;
26899 + atomic_long_unchecked_t gts_double_allocate;
26900 + atomic_long_unchecked_t assign_context;
26901 + atomic_long_unchecked_t assign_context_failed;
26902 + atomic_long_unchecked_t free_context;
26903 + atomic_long_unchecked_t load_user_context;
26904 + atomic_long_unchecked_t load_kernel_context;
26905 + atomic_long_unchecked_t lock_kernel_context;
26906 + atomic_long_unchecked_t unlock_kernel_context;
26907 + atomic_long_unchecked_t steal_user_context;
26908 + atomic_long_unchecked_t steal_kernel_context;
26909 + atomic_long_unchecked_t steal_context_failed;
26910 + atomic_long_unchecked_t nopfn;
26911 + atomic_long_unchecked_t asid_new;
26912 + atomic_long_unchecked_t asid_next;
26913 + atomic_long_unchecked_t asid_wrap;
26914 + atomic_long_unchecked_t asid_reuse;
26915 + atomic_long_unchecked_t intr;
26916 + atomic_long_unchecked_t intr_cbr;
26917 + atomic_long_unchecked_t intr_tfh;
26918 + atomic_long_unchecked_t intr_spurious;
26919 + atomic_long_unchecked_t intr_mm_lock_failed;
26920 + atomic_long_unchecked_t call_os;
26921 + atomic_long_unchecked_t call_os_wait_queue;
26922 + atomic_long_unchecked_t user_flush_tlb;
26923 + atomic_long_unchecked_t user_unload_context;
26924 + atomic_long_unchecked_t user_exception;
26925 + atomic_long_unchecked_t set_context_option;
26926 + atomic_long_unchecked_t check_context_retarget_intr;
26927 + atomic_long_unchecked_t check_context_unload;
26928 + atomic_long_unchecked_t tlb_dropin;
26929 + atomic_long_unchecked_t tlb_preload_page;
26930 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
26931 + atomic_long_unchecked_t tlb_dropin_fail_upm;
26932 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
26933 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
26934 + atomic_long_unchecked_t tlb_dropin_fail_idle;
26935 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
26936 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
26937 + atomic_long_unchecked_t tfh_stale_on_fault;
26938 + atomic_long_unchecked_t mmu_invalidate_range;
26939 + atomic_long_unchecked_t mmu_invalidate_page;
26940 + atomic_long_unchecked_t flush_tlb;
26941 + atomic_long_unchecked_t flush_tlb_gru;
26942 + atomic_long_unchecked_t flush_tlb_gru_tgh;
26943 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
26945 + atomic_long_unchecked_t copy_gpa;
26946 + atomic_long_unchecked_t read_gpa;
26948 + atomic_long_unchecked_t mesq_receive;
26949 + atomic_long_unchecked_t mesq_receive_none;
26950 + atomic_long_unchecked_t mesq_send;
26951 + atomic_long_unchecked_t mesq_send_failed;
26952 + atomic_long_unchecked_t mesq_noop;
26953 + atomic_long_unchecked_t mesq_send_unexpected_error;
26954 + atomic_long_unchecked_t mesq_send_lb_overflow;
26955 + atomic_long_unchecked_t mesq_send_qlimit_reached;
26956 + atomic_long_unchecked_t mesq_send_amo_nacked;
26957 + atomic_long_unchecked_t mesq_send_put_nacked;
26958 + atomic_long_unchecked_t mesq_page_overflow;
26959 + atomic_long_unchecked_t mesq_qf_locked;
26960 + atomic_long_unchecked_t mesq_qf_noop_not_full;
26961 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
26962 + atomic_long_unchecked_t mesq_qf_unexpected_error;
26963 + atomic_long_unchecked_t mesq_noop_unexpected_error;
26964 + atomic_long_unchecked_t mesq_noop_lb_overflow;
26965 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
26966 + atomic_long_unchecked_t mesq_noop_amo_nacked;
26967 + atomic_long_unchecked_t mesq_noop_put_nacked;
26968 + atomic_long_unchecked_t mesq_noop_page_overflow;
26972 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
26973 tghop_invalidate, mcsop_last};
26975 struct mcs_op_statistic {
26976 - atomic_long_t count;
26977 - atomic_long_t total;
26978 + atomic_long_unchecked_t count;
26979 + atomic_long_unchecked_t total;
26983 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
26985 #define STAT(id) do { \
26986 if (gru_options & OPT_STATS) \
26987 - atomic_long_inc(&gru_stats.id); \
26988 + atomic_long_inc_unchecked(&gru_stats.id); \
26991 #ifdef CONFIG_SGI_GRU_DEBUG
26992 diff -urNp linux-2.6.38.4/drivers/mtd/devices/doc2000.c linux-2.6.38.4/drivers/mtd/devices/doc2000.c
26993 --- linux-2.6.38.4/drivers/mtd/devices/doc2000.c 2011-03-14 21:20:32.000000000 -0400
26994 +++ linux-2.6.38.4/drivers/mtd/devices/doc2000.c 2011-04-17 15:57:32.000000000 -0400
26995 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
26997 /* The ECC will not be calculated correctly if less than 512 is written */
26999 - if (len != 0x200 && eccbuf)
27000 + if (len != 0x200)
27001 printk(KERN_WARNING
27002 "ECC needs a full sector write (adr: %lx size %lx)\n",
27003 (long) to, (long) len);
27004 diff -urNp linux-2.6.38.4/drivers/mtd/devices/doc2001.c linux-2.6.38.4/drivers/mtd/devices/doc2001.c
27005 --- linux-2.6.38.4/drivers/mtd/devices/doc2001.c 2011-03-14 21:20:32.000000000 -0400
27006 +++ linux-2.6.38.4/drivers/mtd/devices/doc2001.c 2011-04-17 15:57:32.000000000 -0400
27007 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
27008 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
27010 /* Don't allow read past end of device */
27011 - if (from >= this->totlen)
27012 + if (from >= this->totlen || !len)
27015 /* Don't allow a single read to cross a 512-byte block boundary */
27016 diff -urNp linux-2.6.38.4/drivers/mtd/nand/denali.c linux-2.6.38.4/drivers/mtd/nand/denali.c
27017 --- linux-2.6.38.4/drivers/mtd/nand/denali.c 2011-03-14 21:20:32.000000000 -0400
27018 +++ linux-2.6.38.4/drivers/mtd/nand/denali.c 2011-04-17 15:57:32.000000000 -0400
27020 #include <linux/pci.h>
27021 #include <linux/mtd/mtd.h>
27022 #include <linux/module.h>
27023 +#include <linux/slab.h>
27025 #include "denali.h"
27027 diff -urNp linux-2.6.38.4/drivers/mtd/ubi/build.c linux-2.6.38.4/drivers/mtd/ubi/build.c
27028 --- linux-2.6.38.4/drivers/mtd/ubi/build.c 2011-03-14 21:20:32.000000000 -0400
27029 +++ linux-2.6.38.4/drivers/mtd/ubi/build.c 2011-04-17 15:57:32.000000000 -0400
27030 @@ -1285,7 +1285,7 @@ module_exit(ubi_exit);
27031 static int __init bytes_str_to_int(const char *str)
27034 - unsigned long result;
27035 + unsigned long result, scale = 1;
27037 result = simple_strtoul(str, &endp, 0);
27038 if (str == endp || result >= INT_MAX) {
27039 @@ -1296,11 +1296,11 @@ static int __init bytes_str_to_int(const
27051 if (endp[1] == 'i' && endp[2] == 'B')
27054 @@ -1311,7 +1311,13 @@ static int __init bytes_str_to_int(const
27059 + if ((intoverflow_t)result*scale >= INT_MAX) {
27060 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
27065 + return result*scale;
27069 diff -urNp linux-2.6.38.4/drivers/net/e1000e/82571.c linux-2.6.38.4/drivers/net/e1000e/82571.c
27070 --- linux-2.6.38.4/drivers/net/e1000e/82571.c 2011-03-14 21:20:32.000000000 -0400
27071 +++ linux-2.6.38.4/drivers/net/e1000e/82571.c 2011-04-17 15:57:32.000000000 -0400
27072 @@ -239,7 +239,7 @@ static s32 e1000_init_mac_params_82571(s
27074 struct e1000_hw *hw = &adapter->hw;
27075 struct e1000_mac_info *mac = &hw->mac;
27076 - struct e1000_mac_operations *func = &mac->ops;
27077 + struct e1000_mac_operations *func = &mac->ops; /* cannot be const */
27080 bool force_clear_smbi = false;
27081 @@ -1930,7 +1930,7 @@ static void e1000_clear_hw_cntrs_82571(s
27085 -static struct e1000_mac_operations e82571_mac_ops = {
27086 +static const struct e1000_mac_operations e82571_mac_ops = {
27087 /* .check_mng_mode: mac type dependent */
27088 /* .check_for_link: media type dependent */
27089 .id_led_init = e1000e_id_led_init,
27090 @@ -1952,7 +1952,7 @@ static struct e1000_mac_operations e8257
27091 .read_mac_addr = e1000_read_mac_addr_82571,
27094 -static struct e1000_phy_operations e82_phy_ops_igp = {
27095 +static const struct e1000_phy_operations e82_phy_ops_igp = {
27096 .acquire = e1000_get_hw_semaphore_82571,
27097 .check_polarity = e1000_check_polarity_igp,
27098 .check_reset_block = e1000e_check_reset_block_generic,
27099 @@ -1970,7 +1970,7 @@ static struct e1000_phy_operations e82_p
27100 .cfg_on_link_up = NULL,
27103 -static struct e1000_phy_operations e82_phy_ops_m88 = {
27104 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
27105 .acquire = e1000_get_hw_semaphore_82571,
27106 .check_polarity = e1000_check_polarity_m88,
27107 .check_reset_block = e1000e_check_reset_block_generic,
27108 @@ -1988,7 +1988,7 @@ static struct e1000_phy_operations e82_p
27109 .cfg_on_link_up = NULL,
27112 -static struct e1000_phy_operations e82_phy_ops_bm = {
27113 +static const struct e1000_phy_operations e82_phy_ops_bm = {
27114 .acquire = e1000_get_hw_semaphore_82571,
27115 .check_polarity = e1000_check_polarity_m88,
27116 .check_reset_block = e1000e_check_reset_block_generic,
27117 @@ -2006,7 +2006,7 @@ static struct e1000_phy_operations e82_p
27118 .cfg_on_link_up = NULL,
27121 -static struct e1000_nvm_operations e82571_nvm_ops = {
27122 +static const struct e1000_nvm_operations e82571_nvm_ops = {
27123 .acquire = e1000_acquire_nvm_82571,
27124 .read = e1000e_read_nvm_eerd,
27125 .release = e1000_release_nvm_82571,
27126 diff -urNp linux-2.6.38.4/drivers/net/e1000e/e1000.h linux-2.6.38.4/drivers/net/e1000e/e1000.h
27127 --- linux-2.6.38.4/drivers/net/e1000e/e1000.h 2011-03-14 21:20:32.000000000 -0400
27128 +++ linux-2.6.38.4/drivers/net/e1000e/e1000.h 2011-04-17 15:57:32.000000000 -0400
27129 @@ -408,9 +408,9 @@ struct e1000_info {
27131 u32 max_hw_frame_size;
27132 s32 (*get_variants)(struct e1000_adapter *);
27133 - struct e1000_mac_operations *mac_ops;
27134 - struct e1000_phy_operations *phy_ops;
27135 - struct e1000_nvm_operations *nvm_ops;
27136 + const struct e1000_mac_operations *mac_ops;
27137 + const struct e1000_phy_operations *phy_ops;
27138 + const struct e1000_nvm_operations *nvm_ops;
27141 /* hardware capability, feature, and workaround flags */
27142 diff -urNp linux-2.6.38.4/drivers/net/e1000e/es2lan.c linux-2.6.38.4/drivers/net/e1000e/es2lan.c
27143 --- linux-2.6.38.4/drivers/net/e1000e/es2lan.c 2011-03-14 21:20:32.000000000 -0400
27144 +++ linux-2.6.38.4/drivers/net/e1000e/es2lan.c 2011-04-17 15:57:32.000000000 -0400
27145 @@ -205,7 +205,7 @@ static s32 e1000_init_mac_params_80003es
27147 struct e1000_hw *hw = &adapter->hw;
27148 struct e1000_mac_info *mac = &hw->mac;
27149 - struct e1000_mac_operations *func = &mac->ops;
27150 + struct e1000_mac_operations *func = &mac->ops; /* cannot be const */
27152 /* Set media type */
27153 switch (adapter->pdev->device) {
27154 @@ -1431,7 +1431,7 @@ static void e1000_clear_hw_cntrs_80003es
27158 -static struct e1000_mac_operations es2_mac_ops = {
27159 +static const struct e1000_mac_operations es2_mac_ops = {
27160 .read_mac_addr = e1000_read_mac_addr_80003es2lan,
27161 .id_led_init = e1000e_id_led_init,
27162 .check_mng_mode = e1000e_check_mng_mode_generic,
27163 @@ -1453,7 +1453,7 @@ static struct e1000_mac_operations es2_m
27164 .setup_led = e1000e_setup_led_generic,
27167 -static struct e1000_phy_operations es2_phy_ops = {
27168 +static const struct e1000_phy_operations es2_phy_ops = {
27169 .acquire = e1000_acquire_phy_80003es2lan,
27170 .check_polarity = e1000_check_polarity_m88,
27171 .check_reset_block = e1000e_check_reset_block_generic,
27172 @@ -1471,7 +1471,7 @@ static struct e1000_phy_operations es2_p
27173 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
27176 -static struct e1000_nvm_operations es2_nvm_ops = {
27177 +static const struct e1000_nvm_operations es2_nvm_ops = {
27178 .acquire = e1000_acquire_nvm_80003es2lan,
27179 .read = e1000e_read_nvm_eerd,
27180 .release = e1000_release_nvm_80003es2lan,
27181 diff -urNp linux-2.6.38.4/drivers/net/e1000e/hw.h linux-2.6.38.4/drivers/net/e1000e/hw.h
27182 --- linux-2.6.38.4/drivers/net/e1000e/hw.h 2011-03-14 21:20:32.000000000 -0400
27183 +++ linux-2.6.38.4/drivers/net/e1000e/hw.h 2011-04-17 15:57:32.000000000 -0400
27184 @@ -801,16 +801,17 @@ struct e1000_phy_operations {
27186 /* Function pointers for the NVM. */
27187 struct e1000_nvm_operations {
27188 - s32 (*acquire)(struct e1000_hw *);
27189 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
27190 - void (*release)(struct e1000_hw *);
27191 - s32 (*update)(struct e1000_hw *);
27192 - s32 (*valid_led_default)(struct e1000_hw *, u16 *);
27193 - s32 (*validate)(struct e1000_hw *);
27194 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
27195 + s32 (* acquire)(struct e1000_hw *); /* cannot be const, see drivers/net/e1000e/82571.c e1000_init_nvm_params_82571() */
27196 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
27197 + void (* release)(struct e1000_hw *); /* cannot be const, see drivers/net/e1000e/82571.c e1000_init_nvm_params_82571() */
27198 + s32 (* const update)(struct e1000_hw *);
27199 + s32 (* const valid_led_default)(struct e1000_hw *, u16 *);
27200 + s32 (* const validate)(struct e1000_hw *);
27201 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
27204 struct e1000_mac_info {
27205 + /* cannot be const see e1000_init_mac_params_ich8lan */
27206 struct e1000_mac_operations ops;
27209 @@ -853,6 +854,7 @@ struct e1000_mac_info {
27212 struct e1000_phy_info {
27213 + /* Cannot be const see e1000_init_phy_params_82571() */
27214 struct e1000_phy_operations ops;
27216 enum e1000_phy_type type;
27217 @@ -887,6 +889,7 @@ struct e1000_phy_info {
27220 struct e1000_nvm_info {
27221 + /* cannot be const */
27222 struct e1000_nvm_operations ops;
27224 enum e1000_nvm_type type;
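Review bot: The comment added above `struct e1000_nvm_operations ops;` in this hunk reads just `/* cannot be const */`, while the sibling comments in the two hunks above (`struct e1000_mac_info`, `struct e1000_phy_info`) each name the function that writes through the ops table. The `acquire`/`release` comments in the @@ -801 hunk already point at `e1000_init_nvm_params_82571()`, so the same reference belongs here: `/* cannot be const, see drivers/net/e1000e/82571.c e1000_init_nvm_params_82571() */`. Without it the next reader has to rediscover which code path assigns into the table before attempting to constify it.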
27225 diff -urNp linux-2.6.38.4/drivers/net/e1000e/ich8lan.c linux-2.6.38.4/drivers/net/e1000e/ich8lan.c
27226 --- linux-2.6.38.4/drivers/net/e1000e/ich8lan.c 2011-03-14 21:20:32.000000000 -0400
27227 +++ linux-2.6.38.4/drivers/net/e1000e/ich8lan.c 2011-04-17 15:57:32.000000000 -0400
27228 @@ -3840,7 +3840,7 @@ static void e1000_clear_hw_cntrs_ich8lan
27232 -static struct e1000_mac_operations ich8_mac_ops = {
27233 +static const struct e1000_mac_operations ich8_mac_ops = {
27234 .id_led_init = e1000e_id_led_init,
27235 /* check_mng_mode dependent on mac type */
27236 .check_for_link = e1000_check_for_copper_link_ich8lan,
27237 @@ -3859,7 +3859,7 @@ static struct e1000_mac_operations ich8_
27238 /* id_led_init dependent on mac type */
27241 -static struct e1000_phy_operations ich8_phy_ops = {
27242 +static const struct e1000_phy_operations ich8_phy_ops = {
27243 .acquire = e1000_acquire_swflag_ich8lan,
27244 .check_reset_block = e1000_check_reset_block_ich8lan,
27246 @@ -3873,7 +3873,7 @@ static struct e1000_phy_operations ich8_
27247 .write_reg = e1000e_write_phy_reg_igp,
27250 -static struct e1000_nvm_operations ich8_nvm_ops = {
27251 +static const struct e1000_nvm_operations ich8_nvm_ops = {
27252 .acquire = e1000_acquire_nvm_ich8lan,
27253 .read = e1000_read_nvm_ich8lan,
27254 .release = e1000_release_nvm_ich8lan,
27255 diff -urNp linux-2.6.38.4/drivers/net/igb/e1000_82575.c linux-2.6.38.4/drivers/net/igb/e1000_82575.c
27256 --- linux-2.6.38.4/drivers/net/igb/e1000_82575.c 2011-03-14 21:20:32.000000000 -0400
27257 +++ linux-2.6.38.4/drivers/net/igb/e1000_82575.c 2011-04-17 15:57:32.000000000 -0400
27258 @@ -1747,7 +1747,7 @@ u16 igb_rxpbs_adjust_82580(u32 data)
27262 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
27263 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
27264 .init_hw = igb_init_hw_82575,
27265 .check_for_link = igb_check_for_link_82575,
27266 .rar_set = igb_rar_set,
27267 @@ -1755,13 +1755,13 @@ static struct e1000_mac_operations e1000
27268 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
27271 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
27272 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
27273 .acquire = igb_acquire_phy_82575,
27274 .get_cfg_done = igb_get_cfg_done_82575,
27275 .release = igb_release_phy_82575,
27278 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
27279 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
27280 .acquire = igb_acquire_nvm_82575,
27281 .read = igb_read_nvm_eerd,
27282 .release = igb_release_nvm_82575,
27283 diff -urNp linux-2.6.38.4/drivers/net/igb/e1000_hw.h linux-2.6.38.4/drivers/net/igb/e1000_hw.h
27284 --- linux-2.6.38.4/drivers/net/igb/e1000_hw.h 2011-03-14 21:20:32.000000000 -0400
27285 +++ linux-2.6.38.4/drivers/net/igb/e1000_hw.h 2011-04-17 15:57:32.000000000 -0400
27286 @@ -327,22 +327,23 @@ struct e1000_phy_operations {
27289 struct e1000_nvm_operations {
27290 - s32 (*acquire)(struct e1000_hw *);
27291 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
27292 - void (*release)(struct e1000_hw *);
27293 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
27294 + s32 (* const acquire)(struct e1000_hw *);
27295 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
27296 + void (* const release)(struct e1000_hw *);
27297 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
27300 struct e1000_info {
27301 s32 (*get_invariants)(struct e1000_hw *);
27302 - struct e1000_mac_operations *mac_ops;
27303 - struct e1000_phy_operations *phy_ops;
27304 - struct e1000_nvm_operations *nvm_ops;
27305 + const struct e1000_mac_operations *mac_ops;
27306 + const struct e1000_phy_operations *phy_ops;
27307 + const struct e1000_nvm_operations *nvm_ops;
27310 extern const struct e1000_info e1000_82575_info;
27312 struct e1000_mac_info {
27313 + /* cannot be const see igb_get_invariants_82575() */
27314 struct e1000_mac_operations ops;
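Review bot: The `* const` qualifiers added to all four members of struct e1000_nvm_operations make any struct containing it non-assignable, so `hw->nvm.ops` (declared at the nvm_info hunk below, marked "cannot be const") can only be initialised or memcpy'd, never written with `hw->nvm.ops = *nvm_ops;`. If igb_get_invariants_82575() assigns member-wise this hunk will not compile; if it uses memcpy it compiles but silently writes through the const, which is the case the e1000e header in this patch avoids by leaving `acquire`/`release` non-const with an explanatory comment. The comment on nvm_info, `/* cannot be const */`, should name the initialising function like its mac_info and phy_info siblings do, e.g. `/* cannot be const: filled by memcpy in igb_get_invariants_82575() */` (confirm against that function, which is outside this diff).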
27317 @@ -381,6 +382,7 @@ struct e1000_mac_info {
27320 struct e1000_phy_info {
27321 + /* cannot be const see igb_get_invariants_82575() */
27322 struct e1000_phy_operations ops;
27324 enum e1000_phy_type type;
27325 @@ -416,6 +418,7 @@ struct e1000_phy_info {
27328 struct e1000_nvm_info {
27329 + /* cannot be const */
27330 struct e1000_nvm_operations ops;
27332 enum e1000_nvm_type type;
27333 diff -urNp linux-2.6.38.4/drivers/net/igbvf/vf.h linux-2.6.38.4/drivers/net/igbvf/vf.h
27334 --- linux-2.6.38.4/drivers/net/igbvf/vf.h 2011-03-14 21:20:32.000000000 -0400
27335 +++ linux-2.6.38.4/drivers/net/igbvf/vf.h 2011-04-17 15:57:32.000000000 -0400
27336 @@ -191,6 +191,7 @@ struct e1000_mac_operations {
27339 struct e1000_mac_info {
27340 + /* cannot be const see e1000_init_mac_params_vf() */
27341 struct e1000_mac_operations ops;
27344 diff -urNp linux-2.6.38.4/drivers/net/irda/vlsi_ir.c linux-2.6.38.4/drivers/net/irda/vlsi_ir.c
27345 --- linux-2.6.38.4/drivers/net/irda/vlsi_ir.c 2011-03-14 21:20:32.000000000 -0400
27346 +++ linux-2.6.38.4/drivers/net/irda/vlsi_ir.c 2011-04-17 15:57:32.000000000 -0400
27347 @@ -907,13 +907,12 @@ static netdev_tx_t vlsi_hard_start_xmit(
27348 /* no race - tx-ring already empty */
27349 vlsi_set_baud(idev, iobase);
27350 netif_wake_queue(ndev);
27355 /* keep the speed change pending like it would
27356 * for any len>0 packet. tx completion interrupt
27357 * will apply it when the tx ring becomes empty.
27360 spin_unlock_irqrestore(&idev->lock, flags);
27361 dev_kfree_skb_any(skb);
27362 return NETDEV_TX_OK;
27363 diff -urNp linux-2.6.38.4/drivers/net/pcnet32.c linux-2.6.38.4/drivers/net/pcnet32.c
27364 --- linux-2.6.38.4/drivers/net/pcnet32.c 2011-03-14 21:20:32.000000000 -0400
27365 +++ linux-2.6.38.4/drivers/net/pcnet32.c 2011-04-17 15:57:32.000000000 -0400
27366 @@ -82,7 +82,7 @@ static int cards_found;
27368 * VLB I/O addresses
27370 -static unsigned int pcnet32_portlist[] __initdata =
27371 +static unsigned int pcnet32_portlist[] __devinitdata =
27372 { 0x300, 0x320, 0x340, 0x360, 0 };
27374 static int pcnet32_debug;
27375 diff -urNp linux-2.6.38.4/drivers/net/ppp_generic.c linux-2.6.38.4/drivers/net/ppp_generic.c
27376 --- linux-2.6.38.4/drivers/net/ppp_generic.c 2011-03-14 21:20:32.000000000 -0400
27377 +++ linux-2.6.38.4/drivers/net/ppp_generic.c 2011-04-17 15:57:32.000000000 -0400
27378 @@ -986,7 +986,6 @@ ppp_net_ioctl(struct net_device *dev, st
27379 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
27380 struct ppp_stats stats;
27381 struct ppp_comp_stats cstats;
27385 case SIOCGPPPSTATS:
27386 @@ -1008,8 +1007,7 @@ ppp_net_ioctl(struct net_device *dev, st
27390 - vers = PPP_VERSION;
27391 - if (copy_to_user(addr, vers, strlen(vers) + 1))
27392 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
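Review bot: `sizeof(PPP_VERSION)` equals `strlen(vers) + 1` only while PPP_VERSION expands to a string literal; should the macro ever become a `const char *`, the copy silently shrinks to `sizeof(char *)` with no compiler diagnostic. Since the removed `vers` variable was the thing that made the length explicit, a one-line comment keeps the assumption visible: `/* PPP_VERSION is a string literal: sizeof includes the NUL */`. ppp_net_ioctl continues outside this hunk.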
27396 diff -urNp linux-2.6.38.4/drivers/net/tg3.h linux-2.6.38.4/drivers/net/tg3.h
27397 --- linux-2.6.38.4/drivers/net/tg3.h 2011-03-14 21:20:32.000000000 -0400
27398 +++ linux-2.6.38.4/drivers/net/tg3.h 2011-04-17 15:57:32.000000000 -0400
27399 @@ -131,6 +131,7 @@
27400 #define CHIPREV_ID_5750_A0 0x4000
27401 #define CHIPREV_ID_5750_A1 0x4001
27402 #define CHIPREV_ID_5750_A3 0x4003
27403 +#define CHIPREV_ID_5750_C1 0x4201
27404 #define CHIPREV_ID_5750_C2 0x4202
27405 #define CHIPREV_ID_5752_A0_HW 0x5000
27406 #define CHIPREV_ID_5752_A0 0x6000
27407 diff -urNp linux-2.6.38.4/drivers/net/tulip/de4x5.c linux-2.6.38.4/drivers/net/tulip/de4x5.c
27408 --- linux-2.6.38.4/drivers/net/tulip/de4x5.c 2011-03-14 21:20:32.000000000 -0400
27409 +++ linux-2.6.38.4/drivers/net/tulip/de4x5.c 2011-04-17 15:57:32.000000000 -0400
27410 @@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
27411 for (i=0; i<ETH_ALEN; i++) {
27412 tmp.addr[i] = dev->dev_addr[i];
27414 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
27415 + if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
27418 case DE4X5_SET_HWADDR: /* Set the hardware address */
27419 @@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
27420 spin_lock_irqsave(&lp->lock, flags);
27421 memcpy(&statbuf, &lp->pktStats, ioc->len);
27422 spin_unlock_irqrestore(&lp->lock, flags);
27423 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
27424 + if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
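Review bot: The new `ioc->len > sizeof statbuf` test comes after the `memcpy(&statbuf, &lp->pktStats, ioc->len)` two lines above it, so an over-long user-supplied `ioc->len` still overruns the stack buffer (and reads past `lp->pktStats`) before the check rejects the request; the bound has to precede the copy. Move it up, e.g. `if (ioc->len > sizeof statbuf) return -EFAULT;` before `spin_lock_irqsave(&lp->lock, flags);` and `memcpy(&statbuf, &lp->pktStats, ioc->len);`, keeping the existing `copy_to_user` failure check afterwards. The DE4X5_GET_HWADDR hunk above gets this right because there the check guards the only access. de4x5_ioctl begins and ends outside the hunk, so whether an earlier guard already bounds `ioc->len` for this case cannot be confirmed from here.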
27428 diff -urNp linux-2.6.38.4/drivers/net/usb/hso.c linux-2.6.38.4/drivers/net/usb/hso.c
27429 --- linux-2.6.38.4/drivers/net/usb/hso.c 2011-03-14 21:20:32.000000000 -0400
27430 +++ linux-2.6.38.4/drivers/net/usb/hso.c 2011-04-17 15:57:32.000000000 -0400
27432 #include <asm/byteorder.h>
27433 #include <linux/serial_core.h>
27434 #include <linux/serial.h>
27436 +#include <asm/local.h>
27438 #define MOD_AUTHOR "Option Wireless"
27439 #define MOD_DESCRIPTION "USB High Speed Option driver"
27440 @@ -257,7 +257,7 @@ struct hso_serial {
27442 /* from usb_serial_port */
27443 struct tty_struct *tty;
27445 + local_t open_count;
27446 spinlock_t serial_lock;
27448 int (*write_data) (struct hso_serial *serial);
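Review bot: `local_t` is documented as atomic only with respect to the CPU that owns the variable (per-CPU data); `open_count` is per-port state touched from tty open/close in process context on any CPU and from URB completion callbacks, so switching the `int` to `local_t` does not make the cross-CPU increments in the hso_serial_open and hso_serial_close hunks below atomic, and the close path still performs `local_dec`, `local_read` and `local_set` as three separate steps. The original `serial->open_count++` sat outside `serial_lock` as well, so this is a pre-existing race the conversion leaves in place rather than one it introduces. Either use `atomic_t` with `atomic_inc_return`/`atomic_dec` here, or document why a per-CPU primitive is adequate: `/* NOTE: local_t is per-CPU atomic only; open/close may run on different CPUs */`.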
27449 @@ -1190,7 +1190,7 @@ static void put_rxbuf_data_and_resubmit_
27452 urb = serial->rx_urb[0];
27453 - if (serial->open_count > 0) {
27454 + if (local_read(&serial->open_count) > 0) {
27455 count = put_rxbuf_data(urb, serial);
27458 @@ -1226,7 +1226,7 @@ static void hso_std_serial_read_bulk_cal
27459 DUMP1(urb->transfer_buffer, urb->actual_length);
27461 /* Anyone listening? */
27462 - if (serial->open_count == 0)
27463 + if (local_read(&serial->open_count) == 0)
27467 @@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
27468 spin_unlock_irq(&serial->serial_lock);
27470 /* check for port already opened, if not set the termios */
27471 - serial->open_count++;
27472 - if (serial->open_count == 1) {
27473 + if (local_inc_return(&serial->open_count) == 1) {
27474 serial->rx_state = RX_IDLE;
27475 /* Force default termio settings */
27476 _hso_serial_set_termios(tty, NULL);
27477 @@ -1324,7 +1323,7 @@ static int hso_serial_open(struct tty_st
27478 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
27480 hso_stop_serial_device(serial->parent);
27481 - serial->open_count--;
27482 + local_dec(&serial->open_count);
27483 kref_put(&serial->parent->ref, hso_serial_ref_free);
27486 @@ -1361,10 +1360,10 @@ static void hso_serial_close(struct tty_
27488 /* reset the rts and dtr */
27489 /* do the actual close */
27490 - serial->open_count--;
27491 + local_dec(&serial->open_count);
27493 - if (serial->open_count <= 0) {
27494 - serial->open_count = 0;
27495 + if (local_read(&serial->open_count) <= 0) {
27496 + local_set(&serial->open_count, 0);
27497 spin_lock_irq(&serial->serial_lock);
27498 if (serial->tty == tty) {
27499 serial->tty->driver_data = NULL;
27500 @@ -1446,7 +1445,7 @@ static void hso_serial_set_termios(struc
27502 /* the actual setup */
27503 spin_lock_irqsave(&serial->serial_lock, flags);
27504 - if (serial->open_count)
27505 + if (local_read(&serial->open_count))
27506 _hso_serial_set_termios(tty, old);
27508 tty->termios = old;
27509 @@ -1905,7 +1904,7 @@ static void intr_callback(struct urb *ur
27510 D1("Pending read interrupt on port %d\n", i);
27511 spin_lock(&serial->serial_lock);
27512 if (serial->rx_state == RX_IDLE &&
27513 - serial->open_count > 0) {
27514 + local_read(&serial->open_count) > 0) {
27515 /* Setup and send a ctrl req read on
27517 if (!serial->rx_urb_filled[0]) {
27518 @@ -3097,7 +3096,7 @@ static int hso_resume(struct usb_interfa
27519 /* Start all serial ports */
27520 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
27521 if (serial_table[i] && (serial_table[i]->interface == iface)) {
27522 - if (dev2ser(serial_table[i])->open_count) {
27523 + if (local_read(&dev2ser(serial_table[i])->open_count)) {
27525 hso_start_serial_device(serial_table[i], GFP_NOIO);
27526 hso_kick_transmit(dev2ser(serial_table[i]));
27527 diff -urNp linux-2.6.38.4/drivers/net/vmxnet3/vmxnet3_ethtool.c linux-2.6.38.4/drivers/net/vmxnet3/vmxnet3_ethtool.c
27528 --- linux-2.6.38.4/drivers/net/vmxnet3/vmxnet3_ethtool.c 2011-04-18 17:27:18.000000000 -0400
27529 +++ linux-2.6.38.4/drivers/net/vmxnet3/vmxnet3_ethtool.c 2011-04-17 16:53:41.000000000 -0400
27530 @@ -628,8 +628,7 @@ vmxnet3_set_rss_indir(struct net_device
27531 * Return with error code if any of the queue indices
27534 - if (p->ring_index[i] < 0 ||
27535 - p->ring_index[i] >= adapter->num_rx_queues)
27536 + if (p->ring_index[i] >= adapter->num_rx_queues)
27540 diff -urNp linux-2.6.38.4/drivers/net/wireless/b43/debugfs.c linux-2.6.38.4/drivers/net/wireless/b43/debugfs.c
27541 --- linux-2.6.38.4/drivers/net/wireless/b43/debugfs.c 2011-03-14 21:20:32.000000000 -0400
27542 +++ linux-2.6.38.4/drivers/net/wireless/b43/debugfs.c 2011-04-17 15:57:32.000000000 -0400
27543 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
27544 struct b43_debugfs_fops {
27545 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
27546 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
27547 - struct file_operations fops;
27548 + const struct file_operations fops;
27549 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
27550 size_t file_struct_offset;
27552 diff -urNp linux-2.6.38.4/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.38.4/drivers/net/wireless/b43legacy/debugfs.c
27553 --- linux-2.6.38.4/drivers/net/wireless/b43legacy/debugfs.c 2011-03-14 21:20:32.000000000 -0400
27554 +++ linux-2.6.38.4/drivers/net/wireless/b43legacy/debugfs.c 2011-04-17 15:57:32.000000000 -0400
27555 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
27556 struct b43legacy_debugfs_fops {
27557 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
27558 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
27559 - struct file_operations fops;
27560 + const struct file_operations fops;
27561 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
27562 size_t file_struct_offset;
27563 /* Take wl->irq_lock before calling read/write? */
27564 diff -urNp linux-2.6.38.4/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.38.4/drivers/net/wireless/iwlwifi/iwl-debug.h
27565 --- linux-2.6.38.4/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-03-14 21:20:32.000000000 -0400
27566 +++ linux-2.6.38.4/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-04-17 15:57:32.000000000 -0400
27567 @@ -68,8 +68,8 @@ do {
27571 -#define IWL_DEBUG(__priv, level, fmt, args...)
27572 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
27573 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
27574 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
27575 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
27576 const void *p, u32 len)
27578 diff -urNp linux-2.6.38.4/drivers/net/wireless/libertas/debugfs.c linux-2.6.38.4/drivers/net/wireless/libertas/debugfs.c
27579 --- linux-2.6.38.4/drivers/net/wireless/libertas/debugfs.c 2011-03-14 21:20:32.000000000 -0400
27580 +++ linux-2.6.38.4/drivers/net/wireless/libertas/debugfs.c 2011-04-17 15:57:32.000000000 -0400
27581 @@ -702,7 +702,7 @@ out_unlock:
27582 struct lbs_debugfs_files {
27585 - struct file_operations fops;
27586 + const struct file_operations fops;
27589 static const struct lbs_debugfs_files debugfs_files[] = {
27590 diff -urNp linux-2.6.38.4/drivers/net/wireless/rndis_wlan.c linux-2.6.38.4/drivers/net/wireless/rndis_wlan.c
27591 --- linux-2.6.38.4/drivers/net/wireless/rndis_wlan.c 2011-03-14 21:20:32.000000000 -0400
27592 +++ linux-2.6.38.4/drivers/net/wireless/rndis_wlan.c 2011-04-17 15:57:32.000000000 -0400
27593 @@ -1277,7 +1277,7 @@ static int set_rts_threshold(struct usbn
27595 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
27597 - if (rts_threshold < 0 || rts_threshold > 2347)
27598 + if (rts_threshold > 2347)
27599 rts_threshold = 2347;
27601 tmp = cpu_to_le32(rts_threshold);
27602 diff -urNp linux-2.6.38.4/drivers/oprofile/buffer_sync.c linux-2.6.38.4/drivers/oprofile/buffer_sync.c
27603 --- linux-2.6.38.4/drivers/oprofile/buffer_sync.c 2011-03-14 21:20:32.000000000 -0400
27604 +++ linux-2.6.38.4/drivers/oprofile/buffer_sync.c 2011-04-17 15:57:32.000000000 -0400
27605 @@ -342,7 +342,7 @@ static void add_data(struct op_entry *en
27606 if (cookie == NO_COOKIE)
27608 if (cookie == INVALID_COOKIE) {
27609 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
27610 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
27613 if (cookie != last_cookie) {
27614 @@ -386,14 +386,14 @@ add_sample(struct mm_struct *mm, struct
27615 /* add userspace sample */
27618 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
27619 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
27623 cookie = lookup_dcookie(mm, s->eip, &offset);
27625 if (cookie == INVALID_COOKIE) {
27626 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
27627 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
27631 @@ -562,7 +562,7 @@ void sync_buffer(int cpu)
27632 /* ignore backtraces if failed to add a sample */
27633 if (state == sb_bt_start) {
27634 state = sb_bt_ignore;
27635 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
27636 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
27640 diff -urNp linux-2.6.38.4/drivers/oprofile/event_buffer.c linux-2.6.38.4/drivers/oprofile/event_buffer.c
27641 --- linux-2.6.38.4/drivers/oprofile/event_buffer.c 2011-03-14 21:20:32.000000000 -0400
27642 +++ linux-2.6.38.4/drivers/oprofile/event_buffer.c 2011-04-17 15:57:32.000000000 -0400
27643 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
27646 if (buffer_pos == buffer_size) {
27647 - atomic_inc(&oprofile_stats.event_lost_overflow);
27648 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
27652 diff -urNp linux-2.6.38.4/drivers/oprofile/oprof.c linux-2.6.38.4/drivers/oprofile/oprof.c
27653 --- linux-2.6.38.4/drivers/oprofile/oprof.c 2011-03-14 21:20:32.000000000 -0400
27654 +++ linux-2.6.38.4/drivers/oprofile/oprof.c 2011-04-17 15:57:32.000000000 -0400
27655 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
27656 if (oprofile_ops.switch_events())
27659 - atomic_inc(&oprofile_stats.multiplex_counter);
27660 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
27661 start_switch_worker();
27664 diff -urNp linux-2.6.38.4/drivers/oprofile/oprofilefs.c linux-2.6.38.4/drivers/oprofile/oprofilefs.c
27665 --- linux-2.6.38.4/drivers/oprofile/oprofilefs.c 2011-03-14 21:20:32.000000000 -0400
27666 +++ linux-2.6.38.4/drivers/oprofile/oprofilefs.c 2011-04-17 15:57:32.000000000 -0400
27667 @@ -186,7 +186,7 @@ static const struct file_operations atom
27670 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
27671 - char const *name, atomic_t *val)
27672 + char const *name, atomic_unchecked_t *val)
27674 return __oprofilefs_create_file(sb, root, name,
27675 &atomic_ro_fops, 0444, val);
27676 diff -urNp linux-2.6.38.4/drivers/oprofile/oprofile_stats.c linux-2.6.38.4/drivers/oprofile/oprofile_stats.c
27677 --- linux-2.6.38.4/drivers/oprofile/oprofile_stats.c 2011-03-14 21:20:32.000000000 -0400
27678 +++ linux-2.6.38.4/drivers/oprofile/oprofile_stats.c 2011-04-17 15:57:32.000000000 -0400
27679 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
27680 cpu_buf->sample_invalid_eip = 0;
27683 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
27684 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
27685 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
27686 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
27687 - atomic_set(&oprofile_stats.multiplex_counter, 0);
27688 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
27689 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
27690 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
27691 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
27692 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
27696 diff -urNp linux-2.6.38.4/drivers/oprofile/oprofile_stats.h linux-2.6.38.4/drivers/oprofile/oprofile_stats.h
27697 --- linux-2.6.38.4/drivers/oprofile/oprofile_stats.h 2011-03-14 21:20:32.000000000 -0400
27698 +++ linux-2.6.38.4/drivers/oprofile/oprofile_stats.h 2011-04-17 15:57:32.000000000 -0400
27699 @@ -13,11 +13,11 @@
27700 #include <asm/atomic.h>
27702 struct oprofile_stat_struct {
27703 - atomic_t sample_lost_no_mm;
27704 - atomic_t sample_lost_no_mapping;
27705 - atomic_t bt_lost_no_mapping;
27706 - atomic_t event_lost_overflow;
27707 - atomic_t multiplex_counter;
27708 + atomic_unchecked_t sample_lost_no_mm;
27709 + atomic_unchecked_t sample_lost_no_mapping;
27710 + atomic_unchecked_t bt_lost_no_mapping;
27711 + atomic_unchecked_t event_lost_overflow;
27712 + atomic_unchecked_t multiplex_counter;
27715 extern struct oprofile_stat_struct oprofile_stats;
27716 diff -urNp linux-2.6.38.4/drivers/parport/procfs.c linux-2.6.38.4/drivers/parport/procfs.c
27717 --- linux-2.6.38.4/drivers/parport/procfs.c 2011-03-14 21:20:32.000000000 -0400
27718 +++ linux-2.6.38.4/drivers/parport/procfs.c 2011-04-17 15:57:32.000000000 -0400
27719 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
27723 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
27724 + return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
27727 #ifdef CONFIG_PARPORT_1284
27728 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
27732 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
27733 + return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
27735 #endif /* IEEE1284.3 support. */
27737 diff -urNp linux-2.6.38.4/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.38.4/drivers/pci/hotplug/acpiphp_glue.c
27738 --- linux-2.6.38.4/drivers/pci/hotplug/acpiphp_glue.c 2011-04-18 17:27:16.000000000 -0400
27739 +++ linux-2.6.38.4/drivers/pci/hotplug/acpiphp_glue.c 2011-04-17 15:57:32.000000000 -0400
27740 @@ -110,7 +110,7 @@ static int post_dock_fixups(struct notif
27744 -static struct acpi_dock_ops acpiphp_dock_ops = {
27745 +static const struct acpi_dock_ops acpiphp_dock_ops = {
27746 .handler = handle_hotplug_event_func,
27749 diff -urNp linux-2.6.38.4/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.38.4/drivers/pci/hotplug/cpqphp_nvram.c
27750 --- linux-2.6.38.4/drivers/pci/hotplug/cpqphp_nvram.c 2011-03-14 21:20:32.000000000 -0400
27751 +++ linux-2.6.38.4/drivers/pci/hotplug/cpqphp_nvram.c 2011-04-17 15:57:32.000000000 -0400
27752 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
27754 void compaq_nvram_init (void __iomem *rom_start)
27757 +#ifndef CONFIG_PAX_KERNEXEC
27759 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
27763 dbg("int15 entry = %p\n", compaq_int15_entry_point);
27765 /* initialize our int15 lock */
27766 diff -urNp linux-2.6.38.4/drivers/pci/intel-iommu.c linux-2.6.38.4/drivers/pci/intel-iommu.c
27767 --- linux-2.6.38.4/drivers/pci/intel-iommu.c 2011-03-14 21:20:32.000000000 -0400
27768 +++ linux-2.6.38.4/drivers/pci/intel-iommu.c 2011-04-17 15:57:32.000000000 -0400
27769 @@ -2934,7 +2934,7 @@ static int intel_mapping_error(struct de
27773 -struct dma_map_ops intel_dma_ops = {
27774 +const struct dma_map_ops intel_dma_ops = {
27775 .alloc_coherent = intel_alloc_coherent,
27776 .free_coherent = intel_free_coherent,
27777 .map_sg = intel_map_sg,
27778 diff -urNp linux-2.6.38.4/drivers/pci/pcie/aspm.c linux-2.6.38.4/drivers/pci/pcie/aspm.c
27779 --- linux-2.6.38.4/drivers/pci/pcie/aspm.c 2011-04-18 17:27:18.000000000 -0400
27780 +++ linux-2.6.38.4/drivers/pci/pcie/aspm.c 2011-04-17 16:53:41.000000000 -0400
27782 #define MODULE_PARAM_PREFIX "pcie_aspm."
27784 /* Note: those are not register definitions */
27785 -#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
27786 -#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
27787 -#define ASPM_STATE_L1 (4) /* L1 state */
27788 +#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
27789 +#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
27790 +#define ASPM_STATE_L1 (4U) /* L1 state */
27791 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
27792 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
27794 diff -urNp linux-2.6.38.4/drivers/pci/pcie/portdrv_pci.c linux-2.6.38.4/drivers/pci/pcie/portdrv_pci.c
27795 --- linux-2.6.38.4/drivers/pci/pcie/portdrv_pci.c 2011-03-14 21:20:32.000000000 -0400
27796 +++ linux-2.6.38.4/drivers/pci/pcie/portdrv_pci.c 2011-04-17 15:57:32.000000000 -0400
27797 @@ -307,7 +307,7 @@ static void pcie_portdrv_err_resume(stru
27798 static const struct pci_device_id port_pci_ids[] = { {
27799 /* handle any PCI-Express port */
27800 PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
27801 - }, { /* end: all zeroes */ }
27802 + }, { 0, 0, 0, 0, 0, 0, 0 }
27804 MODULE_DEVICE_TABLE(pci, port_pci_ids);
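Review bot: The positional `{ 0, 0, 0, 0, 0, 0, 0 }` terminator is tied to struct pci_device_id having exactly seven fields and, unlike the line it replaces, no longer says what it is; the same form appears in the ti113x.h and yenta_socket.c hunks below. If the explicit zeros are wanted to keep the initializer warning-clean, retain the self-documenting comment that this hunk drops: `}, { 0, 0, 0, 0, 0, 0, 0 } /* end: all zeroes */`.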
27806 diff -urNp linux-2.6.38.4/drivers/pci/probe.c linux-2.6.38.4/drivers/pci/probe.c
27807 --- linux-2.6.38.4/drivers/pci/probe.c 2011-03-14 21:20:32.000000000 -0400
27808 +++ linux-2.6.38.4/drivers/pci/probe.c 2011-04-17 15:57:32.000000000 -0400
27809 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
27813 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
27814 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
27815 struct device_attribute *attr,
27818 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
27821 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
27822 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
27823 struct device_attribute *attr,
27826 @@ -165,7 +165,7 @@ int __pci_read_base(struct pci_dev *dev,
27830 - mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
27831 + mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
27833 if (!dev->mmio_always_on) {
27834 pci_read_config_word(dev, PCI_COMMAND, &orig_cmd);
27835 diff -urNp linux-2.6.38.4/drivers/pci/proc.c linux-2.6.38.4/drivers/pci/proc.c
27836 --- linux-2.6.38.4/drivers/pci/proc.c 2011-03-14 21:20:32.000000000 -0400
27837 +++ linux-2.6.38.4/drivers/pci/proc.c 2011-04-17 15:57:32.000000000 -0400
27838 @@ -476,7 +476,16 @@ static const struct file_operations proc
27839 static int __init pci_proc_init(void)
27841 struct pci_dev *dev = NULL;
27843 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
27844 +#ifdef CONFIG_GRKERNSEC_PROC_USER
27845 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
27846 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
27847 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
27850 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
27852 proc_create("devices", 0, proc_bus_pci_dir,
27853 &proc_bus_pci_dev_operations);
27854 proc_initialized = 1;
27855 diff -urNp linux-2.6.38.4/drivers/pcmcia/ti113x.h linux-2.6.38.4/drivers/pcmcia/ti113x.h
27856 --- linux-2.6.38.4/drivers/pcmcia/ti113x.h 2011-03-14 21:20:32.000000000 -0400
27857 +++ linux-2.6.38.4/drivers/pcmcia/ti113x.h 2011-04-17 15:57:32.000000000 -0400
27858 @@ -936,7 +936,7 @@ static struct pci_device_id ene_tune_tbl
27859 DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
27860 ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
27863 + { 0, 0, 0, 0, 0, 0, 0 }
27866 static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
27867 diff -urNp linux-2.6.38.4/drivers/pcmcia/yenta_socket.c linux-2.6.38.4/drivers/pcmcia/yenta_socket.c
27868 --- linux-2.6.38.4/drivers/pcmcia/yenta_socket.c 2011-03-14 21:20:32.000000000 -0400
27869 +++ linux-2.6.38.4/drivers/pcmcia/yenta_socket.c 2011-04-17 15:57:32.000000000 -0400
27870 @@ -1426,7 +1426,7 @@ static struct pci_device_id yenta_table[
27872 /* match any cardbus bridge */
27873 CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
27874 - { /* all zeroes */ }
27875 + { 0, 0, 0, 0, 0, 0, 0 }
27877 MODULE_DEVICE_TABLE(pci, yenta_table);
27879 diff -urNp linux-2.6.38.4/drivers/platform/x86/asus-laptop.c linux-2.6.38.4/drivers/platform/x86/asus-laptop.c
27880 --- linux-2.6.38.4/drivers/platform/x86/asus-laptop.c 2011-03-14 21:20:32.000000000 -0400
27881 +++ linux-2.6.38.4/drivers/platform/x86/asus-laptop.c 2011-04-17 15:57:32.000000000 -0400
27882 @@ -243,7 +243,6 @@ struct asus_laptop {
27883 struct asus_led gled;
27884 struct asus_led kled;
27885 struct workqueue_struct *led_workqueue;
27887 int wireless_status;
27890 diff -urNp linux-2.6.38.4/drivers/pnp/pnpbios/bioscalls.c linux-2.6.38.4/drivers/pnp/pnpbios/bioscalls.c
27891 --- linux-2.6.38.4/drivers/pnp/pnpbios/bioscalls.c 2011-03-14 21:20:32.000000000 -0400
27892 +++ linux-2.6.38.4/drivers/pnp/pnpbios/bioscalls.c 2011-04-17 15:57:32.000000000 -0400
27893 @@ -59,7 +59,7 @@ do { \
27894 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
27897 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
27898 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
27899 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
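Review bot: The descriptor type byte changes from 0x4092 to 0x4093 in the same line that adds `const`, and nothing in the hunk explains the functional change; the low bit of that byte is the segment "accessed" flag, so this presumably pre-sets it so the CPU never has to write the descriptor back into a GDT that the `pax_open_kernel()`/`pax_close_kernel()` pairs below treat as read-only. That reasoning should be on the line, e.g. `/* 0x93: accessed bit pre-set so the CPU never writes this descriptor */`, and confirmed against the KERNEXEC GDT handling, which is outside this hunk.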
27902 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
27905 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
27907 + pax_open_kernel();
27908 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
27909 + pax_close_kernel();
27911 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
27912 spin_lock_irqsave(&pnp_bios_lock, flags);
27913 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
27915 spin_unlock_irqrestore(&pnp_bios_lock, flags);
27917 + pax_open_kernel();
27918 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
27919 + pax_close_kernel();
27923 /* If we get here and this is set then the PnP BIOS faulted on us. */
27924 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
27928 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
27929 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
27933 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
27934 pnp_bios_callpoint.offset = header->fields.pm16offset;
27935 pnp_bios_callpoint.segment = PNP_CS16;
27937 + pax_open_kernel();
27939 for_each_possible_cpu(i) {
27940 struct desc_struct *gdt = get_cpu_gdt_table(i);
27942 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
27943 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
27944 (unsigned long)__va(header->fields.pm16dseg));
27947 + pax_close_kernel();
27949 diff -urNp linux-2.6.38.4/drivers/pnp/quirks.c linux-2.6.38.4/drivers/pnp/quirks.c
27950 --- linux-2.6.38.4/drivers/pnp/quirks.c 2011-03-14 21:20:32.000000000 -0400
27951 +++ linux-2.6.38.4/drivers/pnp/quirks.c 2011-04-17 15:57:32.000000000 -0400
27952 @@ -322,7 +322,7 @@ static struct pnp_fixup pnp_fixups[] = {
27953 /* PnP resources that might overlap PCI BARs */
27954 {"PNP0c01", quirk_system_pci_resources},
27955 {"PNP0c02", quirk_system_pci_resources},
27960 void pnp_fixup_device(struct pnp_dev *dev)
27961 diff -urNp linux-2.6.38.4/drivers/pnp/resource.c linux-2.6.38.4/drivers/pnp/resource.c
27962 --- linux-2.6.38.4/drivers/pnp/resource.c 2011-03-14 21:20:32.000000000 -0400
27963 +++ linux-2.6.38.4/drivers/pnp/resource.c 2011-04-17 15:57:32.000000000 -0400
27964 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
27967 /* check if the resource is valid */
27968 - if (*irq < 0 || *irq > 15)
27972 /* check if the resource is reserved */
27973 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
27976 /* check if the resource is valid */
27977 - if (*dma < 0 || *dma == 4 || *dma > 7)
27978 + if (*dma == 4 || *dma > 7)
27981 /* check if the resource is reserved */
27982 diff -urNp linux-2.6.38.4/drivers/rtc/rtc-dev.c linux-2.6.38.4/drivers/rtc/rtc-dev.c
27983 --- linux-2.6.38.4/drivers/rtc/rtc-dev.c 2011-03-14 21:20:32.000000000 -0400
27984 +++ linux-2.6.38.4/drivers/rtc/rtc-dev.c 2011-04-17 15:57:32.000000000 -0400
27986 #include <linux/module.h>
27987 #include <linux/rtc.h>
27988 #include <linux/sched.h>
27989 +#include <linux/grsecurity.h>
27990 #include "rtc-core.h"
27992 static dev_t rtc_devt;
27993 @@ -345,6 +346,8 @@ static long rtc_dev_ioctl(struct file *f
27994 if (copy_from_user(&tm, uarg, sizeof(tm)))
27997 + gr_log_timechange();
27999 return rtc_set_time(rtc, &tm);
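Review bot: `gr_log_timechange()` runs before `rtc_set_time(rtc, &tm)`, so an attempt that the RTC layer rejects (an invalid `tm`, or a driver error) is still recorded as a time change. If the intent is to audit the attempt rather than the outcome, say so: `/* log the attempt; rtc_set_time() may still reject tm */`; otherwise capture the return value and log only on success. Not every context line between the `copy_from_user` check and the call is visible here, so an intervening guard cannot be ruled out.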
28002 diff -urNp linux-2.6.38.4/drivers/s390/cio/qdio_debug.c linux-2.6.38.4/drivers/s390/cio/qdio_debug.c
28003 --- linux-2.6.38.4/drivers/s390/cio/qdio_debug.c 2011-03-14 21:20:32.000000000 -0400
28004 +++ linux-2.6.38.4/drivers/s390/cio/qdio_debug.c 2011-04-17 15:57:32.000000000 -0400
28005 @@ -225,7 +225,7 @@ static int qperf_seq_open(struct inode *
28006 filp->f_path.dentry->d_inode->i_private);
28009 -static struct file_operations debugfs_perf_fops = {
28010 +static const struct file_operations debugfs_perf_fops = {
28011 .owner = THIS_MODULE,
28012 .open = qperf_seq_open,
28014 diff -urNp linux-2.6.38.4/drivers/scsi/aic94xx/aic94xx_init.c linux-2.6.38.4/drivers/scsi/aic94xx/aic94xx_init.c
28015 --- linux-2.6.38.4/drivers/scsi/aic94xx/aic94xx_init.c 2011-03-14 21:20:32.000000000 -0400
28016 +++ linux-2.6.38.4/drivers/scsi/aic94xx/aic94xx_init.c 2011-04-17 15:57:32.000000000 -0400
28017 @@ -486,7 +486,7 @@ static ssize_t asd_show_update_bios(stru
28018 flash_error_table[i].reason);
28021 -static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUGO,
28022 +static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUSR,
28023 asd_show_update_bios, asd_store_update_bios);
28025 static int asd_create_dev_attrs(struct asd_ha_struct *asd_ha)
28026 diff -urNp linux-2.6.38.4/drivers/scsi/hpsa.c linux-2.6.38.4/drivers/scsi/hpsa.c
28027 --- linux-2.6.38.4/drivers/scsi/hpsa.c 2011-03-14 21:20:32.000000000 -0400
28028 +++ linux-2.6.38.4/drivers/scsi/hpsa.c 2011-04-17 15:57:32.000000000 -0400
28029 @@ -2281,6 +2281,8 @@ static int hpsa_ioctl32_passthru(struct
28033 + memset(&arg64, 0, sizeof(arg64));
28036 err |= copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
28037 sizeof(arg64.LUN_info));
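Review bot: The new `memset(&arg64, 0, sizeof(arg64))` carries no comment saying why it is needed, and the reason is security-relevant: if this stack struct is later copied back to userspace (the copy-out is outside the hunk, but that is the usual compat-passthru shape), padding and unfilled members would otherwise leak kernel stack bytes. I would annotate it: `/* zero arg64: it is copied back to userspace, do not leak stack contents */`. If hpsa has a sibling big-passthru compat handler built the same way it needs the same zeroing; that function is not in this chunk, so please check. hpsa_ioctl32_passthru continues outside the hunk.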
28038 diff -urNp linux-2.6.38.4/drivers/scsi/ipr.c linux-2.6.38.4/drivers/scsi/ipr.c
28039 --- linux-2.6.38.4/drivers/scsi/ipr.c 2011-03-14 21:20:32.000000000 -0400
28040 +++ linux-2.6.38.4/drivers/scsi/ipr.c 2011-04-17 15:57:32.000000000 -0400
28041 @@ -6207,7 +6207,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
28045 -static struct ata_port_operations ipr_sata_ops = {
28046 +static const struct ata_port_operations ipr_sata_ops = {
28047 .phy_reset = ipr_ata_phy_reset,
28048 .hardreset = ipr_sata_reset,
28049 .post_internal_cmd = ipr_ata_post_internal,
28050 diff -urNp linux-2.6.38.4/drivers/scsi/libfc/fc_exch.c linux-2.6.38.4/drivers/scsi/libfc/fc_exch.c
28051 --- linux-2.6.38.4/drivers/scsi/libfc/fc_exch.c 2011-03-14 21:20:32.000000000 -0400
28052 +++ linux-2.6.38.4/drivers/scsi/libfc/fc_exch.c 2011-04-17 15:57:32.000000000 -0400
28053 @@ -105,12 +105,12 @@ struct fc_exch_mgr {
28054 * all together if not used XXX
28057 - atomic_t no_free_exch;
28058 - atomic_t no_free_exch_xid;
28059 - atomic_t xid_not_found;
28060 - atomic_t xid_busy;
28061 - atomic_t seq_not_found;
28062 - atomic_t non_bls_resp;
28063 + atomic_unchecked_t no_free_exch;
28064 + atomic_unchecked_t no_free_exch_xid;
28065 + atomic_unchecked_t xid_not_found;
28066 + atomic_unchecked_t xid_busy;
28067 + atomic_unchecked_t seq_not_found;
28068 + atomic_unchecked_t non_bls_resp;
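Review bot: The switch of the six `stats` counters to `atomic_unchecked_t` has no comment saying why these fields are exempt from overflow checking, so whoever adds the next counter here will not know which type to choose. Every visible use of them in this file is an `atomic_inc`/`atomic_inc_unchecked` on an event statistic, so wrap-around is harmless and an overflow trap on them (presumably what checked atomics get under the PaX refcount protection this patch enables) could only be a false positive. A one-line comment above the block, `/* statistics only, never used as refcounts: overflow is benign, hence _unchecked */`, would record that. The enclosing struct fc_exch_mgr starts before the hunk.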
28072 @@ -687,7 +687,7 @@ static struct fc_exch *fc_exch_em_alloc(
28073 /* allocate memory for exchange */
28074 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
28076 - atomic_inc(&mp->stats.no_free_exch);
28077 + atomic_inc_unchecked(&mp->stats.no_free_exch);
28080 memset(ep, 0, sizeof(*ep));
28081 @@ -748,7 +748,7 @@ out:
28084 spin_unlock_bh(&pool->lock);
28085 - atomic_inc(&mp->stats.no_free_exch_xid);
28086 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
28087 mempool_free(ep, mp->ep_pool);
28090 @@ -893,7 +893,7 @@ static enum fc_pf_rjt_reason fc_seq_look
28091 xid = ntohs(fh->fh_ox_id); /* we originated exch */
28092 ep = fc_exch_find(mp, xid);
28094 - atomic_inc(&mp->stats.xid_not_found);
28095 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28096 reject = FC_RJT_OX_ID;
28099 @@ -923,7 +923,7 @@ static enum fc_pf_rjt_reason fc_seq_look
28100 ep = fc_exch_find(mp, xid);
28101 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
28103 - atomic_inc(&mp->stats.xid_busy);
28104 + atomic_inc_unchecked(&mp->stats.xid_busy);
28105 reject = FC_RJT_RX_ID;
28108 @@ -934,7 +934,7 @@ static enum fc_pf_rjt_reason fc_seq_look
28110 xid = ep->xid; /* get our XID */
28112 - atomic_inc(&mp->stats.xid_not_found);
28113 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28114 reject = FC_RJT_RX_ID; /* XID not found */
28117 @@ -951,7 +951,7 @@ static enum fc_pf_rjt_reason fc_seq_look
28120 if (sp->id != fh->fh_seq_id) {
28121 - atomic_inc(&mp->stats.seq_not_found);
28122 + atomic_inc_unchecked(&mp->stats.seq_not_found);
28123 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
28126 @@ -1368,22 +1368,22 @@ static void fc_exch_recv_seq_resp(struct
28128 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
28130 - atomic_inc(&mp->stats.xid_not_found);
28131 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28134 if (ep->esb_stat & ESB_ST_COMPLETE) {
28135 - atomic_inc(&mp->stats.xid_not_found);
28136 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28139 if (ep->rxid == FC_XID_UNKNOWN)
28140 ep->rxid = ntohs(fh->fh_rx_id);
28141 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
28142 - atomic_inc(&mp->stats.xid_not_found);
28143 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28146 if (ep->did != ntoh24(fh->fh_s_id) &&
28147 ep->did != FC_FID_FLOGI) {
28148 - atomic_inc(&mp->stats.xid_not_found);
28149 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28153 @@ -1392,7 +1392,7 @@ static void fc_exch_recv_seq_resp(struct
28154 sp->ssb_stat |= SSB_ST_RESP;
28155 sp->id = fh->fh_seq_id;
28156 } else if (sp->id != fh->fh_seq_id) {
28157 - atomic_inc(&mp->stats.seq_not_found);
28158 + atomic_inc_unchecked(&mp->stats.seq_not_found);
28162 @@ -1455,9 +1455,9 @@ static void fc_exch_recv_resp(struct fc_
28163 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
28166 - atomic_inc(&mp->stats.xid_not_found);
28167 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28169 - atomic_inc(&mp->stats.non_bls_resp);
28170 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
28174 diff -urNp linux-2.6.38.4/drivers/scsi/libsas/sas_ata.c linux-2.6.38.4/drivers/scsi/libsas/sas_ata.c
28175 --- linux-2.6.38.4/drivers/scsi/libsas/sas_ata.c 2011-03-14 21:20:32.000000000 -0400
28176 +++ linux-2.6.38.4/drivers/scsi/libsas/sas_ata.c 2011-04-17 15:57:32.000000000 -0400
28177 @@ -348,10 +348,10 @@ static int sas_ata_scr_read(struct ata_l
28181 -static struct ata_port_operations sas_sata_ops = {
28182 +static const struct ata_port_operations sas_sata_ops = {
28183 .phy_reset = sas_ata_phy_reset,
28184 .post_internal_cmd = sas_ata_post_internal,
28185 - .qc_defer = ata_std_qc_defer,
28186 + .qc_defer = ata_std_qc_defer,
28187 .qc_prep = ata_noop_qc_prep,
28188 .qc_issue = sas_ata_qc_issue,
28189 .qc_fill_rtf = sas_ata_qc_fill_rtf,
28190 diff -urNp linux-2.6.38.4/drivers/scsi/mpt2sas/mpt2sas_debug.h linux-2.6.38.4/drivers/scsi/mpt2sas/mpt2sas_debug.h
28191 --- linux-2.6.38.4/drivers/scsi/mpt2sas/mpt2sas_debug.h 2011-03-14 21:20:32.000000000 -0400
28192 +++ linux-2.6.38.4/drivers/scsi/mpt2sas/mpt2sas_debug.h 2011-04-17 15:57:32.000000000 -0400
28197 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
28198 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
28199 #endif /* CONFIG_SCSI_MPT2SAS_LOGGING */
28202 diff -urNp linux-2.6.38.4/drivers/scsi/qla2xxx/qla_os.c linux-2.6.38.4/drivers/scsi/qla2xxx/qla_os.c
28203 --- linux-2.6.38.4/drivers/scsi/qla2xxx/qla_os.c 2011-03-14 21:20:32.000000000 -0400
28204 +++ linux-2.6.38.4/drivers/scsi/qla2xxx/qla_os.c 2011-04-17 15:57:32.000000000 -0400
28205 @@ -4096,7 +4096,7 @@ static struct pci_driver qla2xxx_pci_dri
28206 .err_handler = &qla2xxx_err_handler,
28209 -static struct file_operations apidev_fops = {
28210 +static const struct file_operations apidev_fops = {
28211 .owner = THIS_MODULE,
28212 .llseek = noop_llseek,
28214 diff -urNp linux-2.6.38.4/drivers/scsi/scsi_logging.h linux-2.6.38.4/drivers/scsi/scsi_logging.h
28215 --- linux-2.6.38.4/drivers/scsi/scsi_logging.h 2011-03-14 21:20:32.000000000 -0400
28216 +++ linux-2.6.38.4/drivers/scsi/scsi_logging.h 2011-04-17 15:57:32.000000000 -0400
28217 @@ -51,7 +51,7 @@ do { \
28221 -#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
28222 +#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
28223 #endif /* CONFIG_SCSI_LOGGING */
28226 diff -urNp linux-2.6.38.4/drivers/scsi/scsi_transport_fc.c linux-2.6.38.4/drivers/scsi/scsi_transport_fc.c
28227 --- linux-2.6.38.4/drivers/scsi/scsi_transport_fc.c 2011-03-14 21:20:32.000000000 -0400
28228 +++ linux-2.6.38.4/drivers/scsi/scsi_transport_fc.c 2011-04-17 15:57:32.000000000 -0400
28229 @@ -836,7 +836,7 @@ static int fc_str_to_dev_loss(const char
28232 *val = simple_strtoul(buf, &cp, 0);
28233 - if ((*cp && (*cp != '\n')) || (*val < 0))
28234 + if (*cp && (*cp != '\n'))
28237 * Check for overflow; dev_loss_tmo is u32
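Review bot: Dropping `*val < 0` is right only because `*val` is unsigned and the test was always false, but the remaining validation still rests on `simple_strtoul`, which does not report out-of-range input and silently wraps, so the u32 check that follows can only catch values that fit in an unsigned long. `strict_strtoul(buf, 0, val)` rejects trailing garbage and overflow in one call and could replace the `*cp` test; in this kernel series it tolerates a single trailing newline, if I recall correctly, so the sysfs case should still work — worth confirming. fc_str_to_dev_loss continues outside the hunk.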
28238 diff -urNp linux-2.6.38.4/drivers/scsi/sg.c linux-2.6.38.4/drivers/scsi/sg.c
28239 --- linux-2.6.38.4/drivers/scsi/sg.c 2011-03-14 21:20:32.000000000 -0400
28240 +++ linux-2.6.38.4/drivers/scsi/sg.c 2011-04-17 15:57:32.000000000 -0400
28241 @@ -2310,7 +2310,7 @@ struct sg_proc_leaf {
28242 const struct file_operations * fops;
28245 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
28246 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
28247 {"allow_dio", &adio_fops},
28248 {"debug", &debug_fops},
28249 {"def_reserved_size", &dressz_fops},
28250 @@ -2325,7 +2325,7 @@ sg_proc_init(void)
28253 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
28254 - struct sg_proc_leaf * leaf;
28255 + const struct sg_proc_leaf * leaf;
28257 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
28259 diff -urNp linux-2.6.38.4/drivers/staging/autofs/root.c linux-2.6.38.4/drivers/staging/autofs/root.c
28260 --- linux-2.6.38.4/drivers/staging/autofs/root.c 2011-03-14 21:20:32.000000000 -0400
28261 +++ linux-2.6.38.4/drivers/staging/autofs/root.c 2011-04-17 15:57:32.000000000 -0400
28262 @@ -311,7 +311,8 @@ static int autofs_root_symlink(struct in
28263 set_bit(n,sbi->symlink_bitmap);
28264 sl = &sbi->symlink[n];
28265 sl->len = strlen(symname);
28266 - sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
28267 + slsize = sl->len+1;
28268 + sl->data = kmalloc(slsize, GFP_KERNEL);
28270 clear_bit(n,sbi->symlink_bitmap);
28272 diff -urNp linux-2.6.38.4/drivers/staging/bcm/Bcmchar.c linux-2.6.38.4/drivers/staging/bcm/Bcmchar.c
28273 --- linux-2.6.38.4/drivers/staging/bcm/Bcmchar.c 2011-03-14 21:20:32.000000000 -0400
28274 +++ linux-2.6.38.4/drivers/staging/bcm/Bcmchar.c 2011-04-17 15:57:32.000000000 -0400
28275 @@ -2093,7 +2093,7 @@ static long bcm_char_ioctl(struct file *
28279 -static struct file_operations bcm_fops = {
28280 +static const struct file_operations bcm_fops = {
28281 .owner = THIS_MODULE,
28282 .open = bcm_char_open,
28283 .release = bcm_char_release,
28284 diff -urNp linux-2.6.38.4/drivers/staging/brcm80211/brcmfmac/dhd_linux.c linux-2.6.38.4/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
28285 --- linux-2.6.38.4/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-03-14 21:20:32.000000000 -0400
28286 +++ linux-2.6.38.4/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-04-17 15:57:32.000000000 -0400
28287 @@ -863,14 +863,14 @@ static void dhd_op_if(dhd_if_t *ifp)
28288 free_netdev(ifp->net);
28290 /* Allocate etherdev, including space for private structure */
28291 - ifp->net = alloc_etherdev(sizeof(dhd));
28292 + ifp->net = alloc_etherdev(sizeof(*dhd));
28294 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
28298 strcpy(ifp->net->name, ifp->name);
28299 - memcpy(netdev_priv(ifp->net), &dhd, sizeof(dhd));
28300 + memcpy(netdev_priv(ifp->net), dhd, sizeof(*dhd));
28301 err = dhd_net_attach(&dhd->pub, ifp->idx);
28303 DHD_ERROR(("%s: dhd_net_attach failed, "
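Review bot: Changing `&dhd, sizeof(dhd)` to `dhd, sizeof(*dhd)` turns the netdev private area from a stored pointer into a by-value copy of dhd_info_t, yet the code keeps operating on the original object (`dhd_net_attach(&dhd->pub, ...)` on the next line), so the copy goes stale as soon as the original is modified. With the old `alloc_etherdev(sizeof(dhd))` a pointer-sized priv looked intentional; unless every reader of netdev_priv() in this driver was converted too (none appear in this chunk), keep the pointer and just make the size explicit: `ifp->net = alloc_etherdev(sizeof(dhd_info_t *));` and `memcpy(netdev_priv(ifp->net), &dhd, sizeof(dhd_info_t *));`. dhd_op_if continues outside the hunk.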
28304 @@ -1969,25 +1969,23 @@ dhd_pub_t *dhd_attach(struct osl_info *o
28305 strcpy(nv_path, nvram_path);
28307 /* Allocate etherdev, including space for private structure */
28308 - net = alloc_etherdev(sizeof(dhd));
28309 + net = alloc_etherdev(sizeof(*dhd));
28311 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
28315 /* Allocate primary dhd_info */
28316 - dhd = kmalloc(sizeof(dhd_info_t), GFP_ATOMIC);
28317 + dhd = kzalloc(sizeof(dhd_info_t), GFP_ATOMIC);
28319 DHD_ERROR(("%s: OOM - alloc dhd_info\n", __func__));
28323 - memset(dhd, 0, sizeof(dhd_info_t));
28326 * Save the dhd_info into the priv
28328 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
28329 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
28330 dhd->pub.osh = osh;
28332 /* Set network interface name if it was provided as module parameter */
28333 @@ -2105,7 +2103,7 @@ dhd_pub_t *dhd_attach(struct osl_info *o
28335 * Save the dhd_info into the priv
28337 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
28338 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
28340 #if defined(CUSTOMER_HW2) && defined(CONFIG_WIFI_CONTROL_FUNC)
28342 diff -urNp linux-2.6.38.4/drivers/staging/brcm80211/brcmfmac/wl_iw.c linux-2.6.38.4/drivers/staging/brcm80211/brcmfmac/wl_iw.c
28343 --- linux-2.6.38.4/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-03-14 21:20:32.000000000 -0400
28344 +++ linux-2.6.38.4/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-04-17 15:57:32.000000000 -0400
28345 @@ -513,7 +513,7 @@ wl_iw_get_range(struct net_device *dev,
28346 list = (wl_u32_list_t *) channels;
28348 dwrq->length = sizeof(struct iw_range);
28349 - memset(range, 0, sizeof(range));
28350 + memset(range, 0, sizeof(*range));
28352 range->min_nwid = range->max_nwid = 0;
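Review bot: The memset at line 28350 deserves a comment saying why the whole struct must be cleared, because the defect it fixes is easy to reintroduce: with `sizeof(range)` only pointer-sized bytes of the iw_range were zeroed, and `dwrq->length = sizeof(struct iw_range)` two lines above suggests the entire struct is handed back to userspace, which would have exposed uninitialised kernel memory. Something like `/* clear the whole iw_range: it is returned to userspace */` on the memset documents the invariant; whether the copy-out happens in this function is outside the hunk. wl_iw_get_range continues outside the hunk.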
28354 diff -urNp linux-2.6.38.4/drivers/staging/comedi/comedi_fops.c linux-2.6.38.4/drivers/staging/comedi/comedi_fops.c
28355 --- linux-2.6.38.4/drivers/staging/comedi/comedi_fops.c 2011-03-14 21:20:32.000000000 -0400
28356 +++ linux-2.6.38.4/drivers/staging/comedi/comedi_fops.c 2011-04-17 15:57:32.000000000 -0400
28357 @@ -1426,7 +1426,7 @@ static void comedi_unmap(struct vm_area_
28358 mutex_unlock(&dev->mutex);
28361 -static struct vm_operations_struct comedi_vm_ops = {
28362 +static const struct vm_operations_struct comedi_vm_ops = {
28363 .close = comedi_unmap,
28366 diff -urNp linux-2.6.38.4/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c linux-2.6.38.4/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c
28367 --- linux-2.6.38.4/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c 2011-03-14 21:20:32.000000000 -0400
28368 +++ linux-2.6.38.4/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c 2011-04-17 15:57:32.000000000 -0400
28369 @@ -55,7 +55,7 @@ int numofmsgbuf = 0;
28371 // Table of entry-point routines for char device
28373 -static struct file_operations ft1000fops =
28374 +static const struct file_operations ft1000fops =
28376 .unlocked_ioctl = ft1000_ioctl,
28377 .poll = ft1000_poll_dev,
28378 diff -urNp linux-2.6.38.4/drivers/staging/go7007/go7007-v4l2.c linux-2.6.38.4/drivers/staging/go7007/go7007-v4l2.c
28379 --- linux-2.6.38.4/drivers/staging/go7007/go7007-v4l2.c 2011-03-14 21:20:32.000000000 -0400
28380 +++ linux-2.6.38.4/drivers/staging/go7007/go7007-v4l2.c 2011-04-17 15:57:32.000000000 -0400
28381 @@ -1672,7 +1672,7 @@ static int go7007_vm_fault(struct vm_are
28385 -static struct vm_operations_struct go7007_vm_ops = {
28386 +static const struct vm_operations_struct go7007_vm_ops = {
28387 .open = go7007_vm_open,
28388 .close = go7007_vm_close,
28389 .fault = go7007_vm_fault,
28390 diff -urNp linux-2.6.38.4/drivers/staging/hv/hv.c linux-2.6.38.4/drivers/staging/hv/hv.c
28391 --- linux-2.6.38.4/drivers/staging/hv/hv.c 2011-03-14 21:20:32.000000000 -0400
28392 +++ linux-2.6.38.4/drivers/staging/hv/hv.c 2011-04-17 15:57:32.000000000 -0400
28393 @@ -163,7 +163,7 @@ static u64 do_hypercall(u64 control, voi
28394 u64 output_address = (output) ? virt_to_phys(output) : 0;
28395 u32 output_address_hi = output_address >> 32;
28396 u32 output_address_lo = output_address & 0xFFFFFFFF;
28397 - volatile void *hypercall_page = hv_context.hypercall_page;
28398 + volatile void *hypercall_page = ktva_ktla(hv_context.hypercall_page);
28400 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
28401 control, input, output);
28402 diff -urNp linux-2.6.38.4/drivers/staging/phison/phison.c linux-2.6.38.4/drivers/staging/phison/phison.c
28403 --- linux-2.6.38.4/drivers/staging/phison/phison.c 2011-03-14 21:20:32.000000000 -0400
28404 +++ linux-2.6.38.4/drivers/staging/phison/phison.c 2011-04-17 15:57:32.000000000 -0400
28405 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
28406 ATA_BMDMA_SHT(DRV_NAME),
28409 -static struct ata_port_operations phison_ops = {
28410 +static const struct ata_port_operations phison_ops = {
28411 .inherits = &ata_bmdma_port_ops,
28412 .prereset = phison_pre_reset,
28414 diff -urNp linux-2.6.38.4/drivers/staging/pohmelfs/inode.c linux-2.6.38.4/drivers/staging/pohmelfs/inode.c
28415 --- linux-2.6.38.4/drivers/staging/pohmelfs/inode.c 2011-03-14 21:20:32.000000000 -0400
28416 +++ linux-2.6.38.4/drivers/staging/pohmelfs/inode.c 2011-04-17 15:57:32.000000000 -0400
28417 @@ -1855,7 +1855,7 @@ static int pohmelfs_fill_super(struct su
28418 mutex_init(&psb->mcache_lock);
28419 psb->mcache_root = RB_ROOT;
28420 psb->mcache_timeout = msecs_to_jiffies(5000);
28421 - atomic_long_set(&psb->mcache_gen, 0);
28422 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
28424 psb->trans_max_pages = 100;
28426 diff -urNp linux-2.6.38.4/drivers/staging/pohmelfs/mcache.c linux-2.6.38.4/drivers/staging/pohmelfs/mcache.c
28427 --- linux-2.6.38.4/drivers/staging/pohmelfs/mcache.c 2011-03-14 21:20:32.000000000 -0400
28428 +++ linux-2.6.38.4/drivers/staging/pohmelfs/mcache.c 2011-04-17 15:57:32.000000000 -0400
28429 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
28433 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
28434 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
28436 mutex_lock(&psb->mcache_lock);
28437 err = pohmelfs_mcache_insert(psb, m);
28438 diff -urNp linux-2.6.38.4/drivers/staging/pohmelfs/netfs.h linux-2.6.38.4/drivers/staging/pohmelfs/netfs.h
28439 --- linux-2.6.38.4/drivers/staging/pohmelfs/netfs.h 2011-03-14 21:20:32.000000000 -0400
28440 +++ linux-2.6.38.4/drivers/staging/pohmelfs/netfs.h 2011-04-17 15:57:32.000000000 -0400
28441 @@ -571,7 +571,7 @@ struct pohmelfs_config;
28442 struct pohmelfs_sb {
28443 struct rb_root mcache_root;
28444 struct mutex mcache_lock;
28445 - atomic_long_t mcache_gen;
28446 + atomic_long_unchecked_t mcache_gen;
28447 unsigned long mcache_timeout;
28450 diff -urNp linux-2.6.38.4/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.38.4/drivers/staging/rtl8192u/ieee80211/proc.c
28451 --- linux-2.6.38.4/drivers/staging/rtl8192u/ieee80211/proc.c 2011-03-14 21:20:32.000000000 -0400
28452 +++ linux-2.6.38.4/drivers/staging/rtl8192u/ieee80211/proc.c 2011-04-17 15:57:32.000000000 -0400
28453 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
28454 return seq_open(file, &crypto_seq_ops);
28457 -static struct file_operations proc_crypto_ops = {
28458 +static const struct file_operations proc_crypto_ops = {
28459 .open = crypto_info_open,
28461 .llseek = seq_lseek,
28462 diff -urNp linux-2.6.38.4/drivers/staging/spectra/ffsport.c linux-2.6.38.4/drivers/staging/spectra/ffsport.c
28463 --- linux-2.6.38.4/drivers/staging/spectra/ffsport.c 2011-03-14 21:20:32.000000000 -0400
28464 +++ linux-2.6.38.4/drivers/staging/spectra/ffsport.c 2011-04-17 15:57:32.000000000 -0400
28465 @@ -604,7 +604,7 @@ int GLOB_SBD_unlocked_ioctl(struct block
28469 -static struct block_device_operations GLOB_SBD_ops = {
28470 +static const struct block_device_operations GLOB_SBD_ops = {
28471 .owner = THIS_MODULE,
28472 .open = GLOB_SBD_open,
28473 .release = GLOB_SBD_release,
28474 diff -urNp linux-2.6.38.4/drivers/staging/vme/devices/vme_user.c linux-2.6.38.4/drivers/staging/vme/devices/vme_user.c
28475 --- linux-2.6.38.4/drivers/staging/vme/devices/vme_user.c 2011-03-14 21:20:32.000000000 -0400
28476 +++ linux-2.6.38.4/drivers/staging/vme/devices/vme_user.c 2011-04-17 15:57:32.000000000 -0400
28477 @@ -138,7 +138,7 @@ static long vme_user_unlocked_ioctl(stru
28478 static int __devinit vme_user_probe(struct device *, int, int);
28479 static int __devexit vme_user_remove(struct device *, int, int);
28481 -static struct file_operations vme_user_fops = {
28482 +static const struct file_operations vme_user_fops = {
28483 .open = vme_user_open,
28484 .release = vme_user_release,
28485 .read = vme_user_read,
28486 diff -urNp linux-2.6.38.4/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c linux-2.6.38.4/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c
28487 --- linux-2.6.38.4/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-03-14 21:20:32.000000000 -0400
28488 +++ linux-2.6.38.4/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-04-17 15:57:32.000000000 -0400
28489 @@ -426,7 +426,7 @@ int cyasblkdev_revalidate_disk(struct ge
28492 /*standard block device driver interface */
28493 -static struct block_device_operations cyasblkdev_bdops = {
28494 +static const struct block_device_operations cyasblkdev_bdops = {
28495 .open = cyasblkdev_blk_open,
28496 .release = cyasblkdev_blk_release,
28497 .ioctl = cyasblkdev_blk_ioctl,
28498 diff -urNp linux-2.6.38.4/drivers/tty/hvc/hvc_console.h linux-2.6.38.4/drivers/tty/hvc/hvc_console.h
28499 --- linux-2.6.38.4/drivers/tty/hvc/hvc_console.h 2011-03-14 21:20:32.000000000 -0400
28500 +++ linux-2.6.38.4/drivers/tty/hvc/hvc_console.h 2011-04-17 15:57:32.000000000 -0400
28501 @@ -82,6 +82,7 @@ extern int hvc_instantiate(uint32_t vter
28502 /* register a vterm for hvc tty operation (module_init or hotplug add) */
28503 extern struct hvc_struct * hvc_alloc(uint32_t vtermno, int data,
28504 const struct hv_ops *ops, int outbuf_size);
28506 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
28507 extern int hvc_remove(struct hvc_struct *hp);
28509 diff -urNp linux-2.6.38.4/drivers/tty/hvc/hvcs.c linux-2.6.38.4/drivers/tty/hvc/hvcs.c
28510 --- linux-2.6.38.4/drivers/tty/hvc/hvcs.c 2011-03-14 21:20:32.000000000 -0400
28511 +++ linux-2.6.38.4/drivers/tty/hvc/hvcs.c 2011-04-17 15:57:32.000000000 -0400
28513 #include <asm/hvcserver.h>
28514 #include <asm/uaccess.h>
28515 #include <asm/vio.h>
28516 +#include <asm/local.h>
28519 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
28520 @@ -270,7 +271,7 @@ struct hvcs_struct {
28521 unsigned int index;
28523 struct tty_struct *tty;
28525 + local_t open_count;
28528 * Used to tell the driver kernel_thread what operations need to take
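Review bot: Every visible access to `open_count` in this patch is made under `hvcsd->lock`, so the `local_t` conversion adds no synchronisation and its purpose is not stated; local_ops are documented for data owned by a single CPU, and this is a per-device counter touched from any CPU, which is a surprising type to meet without a note. Presumably the intent is to keep a counter that legitimately goes negative (the close path checks for `< 0`) away from checked-atomic overflow detection; a comment on the field, `local_t open_count; /* protected by lock; local_t so it may go negative without tripping refcount checks */`, would make that explicit — please confirm the reason. The enclosing struct hvcs_struct starts before the hunk.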
28529 @@ -420,7 +421,7 @@ static ssize_t hvcs_vterm_state_store(st
28531 spin_lock_irqsave(&hvcsd->lock, flags);
28533 - if (hvcsd->open_count > 0) {
28534 + if (local_read(&hvcsd->open_count) > 0) {
28535 spin_unlock_irqrestore(&hvcsd->lock, flags);
28536 printk(KERN_INFO "HVCS: vterm state unchanged. "
28537 "The hvcs device node is still in use.\n");
28538 @@ -1136,7 +1137,7 @@ static int hvcs_open(struct tty_struct *
28539 if ((retval = hvcs_partner_connect(hvcsd)))
28540 goto error_release;
28542 - hvcsd->open_count = 1;
28543 + local_set(&hvcsd->open_count, 1);
28545 tty->driver_data = hvcsd;
28547 @@ -1170,7 +1171,7 @@ fast_open:
28549 spin_lock_irqsave(&hvcsd->lock, flags);
28550 kref_get(&hvcsd->kref);
28551 - hvcsd->open_count++;
28552 + local_inc(&hvcsd->open_count);
28553 hvcsd->todo_mask |= HVCS_SCHED_READ;
28554 spin_unlock_irqrestore(&hvcsd->lock, flags);
28556 @@ -1214,7 +1215,7 @@ static void hvcs_close(struct tty_struct
28557 hvcsd = tty->driver_data;
28559 spin_lock_irqsave(&hvcsd->lock, flags);
28560 - if (--hvcsd->open_count == 0) {
28561 + if (local_dec_and_test(&hvcsd->open_count)) {
28563 vio_disable_interrupts(hvcsd->vdev);
28565 @@ -1240,10 +1241,10 @@ static void hvcs_close(struct tty_struct
28566 free_irq(irq, hvcsd);
28567 kref_put(&hvcsd->kref, destroy_hvcs_struct);
28569 - } else if (hvcsd->open_count < 0) {
28570 + } else if (local_read(&hvcsd->open_count) < 0) {
28571 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
28572 " is missmanaged.\n",
28573 - hvcsd->vdev->unit_address, hvcsd->open_count);
28574 + hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
28577 spin_unlock_irqrestore(&hvcsd->lock, flags);
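Review bot: The printk at lines 28571–28574 still uses `%d`, but its argument is now `local_read(&hvcsd->open_count)`, which returns `long` (local_t wraps atomic_long_t), so the format no longer matches the argument; use `%ld`, i.e. `printk(KERN_ERR "HVCS: vty-server@%X open_count: %ld"`. On a 64-bit build a mismatched varargs slot is likely to be read at the wrong width, so the value shown in this error path is not guaranteed to be the real counter. hvcs_close continues outside the hunk.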
28578 @@ -1259,7 +1260,7 @@ static void hvcs_hangup(struct tty_struc
28580 spin_lock_irqsave(&hvcsd->lock, flags);
28581 /* Preserve this so that we know how many kref refs to put */
28582 - temp_open_count = hvcsd->open_count;
28583 + temp_open_count = local_read(&hvcsd->open_count);
28586 * Don't kref put inside the spinlock because the destruction
28587 @@ -1274,7 +1275,7 @@ static void hvcs_hangup(struct tty_struc
28588 hvcsd->tty->driver_data = NULL;
28591 - hvcsd->open_count = 0;
28592 + local_set(&hvcsd->open_count, 0);
28594 /* This will drop any buffered data on the floor which is OK in a hangup
28596 @@ -1345,7 +1346,7 @@ static int hvcs_write(struct tty_struct
28597 * the middle of a write operation? This is a crummy place to do this
28598 * but we want to keep it all in the spinlock.
28600 - if (hvcsd->open_count <= 0) {
28601 + if (local_read(&hvcsd->open_count) <= 0) {
28602 spin_unlock_irqrestore(&hvcsd->lock, flags);
28605 @@ -1419,7 +1420,7 @@ static int hvcs_write_room(struct tty_st
28607 struct hvcs_struct *hvcsd = tty->driver_data;
28609 - if (!hvcsd || hvcsd->open_count <= 0)
28610 + if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
28613 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
28614 diff -urNp linux-2.6.38.4/drivers/tty/hvc/hvc_xen.c linux-2.6.38.4/drivers/tty/hvc/hvc_xen.c
28615 --- linux-2.6.38.4/drivers/tty/hvc/hvc_xen.c 2011-03-14 21:20:32.000000000 -0400
28616 +++ linux-2.6.38.4/drivers/tty/hvc/hvc_xen.c 2011-04-17 15:57:32.000000000 -0400
28617 @@ -123,7 +123,7 @@ static int domU_read_console(uint32_t vt
28621 -static struct hv_ops domU_hvc_ops = {
28622 +static const struct hv_ops domU_hvc_ops = {
28623 .get_chars = domU_read_console,
28624 .put_chars = domU_write_console,
28625 .notifier_add = notifier_add_irq,
28626 @@ -149,7 +149,7 @@ static int dom0_write_console(uint32_t v
28630 -static struct hv_ops dom0_hvc_ops = {
28631 +static const struct hv_ops dom0_hvc_ops = {
28632 .get_chars = dom0_read_console,
28633 .put_chars = dom0_write_console,
28634 .notifier_add = notifier_add_irq,
28635 @@ -160,7 +160,7 @@ static struct hv_ops dom0_hvc_ops = {
28636 static int __init xen_hvc_init(void)
28638 struct hvc_struct *hp;
28639 - struct hv_ops *ops;
28640 + const struct hv_ops *ops;
28642 if (!xen_pv_domain())
28644 @@ -203,7 +203,7 @@ static void __exit xen_hvc_fini(void)
28646 static int xen_cons_init(void)
28648 - struct hv_ops *ops;
28649 + const struct hv_ops *ops;
28651 if (!xen_pv_domain())
28653 diff -urNp linux-2.6.38.4/drivers/tty/n_gsm.c linux-2.6.38.4/drivers/tty/n_gsm.c
28654 --- linux-2.6.38.4/drivers/tty/n_gsm.c 2011-03-14 21:20:32.000000000 -0400
28655 +++ linux-2.6.38.4/drivers/tty/n_gsm.c 2011-04-17 15:57:32.000000000 -0400
28656 @@ -1589,7 +1589,7 @@ static struct gsm_dlci *gsm_dlci_alloc(s
28658 spin_lock_init(&dlci->lock);
28659 dlci->fifo = &dlci->_fifo;
28660 - if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
28661 + if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
28665 diff -urNp linux-2.6.38.4/drivers/tty/n_tty.c linux-2.6.38.4/drivers/tty/n_tty.c
28666 --- linux-2.6.38.4/drivers/tty/n_tty.c 2011-03-14 21:20:32.000000000 -0400
28667 +++ linux-2.6.38.4/drivers/tty/n_tty.c 2011-04-17 15:57:32.000000000 -0400
28668 @@ -2116,6 +2116,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
28670 *ops = tty_ldisc_N_TTY;
28672 - ops->refcount = ops->flags = 0;
28673 + atomic_set(&ops->refcount, 0);
28676 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
28677 diff -urNp linux-2.6.38.4/drivers/tty/pty.c linux-2.6.38.4/drivers/tty/pty.c
28678 --- linux-2.6.38.4/drivers/tty/pty.c 2011-03-14 21:20:32.000000000 -0400
28679 +++ linux-2.6.38.4/drivers/tty/pty.c 2011-04-17 15:57:32.000000000 -0400
28680 @@ -700,7 +700,18 @@ out:
28684 -static struct file_operations ptmx_fops;
28685 +static const struct file_operations ptmx_fops = {
28686 + .llseek = no_llseek,
28687 + .read = tty_read,
28688 + .write = tty_write,
28689 + .poll = tty_poll,
28690 + .unlocked_ioctl = tty_ioctl,
28691 + .compat_ioctl = tty_compat_ioctl,
28692 + .open = ptmx_open,
28693 + .release = tty_release,
28694 + .fasync = tty_fasync,
28698 static void __init unix98_pty_init(void)
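Review bot: The new const `ptmx_fops` initializer hand-copies the members that the removed `tty_default_fops()` call used to fetch from `tty_fops` at init time, so any member later added to tty_fops in tty_io.c will silently not reach /dev/ptmx; the definition should say so: `/* must mirror tty_fops in tty_io.c except .open; const so the table lives in .rodata */`. `.compat_ioctl = tty_compat_ioctl` also assumes the symbol is declared, and is a usable NULL on !CONFIG_COMPAT, via a shared header that is not in this chunk — worth checking a non-COMPAT build. Making the table const is the right direction, since a writable fops table is a classic function-pointer overwrite target.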
28700 @@ -753,10 +764,6 @@ static void __init unix98_pty_init(void)
28702 register_sysctl_table(pty_root_table);
28704 - /* Now create the /dev/ptmx special device */
28705 - tty_default_fops(&ptmx_fops);
28706 - ptmx_fops.open = ptmx_open;
28708 cdev_init(&ptmx_cdev, &ptmx_fops);
28709 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
28710 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
28711 diff -urNp linux-2.6.38.4/drivers/tty/serial/8250_pci.c linux-2.6.38.4/drivers/tty/serial/8250_pci.c
28712 --- linux-2.6.38.4/drivers/tty/serial/8250_pci.c 2011-03-14 21:20:32.000000000 -0400
28713 +++ linux-2.6.38.4/drivers/tty/serial/8250_pci.c 2011-04-17 15:57:32.000000000 -0400
28714 @@ -3818,7 +3818,7 @@ static struct pci_device_id serial_pci_t
28715 PCI_ANY_ID, PCI_ANY_ID,
28716 PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
28717 0xffff00, pbn_default },
28719 + { 0, 0, 0, 0, 0, 0, 0 }
28722 static struct pci_driver serial_pci_driver = {
28723 diff -urNp linux-2.6.38.4/drivers/tty/serial/kgdboc.c linux-2.6.38.4/drivers/tty/serial/kgdboc.c
28724 --- linux-2.6.38.4/drivers/tty/serial/kgdboc.c 2011-03-14 21:20:32.000000000 -0400
28725 +++ linux-2.6.38.4/drivers/tty/serial/kgdboc.c 2011-04-17 15:57:32.000000000 -0400
28728 #define MAX_CONFIG_LEN 40
28730 -static struct kgdb_io kgdboc_io_ops;
28731 +static struct kgdb_io kgdboc_io_ops; /* cannot be const, see configure_kgdboc() */
28733 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
28734 static int configured = -1;
28735 @@ -293,7 +293,7 @@ static void kgdboc_post_exp_handler(void
28736 kgdboc_restore_input();
28739 -static struct kgdb_io kgdboc_io_ops = {
28740 +static struct kgdb_io kgdboc_io_ops = { /* cannot be const, see configure_kgdboc() */
28742 .read_char = kgdboc_get_char,
28743 .write_char = kgdboc_put_char,
28744 diff -urNp linux-2.6.38.4/drivers/tty/tty_io.c linux-2.6.38.4/drivers/tty/tty_io.c
28745 --- linux-2.6.38.4/drivers/tty/tty_io.c 2011-03-14 21:20:32.000000000 -0400
28746 +++ linux-2.6.38.4/drivers/tty/tty_io.c 2011-04-17 15:57:32.000000000 -0400
28747 @@ -140,21 +140,11 @@ EXPORT_SYMBOL(tty_mutex);
28748 /* Spinlock to protect the tty->tty_files list */
28749 DEFINE_SPINLOCK(tty_files_lock);
28751 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
28752 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
28753 ssize_t redirected_tty_write(struct file *, const char __user *,
28755 -static unsigned int tty_poll(struct file *, poll_table *);
28756 static int tty_open(struct inode *, struct file *);
28757 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
28758 -#ifdef CONFIG_COMPAT
28759 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
28760 - unsigned long arg);
28762 -#define tty_compat_ioctl NULL
28764 static int __tty_fasync(int fd, struct file *filp, int on);
28765 -static int tty_fasync(int fd, struct file *filp, int on);
28766 static void release_tty(struct tty_struct *tty, int idx);
28767 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
28768 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
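Review bot: Removing the `#define tty_compat_ioctl NULL` fallback together with the CONFIG_COMPAT-guarded prototype means a !CONFIG_COMPAT build now depends on some other header providing `tty_compat_ioctl` wherever `.compat_ioctl = tty_compat_ioctl` is still written (tty_fops later in this file, ptmx_fops in pty.c); that header is not in this chunk, so please confirm both configurations compile and link. A one-line comment at the surviving `tty_ioctl` prototype naming the header that now owns these declarations would help the next reader. The declaration block continues outside the hunk.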
28769 @@ -938,7 +928,7 @@ EXPORT_SYMBOL(start_tty);
28770 * read calls may be outstanding in parallel.
28773 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
28774 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
28778 @@ -964,6 +954,8 @@ static ssize_t tty_read(struct file *fil
28782 +EXPORT_SYMBOL(tty_read);
28784 void tty_write_unlock(struct tty_struct *tty)
28786 mutex_unlock(&tty->atomic_write_lock);
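Review bot: `EXPORT_SYMBOL(tty_read)` exposes a core tty entry point to every module, including out-of-tree ones, although the only new user visible in this patch is pty.c, which is built-in alongside tty_io.c and needs only a non-static definition plus a header declaration. If an export is required at all, `EXPORT_SYMBOL_GPL(tty_read)` keeps the module-facing surface consistent with `EXPORT_SYMBOL_GPL(get_current_tty)` further down in this file; the same consideration applies to the tty_write/tty_poll/tty_fasync/tty_ioctl exports added later. The body of tty_read is above the hunk.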
28787 @@ -1113,7 +1105,7 @@ void tty_write_message(struct tty_struct
28788 * write method will not be invoked in parallel for each device.
28791 -static ssize_t tty_write(struct file *file, const char __user *buf,
28792 +ssize_t tty_write(struct file *file, const char __user *buf,
28793 size_t count, loff_t *ppos)
28795 struct inode *inode = file->f_path.dentry->d_inode;
28796 @@ -1139,6 +1131,8 @@ static ssize_t tty_write(struct file *fi
28800 +EXPORT_SYMBOL(tty_write);
28802 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
28803 size_t count, loff_t *ppos)
28805 @@ -1778,6 +1772,8 @@ int tty_release(struct inode *inode, str
28809 +EXPORT_SYMBOL(tty_release);
28812 * tty_open - open a tty device
28813 * @inode: inode of device file
28814 @@ -1969,7 +1965,7 @@ got_driver:
28815 * may be re-entered freely by other callers.
28818 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
28819 +unsigned int tty_poll(struct file *filp, poll_table *wait)
28821 struct tty_struct *tty = file_tty(filp);
28822 struct tty_ldisc *ld;
28823 @@ -1985,6 +1981,8 @@ static unsigned int tty_poll(struct file
28827 +EXPORT_SYMBOL(tty_poll);
28829 static int __tty_fasync(int fd, struct file *filp, int on)
28831 struct tty_struct *tty = file_tty(filp);
28832 @@ -2026,7 +2024,7 @@ out:
28836 -static int tty_fasync(int fd, struct file *filp, int on)
28837 +int tty_fasync(int fd, struct file *filp, int on)
28841 @@ -2035,6 +2033,8 @@ static int tty_fasync(int fd, struct fil
28845 +EXPORT_SYMBOL(tty_fasync);
28848 * tiocsti - fake input character
28849 * @tty: tty to fake input into
28850 @@ -2692,8 +2692,10 @@ long tty_ioctl(struct file *file, unsign
28854 +EXPORT_SYMBOL(tty_ioctl);
28856 #ifdef CONFIG_COMPAT
28857 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
28858 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
28861 struct inode *inode = file->f_dentry->d_inode;
28862 @@ -2717,6 +2719,9 @@ static long tty_compat_ioctl(struct file
28867 +EXPORT_SYMBOL(tty_compat_ioctl);
28872 @@ -3195,11 +3200,6 @@ struct tty_struct *get_current_tty(void)
28874 EXPORT_SYMBOL_GPL(get_current_tty);
28876 -void tty_default_fops(struct file_operations *fops)
28878 - *fops = tty_fops;
28882 * Initialize the console device. This is called *early*, so
28883 * we can't necessarily depend on lots of kernel help here.
28884 diff -urNp linux-2.6.38.4/drivers/tty/tty_ldisc.c linux-2.6.38.4/drivers/tty/tty_ldisc.c
28885 --- linux-2.6.38.4/drivers/tty/tty_ldisc.c 2011-03-14 21:20:32.000000000 -0400
28886 +++ linux-2.6.38.4/drivers/tty/tty_ldisc.c 2011-04-17 15:57:32.000000000 -0400
28887 @@ -76,7 +76,7 @@ static void put_ldisc(struct tty_ldisc *
28888 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
28889 struct tty_ldisc_ops *ldo = ld->ops;
28892 + atomic_dec(&ldo->refcount);
28893 module_put(ldo->owner);
28894 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
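Review bot: `refcount` is now driven through atomic_dec here, yet every access in these hunks still runs with tty_ldisc_lock held (the spin_lock_irqsave/spin_unlock_irqrestore pairs around atomic_set, atomic_read, atomic_inc and atomic_dec), so the atomic operations add no synchronization by themselves and the lock remains what makes the read-then-clear in tty_unregister_ldisc safe. That is acceptable if the change is only meant to route the counter through the checked atomic helpers, but a comment on the field or in tty_unregister_ldisc, e.g. `/* atomic_t only for the overflow-checked helpers; tty_ldisc_lock still serializes refcount against tty_ldiscs[] */`, would stop a later cleanup from dropping the lock on the strength of the atomics. The same applies to the tty_register_ldisc, tty_unregister_ldisc, get_ldops and put_ldops hunks below; the header change that alters the field's type is not in this diff, and put_ldisc starts outside the hunk.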
28896 @@ -111,7 +111,7 @@ int tty_register_ldisc(int disc, struct
28897 spin_lock_irqsave(&tty_ldisc_lock, flags);
28898 tty_ldiscs[disc] = new_ldisc;
28899 new_ldisc->num = disc;
28900 - new_ldisc->refcount = 0;
28901 + atomic_set(&new_ldisc->refcount, 0);
28902 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
28905 @@ -139,7 +139,7 @@ int tty_unregister_ldisc(int disc)
28908 spin_lock_irqsave(&tty_ldisc_lock, flags);
28909 - if (tty_ldiscs[disc]->refcount)
28910 + if (atomic_read(&tty_ldiscs[disc]->refcount))
28913 tty_ldiscs[disc] = NULL;
28914 @@ -160,7 +160,7 @@ static struct tty_ldisc_ops *get_ldops(i
28916 ret = ERR_PTR(-EAGAIN);
28917 if (try_module_get(ldops->owner)) {
28918 - ldops->refcount++;
28919 + atomic_inc(&ldops->refcount);
28923 @@ -173,7 +173,7 @@ static void put_ldops(struct tty_ldisc_o
28924 unsigned long flags;
28926 spin_lock_irqsave(&tty_ldisc_lock, flags);
28927 - ldops->refcount--;
28928 + atomic_dec(&ldops->refcount);
28929 module_put(ldops->owner);
28930 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
28932 diff -urNp linux-2.6.38.4/drivers/tty/vt/keyboard.c linux-2.6.38.4/drivers/tty/vt/keyboard.c
28933 --- linux-2.6.38.4/drivers/tty/vt/keyboard.c 2011-03-14 21:20:32.000000000 -0400
28934 +++ linux-2.6.38.4/drivers/tty/vt/keyboard.c 2011-04-17 15:57:32.000000000 -0400
28935 @@ -657,6 +657,16 @@ static void k_spec(struct vc_data *vc, u
28936 kbd->kbdmode == VC_MEDIUMRAW) &&
28937 value != KVAL(K_SAK))
28938 return; /* SAK is allowed even in raw mode */
28940 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
28942 + void *func = fn_handler[value];
28943 + if (func == fn_show_state || func == fn_show_ptregs ||
28944 + func == fn_show_mem)
28949 fn_handler[value](vc);
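Review bot: The new `#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)` block in k_spec does not say why fn_show_state, fn_show_ptregs and fn_show_mem are the three handlers singled out, and the lines that act on the match (gutter 28945–28948) are not shown here, so I am inferring that it returns before `fn_handler[value](vc)`. A one-line comment such as `/* these handlers dump kernel state to the console; skipped when /proc restrictions are enabled */` would tie the deny-list to the two config options it is gated on. `void *func` is then compared with function pointers, which relies on a GCC extension; if fn_handler is an array of `void (*)(struct vc_data *)` (its declaration is outside the hunk), declaring `func` with that type avoids the object/function pointer comparison. k_spec begins before the hunk.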
28952 @@ -1413,7 +1423,7 @@ static const struct input_device_id kbd_
28953 .evbit = { BIT_MASK(EV_SND) },
28956 - { }, /* Terminating entry */
28957 + { 0 }, /* Terminating entry */
28960 MODULE_DEVICE_TABLE(input, kbd_ids);
28961 diff -urNp linux-2.6.38.4/drivers/tty/vt/vt.c linux-2.6.38.4/drivers/tty/vt/vt.c
28962 --- linux-2.6.38.4/drivers/tty/vt/vt.c 2011-03-14 21:20:32.000000000 -0400
28963 +++ linux-2.6.38.4/drivers/tty/vt/vt.c 2011-04-17 15:57:32.000000000 -0400
28964 @@ -262,7 +262,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
28966 static void notify_write(struct vc_data *vc, unsigned int unicode)
28968 - struct vt_notifier_param param = { .vc = vc, unicode = unicode };
28969 + struct vt_notifier_param param = { .vc = vc, .c = unicode };
28970 atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, ¶m);
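Review bot: The old initializer `{ .vc = vc, unicode = unicode }` compiled silently because `unicode = unicode` is an assignment expression whose value positionally initialized whichever member follows `vc`, so the `.c = unicode` fix is right but the reason for it is invisible to a later reader. A short comment on the line, `/* designated: the old 'unicode = unicode' was an assignment, not a designator */`, would keep the same slip from being reintroduced. notify_write's closing lines are outside the hunk.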
28973 diff -urNp linux-2.6.38.4/drivers/tty/vt/vt_ioctl.c linux-2.6.38.4/drivers/tty/vt/vt_ioctl.c
28974 --- linux-2.6.38.4/drivers/tty/vt/vt_ioctl.c 2011-03-14 21:20:32.000000000 -0400
28975 +++ linux-2.6.38.4/drivers/tty/vt/vt_ioctl.c 2011-04-17 15:57:32.000000000 -0400
28976 @@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
28977 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
28980 - if (!capable(CAP_SYS_TTY_CONFIG))
28985 key_map = key_maps[s];
28986 @@ -224,6 +221,9 @@ do_kdsk_ioctl(int cmd, struct kbentry __
28987 val = (i ? K_HOLE : K_NOSUCHMAP);
28988 return put_user(val, &user_kbe->kb_value);
28990 + if (!capable(CAP_SYS_TTY_CONFIG))
28995 if (!i && v == K_NOSUCHMAP) {
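Review bot: Moving `if (!capable(CAP_SYS_TTY_CONFIG))` from the top of do_kdsk_ioctl to after the KDGKBENT `put_user` return means the read-only path no longer consults capable() at all, which is a behaviour change (including for any capability audit logging) rather than a layout change; the line that follows the moved check (gutter 28991, presumably `perm = 0;`) is not visible here, so please confirm it moved together with the check and still precedes every write case in the switch. A comment next to the moved check, `/* only the set path needs CAP_SYS_TTY_CONFIG; do not consult it for reads */`, would record the intent. The preceding hunk is the removal half of this move, and the two do_kdgkb_ioctl hunks below make the same change for KDGKBSENT/KDSKBSENT. Both functions start and end outside the hunks.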
28996 @@ -325,9 +325,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
29000 - if (!capable(CAP_SYS_TTY_CONFIG))
29003 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
29006 @@ -361,6 +358,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
29008 return ((p && *p) ? -EOVERFLOW : 0);
29010 + if (!capable(CAP_SYS_TTY_CONFIG))
29016 diff -urNp linux-2.6.38.4/drivers/uio/uio.c linux-2.6.38.4/drivers/uio/uio.c
29017 --- linux-2.6.38.4/drivers/uio/uio.c 2011-03-14 21:20:32.000000000 -0400
29018 +++ linux-2.6.38.4/drivers/uio/uio.c 2011-04-17 15:57:32.000000000 -0400
29020 #include <linux/kobject.h>
29021 #include <linux/cdev.h>
29022 #include <linux/uio_driver.h>
29023 +#include <asm/local.h>
29025 #define UIO_MAX_DEVICES (1U << MINORBITS)
29027 @@ -35,7 +36,7 @@ struct uio_device {
29029 struct fasync_struct *async_queue;
29030 wait_queue_head_t wait;
29032 + local_t vma_count;
29033 struct uio_info *info;
29034 struct kobject *map_dir;
29035 struct kobject *portio_dir;
29036 @@ -602,13 +603,13 @@ static int uio_find_mem_index(struct vm_
29037 static void uio_vma_open(struct vm_area_struct *vma)
29039 struct uio_device *idev = vma->vm_private_data;
29040 - idev->vma_count++;
29041 + local_inc(&idev->vma_count);
29044 static void uio_vma_close(struct vm_area_struct *vma)
29046 struct uio_device *idev = vma->vm_private_data;
29047 - idev->vma_count--;
29048 + local_dec(&idev->vma_count);
29051 static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
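Review bot: `local_inc`/`local_dec` on `idev->vma_count` assume a per-CPU variable, since `local_t` is only guaranteed atomic against interrupts on the CPU that owns it, whereas `vma_count` is a per-device counter updated from whichever CPU happens to run uio_vma_open or uio_vma_close; two processes mapping the same uio device concurrently can therefore still lose an update unless something outside these hunks serializes them. If the goal is an overflow-unchecked counter, `atomic_t` with the unchecked helpers this patch uses elsewhere matches the cross-CPU usage; if a lock does serialize these paths, a comment on the field naming that lock would justify keeping local_t. The struct hunk above is the one that changes the field type, and the `-` line it replaces is not shown.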
29052 diff -urNp linux-2.6.38.4/drivers/usb/atm/cxacru.c linux-2.6.38.4/drivers/usb/atm/cxacru.c
29053 --- linux-2.6.38.4/drivers/usb/atm/cxacru.c 2011-03-14 21:20:32.000000000 -0400
29054 +++ linux-2.6.38.4/drivers/usb/atm/cxacru.c 2011-04-17 15:57:32.000000000 -0400
29055 @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_c
29056 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
29059 - if (index < 0 || index > 0x7f)
29060 + if (index > 0x7f)
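Review bot: Dropping `index < 0` is only correct if `index` is declared unsigned, and that declaration is outside this hunk; the `%x` conversion in the sscanf on the line above requires an `unsigned int *` destination, which is presumably why the check was dead, but the hunk does not show it. If `index` were still `int`, the new `if (index > 0x7f)` would admit negative values the old check rejected, so please confirm the declaration (or change it to `unsigned int` in the same hunk so the two stay together). The fbcmap.c and fbmem.c hunks below remove the same kind of `< 0` test on `cmap->start` and `con2fb.framebuffer`; those depend on the corresponding struct fields being unsigned, which is likewise not visible in this diff. cxacru_sysfs_store_adsl_config continues outside the hunk.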
29064 diff -urNp linux-2.6.38.4/drivers/usb/atm/usbatm.c linux-2.6.38.4/drivers/usb/atm/usbatm.c
29065 --- linux-2.6.38.4/drivers/usb/atm/usbatm.c 2011-03-14 21:20:32.000000000 -0400
29066 +++ linux-2.6.38.4/drivers/usb/atm/usbatm.c 2011-04-17 15:57:32.000000000 -0400
29067 @@ -332,7 +332,7 @@ static void usbatm_extract_one_cell(stru
29068 if (printk_ratelimit())
29069 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
29070 __func__, vpi, vci);
29071 - atomic_inc(&vcc->stats->rx_err);
29072 + atomic_inc_unchecked(&vcc->stats->rx_err);
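Review bot: The switch to `atomic_inc_unchecked` on `vcc->stats->rx_err` (and on rx_drop, rx and tx in the later usbatm.c hunks, plus `atomic_read_unchecked` in usbatm_atm_proc_read) is not explained in any of the hunks; a comment at the first use, `/* ATM stats are plain event counters that may wrap, not reference counts: use the unchecked atomics */`, would tell a maintainer why these sites are exempt from the checked variants and, by contrast, which counters must stay checked. The type change on the stats fields that makes the `_unchecked` accessors the required ones is presumably in a header outside this diff. usbatm_extract_one_cell starts and ends outside the hunk.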
29076 @@ -360,7 +360,7 @@ static void usbatm_extract_one_cell(stru
29077 if (length > ATM_MAX_AAL5_PDU) {
29078 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
29079 __func__, length, vcc);
29080 - atomic_inc(&vcc->stats->rx_err);
29081 + atomic_inc_unchecked(&vcc->stats->rx_err);
29085 @@ -369,14 +369,14 @@ static void usbatm_extract_one_cell(stru
29086 if (sarb->len < pdu_length) {
29087 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
29088 __func__, pdu_length, sarb->len, vcc);
29089 - atomic_inc(&vcc->stats->rx_err);
29090 + atomic_inc_unchecked(&vcc->stats->rx_err);
29094 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
29095 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
29097 - atomic_inc(&vcc->stats->rx_err);
29098 + atomic_inc_unchecked(&vcc->stats->rx_err);
29102 @@ -386,7 +386,7 @@ static void usbatm_extract_one_cell(stru
29103 if (printk_ratelimit())
29104 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
29106 - atomic_inc(&vcc->stats->rx_drop);
29107 + atomic_inc_unchecked(&vcc->stats->rx_drop);
29111 @@ -411,7 +411,7 @@ static void usbatm_extract_one_cell(stru
29113 vcc->push(vcc, skb);
29115 - atomic_inc(&vcc->stats->rx);
29116 + atomic_inc_unchecked(&vcc->stats->rx);
29120 @@ -614,7 +614,7 @@ static void usbatm_tx_process(unsigned l
29121 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
29123 usbatm_pop(vcc, skb);
29124 - atomic_inc(&vcc->stats->tx);
29125 + atomic_inc_unchecked(&vcc->stats->tx);
29127 skb = skb_dequeue(&instance->sndqueue);
29129 @@ -773,11 +773,11 @@ static int usbatm_atm_proc_read(struct a
29131 return sprintf(page,
29132 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
29133 - atomic_read(&atm_dev->stats.aal5.tx),
29134 - atomic_read(&atm_dev->stats.aal5.tx_err),
29135 - atomic_read(&atm_dev->stats.aal5.rx),
29136 - atomic_read(&atm_dev->stats.aal5.rx_err),
29137 - atomic_read(&atm_dev->stats.aal5.rx_drop));
29138 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
29139 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
29140 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
29141 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
29142 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
29145 if (instance->disconnected)
29146 diff -urNp linux-2.6.38.4/drivers/usb/class/cdc-acm.c linux-2.6.38.4/drivers/usb/class/cdc-acm.c
29147 --- linux-2.6.38.4/drivers/usb/class/cdc-acm.c 2011-04-18 17:27:16.000000000 -0400
29148 +++ linux-2.6.38.4/drivers/usb/class/cdc-acm.c 2011-04-17 15:57:32.000000000 -0400
29149 @@ -1640,7 +1640,7 @@ static const struct usb_device_id acm_id
29150 { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
29151 USB_CDC_ACM_PROTO_AT_CDMA) },
29154 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
29157 MODULE_DEVICE_TABLE(usb, acm_ids);
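Review bot: The twelve-zero positional terminator `{ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }` is tied to the exact member count of struct usb_device_id, so a field removed from that struct (in a header outside this diff) would produce an excess-elements warning, and a field added would silently rely on implicit zeroing of the remainder anyway. `{ 0 }` expresses the same fully-zeroed entry without depending on the member list, and is what the keyboard.c hunk above already uses for its kbd_ids terminator. The same applies to the usblp.c, hub.c and usual-tables.c usb_device_id terminators, the seven-zero pci_device_id terminators in ehci-pci.c, uhci-hcd.c and i810_main.c, and the `{ NULL, NULL, 0, 0, NULL }` us_unusual_dev terminator in usb.c.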
29158 diff -urNp linux-2.6.38.4/drivers/usb/class/usblp.c linux-2.6.38.4/drivers/usb/class/usblp.c
29159 --- linux-2.6.38.4/drivers/usb/class/usblp.c 2011-03-14 21:20:32.000000000 -0400
29160 +++ linux-2.6.38.4/drivers/usb/class/usblp.c 2011-04-17 15:57:32.000000000 -0400
29161 @@ -227,7 +227,7 @@ static const struct quirk_printer_struct
29162 { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@zut.de> */
29163 { 0x04f9, 0x000d, USBLP_QUIRK_BIDIR }, /* Brother Industries, Ltd HL-1440 Laser Printer */
29164 { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
29169 static int usblp_wwait(struct usblp *usblp, int nonblock);
29170 @@ -1398,7 +1398,7 @@ static const struct usb_device_id usblp_
29171 { USB_INTERFACE_INFO(7, 1, 2) },
29172 { USB_INTERFACE_INFO(7, 1, 3) },
29173 { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
29174 - { } /* Terminating entry */
29175 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
29178 MODULE_DEVICE_TABLE(usb, usblp_ids);
29179 diff -urNp linux-2.6.38.4/drivers/usb/core/hcd.c linux-2.6.38.4/drivers/usb/core/hcd.c
29180 --- linux-2.6.38.4/drivers/usb/core/hcd.c 2011-04-22 19:20:59.000000000 -0400
29181 +++ linux-2.6.38.4/drivers/usb/core/hcd.c 2011-04-22 19:21:23.000000000 -0400
29182 @@ -2457,7 +2457,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
29184 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
29186 -struct usb_mon_operations *mon_ops;
29187 +const struct usb_mon_operations *mon_ops;
29190 * The registration is unlocked.
29191 @@ -2467,7 +2467,7 @@ struct usb_mon_operations *mon_ops;
29192 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
29195 -int usb_mon_register (struct usb_mon_operations *ops)
29196 +int usb_mon_register (const struct usb_mon_operations *ops)
29200 diff -urNp linux-2.6.38.4/drivers/usb/core/hub.c linux-2.6.38.4/drivers/usb/core/hub.c
29201 --- linux-2.6.38.4/drivers/usb/core/hub.c 2011-03-14 21:20:32.000000000 -0400
29202 +++ linux-2.6.38.4/drivers/usb/core/hub.c 2011-04-17 15:57:32.000000000 -0400
29203 @@ -3492,7 +3492,7 @@ static const struct usb_device_id hub_id
29204 .bDeviceClass = USB_CLASS_HUB},
29205 { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
29206 .bInterfaceClass = USB_CLASS_HUB},
29207 - { } /* Terminating entry */
29208 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
29211 MODULE_DEVICE_TABLE (usb, hub_id_table);
29212 diff -urNp linux-2.6.38.4/drivers/usb/core/message.c linux-2.6.38.4/drivers/usb/core/message.c
29213 --- linux-2.6.38.4/drivers/usb/core/message.c 2011-03-14 21:20:32.000000000 -0400
29214 +++ linux-2.6.38.4/drivers/usb/core/message.c 2011-04-17 15:57:32.000000000 -0400
29215 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
29216 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
29218 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
29220 - smallbuf = kmalloc(++len, GFP_NOIO);
29222 + smallbuf = kmalloc(len, GFP_NOIO);
29225 memcpy(smallbuf, buf, len);
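Review bot: The new `smallbuf = kmalloc(len, GFP_NOIO);` drops the `++len` that the removed line performed, and the line that would carry the increment (gutter 29221) is not shown, so from this view it is not clear whether `++len` was moved to its own statement or lost. If usb_string returns the length without the terminator, as the old `++len` suggests, and the increment is gone, then `memcpy(smallbuf, buf, len)` on the next visible line copies into a buffer one byte too small for the NUL that follows the string. If it was moved, a separate `++len; /* room for the NUL */` before the kmalloc is what should appear; please confirm. usb_cache_string starts and ends outside the hunk.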
29226 diff -urNp linux-2.6.38.4/drivers/usb/early/ehci-dbgp.c linux-2.6.38.4/drivers/usb/early/ehci-dbgp.c
29227 --- linux-2.6.38.4/drivers/usb/early/ehci-dbgp.c 2011-03-14 21:20:32.000000000 -0400
29228 +++ linux-2.6.38.4/drivers/usb/early/ehci-dbgp.c 2011-04-17 15:57:32.000000000 -0400
29229 @@ -96,7 +96,7 @@ static inline u32 dbgp_len_update(u32 x,
29233 -static struct kgdb_io kgdbdbgp_io_ops;
29234 +static struct kgdb_io kgdbdbgp_io_ops; /* cannot be const, see kgdbdbgp_parse_config */
29235 #define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
29237 #define dbgp_kgdb_mode (0)
29238 @@ -1026,7 +1026,7 @@ static void kgdbdbgp_write_char(u8 chr)
29239 early_dbgp_write(NULL, &chr, 1);
29242 -static struct kgdb_io kgdbdbgp_io_ops = {
29243 +static struct kgdb_io kgdbdbgp_io_ops = { /* cannot be const, see kgdbdbgp_parse_config() */
29244 .name = "kgdbdbgp",
29245 .read_char = kgdbdbgp_read_char,
29246 .write_char = kgdbdbgp_write_char,
29247 diff -urNp linux-2.6.38.4/drivers/usb/host/ehci-pci.c linux-2.6.38.4/drivers/usb/host/ehci-pci.c
29248 --- linux-2.6.38.4/drivers/usb/host/ehci-pci.c 2011-03-14 21:20:32.000000000 -0400
29249 +++ linux-2.6.38.4/drivers/usb/host/ehci-pci.c 2011-04-17 15:57:32.000000000 -0400
29250 @@ -516,7 +516,7 @@ static const struct pci_device_id pci_id
29251 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
29252 .driver_data = (unsigned long) &ehci_pci_hc_driver,
29254 - { /* end: all zeroes */ }
29255 + { 0, 0, 0, 0, 0, 0, 0 }
29257 MODULE_DEVICE_TABLE(pci, pci_ids);
29259 diff -urNp linux-2.6.38.4/drivers/usb/host/uhci-hcd.c linux-2.6.38.4/drivers/usb/host/uhci-hcd.c
29260 --- linux-2.6.38.4/drivers/usb/host/uhci-hcd.c 2011-03-14 21:20:32.000000000 -0400
29261 +++ linux-2.6.38.4/drivers/usb/host/uhci-hcd.c 2011-04-17 15:57:32.000000000 -0400
29262 @@ -948,7 +948,7 @@ static const struct pci_device_id uhci_p
29263 /* handle any USB UHCI controller */
29264 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
29265 .driver_data = (unsigned long) &uhci_driver,
29266 - }, { /* end: all zeroes */ }
29267 + }, { 0, 0, 0, 0, 0, 0, 0 }
29270 MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
29271 diff -urNp linux-2.6.38.4/drivers/usb/mon/mon_main.c linux-2.6.38.4/drivers/usb/mon/mon_main.c
29272 --- linux-2.6.38.4/drivers/usb/mon/mon_main.c 2011-03-14 21:20:32.000000000 -0400
29273 +++ linux-2.6.38.4/drivers/usb/mon/mon_main.c 2011-04-17 15:57:32.000000000 -0400
29274 @@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
29278 -static struct usb_mon_operations mon_ops_0 = {
29279 +static const struct usb_mon_operations mon_ops_0 = {
29280 .urb_submit = mon_submit,
29281 .urb_submit_error = mon_submit_error,
29282 .urb_complete = mon_complete,
29283 diff -urNp linux-2.6.38.4/drivers/usb/storage/debug.h linux-2.6.38.4/drivers/usb/storage/debug.h
29284 --- linux-2.6.38.4/drivers/usb/storage/debug.h 2011-03-14 21:20:32.000000000 -0400
29285 +++ linux-2.6.38.4/drivers/usb/storage/debug.h 2011-04-17 15:57:32.000000000 -0400
29286 @@ -54,9 +54,9 @@ void usb_stor_show_sense( unsigned char
29287 #define US_DEBUGPX(x...) printk( x )
29288 #define US_DEBUG(x) x
29290 -#define US_DEBUGP(x...)
29291 -#define US_DEBUGPX(x...)
29292 -#define US_DEBUG(x)
29293 +#define US_DEBUGP(x...) do {} while (0)
29294 +#define US_DEBUGPX(x...) do {} while (0)
29295 +#define US_DEBUG(x) do {} while (0)
29299 diff -urNp linux-2.6.38.4/drivers/usb/storage/usb.c linux-2.6.38.4/drivers/usb/storage/usb.c
29300 --- linux-2.6.38.4/drivers/usb/storage/usb.c 2011-03-14 21:20:32.000000000 -0400
29301 +++ linux-2.6.38.4/drivers/usb/storage/usb.c 2011-04-17 15:57:32.000000000 -0400
29302 @@ -122,7 +122,7 @@ MODULE_PARM_DESC(quirks, "supplemental l
29304 static struct us_unusual_dev us_unusual_dev_list[] = {
29305 # include "unusual_devs.h"
29306 - { } /* Terminating entry */
29307 + { NULL, NULL, 0, 0, NULL } /* Terminating entry */
29311 diff -urNp linux-2.6.38.4/drivers/usb/storage/usual-tables.c linux-2.6.38.4/drivers/usb/storage/usual-tables.c
29312 --- linux-2.6.38.4/drivers/usb/storage/usual-tables.c 2011-03-14 21:20:32.000000000 -0400
29313 +++ linux-2.6.38.4/drivers/usb/storage/usual-tables.c 2011-04-17 15:57:32.000000000 -0400
29316 struct usb_device_id usb_storage_usb_ids[] = {
29317 # include "unusual_devs.h"
29318 - { } /* Terminating entry */
29319 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
29321 EXPORT_SYMBOL_GPL(usb_storage_usb_ids);
29323 diff -urNp linux-2.6.38.4/drivers/vhost/vhost.c linux-2.6.38.4/drivers/vhost/vhost.c
29324 --- linux-2.6.38.4/drivers/vhost/vhost.c 2011-03-14 21:20:32.000000000 -0400
29325 +++ linux-2.6.38.4/drivers/vhost/vhost.c 2011-04-17 15:57:32.000000000 -0400
29326 @@ -565,7 +565,7 @@ static int init_used(struct vhost_virtqu
29327 return get_user(vq->last_used_idx, &used->idx);
29330 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
29331 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
29333 struct file *eventfp, *filep = NULL,
29334 *pollstart = NULL, *pollstop = NULL;
29335 diff -urNp linux-2.6.38.4/drivers/video/fbcmap.c linux-2.6.38.4/drivers/video/fbcmap.c
29336 --- linux-2.6.38.4/drivers/video/fbcmap.c 2011-03-14 21:20:32.000000000 -0400
29337 +++ linux-2.6.38.4/drivers/video/fbcmap.c 2011-04-17 15:57:32.000000000 -0400
29338 @@ -285,8 +285,7 @@ int fb_set_user_cmap(struct fb_cmap_user
29342 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
29343 - !info->fbops->fb_setcmap)) {
29344 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
29348 diff -urNp linux-2.6.38.4/drivers/video/fbmem.c linux-2.6.38.4/drivers/video/fbmem.c
29349 --- linux-2.6.38.4/drivers/video/fbmem.c 2011-03-14 21:20:32.000000000 -0400
29350 +++ linux-2.6.38.4/drivers/video/fbmem.c 2011-04-17 15:57:32.000000000 -0400
29351 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
29352 image->dx += image->width + 8;
29354 } else if (rotate == FB_ROTATE_UD) {
29355 - for (x = 0; x < num && image->dx >= 0; x++) {
29356 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
29357 info->fbops->fb_imageblit(info, image);
29358 image->dx -= image->width + 8;
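Review bot: `(__s32)image->dx >= 0` terminates the loop by reinterpreting an unsigned coordinate that has wrapped after `image->dx -= image->width + 8`, which works on two's-complement targets but is not obvious to a reader; a short comment, `/* dx is unsigned: it wraps past zero once the image has moved off the left edge */`, would explain why the cast is there rather than a signed local. The same applies to the `(__s32)image->dy` loop in the next hunk. fb_do_show_logo starts and ends outside these hunks.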
29360 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
29361 image->dy += image->height + 8;
29363 } else if (rotate == FB_ROTATE_CCW) {
29364 - for (x = 0; x < num && image->dy >= 0; x++) {
29365 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
29366 info->fbops->fb_imageblit(info, image);
29367 image->dy -= image->height + 8;
29369 @@ -1101,7 +1101,7 @@ static long do_fb_ioctl(struct fb_info *
29371 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
29373 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
29374 + if (con2fb.framebuffer >= FB_MAX)
29376 if (!registered_fb[con2fb.framebuffer])
29377 request_module("fb%d", con2fb.framebuffer);
29378 diff -urNp linux-2.6.38.4/drivers/video/fbmon.c linux-2.6.38.4/drivers/video/fbmon.c
29379 --- linux-2.6.38.4/drivers/video/fbmon.c 2011-03-14 21:20:32.000000000 -0400
29380 +++ linux-2.6.38.4/drivers/video/fbmon.c 2011-04-17 15:57:32.000000000 -0400
29383 #define DPRINTK(fmt, args...) printk(fmt,## args)
29385 -#define DPRINTK(fmt, args...)
29386 +#define DPRINTK(fmt, args...) do {} while (0)
29389 #define FBMON_FIX_HEADER 1
29390 diff -urNp linux-2.6.38.4/drivers/video/i810/i810_accel.c linux-2.6.38.4/drivers/video/i810/i810_accel.c
29391 --- linux-2.6.38.4/drivers/video/i810/i810_accel.c 2011-03-14 21:20:32.000000000 -0400
29392 +++ linux-2.6.38.4/drivers/video/i810/i810_accel.c 2011-04-17 15:57:32.000000000 -0400
29393 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
29396 printk("ringbuffer lockup!!!\n");
29397 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
29398 i810_report_error(mmio);
29399 par->dev_flags |= LOCKUP;
29400 info->pixmap.scan_align = 1;
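Review bot: The added `printk("head:%u tail:%u iring.size:%u space:%u\n", ...)` carries no log level, so it is emitted at the default level even though it only fires on a ring-buffer lockup (the existing "ringbuffer lockup!!!" line above has the same problem); `printk(KERN_ERR ...)` or `pr_err(...)` is the appropriate level for both. `%u` also assumes head, tail, par->iring.size and space are all unsigned int; their declarations are outside the hunk, so please confirm the types match the format. wait_for_space starts and ends outside the hunk.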
29401 diff -urNp linux-2.6.38.4/drivers/video/i810/i810_main.c linux-2.6.38.4/drivers/video/i810/i810_main.c
29402 --- linux-2.6.38.4/drivers/video/i810/i810_main.c 2011-03-14 21:20:32.000000000 -0400
29403 +++ linux-2.6.38.4/drivers/video/i810/i810_main.c 2011-04-17 15:57:32.000000000 -0400
29404 @@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
29405 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
29406 { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
29407 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
29409 + { 0, 0, 0, 0, 0, 0, 0 },
29412 static struct pci_driver i810fb_driver = {
29413 diff -urNp linux-2.6.38.4/drivers/video/modedb.c linux-2.6.38.4/drivers/video/modedb.c
29414 --- linux-2.6.38.4/drivers/video/modedb.c 2011-03-14 21:20:32.000000000 -0400
29415 +++ linux-2.6.38.4/drivers/video/modedb.c 2011-04-17 15:57:32.000000000 -0400
29416 @@ -40,255 +40,255 @@ static const struct fb_videomode modedb[
29418 /* 640x400 @ 70 Hz, 31.5 kHz hsync */
29419 { NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2, 0,
29420 - FB_VMODE_NONINTERLACED },
29421 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29423 /* 640x480 @ 60 Hz, 31.5 kHz hsync */
29424 { NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2, 0,
29425 - FB_VMODE_NONINTERLACED },
29426 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29428 /* 800x600 @ 56 Hz, 35.15 kHz hsync */
29429 { NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2, 0,
29430 - FB_VMODE_NONINTERLACED },
29431 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29433 /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
29434 { NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8, 0,
29435 - FB_VMODE_INTERLACED },
29436 + FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN },
29438 /* 640x400 @ 85 Hz, 37.86 kHz hsync */
29439 { NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
29440 - FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED },
29441 + FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29443 /* 640x480 @ 72 Hz, 36.5 kHz hsync */
29444 { NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3, 0,
29445 - FB_VMODE_NONINTERLACED },
29446 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29448 /* 640x480 @ 75 Hz, 37.50 kHz hsync */
29449 { NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3, 0,
29450 - FB_VMODE_NONINTERLACED },
29451 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29453 /* 800x600 @ 60 Hz, 37.8 kHz hsync */
29454 { NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
29455 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29456 - FB_VMODE_NONINTERLACED },
29457 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29459 /* 640x480 @ 85 Hz, 43.27 kHz hsync */
29460 { NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3, 0,
29461 - FB_VMODE_NONINTERLACED },
29462 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29464 /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
29465 { NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10, 0,
29466 - FB_VMODE_INTERLACED },
29467 + FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN },
29468 /* 800x600 @ 72 Hz, 48.0 kHz hsync */
29469 { NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
29470 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29471 - FB_VMODE_NONINTERLACED },
29472 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29474 /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
29475 { NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6, 0,
29476 - FB_VMODE_NONINTERLACED },
29477 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29479 /* 640x480 @ 100 Hz, 53.01 kHz hsync */
29480 { NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6, 0,
29481 - FB_VMODE_NONINTERLACED },
29482 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29484 /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
29485 { NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8, 0,
29486 - FB_VMODE_NONINTERLACED },
29487 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29489 /* 800x600 @ 85 Hz, 55.84 kHz hsync */
29490 { NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5, 0,
29491 - FB_VMODE_NONINTERLACED },
29492 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29494 /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
29495 { NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6, 0,
29496 - FB_VMODE_NONINTERLACED },
29497 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29499 /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
29500 { NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12, 0,
29501 - FB_VMODE_INTERLACED },
29502 + FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN },
29504 /* 800x600 @ 100 Hz, 64.02 kHz hsync */
29505 { NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6, 0,
29506 - FB_VMODE_NONINTERLACED },
29507 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29509 /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
29510 { NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3, 0,
29511 - FB_VMODE_NONINTERLACED },
29512 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29514 /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
29515 { NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10, 0,
29516 - FB_VMODE_NONINTERLACED },
29517 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29519 /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
29520 { NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3, 0,
29521 - FB_VMODE_NONINTERLACED },
29522 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29524 /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
29525 { NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3, 0,
29526 - FB_VMODE_NONINTERLACED },
29527 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29529 /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
29530 { NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
29531 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29532 - FB_VMODE_NONINTERLACED },
29533 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29535 /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
29536 { NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
29537 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29538 - FB_VMODE_NONINTERLACED },
29539 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29541 /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
29542 { NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6, 0,
29543 - FB_VMODE_NONINTERLACED },
29544 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29546 /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
29547 { NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12, 0,
29548 - FB_VMODE_NONINTERLACED },
29549 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29551 /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
29552 { NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8, 0,
29553 - FB_VMODE_NONINTERLACED },
29554 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29556 /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
29557 { NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
29558 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29559 - FB_VMODE_NONINTERLACED },
29560 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29562 /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
29563 { NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12, 0,
29564 - FB_VMODE_NONINTERLACED },
29565 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29567 /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
29568 { NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3, 0,
29569 - FB_VMODE_NONINTERLACED },
29570 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29572 /* 1024x768 @ 100Hz, 80.21 kHz hsync */
29573 { NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10, 0,
29574 - FB_VMODE_NONINTERLACED },
29575 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29577 /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
29578 { NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3, 0,
29579 - FB_VMODE_NONINTERLACED },
29580 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29582 /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
29583 { NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3, 0,
29584 - FB_VMODE_NONINTERLACED },
29585 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29587 /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
29588 { NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19, 0,
29589 - FB_VMODE_NONINTERLACED },
29590 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29592 /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
29593 { NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
29594 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29595 - FB_VMODE_NONINTERLACED },
29596 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29598 /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
29599 { NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
29600 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29601 - FB_VMODE_NONINTERLACED },
29602 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29604 /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
29605 { NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
29606 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29607 - FB_VMODE_NONINTERLACED },
29608 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29610 /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
29611 { NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
29612 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29613 - FB_VMODE_NONINTERLACED },
29614 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29616 /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
29617 { NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15, 0,
29618 - FB_VMODE_NONINTERLACED },
29619 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29621 /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
29622 { NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
29623 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29624 - FB_VMODE_NONINTERLACED },
29625 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29627 /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
29628 { NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
29629 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29630 - FB_VMODE_NONINTERLACED },
29631 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29633 /* 512x384 @ 78 Hz, 31.50 kHz hsync */
29634 { NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3, 0,
29635 - FB_VMODE_NONINTERLACED },
29636 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29638 /* 512x384 @ 85 Hz, 34.38 kHz hsync */
29639 { NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3, 0,
29640 - FB_VMODE_NONINTERLACED },
29641 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29643 /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
29644 { NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1, 0,
29645 - FB_VMODE_DOUBLE },
29646 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
29648 /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
29649 { NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1, 0,
29650 - FB_VMODE_DOUBLE },
29651 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
29653 /* 320x240 @ 72 Hz, 36.5 kHz hsync */
29654 { NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2, 0,
29655 - FB_VMODE_DOUBLE },
29656 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
29658 /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
29659 { NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1, 0,
29660 - FB_VMODE_DOUBLE },
29661 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
29663 /* 400x300 @ 60 Hz, 37.8 kHz hsync */
29664 { NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2, 0,
29665 - FB_VMODE_DOUBLE },
29666 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
29668 /* 400x300 @ 72 Hz, 48.0 kHz hsync */
29669 { NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3, 0,
29670 - FB_VMODE_DOUBLE },
29671 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
29673 /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
29674 { NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1, 0,
29675 - FB_VMODE_DOUBLE },
29676 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
29678 /* 480x300 @ 60 Hz, 37.8 kHz hsync */
29679 { NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2, 0,
29680 - FB_VMODE_DOUBLE },
29681 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
29683 /* 480x300 @ 63 Hz, 39.6 kHz hsync */
29684 { NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2, 0,
29685 - FB_VMODE_DOUBLE },
29686 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
29688 /* 480x300 @ 72 Hz, 48.0 kHz hsync */
29689 { NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3, 0,
29690 - FB_VMODE_DOUBLE },
29691 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
29693 /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
29694 { NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
29695 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29696 - FB_VMODE_NONINTERLACED },
29697 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29699 /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
29700 { NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
29701 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29702 - FB_VMODE_NONINTERLACED },
29703 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29705 /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
29706 { NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5, 0,
29707 - FB_VMODE_NONINTERLACED },
29708 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29710 /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
29711 { NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3, 0,
29712 - FB_VMODE_NONINTERLACED },
29713 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29715 /* 720x576i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
29716 { NULL, 50, 720, 576, 74074, 64, 16, 39, 5, 64, 5, 0,
29717 - FB_VMODE_INTERLACED },
29718 + FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN },
29720 /* 800x520i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
29721 { NULL, 50, 800, 520, 58823, 144, 64, 72, 28, 80, 5, 0,
29722 - FB_VMODE_INTERLACED },
29723 + FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN },
29725 /* 864x480 @ 60 Hz, 35.15 kHz hsync */
29726 { NULL, 60, 864, 480, 27777, 1, 1, 1, 1, 0, 0,
29727 - 0, FB_VMODE_NONINTERLACED },
29728 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
29731 #ifdef CONFIG_FB_MODE_HELPERS
29732 diff -urNp linux-2.6.38.4/drivers/video/pxa3xx-gcu.c linux-2.6.38.4/drivers/video/pxa3xx-gcu.c
29733 --- linux-2.6.38.4/drivers/video/pxa3xx-gcu.c 2011-03-14 21:20:32.000000000 -0400
29734 +++ linux-2.6.38.4/drivers/video/pxa3xx-gcu.c 2011-04-17 15:57:32.000000000 -0400
29735 @@ -103,7 +103,7 @@ struct pxa3xx_gcu_priv {
29736 dma_addr_t shared_phys;
29737 struct resource *resource_mem;
29738 struct miscdevice misc_dev;
29739 - struct file_operations misc_fops;
29740 + const struct file_operations misc_fops;
29741 wait_queue_head_t wait_idle;
29742 wait_queue_head_t wait_free;
29743 spinlock_t spinlock;
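Review bot: Qualifying the embedded `misc_fops` member as `const` does not give the operations table the read-only protection this series is after: `pxa3xx_gcu_priv` is a dynamically allocated object, so the table stays in writable kernel memory and the qualifier is only a compile-time check. If the driver's probe still fills `misc_fops` field by field (that code is outside this hunk), the member can no longer be assigned and the file will not build. The usual fix is to drop the member and point `misc_dev.fops` at a file-scope `static const struct file_operations pxa3xx_gcu_misc_fops = { .owner = THIS_MODULE, /* existing handlers */ };`, which actually lands in .rodata and is what KERNEXEC can protect.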
29744 diff -urNp linux-2.6.38.4/drivers/video/uvesafb.c linux-2.6.38.4/drivers/video/uvesafb.c
29745 --- linux-2.6.38.4/drivers/video/uvesafb.c 2011-03-14 21:20:32.000000000 -0400
29746 +++ linux-2.6.38.4/drivers/video/uvesafb.c 2011-04-17 15:57:32.000000000 -0400
29748 #include <linux/io.h>
29749 #include <linux/mutex.h>
29750 #include <linux/slab.h>
29751 +#include <linux/moduleloader.h>
29752 #include <video/edid.h>
29753 #include <video/uvesafb.h>
29755 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
29759 - return call_usermodehelper(v86d_path, argv, envp, 1);
29760 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
29764 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
29765 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
29766 par->pmi_setpal = par->ypan = 0;
29769 +#ifdef CONFIG_PAX_KERNEXEC
29770 +#ifdef CONFIG_MODULES
29771 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
29773 + if (!par->pmi_code) {
29774 + par->pmi_setpal = par->ypan = 0;
29779 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
29780 + task->t.regs.edi);
29782 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29783 + pax_open_kernel();
29784 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
29785 + pax_close_kernel();
29787 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
29788 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
29790 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
29791 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
29794 printk(KERN_INFO "uvesafb: protected mode interface info at "
29796 (u16)task->t.regs.es, (u16)task->t.regs.edi);
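Review bot: `par->pmi_base[1]` and `par->pmi_base[2]` are used as offsets into the freshly allocated `par->pmi_code` without being compared to the `(u16)task->t.regs.ecx` bytes that were copied there, so a PMI table whose entry offsets exceed its reported size yields `pmi_start`/`pmi_pal` pointing past the executable allocation, into whatever the kernel will later `call`. The table is produced by the v86d helper, i.e. by userspace, so it should be validated like any other untrusted input even though the helper runs privileged. Before the `ktva_ktla()` lines, disable PMI the same way the `es < 0xc000` branch above does when `(u16)task->t.regs.ecx < 6 || par->pmi_base[1] >= (u16)task->t.regs.ecx || par->pmi_base[2] >= (u16)task->t.regs.ecx`, freeing `par->pmi_code` on that path, and refuse `module_alloc_exec(0)` for a zero `ecx` up front. The function's return handling continues outside the hunk.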
29797 @@ -1800,6 +1823,11 @@ out:
29798 if (par->vbe_modes)
29799 kfree(par->vbe_modes);
29801 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29802 + if (par->pmi_code)
29803 + module_free_exec(NULL, par->pmi_code);
29806 framebuffer_release(info);
29809 @@ -1826,6 +1854,12 @@ static int uvesafb_remove(struct platfor
29810 kfree(par->vbe_state_orig);
29811 if (par->vbe_state_saved)
29812 kfree(par->vbe_state_saved);
29814 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29815 + if (par->pmi_code)
29816 + module_free_exec(NULL, par->pmi_code);
29821 framebuffer_release(info);
29822 diff -urNp linux-2.6.38.4/drivers/video/vesafb.c linux-2.6.38.4/drivers/video/vesafb.c
29823 --- linux-2.6.38.4/drivers/video/vesafb.c 2011-03-14 21:20:32.000000000 -0400
29824 +++ linux-2.6.38.4/drivers/video/vesafb.c 2011-04-17 15:57:32.000000000 -0400
29828 #include <linux/module.h>
29829 +#include <linux/moduleloader.h>
29830 #include <linux/kernel.h>
29831 #include <linux/errno.h>
29832 #include <linux/string.h>
29833 @@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
29834 static int vram_total __initdata; /* Set total amount of memory */
29835 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
29836 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
29837 -static void (*pmi_start)(void) __read_mostly;
29838 -static void (*pmi_pal) (void) __read_mostly;
29839 +static void (*pmi_start)(void) __read_only;
29840 +static void (*pmi_pal) (void) __read_only;
29841 static int depth __read_mostly;
29842 static int vga_compat __read_mostly;
29843 /* --------------------------------------------------------------------- */
29844 @@ -232,6 +233,7 @@ static int __init vesafb_probe(struct pl
29845 unsigned int size_vmode;
29846 unsigned int size_remap;
29847 unsigned int size_total;
29848 + void *pmi_code = NULL;
29850 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
29852 @@ -274,10 +276,6 @@ static int __init vesafb_probe(struct pl
29853 size_remap = size_total;
29854 vesafb_fix.smem_len = size_remap;
29857 - screen_info.vesapm_seg = 0;
29860 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
29861 printk(KERN_WARNING
29862 "vesafb: cannot reserve video memory at 0x%lx\n",
29863 @@ -319,9 +317,21 @@ static int __init vesafb_probe(struct pl
29864 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
29865 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
29869 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29870 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
29872 +#elif !defined(CONFIG_PAX_KERNEXEC)
29877 + screen_info.vesapm_seg = 0;
29879 if (screen_info.vesapm_seg) {
29880 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
29881 - screen_info.vesapm_seg,screen_info.vesapm_off);
29882 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
29883 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
29886 if (screen_info.vesapm_seg < 0xc000)
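Review bot: The `screen_info.vesapm_seg = 0;` statement at the end of this block appears to serve as the body of an `if` that lives inside the preceding `#if`/`#elif` arms (the `if (!pmi_code)` / `if (0)` lines are not shown in this view), so the same source line is a conditional disable, a no-op, or an unconditional disable depending on CONFIG_MODULES and CONFIG_PAX_KERNEXEC. That is fragile under later edits and hard to read; give each arm its own complete statement instead. `module_alloc_exec()` is also handed the firmware-supplied `screen_info.vesapm_size`, which can be zero, and that case should be refused before allocating.
```c
#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
	if (screen_info.vesapm_size)
		pmi_code = module_alloc_exec(screen_info.vesapm_size);
	if (!pmi_code)
		screen_info.vesapm_seg = 0;	/* no executable copy possible: PMI off */
#elif defined(CONFIG_PAX_KERNEXEC)
	screen_info.vesapm_seg = 0;	/* KERNEXEC without modules: nowhere to place PMI code */
#endif
	/* … unchanged: printk of the PMI location … */
```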
29887 @@ -329,9 +339,25 @@ static int __init vesafb_probe(struct pl
29889 if (ypan || pmi_setpal) {
29890 unsigned short *pmi_base;
29891 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
29892 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
29893 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
29895 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
29897 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29898 + pax_open_kernel();
29899 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
29901 + pmi_code = pmi_base;
29904 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
29905 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
29907 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29908 + pmi_start = ktva_ktla(pmi_start);
29909 + pmi_pal = ktva_ktla(pmi_pal);
29910 + pax_close_kernel();
29913 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
29915 printk(KERN_INFO "vesafb: pmi: ports = ");
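Review bot: `pmi_base[1]` and `pmi_base[2]` index into `pmi_code` without being checked against `screen_info.vesapm_size`, the number of bytes actually copied into the executable allocation, so a BIOS-provided table with out-of-range entries leaves `pmi_start`/`pmi_pal` pointing outside the buffer the kernel later calls into. Under KERNEXEC this matters more than before, because the copy gives the code region a hard end where the original in-place mapping did not. Add, ahead of the assignments, `if (pmi_base[1] >= screen_info.vesapm_size || pmi_base[2] >= screen_info.vesapm_size) { ypan = pmi_setpal = 0; }` and skip the rest of the PMI setup in that case; the ports table walked by the printk loop after this hunk (outside the view) needs the same bound. The `pax_open_kernel()`/`pax_close_kernel()` window correctly brackets the `__read_only` writes on the KERNEXEC path, which is worth a one-line comment since the non-KERNEXEC arm writes the same statics unbracketed.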
29916 @@ -473,6 +499,11 @@ static int __init vesafb_probe(struct pl
29917 info->node, info->fix.id);
29921 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29922 + module_free_exec(NULL, pmi_code);
29925 if (info->screen_base)
29926 iounmap(info->screen_base);
29927 framebuffer_release(info);
29928 diff -urNp linux-2.6.38.4/fs/9p/vfs_inode.c linux-2.6.38.4/fs/9p/vfs_inode.c
29929 --- linux-2.6.38.4/fs/9p/vfs_inode.c 2011-03-14 21:20:32.000000000 -0400
29930 +++ linux-2.6.38.4/fs/9p/vfs_inode.c 2011-04-17 15:57:32.000000000 -0400
29931 @@ -1094,7 +1094,7 @@ static void *v9fs_vfs_follow_link(struct
29933 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
29935 - char *s = nd_get_link(nd);
29936 + const char *s = nd_get_link(nd);
29938 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
29939 IS_ERR(s) ? "<error>" : s);
29940 diff -urNp linux-2.6.38.4/fs/aio.c linux-2.6.38.4/fs/aio.c
29941 --- linux-2.6.38.4/fs/aio.c 2011-04-18 17:27:16.000000000 -0400
29942 +++ linux-2.6.38.4/fs/aio.c 2011-04-17 15:57:32.000000000 -0400
29943 @@ -130,7 +130,7 @@ static int aio_setup_ring(struct kioctx
29944 size += sizeof(struct io_event) * nr_events;
29945 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
29947 - if (nr_pages < 0)
29948 + if (nr_pages <= 0)
29951 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
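Review bot: `nr_pages <= 0` only catches the case where `size` has already wrapped to something tiny; it is a symptom test on a value derived from `sizeof(struct io_event) * nr_events`, and an overflow that happens to land on a positive `nr_pages` still passes. Bound the multiplicand before the arithmetic instead, e.g. `if (nr_events > (ULONG_MAX - sizeof(struct aio_ring)) / sizeof(struct io_event)) return -EINVAL;` ahead of the `size +=` line, which keeps `nr_pages` meaningful and makes the `<= 0` check a backstop rather than the only defence. aio_setup_ring starts before this hunk, so whether the caller already clamps `nr_events` is not visible here; if it does, a comment to that effect would justify the relaxed check.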
29952 diff -urNp linux-2.6.38.4/fs/attr.c linux-2.6.38.4/fs/attr.c
29953 --- linux-2.6.38.4/fs/attr.c 2011-03-14 21:20:32.000000000 -0400
29954 +++ linux-2.6.38.4/fs/attr.c 2011-04-17 15:57:32.000000000 -0400
29955 @@ -98,6 +98,7 @@ int inode_newsize_ok(const struct inode
29956 unsigned long limit;
29958 limit = rlimit(RLIMIT_FSIZE);
29959 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
29960 if (limit != RLIM_INFINITY && offset > limit)
29962 if (offset > inode->i_sb->s_maxbytes)
29963 diff -urNp linux-2.6.38.4/fs/befs/linuxvfs.c linux-2.6.38.4/fs/befs/linuxvfs.c
29964 --- linux-2.6.38.4/fs/befs/linuxvfs.c 2011-03-14 21:20:32.000000000 -0400
29965 +++ linux-2.6.38.4/fs/befs/linuxvfs.c 2011-04-17 15:57:32.000000000 -0400
29966 @@ -499,7 +499,7 @@ static void befs_put_link(struct dentry
29968 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
29969 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
29970 - char *link = nd_get_link(nd);
29971 + const char *link = nd_get_link(nd);
29975 diff -urNp linux-2.6.38.4/fs/binfmt_aout.c linux-2.6.38.4/fs/binfmt_aout.c
29976 --- linux-2.6.38.4/fs/binfmt_aout.c 2011-03-14 21:20:32.000000000 -0400
29977 +++ linux-2.6.38.4/fs/binfmt_aout.c 2011-04-17 15:57:32.000000000 -0400
29979 #include <linux/string.h>
29980 #include <linux/fs.h>
29981 #include <linux/file.h>
29982 +#include <linux/security.h>
29983 #include <linux/stat.h>
29984 #include <linux/fcntl.h>
29985 #include <linux/ptrace.h>
29986 @@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
29988 # define START_STACK(u) ((void __user *)u.start_stack)
29990 + memset(&dump, 0, sizeof(dump));
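Review bot: The added `memset(&dump, 0, sizeof(dump))` deserves a why-comment, since nothing nearby explains it: as far as the rest of aout_core_dump goes (outside this hunk) `dump` is written to the core file as a whole, so any field or padding the following code does not set would otherwise carry stale kernel stack contents into a user-readable file. Suggested: `/* zero the whole header: it is dumped verbatim, and unset fields or padding would leak kernel stack */`. aout_core_dump's body continues past this hunk.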
29995 @@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
29997 /* If the size of the dump file exceeds the rlimit, then see what would happen
29998 if we wrote the stack, but not the data area. */
29999 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
30000 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
30003 /* Make sure we have enough room to write the stack and data areas. */
30004 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
30005 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
30008 @@ -234,6 +239,8 @@ static int load_aout_binary(struct linux
30009 rlim = rlimit(RLIMIT_DATA);
30010 if (rlim >= RLIM_INFINITY)
30013 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
30014 if (ex.a_data + ex.a_bss > rlim)
30017 @@ -262,6 +269,27 @@ static int load_aout_binary(struct linux
30018 install_exec_creds(bprm);
30019 current->flags &= ~PF_FORKNOEXEC;
30021 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
30022 + current->mm->pax_flags = 0UL;
30025 +#ifdef CONFIG_PAX_PAGEEXEC
30026 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
30027 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
30029 +#ifdef CONFIG_PAX_EMUTRAMP
30030 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
30031 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
30034 +#ifdef CONFIG_PAX_MPROTECT
30035 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
30036 + current->mm->pax_flags |= MF_PAX_MPROTECT;
30042 if (N_MAGIC(ex) == OMAGIC) {
30043 unsigned long text_addr, map_size;
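Review bot: On this path the PaX flags are taken solely from the binary's own header bits (`N_FLAGS(ex) & F_PAX_*`), with no counterpart to the `pax_set_initial_flags(bprm)` hook and `pax_check_flags()` validation that the ELF loader hunks in this same patch apply after parsing; if that is deliberate for a legacy format, a comment here should say so, otherwise an a.out image can opt itself out of PAGEEXEC and MPROTECT with no administrator override. The bit polarity is also mixed — `F_PAX_PAGEEXEC` and `F_PAX_MPROTECT` set mean *disable*, `F_PAX_EMUTRAMP` set means *enable* — and warrants one line above the block: `/* F_PAX_PAGEEXEC/F_PAX_MPROTECT are opt-out bits, F_PAX_EMUTRAMP is opt-in */`. load_aout_binary continues beyond the hunk.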
30045 @@ -334,7 +362,7 @@ static int load_aout_binary(struct linux
30047 down_write(¤t->mm->mmap_sem);
30048 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
30049 - PROT_READ | PROT_WRITE | PROT_EXEC,
30050 + PROT_READ | PROT_WRITE,
30051 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
30052 fd_offset + ex.a_text);
30053 up_write(¤t->mm->mmap_sem);
30054 diff -urNp linux-2.6.38.4/fs/binfmt_elf.c linux-2.6.38.4/fs/binfmt_elf.c
30055 --- linux-2.6.38.4/fs/binfmt_elf.c 2011-04-22 19:20:59.000000000 -0400
30056 +++ linux-2.6.38.4/fs/binfmt_elf.c 2011-04-22 19:21:23.000000000 -0400
30057 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
30058 #define elf_core_dump NULL
30061 +#ifdef CONFIG_PAX_MPROTECT
30062 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
30065 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
30066 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
30068 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
30069 .load_binary = load_elf_binary,
30070 .load_shlib = load_elf_library,
30071 .core_dump = elf_core_dump,
30073 +#ifdef CONFIG_PAX_MPROTECT
30074 + .handle_mprotect= elf_handle_mprotect,
30077 .min_coredump = ELF_EXEC_PAGESIZE,
30080 @@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
30082 static int set_brk(unsigned long start, unsigned long end)
30084 + unsigned long e = end;
30086 start = ELF_PAGEALIGN(start);
30087 end = ELF_PAGEALIGN(end);
30089 @@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
30090 if (BAD_ADDR(addr))
30093 - current->mm->start_brk = current->mm->brk = end;
30094 + current->mm->start_brk = current->mm->brk = e;
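Review bot: Switching `start_brk`/`brk` from the page-aligned `end` to the saved unaligned `e` is a behavioural change with no explanation: the heap now begins at the exact byte the loader passed in rather than at the next page boundary, which looks intended to keep the sub-page randomization that the RANDMMAP hunk further down adds to `elf_brk` from being rounded away — confirm. Record that on the `e` declaration, e.g. `/* keep the unaligned end: brk starts exactly there so sub-page randomization of elf_brk survives */`. set_brk's tail is outside the hunk.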
30098 @@ -148,12 +159,13 @@ create_elf_tables(struct linux_binprm *b
30099 elf_addr_t __user *u_rand_bytes;
30100 const char *k_platform = ELF_PLATFORM;
30101 const char *k_base_platform = ELF_BASE_PLATFORM;
30102 - unsigned char k_rand_bytes[16];
30103 + u32 k_rand_bytes[4];
30105 elf_addr_t *elf_info;
30107 const struct cred *cred = current_cred();
30108 struct vm_area_struct *vma;
30109 + unsigned long saved_auxv[AT_VECTOR_SIZE];
30112 * In some cases (e.g. Hyper-Threading), we want to avoid L1
30113 @@ -195,8 +207,12 @@ create_elf_tables(struct linux_binprm *b
30114 * Generate 16 random bytes for userspace PRNG seeding.
30116 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
30117 - u_rand_bytes = (elf_addr_t __user *)
30118 - STACK_ALLOC(p, sizeof(k_rand_bytes));
30119 + srandom32(k_rand_bytes[0] ^ random32());
30120 + srandom32(k_rand_bytes[1] ^ random32());
30121 + srandom32(k_rand_bytes[2] ^ random32());
30122 + srandom32(k_rand_bytes[3] ^ random32());
30123 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
30124 + u_rand_bytes = (elf_addr_t __user *) p;
30125 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
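Review bot: The four words fed to `srandom32()` are the same `k_rand_bytes` that the next line copies into the new process as AT_RANDOM, so the reseed material is disclosed to the very process being exec'd and to anything that can read its auxv. XORing with `random32()` output does not change that: for an observer who already knows the generator state the added secrecy is zero, and the kernel PRNG's state transition becomes partly user-visible. Draw the reseed from a separate `get_random_bytes()` call that never leaves the kernel (declare `u32 reseed[4];` alongside `k_rand_bytes`) and keep `k_rand_bytes` solely for AT_RANDOM. create_elf_tables continues outside the hunk.
```c
	get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
	/* reseed the non-cryptographic PRNG with material that is never exported to userspace */
	get_random_bytes(reseed, sizeof(reseed));
	srandom32(reseed[0] ^ random32());
	srandom32(reseed[1] ^ random32());
	srandom32(reseed[2] ^ random32());
	srandom32(reseed[3] ^ random32());
	p = STACK_ROUND(p, sizeof(k_rand_bytes));
	u_rand_bytes = (elf_addr_t __user *) p;
```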
30128 @@ -308,9 +324,11 @@ create_elf_tables(struct linux_binprm *b
30130 current->mm->env_end = p;
30132 + memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
30134 /* Put the elf_info on the stack in the right place. */
30135 sp = (elf_addr_t __user *)envp + 1;
30136 - if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
30137 + if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
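Review bot: Staging the auxiliary vector through the on-stack `saved_auxv[]` before `copy_to_user()` has no visible motivation — `elf_info` already points at kernel memory — so a reader cannot tell whether this guards against a concurrent writer, satisfies a user-copy check, or something else. Put the reason in a one-line comment on the `memcpy`, and note that the bounce buffer is only safe while `ei_index` stays within `AT_VECTOR_SIZE`; the loop that builds `elf_info` is outside this hunk, so that bound should be confirmed there.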
30141 @@ -381,10 +399,10 @@ static unsigned long load_elf_interp(str
30143 struct elf_phdr *elf_phdata;
30144 struct elf_phdr *eppnt;
30145 - unsigned long load_addr = 0;
30146 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
30147 int load_addr_set = 0;
30148 unsigned long last_bss = 0, elf_bss = 0;
30149 - unsigned long error = ~0UL;
30150 + unsigned long error = -EINVAL;
30151 unsigned long total_size;
30152 int retval, i, size;
30154 @@ -430,6 +448,11 @@ static unsigned long load_elf_interp(str
30158 +#ifdef CONFIG_PAX_SEGMEXEC
30159 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
30160 + pax_task_size = SEGMEXEC_TASK_SIZE;
30163 eppnt = elf_phdata;
30164 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
30165 if (eppnt->p_type == PT_LOAD) {
30166 @@ -473,8 +496,8 @@ static unsigned long load_elf_interp(str
30167 k = load_addr + eppnt->p_vaddr;
30169 eppnt->p_filesz > eppnt->p_memsz ||
30170 - eppnt->p_memsz > TASK_SIZE ||
30171 - TASK_SIZE - eppnt->p_memsz < k) {
30172 + eppnt->p_memsz > pax_task_size ||
30173 + pax_task_size - eppnt->p_memsz < k) {
30177 @@ -528,6 +551,193 @@ out:
30181 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
30182 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
30184 + unsigned long pax_flags = 0UL;
30186 +#ifdef CONFIG_PAX_PAGEEXEC
30187 + if (elf_phdata->p_flags & PF_PAGEEXEC)
30188 + pax_flags |= MF_PAX_PAGEEXEC;
30191 +#ifdef CONFIG_PAX_SEGMEXEC
30192 + if (elf_phdata->p_flags & PF_SEGMEXEC)
30193 + pax_flags |= MF_PAX_SEGMEXEC;
30196 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
30197 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30198 + if ((__supported_pte_mask & _PAGE_NX))
30199 + pax_flags &= ~MF_PAX_SEGMEXEC;
30201 + pax_flags &= ~MF_PAX_PAGEEXEC;
30205 +#ifdef CONFIG_PAX_EMUTRAMP
30206 + if (elf_phdata->p_flags & PF_EMUTRAMP)
30207 + pax_flags |= MF_PAX_EMUTRAMP;
30210 +#ifdef CONFIG_PAX_MPROTECT
30211 + if (elf_phdata->p_flags & PF_MPROTECT)
30212 + pax_flags |= MF_PAX_MPROTECT;
30215 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
30216 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
30217 + pax_flags |= MF_PAX_RANDMMAP;
30220 + return pax_flags;
30224 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
30225 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
30227 + unsigned long pax_flags = 0UL;
30229 +#ifdef CONFIG_PAX_PAGEEXEC
30230 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
30231 + pax_flags |= MF_PAX_PAGEEXEC;
30234 +#ifdef CONFIG_PAX_SEGMEXEC
30235 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
30236 + pax_flags |= MF_PAX_SEGMEXEC;
30239 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
30240 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30241 + if ((__supported_pte_mask & _PAGE_NX))
30242 + pax_flags &= ~MF_PAX_SEGMEXEC;
30244 + pax_flags &= ~MF_PAX_PAGEEXEC;
30248 +#ifdef CONFIG_PAX_EMUTRAMP
30249 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
30250 + pax_flags |= MF_PAX_EMUTRAMP;
30253 +#ifdef CONFIG_PAX_MPROTECT
30254 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
30255 + pax_flags |= MF_PAX_MPROTECT;
30258 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
30259 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
30260 + pax_flags |= MF_PAX_RANDMMAP;
30263 + return pax_flags;
30267 +#ifdef CONFIG_PAX_EI_PAX
30268 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
30270 + unsigned long pax_flags = 0UL;
30272 +#ifdef CONFIG_PAX_PAGEEXEC
30273 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
30274 + pax_flags |= MF_PAX_PAGEEXEC;
30277 +#ifdef CONFIG_PAX_SEGMEXEC
30278 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
30279 + pax_flags |= MF_PAX_SEGMEXEC;
30282 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
30283 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30284 + if ((__supported_pte_mask & _PAGE_NX))
30285 + pax_flags &= ~MF_PAX_SEGMEXEC;
30287 + pax_flags &= ~MF_PAX_PAGEEXEC;
30291 +#ifdef CONFIG_PAX_EMUTRAMP
30292 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
30293 + pax_flags |= MF_PAX_EMUTRAMP;
30296 +#ifdef CONFIG_PAX_MPROTECT
30297 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
30298 + pax_flags |= MF_PAX_MPROTECT;
30301 +#ifdef CONFIG_PAX_ASLR
30302 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
30303 + pax_flags |= MF_PAX_RANDMMAP;
30306 + return pax_flags;
30310 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
30311 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
30313 + unsigned long pax_flags = 0UL;
30315 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
30317 + int found_flags = 0;
30320 +#ifdef CONFIG_PAX_EI_PAX
30321 + pax_flags = pax_parse_ei_pax(elf_ex);
30324 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
30325 + for (i = 0UL; i < elf_ex->e_phnum; i++)
30326 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
30327 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
30328 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
30329 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
30330 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
30331 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
30334 +#ifdef CONFIG_PAX_SOFTMODE
30335 + if (pax_softmode)
30336 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
30340 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
30346 +#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
30347 + if (found_flags == 0) {
30348 + struct elf_phdr phdr;
30349 + memset(&phdr, 0, sizeof(phdr));
30350 + phdr.p_flags = PF_NOEMUTRAMP;
30351 +#ifdef CONFIG_PAX_SOFTMODE
30352 + if (pax_softmode)
30353 + pax_flags = pax_parse_softmode(&phdr);
30356 + pax_flags = pax_parse_hardmode(&phdr);
30360 + if (0 > pax_check_flags(&pax_flags))
30363 + current->mm->pax_flags = pax_flags;
30369 * These are the functions used to load ELF style executables and shared
30370 * libraries. There is no binary dependent code anywhere else.
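Review bot: The PAGEEXEC-versus-SEGMEXEC tie-break (when both are set, keep SEGMEXEC unless `__supported_pte_mask` has `_PAGE_NX`) is copied verbatim into `pax_parse_softmode`, `pax_parse_hardmode` and `pax_parse_ei_pax`; a single `static void pax_resolve_noexec(unsigned long *flags)` called from each would keep the three policies from drifting apart. The default applied to an unmarked binary when only PT_PAX_FLAGS support is built in — a synthesized header carrying just `PF_NOEMUTRAMP`, i.e. everything enabled except trampoline emulation in hardmode and nothing enabled in softmode — is policy a reader should not have to derive; a comment at the `if (found_flags == 0)` block should state it. The tail of the PT_PAX_FLAGS loop is not shown in this view, so whether a second PT_PAX_FLAGS header is rejected or silently overrides the first cannot be confirmed here and should be.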
30371 @@ -544,6 +754,11 @@ static unsigned long randomize_stack_top
30373 unsigned int random_variable = 0;
30375 +#ifdef CONFIG_PAX_RANDUSTACK
30376 + if (randomize_va_space)
30377 + return stack_top - current->mm->delta_stack;
30380 if ((current->flags & PF_RANDOMIZE) &&
30381 !(current->personality & ADDR_NO_RANDOMIZE)) {
30382 random_variable = get_random_int() & STACK_RND_MASK;
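Review bot: The early `return stack_top - current->mm->delta_stack;` bypasses the `PF_RANDOMIZE` / `ADDR_NO_RANDOMIZE` personality test that follows, so with CONFIG_PAX_RANDUSTACK the stack offset is governed entirely by the per-mm PaX state (`delta_stack` is only made non-zero under `MF_PAX_RANDMMAP` in load_elf_binary) and personality-based opt-outs no longer apply on this path. That is a deliberate policy change, but nothing in the function says so; add `/* PaX: the stack offset is decided by the mm's PaX flags (delta_stack), not by the personality */` above the `#ifdef`. randomize_stack_top's remaining body is outside the hunk.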
30383 @@ -562,7 +777,7 @@ static int load_elf_binary(struct linux_
30384 unsigned long load_addr = 0, load_bias = 0;
30385 int load_addr_set = 0;
30386 char * elf_interpreter = NULL;
30387 - unsigned long error;
30388 + unsigned long error = 0;
30389 struct elf_phdr *elf_ppnt, *elf_phdata;
30390 unsigned long elf_bss, elf_brk;
30392 @@ -572,11 +787,11 @@ static int load_elf_binary(struct linux_
30393 unsigned long start_code, end_code, start_data, end_data;
30394 unsigned long reloc_func_desc = 0;
30395 int executable_stack = EXSTACK_DEFAULT;
30396 - unsigned long def_flags = 0;
30398 struct elfhdr elf_ex;
30399 struct elfhdr interp_elf_ex;
30401 + unsigned long pax_task_size = TASK_SIZE;
30403 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
30405 @@ -714,11 +929,80 @@ static int load_elf_binary(struct linux_
30407 /* OK, This is the point of no return */
30408 current->flags &= ~PF_FORKNOEXEC;
30409 - current->mm->def_flags = def_flags;
30411 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
30412 + current->mm->pax_flags = 0UL;
30415 +#ifdef CONFIG_PAX_DLRESOLVE
30416 + current->mm->call_dl_resolve = 0UL;
30419 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
30420 + current->mm->call_syscall = 0UL;
30423 +#ifdef CONFIG_PAX_ASLR
30424 + current->mm->delta_mmap = 0UL;
30425 + current->mm->delta_stack = 0UL;
30428 + current->mm->def_flags = 0;
30430 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
30431 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
30432 + send_sig(SIGKILL, current, 0);
30433 + goto out_free_dentry;
30437 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
30438 + pax_set_initial_flags(bprm);
30439 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
30440 + if (pax_set_initial_flags_func)
30441 + (pax_set_initial_flags_func)(bprm);
30444 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
30445 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
30446 + current->mm->context.user_cs_limit = PAGE_SIZE;
30447 + current->mm->def_flags |= VM_PAGEEXEC;
30451 +#ifdef CONFIG_PAX_SEGMEXEC
30452 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
30453 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
30454 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
30455 + pax_task_size = SEGMEXEC_TASK_SIZE;
30459 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
30460 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30461 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
30466 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
30467 may depend on the personality. */
30468 SET_PERSONALITY(loc->elf_ex);
30470 +#ifdef CONFIG_PAX_ASLR
30471 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
30472 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
30473 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
30477 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30478 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30479 + executable_stack = EXSTACK_DISABLE_X;
30480 + current->personality &= ~READ_IMPLIES_EXEC;
30484 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
30485 current->personality |= READ_IMPLIES_EXEC;
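Review bot: When `pax_parse_elf_flags()` fails, the new code sends SIGKILL and jumps to `out_free_dentry` without assigning `retval` (no such assignment is visible in the hunk), whereas the kernel's other post-point-of-no-return failures in this function set an error code first; as far as the surrounding code shows, `retval` still holds the successful result of the preceding exec step, so load_elf_binary would report success for an exec it has just killed. Add `retval = -EINVAL;` before the `goto`. Separately, `set_user_cs(…, get_cpu())` must be paired with `put_cpu()`; the line after that call is not in this view and should be confirmed. load_elf_binary continues well beyond this hunk.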
30487 @@ -800,6 +1084,20 @@ static int load_elf_binary(struct linux_
30489 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
30492 +#ifdef CONFIG_PAX_RANDMMAP
30493 + /* PaX: randomize base address at the default exe base if requested */
30494 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
30495 +#ifdef CONFIG_SPARC64
30496 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
30498 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
30500 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
30501 + elf_flags |= MAP_FIXED;
30507 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
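Review bot: Combining a randomized `load_bias` with `elf_flags |= MAP_FIXED` makes `elf_map()` silently replace whatever already occupies the chosen range; at this point the stack from `setup_arg_pages()` and any arch-specific fixed mappings are the only neighbours, and the later `k >= pax_task_size` test catches running past the task limit but not an overlap. Either check the range is free first — `if (find_vma_intersection(current->mm, load_bias + vaddr, load_bias + vaddr + elf_ppnt->p_memsz))` and fall back to a non-fixed mapping — or document why `PAX_ELF_ET_DYN_BASE` plus a `PAX_DELTA_MMAP_LEN`-bit delta can never reach the stack region on any supported architecture. The SPARC64 `<< (PAGE_SHIFT+1)` special case also deserves a one-line explanation. The enclosing loop over program headers starts before this hunk.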
30508 @@ -832,9 +1130,9 @@ static int load_elf_binary(struct linux_
30509 * allowed task size. Note that p_filesz must always be
30510 * <= p_memsz so it is only necessary to check p_memsz.
30512 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
30513 - elf_ppnt->p_memsz > TASK_SIZE ||
30514 - TASK_SIZE - elf_ppnt->p_memsz < k) {
30515 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
30516 + elf_ppnt->p_memsz > pax_task_size ||
30517 + pax_task_size - elf_ppnt->p_memsz < k) {
30518 /* set_brk can never work. Avoid overflows. */
30519 send_sig(SIGKILL, current, 0);
30521 @@ -862,6 +1160,11 @@ static int load_elf_binary(struct linux_
30522 start_data += load_bias;
30523 end_data += load_bias;
30525 +#ifdef CONFIG_PAX_RANDMMAP
30526 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
30527 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
30530 /* Calling set_brk effectively mmaps the pages that we need
30531 * for the bss and break sections. We must do this before
30532 * mapping in the interpreter, to make sure it doesn't wind
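Review bot: The expression `PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4)` encodes the brk-gap distribution — a sub-page random value shifted up four bits, i.e. on 4 KiB pages a gap of one page plus up to roughly sixteen more with 16-byte granularity — and nothing nearby says so. State intent and range in a comment above the line, e.g. `/* PaX: push the heap start past the bss by a random ~1..17-page gap with 16-byte granularity so brk-based layouts are not predictable from the binary */`, since the `set_brk(elf_bss, elf_brk)` that follows will map and zero that gap on every exec. The sub-page part only takes effect if set_brk keeps the unaligned end, which should be confirmed against that function.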
30533 @@ -873,9 +1176,11 @@ static int load_elf_binary(struct linux_
30534 goto out_free_dentry;
30536 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
30537 - send_sig(SIGSEGV, current, 0);
30538 - retval = -EFAULT; /* Nobody gets to see this, but.. */
30539 - goto out_free_dentry;
30541 + * This bss-zeroing can fail if the ELF
30542 + * file specifies odd protections. So
30543 + * we don't check the return value
30547 if (elf_interpreter) {
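Review bot: Dropping the `SIGSEGV`/`-EFAULT` handling turns a `padzero()` failure into a silent continuation, so a binary whose last PT_LOAD segment is not writable now runs with file bytes where it expects zero-filled bss instead of being killed as a malformed image. The replacement comment says the zeroing *can* fail but not why accepting that is safe for the main executable under PaX, which is the part a reviewer needs; either state that reason in the comment or keep the kill and relax it only for the configurations that actually require it. load_elf_binary continues beyond the hunk.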
30548 @@ -1090,7 +1395,7 @@ out:
30549 * Decide what to dump of a segment, part, all or none.
30551 static unsigned long vma_dump_size(struct vm_area_struct *vma,
30552 - unsigned long mm_flags)
30553 + unsigned long mm_flags, long signr)
30555 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
30557 @@ -1124,7 +1429,7 @@ static unsigned long vma_dump_size(struc
30558 if (vma->vm_file == NULL)
30561 - if (FILTER(MAPPED_PRIVATE))
30562 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
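Review bot: Treating `signr == SIGKILL` as a reason to dump file-backed private mappings in full is surprising, because SIGKILL is not a core-dumping signal in the stock kernel; the branch only has an effect if another part of the patch routes kills (presumably PaX-initiated ones) into the core-dump path, and nothing here says so. Add a why-comment such as `/* SIGKILL here means a PaX-initiated kill: dump private file mappings in full so the faulting code can be inspected */`, adjusted to the actual trigger, which is outside this hunk. vma_dump_size continues past the hunk.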
30566 @@ -1346,9 +1651,9 @@ static void fill_auxv_note(struct memelf
30568 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
30573 - while (auxv[i - 2] != AT_NULL);
30574 + } while (auxv[i - 2] != AT_NULL);
30575 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
30578 @@ -1854,14 +2159,14 @@ static void fill_extnum_info(struct elfh
30581 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
30582 - unsigned long mm_flags)
30583 + struct coredump_params *cprm)
30585 struct vm_area_struct *vma;
30588 for (vma = first_vma(current, gate_vma); vma != NULL;
30589 vma = next_vma(vma, gate_vma))
30590 - size += vma_dump_size(vma, mm_flags);
30591 + size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
30595 @@ -1955,7 +2260,7 @@ static int elf_core_dump(struct coredump
30597 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
30599 - offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
30600 + offset += elf_core_vma_data_size(gate_vma, cprm);
30601 offset += elf_core_extra_data_size();
30604 @@ -1969,10 +2274,12 @@ static int elf_core_dump(struct coredump
30607 size += sizeof(*elf);
30608 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
30609 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
30612 size += sizeof(*phdr4note);
30613 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
30614 if (size > cprm->limit
30615 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
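Review bot: The new `gr_learn_resource(current, RLIMIT_CORE, size, 1)` call placed before each `size > cprm->limit` test is the same pattern inserted five times in elf_core_dump (here and in the hunks at 2304, 2338 and 2356 of the new file), with the page-data variant passing `size + PAGE_SIZE` because the increment happens inside the condition on the following line. A small static helper that records the prospective size and then compares it against the limit would keep the learning call and the check from drifting apart at one of the sites. elf_core_dump's body extends well beyond these hunks.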
30617 @@ -1986,7 +2293,7 @@ static int elf_core_dump(struct coredump
30618 phdr.p_offset = offset;
30619 phdr.p_vaddr = vma->vm_start;
30621 - phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
30622 + phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
30623 phdr.p_memsz = vma->vm_end - vma->vm_start;
30624 offset += phdr.p_filesz;
30625 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
30626 @@ -1997,6 +2304,7 @@ static int elf_core_dump(struct coredump
30627 phdr.p_align = ELF_EXEC_PAGESIZE;
30629 size += sizeof(phdr);
30630 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
30631 if (size > cprm->limit
30632 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
30634 @@ -2021,7 +2329,7 @@ static int elf_core_dump(struct coredump
30635 unsigned long addr;
30638 - end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
30639 + end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
30641 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
30643 @@ -2030,6 +2338,7 @@ static int elf_core_dump(struct coredump
30644 page = get_dump_page(addr);
30646 void *kaddr = kmap(page);
30647 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
30648 stop = ((size += PAGE_SIZE) > cprm->limit) ||
30649 !dump_write(cprm->file, kaddr,
30651 @@ -2047,6 +2356,7 @@ static int elf_core_dump(struct coredump
30653 if (e_phnum == PN_XNUM) {
30654 size += sizeof(*shdr4extnum);
30655 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
30656 if (size > cprm->limit
30657 || !dump_write(cprm->file, shdr4extnum,
30658 sizeof(*shdr4extnum)))
30659 @@ -2067,6 +2377,97 @@ out:
30661 #endif /* CONFIG_ELF_CORE */
30663 +#ifdef CONFIG_PAX_MPROTECT
30664 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
30665 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
30666 + * we'll remove VM_MAYWRITE for good on RELRO segments.
30668 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
30669 + * basis because we want to allow the common case and not the special ones.
30671 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
30673 + struct elfhdr elf_h;
30674 + struct elf_phdr elf_p;
30676 + unsigned long oldflags;
30677 + bool is_textrel_rw, is_textrel_rx, is_relro;
30679 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
30682 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
30683 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
30685 +#ifdef CONFIG_PAX_ELFRELOCS
30686 + /* possible TEXTREL */
30687 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
30688 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
30690 + is_textrel_rw = false;
30691 + is_textrel_rx = false;
30694 + /* possible RELRO */
30695 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
30697 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
30700 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
30701 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
30703 +#ifdef CONFIG_PAX_ETEXECRELOCS
30704 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
30706 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
30709 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
30710 + !elf_check_arch(&elf_h) ||
30711 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
30712 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
30715 + for (i = 0UL; i < elf_h.e_phnum; i++) {
30716 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
30718 + switch (elf_p.p_type) {
30720 + if (!is_textrel_rw && !is_textrel_rx)
30723 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
30726 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
30728 + if (dyn.d_tag == DT_NULL)
30730 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
30731 + gr_log_textrel(vma);
30732 + if (is_textrel_rw)
30733 + vma->vm_flags |= VM_MAYWRITE;
30735 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
30736 + vma->vm_flags &= ~VM_MAYWRITE;
30743 + case PT_GNU_RELRO:
30746 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
30747 + vma->vm_flags &= ~VM_MAYWRITE;
30754 static int __init init_elf_binfmt(void)
30756 return register_binfmt(&elf_format);
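Review bot: elf_handle_mprotect rewrites `vma->vm_flags` (`|= VM_MAYWRITE` for a TEXTREL segment, `&= ~VM_MAYWRITE` for RELRO) based on headers it reads back from the mapped file, yet the block comment says nothing about the locking context the caller must provide; presumably the mm's mmap_sem is held for write since this is reached from mprotect, and a sentence such as `/* called from the mprotect path with mmap_sem held for write; may only narrow or widen VM_MAYWRITE */` — confirmed against the call site — belongs in the header comment. The literal bound `elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr)` also deserves a comment, e.g. `/* cap the program-header table at 64 KiB, matching load_elf_binary */`. The parse is bounded only by comparing every `kernel_read()` result against the requested size, which is what keeps a truncated file from being read past its end; that reliance is worth stating next to the inner `while`, since `elf_p.p_filesz` and `elf_p.p_offset` are trusted straight from the file there.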
30757 diff -urNp linux-2.6.38.4/fs/binfmt_flat.c linux-2.6.38.4/fs/binfmt_flat.c
30758 --- linux-2.6.38.4/fs/binfmt_flat.c 2011-03-14 21:20:32.000000000 -0400
30759 +++ linux-2.6.38.4/fs/binfmt_flat.c 2011-04-17 15:57:32.000000000 -0400
30760 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
30761 realdatastart = (unsigned long) -ENOMEM;
30762 printk("Unable to allocate RAM for process data, errno %d\n",
30763 (int)-realdatastart);
30764 + down_write(¤t->mm->mmap_sem);
30765 do_munmap(current->mm, textpos, text_len);
30766 + up_write(¤t->mm->mmap_sem);
30767 ret = realdatastart;
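Review bot: The `do_munmap()` calls on these error exits now run under `current->mm->mmap_sem` (the `¤t` in the hunk text is an extraction artefact of `&current`), which is the lock do_munmap expects its caller to hold; the same wrapping is applied in the hunks at 593 and 665 of the new file. Any other early exit of load_flat_file that unmaps outside these three hunks should be checked for the same omission, since an unlocked do_munmap races with concurrent mmap activity in the same mm. load_flat_file starts and ends outside the hunk.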
30770 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
30772 if (IS_ERR_VALUE(result)) {
30773 printk("Unable to read data+bss, errno %d\n", (int)-result);
30774 + down_write(¤t->mm->mmap_sem);
30775 do_munmap(current->mm, textpos, text_len);
30776 do_munmap(current->mm, realdatastart, len);
30777 + up_write(¤t->mm->mmap_sem);
30781 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
30783 if (IS_ERR_VALUE(result)) {
30784 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
30785 + down_write(¤t->mm->mmap_sem);
30786 do_munmap(current->mm, textpos, text_len + data_len + extra +
30787 MAX_SHARED_LIBS * sizeof(unsigned long));
30788 + up_write(¤t->mm->mmap_sem);
30792 diff -urNp linux-2.6.38.4/fs/binfmt_misc.c linux-2.6.38.4/fs/binfmt_misc.c
30793 --- linux-2.6.38.4/fs/binfmt_misc.c 2011-03-14 21:20:32.000000000 -0400
30794 +++ linux-2.6.38.4/fs/binfmt_misc.c 2011-04-17 15:57:32.000000000 -0400
30795 @@ -698,7 +698,7 @@ static int bm_fill_super(struct super_bl
30796 static struct tree_descr bm_files[] = {
30797 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
30798 [3] = {"register", &bm_register_operations, S_IWUSR},
30799 - /* last one */ {""}
30800 + /* last one */ {"", NULL, 0}
30802 int err = simple_fill_super(sb, 0x42494e4d, bm_files);
30804 diff -urNp linux-2.6.38.4/fs/bio.c linux-2.6.38.4/fs/bio.c
30805 --- linux-2.6.38.4/fs/bio.c 2011-03-14 21:20:32.000000000 -0400
30806 +++ linux-2.6.38.4/fs/bio.c 2011-04-17 15:57:32.000000000 -0400
30807 @@ -1233,7 +1233,7 @@ static void bio_copy_kern_endio(struct b
30808 const int read = bio_data_dir(bio) == READ;
30809 struct bio_map_data *bmd = bio->bi_private;
30811 - char *p = bmd->sgvecs[0].iov_base;
30812 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
30814 __bio_for_each_segment(bvec, bio, i, 0) {
30815 char *addr = page_address(bvec->bv_page);
30816 diff -urNp linux-2.6.38.4/fs/block_dev.c linux-2.6.38.4/fs/block_dev.c
30817 --- linux-2.6.38.4/fs/block_dev.c 2011-03-14 21:20:32.000000000 -0400
30818 +++ linux-2.6.38.4/fs/block_dev.c 2011-04-17 15:57:32.000000000 -0400
30819 @@ -669,7 +669,7 @@ static bool bd_may_claim(struct block_de
30820 else if (bdev->bd_contains == bdev)
30821 return true; /* is a whole device which isn't held */
30823 - else if (whole->bd_holder == bd_may_claim)
30824 + else if (whole->bd_holder == (void *)bd_may_claim)
30825 return true; /* is a partition of a device that is being partitioned */
30826 else if (whole->bd_holder != NULL)
30827 return false; /* is a partition of a held device */
30828 diff -urNp linux-2.6.38.4/fs/btrfs/ctree.c linux-2.6.38.4/fs/btrfs/ctree.c
30829 --- linux-2.6.38.4/fs/btrfs/ctree.c 2011-03-14 21:20:32.000000000 -0400
30830 +++ linux-2.6.38.4/fs/btrfs/ctree.c 2011-04-17 15:57:32.000000000 -0400
30831 @@ -468,9 +468,12 @@ static noinline int __btrfs_cow_block(st
30832 free_extent_buffer(buf);
30833 add_root_to_dirty_list(root);
30835 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
30836 - parent_start = parent->start;
30838 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
30840 + parent_start = parent->start;
30842 + parent_start = 0;
30846 WARN_ON(trans->transid != btrfs_header_generation(parent));
30847 @@ -3776,7 +3779,6 @@ setup_items_for_insert(struct btrfs_tran
30851 - struct btrfs_disk_key disk_key;
30852 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
30853 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
30855 diff -urNp linux-2.6.38.4/fs/btrfs/disk-io.c linux-2.6.38.4/fs/btrfs/disk-io.c
30856 --- linux-2.6.38.4/fs/btrfs/disk-io.c 2011-04-18 17:27:18.000000000 -0400
30857 +++ linux-2.6.38.4/fs/btrfs/disk-io.c 2011-04-17 16:53:48.000000000 -0400
30859 #include "tree-log.h"
30860 #include "free-space-cache.h"
30862 -static struct extent_io_ops btree_extent_io_ops;
30863 +static const struct extent_io_ops btree_extent_io_ops;
30864 static void end_workqueue_fn(struct btrfs_work *work);
30865 static void free_fs_root(struct btrfs_root *root);
30866 static void btrfs_check_super_valid(struct btrfs_fs_info *fs_info,
30867 @@ -3030,7 +3030,7 @@ static int btrfs_cleanup_transaction(str
30871 -static struct extent_io_ops btree_extent_io_ops = {
30872 +static const struct extent_io_ops btree_extent_io_ops = {
30873 .write_cache_pages_lock_hook = btree_lock_page_hook,
30874 .readpage_end_io_hook = btree_readpage_end_io_hook,
30875 .submit_bio_hook = btree_submit_bio_hook,
30876 diff -urNp linux-2.6.38.4/fs/btrfs/extent_io.h linux-2.6.38.4/fs/btrfs/extent_io.h
30877 --- linux-2.6.38.4/fs/btrfs/extent_io.h 2011-03-14 21:20:32.000000000 -0400
30878 +++ linux-2.6.38.4/fs/btrfs/extent_io.h 2011-04-17 15:57:32.000000000 -0400
30879 @@ -55,36 +55,36 @@ typedef int (extent_submit_bio_hook_t)(s
30880 struct bio *bio, int mirror_num,
30881 unsigned long bio_flags, u64 bio_offset);
30882 struct extent_io_ops {
30883 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
30884 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
30885 u64 start, u64 end, int *page_started,
30886 unsigned long *nr_written);
30887 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
30888 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
30889 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
30890 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
30891 extent_submit_bio_hook_t *submit_bio_hook;
30892 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
30893 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
30894 size_t size, struct bio *bio,
30895 unsigned long bio_flags);
30896 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
30897 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
30898 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
30899 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
30900 u64 start, u64 end,
30901 struct extent_state *state);
30902 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
30903 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
30904 u64 start, u64 end,
30905 struct extent_state *state);
30906 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
30907 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
30908 struct extent_state *state);
30909 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
30910 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
30911 struct extent_state *state, int uptodate);
30912 - int (*set_bit_hook)(struct inode *inode, struct extent_state *state,
30913 + int (* const set_bit_hook)(struct inode *inode, struct extent_state *state,
30915 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
30916 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
30918 - int (*merge_extent_hook)(struct inode *inode,
30919 + int (* const merge_extent_hook)(struct inode *inode,
30920 struct extent_state *new,
30921 struct extent_state *other);
30922 - int (*split_extent_hook)(struct inode *inode,
30923 + int (* const split_extent_hook)(struct inode *inode,
30924 struct extent_state *orig, u64 split);
30925 - int (*write_cache_pages_lock_hook)(struct page *page);
30926 + int (* const write_cache_pages_lock_hook)(struct page *page);
30929 struct extent_io_tree {
30930 @@ -94,7 +94,7 @@ struct extent_io_tree {
30933 spinlock_t buffer_lock;
30934 - struct extent_io_ops *ops;
30935 + const struct extent_io_ops *ops;
30938 struct extent_state {
30939 diff -urNp linux-2.6.38.4/fs/btrfs/free-space-cache.c linux-2.6.38.4/fs/btrfs/free-space-cache.c
30940 --- linux-2.6.38.4/fs/btrfs/free-space-cache.c 2011-03-14 21:20:32.000000000 -0400
30941 +++ linux-2.6.38.4/fs/btrfs/free-space-cache.c 2011-04-17 15:57:32.000000000 -0400
30942 @@ -1855,8 +1855,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
30945 if (entry->bytes < bytes || entry->offset < min_start) {
30946 - struct rb_node *node;
30948 node = rb_next(&entry->offset_index);
30951 @@ -2018,7 +2016,7 @@ again:
30953 while (entry->bitmap || found_bitmap ||
30954 (!entry->bitmap && entry->bytes < min_bytes)) {
30955 - struct rb_node *node = rb_next(&entry->offset_index);
30956 + node = rb_next(&entry->offset_index);
30958 if (entry->bitmap && entry->bytes > bytes + empty_size) {
30959 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
30960 diff -urNp linux-2.6.38.4/fs/btrfs/inode.c linux-2.6.38.4/fs/btrfs/inode.c
30961 --- linux-2.6.38.4/fs/btrfs/inode.c 2011-03-14 21:20:32.000000000 -0400
30962 +++ linux-2.6.38.4/fs/btrfs/inode.c 2011-04-17 15:57:32.000000000 -0400
30963 @@ -64,7 +64,7 @@ static const struct inode_operations btr
30964 static const struct address_space_operations btrfs_aops;
30965 static const struct address_space_operations btrfs_symlink_aops;
30966 static const struct file_operations btrfs_dir_file_operations;
30967 -static struct extent_io_ops btrfs_extent_io_ops;
30968 +static const struct extent_io_ops btrfs_extent_io_ops;
30970 static struct kmem_cache *btrfs_inode_cachep;
30971 struct kmem_cache *btrfs_trans_handle_cachep;
30972 @@ -6796,7 +6796,7 @@ fail:
30976 -static int btrfs_getattr(struct vfsmount *mnt,
30977 +int btrfs_getattr(struct vfsmount *mnt,
30978 struct dentry *dentry, struct kstat *stat)
30980 struct inode *inode = dentry->d_inode;
30981 @@ -6808,6 +6808,14 @@ static int btrfs_getattr(struct vfsmount
30985 +EXPORT_SYMBOL(btrfs_getattr);
30987 +dev_t get_btrfs_dev_from_inode(struct inode *inode)
30989 + return BTRFS_I(inode)->root->anon_super.s_dev;
30991 +EXPORT_SYMBOL(get_btrfs_dev_from_inode);
30993 static int btrfs_rename(struct inode *old_dir, struct dentry *old_dentry,
30994 struct inode *new_dir, struct dentry *new_dentry)
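Review bot: `get_btrfs_dev_from_inode()` and the now-external `btrfs_getattr()` are exported without a prototype in any header visible here and without a comment saying which code consumes them, so the export reads as unexplained API surface. An `extern` declaration in a btrfs header plus a one-line comment on the new function, e.g. `/* exported for <consumer>: returns the anonymous dev_t of the inode's subvolume root, not the backing block device */` with the consumer filled in, would document the contract; the function returns `BTRFS_I(inode)->root->anon_super.s_dev`, which appears to be the per-root anonymous superblock's device number rather than the block device, and that distinction is exactly what a caller needs to know.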
30996 @@ -7311,7 +7319,7 @@ static const struct file_operations btrf
30997 .fsync = btrfs_sync_file,
31000 -static struct extent_io_ops btrfs_extent_io_ops = {
31001 +static const struct extent_io_ops btrfs_extent_io_ops = {
31002 .fill_delalloc = run_delalloc_range,
31003 .submit_bio_hook = btrfs_submit_bio_hook,
31004 .merge_bio_hook = btrfs_merge_bio_hook,
31005 diff -urNp linux-2.6.38.4/fs/btrfs/ioctl.c linux-2.6.38.4/fs/btrfs/ioctl.c
31006 --- linux-2.6.38.4/fs/btrfs/ioctl.c 2011-04-18 17:27:18.000000000 -0400
31007 +++ linux-2.6.38.4/fs/btrfs/ioctl.c 2011-04-17 16:53:48.000000000 -0400
31008 @@ -2274,9 +2274,12 @@ long btrfs_ioctl_space_info(struct btrfs
31009 for (i = 0; i < num_types; i++) {
31010 struct btrfs_space_info *tmp;
31012 + /* Don't copy in more than we allocated */
31020 list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
31021 @@ -2298,10 +2301,7 @@ long btrfs_ioctl_space_info(struct btrfs
31022 memcpy(dest, &space, sizeof(space));
31024 space_args.total_spaces++;
31030 up_read(&info->groups_sem);
31032 diff -urNp linux-2.6.38.4/fs/btrfs/relocation.c linux-2.6.38.4/fs/btrfs/relocation.c
31033 --- linux-2.6.38.4/fs/btrfs/relocation.c 2011-03-14 21:20:32.000000000 -0400
31034 +++ linux-2.6.38.4/fs/btrfs/relocation.c 2011-04-17 15:57:32.000000000 -0400
31035 @@ -1239,7 +1239,7 @@ static int __update_reloc_root(struct bt
31037 spin_unlock(&rc->reloc_root_tree.lock);
31039 - BUG_ON((struct btrfs_root *)node->data != root);
31040 + BUG_ON(!node || (struct btrfs_root *)node->data != root);
31043 spin_lock(&rc->reloc_root_tree.lock);
31044 diff -urNp linux-2.6.38.4/fs/cachefiles/bind.c linux-2.6.38.4/fs/cachefiles/bind.c
31045 --- linux-2.6.38.4/fs/cachefiles/bind.c 2011-03-14 21:20:32.000000000 -0400
31046 +++ linux-2.6.38.4/fs/cachefiles/bind.c 2011-04-17 15:57:32.000000000 -0400
31047 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
31050 /* start by checking things over */
31051 - ASSERT(cache->fstop_percent >= 0 &&
31052 - cache->fstop_percent < cache->fcull_percent &&
31053 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
31054 cache->fcull_percent < cache->frun_percent &&
31055 cache->frun_percent < 100);
31057 - ASSERT(cache->bstop_percent >= 0 &&
31058 - cache->bstop_percent < cache->bcull_percent &&
31059 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
31060 cache->bcull_percent < cache->brun_percent &&
31061 cache->brun_percent < 100);
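Review bot: Dropping the `>= 0` terms from both ASSERTs is correct only if `fstop_percent` and `bstop_percent` are unsigned, and the type change that would justify it is not in this hunk (the struct lives in the cachefiles header, outside this view). The same assumption underlies the removed `< 0` tests in fs/cachefiles/daemon.c (`datalen`, `fstop`, `bstop`) and fs/compat.c (`nr_segs`); anyone applying this series should check those field and parameter types in one pass. If any of them is still a signed type, the removed lower bound silently becomes an unchecked negative value.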
31063 diff -urNp linux-2.6.38.4/fs/cachefiles/daemon.c linux-2.6.38.4/fs/cachefiles/daemon.c
31064 --- linux-2.6.38.4/fs/cachefiles/daemon.c 2011-03-14 21:20:32.000000000 -0400
31065 +++ linux-2.6.38.4/fs/cachefiles/daemon.c 2011-04-17 15:57:32.000000000 -0400
31066 @@ -196,7 +196,7 @@ static ssize_t cachefiles_daemon_read(st
31070 - if (copy_to_user(_buffer, buffer, n) != 0)
31071 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
31075 @@ -222,7 +222,7 @@ static ssize_t cachefiles_daemon_write(s
31076 if (test_bit(CACHEFILES_DEAD, &cache->flags))
31079 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
31080 + if (datalen > PAGE_SIZE - 1)
31081 return -EOPNOTSUPP;
31083 /* drag the command string into the kernel so we can parse it */
31084 @@ -386,7 +386,7 @@ static int cachefiles_daemon_fstop(struc
31085 if (args[0] != '%' || args[1] != '\0')
31088 - if (fstop < 0 || fstop >= cache->fcull_percent)
31089 + if (fstop >= cache->fcull_percent)
31090 return cachefiles_daemon_range_error(cache, args);
31092 cache->fstop_percent = fstop;
31093 @@ -458,7 +458,7 @@ static int cachefiles_daemon_bstop(struc
31094 if (args[0] != '%' || args[1] != '\0')
31097 - if (bstop < 0 || bstop >= cache->bcull_percent)
31098 + if (bstop >= cache->bcull_percent)
31099 return cachefiles_daemon_range_error(cache, args);
31101 cache->bstop_percent = bstop;
31102 diff -urNp linux-2.6.38.4/fs/cachefiles/rdwr.c linux-2.6.38.4/fs/cachefiles/rdwr.c
31103 --- linux-2.6.38.4/fs/cachefiles/rdwr.c 2011-03-14 21:20:32.000000000 -0400
31104 +++ linux-2.6.38.4/fs/cachefiles/rdwr.c 2011-04-17 15:57:32.000000000 -0400
31105 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
31108 ret = file->f_op->write(
31109 - file, (const void __user *) data, len, &pos);
31110 + file, (__force const void __user *) data, len, &pos);
31114 diff -urNp linux-2.6.38.4/fs/ceph/dir.c linux-2.6.38.4/fs/ceph/dir.c
31115 --- linux-2.6.38.4/fs/ceph/dir.c 2011-03-14 21:20:32.000000000 -0400
31116 +++ linux-2.6.38.4/fs/ceph/dir.c 2011-04-17 15:57:32.000000000 -0400
31117 @@ -226,7 +226,7 @@ static int ceph_readdir(struct file *fil
31118 struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
31119 struct ceph_mds_client *mdsc = fsc->mdsc;
31120 unsigned frag = fpos_frag(filp->f_pos);
31121 - int off = fpos_off(filp->f_pos);
31122 + unsigned int off = fpos_off(filp->f_pos);
31125 struct ceph_mds_reply_info_parsed *rinfo;
31126 @@ -358,7 +358,7 @@ more:
31127 rinfo = &fi->last_readdir->r_reply_info;
31128 dout("readdir frag %x num %d off %d chunkoff %d\n", frag,
31129 rinfo->dir_nr, off, fi->offset);
31130 - while (off - fi->offset >= 0 && off - fi->offset < rinfo->dir_nr) {
31131 + while (off >= fi->offset && off - fi->offset < rinfo->dir_nr) {
31132 u64 pos = ceph_make_fpos(frag, off);
31133 struct ceph_mds_reply_inode *in =
31134 rinfo->dir_in[off - fi->offset].in;
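Review bot: With `off` now `unsigned int`, the loop condition `off >= fi->offset && off - fi->offset < rinfo->dir_nr` compares an unsigned value against `fi->offset` and `rinfo->dir_nr`, whose types are not visible here; if either is a signed int, the usual arithmetic conversions evaluate the comparison as unsigned, which is harmless while both are non-negative but would turn a negative `dir_nr` into a huge bound. A short comment on the declaration in the hunk at 226 of the new file, e.g. `/* unsigned: fi->offset and dir_nr are never negative, so the subtraction cannot underflow */` — confirmed against their declarations — would record that assumption. ceph_readdir starts and ends outside this hunk.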
31135 diff -urNp linux-2.6.38.4/fs/cifs/cifs_uniupr.h linux-2.6.38.4/fs/cifs/cifs_uniupr.h
31136 --- linux-2.6.38.4/fs/cifs/cifs_uniupr.h 2011-03-14 21:20:32.000000000 -0400
31137 +++ linux-2.6.38.4/fs/cifs/cifs_uniupr.h 2011-04-17 15:57:32.000000000 -0400
31138 @@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
31139 {0x0490, 0x04cc, UniCaseRangeU0490},
31140 {0x1e00, 0x1ffc, UniCaseRangeU1e00},
31141 {0xff40, 0xff5a, UniCaseRangeUff40},
31147 diff -urNp linux-2.6.38.4/fs/cifs/link.c linux-2.6.38.4/fs/cifs/link.c
31148 --- linux-2.6.38.4/fs/cifs/link.c 2011-03-14 21:20:32.000000000 -0400
31149 +++ linux-2.6.38.4/fs/cifs/link.c 2011-04-17 15:57:32.000000000 -0400
31150 @@ -577,7 +577,7 @@ symlink_exit:
31152 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
31154 - char *p = nd_get_link(nd);
31155 + const char *p = nd_get_link(nd);
31159 diff -urNp linux-2.6.38.4/fs/compat_binfmt_elf.c linux-2.6.38.4/fs/compat_binfmt_elf.c
31160 --- linux-2.6.38.4/fs/compat_binfmt_elf.c 2011-03-14 21:20:32.000000000 -0400
31161 +++ linux-2.6.38.4/fs/compat_binfmt_elf.c 2011-04-17 15:57:32.000000000 -0400
31162 @@ -30,11 +30,13 @@
31168 #define elfhdr elf32_hdr
31169 #define elf_phdr elf32_phdr
31170 #define elf_shdr elf32_shdr
31171 #define elf_note elf32_note
31172 +#define elf_dyn Elf32_Dyn
31173 #define elf_addr_t Elf32_Addr
31176 diff -urNp linux-2.6.38.4/fs/compat.c linux-2.6.38.4/fs/compat.c
31177 --- linux-2.6.38.4/fs/compat.c 2011-03-14 21:20:32.000000000 -0400
31178 +++ linux-2.6.38.4/fs/compat.c 2011-04-17 15:57:32.000000000 -0400
31179 @@ -594,7 +594,7 @@ ssize_t compat_rw_copy_check_uvector(int
31183 - if (nr_segs > UIO_MAXIOV || nr_segs < 0)
31184 + if (nr_segs > UIO_MAXIOV)
31186 if (nr_segs > fast_segs) {
31188 @@ -876,6 +876,7 @@ struct compat_old_linux_dirent {
31190 struct compat_readdir_callback {
31191 struct compat_old_linux_dirent __user *dirent;
31192 + struct file * file;
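Review bot: `struct file * file;` separates the `*` from the identifier, against kernel style; `struct file *file;` is the conventional spelling, and the same form is added to the two later callback structs in this file (hunks at 951 and 1046 of the new file). The field is read by `gr_acl_handle_filldir(buf->file, ...)` in each filldir callback, while the lines that initialise it in the compat_sys_*readdir* wrappers are collapsed out of the hunk text; each caller must set it before `vfs_readdir`, or the callback dereferences an uninitialised pointer.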
31196 @@ -893,6 +894,10 @@ static int compat_fillonedir(void *__buf
31197 buf->result = -EOVERFLOW;
31201 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
31205 dirent = buf->dirent;
31206 if (!access_ok(VERIFY_WRITE, dirent,
31207 @@ -925,6 +930,7 @@ asmlinkage long compat_sys_old_readdir(u
31210 buf.dirent = dirent;
31213 error = vfs_readdir(file, compat_fillonedir, &buf);
31215 @@ -945,6 +951,7 @@ struct compat_linux_dirent {
31216 struct compat_getdents_callback {
31217 struct compat_linux_dirent __user *current_dir;
31218 struct compat_linux_dirent __user *previous;
31219 + struct file * file;
31223 @@ -966,6 +973,10 @@ static int compat_filldir(void *__buf, c
31224 buf->error = -EOVERFLOW;
31228 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
31231 dirent = buf->previous;
31233 if (__put_user(offset, &dirent->d_off))
31234 @@ -1013,6 +1024,7 @@ asmlinkage long compat_sys_getdents(unsi
31235 buf.previous = NULL;
31240 error = vfs_readdir(file, compat_filldir, &buf);
31242 @@ -1034,6 +1046,7 @@ out:
31243 struct compat_getdents_callback64 {
31244 struct linux_dirent64 __user *current_dir;
31245 struct linux_dirent64 __user *previous;
31246 + struct file * file;
31250 @@ -1050,6 +1063,10 @@ static int compat_filldir64(void * __buf
31251 buf->error = -EINVAL; /* only used if we fail.. */
31252 if (reclen > buf->count)
31255 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
31258 dirent = buf->previous;
31261 @@ -1101,6 +1118,7 @@ asmlinkage long compat_sys_getdents64(un
31262 buf.previous = NULL;
31267 error = vfs_readdir(file, compat_filldir64, &buf);
31269 @@ -1423,6 +1441,7 @@ static int compat_copy_strings(int argc,
31271 page = get_arg_page(bprm, pos, 1);
31273 + /* We've exceed the stack rlimit. */
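Review bot: The added comment `/* We've exceed the stack rlimit. */` has a tense slip; `/* We've exceeded the stack rlimit. */` reads correctly. The statement it annotates is collapsed out of the hunk text, so I cannot see whether it guards the NULL return from `get_arg_page` on the line above; compat_copy_strings continues outside the hunk.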
31277 @@ -1464,6 +1483,11 @@ int compat_do_execve(char * filename,
31278 compat_uptr_t __user *envp,
31279 struct pt_regs * regs)
31281 +#ifdef CONFIG_GRKERNSEC
31282 + struct file *old_exec_file;
31283 + struct acl_subject_label *old_acl;
31284 + struct rlimit old_rlim[RLIM_NLIMITS];
31286 struct linux_binprm *bprm;
31288 struct files_struct *displaced;
31289 @@ -1500,6 +1524,19 @@ int compat_do_execve(char * filename,
31290 bprm->filename = filename;
31291 bprm->interp = filename;
31293 + if (gr_process_user_ban()) {
31298 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
31299 + retval = -EAGAIN;
31300 + if (gr_handle_nproc())
31302 + retval = -EACCES;
31303 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
31306 retval = bprm_mm_init(bprm);
31309 @@ -1529,9 +1566,40 @@ int compat_do_execve(char * filename,
31313 + if (!gr_tpe_allow(file)) {
31314 + retval = -EACCES;
31318 + if (gr_check_crash_exec(file)) {
31319 + retval = -EACCES;
31323 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
31325 + gr_handle_exec_args_compat(bprm, argv);
31327 +#ifdef CONFIG_GRKERNSEC
31328 + old_acl = current->acl;
31329 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
31330 + old_exec_file = current->exec_file;
31332 + current->exec_file = file;
31335 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
31336 + bprm->unsafe & LSM_UNSAFE_SHARE);
31340 retval = search_binary_handler(bprm, regs);
31344 +#ifdef CONFIG_GRKERNSEC
31345 + if (old_exec_file)
31346 + fput(old_exec_file);
31349 /* execve succeeded */
31350 current->fs->in_exec = 0;
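Review bot: Both exits release an exec_file with `fput()` — `fput(old_exec_file)` on the success path here and `fput(current->exec_file)` in the failure hunk at 1610 of the new file — but the reference acquisition that must pair with `current->exec_file = file;` is among the collapsed lines, so I cannot confirm that a `get_file(file)` precedes the assignment. If it is missing, the success path drops a reference the caller still owns and the failure path releases one that was never taken. A comment next to the assignment, e.g. `/* exec_file holds its own reference; released by the success/failure paths below */`, would make the pairing explicit. compat_do_execve starts and ends outside this hunk.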
31351 @@ -1542,6 +1610,14 @@ int compat_do_execve(char * filename,
31352 put_files_struct(displaced);
31356 +#ifdef CONFIG_GRKERNSEC
31357 + current->acl = old_acl;
31358 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
31359 + fput(current->exec_file);
31360 + current->exec_file = old_exec_file;
31365 acct_arg_size(bprm, 0);
31366 diff -urNp linux-2.6.38.4/fs/compat_ioctl.c linux-2.6.38.4/fs/compat_ioctl.c
31367 --- linux-2.6.38.4/fs/compat_ioctl.c 2011-03-14 21:20:32.000000000 -0400
31368 +++ linux-2.6.38.4/fs/compat_ioctl.c 2011-04-17 15:57:32.000000000 -0400
31369 @@ -208,6 +208,8 @@ static int do_video_set_spu_palette(unsi
31371 err = get_user(palp, &up->palette);
31372 err |= get_user(length, &up->length);
31376 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
31377 err = put_user(compat_ptr(palp), &up_native->palette);
31378 @@ -1638,8 +1640,8 @@ asmlinkage long compat_sys_ioctl(unsigne
31379 static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
31382 - a = *(unsigned int *)p;
31383 - b = *(unsigned int *)q;
31384 + a = *(const unsigned int *)p;
31385 + b = *(const unsigned int *)q;
31389 diff -urNp linux-2.6.38.4/fs/dcache.c linux-2.6.38.4/fs/dcache.c
31390 --- linux-2.6.38.4/fs/dcache.c 2011-04-18 17:27:16.000000000 -0400
31391 +++ linux-2.6.38.4/fs/dcache.c 2011-04-17 15:57:32.000000000 -0400
31392 @@ -3092,7 +3092,7 @@ void __init vfs_caches_init(unsigned lon
31393 mempages -= reserve;
31395 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
31396 - SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
31397 + SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY, NULL);
31401 diff -urNp linux-2.6.38.4/fs/debugfs/inode.c linux-2.6.38.4/fs/debugfs/inode.c
31402 --- linux-2.6.38.4/fs/debugfs/inode.c 2011-03-14 21:20:32.000000000 -0400
31403 +++ linux-2.6.38.4/fs/debugfs/inode.c 2011-04-17 15:57:32.000000000 -0400
31404 @@ -130,7 +130,7 @@ static inline int debugfs_positive(struc
31406 static int debug_fill_super(struct super_block *sb, void *data, int silent)
31408 - static struct tree_descr debug_files[] = {{""}};
31409 + static struct tree_descr debug_files[] = {{"", NULL, 0}};
31411 return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
31413 diff -urNp linux-2.6.38.4/fs/dlm/lockspace.c linux-2.6.38.4/fs/dlm/lockspace.c
31414 --- linux-2.6.38.4/fs/dlm/lockspace.c 2011-03-14 21:20:32.000000000 -0400
31415 +++ linux-2.6.38.4/fs/dlm/lockspace.c 2011-04-17 15:57:32.000000000 -0400
31416 @@ -200,7 +200,7 @@ static int dlm_uevent(struct kset *kset,
31420 -static struct kset_uevent_ops dlm_uevent_ops = {
31421 +static const struct kset_uevent_ops dlm_uevent_ops = {
31422 .uevent = dlm_uevent,
31425 diff -urNp linux-2.6.38.4/fs/ecryptfs/inode.c linux-2.6.38.4/fs/ecryptfs/inode.c
31426 --- linux-2.6.38.4/fs/ecryptfs/inode.c 2011-03-14 21:20:32.000000000 -0400
31427 +++ linux-2.6.38.4/fs/ecryptfs/inode.c 2011-04-17 15:57:32.000000000 -0400
31428 @@ -658,7 +658,7 @@ static int ecryptfs_readlink_lower(struc
31431 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
31432 - (char __user *)lower_buf,
31433 + (__force char __user *)lower_buf,
31437 @@ -704,7 +704,7 @@ static void *ecryptfs_follow_link(struct
31441 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
31442 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
31446 @@ -719,7 +719,7 @@ out:
31448 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
31450 - char *buf = nd_get_link(nd);
31451 + const char *buf = nd_get_link(nd);
31452 if (!IS_ERR(buf)) {
31453 /* Free the char* */
31455 diff -urNp linux-2.6.38.4/fs/ecryptfs/miscdev.c linux-2.6.38.4/fs/ecryptfs/miscdev.c
31456 --- linux-2.6.38.4/fs/ecryptfs/miscdev.c 2011-03-14 21:20:32.000000000 -0400
31457 +++ linux-2.6.38.4/fs/ecryptfs/miscdev.c 2011-04-17 15:57:32.000000000 -0400
31458 @@ -328,7 +328,7 @@ check_list:
31459 goto out_unlock_msg_ctx;
31461 if (msg_ctx->msg) {
31462 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
31463 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
31464 goto out_unlock_msg_ctx;
31465 i += packet_length_size;
31466 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
31467 diff -urNp linux-2.6.38.4/fs/exec.c linux-2.6.38.4/fs/exec.c
31468 --- linux-2.6.38.4/fs/exec.c 2011-03-14 21:20:32.000000000 -0400
31469 +++ linux-2.6.38.4/fs/exec.c 2011-04-17 15:57:32.000000000 -0400
31470 @@ -55,12 +55,24 @@
31471 #include <linux/fs_struct.h>
31472 #include <linux/pipe_fs_i.h>
31473 #include <linux/oom.h>
31474 +#include <linux/random.h>
31475 +#include <linux/seq_file.h>
31477 +#ifdef CONFIG_PAX_REFCOUNT
31478 +#include <linux/kallsyms.h>
31479 +#include <linux/kdebug.h>
31482 #include <asm/uaccess.h>
31483 #include <asm/mmu_context.h>
31484 #include <asm/tlb.h>
31485 #include "internal.h"
31487 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
31488 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
31489 +EXPORT_SYMBOL(pax_set_initial_flags_func);
31493 char core_pattern[CORENAME_MAX_SIZE] = "core";
31494 unsigned int core_pipe_limit;
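Review bot: `pax_set_initial_flags_func` is a writable, exported function pointer with no comment on who assigns it, when, or from which point in the exec path it is invoked; since it is EXPORT_SYMBOL'd, whatever code writes it determines what runs with the bprm in hand on every exec, so the ownership contract should sit next to the definition. Something like `/* set once by <owner> at init and never cleared; called from <hook site> with the fully set-up bprm */`, with the two placeholders confirmed against the rest of the patch, would do. The new includes under `CONFIG_PAX_REFCOUNT` are not used by anything visible in this hunk, so their consumer should be findable from the same comment.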
31495 @@ -120,7 +132,7 @@ SYSCALL_DEFINE1(uselib, const char __use
31498 file = do_filp_open(AT_FDCWD, tmp,
31499 - O_LARGEFILE | O_RDONLY | __FMODE_EXEC, 0,
31500 + O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC, 0,
31501 MAY_READ | MAY_EXEC | MAY_OPEN);
31503 error = PTR_ERR(file);
31504 @@ -187,18 +199,10 @@ struct page *get_arg_page(struct linux_b
31510 -#ifdef CONFIG_STACK_GROWSUP
31512 - ret = expand_stack_downwards(bprm->vma, pos);
31517 - ret = get_user_pages(current, bprm->mm, pos,
31518 - 1, write, 1, &page, NULL);
31520 + if (0 > expand_stack_downwards(bprm->vma, pos))
31522 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
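Review bot: The rewritten checks put the constant on the left (`0 > expand_stack_downwards(...)`, `0 >= get_user_pages(...)`), which is not the kernel's `if (ret < 0)` spelling and reads awkwardly; `if (expand_stack_downwards(bprm->vma, pos) < 0)` and `if (get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL) <= 0)` say the same thing in the house style. The hunk also removes the `#ifdef CONFIG_STACK_GROWSUP` guard, so `expand_stack_downwards` is now reached on every architecture through this path, and the surrounding `write` condition is collapsed out of view; a one-line comment on why the guard was dropped would stop the next reader from restoring it. get_arg_page starts and ends outside the hunk.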
31526 @@ -273,6 +277,11 @@ static int __bprm_mm_init(struct linux_b
31527 vma->vm_end = STACK_TOP_MAX;
31528 vma->vm_start = vma->vm_end - PAGE_SIZE;
31529 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
31531 +#ifdef CONFIG_PAX_SEGMEXEC
31532 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
31535 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
31536 INIT_LIST_HEAD(&vma->anon_vma_chain);
31538 @@ -287,6 +296,12 @@ static int __bprm_mm_init(struct linux_b
31539 mm->stack_vm = mm->total_vm = 1;
31540 up_write(&mm->mmap_sem);
31541 bprm->p = vma->vm_end - sizeof(void *);
31543 +#ifdef CONFIG_PAX_RANDUSTACK
31544 + if (randomize_va_space)
31545 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
31550 up_write(&mm->mmap_sem);
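Review bot: The XOR at 31545 randomises `bprm->p` inside its page whenever the global `randomize_va_space` is set, without consulting the task's own randomisation state (mainline gates stack randomisation on `PF_RANDOMIZE`, which personality flags such as ADDR_NO_RANDOMIZE clear); if ignoring the per-process setting is intended, the code should say so. A comment would also spare readers the mask arithmetic: `/* perturb the initial stack pointer within its page: & ~15 keeps 16-byte alignment, & ~PAGE_MASK keeps it on the same page */`. The `#endif` closing this block is not among the visible lines.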
31551 @@ -522,7 +537,7 @@ int copy_strings_kernel(int argc, const
31553 mm_segment_t oldfs = get_fs();
31555 - r = copy_strings(argc, (const char __user *const __user *)argv, bprm);
31556 + r = copy_strings(argc, (__force const char __user *const __user *)argv, bprm);
31560 @@ -552,7 +567,8 @@ static int shift_arg_pages(struct vm_are
31561 unsigned long new_end = old_end - shift;
31562 struct mmu_gather *tlb;
31564 - BUG_ON(new_start > new_end);
31565 + if (new_start >= new_end || new_start < mmap_min_addr)
31569 * ensure there are no vmas between where we want to go
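Review bot: The replacement at 31565 turns the old `BUG_ON(new_start > new_end)` into a recoverable check and adds the `mmap_min_addr` bound that this patch removes from setup_arg_pages (the deletion at 31585-31586), but the statement executed when the condition holds is not in the visible lines, so I cannot confirm it returns a negative errno that setup_arg_pages propagates rather than falling through. Note also the `>` to `>=` change: a zero-length result now fails where it previously passed. A short comment would tie the two hunks together: `/* reject an empty range or a stack that would extend below mmap_min_addr (checked here instead of in setup_arg_pages) */`. shift_arg_pages continues outside the hunk.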
31570 @@ -561,6 +577,10 @@ static int shift_arg_pages(struct vm_are
31571 if (vma != find_vma(mm, new_start))
31574 +#ifdef CONFIG_PAX_SEGMEXEC
31575 + BUG_ON(pax_find_mirror_vma(vma));
31579 * cover the whole range: [new_start, old_end)
31581 @@ -641,10 +661,6 @@ int setup_arg_pages(struct linux_binprm
31582 stack_top = arch_align_stack(stack_top);
31583 stack_top = PAGE_ALIGN(stack_top);
31585 - if (unlikely(stack_top < mmap_min_addr) ||
31586 - unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
31589 stack_shift = vma->vm_end - stack_top;
31591 bprm->p -= stack_shift;
31592 @@ -656,8 +672,28 @@ int setup_arg_pages(struct linux_binprm
31593 bprm->exec -= stack_shift;
31595 down_write(&mm->mmap_sem);
31597 + /* Move stack pages down in memory. */
31598 + if (stack_shift) {
31599 + ret = shift_arg_pages(vma, stack_shift);
31604 vm_flags = VM_STACK_FLAGS;
31606 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
31607 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
31608 + vm_flags &= ~VM_EXEC;
31610 +#ifdef CONFIG_PAX_MPROTECT
31611 + if (mm->pax_flags & MF_PAX_MPROTECT)
31612 + vm_flags &= ~VM_MAYEXEC;
31619 * Adjust stack execute permissions; explicitly enable for
31620 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
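Review bot: The new block at 31606-31612 clears VM_EXEC (and VM_MAYEXEC under MPROTECT) from `vm_flags`, but the code that follows, per the retained comment at 31619-31620, re-enables execution for EXSTACK_ENABLE_X; unless the ELF loader forces `executable_stack` to EXSTACK_DISABLE_X whenever these pax_flags are set (not visible in this chunk), a PT_GNU_STACK marked PF_X could put VM_EXEC back after PaX removed it. If the loader does guarantee that, a comment here should say so; otherwise the PaX masking belongs after the EXSTACK adjustment. The hunk also moves the `shift_arg_pages` call ahead of the flag fix-up (the deletion at 31625-31627 is its old position), and the error branch for a failed shift is not visible, so please check it still releases `mm->mmap_sem`. The remainder of setup_arg_pages lies outside the hunk.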
31621 @@ -676,13 +712,6 @@ int setup_arg_pages(struct linux_binprm
31623 BUG_ON(prev != vma);
31625 - /* Move stack pages down in memory. */
31626 - if (stack_shift) {
31627 - ret = shift_arg_pages(vma, stack_shift);
31632 /* mprotect_fixup is overkill to remove the temporary stack flags */
31633 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
31635 @@ -723,7 +752,7 @@ struct file *open_exec(const char *name)
31638 file = do_filp_open(AT_FDCWD, name,
31639 - O_LARGEFILE | O_RDONLY | __FMODE_EXEC, 0,
31640 + O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC, 0,
31641 MAY_EXEC | MAY_OPEN);
31644 @@ -760,7 +789,7 @@ int kernel_read(struct file *file, loff_
31647 /* The cast to a user pointer is valid due to the set_fs() */
31648 - result = vfs_read(file, (void __user *)addr, count, &pos);
31649 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
31653 @@ -1182,7 +1211,7 @@ int check_unsafe_exec(struct linux_binpr
31657 - if (p->fs->users > n_fs) {
31658 + if (atomic_read(&p->fs->users) > n_fs) {
31659 bprm->unsafe |= LSM_UNSAFE_SHARE;
31662 @@ -1378,6 +1407,11 @@ int do_execve(const char * filename,
31663 const char __user *const __user *envp,
31664 struct pt_regs * regs)
31666 +#ifdef CONFIG_GRKERNSEC
31667 + struct file *old_exec_file;
31668 + struct acl_subject_label *old_acl;
31669 + struct rlimit old_rlim[RLIM_NLIMITS];
31671 struct linux_binprm *bprm;
31673 struct files_struct *displaced;
31674 @@ -1414,6 +1448,23 @@ int do_execve(const char * filename,
31675 bprm->filename = filename;
31676 bprm->interp = filename;
31678 + if (gr_process_user_ban()) {
31683 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
31685 + if (gr_handle_nproc()) {
31686 + retval = -EAGAIN;
31690 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
31691 + retval = -EACCES;
31695 retval = bprm_mm_init(bprm);
31698 @@ -1443,9 +1494,40 @@ int do_execve(const char * filename,
31702 + if (!gr_tpe_allow(file)) {
31703 + retval = -EACCES;
31707 + if (gr_check_crash_exec(file)) {
31708 + retval = -EACCES;
31712 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
31714 + gr_handle_exec_args(bprm, argv);
31716 +#ifdef CONFIG_GRKERNSEC
31717 + old_acl = current->acl;
31718 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
31719 + old_exec_file = current->exec_file;
31721 + current->exec_file = file;
31724 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
31725 + bprm->unsafe & LSM_UNSAFE_SHARE);
31729 retval = search_binary_handler(bprm,regs);
31733 +#ifdef CONFIG_GRKERNSEC
31734 + if (old_exec_file)
31735 + fput(old_exec_file);
31738 /* execve succeeded */
31739 current->fs->in_exec = 0;
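Review bot: The snapshot at 31718 (`memcpy(old_rlim, current->signal->rlim, ...)`) and its restore in the next hunk (31747) read and write the shared `signal->rlim` array without the `task_lock(group_leader)` that setrlimit writers appear to take, so a limit changed by another thread of the group between the snapshot and a failed exec is silently reverted; at minimum a comment should state that this window is accepted, and if it is not, the restore can be done under that lock. `current->exec_file = file` at 31721 is followed on the success path by `fput(old_exec_file)` (31734-31735) and on the failure path by `fput(current->exec_file)` (31748), which implies a `get_file(file)` in the lines not shown between 31719 and 31721; please confirm it is there, since the reference accounting otherwise underflows. This hunk sits in the middle of do_execve.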
31740 @@ -1456,6 +1538,14 @@ int do_execve(const char * filename,
31741 put_files_struct(displaced);
31745 +#ifdef CONFIG_GRKERNSEC
31746 + current->acl = old_acl;
31747 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
31748 + fput(current->exec_file);
31749 + current->exec_file = old_exec_file;
31754 acct_arg_size(bprm, 0);
31755 @@ -1642,6 +1732,208 @@ out:
31759 +int pax_check_flags(unsigned long *flags)
31763 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
31764 + if (*flags & MF_PAX_SEGMEXEC)
31766 + *flags &= ~MF_PAX_SEGMEXEC;
31767 + retval = -EINVAL;
31771 + if ((*flags & MF_PAX_PAGEEXEC)
31773 +#ifdef CONFIG_PAX_PAGEEXEC
31774 + && (*flags & MF_PAX_SEGMEXEC)
31779 + *flags &= ~MF_PAX_PAGEEXEC;
31780 + retval = -EINVAL;
31783 + if ((*flags & MF_PAX_MPROTECT)
31785 +#ifdef CONFIG_PAX_MPROTECT
31786 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
31791 + *flags &= ~MF_PAX_MPROTECT;
31792 + retval = -EINVAL;
31795 + if ((*flags & MF_PAX_EMUTRAMP)
31797 +#ifdef CONFIG_PAX_EMUTRAMP
31798 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
31803 + *flags &= ~MF_PAX_EMUTRAMP;
31804 + retval = -EINVAL;
31810 +EXPORT_SYMBOL(pax_check_flags);
31812 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
31813 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
31815 + struct task_struct *tsk = current;
31816 + struct mm_struct *mm = current->mm;
31817 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
31818 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
31819 + char *path_exec = NULL;
31820 + char *path_fault = NULL;
31821 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
31823 + if (buffer_exec && buffer_fault) {
31824 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
31826 + down_read(&mm->mmap_sem);
31828 + while (vma && (!vma_exec || !vma_fault)) {
31829 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
31831 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
31833 + vma = vma->vm_next;
31836 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
31837 + if (IS_ERR(path_exec))
31838 + path_exec = "<path too long>";
31840 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
31843 + path_exec = buffer_exec;
31845 + path_exec = "<path too long>";
31849 + start = vma_fault->vm_start;
31850 + end = vma_fault->vm_end;
31851 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
31852 + if (vma_fault->vm_file) {
31853 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
31854 + if (IS_ERR(path_fault))
31855 + path_fault = "<path too long>";
31857 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
31858 + if (path_fault) {
31860 + path_fault = buffer_fault;
31862 + path_fault = "<path too long>";
31865 + path_fault = "<anonymous mapping>";
31867 + up_read(&mm->mmap_sem);
31869 + if (tsk->signal->curr_ip)
31870 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
31872 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
31873 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
31874 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
31875 + task_uid(tsk), task_euid(tsk), pc, sp);
31876 + free_page((unsigned long)buffer_exec);
31877 + free_page((unsigned long)buffer_fault);
31878 + pax_report_insns(pc, sp);
31879 + do_coredump(SIGKILL, SIGKILL, regs);
31883 +#ifdef CONFIG_PAX_REFCOUNT
31884 +void pax_report_refcount_overflow(struct pt_regs *regs)
31886 + if (current->signal->curr_ip)
31887 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
31888 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
31890 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
31891 + current->comm, task_pid_nr(current), current_uid(), current_euid());
31892 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
31894 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
31898 +#ifdef CONFIG_PAX_USERCOPY
31899 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
31900 +int object_is_on_stack(const void *obj, unsigned long len)
31902 + const void * const stack = task_stack_page(current);
31903 + const void * const stackend = stack + THREAD_SIZE;
31905 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
31906 + const void *frame = NULL;
31907 + const void *oldframe;
31910 + if (obj + len < obj)
31913 + if (obj + len <= stack || stackend <= obj)
31916 + if (obj < stack || stackend < obj + len)
31919 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
31920 + oldframe = __builtin_frame_address(1);
31922 + frame = __builtin_frame_address(2);
31924 + low ----------------------------------------------> high
31925 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
31926 + ^----------------^
31927 + allow copies only within here
31929 + while (stack <= frame && frame < stackend) {
31930 + /* if obj + len extends past the last frame, this
31931 + check won't pass and the next frame will be 0,
31932 + causing us to bail out and correctly report
31933 + the copy as invalid
31935 + if (obj + len <= frame)
31936 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
31937 + oldframe = frame;
31938 + frame = *(const void * const *)frame;
31947 +void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
31949 + if (current->signal->curr_ip)
31950 + printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
31951 + ¤t->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
31953 + printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
31954 + to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
31956 + gr_handle_kernel_exploit();
31957 + do_group_exit(SIGKILL);
31961 static int zap_process(struct task_struct *start, int exit_code)
31963 struct task_struct *t;
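Review bot: In `object_is_on_stack` (31900) the wrap-around test `if (obj + len < obj)` at 31910 relies on pointer arithmetic overflowing, which is undefined behaviour on pointers and which GCC may fold to false, defeating the check; compare integers instead: `if ((unsigned long)obj + len < (unsigned long)obj)`. The range tests at 31913 and 31916 also compute `obj + len` on a `const void *` (a GNU extension), so casting once to `unsigned long` at the top of the function would remove both the UB and the extension dependency. In `pax_report_fault`, when either page allocation fails the function still reports with `path_fault` and `path_exec` NULL (printed as "(null)"), which is acceptable but deserves a comment at 31823. The message at 31892 misspells "occurred": `"PAX: refcount overflow occurred at: %s\n"`.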
31964 @@ -1852,17 +2144,17 @@ static void wait_for_dump_helpers(struct
31965 pipe = file->f_path.dentry->d_inode->i_pipe;
31970 + atomic_inc(&pipe->readers);
31971 + atomic_dec(&pipe->writers);
31973 - while ((pipe->readers > 1) && (!signal_pending(current))) {
31974 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
31975 wake_up_interruptible_sync(&pipe->wait);
31976 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
31982 + atomic_dec(&pipe->readers);
31983 + atomic_inc(&pipe->writers);
31987 @@ -1938,6 +2230,9 @@ void do_coredump(long signr, int exit_co
31989 audit_core_dumps(signr);
31991 + if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
31992 + gr_handle_brute_attach(current, cprm.mm_flags);
31994 binfmt = mm->binfmt;
31995 if (!binfmt || !binfmt->core_dump)
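Review bot: The signal list at 31991 includes SIGKILL, which is unusual for a crash detector, and nothing explains it; the reason is visible earlier in this patch, where `pax_report_fault` calls `do_coredump(SIGKILL, SIGKILL, regs)` so that PaX terminations reach the same detector. A comment on the condition would keep that link from being lost: `/* SIGKILL: PaX reports its own kills through do_coredump(SIGKILL, ...) */`. What `gr_handle_brute_attach` does with `cprm.mm_flags` is defined outside this file.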
31997 @@ -1978,6 +2273,8 @@ void do_coredump(long signr, int exit_co
31998 goto fail_corename;
32001 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
32005 char **helper_argv;
32006 diff -urNp linux-2.6.38.4/fs/ext2/balloc.c linux-2.6.38.4/fs/ext2/balloc.c
32007 --- linux-2.6.38.4/fs/ext2/balloc.c 2011-03-14 21:20:32.000000000 -0400
32008 +++ linux-2.6.38.4/fs/ext2/balloc.c 2011-04-17 15:57:32.000000000 -0400
32009 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
32011 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
32012 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
32013 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
32014 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
32015 sbi->s_resuid != current_fsuid() &&
32016 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
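Review bot: The switch from `capable()` to `capable_nolog()` at 32014 has no comment, and the same change is made in ext3 (32040) and ext4 (32078); the reason — presumably that the root-reserved-blocks test merely probes whether the caller could use CAP_SYS_RESOURCE, and logging every ordinary allocation as a capability use would flood the log — should be recorded once, since `capable_nolog` is defined elsewhere in the patch and the distinction is easy to lose on a future merge. Suggested comment above the condition: `/* capable_nolog(): an ordinary allocation probe, not a privilege use; keep it out of the capability log */`. Note this also means a genuine dip into the reserved blocks by a privileged task is not logged; confirm that trade-off is intended.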
32018 diff -urNp linux-2.6.38.4/fs/ext2/xattr.c linux-2.6.38.4/fs/ext2/xattr.c
32019 --- linux-2.6.38.4/fs/ext2/xattr.c 2011-03-14 21:20:32.000000000 -0400
32020 +++ linux-2.6.38.4/fs/ext2/xattr.c 2011-04-17 15:57:32.000000000 -0400
32025 -# define ea_idebug(f...)
32026 -# define ea_bdebug(f...)
32027 +# define ea_idebug(inode, f...) do {} while (0)
32028 +# define ea_bdebug(bh, f...) do {} while (0)
32031 static int ext2_xattr_set2(struct inode *, struct buffer_head *,
32032 diff -urNp linux-2.6.38.4/fs/ext3/balloc.c linux-2.6.38.4/fs/ext3/balloc.c
32033 --- linux-2.6.38.4/fs/ext3/balloc.c 2011-03-14 21:20:32.000000000 -0400
32034 +++ linux-2.6.38.4/fs/ext3/balloc.c 2011-04-17 15:57:32.000000000 -0400
32035 @@ -1441,7 +1441,7 @@ static int ext3_has_free_blocks(struct e
32037 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
32038 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
32039 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
32040 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
32041 sbi->s_resuid != current_fsuid() &&
32042 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
32044 diff -urNp linux-2.6.38.4/fs/ext3/namei.c linux-2.6.38.4/fs/ext3/namei.c
32045 --- linux-2.6.38.4/fs/ext3/namei.c 2011-04-18 17:27:14.000000000 -0400
32046 +++ linux-2.6.38.4/fs/ext3/namei.c 2011-04-17 15:57:32.000000000 -0400
32047 @@ -1159,7 +1159,7 @@ static struct ext3_dir_entry_2 *do_split
32048 char *data1 = (*bh)->b_data, *data2;
32049 unsigned split, move, size;
32050 struct ext3_dir_entry_2 *de = NULL, *de2;
32054 bh2 = ext3_append (handle, dir, &newblock, &err);
32056 diff -urNp linux-2.6.38.4/fs/ext3/xattr.c linux-2.6.38.4/fs/ext3/xattr.c
32057 --- linux-2.6.38.4/fs/ext3/xattr.c 2011-03-14 21:20:32.000000000 -0400
32058 +++ linux-2.6.38.4/fs/ext3/xattr.c 2011-04-17 15:57:32.000000000 -0400
32063 -# define ea_idebug(f...)
32064 -# define ea_bdebug(f...)
32065 +# define ea_idebug(f...) do {} while (0)
32066 +# define ea_bdebug(f...) do {} while (0)
32069 static void ext3_xattr_cache_insert(struct buffer_head *);
32070 diff -urNp linux-2.6.38.4/fs/ext4/balloc.c linux-2.6.38.4/fs/ext4/balloc.c
32071 --- linux-2.6.38.4/fs/ext4/balloc.c 2011-03-14 21:20:32.000000000 -0400
32072 +++ linux-2.6.38.4/fs/ext4/balloc.c 2011-04-17 15:57:32.000000000 -0400
32073 @@ -519,7 +519,7 @@ static int ext4_has_free_blocks(struct e
32074 /* Hm, nope. Are (enough) root reserved blocks available? */
32075 if (sbi->s_resuid == current_fsuid() ||
32076 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
32077 - capable(CAP_SYS_RESOURCE)) {
32078 + capable_nolog(CAP_SYS_RESOURCE)) {
32079 if (free_blocks >= (nblocks + dirty_blocks))
32082 diff -urNp linux-2.6.38.4/fs/ext4/ext4.h linux-2.6.38.4/fs/ext4/ext4.h
32083 --- linux-2.6.38.4/fs/ext4/ext4.h 2011-03-14 21:20:32.000000000 -0400
32084 +++ linux-2.6.38.4/fs/ext4/ext4.h 2011-04-17 15:57:32.000000000 -0400
32085 @@ -1166,19 +1166,19 @@ struct ext4_sb_info {
32086 unsigned long s_mb_last_start;
32088 /* stats for buddy allocator */
32089 - atomic_t s_bal_reqs; /* number of reqs with len > 1 */
32090 - atomic_t s_bal_success; /* we found long enough chunks */
32091 - atomic_t s_bal_allocated; /* in blocks */
32092 - atomic_t s_bal_ex_scanned; /* total extents scanned */
32093 - atomic_t s_bal_goals; /* goal hits */
32094 - atomic_t s_bal_breaks; /* too long searches */
32095 - atomic_t s_bal_2orders; /* 2^order hits */
32096 + atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
32097 + atomic_unchecked_t s_bal_success; /* we found long enough chunks */
32098 + atomic_unchecked_t s_bal_allocated; /* in blocks */
32099 + atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
32100 + atomic_unchecked_t s_bal_goals; /* goal hits */
32101 + atomic_unchecked_t s_bal_breaks; /* too long searches */
32102 + atomic_unchecked_t s_bal_2orders; /* 2^order hits */
32103 spinlock_t s_bal_lock;
32104 unsigned long s_mb_buddies_generated;
32105 unsigned long long s_mb_generation_time;
32106 - atomic_t s_mb_lost_chunks;
32107 - atomic_t s_mb_preallocated;
32108 - atomic_t s_mb_discarded;
32109 + atomic_unchecked_t s_mb_lost_chunks;
32110 + atomic_unchecked_t s_mb_preallocated;
32111 + atomic_unchecked_t s_mb_discarded;
32112 atomic_t s_lock_busy;
32114 /* locality groups */
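Review bot: The counters switched to `atomic_unchecked_t` at 32096-32111 carry no note on why they are exempt from the overflow checking the patch applies to `atomic_t`, while `s_lock_busy` (32112) stays checked; the distinction, which the mballoc.c hunks mirror with `atomic_inc_unchecked`/`atomic_add_unchecked`, appears to be that these are statistics that may wrap harmlessly rather than reference counts. A one-line comment on the group would make the intent reviewable and stop a future field from being added with the wrong type: `/* statistics only: may wrap, hence unchecked */`. Whether `s_lock_busy` should remain a checked `atomic_t` cannot be determined from this hunk.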
32115 diff -urNp linux-2.6.38.4/fs/ext4/mballoc.c linux-2.6.38.4/fs/ext4/mballoc.c
32116 --- linux-2.6.38.4/fs/ext4/mballoc.c 2011-03-14 21:20:32.000000000 -0400
32117 +++ linux-2.6.38.4/fs/ext4/mballoc.c 2011-04-17 15:57:32.000000000 -0400
32118 @@ -1846,7 +1846,7 @@ void ext4_mb_simple_scan_group(struct ex
32119 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
32121 if (EXT4_SB(sb)->s_mb_stats)
32122 - atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
32123 + atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
32127 @@ -2140,7 +2140,7 @@ repeat:
32128 ac->ac_status = AC_STATUS_CONTINUE;
32129 ac->ac_flags |= EXT4_MB_HINT_FIRST;
32131 - atomic_inc(&sbi->s_mb_lost_chunks);
32132 + atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
32136 @@ -2606,25 +2606,25 @@ int ext4_mb_release(struct super_block *
32137 if (sbi->s_mb_stats) {
32139 "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
32140 - atomic_read(&sbi->s_bal_allocated),
32141 - atomic_read(&sbi->s_bal_reqs),
32142 - atomic_read(&sbi->s_bal_success));
32143 + atomic_read_unchecked(&sbi->s_bal_allocated),
32144 + atomic_read_unchecked(&sbi->s_bal_reqs),
32145 + atomic_read_unchecked(&sbi->s_bal_success));
32147 "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
32148 "%u 2^N hits, %u breaks, %u lost\n",
32149 - atomic_read(&sbi->s_bal_ex_scanned),
32150 - atomic_read(&sbi->s_bal_goals),
32151 - atomic_read(&sbi->s_bal_2orders),
32152 - atomic_read(&sbi->s_bal_breaks),
32153 - atomic_read(&sbi->s_mb_lost_chunks));
32154 + atomic_read_unchecked(&sbi->s_bal_ex_scanned),
32155 + atomic_read_unchecked(&sbi->s_bal_goals),
32156 + atomic_read_unchecked(&sbi->s_bal_2orders),
32157 + atomic_read_unchecked(&sbi->s_bal_breaks),
32158 + atomic_read_unchecked(&sbi->s_mb_lost_chunks));
32160 "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
32161 sbi->s_mb_buddies_generated++,
32162 sbi->s_mb_generation_time);
32164 "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
32165 - atomic_read(&sbi->s_mb_preallocated),
32166 - atomic_read(&sbi->s_mb_discarded));
32167 + atomic_read_unchecked(&sbi->s_mb_preallocated),
32168 + atomic_read_unchecked(&sbi->s_mb_discarded));
32171 free_percpu(sbi->s_locality_groups);
32172 @@ -3100,16 +3100,16 @@ static void ext4_mb_collect_stats(struct
32173 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
32175 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
32176 - atomic_inc(&sbi->s_bal_reqs);
32177 - atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
32178 + atomic_inc_unchecked(&sbi->s_bal_reqs);
32179 + atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
32180 if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
32181 - atomic_inc(&sbi->s_bal_success);
32182 - atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
32183 + atomic_inc_unchecked(&sbi->s_bal_success);
32184 + atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
32185 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
32186 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
32187 - atomic_inc(&sbi->s_bal_goals);
32188 + atomic_inc_unchecked(&sbi->s_bal_goals);
32189 if (ac->ac_found > sbi->s_mb_max_to_scan)
32190 - atomic_inc(&sbi->s_bal_breaks);
32191 + atomic_inc_unchecked(&sbi->s_bal_breaks);
32194 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
32195 @@ -3507,7 +3507,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
32196 trace_ext4_mb_new_inode_pa(ac, pa);
32198 ext4_mb_use_inode_pa(ac, pa);
32199 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
32200 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
32202 ei = EXT4_I(ac->ac_inode);
32203 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
32204 @@ -3567,7 +3567,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
32205 trace_ext4_mb_new_group_pa(ac, pa);
32207 ext4_mb_use_group_pa(ac, pa);
32208 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
32209 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
32211 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
32213 @@ -3654,7 +3654,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
32214 * from the bitmap and continue.
32217 - atomic_add(free, &sbi->s_mb_discarded);
32218 + atomic_add_unchecked(free, &sbi->s_mb_discarded);
32222 @@ -3672,7 +3672,7 @@ ext4_mb_release_group_pa(struct ext4_bud
32223 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
32224 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
32225 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
32226 - atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
32227 + atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
32228 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
32231 diff -urNp linux-2.6.38.4/fs/ext4/namei.c linux-2.6.38.4/fs/ext4/namei.c
32232 --- linux-2.6.38.4/fs/ext4/namei.c 2011-03-14 21:20:32.000000000 -0400
32233 +++ linux-2.6.38.4/fs/ext4/namei.c 2011-04-17 15:57:32.000000000 -0400
32234 @@ -1161,7 +1161,7 @@ static struct ext4_dir_entry_2 *do_split
32235 char *data1 = (*bh)->b_data, *data2;
32236 unsigned split, move, size;
32237 struct ext4_dir_entry_2 *de = NULL, *de2;
32241 bh2 = ext4_append (handle, dir, &newblock, &err);
32243 diff -urNp linux-2.6.38.4/fs/ext4/xattr.c linux-2.6.38.4/fs/ext4/xattr.c
32244 --- linux-2.6.38.4/fs/ext4/xattr.c 2011-03-14 21:20:32.000000000 -0400
32245 +++ linux-2.6.38.4/fs/ext4/xattr.c 2011-04-17 15:57:32.000000000 -0400
32250 -# define ea_idebug(f...)
32251 -# define ea_bdebug(f...)
32252 +# define ea_idebug(inode, f...) do {} while (0)
32253 +# define ea_bdebug(bh, f...) do {} while (0)
32256 static void ext4_xattr_cache_insert(struct buffer_head *);
32257 diff -urNp linux-2.6.38.4/fs/fcntl.c linux-2.6.38.4/fs/fcntl.c
32258 --- linux-2.6.38.4/fs/fcntl.c 2011-03-14 21:20:32.000000000 -0400
32259 +++ linux-2.6.38.4/fs/fcntl.c 2011-04-17 15:57:32.000000000 -0400
32260 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
32264 + if (gr_handle_chroot_fowner(pid, type))
32266 + if (gr_check_protected_task_fowner(pid, type))
32269 f_modown(filp, pid, type, force);
32272 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
32275 case F_DUPFD_CLOEXEC:
32276 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
32277 if (arg >= rlimit(RLIMIT_NOFILE))
32279 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
32280 @@ -808,14 +814,14 @@ static int __init fcntl_init(void)
32281 * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY
32282 * is defined as O_NONBLOCK on some platforms and not on others.
32284 - BUILD_BUG_ON(18 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
32285 + BUILD_BUG_ON(19 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
32286 O_RDONLY | O_WRONLY | O_RDWR |
32287 O_CREAT | O_EXCL | O_NOCTTY |
32288 O_TRUNC | O_APPEND | /* O_NONBLOCK | */
32289 __O_SYNC | O_DSYNC | FASYNC |
32290 O_DIRECT | O_LARGEFILE | O_DIRECTORY |
32291 O_NOFOLLOW | O_NOATIME | O_CLOEXEC |
32293 + __FMODE_EXEC | FMODE_GREXEC
32296 fasync_cache = kmem_cache_create("fasync_cache",
32297 diff -urNp linux-2.6.38.4/fs/fifo.c linux-2.6.38.4/fs/fifo.c
32298 --- linux-2.6.38.4/fs/fifo.c 2011-03-14 21:20:32.000000000 -0400
32299 +++ linux-2.6.38.4/fs/fifo.c 2011-04-17 15:57:32.000000000 -0400
32300 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
32302 filp->f_op = &read_pipefifo_fops;
32304 - if (pipe->readers++ == 0)
32305 + if (atomic_inc_return(&pipe->readers) == 1)
32306 wake_up_partner(inode);
32308 - if (!pipe->writers) {
32309 + if (!atomic_read(&pipe->writers)) {
32310 if ((filp->f_flags & O_NONBLOCK)) {
32311 /* suppress POLLHUP until we have
32313 @@ -82,15 +82,15 @@ static int fifo_open(struct inode *inode
32314 * errno=ENXIO when there is no process reading the FIFO.
32317 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
32318 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
32321 filp->f_op = &write_pipefifo_fops;
32323 - if (!pipe->writers++)
32324 + if (atomic_inc_return(&pipe->writers) == 1)
32325 wake_up_partner(inode);
32327 - if (!pipe->readers) {
32328 + if (!atomic_read(&pipe->readers)) {
32329 wait_for_partner(inode, &pipe->r_counter);
32330 if (signal_pending(current))
32332 @@ -106,11 +106,11 @@ static int fifo_open(struct inode *inode
32334 filp->f_op = &rdwr_pipefifo_fops;
32338 + atomic_inc(&pipe->readers);
32339 + atomic_inc(&pipe->writers);
32342 - if (pipe->readers == 1 || pipe->writers == 1)
32343 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
32344 wake_up_partner(inode);
32347 @@ -124,19 +124,19 @@ static int fifo_open(struct inode *inode
32351 - if (!--pipe->readers)
32352 + if (atomic_dec_and_test(&pipe->readers))
32353 wake_up_interruptible(&pipe->wait);
32354 ret = -ERESTARTSYS;
32358 - if (!--pipe->writers)
32359 + if (atomic_dec_and_test(&pipe->writers))
32360 wake_up_interruptible(&pipe->wait);
32361 ret = -ERESTARTSYS;
32365 - if (!pipe->readers && !pipe->writers)
32366 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
32367 free_pipe_info(inode);
32370 diff -urNp linux-2.6.38.4/fs/file.c linux-2.6.38.4/fs/file.c
32371 --- linux-2.6.38.4/fs/file.c 2011-03-14 21:20:32.000000000 -0400
32372 +++ linux-2.6.38.4/fs/file.c 2011-04-17 15:57:32.000000000 -0400
32374 #include <linux/slab.h>
32375 #include <linux/vmalloc.h>
32376 #include <linux/file.h>
32377 +#include <linux/security.h>
32378 #include <linux/fdtable.h>
32379 #include <linux/bitops.h>
32380 #include <linux/interrupt.h>
32381 @@ -250,6 +251,7 @@ int expand_files(struct files_struct *fi
32382 * N.B. For clone tasks sharing a files structure, this test
32383 * will limit the total number of files that can be opened.
32385 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
32386 if (nr >= rlimit(RLIMIT_NOFILE))
32389 diff -urNp linux-2.6.38.4/fs/filesystems.c linux-2.6.38.4/fs/filesystems.c
32390 --- linux-2.6.38.4/fs/filesystems.c 2011-03-14 21:20:32.000000000 -0400
32391 +++ linux-2.6.38.4/fs/filesystems.c 2011-04-17 15:57:32.000000000 -0400
32392 @@ -275,7 +275,12 @@ struct file_system_type *get_fs_type(con
32393 int len = dot ? dot - name : strlen(name);
32395 fs = __get_fs_type(name, len);
32397 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
32398 + if (!fs && (___request_module(true, "grsec_modharden_fs", "%.*s", len, name) == 0))
32400 if (!fs && (request_module("%.*s", len, name) == 0))
32402 fs = __get_fs_type(name, len);
32404 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
32405 diff -urNp linux-2.6.38.4/fs/fs_struct.c linux-2.6.38.4/fs/fs_struct.c
32406 --- linux-2.6.38.4/fs/fs_struct.c 2011-03-14 21:20:32.000000000 -0400
32407 +++ linux-2.6.38.4/fs/fs_struct.c 2011-04-17 15:57:32.000000000 -0400
32409 #include <linux/slab.h>
32410 #include <linux/fs_struct.h>
32411 #include <linux/vserver/global.h>
32412 +#include <linux/grsecurity.h>
32413 #include "internal.h"
32415 static inline void path_get_longterm(struct path *path)
32416 @@ -31,6 +32,7 @@ void set_fs_root(struct fs_struct *fs, s
32417 old_root = fs->root;
32419 path_get_longterm(path);
32420 + gr_set_chroot_entries(current, path);
32421 write_seqcount_end(&fs->seq);
32422 spin_unlock(&fs->lock);
32423 if (old_root.dentry)
32424 @@ -74,6 +76,7 @@ void chroot_fs_refs(struct path *old_roo
32425 && fs->root.mnt == old_root->mnt) {
32426 path_get_longterm(new_root);
32427 fs->root = *new_root;
32428 + gr_set_chroot_entries(p, new_root);
32431 if (fs->pwd.dentry == old_root->dentry
32432 @@ -109,7 +112,8 @@ void exit_fs(struct task_struct *tsk)
32433 spin_lock(&fs->lock);
32434 write_seqcount_begin(&fs->seq);
32436 - kill = !--fs->users;
32437 + gr_clear_chroot_entries(tsk);
32438 + kill = !atomic_dec_return(&fs->users);
32439 write_seqcount_end(&fs->seq);
32440 spin_unlock(&fs->lock);
32442 @@ -123,7 +127,7 @@ struct fs_struct *copy_fs_struct(struct
32443 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
32444 /* We don't need to lock fs - think why ;-) */
32447 + atomic_set(&fs->users, 1);
32449 spin_lock_init(&fs->lock);
32450 seqcount_init(&fs->seq);
32451 @@ -132,6 +136,9 @@ struct fs_struct *copy_fs_struct(struct
32452 spin_lock(&old->lock);
32453 fs->root = old->root;
32454 path_get_longterm(&fs->root);
32455 + /* instead of calling gr_set_chroot_entries here,
32456 + we call it from every caller of this function
32458 fs->pwd = old->pwd;
32459 path_get_longterm(&fs->pwd);
32460 spin_unlock(&old->lock);
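Review bot: The comment at 32455-32456 says `gr_set_chroot_entries` is called from every caller of `copy_fs_struct`; within this chunk `unshare_fs_struct` (32468) does so, but `copy_fs()` in kernel/fork.c also calls `copy_fs_struct` and is not visible here, so the claim cannot be verified from the hunk. Please either name the callers in the comment, e.g. `/* callers (unshare_fs_struct, copy_fs in kernel/fork.c, ...) call gr_set_chroot_entries on the new struct */`, or verify each one, since a missed caller leaves a task with stale chroot state. The closing of the comment is not among the visible lines.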
32461 @@ -150,8 +157,9 @@ int unshare_fs_struct(void)
32463 task_lock(current);
32464 spin_lock(&fs->lock);
32465 - kill = !--fs->users;
32466 + kill = !atomic_dec_return(&fs->users);
32467 current->fs = new_fs;
32468 + gr_set_chroot_entries(current, &new_fs->root);
32469 spin_unlock(&fs->lock);
32470 task_unlock(current);
32472 @@ -170,7 +178,7 @@ EXPORT_SYMBOL(current_umask);
32474 /* to be mentioned only in INIT_TASK */
32475 struct fs_struct init_fs = {
32477 + .users = ATOMIC_INIT(1),
32478 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock),
32479 .seq = SEQCNT_ZERO,
32481 @@ -186,12 +194,13 @@ void daemonize_fs_struct(void)
32482 task_lock(current);
32484 spin_lock(&init_fs.lock);
32486 + atomic_inc(&init_fs.users);
32487 spin_unlock(&init_fs.lock);
32489 spin_lock(&fs->lock);
32490 current->fs = &init_fs;
32491 - kill = !--fs->users;
32492 + gr_set_chroot_entries(current, ¤t->fs->root);
32493 + kill = !atomic_dec_return(&fs->users);
32494 spin_unlock(&fs->lock);
32496 task_unlock(current);
32497 diff -urNp linux-2.6.38.4/fs/fuse/control.c linux-2.6.38.4/fs/fuse/control.c
32498 --- linux-2.6.38.4/fs/fuse/control.c 2011-03-14 21:20:32.000000000 -0400
32499 +++ linux-2.6.38.4/fs/fuse/control.c 2011-04-17 15:57:32.000000000 -0400
32500 @@ -298,7 +298,7 @@ void fuse_ctl_remove_conn(struct fuse_co
32502 static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
32504 - struct tree_descr empty_descr = {""};
32505 + struct tree_descr empty_descr = {"", NULL, 0};
32506 struct fuse_conn *fc;
32509 diff -urNp linux-2.6.38.4/fs/fuse/cuse.c linux-2.6.38.4/fs/fuse/cuse.c
32510 --- linux-2.6.38.4/fs/fuse/cuse.c 2011-03-14 21:20:32.000000000 -0400
32511 +++ linux-2.6.38.4/fs/fuse/cuse.c 2011-04-17 15:57:32.000000000 -0400
32512 @@ -530,8 +530,18 @@ static int cuse_channel_release(struct i
32516 -static struct file_operations cuse_channel_fops; /* initialized during init */
32518 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
32519 + .owner = THIS_MODULE,
32520 + .llseek = no_llseek,
32521 + .read = do_sync_read,
32522 + .aio_read = fuse_dev_read,
32523 + .write = do_sync_write,
32524 + .aio_write = fuse_dev_write,
32525 + .poll = fuse_dev_poll,
32526 + .open = cuse_channel_open,
32527 + .release = cuse_channel_release,
32528 + .fasync = fuse_dev_fasync,
32531 /**************************************************************************
32532 * Misc stuff and module initializatiion
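Review bot: The const `cuse_channel_fops` table is now a hand-copied subset of `fuse_dev_operations` instead of an extension of it, so any method the device table sets that is not repeated here stops working on the CUSE channel; if fs/fuse/dev.c also sets `.splice_read`/`.splice_write` (as mainline 2.6.38 does, to be confirmed), they would have to be added here and exported like the other four helpers, e.g. `.splice_read = fuse_dev_splice_read,` and `.splice_write = fuse_dev_splice_write,`. The trailing `/* initialized during init */` comment is stale now that the table is a compile-time initializer; replace it with `/* fuse_dev_operations plus cuse open/release; keep in sync with fs/fuse/dev.c */`.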
32533 @@ -577,12 +587,6 @@ static int __init cuse_init(void)
32534 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
32535 INIT_LIST_HEAD(&cuse_conntbl[i]);
32537 - /* inherit and extend fuse_dev_operations */
32538 - cuse_channel_fops = fuse_dev_operations;
32539 - cuse_channel_fops.owner = THIS_MODULE;
32540 - cuse_channel_fops.open = cuse_channel_open;
32541 - cuse_channel_fops.release = cuse_channel_release;
32543 cuse_class = class_create(THIS_MODULE, "cuse");
32544 if (IS_ERR(cuse_class))
32545 return PTR_ERR(cuse_class);
32546 diff -urNp linux-2.6.38.4/fs/fuse/dev.c linux-2.6.38.4/fs/fuse/dev.c
32547 --- linux-2.6.38.4/fs/fuse/dev.c 2011-03-14 21:20:32.000000000 -0400
32548 +++ linux-2.6.38.4/fs/fuse/dev.c 2011-04-17 15:57:32.000000000 -0400
32549 @@ -1183,7 +1183,7 @@ static ssize_t fuse_dev_do_read(struct f
32553 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
32554 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
32555 unsigned long nr_segs, loff_t pos)
32557 struct fuse_copy_state cs;
32558 @@ -1197,6 +1197,8 @@ static ssize_t fuse_dev_read(struct kioc
32559 return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
32562 +EXPORT_SYMBOL_GPL(fuse_dev_read);
32564 static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
32565 struct pipe_buffer *buf)
32567 @@ -1240,7 +1242,7 @@ static ssize_t fuse_dev_splice_read(stru
32571 - if (!pipe->readers) {
32572 + if (!atomic_read(&pipe->readers)) {
32573 send_sig(SIGPIPE, current, 0);
32576 @@ -1733,7 +1735,7 @@ static ssize_t fuse_dev_do_write(struct
32580 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
32581 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
32582 unsigned long nr_segs, loff_t pos)
32584 struct fuse_copy_state cs;
32585 @@ -1746,6 +1748,8 @@ static ssize_t fuse_dev_write(struct kio
32586 return fuse_dev_do_write(fc, &cs, iov_length(iov, nr_segs));
32589 +EXPORT_SYMBOL_GPL(fuse_dev_write);
32591 static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
32592 struct file *out, loff_t *ppos,
32593 size_t len, unsigned int flags)
32594 @@ -1824,7 +1828,7 @@ out:
32598 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
32599 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
32601 unsigned mask = POLLOUT | POLLWRNORM;
32602 struct fuse_conn *fc = fuse_get_conn(file);
32603 @@ -1843,6 +1847,8 @@ static unsigned fuse_dev_poll(struct fil
32607 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
32610 * Abort all requests on the given list (pending or processing)
32612 @@ -1962,7 +1968,7 @@ int fuse_dev_release(struct inode *inode
32614 EXPORT_SYMBOL_GPL(fuse_dev_release);
32616 -static int fuse_dev_fasync(int fd, struct file *file, int on)
32617 +int fuse_dev_fasync(int fd, struct file *file, int on)
32619 struct fuse_conn *fc = fuse_get_conn(file);
32621 @@ -1972,6 +1978,8 @@ static int fuse_dev_fasync(int fd, struc
32622 return fasync_helper(fd, file, on, &fc->fasync);
32625 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
32627 const struct file_operations fuse_dev_operations = {
32628 .owner = THIS_MODULE,
32629 .llseek = no_llseek,
32630 diff -urNp linux-2.6.38.4/fs/fuse/dir.c linux-2.6.38.4/fs/fuse/dir.c
32631 --- linux-2.6.38.4/fs/fuse/dir.c 2011-03-14 21:20:32.000000000 -0400
32632 +++ linux-2.6.38.4/fs/fuse/dir.c 2011-04-17 15:57:32.000000000 -0400
32633 @@ -1133,7 +1133,7 @@ static char *read_link(struct dentry *de
32637 -static void free_link(char *link)
32638 +static void free_link(const char *link)
32641 free_page((unsigned long) link);
32642 diff -urNp linux-2.6.38.4/fs/fuse/fuse_i.h linux-2.6.38.4/fs/fuse/fuse_i.h
32643 --- linux-2.6.38.4/fs/fuse/fuse_i.h 2011-03-14 21:20:32.000000000 -0400
32644 +++ linux-2.6.38.4/fs/fuse/fuse_i.h 2011-04-17 15:57:32.000000000 -0400
32645 @@ -541,6 +541,16 @@ extern const struct file_operations fuse
32647 extern const struct dentry_operations fuse_dentry_operations;
32649 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
32650 + unsigned long nr_segs, loff_t pos);
32652 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
32653 + unsigned long nr_segs, loff_t pos);
32655 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
32657 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
32660 * Inode to nodeid comparison.
32662 diff -urNp linux-2.6.38.4/fs/hfs/inode.c linux-2.6.38.4/fs/hfs/inode.c
32663 --- linux-2.6.38.4/fs/hfs/inode.c 2011-03-14 21:20:32.000000000 -0400
32664 +++ linux-2.6.38.4/fs/hfs/inode.c 2011-04-17 15:57:32.000000000 -0400
32665 @@ -447,7 +447,7 @@ int hfs_write_inode(struct inode *inode,
32667 if (S_ISDIR(main_inode->i_mode)) {
32668 if (fd.entrylength < sizeof(struct hfs_cat_dir))
32671 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
32672 sizeof(struct hfs_cat_dir));
32673 if (rec.type != HFS_CDR_DIR ||
32674 @@ -468,7 +468,7 @@ int hfs_write_inode(struct inode *inode,
32675 sizeof(struct hfs_cat_file));
32677 if (fd.entrylength < sizeof(struct hfs_cat_file))
32680 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
32681 sizeof(struct hfs_cat_file));
32682 if (rec.type != HFS_CDR_FIL ||
32683 diff -urNp linux-2.6.38.4/fs/hfsplus/inode.c linux-2.6.38.4/fs/hfsplus/inode.c
32684 --- linux-2.6.38.4/fs/hfsplus/inode.c 2011-03-14 21:20:32.000000000 -0400
32685 +++ linux-2.6.38.4/fs/hfsplus/inode.c 2011-04-17 15:57:32.000000000 -0400
32686 @@ -498,7 +498,7 @@ int hfsplus_cat_read_inode(struct inode
32687 struct hfsplus_cat_folder *folder = &entry.folder;
32689 if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
32692 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
32693 sizeof(struct hfsplus_cat_folder));
32694 hfsplus_get_perms(inode, &folder->permissions, 1);
32695 @@ -515,7 +515,7 @@ int hfsplus_cat_read_inode(struct inode
32696 struct hfsplus_cat_file *file = &entry.file;
32698 if (fd->entrylength < sizeof(struct hfsplus_cat_file))
32701 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
32702 sizeof(struct hfsplus_cat_file));
32704 @@ -572,7 +572,7 @@ int hfsplus_cat_write_inode(struct inode
32705 struct hfsplus_cat_folder *folder = &entry.folder;
32707 if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
32710 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
32711 sizeof(struct hfsplus_cat_folder));
32712 /* simple node checks? */
32713 @@ -594,7 +594,7 @@ int hfsplus_cat_write_inode(struct inode
32714 struct hfsplus_cat_file *file = &entry.file;
32716 if (fd.entrylength < sizeof(struct hfsplus_cat_file))
32719 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
32720 sizeof(struct hfsplus_cat_file));
32721 hfsplus_inode_write_fork(inode, &file->data_fork);
32722 diff -urNp linux-2.6.38.4/fs/hugetlbfs/inode.c linux-2.6.38.4/fs/hugetlbfs/inode.c
32723 --- linux-2.6.38.4/fs/hugetlbfs/inode.c 2011-03-14 21:20:32.000000000 -0400
32724 +++ linux-2.6.38.4/fs/hugetlbfs/inode.c 2011-04-17 15:57:32.000000000 -0400
32725 @@ -915,7 +915,7 @@ static struct file_system_type hugetlbfs
32726 .kill_sb = kill_litter_super,
32729 -static struct vfsmount *hugetlbfs_vfsmount;
32730 +struct vfsmount *hugetlbfs_vfsmount;
32732 static int can_do_hugetlb_shm(void)
32734 diff -urNp linux-2.6.38.4/fs/jffs2/debug.h linux-2.6.38.4/fs/jffs2/debug.h
32735 --- linux-2.6.38.4/fs/jffs2/debug.h 2011-03-14 21:20:32.000000000 -0400
32736 +++ linux-2.6.38.4/fs/jffs2/debug.h 2011-04-17 15:57:32.000000000 -0400
32737 @@ -53,13 +53,13 @@
32738 #if CONFIG_JFFS2_FS_DEBUG > 0
32742 +#define D1(x) do {} while (0);
32745 #if CONFIG_JFFS2_FS_DEBUG > 1
32749 +#define D2(x) do {} while (0);
32752 /* The prefixes of JFFS2 messages */
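Review bot: The rewritten stubs carry a trailing semicolon, `#define D1(x) do {} while (0);`, which turns every `D1(...);` call site into two statements and breaks an `if (c) D1(x); else ...` form with an else-without-if error; the `dbg_*` stubs in the next hunk and the summary.h stubs in the same commit correctly omit it. Change both to `#define D1(x) do {} while (0)` and `#define D2(x) do {} while (0)`.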
32753 @@ -115,73 +115,73 @@
32754 #ifdef JFFS2_DBG_READINODE_MESSAGES
32755 #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32757 -#define dbg_readinode(fmt, ...)
32758 +#define dbg_readinode(fmt, ...) do {} while (0)
32760 #ifdef JFFS2_DBG_READINODE2_MESSAGES
32761 #define dbg_readinode2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32763 -#define dbg_readinode2(fmt, ...)
32764 +#define dbg_readinode2(fmt, ...) do {} while (0)
32767 /* Fragtree build debugging messages */
32768 #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
32769 #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32771 -#define dbg_fragtree(fmt, ...)
32772 +#define dbg_fragtree(fmt, ...) do {} while (0)
32774 #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
32775 #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32777 -#define dbg_fragtree2(fmt, ...)
32778 +#define dbg_fragtree2(fmt, ...) do {} while (0)
32781 /* Directory entry list manilulation debugging messages */
32782 #ifdef JFFS2_DBG_DENTLIST_MESSAGES
32783 #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32785 -#define dbg_dentlist(fmt, ...)
32786 +#define dbg_dentlist(fmt, ...) do {} while (0)
32789 /* Print the messages about manipulating node_refs */
32790 #ifdef JFFS2_DBG_NODEREF_MESSAGES
32791 #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32793 -#define dbg_noderef(fmt, ...)
32794 +#define dbg_noderef(fmt, ...) do {} while (0)
32797 /* Manipulations with the list of inodes (JFFS2 inocache) */
32798 #ifdef JFFS2_DBG_INOCACHE_MESSAGES
32799 #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32801 -#define dbg_inocache(fmt, ...)
32802 +#define dbg_inocache(fmt, ...) do {} while (0)
32805 /* Summary debugging messages */
32806 #ifdef JFFS2_DBG_SUMMARY_MESSAGES
32807 #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32809 -#define dbg_summary(fmt, ...)
32810 +#define dbg_summary(fmt, ...) do {} while (0)
32813 /* File system build messages */
32814 #ifdef JFFS2_DBG_FSBUILD_MESSAGES
32815 #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32817 -#define dbg_fsbuild(fmt, ...)
32818 +#define dbg_fsbuild(fmt, ...) do {} while (0)
32821 /* Watch the object allocations */
32822 #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
32823 #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32825 -#define dbg_memalloc(fmt, ...)
32826 +#define dbg_memalloc(fmt, ...) do {} while (0)
32829 /* Watch the XATTR subsystem */
32830 #ifdef JFFS2_DBG_XATTR_MESSAGES
32831 #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32833 -#define dbg_xattr(fmt, ...)
32834 +#define dbg_xattr(fmt, ...) do {} while (0)
32837 /* "Sanity" checks */
32838 diff -urNp linux-2.6.38.4/fs/jffs2/erase.c linux-2.6.38.4/fs/jffs2/erase.c
32839 --- linux-2.6.38.4/fs/jffs2/erase.c 2011-03-14 21:20:32.000000000 -0400
32840 +++ linux-2.6.38.4/fs/jffs2/erase.c 2011-04-17 15:57:32.000000000 -0400
32841 @@ -439,7 +439,8 @@ static void jffs2_mark_erased_block(stru
32842 struct jffs2_unknown_node marker = {
32843 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
32844 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
32845 - .totlen = cpu_to_je32(c->cleanmarker_size)
32846 + .totlen = cpu_to_je32(c->cleanmarker_size),
32847 + .hdr_crc = cpu_to_je32(0)
32850 jffs2_prealloc_raw_node_refs(c, jeb, 1);
32851 diff -urNp linux-2.6.38.4/fs/jffs2/summary.h linux-2.6.38.4/fs/jffs2/summary.h
32852 --- linux-2.6.38.4/fs/jffs2/summary.h 2011-03-14 21:20:32.000000000 -0400
32853 +++ linux-2.6.38.4/fs/jffs2/summary.h 2011-04-17 15:57:32.000000000 -0400
32854 @@ -194,18 +194,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
32856 #define jffs2_sum_active() (0)
32857 #define jffs2_sum_init(a) (0)
32858 -#define jffs2_sum_exit(a)
32859 -#define jffs2_sum_disable_collecting(a)
32860 +#define jffs2_sum_exit(a) do {} while (0)
32861 +#define jffs2_sum_disable_collecting(a) do {} while (0)
32862 #define jffs2_sum_is_disabled(a) (0)
32863 -#define jffs2_sum_reset_collected(a)
32864 +#define jffs2_sum_reset_collected(a) do {} while (0)
32865 #define jffs2_sum_add_kvec(a,b,c,d) (0)
32866 -#define jffs2_sum_move_collected(a,b)
32867 +#define jffs2_sum_move_collected(a,b) do {} while (0)
32868 #define jffs2_sum_write_sumnode(a) (0)
32869 -#define jffs2_sum_add_padding_mem(a,b)
32870 -#define jffs2_sum_add_inode_mem(a,b,c)
32871 -#define jffs2_sum_add_dirent_mem(a,b,c)
32872 -#define jffs2_sum_add_xattr_mem(a,b,c)
32873 -#define jffs2_sum_add_xref_mem(a,b,c)
32874 +#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
32875 +#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
32876 +#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
32877 +#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
32878 +#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
32879 #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
32881 #endif /* CONFIG_JFFS2_SUMMARY */
32882 diff -urNp linux-2.6.38.4/fs/jffs2/wbuf.c linux-2.6.38.4/fs/jffs2/wbuf.c
32883 --- linux-2.6.38.4/fs/jffs2/wbuf.c 2011-03-14 21:20:32.000000000 -0400
32884 +++ linux-2.6.38.4/fs/jffs2/wbuf.c 2011-04-17 15:57:32.000000000 -0400
32885 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
32887 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
32888 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
32889 - .totlen = constant_cpu_to_je32(8)
32890 + .totlen = constant_cpu_to_je32(8),
32891 + .hdr_crc = constant_cpu_to_je32(0)
32895 diff -urNp linux-2.6.38.4/fs/Kconfig.binfmt linux-2.6.38.4/fs/Kconfig.binfmt
32896 --- linux-2.6.38.4/fs/Kconfig.binfmt 2011-03-14 21:20:32.000000000 -0400
32897 +++ linux-2.6.38.4/fs/Kconfig.binfmt 2011-04-17 15:57:32.000000000 -0400
32898 @@ -86,7 +86,7 @@ config HAVE_AOUT
32901 tristate "Kernel support for a.out and ECOFF binaries"
32902 - depends on HAVE_AOUT
32903 + depends on HAVE_AOUT && BROKEN
32905 A.out (Assembler.OUTput) is a set of formats for libraries and
32906 executables used in the earliest versions of UNIX. Linux used
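Review bot: Gating the option on `BROKEN` hides it from menuconfig with no trace in the help text of why, so someone bisecting a vanished BINFMT_AOUT will not find the reason here. Add one sentence to the help text, e.g. `This legacy loader is marked BROKEN by the hardening patch and is not meant to be enabled on hardened systems.`, or a comment above the `depends on` line. The config entry's own name line precedes the hunk.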
32907 diff -urNp linux-2.6.38.4/fs/libfs.c linux-2.6.38.4/fs/libfs.c
32908 --- linux-2.6.38.4/fs/libfs.c 2011-03-14 21:20:32.000000000 -0400
32909 +++ linux-2.6.38.4/fs/libfs.c 2011-04-17 15:57:32.000000000 -0400
32910 @@ -138,6 +138,8 @@ int dcache_readdir(struct file * filp, v
32911 struct dentry *dentry = filp->f_path.dentry;
32912 struct dentry *cursor = filp->private_data;
32913 struct list_head *p, *q = &cursor->d_u.d_child;
32914 + char d_name[DNAME_INLINE_LEN];
32915 + const char *name;
32917 int i = filp->f_pos;
32919 @@ -172,7 +174,12 @@ int dcache_readdir(struct file * filp, v
32921 spin_unlock(&next->d_lock);
32922 spin_unlock(&dentry->d_lock);
32923 - if (filldir(dirent, next->d_name.name,
32924 + if (next->d_name.len < DNAME_INLINE_LEN) {
32925 + memcpy(d_name, next->d_name.name, next->d_name.len);
32928 + name = next->d_name.name;
32929 + if (filldir(dirent, name,
32930 next->d_name.len, filp->f_pos,
32931 next->d_inode->i_ino,
32932 dt_type(next->d_inode)) < 0)
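Review bot: The bounce copy into `d_name[]` is taken after `spin_unlock(&next->d_lock)`, so it gives no protection against a concurrent rename changing `next->d_name` under the reader, and `next->d_name.len` is read twice (in the comparison and as the filldir argument), so the length handed to filldir can disagree with the bytes copied. If the purpose is instead to avoid passing filldir a pointer into the dentry object itself (e.g. for a user-copy whitelist), say so with `/* copy short names out of the dentry before filldir copies them to userspace */` and snapshot the length once while the lock is held, `unsigned int len = next->d_name.len;`, using it in both places. The local named `d_name` is easily confused with the `d_name` member; `name_buf` would read better. The `else` branch of the new `if` falls between lines not shown here.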
32933 diff -urNp linux-2.6.38.4/fs/lockd/svc.c linux-2.6.38.4/fs/lockd/svc.c
32934 --- linux-2.6.38.4/fs/lockd/svc.c 2011-03-14 21:20:32.000000000 -0400
32935 +++ linux-2.6.38.4/fs/lockd/svc.c 2011-04-17 15:57:32.000000000 -0400
32938 static struct svc_program nlmsvc_program;
32940 -struct nlmsvc_binding * nlmsvc_ops;
32941 +const struct nlmsvc_binding * nlmsvc_ops;
32942 EXPORT_SYMBOL_GPL(nlmsvc_ops);
32944 static DEFINE_MUTEX(nlmsvc_mutex);
32945 diff -urNp linux-2.6.38.4/fs/locks.c linux-2.6.38.4/fs/locks.c
32946 --- linux-2.6.38.4/fs/locks.c 2011-03-14 21:20:32.000000000 -0400
32947 +++ linux-2.6.38.4/fs/locks.c 2011-04-17 15:57:32.000000000 -0400
32948 @@ -2044,16 +2044,16 @@ void locks_remove_flock(struct file *fil
32951 if (filp->f_op && filp->f_op->flock) {
32952 - struct file_lock fl = {
32953 + struct file_lock flock = {
32954 .fl_pid = current->tgid,
32956 .fl_flags = FL_FLOCK,
32957 .fl_type = F_UNLCK,
32958 .fl_end = OFFSET_MAX,
32960 - filp->f_op->flock(filp, F_SETLKW, &fl);
32961 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
32962 - fl.fl_ops->fl_release_private(&fl);
32963 + filp->f_op->flock(filp, F_SETLKW, &flock);
32964 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
32965 + flock.fl_ops->fl_release_private(&flock);
32969 diff -urNp linux-2.6.38.4/fs/namei.c linux-2.6.38.4/fs/namei.c
32970 --- linux-2.6.38.4/fs/namei.c 2011-04-22 19:20:59.000000000 -0400
32971 +++ linux-2.6.38.4/fs/namei.c 2011-04-22 19:21:23.000000000 -0400
32972 @@ -226,14 +226,6 @@ int generic_permission(struct inode *ino
32976 - * Read/write DACs are always overridable.
32977 - * Executable DACs are overridable if at least one exec bit is set.
32979 - if (!(mask & MAY_EXEC) || execute_ok(inode))
32980 - if (capable(CAP_DAC_OVERRIDE))
32984 * Searching includes executable on directories, else just read.
32986 mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
32987 @@ -241,6 +233,14 @@ int generic_permission(struct inode *ino
32988 if (capable(CAP_DAC_READ_SEARCH))
32992 + * Read/write DACs are always overridable.
32993 + * Executable DACs are overridable if at least one exec bit is set.
32995 + if (!(mask & MAY_EXEC) || execute_ok(inode))
32996 + if (capable(CAP_DAC_OVERRIDE))
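Review bot: Moving the `CAP_DAC_OVERRIDE` test after `CAP_DAC_READ_SEARCH` changes which capability `capable()` records as used for a read/search request from a process holding both, and nothing in the hunk states that this is the intent (presumably so that capability-use logging attributes the weaker capability). Add a comment above the moved block, `/* checked after CAP_DAC_READ_SEARCH so a plain read/search is not attributed to DAC_OVERRIDE */`. generic_permission begins and ends outside the hunk.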
33002 @@ -687,7 +687,8 @@ static inline int exec_permission(struct
33003 if (ret == -ECHILD)
33006 - if (capable(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
33007 + if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH) ||
33008 + capable(CAP_DAC_OVERRIDE))
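Review bot: The third operand `capable(CAP_DAC_OVERRIDE)` is only evaluated after `capable_nolog(CAP_DAC_OVERRIDE)` has already returned false, so if the two differ only in logging its sole effect is to emit the denial log for CAP_DAC_OVERRIDE once CAP_DAC_READ_SEARCH has also failed; that is plausible intent but reads like a copy/paste slip. Add a comment on the line, `/* logged retry: record the DAC_OVERRIDE denial only when READ_SEARCH fails too */`, or restructure it as an explicit `if` chain so the ordering is obvious. exec_permission continues outside the hunk.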
33012 @@ -776,7 +777,7 @@ __do_follow_link(const struct path *link
33013 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
33014 error = PTR_ERR(*p);
33016 - char *s = nd_get_link(nd);
33017 + const char *s = nd_get_link(nd);
33020 error = __vfs_follow_link(nd, s);
33021 @@ -815,6 +816,13 @@ static inline int do_follow_link(struct
33022 err = security_inode_follow_link(path->dentry, nd);
33026 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
33027 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
33032 current->link_count++;
33033 current->total_link_count++;
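Review bot: `path->dentry->d_parent` is dereferenced without `d_lock` or a `dget_parent()`, so a rename racing with the lookup can point the check at a directory other than the one the link was actually found in; at this point `nd->path.dentry` should be that directory and already carries a reference. Prefer `gr_handle_follow_link(nd->path.dentry->d_inode, path->dentry->d_inode, path->dentry, nd->path.mnt)` if the helper's first argument really is the containing directory, or bracket the call with `dget_parent()`/`dput()`. The error path the new `if` jumps to lies in lines not shown, and do_follow_link continues outside the hunk.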
33035 @@ -1506,13 +1514,36 @@ return_reval:
33037 if (nameidata_drop_rcu_last_maybe(nd))
33040 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
33042 + goto err_and_ret;
33047 if (!(nd->flags & LOOKUP_RCU))
33048 path_put_conditional(&next, nd);
33051 +#ifdef CONFIG_GRKERNSEC
33052 + /* we do this because we can't operate here on an rcu'd dentry,
33053 + acquire a properly-referenced copy
33055 + if (nameidata_drop_rcu_last_maybe(nd))
33059 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
33063 +#ifndef CONFIG_GRKERNSEC
33064 + /* since we convert to ref-walk above, always put the path if we reach
33067 if (!(nd->flags & LOOKUP_RCU))
33069 path_put(&nd->path);
33072 @@ -1739,6 +1770,9 @@ static int do_path_lookup(int dfd, const
33075 if (likely(!retval)) {
33076 + if (*name != '/' && nd->path.dentry && nd->inode && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
33079 if (unlikely(!audit_dummy_context())) {
33080 if (nd->path.dentry && nd->inode)
33081 audit_inode(name, nd->path.dentry);
33082 @@ -2079,6 +2113,30 @@ int vfs_create(struct inode *dir, struct
33087 + * Note that while the flag value (low two bits) for sys_open means:
33089 + * 01 - write-only
33090 + * 10 - read-write
33092 + * it is changed into
33093 + * 00 - no permissions needed
33094 + * 01 - read-permission
33095 + * 10 - write-permission
33096 + * 11 - read-write
33097 + * for the internal routines (ie open_namei()/follow_link() etc)
33098 + * This is more logical, and also allows the 00 "no perm needed"
33099 + * to be used for symlinks (where the permissions are checked
33103 +static inline int open_to_namei_flags(int flag)
33105 + if ((flag+1) & O_ACCMODE)
33110 int may_open(struct path *path, int acc_mode, int flag)
33112 struct dentry *dentry = path->dentry;
33113 @@ -2127,7 +2185,27 @@ int may_open(struct path *path, int acc_
33115 * Ensure there are no outstanding leases on the file.
33117 - return break_lease(inode, flag);
33118 + error = break_lease(inode, flag);
33123 + if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
33128 + if (gr_handle_rawio(inode)) {
33133 + if (!gr_acl_handle_open(dentry, path->mnt, open_to_namei_flags(flag))) {
33141 static int handle_truncate(struct file *filp)
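Review bot: The new `gr_handle_rofs_blockwrite`, `gr_handle_rawio` and `gr_acl_handle_open` denials run after `break_lease(inode, flag)`, so an open that policy is about to refuse has already forced the lease holder to give up its lease (and may have waited out the lease-break timeout) — a denied opener should not be able to disturb lease holders, which is why the existing permission checks all precede the lease break. Move the three policy checks ahead of `error = break_lease(inode, flag);` so a refused open has no side effect; the bodies of the denial branches are in lines not shown here. may_open begins outside the hunk.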
33142 @@ -2162,6 +2240,12 @@ static int __open_namei_create(struct na
33145 struct dentry *dir = nd->path.dentry;
33146 + int flag = open_to_namei_flags(open_flag);
33148 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, flag, mode)) {
33153 if (!IS_POSIXACL(dir->d_inode))
33154 mode &= ~current_umask();
33155 @@ -2169,6 +2253,8 @@ static int __open_namei_create(struct na
33158 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
33160 + gr_handle_create(path->dentry, nd->path.mnt);
33162 mutex_unlock(&dir->d_inode->i_mutex);
33163 dput(nd->path.dentry);
33164 @@ -2180,30 +2266,6 @@ out_unlock:
33165 return may_open(&nd->path, 0, open_flag & ~O_TRUNC);
33169 - * Note that while the flag value (low two bits) for sys_open means:
33171 - * 01 - write-only
33172 - * 10 - read-write
33174 - * it is changed into
33175 - * 00 - no permissions needed
33176 - * 01 - read-permission
33177 - * 10 - write-permission
33178 - * 11 - read-write
33179 - * for the internal routines (ie open_namei()/follow_link() etc)
33180 - * This is more logical, and also allows the 00 "no perm needed"
33181 - * to be used for symlinks (where the permissions are checked
33185 -static inline int open_to_namei_flags(int flag)
33187 - if ((flag+1) & O_ACCMODE)
33192 static int open_will_truncate(int flag, struct inode *inode)
33195 @@ -2274,6 +2336,7 @@ static struct file *do_last(struct namei
33196 int mode, const char *pathname)
33198 struct dentry *dir = nd->path.dentry;
33199 + int flag = open_to_namei_flags(open_flag);
33201 int error = -EISDIR;
33203 @@ -2352,6 +2415,14 @@ static struct file *do_last(struct namei
33205 * It already exists.
33208 + /* only check if O_CREAT is specified, all other checks need to go
33210 + if (gr_handle_fifo(path->dentry, path->mnt, dir, flag, acc_mode)) {
33212 + goto exit_mutex_unlock;
33215 mutex_unlock(&dir->d_inode->i_mutex);
33216 audit_inode(pathname, path->dentry);
33218 @@ -2535,6 +2606,11 @@ reval:
33219 error = security_inode_follow_link(link.dentry, &nd);
33222 + if (gr_handle_follow_link(link.dentry->d_parent->d_inode,
33223 + link.dentry->d_inode, link.dentry, nd.path.mnt)) {
33227 error = __do_follow_link(&link, &nd, &cookie);
33228 if (unlikely(error)) {
33229 if (!IS_ERR(cookie) && linki->i_op->put_link)
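Review bot: `link.dentry->d_parent->d_inode` is read without `d_lock` or `dget_parent()`, so the directory passed to `gr_handle_follow_link` can be stale if the link is renamed concurrently; the same pattern appears in the do_follow_link hunk. Wrap the call as `struct dentry *parent = dget_parent(link.dentry);` … `gr_handle_follow_link(parent->d_inode, link.dentry->d_inode, link.dentry, nd.path.mnt)` … `dput(parent);`, or document why a racy parent is acceptable for this check. The error path of the new `if` and the rest of do_filp_open lie outside the hunk.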
33230 @@ -2705,6 +2781,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
33231 error = may_mknod(mode);
33235 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
33240 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
33245 error = mnt_want_write(nd.path.mnt);
33248 @@ -2725,6 +2812,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
33251 mnt_drop_write(nd.path.mnt);
33254 + gr_handle_create(dentry, nd.path.mnt);
33258 @@ -2777,6 +2867,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
33259 if (IS_ERR(dentry))
33262 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
33267 if (!IS_POSIXACL(nd.path.dentry->d_inode))
33268 mode &= ~current_umask();
33269 error = mnt_want_write(nd.path.mnt);
33270 @@ -2788,6 +2883,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
33271 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
33273 mnt_drop_write(nd.path.mnt);
33276 + gr_handle_create(dentry, nd.path.mnt);
33281 @@ -2867,6 +2966,8 @@ static long do_rmdir(int dfd, const char
33283 struct dentry *dentry;
33284 struct nameidata nd;
33285 + ino_t saved_ino = 0;
33286 + dev_t saved_dev = 0;
33288 error = user_path_parent(dfd, pathname, &nd, &name);
33290 @@ -2891,6 +2992,19 @@ static long do_rmdir(int dfd, const char
33291 error = PTR_ERR(dentry);
33292 if (IS_ERR(dentry))
33295 + if (dentry->d_inode != NULL) {
33296 + if (dentry->d_inode->i_nlink <= 1) {
33297 + saved_ino = dentry->d_inode->i_ino;
33298 + saved_dev = gr_get_dev_from_dentry(dentry);
33301 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
33307 error = mnt_want_write(nd.path.mnt);
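Review bot: The `i_nlink <= 1` test that decides whether `gr_handle_delete` fires copies the regular-file rule from do_unlinkat, but directories on most filesystems keep `i_nlink == 2` even when empty (the `.` entry), so after a successful rmdir `saved_ino`/`saved_dev` stay zero and the delete hook is never called; only filesystems that report nlink 1 for directories would trigger it. Since rmdir only succeeds on an empty directory, the hook can fire unconditionally on success: drop the nlink test and set `saved_ino = dentry->d_inode->i_ino; saved_dev = gr_get_dev_from_dentry(dentry);` whenever `dentry->d_inode` is non-NULL. What `gr_handle_delete` does with the pair is not visible here, so confirm it tolerates being called for every removed directory.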
33310 @@ -2898,6 +3012,8 @@ static long do_rmdir(int dfd, const char
33313 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
33314 + if (!error && (saved_dev || saved_ino))
33315 + gr_handle_delete(saved_ino, saved_dev);
33317 mnt_drop_write(nd.path.mnt);
33319 @@ -2960,6 +3076,8 @@ static long do_unlinkat(int dfd, const c
33320 struct dentry *dentry;
33321 struct nameidata nd;
33322 struct inode *inode = NULL;
33323 + ino_t saved_ino = 0;
33324 + dev_t saved_dev = 0;
33326 error = user_path_parent(dfd, pathname, &nd, &name);
33328 @@ -2979,8 +3097,17 @@ static long do_unlinkat(int dfd, const c
33329 if (nd.last.name[nd.last.len])
33331 inode = dentry->d_inode;
33335 + if (inode->i_nlink <= 1) {
33336 + saved_ino = inode->i_ino;
33337 + saved_dev = gr_get_dev_from_dentry(dentry);
33339 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
33344 error = mnt_want_write(nd.path.mnt);
33347 @@ -2988,6 +3115,8 @@ static long do_unlinkat(int dfd, const c
33350 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
33351 + if (!error && (saved_ino || saved_dev))
33352 + gr_handle_delete(saved_ino, saved_dev);
33354 mnt_drop_write(nd.path.mnt);
33356 @@ -3065,6 +3194,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
33357 if (IS_ERR(dentry))
33360 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
33365 error = mnt_want_write(nd.path.mnt);
33368 @@ -3072,6 +3206,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
33370 goto out_drop_write;
33371 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
33373 + gr_handle_create(dentry, nd.path.mnt);
33375 mnt_drop_write(nd.path.mnt);
33377 @@ -3164,6 +3300,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
33378 error = PTR_ERR(new_dentry);
33379 if (IS_ERR(new_dentry))
33382 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
33383 + old_path.dentry->d_inode,
33384 + old_path.dentry->d_inode->i_mode, to)) {
33389 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
33390 + old_path.dentry, old_path.mnt, to)) {
33395 error = mnt_want_write(nd.path.mnt);
33398 @@ -3171,6 +3321,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
33400 goto out_drop_write;
33401 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
33403 + gr_handle_create(new_dentry, nd.path.mnt);
33405 mnt_drop_write(nd.path.mnt);
33407 @@ -3404,6 +3556,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
33408 if (new_dentry == trap)
33411 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
33412 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
33417 error = mnt_want_write(oldnd.path.mnt);
33420 @@ -3413,6 +3571,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
33422 error = vfs_rename(old_dir->d_inode, old_dentry,
33423 new_dir->d_inode, new_dentry);
33425 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
33426 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
33428 mnt_drop_write(oldnd.path.mnt);
33430 @@ -3438,6 +3599,8 @@ SYSCALL_DEFINE2(rename, const char __use
33432 int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
33435 + const char *newlink;
33438 len = PTR_ERR(link);
33439 @@ -3447,7 +3610,14 @@ int vfs_readlink(struct dentry *dentry,
33440 len = strlen(link);
33441 if (len > (unsigned) buflen)
33443 - if (copy_to_user(buffer, link, len))
33445 + if (len < sizeof(tmpbuf)) {
33446 + memcpy(tmpbuf, link, len);
33447 + newlink = tmpbuf;
33451 + if (copy_to_user(buffer, newlink, len))
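Review bot: The stack bounce through `tmpbuf` before `copy_to_user` has no comment explaining why a short link target is copied twice, and the buffer's declaration and the `else` that presumably sets `newlink = link` fall in lines not shown, so the bound in `len < sizeof(tmpbuf)` cannot be checked here. If the intent is to keep `copy_to_user` from reading filesystem-owned `link` storage directly (e.g. for a user-copy whitelist), say so: `/* bounce short targets through the stack so copy_to_user never reads fs-private memory directly */`. vfs_readlink's body runs past the hunk.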
33455 diff -urNp linux-2.6.38.4/fs/namespace.c linux-2.6.38.4/fs/namespace.c
33456 --- linux-2.6.38.4/fs/namespace.c 2011-04-18 17:27:16.000000000 -0400
33457 +++ linux-2.6.38.4/fs/namespace.c 2011-04-17 15:57:32.000000000 -0400
33458 @@ -1285,6 +1285,9 @@ static int do_umount(struct vfsmount *mn
33459 if (!(sb->s_flags & MS_RDONLY))
33460 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
33461 up_write(&sb->s_umount);
33463 + gr_log_remount(mnt->mnt_devname, retval);
33468 @@ -1304,6 +1307,9 @@ static int do_umount(struct vfsmount *mn
33469 br_write_unlock(vfsmount_lock);
33470 up_write(&namespace_sem);
33471 release_mounts(&umount_list);
33473 + gr_log_unmount(mnt->mnt_devname, retval);
33478 @@ -2241,6 +2247,16 @@ long do_mount(char *dev_name, char *dir_
33479 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
33482 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
33487 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
33492 if (flags & MS_REMOUNT)
33493 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
33495 @@ -2255,6 +2271,9 @@ long do_mount(char *dev_name, char *dir_
33496 dev_name, data_page);
33500 + gr_log_mount(dev_name, dir_name, retval);
33505 @@ -2480,6 +2499,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
33509 + if (gr_handle_chroot_pivot()) {
33515 get_fs_root(current->fs, &root);
33516 down_write(&namespace_sem);
33517 mutex_lock(&old.dentry->d_inode->i_mutex);
33518 diff -urNp linux-2.6.38.4/fs/nfs/inode.c linux-2.6.38.4/fs/nfs/inode.c
33519 --- linux-2.6.38.4/fs/nfs/inode.c 2011-03-14 21:20:32.000000000 -0400
33520 +++ linux-2.6.38.4/fs/nfs/inode.c 2011-04-17 15:57:32.000000000 -0400
33521 @@ -998,16 +998,16 @@ static int nfs_size_need_update(const st
33522 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
33525 -static atomic_long_t nfs_attr_generation_counter;
33526 +static atomic_long_unchecked_t nfs_attr_generation_counter;
33528 static unsigned long nfs_read_attr_generation_counter(void)
33530 - return atomic_long_read(&nfs_attr_generation_counter);
33531 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
33534 unsigned long nfs_inc_attr_generation_counter(void)
33536 - return atomic_long_inc_return(&nfs_attr_generation_counter);
33537 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
33540 void nfs_fattr_init(struct nfs_fattr *fattr)
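Review bot: Switching `nfs_attr_generation_counter` to the `_unchecked` atomic variants opts this counter out of overflow detection without saying why, so a later reader cannot tell whether wrap-around is actually harmless here. Add a comment above the declaration, `/* generation number, not a refcount: wrap-around is harmless, so skip overflow checking */`, assuming the value is only ever compared, as the read/inc_return helpers suggest.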
33541 diff -urNp linux-2.6.38.4/fs/nfs/nfs4proc.c linux-2.6.38.4/fs/nfs/nfs4proc.c
33542 --- linux-2.6.38.4/fs/nfs/nfs4proc.c 2011-03-14 21:20:32.000000000 -0400
33543 +++ linux-2.6.38.4/fs/nfs/nfs4proc.c 2011-04-17 15:57:32.000000000 -0400
33544 @@ -1198,7 +1198,7 @@ static int _nfs4_do_open_reclaim(struct
33545 static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
33547 struct nfs_server *server = NFS_SERVER(state->inode);
33548 - struct nfs4_exception exception = { };
33549 + struct nfs4_exception exception = {0, 0};
33552 err = _nfs4_do_open_reclaim(ctx, state);
33553 @@ -1240,7 +1240,7 @@ static int _nfs4_open_delegation_recall(
33555 int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
33557 - struct nfs4_exception exception = { };
33558 + struct nfs4_exception exception = {0, 0};
33559 struct nfs_server *server = NFS_SERVER(state->inode);
33562 @@ -1615,7 +1615,7 @@ static int _nfs4_open_expired(struct nfs
33563 static int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
33565 struct nfs_server *server = NFS_SERVER(state->inode);
33566 - struct nfs4_exception exception = { };
33567 + struct nfs4_exception exception = {0, 0};
33571 @@ -1730,7 +1730,7 @@ out_err:
33573 static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, int flags, struct iattr *sattr, struct rpc_cred *cred)
33575 - struct nfs4_exception exception = { };
33576 + struct nfs4_exception exception = {0, 0};
33577 struct nfs4_state *res;
33580 @@ -1821,7 +1821,7 @@ static int nfs4_do_setattr(struct inode
33581 struct nfs4_state *state)
33583 struct nfs_server *server = NFS_SERVER(inode);
33584 - struct nfs4_exception exception = { };
33585 + struct nfs4_exception exception = {0, 0};
33588 err = nfs4_handle_exception(server,
33589 @@ -2111,7 +2111,7 @@ static int _nfs4_server_capabilities(str
33591 int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
33593 - struct nfs4_exception exception = { };
33594 + struct nfs4_exception exception = {0, 0};
33597 err = nfs4_handle_exception(server,
33598 @@ -2145,7 +2145,7 @@ static int _nfs4_lookup_root(struct nfs_
33599 static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
33600 struct nfs_fsinfo *info)
33602 - struct nfs4_exception exception = { };
33603 + struct nfs4_exception exception = {0, 0};
33606 err = nfs4_handle_exception(server,
33607 @@ -2233,7 +2233,7 @@ static int _nfs4_proc_getattr(struct nfs
33609 static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
33611 - struct nfs4_exception exception = { };
33612 + struct nfs4_exception exception = {0, 0};
33615 err = nfs4_handle_exception(server,
33616 @@ -2321,7 +2321,7 @@ static int nfs4_proc_lookupfh(struct nfs
33617 struct qstr *name, struct nfs_fh *fhandle,
33618 struct nfs_fattr *fattr)
33620 - struct nfs4_exception exception = { };
33621 + struct nfs4_exception exception = {0, 0};
33624 err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
33625 @@ -2350,7 +2350,7 @@ static int _nfs4_proc_lookup(struct inod
33627 static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
33629 - struct nfs4_exception exception = { };
33630 + struct nfs4_exception exception = {0, 0};
33633 err = nfs4_handle_exception(NFS_SERVER(dir),
33634 @@ -2417,7 +2417,7 @@ static int _nfs4_proc_access(struct inod
33636 static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
33638 - struct nfs4_exception exception = { };
33639 + struct nfs4_exception exception = {0, 0};
33642 err = nfs4_handle_exception(NFS_SERVER(inode),
33643 @@ -2473,7 +2473,7 @@ static int _nfs4_proc_readlink(struct in
33644 static int nfs4_proc_readlink(struct inode *inode, struct page *page,
33645 unsigned int pgbase, unsigned int pglen)
33647 - struct nfs4_exception exception = { };
33648 + struct nfs4_exception exception = {0, 0};
33651 err = nfs4_handle_exception(NFS_SERVER(inode),
33652 @@ -2568,7 +2568,7 @@ out:
33654 static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
33656 - struct nfs4_exception exception = { };
33657 + struct nfs4_exception exception = {0, 0};
33660 err = nfs4_handle_exception(NFS_SERVER(dir),
33661 @@ -2673,7 +2673,7 @@ out:
33662 static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
33663 struct inode *new_dir, struct qstr *new_name)
33665 - struct nfs4_exception exception = { };
33666 + struct nfs4_exception exception = {0, 0};
33669 err = nfs4_handle_exception(NFS_SERVER(old_dir),
33670 @@ -2722,7 +2722,7 @@ out:
33672 static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
33674 - struct nfs4_exception exception = { };
33675 + struct nfs4_exception exception = {0, 0};
33678 err = nfs4_handle_exception(NFS_SERVER(inode),
33679 @@ -2814,7 +2814,7 @@ out:
33680 static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
33681 struct page *page, unsigned int len, struct iattr *sattr)
33683 - struct nfs4_exception exception = { };
33684 + struct nfs4_exception exception = {0, 0};
33687 err = nfs4_handle_exception(NFS_SERVER(dir),
33688 @@ -2845,7 +2845,7 @@ out:
33689 static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
33690 struct iattr *sattr)
33692 - struct nfs4_exception exception = { };
33693 + struct nfs4_exception exception = {0, 0};
33696 sattr->ia_mode &= ~current_umask();
33697 @@ -2899,7 +2899,7 @@ static int _nfs4_proc_readdir(struct den
33698 static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
33699 u64 cookie, struct page **pages, unsigned int count, int plus)
33701 - struct nfs4_exception exception = { };
33702 + struct nfs4_exception exception = {0, 0};
33705 err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
33706 @@ -2947,7 +2947,7 @@ out:
33707 static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
33708 struct iattr *sattr, dev_t rdev)
33710 - struct nfs4_exception exception = { };
33711 + struct nfs4_exception exception = {0, 0};
33714 sattr->ia_mode &= ~current_umask();
33715 @@ -2981,7 +2981,7 @@ static int _nfs4_proc_statfs(struct nfs_
33717 static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
33719 - struct nfs4_exception exception = { };
33720 + struct nfs4_exception exception = {0, 0};
33723 err = nfs4_handle_exception(server,
33724 @@ -3012,7 +3012,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
33726 static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
33728 - struct nfs4_exception exception = { };
33729 + struct nfs4_exception exception = {0, 0};
33733 @@ -3058,7 +3058,7 @@ static int _nfs4_proc_pathconf(struct nf
33734 static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
33735 struct nfs_pathconf *pathconf)
33737 - struct nfs4_exception exception = { };
33738 + struct nfs4_exception exception = {0, 0};
33742 @@ -3404,7 +3404,7 @@ out_free:
33744 static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
33746 - struct nfs4_exception exception = { };
33747 + struct nfs4_exception exception = {0, 0};
33750 ret = __nfs4_get_acl_uncached(inode, buf, buflen);
33751 @@ -3479,7 +3479,7 @@ static int __nfs4_proc_set_acl(struct in
33753 static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
33755 - struct nfs4_exception exception = { };
33756 + struct nfs4_exception exception = {0, 0};
33759 err = nfs4_handle_exception(NFS_SERVER(inode),
33760 @@ -3760,7 +3760,7 @@ out:
33761 int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid, int issync)
33763 struct nfs_server *server = NFS_SERVER(inode);
33764 - struct nfs4_exception exception = { };
33765 + struct nfs4_exception exception = {0, 0};
33768 err = _nfs4_proc_delegreturn(inode, cred, stateid, issync);
33769 @@ -3834,7 +3834,7 @@ out:
33771 static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
33773 - struct nfs4_exception exception = { };
33774 + struct nfs4_exception exception = {0, 0};
33778 @@ -4239,7 +4239,7 @@ static int _nfs4_do_setlk(struct nfs4_st
33779 static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
33781 struct nfs_server *server = NFS_SERVER(state->inode);
33782 - struct nfs4_exception exception = { };
33783 + struct nfs4_exception exception = {0, 0};
33787 @@ -4257,7 +4257,7 @@ static int nfs4_lock_reclaim(struct nfs4
33788 static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
33790 struct nfs_server *server = NFS_SERVER(state->inode);
33791 - struct nfs4_exception exception = { };
33792 + struct nfs4_exception exception = {0, 0};
33795 err = nfs4_set_lock_state(state, request);
33796 @@ -4321,7 +4321,7 @@ out:
33798 static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
33800 - struct nfs4_exception exception = { };
33801 + struct nfs4_exception exception = {0, 0};
33805 @@ -4381,7 +4381,7 @@ nfs4_proc_lock(struct file *filp, int cm
33806 int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
33808 struct nfs_server *server = NFS_SERVER(state->inode);
33809 - struct nfs4_exception exception = { };
33810 + struct nfs4_exception exception = {0, 0};
33813 err = nfs4_set_lock_state(state, fl);
33814 diff -urNp linux-2.6.38.4/fs/nfsd/lockd.c linux-2.6.38.4/fs/nfsd/lockd.c
33815 --- linux-2.6.38.4/fs/nfsd/lockd.c 2011-04-18 17:27:18.000000000 -0400
33816 +++ linux-2.6.38.4/fs/nfsd/lockd.c 2011-04-17 16:53:48.000000000 -0400
33817 @@ -60,7 +60,7 @@ nlm_fclose(struct file *filp)
33821 -static struct nlmsvc_binding nfsd_nlm_ops = {
33822 +static const struct nlmsvc_binding nfsd_nlm_ops = {
33823 .fopen = nlm_fopen, /* open file for locking */
33824 .fclose = nlm_fclose, /* close file */
33826 diff -urNp linux-2.6.38.4/fs/nfsd/nfsctl.c linux-2.6.38.4/fs/nfsd/nfsctl.c
33827 --- linux-2.6.38.4/fs/nfsd/nfsctl.c 2011-03-14 21:20:32.000000000 -0400
33828 +++ linux-2.6.38.4/fs/nfsd/nfsctl.c 2011-04-17 15:57:32.000000000 -0400
33829 @@ -180,7 +180,7 @@ static int export_features_open(struct i
33830 return single_open(file, export_features_show, NULL);
33833 -static struct file_operations export_features_operations = {
33834 +static const struct file_operations export_features_operations = {
33835 .open = export_features_open,
33837 .llseek = seq_lseek,
33838 diff -urNp linux-2.6.38.4/fs/nfsd/vfs.c linux-2.6.38.4/fs/nfsd/vfs.c
33839 --- linux-2.6.38.4/fs/nfsd/vfs.c 2011-03-14 21:20:32.000000000 -0400
33840 +++ linux-2.6.38.4/fs/nfsd/vfs.c 2011-04-17 15:57:32.000000000 -0400
33841 @@ -898,7 +898,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
33845 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
33846 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
33850 @@ -1002,7 +1002,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
33852 /* Write the data. */
33853 oldfs = get_fs(); set_fs(KERNEL_DS);
33854 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
33855 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
33859 @@ -1518,7 +1518,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
33862 oldfs = get_fs(); set_fs(KERNEL_DS);
33863 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
33864 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
33868 diff -urNp linux-2.6.38.4/fs/nls/nls_base.c linux-2.6.38.4/fs/nls/nls_base.c
33869 --- linux-2.6.38.4/fs/nls/nls_base.c 2011-03-14 21:20:32.000000000 -0400
33870 +++ linux-2.6.38.4/fs/nls/nls_base.c 2011-04-17 15:57:32.000000000 -0400
33871 @@ -41,7 +41,7 @@ static const struct utf8_table utf8_tabl
33872 {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
33873 {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
33874 {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
33875 - {0, /* end of table */}
33876 + {0, 0, 0, 0, 0, /* end of table */}
33879 #define UNICODE_MAX 0x0010ffff
33880 diff -urNp linux-2.6.38.4/fs/notify/dnotify/dnotify.c linux-2.6.38.4/fs/notify/dnotify/dnotify.c
33881 --- linux-2.6.38.4/fs/notify/dnotify/dnotify.c 2011-03-14 21:20:32.000000000 -0400
33882 +++ linux-2.6.38.4/fs/notify/dnotify/dnotify.c 2011-04-17 15:57:32.000000000 -0400
33883 @@ -151,7 +151,7 @@ static void dnotify_free_mark(struct fsn
33884 kmem_cache_free(dnotify_mark_cache, dn_mark);
33887 -static struct fsnotify_ops dnotify_fsnotify_ops = {
33888 +static const struct fsnotify_ops dnotify_fsnotify_ops = {
33889 .handle_event = dnotify_handle_event,
33890 .should_send_event = dnotify_should_send_event,
33891 .free_group_priv = NULL,
33892 diff -urNp linux-2.6.38.4/fs/ntfs/dir.c linux-2.6.38.4/fs/ntfs/dir.c
33893 --- linux-2.6.38.4/fs/ntfs/dir.c 2011-03-14 21:20:32.000000000 -0400
33894 +++ linux-2.6.38.4/fs/ntfs/dir.c 2011-04-17 15:57:32.000000000 -0400
33895 @@ -1329,7 +1329,7 @@ find_next_index_buffer:
33896 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
33897 ~(s64)(ndir->itype.index.block_size - 1)));
33898 /* Bounds checks. */
33899 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
33900 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
33901 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
33902 "inode 0x%lx or driver bug.", vdir->i_ino);
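Review bot: The new `!kaddr` test at 33900 runs after `ia` has already been derived from `kaddr` at 33896–33897, so a NULL `kaddr` is still used in pointer arithmetic before the guard rejects it; testing `kaddr` where it is produced (not shown in the hunk), or at least before the `ia` computation, would make the guard meaningful rather than cosmetic. The pre-existing upper bound `(u8*)ia > kaddr + PAGE_CACHE_SIZE` still accepts `ia == kaddr + PAGE_CACHE_SIZE`, which points one past the page; whether a later check covers the header read that follows is not visible here. The enclosing function starts and ends outside the hunk.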
33904 diff -urNp linux-2.6.38.4/fs/ntfs/file.c linux-2.6.38.4/fs/ntfs/file.c
33905 --- linux-2.6.38.4/fs/ntfs/file.c 2011-03-14 21:20:32.000000000 -0400
33906 +++ linux-2.6.38.4/fs/ntfs/file.c 2011-04-17 15:57:32.000000000 -0400
33907 @@ -2222,6 +2222,6 @@ const struct inode_operations ntfs_file_
33908 #endif /* NTFS_RW */
33911 -const struct file_operations ntfs_empty_file_ops = {};
33912 +const struct file_operations ntfs_empty_file_ops __read_only;
33914 -const struct inode_operations ntfs_empty_inode_ops = {};
33915 +const struct inode_operations ntfs_empty_inode_ops __read_only;
33916 diff -urNp linux-2.6.38.4/fs/ocfs2/localalloc.c linux-2.6.38.4/fs/ocfs2/localalloc.c
33917 --- linux-2.6.38.4/fs/ocfs2/localalloc.c 2011-03-14 21:20:32.000000000 -0400
33918 +++ linux-2.6.38.4/fs/ocfs2/localalloc.c 2011-04-17 15:57:32.000000000 -0400
33919 @@ -1307,7 +1307,7 @@ static int ocfs2_local_alloc_slide_windo
33923 - atomic_inc(&osb->alloc_stats.moves);
33924 + atomic_inc_unchecked(&osb->alloc_stats.moves);
33928 diff -urNp linux-2.6.38.4/fs/ocfs2/ocfs2.h linux-2.6.38.4/fs/ocfs2/ocfs2.h
33929 --- linux-2.6.38.4/fs/ocfs2/ocfs2.h 2011-03-14 21:20:32.000000000 -0400
33930 +++ linux-2.6.38.4/fs/ocfs2/ocfs2.h 2011-04-17 15:57:32.000000000 -0400
33931 @@ -230,11 +230,11 @@ enum ocfs2_vol_state
33933 struct ocfs2_alloc_stats
33936 - atomic_t local_data;
33937 - atomic_t bitmap_data;
33938 - atomic_t bg_allocs;
33939 - atomic_t bg_extends;
33940 + atomic_unchecked_t moves;
33941 + atomic_unchecked_t local_data;
33942 + atomic_unchecked_t bitmap_data;
33943 + atomic_unchecked_t bg_allocs;
33944 + atomic_unchecked_t bg_extends;
33947 enum ocfs2_local_alloc_state
33948 diff -urNp linux-2.6.38.4/fs/ocfs2/suballoc.c linux-2.6.38.4/fs/ocfs2/suballoc.c
33949 --- linux-2.6.38.4/fs/ocfs2/suballoc.c 2011-03-14 21:20:32.000000000 -0400
33950 +++ linux-2.6.38.4/fs/ocfs2/suballoc.c 2011-04-17 15:57:32.000000000 -0400
33951 @@ -877,7 +877,7 @@ static int ocfs2_reserve_suballoc_bits(s
33952 mlog_errno(status);
33955 - atomic_inc(&osb->alloc_stats.bg_extends);
33956 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
33958 /* You should never ask for this much metadata */
33959 BUG_ON(bits_wanted >
33960 @@ -2012,7 +2012,7 @@ int ocfs2_claim_metadata(handle_t *handl
33961 mlog_errno(status);
33964 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33965 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33967 *suballoc_loc = res.sr_bg_blkno;
33968 *suballoc_bit_start = res.sr_bit_offset;
33969 @@ -2219,7 +2219,7 @@ int ocfs2_claim_new_inode(handle_t *hand
33970 mlog_errno(status);
33973 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33974 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33976 BUG_ON(res.sr_bits != 1);
33978 @@ -2324,7 +2324,7 @@ int __ocfs2_claim_clusters(handle_t *han
33982 - atomic_inc(&osb->alloc_stats.local_data);
33983 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
33985 if (min_clusters > (osb->bitmap_cpg - 1)) {
33986 /* The only paths asking for contiguousness
33987 @@ -2350,7 +2350,7 @@ int __ocfs2_claim_clusters(handle_t *han
33988 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
33990 res.sr_bit_offset);
33991 - atomic_inc(&osb->alloc_stats.bitmap_data);
33992 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
33993 *num_clusters = res.sr_bits;
33996 diff -urNp linux-2.6.38.4/fs/ocfs2/super.c linux-2.6.38.4/fs/ocfs2/super.c
33997 --- linux-2.6.38.4/fs/ocfs2/super.c 2011-03-14 21:20:32.000000000 -0400
33998 +++ linux-2.6.38.4/fs/ocfs2/super.c 2011-04-17 15:57:32.000000000 -0400
33999 @@ -297,11 +297,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
34000 "%10s => GlobalAllocs: %d LocalAllocs: %d "
34001 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
34003 - atomic_read(&osb->alloc_stats.bitmap_data),
34004 - atomic_read(&osb->alloc_stats.local_data),
34005 - atomic_read(&osb->alloc_stats.bg_allocs),
34006 - atomic_read(&osb->alloc_stats.moves),
34007 - atomic_read(&osb->alloc_stats.bg_extends));
34008 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
34009 + atomic_read_unchecked(&osb->alloc_stats.local_data),
34010 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
34011 + atomic_read_unchecked(&osb->alloc_stats.moves),
34012 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
34014 out += snprintf(buf + out, len - out,
34015 "%10s => State: %u Descriptor: %llu Size: %u bits "
34016 @@ -2141,11 +2141,11 @@ static int ocfs2_initialize_super(struct
34017 spin_lock_init(&osb->osb_xattr_lock);
34018 ocfs2_init_steal_slots(osb);
34020 - atomic_set(&osb->alloc_stats.moves, 0);
34021 - atomic_set(&osb->alloc_stats.local_data, 0);
34022 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
34023 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
34024 - atomic_set(&osb->alloc_stats.bg_extends, 0);
34025 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
34026 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
34027 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
34028 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
34029 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
34031 /* Copy the blockcheck stats from the superblock probe */
34032 osb->osb_ecc_stats = *stats;
34033 diff -urNp linux-2.6.38.4/fs/ocfs2/symlink.c linux-2.6.38.4/fs/ocfs2/symlink.c
34034 --- linux-2.6.38.4/fs/ocfs2/symlink.c 2011-03-14 21:20:32.000000000 -0400
34035 +++ linux-2.6.38.4/fs/ocfs2/symlink.c 2011-04-17 15:57:32.000000000 -0400
34036 @@ -148,7 +148,7 @@ bail:
34038 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
34040 - char *link = nd_get_link(nd);
34041 + const char *link = nd_get_link(nd);
34045 diff -urNp linux-2.6.38.4/fs/open.c linux-2.6.38.4/fs/open.c
34046 --- linux-2.6.38.4/fs/open.c 2011-03-14 21:20:32.000000000 -0400
34047 +++ linux-2.6.38.4/fs/open.c 2011-04-17 15:57:32.000000000 -0400
34048 @@ -112,6 +112,10 @@ static long do_sys_truncate(const char _
34049 error = locks_verify_truncate(inode, NULL, length);
34051 error = security_path_truncate(&path);
34053 + if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
34057 error = do_truncate(path.dentry, length, 0, NULL);
34059 @@ -358,6 +362,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
34060 if (__mnt_is_readonly(path.mnt))
34063 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
34069 @@ -384,6 +391,8 @@ SYSCALL_DEFINE1(chdir, const char __user
34073 + gr_log_chdir(path.dentry, path.mnt);
34075 set_fs_pwd(current->fs, &path);
34078 @@ -410,6 +419,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
34081 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
34083 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
34087 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
34090 set_fs_pwd(current->fs, &file->f_path);
34092 @@ -438,7 +454,18 @@ SYSCALL_DEFINE1(chroot, const char __use
34096 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
34097 + goto dput_and_out;
34099 + if (gr_handle_chroot_caps(&path)) {
34101 + goto dput_and_out;
34104 set_fs_root(current->fs, &path);
34106 + gr_handle_chroot_chdir(&path);
34111 @@ -466,12 +493,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
34112 err = mnt_want_write_file(file);
34116 mutex_lock(&inode->i_mutex);
34118 + if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
34123 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
34126 if (mode == (mode_t) -1)
34127 mode = inode->i_mode;
34129 + if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
34134 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
34135 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
34136 err = notify_change(dentry, &newattrs);
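Review bot: The ACL check `gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)` at 34118 sees the raw user-supplied `mode`, including the `(mode_t) -1` sentinel, because the normalisation to `inode->i_mode` only happens at 34126–34127, while `gr_handle_chroot_chmod` at 34129 sees the normalised value. If the ACL hook interprets mode bits, it should run after the normalisation (or be handed the normalised mode) so both hooks judge the same value; the fchmodat hunk at 34144/34155 has the same ordering. The hook's failure branch is not shown; it must release the `i_mutex` taken at 34116 before returning.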
34137 @@ -499,12 +539,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
34138 error = mnt_want_write(path.mnt);
34142 mutex_lock(&inode->i_mutex);
34144 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
34149 error = security_path_chmod(path.dentry, path.mnt, mode);
34152 if (mode == (mode_t) -1)
34153 mode = inode->i_mode;
34155 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
34160 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
34161 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
34162 error = notify_change(path.dentry, &newattrs);
34163 @@ -528,6 +581,9 @@ static int chown_common(struct path *pat
34165 struct iattr newattrs;
34167 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
34170 newattrs.ia_valid = ATTR_CTIME;
34171 if (user != (uid_t) -1) {
34172 newattrs.ia_valid |= ATTR_UID;
34173 @@ -898,7 +954,10 @@ long do_sys_open(int dfd, const char __u
34174 if (!IS_ERR(tmp)) {
34175 fd = get_unused_fd_flags(flags);
34177 - struct file *f = do_filp_open(dfd, tmp, flags, mode, 0);
34179 + /* don't allow to be set by userland */
34180 + flags &= ~FMODE_GREXEC;
34181 + f = do_filp_open(dfd, tmp, flags, mode, 0);
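Review bot: The comment says `FMODE_GREXEC` must not be set by userland, but the mask at 34180 is applied only after `flags` has already been passed to `get_unused_fd_flags(flags)` at 34175; if the intent is that no consumer ever sees the bit, the mask belongs at the top of `do_sys_open` before any use of `flags`, and the comment would be clearer as `/* FMODE_GREXEC is kernel-internal; never honour it from userland */`. The removed declaration of `f` at 34177 becomes a plain assignment at 34181, so `f` must now be declared earlier in the function (not shown). do_sys_open starts and ends outside the hunk.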
34185 diff -urNp linux-2.6.38.4/fs/partitions/ldm.c linux-2.6.38.4/fs/partitions/ldm.c
34186 --- linux-2.6.38.4/fs/partitions/ldm.c 2011-03-14 21:20:32.000000000 -0400
34187 +++ linux-2.6.38.4/fs/partitions/ldm.c 2011-04-18 19:31:25.000000000 -0400
34188 @@ -1299,6 +1299,11 @@ static bool ldm_frag_add (const u8 *data
34190 BUG_ON (!data || !frags);
34192 + if (size < 2 * VBLK_SIZE_HEAD) {
34193 + ldm_error("Value of size is to small.");
34197 group = get_unaligned_be32(data + 0x08);
34198 rec = get_unaligned_be16(data + 0x0C);
34199 num = get_unaligned_be16(data + 0x0E);
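Review bot: The message at 34193 reads `Value of size is to small.`; it should be `too small`, and naming the value and the minimum in the message would make the log actionable when a corrupt partition table is rejected. The check itself sits before the `get_unaligned_*` reads at 34197–34199, which is the right order; the early-return line after the message is not shown. ldm_frag_add starts outside the hunk.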
34200 @@ -1307,13 +1312,18 @@ static bool ldm_frag_add (const u8 *data
34204 + if (rec >= num) {
34205 + ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
34209 list_for_each (item, frags) {
34210 f = list_entry (item, struct frag, list);
34211 if (f->group == group)
34215 - f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
34216 + f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
34218 ldm_crit ("Out of memory.");
34220 @@ -1334,10 +1344,9 @@ found:
34222 f->map |= (1 << rec);
34225 - data += VBLK_SIZE_HEAD;
34226 - size -= VBLK_SIZE_HEAD;
34228 + data += VBLK_SIZE_HEAD;
34229 + size -= VBLK_SIZE_HEAD;
34231 memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
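Review bot: With `data += VBLK_SIZE_HEAD; size -= VBLK_SIZE_HEAD;` now executed unconditionally (34228–34229, assuming they sit outside the `if (!rec)` block whose closing brace is among the lines not shown), the unchanged `memcpy` at 34231 subtracts the header a second time in `rec*(size-VBLK_SIZE_HEAD)`: fragment 0 still lands at offset `VBLK_SIZE_HEAD`, but every fragment with `rec > 0` is placed `VBLK_SIZE_HEAD` bytes too early and overlaps the tail of the previous one. Once `size` already excludes the header, the destination should be `f->data + VBLK_SIZE_HEAD + rec * size`. ldm_frag_add starts outside the hunk.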
34234 diff -urNp linux-2.6.38.4/fs/pipe.c linux-2.6.38.4/fs/pipe.c
34235 --- linux-2.6.38.4/fs/pipe.c 2011-03-14 21:20:32.000000000 -0400
34236 +++ linux-2.6.38.4/fs/pipe.c 2011-04-17 15:57:32.000000000 -0400
34237 @@ -420,9 +420,9 @@ redo:
34239 if (bufs) /* More to do? */
34241 - if (!pipe->writers)
34242 + if (!atomic_read(&pipe->writers))
34244 - if (!pipe->waiting_writers) {
34245 + if (!atomic_read(&pipe->waiting_writers)) {
34246 /* syscall merging: Usually we must not sleep
34247 * if O_NONBLOCK is set, or if we got some data.
34248 * But if a writer sleeps in kernel space, then
34249 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
34250 mutex_lock(&inode->i_mutex);
34251 pipe = inode->i_pipe;
34253 - if (!pipe->readers) {
34254 + if (!atomic_read(&pipe->readers)) {
34255 send_sig(SIGPIPE, current, 0);
34258 @@ -530,7 +530,7 @@ redo1:
34262 - if (!pipe->readers) {
34263 + if (!atomic_read(&pipe->readers)) {
34264 send_sig(SIGPIPE, current, 0);
34267 @@ -616,9 +616,9 @@ redo2:
34268 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
34271 - pipe->waiting_writers++;
34272 + atomic_inc(&pipe->waiting_writers);
34274 - pipe->waiting_writers--;
34275 + atomic_dec(&pipe->waiting_writers);
34278 mutex_unlock(&inode->i_mutex);
34279 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
34281 if (filp->f_mode & FMODE_READ) {
34282 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
34283 - if (!pipe->writers && filp->f_version != pipe->w_counter)
34284 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
34288 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
34289 * Most Unices do not set POLLERR for FIFOs but on Linux they
34290 * behave exactly like pipes for poll().
34292 - if (!pipe->readers)
34293 + if (!atomic_read(&pipe->readers))
34297 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
34299 mutex_lock(&inode->i_mutex);
34300 pipe = inode->i_pipe;
34301 - pipe->readers -= decr;
34302 - pipe->writers -= decw;
34303 + atomic_sub(decr, &pipe->readers);
34304 + atomic_sub(decw, &pipe->writers);
34306 - if (!pipe->readers && !pipe->writers) {
34307 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
34308 free_pipe_info(inode);
34310 wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
34311 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
34313 if (inode->i_pipe) {
34315 - inode->i_pipe->readers++;
34316 + atomic_inc(&inode->i_pipe->readers);
34319 mutex_unlock(&inode->i_mutex);
34320 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
34322 if (inode->i_pipe) {
34324 - inode->i_pipe->writers++;
34325 + atomic_inc(&inode->i_pipe->writers);
34328 mutex_unlock(&inode->i_mutex);
34329 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
34330 if (inode->i_pipe) {
34332 if (filp->f_mode & FMODE_READ)
34333 - inode->i_pipe->readers++;
34334 + atomic_inc(&inode->i_pipe->readers);
34335 if (filp->f_mode & FMODE_WRITE)
34336 - inode->i_pipe->writers++;
34337 + atomic_inc(&inode->i_pipe->writers);
34340 mutex_unlock(&inode->i_mutex);
34341 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
34342 inode->i_pipe = NULL;
34345 -static struct vfsmount *pipe_mnt __read_mostly;
34346 +struct vfsmount *pipe_mnt __read_mostly;
34349 * pipefs_dname() is called from d_path().
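Review bot: `pipe_mnt` at 34346 is turned from a file-local into a global definition, but no `extern struct vfsmount *pipe_mnt;` declaration appears in this hunk; unless one is added to a header elsewhere in the patch, sparse will flag the symbol as undeclared and any other user has to redeclare it by hand. A one-line comment at the definition naming why it is exported would also help, since the widened linkage is otherwise unexplained. The surrounding code is outside the hunk.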
34350 @@ -961,7 +961,8 @@ static struct inode * get_pipe_inode(voi
34352 inode->i_pipe = pipe;
34354 - pipe->readers = pipe->writers = 1;
34355 + atomic_set(&pipe->readers, 1);
34356 + atomic_set(&pipe->writers, 1);
34357 inode->i_fop = &rdwr_pipefifo_fops;
34360 diff -urNp linux-2.6.38.4/fs/proc/array.c linux-2.6.38.4/fs/proc/array.c
34361 --- linux-2.6.38.4/fs/proc/array.c 2011-04-18 17:27:16.000000000 -0400
34362 +++ linux-2.6.38.4/fs/proc/array.c 2011-04-20 18:14:54.000000000 -0400
34364 #include <linux/tty.h>
34365 #include <linux/string.h>
34366 #include <linux/mman.h>
34367 +#include <linux/grsecurity.h>
34368 #include <linux/proc_fs.h>
34369 #include <linux/ioport.h>
34370 #include <linux/uaccess.h>
34371 @@ -337,6 +338,21 @@ static void task_cpus_allowed(struct seq
34375 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
34376 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
34379 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
34380 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
34381 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
34382 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
34383 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
34384 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
34386 + seq_printf(m, "PaX:\t-----\n");
34390 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
34391 struct pid *pid, struct task_struct *task)
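Review bot: `task_pax` dereferences `p->mm` directly at 34380–34384 rather than pinning it with `get_task_mm()`/`mmput()`; the lines between the function's opening and the first `seq_printf` are not shown, so if no NULL test and no reference on the mm exist there, the read can race with the task exiting. A short header comment would also help a reader of /proc/<pid>/status output: `/* Emit the PaX flag line; an upper-case letter means the flag is enabled, lower-case disabled. */`. The function is `static inline` but has a single caller (34399 in the next hunk), so the `inline` adds nothing.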
34393 @@ -354,9 +370,24 @@ int proc_pid_status(struct seq_file *m,
34394 cpuset_task_status_allowed(m, task);
34395 task_vs_id(m, task);
34396 task_context_switch_counts(m, task);
34398 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
34399 + task_pax(m, task);
34402 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
34403 + task_grsec_rbac(m, task);
34409 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34410 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
34411 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
34412 + _mm->pax_flags & MF_PAX_SEGMEXEC))
34415 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
34416 struct pid *pid, struct task_struct *task, int whole)
34418 @@ -449,6 +480,19 @@ static int do_task_stat(struct seq_file
34419 gtime = task->gtime;
34422 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34423 + if (PAX_RAND_FLAGS(mm)) {
34429 +#ifdef CONFIG_GRKERNSEC_HIDESYM
34435 /* scale priority and nice values from timeslices to -20..20 */
34436 /* to make it look like a "normal" Unix priority/nice value */
34437 priority = task_prio(task);
34438 @@ -489,9 +533,15 @@ static int do_task_stat(struct seq_file
34440 mm ? get_mm_rss(mm) : 0,
34442 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34443 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0),
34444 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0),
34445 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
34447 mm ? (permitted ? mm->start_code : 1) : 0,
34448 mm ? (permitted ? mm->end_code : 1) : 0,
34449 (permitted && mm) ? mm->start_stack : 0,
34453 /* The signal information here is obsolete.
34454 @@ -544,3 +594,18 @@ int proc_pid_statm(struct seq_file *m, s
34459 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
34460 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
34463 + unsigned long flags;
34465 + if (lock_task_sighand(task, &flags)) {
34466 + curr_ip = task->signal->curr_ip;
34467 + unlock_task_sighand(task, &flags);
34470 + return sprintf(buffer, "%pI4\n", &curr_ip);
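Review bot: When `lock_task_sighand` at 34465 fails, control falls through to the `sprintf` at 34470 with `curr_ip` untouched, so its declaration (among the lines not shown) must initialise it, e.g. to 0, or the output is an uninitialised stack value. Consider also documenting that the function writes one fixed-length `%pI4` line into a caller-provided buffer whose capacity is not checked here and returns the byte count, as `sprintf` does. proc_pid_ipaddr's closing lines are outside the hunk.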
34473 diff -urNp linux-2.6.38.4/fs/proc/base.c linux-2.6.38.4/fs/proc/base.c
34474 --- linux-2.6.38.4/fs/proc/base.c 2011-04-22 19:20:59.000000000 -0400
34475 +++ linux-2.6.38.4/fs/proc/base.c 2011-04-22 19:21:23.000000000 -0400
34476 @@ -104,6 +104,22 @@ struct pid_entry {
34480 +struct getdents_callback {
34481 + struct linux_dirent __user * current_dir;
34482 + struct linux_dirent __user * previous;
34483 + struct file * file;
34488 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
34489 + loff_t offset, u64 ino, unsigned int d_type)
34491 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
34492 + buf->error = -EINVAL;
34496 #define NOD(NAME, MODE, IOP, FOP, OP) { \
34498 .len = sizeof(NAME) - 1, \
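Review bot: `struct getdents_callback` and `gr_fake_filldir` (34480–34492) duplicate the shape of the file-private callback structure used by the getdents implementation in fs/readdir.c; because both are file-local there is no link clash, but any divergence between the two layouts would be silent, so a comment stating that the layout must mirror fs/readdir.c's (or a move to a shared header) would make the coupling explicit. The parameter name `__buf` is a reserved identifier in standard C; `buf` with the cast target renamed, say `cb`, avoids it. `gr_fake_filldir` is `static` but unreferenced in this hunk, so its caller must be elsewhere in the file.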
34499 @@ -203,6 +219,9 @@ static int check_mem_permission(struct t
34500 if (task == current)
34503 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
34507 * If current is actively ptrace'ing, and would also be
34508 * permitted to freshly attach with ptrace now, permit it.
34509 @@ -250,6 +269,9 @@ static int proc_pid_cmdline(struct task_
34511 goto out_mm; /* Shh! No looking before we're done */
34513 + if (gr_acl_handle_procpidmem(task))
34516 len = mm->arg_end - mm->arg_start;
34518 if (len > PAGE_SIZE)
34519 @@ -277,12 +299,28 @@ out:
34523 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34524 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
34525 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
34526 + _mm->pax_flags & MF_PAX_SEGMEXEC))
34529 static int proc_pid_auxv(struct task_struct *task, char *buffer)
34532 struct mm_struct *mm = get_task_mm(task);
34534 unsigned int nwords = 0;
34536 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34537 + /* allow if we're currently ptracing this task */
34538 + if (PAX_RAND_FLAGS(mm) &&
34539 + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
34547 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
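Review bot: The `PAX_RAND_FLAGS(_mm)` macro at 34524–34526 is defined a second time; the same text appears under the same `#ifdef` in fs/proc/array.c in this patch (34410–34412), so both copies should live in one header rather than be kept in sync by hand. In the new auxv guard at 34538–34539, `task->ptrace` and `task->parent` are read without any lock visible in the hunk, so the ptrace-parent test is racy unless the caller holds the appropriate lock; the body of the `if` is not shown, and it must release the mm obtained at 34532 before returning. proc_pid_auxv ends outside the hunk.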
34548 @@ -296,7 +334,7 @@ static int proc_pid_auxv(struct task_str
34552 -#ifdef CONFIG_KALLSYMS
34553 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
34555 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
34556 * Returns the resolved symbol. If that fails, simply return the address.
34557 @@ -318,7 +356,7 @@ static int proc_pid_wchan(struct task_st
34559 #endif /* CONFIG_KALLSYMS */
34561 -#ifdef CONFIG_STACKTRACE
34562 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
34564 #define MAX_STACK_TRACE_DEPTH 64
34566 @@ -503,7 +541,7 @@ static int proc_pid_limits(struct task_s
34570 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
34571 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
34572 static int proc_pid_syscall(struct task_struct *task, char *buffer)
34575 @@ -528,7 +566,7 @@ static int proc_pid_syscall(struct task_
34576 /************************************************************************/
34578 /* permission checks */
34579 -static int proc_fd_access_allowed(struct inode *inode)
34580 +static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
34582 struct task_struct *task;
34584 @@ -538,7 +576,10 @@ static int proc_fd_access_allowed(struct
34586 task = get_proc_task(inode);
34588 - allowed = ptrace_may_access(task, PTRACE_MODE_READ);
34590 + allowed = ptrace_may_access_log(task, PTRACE_MODE_READ);
34592 + allowed = ptrace_may_access(task, PTRACE_MODE_READ);
34593 put_task_struct(task);
34596 @@ -917,6 +958,9 @@ static ssize_t environ_read(struct file
34600 + if (gr_acl_handle_procpidmem(task))
34603 if (!ptrace_may_access(task, PTRACE_MODE_READ))
34606 @@ -1606,7 +1650,7 @@ static void *proc_pid_follow_link(struct
34607 path_put(&nd->path);
34609 /* Are we allowed to snoop on the tasks file descriptors? */
34610 - if (!proc_fd_access_allowed(inode))
34611 + if (!proc_fd_access_allowed(inode,0))
34614 error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
34615 @@ -1645,8 +1689,18 @@ static int proc_pid_readlink(struct dent
34618 /* Are we allowed to snoop on the tasks file descriptors? */
34619 - if (!proc_fd_access_allowed(inode))
34621 + /* logging this is needed for learning on chromium to work properly,
34622 + but we don't want to flood the logs from 'ps' which does a readlink
34623 + on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
34624 + CAP_SYS_PTRACE as it's not necessary for its basic functionality
34626 + if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
34627 + if (!proc_fd_access_allowed(inode,0))
34630 + if (!proc_fd_access_allowed(inode,1))
34634 error = PROC_I(inode)->op.proc_get_link(inode, &path);
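Review bot: The two calls at lines 34627 and 34630 differ only in the log flag, so the branch collapses to one call, e.g. `int is_stderr = dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0';` followed by `if (!proc_fd_access_allowed(inode, !is_stderr))` and the existing error path; that also gives the bare `'2'` a name matching the comment's "/proc/fd/2". The closing `*/` of the new comment and the error handling after each call are on lines not shown. proc_pid_readlink continues outside the hunk.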
34636 @@ -1712,7 +1766,11 @@ static struct inode *proc_pid_make_inode
34638 cred = __task_cred(task);
34639 inode->i_uid = cred->euid;
34640 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
34641 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
34643 inode->i_gid = cred->egid;
34647 security_task_to_inode(task, inode);
34648 @@ -1730,6 +1788,9 @@ static int pid_getattr(struct vfsmount *
34649 struct inode *inode = dentry->d_inode;
34650 struct task_struct *task;
34651 const struct cred *cred;
34652 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34653 + const struct cred *tmpcred = current_cred();
34656 generic_fillattr(inode, stat);
34658 @@ -1737,12 +1798,34 @@ static int pid_getattr(struct vfsmount *
34661 task = pid_task(proc_pid(inode), PIDTYPE_PID);
34663 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
34664 + rcu_read_unlock();
34669 + cred = __task_cred(task);
34670 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34671 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
34672 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
34673 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
34677 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
34678 +#ifdef CONFIG_GRKERNSEC_PROC_USER
34679 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
34680 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34681 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
34683 task_dumpable(task)) {
34684 - cred = __task_cred(task);
34685 stat->uid = cred->euid;
34686 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
34687 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
34689 stat->gid = cred->egid;
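Review bot: The visibility test at line 34671 compares `tmpcred->uid` with `cred->uid` (real ids) while the values reported at 34685/34689 are effective ids, and the equivalent test in fs/proc/proc_net.c at 35092 uses `cred->fsuid`; the sites should agree on which credential governs /proc visibility, and the proc_pid_readdir hunk at 34863 repeats the `uid` form. `!tmpcred->uid` hard-codes uid 0 as the bypass rather than a capability, which is the model the existing ptrace_may_access checks in this file follow; if that is deliberate, a one-line comment above 34671 saying so would save the next reader the question. The `rcu_read_unlock()` at 34664 precedes a return that is on a line not shown.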
34694 @@ -1780,11 +1863,20 @@ static int pid_revalidate(struct dentry
34697 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
34698 +#ifdef CONFIG_GRKERNSEC_PROC_USER
34699 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
34700 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34701 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
34703 task_dumpable(task)) {
34705 cred = __task_cred(task);
34706 inode->i_uid = cred->euid;
34707 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
34708 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
34710 inode->i_gid = cred->egid;
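Review bot: The directory-mode expressions `S_IFDIR|S_IRUSR|S_IXUSR` and `S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP` are spelled out here (34699, 34701), in pid_getattr (34679, 34681) and in proc_pid_instantiate (34819, 34822), under the same `#ifdef CONFIG_GRKERNSEC_PROC_USER`/`#elif` ladder each time. One definition selected once by that ladder in fs/proc/internal.h, e.g. a `PROC_PID_DIR_MODE` macro (name illustrative), would let the three comparisons and the assignment share it and remove the need to repeat the `S_IRUGO|S_IXUGO` fallback as a third alternative. The `i_gid` override that follows at 34708 is the same pattern as proc_pid_make_inode at 34641.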
34715 @@ -1905,7 +1997,8 @@ static int proc_fd_info(struct inode *in
34716 int fd = proc_fd(inode);
34719 - files = get_files_struct(task);
34720 + if (!gr_acl_handle_procpidmem(task))
34721 + files = get_files_struct(task);
34722 put_task_struct(task);
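Review bot: Making `files = get_files_struct(task)` conditional at line 34721 means the code after `put_task_struct` relies on `files` already being NULL when the hook denies; the initialiser is outside the hunk, so confirm the declaration sets it to NULL. Spelling the dependency out, either with an explicit `else files = NULL;` or a comment `/* files stays NULL when the ACL denies access */`, keeps the next edit from breaking it. proc_fd_info continues outside the hunk.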
34725 @@ -2165,15 +2258,25 @@ static const struct file_operations proc
34727 static int proc_fd_permission(struct inode *inode, int mask, unsigned int flags)
34729 + struct task_struct *task;
34732 if (flags & IPERM_FLAG_RCU)
34734 rv = generic_permission(inode, mask, flags, NULL);
34738 if (task_pid(current) == proc_pid(inode))
34741 + task = get_proc_task(inode);
34742 + if (task == NULL)
34745 + if (gr_acl_handle_procpidmem(task))
34748 + put_task_struct(task);
34753 @@ -2283,6 +2386,9 @@ static struct dentry *proc_pident_lookup
34757 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
34761 * Yes, it does not scale. And it should not. Don't add
34762 * new entries into /proc/<tgid>/ without very good reasons.
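Review bot: The pair `gr_pid_is_chrooted(task) || gr_check_hidden_task(task)` at line 34757 is repeated verbatim in pid_getattr (34663), proc_pident_readdir (34767), proc_pid_lookup (34833) and proc_pid_readdir (34861, on iter.task). A single `static inline` helper in this file, e.g. `proc_task_hidden(task)` (name illustrative), with a one-line comment on what "hidden" covers would make the five sites read the same and give the policy one place to change. The consequent of the `if` at 34757 is on a line not shown.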
34763 @@ -2327,6 +2433,9 @@ static int proc_pident_readdir(struct fi
34767 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
34773 @@ -2597,7 +2706,7 @@ static void *proc_self_follow_link(struc
34774 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
34777 - char *s = nd_get_link(nd);
34778 + const char *s = nd_get_link(nd);
34782 @@ -2777,7 +2886,7 @@ static const struct pid_entry tgid_base_
34783 REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
34785 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
34786 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
34787 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
34788 INF("syscall", S_IRUSR, proc_pid_syscall),
34790 INF("cmdline", S_IRUGO, proc_pid_cmdline),
34791 @@ -2802,10 +2911,10 @@ static const struct pid_entry tgid_base_
34792 #ifdef CONFIG_SECURITY
34793 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
34795 -#ifdef CONFIG_KALLSYMS
34796 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
34797 INF("wchan", S_IRUGO, proc_pid_wchan),
34799 -#ifdef CONFIG_STACKTRACE
34800 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
34801 ONE("stack", S_IRUSR, proc_pid_stack),
34803 #ifdef CONFIG_SCHEDSTATS
34804 @@ -2836,6 +2945,9 @@ static const struct pid_entry tgid_base_
34805 INF("io", S_IRUGO, proc_tgid_io_accounting),
34807 ONE("nsproxy", S_IRUGO, proc_pid_nsproxy),
34808 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
34809 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
34813 static int proc_tgid_base_readdir(struct file * filp,
34814 @@ -2961,7 +3073,14 @@ static struct dentry *proc_pid_instantia
34818 +#ifdef CONFIG_GRKERNSEC_PROC_USER
34819 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
34820 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34821 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
34822 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
34824 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
34826 inode->i_op = &proc_tgid_base_inode_operations;
34827 inode->i_fop = &proc_tgid_base_operations;
34828 inode->i_flags|=S_IMMUTABLE;
34829 @@ -3003,7 +3122,11 @@ struct dentry *proc_pid_lookup(struct in
34833 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
34834 + goto out_put_task;
34836 result = proc_pid_instantiate(dir, dentry, task, NULL);
34838 put_task_struct(task);
34841 @@ -3068,6 +3191,11 @@ int proc_pid_readdir(struct file * filp,
34844 struct task_struct *reaper;
34845 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34846 + const struct cred *tmpcred = current_cred();
34847 + const struct cred *itercred;
34849 + filldir_t __filldir = filldir;
34850 struct tgid_iter iter;
34851 struct pid_namespace *ns;
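Review bot: The local `filldir_t __filldir = filldir;` at line 34849 uses a double-underscore name for an ordinary local variable; in this file `__` prefixes mark internal or lock-assuming helpers (`__task_cred`), and a plain name such as `cur_filldir` says what it is. `itercred` at 34847 is declared under the CONFIG_GRKERNSEC_PROC_USER/USERGROUP guard and is only read inside the matching guarded region at 34859–34863, which is consistent. proc_pid_readdir continues outside the hunk.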
34853 @@ -3091,8 +3219,27 @@ int proc_pid_readdir(struct file * filp,
34854 for (iter = next_tgid(ns, iter);
34856 iter.tgid += 1, iter = next_tgid(ns, iter)) {
34857 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34859 + itercred = __task_cred(iter.task);
34861 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
34862 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34863 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
34864 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
34865 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
34870 + __filldir = &gr_fake_filldir;
34872 + __filldir = filldir;
34873 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34874 + rcu_read_unlock();
34876 filp->f_pos = iter.tgid + TGID_OFFSET;
34877 if (!vx_proc_task_visible(iter.task))
34879 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
34880 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
34881 put_task_struct(iter.task);
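Review bot: The `if` at lines 34861–34865 mixes three levels of `#if` inside one condition, which is hard to read and easy to unbalance; hoisting it into a small static helper that takes `iter.task` and `tmpcred` and contains the preprocessor ladder would leave a single-line test here. The `rcu_read_unlock()` at 34874 sits under the guard at 34873, so its matching `rcu_read_lock()` is presumably under the guard at 34857 on a line not shown; the `itercred` dereference at 34863 must stay between them. Resetting the callback to `filldir` at 34872 on every iteration is what keeps an entry hidden in one pass from hiding the next, which is worth a short comment.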
34882 @@ -3119,7 +3266,7 @@ static const struct pid_entry tid_base_s
34883 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
34885 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
34886 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
34887 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
34888 INF("syscall", S_IRUSR, proc_pid_syscall),
34890 INF("cmdline", S_IRUGO, proc_pid_cmdline),
34891 @@ -3143,10 +3290,10 @@ static const struct pid_entry tid_base_s
34892 #ifdef CONFIG_SECURITY
34893 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
34895 -#ifdef CONFIG_KALLSYMS
34896 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
34897 INF("wchan", S_IRUGO, proc_pid_wchan),
34899 -#ifdef CONFIG_STACKTRACE
34900 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
34901 ONE("stack", S_IRUSR, proc_pid_stack),
34903 #ifdef CONFIG_SCHEDSTATS
34904 diff -urNp linux-2.6.38.4/fs/proc/cmdline.c linux-2.6.38.4/fs/proc/cmdline.c
34905 --- linux-2.6.38.4/fs/proc/cmdline.c 2011-03-14 21:20:32.000000000 -0400
34906 +++ linux-2.6.38.4/fs/proc/cmdline.c 2011-04-17 15:57:32.000000000 -0400
34907 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
34909 static int __init proc_cmdline_init(void)
34911 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
34912 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
34914 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
34918 module_init(proc_cmdline_init);
34919 diff -urNp linux-2.6.38.4/fs/proc/devices.c linux-2.6.38.4/fs/proc/devices.c
34920 --- linux-2.6.38.4/fs/proc/devices.c 2011-03-14 21:20:32.000000000 -0400
34921 +++ linux-2.6.38.4/fs/proc/devices.c 2011-04-17 15:57:32.000000000 -0400
34922 @@ -64,7 +64,11 @@ static const struct file_operations proc
34924 static int __init proc_devices_init(void)
34926 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
34927 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
34929 proc_create("devices", 0, NULL, &proc_devinfo_operations);
34933 module_init(proc_devices_init);
34934 diff -urNp linux-2.6.38.4/fs/proc/inode.c linux-2.6.38.4/fs/proc/inode.c
34935 --- linux-2.6.38.4/fs/proc/inode.c 2011-03-14 21:20:32.000000000 -0400
34936 +++ linux-2.6.38.4/fs/proc/inode.c 2011-04-17 15:57:32.000000000 -0400
34937 @@ -435,7 +435,11 @@ struct inode *proc_get_inode(struct supe
34939 inode->i_mode = de->mode;
34940 inode->i_uid = de->uid;
34941 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
34942 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
34944 inode->i_gid = de->gid;
34948 inode->i_size = de->size;
34949 diff -urNp linux-2.6.38.4/fs/proc/internal.h linux-2.6.38.4/fs/proc/internal.h
34950 --- linux-2.6.38.4/fs/proc/internal.h 2011-03-14 21:20:32.000000000 -0400
34951 +++ linux-2.6.38.4/fs/proc/internal.h 2011-04-17 15:57:32.000000000 -0400
34952 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
34953 extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
34954 struct pid *pid, struct task_struct *task);
34956 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
34957 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
34959 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
34961 extern const struct file_operations proc_maps_operations;
34962 diff -urNp linux-2.6.38.4/fs/proc/Kconfig linux-2.6.38.4/fs/proc/Kconfig
34963 --- linux-2.6.38.4/fs/proc/Kconfig 2011-03-14 21:20:32.000000000 -0400
34964 +++ linux-2.6.38.4/fs/proc/Kconfig 2011-04-17 15:57:32.000000000 -0400
34965 @@ -30,12 +30,12 @@ config PROC_FS
34968 bool "/proc/kcore support" if !ARM
34969 - depends on PROC_FS && MMU
34970 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
34973 bool "/proc/vmcore support"
34974 - depends on PROC_FS && CRASH_DUMP
34976 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
34979 Exports the dump image of crashed kernel in ELF format.
34981 @@ -59,8 +59,8 @@ config PROC_SYSCTL
34984 config PROC_PAGE_MONITOR
34986 - depends on PROC_FS && MMU
34988 + depends on PROC_FS && MMU && !GRKERNSEC
34989 bool "Enable /proc page monitoring" if EXPERT
34991 Various /proc files exist to monitor process memory utilization:
34992 diff -urNp linux-2.6.38.4/fs/proc/kcore.c linux-2.6.38.4/fs/proc/kcore.c
34993 --- linux-2.6.38.4/fs/proc/kcore.c 2011-03-14 21:20:32.000000000 -0400
34994 +++ linux-2.6.38.4/fs/proc/kcore.c 2011-04-17 15:57:32.000000000 -0400
34995 @@ -478,9 +478,10 @@ read_kcore(struct file *file, char __use
34996 * the addresses in the elf_phdr on our list.
34998 start = kc_offset_to_vaddr(*fpos - elf_buflen);
34999 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
35000 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
35001 + if (tsz > buflen)
35006 struct kcore_list *m;
35008 @@ -509,20 +510,23 @@ read_kcore(struct file *file, char __use
35011 if (kern_addr_valid(start)) {
35014 + mm_segment_t oldfs;
35016 - n = copy_to_user(buffer, (char *)start, tsz);
35018 - * We cannot distingush between fault on source
35019 - * and fault on destination. When this happens
35020 - * we clear too and hope it will trigger the
35024 - if (clear_user(buffer + tsz - n,
35026 + elf_buf = kmalloc(tsz, GFP_KERNEL);
35029 + oldfs = get_fs();
35030 + set_fs(KERNEL_DS);
35031 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
35033 + if (copy_to_user(buffer, elf_buf, tsz)) {
35041 if (clear_user(buffer, tsz))
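Review bot: `elf_buf = kmalloc(tsz, GFP_KERNEL)` at line 35026 is followed by two lines not shown, so whether a NULL result is handled before `__copy_from_user` at 35031 cannot be confirmed here; likewise the `set_fs(oldfs)` restore and the `kfree(elf_buf)` on both the success path and the `copy_to_user` failure path at 35033 are outside the lines shown and are what a reader of this hunk most needs to see. Allocating a fresh buffer for every chunk inside the read loop is also avoidable: tsz is at most PAGE_SIZE (35000), so one buffer allocated before the loop and freed after it would do. read_kcore continues outside the hunk.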
35043 @@ -542,6 +546,9 @@ read_kcore(struct file *file, char __use
35045 static int open_kcore(struct inode *inode, struct file *filp)
35047 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
35050 if (!capable(CAP_SYS_RAWIO))
35052 if (kcore_need_update)
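Review bot: The guard at line 35047 rejects opens under `CONFIG_GRKERNSEC_PROC_ADD || CONFIG_GRKERNSEC_HIDESYM`, but the Kconfig hunk at 34970 only removes kcore for `!GRKERNSEC_PROC_ADD`, so with HIDESYM alone the file is still built and created and every open fails (the rejecting statement is on a line not shown). Either the Kconfig dependency should become `!GRKERNSEC_PROC_ADD && !GRKERNSEC_HIDESYM` so the file is not offered at all, or a comment above 35047 should say why it is kept present but unopenable. open_kcore continues outside the hunk.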
35053 diff -urNp linux-2.6.38.4/fs/proc/meminfo.c linux-2.6.38.4/fs/proc/meminfo.c
35054 --- linux-2.6.38.4/fs/proc/meminfo.c 2011-03-14 21:20:32.000000000 -0400
35055 +++ linux-2.6.38.4/fs/proc/meminfo.c 2011-04-17 15:57:32.000000000 -0400
35056 @@ -157,7 +157,7 @@ static int meminfo_proc_show(struct seq_
35058 vmi.largest_chunk >> 10
35059 #ifdef CONFIG_MEMORY_FAILURE
35060 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
35061 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
35063 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
35064 ,K(global_page_state(NR_ANON_TRANSPARENT_HUGEPAGES) *
35065 diff -urNp linux-2.6.38.4/fs/proc/nommu.c linux-2.6.38.4/fs/proc/nommu.c
35066 --- linux-2.6.38.4/fs/proc/nommu.c 2011-03-14 21:20:32.000000000 -0400
35067 +++ linux-2.6.38.4/fs/proc/nommu.c 2011-04-17 15:57:32.000000000 -0400
35068 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
35071 seq_printf(m, "%*c", len, ' ');
35072 - seq_path(m, &file->f_path, "");
35073 + seq_path(m, &file->f_path, "\n\\");
35077 diff -urNp linux-2.6.38.4/fs/proc/proc_net.c linux-2.6.38.4/fs/proc/proc_net.c
35078 --- linux-2.6.38.4/fs/proc/proc_net.c 2011-03-14 21:20:32.000000000 -0400
35079 +++ linux-2.6.38.4/fs/proc/proc_net.c 2011-04-17 15:57:32.000000000 -0400
35080 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
35081 struct task_struct *task;
35082 struct nsproxy *ns;
35083 struct net *net = NULL;
35084 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
35085 + const struct cred *cred = current_cred();
35088 +#ifdef CONFIG_GRKERNSEC_PROC_USER
35091 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
35092 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
35097 task = pid_task(proc_pid(dir), PIDTYPE_PID);
35098 diff -urNp linux-2.6.38.4/fs/proc/proc_sysctl.c linux-2.6.38.4/fs/proc/proc_sysctl.c
35099 --- linux-2.6.38.4/fs/proc/proc_sysctl.c 2011-03-14 21:20:32.000000000 -0400
35100 +++ linux-2.6.38.4/fs/proc/proc_sysctl.c 2011-04-17 15:57:32.000000000 -0400
35102 #include <linux/namei.h>
35103 #include "internal.h"
35105 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
35107 static const struct dentry_operations proc_sys_dentry_operations;
35108 static const struct file_operations proc_sys_file_operations;
35109 static const struct inode_operations proc_sys_inode_operations;
35110 @@ -112,6 +114,9 @@ static struct dentry *proc_sys_lookup(st
35114 + if (gr_handle_sysctl(p, MAY_EXEC))
35117 err = ERR_PTR(-ENOMEM);
35118 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
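Review bot: `gr_handle_sysctl` is declared as a bare `extern` in this .c file at line 35105 instead of a header, which checkpatch flags and which lets the prototype drift from the definition; the declaration belongs next to the other gr_ hook prototypes. The three call sites pass different second arguments, `MAY_EXEC` here (35114) and in proc_sys_getattr (35134) but `0` in scan() (35124), and nothing on the page says what op 0 denotes; a comment at the 35124 call stating its meaning would document the intent. The statement executed when the hook returns non-zero is on a line not shown.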
35120 @@ -231,6 +236,9 @@ static int scan(struct ctl_table_header
35121 if (*pos < file->f_pos)
35124 + if (gr_handle_sysctl(table, 0))
35127 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
35130 @@ -359,6 +367,9 @@ static int proc_sys_getattr(struct vfsmo
35132 return PTR_ERR(head);
35134 + if (table && gr_handle_sysctl(table, MAY_EXEC))
35137 generic_fillattr(inode, stat);
35139 stat->mode = (stat->mode & S_IFMT) | table->mode;
35140 diff -urNp linux-2.6.38.4/fs/proc/root.c linux-2.6.38.4/fs/proc/root.c
35141 --- linux-2.6.38.4/fs/proc/root.c 2011-03-14 21:20:32.000000000 -0400
35142 +++ linux-2.6.38.4/fs/proc/root.c 2011-04-17 15:57:32.000000000 -0400
35143 @@ -132,7 +132,15 @@ void __init proc_root_init(void)
35144 #ifdef CONFIG_PROC_DEVICETREE
35145 proc_device_tree_init();
35147 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
35148 +#ifdef CONFIG_GRKERNSEC_PROC_USER
35149 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
35150 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
35151 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
35154 proc_mkdir("bus", NULL);
35159 diff -urNp linux-2.6.38.4/fs/proc/task_mmu.c linux-2.6.38.4/fs/proc/task_mmu.c
35160 --- linux-2.6.38.4/fs/proc/task_mmu.c 2011-04-18 17:27:16.000000000 -0400
35161 +++ linux-2.6.38.4/fs/proc/task_mmu.c 2011-04-18 19:35:47.000000000 -0400
35162 @@ -49,8 +49,13 @@ void task_mem(struct seq_file *m, struct
35163 "VmExe:\t%8lu kB\n"
35164 "VmLib:\t%8lu kB\n"
35165 "VmPTE:\t%8lu kB\n"
35166 - "VmSwap:\t%8lu kB\n",
35167 - hiwater_vm << (PAGE_SHIFT-10),
35168 + "VmSwap:\t%8lu kB\n"
35170 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
35171 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
35174 + ,hiwater_vm << (PAGE_SHIFT-10),
35175 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
35176 mm->locked_vm << (PAGE_SHIFT-10),
35177 hiwater_rss << (PAGE_SHIFT-10),
35178 @@ -58,7 +63,13 @@ void task_mem(struct seq_file *m, struct
35179 data << (PAGE_SHIFT-10),
35180 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
35181 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
35182 - swap << (PAGE_SHIFT-10));
35183 + swap << (PAGE_SHIFT-10)
35185 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
35186 + , mm->context.user_cs_base, mm->context.user_cs_limit
35192 unsigned long task_vsize(struct mm_struct *mm)
35193 @@ -180,7 +191,8 @@ static void m_stop(struct seq_file *m, v
35194 struct proc_maps_private *priv = m->private;
35195 struct vm_area_struct *vma = v;
35197 - vma_stop(priv, vma);
35198 + if (!IS_ERR(vma))
35199 + vma_stop(priv, vma);
35201 put_task_struct(priv->task);
35203 @@ -204,6 +216,12 @@ static int do_maps_open(struct inode *in
35207 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
35208 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
35209 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
35210 + _mm->pax_flags & MF_PAX_SEGMEXEC))
35213 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
35215 struct mm_struct *mm = vma->vm_mm;
35216 @@ -211,7 +229,6 @@ static void show_map_vma(struct seq_file
35217 int flags = vma->vm_flags;
35218 unsigned long ino = 0;
35219 unsigned long long pgoff = 0;
35220 - unsigned long start;
35224 @@ -222,20 +239,23 @@ static void show_map_vma(struct seq_file
35225 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
35228 - /* We don't show the stack guard page in /proc/maps */
35229 - start = vma->vm_start;
35230 - if (vma->vm_flags & VM_GROWSDOWN)
35231 - if (!vma_stack_continue(vma->vm_prev, vma->vm_start))
35232 - start += PAGE_SIZE;
35234 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
35236 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
35237 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
35238 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
35243 flags & VM_READ ? 'r' : '-',
35244 flags & VM_WRITE ? 'w' : '-',
35245 flags & VM_EXEC ? 'x' : '-',
35246 flags & VM_MAYSHARE ? 's' : 'p',
35247 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
35248 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
35252 MAJOR(dev), MINOR(dev), ino, &len);
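Review bot: The removed lines 35229–35232 dropped the `start` adjustment that hid the stack guard page from /proc/<pid>/maps, so GROWSDOWN mappings are now reported from `vma->vm_start` again; nothing in the hunk says why, and a one-line comment at 35234 giving the reason would stop a later reader from reinstating it. `PAX_RAND_FLAGS(mm)` is evaluated three times for the same mm (35237, 35238, 35248); computing it once into a local under the same `#ifdef`, e.g. `const int hide = PAX_RAND_FLAGS(mm);`, is clearer. The flags, device and inode columns still print while the addresses and offset are zeroed, which appears intended. show_map_vma continues outside the hunk.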
35255 @@ -244,16 +264,16 @@ static void show_map_vma(struct seq_file
35258 pad_len_spaces(m, len);
35259 - seq_path(m, &file->f_path, "\n");
35260 + seq_path(m, &file->f_path, "\n\\");
35262 const char *name = arch_vma_name(vma);
35265 - if (vma->vm_start <= mm->brk &&
35266 - vma->vm_end >= mm->start_brk) {
35267 + if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
35269 - } else if (vma->vm_start <= mm->start_stack &&
35270 - vma->vm_end >= mm->start_stack) {
35271 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
35272 + (vma->vm_start <= mm->start_stack &&
35273 + vma->vm_end >= mm->start_stack)) {
35277 @@ -399,11 +419,16 @@ static int show_smap(struct seq_file *m,
35280 memset(&mss, 0, sizeof mss);
35282 - /* mmap_sem is held in m_start */
35283 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
35284 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
35286 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
35287 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
35290 + /* mmap_sem is held in m_start */
35291 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
35292 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
35293 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
35296 show_map_vma(m, vma);
35299 @@ -420,7 +445,11 @@ static int show_smap(struct seq_file *m,
35300 "KernelPageSize: %8lu kB\n"
35301 "MMUPageSize: %8lu kB\n"
35302 "Locked: %8lu kB\n",
35303 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
35304 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
35306 (vma->vm_end - vma->vm_start) >> 10,
35308 mss.resident >> 10,
35309 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
35310 mss.shared_clean >> 10,
35311 diff -urNp linux-2.6.38.4/fs/proc/task_nommu.c linux-2.6.38.4/fs/proc/task_nommu.c
35312 --- linux-2.6.38.4/fs/proc/task_nommu.c 2011-03-14 21:20:32.000000000 -0400
35313 +++ linux-2.6.38.4/fs/proc/task_nommu.c 2011-04-17 15:57:32.000000000 -0400
35314 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
35316 bytes += kobjsize(mm);
35318 - if (current->fs && current->fs->users > 1)
35319 + if (current->fs && atomic_read(¤t->fs->users) > 1)
35320 sbytes += kobjsize(current->fs);
35322 bytes += kobjsize(current->fs);
35323 @@ -166,7 +166,7 @@ static int nommu_vma_show(struct seq_fil
35326 pad_len_spaces(m, len);
35327 - seq_path(m, &file->f_path, "");
35328 + seq_path(m, &file->f_path, "\n\\");
35330 if (vma->vm_start <= mm->start_stack &&
35331 vma->vm_end >= mm->start_stack) {
35332 diff -urNp linux-2.6.38.4/fs/readdir.c linux-2.6.38.4/fs/readdir.c
35333 --- linux-2.6.38.4/fs/readdir.c 2011-03-14 21:20:32.000000000 -0400
35334 +++ linux-2.6.38.4/fs/readdir.c 2011-04-17 15:57:32.000000000 -0400
35336 #include <linux/security.h>
35337 #include <linux/syscalls.h>
35338 #include <linux/unistd.h>
35339 +#include <linux/namei.h>
35341 #include <asm/uaccess.h>
35343 @@ -67,6 +68,7 @@ struct old_linux_dirent {
35345 struct readdir_callback {
35346 struct old_linux_dirent __user * dirent;
35347 + struct file * file;
35351 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
35352 buf->result = -EOVERFLOW;
35356 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
35360 dirent = buf->dirent;
35361 if (!access_ok(VERIFY_WRITE, dirent,
35362 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
35365 buf.dirent = dirent;
35368 error = vfs_readdir(file, fillonedir, &buf);
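Review bot: `gr_acl_handle_filldir(buf->file, ...)` at lines 35356, 35383 and 35410 reads a `file` member that each syscall must now set before `vfs_readdir`; the hunks at 35365–35368, 35390–35395 and 35418–35419 show the neighbouring assignments but not `buf.file = file;` itself, so confirm it is present in old_readdir, getdents and getdents64, otherwise the hook dereferences an uninitialised stack pointer. The new member is written `struct file * file;` at 35347 and 35374 but `struct file *file;` at 35401; kernel style is the latter. What each filldir returns when the hook denies an entry is on lines not shown.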
35370 @@ -142,6 +149,7 @@ struct linux_dirent {
35371 struct getdents_callback {
35372 struct linux_dirent __user * current_dir;
35373 struct linux_dirent __user * previous;
35374 + struct file * file;
35378 @@ -163,6 +171,10 @@ static int filldir(void * __buf, const c
35379 buf->error = -EOVERFLOW;
35383 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
35386 dirent = buf->previous;
35388 if (__put_user(offset, &dirent->d_off))
35389 @@ -210,6 +222,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
35390 buf.previous = NULL;
35395 error = vfs_readdir(file, filldir, &buf);
35397 @@ -229,6 +242,7 @@ out:
35398 struct getdents_callback64 {
35399 struct linux_dirent64 __user * current_dir;
35400 struct linux_dirent64 __user * previous;
35401 + struct file *file;
35405 @@ -244,6 +258,10 @@ static int filldir64(void * __buf, const
35406 buf->error = -EINVAL; /* only used if we fail.. */
35407 if (reclen > buf->count)
35410 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
35413 dirent = buf->previous;
35415 if (__put_user(offset, &dirent->d_off))
35416 @@ -291,6 +309,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
35418 buf.current_dir = dirent;
35419 buf.previous = NULL;
35424 diff -urNp linux-2.6.38.4/fs/reiserfs/do_balan.c linux-2.6.38.4/fs/reiserfs/do_balan.c
35425 --- linux-2.6.38.4/fs/reiserfs/do_balan.c 2011-03-14 21:20:32.000000000 -0400
35426 +++ linux-2.6.38.4/fs/reiserfs/do_balan.c 2011-04-17 15:57:32.000000000 -0400
35427 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
35431 - atomic_inc(&(fs_generation(tb->tb_sb)));
35432 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
35433 do_balance_starts(tb);
35435 /* balance leaf returns 0 except if combining L R and S into
35436 diff -urNp linux-2.6.38.4/fs/reiserfs/item_ops.c linux-2.6.38.4/fs/reiserfs/item_ops.c
35437 --- linux-2.6.38.4/fs/reiserfs/item_ops.c 2011-03-14 21:20:32.000000000 -0400
35438 +++ linux-2.6.38.4/fs/reiserfs/item_ops.c 2011-04-17 15:57:32.000000000 -0400
35439 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
35440 vi->vi_index, vi->vi_type, vi->vi_ih);
35443 -static struct item_operations stat_data_ops = {
35444 +static const struct item_operations stat_data_ops = {
35445 .bytes_number = sd_bytes_number,
35446 .decrement_key = sd_decrement_key,
35447 .is_left_mergeable = sd_is_left_mergeable,
35448 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
35449 vi->vi_index, vi->vi_type, vi->vi_ih);
35452 -static struct item_operations direct_ops = {
35453 +static const struct item_operations direct_ops = {
35454 .bytes_number = direct_bytes_number,
35455 .decrement_key = direct_decrement_key,
35456 .is_left_mergeable = direct_is_left_mergeable,
35457 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
35458 vi->vi_index, vi->vi_type, vi->vi_ih);
35461 -static struct item_operations indirect_ops = {
35462 +static const struct item_operations indirect_ops = {
35463 .bytes_number = indirect_bytes_number,
35464 .decrement_key = indirect_decrement_key,
35465 .is_left_mergeable = indirect_is_left_mergeable,
35466 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
35470 -static struct item_operations direntry_ops = {
35471 +static const struct item_operations direntry_ops = {
35472 .bytes_number = direntry_bytes_number,
35473 .decrement_key = direntry_decrement_key,
35474 .is_left_mergeable = direntry_is_left_mergeable,
35475 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
35476 "Invalid item type observed, run fsck ASAP");
35479 -static struct item_operations errcatch_ops = {
35480 +static const struct item_operations errcatch_ops = {
35481 errcatch_bytes_number,
35482 errcatch_decrement_key,
35483 errcatch_is_left_mergeable,
35484 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
35485 #error Item types must use disk-format assigned values.
35488 -struct item_operations *item_ops[TYPE_ANY + 1] = {
35489 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
35493 diff -urNp linux-2.6.38.4/fs/reiserfs/procfs.c linux-2.6.38.4/fs/reiserfs/procfs.c
35494 --- linux-2.6.38.4/fs/reiserfs/procfs.c 2011-03-14 21:20:32.000000000 -0400
35495 +++ linux-2.6.38.4/fs/reiserfs/procfs.c 2011-04-17 15:57:32.000000000 -0400
35496 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
35497 "SMALL_TAILS " : "NO_TAILS ",
35498 replay_only(sb) ? "REPLAY_ONLY " : "",
35499 convert_reiserfs(sb) ? "CONV " : "",
35500 - atomic_read(&r->s_generation_counter),
35501 + atomic_read_unchecked(&r->s_generation_counter),
35502 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
35503 SF(s_do_balance), SF(s_unneeded_left_neighbor),
35504 SF(s_good_search_by_key_reada), SF(s_bmaps),
35505 diff -urNp linux-2.6.38.4/fs/select.c linux-2.6.38.4/fs/select.c
35506 --- linux-2.6.38.4/fs/select.c 2011-03-14 21:20:32.000000000 -0400
35507 +++ linux-2.6.38.4/fs/select.c 2011-04-17 15:57:32.000000000 -0400
35509 #include <linux/module.h>
35510 #include <linux/slab.h>
35511 #include <linux/poll.h>
35512 +#include <linux/security.h>
35513 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
35514 #include <linux/file.h>
35515 #include <linux/fdtable.h>
35516 @@ -840,6 +841,7 @@ int do_sys_poll(struct pollfd __user *uf
35517 struct poll_list *walk = head;
35518 unsigned long todo = nfds;
35520 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
35521 if (nfds > rlimit(RLIMIT_NOFILE))
35524 diff -urNp linux-2.6.38.4/fs/seq_file.c linux-2.6.38.4/fs/seq_file.c
35525 --- linux-2.6.38.4/fs/seq_file.c 2011-03-14 21:20:32.000000000 -0400
35526 +++ linux-2.6.38.4/fs/seq_file.c 2011-04-17 15:57:32.000000000 -0400
35527 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
35531 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
35532 + m->size = PAGE_SIZE;
35533 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
35537 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
35541 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
35543 + m->buf = kmalloc(m->size, GFP_KERNEL);
35544 return !m->buf ? -ENOMEM : -EAGAIN;
35547 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
35548 m->version = file->f_version;
35549 /* grab buffer if we didn't have one */
35551 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
35552 + m->size = PAGE_SIZE;
35553 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
35557 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
35561 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
35563 + m->buf = kmalloc(m->size, GFP_KERNEL);
35567 diff -urNp linux-2.6.38.4/fs/splice.c linux-2.6.38.4/fs/splice.c
35568 --- linux-2.6.38.4/fs/splice.c 2011-03-14 21:20:32.000000000 -0400
35569 +++ linux-2.6.38.4/fs/splice.c 2011-04-17 15:57:32.000000000 -0400
35570 @@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode
35574 - if (!pipe->readers) {
35575 + if (!atomic_read(&pipe->readers)) {
35576 send_sig(SIGPIPE, current, 0);
35579 @@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode
35583 - pipe->waiting_writers++;
35584 + atomic_inc(&pipe->waiting_writers);
35586 - pipe->waiting_writers--;
35587 + atomic_dec(&pipe->waiting_writers);
35591 @@ -556,7 +556,7 @@ static ssize_t kernel_readv(struct file
35594 /* The cast to a user pointer is valid due to the set_fs() */
35595 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
35596 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
35600 @@ -571,7 +571,7 @@ static ssize_t kernel_write(struct file
35603 /* The cast to a user pointer is valid due to the set_fs() */
35604 - res = vfs_write(file, (const char __user *)buf, count, &pos);
35605 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
35609 @@ -622,7 +622,7 @@ ssize_t default_file_splice_read(struct
35612 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
35613 - vec[i].iov_base = (void __user *) page_address(page);
35614 + vec[i].iov_base = (__force void __user *) page_address(page);
35615 vec[i].iov_len = this_len;
35616 spd.pages[i] = page;
35618 @@ -842,10 +842,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
35619 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
35621 while (!pipe->nrbufs) {
35622 - if (!pipe->writers)
35623 + if (!atomic_read(&pipe->writers))
35626 - if (!pipe->waiting_writers && sd->num_spliced)
35627 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
35630 if (sd->flags & SPLICE_F_NONBLOCK)
35631 @@ -1178,7 +1178,7 @@ ssize_t splice_direct_to_actor(struct fi
35632 * out of the pipe right after the splice_to_pipe(). So set
35633 * PIPE_READERS appropriately.
35635 - pipe->readers = 1;
35636 + atomic_set(&pipe->readers, 1);
35638 current->splice_pipe = pipe;
35640 @@ -1730,9 +1730,9 @@ static int ipipe_prep(struct pipe_inode_
35641 ret = -ERESTARTSYS;
35644 - if (!pipe->writers)
35645 + if (!atomic_read(&pipe->writers))
35647 - if (!pipe->waiting_writers) {
35648 + if (!atomic_read(&pipe->waiting_writers)) {
35649 if (flags & SPLICE_F_NONBLOCK) {
35652 @@ -1764,7 +1764,7 @@ static int opipe_prep(struct pipe_inode_
35655 while (pipe->nrbufs >= pipe->buffers) {
35656 - if (!pipe->readers) {
35657 + if (!atomic_read(&pipe->readers)) {
35658 send_sig(SIGPIPE, current, 0);
35661 @@ -1777,9 +1777,9 @@ static int opipe_prep(struct pipe_inode_
35662 ret = -ERESTARTSYS;
35665 - pipe->waiting_writers++;
35666 + atomic_inc(&pipe->waiting_writers);
35668 - pipe->waiting_writers--;
35669 + atomic_dec(&pipe->waiting_writers);
35673 @@ -1815,14 +1815,14 @@ retry:
35674 pipe_double_lock(ipipe, opipe);
35677 - if (!opipe->readers) {
35678 + if (!atomic_read(&opipe->readers)) {
35679 send_sig(SIGPIPE, current, 0);
35685 - if (!ipipe->nrbufs && !ipipe->writers)
35686 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
35690 @@ -1922,7 +1922,7 @@ static int link_pipe(struct pipe_inode_i
35691 pipe_double_lock(ipipe, opipe);
35694 - if (!opipe->readers) {
35695 + if (!atomic_read(&opipe->readers)) {
35696 send_sig(SIGPIPE, current, 0);
35699 @@ -1967,7 +1967,7 @@ static int link_pipe(struct pipe_inode_i
35700 * return EAGAIN if we have the potential of some data in the
35701 * future, otherwise just return 0
35703 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
35704 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
35707 pipe_unlock(ipipe);
35708 diff -urNp linux-2.6.38.4/fs/sysfs/mount.c linux-2.6.38.4/fs/sysfs/mount.c
35709 --- linux-2.6.38.4/fs/sysfs/mount.c 2011-03-14 21:20:32.000000000 -0400
35710 +++ linux-2.6.38.4/fs/sysfs/mount.c 2011-04-17 15:57:32.000000000 -0400
35711 @@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
35713 .s_count = ATOMIC_INIT(1),
35714 .s_flags = SYSFS_DIR | (KOBJ_NS_TYPE_NONE << SYSFS_NS_TYPE_SHIFT),
35715 +#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
35716 + .s_mode = S_IFDIR | S_IRWXU,
35718 .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
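Review bot: The restricted mode is applied only to the sysfs root dentry (`S_IFDIR | S_IRWXU`), so it blocks unprivileged traversal from the root but leaves every subdirectory and attribute at its default mode; a process that reaches a sysfs dentry without walking the root — an inherited open fd, or a bind mount of a subtree — is presumably unaffected. The option also has a functional cost, since device managers and many monitoring tools read sysfs as non-root, and nothing at this site says so. Put both in a comment next to the `#ifdef`: `/* CONFIG_GRKERNSEC_SYSFS_RESTRICT: only the root directory is locked down; subtrees keep their modes and remain reachable via bind mounts or inherited fds */`. The `#else`/`#endif` lines and the rest of the initializer are outside the visible lines.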
35723 diff -urNp linux-2.6.38.4/fs/sysfs/symlink.c linux-2.6.38.4/fs/sysfs/symlink.c
35724 --- linux-2.6.38.4/fs/sysfs/symlink.c 2011-03-14 21:20:32.000000000 -0400
35725 +++ linux-2.6.38.4/fs/sysfs/symlink.c 2011-04-17 15:57:32.000000000 -0400
35726 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
35728 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
35730 - char *page = nd_get_link(nd);
35731 + const char *page = nd_get_link(nd);
35733 free_page((unsigned long)page);
35735 diff -urNp linux-2.6.38.4/fs/udf/misc.c linux-2.6.38.4/fs/udf/misc.c
35736 --- linux-2.6.38.4/fs/udf/misc.c 2011-03-14 21:20:32.000000000 -0400
35737 +++ linux-2.6.38.4/fs/udf/misc.c 2011-04-17 15:57:32.000000000 -0400
35738 @@ -142,8 +142,8 @@ struct genericFormat *udf_add_extendedat
35739 iinfo->i_lenEAttr += size;
35740 return (struct genericFormat *)&ea[offset];
35744 + if (loc & 0x02) {
35749 @@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
35751 u8 udf_tag_checksum(const struct tag *t)
35753 - u8 *data = (u8 *)t;
35754 + const u8 *data = (const u8 *)t;
35757 for (i = 0; i < sizeof(struct tag); ++i)
35758 diff -urNp linux-2.6.38.4/fs/udf/udfdecl.h linux-2.6.38.4/fs/udf/udfdecl.h
35759 --- linux-2.6.38.4/fs/udf/udfdecl.h 2011-03-14 21:20:32.000000000 -0400
35760 +++ linux-2.6.38.4/fs/udf/udfdecl.h 2011-04-17 15:57:32.000000000 -0400
35761 @@ -26,7 +26,7 @@ do { \
35765 -#define udf_debug(f, a...) /**/
35766 +#define udf_debug(f, a...) do {} while (0)
35769 #define udf_info(f, a...) \
35770 diff -urNp linux-2.6.38.4/fs/utimes.c linux-2.6.38.4/fs/utimes.c
35771 --- linux-2.6.38.4/fs/utimes.c 2011-03-14 21:20:32.000000000 -0400
35772 +++ linux-2.6.38.4/fs/utimes.c 2011-04-17 15:57:32.000000000 -0400
35774 #include <linux/compiler.h>
35775 #include <linux/file.h>
35776 #include <linux/fs.h>
35777 +#include <linux/security.h>
35778 #include <linux/linkage.h>
35779 #include <linux/mount.h>
35780 #include <linux/namei.h>
35781 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
35782 goto mnt_drop_write_and_out;
35786 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
35788 + goto mnt_drop_write_and_out;
35791 mutex_lock(&inode->i_mutex);
35792 error = notify_change(path->dentry, &newattrs);
35793 mutex_unlock(&inode->i_mutex);
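Review bot: The added `gr_acl_handle_utime()` check runs before `notify_change()`, and therefore before the owner/DAC validation that `inode_change_ok()` performs inside it, so a request DAC would have refused anyway is presumably evaluated and logged as an RBAC denial first; this also differs from the LSM `security_inode_setattr` hook, which `notify_change()` calls after `inode_change_ok()`. If running the RBAC check ahead of DAC is intentional, say so where the check sits: `/* RBAC check runs before DAC (inode_change_ok in notify_change); a denial is logged regardless of the DAC result */`. The error value assigned on denial is not visible here, and utimes_common() begins outside the hunk.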
35794 diff -urNp linux-2.6.38.4/fs/xattr_acl.c linux-2.6.38.4/fs/xattr_acl.c
35795 --- linux-2.6.38.4/fs/xattr_acl.c 2011-03-14 21:20:32.000000000 -0400
35796 +++ linux-2.6.38.4/fs/xattr_acl.c 2011-04-17 15:57:32.000000000 -0400
35799 posix_acl_from_xattr(const void *value, size_t size)
35801 - posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
35802 - posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
35803 + const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
35804 + const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
35806 struct posix_acl *acl;
35807 struct posix_acl_entry *acl_e;
35808 diff -urNp linux-2.6.38.4/fs/xattr.c linux-2.6.38.4/fs/xattr.c
35809 --- linux-2.6.38.4/fs/xattr.c 2011-03-14 21:20:32.000000000 -0400
35810 +++ linux-2.6.38.4/fs/xattr.c 2011-04-17 15:57:32.000000000 -0400
35811 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
35812 * Extended attribute SET operations
35815 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
35816 +setxattr(struct path *path, const char __user *name, const void __user *value,
35817 size_t size, int flags)
35820 @@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
35821 return PTR_ERR(kvalue);
35824 - error = vfs_setxattr(d, kname, kvalue, size, flags);
35825 + if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
35830 + error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
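Review bot: The RBAC denial at `gr_acl_handle_setxattr()` happens after `kvalue` has already been copied in from user space (the `PTR_ERR(kvalue)` return just above, presumably a `memdup_user()`), so the denial path must run the same `kfree(kvalue)` the success path does or the buffer leaks; the lines that set `error` and jump are not visible, so this needs confirming. Checking before the value is copied in would also avoid allocating a caller-sized buffer for a request that is going to be refused: move `if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) return -EACCES;` (or whichever error the policy reports) ahead of the copy, where nothing has been allocated yet. setxattr() begins and ends outside this hunk.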
35835 @@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
35837 error = mnt_want_write(path.mnt);
35839 - error = setxattr(path.dentry, name, value, size, flags);
35840 + error = setxattr(&path, name, value, size, flags);
35841 mnt_drop_write(path.mnt);
35844 @@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
35846 error = mnt_want_write(path.mnt);
35848 - error = setxattr(path.dentry, name, value, size, flags);
35849 + error = setxattr(&path, name, value, size, flags);
35850 mnt_drop_write(path.mnt);
35853 @@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
35854 const void __user *,value, size_t, size, int, flags)
35857 - struct dentry *dentry;
35858 int error = -EBADF;
35863 - dentry = f->f_path.dentry;
35864 - audit_inode(NULL, dentry);
35865 + audit_inode(NULL, f->f_path.dentry);
35866 error = mnt_want_write_file(f);
35868 - error = setxattr(dentry, name, value, size, flags);
35869 + error = setxattr(&f->f_path, name, value, size, flags);
35870 mnt_drop_write(f->f_path.mnt);
35873 diff -urNp linux-2.6.38.4/fs/xfs/linux-2.6/xfs_ioctl32.c linux-2.6.38.4/fs/xfs/linux-2.6/xfs_ioctl32.c
35874 --- linux-2.6.38.4/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-03-14 21:20:32.000000000 -0400
35875 +++ linux-2.6.38.4/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-04-17 15:57:32.000000000 -0400
35876 @@ -73,6 +73,7 @@ xfs_compat_ioc_fsgeometry_v1(
35877 xfs_fsop_geom_t fsgeo;
35880 + memset(&fsgeo, 0, sizeof(fsgeo));
35881 error = xfs_fs_geometry(mp, &fsgeo, 3);
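Review bot: The new `memset(&fsgeo, 0, sizeof(fsgeo))` has no comment saying what it protects against, and a later cleanup could replace it with `= { 0 }`, which does not guarantee that structure padding is zeroed; the struct is presumably copied to user space further down (outside the hunk), where unfilled fields or padding would leak stack contents. State it at the call site: `/* zero the whole struct, padding included: xfs_fs_geometry(..., 3) may leave fields unfilled and fsgeo is copied to user space below; a {0} initializer would not clear padding */`. The `error` check and the copy-out are not visible in this hunk.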
35884 diff -urNp linux-2.6.38.4/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.38.4/fs/xfs/linux-2.6/xfs_ioctl.c
35885 --- linux-2.6.38.4/fs/xfs/linux-2.6/xfs_ioctl.c 2011-03-14 21:20:32.000000000 -0400
35886 +++ linux-2.6.38.4/fs/xfs/linux-2.6/xfs_ioctl.c 2011-04-17 20:08:09.000000000 -0400
35887 @@ -128,7 +128,7 @@ xfs_find_handle(
35891 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
35892 + if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
35893 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
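Review bot: `hsize > sizeof handle` guards against copying more than the on-stack `handle` to user space, but `hsize` is presumably derived by the kernel from the handle's fid length a few lines up rather than supplied by the caller, so a violation is an internal logic bug, not a bad user address; folding it into the `copy_to_user()` condition reports it as whatever that path returns (presumably -EFAULT) and hides it. Make the invariant visible and loud: `if (WARN_ON_ONCE(hsize > sizeof(handle))) goto out_put;` ahead of the existing `if (copy_to_user(...) || ...)`. The computation of `hsize` and the `out_put` label are outside the hunk.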
35896 diff -urNp linux-2.6.38.4/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.38.4/fs/xfs/linux-2.6/xfs_iops.c
35897 --- linux-2.6.38.4/fs/xfs/linux-2.6/xfs_iops.c 2011-03-14 21:20:32.000000000 -0400
35898 +++ linux-2.6.38.4/fs/xfs/linux-2.6/xfs_iops.c 2011-04-17 15:57:32.000000000 -0400
35899 @@ -436,7 +436,7 @@ xfs_vn_put_link(
35900 struct nameidata *nd,
35903 - char *s = nd_get_link(nd);
35904 + const char *s = nd_get_link(nd);
35908 diff -urNp linux-2.6.38.4/fs/xfs/xfs_bmap.c linux-2.6.38.4/fs/xfs/xfs_bmap.c
35909 --- linux-2.6.38.4/fs/xfs/xfs_bmap.c 2011-03-14 21:20:32.000000000 -0400
35910 +++ linux-2.6.38.4/fs/xfs/xfs_bmap.c 2011-04-17 15:57:32.000000000 -0400
35911 @@ -287,7 +287,7 @@ xfs_bmap_validate_ret(
35915 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
35916 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
35920 diff -urNp linux-2.6.38.4/fs/xfs/xfs_dir2_sf.c linux-2.6.38.4/fs/xfs/xfs_dir2_sf.c
35921 --- linux-2.6.38.4/fs/xfs/xfs_dir2_sf.c 2011-03-14 21:20:32.000000000 -0400
35922 +++ linux-2.6.38.4/fs/xfs/xfs_dir2_sf.c 2011-04-18 22:03:12.000000000 -0400
35923 @@ -780,7 +780,15 @@ xfs_dir2_sf_getdents(
35926 ino = xfs_dir2_sf_get_inumber(sfp, xfs_dir2_sf_inumberp(sfep));
35927 - if (filldir(dirent, (char *)sfep->name, sfep->namelen,
35928 + if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
35929 + char name[sfep->namelen];
35930 + memcpy(name, sfep->name, sfep->namelen);
35931 + if (filldir(dirent, name, sfep->namelen,
35932 + off & 0x7fffffff, ino, DT_UNKNOWN)) {
35933 + *offset = off & 0x7fffffff;
35936 + } else if (filldir(dirent, (char *)sfep->name, sfep->namelen,
35937 off & 0x7fffffff, ino, DT_UNKNOWN)) {
35938 *offset = off & 0x7fffffff;
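Review bot: `char name[sfep->namelen]` is a variable-length array sized by an on-disk field with no comment explaining why the name is copied to the stack before `filldir()` at all, and if `namelen` is ever 0 on a corrupted directory the VLA has zero length, which C99 leaves undefined; if `namelen` is the on-disk u8 (to be confirmed), a fixed 256-byte buffer always fits and removes the VLA. The two `filldir()` calls also duplicate their argument list; selecting the name pointer first and calling `filldir()` once keeps the copy in one place. The declarations should move to the top of xfs_dir2_sf_getdents() per kernel style, but the function start and the `return` after `*offset` are outside the hunk.
```c
		ino = xfs_dir2_sf_get_inumber(sfp, xfs_dir2_sf_inumberp(sfep));
		/* namelen is presumably the on-disk u8 — a fixed buffer then always fits */
		const char *nameptr = (const char *)sfep->name;
		char namebuf[256];

		/*
		 * For inline shortform data the name lives inside the inode
		 * object; copy it to the stack before filldir() copies it to
		 * user space.  (Motivation inferred — confirm against the
		 * user-copy checks elsewhere in this series.)
		 */
		if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
			memcpy(namebuf, sfep->name, sfep->namelen);
			nameptr = namebuf;
		}
		if (filldir(dirent, nameptr, sfep->namelen,
			    off & 0x7fffffff, ino, DT_UNKNOWN)) {
			*offset = off & 0x7fffffff;
			/* … unchanged: return … */
```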
35940 diff -urNp linux-2.6.38.4/grsecurity/gracl_alloc.c linux-2.6.38.4/grsecurity/gracl_alloc.c
35941 --- linux-2.6.38.4/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
35942 +++ linux-2.6.38.4/grsecurity/gracl_alloc.c 2011-04-17 15:57:32.000000000 -0400
35944 +#include <linux/kernel.h>
35945 +#include <linux/mm.h>
35946 +#include <linux/slab.h>
35947 +#include <linux/vmalloc.h>
35948 +#include <linux/gracl.h>
35949 +#include <linux/grsecurity.h>
35951 +static unsigned long alloc_stack_next = 1;
35952 +static unsigned long alloc_stack_size = 1;
35953 +static void **alloc_stack;
35955 +static __inline__ int
35958 + if (alloc_stack_next == 1)
35961 + kfree(alloc_stack[alloc_stack_next - 2]);
35963 + alloc_stack_next--;
35968 +static __inline__ int
35969 +alloc_push(void *buf)
35971 + if (alloc_stack_next >= alloc_stack_size)
35974 + alloc_stack[alloc_stack_next - 1] = buf;
35976 + alloc_stack_next++;
35982 +acl_alloc(unsigned long len)
35984 + void *ret = NULL;
35986 + if (!len || len > PAGE_SIZE)
35989 + ret = kmalloc(len, GFP_KERNEL);
35992 + if (alloc_push(ret)) {
36003 +acl_alloc_num(unsigned long num, unsigned long len)
36005 + if (!len || (num > (PAGE_SIZE / len)))
36008 + return acl_alloc(num * len);
36012 +acl_free_all(void)
36014 + if (gr_acl_is_enabled() || !alloc_stack)
36017 + while (alloc_pop()) ;
36019 + if (alloc_stack) {
36020 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
36021 + kfree(alloc_stack);
36023 + vfree(alloc_stack);
36026 + alloc_stack = NULL;
36027 + alloc_stack_size = 1;
36028 + alloc_stack_next = 1;
36034 +acl_alloc_stack_init(unsigned long size)
36036 + if ((size * sizeof (void *)) <= PAGE_SIZE)
36038 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
36040 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
36042 + alloc_stack_size = size;
36044 + if (!alloc_stack)
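Review bot: `acl_alloc_stack_init()` overwrites `alloc_stack` and `alloc_stack_size` without checking whether a previous stack is still live, so a second call before `acl_free_all()` leaks the old array and loses track of every allocation recorded on it; a guard such as `if (WARN_ON(alloc_stack)) return 0;` at the top would make the intended invariant explicit. The `size * sizeof (void *)` products are also unchecked while `size` comes from a caller-supplied count (`init_variables()` in gracl.c passes `arg->role_db.num_pointers + 5`, which originates in user space): on 64-bit the multiply cannot wrap for a 32-bit count, but an attacker-chosen `vmalloc()` size is still a cheap way to exhaust memory at policy-load time, so either bound `size` or reject sizes above a sane maximum — the loader is presumably already privileged, so this is hardening rather than a privilege boundary. The function's return statements and the `acl_free_all()` caller are outside the visible lines.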
36049 diff -urNp linux-2.6.38.4/grsecurity/gracl.c linux-2.6.38.4/grsecurity/gracl.c
36050 --- linux-2.6.38.4/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
36051 +++ linux-2.6.38.4/grsecurity/gracl.c 2011-04-17 15:57:32.000000000 -0400
36053 +#include <linux/kernel.h>
36054 +#include <linux/module.h>
36055 +#include <linux/sched.h>
36056 +#include <linux/mm.h>
36057 +#include <linux/file.h>
36058 +#include <linux/fs.h>
36059 +#include <linux/namei.h>
36060 +#include <linux/mount.h>
36061 +#include <linux/tty.h>
36062 +#include <linux/proc_fs.h>
36063 +#include <linux/smp_lock.h>
36064 +#include <linux/lglock.h>
36065 +#include <linux/slab.h>
36066 +#include <linux/vmalloc.h>
36067 +#include <linux/types.h>
36068 +#include <linux/sysctl.h>
36069 +#include <linux/netdevice.h>
36070 +#include <linux/ptrace.h>
36071 +#include <linux/gracl.h>
36072 +#include <linux/gralloc.h>
36073 +#include <linux/grsecurity.h>
36074 +#include <linux/grinternal.h>
36075 +#include <linux/pid_namespace.h>
36076 +#include <linux/fdtable.h>
36077 +#include <linux/percpu.h>
36079 +#include <asm/uaccess.h>
36080 +#include <asm/errno.h>
36081 +#include <asm/mman.h>
36083 +static struct acl_role_db acl_role_set;
36084 +static struct name_db name_set;
36085 +static struct inodev_db inodev_set;
36087 +/* for keeping track of userspace pointers used for subjects, so we
36088 + can share references in the kernel as well
36091 +static struct path real_root;
36093 +static struct acl_subj_map_db subj_map_set;
36095 +static struct acl_role_label *default_role;
36097 +static struct acl_role_label *role_list;
36099 +static u16 acl_sp_role_value;
36101 +extern char *gr_shared_page[4];
36102 +static DEFINE_MUTEX(gr_dev_mutex);
36103 +DEFINE_RWLOCK(gr_inode_lock);
36105 +struct gr_arg *gr_usermode;
36107 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
36109 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
36110 +extern void gr_clear_learn_entries(void);
36112 +#ifdef CONFIG_GRKERNSEC_RESLOG
36113 +extern void gr_log_resource(const struct task_struct *task,
36114 + const int res, const unsigned long wanted, const int gt);
36117 +unsigned char *gr_system_salt;
36118 +unsigned char *gr_system_sum;
36120 +static struct sprole_pw **acl_special_roles = NULL;
36121 +static __u16 num_sprole_pws = 0;
36123 +static struct acl_role_label *kernel_role = NULL;
36125 +static unsigned int gr_auth_attempts = 0;
36126 +static unsigned long gr_auth_expires = 0UL;
36128 +extern struct vfsmount *sock_mnt;
36129 +extern struct vfsmount *pipe_mnt;
36130 +extern struct vfsmount *shm_mnt;
36131 +#ifdef CONFIG_HUGETLBFS
36132 +extern struct vfsmount *hugetlbfs_vfsmount;
36135 +static struct acl_object_label *fakefs_obj;
36137 +extern int gr_init_uidset(void);
36138 +extern void gr_free_uidset(void);
36139 +extern void gr_remove_uid(uid_t uid);
36140 +extern int gr_find_uid(uid_t uid);
36142 +DECLARE_BRLOCK(vfsmount_lock);
36145 +gr_acl_is_enabled(void)
36147 + return (gr_status & GR_READY);
36150 +#ifdef CONFIG_BTRFS_FS
36151 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
36152 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
36155 +static inline dev_t __get_dev(const struct dentry *dentry)
36157 +#ifdef CONFIG_BTRFS_FS
36158 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
36159 + return get_btrfs_dev_from_inode(dentry->d_inode);
36162 + return dentry->d_inode->i_sb->s_dev;
36165 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
36167 + return __get_dev(dentry);
36170 +static char gr_task_roletype_to_char(struct task_struct *task)
36172 + switch (task->role->roletype &
36173 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
36174 + GR_ROLE_SPECIAL)) {
36175 + case GR_ROLE_DEFAULT:
36177 + case GR_ROLE_USER:
36179 + case GR_ROLE_GROUP:
36181 + case GR_ROLE_SPECIAL:
36188 +char gr_roletype_to_char(void)
36190 + return gr_task_roletype_to_char(current);
36194 +gr_acl_tpe_check(void)
36196 + if (unlikely(!(gr_status & GR_READY)))
36198 + if (current->role->roletype & GR_ROLE_TPE)
36205 +gr_handle_rawio(const struct inode *inode)
36207 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
36208 + if (inode && S_ISBLK(inode->i_mode) &&
36209 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
36210 + !capable(CAP_SYS_RAWIO))
36217 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
36219 + if (likely(lena != lenb))
36222 + return !memcmp(a, b, lena);
36225 +static int prepend(char **buffer, int *buflen, const char *str, int namelen)
36227 + *buflen -= namelen;
36229 + return -ENAMETOOLONG;
36230 + *buffer -= namelen;
36231 + memcpy(*buffer, str, namelen);
36235 +static int prepend_name(char **buffer, int *buflen, struct qstr *name)
36237 + return prepend(buffer, buflen, name->name, name->len);
36240 +static int prepend_path(const struct path *path, struct path *root,
36241 + char **buffer, int *buflen)
36243 + struct dentry *dentry = path->dentry;
36244 + struct vfsmount *vfsmnt = path->mnt;
36245 + bool slash = false;
36248 + while (dentry != root->dentry || vfsmnt != root->mnt) {
36249 + struct dentry * parent;
36251 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
36252 + /* Global root? */
36253 + if (vfsmnt->mnt_parent == vfsmnt) {
36256 + dentry = vfsmnt->mnt_mountpoint;
36257 + vfsmnt = vfsmnt->mnt_parent;
36260 + parent = dentry->d_parent;
36261 + prefetch(parent);
36262 + spin_lock(&dentry->d_lock);
36263 + error = prepend_name(buffer, buflen, &dentry->d_name);
36264 + spin_unlock(&dentry->d_lock);
36266 + error = prepend(buffer, buflen, "/", 1);
36275 + if (!error && !slash)
36276 + error = prepend(buffer, buflen, "/", 1);
36281 +/* this must be called with vfsmount_lock and rename_lock held */
36283 +static char *__our_d_path(const struct path *path, struct path *root,
36284 + char *buf, int buflen)
36286 + char *res = buf + buflen;
36289 + prepend(&res, &buflen, "\0", 1);
36290 + error = prepend_path(path, root, &res, &buflen);
36292 + return ERR_PTR(error);
36298 +gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
36302 + retval = __our_d_path(path, root, buf, buflen);
36303 + if (unlikely(IS_ERR(retval)))
36304 + retval = strcpy(buf, "<path too long>");
36305 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
36306 + retval[1] = '\0';
36312 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
36313 + char *buf, int buflen)
36315 + struct path path;
36318 + path.dentry = (struct dentry *)dentry;
36319 + path.mnt = (struct vfsmount *)vfsmnt;
36321 + /* we can use real_root.dentry, real_root.mnt, because this is only called
36322 + by the RBAC system */
36323 + res = gen_full_path(&path, &real_root, buf, buflen);
36329 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
36330 + char *buf, int buflen)
36333 + struct path path;
36334 + struct path root;
36335 + struct task_struct *reaper = &init_task;
36337 + path.dentry = (struct dentry *)dentry;
36338 + path.mnt = (struct vfsmount *)vfsmnt;
36340 + /* we can't use real_root.dentry, real_root.mnt, because they belong only to the RBAC system */
36341 + get_fs_root(reaper->fs, &root);
36343 + write_seqlock(&rename_lock);
36344 + br_read_lock(vfsmount_lock);
36345 + res = gen_full_path(&path, &root, buf, buflen);
36346 + br_read_unlock(vfsmount_lock);
36347 + write_sequnlock(&rename_lock);
36354 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
36357 + write_seqlock(&rename_lock);
36358 + br_read_lock(vfsmount_lock);
36359 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
36361 + br_read_unlock(vfsmount_lock);
36362 + write_sequnlock(&rename_lock);
36367 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
36369 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
36374 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
36376 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
36381 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
36383 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
36388 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
36390 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
36395 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
36397 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
36402 +to_gr_audit(const __u32 reqmode)
36404 + /* masks off auditable permission flags, then shifts them to create
36405 + auditing flags, and adds the special case of append auditing if
36406 + we're requesting write */
36407 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
36410 +struct acl_subject_label *
36411 +lookup_subject_map(const struct acl_subject_label *userp)
36413 + unsigned int index = shash(userp, subj_map_set.s_size);
36414 + struct subject_map *match;
36416 + match = subj_map_set.s_hash[index];
36418 + while (match && match->user != userp)
36419 + match = match->next;
36421 + if (match != NULL)
36422 + return match->kernel;
36428 +insert_subj_map_entry(struct subject_map *subjmap)
36430 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
36431 + struct subject_map **curr;
36433 + subjmap->prev = NULL;
36435 + curr = &subj_map_set.s_hash[index];
36436 + if (*curr != NULL)
36437 + (*curr)->prev = subjmap;
36439 + subjmap->next = *curr;
36445 +static struct acl_role_label *
36446 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
36449 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
36450 + struct acl_role_label *match;
36451 + struct role_allowed_ip *ipp;
36453 + u32 curr_ip = task->signal->curr_ip;
36455 + task->signal->saved_ip = curr_ip;
36457 + match = acl_role_set.r_hash[index];
36460 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
36461 + for (x = 0; x < match->domain_child_num; x++) {
36462 + if (match->domain_children[x] == uid)
36465 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
36467 + match = match->next;
36470 + if (match == NULL) {
36472 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
36473 + match = acl_role_set.r_hash[index];
36476 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
36477 + for (x = 0; x < match->domain_child_num; x++) {
36478 + if (match->domain_children[x] == gid)
36481 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
36483 + match = match->next;
36486 + if (match == NULL)
36487 + match = default_role;
36488 + if (match->allowed_ips == NULL)
36491 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
36493 + ((ntohl(curr_ip) & ipp->netmask) ==
36494 + (ntohl(ipp->addr) & ipp->netmask)))
36497 + match = default_role;
36499 + } else if (match->allowed_ips == NULL) {
36502 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
36504 + ((ntohl(curr_ip) & ipp->netmask) ==
36505 + (ntohl(ipp->addr) & ipp->netmask)))
36514 +struct acl_subject_label *
36515 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
36516 + const struct acl_role_label *role)
36518 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
36519 + struct acl_subject_label *match;
36521 + match = role->subj_hash[index];
36523 + while (match && (match->inode != ino || match->device != dev ||
36524 + (match->mode & GR_DELETED))) {
36525 + match = match->next;
36528 + if (match && !(match->mode & GR_DELETED))
36534 +struct acl_subject_label *
36535 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
36536 + const struct acl_role_label *role)
36538 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
36539 + struct acl_subject_label *match;
36541 + match = role->subj_hash[index];
36543 + while (match && (match->inode != ino || match->device != dev ||
36544 + !(match->mode & GR_DELETED))) {
36545 + match = match->next;
36548 + if (match && (match->mode & GR_DELETED))
36554 +static struct acl_object_label *
36555 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
36556 + const struct acl_subject_label *subj)
36558 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
36559 + struct acl_object_label *match;
36561 + match = subj->obj_hash[index];
36563 + while (match && (match->inode != ino || match->device != dev ||
36564 + (match->mode & GR_DELETED))) {
36565 + match = match->next;
36568 + if (match && !(match->mode & GR_DELETED))
36574 +static struct acl_object_label *
36575 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
36576 + const struct acl_subject_label *subj)
36578 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
36579 + struct acl_object_label *match;
36581 + match = subj->obj_hash[index];
36583 + while (match && (match->inode != ino || match->device != dev ||
36584 + !(match->mode & GR_DELETED))) {
36585 + match = match->next;
36588 + if (match && (match->mode & GR_DELETED))
36591 + match = subj->obj_hash[index];
36593 + while (match && (match->inode != ino || match->device != dev ||
36594 + (match->mode & GR_DELETED))) {
36595 + match = match->next;
36598 + if (match && !(match->mode & GR_DELETED))
36604 +static struct name_entry *
36605 +lookup_name_entry(const char *name)
36607 + unsigned int len = strlen(name);
36608 + unsigned int key = full_name_hash(name, len);
36609 + unsigned int index = key % name_set.n_size;
36610 + struct name_entry *match;
36612 + match = name_set.n_hash[index];
36614 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
36615 + match = match->next;
36620 +static struct name_entry *
36621 +lookup_name_entry_create(const char *name)
36623 + unsigned int len = strlen(name);
36624 + unsigned int key = full_name_hash(name, len);
36625 + unsigned int index = key % name_set.n_size;
36626 + struct name_entry *match;
36628 + match = name_set.n_hash[index];
36630 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
36631 + !match->deleted))
36632 + match = match->next;
36634 + if (match && match->deleted)
36637 + match = name_set.n_hash[index];
36639 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
36641 + match = match->next;
36643 + if (match && !match->deleted)
36649 +static struct inodev_entry *
36650 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
36652 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
36653 + struct inodev_entry *match;
36655 + match = inodev_set.i_hash[index];
36657 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
36658 + match = match->next;
36664 +insert_inodev_entry(struct inodev_entry *entry)
36666 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
36667 + inodev_set.i_size);
36668 + struct inodev_entry **curr;
36670 + entry->prev = NULL;
36672 + curr = &inodev_set.i_hash[index];
36673 + if (*curr != NULL)
36674 + (*curr)->prev = entry;
36676 + entry->next = *curr;
36683 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
36685 + unsigned int index =
36686 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
36687 + struct acl_role_label **curr;
36688 + struct acl_role_label *tmp;
36690 + curr = &acl_role_set.r_hash[index];
36692 + /* if role was already inserted due to domains and already has
36693 + a role in the same bucket as it attached, then we need to
36694 + combine these two buckets
36696 + if (role->next) {
36697 + tmp = role->next;
36698 + while (tmp->next)
36700 + tmp->next = *curr;
36702 + role->next = *curr;
36709 +insert_acl_role_label(struct acl_role_label *role)
36713 + if (role_list == NULL) {
36714 + role_list = role;
36715 + role->prev = NULL;
36717 + role->prev = role_list;
36718 + role_list = role;
36721 + /* used for hash chains */
36722 + role->next = NULL;
36724 + if (role->roletype & GR_ROLE_DOMAIN) {
36725 + for (i = 0; i < role->domain_child_num; i++)
36726 + __insert_acl_role_label(role, role->domain_children[i]);
36728 + __insert_acl_role_label(role, role->uidgid);
36732 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
36734 + struct name_entry **curr, *nentry;
36735 + struct inodev_entry *ientry;
36736 + unsigned int len = strlen(name);
36737 + unsigned int key = full_name_hash(name, len);
36738 + unsigned int index = key % name_set.n_size;
36740 + curr = &name_set.n_hash[index];
36742 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
36743 + curr = &((*curr)->next);
36745 + if (*curr != NULL)
36748 + nentry = acl_alloc(sizeof (struct name_entry));
36749 + if (nentry == NULL)
36751 + ientry = acl_alloc(sizeof (struct inodev_entry));
36752 + if (ientry == NULL)
36754 + ientry->nentry = nentry;
36756 + nentry->key = key;
36757 + nentry->name = name;
36758 + nentry->inode = inode;
36759 + nentry->device = device;
36760 + nentry->len = len;
36761 + nentry->deleted = deleted;
36763 + nentry->prev = NULL;
36764 + curr = &name_set.n_hash[index];
36765 + if (*curr != NULL)
36766 + (*curr)->prev = nentry;
36767 + nentry->next = *curr;
36770 + /* insert us into the table searchable by inode/dev */
36771 + insert_inodev_entry(ientry);
36777 +insert_acl_obj_label(struct acl_object_label *obj,
36778 + struct acl_subject_label *subj)
36780 + unsigned int index =
36781 + fhash(obj->inode, obj->device, subj->obj_hash_size);
36782 + struct acl_object_label **curr;
36785 + obj->prev = NULL;
36787 + curr = &subj->obj_hash[index];
36788 + if (*curr != NULL)
36789 + (*curr)->prev = obj;
36791 + obj->next = *curr;
36798 +insert_acl_subj_label(struct acl_subject_label *obj,
36799 + struct acl_role_label *role)
36801 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
36802 + struct acl_subject_label **curr;
36804 + obj->prev = NULL;
36806 + curr = &role->subj_hash[index];
36807 + if (*curr != NULL)
36808 + (*curr)->prev = obj;
36810 + obj->next = *curr;
36816 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
36819 +create_table(__u32 * len, int elementsize)
36821 + unsigned int table_sizes[] = {
36822 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
36823 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
36824 + 4194301, 8388593, 16777213, 33554393, 67108859
36826 + void *newtable = NULL;
36827 + unsigned int pwr = 0;
36829 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
36830 + table_sizes[pwr] <= *len)
36833 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
36836 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
36838 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
36840 + newtable = vmalloc(table_sizes[pwr] * elementsize);
36842 + *len = table_sizes[pwr];
36848 +init_variables(const struct gr_arg *arg)
36850 + struct task_struct *reaper = &init_task;
36851 + unsigned int stacksize;
36853 + subj_map_set.s_size = arg->role_db.num_subjects;
36854 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
36855 + name_set.n_size = arg->role_db.num_objects;
36856 + inodev_set.i_size = arg->role_db.num_objects;
36858 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
36859 + !name_set.n_size || !inodev_set.i_size)
36862 + if (!gr_init_uidset())
36865 + /* set up the stack that holds allocation info */
36867 + stacksize = arg->role_db.num_pointers + 5;
36869 + if (!acl_alloc_stack_init(stacksize))
36872 + /* grab reference for the real root dentry and vfsmount */
36873 + get_fs_root(reaper->fs, &real_root);
36875 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
36876 + printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root.dentry), real_root.dentry->d_inode->i_ino);
36879 + fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
36880 + if (fakefs_obj == NULL)
36882 + fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
36884 + subj_map_set.s_hash =
36885 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
36886 + acl_role_set.r_hash =
36887 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
36888 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
36889 + inodev_set.i_hash =
36890 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
36892 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
36893 + !name_set.n_hash || !inodev_set.i_hash)
36896 + memset(subj_map_set.s_hash, 0,
36897 + sizeof(struct subject_map *) * subj_map_set.s_size);
36898 + memset(acl_role_set.r_hash, 0,
36899 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
36900 + memset(name_set.n_hash, 0,
36901 + sizeof (struct name_entry *) * name_set.n_size);
36902 + memset(inodev_set.i_hash, 0,
36903 + sizeof (struct inodev_entry *) * inodev_set.i_size);
36908 +/* free information not needed after startup
36909 + currently contains user->kernel pointer mappings for subjects
36913 +free_init_variables(void)
36917 + if (subj_map_set.s_hash) {
36918 + for (i = 0; i < subj_map_set.s_size; i++) {
36919 + if (subj_map_set.s_hash[i]) {
36920 + kfree(subj_map_set.s_hash[i]);
36921 + subj_map_set.s_hash[i] = NULL;
36925 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
36927 + kfree(subj_map_set.s_hash);
36929 + vfree(subj_map_set.s_hash);
36936 +free_variables(void)
36938 + struct acl_subject_label *s;
36939 + struct acl_role_label *r;
36940 + struct task_struct *task, *task2;
36943 + gr_clear_learn_entries();
36945 + read_lock(&tasklist_lock);
36946 + do_each_thread(task2, task) {
36947 + task->acl_sp_role = 0;
36948 + task->acl_role_id = 0;
36949 + task->acl = NULL;
36950 + task->role = NULL;
36951 + } while_each_thread(task2, task);
36952 + read_unlock(&tasklist_lock);
36954 + /* release the reference to the real root dentry and vfsmount */
36955 + path_put(&real_root);
36957 + /* free all object hash tables */
36959 + FOR_EACH_ROLE_START(r)
36960 + if (r->subj_hash == NULL)
36962 + FOR_EACH_SUBJECT_START(r, s, x)
36963 + if (s->obj_hash == NULL)
36965 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
36966 + kfree(s->obj_hash);
36968 + vfree(s->obj_hash);
36969 + FOR_EACH_SUBJECT_END(s, x)
36970 + FOR_EACH_NESTED_SUBJECT_START(r, s)
36971 + if (s->obj_hash == NULL)
36973 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
36974 + kfree(s->obj_hash);
36976 + vfree(s->obj_hash);
36977 + FOR_EACH_NESTED_SUBJECT_END(s)
36978 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
36979 + kfree(r->subj_hash);
36981 + vfree(r->subj_hash);
36982 + r->subj_hash = NULL;
36984 + FOR_EACH_ROLE_END(r)
36988 + if (acl_role_set.r_hash) {
36989 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
36991 + kfree(acl_role_set.r_hash);
36993 + vfree(acl_role_set.r_hash);
36995 + if (name_set.n_hash) {
36996 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
36998 + kfree(name_set.n_hash);
37000 + vfree(name_set.n_hash);
37003 + if (inodev_set.i_hash) {
37004 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
37006 + kfree(inodev_set.i_hash);
37008 + vfree(inodev_set.i_hash);
37011 + gr_free_uidset();
37013 + memset(&name_set, 0, sizeof (struct name_db));
37014 + memset(&inodev_set, 0, sizeof (struct inodev_db));
37015 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
37016 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
37018 + default_role = NULL;
37019 + role_list = NULL;
37025 +count_user_objs(struct acl_object_label *userp)
37027 + struct acl_object_label o_tmp;
37031 + if (copy_from_user(&o_tmp, userp,
37032 + sizeof (struct acl_object_label)))
37035 + userp = o_tmp.prev;
37042 +static struct acl_subject_label *
37043 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
37046 +copy_user_glob(struct acl_object_label *obj)
37048 + struct acl_object_label *g_tmp, **guser;
37049 + unsigned int len;
37052 + if (obj->globbed == NULL)
37055 + guser = &obj->globbed;
37057 + g_tmp = (struct acl_object_label *)
37058 + acl_alloc(sizeof (struct acl_object_label));
37059 + if (g_tmp == NULL)
37062 + if (copy_from_user(g_tmp, *guser,
37063 + sizeof (struct acl_object_label)))
37066 + len = strnlen_user(g_tmp->filename, PATH_MAX);
37068 + if (!len || len >= PATH_MAX)
37071 + if ((tmp = (char *) acl_alloc(len)) == NULL)
37074 + if (copy_from_user(tmp, g_tmp->filename, len))
37076 + tmp[len-1] = '\0';
37077 + g_tmp->filename = tmp;
37080 + guser = &(g_tmp->next);
37087 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
37088 + struct acl_role_label *role)
37090 + struct acl_object_label *o_tmp;
37091 + unsigned int len;
37096 + if ((o_tmp = (struct acl_object_label *)
37097 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
37100 + if (copy_from_user(o_tmp, userp,
37101 + sizeof (struct acl_object_label)))
37104 + userp = o_tmp->prev;
37106 + len = strnlen_user(o_tmp->filename, PATH_MAX);
37108 + if (!len || len >= PATH_MAX)
37111 + if ((tmp = (char *) acl_alloc(len)) == NULL)
37114 + if (copy_from_user(tmp, o_tmp->filename, len))
37116 + tmp[len-1] = '\0';
37117 + o_tmp->filename = tmp;
37119 + insert_acl_obj_label(o_tmp, subj);
37120 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
37121 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
37124 + ret = copy_user_glob(o_tmp);
37128 + if (o_tmp->nested) {
37129 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
37130 + if (IS_ERR(o_tmp->nested))
37131 + return PTR_ERR(o_tmp->nested);
37133 + /* insert into nested subject list */
37134 + o_tmp->nested->next = role->hash->first;
37135 + role->hash->first = o_tmp->nested;
37143 +count_user_subjs(struct acl_subject_label *userp)
37145 + struct acl_subject_label s_tmp;
37149 + if (copy_from_user(&s_tmp, userp,
37150 + sizeof (struct acl_subject_label)))
37153 + userp = s_tmp.prev;
37154 + /* do not count nested subjects against this count, since
37155 + they are not included in the hash table, but are
37156 + attached to objects. We have already counted
37157 + the subjects in userspace for the allocation
37160 + if (!(s_tmp.mode & GR_NESTED))
37168 +copy_user_allowedips(struct acl_role_label *rolep)
37170 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
37172 + ruserip = rolep->allowed_ips;
37174 + while (ruserip) {
37177 + if ((rtmp = (struct role_allowed_ip *)
37178 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
37181 + if (copy_from_user(rtmp, ruserip,
37182 + sizeof (struct role_allowed_ip)))
37185 + ruserip = rtmp->prev;
37188 + rtmp->prev = NULL;
37189 + rolep->allowed_ips = rtmp;
37191 + rlast->next = rtmp;
37192 + rtmp->prev = rlast;
37196 + rtmp->next = NULL;
37203 +copy_user_transitions(struct acl_role_label *rolep)
37205 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
37207 + unsigned int len;
37210 + rusertp = rolep->transitions;
37212 + while (rusertp) {
37215 + if ((rtmp = (struct role_transition *)
37216 + acl_alloc(sizeof (struct role_transition))) == NULL)
37219 + if (copy_from_user(rtmp, rusertp,
37220 + sizeof (struct role_transition)))
37223 + rusertp = rtmp->prev;
37225 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
37227 + if (!len || len >= GR_SPROLE_LEN)
37230 + if ((tmp = (char *) acl_alloc(len)) == NULL)
37233 + if (copy_from_user(tmp, rtmp->rolename, len))
37235 + tmp[len-1] = '\0';
37236 + rtmp->rolename = tmp;
37239 + rtmp->prev = NULL;
37240 + rolep->transitions = rtmp;
37242 + rlast->next = rtmp;
37243 + rtmp->prev = rlast;
37247 + rtmp->next = NULL;
37253 +static struct acl_subject_label *
37254 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
37256 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
37257 + unsigned int len;
37260 + struct acl_ip_label **i_tmp, *i_utmp2;
37261 + struct gr_hash_struct ghash;
37262 + struct subject_map *subjmap;
37263 + unsigned int i_num;
37266 + s_tmp = lookup_subject_map(userp);
37268 + /* we've already copied this subject into the kernel, just return
37269 + the reference to it, and don't copy it over again
37274 + if ((s_tmp = (struct acl_subject_label *)
37275 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
37276 + return ERR_PTR(-ENOMEM);
37278 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
37279 + if (subjmap == NULL)
37280 + return ERR_PTR(-ENOMEM);
37282 + subjmap->user = userp;
37283 + subjmap->kernel = s_tmp;
37284 + insert_subj_map_entry(subjmap);
37286 + if (copy_from_user(s_tmp, userp,
37287 + sizeof (struct acl_subject_label)))
37288 + return ERR_PTR(-EFAULT);
37290 + len = strnlen_user(s_tmp->filename, PATH_MAX);
37292 + if (!len || len >= PATH_MAX)
37293 + return ERR_PTR(-EINVAL);
37295 + if ((tmp = (char *) acl_alloc(len)) == NULL)
37296 + return ERR_PTR(-ENOMEM);
37298 + if (copy_from_user(tmp, s_tmp->filename, len))
37299 + return ERR_PTR(-EFAULT);
37300 + tmp[len-1] = '\0';
37301 + s_tmp->filename = tmp;
37303 + if (!strcmp(s_tmp->filename, "/"))
37304 + role->root_label = s_tmp;
37306 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
37307 + return ERR_PTR(-EFAULT);
37309 + /* copy user and group transition tables */
37311 + if (s_tmp->user_trans_num) {
37314 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
37315 + if (uidlist == NULL)
37316 + return ERR_PTR(-ENOMEM);
37317 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
37318 + return ERR_PTR(-EFAULT);
37320 + s_tmp->user_transitions = uidlist;
37323 + if (s_tmp->group_trans_num) {
37326 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
37327 + if (gidlist == NULL)
37328 + return ERR_PTR(-ENOMEM);
37329 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
37330 + return ERR_PTR(-EFAULT);
37332 + s_tmp->group_transitions = gidlist;
37335 + /* set up object hash table */
37336 + num_objs = count_user_objs(ghash.first);
37338 + s_tmp->obj_hash_size = num_objs;
37339 + s_tmp->obj_hash =
37340 + (struct acl_object_label **)
37341 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
37343 + if (!s_tmp->obj_hash)
37344 + return ERR_PTR(-ENOMEM);
37346 + memset(s_tmp->obj_hash, 0,
37347 + s_tmp->obj_hash_size *
37348 + sizeof (struct acl_object_label *));
37350 + /* add in objects */
37351 + err = copy_user_objs(ghash.first, s_tmp, role);
37354 + return ERR_PTR(err);
37356 + /* set pointer for parent subject */
37357 + if (s_tmp->parent_subject) {
37358 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
37360 + if (IS_ERR(s_tmp2))
37363 + s_tmp->parent_subject = s_tmp2;
37366 + /* add in ip acls */
37368 + if (!s_tmp->ip_num) {
37369 + s_tmp->ips = NULL;
37374 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
37375 + sizeof (struct acl_ip_label *));
37378 + return ERR_PTR(-ENOMEM);
37380 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
37381 + *(i_tmp + i_num) =
37382 + (struct acl_ip_label *)
37383 + acl_alloc(sizeof (struct acl_ip_label));
37384 + if (!*(i_tmp + i_num))
37385 + return ERR_PTR(-ENOMEM);
37387 + if (copy_from_user
37388 + (&i_utmp2, s_tmp->ips + i_num,
37389 + sizeof (struct acl_ip_label *)))
37390 + return ERR_PTR(-EFAULT);
37392 + if (copy_from_user
37393 + (*(i_tmp + i_num), i_utmp2,
37394 + sizeof (struct acl_ip_label)))
37395 + return ERR_PTR(-EFAULT);
37397 + if ((*(i_tmp + i_num))->iface == NULL)
37400 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
37401 + if (!len || len >= IFNAMSIZ)
37402 + return ERR_PTR(-EINVAL);
37403 + tmp = acl_alloc(len);
37405 + return ERR_PTR(-ENOMEM);
37406 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
37407 + return ERR_PTR(-EFAULT);
37408 + (*(i_tmp + i_num))->iface = tmp;
37411 + s_tmp->ips = i_tmp;
37414 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
37415 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
37416 + return ERR_PTR(-ENOMEM);
37422 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
37424 + struct acl_subject_label s_pre;
37425 + struct acl_subject_label * ret;
37429 + if (copy_from_user(&s_pre, userp,
37430 + sizeof (struct acl_subject_label)))
37433 + /* do not add nested subjects here, add
37434 + while parsing objects
37437 + if (s_pre.mode & GR_NESTED) {
37438 + userp = s_pre.prev;
37442 + ret = do_copy_user_subj(userp, role);
37444 + err = PTR_ERR(ret);
37448 + insert_acl_subj_label(ret, role);
37450 + userp = s_pre.prev;
37457 +copy_user_acl(struct gr_arg *arg)
37459 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
37460 + struct sprole_pw *sptmp;
37461 + struct gr_hash_struct *ghash;
37462 + uid_t *domainlist;
37463 + unsigned int r_num;
37464 + unsigned int len;
37470 + /* we need a default and kernel role */
37471 + if (arg->role_db.num_roles < 2)
37474 + /* copy special role authentication info from userspace */
37476 + num_sprole_pws = arg->num_sprole_pws;
37477 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
37479 + if (!acl_special_roles) {
37484 + for (i = 0; i < num_sprole_pws; i++) {
37485 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
37490 + if (copy_from_user(sptmp, arg->sprole_pws + i,
37491 + sizeof (struct sprole_pw))) {
37497 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
37499 + if (!len || len >= GR_SPROLE_LEN) {
37504 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
37509 + if (copy_from_user(tmp, sptmp->rolename, len)) {
37513 + tmp[len-1] = '\0';
37514 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
37515 + printk(KERN_ALERT "Copying special role %s\n", tmp);
37517 + sptmp->rolename = tmp;
37518 + acl_special_roles[i] = sptmp;
37521 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
37523 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
37524 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
37531 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
37532 + sizeof (struct acl_role_label *))) {
37537 + if (copy_from_user(r_tmp, r_utmp2,
37538 + sizeof (struct acl_role_label))) {
37543 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
37545 + if (!len || len >= PATH_MAX) {
37550 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
37554 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
37558 + tmp[len-1] = '\0';
37559 + r_tmp->rolename = tmp;
37561 + if (!strcmp(r_tmp->rolename, "default")
37562 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
37563 + default_role = r_tmp;
37564 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
37565 + kernel_role = r_tmp;
37568 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
37572 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
37577 + r_tmp->hash = ghash;
37579 + num_subjs = count_user_subjs(r_tmp->hash->first);
37581 + r_tmp->subj_hash_size = num_subjs;
37582 + r_tmp->subj_hash =
37583 + (struct acl_subject_label **)
37584 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
37586 + if (!r_tmp->subj_hash) {
37591 + err = copy_user_allowedips(r_tmp);
37595 + /* copy domain info */
37596 + if (r_tmp->domain_children != NULL) {
37597 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
37598 + if (domainlist == NULL) {
37602 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
37606 + r_tmp->domain_children = domainlist;
37609 + err = copy_user_transitions(r_tmp);
37613 + memset(r_tmp->subj_hash, 0,
37614 + r_tmp->subj_hash_size *
37615 + sizeof (struct acl_subject_label *));
37617 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
37622 + /* set nested subject list to null */
37623 + r_tmp->hash->first = NULL;
37625 + insert_acl_role_label(r_tmp);
37630 + free_variables();
37637 +gracl_init(struct gr_arg *args)
37641 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
37642 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
37644 + if (init_variables(args)) {
37645 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
37647 + free_variables();
37651 + error = copy_user_acl(args);
37652 + free_init_variables();
37654 + free_variables();
37658 + if ((error = gr_set_acls(0))) {
37659 + free_variables();
37663 + pax_open_kernel();
37664 + gr_status |= GR_READY;
37665 + pax_close_kernel();
37671 +/* derived from glibc fnmatch() 0: match, 1: no match*/
37674 +glob_match(const char *p, const char *n)
37678 + while ((c = *p++) != '\0') {
37683 + else if (*n == '/')
37691 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
37694 + else if (c == '?') {
37704 + const char *endp;
37706 + if ((endp = strchr(n, '/')) == NULL)
37707 + endp = n + strlen(n);
37710 + for (--p; n < endp; ++n)
37711 + if (!glob_match(p, n))
37713 + } else if (c == '/') {
37714 + while (*n != '\0' && *n != '/')
37716 + if (*n == '/' && !glob_match(p, n + 1))
37719 + for (--p; n < endp; ++n)
37720 + if (*n == c && !glob_match(p, n))
37731 + if (*n == '\0' || *n == '/')
37734 + not = (*p == '!' || *p == '^');
37740 + unsigned char fn = (unsigned char)*n;
37750 + if (c == '-' && *p != ']') {
37751 + unsigned char cend = *p++;
37753 + if (cend == '\0')
37756 + if (cold <= fn && fn <= cend)
37770 + while (c != ']') {
37797 +static struct acl_object_label *
37798 +chk_glob_label(struct acl_object_label *globbed,
37799 + struct dentry *dentry, struct vfsmount *mnt, char **path)
37801 + struct acl_object_label *tmp;
37803 + if (*path == NULL)
37804 + *path = gr_to_filename_nolock(dentry, mnt);
37809 + if (!glob_match(tmp->filename, *path))
37817 +static struct acl_object_label *
37818 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
37819 + const ino_t curr_ino, const dev_t curr_dev,
37820 + const struct acl_subject_label *subj, char **path, const int checkglob)
37822 + struct acl_subject_label *tmpsubj;
37823 + struct acl_object_label *retval;
37824 + struct acl_object_label *retval2;
37826 + tmpsubj = (struct acl_subject_label *) subj;
37827 + read_lock(&gr_inode_lock);
37829 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
37831 + if (checkglob && retval->globbed) {
37832 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
37833 + (struct vfsmount *)orig_mnt, path);
37835 + retval = retval2;
37839 + } while ((tmpsubj = tmpsubj->parent_subject));
37840 + read_unlock(&gr_inode_lock);
37845 +static __inline__ struct acl_object_label *
37846 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
37847 + struct dentry *curr_dentry,
37848 + const struct acl_subject_label *subj, char **path, const int checkglob)
37850 + int newglob = checkglob;
37854 + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
37855 + as we don't want a / * rule to match instead of the / object
37856 + don't do this for create lookups that call this function though, since they're looking up
37857 + on the parent and thus need globbing checks on all paths
37859 + if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
37860 + newglob = GR_NO_GLOB;
37862 + spin_lock(&curr_dentry->d_lock);
37863 + inode = curr_dentry->d_inode->i_ino;
37864 + device = __get_dev(curr_dentry);
37865 + spin_unlock(&curr_dentry->d_lock);
37867 + return __full_lookup(orig_dentry, orig_mnt, inode, device, subj, path, newglob);
37870 +static struct acl_object_label *
37871 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
37872 + const struct acl_subject_label *subj, char *path, const int checkglob)
37874 + struct dentry *dentry = (struct dentry *) l_dentry;
37875 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
37876 + struct acl_object_label *retval;
37877 + struct dentry *parent;
37879 + write_seqlock(&rename_lock);
37880 + br_read_lock(vfsmount_lock);
37882 + if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt || mnt == sock_mnt ||
37883 +#ifdef CONFIG_HUGETLBFS
37884 + (mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
37886 + /* ignore Eric Biederman */
37887 + IS_PRIVATE(l_dentry->d_inode))) {
37888 + retval = fakefs_obj;
37893 + if (dentry == real_root.dentry && mnt == real_root.mnt)
37896 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
37897 + if (mnt->mnt_parent == mnt)
37900 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
37901 + if (retval != NULL)
37904 + dentry = mnt->mnt_mountpoint;
37905 + mnt = mnt->mnt_parent;
37909 + parent = dentry->d_parent;
37910 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
37911 + if (retval != NULL)
37917 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
37919 + /* real_root is pinned so we don't have to hold a reference */
37920 + if (retval == NULL)
37921 + retval = full_lookup(l_dentry, l_mnt, real_root.dentry, subj, &path, checkglob);
37923 + br_read_unlock(vfsmount_lock);
37924 + write_sequnlock(&rename_lock);
37926 + BUG_ON(retval == NULL);
37931 +static __inline__ struct acl_object_label *
37932 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
37933 + const struct acl_subject_label *subj)
37935 + char *path = NULL;
37936 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
37939 +static __inline__ struct acl_object_label *
37940 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
37941 + const struct acl_subject_label *subj)
37943 + char *path = NULL;
37944 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
37947 +static __inline__ struct acl_object_label *
37948 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
37949 + const struct acl_subject_label *subj, char *path)
37951 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
37954 +static struct acl_subject_label *
37955 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
37956 + const struct acl_role_label *role)
37958 + struct dentry *dentry = (struct dentry *) l_dentry;
37959 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
37960 + struct acl_subject_label *retval;
37961 + struct dentry *parent;
37963 + write_seqlock(&rename_lock);
37964 + br_read_lock(vfsmount_lock);
37967 + if (dentry == real_root.dentry && mnt == real_root.mnt)
37969 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
37970 + if (mnt->mnt_parent == mnt)
37973 + spin_lock(&dentry->d_lock);
37974 + read_lock(&gr_inode_lock);
37976 + lookup_acl_subj_label(dentry->d_inode->i_ino,
37977 + __get_dev(dentry), role);
37978 + read_unlock(&gr_inode_lock);
37979 + spin_unlock(&dentry->d_lock);
37980 + if (retval != NULL)
37983 + dentry = mnt->mnt_mountpoint;
37984 + mnt = mnt->mnt_parent;
37988 + spin_lock(&dentry->d_lock);
37989 + read_lock(&gr_inode_lock);
37990 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
37991 + __get_dev(dentry), role);
37992 + read_unlock(&gr_inode_lock);
37993 + parent = dentry->d_parent;
37994 + spin_unlock(&dentry->d_lock);
37996 + if (retval != NULL)
38002 + spin_lock(&dentry->d_lock);
38003 + read_lock(&gr_inode_lock);
38004 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
38005 + __get_dev(dentry), role);
38006 + read_unlock(&gr_inode_lock);
38007 + spin_unlock(&dentry->d_lock);
38009 + if (unlikely(retval == NULL)) {
38010 + /* real_root is pinned, we don't need to hold a reference */
38011 + read_lock(&gr_inode_lock);
38012 + retval = lookup_acl_subj_label(real_root.dentry->d_inode->i_ino,
38013 + __get_dev(real_root.dentry), role);
38014 + read_unlock(&gr_inode_lock);
38017 + br_read_unlock(vfsmount_lock);
38018 + write_sequnlock(&rename_lock);
38020 + BUG_ON(retval == NULL);
38026 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
38028 + struct task_struct *task = current;
38029 + const struct cred *cred = current_cred();
38031 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
38032 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
38033 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
38034 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
38040 +gr_log_learn_sysctl(const char *path, const __u32 mode)
38042 + struct task_struct *task = current;
38043 + const struct cred *cred = current_cred();
38045 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
38046 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
38047 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
38048 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
38054 +gr_log_learn_id_change(const char type, const unsigned int real,
38055 + const unsigned int effective, const unsigned int fs)
38057 + struct task_struct *task = current;
38058 + const struct cred *cred = current_cred();
38060 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
38061 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
38062 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
38063 + type, real, effective, fs, &task->signal->saved_ip);
38069 +gr_check_link(const struct dentry * new_dentry,
38070 + const struct dentry * parent_dentry,
38071 + const struct vfsmount * parent_mnt,
38072 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
38074 + struct acl_object_label *obj;
38075 + __u32 oldmode, newmode;
38078 + if (unlikely(!(gr_status & GR_READY)))
38079 + return (GR_CREATE | GR_LINK);
38081 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
38082 + oldmode = obj->mode;
38084 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
38085 + oldmode |= (GR_CREATE | GR_LINK);
38087 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
38088 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
38089 + needmode |= GR_SETID | GR_AUDIT_SETID;
38092 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
38093 + oldmode | needmode);
38095 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
38096 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
38097 + GR_INHERIT | GR_AUDIT_INHERIT);
38099 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
38102 + if ((oldmode & needmode) != needmode)
38105 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
38106 + if ((newmode & needmode) != needmode)
38109 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
38112 + needmode = oldmode;
38113 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
38114 + needmode |= GR_SETID;
38116 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
38117 + gr_log_learn(old_dentry, old_mnt, needmode);
38118 + return (GR_CREATE | GR_LINK);
38119 + } else if (newmode & GR_SUPPRESS)
38120 + return GR_SUPPRESS;
38126 +gr_search_file(const struct dentry * dentry, const __u32 mode,
38127 + const struct vfsmount * mnt)
38129 + __u32 retval = mode;
38130 + struct acl_subject_label *curracl;
38131 + struct acl_object_label *currobj;
38133 + if (unlikely(!(gr_status & GR_READY)))
38134 + return (mode & ~GR_AUDITS);
38136 + curracl = current->acl;
38138 + currobj = chk_obj_label(dentry, mnt, curracl);
38139 + retval = currobj->mode & mode;
38141 + /* if we're opening a specified transfer file for writing
38142 + (e.g. /dev/initctl), then transfer our role to init
38144 + if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
38145 + current->role->roletype & GR_ROLE_PERSIST)) {
38146 + struct task_struct *task = init_pid_ns.child_reaper;
38148 + if (task->role != current->role) {
38149 + task->acl_sp_role = 0;
38150 + task->acl_role_id = current->acl_role_id;
38151 + task->role = current->role;
38153 + read_lock(&grsec_exec_file_lock);
38154 + gr_apply_subject_to_task(task);
38155 + read_unlock(&grsec_exec_file_lock);
38156 + rcu_read_unlock();
38157 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
38162 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
38163 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
38164 + __u32 new_mode = mode;
38166 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
38168 + retval = new_mode;
38170 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
38171 + new_mode |= GR_INHERIT;
38173 + if (!(mode & GR_NOLEARN))
38174 + gr_log_learn(dentry, mnt, new_mode);
38181 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
38182 + const struct vfsmount * mnt, const __u32 mode)
38184 + struct name_entry *match;
38185 + struct acl_object_label *matchpo;
38186 + struct acl_subject_label *curracl;
38190 + if (unlikely(!(gr_status & GR_READY)))
38191 + return (mode & ~GR_AUDITS);
38193 + preempt_disable();
38194 + path = gr_to_filename_rbac(new_dentry, mnt);
38195 + match = lookup_name_entry_create(path);
38198 + goto check_parent;
38200 + curracl = current->acl;
38202 + read_lock(&gr_inode_lock);
38203 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
38204 + read_unlock(&gr_inode_lock);
38207 + if ((matchpo->mode & mode) !=
38208 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
38209 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
38210 + __u32 new_mode = mode;
38212 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
38214 + gr_log_learn(new_dentry, mnt, new_mode);
38216 + preempt_enable();
38219 + preempt_enable();
38220 + return (matchpo->mode & mode);
38224 + curracl = current->acl;
38226 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
38227 + retval = matchpo->mode & mode;
38229 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
38230 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
38231 + __u32 new_mode = mode;
38233 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
38235 + gr_log_learn(new_dentry, mnt, new_mode);
38236 + preempt_enable();
38240 + preempt_enable();
38245 +gr_check_hidden_task(const struct task_struct *task)
38247 + if (unlikely(!(gr_status & GR_READY)))
38250 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
38257 +gr_check_protected_task(const struct task_struct *task)
38259 + if (unlikely(!(gr_status & GR_READY) || !task))
38262 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
38263 + task->acl != current->acl)
38270 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
38272 + struct task_struct *p;
38275 + if (unlikely(!(gr_status & GR_READY) || !pid))
38278 + read_lock(&tasklist_lock);
38279 + do_each_pid_task(pid, type, p) {
38280 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
38281 + p->acl != current->acl) {
38285 + } while_each_pid_task(pid, type, p);
38287 + read_unlock(&tasklist_lock);
38293 +gr_copy_label(struct task_struct *tsk)
38295 + tsk->signal->used_accept = 0;
38296 + tsk->acl_sp_role = 0;
38297 + tsk->acl_role_id = current->acl_role_id;
38298 + tsk->acl = current->acl;
38299 + tsk->role = current->role;
38300 + tsk->signal->curr_ip = current->signal->curr_ip;
38301 + tsk->signal->saved_ip = current->signal->saved_ip;
38302 + if (current->exec_file)
38303 + get_file(current->exec_file);
38304 + tsk->exec_file = current->exec_file;
38305 + tsk->is_writable = current->is_writable;
38306 + if (unlikely(current->signal->used_accept)) {
38307 + current->signal->curr_ip = 0;
38308 + current->signal->saved_ip = 0;
38315 +gr_set_proc_res(struct task_struct *task)
38317 + struct acl_subject_label *proc;
38318 + unsigned short i;
38320 + proc = task->acl;
38322 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
38325 + for (i = 0; i < RLIM_NLIMITS; i++) {
38326 + if (!(proc->resmask & (1 << i)))
38329 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
38330 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
38337 +gr_check_user_change(int real, int effective, int fs)
38344 + int effectiveok = 0;
38347 + if (unlikely(!(gr_status & GR_READY)))
38350 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
38351 + gr_log_learn_id_change('u', real, effective, fs);
38353 + num = current->acl->user_trans_num;
38354 + uidlist = current->acl->user_transitions;
38356 + if (uidlist == NULL)
38361 + if (effective == -1)
38366 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
38367 + for (i = 0; i < num; i++) {
38368 + curuid = (int)uidlist[i];
38369 + if (real == curuid)
38371 + if (effective == curuid)
38373 + if (fs == curuid)
38376 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
38377 + for (i = 0; i < num; i++) {
38378 + curuid = (int)uidlist[i];
38379 + if (real == curuid)
38381 + if (effective == curuid)
38383 + if (fs == curuid)
38386 + /* not in deny list */
38394 + if (realok && effectiveok && fsok)
38397 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
38403 +gr_check_group_change(int real, int effective, int fs)
38410 + int effectiveok = 0;
38413 + if (unlikely(!(gr_status & GR_READY)))
38416 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
38417 + gr_log_learn_id_change('g', real, effective, fs);
38419 + num = current->acl->group_trans_num;
38420 + gidlist = current->acl->group_transitions;
38422 + if (gidlist == NULL)
38427 + if (effective == -1)
38432 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
38433 + for (i = 0; i < num; i++) {
38434 + curgid = (int)gidlist[i];
38435 + if (real == curgid)
38437 + if (effective == curgid)
38439 + if (fs == curgid)
38442 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
38443 + for (i = 0; i < num; i++) {
38444 + curgid = (int)gidlist[i];
38445 + if (real == curgid)
38447 + if (effective == curgid)
38449 + if (fs == curgid)
38452 + /* not in deny list */
38460 + if (realok && effectiveok && fsok)
38463 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
38469 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
38471 + struct acl_role_label *role = task->role;
38472 + struct acl_subject_label *subj = NULL;
38473 + struct acl_object_label *obj;
38474 + struct file *filp;
38476 + if (unlikely(!(gr_status & GR_READY)))
38479 + filp = task->exec_file;
38481 + /* kernel process, we'll give them the kernel role */
38482 + if (unlikely(!filp)) {
38483 + task->role = kernel_role;
38484 + task->acl = kernel_role->root_label;
38486 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
38487 + role = lookup_acl_role_label(task, uid, gid);
38489 + /* perform subject lookup in possibly new role
38490 + we can use this result below in the case where role == task->role
38492 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
38494 + /* if we changed uid/gid, but result in the same role
38495 + and are using inheritance, don't lose the inherited subject
38496 + if current subject is other than what normal lookup
38497 + would result in, we arrived via inheritance, don't
38500 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
38501 + (subj == task->acl)))
38502 + task->acl = subj;
38504 + task->role = role;
38506 + task->is_writable = 0;
38508 + /* ignore additional mmap checks for processes that are writable
38509 + by the default ACL */
38510 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
38511 + if (unlikely(obj->mode & GR_WRITE))
38512 + task->is_writable = 1;
38513 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
38514 + if (unlikely(obj->mode & GR_WRITE))
38515 + task->is_writable = 1;
38517 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
38518 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
38521 + gr_set_proc_res(task);
38527 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
38528 + const int unsafe_share)
38530 + struct task_struct *task = current;
38531 + struct acl_subject_label *newacl;
38532 + struct acl_object_label *obj;
38535 + if (unlikely(!(gr_status & GR_READY)))
38538 + newacl = chk_subj_label(dentry, mnt, task->role);
38541 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
38542 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
38543 + !(task->role->roletype & GR_ROLE_GOD) &&
38544 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
38545 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
38546 + task_unlock(task);
38547 + if (unsafe_share)
38548 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
38550 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
38553 + task_unlock(task);
38555 + obj = chk_obj_label(dentry, mnt, task->acl);
38556 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
38558 + if (!(task->acl->mode & GR_INHERITLEARN) &&
38559 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
38561 + task->acl = obj->nested;
38563 + task->acl = newacl;
38564 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
38565 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
38567 + task->is_writable = 0;
38569 + /* ignore additional mmap checks for processes that are writable
38570 + by the default ACL */
38571 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
38572 + if (unlikely(obj->mode & GR_WRITE))
38573 + task->is_writable = 1;
38574 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
38575 + if (unlikely(obj->mode & GR_WRITE))
38576 + task->is_writable = 1;
38578 + gr_set_proc_res(task);
38580 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
38581 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
38586 +/* always called with valid inodev ptr */
38588 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
38590 + struct acl_object_label *matchpo;
38591 + struct acl_subject_label *matchps;
38592 + struct acl_subject_label *subj;
38593 + struct acl_role_label *role;
38596 + FOR_EACH_ROLE_START(role)
38597 + FOR_EACH_SUBJECT_START(role, subj, x)
38598 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
38599 + matchpo->mode |= GR_DELETED;
38600 + FOR_EACH_SUBJECT_END(subj,x)
38601 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
38602 + if (subj->inode == ino && subj->device == dev)
38603 + subj->mode |= GR_DELETED;
38604 + FOR_EACH_NESTED_SUBJECT_END(subj)
38605 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
38606 + matchps->mode |= GR_DELETED;
38607 + FOR_EACH_ROLE_END(role)
38609 + inodev->nentry->deleted = 1;
38615 +gr_handle_delete(const ino_t ino, const dev_t dev)
38617 + struct inodev_entry *inodev;
38619 + if (unlikely(!(gr_status & GR_READY)))
38622 + write_lock(&gr_inode_lock);
38623 + inodev = lookup_inodev_entry(ino, dev);
38624 + if (inodev != NULL)
38625 + do_handle_delete(inodev, ino, dev);
38626 + write_unlock(&gr_inode_lock);
38632 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
38633 + const ino_t newinode, const dev_t newdevice,
38634 + struct acl_subject_label *subj)
38636 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
38637 + struct acl_object_label *match;
38639 + match = subj->obj_hash[index];
38641 + while (match && (match->inode != oldinode ||
38642 + match->device != olddevice ||
38643 + !(match->mode & GR_DELETED)))
38644 + match = match->next;
38646 + if (match && (match->inode == oldinode)
38647 + && (match->device == olddevice)
38648 + && (match->mode & GR_DELETED)) {
38649 + if (match->prev == NULL) {
38650 + subj->obj_hash[index] = match->next;
38651 + if (match->next != NULL)
38652 + match->next->prev = NULL;
38654 + match->prev->next = match->next;
38655 + if (match->next != NULL)
38656 + match->next->prev = match->prev;
38658 + match->prev = NULL;
38659 + match->next = NULL;
38660 + match->inode = newinode;
38661 + match->device = newdevice;
38662 + match->mode &= ~GR_DELETED;
38664 + insert_acl_obj_label(match, subj);
38671 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
38672 + const ino_t newinode, const dev_t newdevice,
38673 + struct acl_role_label *role)
38675 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
38676 + struct acl_subject_label *match;
38678 + match = role->subj_hash[index];
38680 + while (match && (match->inode != oldinode ||
38681 + match->device != olddevice ||
38682 + !(match->mode & GR_DELETED)))
38683 + match = match->next;
38685 + if (match && (match->inode == oldinode)
38686 + && (match->device == olddevice)
38687 + && (match->mode & GR_DELETED)) {
38688 + if (match->prev == NULL) {
38689 + role->subj_hash[index] = match->next;
38690 + if (match->next != NULL)
38691 + match->next->prev = NULL;
38693 + match->prev->next = match->next;
38694 + if (match->next != NULL)
38695 + match->next->prev = match->prev;
38697 + match->prev = NULL;
38698 + match->next = NULL;
38699 + match->inode = newinode;
38700 + match->device = newdevice;
38701 + match->mode &= ~GR_DELETED;
38703 + insert_acl_subj_label(match, role);
38710 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
38711 + const ino_t newinode, const dev_t newdevice)
38713 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
38714 + struct inodev_entry *match;
38716 + match = inodev_set.i_hash[index];
38718 + while (match && (match->nentry->inode != oldinode ||
38719 + match->nentry->device != olddevice || !match->nentry->deleted))
38720 + match = match->next;
38722 + if (match && (match->nentry->inode == oldinode)
38723 + && (match->nentry->device == olddevice) &&
38724 + match->nentry->deleted) {
38725 + if (match->prev == NULL) {
38726 + inodev_set.i_hash[index] = match->next;
38727 + if (match->next != NULL)
38728 + match->next->prev = NULL;
38730 + match->prev->next = match->next;
38731 + if (match->next != NULL)
38732 + match->next->prev = match->prev;
38734 + match->prev = NULL;
38735 + match->next = NULL;
38736 + match->nentry->inode = newinode;
38737 + match->nentry->device = newdevice;
38738 + match->nentry->deleted = 0;
38740 + insert_inodev_entry(match);
38747 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
38748 + const struct vfsmount *mnt)
38750 + struct acl_subject_label *subj;
38751 + struct acl_role_label *role;
38753 + ino_t ino = dentry->d_inode->i_ino;
38754 + dev_t dev = __get_dev(dentry);
38756 + FOR_EACH_ROLE_START(role)
38757 + update_acl_subj_label(matchn->inode, matchn->device, ino, dev, role);
38759 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
38760 + if ((subj->inode == ino) && (subj->device == dev)) {
38761 + subj->inode = ino;
38762 + subj->device = dev;
38764 + FOR_EACH_NESTED_SUBJECT_END(subj)
38765 + FOR_EACH_SUBJECT_START(role, subj, x)
38766 + update_acl_obj_label(matchn->inode, matchn->device,
38768 + FOR_EACH_SUBJECT_END(subj,x)
38769 + FOR_EACH_ROLE_END(role)
38771 + update_inodev_entry(matchn->inode, matchn->device, ino, dev);
38777 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
38779 + struct name_entry *matchn;
38781 + if (unlikely(!(gr_status & GR_READY)))
38784 + preempt_disable();
38785 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
38787 + if (unlikely((unsigned long)matchn)) {
38788 + write_lock(&gr_inode_lock);
38789 + do_handle_create(matchn, dentry, mnt);
38790 + write_unlock(&gr_inode_lock);
38792 + preempt_enable();
38798 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
38799 + struct dentry *old_dentry,
38800 + struct dentry *new_dentry,
38801 + struct vfsmount *mnt, const __u8 replace)
38803 + struct name_entry *matchn;
38804 + struct inodev_entry *inodev;
38805 + ino_t old_ino = old_dentry->d_inode->i_ino;
38806 + dev_t old_dev = __get_dev(old_dentry);
38808 + /* vfs_rename swaps the name and parent link for old_dentry and
38810 + at this point, old_dentry has the new name, parent link, and inode
38811 + for the renamed file
38812 + if a file is being replaced by a rename, new_dentry has the inode
38813 + and name for the replaced file
38816 + if (unlikely(!(gr_status & GR_READY)))
38819 + preempt_disable();
38820 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
38822 + /* we wouldn't have to check d_inode if it weren't for
38823 + NFS silly-renaming
38826 + write_lock(&gr_inode_lock);
38827 + if (unlikely(replace && new_dentry->d_inode)) {
38828 + ino_t new_ino = new_dentry->d_inode->i_ino;
38829 + dev_t new_dev = __get_dev(new_dentry);
38831 + inodev = lookup_inodev_entry(new_ino, new_dev);
38832 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
38833 + do_handle_delete(inodev, new_ino, new_dev);
38836 + inodev = lookup_inodev_entry(old_ino, old_dev);
38837 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
38838 + do_handle_delete(inodev, old_ino, old_dev);
38840 + if (unlikely((unsigned long)matchn))
38841 + do_handle_create(matchn, old_dentry, mnt);
38843 + write_unlock(&gr_inode_lock);
38844 + preempt_enable();
38850 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
38851 + unsigned char **sum)
38853 + struct acl_role_label *r;
38854 + struct role_allowed_ip *ipp;
38855 + struct role_transition *trans;
38858 + u32 curr_ip = current->signal->curr_ip;
38860 + current->signal->saved_ip = curr_ip;
38862 + /* check transition table */
38864 + for (trans = current->role->transitions; trans; trans = trans->next) {
38865 + if (!strcmp(rolename, trans->rolename)) {
38874 + /* handle special roles that do not require authentication
38877 + FOR_EACH_ROLE_START(r)
38878 + if (!strcmp(rolename, r->rolename) &&
38879 + (r->roletype & GR_ROLE_SPECIAL)) {
38881 + if (r->allowed_ips != NULL) {
38882 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
38883 + if ((ntohl(curr_ip) & ipp->netmask) ==
38884 + (ntohl(ipp->addr) & ipp->netmask))
38892 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
38893 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
38899 + FOR_EACH_ROLE_END(r)
38901 + for (i = 0; i < num_sprole_pws; i++) {
38902 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
38903 + *salt = acl_special_roles[i]->salt;
38904 + *sum = acl_special_roles[i]->sum;
38913 +assign_special_role(char *rolename)
38915 + struct acl_object_label *obj;
38916 + struct acl_role_label *r;
38917 + struct acl_role_label *assigned = NULL;
38918 + struct task_struct *tsk;
38919 + struct file *filp;
38921 + FOR_EACH_ROLE_START(r)
38922 + if (!strcmp(rolename, r->rolename) &&
38923 + (r->roletype & GR_ROLE_SPECIAL)) {
38927 + FOR_EACH_ROLE_END(r)
38932 + read_lock(&tasklist_lock);
38933 + read_lock(&grsec_exec_file_lock);
38935 + tsk = current->real_parent;
38939 + filp = tsk->exec_file;
38940 + if (filp == NULL)
38943 + tsk->is_writable = 0;
38945 + tsk->acl_sp_role = 1;
38946 + tsk->acl_role_id = ++acl_sp_role_value;
38947 + tsk->role = assigned;
38948 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
38950 + /* ignore additional mmap checks for processes that are writable
38951 + by the default ACL */
38952 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
38953 + if (unlikely(obj->mode & GR_WRITE))
38954 + tsk->is_writable = 1;
38955 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
38956 + if (unlikely(obj->mode & GR_WRITE))
38957 + tsk->is_writable = 1;
38959 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
38960 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
38964 + read_unlock(&grsec_exec_file_lock);
38965 + read_unlock(&tasklist_lock);
38969 +int gr_check_secure_terminal(struct task_struct *task)
38971 + struct task_struct *p, *p2, *p3;
38972 + struct files_struct *files;
38973 + struct fdtable *fdt;
38974 + struct file *our_file = NULL, *file;
38977 + if (task->signal->tty == NULL)
38980 + files = get_files_struct(task);
38981 + if (files != NULL) {
38983 + fdt = files_fdtable(files);
38984 + for (i=0; i < fdt->max_fds; i++) {
38985 + file = fcheck_files(files, i);
38986 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
38991 + rcu_read_unlock();
38992 + put_files_struct(files);
38995 + if (our_file == NULL)
38998 + read_lock(&tasklist_lock);
38999 + do_each_thread(p2, p) {
39000 + files = get_files_struct(p);
39001 + if (files == NULL ||
39002 + (p->signal && p->signal->tty == task->signal->tty)) {
39003 + if (files != NULL)
39004 + put_files_struct(files);
39008 + fdt = files_fdtable(files);
39009 + for (i=0; i < fdt->max_fds; i++) {
39010 + file = fcheck_files(files, i);
39011 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
39012 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
39014 + while (p3->pid > 0) {
39017 + p3 = p3->real_parent;
39021 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
39022 + gr_handle_alertkill(p);
39023 + rcu_read_unlock();
39024 + put_files_struct(files);
39025 + read_unlock(&tasklist_lock);
39030 + rcu_read_unlock();
39031 + put_files_struct(files);
39032 + } while_each_thread(p2, p);
39033 + read_unlock(&tasklist_lock);
39040 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
39042 + struct gr_arg_wrapper uwrap;
39043 + unsigned char *sprole_salt = NULL;
39044 + unsigned char *sprole_sum = NULL;
39045 + int error = sizeof (struct gr_arg_wrapper);
39048 + mutex_lock(&gr_dev_mutex);
39050 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
39055 + if (count != sizeof (struct gr_arg_wrapper)) {
39056 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
39062 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
39063 + gr_auth_expires = 0;
39064 + gr_auth_attempts = 0;
39067 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
39072 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
39077 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
39082 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
39083 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
39084 + time_after(gr_auth_expires, get_seconds())) {
39089 + /* if non-root trying to do anything other than use a special role,
39090 + do not attempt authentication, do not count towards authentication
39094 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
39095 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
39101 + /* ensure pw and special role name are null terminated */
39103 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
39104 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
39107 + * We have our enough of the argument structure..(we have yet
39108 + * to copy_from_user the tables themselves) . Copy the tables
39109 + * only if we need them, i.e. for loading operations. */
39111 + switch (gr_usermode->mode) {
39113 + if (gr_status & GR_READY) {
39115 + if (!gr_check_secure_terminal(current))
39120 + case GR_SHUTDOWN:
39121 + if ((gr_status & GR_READY)
39122 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
39123 + pax_open_kernel();
39124 + gr_status &= ~GR_READY;
39125 + pax_close_kernel();
39127 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
39128 + free_variables();
39129 + memset(gr_usermode, 0, sizeof (struct gr_arg));
39130 + memset(gr_system_salt, 0, GR_SALT_LEN);
39131 + memset(gr_system_sum, 0, GR_SHA_LEN);
39132 + } else if (gr_status & GR_READY) {
39133 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
39136 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
39141 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
39142 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
39144 + if (gr_status & GR_READY)
39148 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
39152 + if (!(gr_status & GR_READY)) {
39153 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
39155 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
39156 + preempt_disable();
39158 + pax_open_kernel();
39159 + gr_status &= ~GR_READY;
39160 + pax_close_kernel();
39162 + free_variables();
39163 + if (!(error2 = gracl_init(gr_usermode))) {
39164 + preempt_enable();
39165 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
39167 + preempt_enable();
39169 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
39172 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
39177 + if (unlikely(!(gr_status & GR_READY))) {
39178 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
39183 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
39184 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
39185 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
39186 + struct acl_subject_label *segvacl;
39188 + lookup_acl_subj_label(gr_usermode->segv_inode,
39189 + gr_usermode->segv_device,
39192 + segvacl->crashes = 0;
39193 + segvacl->expires = 0;
39195 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
39196 + gr_remove_uid(gr_usermode->segv_uid);
39199 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
39204 + case GR_SPROLEPAM:
39205 + if (unlikely(!(gr_status & GR_READY))) {
39206 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
39211 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
39212 + current->role->expires = 0;
39213 + current->role->auth_attempts = 0;
39216 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
39217 + time_after(current->role->expires, get_seconds())) {
39222 + if (lookup_special_role_auth
39223 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
39224 + && ((!sprole_salt && !sprole_sum)
39225 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
39227 + assign_special_role(gr_usermode->sp_role);
39228 + read_lock(&tasklist_lock);
39229 + if (current->real_parent)
39230 + p = current->real_parent->role->rolename;
39231 + read_unlock(&tasklist_lock);
39232 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
39233 + p, acl_sp_role_value);
39235 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
39237 + if(!(current->role->auth_attempts++))
39238 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
39243 + case GR_UNSPROLE:
39244 + if (unlikely(!(gr_status & GR_READY))) {
39245 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
39250 + if (current->role->roletype & GR_ROLE_SPECIAL) {
39254 + read_lock(&tasklist_lock);
39255 + if (current->real_parent) {
39256 + p = current->real_parent->role->rolename;
39257 + i = current->real_parent->acl_role_id;
39259 + read_unlock(&tasklist_lock);
39261 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
39269 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
39274 + if (error != -EPERM)
39277 + if(!(gr_auth_attempts++))
39278 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
39281 + mutex_unlock(&gr_dev_mutex);
39285 +/* must be called with
39287 + read_lock(&tasklist_lock);
39288 + read_lock(&grsec_exec_file_lock);
39290 +int gr_apply_subject_to_task(struct task_struct *task)
39292 + struct acl_object_label *obj;
39294 + struct acl_subject_label *tmpsubj;
39295 + struct file *filp;
39296 + struct name_entry *nmatch;
39298 + filp = task->exec_file;
39299 + if (filp == NULL)
39302 + /* the following is to apply the correct subject
39303 + on binaries running when the RBAC system
39304 + is enabled, when the binaries have been
39305 + replaced or deleted since their execution
39307 + when the RBAC system starts, the inode/dev
39308 + from exec_file will be one the RBAC system
39309 + is unaware of. It only knows the inode/dev
39310 + of the present file on disk, or the absence
39313 + preempt_disable();
39314 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
39316 + nmatch = lookup_name_entry(tmpname);
39317 + preempt_enable();
39320 + if (nmatch->deleted)
39321 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
39323 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
39324 + if (tmpsubj != NULL)
39325 + task->acl = tmpsubj;
39327 + if (tmpsubj == NULL)
39328 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
39331 + struct acl_subject_label *curr;
39332 + curr = task->acl;
39334 + task->is_writable = 0;
39335 + /* ignore additional mmap checks for processes that are writable
39336 + by the default ACL */
39337 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
39338 + if (unlikely(obj->mode & GR_WRITE))
39339 + task->is_writable = 1;
39340 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
39341 + if (unlikely(obj->mode & GR_WRITE))
39342 + task->is_writable = 1;
39344 + gr_set_proc_res(task);
39346 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
39347 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
39357 +gr_set_acls(const int type)
39359 + struct task_struct *task, *task2;
39360 + struct acl_role_label *role = current->role;
39361 + __u16 acl_role_id = current->acl_role_id;
39362 + const struct cred *cred;
39366 + read_lock(&tasklist_lock);
39367 + read_lock(&grsec_exec_file_lock);
39368 + do_each_thread(task2, task) {
39369 + /* check to see if we're called from the exit handler,
39370 + if so, only replace ACLs that have inherited the admin
39373 + if (type && (task->role != role ||
39374 + task->acl_role_id != acl_role_id))
39377 + task->acl_role_id = 0;
39378 + task->acl_sp_role = 0;
39380 + if (task->exec_file) {
39381 + cred = __task_cred(task);
39382 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
39383 + ret = gr_apply_subject_to_task(task);
39385 + read_unlock(&grsec_exec_file_lock);
39386 + read_unlock(&tasklist_lock);
39387 + rcu_read_unlock();
39388 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
39392 + // it's a kernel process
39393 + task->role = kernel_role;
39394 + task->acl = kernel_role->root_label;
39395 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
39396 + task->acl->mode &= ~GR_PROCFIND;
39399 + } while_each_thread(task2, task);
39400 + read_unlock(&grsec_exec_file_lock);
39401 + read_unlock(&tasklist_lock);
39402 + rcu_read_unlock();
39408 +gr_learn_resource(const struct task_struct *task,
39409 + const int res, const unsigned long wanted, const int gt)
39411 + struct acl_subject_label *acl;
39412 + const struct cred *cred;
39414 + if (unlikely((gr_status & GR_READY) &&
39415 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
39416 + goto skip_reslog;
39418 +#ifdef CONFIG_GRKERNSEC_RESLOG
39419 + gr_log_resource(task, res, wanted, gt);
39423 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
39428 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
39429 + !(acl->resmask & (1 << (unsigned short) res))))
39432 + if (wanted >= acl->res[res].rlim_cur) {
39433 + unsigned long res_add;
39435 + res_add = wanted;
39438 + res_add += GR_RLIM_CPU_BUMP;
39440 + case RLIMIT_FSIZE:
39441 + res_add += GR_RLIM_FSIZE_BUMP;
39443 + case RLIMIT_DATA:
39444 + res_add += GR_RLIM_DATA_BUMP;
39446 + case RLIMIT_STACK:
39447 + res_add += GR_RLIM_STACK_BUMP;
39449 + case RLIMIT_CORE:
39450 + res_add += GR_RLIM_CORE_BUMP;
39453 + res_add += GR_RLIM_RSS_BUMP;
39455 + case RLIMIT_NPROC:
39456 + res_add += GR_RLIM_NPROC_BUMP;
39458 + case RLIMIT_NOFILE:
39459 + res_add += GR_RLIM_NOFILE_BUMP;
39461 + case RLIMIT_MEMLOCK:
39462 + res_add += GR_RLIM_MEMLOCK_BUMP;
39465 + res_add += GR_RLIM_AS_BUMP;
39467 + case RLIMIT_LOCKS:
39468 + res_add += GR_RLIM_LOCKS_BUMP;
39470 + case RLIMIT_SIGPENDING:
39471 + res_add += GR_RLIM_SIGPENDING_BUMP;
39473 + case RLIMIT_MSGQUEUE:
39474 + res_add += GR_RLIM_MSGQUEUE_BUMP;
39476 + case RLIMIT_NICE:
39477 + res_add += GR_RLIM_NICE_BUMP;
39479 + case RLIMIT_RTPRIO:
39480 + res_add += GR_RLIM_RTPRIO_BUMP;
39482 + case RLIMIT_RTTIME:
39483 + res_add += GR_RLIM_RTTIME_BUMP;
39487 + acl->res[res].rlim_cur = res_add;
39489 + if (wanted > acl->res[res].rlim_max)
39490 + acl->res[res].rlim_max = res_add;
39492 + /* only log the subject filename, since resource logging is supported for
39493 + single-subject learning only */
39495 + cred = __task_cred(task);
39496 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
39497 + task->role->roletype, cred->uid, cred->gid, acl->filename,
39498 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
39499 + "", (unsigned long) res, &task->signal->saved_ip);
39500 + rcu_read_unlock();
39506 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
39508 +pax_set_initial_flags(struct linux_binprm *bprm)
39510 + struct task_struct *task = current;
39511 + struct acl_subject_label *proc;
39512 + unsigned long flags;
39514 + if (unlikely(!(gr_status & GR_READY)))
39517 + flags = pax_get_flags(task);
39519 + proc = task->acl;
39521 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
39522 + flags &= ~MF_PAX_PAGEEXEC;
39523 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
39524 + flags &= ~MF_PAX_SEGMEXEC;
39525 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
39526 + flags &= ~MF_PAX_RANDMMAP;
39527 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
39528 + flags &= ~MF_PAX_EMUTRAMP;
39529 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
39530 + flags &= ~MF_PAX_MPROTECT;
39532 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
39533 + flags |= MF_PAX_PAGEEXEC;
39534 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
39535 + flags |= MF_PAX_SEGMEXEC;
39536 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
39537 + flags |= MF_PAX_RANDMMAP;
39538 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
39539 + flags |= MF_PAX_EMUTRAMP;
39540 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
39541 + flags |= MF_PAX_MPROTECT;
39543 + pax_set_flags(task, flags);
39549 +#ifdef CONFIG_SYSCTL
39550 +/* Eric Biederman likes breaking userland ABI and every inode-based security
39551 + system to save 35kb of memory */
39553 +/* we modify the passed in filename, but adjust it back before returning */
39554 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
39556 + struct name_entry *nmatch;
39557 + char *p, *lastp = NULL;
39558 + struct acl_object_label *obj = NULL, *tmp;
39559 + struct acl_subject_label *tmpsubj;
39562 + read_lock(&gr_inode_lock);
39564 + p = name + len - 1;
39566 + nmatch = lookup_name_entry(name);
39567 + if (lastp != NULL)
39570 + if (nmatch == NULL)
39571 + goto next_component;
39572 + tmpsubj = current->acl;
39574 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
39575 + if (obj != NULL) {
39576 + tmp = obj->globbed;
39578 + if (!glob_match(tmp->filename, name)) {
39586 + } while ((tmpsubj = tmpsubj->parent_subject));
39592 + while (*p != '/')
39604 + read_unlock(&gr_inode_lock);
39605 + /* obj returned will always be non-null */
39609 +/* returns 0 when allowing, non-zero on error
39610 + op of 0 is used for readdir, so we don't log the names of hidden files
39613 +gr_handle_sysctl(const struct ctl_table *table, const int op)
39615 + struct ctl_table *tmp;
39616 + const char *proc_sys = "/proc/sys";
39618 + struct acl_object_label *obj;
39619 + unsigned short len = 0, pos = 0, depth = 0, i;
39623 + if (unlikely(!(gr_status & GR_READY)))
39626 + /* for now, ignore operations on non-sysctl entries if it's not a
39628 + if (table->child != NULL && op != 0)
39632 + /* it's only a read if it's an entry, read on dirs is for readdir */
39633 + if (op & MAY_READ)
39635 + if (op & MAY_WRITE)
39636 + mode |= GR_WRITE;
39638 + preempt_disable();
39640 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
39642 + /* it's only a read/write if it's an actual entry, not a dir
39643 + (which are opened for readdir)
39646 + /* convert the requested sysctl entry into a pathname */
39648 + for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
39649 + len += strlen(tmp->procname);
39654 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
39659 + memset(path, 0, PAGE_SIZE);
39661 + memcpy(path, proc_sys, strlen(proc_sys));
39663 + pos += strlen(proc_sys);
39665 + for (; depth > 0; depth--) {
39668 + for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
39669 + if (depth == i) {
39670 + memcpy(path + pos, tmp->procname,
39671 + strlen(tmp->procname));
39672 + pos += strlen(tmp->procname);
39678 + obj = gr_lookup_by_name(path, pos);
39679 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
39681 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
39682 + ((err & mode) != mode))) {
39683 + __u32 new_mode = mode;
39685 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
39688 + gr_log_learn_sysctl(path, new_mode);
39689 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
39690 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
39692 + } else if (!(err & GR_FIND)) {
39694 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
39695 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
39696 + path, (mode & GR_READ) ? " reading" : "",
39697 + (mode & GR_WRITE) ? " writing" : "");
39699 + } else if ((err & mode) != mode) {
39701 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
39702 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
39703 + path, (mode & GR_READ) ? " reading" : "",
39704 + (mode & GR_WRITE) ? " writing" : "");
39710 + preempt_enable();
39717 +gr_handle_proc_ptrace(struct task_struct *task)
39719 + struct file *filp;
39720 + struct task_struct *tmp = task;
39721 + struct task_struct *curtemp = current;
39724 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
39725 + if (unlikely(!(gr_status & GR_READY)))
39729 + read_lock(&tasklist_lock);
39730 + read_lock(&grsec_exec_file_lock);
39731 + filp = task->exec_file;
39733 + while (tmp->pid > 0) {
39734 + if (tmp == curtemp)
39736 + tmp = tmp->real_parent;
39739 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
39740 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
39741 + read_unlock(&grsec_exec_file_lock);
39742 + read_unlock(&tasklist_lock);
39746 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
39747 + if (!(gr_status & GR_READY)) {
39748 + read_unlock(&grsec_exec_file_lock);
39749 + read_unlock(&tasklist_lock);
39754 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
39755 + read_unlock(&grsec_exec_file_lock);
39756 + read_unlock(&tasklist_lock);
39758 + if (retmode & GR_NOPTRACE)
39761 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
39762 + && (current->acl != task->acl || (current->acl != current->role->root_label
39763 + && current->pid != task->pid)))
39769 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
39771 + if (unlikely(!(gr_status & GR_READY)))
39774 + if (!(current->role->roletype & GR_ROLE_GOD))
39777 + seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
39778 + p->role->rolename, gr_task_roletype_to_char(p),
39779 + p->acl->filename);
39783 +gr_handle_ptrace(struct task_struct *task, const long request)
39785 + struct task_struct *tmp = task;
39786 + struct task_struct *curtemp = current;
39789 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
39790 + if (unlikely(!(gr_status & GR_READY)))
39794 + read_lock(&tasklist_lock);
39795 + while (tmp->pid > 0) {
39796 + if (tmp == curtemp)
39798 + tmp = tmp->real_parent;
39801 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
39802 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
39803 + read_unlock(&tasklist_lock);
39804 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
39807 + read_unlock(&tasklist_lock);
39809 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
39810 + if (!(gr_status & GR_READY))
39814 + read_lock(&grsec_exec_file_lock);
39815 + if (unlikely(!task->exec_file)) {
39816 + read_unlock(&grsec_exec_file_lock);
39820 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
39821 + read_unlock(&grsec_exec_file_lock);
39823 + if (retmode & GR_NOPTRACE) {
39824 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
39828 + if (retmode & GR_PTRACERD) {
39829 + switch (request) {
39830 + case PTRACE_POKETEXT:
39831 + case PTRACE_POKEDATA:
39832 + case PTRACE_POKEUSR:
39833 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
39834 + case PTRACE_SETREGS:
39835 + case PTRACE_SETFPREGS:
39838 + case PTRACE_SETFPXREGS:
39840 +#ifdef CONFIG_ALTIVEC
39841 + case PTRACE_SETVRREGS:
39847 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
39848 + !(current->role->roletype & GR_ROLE_GOD) &&
39849 + (current->acl != task->acl)) {
39850 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
39857 +static int is_writable_mmap(const struct file *filp)
39859 + struct task_struct *task = current;
39860 + struct acl_object_label *obj, *obj2;
39862 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
39863 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && (filp->f_path.mnt != shm_mnt || (filp->f_path.dentry->d_inode->i_nlink > 0))) {
39864 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
39865 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
39866 + task->role->root_label);
39867 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
39868 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
39876 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
39880 + if (unlikely(!file || !(prot & PROT_EXEC)))
39883 + if (is_writable_mmap(file))
39887 + gr_search_file(file->f_path.dentry,
39888 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
39889 + file->f_path.mnt);
39891 + if (!gr_tpe_allow(file))
39894 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
39895 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
39897 + } else if (unlikely(!(mode & GR_EXEC))) {
39899 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
39900 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
39908 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
39912 + if (unlikely(!file || !(prot & PROT_EXEC)))
39915 + if (is_writable_mmap(file))
39919 + gr_search_file(file->f_path.dentry,
39920 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
39921 + file->f_path.mnt);
39923 + if (!gr_tpe_allow(file))
39926 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
39927 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
39929 + } else if (unlikely(!(mode & GR_EXEC))) {
39931 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
39932 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
39940 +gr_acl_handle_psacct(struct task_struct *task, const long code)
39942 + unsigned long runtime;
39943 + unsigned long cputime;
39944 + unsigned int wday, cday;
39948 + struct timespec timeval;
39950 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
39951 + !(task->acl->mode & GR_PROCACCT)))
39954 + do_posix_clock_monotonic_gettime(&timeval);
39955 + runtime = timeval.tv_sec - task->start_time.tv_sec;
39956 + wday = runtime / (3600 * 24);
39957 + runtime -= wday * (3600 * 24);
39958 + whr = runtime / 3600;
39959 + runtime -= whr * 3600;
39960 + wmin = runtime / 60;
39961 + runtime -= wmin * 60;
39964 + cputime = (task->utime + task->stime) / HZ;
39965 + cday = cputime / (3600 * 24);
39966 + cputime -= cday * (3600 * 24);
39967 + chr = cputime / 3600;
39968 + cputime -= chr * 3600;
39969 + cmin = cputime / 60;
39970 + cputime -= cmin * 60;
39973 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
39978 +void gr_set_kernel_label(struct task_struct *task)
39980 + if (gr_status & GR_READY) {
39981 + task->role = kernel_role;
39982 + task->acl = kernel_role->root_label;
39987 +#ifdef CONFIG_TASKSTATS
39988 +int gr_is_taskstats_denied(int pid)
39990 + struct task_struct *task;
39991 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
39992 + const struct cred *cred;
39996 + /* restrict taskstats viewing to un-chrooted root users
39997 + who have the 'view' subject flag if the RBAC system is enabled
40001 + read_lock(&tasklist_lock);
40002 + task = find_task_by_vpid(pid);
40004 +#ifdef CONFIG_GRKERNSEC_CHROOT
40005 + if (proc_is_chrooted(task))
40008 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
40009 + cred = __task_cred(task);
40010 +#ifdef CONFIG_GRKERNSEC_PROC_USER
40011 + if (cred->uid != 0)
40013 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
40014 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
40018 + if (gr_status & GR_READY) {
40019 + if (!(task->acl->mode & GR_VIEW))
40025 + read_unlock(&tasklist_lock);
40026 + rcu_read_unlock();
40032 +/* AUXV entries are filled via a descendant of search_binary_handler
40033 + after we've already applied the subject for the target
40035 +int gr_acl_enable_at_secure(void)
40037 + if (unlikely(!(gr_status & GR_READY)))
40040 + if (current->acl->mode & GR_ATSECURE)
40046 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
40048 + struct task_struct *task = current;
40049 + struct dentry *dentry = file->f_path.dentry;
40050 + struct vfsmount *mnt = file->f_path.mnt;
40051 + struct acl_object_label *obj, *tmp;
40052 + struct acl_subject_label *subj;
40053 + unsigned int bufsize;
40056 + dev_t dev = __get_dev(dentry);
40058 + if (unlikely(!(gr_status & GR_READY)))
40061 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
40064 + /* ignore Eric Biederman */
40065 + if (IS_PRIVATE(dentry->d_inode))
40068 + subj = task->acl;
40070 + obj = lookup_acl_obj_label(ino, dev, subj);
40072 + return (obj->mode & GR_FIND) ? 1 : 0;
40073 + } while ((subj = subj->parent_subject));
40075 + /* this is purely an optimization since we're looking for an object
40076 + for the directory we're doing a readdir on
40077 + if it's possible for any globbed object to match the entry we're
40078 + filling into the directory, then the object we find here will be
40079 + an anchor point with attached globbed objects
40081 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
40082 + if (obj->globbed == NULL)
40083 + return (obj->mode & GR_FIND) ? 1 : 0;
40085 + is_not_root = ((obj->filename[0] == '/') &&
40086 + (obj->filename[1] == '\0')) ? 0 : 1;
40087 + bufsize = PAGE_SIZE - namelen - is_not_root;
40089 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
40090 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
40093 + preempt_disable();
40094 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
40097 + bufsize = strlen(path);
40099 + /* if base is "/", don't append an additional slash */
40101 + *(path + bufsize) = '/';
40102 + memcpy(path + bufsize + is_not_root, name, namelen);
40103 + *(path + bufsize + namelen + is_not_root) = '\0';
40105 + tmp = obj->globbed;
40107 + if (!glob_match(tmp->filename, path)) {
40108 + preempt_enable();
40109 + return (tmp->mode & GR_FIND) ? 1 : 0;
40113 + preempt_enable();
40114 + return (obj->mode & GR_FIND) ? 1 : 0;
40117 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
40118 +EXPORT_SYMBOL(gr_acl_is_enabled);
40120 +EXPORT_SYMBOL(gr_learn_resource);
40121 +EXPORT_SYMBOL(gr_set_kernel_label);
40122 +#ifdef CONFIG_SECURITY
40123 +EXPORT_SYMBOL(gr_check_user_change);
40124 +EXPORT_SYMBOL(gr_check_group_change);
40127 diff -urNp linux-2.6.38.4/grsecurity/gracl_cap.c linux-2.6.38.4/grsecurity/gracl_cap.c
40128 --- linux-2.6.38.4/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
40129 +++ linux-2.6.38.4/grsecurity/gracl_cap.c 2011-04-17 15:57:32.000000000 -0400
40131 +#include <linux/kernel.h>
40132 +#include <linux/module.h>
40133 +#include <linux/sched.h>
40134 +#include <linux/gracl.h>
40135 +#include <linux/grsecurity.h>
40136 +#include <linux/grinternal.h>
40138 +static const char *captab_log[] = {
40140 + "CAP_DAC_OVERRIDE",
40141 + "CAP_DAC_READ_SEARCH",
40148 + "CAP_LINUX_IMMUTABLE",
40149 + "CAP_NET_BIND_SERVICE",
40150 + "CAP_NET_BROADCAST",
40155 + "CAP_SYS_MODULE",
40157 + "CAP_SYS_CHROOT",
40158 + "CAP_SYS_PTRACE",
40163 + "CAP_SYS_RESOURCE",
40165 + "CAP_SYS_TTY_CONFIG",
40168 + "CAP_AUDIT_WRITE",
40169 + "CAP_AUDIT_CONTROL",
40171 + "CAP_MAC_OVERRIDE",
40176 +EXPORT_SYMBOL(gr_is_capable);
40177 +EXPORT_SYMBOL(gr_is_capable_nolog);
40180 +gr_is_capable(const int cap)
40182 + struct task_struct *task = current;
40183 + const struct cred *cred = current_cred();
40184 + struct acl_subject_label *curracl;
40185 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
40186 + kernel_cap_t cap_audit = __cap_empty_set;
40188 + if (!gr_acl_is_enabled())
40191 + curracl = task->acl;
40193 + cap_drop = curracl->cap_lower;
40194 + cap_mask = curracl->cap_mask;
40195 + cap_audit = curracl->cap_invert_audit;
40197 + while ((curracl = curracl->parent_subject)) {
40198 + /* if the cap isn't specified in the current computed mask but is specified in the
40199 + current level subject, and is lowered in the current level subject, then add
40200 + it to the set of dropped capabilities
40201 + otherwise, add the current level subject's mask to the current computed mask
40203 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
40204 + cap_raise(cap_mask, cap);
40205 + if (cap_raised(curracl->cap_lower, cap))
40206 + cap_raise(cap_drop, cap);
40207 + if (cap_raised(curracl->cap_invert_audit, cap))
40208 + cap_raise(cap_audit, cap);
40212 + if (!cap_raised(cap_drop, cap)) {
40213 + if (cap_raised(cap_audit, cap))
40214 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
40218 + curracl = task->acl;
40220 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
40221 + && cap_raised(cred->cap_effective, cap)) {
40222 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
40223 + task->role->roletype, cred->uid,
40224 + cred->gid, task->exec_file ?
40225 + gr_to_filename(task->exec_file->f_path.dentry,
40226 + task->exec_file->f_path.mnt) : curracl->filename,
40227 + curracl->filename, 0UL,
40228 + 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
40232 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
40233 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
40238 +gr_is_capable_nolog(const int cap)
40240 + struct acl_subject_label *curracl;
40241 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
40243 + if (!gr_acl_is_enabled())
40246 + curracl = current->acl;
40248 + cap_drop = curracl->cap_lower;
40249 + cap_mask = curracl->cap_mask;
40251 + while ((curracl = curracl->parent_subject)) {
40252 + /* if the cap isn't specified in the current computed mask but is specified in the
40253 + current level subject, and is lowered in the current level subject, then add
40254 + it to the set of dropped capabilities
40255 + otherwise, add the current level subject's mask to the current computed mask
40257 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
40258 + cap_raise(cap_mask, cap);
40259 + if (cap_raised(curracl->cap_lower, cap))
40260 + cap_raise(cap_drop, cap);
40264 + if (!cap_raised(cap_drop, cap))
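Review bot: In gr_is_capable the audit branch indexes `captab_log[cap]` with no range check (the `gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, ...)` call right after the parent-subject loop), while the later denial log does check `cap >= 0 && cap < sizeof(captab_log)/sizeof(captab_log[0])` before the same indexing, so an out-of-range `cap` reaching the audit path would read past the table. Guarding it the same way, `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < ARRAY_SIZE(captab_log))`, and using `ARRAY_SIZE` (linux/kernel.h is already included) at the second site too would keep both checks consistent. The parent-subject walk that computes cap_mask/cap_drop is duplicated verbatim, comment included, between gr_is_capable and gr_is_capable_nolog; a small static helper would remove that duplication. Several return lines of both functions are not in this view, so their early-return values are inferred.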
40270 diff -urNp linux-2.6.38.4/grsecurity/gracl_fs.c linux-2.6.38.4/grsecurity/gracl_fs.c
40271 --- linux-2.6.38.4/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
40272 +++ linux-2.6.38.4/grsecurity/gracl_fs.c 2011-04-17 15:57:32.000000000 -0400
40274 +#include <linux/kernel.h>
40275 +#include <linux/sched.h>
40276 +#include <linux/types.h>
40277 +#include <linux/fs.h>
40278 +#include <linux/file.h>
40279 +#include <linux/stat.h>
40280 +#include <linux/grsecurity.h>
40281 +#include <linux/grinternal.h>
40282 +#include <linux/gracl.h>
40285 +gr_acl_handle_hidden_file(const struct dentry * dentry,
40286 + const struct vfsmount * mnt)
40290 + if (unlikely(!dentry->d_inode))
40294 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
40296 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
40297 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
40299 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
40300 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
40302 + } else if (unlikely(!(mode & GR_FIND)))
40309 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
40312 + __u32 reqmode = GR_FIND;
40315 + if (unlikely(!dentry->d_inode))
40318 + if (unlikely(fmode & O_APPEND))
40319 + reqmode |= GR_APPEND;
40320 + else if (unlikely(fmode & FMODE_WRITE))
40321 + reqmode |= GR_WRITE;
40322 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
40323 + reqmode |= GR_READ;
40324 + if ((fmode & FMODE_GREXEC) && (fmode & __FMODE_EXEC))
40325 + reqmode &= ~GR_READ;
40327 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
40330 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
40331 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
40332 + reqmode & GR_READ ? " reading" : "",
40333 + reqmode & GR_WRITE ? " writing" : reqmode &
40334 + GR_APPEND ? " appending" : "");
40337 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
40339 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
40340 + reqmode & GR_READ ? " reading" : "",
40341 + reqmode & GR_WRITE ? " writing" : reqmode &
40342 + GR_APPEND ? " appending" : "");
40344 + } else if (unlikely((mode & reqmode) != reqmode))
40351 +gr_acl_handle_creat(const struct dentry * dentry,
40352 + const struct dentry * p_dentry,
40353 + const struct vfsmount * p_mnt, const int fmode,
40356 + __u32 reqmode = GR_WRITE | GR_CREATE;
40359 + if (unlikely(fmode & O_APPEND))
40360 + reqmode |= GR_APPEND;
40361 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
40362 + reqmode |= GR_READ;
40363 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
40364 + reqmode |= GR_SETID;
40367 + gr_check_create(dentry, p_dentry, p_mnt,
40368 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
40370 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
40371 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
40372 + reqmode & GR_READ ? " reading" : "",
40373 + reqmode & GR_WRITE ? " writing" : reqmode &
40374 + GR_APPEND ? " appending" : "");
40377 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
40379 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
40380 + reqmode & GR_READ ? " reading" : "",
40381 + reqmode & GR_WRITE ? " writing" : reqmode &
40382 + GR_APPEND ? " appending" : "");
40384 + } else if (unlikely((mode & reqmode) != reqmode))
40391 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
40394 + __u32 mode, reqmode = GR_FIND;
40396 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
40397 + reqmode |= GR_EXEC;
40398 + if (fmode & S_IWOTH)
40399 + reqmode |= GR_WRITE;
40400 + if (fmode & S_IROTH)
40401 + reqmode |= GR_READ;
40404 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
40407 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
40408 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
40409 + reqmode & GR_READ ? " reading" : "",
40410 + reqmode & GR_WRITE ? " writing" : "",
40411 + reqmode & GR_EXEC ? " executing" : "");
40414 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
40416 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
40417 + reqmode & GR_READ ? " reading" : "",
40418 + reqmode & GR_WRITE ? " writing" : "",
40419 + reqmode & GR_EXEC ? " executing" : "");
40421 + } else if (unlikely((mode & reqmode) != reqmode))
40427 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
40431 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
40433 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
40434 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
40436 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
40437 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
40439 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
40442 + return (reqmode);
40446 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
40448 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
40452 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
40454 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
40458 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
40460 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
40464 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
40466 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
40470 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
40473 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
40476 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
40477 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
40478 + GR_FCHMOD_ACL_MSG);
40480 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
40485 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
40488 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
40489 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
40490 + GR_CHMOD_ACL_MSG);
40492 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
40497 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
40499 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
40503 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
40505 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
40509 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
40511 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
40515 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
40517 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
40518 + GR_UNIXCONNECT_ACL_MSG);
40521 +/* hardlinks require at minimum create permission,
40522 + any additional privilege required is based on the
40523 + privilege of the file being linked to
40526 +gr_acl_handle_link(const struct dentry * new_dentry,
40527 + const struct dentry * parent_dentry,
40528 + const struct vfsmount * parent_mnt,
40529 + const struct dentry * old_dentry,
40530 + const struct vfsmount * old_mnt, const char *to)
40533 + __u32 needmode = GR_CREATE | GR_LINK;
40534 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
40537 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
40540 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
40541 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
40543 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
40544 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
40546 + } else if (unlikely((mode & needmode) != needmode))
40553 +gr_acl_handle_symlink(const struct dentry * new_dentry,
40554 + const struct dentry * parent_dentry,
40555 + const struct vfsmount * parent_mnt, const char *from)
40557 + __u32 needmode = GR_WRITE | GR_CREATE;
40561 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
40562 + GR_CREATE | GR_AUDIT_CREATE |
40563 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
40565 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
40566 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
40568 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
40569 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
40571 + } else if (unlikely((mode & needmode) != needmode))
40574 + return (GR_WRITE | GR_CREATE);
40577 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
40581 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
40583 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
40584 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
40586 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
40587 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
40589 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
40592 + return (reqmode);
40596 +gr_acl_handle_mknod(const struct dentry * new_dentry,
40597 + const struct dentry * parent_dentry,
40598 + const struct vfsmount * parent_mnt,
40601 + __u32 reqmode = GR_WRITE | GR_CREATE;
40602 + if (unlikely(mode & (S_ISUID | S_ISGID)))
40603 + reqmode |= GR_SETID;
40605 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
40606 + reqmode, GR_MKNOD_ACL_MSG);
40610 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
40611 + const struct dentry *parent_dentry,
40612 + const struct vfsmount *parent_mnt)
40614 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
40615 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
40618 +#define RENAME_CHECK_SUCCESS(old, new) \
40619 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
40620 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
40623 +gr_acl_handle_rename(struct dentry *new_dentry,
40624 + struct dentry *parent_dentry,
40625 + const struct vfsmount *parent_mnt,
40626 + struct dentry *old_dentry,
40627 + struct inode *old_parent_inode,
40628 + struct vfsmount *old_mnt, const char *newname)
40630 + __u32 comp1, comp2;
40633 + if (unlikely(!gr_acl_is_enabled()))
40636 + if (!new_dentry->d_inode) {
40637 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
40638 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
40639 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
40640 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
40641 + GR_DELETE | GR_AUDIT_DELETE |
40642 + GR_AUDIT_READ | GR_AUDIT_WRITE |
40643 + GR_SUPPRESS, old_mnt);
40645 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
40646 + GR_CREATE | GR_DELETE |
40647 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
40648 + GR_AUDIT_READ | GR_AUDIT_WRITE |
40649 + GR_SUPPRESS, parent_mnt);
40651 + gr_search_file(old_dentry,
40652 + GR_READ | GR_WRITE | GR_AUDIT_READ |
40653 + GR_DELETE | GR_AUDIT_DELETE |
40654 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
40657 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
40658 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
40659 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
40660 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
40661 + && !(comp2 & GR_SUPPRESS)) {
40662 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
40664 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
40671 +gr_acl_handle_exit(void)
40675 + struct file *exec_file;
40677 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
40678 + !(current->role->roletype & GR_ROLE_PERSIST))) {
40679 + id = current->acl_role_id;
40680 + rolename = current->role->rolename;
40682 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
40685 + write_lock(&grsec_exec_file_lock);
40686 + exec_file = current->exec_file;
40687 + current->exec_file = NULL;
40688 + write_unlock(&grsec_exec_file_lock);
40695 +gr_acl_handle_procpidmem(const struct task_struct *task)
40697 + if (unlikely(!gr_acl_is_enabled()))
40700 + if (task != current && task->acl->mode & GR_PROTPROCFD)
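Review bot: gr_acl_handle_access dereferences `dentry->d_inode->i_mode` in its first condition without the `if (unlikely(!dentry->d_inode))` guard that gr_acl_handle_hidden_file and gr_acl_handle_open both place at the top of their bodies; callers probably only pass positive dentries here, but closing the inconsistency with the same guard and the same early return those two use (their return lines are outside this view) costs nothing. RENAME_CHECK_SUCCESS expands its `old` and `new` arguments unparenthesized (`(old & (GR_WRITE | GR_READ))`); it is only invoked with plain identifiers today, but `((old) & ...)` / `((new) & ...)` would make it safe for expression arguments. The `fmode` parameter of gr_acl_handle_open is tested against both `O_*` and `FMODE_*` constants, so a comment stating which flag space the caller passes (the parameter line itself is not in this view) would help readers.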
40705 diff -urNp linux-2.6.38.4/grsecurity/gracl_ip.c linux-2.6.38.4/grsecurity/gracl_ip.c
40706 --- linux-2.6.38.4/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
40707 +++ linux-2.6.38.4/grsecurity/gracl_ip.c 2011-04-17 15:57:32.000000000 -0400
40709 +#include <linux/kernel.h>
40710 +#include <asm/uaccess.h>
40711 +#include <asm/errno.h>
40712 +#include <net/sock.h>
40713 +#include <linux/file.h>
40714 +#include <linux/fs.h>
40715 +#include <linux/net.h>
40716 +#include <linux/in.h>
40717 +#include <linux/skbuff.h>
40718 +#include <linux/ip.h>
40719 +#include <linux/udp.h>
40720 +#include <linux/smp_lock.h>
40721 +#include <linux/types.h>
40722 +#include <linux/sched.h>
40723 +#include <linux/netdevice.h>
40724 +#include <linux/inetdevice.h>
40725 +#include <linux/gracl.h>
40726 +#include <linux/grsecurity.h>
40727 +#include <linux/grinternal.h>
40729 +#define GR_BIND 0x01
40730 +#define GR_CONNECT 0x02
40731 +#define GR_INVERT 0x04
40732 +#define GR_BINDOVERRIDE 0x08
40733 +#define GR_CONNECTOVERRIDE 0x10
40734 +#define GR_SOCK_FAMILY 0x20
40736 +static const char * gr_protocols[IPPROTO_MAX] = {
40737 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
40738 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
40739 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
40740 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
40741 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
40742 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
40743 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
40744 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
40745 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
40746 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
40747 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
40748 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
40749 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
40750 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
40751 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
40752 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
40753 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
40754 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
40755 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
40756 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
40757 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
40758 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
40759 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
40760 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
40761 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
40762 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
40763 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
40764 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
40765 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
40766 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
40767 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
40768 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
40771 +static const char * gr_socktypes[SOCK_MAX] = {
40772 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
40773 + "unknown:7", "unknown:8", "unknown:9", "packet"
40776 +static const char * gr_sockfamilies[AF_MAX+1] = {
40777 + "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
40778 + "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
40779 + "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
40780 + "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf"
40784 +gr_proto_to_name(unsigned char proto)
40786 + return gr_protocols[proto];
40790 +gr_socktype_to_name(unsigned char type)
40792 + return gr_socktypes[type];
40796 +gr_sockfamily_to_name(unsigned char family)
40798 + return gr_sockfamilies[family];
40802 +gr_search_socket(const int domain, const int type, const int protocol)
40804 + struct acl_subject_label *curr;
40805 + const struct cred *cred = current_cred();
40807 + if (unlikely(!gr_acl_is_enabled()))
40810 + if ((domain < 0) || (type < 0) || (protocol < 0) ||
40811 + (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
40812 + goto exit; // let the kernel handle it
40814 + curr = current->acl;
40816 + if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
40817 + /* the family is allowed, if this is PF_INET allow it only if
40818 + the extra sock type/protocol checks pass */
40819 + if (domain == PF_INET)
40823 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
40824 + __u32 fakeip = 0;
40825 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
40826 + current->role->roletype, cred->uid,
40827 + cred->gid, current->exec_file ?
40828 + gr_to_filename(current->exec_file->f_path.dentry,
40829 + current->exec_file->f_path.mnt) :
40830 + curr->filename, curr->filename,
40831 + &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
40832 + ¤t->signal->saved_ip);
40839 + /* the rest of this checking is for IPv4 only */
40843 + if ((curr->ip_type & (1 << type)) &&
40844 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
40847 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
40848 + /* we don't place acls on raw sockets , and sometimes
40849 + dgram/ip sockets are opened for ioctl and not
40850 + bind/connect, so we'll fake a bind learn log */
40851 + if (type == SOCK_RAW || type == SOCK_PACKET) {
40852 + __u32 fakeip = 0;
40853 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
40854 + current->role->roletype, cred->uid,
40855 + cred->gid, current->exec_file ?
40856 + gr_to_filename(current->exec_file->f_path.dentry,
40857 + current->exec_file->f_path.mnt) :
40858 + curr->filename, curr->filename,
40859 + &fakeip, 0, type,
40860 + protocol, GR_CONNECT, ¤t->signal->saved_ip);
40861 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
40862 + __u32 fakeip = 0;
40863 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
40864 + current->role->roletype, cred->uid,
40865 + cred->gid, current->exec_file ?
40866 + gr_to_filename(current->exec_file->f_path.dentry,
40867 + current->exec_file->f_path.mnt) :
40868 + curr->filename, curr->filename,
40869 + &fakeip, 0, type,
40870 + protocol, GR_BIND, ¤t->signal->saved_ip);
40872 + /* we'll log when they use connect or bind */
40877 + if (domain == PF_INET)
40878 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
40879 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
40881 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
40882 + gr_socktype_to_name(type), protocol);
40889 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
40891 + if ((ip->mode & mode) &&
40892 + (ip_port >= ip->low) &&
40893 + (ip_port <= ip->high) &&
40894 + ((ntohl(ip_addr) & our_netmask) ==
40895 + (ntohl(our_addr) & our_netmask))
40896 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
40897 + && (ip->type & (1 << type))) {
40898 + if (ip->mode & GR_INVERT)
40899 + return 2; // specifically denied
40901 + return 1; // allowed
40904 + return 0; // not specifically allowed, may continue parsing
40908 +gr_search_connectbind(const int full_mode, struct sock *sk,
40909 + struct sockaddr_in *addr, const int type)
40911 + char iface[IFNAMSIZ] = {0};
40912 + struct acl_subject_label *curr;
40913 + struct acl_ip_label *ip;
40914 + struct inet_sock *isk;
40915 + struct net_device *dev;
40916 + struct in_device *idev;
40919 + int mode = full_mode & (GR_BIND | GR_CONNECT);
40920 + __u32 ip_addr = 0;
40922 + __u32 our_netmask;
40924 + __u16 ip_port = 0;
40925 + const struct cred *cred = current_cred();
40927 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
40930 + curr = current->acl;
40931 + isk = inet_sk(sk);
40933 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
40934 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
40935 + addr->sin_addr.s_addr = curr->inaddr_any_override;
40936 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
40937 + struct sockaddr_in saddr;
40940 + saddr.sin_family = AF_INET;
40941 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
40942 + saddr.sin_port = isk->inet_sport;
40944 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
40948 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
40956 + ip_addr = addr->sin_addr.s_addr;
40957 + ip_port = ntohs(addr->sin_port);
40959 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
40960 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
40961 + current->role->roletype, cred->uid,
40962 + cred->gid, current->exec_file ?
40963 + gr_to_filename(current->exec_file->f_path.dentry,
40964 + current->exec_file->f_path.mnt) :
40965 + curr->filename, curr->filename,
40966 + &ip_addr, ip_port, type,
40967 + sk->sk_protocol, mode, ¤t->signal->saved_ip);
40971 + for (i = 0; i < curr->ip_num; i++) {
40972 + ip = *(curr->ips + i);
40973 + if (ip->iface != NULL) {
40974 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
40975 + p = strchr(iface, ':');
40978 + dev = dev_get_by_name(sock_net(sk), iface);
40981 + idev = in_dev_get(dev);
40982 + if (idev == NULL) {
40988 + if (!strcmp(ip->iface, ifa->ifa_label)) {
40989 + our_addr = ifa->ifa_address;
40990 + our_netmask = 0xffffffff;
40991 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
40993 + rcu_read_unlock();
40994 + in_dev_put(idev);
40997 + } else if (ret == 2) {
40998 + rcu_read_unlock();
40999 + in_dev_put(idev);
41004 + } endfor_ifa(idev);
41005 + rcu_read_unlock();
41006 + in_dev_put(idev);
41009 + our_addr = ip->addr;
41010 + our_netmask = ip->netmask;
41011 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
41014 + else if (ret == 2)
41020 + if (mode == GR_BIND)
41021 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
41022 + else if (mode == GR_CONNECT)
41023 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
41029 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
41031 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
41035 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
41037 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
41040 +int gr_search_listen(struct socket *sock)
41042 + struct sock *sk = sock->sk;
41043 + struct sockaddr_in addr;
41045 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
41046 + addr.sin_port = inet_sk(sk)->inet_sport;
41048 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
41051 +int gr_search_accept(struct socket *sock)
41053 + struct sock *sk = sock->sk;
41054 + struct sockaddr_in addr;
41056 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
41057 + addr.sin_port = inet_sk(sk)->inet_sport;
41059 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
41063 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
41066 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
41068 + struct sockaddr_in sin;
41069 + const struct inet_sock *inet = inet_sk(sk);
41071 + sin.sin_addr.s_addr = inet->inet_daddr;
41072 + sin.sin_port = inet->inet_dport;
41074 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
41079 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
41081 + struct sockaddr_in sin;
41083 + if (unlikely(skb->len < sizeof (struct udphdr)))
41084 + return 0; // skip this packet
41086 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
41087 + sin.sin_port = udp_hdr(skb)->source;
41089 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
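Review bot: The protocol-name table has a typo at entry 134 (`"unkown:134"` on the line that starts `"sscopmce", "iplt"`), and the family table's `"ppox"` and `"ciaf"` look like misspellings of pppox and caif; these strings are emitted verbatim in the GR_SOCK_MSG audit lines, so anyone filtering logs by protocol or family name will miss those entries — `"unknown:134"`, `"pppox"`, `"caif"`. Separately, `check_ip_policy` is defined non-static with no prototype visible here; if only gr_search_connectbind uses it, `static int check_ip_policy(...)` keeps it out of the kernel's global namespace. The `strncpy(iface, ip->iface, IFNAMSIZ - 1)` copy is only NUL-terminated because of the `= {0}` initializer on `iface`; a comment there, `/* iface is zero-initialised, so the IFNAMSIZ-1 copy stays terminated */`, would stop a later change from silently dropping that guarantee.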
41091 diff -urNp linux-2.6.38.4/grsecurity/gracl_learn.c linux-2.6.38.4/grsecurity/gracl_learn.c
41092 --- linux-2.6.38.4/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
41093 +++ linux-2.6.38.4/grsecurity/gracl_learn.c 2011-04-17 15:57:32.000000000 -0400
41095 +#include <linux/kernel.h>
41096 +#include <linux/mm.h>
41097 +#include <linux/sched.h>
41098 +#include <linux/poll.h>
41099 +#include <linux/smp_lock.h>
41100 +#include <linux/string.h>
41101 +#include <linux/file.h>
41102 +#include <linux/types.h>
41103 +#include <linux/vmalloc.h>
41104 +#include <linux/grinternal.h>
41106 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
41107 + size_t count, loff_t *ppos);
41108 +extern int gr_acl_is_enabled(void);
41110 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
41111 +static int gr_learn_attached;
41113 +/* use a 512k buffer */
41114 +#define LEARN_BUFFER_SIZE (512 * 1024)
41116 +static DEFINE_SPINLOCK(gr_learn_lock);
41117 +static DEFINE_MUTEX(gr_learn_user_mutex);
41119 +/* we need to maintain two buffers, so that the kernel context of grlearn
41120 + uses a semaphore around the userspace copying, and the other kernel contexts
41121 + use a spinlock when copying into the buffer, since they cannot sleep
41123 +static char *learn_buffer;
41124 +static char *learn_buffer_user;
41125 +static int learn_buffer_len;
41126 +static int learn_buffer_user_len;
41129 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
41131 + DECLARE_WAITQUEUE(wait, current);
41132 + ssize_t retval = 0;
41134 + add_wait_queue(&learn_wait, &wait);
41135 + set_current_state(TASK_INTERRUPTIBLE);
41137 + mutex_lock(&gr_learn_user_mutex);
41138 + spin_lock(&gr_learn_lock);
41139 + if (learn_buffer_len)
41141 + spin_unlock(&gr_learn_lock);
41142 + mutex_unlock(&gr_learn_user_mutex);
41143 + if (file->f_flags & O_NONBLOCK) {
41144 + retval = -EAGAIN;
41147 + if (signal_pending(current)) {
41148 + retval = -ERESTARTSYS;
41155 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
41156 + learn_buffer_user_len = learn_buffer_len;
41157 + retval = learn_buffer_len;
41158 + learn_buffer_len = 0;
41160 + spin_unlock(&gr_learn_lock);
41162 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
41163 + retval = -EFAULT;
41165 + mutex_unlock(&gr_learn_user_mutex);
41167 + set_current_state(TASK_RUNNING);
41168 + remove_wait_queue(&learn_wait, &wait);
41172 +static unsigned int
41173 +poll_learn(struct file * file, poll_table * wait)
41175 + poll_wait(file, &learn_wait, wait);
41177 + if (learn_buffer_len)
41178 + return (POLLIN | POLLRDNORM);
41184 +gr_clear_learn_entries(void)
41188 + mutex_lock(&gr_learn_user_mutex);
41189 + if (learn_buffer != NULL) {
41190 + spin_lock(&gr_learn_lock);
41191 + tmp = learn_buffer;
41192 + learn_buffer = NULL;
41193 + spin_unlock(&gr_learn_lock);
41194 + vfree(learn_buffer);
41196 + if (learn_buffer_user != NULL) {
41197 + vfree(learn_buffer_user);
41198 + learn_buffer_user = NULL;
41200 + learn_buffer_len = 0;
41201 + mutex_unlock(&gr_learn_user_mutex);
41207 +gr_add_learn_entry(const char *fmt, ...)
41210 + unsigned int len;
41212 + if (!gr_learn_attached)
41215 + spin_lock(&gr_learn_lock);
41217 + /* leave a gap at the end so we know when it's "full" but don't have to
41218 + compute the exact length of the string we're trying to append
41220 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
41221 + spin_unlock(&gr_learn_lock);
41222 + wake_up_interruptible(&learn_wait);
41225 + if (learn_buffer == NULL) {
41226 + spin_unlock(&gr_learn_lock);
41230 + va_start(args, fmt);
41231 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
41234 + learn_buffer_len += len + 1;
41236 + spin_unlock(&gr_learn_lock);
41237 + wake_up_interruptible(&learn_wait);
41243 +open_learn(struct inode *inode, struct file *file)
41245 + if (file->f_mode & FMODE_READ && gr_learn_attached)
41247 + if (file->f_mode & FMODE_READ) {
41249 + mutex_lock(&gr_learn_user_mutex);
41250 + if (learn_buffer == NULL)
41251 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
41252 + if (learn_buffer_user == NULL)
41253 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
41254 + if (learn_buffer == NULL) {
41255 + retval = -ENOMEM;
41258 + if (learn_buffer_user == NULL) {
41259 + retval = -ENOMEM;
41262 + learn_buffer_len = 0;
41263 + learn_buffer_user_len = 0;
41264 + gr_learn_attached = 1;
41266 + mutex_unlock(&gr_learn_user_mutex);
41273 +close_learn(struct inode *inode, struct file *file)
41277 + if (file->f_mode & FMODE_READ) {
41278 + mutex_lock(&gr_learn_user_mutex);
41279 + if (learn_buffer != NULL) {
41280 + spin_lock(&gr_learn_lock);
41281 + tmp = learn_buffer;
41282 + learn_buffer = NULL;
41283 + spin_unlock(&gr_learn_lock);
41286 + if (learn_buffer_user != NULL) {
41287 + vfree(learn_buffer_user);
41288 + learn_buffer_user = NULL;
41290 + learn_buffer_len = 0;
41291 + learn_buffer_user_len = 0;
41292 + gr_learn_attached = 0;
41293 + mutex_unlock(&gr_learn_user_mutex);
41299 +const struct file_operations grsec_fops = {
41300 + .read = read_learn,
41301 + .write = write_grsec_handler,
41302 + .open = open_learn,
41303 + .release = close_learn,
41304 + .poll = poll_learn,
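Review bot: In gr_clear_learn_entries the buffer pointer is saved in `tmp` and `learn_buffer` is set to NULL under the spinlock, but the following `vfree(learn_buffer)` then frees NULL and leaks the saved allocation; it should read `vfree(tmp);`. The matching line in close_learn is not shown in this hunk, so it is worth checking it does not have the same slip. As a lesser point, gr_add_learn_entry adds the vsnprintf return value to `learn_buffer_len` without clamping it to the space that was actually available, so in principle one entry longer than the 16 KiB tail gap pushes `learn_buffer_len` past LEARN_BUFFER_SIZE and the next memcpy/copy_to_user in read_learn over-reads both buffers; clamping `len` to `LEARN_BUFFER_SIZE - learn_buffer_len - 1` before the increment would close that.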
41306 diff -urNp linux-2.6.38.4/grsecurity/gracl_res.c linux-2.6.38.4/grsecurity/gracl_res.c
41307 --- linux-2.6.38.4/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
41308 +++ linux-2.6.38.4/grsecurity/gracl_res.c 2011-04-17 15:57:32.000000000 -0400
41310 +#include <linux/kernel.h>
41311 +#include <linux/sched.h>
41312 +#include <linux/gracl.h>
41313 +#include <linux/grinternal.h>
41315 +static const char *restab_log[] = {
41316 + [RLIMIT_CPU] = "RLIMIT_CPU",
41317 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
41318 + [RLIMIT_DATA] = "RLIMIT_DATA",
41319 + [RLIMIT_STACK] = "RLIMIT_STACK",
41320 + [RLIMIT_CORE] = "RLIMIT_CORE",
41321 + [RLIMIT_RSS] = "RLIMIT_RSS",
41322 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
41323 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
41324 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
41325 + [RLIMIT_AS] = "RLIMIT_AS",
41326 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
41327 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
41328 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
41329 + [RLIMIT_NICE] = "RLIMIT_NICE",
41330 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
41331 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
41332 + [GR_CRASH_RES] = "RLIMIT_CRASH"
41336 +gr_log_resource(const struct task_struct *task,
41337 + const int res, const unsigned long wanted, const int gt)
41339 + const struct cred *cred;
41340 + unsigned long rlim;
41342 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
41345 + // not yet supported resource
41346 + if (unlikely(!restab_log[res]))
41349 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
41350 + rlim = task_rlimit_max(task, res);
41352 + rlim = task_rlimit(task, res);
41354 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
41358 + cred = __task_cred(task);
41360 + if (res == RLIMIT_NPROC &&
41361 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
41362 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
41363 + goto out_rcu_unlock;
41364 + else if (res == RLIMIT_MEMLOCK &&
41365 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
41366 + goto out_rcu_unlock;
41367 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
41368 + goto out_rcu_unlock;
41369 + rcu_read_unlock();
41371 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
41375 + rcu_read_unlock();
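Review bot: `restab_log[res]` is dereferenced before `res` is range-checked, so a `res` beyond the last designated index (GR_CRASH_RES) reads past the table; whether every caller bounds `res` is not visible here, so a guard at that check, `if (unlikely(res < 0 || res >= ARRAY_SIZE(restab_log) || !restab_log[res]))`, costs nothing and documents the contract. The `rcu_read_lock()` that pairs with the two `rcu_read_unlock()` calls is in a line not shown in this hunk, presumably just before `__task_cred(task)`. A one-line comment on the RLIMIT_CPU/RLIMIT_RTTIME branch saying why the hard limit rather than the soft limit is compared for those two resources would help the next reader.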
41378 diff -urNp linux-2.6.38.4/grsecurity/gracl_segv.c linux-2.6.38.4/grsecurity/gracl_segv.c
41379 --- linux-2.6.38.4/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
41380 +++ linux-2.6.38.4/grsecurity/gracl_segv.c 2011-04-17 15:57:32.000000000 -0400
41382 +#include <linux/kernel.h>
41383 +#include <linux/mm.h>
41384 +#include <asm/uaccess.h>
41385 +#include <asm/errno.h>
41386 +#include <asm/mman.h>
41387 +#include <net/sock.h>
41388 +#include <linux/file.h>
41389 +#include <linux/fs.h>
41390 +#include <linux/net.h>
41391 +#include <linux/in.h>
41392 +#include <linux/smp_lock.h>
41393 +#include <linux/slab.h>
41394 +#include <linux/types.h>
41395 +#include <linux/sched.h>
41396 +#include <linux/timer.h>
41397 +#include <linux/gracl.h>
41398 +#include <linux/grsecurity.h>
41399 +#include <linux/grinternal.h>
41401 +static struct crash_uid *uid_set;
41402 +static unsigned short uid_used;
41403 +static DEFINE_SPINLOCK(gr_uid_lock);
41404 +extern rwlock_t gr_inode_lock;
41405 +extern struct acl_subject_label *
41406 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
41407 + struct acl_role_label *role);
41409 +#ifdef CONFIG_BTRFS_FS
41410 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
41411 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
41414 +static inline dev_t __get_dev(const struct dentry *dentry)
41416 +#ifdef CONFIG_BTRFS_FS
41417 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
41418 + return get_btrfs_dev_from_inode(dentry->d_inode);
41421 + return dentry->d_inode->i_sb->s_dev;
41425 +gr_init_uidset(void)
41428 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
41431 + return uid_set ? 1 : 0;
41435 +gr_free_uidset(void)
41444 +gr_find_uid(const uid_t uid)
41446 + struct crash_uid *tmp = uid_set;
41448 + int low = 0, high = uid_used - 1, mid;
41450 + while (high >= low) {
41451 + mid = (low + high) >> 1;
41452 + buid = tmp[mid].uid;
41464 +static __inline__ void
41465 +gr_insertsort(void)
41467 + unsigned short i, j;
41468 + struct crash_uid index;
41470 + for (i = 1; i < uid_used; i++) {
41471 + index = uid_set[i];
41473 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
41474 + uid_set[j] = uid_set[j - 1];
41477 + uid_set[j] = index;
41483 +static __inline__ void
41484 +gr_insert_uid(const uid_t uid, const unsigned long expires)
41488 + if (uid_used == GR_UIDTABLE_MAX)
41491 + loc = gr_find_uid(uid);
41494 + uid_set[loc].expires = expires;
41498 + uid_set[uid_used].uid = uid;
41499 + uid_set[uid_used].expires = expires;
41508 +gr_remove_uid(const unsigned short loc)
41510 + unsigned short i;
41512 + for (i = loc + 1; i < uid_used; i++)
41513 + uid_set[i - 1] = uid_set[i];
41521 +gr_check_crash_uid(const uid_t uid)
41526 + if (unlikely(!gr_acl_is_enabled()))
41529 + spin_lock(&gr_uid_lock);
41530 + loc = gr_find_uid(uid);
41535 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
41536 + gr_remove_uid(loc);
41541 + spin_unlock(&gr_uid_lock);
41545 +static __inline__ int
41546 +proc_is_setxid(const struct cred *cred)
41548 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
41549 + cred->uid != cred->fsuid)
41551 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
41552 + cred->gid != cred->fsgid)
41558 +extern int gr_fake_force_sig(int sig, struct task_struct *t);
41561 +gr_handle_crash(struct task_struct *task, const int sig)
41563 + struct acl_subject_label *curr;
41564 + struct acl_subject_label *curr2;
41565 + struct task_struct *tsk, *tsk2;
41566 + const struct cred *cred;
41567 + const struct cred *cred2;
41569 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
41572 + if (unlikely(!gr_acl_is_enabled()))
41575 + curr = task->acl;
41577 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
41580 + if (time_before_eq(curr->expires, get_seconds())) {
41581 + curr->expires = 0;
41582 + curr->crashes = 0;
41587 + if (!curr->expires)
41588 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
41590 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
41591 + time_after(curr->expires, get_seconds())) {
41593 + cred = __task_cred(task);
41594 + if (cred->uid && proc_is_setxid(cred)) {
41595 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
41596 + spin_lock(&gr_uid_lock);
41597 + gr_insert_uid(cred->uid, curr->expires);
41598 + spin_unlock(&gr_uid_lock);
41599 + curr->expires = 0;
41600 + curr->crashes = 0;
41601 + read_lock(&tasklist_lock);
41602 + do_each_thread(tsk2, tsk) {
41603 + cred2 = __task_cred(tsk);
41604 + if (tsk != task && cred2->uid == cred->uid)
41605 + gr_fake_force_sig(SIGKILL, tsk);
41606 + } while_each_thread(tsk2, tsk);
41607 + read_unlock(&tasklist_lock);
41609 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
41610 + read_lock(&tasklist_lock);
41611 + do_each_thread(tsk2, tsk) {
41612 + if (likely(tsk != task)) {
41613 + curr2 = tsk->acl;
41615 + if (curr2->device == curr->device &&
41616 + curr2->inode == curr->inode)
41617 + gr_fake_force_sig(SIGKILL, tsk);
41619 + } while_each_thread(tsk2, tsk);
41620 + read_unlock(&tasklist_lock);
41622 + rcu_read_unlock();
41629 +gr_check_crash_exec(const struct file *filp)
41631 + struct acl_subject_label *curr;
41633 + if (unlikely(!gr_acl_is_enabled()))
41636 + read_lock(&gr_inode_lock);
41637 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
41638 + __get_dev(filp->f_path.dentry),
41640 + read_unlock(&gr_inode_lock);
41642 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
41643 + (!curr->crashes && !curr->expires))
41646 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
41647 + time_after(curr->expires, get_seconds()))
41649 + else if (time_before_eq(curr->expires, get_seconds())) {
41650 + curr->crashes = 0;
41651 + curr->expires = 0;
41658 +gr_handle_alertkill(struct task_struct *task)
41660 + struct acl_subject_label *curracl;
41662 + struct task_struct *p, *p2;
41664 + if (unlikely(!gr_acl_is_enabled()))
41667 + curracl = task->acl;
41668 + curr_ip = task->signal->curr_ip;
41670 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
41671 + read_lock(&tasklist_lock);
41672 + do_each_thread(p2, p) {
41673 + if (p->signal->curr_ip == curr_ip)
41674 + gr_fake_force_sig(SIGKILL, p);
41675 + } while_each_thread(p2, p);
41676 + read_unlock(&tasklist_lock);
41677 + } else if (curracl->mode & GR_KILLPROC)
41678 + gr_fake_force_sig(SIGKILL, task);
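Review bot: gr_handle_crash and gr_check_crash_exec both perform read-modify-write sequences on the shared subject label's `crashes` and `expires` fields (the `curr->expires = 0; curr->crashes = 0;` resets and the threshold comparison before them) with no lock visible around them, and gr_check_crash_exec releases `gr_inode_lock` before it touches those fields. If two tasks under the same subject crash or exec concurrently, one can reset the counter between the other's comparison and its kill decision, so either these fields need their own lock or a comment should state which lock callers are expected to hold. The increment of `curr->crashes` and the `rcu_read_lock()` pairing the unlock at the end of gr_handle_crash are in lines not shown in this hunk. Minor: gr_insertsort and gr_insert_uid use `__inline__` while `__get_dev` uses `inline`; `static inline` is the kernel convention.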
41682 diff -urNp linux-2.6.38.4/grsecurity/gracl_shm.c linux-2.6.38.4/grsecurity/gracl_shm.c
41683 --- linux-2.6.38.4/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
41684 +++ linux-2.6.38.4/grsecurity/gracl_shm.c 2011-04-17 15:57:32.000000000 -0400
41686 +#include <linux/kernel.h>
41687 +#include <linux/mm.h>
41688 +#include <linux/sched.h>
41689 +#include <linux/file.h>
41690 +#include <linux/ipc.h>
41691 +#include <linux/gracl.h>
41692 +#include <linux/grsecurity.h>
41693 +#include <linux/grinternal.h>
41696 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
41697 + const time_t shm_createtime, const uid_t cuid, const int shmid)
41699 + struct task_struct *task;
41701 + if (!gr_acl_is_enabled())
41705 + read_lock(&tasklist_lock);
41707 + task = find_task_by_vpid(shm_cprid);
41709 + if (unlikely(!task))
41710 + task = find_task_by_vpid(shm_lapid);
41712 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
41713 + (task->pid == shm_lapid)) &&
41714 + (task->acl->mode & GR_PROTSHM) &&
41715 + (task->acl != current->acl))) {
41716 + read_unlock(&tasklist_lock);
41717 + rcu_read_unlock();
41718 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
41721 + read_unlock(&tasklist_lock);
41722 + rcu_read_unlock();
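Review bot: The age test `time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime)` compares the task's start time with the segment's creation time, but as far as I recall this kernel series fills `task->start_time` from the monotonic clock while shm creation times are wall-clock seconds, so the two values would be on different clocks and the comparison would not mean what the check intends; I am inferring the clock sources from the core kernel rather than from this hunk, so please confirm, and if it holds, both timestamps need to come from the same clock before being compared. The same comparison appears in gr_chroot_shmat in grsec_chroot.c later in this patch. The `rcu_read_lock()` matching the two `rcu_read_unlock()` calls is not shown; it presumably sits alongside the tasklist_lock acquisition.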
41726 diff -urNp linux-2.6.38.4/grsecurity/grsec_chdir.c linux-2.6.38.4/grsecurity/grsec_chdir.c
41727 --- linux-2.6.38.4/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
41728 +++ linux-2.6.38.4/grsecurity/grsec_chdir.c 2011-04-17 15:57:32.000000000 -0400
41730 +#include <linux/kernel.h>
41731 +#include <linux/sched.h>
41732 +#include <linux/fs.h>
41733 +#include <linux/file.h>
41734 +#include <linux/grsecurity.h>
41735 +#include <linux/grinternal.h>
41738 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
41740 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
41741 + if ((grsec_enable_chdir && grsec_enable_group &&
41742 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
41743 + !grsec_enable_group)) {
41744 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
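Review bot: The condition in gr_log_chdir tests `grsec_enable_chdir` in both disjuncts; it reads more directly as `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))`, which makes the two modes — audit every task, or only members of the audit group — visible at a glance. A short comment above it, `/* audit all tasks, or only members of grsec_audit_gid when group filtering is enabled */`, would document that intent.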
41749 diff -urNp linux-2.6.38.4/grsecurity/grsec_chroot.c linux-2.6.38.4/grsecurity/grsec_chroot.c
41750 --- linux-2.6.38.4/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
41751 +++ linux-2.6.38.4/grsecurity/grsec_chroot.c 2011-04-17 15:57:32.000000000 -0400
41753 +#include <linux/kernel.h>
41754 +#include <linux/module.h>
41755 +#include <linux/sched.h>
41756 +#include <linux/file.h>
41757 +#include <linux/fs.h>
41758 +#include <linux/mount.h>
41759 +#include <linux/types.h>
41760 +#include <linux/pid_namespace.h>
41761 +#include <linux/grsecurity.h>
41762 +#include <linux/grinternal.h>
41764 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
41766 +#ifdef CONFIG_GRKERNSEC
41767 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
41768 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
41769 + task->gr_is_chrooted = 1;
41771 + task->gr_is_chrooted = 0;
41773 + task->gr_chroot_dentry = path->dentry;
41778 +void gr_clear_chroot_entries(struct task_struct *task)
41780 +#ifdef CONFIG_GRKERNSEC
41781 + task->gr_is_chrooted = 0;
41782 + task->gr_chroot_dentry = NULL;
41788 +gr_handle_chroot_unix(struct pid *pid)
41790 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
41791 + struct task_struct *p;
41793 + if (unlikely(!grsec_enable_chroot_unix))
41796 + if (likely(!proc_is_chrooted(current)))
41800 + read_lock(&tasklist_lock);
41801 + p = pid_task(pid, PIDTYPE_PID);
41802 + if (unlikely(p && !have_same_root(current, p))) {
41803 + read_unlock(&tasklist_lock);
41804 + rcu_read_unlock();
41805 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
41808 + read_unlock(&tasklist_lock);
41809 + rcu_read_unlock();
41815 +gr_handle_chroot_nice(void)
41817 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
41818 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
41819 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
41827 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
41829 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
41830 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
41831 + && proc_is_chrooted(current)) {
41832 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
41840 +gr_handle_chroot_rawio(const struct inode *inode)
41842 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
41843 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
41844 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
41851 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
41853 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
41854 + struct task_struct *p;
41856 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
41859 + read_lock(&tasklist_lock);
41860 + do_each_pid_task(pid, type, p) {
41861 + if (!have_same_root(current, p)) {
41865 + } while_each_pid_task(pid, type, p);
41867 + read_unlock(&tasklist_lock);
41874 +gr_pid_is_chrooted(struct task_struct *p)
41876 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
41877 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
41880 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
41881 + !have_same_root(current, p)) {
41888 +EXPORT_SYMBOL(gr_pid_is_chrooted);
41890 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
41891 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
41893 + struct path path, currentroot;
41896 + path.dentry = (struct dentry *)u_dentry;
41897 + path.mnt = (struct vfsmount *)u_mnt;
41898 + get_fs_root(current->fs, ¤troot);
41899 + if (path_is_under(&path, ¤troot))
41901 + path_put(¤troot);
41908 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
41910 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
41911 + if (!grsec_enable_chroot_fchdir)
41914 + if (!proc_is_chrooted(current))
41916 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
41917 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
41925 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
41926 + const time_t shm_createtime)
41928 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
41929 + struct pid *pid = NULL;
41930 + time_t starttime;
41932 + if (unlikely(!grsec_enable_chroot_shmat))
41935 + if (likely(!proc_is_chrooted(current)))
41939 + read_lock(&tasklist_lock);
41941 + pid = find_vpid(shm_cprid);
41943 + struct task_struct *p;
41944 + p = pid_task(pid, PIDTYPE_PID);
41947 + starttime = p->start_time.tv_sec;
41948 + if (unlikely(!have_same_root(current, p) &&
41949 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
41950 + read_unlock(&tasklist_lock);
41951 + rcu_read_unlock();
41952 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
41956 + pid = find_vpid(shm_lapid);
41958 + struct task_struct *p;
41959 + p = pid_task(pid, PIDTYPE_PID);
41962 + if (unlikely(!have_same_root(current, p))) {
41963 + read_unlock(&tasklist_lock);
41964 + rcu_read_unlock();
41965 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
41971 + read_unlock(&tasklist_lock);
41972 + rcu_read_unlock();
41978 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
41980 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
41981 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
41982 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
41988 +gr_handle_chroot_mknod(const struct dentry *dentry,
41989 + const struct vfsmount *mnt, const int mode)
41991 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
41992 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
41993 + proc_is_chrooted(current)) {
41994 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
42002 +gr_handle_chroot_mount(const struct dentry *dentry,
42003 + const struct vfsmount *mnt, const char *dev_name)
42005 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
42006 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
42007 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
42015 +gr_handle_chroot_pivot(void)
42017 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
42018 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
42019 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
42027 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
42029 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
42030 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
42031 + !gr_is_outside_chroot(dentry, mnt)) {
42032 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
42040 +gr_handle_chroot_caps(struct path *path)
42042 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
42043 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
42044 + (init_task.fs->root.dentry != path->dentry) &&
42045 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
42047 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
42048 + const struct cred *old = current_cred();
42049 + struct cred *new = prepare_creds();
42053 + new->cap_permitted = cap_drop(old->cap_permitted,
42055 + new->cap_inheritable = cap_drop(old->cap_inheritable,
42057 + new->cap_effective = cap_drop(old->cap_effective,
42060 + commit_creds(new);
42069 +gr_handle_chroot_sysctl(const int op)
42071 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
42072 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
42073 + proc_is_chrooted(current))
42080 +gr_handle_chroot_chdir(struct path *path)
42082 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
42083 + if (grsec_enable_chroot_chdir)
42084 + set_fs_pwd(current->fs, path);
42090 +gr_handle_chroot_chmod(const struct dentry *dentry,
42091 + const struct vfsmount *mnt, const int mode)
42093 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
42094 + /* allow chmod +s on directories, but not files */
42095 + if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
42096 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
42097 + proc_is_chrooted(current)) {
42098 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
42105 +#ifdef CONFIG_SECURITY
42106 +EXPORT_SYMBOL(gr_handle_chroot_caps);
42108 diff -urNp linux-2.6.38.4/grsecurity/grsec_disabled.c linux-2.6.38.4/grsecurity/grsec_disabled.c
42109 --- linux-2.6.38.4/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
42110 +++ linux-2.6.38.4/grsecurity/grsec_disabled.c 2011-04-17 15:57:32.000000000 -0400
42112 +#include <linux/kernel.h>
42113 +#include <linux/module.h>
42114 +#include <linux/sched.h>
42115 +#include <linux/file.h>
42116 +#include <linux/fs.h>
42117 +#include <linux/kdev_t.h>
42118 +#include <linux/net.h>
42119 +#include <linux/in.h>
42120 +#include <linux/ip.h>
42121 +#include <linux/skbuff.h>
42122 +#include <linux/sysctl.h>
42124 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
42126 +pax_set_initial_flags(struct linux_binprm *bprm)
42132 +#ifdef CONFIG_SYSCTL
42134 +gr_handle_sysctl(const struct ctl_table * table, const int op)
42140 +#ifdef CONFIG_TASKSTATS
42141 +int gr_is_taskstats_denied(int pid)
42148 +gr_acl_is_enabled(void)
42154 +gr_handle_rawio(const struct inode *inode)
42160 +gr_acl_handle_psacct(struct task_struct *task, const long code)
42166 +gr_handle_ptrace(struct task_struct *task, const long request)
42172 +gr_handle_proc_ptrace(struct task_struct *task)
42178 +gr_learn_resource(const struct task_struct *task,
42179 + const int res, const unsigned long wanted, const int gt)
42185 +gr_set_acls(const int type)
42191 +gr_check_hidden_task(const struct task_struct *tsk)
42197 +gr_check_protected_task(const struct task_struct *task)
42203 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
42209 +gr_copy_label(struct task_struct *tsk)
42215 +gr_set_pax_flags(struct task_struct *task)
42221 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
42222 + const int unsafe_share)
42228 +gr_handle_delete(const ino_t ino, const dev_t dev)
42234 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
42240 +gr_handle_crash(struct task_struct *task, const int sig)
42246 +gr_check_crash_exec(const struct file *filp)
42252 +gr_check_crash_uid(const uid_t uid)
42258 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
42259 + struct dentry *old_dentry,
42260 + struct dentry *new_dentry,
42261 + struct vfsmount *mnt, const __u8 replace)
42267 +gr_search_socket(const int family, const int type, const int protocol)
42273 +gr_search_connectbind(const int mode, const struct socket *sock,
42274 + const struct sockaddr_in *addr)
42280 +gr_is_capable(const int cap)
42286 +gr_is_capable_nolog(const int cap)
42292 +gr_handle_alertkill(struct task_struct *task)
42298 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
42304 +gr_acl_handle_hidden_file(const struct dentry * dentry,
42305 + const struct vfsmount * mnt)
42311 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
42318 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
42324 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
42330 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
42331 + unsigned int *vm_flags)
42337 +gr_acl_handle_truncate(const struct dentry * dentry,
42338 + const struct vfsmount * mnt)
42344 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
42350 +gr_acl_handle_access(const struct dentry * dentry,
42351 + const struct vfsmount * mnt, const int fmode)
42357 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
42364 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
42371 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
42377 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
42383 +grsecurity_init(void)
42389 +gr_acl_handle_mknod(const struct dentry * new_dentry,
42390 + const struct dentry * parent_dentry,
42391 + const struct vfsmount * parent_mnt,
42398 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
42399 + const struct dentry * parent_dentry,
42400 + const struct vfsmount * parent_mnt)
42406 +gr_acl_handle_symlink(const struct dentry * new_dentry,
42407 + const struct dentry * parent_dentry,
42408 + const struct vfsmount * parent_mnt, const char *from)
42414 +gr_acl_handle_link(const struct dentry * new_dentry,
42415 + const struct dentry * parent_dentry,
42416 + const struct vfsmount * parent_mnt,
42417 + const struct dentry * old_dentry,
42418 + const struct vfsmount * old_mnt, const char *to)
42424 +gr_acl_handle_rename(const struct dentry *new_dentry,
42425 + const struct dentry *parent_dentry,
42426 + const struct vfsmount *parent_mnt,
42427 + const struct dentry *old_dentry,
42428 + const struct inode *old_parent_inode,
42429 + const struct vfsmount *old_mnt, const char *newname)
42435 +gr_acl_handle_filldir(const struct file *file, const char *name,
42436 + const int namelen, const ino_t ino)
42442 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
42443 + const time_t shm_createtime, const uid_t cuid, const int shmid)
42449 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
42455 +gr_search_accept(const struct socket *sock)
42461 +gr_search_listen(const struct socket *sock)
42467 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
42473 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
42479 +gr_acl_handle_creat(const struct dentry * dentry,
42480 + const struct dentry * p_dentry,
42481 + const struct vfsmount * p_mnt, const int fmode,
42488 +gr_acl_handle_exit(void)
42494 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
42500 +gr_set_role_label(const uid_t uid, const gid_t gid)
42506 +gr_acl_handle_procpidmem(const struct task_struct *task)
42512 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
42518 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
42524 +gr_set_kernel_label(struct task_struct *task)
42530 +gr_check_user_change(int real, int effective, int fs)
42536 +gr_check_group_change(int real, int effective, int fs)
42541 +int gr_acl_enable_at_secure(void)
42546 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
42548 + return dentry->d_inode->i_sb->s_dev;
42551 +EXPORT_SYMBOL(gr_is_capable);
42552 +EXPORT_SYMBOL(gr_is_capable_nolog);
42553 +EXPORT_SYMBOL(gr_learn_resource);
42554 +EXPORT_SYMBOL(gr_set_kernel_label);
42555 +#ifdef CONFIG_SECURITY
42556 +EXPORT_SYMBOL(gr_check_user_change);
42557 +EXPORT_SYMBOL(gr_check_group_change);
42559 diff -urNp linux-2.6.38.4/grsecurity/grsec_exec.c linux-2.6.38.4/grsecurity/grsec_exec.c
42560 --- linux-2.6.38.4/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
42561 +++ linux-2.6.38.4/grsecurity/grsec_exec.c 2011-04-17 15:57:32.000000000 -0400
42563 +#include <linux/kernel.h>
42564 +#include <linux/sched.h>
42565 +#include <linux/file.h>
42566 +#include <linux/binfmts.h>
42567 +#include <linux/smp_lock.h>
42568 +#include <linux/fs.h>
42569 +#include <linux/types.h>
42570 +#include <linux/grdefs.h>
42571 +#include <linux/grinternal.h>
42572 +#include <linux/capability.h>
42573 +#include <linux/compat.h>
42575 +#include <asm/uaccess.h>
42577 +#ifdef CONFIG_GRKERNSEC_EXECLOG
42578 +static char gr_exec_arg_buf[132];
42579 +static DEFINE_MUTEX(gr_exec_arg_mutex);
42583 +gr_handle_nproc(void)
42585 +#ifdef CONFIG_GRKERNSEC_EXECVE
42586 + const struct cred *cred = current_cred();
42587 + if (grsec_enable_execve && cred->user &&
42588 + (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
42589 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
42590 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
42598 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
42600 +#ifdef CONFIG_GRKERNSEC_EXECLOG
42601 + char *grarg = gr_exec_arg_buf;
42602 + unsigned int i, x, execlen = 0;
42605 + if (!((grsec_enable_execlog && grsec_enable_group &&
42606 + in_group_p(grsec_audit_gid))
42607 + || (grsec_enable_execlog && !grsec_enable_group)))
42610 + mutex_lock(&gr_exec_arg_mutex);
42611 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
42613 + if (unlikely(argv == NULL))
42616 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
42617 + const char __user *p;
42618 + unsigned int len;
42620 + if (copy_from_user(&p, argv + i, sizeof(p)))
42624 + len = strnlen_user(p, 128 - execlen);
42625 + if (len > 128 - execlen)
42626 + len = 128 - execlen;
42627 + else if (len > 0)
42629 + if (copy_from_user(grarg + execlen, p, len))
42632 + /* rewrite unprintable characters */
42633 + for (x = 0; x < len; x++) {
42634 + c = *(grarg + execlen + x);
42635 + if (c < 32 || c > 126)
42636 + *(grarg + execlen + x) = ' ';
42640 + *(grarg + execlen) = ' ';
42641 + *(grarg + execlen + 1) = '\0';
42646 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
42647 + bprm->file->f_path.mnt, grarg);
42648 + mutex_unlock(&gr_exec_arg_mutex);
42653 +#ifdef CONFIG_COMPAT
42655 +gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv)
42657 +#ifdef CONFIG_GRKERNSEC_EXECLOG
42658 + char *grarg = gr_exec_arg_buf;
42659 + unsigned int i, x, execlen = 0;
42662 + if (!((grsec_enable_execlog && grsec_enable_group &&
42663 + in_group_p(grsec_audit_gid))
42664 + || (grsec_enable_execlog && !grsec_enable_group)))
42667 + mutex_lock(&gr_exec_arg_mutex);
42668 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
42670 + if (unlikely(argv == NULL))
42673 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
42675 + unsigned int len;
42677 + if (get_user(p, argv + i))
42679 + len = strnlen_user(compat_ptr(p), 128 - execlen);
42680 + if (len > 128 - execlen)
42681 + len = 128 - execlen;
42682 + else if (len > 0)
42686 + if (copy_from_user(grarg + execlen, compat_ptr(p), len))
42689 + /* rewrite unprintable characters */
42690 + for (x = 0; x < len; x++) {
42691 + c = *(grarg + execlen + x);
42692 + if (c < 32 || c > 126)
42693 + *(grarg + execlen + x) = ' ';
42697 + *(grarg + execlen) = ' ';
42698 + *(grarg + execlen + 1) = '\0';
42703 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
42704 + bprm->file->f_path.mnt, grarg);
42705 + mutex_unlock(&gr_exec_arg_mutex);
42710 diff -urNp linux-2.6.38.4/grsecurity/grsec_fifo.c linux-2.6.38.4/grsecurity/grsec_fifo.c
42711 --- linux-2.6.38.4/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
42712 +++ linux-2.6.38.4/grsecurity/grsec_fifo.c 2011-04-17 15:57:32.000000000 -0400
42714 +#include <linux/kernel.h>
42715 +#include <linux/sched.h>
42716 +#include <linux/fs.h>
42717 +#include <linux/file.h>
42718 +#include <linux/grinternal.h>
42721 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
42722 + const struct dentry *dir, const int flag, const int acc_mode)
42724 +#ifdef CONFIG_GRKERNSEC_FIFO
42725 + const struct cred *cred = current_cred();
42727 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
42728 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
42729 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
42730 + (cred->fsuid != dentry->d_inode->i_uid)) {
42731 + if (!inode_permission(dentry->d_inode, acc_mode))
42732 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
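Review bot: gr_handle_fifo dereferences `dentry->d_inode` and `dir->d_inode` unconditionally, so callers must guarantee positive dentries; that precondition is not stated anywhere in the hunk and belongs in a comment above the function, e.g. `/* dentry and dir must be positive (d_inode != NULL); called from the open path after lookup */`. The inverted `if (!inode_permission(dentry->d_inode, acc_mode))` is easy to misread: the denial is logged only when DAC would otherwise have allowed the open, which keeps the log free of opens that were going to fail anyway, and a short comment saying so would help. Note also that the sticky-directory test here checks only `S_ISVTX`, whereas gr_handle_follow_link in grsec_link.c additionally requires `S_IWOTH`; if the broader scope for FIFOs is intentional, it is worth recording. The function's return statements and closing brace are elided in this view.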
42738 diff -urNp linux-2.6.38.4/grsecurity/grsec_fork.c linux-2.6.38.4/grsecurity/grsec_fork.c
42739 --- linux-2.6.38.4/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
42740 +++ linux-2.6.38.4/grsecurity/grsec_fork.c 2011-04-17 15:57:32.000000000 -0400
42742 +#include <linux/kernel.h>
42743 +#include <linux/sched.h>
42744 +#include <linux/grsecurity.h>
42745 +#include <linux/grinternal.h>
42746 +#include <linux/errno.h>
42749 +gr_log_forkfail(const int retval)
42751 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
42752 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
42753 + switch (retval) {
42755 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
42758 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
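Review bot: The outer test `retval == -EAGAIN || retval == -ENOMEM` in gr_log_forkfail is redundant with the two `switch` cases that follow it, so the same set of values is enumerated twice and any new case has to be added in both places. Either drop the equality tests from the `if` and give the switch a `default: break;`, or replace the switch with the single line `gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval == -EAGAIN ? "EAGAIN" : "ENOMEM");` under the existing condition. The `case` labels and closing braces of the switch are elided in this view, so I am inferring that no other cases exist.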
42765 diff -urNp linux-2.6.38.4/grsecurity/grsec_init.c linux-2.6.38.4/grsecurity/grsec_init.c
42766 --- linux-2.6.38.4/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
42767 +++ linux-2.6.38.4/grsecurity/grsec_init.c 2011-04-17 15:57:32.000000000 -0400
42769 +#include <linux/kernel.h>
42770 +#include <linux/sched.h>
42771 +#include <linux/mm.h>
42772 +#include <linux/smp_lock.h>
42773 +#include <linux/gracl.h>
42774 +#include <linux/slab.h>
42775 +#include <linux/vmalloc.h>
42776 +#include <linux/percpu.h>
42777 +#include <linux/module.h>
42779 +int grsec_enable_link;
42780 +int grsec_enable_dmesg;
42781 +int grsec_enable_harden_ptrace;
42782 +int grsec_enable_fifo;
42783 +int grsec_enable_execve;
42784 +int grsec_enable_execlog;
42785 +int grsec_enable_signal;
42786 +int grsec_enable_forkfail;
42787 +int grsec_enable_audit_ptrace;
42788 +int grsec_enable_time;
42789 +int grsec_enable_audit_textrel;
42790 +int grsec_enable_group;
42791 +int grsec_audit_gid;
42792 +int grsec_enable_chdir;
42793 +int grsec_enable_mount;
42794 +int grsec_enable_rofs;
42795 +int grsec_enable_chroot_findtask;
42796 +int grsec_enable_chroot_mount;
42797 +int grsec_enable_chroot_shmat;
42798 +int grsec_enable_chroot_fchdir;
42799 +int grsec_enable_chroot_double;
42800 +int grsec_enable_chroot_pivot;
42801 +int grsec_enable_chroot_chdir;
42802 +int grsec_enable_chroot_chmod;
42803 +int grsec_enable_chroot_mknod;
42804 +int grsec_enable_chroot_nice;
42805 +int grsec_enable_chroot_execlog;
42806 +int grsec_enable_chroot_caps;
42807 +int grsec_enable_chroot_sysctl;
42808 +int grsec_enable_chroot_unix;
42809 +int grsec_enable_tpe;
42810 +int grsec_tpe_gid;
42811 +int grsec_enable_blackhole;
42812 +#ifdef CONFIG_IPV6_MODULE
42813 +EXPORT_SYMBOL(grsec_enable_blackhole);
42815 +int grsec_lastack_retries;
42816 +int grsec_enable_tpe_all;
42817 +int grsec_enable_tpe_invert;
42818 +int grsec_enable_socket_all;
42819 +int grsec_socket_all_gid;
42820 +int grsec_enable_socket_client;
42821 +int grsec_socket_client_gid;
42822 +int grsec_enable_socket_server;
42823 +int grsec_socket_server_gid;
42824 +int grsec_resource_logging;
42825 +int grsec_disable_privio;
42826 +int grsec_enable_log_rwxmaps;
42829 +DEFINE_SPINLOCK(grsec_alert_lock);
42830 +unsigned long grsec_alert_wtime = 0;
42831 +unsigned long grsec_alert_fyet = 0;
42833 +DEFINE_SPINLOCK(grsec_audit_lock);
42835 +DEFINE_RWLOCK(grsec_exec_file_lock);
42837 +char *gr_shared_page[4];
42839 +char *gr_alert_log_fmt;
42840 +char *gr_audit_log_fmt;
42841 +char *gr_alert_log_buf;
42842 +char *gr_audit_log_buf;
42844 +extern struct gr_arg *gr_usermode;
42845 +extern unsigned char *gr_system_salt;
42846 +extern unsigned char *gr_system_sum;
42849 +grsecurity_init(void)
42852 + /* create the per-cpu shared pages */
42855 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
42858 + for (j = 0; j < 4; j++) {
42859 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
42860 + if (gr_shared_page[j] == NULL) {
42861 + panic("Unable to allocate grsecurity shared page");
42866 + /* allocate log buffers */
42867 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
42868 + if (!gr_alert_log_fmt) {
42869 + panic("Unable to allocate grsecurity alert log format buffer");
42872 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
42873 + if (!gr_audit_log_fmt) {
42874 + panic("Unable to allocate grsecurity audit log format buffer");
42877 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
42878 + if (!gr_alert_log_buf) {
42879 + panic("Unable to allocate grsecurity alert log buffer");
42882 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
42883 + if (!gr_audit_log_buf) {
42884 + panic("Unable to allocate grsecurity audit log buffer");
42888 + /* allocate memory for authentication structure */
42889 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
42890 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
42891 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
42893 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
42894 + panic("Unable to allocate grsecurity authentication structure");
42899 +#ifdef CONFIG_GRKERNSEC_IO
42900 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
42901 + grsec_disable_privio = 1;
42902 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
42903 + grsec_disable_privio = 1;
42905 + grsec_disable_privio = 0;
42909 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
42910 + /* for backward compatibility, tpe_invert always defaults to on if
42911 + enabled in the kernel
42913 + grsec_enable_tpe_invert = 1;
42916 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
42917 +#ifndef CONFIG_GRKERNSEC_SYSCTL
42921 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
42922 + grsec_enable_audit_textrel = 1;
42924 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
42925 + grsec_enable_log_rwxmaps = 1;
42927 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
42928 + grsec_enable_group = 1;
42929 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
42931 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
42932 + grsec_enable_chdir = 1;
42934 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
42935 + grsec_enable_harden_ptrace = 1;
42937 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42938 + grsec_enable_mount = 1;
42940 +#ifdef CONFIG_GRKERNSEC_LINK
42941 + grsec_enable_link = 1;
42943 +#ifdef CONFIG_GRKERNSEC_DMESG
42944 + grsec_enable_dmesg = 1;
42946 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
42947 + grsec_enable_blackhole = 1;
42948 + grsec_lastack_retries = 4;
42950 +#ifdef CONFIG_GRKERNSEC_FIFO
42951 + grsec_enable_fifo = 1;
42953 +#ifdef CONFIG_GRKERNSEC_EXECVE
42954 + grsec_enable_execve = 1;
42956 +#ifdef CONFIG_GRKERNSEC_EXECLOG
42957 + grsec_enable_execlog = 1;
42959 +#ifdef CONFIG_GRKERNSEC_SIGNAL
42960 + grsec_enable_signal = 1;
42962 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
42963 + grsec_enable_forkfail = 1;
42965 +#ifdef CONFIG_GRKERNSEC_TIME
42966 + grsec_enable_time = 1;
42968 +#ifdef CONFIG_GRKERNSEC_RESLOG
42969 + grsec_resource_logging = 1;
42971 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
42972 + grsec_enable_chroot_findtask = 1;
42974 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
42975 + grsec_enable_chroot_unix = 1;
42977 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
42978 + grsec_enable_chroot_mount = 1;
42980 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
42981 + grsec_enable_chroot_fchdir = 1;
42983 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
42984 + grsec_enable_chroot_shmat = 1;
42986 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
42987 + grsec_enable_audit_ptrace = 1;
42989 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
42990 + grsec_enable_chroot_double = 1;
42992 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
42993 + grsec_enable_chroot_pivot = 1;
42995 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
42996 + grsec_enable_chroot_chdir = 1;
42998 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
42999 + grsec_enable_chroot_chmod = 1;
43001 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
43002 + grsec_enable_chroot_mknod = 1;
43004 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
43005 + grsec_enable_chroot_nice = 1;
43007 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
43008 + grsec_enable_chroot_execlog = 1;
43010 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
43011 + grsec_enable_chroot_caps = 1;
43013 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
43014 + grsec_enable_chroot_sysctl = 1;
43016 +#ifdef CONFIG_GRKERNSEC_TPE
43017 + grsec_enable_tpe = 1;
43018 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
43019 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
43020 + grsec_enable_tpe_all = 1;
43023 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
43024 + grsec_enable_socket_all = 1;
43025 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
43027 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
43028 + grsec_enable_socket_client = 1;
43029 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
43031 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
43032 + grsec_enable_socket_server = 1;
43033 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
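Review bot: `memset((char *)(0x41a + PAGE_OFFSET), 0, 36);` in grsecurity_init writes to a raw physical address with no explanation; the range 0x41a..0x43d matches the BIOS data area keyboard-buffer head/tail pointers and ring buffer, and a comment such as `/* zero the BIOS keyboard buffer (BDA 0x41a-0x43d) so keystrokes typed before boot do not linger in low memory */` would spare the next reader a trip through the BDA map. The two lines around it are elided in this view, so I cannot see which architecture conditional guards it; if it is not already under an x86-only `#ifdef`, it needs one, since PAGE_OFFSET plus a BDA offset is meaningless elsewhere. The explicit `= 0` initialisers on `grsec_alert_wtime` and `grsec_alert_fyet` are redundant for file-scope objects and checkpatch flags them; dropping them is a style nit only.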
43039 diff -urNp linux-2.6.38.4/grsecurity/grsec_link.c linux-2.6.38.4/grsecurity/grsec_link.c
43040 --- linux-2.6.38.4/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
43041 +++ linux-2.6.38.4/grsecurity/grsec_link.c 2011-04-17 15:57:32.000000000 -0400
43043 +#include <linux/kernel.h>
43044 +#include <linux/sched.h>
43045 +#include <linux/fs.h>
43046 +#include <linux/file.h>
43047 +#include <linux/grinternal.h>
43050 +gr_handle_follow_link(const struct inode *parent,
43051 + const struct inode *inode,
43052 + const struct dentry *dentry, const struct vfsmount *mnt)
43054 +#ifdef CONFIG_GRKERNSEC_LINK
43055 + const struct cred *cred = current_cred();
43057 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
43058 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
43059 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
43060 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
43068 +gr_handle_hardlink(const struct dentry *dentry,
43069 + const struct vfsmount *mnt,
43070 + struct inode *inode, const int mode, const char *to)
43072 +#ifdef CONFIG_GRKERNSEC_LINK
43073 + const struct cred *cred = current_cred();
43075 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
43076 + (!S_ISREG(mode) || (mode & S_ISUID) ||
43077 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
43078 + (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
43079 + !capable(CAP_FOWNER) && cred->uid) {
43080 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
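Review bot: gr_handle_hardlink's condition ends in `!capable(CAP_FOWNER) && cred->uid`, so any process whose real uid is 0 is exempt even when it lacks CAP_FOWNER, and the `inode_permission(inode, MAY_READ | MAY_WRITE)` clause means a link to a file the caller cannot both read and write is refused; neither rule is documented. A comment above the `if` along the lines of `/* non-owners may only hardlink regular, non-setuid/setgid files they can read and write; uid 0 and CAP_FOWNER are exempt */` would make the policy reviewable without re-deriving it from the boolean. The same applies to gr_handle_follow_link, where the sticky-plus-world-writable parent test deserves a one-line statement of intent. The return statements and closing braces of both functions are elided in this view.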
43086 diff -urNp linux-2.6.38.4/grsecurity/grsec_log.c linux-2.6.38.4/grsecurity/grsec_log.c
43087 --- linux-2.6.38.4/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
43088 +++ linux-2.6.38.4/grsecurity/grsec_log.c 2011-04-17 15:57:32.000000000 -0400
43090 +#include <linux/kernel.h>
43091 +#include <linux/sched.h>
43092 +#include <linux/file.h>
43093 +#include <linux/tty.h>
43094 +#include <linux/fs.h>
43095 +#include <linux/grinternal.h>
43097 +#ifdef CONFIG_TREE_PREEMPT_RCU
43098 +#define DISABLE_PREEMPT() preempt_disable()
43099 +#define ENABLE_PREEMPT() preempt_enable()
43101 +#define DISABLE_PREEMPT()
43102 +#define ENABLE_PREEMPT()
43105 +#define BEGIN_LOCKS(x) \
43106 + DISABLE_PREEMPT(); \
43107 + rcu_read_lock(); \
43108 + read_lock(&tasklist_lock); \
43109 + read_lock(&grsec_exec_file_lock); \
43110 + if (x != GR_DO_AUDIT) \
43111 + spin_lock(&grsec_alert_lock); \
43113 + spin_lock(&grsec_audit_lock)
43115 +#define END_LOCKS(x) \
43116 + if (x != GR_DO_AUDIT) \
43117 + spin_unlock(&grsec_alert_lock); \
43119 + spin_unlock(&grsec_audit_lock); \
43120 + read_unlock(&grsec_exec_file_lock); \
43121 + read_unlock(&tasklist_lock); \
43122 + rcu_read_unlock(); \
43123 + ENABLE_PREEMPT(); \
43124 + if (x == GR_DONT_AUDIT) \
43125 + gr_handle_alertkill(current)
43132 +extern char *gr_alert_log_fmt;
43133 +extern char *gr_audit_log_fmt;
43134 +extern char *gr_alert_log_buf;
43135 +extern char *gr_audit_log_buf;
43137 +static int gr_log_start(int audit)
43139 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
43140 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
43141 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
43143 + if (audit == GR_DO_AUDIT)
43146 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
43147 + grsec_alert_wtime = jiffies;
43148 + grsec_alert_fyet = 0;
43149 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
43150 + grsec_alert_fyet++;
43151 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
43152 + grsec_alert_wtime = jiffies;
43153 + grsec_alert_fyet++;
43154 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
43156 + } else return FLOODING;
43159 + memset(buf, 0, PAGE_SIZE);
43160 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
43161 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
43162 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
43163 + } else if (current->signal->curr_ip) {
43164 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
43165 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip);
43166 + } else if (gr_acl_is_enabled()) {
43167 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
43168 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
43170 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
43171 + strcpy(buf, fmt);
43174 + return NO_FLOODING;
43177 +static void gr_log_middle(int audit, const char *msg, va_list ap)
43178 + __attribute__ ((format (printf, 2, 0)));
43180 +static void gr_log_middle(int audit, const char *msg, va_list ap)
43182 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
43183 + unsigned int len = strlen(buf);
43185 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
43190 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
43191 + __attribute__ ((format (printf, 2, 3)));
43193 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
43195 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
43196 + unsigned int len = strlen(buf);
43199 + va_start(ap, msg);
43200 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
43206 +static void gr_log_end(int audit)
43208 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
43209 + unsigned int len = strlen(buf);
43211 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
43212 + printk("%s\n", buf);
43217 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
43220 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
43221 + char *str1, *str2, *str3;
43224 + unsigned long ulong1, ulong2;
43225 + struct dentry *dentry;
43226 + struct vfsmount *mnt;
43227 + struct file *file;
43228 + struct task_struct *task;
43229 + const struct cred *cred, *pcred;
43232 + BEGIN_LOCKS(audit);
43233 + logtype = gr_log_start(audit);
43234 + if (logtype == FLOODING) {
43235 + END_LOCKS(audit);
43238 + va_start(ap, argtypes);
43239 + switch (argtypes) {
43240 + case GR_TTYSNIFF:
43241 + task = va_arg(ap, struct task_struct *);
43242 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
43244 + case GR_SYSCTL_HIDDEN:
43245 + str1 = va_arg(ap, char *);
43246 + gr_log_middle_varargs(audit, msg, result, str1);
43249 + dentry = va_arg(ap, struct dentry *);
43250 + mnt = va_arg(ap, struct vfsmount *);
43251 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
43253 + case GR_RBAC_STR:
43254 + dentry = va_arg(ap, struct dentry *);
43255 + mnt = va_arg(ap, struct vfsmount *);
43256 + str1 = va_arg(ap, char *);
43257 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
43259 + case GR_STR_RBAC:
43260 + str1 = va_arg(ap, char *);
43261 + dentry = va_arg(ap, struct dentry *);
43262 + mnt = va_arg(ap, struct vfsmount *);
43263 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
43265 + case GR_RBAC_MODE2:
43266 + dentry = va_arg(ap, struct dentry *);
43267 + mnt = va_arg(ap, struct vfsmount *);
43268 + str1 = va_arg(ap, char *);
43269 + str2 = va_arg(ap, char *);
43270 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
43272 + case GR_RBAC_MODE3:
43273 + dentry = va_arg(ap, struct dentry *);
43274 + mnt = va_arg(ap, struct vfsmount *);
43275 + str1 = va_arg(ap, char *);
43276 + str2 = va_arg(ap, char *);
43277 + str3 = va_arg(ap, char *);
43278 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
43280 + case GR_FILENAME:
43281 + dentry = va_arg(ap, struct dentry *);
43282 + mnt = va_arg(ap, struct vfsmount *);
43283 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
43285 + case GR_STR_FILENAME:
43286 + str1 = va_arg(ap, char *);
43287 + dentry = va_arg(ap, struct dentry *);
43288 + mnt = va_arg(ap, struct vfsmount *);
43289 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
43291 + case GR_FILENAME_STR:
43292 + dentry = va_arg(ap, struct dentry *);
43293 + mnt = va_arg(ap, struct vfsmount *);
43294 + str1 = va_arg(ap, char *);
43295 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
43297 + case GR_FILENAME_TWO_INT:
43298 + dentry = va_arg(ap, struct dentry *);
43299 + mnt = va_arg(ap, struct vfsmount *);
43300 + num1 = va_arg(ap, int);
43301 + num2 = va_arg(ap, int);
43302 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
43304 + case GR_FILENAME_TWO_INT_STR:
43305 + dentry = va_arg(ap, struct dentry *);
43306 + mnt = va_arg(ap, struct vfsmount *);
43307 + num1 = va_arg(ap, int);
43308 + num2 = va_arg(ap, int);
43309 + str1 = va_arg(ap, char *);
43310 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
43313 + file = va_arg(ap, struct file *);
43314 + ulong1 = va_arg(ap, unsigned long);
43315 + ulong2 = va_arg(ap, unsigned long);
43316 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
43319 + task = va_arg(ap, struct task_struct *);
43320 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
43322 + case GR_RESOURCE:
43323 + task = va_arg(ap, struct task_struct *);
43324 + cred = __task_cred(task);
43325 + pcred = __task_cred(task->real_parent);
43326 + ulong1 = va_arg(ap, unsigned long);
43327 + str1 = va_arg(ap, char *);
43328 + ulong2 = va_arg(ap, unsigned long);
43329 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
43332 + task = va_arg(ap, struct task_struct *);
43333 + cred = __task_cred(task);
43334 + pcred = __task_cred(task->real_parent);
43335 + str1 = va_arg(ap, char *);
43336 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
43339 + str1 = va_arg(ap, char *);
43340 + voidptr = va_arg(ap, void *);
43341 + gr_log_middle_varargs(audit, msg, str1, voidptr);
43344 + task = va_arg(ap, struct task_struct *);
43345 + cred = __task_cred(task);
43346 + pcred = __task_cred(task->real_parent);
43347 + num1 = va_arg(ap, int);
43348 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
43351 + task = va_arg(ap, struct task_struct *);
43352 + cred = __task_cred(task);
43353 + pcred = __task_cred(task->real_parent);
43354 + ulong1 = va_arg(ap, unsigned long);
43355 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
43358 + task = va_arg(ap, struct task_struct *);
43359 + cred = __task_cred(task);
43360 + pcred = __task_cred(task->real_parent);
43361 + ulong1 = va_arg(ap, unsigned long);
43362 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
43365 + file = va_arg(ap, struct file *);
43366 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
43370 + unsigned int wday, cday;
43374 + char cur_tty[64] = { 0 };
43375 + char parent_tty[64] = { 0 };
43377 + task = va_arg(ap, struct task_struct *);
43378 + wday = va_arg(ap, unsigned int);
43379 + cday = va_arg(ap, unsigned int);
43380 + whr = va_arg(ap, int);
43381 + chr = va_arg(ap, int);
43382 + wmin = va_arg(ap, int);
43383 + cmin = va_arg(ap, int);
43384 + wsec = va_arg(ap, int);
43385 + csec = va_arg(ap, int);
43386 + ulong1 = va_arg(ap, unsigned long);
43387 + cred = __task_cred(task);
43388 + pcred = __task_cred(task->real_parent);
43390 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
43394 + gr_log_middle(audit, msg, ap);
43397 + gr_log_end(audit);
43398 + END_LOCKS(audit);
43400 diff -urNp linux-2.6.38.4/grsecurity/grsec_mem.c linux-2.6.38.4/grsecurity/grsec_mem.c
43401 --- linux-2.6.38.4/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
43402 +++ linux-2.6.38.4/grsecurity/grsec_mem.c 2011-04-17 15:57:32.000000000 -0400
43404 +#include <linux/kernel.h>
43405 +#include <linux/sched.h>
43406 +#include <linux/mm.h>
43407 +#include <linux/mman.h>
43408 +#include <linux/grinternal.h>
43411 +gr_handle_ioperm(void)
43413 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
43418 +gr_handle_iopl(void)
43420 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
43425 +gr_handle_mem_readwrite(u64 from, u64 to)
43427 + gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
43432 +gr_handle_vm86(void)
43434 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
43437 diff -urNp linux-2.6.38.4/grsecurity/grsec_mount.c linux-2.6.38.4/grsecurity/grsec_mount.c
43438 --- linux-2.6.38.4/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
43439 +++ linux-2.6.38.4/grsecurity/grsec_mount.c 2011-04-17 15:57:32.000000000 -0400
43441 +#include <linux/kernel.h>
43442 +#include <linux/sched.h>
43443 +#include <linux/mount.h>
43444 +#include <linux/grsecurity.h>
43445 +#include <linux/grinternal.h>
43448 +gr_log_remount(const char *devname, const int retval)
43450 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
43451 + if (grsec_enable_mount && (retval >= 0))
43452 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
43458 +gr_log_unmount(const char *devname, const int retval)
43460 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
43461 + if (grsec_enable_mount && (retval >= 0))
43462 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
43468 +gr_log_mount(const char *from, const char *to, const int retval)
43470 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
43471 + if (grsec_enable_mount && (retval >= 0))
43472 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
43478 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
43480 +#ifdef CONFIG_GRKERNSEC_ROFS
43481 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
43482 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
43491 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
43493 +#ifdef CONFIG_GRKERNSEC_ROFS
43494 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
43495 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
43496 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
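Review bot: gr_log_mount hands `from` and `to` straight to gr_log_str_str, whereas gr_log_remount and gr_log_unmount in the same file guard their device string with `devname ? devname : "none"`; a mount request that carries no device string (pseudo filesystems can be mounted that way) would therefore reach the formatter with a NULL `from`. If gr_log_str_str feeds these to a `%s` conversion the kernel printf prints "(null)" rather than faulting, but the audit line still disagrees with the other two helpers and with what an operator grepping the log expects. Apply the same guard in gr_log_mount: `gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to ? to : "none");`.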
43503 diff -urNp linux-2.6.38.4/grsecurity/grsec_pax.c linux-2.6.38.4/grsecurity/grsec_pax.c
43504 --- linux-2.6.38.4/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
43505 +++ linux-2.6.38.4/grsecurity/grsec_pax.c 2011-04-17 15:57:32.000000000 -0400
43507 +#include <linux/kernel.h>
43508 +#include <linux/sched.h>
43509 +#include <linux/mm.h>
43510 +#include <linux/file.h>
43511 +#include <linux/grinternal.h>
43512 +#include <linux/grsecurity.h>
43515 +gr_log_textrel(struct vm_area_struct * vma)
43517 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
43518 + if (grsec_enable_audit_textrel)
43519 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
43525 +gr_log_rwxmmap(struct file *file)
43527 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
43528 + if (grsec_enable_log_rwxmaps)
43529 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
43535 +gr_log_rwxmprotect(struct file *file)
43537 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
43538 + if (grsec_enable_log_rwxmaps)
43539 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
43543 diff -urNp linux-2.6.38.4/grsecurity/grsec_ptrace.c linux-2.6.38.4/grsecurity/grsec_ptrace.c
43544 --- linux-2.6.38.4/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
43545 +++ linux-2.6.38.4/grsecurity/grsec_ptrace.c 2011-04-17 15:57:32.000000000 -0400
43547 +#include <linux/kernel.h>
43548 +#include <linux/sched.h>
43549 +#include <linux/grinternal.h>
43550 +#include <linux/grsecurity.h>
43553 +gr_audit_ptrace(struct task_struct *task)
43555 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
43556 + if (grsec_enable_audit_ptrace)
43557 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
43561 diff -urNp linux-2.6.38.4/grsecurity/grsec_sig.c linux-2.6.38.4/grsecurity/grsec_sig.c
43562 --- linux-2.6.38.4/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
43563 +++ linux-2.6.38.4/grsecurity/grsec_sig.c 2011-04-17 15:57:32.000000000 -0400
43565 +#include <linux/kernel.h>
43566 +#include <linux/sched.h>
43567 +#include <linux/delay.h>
43568 +#include <linux/grsecurity.h>
43569 +#include <linux/grinternal.h>
43570 +#include <linux/hardirq.h>
43572 +char *signames[] = {
43573 + [SIGSEGV] = "Segmentation fault",
43574 + [SIGILL] = "Illegal instruction",
43575 + [SIGABRT] = "Abort",
43576 + [SIGBUS] = "Invalid alignment/Bus error"
43580 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
43582 +#ifdef CONFIG_GRKERNSEC_SIGNAL
43583 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
43584 + (sig == SIGABRT) || (sig == SIGBUS))) {
43585 + if (t->pid == current->pid) {
43586 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
43588 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
43596 +gr_handle_signal(const struct task_struct *p, const int sig)
43598 +#ifdef CONFIG_GRKERNSEC
43599 + if (current->pid > 1 && gr_check_protected_task(p)) {
43600 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
43602 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
43609 +#ifdef CONFIG_GRKERNSEC
43610 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
43612 +int gr_fake_force_sig(int sig, struct task_struct *t)
43614 + unsigned long int flags;
43615 + int ret, blocked, ignored;
43616 + struct k_sigaction *action;
43618 + spin_lock_irqsave(&t->sighand->siglock, flags);
43619 + action = &t->sighand->action[sig-1];
43620 + ignored = action->sa.sa_handler == SIG_IGN;
43621 + blocked = sigismember(&t->blocked, sig);
43622 + if (blocked || ignored) {
43623 + action->sa.sa_handler = SIG_DFL;
43625 + sigdelset(&t->blocked, sig);
43626 + recalc_sigpending_and_wake(t);
43629 + if (action->sa.sa_handler == SIG_DFL)
43630 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
43631 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
43633 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
43639 +#ifdef CONFIG_GRKERNSEC_BRUTE
43640 +#define GR_USER_BAN_TIME (15 * 60)
43642 +static int __get_dumpable(unsigned long mm_flags)
43646 + ret = mm_flags & MMF_DUMPABLE_MASK;
43647 + return (ret >= 2) ? 2 : ret;
43651 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
43653 +#ifdef CONFIG_GRKERNSEC_BRUTE
43657 + read_lock(&tasklist_lock);
43658 + read_lock(&grsec_exec_file_lock);
43659 + if (p->real_parent && p->real_parent->exec_file == p->exec_file)
43660 + p->real_parent->brute = 1;
43662 + const struct cred *cred = __task_cred(p), *cred2;
43663 + struct task_struct *tsk, *tsk2;
43665 + if (!__get_dumpable(mm_flags) && cred->uid) {
43666 + struct user_struct *user;
43670 + /* this is put upon execution past expiration */
43671 + user = find_user(uid);
43672 + if (user == NULL)
43674 + user->banned = 1;
43675 + user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
43676 + if (user->ban_expires == ~0UL)
43677 + user->ban_expires--;
43679 + do_each_thread(tsk2, tsk) {
43680 + cred2 = __task_cred(tsk);
43681 + if (tsk != p && cred2->uid == uid)
43682 + gr_fake_force_sig(SIGKILL, tsk);
43683 + } while_each_thread(tsk2, tsk);
43687 + read_unlock(&grsec_exec_file_lock);
43688 + read_unlock(&tasklist_lock);
43689 + rcu_read_unlock();
43692 + printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
43698 +void gr_handle_brute_check(void)
43700 +#ifdef CONFIG_GRKERNSEC_BRUTE
43701 + if (current->brute)
43702 + msleep(30 * 1000);
43707 +void gr_handle_kernel_exploit(void)
43709 +#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
43710 + const struct cred *cred;
43711 + struct task_struct *tsk, *tsk2;
43712 + struct user_struct *user;
43715 + if (in_irq() || in_serving_softirq() || in_nmi())
43716 + panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
43718 + uid = current_uid();
43721 + panic("grsec: halting the system due to suspicious kernel crash caused by root");
43723 + /* kill all the processes of this user, hold a reference
43724 + to their creds struct, and prevent them from creating
43725 + another process until system reset
43727 + printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n", uid);
43728 + /* we intentionally leak this ref */
43729 + user = get_uid(current->cred->user);
43731 + user->banned = 1;
43732 + user->ban_expires = ~0UL;
43735 + read_lock(&tasklist_lock);
43736 + do_each_thread(tsk2, tsk) {
43737 + cred = __task_cred(tsk);
43738 + if (cred->uid == uid)
43739 + gr_fake_force_sig(SIGKILL, tsk);
43740 + } while_each_thread(tsk2, tsk);
43741 + read_unlock(&tasklist_lock);
43746 +int gr_process_user_ban(void)
43748 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
43749 + if (unlikely(current->cred->user->banned)) {
43750 + struct user_struct *user = current->cred->user;
43751 + if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) {
43752 + user->banned = 0;
43753 + user->ban_expires = 0;
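Review bot: `signames` at the top of grsec_sig.c is a writable, externally linked table of pointers to string literals, yet nothing in this hunk writes to it (gr_log_signal only indexes it for the four handled signals), so it should be `static const char * const signames[]`, which moves the pointers into read-only data and keeps the symbol out of the global namespace — the same constification this patch applies to `dma_map_ops` elsewhere. Separately, the kill loops in gr_handle_brute_attach and gr_handle_kernel_exploit pick victims by `cred->uid == uid` alone, while the ban itself is recorded on a `user_struct` obtained via `find_user(uid)` / `current->cred->user`; if find_user() resolves the uid inside the caller's user namespace in this tree, as I believe it does, a task in a different user namespace that merely shares the numeric uid would be killed without being the banned principal. Comparing the cred's owner instead, `if (tsk != p && cred2->user == user)` and `if (cred->user == user)`, ties the kill set to exactly the `user_struct` that was banned; if the namespace-blind behaviour is intended, a comment saying so would save the next reader the same question.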
43762 diff -urNp linux-2.6.38.4/grsecurity/grsec_sock.c linux-2.6.38.4/grsecurity/grsec_sock.c
43763 --- linux-2.6.38.4/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
43764 +++ linux-2.6.38.4/grsecurity/grsec_sock.c 2011-04-17 15:57:32.000000000 -0400
43766 +#include <linux/kernel.h>
43767 +#include <linux/module.h>
43768 +#include <linux/sched.h>
43769 +#include <linux/file.h>
43770 +#include <linux/net.h>
43771 +#include <linux/in.h>
43772 +#include <linux/ip.h>
43773 +#include <net/sock.h>
43774 +#include <net/inet_sock.h>
43775 +#include <linux/grsecurity.h>
43776 +#include <linux/grinternal.h>
43777 +#include <linux/gracl.h>
43779 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
43780 +EXPORT_SYMBOL(gr_cap_rtnetlink);
43782 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
43783 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
43785 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
43786 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
43788 +#ifdef CONFIG_UNIX_MODULE
43789 +EXPORT_SYMBOL(gr_acl_handle_unix);
43790 +EXPORT_SYMBOL(gr_acl_handle_mknod);
43791 +EXPORT_SYMBOL(gr_handle_chroot_unix);
43792 +EXPORT_SYMBOL(gr_handle_create);
43795 +#ifdef CONFIG_GRKERNSEC
43796 +#define gr_conn_table_size 32749
43797 +struct conn_table_entry {
43798 + struct conn_table_entry *next;
43799 + struct signal_struct *sig;
43802 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
43803 +DEFINE_SPINLOCK(gr_conn_table_lock);
43805 +extern const char * gr_socktype_to_name(unsigned char type);
43806 +extern const char * gr_proto_to_name(unsigned char proto);
43807 +extern const char * gr_sockfamily_to_name(unsigned char family);
43809 +static __inline__ int
43810 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
43812 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
43815 +static __inline__ int
43816 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
43817 + __u16 sport, __u16 dport)
43819 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
43820 + sig->gr_sport == sport && sig->gr_dport == dport))
43826 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
43828 + struct conn_table_entry **match;
43829 + unsigned int index;
43831 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
43832 + sig->gr_sport, sig->gr_dport,
43833 + gr_conn_table_size);
43835 + newent->sig = sig;
43837 + match = &gr_conn_table[index];
43838 + newent->next = *match;
43844 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
43846 + struct conn_table_entry *match, *last = NULL;
43847 + unsigned int index;
43849 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
43850 + sig->gr_sport, sig->gr_dport,
43851 + gr_conn_table_size);
43853 + match = gr_conn_table[index];
43854 + while (match && !conn_match(match->sig,
43855 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
43856 + sig->gr_dport)) {
43858 + match = match->next;
43863 + last->next = match->next;
43865 + gr_conn_table[index] = NULL;
43872 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
43873 + __u16 sport, __u16 dport)
43875 + struct conn_table_entry *match;
43876 + unsigned int index;
43878 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
43880 + match = gr_conn_table[index];
43881 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
43882 + match = match->next;
43885 + return match->sig;
43892 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
43894 +#ifdef CONFIG_GRKERNSEC
43895 + struct signal_struct *sig = task->signal;
43896 + struct conn_table_entry *newent;
43898 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
43899 + if (newent == NULL)
43901 + /* no bh lock needed since we are called with bh disabled */
43902 + spin_lock(&gr_conn_table_lock);
43903 + gr_del_task_from_ip_table_nolock(sig);
43904 + sig->gr_saddr = inet->inet_rcv_saddr;
43905 + sig->gr_daddr = inet->inet_daddr;
43906 + sig->gr_sport = inet->inet_sport;
43907 + sig->gr_dport = inet->inet_dport;
43908 + gr_add_to_task_ip_table_nolock(sig, newent);
43909 + spin_unlock(&gr_conn_table_lock);
43914 +void gr_del_task_from_ip_table(struct task_struct *task)
43916 +#ifdef CONFIG_GRKERNSEC
43917 + spin_lock_bh(&gr_conn_table_lock);
43918 + gr_del_task_from_ip_table_nolock(task->signal);
43919 + spin_unlock_bh(&gr_conn_table_lock);
43925 +gr_attach_curr_ip(const struct sock *sk)
43927 +#ifdef CONFIG_GRKERNSEC
43928 + struct signal_struct *p, *set;
43929 + const struct inet_sock *inet = inet_sk(sk);
43931 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
43934 + set = current->signal;
43936 + spin_lock_bh(&gr_conn_table_lock);
43937 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
43938 + inet->inet_dport, inet->inet_sport);
43939 + if (unlikely(p != NULL)) {
43940 + set->curr_ip = p->curr_ip;
43941 + set->used_accept = 1;
43942 + gr_del_task_from_ip_table_nolock(p);
43943 + spin_unlock_bh(&gr_conn_table_lock);
43946 + spin_unlock_bh(&gr_conn_table_lock);
43948 + set->curr_ip = inet->inet_daddr;
43949 + set->used_accept = 1;
43955 +gr_handle_sock_all(const int family, const int type, const int protocol)
43957 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
43958 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
43959 + (family != AF_UNIX)) {
43960 + if (family == AF_INET)
43961 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
43963 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
43971 +gr_handle_sock_server(const struct sockaddr *sck)
43973 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
43974 + if (grsec_enable_socket_server &&
43975 + in_group_p(grsec_socket_server_gid) &&
43976 + sck && (sck->sa_family != AF_UNIX) &&
43977 + (sck->sa_family != AF_LOCAL)) {
43978 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
43986 +gr_handle_sock_server_other(const struct sock *sck)
43988 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
43989 + if (grsec_enable_socket_server &&
43990 + in_group_p(grsec_socket_server_gid) &&
43991 + sck && (sck->sk_family != AF_UNIX) &&
43992 + (sck->sk_family != AF_LOCAL)) {
43993 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
44001 +gr_handle_sock_client(const struct sockaddr *sck)
44003 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
44004 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
44005 + sck && (sck->sa_family != AF_UNIX) &&
44006 + (sck->sa_family != AF_LOCAL)) {
44007 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
44015 +gr_cap_rtnetlink(struct sock *sock)
44017 +#ifdef CONFIG_GRKERNSEC
44018 + if (!gr_acl_is_enabled())
44019 + return current_cap();
44020 + else if (sock->sk_protocol == NETLINK_ISCSI &&
44021 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
44022 + gr_is_capable(CAP_SYS_ADMIN))
44023 + return current_cap();
44024 + else if (sock->sk_protocol == NETLINK_AUDIT &&
44025 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
44026 + gr_is_capable(CAP_AUDIT_WRITE) &&
44027 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
44028 + gr_is_capable(CAP_AUDIT_CONTROL))
44029 + return current_cap();
44030 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
44031 + ((sock->sk_protocol == NETLINK_ROUTE) ?
44032 + gr_is_capable_nolog(CAP_NET_ADMIN) :
44033 + gr_is_capable(CAP_NET_ADMIN)))
44034 + return current_cap();
44036 + return __cap_empty_set;
44038 + return current_cap();
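Review bot: In gr_del_task_from_ip_table_nolock the branch that unlinks a matching entry at the head of a bucket resets the whole bucket with `gr_conn_table[index] = NULL;` (the condition guarding it is elided in this view, but the `last->next = match->next;` line just above it already covers the non-head case, so this must be the head case); when the head entry has successors in the chain they become unreachable, are never kfree'd, and the tasks they describe silently lose the connection-to-task attribution that gr_attach_curr_ip relies on for `curr_ip`. The fix is to splice rather than reset: `gr_conn_table[index] = match->next;`. Also, conn_hash shifts the `__u16` ports after integer promotion, so `dport << 16` overflows `int` for any port at or above 32768, which is undefined behaviour in C even though GCC happens to wrap; cast before shifting, `return ((daddr + saddr + ((__u32)sport << 8) + ((__u32)dport << 16)) % size);`.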
44041 diff -urNp linux-2.6.38.4/grsecurity/grsec_sysctl.c linux-2.6.38.4/grsecurity/grsec_sysctl.c
44042 --- linux-2.6.38.4/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
44043 +++ linux-2.6.38.4/grsecurity/grsec_sysctl.c 2011-04-17 15:57:32.000000000 -0400
44045 +#include <linux/kernel.h>
44046 +#include <linux/sched.h>
44047 +#include <linux/sysctl.h>
44048 +#include <linux/grsecurity.h>
44049 +#include <linux/grinternal.h>
44052 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
44054 +#ifdef CONFIG_GRKERNSEC_SYSCTL
44055 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
44056 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
44063 +#ifdef CONFIG_GRKERNSEC_ROFS
44064 +static int __maybe_unused one = 1;
44067 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
44068 +struct ctl_table grsecurity_table[] = {
44069 +#ifdef CONFIG_GRKERNSEC_SYSCTL
44070 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
44071 +#ifdef CONFIG_GRKERNSEC_IO
44073 + .procname = "disable_priv_io",
44074 + .data = &grsec_disable_privio,
44075 + .maxlen = sizeof(int),
44077 + .proc_handler = &proc_dointvec,
44081 +#ifdef CONFIG_GRKERNSEC_LINK
44083 + .procname = "linking_restrictions",
44084 + .data = &grsec_enable_link,
44085 + .maxlen = sizeof(int),
44087 + .proc_handler = &proc_dointvec,
44090 +#ifdef CONFIG_GRKERNSEC_FIFO
44092 + .procname = "fifo_restrictions",
44093 + .data = &grsec_enable_fifo,
44094 + .maxlen = sizeof(int),
44096 + .proc_handler = &proc_dointvec,
44099 +#ifdef CONFIG_GRKERNSEC_EXECVE
44101 + .procname = "execve_limiting",
44102 + .data = &grsec_enable_execve,
44103 + .maxlen = sizeof(int),
44105 + .proc_handler = &proc_dointvec,
44108 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
44110 + .procname = "ip_blackhole",
44111 + .data = &grsec_enable_blackhole,
44112 + .maxlen = sizeof(int),
44114 + .proc_handler = &proc_dointvec,
44117 + .procname = "lastack_retries",
44118 + .data = &grsec_lastack_retries,
44119 + .maxlen = sizeof(int),
44121 + .proc_handler = &proc_dointvec,
44124 +#ifdef CONFIG_GRKERNSEC_EXECLOG
44126 + .procname = "exec_logging",
44127 + .data = &grsec_enable_execlog,
44128 + .maxlen = sizeof(int),
44130 + .proc_handler = &proc_dointvec,
44133 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
44135 + .procname = "rwxmap_logging",
44136 + .data = &grsec_enable_log_rwxmaps,
44137 + .maxlen = sizeof(int),
44139 + .proc_handler = &proc_dointvec,
44142 +#ifdef CONFIG_GRKERNSEC_SIGNAL
44144 + .procname = "signal_logging",
44145 + .data = &grsec_enable_signal,
44146 + .maxlen = sizeof(int),
44148 + .proc_handler = &proc_dointvec,
44151 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
44153 + .procname = "forkfail_logging",
44154 + .data = &grsec_enable_forkfail,
44155 + .maxlen = sizeof(int),
44157 + .proc_handler = &proc_dointvec,
44160 +#ifdef CONFIG_GRKERNSEC_TIME
44162 + .procname = "timechange_logging",
44163 + .data = &grsec_enable_time,
44164 + .maxlen = sizeof(int),
44166 + .proc_handler = &proc_dointvec,
44169 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
44171 + .procname = "chroot_deny_shmat",
44172 + .data = &grsec_enable_chroot_shmat,
44173 + .maxlen = sizeof(int),
44175 + .proc_handler = &proc_dointvec,
44178 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
44180 + .procname = "chroot_deny_unix",
44181 + .data = &grsec_enable_chroot_unix,
44182 + .maxlen = sizeof(int),
44184 + .proc_handler = &proc_dointvec,
44187 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
44189 + .procname = "chroot_deny_mount",
44190 + .data = &grsec_enable_chroot_mount,
44191 + .maxlen = sizeof(int),
44193 + .proc_handler = &proc_dointvec,
44196 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
44198 + .procname = "chroot_deny_fchdir",
44199 + .data = &grsec_enable_chroot_fchdir,
44200 + .maxlen = sizeof(int),
44202 + .proc_handler = &proc_dointvec,
44205 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
44207 + .procname = "chroot_deny_chroot",
44208 + .data = &grsec_enable_chroot_double,
44209 + .maxlen = sizeof(int),
44211 + .proc_handler = &proc_dointvec,
44214 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
44216 + .procname = "chroot_deny_pivot",
44217 + .data = &grsec_enable_chroot_pivot,
44218 + .maxlen = sizeof(int),
44220 + .proc_handler = &proc_dointvec,
44223 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
44225 + .procname = "chroot_enforce_chdir",
44226 + .data = &grsec_enable_chroot_chdir,
44227 + .maxlen = sizeof(int),
44229 + .proc_handler = &proc_dointvec,
44232 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
44234 + .procname = "chroot_deny_chmod",
44235 + .data = &grsec_enable_chroot_chmod,
44236 + .maxlen = sizeof(int),
44238 + .proc_handler = &proc_dointvec,
44241 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
44243 + .procname = "chroot_deny_mknod",
44244 + .data = &grsec_enable_chroot_mknod,
44245 + .maxlen = sizeof(int),
44247 + .proc_handler = &proc_dointvec,
44250 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
44252 + .procname = "chroot_restrict_nice",
44253 + .data = &grsec_enable_chroot_nice,
44254 + .maxlen = sizeof(int),
44256 + .proc_handler = &proc_dointvec,
44259 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
44261 + .procname = "chroot_execlog",
44262 + .data = &grsec_enable_chroot_execlog,
44263 + .maxlen = sizeof(int),
44265 + .proc_handler = &proc_dointvec,
44268 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
44270 + .procname = "chroot_caps",
44271 + .data = &grsec_enable_chroot_caps,
44272 + .maxlen = sizeof(int),
44274 + .proc_handler = &proc_dointvec,
44277 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
44279 + .procname = "chroot_deny_sysctl",
44280 + .data = &grsec_enable_chroot_sysctl,
44281 + .maxlen = sizeof(int),
44283 + .proc_handler = &proc_dointvec,
44286 +#ifdef CONFIG_GRKERNSEC_TPE
44288 + .procname = "tpe",
44289 + .data = &grsec_enable_tpe,
44290 + .maxlen = sizeof(int),
44292 + .proc_handler = &proc_dointvec,
44295 + .procname = "tpe_gid",
44296 + .data = &grsec_tpe_gid,
44297 + .maxlen = sizeof(int),
44299 + .proc_handler = &proc_dointvec,
44302 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
44304 + .procname = "tpe_invert",
44305 + .data = &grsec_enable_tpe_invert,
44306 + .maxlen = sizeof(int),
44308 + .proc_handler = &proc_dointvec,
44311 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
44313 + .procname = "tpe_restrict_all",
44314 + .data = &grsec_enable_tpe_all,
44315 + .maxlen = sizeof(int),
44317 + .proc_handler = &proc_dointvec,
44320 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
44322 + .procname = "socket_all",
44323 + .data = &grsec_enable_socket_all,
44324 + .maxlen = sizeof(int),
44326 + .proc_handler = &proc_dointvec,
44329 + .procname = "socket_all_gid",
44330 + .data = &grsec_socket_all_gid,
44331 + .maxlen = sizeof(int),
44333 + .proc_handler = &proc_dointvec,
44336 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
44338 + .procname = "socket_client",
44339 + .data = &grsec_enable_socket_client,
44340 + .maxlen = sizeof(int),
44342 + .proc_handler = &proc_dointvec,
44345 + .procname = "socket_client_gid",
44346 + .data = &grsec_socket_client_gid,
44347 + .maxlen = sizeof(int),
44349 + .proc_handler = &proc_dointvec,
44352 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
44354 + .procname = "socket_server",
44355 + .data = &grsec_enable_socket_server,
44356 + .maxlen = sizeof(int),
44358 + .proc_handler = &proc_dointvec,
44361 + .procname = "socket_server_gid",
44362 + .data = &grsec_socket_server_gid,
44363 + .maxlen = sizeof(int),
44365 + .proc_handler = &proc_dointvec,
44368 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
44370 + .procname = "audit_group",
44371 + .data = &grsec_enable_group,
44372 + .maxlen = sizeof(int),
44374 + .proc_handler = &proc_dointvec,
44377 + .procname = "audit_gid",
44378 + .data = &grsec_audit_gid,
44379 + .maxlen = sizeof(int),
44381 + .proc_handler = &proc_dointvec,
44384 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
44386 + .procname = "audit_chdir",
44387 + .data = &grsec_enable_chdir,
44388 + .maxlen = sizeof(int),
44390 + .proc_handler = &proc_dointvec,
44393 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
44395 + .procname = "audit_mount",
44396 + .data = &grsec_enable_mount,
44397 + .maxlen = sizeof(int),
44399 + .proc_handler = &proc_dointvec,
44402 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
44404 + .procname = "audit_textrel",
44405 + .data = &grsec_enable_audit_textrel,
44406 + .maxlen = sizeof(int),
44408 + .proc_handler = &proc_dointvec,
44411 +#ifdef CONFIG_GRKERNSEC_DMESG
44413 + .procname = "dmesg",
44414 + .data = &grsec_enable_dmesg,
44415 + .maxlen = sizeof(int),
44417 + .proc_handler = &proc_dointvec,
44420 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
44422 + .procname = "chroot_findtask",
44423 + .data = &grsec_enable_chroot_findtask,
44424 + .maxlen = sizeof(int),
44426 + .proc_handler = &proc_dointvec,
44429 +#ifdef CONFIG_GRKERNSEC_RESLOG
44431 + .procname = "resource_logging",
44432 + .data = &grsec_resource_logging,
44433 + .maxlen = sizeof(int),
44435 + .proc_handler = &proc_dointvec,
44438 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
44440 + .procname = "audit_ptrace",
44441 + .data = &grsec_enable_audit_ptrace,
44442 + .maxlen = sizeof(int),
44444 + .proc_handler = &proc_dointvec,
44447 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
44449 + .procname = "harden_ptrace",
44450 + .data = &grsec_enable_harden_ptrace,
44451 + .maxlen = sizeof(int),
44453 + .proc_handler = &proc_dointvec,
44457 + .procname = "grsec_lock",
44458 + .data = &grsec_lock,
44459 + .maxlen = sizeof(int),
44461 + .proc_handler = &proc_dointvec,
44464 +#ifdef CONFIG_GRKERNSEC_ROFS
44466 + .procname = "romount_protect",
44467 + .data = &grsec_enable_rofs,
44468 + .maxlen = sizeof(int),
44470 + .proc_handler = &proc_dointvec_minmax,
44478 diff -urNp linux-2.6.38.4/grsecurity/grsec_time.c linux-2.6.38.4/grsecurity/grsec_time.c
44479 --- linux-2.6.38.4/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
44480 +++ linux-2.6.38.4/grsecurity/grsec_time.c 2011-04-17 15:57:32.000000000 -0400
44482 +#include <linux/kernel.h>
44483 +#include <linux/sched.h>
44484 +#include <linux/grinternal.h>
44485 +#include <linux/module.h>
44488 +gr_log_timechange(void)
44490 +#ifdef CONFIG_GRKERNSEC_TIME
44491 + if (grsec_enable_time)
44492 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
44497 +EXPORT_SYMBOL(gr_log_timechange);
44498 diff -urNp linux-2.6.38.4/grsecurity/grsec_tpe.c linux-2.6.38.4/grsecurity/grsec_tpe.c
44499 --- linux-2.6.38.4/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
44500 +++ linux-2.6.38.4/grsecurity/grsec_tpe.c 2011-04-17 15:57:32.000000000 -0400
44502 +#include <linux/kernel.h>
44503 +#include <linux/sched.h>
44504 +#include <linux/file.h>
44505 +#include <linux/fs.h>
44506 +#include <linux/grinternal.h>
44508 +extern int gr_acl_tpe_check(void);
44511 +gr_tpe_allow(const struct file *file)
44513 +#ifdef CONFIG_GRKERNSEC
44514 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
44515 + const struct cred *cred = current_cred();
44517 + if (cred->uid && ((grsec_enable_tpe &&
44518 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
44519 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
44520 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
44522 + in_group_p(grsec_tpe_gid)
44524 + ) || gr_acl_tpe_check()) &&
44525 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
44526 + (inode->i_mode & S_IWOTH))))) {
44527 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
44530 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
44531 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
44532 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
44533 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
44534 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
44541 diff -urNp linux-2.6.38.4/grsecurity/grsum.c linux-2.6.38.4/grsecurity/grsum.c
44542 --- linux-2.6.38.4/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
44543 +++ linux-2.6.38.4/grsecurity/grsum.c 2011-04-17 15:57:32.000000000 -0400
44545 +#include <linux/err.h>
44546 +#include <linux/kernel.h>
44547 +#include <linux/sched.h>
44548 +#include <linux/mm.h>
44549 +#include <linux/scatterlist.h>
44550 +#include <linux/crypto.h>
44551 +#include <linux/gracl.h>
44554 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
44555 +#error "crypto and sha256 must be built into the kernel"
44559 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
44562 + struct crypto_hash *tfm;
44563 + struct hash_desc desc;
44564 + struct scatterlist sg;
44565 + unsigned char temp_sum[GR_SHA_LEN];
44566 + volatile int retval = 0;
44567 + volatile int dummy = 0;
44570 + sg_init_table(&sg, 1);
44572 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
44573 + if (IS_ERR(tfm)) {
44574 + /* should never happen, since sha256 should be built in */
44581 + crypto_hash_init(&desc);
44584 + sg_set_buf(&sg, p, GR_SALT_LEN);
44585 + crypto_hash_update(&desc, &sg, sg.length);
44588 + sg_set_buf(&sg, p, strlen(p));
44590 + crypto_hash_update(&desc, &sg, sg.length);
44592 + crypto_hash_final(&desc, temp_sum);
44594 + memset(entry->pw, 0, GR_PW_LEN);
44596 + for (i = 0; i < GR_SHA_LEN; i++)
44597 + if (sum[i] != temp_sum[i])
44600 + dummy = 1; // waste a cycle
44602 + crypto_free_hash(tfm);
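Review bot: The digest comparison loop at lines 44596-44600 still branches on every byte (`if (sum[i] != temp_sum[i])`), so the "waste a cycle" arm only balances instruction count, not the data-dependent conditional jump the compiler emits, and `volatile` does not change that. A branch-free accumulation, `retval |= sum[i] ^ temp_sum[i];` with the result treated as non-zero on mismatch, removes both the branch and the `dummy` variable; the line that sets `retval` on mismatch is not shown in this rendering, so the sense of the return value the caller expects should be confirmed before changing it. `temp_sum` also leaves the computed digest on the stack after return and should be cleared next to the existing `memset(entry->pw, 0, GR_PW_LEN);`, e.g. `memset(temp_sum, 0, GR_SHA_LEN);`. The return values of crypto_hash_init/update/final at 44581-44592 are ignored, which is only tolerable because the `#error` at 44554 guarantees the transform is built in.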
44606 diff -urNp linux-2.6.38.4/grsecurity/Kconfig linux-2.6.38.4/grsecurity/Kconfig
44607 --- linux-2.6.38.4/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
44608 +++ linux-2.6.38.4/grsecurity/Kconfig 2011-04-17 15:57:32.000000000 -0400
44611 +# grecurity configuration
44617 + bool "Grsecurity"
44619 + select CRYPTO_SHA256
44621 + If you say Y here, you will be able to configure many features
44622 + that will enhance the security of your system. It is highly
44623 + recommended that you say Y here and read through the help
44624 + for each option so that you fully understand the features and
44625 + can evaluate their usefulness for your machine.
44628 + prompt "Security Level"
44629 + depends on GRKERNSEC
44630 + default GRKERNSEC_CUSTOM
44632 +config GRKERNSEC_LOW
44634 + select GRKERNSEC_LINK
44635 + select GRKERNSEC_FIFO
44636 + select GRKERNSEC_EXECVE
44637 + select GRKERNSEC_RANDNET
44638 + select GRKERNSEC_DMESG
44639 + select GRKERNSEC_CHROOT
44640 + select GRKERNSEC_CHROOT_CHDIR
44643 + If you choose this option, several of the grsecurity options will
44644 + be enabled that will give you greater protection against a number
44645 + of attacks, while assuring that none of your software will have any
44646 + conflicts with the additional security measures. If you run a lot
44647 + of unusual software, or you are having problems with the higher
44648 + security levels, you should say Y here. With this option, the
44649 + following features are enabled:
44651 + - Linking restrictions
44652 + - FIFO restrictions
44653 + - Enforcing RLIMIT_NPROC on execve
44654 + - Restricted dmesg
44655 + - Enforced chdir("/") on chroot
44656 + - Runtime module disabling
44658 +config GRKERNSEC_MEDIUM
44661 + select PAX_EI_PAX
44662 + select PAX_PT_PAX_FLAGS
44663 + select PAX_HAVE_ACL_FLAGS
44664 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
44665 + select GRKERNSEC_CHROOT
44666 + select GRKERNSEC_CHROOT_SYSCTL
44667 + select GRKERNSEC_LINK
44668 + select GRKERNSEC_FIFO
44669 + select GRKERNSEC_EXECVE
44670 + select GRKERNSEC_DMESG
44671 + select GRKERNSEC_RANDNET
44672 + select GRKERNSEC_FORKFAIL
44673 + select GRKERNSEC_TIME
44674 + select GRKERNSEC_SIGNAL
44675 + select GRKERNSEC_CHROOT
44676 + select GRKERNSEC_CHROOT_UNIX
44677 + select GRKERNSEC_CHROOT_MOUNT
44678 + select GRKERNSEC_CHROOT_PIVOT
44679 + select GRKERNSEC_CHROOT_DOUBLE
44680 + select GRKERNSEC_CHROOT_CHDIR
44681 + select GRKERNSEC_CHROOT_MKNOD
44682 + select GRKERNSEC_PROC
44683 + select GRKERNSEC_PROC_USERGROUP
44684 + select PAX_RANDUSTACK
44686 + select PAX_RANDMMAP
44687 + select PAX_REFCOUNT if (X86 || SPARC64)
44688 + select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC) && (SLAB || SLUB || SLOB))
44691 + If you say Y here, several features in addition to those included
44692 + in the low additional security level will be enabled. These
44693 + features provide even more security to your system, though in rare
44694 + cases they may be incompatible with very old or poorly written
44695 + software. If you enable this option, make sure that your auth
44696 + service (identd) is running as gid 1001. With this option,
44697 + the following features (in addition to those provided in the
44698 + low additional security level) will be enabled:
44700 + - Failed fork logging
44701 + - Time change logging
44703 + - Deny mounts in chroot
44704 + - Deny double chrooting
44705 + - Deny sysctl writes in chroot
44706 + - Deny mknod in chroot
44707 + - Deny access to abstract AF_UNIX sockets out of chroot
44708 + - Deny pivot_root in chroot
44709 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
44710 + - /proc restrictions with special GID set to 10 (usually wheel)
44711 + - Address Space Layout Randomization (ASLR)
44712 + - Prevent exploitation of most refcount overflows
44713 + - Bounds checking of copying between the kernel and userland
44715 +config GRKERNSEC_HIGH
44717 + select GRKERNSEC_LINK
44718 + select GRKERNSEC_FIFO
44719 + select GRKERNSEC_EXECVE
44720 + select GRKERNSEC_DMESG
44721 + select GRKERNSEC_FORKFAIL
44722 + select GRKERNSEC_TIME
44723 + select GRKERNSEC_SIGNAL
44724 + select GRKERNSEC_CHROOT
44725 + select GRKERNSEC_CHROOT_SHMAT
44726 + select GRKERNSEC_CHROOT_UNIX
44727 + select GRKERNSEC_CHROOT_MOUNT
44728 + select GRKERNSEC_CHROOT_FCHDIR
44729 + select GRKERNSEC_CHROOT_PIVOT
44730 + select GRKERNSEC_CHROOT_DOUBLE
44731 + select GRKERNSEC_CHROOT_CHDIR
44732 + select GRKERNSEC_CHROOT_MKNOD
44733 + select GRKERNSEC_CHROOT_CAPS
44734 + select GRKERNSEC_CHROOT_SYSCTL
44735 + select GRKERNSEC_CHROOT_FINDTASK
44736 + select GRKERNSEC_SYSFS_RESTRICT
44737 + select GRKERNSEC_PROC
44738 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
44739 + select GRKERNSEC_HIDESYM
44740 + select GRKERNSEC_BRUTE
44741 + select GRKERNSEC_PROC_USERGROUP
44742 + select GRKERNSEC_KMEM
44743 + select GRKERNSEC_RESLOG
44744 + select GRKERNSEC_RANDNET
44745 + select GRKERNSEC_PROC_ADD
44746 + select GRKERNSEC_CHROOT_CHMOD
44747 + select GRKERNSEC_CHROOT_NICE
44748 + select GRKERNSEC_AUDIT_MOUNT
44749 + select GRKERNSEC_MODHARDEN if (MODULES)
44750 + select GRKERNSEC_HARDEN_PTRACE
44751 + select GRKERNSEC_VM86 if (X86_32)
44752 + select GRKERNSEC_KERN_LOCKOUT if (X86)
44754 + select PAX_RANDUSTACK
44756 + select PAX_RANDMMAP
44757 + select PAX_NOEXEC
44758 + select PAX_MPROTECT
44759 + select PAX_EI_PAX
44760 + select PAX_PT_PAX_FLAGS
44761 + select PAX_HAVE_ACL_FLAGS
44762 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
44763 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
44764 + select PAX_RANDKSTACK if (X86_TSC && X86)
44765 + select PAX_SEGMEXEC if (X86_32)
44766 + select PAX_PAGEEXEC
44767 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
44768 + select PAX_EMUTRAMP if (PARISC)
44769 + select PAX_EMUSIGRT if (PARISC)
44770 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
44771 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
44772 + select PAX_REFCOUNT if (X86 || SPARC64)
44773 + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
44775 + If you say Y here, many of the features of grsecurity will be
44776 + enabled, which will protect you against many kinds of attacks
44777 + against your system. The heightened security comes at a cost
44778 + of an increased chance of incompatibilities with rare software
44779 + on your machine. Since this security level enables PaX, you should
44780 + view <http://pax.grsecurity.net> and read about the PaX
44781 + project. While you are there, download chpax and run it on
44782 + binaries that cause problems with PaX. Also remember that
44783 + since the /proc restrictions are enabled, you must run your
44784 + identd as gid 1001. This security level enables the following
44785 + features in addition to those listed in the low and medium
44788 + - Additional /proc restrictions
44789 + - Chmod restrictions in chroot
44790 + - No signals, ptrace, or viewing of processes outside of chroot
44791 + - Capability restrictions in chroot
44792 + - Deny fchdir out of chroot
44793 + - Priority restrictions in chroot
44794 + - Segmentation-based implementation of PaX
44795 + - Mprotect restrictions
44796 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
44797 + - Kernel stack randomization
44798 + - Mount/unmount/remount logging
44799 + - Kernel symbol hiding
44800 + - Prevention of memory exhaustion-based exploits
44801 + - Hardening of module auto-loading
44802 + - Ptrace restrictions
44803 + - Restricted vm86 mode
44804 + - Restricted sysfs/debugfs
44805 + - Active kernel exploit response
44807 +config GRKERNSEC_CUSTOM
44810 + If you say Y here, you will be able to configure every grsecurity
44811 + option, which allows you to enable many more features that aren't
44812 + covered in the basic security levels. These additional features
44813 + include TPE, socket restrictions, and the sysctl system for
44814 + grsecurity. It is advised that you read through the help for
44815 + each option to determine its usefulness in your situation.
44819 +menu "Address Space Protection"
44820 +depends on GRKERNSEC
44822 +config GRKERNSEC_KMEM
44823 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
44824 + select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
44826 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
44827 + be written to via mmap or otherwise to modify the running kernel.
44828 + /dev/port will also not be allowed to be opened. If you have module
44829 + support disabled, enabling this will close up four ways that are
44830 + currently used to insert malicious code into the running kernel.
44831 + Even with all these features enabled, we still highly recommend that
44832 + you use the RBAC system, as it is still possible for an attacker to
44833 + modify the running kernel through privileged I/O granted by ioperm/iopl.
44834 + If you are not using XFree86, you may be able to stop this additional
44835 + case by enabling the 'Disable privileged I/O' option. Though nothing
44836 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
44837 + but only to video memory, which is the only writing we allow in this
44838 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
44839 + not be allowed to mprotect it with PROT_WRITE later.
44840 + It is highly recommended that you say Y here if you meet all the
44841 + conditions above.
44843 +config GRKERNSEC_VM86
44844 + bool "Restrict VM86 mode"
44845 + depends on X86_32
44848 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
44849 + make use of a special execution mode on 32bit x86 processors called
44850 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
44851 + video cards and will still work with this option enabled. The purpose
44852 + of the option is to prevent exploitation of emulation errors in
44853 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
44854 + Nearly all users should be able to enable this option.
44856 +config GRKERNSEC_IO
44857 + bool "Disable privileged I/O"
44860 + select RTC_INTF_DEV
44861 + select RTC_DRV_CMOS
44864 + If you say Y here, all ioperm and iopl calls will return an error.
44865 + Ioperm and iopl can be used to modify the running kernel.
44866 + Unfortunately, some programs need this access to operate properly,
44867 + the most notable of which are XFree86 and hwclock. hwclock can be
44868 + remedied by having RTC support in the kernel, so real-time
44869 + clock support is enabled if this option is enabled, to ensure
44870 + that hwclock operates correctly. XFree86 still will not
44871 + operate correctly with this option enabled, so DO NOT CHOOSE Y
44872 + IF YOU USE XFree86. If you use XFree86 and you still want to
44873 + protect your kernel against modification, use the RBAC system.
44875 +config GRKERNSEC_PROC_MEMMAP
44876 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
44877 + default y if (PAX_NOEXEC || PAX_ASLR)
44878 + depends on PAX_NOEXEC || PAX_ASLR
44880 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
44881 + give no information about the addresses of its mappings if
44882 + PaX features that rely on random addresses are enabled on the task.
44883 + If you use PaX it is greatly recommended that you say Y here as it
44884 + closes up a hole that makes the full ASLR useless for suid
44887 +config GRKERNSEC_BRUTE
44888 + bool "Deter exploit bruteforcing"
44890 + If you say Y here, attempts to bruteforce exploits against forking
44891 + daemons such as apache or sshd, as well as against suid/sgid binaries
44892 + will be deterred. When a child of a forking daemon is killed by PaX
44893 + or crashes due to an illegal instruction or other suspicious signal,
44894 + the parent process will be delayed 30 seconds upon every subsequent
44895 + fork until the administrator is able to assess the situation and
44896 + restart the daemon.
44897 + In the suid/sgid case, the attempt is logged, the user has all their
44898 + processes terminated, and they are prevented from executing any further
44899 + processes for 15 minutes.
44900 + It is recommended that you also enable signal logging in the auditing
44901 + section so that logs are generated when a process triggers a suspicious
44904 +config GRKERNSEC_MODHARDEN
44905 + bool "Harden module auto-loading"
44906 + depends on MODULES
44908 + If you say Y here, module auto-loading in response to use of some
44909 + feature implemented by an unloaded module will be restricted to
44910 + root users. Enabling this option helps defend against attacks
44911 + by unprivileged users who abuse the auto-loading behavior to
44912 + cause a vulnerable module to load that is then exploited.
44914 + If this option prevents a legitimate use of auto-loading for a
44915 + non-root user, the administrator can execute modprobe manually
44916 + with the exact name of the module mentioned in the alert log.
44917 + Alternatively, the administrator can add the module to the list
44918 + of modules loaded at boot by modifying init scripts.
44920 + Modification of init scripts will most likely be needed on
44921 + Ubuntu servers with encrypted home directory support enabled,
44922 + as the first non-root user logging in will cause the ecb(aes),
44923 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
44925 +config GRKERNSEC_HIDESYM
44926 + bool "Hide kernel symbols"
44928 + If you say Y here, getting information on loaded modules, and
44929 + displaying all kernel symbols through a syscall will be restricted
44930 + to users with CAP_SYS_MODULE. For software compatibility reasons,
44931 + /proc/kallsyms will be restricted to the root user. The RBAC
44932 + system can hide that entry even from root.
44934 + This option also prevents leaking of kernel addresses through
44935 + several /proc entries.
44937 + Note that this option is only effective provided the following
44938 + conditions are met:
44939 + 1) The kernel using grsecurity is not precompiled by some distribution
44940 + 2) You have also enabled GRKERNSEC_DMESG
44941 + 3) You are using the RBAC system and hiding other files such as your
44942 + kernel image and System.map. Alternatively, enabling this option
44943 + causes the permissions on /boot, /lib/modules, and the kernel
44944 + source directory to change at compile time to prevent
44945 + reading by non-root users.
44946 + If the above conditions are met, this option will aid in providing a
44947 + useful protection against local kernel exploitation of overflows
44948 + and arbitrary read/write vulnerabilities.
44950 +config GRKERNSEC_KERN_LOCKOUT
44951 + bool "Active kernel exploit response"
44954 + If you say Y here, when a PaX alert is triggered due to suspicious
44955 + activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
44956 + or an OOPs occurs due to bad memory accesses, instead of just
44957 + terminating the offending process (and potentially allowing
44958 + a subsequent exploit from the same user), we will take one of two
44960 + If the user was root, we will panic the system
44961 + If the user was non-root, we will log the attempt, terminate
44962 + all processes owned by the user, then prevent them from creating
44963 + any new processes until the system is restarted
44964 + This deters repeated kernel exploitation/bruteforcing attempts
44965 + and is useful for later forensics.
44968 +menu "Role Based Access Control Options"
44969 +depends on GRKERNSEC
44971 +config GRKERNSEC_RBAC_DEBUG
44974 +config GRKERNSEC_NO_RBAC
44975 + bool "Disable RBAC system"
44977 + If you say Y here, the /dev/grsec device will be removed from the kernel,
44978 + preventing the RBAC system from being enabled. You should only say Y
44979 + here if you have no intention of using the RBAC system, so as to prevent
44980 + an attacker with root access from misusing the RBAC system to hide files
44981 + and processes when loadable module support and /dev/[k]mem have been
44984 +config GRKERNSEC_ACL_HIDEKERN
44985 + bool "Hide kernel processes"
44987 + If you say Y here, all kernel threads will be hidden to all
44988 + processes but those whose subject has the "view hidden processes"
44991 +config GRKERNSEC_ACL_MAXTRIES
44992 + int "Maximum tries before password lockout"
44995 + This option enforces the maximum number of times a user can attempt
44996 + to authorize themselves with the grsecurity RBAC system before being
44997 + denied the ability to attempt authorization again for a specified time.
44998 + The lower the number, the harder it will be to brute-force a password.
45000 +config GRKERNSEC_ACL_TIMEOUT
45001 + int "Time to wait after max password tries, in seconds"
45004 + This option specifies the time the user must wait after attempting to
45005 + authorize to the RBAC system with the maximum number of invalid
45006 + passwords. The higher the number, the harder it will be to brute-force
45010 +menu "Filesystem Protections"
45011 +depends on GRKERNSEC
45013 +config GRKERNSEC_PROC
45014 + bool "Proc restrictions"
45016 + If you say Y here, the permissions of the /proc filesystem
45017 + will be altered to enhance system security and privacy. You MUST
45018 + choose either a user only restriction or a user and group restriction.
45019 + Depending upon the option you choose, you can either restrict users to
45020 + see only the processes they themselves run, or choose a group that can
45021 + view all processes and files normally restricted to root if you choose
45022 + the "restrict to user only" option. NOTE: If you're running identd as
45023 + a non-root user, you will have to run it as the group you specify here.
45025 +config GRKERNSEC_PROC_USER
45026 + bool "Restrict /proc to user only"
45027 + depends on GRKERNSEC_PROC
45029 + If you say Y here, non-root users will only be able to view their own
45030 + processes, and restricts them from viewing network-related information,
45031 + and viewing kernel symbol and module information.
45033 +config GRKERNSEC_PROC_USERGROUP
45034 + bool "Allow special group"
45035 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
45037 + If you say Y here, you will be able to select a group that will be
45038 + able to view all processes and network-related information. If you've
45039 + enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
45040 + remain hidden. This option is useful if you want to run identd as
45043 +config GRKERNSEC_PROC_GID
45044 + int "GID for special group"
45045 + depends on GRKERNSEC_PROC_USERGROUP
45048 +config GRKERNSEC_PROC_ADD
45049 + bool "Additional restrictions"
45050 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
45052 + If you say Y here, additional restrictions will be placed on
45053 + /proc that keep normal users from viewing device information and
45054 + slabinfo information that could be useful for exploits.
45056 +config GRKERNSEC_LINK
45057 + bool "Linking restrictions"
45059 + If you say Y here, /tmp race exploits will be prevented, since users
45060 + will no longer be able to follow symlinks owned by other users in
45061 + world-writable +t directories (e.g. /tmp), unless the owner of the
45062 + symlink is the owner of the directory. users will also not be
45063 + able to hardlink to files they do not own. If the sysctl option is
45064 + enabled, a sysctl option with name "linking_restrictions" is created.
45066 +config GRKERNSEC_FIFO
45067 + bool "FIFO restrictions"
45069 + If you say Y here, users will not be able to write to FIFOs they don't
45070 + own in world-writable +t directories (e.g. /tmp), unless the owner of
45071 + the FIFO is the same owner of the directory it's held in. If the sysctl
45072 + option is enabled, a sysctl option with name "fifo_restrictions" is
45075 +config GRKERNSEC_SYSFS_RESTRICT
45076 + bool "Sysfs/debugfs restriction"
45079 + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
45080 + any filesystem normally mounted under it (e.g. debugfs) will only
45081 + be accessible by root. These filesystems generally provide access
45082 + to hardware and debug information that isn't appropriate for unprivileged
45083 + users of the system. Sysfs and debugfs have also become a large source
45084 + of new vulnerabilities, ranging from infoleaks to local compromise.
45085 + There has been very little oversight with an eye toward security involved
45086 + in adding new exporters of information to these filesystems, so their
45087 + use is discouraged.
45088 + This option is equivalent to a chmod 0700 of the mount paths.
45090 +config GRKERNSEC_ROFS
45091 + bool "Runtime read-only mount protection"
45093 + If you say Y here, a sysctl option with name "romount_protect" will
45094 + be created. By setting this option to 1 at runtime, filesystems
45095 + will be protected in the following ways:
45096 + * No new writable mounts will be allowed
45097 + * Existing read-only mounts won't be able to be remounted read/write
45098 + * Write operations will be denied on all block devices
45099 + This option acts independently of grsec_lock: once it is set to 1,
45100 + it cannot be turned off. Therefore, please be mindful of the resulting
45101 + behavior if this option is enabled in an init script on a read-only
45102 + filesystem. This feature is mainly intended for secure embedded systems.
45104 +config GRKERNSEC_CHROOT
45105 + bool "Chroot jail restrictions"
45107 + If you say Y here, you will be able to choose several options that will
45108 + make breaking out of a chrooted jail much more difficult. If you
45109 + encounter no software incompatibilities with the following options, it
45110 + is recommended that you enable each one.
45112 +config GRKERNSEC_CHROOT_MOUNT
45113 + bool "Deny mounts"
45114 + depends on GRKERNSEC_CHROOT
45116 + If you say Y here, processes inside a chroot will not be able to
45117 + mount or remount filesystems. If the sysctl option is enabled, a
45118 + sysctl option with name "chroot_deny_mount" is created.
45120 +config GRKERNSEC_CHROOT_DOUBLE
45121 + bool "Deny double-chroots"
45122 + depends on GRKERNSEC_CHROOT
45124 + If you say Y here, processes inside a chroot will not be able to chroot
45125 + again outside the chroot. This is a widely used method of breaking
45126 + out of a chroot jail and should not be allowed. If the sysctl
45127 + option is enabled, a sysctl option with name
45128 + "chroot_deny_chroot" is created.
45130 +config GRKERNSEC_CHROOT_PIVOT
45131 + bool "Deny pivot_root in chroot"
45132 + depends on GRKERNSEC_CHROOT
45134 + If you say Y here, processes inside a chroot will not be able to use
45135 + a function called pivot_root() that was introduced in Linux 2.3.41. It
45136 + works similar to chroot in that it changes the root filesystem. This
45137 + function could be misused in a chrooted process to attempt to break out
45138 + of the chroot, and therefore should not be allowed. If the sysctl
45139 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
45142 +config GRKERNSEC_CHROOT_CHDIR
45143 + bool "Enforce chdir(\"/\") on all chroots"
45144 + depends on GRKERNSEC_CHROOT
45146 + If you say Y here, the current working directory of all newly-chrooted
45147 + applications will be set to the the root directory of the chroot.
45148 + The man page on chroot(2) states:
45149 + Note that this call does not change the current working
45150 + directory, so that `.' can be outside the tree rooted at
45151 + `/'. In particular, the super-user can escape from a
45152 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
45154 + It is recommended that you say Y here, since it's not known to break
45155 + any software. If the sysctl option is enabled, a sysctl option with
45156 + name "chroot_enforce_chdir" is created.
45158 +config GRKERNSEC_CHROOT_CHMOD
45159 + bool "Deny (f)chmod +s"
45160 + depends on GRKERNSEC_CHROOT
45162 + If you say Y here, processes inside a chroot will not be able to chmod
45163 + or fchmod files to make them have suid or sgid bits. This protects
45164 + against another published method of breaking a chroot. If the sysctl
45165 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
45168 +config GRKERNSEC_CHROOT_FCHDIR
45169 + bool "Deny fchdir out of chroot"
45170 + depends on GRKERNSEC_CHROOT
45172 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
45173 + to a file descriptor of the chrooting process that points to a directory
45174 + outside the filesystem will be stopped. If the sysctl option
45175 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
45177 +config GRKERNSEC_CHROOT_MKNOD
45178 + bool "Deny mknod"
45179 + depends on GRKERNSEC_CHROOT
45181 + If you say Y here, processes inside a chroot will not be allowed to
45182 + mknod. The problem with using mknod inside a chroot is that it
45183 + would allow an attacker to create a device entry that is the same
45184 + as one on the physical root of your system, which could range from
45185 + anything from the console device to a device for your harddrive (which
45186 + they could then use to wipe the drive or steal data). It is recommended
45187 + that you say Y here, unless you run into software incompatibilities.
45188 + If the sysctl option is enabled, a sysctl option with name
45189 + "chroot_deny_mknod" is created.
45191 +config GRKERNSEC_CHROOT_SHMAT
45192 + bool "Deny shmat() out of chroot"
45193 + depends on GRKERNSEC_CHROOT
45195 + If you say Y here, processes inside a chroot will not be able to attach
45196 + to shared memory segments that were created outside of the chroot jail.
45197 + It is recommended that you say Y here. If the sysctl option is enabled,
45198 + a sysctl option with name "chroot_deny_shmat" is created.
45200 +config GRKERNSEC_CHROOT_UNIX
45201 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
45202 + depends on GRKERNSEC_CHROOT
45204 + If you say Y here, processes inside a chroot will not be able to
45205 + connect to abstract (meaning not belonging to a filesystem) Unix
45206 + domain sockets that were bound outside of a chroot. It is recommended
45207 + that you say Y here. If the sysctl option is enabled, a sysctl option
45208 + with name "chroot_deny_unix" is created.
45210 +config GRKERNSEC_CHROOT_FINDTASK
45211 + bool "Protect outside processes"
45212 + depends on GRKERNSEC_CHROOT
45214 + If you say Y here, processes inside a chroot will not be able to
45215 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
45216 + getsid, or view any process outside of the chroot. If the sysctl
45217 + option is enabled, a sysctl option with name "chroot_findtask" is
45220 +config GRKERNSEC_CHROOT_NICE
45221 + bool "Restrict priority changes"
45222 + depends on GRKERNSEC_CHROOT
45224 + If you say Y here, processes inside a chroot will not be able to raise
45225 + the priority of processes in the chroot, or alter the priority of
45226 + processes outside the chroot. This provides more security than simply
45227 + removing CAP_SYS_NICE from the process' capability set. If the
45228 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
45231 +config GRKERNSEC_CHROOT_SYSCTL
45232 + bool "Deny sysctl writes"
45233 + depends on GRKERNSEC_CHROOT
45235 + If you say Y here, an attacker in a chroot will not be able to
45236 + write to sysctl entries, either by sysctl(2) or through a /proc
45237 + interface. It is strongly recommended that you say Y here. If the
45238 + sysctl option is enabled, a sysctl option with name
45239 + "chroot_deny_sysctl" is created.
45241 +config GRKERNSEC_CHROOT_CAPS
45242 + bool "Capability restrictions"
45243 + depends on GRKERNSEC_CHROOT
45245 + If you say Y here, the capabilities on all root processes within a
45246 + chroot jail will be lowered to stop module insertion, raw i/o,
45247 + system and net admin tasks, rebooting the system, modifying immutable
45248 + files, modifying IPC owned by another, and changing the system time.
45249 + This is left an option because it can break some apps. Disable this
45250 + if your chrooted apps are having problems performing those kinds of
45251 + tasks. If the sysctl option is enabled, a sysctl option with
45252 + name "chroot_caps" is created.
45255 +menu "Kernel Auditing"
45256 +depends on GRKERNSEC
45258 +config GRKERNSEC_AUDIT_GROUP
45259 + bool "Single group for auditing"
45261 + If you say Y here, the exec, chdir, and (un)mount logging features
45262 + will only operate on a group you specify. This option is recommended
45263 + if you only want to watch certain users instead of having a large
45264 + amount of logs from the entire system. If the sysctl option is enabled,
45265 + a sysctl option with name "audit_group" is created.
45267 +config GRKERNSEC_AUDIT_GID
45268 + int "GID for auditing"
45269 + depends on GRKERNSEC_AUDIT_GROUP
45272 +config GRKERNSEC_EXECLOG
45273 + bool "Exec logging"
45275 + If you say Y here, all execve() calls will be logged (since the
45276 + other exec*() calls are frontends to execve(), all execution
45277 + will be logged). Useful for shell-servers that like to keep track
45278 + of their users. If the sysctl option is enabled, a sysctl option with
45279 + name "exec_logging" is created.
45280 + WARNING: This option when enabled will produce a LOT of logs, especially
45281 + on an active system.
45283 +config GRKERNSEC_RESLOG
45284 + bool "Resource logging"
45286 + If you say Y here, all attempts to overstep resource limits will
45287 + be logged with the resource name, the requested size, and the current
45288 + limit. It is highly recommended that you say Y here. If the sysctl
45289 + option is enabled, a sysctl option with name "resource_logging" is
45290 + created. If the RBAC system is enabled, the sysctl value is ignored.
45292 +config GRKERNSEC_CHROOT_EXECLOG
45293 + bool "Log execs within chroot"
45295 + If you say Y here, all executions inside a chroot jail will be logged
45296 + to syslog. This can cause a large amount of logs if certain
45297 + applications (eg. djb's daemontools) are installed on the system, and
45298 + is therefore left as an option. If the sysctl option is enabled, a
45299 + sysctl option with name "chroot_execlog" is created.
45301 +config GRKERNSEC_AUDIT_PTRACE
45302 + bool "Ptrace logging"
45304 + If you say Y here, all attempts to attach to a process via ptrace
45305 + will be logged. If the sysctl option is enabled, a sysctl option
45306 + with name "audit_ptrace" is created.
45308 +config GRKERNSEC_AUDIT_CHDIR
45309 + bool "Chdir logging"
45311 + If you say Y here, all chdir() calls will be logged. If the sysctl
45312 + option is enabled, a sysctl option with name "audit_chdir" is created.
45314 +config GRKERNSEC_AUDIT_MOUNT
45315 + bool "(Un)Mount logging"
45317 + If you say Y here, all mounts and unmounts will be logged. If the
45318 + sysctl option is enabled, a sysctl option with name "audit_mount" is
45321 +config GRKERNSEC_SIGNAL
45322 + bool "Signal logging"
45324 + If you say Y here, certain important signals will be logged, such as
45325 + SIGSEGV, which will as a result inform you of when a error in a program
45326 + occurred, which in some cases could mean a possible exploit attempt.
45327 + If the sysctl option is enabled, a sysctl option with name
45328 + "signal_logging" is created.
45330 +config GRKERNSEC_FORKFAIL
45331 + bool "Fork failure logging"
45333 + If you say Y here, all failed fork() attempts will be logged.
45334 + This could suggest a fork bomb, or someone attempting to overstep
45335 + their process limit. If the sysctl option is enabled, a sysctl option
45336 + with name "forkfail_logging" is created.
45338 +config GRKERNSEC_TIME
45339 + bool "Time change logging"
45341 + If you say Y here, any changes of the system clock will be logged.
45342 + If the sysctl option is enabled, a sysctl option with name
45343 + "timechange_logging" is created.
45345 +config GRKERNSEC_PROC_IPADDR
45346 + bool "/proc/<pid>/ipaddr support"
45348 + If you say Y here, a new entry will be added to each /proc/<pid>
45349 + directory that contains the IP address of the person using the task.
45350 + The IP is carried across local TCP and AF_UNIX stream sockets.
45351 + This information can be useful for IDS/IPSes to perform remote response
45352 + to a local attack. The entry is readable by only the owner of the
45353 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
45354 + the RBAC system), and thus does not create privacy concerns.
45356 +config GRKERNSEC_RWXMAP_LOG
45357 + bool 'Denied RWX mmap/mprotect logging'
45358 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
45360 + If you say Y here, calls to mmap() and mprotect() with explicit
45361 + usage of PROT_WRITE and PROT_EXEC together will be logged when
45362 + denied by the PAX_MPROTECT feature. If the sysctl option is
45363 + enabled, a sysctl option with name "rwxmap_logging" is created.
45365 +config GRKERNSEC_AUDIT_TEXTREL
45366 + bool 'ELF text relocations logging (READ HELP)'
45367 + depends on PAX_MPROTECT
45369 + If you say Y here, text relocations will be logged with the filename
45370 + of the offending library or binary. The purpose of the feature is
45371 + to help Linux distribution developers get rid of libraries and
45372 + binaries that need text relocations which hinder the future progress
45373 + of PaX. Only Linux distribution developers should say Y here, and
45374 + never on a production machine, as this option creates an information
45375 + leak that could aid an attacker in defeating the randomization of
45376 + a single memory region. If the sysctl option is enabled, a sysctl
45377 + option with name "audit_textrel" is created.
45381 +menu "Executable Protections"
45382 +depends on GRKERNSEC
45384 +config GRKERNSEC_EXECVE
45385 + bool "Enforce RLIMIT_NPROC on execs"
45387 + If you say Y here, users with a resource limit on processes will
45388 + have the value checked during execve() calls. The current system
45389 + only checks the system limit during fork() calls. If the sysctl option
45390 + is enabled, a sysctl option with name "execve_limiting" is created.
45392 +config GRKERNSEC_DMESG
45393 + bool "Dmesg(8) restriction"
45395 + If you say Y here, non-root users will not be able to use dmesg(8)
45396 + to view up to the last 4kb of messages in the kernel's log buffer.
45397 + The kernel's log buffer often contains kernel addresses and other
45398 + identifying information useful to an attacker in fingerprinting a
45399 + system for a targeted exploit.
45400 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
45403 +config GRKERNSEC_HARDEN_PTRACE
45404 + bool "Deter ptrace-based process snooping"
45406 + If you say Y here, TTY sniffers and other malicious monitoring
45407 + programs implemented through ptrace will be defeated. If you
45408 + have been using the RBAC system, this option has already been
45409 + enabled for several years for all users, with the ability to make
45410 + fine-grained exceptions.
45412 + This option only affects the ability of non-root users to ptrace
45413 + processes that are not a descendent of the ptracing process.
45414 + This means that strace ./binary and gdb ./binary will still work,
45415 + but attaching to arbitrary processes will not. If the sysctl
45416 + option is enabled, a sysctl option with name "harden_ptrace" is
45419 +config GRKERNSEC_TPE
45420 + bool "Trusted Path Execution (TPE)"
45422 + If you say Y here, you will be able to choose a gid to add to the
45423 + supplementary groups of users you want to mark as "untrusted."
45424 + These users will not be able to execute any files that are not in
45425 + root-owned directories writable only by root. If the sysctl option
45426 + is enabled, a sysctl option with name "tpe" is created.
45428 +config GRKERNSEC_TPE_ALL
45429 + bool "Partially restrict all non-root users"
45430 + depends on GRKERNSEC_TPE
45432 + If you say Y here, all non-root users will be covered under
45433 + a weaker TPE restriction. This is separate from, and in addition to,
45434 + the main TPE options that you have selected elsewhere. Thus, if a
45435 + "trusted" GID is chosen, this restriction applies to even that GID.
45436 + Under this restriction, all non-root users will only be allowed to
45437 + execute files in directories they own that are not group or
45438 + world-writable, or in directories owned by root and writable only by
45439 + root. If the sysctl option is enabled, a sysctl option with name
45440 + "tpe_restrict_all" is created.
45442 +config GRKERNSEC_TPE_INVERT
45443 + bool "Invert GID option"
45444 + depends on GRKERNSEC_TPE
45446 + If you say Y here, the group you specify in the TPE configuration will
45447 + decide what group TPE restrictions will be *disabled* for. This
45448 + option is useful if you want TPE restrictions to be applied to most
45449 + users on the system. If the sysctl option is enabled, a sysctl option
45450 + with name "tpe_invert" is created. Unlike other sysctl options, this
45451 + entry will default to on for backward-compatibility.
45453 +config GRKERNSEC_TPE_GID
45454 + int "GID for untrusted users"
45455 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
45458 + Setting this GID determines what group TPE restrictions will be
45459 + *enabled* for. If the sysctl option is enabled, a sysctl option
45460 + with name "tpe_gid" is created.
45462 +config GRKERNSEC_TPE_GID
45463 + int "GID for trusted users"
45464 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
45467 + Setting this GID determines what group TPE restrictions will be
45468 + *disabled* for. If the sysctl option is enabled, a sysctl option
45469 + with name "tpe_gid" is created.
45472 +menu "Network Protections"
45473 +depends on GRKERNSEC
45475 +config GRKERNSEC_RANDNET
45476 + bool "Larger entropy pools"
45478 + If you say Y here, the entropy pools used for many features of Linux
45479 + and grsecurity will be doubled in size. Since several grsecurity
45480 + features use additional randomness, it is recommended that you say Y
45481 + here. Saying Y here has a similar effect as modifying
45482 + /proc/sys/kernel/random/poolsize.
45484 +config GRKERNSEC_BLACKHOLE
45485 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
45487 + If you say Y here, neither TCP resets nor ICMP
45488 + destination-unreachable packets will be sent in response to packets
45489 + sent to ports for which no associated listening process exists.
45490 + This feature supports both IPV4 and IPV6 and exempts the
45491 + loopback interface from blackholing. Enabling this feature
45492 + makes a host more resilient to DoS attacks and reduces network
45493 + visibility against scanners.
45495 + The blackhole feature as-implemented is equivalent to the FreeBSD
45496 + blackhole feature, as it prevents RST responses to all packets, not
45497 + just SYNs. Under most application behavior this causes no
45498 + problems, but applications (like haproxy) may not close certain
45499 + connections in a way that cleanly terminates them on the remote
45500 + end, leaving the remote host in LAST_ACK state. Because of this
45501 + side-effect and to prevent intentional LAST_ACK DoSes, this
45502 + feature also adds automatic mitigation against such attacks.
45503 + The mitigation drastically reduces the amount of time a socket
45504 + can spend in LAST_ACK state. If you're using haproxy and not
45505 + all servers it connects to have this option enabled, consider
45506 + disabling this feature on the haproxy host.
45508 + If the sysctl option is enabled, two sysctl options with names
45509 + "ip_blackhole" and "lastack_retries" will be created.
45510 + While "ip_blackhole" takes the standard zero/non-zero on/off
45511 + toggle, "lastack_retries" uses the same kinds of values as
45512 + "tcp_retries1" and "tcp_retries2". The default value of 4
45513 + prevents a socket from lasting more than 45 seconds in LAST_ACK
45516 +config GRKERNSEC_SOCKET
45517 + bool "Socket restrictions"
45519 + If you say Y here, you will be able to choose from several options.
45520 + If you assign a GID on your system and add it to the supplementary
45521 + groups of users you want to restrict socket access to, this patch
45522 + will perform up to three things, based on the option(s) you choose.
45524 +config GRKERNSEC_SOCKET_ALL
45525 + bool "Deny any sockets to group"
45526 + depends on GRKERNSEC_SOCKET
45528 + If you say Y here, you will be able to choose a GID of whose users will
45529 + be unable to connect to other hosts from your machine or run server
45530 + applications from your machine. If the sysctl option is enabled, a
45531 + sysctl option with name "socket_all" is created.
45533 +config GRKERNSEC_SOCKET_ALL_GID
45534 + int "GID to deny all sockets for"
45535 + depends on GRKERNSEC_SOCKET_ALL
45538 + Here you can choose the GID to disable socket access for. Remember to
45539 + add the users you want socket access disabled for to the GID
45540 + specified here. If the sysctl option is enabled, a sysctl option
45541 + with name "socket_all_gid" is created.
45543 +config GRKERNSEC_SOCKET_CLIENT
45544 + bool "Deny client sockets to group"
45545 + depends on GRKERNSEC_SOCKET
45547 + If you say Y here, you will be able to choose a GID of whose users will
45548 + be unable to connect to other hosts from your machine, but will be
45549 + able to run servers. If this option is enabled, all users in the group
45550 + you specify will have to use passive mode when initiating ftp transfers
45551 + from the shell on your machine. If the sysctl option is enabled, a
45552 + sysctl option with name "socket_client" is created.
45554 +config GRKERNSEC_SOCKET_CLIENT_GID
45555 + int "GID to deny client sockets for"
45556 + depends on GRKERNSEC_SOCKET_CLIENT
45559 + Here you can choose the GID to disable client socket access for.
45560 + Remember to add the users you want client socket access disabled for to
45561 + the GID specified here. If the sysctl option is enabled, a sysctl
45562 + option with name "socket_client_gid" is created.
45564 +config GRKERNSEC_SOCKET_SERVER
45565 + bool "Deny server sockets to group"
45566 + depends on GRKERNSEC_SOCKET
45568 + If you say Y here, you will be able to choose a GID of whose users will
45569 + be unable to run server applications from your machine. If the sysctl
45570 + option is enabled, a sysctl option with name "socket_server" is created.
45572 +config GRKERNSEC_SOCKET_SERVER_GID
45573 + int "GID to deny server sockets for"
45574 + depends on GRKERNSEC_SOCKET_SERVER
45577 + Here you can choose the GID to disable server socket access for.
45578 + Remember to add the users you want server socket access disabled for to
45579 + the GID specified here. If the sysctl option is enabled, a sysctl
45580 + option with name "socket_server_gid" is created.
45583 +menu "Sysctl support"
45584 +depends on GRKERNSEC && SYSCTL
45586 +config GRKERNSEC_SYSCTL
45587 + bool "Sysctl support"
45589 + If you say Y here, you will be able to change the options that
45590 + grsecurity runs with at bootup, without having to recompile your
45591 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
45592 + to enable (1) or disable (0) various features. All the sysctl entries
45593 + are mutable until the "grsec_lock" entry is set to a non-zero value.
45594 + All features enabled in the kernel configuration are disabled at boot
45595 + if you do not say Y to the "Turn on features by default" option.
45596 + All options should be set at startup, and the grsec_lock entry should
45597 + be set to a non-zero value after all the options are set.
45598 + *THIS IS EXTREMELY IMPORTANT*
45600 +config GRKERNSEC_SYSCTL_DISTRO
45601 + bool "Extra sysctl support for distro makers (READ HELP)"
45602 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
45604 + If you say Y here, additional sysctl options will be created
45605 + for features that affect processes running as root. Therefore,
45606 + it is critical when using this option that the grsec_lock entry be
45607 + enabled after boot. Only distros with prebuilt kernel packages
45608 + with this option enabled that can ensure grsec_lock is enabled
45609 + after boot should use this option.
45610 + *Failure to set grsec_lock after boot makes all grsec features
45611 + this option covers useless*
45613 + Currently this option creates the following sysctl entries:
45614 + "Disable Privileged I/O": "disable_priv_io"
45616 +config GRKERNSEC_SYSCTL_ON
45617 + bool "Turn on features by default"
45618 + depends on GRKERNSEC_SYSCTL
45620 + If you say Y here, instead of having all features enabled in the
45621 + kernel configuration disabled at boot time, the features will be
45622 + enabled at boot time. It is recommended you say Y here unless
45623 + there is some reason you would want all sysctl-tunable features to
45624 + be disabled by default. As mentioned elsewhere, it is important
45625 + to enable the grsec_lock entry once you have finished modifying
45626 + the sysctl entries.
45629 +menu "Logging Options"
45630 +depends on GRKERNSEC
45632 +config GRKERNSEC_FLOODTIME
45633 + int "Seconds in between log messages (minimum)"
45636 + This option allows you to enforce the number of seconds between
45637 + grsecurity log messages. The default should be suitable for most
45638 + people, however, if you choose to change it, choose a value small enough
45639 + to allow informative logs to be produced, but large enough to
45640 + prevent flooding.
45642 +config GRKERNSEC_FLOODBURST
45643 + int "Number of messages in a burst (maximum)"
45646 + This option allows you to choose the maximum number of messages allowed
45647 + within the flood time interval you chose in a separate option. The
45648 + default should be suitable for most people, however if you find that
45649 + many of your logs are being interpreted as flooding, you may want to
45650 + raise this value.
45655 diff -urNp linux-2.6.38.4/grsecurity/Makefile linux-2.6.38.4/grsecurity/Makefile
45656 --- linux-2.6.38.4/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
45657 +++ linux-2.6.38.4/grsecurity/Makefile 2011-04-17 15:57:32.000000000 -0400
45659 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
45660 +# during 2001-2009 it has been completely redesigned by Brad Spengler
45661 +# into an RBAC system
45663 +# All code in this directory and various hooks inserted throughout the kernel
45664 +# are copyright Brad Spengler - Open Source Security, Inc., and released
45665 +# under the GPL v2 or higher
45667 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
45668 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
45669 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
45671 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
45672 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
45673 + gracl_learn.o grsec_log.o
45674 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
45676 +ifndef CONFIG_GRKERNSEC
45677 +obj-y += grsec_disabled.o
45680 +ifdef CONFIG_GRKERNSEC_HIDESYM
45681 +extra-y := grsec_hidesym.o
45682 +$(obj)/grsec_hidesym.o:
45683 + @-chmod -f 500 /boot
45684 + @-chmod -f 500 /lib/modules
45686 + @echo ' grsec: protected kernel image paths'
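Review bot: The `$(obj)/grsec_hidesym.o` recipe changes permissions on the build host's `/boot` and `/lib/modules` as a side effect of compiling the kernel, which is wrong for cross-compiles, package builds and any tree built by a non-root user; a permission change on the running system belongs in an install-time step that the operator opts into, not in a compile rule. The `@-` prefix also swallows chmod failures, so the `' grsec: protected kernel image paths'` message is printed even when nothing was protected; at minimum gate it on success, e.g. `@chmod -f 500 /boot /lib/modules && echo ' grsec: protected kernel image paths'`. The recipe does not appear to create the `grsec_hidesym.o` file named in `extra-y`, so it presumably re-runs on every build — confirm. The `ifdef`/`endif` pairs are not fully visible in this excerpt.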
45688 diff -urNp linux-2.6.38.4/include/acpi/acoutput.h linux-2.6.38.4/include/acpi/acoutput.h
45689 --- linux-2.6.38.4/include/acpi/acoutput.h 2011-03-14 21:20:32.000000000 -0400
45690 +++ linux-2.6.38.4/include/acpi/acoutput.h 2011-04-17 15:57:32.000000000 -0400
45691 @@ -269,8 +269,8 @@
45692 * leaving no executable debug code!
45694 #define ACPI_FUNCTION_NAME(a)
45695 -#define ACPI_DEBUG_PRINT(pl)
45696 -#define ACPI_DEBUG_PRINT_RAW(pl)
45697 +#define ACPI_DEBUG_PRINT(pl) do {} while (0)
45698 +#define ACPI_DEBUG_PRINT_RAW(pl) do {} while (0)
45700 #endif /* ACPI_DEBUG_OUTPUT */
45702 diff -urNp linux-2.6.38.4/include/acpi/acpi_drivers.h linux-2.6.38.4/include/acpi/acpi_drivers.h
45703 --- linux-2.6.38.4/include/acpi/acpi_drivers.h 2011-03-14 21:20:32.000000000 -0400
45704 +++ linux-2.6.38.4/include/acpi/acpi_drivers.h 2011-04-17 15:57:32.000000000 -0400
45705 @@ -119,8 +119,8 @@ void pci_acpi_crs_quirks(void);
45707 -------------------------------------------------------------------------- */
45708 struct acpi_dock_ops {
45709 - acpi_notify_handler handler;
45710 - acpi_notify_handler uevent;
45711 + const acpi_notify_handler handler;
45712 + const acpi_notify_handler uevent;
45715 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
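Review bot: Making the `handler` and `uevent` members of `struct acpi_dock_ops` `const` (rather than only the pointer, as the later hunk at `register_hotplug_dock_device` does) means an instance can only be filled in by an initializer; any driver that allocates the struct and assigns the callbacks afterwards will no longer compile, which is a different contract from read-only access through `const struct acpi_dock_ops *`. If static initialization is the intended rule, say so on the struct, e.g. `/* callback members are const: instances must be fully initialized at definition */`; otherwise drop the member `const` and rely on the const-qualified parameter. The closing `};` of the struct is not visible in the hunk.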
45716 @@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
45717 extern int register_dock_notifier(struct notifier_block *nb);
45718 extern void unregister_dock_notifier(struct notifier_block *nb);
45719 extern int register_hotplug_dock_device(acpi_handle handle,
45720 - struct acpi_dock_ops *ops,
45721 + const struct acpi_dock_ops *ops,
45723 extern void unregister_hotplug_dock_device(acpi_handle handle);
45725 @@ -144,7 +144,7 @@ static inline void unregister_dock_notif
45728 static inline int register_hotplug_dock_device(acpi_handle handle,
45729 - struct acpi_dock_ops *ops,
45730 + const struct acpi_dock_ops *ops,
45734 diff -urNp linux-2.6.38.4/include/asm-generic/atomic-long.h linux-2.6.38.4/include/asm-generic/atomic-long.h
45735 --- linux-2.6.38.4/include/asm-generic/atomic-long.h 2011-03-14 21:20:32.000000000 -0400
45736 +++ linux-2.6.38.4/include/asm-generic/atomic-long.h 2011-04-17 15:57:32.000000000 -0400
45739 typedef atomic64_t atomic_long_t;
45741 +#ifdef CONFIG_PAX_REFCOUNT
45742 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
45744 +typedef atomic64_t atomic_long_unchecked_t;
45747 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
45749 static inline long atomic_long_read(atomic_long_t *l)
45750 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
45751 return (long)atomic64_read(v);
45754 +#ifdef CONFIG_PAX_REFCOUNT
45755 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
45757 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
45759 + return (long)atomic64_read_unchecked(v);
45763 static inline void atomic_long_set(atomic_long_t *l, long i)
45765 atomic64_t *v = (atomic64_t *)l;
45766 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
45767 atomic64_set(v, i);
45770 +#ifdef CONFIG_PAX_REFCOUNT
45771 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
45773 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
45775 + atomic64_set_unchecked(v, i);
45779 static inline void atomic_long_inc(atomic_long_t *l)
45781 atomic64_t *v = (atomic64_t *)l;
45782 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
45786 +#ifdef CONFIG_PAX_REFCOUNT
45787 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
45789 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
45791 + atomic64_inc_unchecked(v);
45795 static inline void atomic_long_dec(atomic_long_t *l)
45797 atomic64_t *v = (atomic64_t *)l;
45798 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
45802 +#ifdef CONFIG_PAX_REFCOUNT
45803 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
45805 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
45807 + atomic64_dec_unchecked(v);
45811 static inline void atomic_long_add(long i, atomic_long_t *l)
45813 atomic64_t *v = (atomic64_t *)l;
45814 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
45815 atomic64_add(i, v);
45818 +#ifdef CONFIG_PAX_REFCOUNT
45819 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
45821 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
45823 + atomic64_add_unchecked(i, v);
45827 static inline void atomic_long_sub(long i, atomic_long_t *l)
45829 atomic64_t *v = (atomic64_t *)l;
45830 @@ -66,6 +117,15 @@ static inline void atomic_long_sub(long
45831 atomic64_sub(i, v);
45834 +#ifdef CONFIG_PAX_REFCOUNT
45835 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
45837 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
45839 + atomic64_sub_unchecked(i, v);
45843 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
45845 atomic64_t *v = (atomic64_t *)l;
45846 @@ -115,6 +175,15 @@ static inline long atomic_long_inc_retur
45847 return (long)atomic64_inc_return(v);
45850 +#ifdef CONFIG_PAX_REFCOUNT
45851 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
45853 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
45855 + return (long)atomic64_inc_return_unchecked(v);
45859 static inline long atomic_long_dec_return(atomic_long_t *l)
45861 atomic64_t *v = (atomic64_t *)l;
45862 @@ -140,6 +209,12 @@ static inline long atomic_long_add_unles
45864 typedef atomic_t atomic_long_t;
45866 +#ifdef CONFIG_PAX_REFCOUNT
45867 +typedef atomic_unchecked_t atomic_long_unchecked_t;
45869 +typedef atomic_t atomic_long_unchecked_t;
45872 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
45873 static inline long atomic_long_read(atomic_long_t *l)
45875 @@ -148,6 +223,15 @@ static inline long atomic_long_read(atom
45876 return (long)atomic_read(v);
45879 +#ifdef CONFIG_PAX_REFCOUNT
45880 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
45882 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
45884 + return (long)atomic_read_unchecked(v);
45888 static inline void atomic_long_set(atomic_long_t *l, long i)
45890 atomic_t *v = (atomic_t *)l;
45891 @@ -155,6 +239,15 @@ static inline void atomic_long_set(atomi
45895 +#ifdef CONFIG_PAX_REFCOUNT
45896 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
45898 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
45900 + atomic_set_unchecked(v, i);
45904 static inline void atomic_long_inc(atomic_long_t *l)
45906 atomic_t *v = (atomic_t *)l;
45907 @@ -162,6 +255,15 @@ static inline void atomic_long_inc(atomi
45911 +#ifdef CONFIG_PAX_REFCOUNT
45912 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
45914 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
45916 + atomic_inc_unchecked(v);
45920 static inline void atomic_long_dec(atomic_long_t *l)
45922 atomic_t *v = (atomic_t *)l;
45923 @@ -169,6 +271,15 @@ static inline void atomic_long_dec(atomi
45927 +#ifdef CONFIG_PAX_REFCOUNT
45928 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
45930 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
45932 + atomic_dec_unchecked(v);
45936 static inline void atomic_long_add(long i, atomic_long_t *l)
45938 atomic_t *v = (atomic_t *)l;
45939 @@ -176,6 +287,15 @@ static inline void atomic_long_add(long
45943 +#ifdef CONFIG_PAX_REFCOUNT
45944 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
45946 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
45948 + atomic_add_unchecked(i, v);
45952 static inline void atomic_long_sub(long i, atomic_long_t *l)
45954 atomic_t *v = (atomic_t *)l;
45955 @@ -183,6 +303,15 @@ static inline void atomic_long_sub(long
45959 +#ifdef CONFIG_PAX_REFCOUNT
45960 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
45962 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
45964 + atomic_sub_unchecked(i, v);
45968 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
45970 atomic_t *v = (atomic_t *)l;
45971 @@ -232,6 +361,15 @@ static inline long atomic_long_inc_retur
45972 return (long)atomic_inc_return(v);
45975 +#ifdef CONFIG_PAX_REFCOUNT
45976 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
45978 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
45980 + return (long)atomic_inc_return_unchecked(v);
45984 static inline long atomic_long_dec_return(atomic_long_t *l)
45986 atomic_t *v = (atomic_t *)l;
45987 @@ -255,4 +393,41 @@ static inline long atomic_long_add_unles
45989 #endif /* BITS_PER_LONG == 64 */
45991 +#ifdef CONFIG_PAX_REFCOUNT
45992 +static inline void pax_refcount_needs_these_functions(void)
45994 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
45995 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
45996 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
45997 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
45998 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
45999 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
46000 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
46002 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
46003 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
46004 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
46005 + atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
46006 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
46007 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
46008 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
46011 +#define atomic_read_unchecked(v) atomic_read(v)
46012 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
46013 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
46014 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
46015 +#define atomic_inc_unchecked(v) atomic_inc(v)
46016 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
46017 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
46019 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
46020 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
46021 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
46022 +#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
46023 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
46024 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
46025 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
46028 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
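Review bot: `pax_refcount_needs_these_functions` passes NULL to every `*_unchecked` atomic and carries no comment, so a reader sees what looks like a chain of null-pointer dereferences; judging by its name it exists only so that an architecture header missing one of these functions fails to compile here instead of at the first user, and it relies on never being called. Add that intent above the definition, e.g. `/* Never called: a missing *_unchecked arch implementation fails to compile here rather than at its first caller. */`. The `#else` fallbacks below map each `_unchecked` name onto the ordinary atomic, so without CONFIG_PAX_REFCOUNT the "checked" and "unchecked" variants are the same operation and no overflow detection exists; a one-line comment on that branch, `/* no PAX_REFCOUNT: no overflow checking, so unchecked == checked */`, would stop maintainers assuming protection they do not have.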
46029 diff -urNp linux-2.6.38.4/include/asm-generic/dma-mapping-common.h linux-2.6.38.4/include/asm-generic/dma-mapping-common.h
46030 --- linux-2.6.38.4/include/asm-generic/dma-mapping-common.h 2011-03-14 21:20:32.000000000 -0400
46031 +++ linux-2.6.38.4/include/asm-generic/dma-mapping-common.h 2011-04-17 15:57:32.000000000 -0400
46032 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
46033 enum dma_data_direction dir,
46034 struct dma_attrs *attrs)
46036 - struct dma_map_ops *ops = get_dma_ops(dev);
46037 + const struct dma_map_ops *ops = get_dma_ops(dev);
46040 kmemcheck_mark_initialized(ptr, size);
46041 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
46042 enum dma_data_direction dir,
46043 struct dma_attrs *attrs)
46045 - struct dma_map_ops *ops = get_dma_ops(dev);
46046 + const struct dma_map_ops *ops = get_dma_ops(dev);
46048 BUG_ON(!valid_dma_direction(dir));
46049 if (ops->unmap_page)
46050 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
46051 int nents, enum dma_data_direction dir,
46052 struct dma_attrs *attrs)
46054 - struct dma_map_ops *ops = get_dma_ops(dev);
46055 + const struct dma_map_ops *ops = get_dma_ops(dev);
46057 struct scatterlist *s;
46059 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
46060 int nents, enum dma_data_direction dir,
46061 struct dma_attrs *attrs)
46063 - struct dma_map_ops *ops = get_dma_ops(dev);
46064 + const struct dma_map_ops *ops = get_dma_ops(dev);
46066 BUG_ON(!valid_dma_direction(dir));
46067 debug_dma_unmap_sg(dev, sg, nents, dir);
46068 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
46069 size_t offset, size_t size,
46070 enum dma_data_direction dir)
46072 - struct dma_map_ops *ops = get_dma_ops(dev);
46073 + const struct dma_map_ops *ops = get_dma_ops(dev);
46076 kmemcheck_mark_initialized(page_address(page) + offset, size);
46077 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
46078 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
46079 size_t size, enum dma_data_direction dir)
46081 - struct dma_map_ops *ops = get_dma_ops(dev);
46082 + const struct dma_map_ops *ops = get_dma_ops(dev);
46084 BUG_ON(!valid_dma_direction(dir));
46085 if (ops->unmap_page)
46086 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
46088 enum dma_data_direction dir)
46090 - struct dma_map_ops *ops = get_dma_ops(dev);
46091 + const struct dma_map_ops *ops = get_dma_ops(dev);
46093 BUG_ON(!valid_dma_direction(dir));
46094 if (ops->sync_single_for_cpu)
46095 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
46096 dma_addr_t addr, size_t size,
46097 enum dma_data_direction dir)
46099 - struct dma_map_ops *ops = get_dma_ops(dev);
46100 + const struct dma_map_ops *ops = get_dma_ops(dev);
46102 BUG_ON(!valid_dma_direction(dir));
46103 if (ops->sync_single_for_device)
46104 @@ -139,7 +139,7 @@ static inline void
46105 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
46106 int nelems, enum dma_data_direction dir)
46108 - struct dma_map_ops *ops = get_dma_ops(dev);
46109 + const struct dma_map_ops *ops = get_dma_ops(dev);
46111 BUG_ON(!valid_dma_direction(dir));
46112 if (ops->sync_sg_for_cpu)
46113 @@ -151,7 +151,7 @@ static inline void
46114 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
46115 int nelems, enum dma_data_direction dir)
46117 - struct dma_map_ops *ops = get_dma_ops(dev);
46118 + const struct dma_map_ops *ops = get_dma_ops(dev);
46120 BUG_ON(!valid_dma_direction(dir));
46121 if (ops->sync_sg_for_device)
46122 diff -urNp linux-2.6.38.4/include/asm-generic/futex.h linux-2.6.38.4/include/asm-generic/futex.h
46123 --- linux-2.6.38.4/include/asm-generic/futex.h 2011-03-14 21:20:32.000000000 -0400
46124 +++ linux-2.6.38.4/include/asm-generic/futex.h 2011-04-17 15:57:32.000000000 -0400
46126 #include <asm/errno.h>
46129 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
46130 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
46132 int op = (encoded_op >> 28) & 7;
46133 int cmp = (encoded_op >> 24) & 15;
46134 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
46138 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
46139 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
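Review bot: `uaddr` becomes `u32 __user *` while `oldval` and `newval` stay `int`, so the value fetched from user space and the values it is compared with now differ in signedness. The function bodies are outside the hunk, so whether that matters in this generic header cannot be seen here, but any arch implementation sharing this signature would mix `u32` and `int` in its comparison. `futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, u32 oldval, u32 newval)` keeps the types aligned. The same observation applies to `futex_atomic_op_inuser` in the first hunk of this file.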
46143 diff -urNp linux-2.6.38.4/include/asm-generic/int-l64.h linux-2.6.38.4/include/asm-generic/int-l64.h
46144 --- linux-2.6.38.4/include/asm-generic/int-l64.h 2011-03-14 21:20:32.000000000 -0400
46145 +++ linux-2.6.38.4/include/asm-generic/int-l64.h 2011-04-17 15:57:32.000000000 -0400
46146 @@ -46,6 +46,8 @@ typedef unsigned int u32;
46147 typedef signed long s64;
46148 typedef unsigned long u64;
46150 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
46153 #define U8_C(x) x ## U
46155 diff -urNp linux-2.6.38.4/include/asm-generic/int-ll64.h linux-2.6.38.4/include/asm-generic/int-ll64.h
46156 --- linux-2.6.38.4/include/asm-generic/int-ll64.h 2011-03-14 21:20:32.000000000 -0400
46157 +++ linux-2.6.38.4/include/asm-generic/int-ll64.h 2011-04-17 15:57:32.000000000 -0400
46158 @@ -51,6 +51,8 @@ typedef unsigned int u32;
46159 typedef signed long long s64;
46160 typedef unsigned long long u64;
46162 +typedef unsigned long long intoverflow_t;
46165 #define U8_C(x) x ## U
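Review bot: `intoverflow_t` is defined here as `unsigned long long`, which is only wider than `unsigned long` on 32-bit builds; if a 64-bit architecture selects int-ll64.h (x86_64 does, as far as I know), the type has the same width as `size_t` there, and a size-overflow check that evaluates an expression in `intoverflow_t` (its uses are outside this hunk) would not be able to detect wrap on that architecture. The int-l64.h hunk gives the same name a 128-bit `mode(TI)` type, so the two headers provide different guarantees for what is presumably meant to be one contract. Selecting the wide type by `CONFIG_64BIT` rather than by which int header is in use would make it uniform, and a comment should state the requirement, e.g. `/* integer type wide enough to evaluate size expressions without wrapping; must be strictly wider than unsigned long */`.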
46167 diff -urNp linux-2.6.38.4/include/asm-generic/kmap_types.h linux-2.6.38.4/include/asm-generic/kmap_types.h
46168 --- linux-2.6.38.4/include/asm-generic/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
46169 +++ linux-2.6.38.4/include/asm-generic/kmap_types.h 2011-04-17 15:57:32.000000000 -0400
46170 @@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
46172 KMAP_D(18) KM_NMI_PTE,
46174 +KMAP_D(20) KM_CLEARPAGE,
46176 * Remember to update debug_kmap_atomic() when adding new kmap types!
46178 -KMAP_D(20) KM_TYPE_NR
46179 +KMAP_D(21) KM_TYPE_NR
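Review bot: The new `KM_CLEARPAGE` entry sits directly above the comment that says to update debug_kmap_atomic() when adding kmap types, and that update is not part of this hunk. If debug_kmap_atomic() (mm/highmem.c in this tree, I believe) is not touched elsewhere in the patch, the new type will be reported as unknown by the kmap debug code. A pointer on the entry, e.g. `KMAP_D(20) KM_CLEARPAGE, /* keep debug_kmap_atomic() in sync */`, would make the dependency visible to the next person editing this list.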
46183 diff -urNp linux-2.6.38.4/include/asm-generic/pgtable.h linux-2.6.38.4/include/asm-generic/pgtable.h
46184 --- linux-2.6.38.4/include/asm-generic/pgtable.h 2011-03-14 21:20:32.000000000 -0400
46185 +++ linux-2.6.38.4/include/asm-generic/pgtable.h 2011-04-17 15:57:32.000000000 -0400
46186 @@ -447,6 +447,14 @@ static inline int pmd_write(pmd_t pmd)
46187 #endif /* __HAVE_ARCH_PMD_WRITE */
46190 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
46191 +static inline unsigned long pax_open_kernel(void) { return 0; }
46194 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
46195 +static inline unsigned long pax_close_kernel(void) { return 0; }
46198 #endif /* !__ASSEMBLY__ */
46200 #endif /* _ASM_GENERIC_PGTABLE_H */
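Review bot: The `pax_open_kernel()` / `pax_close_kernel()` fallbacks are added without any comment saying what the pair is for, what the returned value means, or what an architecture must provide when it defines `__HAVE_ARCH_PAX_OPEN_KERNEL`. The stubs return 0 and do nothing, so the contract can only be inferred from the arch implementations, which are outside this hunk. A comment above the first `#ifndef` such as `/* No-op defaults for architectures without their own pax_open_kernel()/pax_close_kernel(); both return 0. Arch versions: document the meaning of the return value here. */` would give readers the visible facts and flag what still needs stating.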
46201 diff -urNp linux-2.6.38.4/include/asm-generic/pgtable-nopmd.h linux-2.6.38.4/include/asm-generic/pgtable-nopmd.h
46202 --- linux-2.6.38.4/include/asm-generic/pgtable-nopmd.h 2011-03-14 21:20:32.000000000 -0400
46203 +++ linux-2.6.38.4/include/asm-generic/pgtable-nopmd.h 2011-04-17 15:57:32.000000000 -0400
46205 #ifndef _PGTABLE_NOPMD_H
46206 #define _PGTABLE_NOPMD_H
46208 -#ifndef __ASSEMBLY__
46210 #include <asm-generic/pgtable-nopud.h>
46214 #define __PAGETABLE_PMD_FOLDED
46216 +#define PMD_SHIFT PUD_SHIFT
46217 +#define PTRS_PER_PMD 1
46218 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
46219 +#define PMD_MASK (~(PMD_SIZE-1))
46221 +#ifndef __ASSEMBLY__
46226 * Having the pmd type consist of a pud gets the size right, and allows
46227 * us to conceptually access the pud entry that this pmd is folded into
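Review bot: `PMD_SIZE` now uses `_AC(1,UL)` so the definition is usable from assembly, but `_AC` comes from `linux/const.h` and no include is added in this hunk; unless it arrives through `asm-generic/pgtable-nopud.h` or an arch header, a consumer that includes this header first (C or asm) will hit an undefined `_AC`. The same applies to the `PUD_SIZE` change in the pgtable-nopud.h hunk of this patch. Adding `#include <linux/const.h>` beside the existing `#include <asm-generic/pgtable-nopud.h>` would make both headers self-contained.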
46228 @@ -16,11 +21,6 @@ struct mm_struct;
46230 typedef struct { pud_t pud; } pmd_t;
46232 -#define PMD_SHIFT PUD_SHIFT
46233 -#define PTRS_PER_PMD 1
46234 -#define PMD_SIZE (1UL << PMD_SHIFT)
46235 -#define PMD_MASK (~(PMD_SIZE-1))
46238 * The "pud_xxx()" functions here are trivial for a folded two-level
46239 * setup: the pmd is never bad, and a pmd always exists (as it's folded
46240 diff -urNp linux-2.6.38.4/include/asm-generic/pgtable-nopud.h linux-2.6.38.4/include/asm-generic/pgtable-nopud.h
46241 --- linux-2.6.38.4/include/asm-generic/pgtable-nopud.h 2011-03-14 21:20:32.000000000 -0400
46242 +++ linux-2.6.38.4/include/asm-generic/pgtable-nopud.h 2011-04-17 15:57:32.000000000 -0400
46244 #ifndef _PGTABLE_NOPUD_H
46245 #define _PGTABLE_NOPUD_H
46247 -#ifndef __ASSEMBLY__
46249 #define __PAGETABLE_PUD_FOLDED
46251 +#define PUD_SHIFT PGDIR_SHIFT
46252 +#define PTRS_PER_PUD 1
46253 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
46254 +#define PUD_MASK (~(PUD_SIZE-1))
46256 +#ifndef __ASSEMBLY__
46259 * Having the pud type consist of a pgd gets the size right, and allows
46260 * us to conceptually access the pgd entry that this pud is folded into
46263 typedef struct { pgd_t pgd; } pud_t;
46265 -#define PUD_SHIFT PGDIR_SHIFT
46266 -#define PTRS_PER_PUD 1
46267 -#define PUD_SIZE (1UL << PUD_SHIFT)
46268 -#define PUD_MASK (~(PUD_SIZE-1))
46271 * The "pgd_xxx()" functions here are trivial for a folded two-level
46272 * setup: the pud is never bad, and a pud always exists (as it's folded
46273 diff -urNp linux-2.6.38.4/include/asm-generic/vmlinux.lds.h linux-2.6.38.4/include/asm-generic/vmlinux.lds.h
46274 --- linux-2.6.38.4/include/asm-generic/vmlinux.lds.h 2011-03-14 21:20:32.000000000 -0400
46275 +++ linux-2.6.38.4/include/asm-generic/vmlinux.lds.h 2011-04-17 15:57:32.000000000 -0400
46276 @@ -213,6 +213,7 @@
46277 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
46278 VMLINUX_SYMBOL(__start_rodata) = .; \
46279 *(.rodata) *(.rodata.*) \
46280 + *(.data..read_only) \
46281 *(__vermagic) /* Kernel version magic */ \
46283 VMLINUX_SYMBOL(__start___tracepoints_ptrs) = .; \
46284 @@ -696,14 +697,15 @@
46285 * section in the linker script will go there too. @phdr should have
46288 - * Note that this macros defines __per_cpu_load as an absolute symbol.
46289 + * Note that this macros defines per_cpu_load as an absolute symbol.
46290 * If there is no need to put the percpu section at a predetermined
46291 * address, use PERCPU().
46293 #define PERCPU_VADDR(vaddr, phdr) \
46294 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
46295 - .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
46296 + per_cpu_load = .; \
46297 + .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
46299 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
46300 VMLINUX_SYMBOL(__per_cpu_start) = .; \
46301 *(.data..percpu..first) \
46302 . = ALIGN(PAGE_SIZE); \
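Review bot: `per_cpu_load` is defined without `VMLINUX_SYMBOL()` (`per_cpu_load = .;` and `. + per_cpu_load`) but referenced through `VMLINUX_SYMBOL(per_cpu_load)` in the AT() expression and in the next hunk; on configurations where VMLINUX_SYMBOL adds a symbol prefix those name two different symbols and the link fails, while on x86 (I believe the only user of PERCPU_VADDR) they coincide. Use one form throughout, e.g. `VMLINUX_SYMBOL(per_cpu_load) = .;` and `VMLINUX_SYMBOL(__per_cpu_load) = . + VMLINUX_SYMBOL(per_cpu_load);`. The updated comment also drops any mention of `__per_cpu_load`, which the macro still defines; ` * Note that this macro defines per_cpu_load as an absolute symbol and derives __per_cpu_load from it.` would describe the new layout and fix the pre-existing "this macros".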
46303 @@ -713,7 +715,7 @@
46304 *(.data..percpu..shared_aligned) \
46305 VMLINUX_SYMBOL(__per_cpu_end) = .; \
46307 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
46308 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
46311 * PERCPU - define output section for percpu area, simple version
46312 diff -urNp linux-2.6.38.4/include/drm/drm_pciids.h linux-2.6.38.4/include/drm/drm_pciids.h
46313 --- linux-2.6.38.4/include/drm/drm_pciids.h 2011-04-18 17:27:18.000000000 -0400
46314 +++ linux-2.6.38.4/include/drm/drm_pciids.h 2011-04-17 16:58:34.000000000 -0400
46315 @@ -460,7 +460,7 @@
46316 {0x1002, 0x9805, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_PALM|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
46317 {0x1002, 0x9806, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_PALM|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
46318 {0x1002, 0x9807, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_PALM|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
46320 + {0, 0, 0, 0, 0, 0}
46322 #define r128_PCI_IDS \
46323 {0x1002, 0x4c45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46324 @@ -500,14 +500,14 @@
46325 {0x1002, 0x5446, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46326 {0x1002, 0x544C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46327 {0x1002, 0x5452, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46329 + {0, 0, 0, 0, 0, 0}
46331 #define mga_PCI_IDS \
46332 {0x102b, 0x0520, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
46333 {0x102b, 0x0521, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
46334 {0x102b, 0x0525, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G400}, \
46335 {0x102b, 0x2527, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G550}, \
46337 + {0, 0, 0, 0, 0, 0}
46339 #define mach64_PCI_IDS \
46340 {0x1002, 0x4749, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46341 @@ -530,7 +530,7 @@
46342 {0x1002, 0x4c53, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46343 {0x1002, 0x4c4d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46344 {0x1002, 0x4c4e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46346 + {0, 0, 0, 0, 0, 0}
46348 #define sisdrv_PCI_IDS \
46349 {0x1039, 0x0300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46350 @@ -541,7 +541,7 @@
46351 {0x1039, 0x7300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46352 {0x18CA, 0x0040, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
46353 {0x18CA, 0x0042, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
46355 + {0, 0, 0, 0, 0, 0}
46357 #define tdfx_PCI_IDS \
46358 {0x121a, 0x0003, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46359 @@ -550,7 +550,7 @@
46360 {0x121a, 0x0007, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46361 {0x121a, 0x0009, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46362 {0x121a, 0x000b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46364 + {0, 0, 0, 0, 0, 0}
46366 #define viadrv_PCI_IDS \
46367 {0x1106, 0x3022, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46368 @@ -562,14 +562,14 @@
46369 {0x1106, 0x3343, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46370 {0x1106, 0x3230, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_DX9_0}, \
46371 {0x1106, 0x3157, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_PRO_GROUP_A}, \
46373 + {0, 0, 0, 0, 0, 0}
46375 #define i810_PCI_IDS \
46376 {0x8086, 0x7121, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46377 {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46378 {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46379 {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46381 + {0, 0, 0, 0, 0, 0}
46383 #define i830_PCI_IDS \
46384 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46385 @@ -577,11 +577,11 @@
46386 {0x8086, 0x3582, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46387 {0x8086, 0x2572, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46388 {0x8086, 0x358e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46390 + {0, 0, 0, 0, 0, 0}
46392 #define gamma_PCI_IDS \
46393 {0x3d3d, 0x0008, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
46395 + {0, 0, 0, 0, 0, 0}
46397 #define savage_PCI_IDS \
46398 {0x5333, 0x8a20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_SAVAGE3D}, \
46399 @@ -607,10 +607,10 @@
46400 {0x5333, 0x8d02, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_TWISTER}, \
46401 {0x5333, 0x8d03, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
46402 {0x5333, 0x8d04, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
46404 + {0, 0, 0, 0, 0, 0}
46406 #define ffb_PCI_IDS \
46408 + {0, 0, 0, 0, 0, 0}
46410 #define i915_PCI_IDS \
46411 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
46412 @@ -644,4 +644,4 @@
46413 {0x8086, 0x0042, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
46414 {0x8086, 0x0046, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
46415 {0x8086, 0x0102, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
46417 + {0, 0, 0, 0, 0, 0}
46418 diff -urNp linux-2.6.38.4/include/drm/drmP.h linux-2.6.38.4/include/drm/drmP.h
46419 --- linux-2.6.38.4/include/drm/drmP.h 2011-03-14 21:20:32.000000000 -0400
46420 +++ linux-2.6.38.4/include/drm/drmP.h 2011-04-17 15:57:32.000000000 -0400
46422 #include <linux/workqueue.h>
46423 #include <linux/poll.h>
46424 #include <asm/pgalloc.h>
46425 +#include <asm/local.h>
46428 #include <linux/idr.h>
46429 @@ -881,7 +882,7 @@ struct drm_driver {
46430 void (*vgaarb_irq)(struct drm_device *dev, bool state);
46432 /* Driver private ops for this object */
46433 - struct vm_operations_struct *gem_vm_ops;
46434 + const struct vm_operations_struct *gem_vm_ops;
46438 @@ -894,7 +895,7 @@ struct drm_driver {
46440 struct drm_ioctl_desc *ioctls;
46442 - struct file_operations fops;
46443 + const struct file_operations fops;
46444 struct pci_driver pci_driver;
46445 struct platform_device *platform_device;
46446 /* List of devices hanging off this driver */
46447 @@ -991,7 +992,7 @@ struct drm_device {
46449 /** \name Usage Counters */
46451 - int open_count; /**< Outstanding files open */
46452 + local_t open_count; /**< Outstanding files open */
46453 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
46454 atomic_t vma_count; /**< Outstanding vma areas open */
46455 int buf_use; /**< Buffers in use -- cannot alloc */
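Review bot: `open_count` becomes `local_t`, but `local_t` (asm/local.h, included by the first hunk of this file) is meant for per-CPU data; on x86 its operations carry no LOCK prefix, I believe, so a counter shared by every opener of the device is only correct if every update still runs under the lock that protected the old `int`. If the goal is an overflow-checked counter, `atomic_t` would give cross-CPU atomicity as well. Either way, the field should state its locking rule, e.g. `local_t open_count; /**< Outstanding files open; updated only under the DRM global lock — confirm against drm_open/drm_release */`, so nobody later relies on local_t for atomicity.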
46456 @@ -1002,7 +1003,7 @@ struct drm_device {
46458 unsigned long counters;
46459 enum drm_stat_type types[15];
46460 - atomic_t counts[15];
46461 + atomic_unchecked_t counts[15];
46464 struct list_head filelist;
46465 @@ -1101,7 +1102,7 @@ struct drm_device {
46466 struct platform_device *platformdev; /**< Platform device struture */
46468 struct drm_sg_mem *sg; /**< Scatter gather memory */
46469 - unsigned int num_crtcs; /**< Number of CRTCs on this device */
46470 + unsigned int num_crtcs; /**< Number of CRTCs on this device */
46471 void *dev_private; /**< device private data */
46473 struct address_space *dev_mapping;
46474 diff -urNp linux-2.6.38.4/include/linux/a.out.h linux-2.6.38.4/include/linux/a.out.h
46475 --- linux-2.6.38.4/include/linux/a.out.h 2011-03-14 21:20:32.000000000 -0400
46476 +++ linux-2.6.38.4/include/linux/a.out.h 2011-04-17 15:57:32.000000000 -0400
46477 @@ -39,6 +39,14 @@ enum machine_type {
46478 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
46481 +/* Constants for the N_FLAGS field */
46482 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
46483 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
46484 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
46485 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
46486 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
46487 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
46489 #if !defined (N_MAGIC)
46490 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
46492 diff -urNp linux-2.6.38.4/include/linux/atmdev.h linux-2.6.38.4/include/linux/atmdev.h
46493 --- linux-2.6.38.4/include/linux/atmdev.h 2011-04-18 17:27:18.000000000 -0400
46494 +++ linux-2.6.38.4/include/linux/atmdev.h 2011-04-17 16:53:48.000000000 -0400
46495 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
46498 struct k_atm_aal_stats {
46499 -#define __HANDLE_ITEM(i) atomic_t i
46500 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
46502 #undef __HANDLE_ITEM
46504 diff -urNp linux-2.6.38.4/include/linux/binfmts.h linux-2.6.38.4/include/linux/binfmts.h
46505 --- linux-2.6.38.4/include/linux/binfmts.h 2011-03-14 21:20:32.000000000 -0400
46506 +++ linux-2.6.38.4/include/linux/binfmts.h 2011-04-17 15:57:32.000000000 -0400
46507 @@ -92,6 +92,7 @@ struct linux_binfmt {
46508 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
46509 int (*load_shlib)(struct file *);
46510 int (*core_dump)(struct coredump_params *cprm);
46511 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
46512 unsigned long min_coredump; /* minimal dump size */
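Review bot: The new `handle_mprotect` hook is added to `struct linux_binfmt` without a comment, unlike `min_coredump` next to it, and the hunk gives no hint of when it is invoked or whether a NULL value is permitted. A comment on the field, e.g. `/* called on mprotect() of a vma owned by this binfmt with the requested flags; state whether NULL is allowed */`, would document the contract; whether the call site checks for NULL is outside this hunk and should be confirmed there.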
46515 diff -urNp linux-2.6.38.4/include/linux/blkdev.h linux-2.6.38.4/include/linux/blkdev.h
46516 --- linux-2.6.38.4/include/linux/blkdev.h 2011-03-14 21:20:32.000000000 -0400
46517 +++ linux-2.6.38.4/include/linux/blkdev.h 2011-04-17 15:57:32.000000000 -0400
46518 @@ -1247,22 +1247,22 @@ queue_max_integrity_segments(struct requ
46519 #endif /* CONFIG_BLK_DEV_INTEGRITY */
46521 struct block_device_operations {
46522 - int (*open) (struct block_device *, fmode_t);
46523 - int (*release) (struct gendisk *, fmode_t);
46524 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
46525 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
46526 - int (*direct_access) (struct block_device *, sector_t,
46527 + int (* const open) (struct block_device *, fmode_t);
46528 + int (* const release) (struct gendisk *, fmode_t);
46529 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
46530 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
46531 + int (* const direct_access) (struct block_device *, sector_t,
46532 void **, unsigned long *);
46533 - unsigned int (*check_events) (struct gendisk *disk,
46534 + unsigned int (* const check_events) (struct gendisk *disk,
46535 unsigned int clearing);
46536 /* ->media_changed() is DEPRECATED, use ->check_events() instead */
46537 - int (*media_changed) (struct gendisk *);
46538 - void (*unlock_native_capacity) (struct gendisk *);
46539 - int (*revalidate_disk) (struct gendisk *);
46540 - int (*getgeo)(struct block_device *, struct hd_geometry *);
46541 + int (* const media_changed) (struct gendisk *);
46542 + void (* const unlock_native_capacity) (struct gendisk *);
46543 + int (* const revalidate_disk) (struct gendisk *);
46544 + int (* const getgeo)(struct block_device *, struct hd_geometry *);
46545 /* this callback is with swap_lock and sometimes page table lock held */
46546 - void (*swap_slot_free_notify) (struct block_device *, unsigned long);
46547 - struct module *owner;
46548 + void (* const swap_slot_free_notify) (struct block_device *, unsigned long);
46549 + struct module * const owner;
46552 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
46553 diff -urNp linux-2.6.38.4/include/linux/byteorder/little_endian.h linux-2.6.38.4/include/linux/byteorder/little_endian.h
46554 --- linux-2.6.38.4/include/linux/byteorder/little_endian.h 2011-03-14 21:20:32.000000000 -0400
46555 +++ linux-2.6.38.4/include/linux/byteorder/little_endian.h 2011-04-17 15:57:32.000000000 -0400
46556 @@ -42,51 +42,51 @@
46558 static inline __le64 __cpu_to_le64p(const __u64 *p)
46560 - return (__force __le64)*p;
46561 + return (__force const __le64)*p;
46563 static inline __u64 __le64_to_cpup(const __le64 *p)
46565 - return (__force __u64)*p;
46566 + return (__force const __u64)*p;
46568 static inline __le32 __cpu_to_le32p(const __u32 *p)
46570 - return (__force __le32)*p;
46571 + return (__force const __le32)*p;
46573 static inline __u32 __le32_to_cpup(const __le32 *p)
46575 - return (__force __u32)*p;
46576 + return (__force const __u32)*p;
46578 static inline __le16 __cpu_to_le16p(const __u16 *p)
46580 - return (__force __le16)*p;
46581 + return (__force const __le16)*p;
46583 static inline __u16 __le16_to_cpup(const __le16 *p)
46585 - return (__force __u16)*p;
46586 + return (__force const __u16)*p;
46588 static inline __be64 __cpu_to_be64p(const __u64 *p)
46590 - return (__force __be64)__swab64p(p);
46591 + return (__force const __be64)__swab64p(p);
46593 static inline __u64 __be64_to_cpup(const __be64 *p)
46595 - return __swab64p((__u64 *)p);
46596 + return __swab64p((const __u64 *)p);
46598 static inline __be32 __cpu_to_be32p(const __u32 *p)
46600 - return (__force __be32)__swab32p(p);
46601 + return (__force const __be32)__swab32p(p);
46603 static inline __u32 __be32_to_cpup(const __be32 *p)
46605 - return __swab32p((__u32 *)p);
46606 + return __swab32p((const __u32 *)p);
46608 static inline __be16 __cpu_to_be16p(const __u16 *p)
46610 - return (__force __be16)__swab16p(p);
46611 + return (__force const __be16)__swab16p(p);
46613 static inline __u16 __be16_to_cpup(const __be16 *p)
46615 - return __swab16p((__u16 *)p);
46616 + return __swab16p((const __u16 *)p);
46618 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
46619 #define __le64_to_cpus(x) do { (void)(x); } while (0)
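Review bot: `(__force const __le64)*p` and the other value casts in this hunk add `const` to the target type of a cast to a non-lvalue, which has no effect in C (qualifiers on the result of a cast are discarded) and only suggests that something is being protected. The pointer-side changes, `__swab64p((const __u64 *)p)`, `__swab32p((const __u32 *)p)` and `__swab16p((const __u16 *)p)`, are the meaningful part, since they stop casting away the parameter's const. The value casts can stay as they were, e.g. `return (__force __le64)*p;`, which reduces the hunk to the three `__swab*p` argument fixes.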
46620 diff -urNp linux-2.6.38.4/include/linux/cache.h linux-2.6.38.4/include/linux/cache.h
46621 --- linux-2.6.38.4/include/linux/cache.h 2011-03-14 21:20:32.000000000 -0400
46622 +++ linux-2.6.38.4/include/linux/cache.h 2011-04-17 15:57:32.000000000 -0400
46624 #define __read_mostly
46627 +#ifndef __read_only
46628 +#define __read_only __read_mostly
46631 #ifndef ____cacheline_aligned
46632 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
46634 diff -urNp linux-2.6.38.4/include/linux/capability.h linux-2.6.38.4/include/linux/capability.h
46635 --- linux-2.6.38.4/include/linux/capability.h 2011-03-14 21:20:32.000000000 -0400
46636 +++ linux-2.6.38.4/include/linux/capability.h 2011-04-17 15:57:32.000000000 -0400
46637 @@ -561,6 +561,7 @@ extern const kernel_cap_t __cap_init_eff
46638 (security_real_capable_noaudit((t), (cap)) == 0)
46640 extern int capable(int cap);
46641 +int capable_nolog(int cap);
46643 /* audit system wants to get cap info from files as well */
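Review bot: `int capable_nolog(int cap);` is declared without `extern`, while the neighbouring `extern int capable(int cap);` uses it; both forms are valid, but the header's style is `extern`. `extern int capable_nolog(int cap);` keeps it consistent, and a one-line comment saying how it differs from capable() (judging by the name it skips the audit/log path, but the definition is outside this hunk) would help callers choose the right one.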
46645 diff -urNp linux-2.6.38.4/include/linux/compiler-gcc4.h linux-2.6.38.4/include/linux/compiler-gcc4.h
46646 --- linux-2.6.38.4/include/linux/compiler-gcc4.h 2011-03-14 21:20:32.000000000 -0400
46647 +++ linux-2.6.38.4/include/linux/compiler-gcc4.h 2011-04-17 15:57:32.000000000 -0400
46652 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
46653 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
46654 +#define __bos0(ptr) __bos((ptr), 0)
46655 +#define __bos1(ptr) __bos((ptr), 1)
46658 #if __GNUC_MINOR__ > 0
46659 diff -urNp linux-2.6.38.4/include/linux/compiler.h linux-2.6.38.4/include/linux/compiler.h
46660 --- linux-2.6.38.4/include/linux/compiler.h 2011-03-14 21:20:32.000000000 -0400
46661 +++ linux-2.6.38.4/include/linux/compiler.h 2011-04-17 15:57:32.000000000 -0400
46662 @@ -273,6 +273,22 @@ void ftrace_likely_update(struct ftrace_
46666 +#ifndef __alloc_size
46667 +#define __alloc_size
46682 /* Simple shorthand for a section definition */
46684 # define __section(S) __attribute__ ((__section__(#S)))
46685 @@ -306,6 +322,7 @@ void ftrace_likely_update(struct ftrace_
46686 * use is to mediate communication between process-level code and irq/NMI
46687 * handlers, all running on the same CPU.
46689 -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
46690 +#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
46691 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
46693 #endif /* __LINUX_COMPILER_H */
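Review bot: `ACCESS_ONCE()` now dereferences a `volatile const` pointer, so any existing use of it as an assignment target elsewhere in the tree stops compiling until converted to the new `ACCESS_ONCE_RW()` (as the cpuset.h hunk does), yet the comment block above, whose tail is visible here, still describes only ACCESS_ONCE. Extend it with a sentence such as ` * ACCESS_ONCE() yields a read-only lvalue; use ACCESS_ONCE_RW() for the rarer cases that write through it.` so the split is documented where both macros are defined.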
46694 diff -urNp linux-2.6.38.4/include/linux/cpuset.h linux-2.6.38.4/include/linux/cpuset.h
46695 --- linux-2.6.38.4/include/linux/cpuset.h 2011-03-14 21:20:32.000000000 -0400
46696 +++ linux-2.6.38.4/include/linux/cpuset.h 2011-04-17 15:57:32.000000000 -0400
46697 @@ -118,7 +118,7 @@ static inline void put_mems_allowed(void
46701 - --ACCESS_ONCE(current->mems_allowed_change_disable);
46702 + --ACCESS_ONCE_RW(current->mems_allowed_change_disable);
46705 static inline void set_mems_allowed(nodemask_t nodemask)
46706 diff -urNp linux-2.6.38.4/include/linux/decompress/mm.h linux-2.6.38.4/include/linux/decompress/mm.h
46707 --- linux-2.6.38.4/include/linux/decompress/mm.h 2011-03-14 21:20:32.000000000 -0400
46708 +++ linux-2.6.38.4/include/linux/decompress/mm.h 2011-04-17 15:57:32.000000000 -0400
46709 @@ -77,7 +77,7 @@ static void free(void *where)
46710 * warnings when not needed (indeed large_malloc / large_free are not
46711 * needed by inflate */
46713 -#define malloc(a) kmalloc(a, GFP_KERNEL)
46714 +#define malloc(a) kmalloc((a), GFP_KERNEL)
46715 #define free(a) kfree(a)
46717 #define large_malloc(a) vmalloc(a)
46718 diff -urNp linux-2.6.38.4/include/linux/dma-mapping.h linux-2.6.38.4/include/linux/dma-mapping.h
46719 --- linux-2.6.38.4/include/linux/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
46720 +++ linux-2.6.38.4/include/linux/dma-mapping.h 2011-04-17 15:57:32.000000000 -0400
46721 @@ -16,40 +16,40 @@ enum dma_data_direction {
46724 struct dma_map_ops {
46725 - void* (*alloc_coherent)(struct device *dev, size_t size,
46726 + void* (* const alloc_coherent)(struct device *dev, size_t size,
46727 dma_addr_t *dma_handle, gfp_t gfp);
46728 - void (*free_coherent)(struct device *dev, size_t size,
46729 + void (* const free_coherent)(struct device *dev, size_t size,
46730 void *vaddr, dma_addr_t dma_handle);
46731 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
46732 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
46733 unsigned long offset, size_t size,
46734 enum dma_data_direction dir,
46735 struct dma_attrs *attrs);
46736 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
46737 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
46738 size_t size, enum dma_data_direction dir,
46739 struct dma_attrs *attrs);
46740 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
46741 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
46742 int nents, enum dma_data_direction dir,
46743 struct dma_attrs *attrs);
46744 - void (*unmap_sg)(struct device *dev,
46745 + void (* const unmap_sg)(struct device *dev,
46746 struct scatterlist *sg, int nents,
46747 enum dma_data_direction dir,
46748 struct dma_attrs *attrs);
46749 - void (*sync_single_for_cpu)(struct device *dev,
46750 + void (* const sync_single_for_cpu)(struct device *dev,
46751 dma_addr_t dma_handle, size_t size,
46752 enum dma_data_direction dir);
46753 - void (*sync_single_for_device)(struct device *dev,
46754 + void (* const sync_single_for_device)(struct device *dev,
46755 dma_addr_t dma_handle, size_t size,
46756 enum dma_data_direction dir);
46757 - void (*sync_sg_for_cpu)(struct device *dev,
46758 + void (* const sync_sg_for_cpu)(struct device *dev,
46759 struct scatterlist *sg, int nents,
46760 enum dma_data_direction dir);
46761 - void (*sync_sg_for_device)(struct device *dev,
46762 + void (* const sync_sg_for_device)(struct device *dev,
46763 struct scatterlist *sg, int nents,
46764 enum dma_data_direction dir);
46765 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
46766 - int (*dma_supported)(struct device *dev, u64 mask);
46767 - int (*set_dma_mask)(struct device *dev, u64 mask);
46769 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
46770 + int (* const dma_supported)(struct device *dev, u64 mask);
46771 + int (* set_dma_mask)(struct device *dev, u64 mask);
46772 + const int is_phys;
46775 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
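Review bot: Every function pointer in `struct dma_map_ops` becomes `* const` except `set_dma_mask`, and `is_phys` becomes `const int`, with no comment on why `set_dma_mask` is the one member left writable; a reader will take it for an oversight. If some code assigns `ops->set_dma_mask` after initialization (its users are outside this hunk), say so on the field, e.g. `int (* set_dma_mask)(struct device *dev, u64 mask); /* deliberately not const: assigned at runtime by <CALLER> */`. Note also that const members make the struct non-assignable as a whole, so any code that fills in a `struct dma_map_ops` field by field must become a static initializer.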
46776 diff -urNp linux-2.6.38.4/include/linux/elf.h linux-2.6.38.4/include/linux/elf.h
46777 --- linux-2.6.38.4/include/linux/elf.h 2011-03-14 21:20:32.000000000 -0400
46778 +++ linux-2.6.38.4/include/linux/elf.h 2011-04-17 15:57:32.000000000 -0400
46779 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
46780 #define PT_GNU_EH_FRAME 0x6474e550
46782 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
46783 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
46785 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
46787 +/* Constants for the e_flags field */
46788 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
46789 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
46790 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
46791 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
46792 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
46793 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
46796 * Extended Numbering
46797 @@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
46798 #define DT_DEBUG 21
46799 #define DT_TEXTREL 22
46800 #define DT_JMPREL 23
46801 +#define DT_FLAGS 30
46802 + #define DF_TEXTREL 0x00000004
46803 #define DT_ENCODING 32
46804 #define OLD_DT_LOOS 0x60000000
46805 #define DT_LOOS 0x6000000d
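Review bot: `+ #define DF_TEXTREL 0x00000004` is indented by one space under `DT_FLAGS` while every other `#define` in this header sits at column 0, so the indent reads as a stray edit rather than deliberate grouping. Either drop the leading space or make the relationship explicit in a comment, e.g. `#define DF_TEXTREL 0x00000004 /* DT_FLAGS bit: object contains text relocations */`.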
46806 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
46810 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
46811 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
46812 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
46813 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
46814 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
46815 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
46816 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
46817 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
46818 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
46819 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
46820 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
46821 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
46823 typedef struct elf32_phdr{
46825 Elf32_Off p_offset;
46826 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
46832 #define ELFMAG0 0x7f /* EI_MAG */
46833 #define ELFMAG1 'E'
46834 #define ELFMAG2 'L'
46835 @@ -421,6 +449,7 @@ extern Elf32_Dyn _DYNAMIC [];
46836 #define elf_note elf32_note
46837 #define elf_addr_t Elf32_Off
46838 #define Elf_Half Elf32_Half
46839 +#define elf_dyn Elf32_Dyn
46843 @@ -431,6 +460,7 @@ extern Elf64_Dyn _DYNAMIC [];
46844 #define elf_note elf64_note
46845 #define elf_addr_t Elf64_Off
46846 #define Elf_Half Elf64_Half
46847 +#define elf_dyn Elf64_Dyn
46851 diff -urNp linux-2.6.38.4/include/linux/fs.h linux-2.6.38.4/include/linux/fs.h
46852 --- linux-2.6.38.4/include/linux/fs.h 2011-03-14 21:20:32.000000000 -0400
46853 +++ linux-2.6.38.4/include/linux/fs.h 2011-04-17 15:57:32.000000000 -0400
46854 @@ -105,6 +105,11 @@ struct inodes_stat_t {
46855 /* File was opened by fanotify and shouldn't generate fanotify events */
46856 #define FMODE_NONOTIFY ((__force fmode_t)0x1000000)
46858 +/* Hack for grsec so as not to require read permission simply to execute
46861 +#define FMODE_GREXEC ((__force fmode_t)0x2000000)
46864 * The below are the various read and write types that we support. Some of
46865 * them include behavioral modifiers that send information down to the
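Review bot: `FMODE_GREXEC` is a new fmode_t bit whose comment says it exempts an open from the read-permission requirement for execution, but the hunk does not say where the bit may originate, and the remainder of the comment is not visible in my view. Because the bit relaxes a permission check, the define should state that it is set only by the kernel's exec path and is never derived from user-supplied open flags, e.g. ` * Set only internally by the exec path; must never be reachable from user-controlled open flags.`, and the open-flag translation code should be checked for that invariant (outside this hunk).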
46866 @@ -581,42 +586,42 @@ typedef int (*read_actor_t)(read_descrip
46867 unsigned long, unsigned long);
46869 struct address_space_operations {
46870 - int (*writepage)(struct page *page, struct writeback_control *wbc);
46871 - int (*readpage)(struct file *, struct page *);
46872 - void (*sync_page)(struct page *);
46873 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
46874 + int (* const readpage)(struct file *, struct page *);
46875 + void (* const sync_page)(struct page *);
46877 /* Write back some dirty pages from this mapping. */
46878 - int (*writepages)(struct address_space *, struct writeback_control *);
46879 + int (* const writepages)(struct address_space *, struct writeback_control *);
46881 /* Set a page dirty. Return true if this dirtied it */
46882 - int (*set_page_dirty)(struct page *page);
46883 + int (* const set_page_dirty)(struct page *page);
46885 - int (*readpages)(struct file *filp, struct address_space *mapping,
46886 + int (* const readpages)(struct file *filp, struct address_space *mapping,
46887 struct list_head *pages, unsigned nr_pages);
46889 - int (*write_begin)(struct file *, struct address_space *mapping,
46890 + int (* const write_begin)(struct file *, struct address_space *mapping,
46891 loff_t pos, unsigned len, unsigned flags,
46892 struct page **pagep, void **fsdata);
46893 - int (*write_end)(struct file *, struct address_space *mapping,
46894 + int (* const write_end)(struct file *, struct address_space *mapping,
46895 loff_t pos, unsigned len, unsigned copied,
46896 struct page *page, void *fsdata);
46898 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
46899 - sector_t (*bmap)(struct address_space *, sector_t);
46900 - void (*invalidatepage) (struct page *, unsigned long);
46901 - int (*releasepage) (struct page *, gfp_t);
46902 - void (*freepage)(struct page *);
46903 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
46904 + sector_t (* const bmap)(struct address_space *, sector_t);
46905 + void (* const invalidatepage) (struct page *, unsigned long);
46906 + int (* const releasepage) (struct page *, gfp_t);
46907 + void (* const freepage)(struct page *);
46908 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
46909 loff_t offset, unsigned long nr_segs);
46910 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
46911 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
46912 void **, unsigned long *);
46913 /* migrate the contents of a page to the specified target */
46914 - int (*migratepage) (struct address_space *,
46915 + int (* const migratepage) (struct address_space *,
46916 struct page *, struct page *);
46917 - int (*launder_page) (struct page *);
46918 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
46919 + int (* const launder_page) (struct page *);
46920 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
46922 - int (*error_remove_page)(struct address_space *, struct page *);
46923 + int (* const error_remove_page)(struct address_space *, struct page *);
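Review bot: Qualifying each member as `* const` only stops assignment through the struct type at compile time; the memory behind an instance is still writable unless the instance itself is defined `const` so the table is placed in read-only data, which means the hardening depends on every `struct address_space_operations` definition being `const` and never heap-built. That contract deserves a one-line comment on the struct, e.g. `/* members are const: instances must be fully initialized at definition time and declared const so the ops table lives in read-only data */`, so a future dynamically allocated instance is not assumed to be protected. The same applies to file_lock_operations and lock_manager_operations in the `@@ -1059,17 +1064,17 @@` hunk below. Any existing code that fills these members at runtime will now fail to compile, which is presumably intended, but that treewide sweep is not visible here.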
46927 @@ -1059,17 +1064,17 @@ static inline int file_check_writeable(s
46928 typedef struct files_struct *fl_owner_t;
46930 struct file_lock_operations {
46931 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
46932 - void (*fl_release_private)(struct file_lock *);
46933 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
46934 + void (* const fl_release_private)(struct file_lock *);
46937 struct lock_manager_operations {
46938 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
46939 - void (*fl_notify)(struct file_lock *); /* unblock callback */
46940 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
46941 - void (*fl_release_private)(struct file_lock *);
46942 - void (*fl_break)(struct file_lock *);
46943 - int (*fl_change)(struct file_lock **, int);
46944 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
46945 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
46946 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
46947 + void (* const fl_release_private)(struct file_lock *);
46948 + void (* const fl_break)(struct file_lock *);
46949 + int (* const fl_change)(struct file_lock **, int);
46952 struct lock_manager {
46953 diff -urNp linux-2.6.38.4/include/linux/fs_struct.h linux-2.6.38.4/include/linux/fs_struct.h
46954 --- linux-2.6.38.4/include/linux/fs_struct.h 2011-03-14 21:20:32.000000000 -0400
46955 +++ linux-2.6.38.4/include/linux/fs_struct.h 2011-04-17 15:57:32.000000000 -0400
46957 #include <linux/seqlock.h>
46965 diff -urNp linux-2.6.38.4/include/linux/genhd.h linux-2.6.38.4/include/linux/genhd.h
46966 --- linux-2.6.38.4/include/linux/genhd.h 2011-03-14 21:20:32.000000000 -0400
46967 +++ linux-2.6.38.4/include/linux/genhd.h 2011-04-17 15:57:32.000000000 -0400
46968 @@ -183,7 +183,7 @@ struct gendisk {
46969 struct kobject *slave_dir;
46971 struct timer_rand_state *random;
46972 - atomic_t sync_io; /* RAID */
46973 + atomic_unchecked_t sync_io; /* RAID */
46974 struct disk_events *ev;
46975 #ifdef CONFIG_BLK_DEV_INTEGRITY
46976 struct blk_integrity *integrity;
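Review bot: Switching sync_io to atomic_unchecked_t opts this field out of overflow checking, and the reason should be recorded next to it, because a reader otherwise cannot tell whether this is a statistics counter (where wraparound is harmless) or a reference count (where unchecked overflow is exactly the bug class the checked type guards against). From the name and the existing `/* RAID */` comment it looks like a statistic, but that is inferred rather than shown here. Suggest `atomic_unchecked_t sync_io; /* RAID I/O statistics counter: wraparound tolerated, not a refcount */`, and the same justification pattern for every other atomic_t → atomic_unchecked_t conversion in this patch.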
46977 diff -urNp linux-2.6.38.4/include/linux/gracl.h linux-2.6.38.4/include/linux/gracl.h
46978 --- linux-2.6.38.4/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
46979 +++ linux-2.6.38.4/include/linux/gracl.h 2011-04-17 15:57:32.000000000 -0400
46984 +#include <linux/grdefs.h>
46985 +#include <linux/resource.h>
46986 +#include <linux/capability.h>
46987 +#include <linux/dcache.h>
46988 +#include <asm/resource.h>
46990 +/* Major status information */
46992 +#define GR_VERSION "grsecurity 2.2.2"
46993 +#define GRSECURITY_VERSION 0x2202
47004 + GR_SPROLEPAM = 8,
47007 +/* Password setup definitions
47008 + * kernel/grhash.c */
47011 + GR_SALT_LEN = 16,
47016 + GR_SPROLE_LEN = 64,
47025 +#define GR_NLIMITS 32
47027 +/* Begin Data Structures */
47029 +struct sprole_pw {
47030 + unsigned char *rolename;
47031 + unsigned char salt[GR_SALT_LEN];
47032 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
47035 +struct name_entry {
47042 + struct name_entry *prev;
47043 + struct name_entry *next;
47046 +struct inodev_entry {
47047 + struct name_entry *nentry;
47048 + struct inodev_entry *prev;
47049 + struct inodev_entry *next;
47052 +struct acl_role_db {
47053 + struct acl_role_label **r_hash;
47057 +struct inodev_db {
47058 + struct inodev_entry **i_hash;
47063 + struct name_entry **n_hash;
47067 +struct crash_uid {
47069 + unsigned long expires;
47072 +struct gr_hash_struct {
47074 + void **nametable;
47076 + __u32 table_size;
47081 +/* Userspace Grsecurity ACL data structures */
47083 +struct acl_subject_label {
47088 + kernel_cap_t cap_mask;
47089 + kernel_cap_t cap_lower;
47090 + kernel_cap_t cap_invert_audit;
47092 + struct rlimit res[GR_NLIMITS];
47095 + __u8 user_trans_type;
47096 + __u8 group_trans_type;
47097 + uid_t *user_transitions;
47098 + gid_t *group_transitions;
47099 + __u16 user_trans_num;
47100 + __u16 group_trans_num;
47102 + __u32 sock_families[2];
47103 + __u32 ip_proto[8];
47105 + struct acl_ip_label **ips;
47107 + __u32 inaddr_any_override;
47110 + unsigned long expires;
47112 + struct acl_subject_label *parent_subject;
47113 + struct gr_hash_struct *hash;
47114 + struct acl_subject_label *prev;
47115 + struct acl_subject_label *next;
47117 + struct acl_object_label **obj_hash;
47118 + __u32 obj_hash_size;
47122 +struct role_allowed_ip {
47126 + struct role_allowed_ip *prev;
47127 + struct role_allowed_ip *next;
47130 +struct role_transition {
47133 + struct role_transition *prev;
47134 + struct role_transition *next;
47137 +struct acl_role_label {
47142 + __u16 auth_attempts;
47143 + unsigned long expires;
47145 + struct acl_subject_label *root_label;
47146 + struct gr_hash_struct *hash;
47148 + struct acl_role_label *prev;
47149 + struct acl_role_label *next;
47151 + struct role_transition *transitions;
47152 + struct role_allowed_ip *allowed_ips;
47153 + uid_t *domain_children;
47154 + __u16 domain_child_num;
47156 + struct acl_subject_label **subj_hash;
47157 + __u32 subj_hash_size;
47160 +struct user_acl_role_db {
47161 + struct acl_role_label **r_table;
47162 + __u32 num_pointers; /* Number of allocations to track */
47163 + __u32 num_roles; /* Number of roles */
47164 + __u32 num_domain_children; /* Number of domain children */
47165 + __u32 num_subjects; /* Number of subjects */
47166 + __u32 num_objects; /* Number of objects */
47169 +struct acl_object_label {
47175 + struct acl_subject_label *nested;
47176 + struct acl_object_label *globbed;
47178 + /* next two structures not used */
47180 + struct acl_object_label *prev;
47181 + struct acl_object_label *next;
47184 +struct acl_ip_label {
47193 + /* next two structures not used */
47195 + struct acl_ip_label *prev;
47196 + struct acl_ip_label *next;
47200 + struct user_acl_role_db role_db;
47201 + unsigned char pw[GR_PW_LEN];
47202 + unsigned char salt[GR_SALT_LEN];
47203 + unsigned char sum[GR_SHA_LEN];
47204 + unsigned char sp_role[GR_SPROLE_LEN];
47205 + struct sprole_pw *sprole_pws;
47206 + dev_t segv_device;
47207 + ino_t segv_inode;
47209 + __u16 num_sprole_pws;
47213 +struct gr_arg_wrapper {
47214 + struct gr_arg *arg;
47219 +struct subject_map {
47220 + struct acl_subject_label *user;
47221 + struct acl_subject_label *kernel;
47222 + struct subject_map *prev;
47223 + struct subject_map *next;
47226 +struct acl_subj_map_db {
47227 + struct subject_map **s_hash;
47231 +/* End Data Structures Section */
47233 +/* Hash functions generated by empirical testing by Brad Spengler
47234 + Makes good use of the low bits of the inode. Generally 0-1 times
47235 + in loop for successful match. 0-3 for unsuccessful match.
47236 + Shift/add algorithm with modulus of table size and an XOR*/
47238 +static __inline__ unsigned int
47239 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
47241 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
47244 + static __inline__ unsigned int
47245 +shash(const struct acl_subject_label *userp, const unsigned int sz)
47247 + return ((const unsigned long)userp % sz);
47250 +static __inline__ unsigned int
47251 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
47253 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
47256 +static __inline__ unsigned int
47257 +nhash(const char *name, const __u16 len, const unsigned int sz)
47259 + return full_name_hash((const unsigned char *)name, len) % sz;
47262 +#define FOR_EACH_ROLE_START(role) \
47263 + role = role_list; \
47266 +#define FOR_EACH_ROLE_END(role) \
47267 + role = role->prev; \
47270 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
47273 + while (iter < role->subj_hash_size) { \
47274 + if (subj == NULL) \
47275 + subj = role->subj_hash[iter]; \
47276 + if (subj == NULL) { \
47281 +#define FOR_EACH_SUBJECT_END(subj,iter) \
47282 + subj = subj->next; \
47283 + if (subj == NULL) \
47288 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
47289 + subj = role->hash->first; \
47290 + while (subj != NULL) {
47292 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
47293 + subj = subj->next; \
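Review bot: rhash() at `return ((((uid + type) << (16 + type)) ^ uid) % sz);` shifts a 32-bit value by `16 + type`, which is undefined behaviour once `type` reaches 16; with the small role-type values that appear to be passed (GR_ROLE_USER/GROUP/DEFAULT = 1/2/4) it is fine, but nothing in the header says so. Suggest documenting the precondition, `/* type must be < 16 (GR_ROLE_USER/GROUP/DEFAULT): the shift count is 16 + type on a 32-bit value */`, or masking the shift count; likewise all four hash helpers reduce modulo `sz`, so `sz == 0` is a divide-by-zero the caller must rule out and a one-line note on that would help. Separately, the structure carrying `unsigned char pw[GR_PW_LEN]` next to `salt` and `sum` (its tag line is not shown, apparently `struct gr_arg`) holds a plaintext password once it has been copied into the kernel; the header should state that the consumer is expected to clear `pw` as soon as the salted hash has been verified, so the plaintext does not linger in freed or reused memory.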
47298 diff -urNp linux-2.6.38.4/include/linux/gralloc.h linux-2.6.38.4/include/linux/gralloc.h
47299 --- linux-2.6.38.4/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
47300 +++ linux-2.6.38.4/include/linux/gralloc.h 2011-04-17 15:57:32.000000000 -0400
47302 +#ifndef __GRALLOC_H
47303 +#define __GRALLOC_H
47305 +void acl_free_all(void);
47306 +int acl_alloc_stack_init(unsigned long size);
47307 +void *acl_alloc(unsigned long len);
47308 +void *acl_alloc_num(unsigned long num, unsigned long len);
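Review bot: These prototypes carry no contract: `acl_alloc_num(unsigned long num, unsigned long len)` should say whether it rejects `num * len` overflow, and both allocators should say who owns the result. The absence of a per-object free suggests allocations are only released collectively via `acl_free_all()`, but that is inferred, not visible here. A short header comment such as `/* Allocations are owned by the ACL allocator and are released only by acl_free_all(); acl_alloc_num() must reject num * len overflow */` would settle both questions for callers.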
47311 diff -urNp linux-2.6.38.4/include/linux/grdefs.h linux-2.6.38.4/include/linux/grdefs.h
47312 --- linux-2.6.38.4/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
47313 +++ linux-2.6.38.4/include/linux/grdefs.h 2011-04-17 15:57:32.000000000 -0400
47318 +/* Begin grsecurity status declarations */
47322 + GR_STATUS_INIT = 0x00 // disabled state
47325 +/* Begin ACL declarations */
47330 + GR_ROLE_USER = 0x0001,
47331 + GR_ROLE_GROUP = 0x0002,
47332 + GR_ROLE_DEFAULT = 0x0004,
47333 + GR_ROLE_SPECIAL = 0x0008,
47334 + GR_ROLE_AUTH = 0x0010,
47335 + GR_ROLE_NOPW = 0x0020,
47336 + GR_ROLE_GOD = 0x0040,
47337 + GR_ROLE_LEARN = 0x0080,
47338 + GR_ROLE_TPE = 0x0100,
47339 + GR_ROLE_DOMAIN = 0x0200,
47340 + GR_ROLE_PAM = 0x0400,
47341 + GR_ROLE_PERSIST = 0x0800
47344 +/* ACL Subject and Object mode flags */
47346 + GR_DELETED = 0x80000000
47349 +/* ACL Object-only mode flags */
47351 + GR_READ = 0x00000001,
47352 + GR_APPEND = 0x00000002,
47353 + GR_WRITE = 0x00000004,
47354 + GR_EXEC = 0x00000008,
47355 + GR_FIND = 0x00000010,
47356 + GR_INHERIT = 0x00000020,
47357 + GR_SETID = 0x00000040,
47358 + GR_CREATE = 0x00000080,
47359 + GR_DELETE = 0x00000100,
47360 + GR_LINK = 0x00000200,
47361 + GR_AUDIT_READ = 0x00000400,
47362 + GR_AUDIT_APPEND = 0x00000800,
47363 + GR_AUDIT_WRITE = 0x00001000,
47364 + GR_AUDIT_EXEC = 0x00002000,
47365 + GR_AUDIT_FIND = 0x00004000,
47366 + GR_AUDIT_INHERIT= 0x00008000,
47367 + GR_AUDIT_SETID = 0x00010000,
47368 + GR_AUDIT_CREATE = 0x00020000,
47369 + GR_AUDIT_DELETE = 0x00040000,
47370 + GR_AUDIT_LINK = 0x00080000,
47371 + GR_PTRACERD = 0x00100000,
47372 + GR_NOPTRACE = 0x00200000,
47373 + GR_SUPPRESS = 0x00400000,
47374 + GR_NOLEARN = 0x00800000,
47375 + GR_INIT_TRANSFER= 0x01000000
47378 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
47379 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
47380 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
47382 +/* ACL subject-only mode flags */
47384 + GR_KILL = 0x00000001,
47385 + GR_VIEW = 0x00000002,
47386 + GR_PROTECTED = 0x00000004,
47387 + GR_LEARN = 0x00000008,
47388 + GR_OVERRIDE = 0x00000010,
47389 + /* just a placeholder, this mode is only used in userspace */
47390 + GR_DUMMY = 0x00000020,
47391 + GR_PROTSHM = 0x00000040,
47392 + GR_KILLPROC = 0x00000080,
47393 + GR_KILLIPPROC = 0x00000100,
47394 + /* just a placeholder, this mode is only used in userspace */
47395 + GR_NOTROJAN = 0x00000200,
47396 + GR_PROTPROCFD = 0x00000400,
47397 + GR_PROCACCT = 0x00000800,
47398 + GR_RELAXPTRACE = 0x00001000,
47399 + GR_NESTED = 0x00002000,
47400 + GR_INHERITLEARN = 0x00004000,
47401 + GR_PROCFIND = 0x00008000,
47402 + GR_POVERRIDE = 0x00010000,
47403 + GR_KERNELAUTH = 0x00020000,
47404 + GR_ATSECURE = 0x00040000
47408 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
47409 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
47410 + GR_PAX_ENABLE_MPROTECT = 0x0004,
47411 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
47412 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
47413 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
47414 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
47415 + GR_PAX_DISABLE_MPROTECT = 0x0400,
47416 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
47417 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
47421 + GR_ID_USER = 0x01,
47422 + GR_ID_GROUP = 0x02,
47426 + GR_ID_ALLOW = 0x01,
47427 + GR_ID_DENY = 0x02,
47430 +#define GR_CRASH_RES 31
47431 +#define GR_UIDTABLE_MAX 500
47433 +/* begin resource learning section */
47435 + GR_RLIM_CPU_BUMP = 60,
47436 + GR_RLIM_FSIZE_BUMP = 50000,
47437 + GR_RLIM_DATA_BUMP = 10000,
47438 + GR_RLIM_STACK_BUMP = 1000,
47439 + GR_RLIM_CORE_BUMP = 10000,
47440 + GR_RLIM_RSS_BUMP = 500000,
47441 + GR_RLIM_NPROC_BUMP = 1,
47442 + GR_RLIM_NOFILE_BUMP = 5,
47443 + GR_RLIM_MEMLOCK_BUMP = 50000,
47444 + GR_RLIM_AS_BUMP = 500000,
47445 + GR_RLIM_LOCKS_BUMP = 2,
47446 + GR_RLIM_SIGPENDING_BUMP = 5,
47447 + GR_RLIM_MSGQUEUE_BUMP = 10000,
47448 + GR_RLIM_NICE_BUMP = 1,
47449 + GR_RLIM_RTPRIO_BUMP = 1,
47450 + GR_RLIM_RTTIME_BUMP = 1000000
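Review bot: `GR_DELETED = 0x80000000` is not representable as `int`, so in C the type of this enumerator is compiler-dependent (GCC widens the enumeration to an unsigned type); it works in practice, but comparing it against signed values or using it in a `switch` on an `int` is a latent pitfall, and `#define GR_DELETED 0x80000000U` or a comment on the enum would make the intent explicit. The object-only and subject-only flag enums also reuse the same numeric values (`GR_READ` and `GR_KILL` are both 0x00000001), which presumably is fine because they apply to different label types, but a comment on each enum that the two flag sets must never be combined in one mode field would protect against a future mix-up.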
47454 diff -urNp linux-2.6.38.4/include/linux/grinternal.h linux-2.6.38.4/include/linux/grinternal.h
47455 --- linux-2.6.38.4/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
47456 +++ linux-2.6.38.4/include/linux/grinternal.h 2011-04-17 15:57:32.000000000 -0400
47458 +#ifndef __GRINTERNAL_H
47459 +#define __GRINTERNAL_H
47461 +#ifdef CONFIG_GRKERNSEC
47463 +#include <linux/fs.h>
47464 +#include <linux/mnt_namespace.h>
47465 +#include <linux/nsproxy.h>
47466 +#include <linux/gracl.h>
47467 +#include <linux/grdefs.h>
47468 +#include <linux/grmsg.h>
47470 +void gr_add_learn_entry(const char *fmt, ...)
47471 + __attribute__ ((format (printf, 1, 2)));
47472 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
47473 + const struct vfsmount *mnt);
47474 +__u32 gr_check_create(const struct dentry *new_dentry,
47475 + const struct dentry *parent,
47476 + const struct vfsmount *mnt, const __u32 mode);
47477 +int gr_check_protected_task(const struct task_struct *task);
47478 +__u32 to_gr_audit(const __u32 reqmode);
47479 +int gr_set_acls(const int type);
47480 +int gr_apply_subject_to_task(struct task_struct *task);
47481 +int gr_acl_is_enabled(void);
47482 +char gr_roletype_to_char(void);
47484 +void gr_handle_alertkill(struct task_struct *task);
47485 +char *gr_to_filename(const struct dentry *dentry,
47486 + const struct vfsmount *mnt);
47487 +char *gr_to_filename1(const struct dentry *dentry,
47488 + const struct vfsmount *mnt);
47489 +char *gr_to_filename2(const struct dentry *dentry,
47490 + const struct vfsmount *mnt);
47491 +char *gr_to_filename3(const struct dentry *dentry,
47492 + const struct vfsmount *mnt);
47494 +extern int grsec_enable_harden_ptrace;
47495 +extern int grsec_enable_link;
47496 +extern int grsec_enable_fifo;
47497 +extern int grsec_enable_execve;
47498 +extern int grsec_enable_shm;
47499 +extern int grsec_enable_execlog;
47500 +extern int grsec_enable_signal;
47501 +extern int grsec_enable_audit_ptrace;
47502 +extern int grsec_enable_forkfail;
47503 +extern int grsec_enable_time;
47504 +extern int grsec_enable_rofs;
47505 +extern int grsec_enable_chroot_shmat;
47506 +extern int grsec_enable_chroot_findtask;
47507 +extern int grsec_enable_chroot_mount;
47508 +extern int grsec_enable_chroot_double;
47509 +extern int grsec_enable_chroot_pivot;
47510 +extern int grsec_enable_chroot_chdir;
47511 +extern int grsec_enable_chroot_chmod;
47512 +extern int grsec_enable_chroot_mknod;
47513 +extern int grsec_enable_chroot_fchdir;
47514 +extern int grsec_enable_chroot_nice;
47515 +extern int grsec_enable_chroot_execlog;
47516 +extern int grsec_enable_chroot_caps;
47517 +extern int grsec_enable_chroot_sysctl;
47518 +extern int grsec_enable_chroot_unix;
47519 +extern int grsec_enable_tpe;
47520 +extern int grsec_tpe_gid;
47521 +extern int grsec_enable_tpe_all;
47522 +extern int grsec_enable_tpe_invert;
47523 +extern int grsec_enable_socket_all;
47524 +extern int grsec_socket_all_gid;
47525 +extern int grsec_enable_socket_client;
47526 +extern int grsec_socket_client_gid;
47527 +extern int grsec_enable_socket_server;
47528 +extern int grsec_socket_server_gid;
47529 +extern int grsec_audit_gid;
47530 +extern int grsec_enable_group;
47531 +extern int grsec_enable_audit_textrel;
47532 +extern int grsec_enable_log_rwxmaps;
47533 +extern int grsec_enable_mount;
47534 +extern int grsec_enable_chdir;
47535 +extern int grsec_resource_logging;
47536 +extern int grsec_enable_blackhole;
47537 +extern int grsec_lastack_retries;
47538 +extern int grsec_lock;
47540 +extern spinlock_t grsec_alert_lock;
47541 +extern unsigned long grsec_alert_wtime;
47542 +extern unsigned long grsec_alert_fyet;
47544 +extern spinlock_t grsec_audit_lock;
47546 +extern rwlock_t grsec_exec_file_lock;
47548 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
47549 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
47550 + (tsk)->exec_file->f_vfsmnt) : "/")
47552 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
47553 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
47554 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
47556 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
47557 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
47558 + (tsk)->exec_file->f_vfsmnt) : "/")
47560 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
47561 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
47562 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
47564 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
47566 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
47568 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
47569 + (task)->pid, (cred)->uid, \
47570 + (cred)->euid, (cred)->gid, (cred)->egid, \
47571 + gr_parent_task_fullpath(task), \
47572 + (task)->real_parent->comm, (task)->real_parent->pid, \
47573 + (pcred)->uid, (pcred)->euid, \
47574 + (pcred)->gid, (pcred)->egid
47576 +#define GR_CHROOT_CAPS {{ \
47577 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
47578 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
47579 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
47580 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
47581 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
47582 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
47584 +#define security_learn(normal_msg,args...) \
47586 + read_lock(&grsec_exec_file_lock); \
47587 + gr_add_learn_entry(normal_msg "\n", ## args); \
47588 + read_unlock(&grsec_exec_file_lock); \
47594 + /* used for non-audit messages that we shouldn't kill the task on */
47595 + GR_DONT_AUDIT_GOOD
47606 + GR_SYSCTL_HIDDEN,
47609 + GR_ONE_INT_TWO_STR,
47616 + GR_FIVE_INT_TWO_STR,
47622 + GR_FILENAME_TWO_INT,
47623 + GR_FILENAME_TWO_INT_STR,
47636 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
47637 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
47638 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
47639 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
47640 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
47641 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
47642 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
47643 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
47644 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
47645 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
47646 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
47647 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
47648 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
47649 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
47650 +#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
47651 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
47652 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
47653 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
47654 +#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
47655 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
47656 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
47657 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
47658 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
47659 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
47660 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
47661 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
47662 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
47663 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
47664 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
47665 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
47666 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
47667 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
47668 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
47669 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
47670 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
47672 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
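Review bot: The gr_task_fullpath*/gr_parent_task_fullpath* macros dereference `(tsk)->exec_file` and `(tsk)->real_parent->exec_file` with no locking of their own, while `security_learn` wraps its use in `read_lock(&grsec_exec_file_lock)`; the locking rule should be stated on the macros themselves, e.g. `/* caller must hold grsec_exec_file_lock (read side) and keep real_parent stable */`, otherwise a new call site can read a pointer that is being replaced. Since the variadic arguments of `gr_log_varargs(int audit, const char *msg, int argtypes, ...)` are interpreted through `argtypes` rather than through `msg`, the compiler cannot check them, so a comment that `msg` must be one of the GR_*_MSG literals from grmsg.h and never a runtime-built string is warranted to keep format-string input under control.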
47677 diff -urNp linux-2.6.38.4/include/linux/grmsg.h linux-2.6.38.4/include/linux/grmsg.h
47678 --- linux-2.6.38.4/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
47679 +++ linux-2.6.38.4/include/linux/grmsg.h 2011-04-17 15:57:32.000000000 -0400
47681 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
47682 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
47683 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
47684 +#define GR_STOPMOD_MSG "denied modification of module state by "
47685 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
47686 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
47687 +#define GR_IOPERM_MSG "denied use of ioperm() by "
47688 +#define GR_IOPL_MSG "denied use of iopl() by "
47689 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
47690 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
47691 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
47692 +#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
47693 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
47694 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
47695 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
47696 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
47697 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
47698 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
47699 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
47700 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
47701 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
47702 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
47703 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
47704 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
47705 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
47706 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
47707 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
47708 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
47709 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
47710 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
47711 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
47712 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
47713 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
47714 +#define GR_NPROC_MSG "denied overstep of process limit by "
47715 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
47716 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
47717 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
47718 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
47719 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
47720 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
47721 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
47722 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
47723 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
47724 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
47725 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
47726 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
47727 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
47728 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
47729 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
47730 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
47731 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
47732 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
47733 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
47734 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
47735 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
47736 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
47737 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
47738 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
47739 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
47740 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
47741 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
47742 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
47743 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
47744 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
47745 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
47746 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
47747 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
47748 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
47749 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
47750 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
47751 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
47752 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
47753 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
47754 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
47755 +#define GR_NICE_CHROOT_MSG "denied priority change by "
47756 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
47757 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
47758 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
47759 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
47760 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
47761 +#define GR_TIME_MSG "time set by "
47762 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
47763 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
47764 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
47765 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
47766 +#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
47767 +#define GR_BIND_MSG "denied bind() by "
47768 +#define GR_CONNECT_MSG "denied connect() by "
47769 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
47770 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
47771 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
47772 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
47773 +#define GR_CAP_ACL_MSG "use of %s denied for "
47774 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
47775 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
47776 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
47777 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
47778 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
47779 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
47780 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
47781 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
47782 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
47783 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
47784 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
47785 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
47786 +#define GR_VM86_MSG "denied use of vm86 by "
47787 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
47788 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
47789 diff -urNp linux-2.6.38.4/include/linux/grsecurity.h linux-2.6.38.4/include/linux/grsecurity.h
47790 --- linux-2.6.38.4/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
47791 +++ linux-2.6.38.4/include/linux/grsecurity.h 2011-04-17 15:57:32.000000000 -0400
47793 +#ifndef GR_SECURITY_H
47794 +#define GR_SECURITY_H
47795 +#include <linux/fs.h>
47796 +#include <linux/fs_struct.h>
47797 +#include <linux/binfmts.h>
47798 +#include <linux/gracl.h>
47799 +#include <linux/compat.h>
47801 +/* notify of brain-dead configs */
47802 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
47803 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
47805 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
47806 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
47808 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
47809 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
47811 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
47812 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
47814 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
47815 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
47818 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
47819 +void gr_handle_brute_check(void);
47820 +void gr_handle_kernel_exploit(void);
47821 +int gr_process_user_ban(void);
47823 +char gr_roletype_to_char(void);
47825 +int gr_acl_enable_at_secure(void);
47827 +int gr_check_user_change(int real, int effective, int fs);
47828 +int gr_check_group_change(int real, int effective, int fs);
47830 +void gr_del_task_from_ip_table(struct task_struct *p);
47832 +int gr_pid_is_chrooted(struct task_struct *p);
47833 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
47834 +int gr_handle_chroot_nice(void);
47835 +int gr_handle_chroot_sysctl(const int op);
47836 +int gr_handle_chroot_setpriority(struct task_struct *p,
47837 + const int niceval);
47838 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
47839 +int gr_handle_chroot_chroot(const struct dentry *dentry,
47840 + const struct vfsmount *mnt);
47841 +int gr_handle_chroot_caps(struct path *path);
47842 +void gr_handle_chroot_chdir(struct path *path);
47843 +int gr_handle_chroot_chmod(const struct dentry *dentry,
47844 + const struct vfsmount *mnt, const int mode);
47845 +int gr_handle_chroot_mknod(const struct dentry *dentry,
47846 + const struct vfsmount *mnt, const int mode);
47847 +int gr_handle_chroot_mount(const struct dentry *dentry,
47848 + const struct vfsmount *mnt,
47849 + const char *dev_name);
47850 +int gr_handle_chroot_pivot(void);
47851 +int gr_handle_chroot_unix(struct pid *pid);
47853 +int gr_handle_rawio(const struct inode *inode);
47854 +int gr_handle_nproc(void);
47856 +void gr_handle_ioperm(void);
47857 +void gr_handle_iopl(void);
47859 +int gr_tpe_allow(const struct file *file);
47861 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
47862 +void gr_clear_chroot_entries(struct task_struct *task);
47864 +void gr_log_forkfail(const int retval);
47865 +void gr_log_timechange(void);
47866 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
47867 +void gr_log_chdir(const struct dentry *dentry,
47868 + const struct vfsmount *mnt);
47869 +void gr_log_chroot_exec(const struct dentry *dentry,
47870 + const struct vfsmount *mnt);
47871 +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
47872 +#ifdef CONFIG_COMPAT
47873 +void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
47875 +void gr_log_remount(const char *devname, const int retval);
47876 +void gr_log_unmount(const char *devname, const int retval);
47877 +void gr_log_mount(const char *from, const char *to, const int retval);
47878 +void gr_log_textrel(struct vm_area_struct *vma);
47879 +void gr_log_rwxmmap(struct file *file);
47880 +void gr_log_rwxmprotect(struct file *file);
47882 +int gr_handle_follow_link(const struct inode *parent,
47883 + const struct inode *inode,
47884 + const struct dentry *dentry,
47885 + const struct vfsmount *mnt);
47886 +int gr_handle_fifo(const struct dentry *dentry,
47887 + const struct vfsmount *mnt,
47888 + const struct dentry *dir, const int flag,
47889 + const int acc_mode);
47890 +int gr_handle_hardlink(const struct dentry *dentry,
47891 + const struct vfsmount *mnt,
47892 + struct inode *inode,
47893 + const int mode, const char *to);
47895 +int gr_is_capable(const int cap);
47896 +int gr_is_capable_nolog(const int cap);
47897 +void gr_learn_resource(const struct task_struct *task, const int limit,
47898 + const unsigned long wanted, const int gt);
47899 +void gr_copy_label(struct task_struct *tsk);
47900 +void gr_handle_crash(struct task_struct *task, const int sig);
47901 +int gr_handle_signal(const struct task_struct *p, const int sig);
47902 +int gr_check_crash_uid(const uid_t uid);
47903 +int gr_check_protected_task(const struct task_struct *task);
47904 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
47905 +int gr_acl_handle_mmap(const struct file *file,
47906 + const unsigned long prot);
47907 +int gr_acl_handle_mprotect(const struct file *file,
47908 + const unsigned long prot);
47909 +int gr_check_hidden_task(const struct task_struct *tsk);
47910 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
47911 + const struct vfsmount *mnt);
47912 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
47913 + const struct vfsmount *mnt);
47914 +__u32 gr_acl_handle_access(const struct dentry *dentry,
47915 + const struct vfsmount *mnt, const int fmode);
47916 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
47917 + const struct vfsmount *mnt, mode_t mode);
47918 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
47919 + const struct vfsmount *mnt, mode_t mode);
47920 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
47921 + const struct vfsmount *mnt);
47922 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
47923 + const struct vfsmount *mnt);
47924 +int gr_handle_ptrace(struct task_struct *task, const long request);
47925 +int gr_handle_proc_ptrace(struct task_struct *task);
47926 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
47927 + const struct vfsmount *mnt);
47928 +int gr_check_crash_exec(const struct file *filp);
47929 +int gr_acl_is_enabled(void);
47930 +void gr_set_kernel_label(struct task_struct *task);
47931 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
47932 + const gid_t gid);
47933 +int gr_set_proc_label(const struct dentry *dentry,
47934 + const struct vfsmount *mnt,
47935 + const int unsafe_share);
47936 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
47937 + const struct vfsmount *mnt);
47938 +__u32 gr_acl_handle_open(const struct dentry *dentry,
47939 + const struct vfsmount *mnt, const int fmode);
47940 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
47941 + const struct dentry *p_dentry,
47942 + const struct vfsmount *p_mnt, const int fmode,
47943 + const int imode);
47944 +void gr_handle_create(const struct dentry *dentry,
47945 + const struct vfsmount *mnt);
47946 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
47947 + const struct dentry *parent_dentry,
47948 + const struct vfsmount *parent_mnt,
47950 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
47951 + const struct dentry *parent_dentry,
47952 + const struct vfsmount *parent_mnt);
47953 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
47954 + const struct vfsmount *mnt);
47955 +void gr_handle_delete(const ino_t ino, const dev_t dev);
47956 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
47957 + const struct vfsmount *mnt);
47958 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
47959 + const struct dentry *parent_dentry,
47960 + const struct vfsmount *parent_mnt,
47961 + const char *from);
47962 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
47963 + const struct dentry *parent_dentry,
47964 + const struct vfsmount *parent_mnt,
47965 + const struct dentry *old_dentry,
47966 + const struct vfsmount *old_mnt, const char *to);
47967 +int gr_acl_handle_rename(struct dentry *new_dentry,
47968 + struct dentry *parent_dentry,
47969 + const struct vfsmount *parent_mnt,
47970 + struct dentry *old_dentry,
47971 + struct inode *old_parent_inode,
47972 + struct vfsmount *old_mnt, const char *newname);
47973 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
47974 + struct dentry *old_dentry,
47975 + struct dentry *new_dentry,
47976 + struct vfsmount *mnt, const __u8 replace);
47977 +__u32 gr_check_link(const struct dentry *new_dentry,
47978 + const struct dentry *parent_dentry,
47979 + const struct vfsmount *parent_mnt,
47980 + const struct dentry *old_dentry,
47981 + const struct vfsmount *old_mnt);
47982 +int gr_acl_handle_filldir(const struct file *file, const char *name,
47983 + const unsigned int namelen, const ino_t ino);
47985 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
47986 + const struct vfsmount *mnt);
47987 +void gr_acl_handle_exit(void);
47988 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
47989 +int gr_acl_handle_procpidmem(const struct task_struct *task);
47990 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
47991 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
47992 +void gr_audit_ptrace(struct task_struct *task);
47993 +dev_t gr_get_dev_from_dentry(struct dentry *dentry);
47995 +#ifdef CONFIG_GRKERNSEC
47996 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
47997 +void gr_handle_vm86(void);
47998 +void gr_handle_mem_readwrite(u64 from, u64 to);
48000 +extern int grsec_enable_dmesg;
48001 +extern int grsec_disable_privio;
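Review bot: None of the prototypes in this new header documents its return convention, and the file mixes two families — `int gr_handle_*`/`gr_check_*` and `__u32 gr_acl_handle_*` — without saying whether 0 means allow or deny, or what the `__u32` carries (presumably an ACL mode mask; confirm against gracl.h). A short block comment before `void gr_handle_brute_attach(...)` stating the convention for each family would save every caller from reading the implementation, e.g. `/* gr_handle_*/gr_check_*: non-zero means the operation is refused; gr_acl_handle_*: granted mode bits, 0 means refused */` (adjust to the actual convention). Separately, `gr_check_user_change(int real, int effective, int fs)` and `gr_check_group_change` take plain `int` where `gr_set_role_label` uses `uid_t`/`gid_t`; using the typedefs, or documenting that -1 is the "unchanged" sentinel these parameters must be able to carry, would make the signed/unsigned handling explicit.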
48005 diff -urNp linux-2.6.38.4/include/linux/grsock.h linux-2.6.38.4/include/linux/grsock.h
48006 --- linux-2.6.38.4/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
48007 +++ linux-2.6.38.4/include/linux/grsock.h 2011-04-17 15:57:32.000000000 -0400
48009 +#ifndef __GRSOCK_H
48010 +#define __GRSOCK_H
48012 +extern void gr_attach_curr_ip(const struct sock *sk);
48013 +extern int gr_handle_sock_all(const int family, const int type,
48014 + const int protocol);
48015 +extern int gr_handle_sock_server(const struct sockaddr *sck);
48016 +extern int gr_handle_sock_server_other(const struct sock *sck);
48017 +extern int gr_handle_sock_client(const struct sockaddr *sck);
48018 +extern int gr_search_connect(struct socket * sock,
48019 + struct sockaddr_in * addr);
48020 +extern int gr_search_bind(struct socket * sock,
48021 + struct sockaddr_in * addr);
48022 +extern int gr_search_listen(struct socket * sock);
48023 +extern int gr_search_accept(struct socket * sock);
48024 +extern int gr_search_socket(const int domain, const int type,
48025 + const int protocol);
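Review bot: The header is not self-contained: it declares functions over `struct sock`, `struct sockaddr`, `struct socket` and `struct sockaddr_in` but neither includes a header defining them nor forward-declares them, so it compiles only when the includer has already pulled in the socket headers. Adding `struct sock; struct socket; struct sockaddr; struct sockaddr_in;` right after the include guard removes that include-order dependency. As a style point, `struct socket * sock` and `struct sockaddr_in * addr` (lines 48018–48021) put a space on both sides of `*`, unlike the rest of the file and the kernel convention `struct socket *sock`.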
48028 diff -urNp linux-2.6.38.4/include/linux/highmem.h linux-2.6.38.4/include/linux/highmem.h
48029 --- linux-2.6.38.4/include/linux/highmem.h 2011-03-14 21:20:32.000000000 -0400
48030 +++ linux-2.6.38.4/include/linux/highmem.h 2011-04-17 15:57:32.000000000 -0400
48031 @@ -185,6 +185,18 @@ static inline void clear_highpage(struct
48032 kunmap_atomic(kaddr, KM_USER0);
48035 +static inline void sanitize_highpage(struct page *page)
48038 + unsigned long flags;
48040 + local_irq_save(flags);
48041 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
48042 + clear_page(kaddr);
48043 + kunmap_atomic(kaddr, KM_CLEARPAGE);
48044 + local_irq_restore(flags);
48047 static inline void zero_user_segments(struct page *page,
48048 unsigned start1, unsigned end1,
48049 unsigned start2, unsigned end2)
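Review bot: `sanitize_highpage` disables local interrupts around the `KM_CLEARPAGE` atomic mapping, whereas `clear_highpage` directly above it (its `kunmap_atomic(kaddr, KM_USER0)` is visible as context) does not, and no comment says why. Presumably the function is reached from page-freeing paths that run with interrupts enabled while an interrupt may free, and therefore sanitize, a page too, so the single `KM_CLEARPAGE` slot would be clobbered without the `local_irq_save`; if that is the reason, a comment such as `/* reachable from both process and IRQ context on the page-free path; the KM_CLEARPAGE slot is not reentrant, so keep IRQs off around the mapping — TODO confirm */` would make it reviewable. The rendering drops several lines of this hunk (the opening brace and the `kaddr` declaration are not shown), so the body could not be checked in full.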
48050 diff -urNp linux-2.6.38.4/include/linux/init.h linux-2.6.38.4/include/linux/init.h
48051 --- linux-2.6.38.4/include/linux/init.h 2011-03-14 21:20:32.000000000 -0400
48052 +++ linux-2.6.38.4/include/linux/init.h 2011-04-17 15:57:32.000000000 -0400
48053 @@ -293,13 +293,13 @@ void __init parse_early_options(char *cm
48055 /* Each module must use one module_init(). */
48056 #define module_init(initfn) \
48057 - static inline initcall_t __inittest(void) \
48058 + static inline __used initcall_t __inittest(void) \
48059 { return initfn; } \
48060 int init_module(void) __attribute__((alias(#initfn)));
48062 /* This is only required if you want to be unloadable. */
48063 #define module_exit(exitfn) \
48064 - static inline exitcall_t __exittest(void) \
48065 + static inline __used exitcall_t __exittest(void) \
48066 { return exitfn; } \
48067 void cleanup_module(void) __attribute__((alias(#exitfn)));
48069 diff -urNp linux-2.6.38.4/include/linux/init_task.h linux-2.6.38.4/include/linux/init_task.h
48070 --- linux-2.6.38.4/include/linux/init_task.h 2011-03-14 21:20:32.000000000 -0400
48071 +++ linux-2.6.38.4/include/linux/init_task.h 2011-04-18 18:02:13.000000000 -0400
48072 @@ -83,6 +83,12 @@ extern struct group_info init_groups;
48077 +#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
48079 +#define INIT_TASK_THREAD_INFO
48083 * Because of the reduced scope of CAP_SETPCAP when filesystem
48084 * capabilities are in effect, it is safe to allow CAP_SETPCAP to
48085 @@ -163,6 +169,7 @@ extern struct cred init_cred;
48086 RCU_INIT_POINTER(.cred, &init_cred), \
48087 .comm = "swapper", \
48088 .thread = INIT_THREAD, \
48089 + INIT_TASK_THREAD_INFO \
48091 .files = &init_files, \
48092 .signal = &init_signals, \
48093 diff -urNp linux-2.6.38.4/include/linux/interrupt.h linux-2.6.38.4/include/linux/interrupt.h
48094 --- linux-2.6.38.4/include/linux/interrupt.h 2011-03-14 21:20:32.000000000 -0400
48095 +++ linux-2.6.38.4/include/linux/interrupt.h 2011-04-17 15:57:32.000000000 -0400
48096 @@ -393,7 +393,7 @@ enum
48097 /* map softirq index to softirq name. update 'softirq_to_name' in
48098 * kernel/softirq.c when adding a new softirq.
48100 -extern char *softirq_to_name[NR_SOFTIRQS];
48101 +extern const char * const softirq_to_name[NR_SOFTIRQS];
48103 /* softirq mask and active fields moved to irq_cpustat_t in
48104 * asm/hardirq.h to get better cache usage. KAO
48105 @@ -401,12 +401,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
48107 struct softirq_action
48109 - void (*action)(struct softirq_action *);
48110 + void (*action)(void);
48113 asmlinkage void do_softirq(void);
48114 asmlinkage void __do_softirq(void);
48115 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
48116 +extern void open_softirq(int nr, void (*action)(void));
48117 extern void softirq_init(void);
48118 static inline void __raise_softirq_irqoff(unsigned int nr)
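Review bot: Changing `action` in `struct softirq_action` and the `open_softirq` parameter to `void (*action)(void)` is an interface change that every softirq handler in the tree and out of tree must follow, and the hunk leaves no comment on why the parameter is dropped. If the reason is that no handler used the pointer and the narrower type lets the handler table be made const (the `softirq_to_name` hunk above moves in the same direction), say so next to the struct, e.g. `/* handlers take no argument: the action pointer was never used, and the narrower type allows the table to be const */`. Whether all in-tree `open_softirq` callers were updated cannot be verified from this hunk.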
48120 diff -urNp linux-2.6.38.4/include/linux/jbd2.h linux-2.6.38.4/include/linux/jbd2.h
48121 --- linux-2.6.38.4/include/linux/jbd2.h 2011-03-14 21:20:32.000000000 -0400
48122 +++ linux-2.6.38.4/include/linux/jbd2.h 2011-04-17 15:57:32.000000000 -0400
48123 @@ -67,7 +67,7 @@ extern u8 jbd2_journal_enable_debug;
48127 -#define jbd_debug(f, a...) /**/
48128 +#define jbd_debug(f, a...) do {} while (0)
48131 extern void *jbd2_alloc(size_t size, gfp_t flags);
48132 diff -urNp linux-2.6.38.4/include/linux/jbd.h linux-2.6.38.4/include/linux/jbd.h
48133 --- linux-2.6.38.4/include/linux/jbd.h 2011-03-14 21:20:32.000000000 -0400
48134 +++ linux-2.6.38.4/include/linux/jbd.h 2011-04-17 15:57:32.000000000 -0400
48135 @@ -67,7 +67,7 @@ extern u8 journal_enable_debug;
48139 -#define jbd_debug(f, a...) /**/
48140 +#define jbd_debug(f, a...) do {} while (0)
48143 static inline void *jbd_alloc(size_t size, gfp_t flags)
48144 diff -urNp linux-2.6.38.4/include/linux/kallsyms.h linux-2.6.38.4/include/linux/kallsyms.h
48145 --- linux-2.6.38.4/include/linux/kallsyms.h 2011-03-14 21:20:32.000000000 -0400
48146 +++ linux-2.6.38.4/include/linux/kallsyms.h 2011-04-17 15:57:32.000000000 -0400
48151 -#ifdef CONFIG_KALLSYMS
48152 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
48153 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
48154 /* Lookup the address for a symbol. Returns 0 if not found. */
48155 unsigned long kallsyms_lookup_name(const char *name);
48157 @@ -92,6 +93,15 @@ static inline int lookup_symbol_attrs(un
48158 /* Stupid that this does nothing, but I didn't create this mess. */
48159 #define __print_symbol(fmt, addr)
48160 #endif /*CONFIG_KALLSYMS*/
48161 +#else /* when included by kallsyms.c, vsnprintf.c, or
48162 + arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
48163 +extern void __print_symbol(const char *fmt, unsigned long address);
48164 +extern int sprint_symbol(char *buffer, unsigned long address);
48165 +const char *kallsyms_lookup(unsigned long addr,
48166 + unsigned long *symbolsize,
48167 + unsigned long *offset,
48168 + char **modname, char *namebuf);
48171 /* This macro allows us to keep printk typechecking */
48172 static void __check_printsym_format(const char *fmt, ...)
48173 diff -urNp linux-2.6.38.4/include/linux/kgdb.h linux-2.6.38.4/include/linux/kgdb.h
48174 --- linux-2.6.38.4/include/linux/kgdb.h 2011-03-14 21:20:32.000000000 -0400
48175 +++ linux-2.6.38.4/include/linux/kgdb.h 2011-04-17 15:57:32.000000000 -0400
48176 @@ -269,22 +269,22 @@ struct kgdb_arch {
48180 - int (*read_char) (void);
48181 - void (*write_char) (u8);
48182 - void (*flush) (void);
48183 - int (*init) (void);
48184 - void (*pre_exception) (void);
48185 - void (*post_exception) (void);
48186 + int (* const read_char) (void);
48187 + void (* const write_char) (u8);
48188 + void (* const flush) (void);
48189 + int (* const init) (void);
48190 + void (* const pre_exception) (void);
48191 + void (* const post_exception) (void);
48195 -extern struct kgdb_arch arch_kgdb_ops;
48196 +extern const struct kgdb_arch arch_kgdb_ops;
48198 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
48200 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
48201 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
48202 -extern struct kgdb_io *dbg_io_ops;
48203 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
48204 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
48205 +extern const struct kgdb_io *dbg_io_ops;
48207 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
48208 extern char *kgdb_mem2hex(char *mem, char *buf, int count);
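Review bot: Constifying the `struct kgdb_io` callbacks, `arch_kgdb_ops` and `dbg_io_ops` means an I/O backend can no longer adjust its `struct kgdb_io` after definition; the struct's trailing members (the rendering omits lines 48192–48194, which presumably hold the remaining fields and the closing brace) are what some backends set at configure time, so each such backend needs separate const instances instead of a runtime assignment. Whether the corresponding driver changes are part of this patch cannot be seen from this hunk. A note at the struct, e.g. `/* instances are const: a backend that needs variants (e.g. console vs. non-console) provides separate definitions */`, would tell future backend authors what the constraint is.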
48209 diff -urNp linux-2.6.38.4/include/linux/kmod.h linux-2.6.38.4/include/linux/kmod.h
48210 --- linux-2.6.38.4/include/linux/kmod.h 2011-03-14 21:20:32.000000000 -0400
48211 +++ linux-2.6.38.4/include/linux/kmod.h 2011-04-17 15:57:32.000000000 -0400
48212 @@ -33,6 +33,8 @@ extern char modprobe_path[]; /* for sysc
48213 * usually useless though. */
48214 extern int __request_module(bool wait, const char *name, ...) \
48215 __attribute__((format(printf, 2, 3)));
48216 +extern int ___request_module(bool wait, char *param_name, const char *name, ...) \
48217 + __attribute__((format(printf, 3, 4)));
48218 #define request_module(mod...) __request_module(true, mod)
48219 #define request_module_nowait(mod...) __request_module(false, mod)
48220 #define try_then_request_module(x, mod...) \
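Review bot: The new `___request_module(bool wait, char *param_name, const char *name, ...)` prototype carries no comment explaining what `param_name` is or how the call differs from `__request_module`, and its three-leading-underscore name sits in identifier space reserved for the implementation (the existing `__request_module` already does, so this is a style remark rather than a new problem). If `param_name` is only read, declare it `const char *param_name` like `name`; otherwise document that it is modified. A one-line comment above it, e.g. `/* like __request_module(), but also receives the name of the parameter that triggered the request, for the caller's logging/policy — TODO confirm */`, would make the intent reviewable without reading kernel/kmod.c.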
48221 diff -urNp linux-2.6.38.4/include/linux/kvm_host.h linux-2.6.38.4/include/linux/kvm_host.h
48222 --- linux-2.6.38.4/include/linux/kvm_host.h 2011-03-14 21:20:32.000000000 -0400
48223 +++ linux-2.6.38.4/include/linux/kvm_host.h 2011-04-17 15:57:32.000000000 -0400
48224 @@ -288,7 +288,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
48225 void vcpu_load(struct kvm_vcpu *vcpu);
48226 void vcpu_put(struct kvm_vcpu *vcpu);
48228 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
48229 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
48230 struct module *module);
48231 void kvm_exit(void);
48233 @@ -428,7 +428,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
48234 struct kvm_guest_debug *dbg);
48235 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
48237 -int kvm_arch_init(void *opaque);
48238 +int kvm_arch_init(const void *opaque);
48239 void kvm_arch_exit(void);
48241 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
48242 diff -urNp linux-2.6.38.4/include/linux/libata.h linux-2.6.38.4/include/linux/libata.h
48243 --- linux-2.6.38.4/include/linux/libata.h 2011-03-14 21:20:32.000000000 -0400
48244 +++ linux-2.6.38.4/include/linux/libata.h 2011-04-17 15:57:32.000000000 -0400
48245 @@ -65,11 +65,11 @@
48246 #ifdef ATA_VERBOSE_DEBUG
48247 #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __func__, ## args)
48249 -#define VPRINTK(fmt, args...)
48250 +#define VPRINTK(fmt, args...) do {} while (0)
48251 #endif /* ATA_VERBOSE_DEBUG */
48253 -#define DPRINTK(fmt, args...)
48254 -#define VPRINTK(fmt, args...)
48255 +#define DPRINTK(fmt, args...) do {} while (0)
48256 +#define VPRINTK(fmt, args...) do {} while (0)
48257 #endif /* ATA_DEBUG */
48259 #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args)
48260 @@ -530,11 +530,11 @@ struct ata_ioports {
48264 - struct device *dev;
48265 + struct device *dev;
48266 void __iomem * const *iomap;
48267 unsigned int n_ports;
48268 void *private_data;
48269 - struct ata_port_operations *ops;
48270 + const struct ata_port_operations *ops;
48271 unsigned long flags;
48273 struct mutex eh_mutex;
48274 @@ -725,7 +725,7 @@ struct ata_link {
48277 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
48278 - struct ata_port_operations *ops;
48279 + const struct ata_port_operations *ops;
48281 /* Flags owned by the EH context. Only EH should touch these once the
48283 @@ -913,7 +913,7 @@ struct ata_port_info {
48284 unsigned long pio_mask;
48285 unsigned long mwdma_mask;
48286 unsigned long udma_mask;
48287 - struct ata_port_operations *port_ops;
48288 + const struct ata_port_operations *port_ops;
48289 void *private_data;
48292 @@ -937,7 +937,7 @@ extern const unsigned long sata_deb_timi
48293 extern const unsigned long sata_deb_timing_hotplug[];
48294 extern const unsigned long sata_deb_timing_long[];
48296 -extern struct ata_port_operations ata_dummy_port_ops;
48297 +extern const struct ata_port_operations ata_dummy_port_ops;
48298 extern const struct ata_port_info ata_dummy_port_info;
48300 static inline const unsigned long *
48301 @@ -983,7 +983,7 @@ extern int ata_host_activate(struct ata_
48302 struct scsi_host_template *sht);
48303 extern void ata_host_detach(struct ata_host *host);
48304 extern void ata_host_init(struct ata_host *, struct device *,
48305 - unsigned long, struct ata_port_operations *);
48306 + unsigned long, const struct ata_port_operations *);
48307 extern int ata_scsi_detect(struct scsi_host_template *sht);
48308 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
48309 extern int ata_scsi_queuecmd(struct Scsi_Host *h, struct scsi_cmnd *cmd);
48310 diff -urNp linux-2.6.38.4/include/linux/lockd/bind.h linux-2.6.38.4/include/linux/lockd/bind.h
48311 --- linux-2.6.38.4/include/linux/lockd/bind.h 2011-03-14 21:20:32.000000000 -0400
48312 +++ linux-2.6.38.4/include/linux/lockd/bind.h 2011-04-17 15:57:32.000000000 -0400
48313 @@ -23,13 +23,13 @@ struct svc_rqst;
48314 * This is the set of functions for lockd->nfsd communication
48316 struct nlmsvc_binding {
48317 - __be32 (*fopen)(struct svc_rqst *,
48318 + __be32 (* const fopen)(struct svc_rqst *,
48321 - void (*fclose)(struct file *);
48322 + void (* const fclose)(struct file *);
48325 -extern struct nlmsvc_binding * nlmsvc_ops;
48326 +extern const struct nlmsvc_binding * nlmsvc_ops;
48329 * Similar to nfs_client_initdata, but without the NFS-specific
48330 diff -urNp linux-2.6.38.4/include/linux/mm.h linux-2.6.38.4/include/linux/mm.h
48331 --- linux-2.6.38.4/include/linux/mm.h 2011-04-18 17:27:16.000000000 -0400
48332 +++ linux-2.6.38.4/include/linux/mm.h 2011-04-17 15:57:32.000000000 -0400
48333 @@ -113,7 +113,14 @@ extern unsigned int kobjsize(const void
48335 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
48336 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
48338 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
48339 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
48340 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
48342 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
48345 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
48346 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
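Review bot: Under `CONFIG_PAX_PAGEEXEC && CONFIG_X86_32` the hunk redefines `VM_SAO` to `0x00000000` and reuses its bit `0x20000000` for `VM_PAGEEXEC`, but the only comment still reads `/* Strong Access Ordering (powerpc) */`, so a reader sees a flag with no bit and nothing that says the overlap is deliberate. Reusing the bit relies on `VM_SAO` never being set or tested on x86-32, which holds only as long as it stays powerpc-only; state that explicitly, e.g. `/* VM_SAO is only used on powerpc, so on x86-32 its bit is reused for VM_PAGEEXEC and VM_SAO itself is defined empty */`. The `#else`/`#endif` lines of this hunk are not shown in the rendering.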
48348 @@ -992,12 +999,6 @@ int set_page_dirty(struct page *page);
48349 int set_page_dirty_lock(struct page *page);
48350 int clear_page_dirty_for_io(struct page *page);
48352 -/* Is the vma a continuation of the stack vma above it? */
48353 -static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
48355 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
48358 extern unsigned long move_page_tables(struct vm_area_struct *vma,
48359 unsigned long old_addr, struct vm_area_struct *new_vma,
48360 unsigned long new_addr, unsigned long len);
48361 @@ -1149,6 +1150,15 @@ struct shrinker {
48362 extern void register_shrinker(struct shrinker *);
48363 extern void unregister_shrinker(struct shrinker *);
48366 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
48368 +static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
48370 + return __pgprot(0);
48374 int vma_wants_writenotify(struct vm_area_struct *vma);
48376 extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
48377 @@ -1438,6 +1448,7 @@ out:
48380 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
48381 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
48383 extern unsigned long do_brk(unsigned long, unsigned long);
48385 @@ -1494,6 +1505,10 @@ extern struct vm_area_struct * find_vma(
48386 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
48387 struct vm_area_struct **pprev);
48389 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
48390 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
48391 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
48393 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
48394 NULL if none. Assume start_addr < end_addr. */
48395 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
48396 @@ -1510,15 +1525,6 @@ static inline unsigned long vma_pages(st
48397 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
48401 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
48403 -static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
48405 - return __pgprot(0);
48409 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
48410 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
48411 unsigned long pfn, unsigned long size, pgprot_t);
48412 @@ -1627,7 +1633,7 @@ extern int unpoison_memory(unsigned long
48413 extern int sysctl_memory_failure_early_kill;
48414 extern int sysctl_memory_failure_recovery;
48415 extern void shake_page(struct page *p, int access);
48416 -extern atomic_long_t mce_bad_pages;
48417 +extern atomic_long_unchecked_t mce_bad_pages;
48418 extern int soft_offline_page(struct page *page, int flags);
48419 #ifdef CONFIG_MEMORY_FAILURE
48420 int is_hwpoison_address(unsigned long addr);
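Review bot: `mce_bad_pages` becomes `atomic_long_unchecked_t` (and `vm_stat` in the mmzone.h hunk below likewise), with no comment on why these counters are exempt from whatever checking the `_unchecked` variants presumably opt out of. For a statistics counter that is never used to decide an object's lifetime the exemption is reasonable, but that is exactly the property a reviewer needs stated, e.g. `/* statistics only, never a reference count: wraparound is harmless, so unchecked */`. The same note applies to the `vm_stat` array in `struct zone`.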
48421 @@ -1649,5 +1655,11 @@ extern void copy_user_huge_page(struct p
48422 unsigned int pages_per_huge_page);
48423 #endif /* CONFIG_TRANSPARENT_HUGEPAGE || CONFIG_HUGETLBFS */
48425 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
48426 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
48428 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
48431 #endif /* __KERNEL__ */
48432 #endif /* _LINUX_MM_H */
48433 diff -urNp linux-2.6.38.4/include/linux/mm_types.h linux-2.6.38.4/include/linux/mm_types.h
48434 --- linux-2.6.38.4/include/linux/mm_types.h 2011-03-14 21:20:32.000000000 -0400
48435 +++ linux-2.6.38.4/include/linux/mm_types.h 2011-04-17 15:57:32.000000000 -0400
48436 @@ -183,6 +183,8 @@ struct vm_area_struct {
48438 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
48441 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
48444 struct core_thread {
48445 @@ -315,6 +317,24 @@ struct mm_struct {
48447 /* How many tasks sharing this mm are OOM_DISABLE */
48448 atomic_t oom_disable_count;
48450 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
48451 + unsigned long pax_flags;
48454 +#ifdef CONFIG_PAX_DLRESOLVE
48455 + unsigned long call_dl_resolve;
48458 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
48459 + unsigned long call_syscall;
48462 +#ifdef CONFIG_PAX_ASLR
48463 + unsigned long delta_mmap; /* randomized offset */
48464 + unsigned long delta_stack; /* randomized offset */
48469 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
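Review bot: The new `pax_flags` member has no comment, unlike `delta_mmap`/`delta_stack` here and `vm_mirror` in the hunk above, so a reader cannot tell which flag bits it holds, who sets it, or whether it is stable after exec. Add one in the same style, e.g. `unsigned long pax_flags; /* per-mm PaX feature bits, set at exec time — TODO confirm */`. `call_dl_resolve` and `call_syscall` would benefit from the same treatment, since their names suggest addresses rather than flags.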
48470 diff -urNp linux-2.6.38.4/include/linux/mmu_notifier.h linux-2.6.38.4/include/linux/mmu_notifier.h
48471 --- linux-2.6.38.4/include/linux/mmu_notifier.h 2011-03-14 21:20:32.000000000 -0400
48472 +++ linux-2.6.38.4/include/linux/mmu_notifier.h 2011-04-17 15:57:32.000000000 -0400
48473 @@ -255,12 +255,12 @@ static inline void mmu_notifier_mm_destr
48475 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
48479 struct vm_area_struct *___vma = __vma; \
48480 unsigned long ___address = __address; \
48481 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
48482 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
48483 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
48488 #define pmdp_clear_flush_notify(__vma, __address, __pmdp) \
48489 diff -urNp linux-2.6.38.4/include/linux/mmzone.h linux-2.6.38.4/include/linux/mmzone.h
48490 --- linux-2.6.38.4/include/linux/mmzone.h 2011-03-14 21:20:32.000000000 -0400
48491 +++ linux-2.6.38.4/include/linux/mmzone.h 2011-04-17 15:57:32.000000000 -0400
48492 @@ -355,7 +355,7 @@ struct zone {
48493 unsigned long flags; /* zone flags, see below */
48495 /* Zone statistics */
48496 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
48497 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
48500 * The target ratio of ACTIVE_ANON to INACTIVE_ANON pages on
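Review bot: Switching `vm_stat` to `atomic_long_unchecked_t` opts these counters out of whatever overflow detection the checked atomics carry (the patch adds `pax_report_refcount_overflow` elsewhere, so presumably that), and nothing at the declaration says why that is safe here. A short justification keeps a later maintainer from "fixing" it back, e.g. `/* statistics, not refcounts: wraparound is benign, so use the unchecked variant */`. The same reasoning applies to the identical type changes in oprofile.h, reiserfs_fs_sb.h and sonet.h further down.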
48501 diff -urNp linux-2.6.38.4/include/linux/mod_devicetable.h linux-2.6.38.4/include/linux/mod_devicetable.h
48502 --- linux-2.6.38.4/include/linux/mod_devicetable.h 2011-03-14 21:20:32.000000000 -0400
48503 +++ linux-2.6.38.4/include/linux/mod_devicetable.h 2011-04-17 15:57:32.000000000 -0400
48505 typedef unsigned long kernel_ulong_t;
48508 -#define PCI_ANY_ID (~0)
48509 +#define PCI_ANY_ID ((__u16)~0)
48511 struct pci_device_id {
48512 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
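Review bot: The new `((__u16)~0)` evaluates to 0xffff, but the fields it is stored in and compared against are 32-bit (`__u32 vendor, device` on the line right below, and the sub-IDs), so the sentinel in compiled match tables changes from 0xffffffff to 0x0000ffff. Code that goes through the macro stays self-consistent, but anything that compares those fields against a literal 0xffffffff or -1, or userspace relying on the old value, will no longer treat the entry as a wildcard. If the goal is only to give the constant a type, `((__u32)~0)` preserves the value; if 16 bits is deliberate, the reason belongs in a comment next to the define. The HID_ANY_ID change below keeps its value and has no such issue.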
48513 @@ -131,7 +131,7 @@ struct usb_device_id {
48514 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
48515 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
48517 -#define HID_ANY_ID (~0)
48518 +#define HID_ANY_ID (~0U)
48520 struct hid_device_id {
48522 diff -urNp linux-2.6.38.4/include/linux/module.h linux-2.6.38.4/include/linux/module.h
48523 --- linux-2.6.38.4/include/linux/module.h 2011-03-14 21:20:32.000000000 -0400
48524 +++ linux-2.6.38.4/include/linux/module.h 2011-04-17 15:57:32.000000000 -0400
48525 @@ -324,19 +324,16 @@ struct module
48528 /* If this is non-NULL, vfree after init() returns */
48529 - void *module_init;
48530 + void *module_init_rx, *module_init_rw;
48532 /* Here is the actual code + data, vfree'd on unload. */
48533 - void *module_core;
48534 + void *module_core_rx, *module_core_rw;
48536 /* Here are the sizes of the init and core sections */
48537 - unsigned int init_size, core_size;
48538 + unsigned int init_size_rw, core_size_rw;
48540 /* The size of the executable code in each section. */
48541 - unsigned int init_text_size, core_text_size;
48543 - /* Size of RO sections of the module (text+rodata) */
48544 - unsigned int init_ro_size, core_ro_size;
48545 + unsigned int init_size_rx, core_size_rx;
48547 /* Arch-specific module values */
48548 struct mod_arch_specific arch;
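Review bot: The renamed fields drop the old explanatory comments (the removed `init_ro_size, core_ro_size` carried "Size of RO sections of the module (text+rodata)") and nothing now states what `_rx` versus `_rw` covers. Presumably, given the CONFIG_PAX_KERNEXEC use in the next hunk, the `_rx` region holds text plus rodata and `_rw` the writable data, and that should be written at the declarations, e.g. `/* _rx: text+rodata, _rw: writable data; kept apart so the rx half can be mapped without write permission */`. The comment "If this is non-NULL, vfree after init() returns" above `module_init_rx, module_init_rw` now describes two pointers and should say whether both are freed.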
48549 @@ -441,16 +438,46 @@ bool is_module_address(unsigned long add
48550 bool is_module_percpu_address(unsigned long addr);
48551 bool is_module_text_address(unsigned long addr);
48553 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
48556 +#ifdef CONFIG_PAX_KERNEXEC
48557 + if (ktla_ktva(addr) >= (unsigned long)start &&
48558 + ktla_ktva(addr) < (unsigned long)start + size)
48562 + return ((void *)addr >= start && (void *)addr < start + size);
48565 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
48567 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
48570 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
48572 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
48575 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
48577 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
48580 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
48582 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
48585 static inline int within_module_core(unsigned long addr, struct module *mod)
48587 - return (unsigned long)mod->module_core <= addr &&
48588 - addr < (unsigned long)mod->module_core + mod->core_size;
48589 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
48592 static inline int within_module_init(unsigned long addr, struct module *mod)
48594 - return (unsigned long)mod->module_init <= addr &&
48595 - addr < (unsigned long)mod->module_init + mod->init_size;
48596 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
48599 /* Search for module by name: must hold module_mutex. */
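Review bot: `within_module_range` only reads through `start`, so in a patch whose theme is constification it should be `static inline int within_module_range(unsigned long addr, const void *start, unsigned long size)`; the `void *` module fields convert implicitly, and the casts in the body become `(const void *)addr`. The body of the CONFIG_PAX_KERNEXEC branch and its `#else`/`#endif` are cut from this view, so I cannot confirm that a `ktla_ktva(addr)` outside the range falls through to the plain comparison on the last line rather than returning early; a comment on that line stating which case it serves would settle it.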
48600 diff -urNp linux-2.6.38.4/include/linux/moduleloader.h linux-2.6.38.4/include/linux/moduleloader.h
48601 --- linux-2.6.38.4/include/linux/moduleloader.h 2011-03-14 21:20:32.000000000 -0400
48602 +++ linux-2.6.38.4/include/linux/moduleloader.h 2011-04-17 15:57:32.000000000 -0400
48603 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
48604 sections. Returns NULL on failure. */
48605 void *module_alloc(unsigned long size);
48607 +#ifdef CONFIG_PAX_KERNEXEC
48608 +void *module_alloc_exec(unsigned long size);
48610 +#define module_alloc_exec(x) module_alloc(x)
48613 /* Free memory returned from module_alloc. */
48614 void module_free(struct module *mod, void *module_region);
48616 +#ifdef CONFIG_PAX_KERNEXEC
48617 +void module_free_exec(struct module *mod, void *module_region);
48619 +#define module_free_exec(x, y) module_free((x), (y))
48622 /* Apply the given relocation to the (simplified) ELF. Return -error
48624 int apply_relocate(Elf_Shdr *sechdrs,
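Review bot: `module_alloc_exec`/`module_free_exec` are declared without the ownership note that `module_alloc`/`module_free` carry ("Free memory returned from module_alloc"), and under CONFIG_PAX_KERNEXEC they are separate functions, so it is not stated whether memory from `module_alloc_exec` may be handed to plain `module_free`. In the fallback configuration the macros make the two pairs identical, which hides a mismatch until KERNEXEC is enabled. Add `/* Allocate/free memory for executable sections; memory from module_alloc_exec must go back through module_free_exec */` above the first `#ifdef`, adjusting if the pairing is in fact interchangeable.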
48625 diff -urNp linux-2.6.38.4/include/linux/moduleparam.h linux-2.6.38.4/include/linux/moduleparam.h
48626 --- linux-2.6.38.4/include/linux/moduleparam.h 2011-03-14 21:20:32.000000000 -0400
48627 +++ linux-2.6.38.4/include/linux/moduleparam.h 2011-04-17 15:57:32.000000000 -0400
48628 @@ -255,7 +255,7 @@ static inline void __kernel_param_unlock
48629 * @len is usually just sizeof(string).
48631 #define module_param_string(name, string, len, perm) \
48632 - static const struct kparam_string __param_string_##name \
48633 + static const struct kparam_string __param_string_##name __used \
48634 = { len, string }; \
48635 __module_param_call(MODULE_PARAM_PREFIX, name, \
48636 ¶m_ops_string, \
48637 @@ -370,7 +370,7 @@ extern int param_get_invbool(char *buffe
48638 * module_param_named() for why this might be necessary.
48640 #define module_param_array_named(name, array, type, nump, perm) \
48641 - static const struct kparam_array __param_arr_##name \
48642 + static const struct kparam_array __param_arr_##name __used \
48643 = { ARRAY_SIZE(array), nump, ¶m_ops_##type, \
48644 sizeof(array[0]), array }; \
48645 __module_param_call(MODULE_PARAM_PREFIX, name, \
48646 diff -urNp linux-2.6.38.4/include/linux/mutex.h linux-2.6.38.4/include/linux/mutex.h
48647 --- linux-2.6.38.4/include/linux/mutex.h 2011-03-14 21:20:32.000000000 -0400
48648 +++ linux-2.6.38.4/include/linux/mutex.h 2011-04-17 17:44:37.000000000 -0400
48649 @@ -51,7 +51,7 @@ struct mutex {
48650 spinlock_t wait_lock;
48651 struct list_head wait_list;
48652 #if defined(CONFIG_DEBUG_MUTEXES) || defined(CONFIG_SMP)
48653 - struct thread_info *owner;
48654 + struct task_struct *owner;
48656 #ifdef CONFIG_DEBUG_MUTEXES
48658 diff -urNp linux-2.6.38.4/include/linux/namei.h linux-2.6.38.4/include/linux/namei.h
48659 --- linux-2.6.38.4/include/linux/namei.h 2011-03-14 21:20:32.000000000 -0400
48660 +++ linux-2.6.38.4/include/linux/namei.h 2011-04-17 15:57:32.000000000 -0400
48661 @@ -25,7 +25,7 @@ struct nameidata {
48665 - char *saved_names[MAX_NESTED_LINKS + 1];
48666 + const char *saved_names[MAX_NESTED_LINKS + 1];
48670 @@ -88,12 +88,12 @@ extern int follow_up(struct path *);
48671 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
48672 extern void unlock_rename(struct dentry *, struct dentry *);
48674 -static inline void nd_set_link(struct nameidata *nd, char *path)
48675 +static inline void nd_set_link(struct nameidata *nd, const char *path)
48677 nd->saved_names[nd->depth] = path;
48680 -static inline char *nd_get_link(struct nameidata *nd)
48681 +static inline const char *nd_get_link(const struct nameidata *nd)
48683 return nd->saved_names[nd->depth];
48685 diff -urNp linux-2.6.38.4/include/linux/netfilter/xt_gradm.h linux-2.6.38.4/include/linux/netfilter/xt_gradm.h
48686 --- linux-2.6.38.4/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
48687 +++ linux-2.6.38.4/include/linux/netfilter/xt_gradm.h 2011-04-17 15:57:32.000000000 -0400
48689 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
48690 +#define _LINUX_NETFILTER_XT_GRADM_H 1
48692 +struct xt_gradm_mtinfo {
48698 diff -urNp linux-2.6.38.4/include/linux/oprofile.h linux-2.6.38.4/include/linux/oprofile.h
48699 --- linux-2.6.38.4/include/linux/oprofile.h 2011-03-14 21:20:32.000000000 -0400
48700 +++ linux-2.6.38.4/include/linux/oprofile.h 2011-04-17 15:57:32.000000000 -0400
48701 @@ -132,9 +132,9 @@ int oprofilefs_create_ulong(struct super
48702 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
48703 char const * name, ulong * val);
48705 -/** Create a file for read-only access to an atomic_t. */
48706 +/** Create a file for read-only access to an atomic_unchecked_t. */
48707 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
48708 - char const * name, atomic_t * val);
48709 + char const * name, atomic_unchecked_t * val);
48711 /** create a directory */
48712 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
48713 diff -urNp linux-2.6.38.4/include/linux/pipe_fs_i.h linux-2.6.38.4/include/linux/pipe_fs_i.h
48714 --- linux-2.6.38.4/include/linux/pipe_fs_i.h 2011-03-14 21:20:32.000000000 -0400
48715 +++ linux-2.6.38.4/include/linux/pipe_fs_i.h 2011-04-17 15:57:32.000000000 -0400
48716 @@ -46,9 +46,9 @@ struct pipe_buffer {
48717 struct pipe_inode_info {
48718 wait_queue_head_t wait;
48719 unsigned int nrbufs, curbuf, buffers;
48720 - unsigned int readers;
48721 - unsigned int writers;
48722 - unsigned int waiting_writers;
48723 + atomic_t readers;
48724 + atomic_t writers;
48725 + atomic_t waiting_writers;
48726 unsigned int r_counter;
48727 unsigned int w_counter;
48728 struct page *tmp_page;
48729 diff -urNp linux-2.6.38.4/include/linux/pm_runtime.h linux-2.6.38.4/include/linux/pm_runtime.h
48730 --- linux-2.6.38.4/include/linux/pm_runtime.h 2011-03-14 21:20:32.000000000 -0400
48731 +++ linux-2.6.38.4/include/linux/pm_runtime.h 2011-04-17 15:57:32.000000000 -0400
48732 @@ -89,7 +89,7 @@ static inline bool pm_runtime_enabled(st
48734 static inline void pm_runtime_mark_last_busy(struct device *dev)
48736 - ACCESS_ONCE(dev->power.last_busy) = jiffies;
48737 + ACCESS_ONCE_RW(dev->power.last_busy) = jiffies;
48740 #else /* !CONFIG_PM_RUNTIME */
48741 diff -urNp linux-2.6.38.4/include/linux/poison.h linux-2.6.38.4/include/linux/poison.h
48742 --- linux-2.6.38.4/include/linux/poison.h 2011-03-14 21:20:32.000000000 -0400
48743 +++ linux-2.6.38.4/include/linux/poison.h 2011-04-17 15:57:32.000000000 -0400
48745 * under normal circumstances, used to verify that nobody uses
48746 * non-initialized list entries.
48748 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
48749 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
48750 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
48751 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
48753 /********** include/linux/timer.h **********/
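Review bot: `(long)0xFFFFFF01` is a positive value on 64-bit targets — the hex literal is an unsigned int and the conversion to a 64-bit long keeps its value — so LIST_POISON1/2 become 0x00000000ffffff01/02, addresses in the user half of the address space, whereas the replaced POISON_POINTER_DELTA form gives a non-canonical value on x86_64. A use of a poisoned list pointer then faults only if that user page is unmapped or the kernel is prevented from touching user memory; if the patch relies on its own user/kernel separation for that, the define needs a comment saying so, otherwise keep the new constant under `#if BITS_PER_LONG == 32` and retain the delta form for 64-bit. On 32-bit the cast wraps to 0xffffff01, which is presumably the intended high-address poison.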
48755 diff -urNp linux-2.6.38.4/include/linux/proc_fs.h linux-2.6.38.4/include/linux/proc_fs.h
48756 --- linux-2.6.38.4/include/linux/proc_fs.h 2011-03-14 21:20:32.000000000 -0400
48757 +++ linux-2.6.38.4/include/linux/proc_fs.h 2011-04-17 15:57:32.000000000 -0400
48758 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
48759 return proc_create_data(name, mode, parent, proc_fops, NULL);
48762 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
48763 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
48765 +#ifdef CONFIG_GRKERNSEC_PROC_USER
48766 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
48767 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
48768 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
48770 + return proc_create_data(name, mode, parent, proc_fops, NULL);
48775 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
48776 mode_t mode, struct proc_dir_entry *base,
48777 read_proc_t *read_proc, void * data)
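Review bot: `proc_create_grsec` discards its `mode` argument entirely under CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP, so a caller passing write bits gets a read-only entry and its write handler becomes unreachable without any warning. If every intended caller is a read-only file, say so above the function, e.g. `/* like proc_create(): under GRKERNSEC_PROC_USER{,GROUP} the entry is forced to S_IRUSR / S_IRUSR|S_IRGRP regardless of mode; not for writable entries */`; otherwise keep the caller's write bits, e.g. `S_IRUSR | (mode & S_IWUSR)`. The `#else` and `#endif` of the chain are cut from this view.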
48778 diff -urNp linux-2.6.38.4/include/linux/ptrace.h linux-2.6.38.4/include/linux/ptrace.h
48779 --- linux-2.6.38.4/include/linux/ptrace.h 2011-03-14 21:20:32.000000000 -0400
48780 +++ linux-2.6.38.4/include/linux/ptrace.h 2011-04-17 15:57:32.000000000 -0400
48781 @@ -115,10 +115,10 @@ extern void __ptrace_unlink(struct task_
48782 extern void exit_ptrace(struct task_struct *tracer);
48783 #define PTRACE_MODE_READ 1
48784 #define PTRACE_MODE_ATTACH 2
48785 -/* Returns 0 on success, -errno on denial. */
48786 -extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
48787 /* Returns true on success, false on denial. */
48788 extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
48789 +/* Returns true on success, false on denial. */
48790 +extern bool ptrace_may_access_log(struct task_struct *task, unsigned int mode);
48792 static inline int ptrace_reparented(struct task_struct *child)
48794 diff -urNp linux-2.6.38.4/include/linux/random.h linux-2.6.38.4/include/linux/random.h
48795 --- linux-2.6.38.4/include/linux/random.h 2011-03-14 21:20:32.000000000 -0400
48796 +++ linux-2.6.38.4/include/linux/random.h 2011-04-17 15:57:32.000000000 -0400
48797 @@ -80,12 +80,17 @@ void srandom32(u32 seed);
48799 u32 prandom32(struct rnd_state *);
48801 +static inline unsigned long pax_get_random_long(void)
48803 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
48807 * Handle minimum values for seeds
48809 static inline u32 __seed(u32 x, u32 m)
48811 - return (x < m) ? x + m : x;
48812 + return (x <= m) ? x + m + 1 : x;
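Review bot: `random32()` is the non-cryptographic prandom generator, and the name `pax_get_random_long` together with the `delta_mmap`/`delta_stack` "randomized offset" fields added in mm_types.h suggests its output feeds address-space randomization; `get_random_int()`, which mainline's `randomize_range()` draws from, is the conventional source for that, so either use it or add a comment stating why the LFSR generator is acceptable here. Separately, `(unsigned long)random32() << 32` shifts a 32-bit type by its full width on 32-bit builds; it sits in the dead arm of the `sizeof(long) > 4` ternary, but compilers commonly warn on it, and an `#if BITS_PER_LONG == 64` guard around the high-word term would make the intent explicit. The `__seed` change to a strict lower bound looks correct.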
48816 diff -urNp linux-2.6.38.4/include/linux/reiserfs_fs.h linux-2.6.38.4/include/linux/reiserfs_fs.h
48817 --- linux-2.6.38.4/include/linux/reiserfs_fs.h 2011-03-14 21:20:32.000000000 -0400
48818 +++ linux-2.6.38.4/include/linux/reiserfs_fs.h 2011-04-17 15:57:32.000000000 -0400
48819 @@ -1403,7 +1403,7 @@ static inline loff_t max_reiserfs_offset
48820 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
48822 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
48823 -#define get_generation(s) atomic_read (&fs_generation(s))
48824 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
48825 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
48826 #define __fs_changed(gen,s) (gen != get_generation (s))
48827 #define fs_changed(gen,s) \
48828 @@ -1615,24 +1615,24 @@ static inline struct super_block *sb_fro
48831 struct item_operations {
48832 - int (*bytes_number) (struct item_head * ih, int block_size);
48833 - void (*decrement_key) (struct cpu_key *);
48834 - int (*is_left_mergeable) (struct reiserfs_key * ih,
48835 + int (* const bytes_number) (struct item_head * ih, int block_size);
48836 + void (* const decrement_key) (struct cpu_key *);
48837 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
48838 unsigned long bsize);
48839 - void (*print_item) (struct item_head *, char *item);
48840 - void (*check_item) (struct item_head *, char *item);
48841 + void (* const print_item) (struct item_head *, char *item);
48842 + void (* const check_item) (struct item_head *, char *item);
48844 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
48845 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
48846 int is_affected, int insert_size);
48847 - int (*check_left) (struct virtual_item * vi, int free,
48848 + int (* const check_left) (struct virtual_item * vi, int free,
48849 int start_skip, int end_skip);
48850 - int (*check_right) (struct virtual_item * vi, int free);
48851 - int (*part_size) (struct virtual_item * vi, int from, int to);
48852 - int (*unit_num) (struct virtual_item * vi);
48853 - void (*print_vi) (struct virtual_item * vi);
48854 + int (* const check_right) (struct virtual_item * vi, int free);
48855 + int (* const part_size) (struct virtual_item * vi, int from, int to);
48856 + int (* const unit_num) (struct virtual_item * vi);
48857 + void (* const print_vi) (struct virtual_item * vi);
48860 -extern struct item_operations *item_ops[TYPE_ANY + 1];
48861 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
48863 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
48864 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
48865 diff -urNp linux-2.6.38.4/include/linux/reiserfs_fs_sb.h linux-2.6.38.4/include/linux/reiserfs_fs_sb.h
48866 --- linux-2.6.38.4/include/linux/reiserfs_fs_sb.h 2011-03-14 21:20:32.000000000 -0400
48867 +++ linux-2.6.38.4/include/linux/reiserfs_fs_sb.h 2011-04-17 15:57:32.000000000 -0400
48868 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
48869 /* Comment? -Hans */
48870 wait_queue_head_t s_wait;
48871 /* To be obsoleted soon by per buffer seals.. -Hans */
48872 - atomic_t s_generation_counter; // increased by one every time the
48873 + atomic_unchecked_t s_generation_counter; // increased by one every time the
48874 // tree gets re-balanced
48875 unsigned long s_properties; /* File system properties. Currently holds
48876 on-disk FS format */
48877 diff -urNp linux-2.6.38.4/include/linux/rmap.h linux-2.6.38.4/include/linux/rmap.h
48878 --- linux-2.6.38.4/include/linux/rmap.h 2011-03-14 21:20:32.000000000 -0400
48879 +++ linux-2.6.38.4/include/linux/rmap.h 2011-04-17 15:57:32.000000000 -0400
48880 @@ -145,8 +145,8 @@ static inline void anon_vma_unlock(struc
48881 void anon_vma_init(void); /* create anon_vma_cachep */
48882 int anon_vma_prepare(struct vm_area_struct *);
48883 void unlink_anon_vmas(struct vm_area_struct *);
48884 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
48885 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
48886 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
48887 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
48888 void __anon_vma_link(struct vm_area_struct *);
48889 void anon_vma_free(struct anon_vma *);
48891 diff -urNp linux-2.6.38.4/include/linux/sched.h linux-2.6.38.4/include/linux/sched.h
48892 --- linux-2.6.38.4/include/linux/sched.h 2011-04-22 19:20:59.000000000 -0400
48893 +++ linux-2.6.38.4/include/linux/sched.h 2011-04-22 19:21:35.000000000 -0400
48894 @@ -99,6 +99,7 @@ struct robust_list_head;
48897 struct perf_event_context;
48898 +struct linux_binprm;
48901 * List of flags we want to share for kernel threads,
48902 @@ -359,7 +360,7 @@ extern signed long schedule_timeout_inte
48903 extern signed long schedule_timeout_killable(signed long timeout);
48904 extern signed long schedule_timeout_uninterruptible(signed long timeout);
48905 asmlinkage void schedule(void);
48906 -extern int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner);
48907 +extern int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner);
48910 struct user_namespace;
48911 @@ -380,10 +381,13 @@ struct user_namespace;
48912 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
48914 extern int sysctl_max_map_count;
48915 +extern unsigned long sysctl_heap_stack_gap;
48917 #include <linux/aio.h>
48920 +extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
48921 +extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
48922 extern void arch_pick_mmap_layout(struct mm_struct *mm);
48923 extern unsigned long
48924 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
48925 @@ -628,6 +632,17 @@ struct signal_struct {
48926 #ifdef CONFIG_TASKSTATS
48927 struct taskstats *stats;
48930 +#ifdef CONFIG_GRKERNSEC
48937 + u8 used_accept:1;
48940 #ifdef CONFIG_AUDIT
48941 unsigned audit_tty;
48942 struct tty_audit_buf *tty_audit_buf;
48943 @@ -700,6 +715,11 @@ struct user_struct {
48944 struct key *session_keyring; /* UID's default session keyring */
48947 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
48948 + unsigned int banned;
48949 + unsigned long ban_expires;
48952 /* Hash table maintenance information */
48953 struct hlist_node uidhash_node;
48955 @@ -1310,8 +1330,8 @@ struct task_struct {
48956 struct list_head thread_group;
48958 struct completion *vfork_done; /* for vfork() */
48959 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
48960 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
48961 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
48962 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
48964 cputime_t utime, stime, utimescaled, stimescaled;
48966 @@ -1327,13 +1347,6 @@ struct task_struct {
48967 struct task_cputime cputime_expires;
48968 struct list_head cpu_timers[3];
48970 -/* process credentials */
48971 - const struct cred __rcu *real_cred; /* objective and real subjective task
48972 - * credentials (COW) */
48973 - const struct cred __rcu *cred; /* effective (overridable) subjective task
48974 - * credentials (COW) */
48975 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
48977 char comm[TASK_COMM_LEN]; /* executable name excluding path
48978 - access with [gs]et_task_comm (which lock
48979 it with task_lock())
48980 @@ -1350,8 +1363,16 @@ struct task_struct {
48982 /* CPU-specific state of this task */
48983 struct thread_struct thread;
48984 +/* thread_info moved to task_struct */
48986 + struct thread_info tinfo;
48988 /* filesystem information */
48989 struct fs_struct *fs;
48991 + const struct cred __rcu *cred; /* effective (overridable) subjective task
48992 + * credentials (COW) */
48994 /* open file information */
48995 struct files_struct *files;
48997 @@ -1398,6 +1419,11 @@ struct task_struct {
48998 struct rt_mutex_waiter *pi_blocked_on;
49001 +/* process credentials */
49002 + const struct cred __rcu *real_cred; /* objective and real subjective task
49003 + * credentials (COW) */
49004 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
49006 #ifdef CONFIG_DEBUG_MUTEXES
49007 /* mutex deadlock detection */
49008 struct mutex_waiter *blocked_on;
49009 @@ -1502,6 +1528,21 @@ struct task_struct {
49010 unsigned long default_timer_slack_ns;
49012 struct list_head *scm_work_list;
49014 +#ifdef CONFIG_GRKERNSEC
49016 + struct dentry *gr_chroot_dentry;
49017 + struct acl_subject_label *acl;
49018 + struct acl_role_label *role;
49019 + struct file *exec_file;
49021 + /* is this the task that authenticated to the special role */
49025 + u8 gr_is_chrooted;
49028 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
49029 /* Index of current stored address in ret_stack */
49030 int curr_ret_stack;
49031 @@ -1533,6 +1574,51 @@ struct task_struct {
49035 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
49036 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
49037 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
49038 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
49039 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
49040 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
49042 +#ifdef CONFIG_PAX_SOFTMODE
49043 +extern unsigned int pax_softmode;
49046 +extern int pax_check_flags(unsigned long *);
49048 +/* if tsk != current then task_lock must be held on it */
49049 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
49050 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
49052 + if (likely(tsk->mm))
49053 + return tsk->mm->pax_flags;
49058 +/* if tsk != current then task_lock must be held on it */
49059 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
49061 + if (likely(tsk->mm)) {
49062 + tsk->mm->pax_flags = flags;
49069 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
49070 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
49071 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
49072 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
49075 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
49076 +void pax_report_insns(void *pc, void *sp);
49077 +void pax_report_refcount_overflow(struct pt_regs *regs);
49078 +void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type);
49080 /* Future-safe accessor for struct task_struct's cpus_allowed. */
49081 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
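Review bot: `/*#define MF_PAX_RANDEXEC 0x10000000*/` is commented-out code; if the bit is meant to stay reserved so nothing else reuses it, say that instead, e.g. `/* 0x10000000 reserved (formerly MF_PAX_RANDEXEC) */`, otherwise delete the line. The prototype `extern int pax_check_flags(unsigned long *);` should name its parameter and say whether it normalizes the flags in place, since the pointer implies a write. The bodies of `pax_get_flags` and `pax_set_flags` are partly cut from this view, so I cannot confirm what they return when `tsk->mm` is NULL; the "task_lock must be held" comments above them are good and should also state that rule at the `pax_flags` field in mm_types.h.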
49083 @@ -2002,7 +2088,9 @@ void yield(void);
49084 extern struct exec_domain default_exec_domain;
49086 union thread_union {
49087 +#ifndef CONFIG_X86
49088 struct thread_info thread_info;
49090 unsigned long stack[THREAD_SIZE/sizeof(long)];
49093 @@ -2172,7 +2260,7 @@ extern void __cleanup_sighand(struct sig
49094 extern void exit_itimers(struct signal_struct *);
49095 extern void flush_itimer_signals(void);
49097 -extern NORET_TYPE void do_group_exit(int);
49098 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
49100 extern void daemonize(const char *, ...);
49101 extern int allow_signal(int);
49102 @@ -2313,13 +2401,17 @@ static inline unsigned long *end_of_stac
49106 -static inline int object_is_on_stack(void *obj)
49107 +static inline int object_starts_on_stack(void *obj)
49109 - void *stack = task_stack_page(current);
49110 + const void *stack = task_stack_page(current);
49112 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
49115 +#ifdef CONFIG_PAX_USERCOPY
49116 +extern int object_is_on_stack(const void *obj, unsigned long len);
49119 extern void thread_info_cache_init(void);
49121 #ifdef CONFIG_DEBUG_STACK_USAGE
49122 diff -urNp linux-2.6.38.4/include/linux/screen_info.h linux-2.6.38.4/include/linux/screen_info.h
49123 --- linux-2.6.38.4/include/linux/screen_info.h 2011-03-14 21:20:32.000000000 -0400
49124 +++ linux-2.6.38.4/include/linux/screen_info.h 2011-04-17 15:57:32.000000000 -0400
49125 @@ -43,7 +43,8 @@ struct screen_info {
49126 __u16 pages; /* 0x32 */
49127 __u16 vesa_attributes; /* 0x34 */
49128 __u32 capabilities; /* 0x36 */
49129 - __u8 _reserved[6]; /* 0x3a */
49130 + __u16 vesapm_size; /* 0x3a */
49131 + __u8 _reserved[4]; /* 0x3c */
49132 } __attribute__((packed));
49134 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
49135 diff -urNp linux-2.6.38.4/include/linux/security.h linux-2.6.38.4/include/linux/security.h
49136 --- linux-2.6.38.4/include/linux/security.h 2011-03-14 21:20:32.000000000 -0400
49137 +++ linux-2.6.38.4/include/linux/security.h 2011-04-17 15:57:32.000000000 -0400
49139 #include <linux/key.h>
49140 #include <linux/xfrm.h>
49141 #include <linux/slab.h>
49142 +#include <linux/grsecurity.h>
49143 #include <net/flow.h>
49145 /* Maximum number of letters for an LSM name string */
49146 diff -urNp linux-2.6.38.4/include/linux/shm.h linux-2.6.38.4/include/linux/shm.h
49147 --- linux-2.6.38.4/include/linux/shm.h 2011-03-14 21:20:32.000000000 -0400
49148 +++ linux-2.6.38.4/include/linux/shm.h 2011-04-17 15:57:32.000000000 -0400
49149 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
49152 struct user_struct *mlock_user;
49153 +#ifdef CONFIG_GRKERNSEC
49154 + time_t shm_createtime;
49159 /* shm_mode upper byte flags */
49160 diff -urNp linux-2.6.38.4/include/linux/skbuff.h linux-2.6.38.4/include/linux/skbuff.h
49161 --- linux-2.6.38.4/include/linux/skbuff.h 2011-03-14 21:20:32.000000000 -0400
49162 +++ linux-2.6.38.4/include/linux/skbuff.h 2011-04-17 15:57:32.000000000 -0400
49163 @@ -589,7 +589,7 @@ static inline struct skb_shared_hwtstamp
49165 static inline int skb_queue_empty(const struct sk_buff_head *list)
49167 - return list->next == (struct sk_buff *)list;
49168 + return list->next == (const struct sk_buff *)list;
49172 @@ -602,7 +602,7 @@ static inline int skb_queue_empty(const
49173 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
49174 const struct sk_buff *skb)
49176 - return skb->next == (struct sk_buff *)list;
49177 + return skb->next == (const struct sk_buff *)list;
49181 @@ -615,7 +615,7 @@ static inline bool skb_queue_is_last(con
49182 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
49183 const struct sk_buff *skb)
49185 - return skb->prev == (struct sk_buff *)list;
49186 + return skb->prev == (const struct sk_buff *)list;
49190 diff -urNp linux-2.6.38.4/include/linux/slab.h linux-2.6.38.4/include/linux/slab.h
49191 --- linux-2.6.38.4/include/linux/slab.h 2011-03-14 21:20:32.000000000 -0400
49192 +++ linux-2.6.38.4/include/linux/slab.h 2011-04-17 15:57:32.000000000 -0400
49193 @@ -11,12 +11,20 @@
49195 #include <linux/gfp.h>
49196 #include <linux/types.h>
49197 +#include <linux/err.h>
49200 * Flags to pass to kmem_cache_create().
49201 * The ones marked DEBUG are only valid if CONFIG_SLAB_DEBUG is set.
49203 #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
49205 +#ifdef CONFIG_PAX_USERCOPY
49206 +#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
49208 +#define SLAB_USERCOPY 0x00000000UL
49211 #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
49212 #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
49213 #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
49214 @@ -87,10 +95,13 @@
49215 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
49216 * Both make kfree a no-op.
49218 -#define ZERO_SIZE_PTR ((void *)16)
49219 +#define ZERO_SIZE_PTR \
49221 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
49222 + (void *)(-MAX_ERRNO-1L); \
49225 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
49226 - (unsigned long)ZERO_SIZE_PTR)
49227 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
49230 * struct kmem_cache related prototypes
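Review bot: `ZERO_SIZE_PTR` is now (presumably, the enclosing `({`/`})` lines are cut from this view) a GNU statement expression rather than a constant expression, so any user that needs one — a static initializer, a `case` label, or a `BUILD_BUG_ON` argument elsewhere — stops compiling, and the macro is no longer usable outside GNU C. The new `ZERO_OR_NULL_PTR(x)` test `(unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1` is true for NULL, for ZERO_SIZE_PTR, and for every IS_ERR() value, because ZERO_SIZE_PTR is `-MAX_ERRNO-1` and the errno range sits just above it; that turns `kfree(ERR_PTR(...))` from a fault into a silent no-op. If that is deliberate, state it at the define, e.g. `/* also true for IS_ERR() values: ZERO_SIZE_PTR sits directly below the errno range */`, otherwise bound the test from above as well.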
49231 @@ -142,6 +153,7 @@ void * __must_check krealloc(const void
49232 void kfree(const void *);
49233 void kzfree(const void *);
49234 size_t ksize(const void *);
49235 +void check_object_size(const void *ptr, unsigned long n, bool to);
49238 * Allocator specific definitions. These are mainly used to establish optimized
49239 @@ -334,4 +346,37 @@ static inline void *kzalloc_node(size_t
49241 void __init kmem_cache_init_late(void);
49243 +#define kmalloc(x, y) \
49245 + void *___retval; \
49246 + intoverflow_t ___x = (intoverflow_t)x; \
49247 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
49248 + ___retval = NULL; \
49250 + ___retval = kmalloc((size_t)___x, (y)); \
49254 +#define kmalloc_node(x, y, z) \
49256 + void *___retval; \
49257 + intoverflow_t ___x = (intoverflow_t)x; \
49258 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
49259 + ___retval = NULL; \
49261 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
49265 +#define kzalloc(x, y) \
49267 + void *___retval; \
49268 + intoverflow_t ___x = (intoverflow_t)x; \
49269 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
49270 + ___retval = NULL; \
49272 + ___retval = kzalloc((size_t)___x, (y)); \
49276 #endif /* _LINUX_SLAB_H */
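Review bot: `intoverflow_t ___x = (intoverflow_t)x;` leaves `x` unparenthesized, so for an argument like `a * b` the cast binds only to `a` and the multiplication is performed in the wide type — which is presumably the point, since `(intoverflow_t)(x)` would let the product overflow in size_t before widening — but every reader will take it for a missing-parentheses bug. Put the reason on the line, e.g. `intoverflow_t ___x = (intoverflow_t)x; /* no parens: widen the first operand so the caller's arithmetic is done in intoverflow_t */`, in all three macros (kmalloc, kmalloc_node, kzalloc). The check `___x > ULONG_MAX` only catches anything if `intoverflow_t` is wider than unsigned long, which I cannot confirm from this hunk. The three bodies differ only in the callee and message and could be one `__kmalloc_checked(fn, name, ...)` helper macro.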
49277 diff -urNp linux-2.6.38.4/include/linux/slub_def.h linux-2.6.38.4/include/linux/slub_def.h
49278 --- linux-2.6.38.4/include/linux/slub_def.h 2011-03-14 21:20:32.000000000 -0400
49279 +++ linux-2.6.38.4/include/linux/slub_def.h 2011-04-17 15:57:32.000000000 -0400
49280 @@ -79,7 +79,7 @@ struct kmem_cache {
49281 struct kmem_cache_order_objects max;
49282 struct kmem_cache_order_objects min;
49283 gfp_t allocflags; /* gfp flags to use on each alloc */
49284 - int refcount; /* Refcount for slab cache destroy */
49285 + atomic_t refcount; /* Refcount for slab cache destroy */
49286 void (*ctor)(void *);
49287 int inuse; /* Offset to metadata */
49288 int align; /* Alignment */
49289 diff -urNp linux-2.6.38.4/include/linux/sonet.h linux-2.6.38.4/include/linux/sonet.h
49290 --- linux-2.6.38.4/include/linux/sonet.h 2011-03-14 21:20:32.000000000 -0400
49291 +++ linux-2.6.38.4/include/linux/sonet.h 2011-04-17 15:57:32.000000000 -0400
49292 @@ -61,7 +61,7 @@ struct sonet_stats {
49293 #include <asm/atomic.h>
49295 struct k_sonet_stats {
49296 -#define __HANDLE_ITEM(i) atomic_t i
49297 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
49299 #undef __HANDLE_ITEM
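Review bot: The switch of the `k_sonet_stats` counters from `atomic_t` to `atomic_unchecked_t` carries no comment saying why they are exempt from the CONFIG_PAX_REFCOUNT overflow checks, so a later reader cannot tell whether wrap-around is intended or the exemption is a mistake. Suggest `/* statistics counters: wrap-around is expected, so exempt from PAX_REFCOUNT overflow checks */` above the `#define`. The same applies to `vm_stat` in the vmstat.h hunks and to `rid`/`ip_id_count` in the inetpeer.h hunk.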
49301 diff -urNp linux-2.6.38.4/include/linux/sunrpc/clnt.h linux-2.6.38.4/include/linux/sunrpc/clnt.h
49302 --- linux-2.6.38.4/include/linux/sunrpc/clnt.h 2011-03-14 21:20:32.000000000 -0400
49303 +++ linux-2.6.38.4/include/linux/sunrpc/clnt.h 2011-04-17 15:57:32.000000000 -0400
49304 @@ -168,9 +168,9 @@ static inline unsigned short rpc_get_por
49306 switch (sap->sa_family) {
49308 - return ntohs(((struct sockaddr_in *)sap)->sin_port);
49309 + return ntohs(((const struct sockaddr_in *)sap)->sin_port);
49311 - return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
49312 + return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
49316 @@ -203,7 +203,7 @@ static inline bool __rpc_cmp_addr4(const
49317 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
49318 const struct sockaddr *src)
49320 - const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
49321 + const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
49322 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
49324 dsin->sin_family = ssin->sin_family;
49325 @@ -300,7 +300,7 @@ static inline u32 rpc_get_scope_id(const
49326 if (sa->sa_family != AF_INET6)
49329 - return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
49330 + return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
49333 #endif /* __KERNEL__ */
49334 diff -urNp linux-2.6.38.4/include/linux/suspend.h linux-2.6.38.4/include/linux/suspend.h
49335 --- linux-2.6.38.4/include/linux/suspend.h 2011-03-14 21:20:32.000000000 -0400
49336 +++ linux-2.6.38.4/include/linux/suspend.h 2011-04-17 15:57:32.000000000 -0400
49337 @@ -106,15 +106,15 @@ typedef int __bitwise suspend_state_t;
49338 * which require special recovery actions in that situation.
49340 struct platform_suspend_ops {
49341 - int (*valid)(suspend_state_t state);
49342 - int (*begin)(suspend_state_t state);
49343 - int (*prepare)(void);
49344 - int (*prepare_late)(void);
49345 - int (*enter)(suspend_state_t state);
49346 - void (*wake)(void);
49347 - void (*finish)(void);
49348 - void (*end)(void);
49349 - void (*recover)(void);
49350 + int (* const valid)(suspend_state_t state);
49351 + int (* const begin)(suspend_state_t state);
49352 + int (* const prepare)(void);
49353 + int (* const prepare_late)(void);
49354 + int (* const enter)(suspend_state_t state);
49355 + void (* const wake)(void);
49356 + void (* const finish)(void);
49357 + void (* const end)(void);
49358 + void (* const recover)(void);
49361 #ifdef CONFIG_SUSPEND
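Review bot: Making every callback in `platform_suspend_ops` a `const` pointer changes the struct's contract — an instance can only be populated by an initializer, and code that assigns a callback after construction or assigns one struct to another will no longer compile — but the hunk does not document that. A comment above the struct, e.g. `/* callbacks are const: the ops table must be fully populated by its initializer and is immutable afterwards */`, would tell implementers why. The same applies to the `platform_hibernation_ops` hunk below and to the sysfs.h, neighbour.h and ac97_codec.h hunks.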
49362 @@ -217,16 +217,16 @@ extern void mark_free_pages(struct zone
49363 * platforms which require special recovery actions in that situation.
49365 struct platform_hibernation_ops {
49366 - int (*begin)(void);
49367 - void (*end)(void);
49368 - int (*pre_snapshot)(void);
49369 - void (*finish)(void);
49370 - int (*prepare)(void);
49371 - int (*enter)(void);
49372 - void (*leave)(void);
49373 - int (*pre_restore)(void);
49374 - void (*restore_cleanup)(void);
49375 - void (*recover)(void);
49376 + int (* const begin)(void);
49377 + void (* const end)(void);
49378 + int (* const pre_snapshot)(void);
49379 + void (* const finish)(void);
49380 + int (* const prepare)(void);
49381 + int (* const enter)(void);
49382 + void (* const leave)(void);
49383 + int (* const pre_restore)(void);
49384 + void (* const restore_cleanup)(void);
49385 + void (* const recover)(void);
49388 #ifdef CONFIG_HIBERNATION
49389 diff -urNp linux-2.6.38.4/include/linux/sysctl.h linux-2.6.38.4/include/linux/sysctl.h
49390 --- linux-2.6.38.4/include/linux/sysctl.h 2011-03-14 21:20:32.000000000 -0400
49391 +++ linux-2.6.38.4/include/linux/sysctl.h 2011-04-17 15:57:32.000000000 -0400
49392 @@ -155,7 +155,11 @@ enum
49393 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
49397 +#ifdef CONFIG_PAX_SOFTMODE
49399 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
49403 /* CTL_VM names: */
49405 @@ -967,6 +971,8 @@ typedef int proc_handler (struct ctl_tab
49407 extern int proc_dostring(struct ctl_table *, int,
49408 void __user *, size_t *, loff_t *);
49409 +extern int proc_dostring_modpriv(struct ctl_table *, int,
49410 + void __user *, size_t *, loff_t *);
49411 extern int proc_dointvec(struct ctl_table *, int,
49412 void __user *, size_t *, loff_t *);
49413 extern int proc_dointvec_minmax(struct ctl_table *, int,
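Review bot: `proc_dostring_modpriv` is declared with exactly the signature of `proc_dostring` but nothing says how it differs or when a sysctl table entry should use it; the name hints at an extra privilege check, but that is not visible here. Add a one-line comment above the declaration naming the restriction it enforces beyond `proc_dostring` and which entries are expected to use it.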
49414 diff -urNp linux-2.6.38.4/include/linux/sysfs.h linux-2.6.38.4/include/linux/sysfs.h
49415 --- linux-2.6.38.4/include/linux/sysfs.h 2011-03-14 21:20:32.000000000 -0400
49416 +++ linux-2.6.38.4/include/linux/sysfs.h 2011-04-17 15:57:32.000000000 -0400
49417 @@ -110,8 +110,8 @@ struct bin_attribute {
49418 #define sysfs_bin_attr_init(bin_attr) sysfs_attr_init(&(bin_attr)->attr)
49421 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
49422 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
49423 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
49424 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
49427 struct sysfs_dirent;
49428 diff -urNp linux-2.6.38.4/include/linux/tty.h linux-2.6.38.4/include/linux/tty.h
49429 --- linux-2.6.38.4/include/linux/tty.h 2011-03-14 21:20:32.000000000 -0400
49430 +++ linux-2.6.38.4/include/linux/tty.h 2011-04-17 15:57:32.000000000 -0400
49432 #include <linux/tty_driver.h>
49433 #include <linux/tty_ldisc.h>
49434 #include <linux/mutex.h>
49435 +#include <linux/poll.h>
49436 +#include <linux/smp_lock.h>
49438 #include <asm/system.h>
49440 @@ -465,7 +467,6 @@ extern int tty_perform_flush(struct tty_
49441 extern dev_t tty_devnum(struct tty_struct *tty);
49442 extern void proc_clear_tty(struct task_struct *p);
49443 extern struct tty_struct *get_current_tty(void);
49444 -extern void tty_default_fops(struct file_operations *fops);
49445 extern struct tty_struct *alloc_tty_struct(void);
49446 extern int tty_add_file(struct tty_struct *tty, struct file *file);
49447 extern void free_tty_struct(struct tty_struct *tty);
49448 @@ -528,6 +529,18 @@ extern void tty_ldisc_begin(void);
49449 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
49450 extern void tty_ldisc_enable(struct tty_struct *tty);
49453 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
49454 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
49455 +extern unsigned int tty_poll(struct file *, poll_table *);
49456 +#ifdef CONFIG_COMPAT
49457 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
49458 + unsigned long arg);
49460 +#define tty_compat_ioctl NULL
49462 +extern int tty_release(struct inode *, struct file *);
49463 +extern int tty_fasync(int fd, struct file *filp, int on);
49466 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
49467 diff -urNp linux-2.6.38.4/include/linux/tty_ldisc.h linux-2.6.38.4/include/linux/tty_ldisc.h
49468 --- linux-2.6.38.4/include/linux/tty_ldisc.h 2011-03-14 21:20:32.000000000 -0400
49469 +++ linux-2.6.38.4/include/linux/tty_ldisc.h 2011-04-17 15:57:32.000000000 -0400
49470 @@ -148,7 +148,7 @@ struct tty_ldisc_ops {
49472 struct module *owner;
49475 + atomic_t refcount;
49479 diff -urNp linux-2.6.38.4/include/linux/types.h linux-2.6.38.4/include/linux/types.h
49480 --- linux-2.6.38.4/include/linux/types.h 2011-03-14 21:20:32.000000000 -0400
49481 +++ linux-2.6.38.4/include/linux/types.h 2011-04-17 15:57:32.000000000 -0400
49482 @@ -207,10 +207,26 @@ typedef struct {
49486 +#ifdef CONFIG_PAX_REFCOUNT
49489 +} atomic_unchecked_t;
49491 +typedef atomic_t atomic_unchecked_t;
49494 #ifdef CONFIG_64BIT
49499 +#ifdef CONFIG_PAX_REFCOUNT
49502 +} atomic64_unchecked_t;
49504 +typedef atomic64_t atomic64_unchecked_t;
49509 diff -urNp linux-2.6.38.4/include/linux/uaccess.h linux-2.6.38.4/include/linux/uaccess.h
49510 --- linux-2.6.38.4/include/linux/uaccess.h 2011-03-14 21:20:32.000000000 -0400
49511 +++ linux-2.6.38.4/include/linux/uaccess.h 2011-04-17 15:57:32.000000000 -0400
49512 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
49514 mm_segment_t old_fs = get_fs(); \
49516 - set_fs(KERNEL_DS); \
49517 pagefault_disable(); \
49518 + set_fs(KERNEL_DS); \
49519 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
49520 - pagefault_enable(); \
49522 + pagefault_enable(); \
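Review bot: The hunk moves `set_fs(KERNEL_DS)` inside the `pagefault_disable()`/`pagefault_enable()` window so the address-limit override is never in effect while a page fault can be taken, but no comment records that the ordering is intentional, and a later cleanup could easily swap the two lines back. Suggest `/* keep the KERNEL_DS override strictly inside the pagefault-disabled region */` before `pagefault_disable();`. The enclosing macro begins and ends outside the hunk, so the surrounding structure is inferred.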
49526 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
49527 * Safely read from address @src to the buffer at @dst. If a kernel fault
49528 * happens, handle that and return -EFAULT.
49530 -extern long probe_kernel_read(void *dst, void *src, size_t size);
49531 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
49532 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
49533 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
49536 * probe_kernel_write(): safely attempt to write to a location
49537 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
49538 * Safely write to address @dst from the buffer at @src. If a kernel fault
49539 * happens, handle that and return -EFAULT.
49541 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
49542 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
49543 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
49544 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
49546 #endif /* __LINUX_UACCESS_H__ */
49547 diff -urNp linux-2.6.38.4/include/linux/unaligned/access_ok.h linux-2.6.38.4/include/linux/unaligned/access_ok.h
49548 --- linux-2.6.38.4/include/linux/unaligned/access_ok.h 2011-03-14 21:20:32.000000000 -0400
49549 +++ linux-2.6.38.4/include/linux/unaligned/access_ok.h 2011-04-17 15:57:32.000000000 -0400
49552 static inline u16 get_unaligned_le16(const void *p)
49554 - return le16_to_cpup((__le16 *)p);
49555 + return le16_to_cpup((const __le16 *)p);
49558 static inline u32 get_unaligned_le32(const void *p)
49560 - return le32_to_cpup((__le32 *)p);
49561 + return le32_to_cpup((const __le32 *)p);
49564 static inline u64 get_unaligned_le64(const void *p)
49566 - return le64_to_cpup((__le64 *)p);
49567 + return le64_to_cpup((const __le64 *)p);
49570 static inline u16 get_unaligned_be16(const void *p)
49572 - return be16_to_cpup((__be16 *)p);
49573 + return be16_to_cpup((const __be16 *)p);
49576 static inline u32 get_unaligned_be32(const void *p)
49578 - return be32_to_cpup((__be32 *)p);
49579 + return be32_to_cpup((const __be32 *)p);
49582 static inline u64 get_unaligned_be64(const void *p)
49584 - return be64_to_cpup((__be64 *)p);
49585 + return be64_to_cpup((const __be64 *)p);
49588 static inline void put_unaligned_le16(u16 val, void *p)
49589 diff -urNp linux-2.6.38.4/include/linux/usb/hcd.h linux-2.6.38.4/include/linux/usb/hcd.h
49590 --- linux-2.6.38.4/include/linux/usb/hcd.h 2011-04-18 17:27:14.000000000 -0400
49591 +++ linux-2.6.38.4/include/linux/usb/hcd.h 2011-04-17 15:57:32.000000000 -0400
49592 @@ -589,7 +589,7 @@ struct usb_mon_operations {
49593 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
49596 -extern struct usb_mon_operations *mon_ops;
49597 +extern const struct usb_mon_operations *mon_ops;
49599 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
49601 @@ -611,7 +611,7 @@ static inline void usbmon_urb_complete(s
49602 (*mon_ops->urb_complete)(bus, urb, status);
49605 -int usb_mon_register(struct usb_mon_operations *ops);
49606 +int usb_mon_register(const struct usb_mon_operations *ops);
49607 void usb_mon_deregister(void);
49610 diff -urNp linux-2.6.38.4/include/linux/vmalloc.h linux-2.6.38.4/include/linux/vmalloc.h
49611 --- linux-2.6.38.4/include/linux/vmalloc.h 2011-03-14 21:20:32.000000000 -0400
49612 +++ linux-2.6.38.4/include/linux/vmalloc.h 2011-04-17 15:57:32.000000000 -0400
49613 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
49614 #define VM_MAP 0x00000004 /* vmap()ed pages */
49615 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
49616 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
49618 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
49619 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
49622 /* bits [20..32] reserved for arch specific ioremap internals */
49625 @@ -123,4 +128,103 @@ struct vm_struct **pcpu_get_vm_areas(con
49626 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
49629 +#define vmalloc(x) \
49631 + void *___retval; \
49632 + intoverflow_t ___x = (intoverflow_t)x; \
49633 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
49634 + ___retval = NULL; \
49636 + ___retval = vmalloc((unsigned long)___x); \
49640 +#define vzalloc(x) \
49642 + void *___retval; \
49643 + intoverflow_t ___x = (intoverflow_t)x; \
49644 + if (WARN(___x > ULONG_MAX, "vzalloc size overflow\n")) \
49645 + ___retval = NULL; \
49647 + ___retval = vzalloc((unsigned long)___x); \
49651 +#define __vmalloc(x, y, z) \
49653 + void *___retval; \
49654 + intoverflow_t ___x = (intoverflow_t)x; \
49655 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
49656 + ___retval = NULL; \
49658 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
49662 +#define vmalloc_user(x) \
49664 + void *___retval; \
49665 + intoverflow_t ___x = (intoverflow_t)x; \
49666 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
49667 + ___retval = NULL; \
49669 + ___retval = vmalloc_user((unsigned long)___x); \
49673 +#define vmalloc_exec(x) \
49675 + void *___retval; \
49676 + intoverflow_t ___x = (intoverflow_t)x; \
49677 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
49678 + ___retval = NULL; \
49680 + ___retval = vmalloc_exec((unsigned long)___x); \
49684 +#define vmalloc_node(x, y) \
49686 + void *___retval; \
49687 + intoverflow_t ___x = (intoverflow_t)x; \
49688 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
49689 + ___retval = NULL; \
49691 + ___retval = vmalloc_node((unsigned long)___x, (y));\
49695 +#define vzalloc_node(x, y) \
49697 + void *___retval; \
49698 + intoverflow_t ___x = (intoverflow_t)x; \
49699 + if (WARN(___x > ULONG_MAX, "vzalloc_node size overflow\n"))\
49700 + ___retval = NULL; \
49702 + ___retval = vzalloc_node((unsigned long)___x, (y));\
49706 +#define vmalloc_32(x) \
49708 + void *___retval; \
49709 + intoverflow_t ___x = (intoverflow_t)x; \
49710 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
49711 + ___retval = NULL; \
49713 + ___retval = vmalloc_32((unsigned long)___x); \
49717 +#define vmalloc_32_user(x) \
49719 +void *___retval; \
49720 + intoverflow_t ___x = (intoverflow_t)x; \
49721 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
49722 + ___retval = NULL; \
49724 + ___retval = vmalloc_32_user((unsigned long)___x);\
49728 #endif /* _LINUX_VMALLOC_H */
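Review bot: In `vmalloc_32_user` the line `void *___retval; \` sits at column 0 while the same line in the eight sibling wrappers above it is indented one level; indent it to match so the nine macros read as one pattern. A reader scanning for differences between the wrappers will otherwise stop on a change that is whitespace only.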
49729 diff -urNp linux-2.6.38.4/include/linux/vmstat.h linux-2.6.38.4/include/linux/vmstat.h
49730 --- linux-2.6.38.4/include/linux/vmstat.h 2011-03-14 21:20:32.000000000 -0400
49731 +++ linux-2.6.38.4/include/linux/vmstat.h 2011-04-17 15:57:32.000000000 -0400
49732 @@ -140,18 +140,18 @@ static inline void vm_events_fold_cpu(in
49734 * Zone based page accounting with per cpu differentials.
49736 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
49737 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
49739 static inline void zone_page_state_add(long x, struct zone *zone,
49740 enum zone_stat_item item)
49742 - atomic_long_add(x, &zone->vm_stat[item]);
49743 - atomic_long_add(x, &vm_stat[item]);
49744 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
49745 + atomic_long_add_unchecked(x, &vm_stat[item]);
49748 static inline unsigned long global_page_state(enum zone_stat_item item)
49750 - long x = atomic_long_read(&vm_stat[item]);
49751 + long x = atomic_long_read_unchecked(&vm_stat[item]);
49755 @@ -162,7 +162,7 @@ static inline unsigned long global_page_
49756 static inline unsigned long zone_page_state(struct zone *zone,
49757 enum zone_stat_item item)
49759 - long x = atomic_long_read(&zone->vm_stat[item]);
49760 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
49764 @@ -179,7 +179,7 @@ static inline unsigned long zone_page_st
49765 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
49766 enum zone_stat_item item)
49768 - long x = atomic_long_read(&zone->vm_stat[item]);
49769 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
49773 @@ -273,8 +273,8 @@ static inline void __mod_zone_page_state
49775 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
49777 - atomic_long_inc(&zone->vm_stat[item]);
49778 - atomic_long_inc(&vm_stat[item]);
49779 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
49780 + atomic_long_inc_unchecked(&vm_stat[item]);
49783 static inline void __inc_zone_page_state(struct page *page,
49784 @@ -285,8 +285,8 @@ static inline void __inc_zone_page_state
49786 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
49788 - atomic_long_dec(&zone->vm_stat[item]);
49789 - atomic_long_dec(&vm_stat[item]);
49790 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
49791 + atomic_long_dec_unchecked(&vm_stat[item]);
49794 static inline void __dec_zone_page_state(struct page *page,
49795 diff -urNp linux-2.6.38.4/include/net/inetpeer.h linux-2.6.38.4/include/net/inetpeer.h
49796 --- linux-2.6.38.4/include/net/inetpeer.h 2011-03-14 21:20:32.000000000 -0400
49797 +++ linux-2.6.38.4/include/net/inetpeer.h 2011-04-17 15:57:32.000000000 -0400
49798 @@ -38,8 +38,8 @@ struct inet_peer {
49802 - atomic_t rid; /* Frag reception counter */
49803 - atomic_t ip_id_count; /* IP ID for the next packet */
49804 + atomic_unchecked_t rid; /* Frag reception counter */
49805 + atomic_unchecked_t ip_id_count; /* IP ID for the next packet */
49807 __u32 tcp_ts_stamp;
49809 @@ -88,7 +88,7 @@ static inline __u16 inet_getid(struct in
49812 inet_peer_refcheck(p);
49813 - return atomic_add_return(more, &p->ip_id_count) - more;
49814 + return atomic_add_return_unchecked(more, &p->ip_id_count) - more;
49817 #endif /* _NET_INETPEER_H */
49818 diff -urNp linux-2.6.38.4/include/net/irda/ircomm_tty.h linux-2.6.38.4/include/net/irda/ircomm_tty.h
49819 --- linux-2.6.38.4/include/net/irda/ircomm_tty.h 2011-03-14 21:20:32.000000000 -0400
49820 +++ linux-2.6.38.4/include/net/irda/ircomm_tty.h 2011-04-17 15:57:32.000000000 -0400
49822 #include <linux/termios.h>
49823 #include <linux/timer.h>
49824 #include <linux/tty.h> /* struct tty_struct */
49825 +#include <asm/local.h>
49827 #include <net/irda/irias_object.h>
49828 #include <net/irda/ircomm_core.h>
49829 @@ -105,8 +106,8 @@ struct ircomm_tty_cb {
49830 unsigned short close_delay;
49831 unsigned short closing_wait; /* time to wait before closing */
49834 - int blocked_open; /* # of blocked opens */
49835 + local_t open_count;
49836 + local_t blocked_open; /* # of blocked opens */
49838 /* Protect concurent access to :
49839 * o self->open_count
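Review bot: `open_count` and `blocked_open` become `local_t`, but `local_t` is intended for data modified only from its own CPU; a per-tty counter touched by open and close paths that may run on different CPUs has no such guarantee unless a lock serializes it. The context comment just below (`Protect concurent access to: o self->open_count`) suggests a lock exists, in which case a plain `int` updated under that lock is clearer; if the counters are updated outside it, `atomic_t` rather than `local_t` is the appropriate type. The users are outside this hunk, so this is inferred from the declarations alone.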
49840 diff -urNp linux-2.6.38.4/include/net/neighbour.h linux-2.6.38.4/include/net/neighbour.h
49841 --- linux-2.6.38.4/include/net/neighbour.h 2011-03-14 21:20:32.000000000 -0400
49842 +++ linux-2.6.38.4/include/net/neighbour.h 2011-04-17 15:57:32.000000000 -0400
49843 @@ -118,12 +118,12 @@ struct neighbour {
49847 - void (*solicit)(struct neighbour *, struct sk_buff*);
49848 - void (*error_report)(struct neighbour *, struct sk_buff*);
49849 - int (*output)(struct sk_buff*);
49850 - int (*connected_output)(struct sk_buff*);
49851 - int (*hh_output)(struct sk_buff*);
49852 - int (*queue_xmit)(struct sk_buff*);
49853 + void (* const solicit)(struct neighbour *, struct sk_buff*);
49854 + void (* const error_report)(struct neighbour *, struct sk_buff*);
49855 + int (* const output)(struct sk_buff*);
49856 + int (* const connected_output)(struct sk_buff*);
49857 + int (* const hh_output)(struct sk_buff*);
49858 + int (* const queue_xmit)(struct sk_buff*);
49861 struct pneigh_entry {
49862 diff -urNp linux-2.6.38.4/include/net/netlink.h linux-2.6.38.4/include/net/netlink.h
49863 --- linux-2.6.38.4/include/net/netlink.h 2011-03-14 21:20:32.000000000 -0400
49864 +++ linux-2.6.38.4/include/net/netlink.h 2011-04-17 15:57:32.000000000 -0400
49865 @@ -562,7 +562,7 @@ static inline void *nlmsg_get_pos(struct
49866 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
49869 - skb_trim(skb, (unsigned char *) mark - skb->data);
49870 + skb_trim(skb, (const unsigned char *) mark - skb->data);
49874 diff -urNp linux-2.6.38.4/include/net/sctp/sctp.h linux-2.6.38.4/include/net/sctp/sctp.h
49875 --- linux-2.6.38.4/include/net/sctp/sctp.h 2011-03-14 21:20:32.000000000 -0400
49876 +++ linux-2.6.38.4/include/net/sctp/sctp.h 2011-04-17 15:57:32.000000000 -0400
49877 @@ -316,9 +316,9 @@ do { \
49879 #else /* SCTP_DEBUG */
49881 -#define SCTP_DEBUG_PRINTK(whatever...)
49882 -#define SCTP_DEBUG_PRINTK_CONT(fmt, args...)
49883 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
49884 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
49885 +#define SCTP_DEBUG_PRINTK_CONT(fmt, args...) do {} while (0)
49886 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
49887 #define SCTP_ENABLE_DEBUG
49888 #define SCTP_DISABLE_DEBUG
49889 #define SCTP_ASSERT(expr, str, func)
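Review bot: `SCTP_ASSERT(expr, str, func)` on the last line of the hunk is still an empty expansion while the three `SCTP_DEBUG_PRINTK*` macros above it were changed to `do {} while (0)`, so an unbraced `if (...) SCTP_ASSERT(...); else ...` in the non-debug build keeps the dangling-statement hazard the hunk removes for the others. Change it to `#define SCTP_ASSERT(expr, str, func) do {} while (0)` for consistency; `SCTP_ENABLE_DEBUG` and `SCTP_DISABLE_DEBUG` deserve the same treatment if they are used as statements, which this hunk does not show.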
49890 diff -urNp linux-2.6.38.4/include/net/tcp.h linux-2.6.38.4/include/net/tcp.h
49891 --- linux-2.6.38.4/include/net/tcp.h 2011-03-14 21:20:32.000000000 -0400
49892 +++ linux-2.6.38.4/include/net/tcp.h 2011-04-17 15:57:32.000000000 -0400
49893 @@ -1382,7 +1382,7 @@ enum tcp_seq_states {
49894 struct tcp_seq_afinfo {
49896 sa_family_t family;
49897 - struct file_operations seq_fops;
49898 + struct file_operations seq_fops; /* cannot be const */
49899 struct seq_operations seq_ops;
49902 diff -urNp linux-2.6.38.4/include/net/udp.h linux-2.6.38.4/include/net/udp.h
49903 --- linux-2.6.38.4/include/net/udp.h 2011-03-14 21:20:32.000000000 -0400
49904 +++ linux-2.6.38.4/include/net/udp.h 2011-04-17 15:57:32.000000000 -0400
49905 @@ -223,7 +223,7 @@ struct udp_seq_afinfo {
49907 sa_family_t family;
49908 struct udp_table *udp_table;
49909 - struct file_operations seq_fops;
49910 + struct file_operations seq_fops; /* cannot be const */
49911 struct seq_operations seq_ops;
49914 diff -urNp linux-2.6.38.4/include/sound/ac97_codec.h linux-2.6.38.4/include/sound/ac97_codec.h
49915 --- linux-2.6.38.4/include/sound/ac97_codec.h 2011-03-14 21:20:32.000000000 -0400
49916 +++ linux-2.6.38.4/include/sound/ac97_codec.h 2011-04-17 15:57:32.000000000 -0400
49917 @@ -419,15 +419,15 @@
49920 struct snd_ac97_build_ops {
49921 - int (*build_3d) (struct snd_ac97 *ac97);
49922 - int (*build_specific) (struct snd_ac97 *ac97);
49923 - int (*build_spdif) (struct snd_ac97 *ac97);
49924 - int (*build_post_spdif) (struct snd_ac97 *ac97);
49925 + int (* const build_3d) (struct snd_ac97 *ac97);
49926 + int (* const build_specific) (struct snd_ac97 *ac97);
49927 + int (* const build_spdif) (struct snd_ac97 *ac97);
49928 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
49930 - void (*suspend) (struct snd_ac97 *ac97);
49931 - void (*resume) (struct snd_ac97 *ac97);
49932 + void (* const suspend) (struct snd_ac97 *ac97);
49933 + void (* const resume) (struct snd_ac97 *ac97);
49935 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
49936 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
49939 struct snd_ac97_bus_ops {
49940 diff -urNp linux-2.6.38.4/include/trace/events/irq.h linux-2.6.38.4/include/trace/events/irq.h
49941 --- linux-2.6.38.4/include/trace/events/irq.h 2011-03-14 21:20:32.000000000 -0400
49942 +++ linux-2.6.38.4/include/trace/events/irq.h 2011-04-17 15:57:32.000000000 -0400
49943 @@ -36,7 +36,7 @@ struct softirq_action;
49945 TRACE_EVENT(irq_handler_entry,
49947 - TP_PROTO(int irq, struct irqaction *action),
49948 + TP_PROTO(int irq, const struct irqaction *action),
49950 TP_ARGS(irq, action),
49952 @@ -66,7 +66,7 @@ TRACE_EVENT(irq_handler_entry,
49954 TRACE_EVENT(irq_handler_exit,
49956 - TP_PROTO(int irq, struct irqaction *action, int ret),
49957 + TP_PROTO(int irq, const struct irqaction *action, int ret),
49959 TP_ARGS(irq, action, ret),
49961 diff -urNp linux-2.6.38.4/include/video/uvesafb.h linux-2.6.38.4/include/video/uvesafb.h
49962 --- linux-2.6.38.4/include/video/uvesafb.h 2011-03-14 21:20:32.000000000 -0400
49963 +++ linux-2.6.38.4/include/video/uvesafb.h 2011-04-17 15:57:32.000000000 -0400
49964 @@ -177,6 +177,7 @@ struct uvesafb_par {
49965 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
49966 u8 pmi_setpal; /* PMI for palette changes */
49967 u16 *pmi_base; /* protected mode interface location */
49968 + u8 *pmi_code; /* protected mode code location */
49971 u8 *vbe_state_orig; /*
49972 diff -urNp linux-2.6.38.4/init/do_mounts.c linux-2.6.38.4/init/do_mounts.c
49973 --- linux-2.6.38.4/init/do_mounts.c 2011-03-14 21:20:32.000000000 -0400
49974 +++ linux-2.6.38.4/init/do_mounts.c 2011-04-17 15:57:32.000000000 -0400
49975 @@ -287,7 +287,7 @@ static void __init get_fs_names(char *pa
49977 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
49979 - int err = sys_mount(name, "/root", fs, flags, data);
49980 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
49984 @@ -382,18 +382,18 @@ void __init change_floppy(char *fmt, ...
49985 va_start(args, fmt);
49986 vsprintf(buf, fmt, args);
49988 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
49989 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
49991 sys_ioctl(fd, FDEJECT, 0);
49994 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
49995 - fd = sys_open("/dev/console", O_RDWR, 0);
49996 + fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
49998 sys_ioctl(fd, TCGETS, (long)&termios);
49999 termios.c_lflag &= ~ICANON;
50000 sys_ioctl(fd, TCSETSF, (long)&termios);
50001 - sys_read(fd, &c, 1);
50002 + sys_read(fd, (char __user *)&c, 1);
50003 termios.c_lflag |= ICANON;
50004 sys_ioctl(fd, TCSETSF, (long)&termios);
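Review bot: The three casts added in this hunk are not written consistently: `(char __user *)"/dev/root"` drops const and omits `__force`, `(__force const char __user *)"/dev/console"` keeps both, and `(char __user *)&c` omits `__force`; sparse is likely to keep flagging the two casts without `__force` as address-space violations. Use `(__force const char __user *)` for both string literals and `(__force char __user *)&c` for the read buffer, matching the style of the `sys_mount` hunk above.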
50006 @@ -487,6 +487,6 @@ void __init prepare_namespace(void)
50009 devtmpfs_mount("dev");
50010 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
50011 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
50012 sys_chroot((const char __user __force *)".");
50014 diff -urNp linux-2.6.38.4/init/do_mounts.h linux-2.6.38.4/init/do_mounts.h
50015 --- linux-2.6.38.4/init/do_mounts.h 2011-03-14 21:20:32.000000000 -0400
50016 +++ linux-2.6.38.4/init/do_mounts.h 2011-04-17 15:57:32.000000000 -0400
50017 @@ -15,15 +15,15 @@ extern int root_mountflags;
50019 static inline int create_dev(char *name, dev_t dev)
50021 - sys_unlink(name);
50022 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
50023 + sys_unlink((__force char __user *)name);
50024 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
50027 #if BITS_PER_LONG == 32
50028 static inline u32 bstat(char *name)
50030 struct stat64 stat;
50031 - if (sys_stat64(name, &stat) != 0)
50032 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
50034 if (!S_ISBLK(stat.st_mode))
50036 diff -urNp linux-2.6.38.4/init/do_mounts_initrd.c linux-2.6.38.4/init/do_mounts_initrd.c
50037 --- linux-2.6.38.4/init/do_mounts_initrd.c 2011-03-14 21:20:32.000000000 -0400
50038 +++ linux-2.6.38.4/init/do_mounts_initrd.c 2011-04-17 15:57:32.000000000 -0400
50039 @@ -44,13 +44,13 @@ static void __init handle_initrd(void)
50040 create_dev("/dev/root.old", Root_RAM0);
50041 /* mount initrd on rootfs' /root */
50042 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
50043 - sys_mkdir("/old", 0700);
50044 - root_fd = sys_open("/", 0, 0);
50045 - old_fd = sys_open("/old", 0, 0);
50046 + sys_mkdir((__force const char __user *)"/old", 0700);
50047 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
50048 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
50049 /* move initrd over / and chdir/chroot in initrd root */
50050 - sys_chdir("/root");
50051 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
50053 + sys_chdir((__force const char __user *)"/root");
50054 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
50055 + sys_chroot((__force const char __user *)".");
50058 * In case that a resume from disk is carried out by linuxrc or one of
50059 @@ -67,15 +67,15 @@ static void __init handle_initrd(void)
50061 /* move initrd to rootfs' /old */
50062 sys_fchdir(old_fd);
50063 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
50064 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
50065 /* switch root and cwd back to / of rootfs */
50066 sys_fchdir(root_fd);
50068 + sys_chroot((__force const char __user *)".");
50070 sys_close(root_fd);
50072 if (new_decode_dev(real_root_dev) == Root_RAM0) {
50073 - sys_chdir("/old");
50074 + sys_chdir((__force const char __user *)"/old");
50078 @@ -83,17 +83,17 @@ static void __init handle_initrd(void)
50081 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
50082 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
50083 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
50087 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
50088 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
50089 if (error == -ENOENT)
50090 printk("/initrd does not exist. Ignored.\n");
50092 printk("failed\n");
50093 printk(KERN_NOTICE "Unmounting old root\n");
50094 - sys_umount("/old", MNT_DETACH);
50095 + sys_umount((__force char __user *)"/old", MNT_DETACH);
50096 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
50099 @@ -116,11 +116,11 @@ int __init initrd_load(void)
50100 * mounted in the normal path.
50102 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
50103 - sys_unlink("/initrd.image");
50104 + sys_unlink((__force const char __user *)"/initrd.image");
50109 - sys_unlink("/initrd.image");
50110 + sys_unlink((__force const char __user *)"/initrd.image");
50113 diff -urNp linux-2.6.38.4/init/do_mounts_md.c linux-2.6.38.4/init/do_mounts_md.c
50114 --- linux-2.6.38.4/init/do_mounts_md.c 2011-03-14 21:20:32.000000000 -0400
50115 +++ linux-2.6.38.4/init/do_mounts_md.c 2011-04-17 15:57:32.000000000 -0400
50116 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
50117 partitioned ? "_d" : "", minor,
50118 md_setup_args[ent].device_names);
50120 - fd = sys_open(name, 0, 0);
50121 + fd = sys_open((__force char __user *)name, 0, 0);
50123 printk(KERN_ERR "md: open failed - cannot start "
50124 "array %s\n", name);
50125 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
50129 - fd = sys_open(name, 0, 0);
50130 + fd = sys_open((__force char __user *)name, 0, 0);
50131 sys_ioctl(fd, BLKRRPART, 0);
50134 diff -urNp linux-2.6.38.4/init/initramfs.c linux-2.6.38.4/init/initramfs.c
50135 --- linux-2.6.38.4/init/initramfs.c 2011-03-14 21:20:32.000000000 -0400
50136 +++ linux-2.6.38.4/init/initramfs.c 2011-04-17 15:57:32.000000000 -0400
50137 @@ -74,7 +74,7 @@ static void __init free_hash(void)
50141 -static long __init do_utime(char __user *filename, time_t mtime)
50142 +static long __init do_utime(__force char __user *filename, time_t mtime)
50144 struct timespec t[2];
50146 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
50147 struct dir_entry *de, *tmp;
50148 list_for_each_entry_safe(de, tmp, &dir_list, list) {
50149 list_del(&de->list);
50150 - do_utime(de->name, de->mtime);
50151 + do_utime((__force char __user *)de->name, de->mtime);
50155 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
50157 char *old = find_link(major, minor, ino, mode, collected);
50159 - return (sys_link(old, collected) < 0) ? -1 : 1;
50160 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
50164 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
50168 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
50169 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
50170 if (S_ISDIR(st.st_mode))
50172 + sys_rmdir((__force char __user *)path);
50174 - sys_unlink(path);
50175 + sys_unlink((__force char __user *)path);
50179 @@ -305,7 +305,7 @@ static int __init do_name(void)
50180 int openflags = O_WRONLY|O_CREAT;
50182 openflags |= O_TRUNC;
50183 - wfd = sys_open(collected, openflags, mode);
50184 + wfd = sys_open((__force char __user *)collected, openflags, mode);
50187 sys_fchown(wfd, uid, gid);
50188 @@ -317,17 +317,17 @@ static int __init do_name(void)
50191 } else if (S_ISDIR(mode)) {
50192 - sys_mkdir(collected, mode);
50193 - sys_chown(collected, uid, gid);
50194 - sys_chmod(collected, mode);
50195 + sys_mkdir((__force char __user *)collected, mode);
50196 + sys_chown((__force char __user *)collected, uid, gid);
50197 + sys_chmod((__force char __user *)collected, mode);
50198 dir_add(collected, mtime);
50199 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
50200 S_ISFIFO(mode) || S_ISSOCK(mode)) {
50201 if (maybe_link() == 0) {
50202 - sys_mknod(collected, mode, rdev);
50203 - sys_chown(collected, uid, gid);
50204 - sys_chmod(collected, mode);
50205 - do_utime(collected, mtime);
50206 + sys_mknod((__force char __user *)collected, mode, rdev);
50207 + sys_chown((__force char __user *)collected, uid, gid);
50208 + sys_chmod((__force char __user *)collected, mode);
50209 + do_utime((__force char __user *)collected, mtime);
50213 @@ -336,15 +336,15 @@ static int __init do_name(void)
50214 static int __init do_copy(void)
50216 if (count >= body_len) {
50217 - sys_write(wfd, victim, body_len);
50218 + sys_write(wfd, (__force char __user *)victim, body_len);
50220 - do_utime(vcollected, mtime);
50221 + do_utime((__force char __user *)vcollected, mtime);
50227 - sys_write(wfd, victim, count);
50228 + sys_write(wfd, (__force char __user *)victim, count);
50232 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
50234 collected[N_ALIGN(name_len) + body_len] = '\0';
50235 clean_path(collected, 0);
50236 - sys_symlink(collected + N_ALIGN(name_len), collected);
50237 - sys_lchown(collected, uid, gid);
50238 - do_utime(collected, mtime);
50239 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
50240 + sys_lchown((__force char __user *)collected, uid, gid);
50241 + do_utime((__force char __user *)collected, mtime);
50243 next_state = Reset;
50245 diff -urNp linux-2.6.38.4/init/Kconfig linux-2.6.38.4/init/Kconfig
50246 --- linux-2.6.38.4/init/Kconfig 2011-03-14 21:20:32.000000000 -0400
50247 +++ linux-2.6.38.4/init/Kconfig 2011-04-17 15:57:32.000000000 -0400
50248 @@ -1185,7 +1185,7 @@ config SLUB_DEBUG
50251 bool "Disable heap randomization"
50255 Randomizing heap placement makes heap exploits harder, but it
50256 also breaks ancient binaries (including anything libc5 based).
50257 diff -urNp linux-2.6.38.4/init/main.c linux-2.6.38.4/init/main.c
50258 --- linux-2.6.38.4/init/main.c 2011-03-14 21:20:32.000000000 -0400
50259 +++ linux-2.6.38.4/init/main.c 2011-04-17 15:57:32.000000000 -0400
50260 @@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void)
50261 extern void tc_init(void);
50264 +extern void grsecurity_init(void);
50267 * Debug helper: via this flag we know that we are in 'early bootup code'
50268 * where only the boot processor is running with IRQ disabled. This means
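Review bot: `extern void grsecurity_init(void);` is declared directly in init/main.c rather than in a header shared with its definition, so the compiler never checks this prototype against the function it names. Move it to the header that declares the other gr_* hooks this file calls and include that header here. The same in-file `extern` pattern recurs in the setup_pax_nouderef hunk below (`pax_enter_kernel_user`, `pax_exit_kernel_user`, `clone_pgd_mask`), in kernel/exit.c (`grsec_exec_file_lock`) and in ipc/shm.c (`gr_handle_shmat`, `gr_chroot_shmat`), so one shared header would cover all of them.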
50269 @@ -206,6 +208,47 @@ static int __init set_reset_devices(char
50271 __setup("reset_devices", set_reset_devices);
50273 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
50274 +extern char pax_enter_kernel_user[];
50275 +extern char pax_exit_kernel_user[];
50276 +extern pgdval_t clone_pgd_mask;
50279 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
50280 +static int __init setup_pax_nouderef(char *str)
50282 +#ifdef CONFIG_X86_32
50283 + unsigned int cpu;
50285 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
50286 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].type = 3;
50287 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].limit = 0xf;
50288 + get_cpu_gdt_table(cpu)[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
50289 + get_cpu_gdt_table(cpu)[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
50291 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
50293 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
50294 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
50295 + clone_pgd_mask = ~(pgdval_t)0UL;
50300 +early_param("pax_nouderef", setup_pax_nouderef);
50303 +#ifdef CONFIG_PAX_SOFTMODE
50304 +unsigned int pax_softmode;
50306 +static int __init setup_pax_softmode(char *str)
50308 + get_option(&str, &pax_softmode);
50311 +__setup("pax_softmode=", setup_pax_softmode);
50314 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
50315 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
50316 static const char *panic_later, *panic_param;
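Review bot: The two `memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1)` calls patch live kernel text with a bare opcode and carry no comment saying what the byte is or why the text is writable at that point. A one-line comment would spare the next reader a disassembly, e.g. `/* 0xc3 is x86 "ret": turn the UDEREF entry/exit stubs into no-ops */`. Whether the stubs' pages are still writable while early_param handlers run (in particular with KERNEXEC configured) is not visible in this hunk, so that assumption should be stated in the same comment. The 32-bit loop also writes the unexplained constants `type = 3` and `limit = 0xf` into four GDT entries; naming them, or commenting on what descriptor they produce, would make the intent checkable. Several lines of setup_pax_nouderef() are not rendered in this view, so its return value is not visible here.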
50317 @@ -751,6 +794,7 @@ int __init_or_module do_one_initcall(ini
50319 int count = preempt_count();
50321 + const char *msg1 = "", *msg2 = "";
50323 if (initcall_debug)
50324 ret = do_one_initcall_debug(fn);
50325 @@ -763,15 +807,15 @@ int __init_or_module do_one_initcall(ini
50326 sprintf(msgbuf, "error code %d ", ret);
50328 if (preempt_count() != count) {
50329 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
50330 + msg1 = " preemption imbalance";
50331 preempt_count() = count;
50333 if (irqs_disabled()) {
50334 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
50335 + msg2 = " disabled interrupts";
50336 local_irq_enable();
50339 - printk("initcall %pF returned with %s\n", fn, msgbuf);
50340 + if (msgbuf[0] || *msg1 || *msg2) {
50341 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
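Review bot: The replacement messages `msg1 = " preemption imbalance"` and `msg2 = " disabled interrupts"` carry a leading space while `sprintf(msgbuf, "error code %d ", ret)` keeps its trailing space, so the combined line prints a double space ("error code -5  preemption imbalance") when both fire; drop the trailing space in the format, `sprintf(msgbuf, "error code %d", ret);`, so the new `"%s%s%s"` composes cleanly. The change itself is sound, since it removes the two strlcat() appends into the fixed-size msgbuf, but a short comment on the `msg1`/`msg2` declaration saying so (`/* pointers to constant strings: nothing is appended into msgbuf */`) would keep a later cleanup from reintroducing strlcat. do_one_initcall()'s body starts outside this hunk.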
50345 @@ -898,7 +942,7 @@ static int __init kernel_init(void * unu
50348 /* Open the /dev/console on the rootfs, this should never fail */
50349 - if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
50350 + if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
50351 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
50354 @@ -911,11 +955,13 @@ static int __init kernel_init(void * unu
50355 if (!ramdisk_execute_command)
50356 ramdisk_execute_command = "/init";
50358 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
50359 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
50360 ramdisk_execute_command = NULL;
50361 prepare_namespace();
50364 + grsecurity_init();
50367 * Ok, we have completed the initial bootup, and
50368 * we're essentially up and running. Get rid of the
50369 diff -urNp linux-2.6.38.4/ipc/mqueue.c linux-2.6.38.4/ipc/mqueue.c
50370 --- linux-2.6.38.4/ipc/mqueue.c 2011-03-14 21:20:32.000000000 -0400
50371 +++ linux-2.6.38.4/ipc/mqueue.c 2011-04-17 15:57:32.000000000 -0400
50372 @@ -154,6 +154,7 @@ static struct inode *mqueue_get_inode(st
50373 mq_bytes = (mq_msg_tblsz +
50374 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
50376 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
50377 spin_lock(&mq_lock);
50378 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
50379 u->mq_bytes + mq_bytes >
50380 diff -urNp linux-2.6.38.4/ipc/shm.c linux-2.6.38.4/ipc/shm.c
50381 --- linux-2.6.38.4/ipc/shm.c 2011-03-14 21:20:32.000000000 -0400
50382 +++ linux-2.6.38.4/ipc/shm.c 2011-04-17 15:57:32.000000000 -0400
50383 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
50384 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
50387 +#ifdef CONFIG_GRKERNSEC
50388 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
50389 + const time_t shm_createtime, const uid_t cuid,
50390 + const int shmid);
50391 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
50392 + const time_t shm_createtime);
50395 void shm_init_ns(struct ipc_namespace *ns)
50397 ns->shm_ctlmax = SHMMAX;
50398 @@ -401,6 +409,14 @@ static int newseg(struct ipc_namespace *
50399 shp->shm_lprid = 0;
50400 shp->shm_atim = shp->shm_dtim = 0;
50401 shp->shm_ctim = get_seconds();
50402 +#ifdef CONFIG_GRKERNSEC
50404 + struct timespec timeval;
50405 + do_posix_clock_monotonic_gettime(&timeval);
50407 + shp->shm_createtime = timeval.tv_sec;
50410 shp->shm_segsz = size;
50411 shp->shm_nattch = 0;
50412 shp->shm_file = file;
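Review bot: `shp->shm_createtime = timeval.tv_sec` is taken from `do_posix_clock_monotonic_gettime()` while the adjacent `shp->shm_ctim = get_seconds()` is wall-clock time, and nothing says the two fields are deliberately on different clocks. A comment such as `/* monotonic, not wall-clock: only compare against other monotonic readings, never against shm_ctim */` would stop a reader from treating shm_createtime as a timestamp. Whether gr_handle_shmat()/gr_chroot_shmat() indeed compare it against a monotonic reading is not visible here and should be confirmed when the comment is written.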
50413 @@ -761,8 +777,6 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int,
50417 - struct file *uninitialized_var(shm_file);
50419 lru_add_drain_all(); /* drain pagevecs to lru lists */
50421 shp = shm_lock_check(ns, shmid);
50422 @@ -895,9 +909,21 @@ long do_shmat(int shmid, char __user *sh
50426 +#ifdef CONFIG_GRKERNSEC
50427 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
50428 + shp->shm_perm.cuid, shmid) ||
50429 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
50435 path = shp->shm_file->f_path;
50438 +#ifdef CONFIG_GRKERNSEC
50439 + shp->shm_lapid = current->pid;
50441 size = i_size_read(path.dentry->d_inode);
50444 diff -urNp linux-2.6.38.4/kernel/acct.c linux-2.6.38.4/kernel/acct.c
50445 --- linux-2.6.38.4/kernel/acct.c 2011-03-14 21:20:32.000000000 -0400
50446 +++ linux-2.6.38.4/kernel/acct.c 2011-04-17 15:57:32.000000000 -0400
50447 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
50449 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
50450 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
50451 - file->f_op->write(file, (char *)&ac,
50452 + file->f_op->write(file, (__force char __user *)&ac,
50453 sizeof(acct_t), &file->f_pos);
50454 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
50456 diff -urNp linux-2.6.38.4/kernel/capability.c linux-2.6.38.4/kernel/capability.c
50457 --- linux-2.6.38.4/kernel/capability.c 2011-03-14 21:20:32.000000000 -0400
50458 +++ linux-2.6.38.4/kernel/capability.c 2011-04-17 15:57:32.000000000 -0400
50459 @@ -205,6 +205,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
50460 * before modification is attempted and the application
50463 + if (tocopy > ARRAY_SIZE(kdata))
50466 if (copy_to_user(dataptr, kdata, tocopy
50467 * sizeof(struct __user_cap_data_struct))) {
50469 @@ -306,10 +309,26 @@ int capable(int cap)
50473 - if (security_capable(current_cred(), cap) == 0) {
50474 + if (security_capable(current_cred(), cap) == 0 && gr_is_capable(cap)) {
50475 current->flags |= PF_SUPERPRIV;
50481 +int capable_nolog(int cap)
50483 + if (unlikely(!cap_valid(cap))) {
50484 + printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
50488 + if (security_capable(current_cred(), cap) == 0 && gr_is_capable_nolog(cap)) {
50489 + current->flags |= PF_SUPERPRIV;
50495 EXPORT_SYMBOL(capable);
50496 +EXPORT_SYMBOL(capable_nolog);
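Review bot: The invalid-capability message in the new `capable_nolog()` still reads `capable() called with invalid cap=%u`, so a hit from the new entry point is misattributed to capable(); change it to `printk(KERN_CRIT "capable_nolog() called with invalid cap=%u\n", cap);`. Beyond that line the function appears to be a copy of capable() differing only in the `gr_is_capable_nolog(cap)` call, so a static helper taking the gr predicate (or a bool) would keep the cap_valid()/PF_SUPERPRIV logic in one place and fixes from having to be applied twice. The exported symbol also has no kernel-doc comment saying when a caller should prefer it over capable(), which, presumably, is to avoid logging a denial that the caller expects and handles; that is exactly what a caller needs to know.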
50497 diff -urNp linux-2.6.38.4/kernel/compat.c linux-2.6.38.4/kernel/compat.c
50498 --- linux-2.6.38.4/kernel/compat.c 2011-03-14 21:20:32.000000000 -0400
50499 +++ linux-2.6.38.4/kernel/compat.c 2011-04-17 15:57:32.000000000 -0400
50502 #include <linux/linkage.h>
50503 #include <linux/compat.h>
50504 +#include <linux/module.h>
50505 #include <linux/errno.h>
50506 #include <linux/time.h>
50507 #include <linux/signal.h>
50508 diff -urNp linux-2.6.38.4/kernel/configs.c linux-2.6.38.4/kernel/configs.c
50509 --- linux-2.6.38.4/kernel/configs.c 2011-03-14 21:20:32.000000000 -0400
50510 +++ linux-2.6.38.4/kernel/configs.c 2011-04-17 15:57:32.000000000 -0400
50511 @@ -74,8 +74,19 @@ static int __init ikconfig_init(void)
50512 struct proc_dir_entry *entry;
50514 /* create the current config file */
50515 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
50516 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
50517 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
50518 + &ikconfig_file_ops);
50519 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50520 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
50521 + &ikconfig_file_ops);
50524 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
50525 &ikconfig_file_ops);
50531 diff -urNp linux-2.6.38.4/kernel/cred.c linux-2.6.38.4/kernel/cred.c
50532 --- linux-2.6.38.4/kernel/cred.c 2011-03-14 21:20:32.000000000 -0400
50533 +++ linux-2.6.38.4/kernel/cred.c 2011-04-17 15:57:32.000000000 -0400
50534 @@ -483,6 +483,8 @@ int commit_creds(struct cred *new)
50536 get_cred(new); /* we will require a ref for the subj creds too */
50538 + gr_set_role_label(task, new->uid, new->gid);
50540 /* dumpability changes */
50541 if (old->euid != new->euid ||
50542 old->egid != new->egid ||
50543 diff -urNp linux-2.6.38.4/kernel/debug/debug_core.c linux-2.6.38.4/kernel/debug/debug_core.c
50544 --- linux-2.6.38.4/kernel/debug/debug_core.c 2011-03-14 21:20:32.000000000 -0400
50545 +++ linux-2.6.38.4/kernel/debug/debug_core.c 2011-04-17 15:57:32.000000000 -0400
50546 @@ -72,7 +72,7 @@ int kgdb_io_module_registered;
50547 /* Guard for recursive entry */
50548 static int exception_level;
50550 -struct kgdb_io *dbg_io_ops;
50551 +const struct kgdb_io *dbg_io_ops;
50552 static DEFINE_SPINLOCK(kgdb_registration_lock);
50554 /* kgdb console driver is loaded */
50555 @@ -864,7 +864,7 @@ static void kgdb_initial_breakpoint(void
50557 * Register it with the KGDB core.
50559 -int kgdb_register_io_module(struct kgdb_io *new_dbg_io_ops)
50560 +int kgdb_register_io_module(const struct kgdb_io *new_dbg_io_ops)
50564 @@ -909,7 +909,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
50566 * Unregister it with the KGDB core.
50568 -void kgdb_unregister_io_module(struct kgdb_io *old_dbg_io_ops)
50569 +void kgdb_unregister_io_module(const struct kgdb_io *old_dbg_io_ops)
50571 BUG_ON(kgdb_connected);
50573 diff -urNp linux-2.6.38.4/kernel/debug/kdb/kdb_main.c linux-2.6.38.4/kernel/debug/kdb/kdb_main.c
50574 --- linux-2.6.38.4/kernel/debug/kdb/kdb_main.c 2011-03-14 21:20:32.000000000 -0400
50575 +++ linux-2.6.38.4/kernel/debug/kdb/kdb_main.c 2011-04-17 15:57:32.000000000 -0400
50576 @@ -1980,7 +1980,7 @@ static int kdb_lsmod(int argc, const cha
50577 list_for_each_entry(mod, kdb_modules, list) {
50579 kdb_printf("%-20s%8u 0x%p ", mod->name,
50580 - mod->core_size, (void *)mod);
50581 + mod->core_size_rx + mod->core_size_rw, (void *)mod);
50582 #ifdef CONFIG_MODULE_UNLOAD
50583 kdb_printf("%4d ", module_refcount(mod));
50585 @@ -1990,7 +1990,7 @@ static int kdb_lsmod(int argc, const cha
50586 kdb_printf(" (Loading)");
50588 kdb_printf(" (Live)");
50589 - kdb_printf(" 0x%p", mod->module_core);
50590 + kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
50592 #ifdef CONFIG_MODULE_UNLOAD
50594 diff -urNp linux-2.6.38.4/kernel/exit.c linux-2.6.38.4/kernel/exit.c
50595 --- linux-2.6.38.4/kernel/exit.c 2011-03-14 21:20:32.000000000 -0400
50596 +++ linux-2.6.38.4/kernel/exit.c 2011-04-17 15:57:32.000000000 -0400
50598 #include <asm/pgtable.h>
50599 #include <asm/mmu_context.h>
50601 +#ifdef CONFIG_GRKERNSEC
50602 +extern rwlock_t grsec_exec_file_lock;
50605 static void exit_mm(struct task_struct * tsk);
50607 static void __unhash_process(struct task_struct *p, bool group_dead)
50608 @@ -169,6 +173,8 @@ void release_task(struct task_struct * p
50609 struct task_struct *leader;
50612 + gr_del_task_from_ip_table(p);
50614 tracehook_prepare_release_task(p);
50615 /* don't need to get the RCU readlock here - the process is dead and
50616 * can't be modifying its own credentials. But shut RCU-lockdep up */
50617 @@ -338,11 +344,22 @@ static void reparent_to_kthreadd(void)
50619 write_lock_irq(&tasklist_lock);
50621 +#ifdef CONFIG_GRKERNSEC
50622 + write_lock(&grsec_exec_file_lock);
50623 + if (current->exec_file) {
50624 + fput(current->exec_file);
50625 + current->exec_file = NULL;
50627 + write_unlock(&grsec_exec_file_lock);
50630 ptrace_unlink(current);
50631 /* Reparent to init */
50632 current->real_parent = current->parent = kthreadd_task;
50633 list_move_tail(¤t->sibling, ¤t->real_parent->children);
50635 + gr_set_kernel_label(current);
50637 /* Set the exit signal to SIGCHLD so we signal init on exit */
50638 current->exit_signal = SIGCHLD;
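Review bot: The added block calls `fput(current->exec_file)` while `write_lock_irq(&tasklist_lock)` (the context line just above it) and the new `grsec_exec_file_lock` write lock are both held; if this drops the last reference, fput() runs the file's release path, which may sleep, inside an irq-disabled atomic section. Consider clearing the pointer under the locks (`old = current->exec_file; current->exec_file = NULL;`) and calling `fput(old)` once the function has released tasklist_lock, which happens outside this hunk. The same block is duplicated verbatim in daemonize() in the next hunk, and a small static helper would keep the two in step. (The `¤t` on the list_move_tail line is a rendering artifact of `&current`, not code.)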
50640 @@ -394,7 +411,7 @@ int allow_signal(int sig)
50641 * know it'll be handled, so that they don't get converted to
50642 * SIGKILL or just silently dropped.
50644 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
50645 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
50646 recalc_sigpending();
50647 spin_unlock_irq(¤t->sighand->siglock);
50649 @@ -430,6 +447,17 @@ void daemonize(const char *name, ...)
50650 vsnprintf(current->comm, sizeof(current->comm), name, args);
50653 +#ifdef CONFIG_GRKERNSEC
50654 + write_lock(&grsec_exec_file_lock);
50655 + if (current->exec_file) {
50656 + fput(current->exec_file);
50657 + current->exec_file = NULL;
50659 + write_unlock(&grsec_exec_file_lock);
50662 + gr_set_kernel_label(current);
50665 * If we were started as result of loading a module, close all of the
50666 * user space pages. We don't need them, and if we didn't close them
50667 @@ -905,17 +933,17 @@ NORET_TYPE void do_exit(long code)
50668 struct task_struct *tsk = current;
50671 - profile_task_exit(tsk);
50673 - WARN_ON(atomic_read(&tsk->fs_excl));
50676 + * Check this first since set_fs() below depends on
50677 + * current_thread_info(), which we better not access when we're in
50678 + * interrupt context. Other than that, we want to do the set_fs()
50679 + * as early as possible.
50681 if (unlikely(in_interrupt()))
50682 panic("Aiee, killing interrupt handler!");
50683 - if (unlikely(!tsk->pid))
50684 - panic("Attempted to kill the idle task!");
50687 - * If do_exit is called because this processes oopsed, it's possible
50688 + * If do_exit is called because this processes Oops'ed, it's possible
50689 * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
50690 * continuing. Amongst other possible reasons, this is to prevent
50691 * mm_release()->clear_child_tid() from writing to a user-controlled
50692 @@ -923,6 +951,13 @@ NORET_TYPE void do_exit(long code)
50696 + profile_task_exit(tsk);
50698 + WARN_ON(atomic_read(&tsk->fs_excl));
50700 + if (unlikely(!tsk->pid))
50701 + panic("Attempted to kill the idle task!");
50703 tracehook_report_exit(&code);
50705 validate_creds_for_do_exit(tsk);
50706 @@ -983,6 +1018,9 @@ NORET_TYPE void do_exit(long code)
50707 tsk->exit_code = code;
50708 taskstats_exit(tsk, group_dead);
50710 + gr_acl_handle_psacct(tsk, code);
50711 + gr_acl_handle_exit();
50716 diff -urNp linux-2.6.38.4/kernel/fork.c linux-2.6.38.4/kernel/fork.c
50717 --- linux-2.6.38.4/kernel/fork.c 2011-03-14 21:20:32.000000000 -0400
50718 +++ linux-2.6.38.4/kernel/fork.c 2011-04-17 15:57:32.000000000 -0400
50719 @@ -280,7 +280,7 @@ static struct task_struct *dup_task_stru
50720 *stackend = STACK_END_MAGIC; /* for overflow detection */
50722 #ifdef CONFIG_CC_STACKPROTECTOR
50723 - tsk->stack_canary = get_random_int();
50724 + tsk->stack_canary = pax_get_random_long();
50727 /* One for us, one for whoever does the "release_task()" (usually parent) */
50728 @@ -302,13 +302,78 @@ out:
50732 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
50734 + struct vm_area_struct *tmp;
50735 + unsigned long charge;
50736 + struct mempolicy *pol;
50737 + struct file *file;
50740 + if (mpnt->vm_flags & VM_ACCOUNT) {
50741 + unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
50742 + if (security_vm_enough_memory(len))
50746 + tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
50751 + INIT_LIST_HEAD(&tmp->anon_vma_chain);
50752 + pol = mpol_dup(vma_policy(mpnt));
50754 + goto fail_nomem_policy;
50755 + vma_set_policy(tmp, pol);
50756 + if (anon_vma_fork(tmp, mpnt))
50757 + goto fail_nomem_anon_vma_fork;
50758 + tmp->vm_flags &= ~VM_LOCKED;
50759 + tmp->vm_next = tmp->vm_prev = NULL;
50760 + tmp->vm_mirror = NULL;
50761 + file = tmp->vm_file;
50763 + struct inode *inode = file->f_path.dentry->d_inode;
50764 + struct address_space *mapping = file->f_mapping;
50767 + if (tmp->vm_flags & VM_DENYWRITE)
50768 + atomic_dec(&inode->i_writecount);
50769 + spin_lock(&mapping->i_mmap_lock);
50770 + if (tmp->vm_flags & VM_SHARED)
50771 + mapping->i_mmap_writable++;
50772 + tmp->vm_truncate_count = mpnt->vm_truncate_count;
50773 + flush_dcache_mmap_lock(mapping);
50774 + /* insert tmp into the share list, just after mpnt */
50775 + vma_prio_tree_add(tmp, mpnt);
50776 + flush_dcache_mmap_unlock(mapping);
50777 + spin_unlock(&mapping->i_mmap_lock);
50781 + * Clear hugetlb-related page reserves for children. This only
50782 + * affects MAP_PRIVATE mappings. Faults generated by the child
50783 + * are not guaranteed to succeed, even if read-only
50785 + if (is_vm_hugetlb_page(tmp))
50786 + reset_vma_resv_huge_pages(tmp);
50790 +fail_nomem_anon_vma_fork:
50792 +fail_nomem_policy:
50793 + kmem_cache_free(vm_area_cachep, tmp);
50795 + vm_unacct_memory(charge);
50799 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
50801 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
50802 struct rb_node **rb_link, *rb_parent;
50804 - unsigned long charge;
50805 - struct mempolicy *pol;
50807 down_write(&oldmm->mmap_sem);
50808 flush_cache_dup_mm(oldmm);
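Review bot: The new `dup_vma()` reports every failure as NULL and the caller at `tmp = dup_vma(mm, mpnt)` maps that to `retval = -ENOMEM`, so the `retval = PTR_ERR(pol)` that the removed dup_mmap() code kept for mpol_dup() failures is gone; that is harmless only while mpol_dup() cannot fail with anything but -ENOMEM, which deserves a note on the function (`/* Returns NULL on any failure; the caller reports -ENOMEM */`). The function also has no header comment stating what the caller owns: it returns a VMA already linked into `mapping->i_mmap` via vma_prio_tree_add() but not yet into mm, so the caller must finish the insertion or unwind it. `tmp->vm_mirror = NULL` is the only line that differs from the code moved out of dup_mmap() and is unexplained; a one-line comment pointing at the CONFIG_PAX_SEGMEXEC loop further down, where the mirror links are re-established, would help. Lines dropped by this view (the NULL checks after the allocations) are not visible here.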
50809 @@ -320,8 +385,8 @@ static int dup_mmap(struct mm_struct *mm
50812 mm->mmap_cache = NULL;
50813 - mm->free_area_cache = oldmm->mmap_base;
50814 - mm->cached_hole_size = ~0UL;
50815 + mm->free_area_cache = oldmm->free_area_cache;
50816 + mm->cached_hole_size = oldmm->cached_hole_size;
50818 cpumask_clear(mm_cpumask(mm));
50819 mm->mm_rb = RB_ROOT;
50820 @@ -337,8 +402,6 @@ static int dup_mmap(struct mm_struct *mm
50823 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
50824 - struct file *file;
50826 if (mpnt->vm_flags & VM_DONTCOPY) {
50827 long pages = vma_pages(mpnt);
50828 mm->total_vm -= pages;
50829 @@ -346,56 +409,13 @@ static int dup_mmap(struct mm_struct *mm
50834 - if (mpnt->vm_flags & VM_ACCOUNT) {
50835 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
50836 - if (security_vm_enough_memory(len))
50840 - tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
50844 - INIT_LIST_HEAD(&tmp->anon_vma_chain);
50845 - pol = mpol_dup(vma_policy(mpnt));
50846 - retval = PTR_ERR(pol);
50848 - goto fail_nomem_policy;
50849 - vma_set_policy(tmp, pol);
50851 - if (anon_vma_fork(tmp, mpnt))
50852 - goto fail_nomem_anon_vma_fork;
50853 - tmp->vm_flags &= ~VM_LOCKED;
50854 - tmp->vm_next = tmp->vm_prev = NULL;
50855 - file = tmp->vm_file;
50857 - struct inode *inode = file->f_path.dentry->d_inode;
50858 - struct address_space *mapping = file->f_mapping;
50861 - if (tmp->vm_flags & VM_DENYWRITE)
50862 - atomic_dec(&inode->i_writecount);
50863 - spin_lock(&mapping->i_mmap_lock);
50864 - if (tmp->vm_flags & VM_SHARED)
50865 - mapping->i_mmap_writable++;
50866 - tmp->vm_truncate_count = mpnt->vm_truncate_count;
50867 - flush_dcache_mmap_lock(mapping);
50868 - /* insert tmp into the share list, just after mpnt */
50869 - vma_prio_tree_add(tmp, mpnt);
50870 - flush_dcache_mmap_unlock(mapping);
50871 - spin_unlock(&mapping->i_mmap_lock);
50872 + tmp = dup_vma(mm, mpnt);
50874 + retval = -ENOMEM;
50879 - * Clear hugetlb-related page reserves for children. This only
50880 - * affects MAP_PRIVATE mappings. Faults generated by the child
50881 - * are not guaranteed to succeed, even if read-only
50883 - if (is_vm_hugetlb_page(tmp))
50884 - reset_vma_resv_huge_pages(tmp);
50887 * Link in the new vma and copy the page table entries.
50890 @@ -416,6 +436,31 @@ static int dup_mmap(struct mm_struct *mm
50895 +#ifdef CONFIG_PAX_SEGMEXEC
50896 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
50897 + struct vm_area_struct *mpnt_m;
50899 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
50900 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
50902 + if (!mpnt->vm_mirror)
50905 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
50906 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
50907 + mpnt->vm_mirror = mpnt_m;
50909 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
50910 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
50911 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
50912 + mpnt->vm_mirror->vm_mirror = mpnt;
50919 /* a new mm has just been created */
50920 arch_dup_mmap(oldmm, mm);
50922 @@ -424,14 +469,6 @@ out:
50923 flush_tlb_mm(oldmm);
50924 up_write(&oldmm->mmap_sem);
50926 -fail_nomem_anon_vma_fork:
50928 -fail_nomem_policy:
50929 - kmem_cache_free(vm_area_cachep, tmp);
50931 - retval = -ENOMEM;
50932 - vm_unacct_memory(charge);
50936 static inline int mm_alloc_pgd(struct mm_struct * mm)
50937 @@ -778,13 +815,14 @@ static int copy_fs(unsigned long clone_f
50938 spin_unlock(&fs->lock);
50942 + atomic_inc(&fs->users);
50943 spin_unlock(&fs->lock);
50946 tsk->fs = copy_fs_struct(fs);
50949 + gr_set_chroot_entries(tsk, &tsk->fs->root);
50953 @@ -1042,10 +1080,13 @@ static struct task_struct *copy_process(
50955 if (!vx_nproc_avail(1))
50956 goto bad_fork_free;
50958 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
50960 if (atomic_read(&p->real_cred->user->processes) >=
50961 task_rlimit(p, RLIMIT_NPROC)) {
50962 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
50963 - p->real_cred->user != INIT_USER)
50964 + if (p->real_cred->user != INIT_USER &&
50965 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
50966 goto bad_fork_free;
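Review bot: The reordered condition now tests `p->real_cred->user != INIT_USER` before the two `capable()` calls, which changes which processes reach capable() and its side effects (capable() calls gr_is_capable() in this patch) but says nothing about why; a comment such as `/* test INIT_USER first so root's forks never enter capable() */` would record the intent. The result for every caller is unchanged because `&&` short-circuits the same way in both orders.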
50969 @@ -1199,6 +1240,8 @@ static struct task_struct *copy_process(
50970 goto bad_fork_free_pid;
50973 + gr_copy_label(p);
50975 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
50977 * Clear TID on mm_release()?
50978 @@ -1356,6 +1399,8 @@ bad_fork_cleanup_count:
50982 + gr_log_forkfail(retval);
50984 return ERR_PTR(retval);
50987 @@ -1444,6 +1489,8 @@ long do_fork(unsigned long clone_flags,
50988 if (clone_flags & CLONE_PARENT_SETTID)
50989 put_user(nr, parent_tidptr);
50991 + gr_handle_brute_check();
50993 if (clone_flags & CLONE_VFORK) {
50994 p->vfork_done = &vfork;
50995 init_completion(&vfork);
50996 @@ -1559,7 +1606,7 @@ static int unshare_fs(unsigned long unsh
50999 /* don't need lock here; in the worst case we'll do useless copy */
51000 - if (fs->users == 1)
51001 + if (atomic_read(&fs->users) == 1)
51004 *new_fsp = copy_fs_struct(fs);
51005 @@ -1682,7 +1729,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
51007 spin_lock(&fs->lock);
51008 current->fs = new_fs;
51010 + gr_set_chroot_entries(current, ¤t->fs->root);
51011 + if (atomic_dec_return(&fs->users))
51015 diff -urNp linux-2.6.38.4/kernel/futex.c linux-2.6.38.4/kernel/futex.c
51016 --- linux-2.6.38.4/kernel/futex.c 2011-04-22 19:20:59.000000000 -0400
51017 +++ linux-2.6.38.4/kernel/futex.c 2011-04-22 19:21:35.000000000 -0400
51019 #include <linux/mount.h>
51020 #include <linux/pagemap.h>
51021 #include <linux/syscalls.h>
51022 +#include <linux/ptrace.h>
51023 #include <linux/signal.h>
51024 #include <linux/module.h>
51025 #include <linux/magic.h>
51026 @@ -236,6 +237,11 @@ get_futex_key(u32 __user *uaddr, int fsh
51027 struct page *page, *page_head;
51030 +#ifdef CONFIG_PAX_SEGMEXEC
51031 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
51036 * The futex address must be "naturally" aligned.
51038 @@ -2404,7 +2410,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
51040 struct robust_list_head __user *head;
51042 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
51043 const struct cred *cred = current_cred(), *pcred;
51046 if (!futex_cmpxchg_enabled)
51048 @@ -2420,11 +2428,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
51052 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51053 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
51056 pcred = __task_cred(p);
51057 if (cred->euid != pcred->euid &&
51058 cred->euid != pcred->uid &&
51059 !capable(CAP_SYS_PTRACE))
51062 head = p->robust_list;
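Review bot: The `ptrace_may_access(p, PTRACE_MODE_READ)` check is compiled only under CONFIG_GRKERNSEC_PROC_MEMMAP, while the `#else` path keeps the bare euid/uid comparison plus CAP_SYS_PTRACE; ptrace_may_access() also consults the target's dumpability and the LSM ptrace hook, so the two configurations enforce different policies for reading another task's robust-list head. Unless something requires the weaker check, consider making the ptrace_may_access() call unconditional and dropping the `#ifndef` around the `cred`/`pcred` declarations. The same config-gated pattern appears in compat_sys_get_robust_list() in kernel/futex_compat.c below. The enclosing syscall body, including whatever lock protects `p` here, starts outside this hunk.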
51065 @@ -2667,6 +2680,7 @@ static int __init futex_init(void)
51069 + mm_segment_t oldfs;
51072 * This will fail and we want it. Some arch implementations do
51073 @@ -2678,7 +2692,10 @@ static int __init futex_init(void)
51074 * implementation, the non-functional ones will return
51077 + oldfs = get_fs();
51079 curval = cmpxchg_futex_value_locked(NULL, 0, 0);
51081 if (curval == -EFAULT)
51082 futex_cmpxchg_enabled = 1;
51084 diff -urNp linux-2.6.38.4/kernel/futex_compat.c linux-2.6.38.4/kernel/futex_compat.c
51085 --- linux-2.6.38.4/kernel/futex_compat.c 2011-03-14 21:20:32.000000000 -0400
51086 +++ linux-2.6.38.4/kernel/futex_compat.c 2011-04-17 15:57:32.000000000 -0400
51088 #include <linux/compat.h>
51089 #include <linux/nsproxy.h>
51090 #include <linux/futex.h>
51091 +#include <linux/ptrace.h>
51093 #include <asm/uaccess.h>
51095 @@ -136,7 +137,10 @@ compat_sys_get_robust_list(int pid, comp
51097 struct compat_robust_list_head __user *head;
51099 - const struct cred *cred = current_cred(), *pcred;
51100 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
51101 + const struct cred *cred = current_cred();
51102 + const struct cred *pcred;
51105 if (!futex_cmpxchg_enabled)
51107 @@ -152,11 +156,16 @@ compat_sys_get_robust_list(int pid, comp
51111 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51112 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
51115 pcred = __task_cred(p);
51116 if (cred->euid != pcred->euid &&
51117 cred->euid != pcred->uid &&
51118 !capable(CAP_SYS_PTRACE))
51121 head = p->compat_robust_list;
51124 diff -urNp linux-2.6.38.4/kernel/gcov/base.c linux-2.6.38.4/kernel/gcov/base.c
51125 --- linux-2.6.38.4/kernel/gcov/base.c 2011-03-14 21:20:32.000000000 -0400
51126 +++ linux-2.6.38.4/kernel/gcov/base.c 2011-04-17 15:57:32.000000000 -0400
51127 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
51130 #ifdef CONFIG_MODULES
51131 -static inline int within(void *addr, void *start, unsigned long size)
51133 - return ((addr >= start) && (addr < start + size));
51136 /* Update list and generate events when modules are unloaded. */
51137 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
51139 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
51141 /* Remove entries located in module from linked list. */
51142 for (info = gcov_info_head; info; info = info->next) {
51143 - if (within(info, mod->module_core, mod->core_size)) {
51144 + if (within_module_core_rw((unsigned long)info, mod)) {
51146 prev->next = info->next;
51148 diff -urNp linux-2.6.38.4/kernel/hrtimer.c linux-2.6.38.4/kernel/hrtimer.c
51149 --- linux-2.6.38.4/kernel/hrtimer.c 2011-03-14 21:20:32.000000000 -0400
51150 +++ linux-2.6.38.4/kernel/hrtimer.c 2011-04-17 15:57:32.000000000 -0400
51151 @@ -1371,7 +1371,7 @@ void hrtimer_peek_ahead_timers(void)
51152 local_irq_restore(flags);
51155 -static void run_hrtimer_softirq(struct softirq_action *h)
51156 +static void run_hrtimer_softirq(void)
51158 hrtimer_peek_ahead_timers();
51160 diff -urNp linux-2.6.38.4/kernel/jump_label.c linux-2.6.38.4/kernel/jump_label.c
51161 --- linux-2.6.38.4/kernel/jump_label.c 2011-03-14 21:20:32.000000000 -0400
51162 +++ linux-2.6.38.4/kernel/jump_label.c 2011-04-17 15:57:32.000000000 -0400
51163 @@ -49,6 +49,17 @@ void jump_label_unlock(void)
51164 mutex_unlock(&jump_label_mutex);
51167 +static void jump_label_swap(void *a, void *b, int size)
51169 + struct jump_entry t;
51171 + t = *(struct jump_entry *)a;
51172 + pax_open_kernel();
51173 + *(struct jump_entry *)a = *(struct jump_entry *)b;
51174 + *(struct jump_entry *)b = t;
51175 + pax_close_kernel();
51178 static int jump_label_cmp(const void *a, const void *b)
51180 const struct jump_entry *jea = a;
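Review bot: jump_label_swap() ignores its `size` argument and assumes every element is exactly a `struct jump_entry`; sort() passes whatever element size its caller supplied, so a mismatch would corrupt the table silently instead of failing loudly. A `BUG_ON(size != sizeof(struct jump_entry));` ahead of the copies, or at least a comment stating the assumption, pins it down. The function also needs a one-line comment on why the generic swap cannot be used — presumably because the jump table sits in memory that pax_open_kernel() has to make writable first, which is inferred here rather than visible.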
51181 @@ -70,7 +81,7 @@ sort_jump_label_entries(struct jump_entr
51183 size = (((unsigned long)stop - (unsigned long)start)
51184 / sizeof(struct jump_entry));
51185 - sort(start, size, sizeof(struct jump_entry), jump_label_cmp, NULL);
51186 + sort(start, size, sizeof(struct jump_entry), jump_label_cmp, jump_label_swap);
51189 static struct jump_label_entry *get_jump_label_entry(jump_label_t key)
51190 @@ -407,8 +418,11 @@ static void remove_jump_label_module_ini
51191 count = e_module->nr_entries;
51192 iter = e_module->table;
51194 - if (within_module_init(iter->code, mod))
51195 + if (within_module_init(iter->code, mod)) {
51196 + pax_open_kernel();
51198 + pax_close_kernel();
51203 diff -urNp linux-2.6.38.4/kernel/kallsyms.c linux-2.6.38.4/kernel/kallsyms.c
51204 --- linux-2.6.38.4/kernel/kallsyms.c 2011-03-14 21:20:32.000000000 -0400
51205 +++ linux-2.6.38.4/kernel/kallsyms.c 2011-04-17 15:57:32.000000000 -0400
51207 * Changed the compression method from stem compression to "table lookup"
51208 * compression (see scripts/kallsyms.c for a more complete description)
51210 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51211 +#define __INCLUDED_BY_HIDESYM 1
51213 #include <linux/kallsyms.h>
51214 #include <linux/module.h>
51215 #include <linux/init.h>
51216 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
51218 static inline int is_kernel_inittext(unsigned long addr)
51220 + if (system_state != SYSTEM_BOOTING)
51223 if (addr >= (unsigned long)_sinittext
51224 && addr <= (unsigned long)_einittext)
51229 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
51230 +#ifdef CONFIG_MODULES
51231 +static inline int is_module_text(unsigned long addr)
51233 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
51236 + addr = ktla_ktva(addr);
51237 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
51240 +static inline int is_module_text(unsigned long addr)
51247 static inline int is_kernel_text(unsigned long addr)
51249 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
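Review bot: is_kernel_inittext() now answers false as soon as system_state leaves SYSTEM_BOOTING, which assumes the init text is already unmapped by then; as far as I recall init_post() in this series frees initmem just before switching to SYSTEM_RUNNING, so the two events are close but not the same, and the reason for the gate deserves a comment such as `/* init text is discarded after boot; never resolve symbols into freed memory */`. The new is_module_text() uses an inclusive upper bound (`addr <= (unsigned long)MODULES_EXEC_END`), matching the _stext/_etext checks beside it but not the half-open `addr < (unsigned long)_end` form used in is_kernel() below; if MODULES_EXEC_END is a one-past-the-end address the comparison admits one byte too many. Several lines of both bodies are elided in this view, so the missing returns may already settle part of this.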
51250 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
51252 static inline int is_kernel(unsigned long addr)
51255 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
51256 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
51259 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
51261 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
51265 return in_gate_area_no_task(addr);
51268 static int is_ksym_addr(unsigned long addr)
51271 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
51272 + if (is_module_text(addr))
51277 return is_kernel(addr);
51279 @@ -416,7 +455,6 @@ static unsigned long get_ksymbol_core(st
51281 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
51283 - iter->name[0] = '\0';
51284 iter->nameoff = get_symbol_offset(new_pos);
51285 iter->pos = new_pos;
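Review bot: dropping `iter->name[0] = '\0';` from reset_iter() leaves the kzalloc() in kallsyms_open() (the -504 hunk) as the only guaranteed clear of the name buffer, and that runs once per open, while reset_iter() runs on every seek to a new position; after such a reset iter->name still carries the previous symbol until the next lookup overwrites it. If the intent is that every path through update_iter() refills name before s_show() reads it, record that here, e.g. `/* name is refilled by get_ksymbol_core()/get_ksymbol_mod() before s_show() runs */`; otherwise the original clear should stay alongside the kzalloc.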
51287 @@ -464,6 +502,11 @@ static int s_show(struct seq_file *m, vo
51289 struct kallsym_iter *iter = m->private;
51291 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51292 + if (current_uid())
51296 /* Some debugging symbols have no name. Ignore them. */
51297 if (!iter->name[0])
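Review bot: the HIDESYM gate in s_show() compares current_uid() against 0 on every read rather than deciding once at open, so the content of an already-open descriptor depends on who happens to call read() on it, and the decision keys on uid instead of a capability. The usual place for this is kallsyms_open() or the proc entry mode, as proc_modules_init() does elsewhere in this patch with S_IRUSR; if per-read filtering is deliberate, say why in a comment, e.g. `/* HIDESYM: non-root readers get an empty file; checked per read on purpose */`. The return inside the gate is on an elided line, so I cannot see what non-root readers receive.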
51299 @@ -504,7 +547,7 @@ static int kallsyms_open(struct inode *i
51300 struct kallsym_iter *iter;
51303 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
51304 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
51307 reset_iter(iter, 0);
51308 diff -urNp linux-2.6.38.4/kernel/kmod.c linux-2.6.38.4/kernel/kmod.c
51309 --- linux-2.6.38.4/kernel/kmod.c 2011-03-14 21:20:32.000000000 -0400
51310 +++ linux-2.6.38.4/kernel/kmod.c 2011-04-17 15:57:32.000000000 -0400
51311 @@ -65,13 +65,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
51312 * If module auto-loading support is disabled then this function
51313 * becomes a no-operation.
51315 -int __request_module(bool wait, const char *fmt, ...)
51316 +static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
51319 char module_name[MODULE_NAME_LEN];
51320 unsigned int max_modprobes;
51322 - char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
51323 + char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };
51324 static char *envp[] = { "HOME=/",
51326 "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
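Review bot: `char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };` relies on a NULL module_param terminating argv one slot early, which works but reads like a bug and breaks the moment someone appends another argument after module_param. A comment on that line, `/* module_param may be NULL, in which case it terminates argv */`, protects it. ____request_module() now consumes a va_list owned by its callers, so the doc comment above the function should say the caller does va_start()/va_end(); the body continues past this hunk.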
51327 @@ -80,9 +79,7 @@ int __request_module(bool wait, const ch
51328 #define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */
51329 static int kmod_loop_msg;
51331 - va_start(args, fmt);
51332 - ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
51334 + ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
51335 if (ret >= MODULE_NAME_LEN)
51336 return -ENAMETOOLONG;
51338 @@ -90,6 +87,20 @@ int __request_module(bool wait, const ch
51342 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
51343 + if (!current_uid()) {
51344 + /* hack to workaround consolekit/udisks stupidity */
51345 + read_lock(&tasklist_lock);
51346 + if (!strcmp(current->comm, "mount") &&
51347 + current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
51348 + read_unlock(&tasklist_lock);
51349 + printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
51352 + read_unlock(&tasklist_lock);
51356 /* If modprobe needs a service that is in a module, we get a recursive
51357 * loop. Limit the number of running kmod threads to max_threads/2 or
51358 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
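Review bot: the MODHARDEN check matches on `current->comm` and `current->real_parent->comm`, names a process picks for itself, so it is a workaround for one known userspace pattern rather than an access control; the existing comment hints at that, but the log line `grsec: denied attempt to auto-load fs module ...` reads as a policy denial and will be treated as one by whoever reviews the audit trail. Make the comment say it outright, e.g. `/* heuristic only: comm is caller-chosen; this targets a known udisks/consolekit pattern, not arbitrary callers */`, and consider a log level that matches. The return after read_unlock() is elided here, so I cannot confirm the error code.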
51359 @@ -123,6 +134,47 @@ int __request_module(bool wait, const ch
51360 atomic_dec(&kmod_concurrent);
51364 +int ___request_module(bool wait, char *module_param, const char *fmt, ...)
51369 + va_start(args, fmt);
51370 + ret = ____request_module(wait, module_param, fmt, args);
51376 +int __request_module(bool wait, const char *fmt, ...)
51381 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
51382 + if (current_uid()) {
51383 + char module_param[MODULE_NAME_LEN];
51385 + memset(module_param, 0, sizeof(module_param));
51387 + snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", current_uid());
51389 + va_start(args, fmt);
51390 + ret = ____request_module(wait, module_param, fmt, args);
51397 + va_start(args, fmt);
51398 + ret = ____request_module(wait, NULL, fmt, args);
51404 EXPORT_SYMBOL(__request_module);
51405 #endif /* CONFIG_MODULES */
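Review bot: `memset(module_param, 0, sizeof(module_param));` followed by `snprintf(module_param, sizeof(module_param) - 1, ...)` terminates the buffer twice: snprintf() always NUL-terminates within the size it is given, so the memset and the `- 1` add nothing and the `- 1` only shortens the usable buffer by a byte; `snprintf(module_param, sizeof(module_param), "grsec_modharden_normal%u_", current_uid());` is enough. The string is parsed back in load_module() with strstr() and a `%.9s`, so a comment here naming that consumer keeps the two ends in sync. The va_end() calls for the three va_start() sites fall on lines not shown in this view.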
51407 diff -urNp linux-2.6.38.4/kernel/kprobes.c linux-2.6.38.4/kernel/kprobes.c
51408 --- linux-2.6.38.4/kernel/kprobes.c 2011-03-14 21:20:32.000000000 -0400
51409 +++ linux-2.6.38.4/kernel/kprobes.c 2011-04-17 15:57:32.000000000 -0400
51410 @@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_
51411 * kernel image and loaded module images reside. This is required
51412 * so x86_64 can correctly handle the %rip-relative fixups.
51414 - kip->insns = module_alloc(PAGE_SIZE);
51415 + kip->insns = module_alloc_exec(PAGE_SIZE);
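Review bot: `kip->insns = module_alloc_exec(PAGE_SIZE);` hands out an executable slot, but nothing in this hunk shows how the slot is written afterwards; if exec allocations are read-only under the rest of this patch, the instruction copies into the slot must go through pax_open_kernel()/pax_close_kernel() or another text-write path, or they fault at the first probe registration. Worth checking the users of the returned slot (the arch kprobe preparation code copies instructions into it) and pinning the contract with a comment at the allocation, e.g. `/* executable slot: writers must open the kernel for writing first */`. __get_insn_slot()'s body starts and ends outside this hunk.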
51419 @@ -225,7 +225,7 @@ static int __kprobes collect_one_slot(st
51421 if (!list_is_singular(&kip->list)) {
51422 list_del(&kip->list);
51423 - module_free(NULL, kip->insns);
51424 + module_free_exec(NULL, kip->insns);
51428 @@ -1936,7 +1936,7 @@ static int __init init_kprobes(void)
51431 unsigned long offset = 0, size = 0;
51432 - char *modname, namebuf[128];
51433 + char *modname, namebuf[KSYM_NAME_LEN];
51434 const char *symbol_name;
51436 struct kprobe_blackpoint *kb;
51437 @@ -2062,7 +2062,7 @@ static int __kprobes show_kprobe_addr(st
51438 const char *sym = NULL;
51439 unsigned int i = *(loff_t *) v;
51440 unsigned long offset = 0;
51441 - char *modname, namebuf[128];
51442 + char *modname, namebuf[KSYM_NAME_LEN];
51444 head = &kprobe_table[i];
51446 diff -urNp linux-2.6.38.4/kernel/lockdep.c linux-2.6.38.4/kernel/lockdep.c
51447 --- linux-2.6.38.4/kernel/lockdep.c 2011-03-14 21:20:32.000000000 -0400
51448 +++ linux-2.6.38.4/kernel/lockdep.c 2011-04-17 15:57:32.000000000 -0400
51449 @@ -571,6 +571,10 @@ static int static_obj(void *obj)
51450 end = (unsigned long) &_end,
51451 addr = (unsigned long) obj;
51453 +#ifdef CONFIG_PAX_KERNEXEC
51454 + start = ktla_ktva(start);
51460 @@ -706,6 +710,7 @@ register_lock_class(struct lockdep_map *
51461 if (!static_obj(lock->key)) {
51463 printk("INFO: trying to register non-static key.\n");
51464 + printk("lock:%pS key:%pS.\n", lock, lock->key);
51465 printk("the code is fine but needs lockdep annotation.\n");
51466 printk("turning off the locking correctness validator.\n");
51468 @@ -2752,7 +2757,7 @@ static int __lock_acquire(struct lockdep
51472 - atomic_inc((atomic_t *)&class->ops);
51473 + atomic_inc_unchecked((atomic_unchecked_t *)&class->ops);
51474 if (very_verbose(class)) {
51475 printk("\nacquire class [%p] %s", class->key, class->name);
51476 if (class->name_version > 1)
51477 diff -urNp linux-2.6.38.4/kernel/lockdep_proc.c linux-2.6.38.4/kernel/lockdep_proc.c
51478 --- linux-2.6.38.4/kernel/lockdep_proc.c 2011-03-14 21:20:32.000000000 -0400
51479 +++ linux-2.6.38.4/kernel/lockdep_proc.c 2011-04-17 15:57:32.000000000 -0400
51480 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
51482 static void print_name(struct seq_file *m, struct lock_class *class)
51485 + char str[KSYM_NAME_LEN];
51486 const char *name = class->name;
51489 diff -urNp linux-2.6.38.4/kernel/module.c linux-2.6.38.4/kernel/module.c
51490 --- linux-2.6.38.4/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
51491 +++ linux-2.6.38.4/kernel/module.c 2011-04-17 16:05:04.000000000 -0400
51493 #include <linux/kmemleak.h>
51494 #include <linux/jump_label.h>
51495 #include <linux/pfn.h>
51496 +#include <linux/grsecurity.h>
51498 #define CREATE_TRACE_POINTS
51499 #include <trace/events/module.h>
51500 @@ -118,7 +119,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
51502 /* Bounds of module allocation, for speeding __module_address.
51503 * Protected by module_mutex. */
51504 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
51505 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
51506 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
51508 int register_module_notifier(struct notifier_block * nb)
51510 @@ -282,7 +284,7 @@ bool each_symbol(bool (*fn)(const struct
51513 list_for_each_entry_rcu(mod, &modules, list) {
51514 - struct symsearch arr[] = {
51515 + struct symsearch modarr[] = {
51516 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
51517 NOT_GPL_ONLY, false },
51518 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
51519 @@ -304,7 +306,7 @@ bool each_symbol(bool (*fn)(const struct
51523 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
51524 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
51528 @@ -415,7 +417,7 @@ static inline void __percpu *mod_percpu(
51529 static int percpu_modalloc(struct module *mod,
51530 unsigned long size, unsigned long align)
51532 - if (align > PAGE_SIZE) {
51533 + if (align-1 >= PAGE_SIZE) {
51534 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
51535 mod->name, align, PAGE_SIZE);
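Review bot: `if (align-1 >= PAGE_SIZE)` is `align > PAGE_SIZE` plus, through unsigned wrap-around, the `align == 0` case; that does catch a zero alignment, but it is not obvious, and the warning that follows would then print a `0 > PAGE_SIZE` comparison that makes no sense to the reader of the log. Spell the intent out: `if (align == 0 || align > PAGE_SIZE) {` compiles to the same thing and says what it checks. The rest of percpu_modalloc() is outside this hunk.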
51537 @@ -1143,7 +1145,7 @@ resolve_symbol_wait(struct module *mod,
51539 #ifdef CONFIG_SYSFS
51541 -#ifdef CONFIG_KALLSYMS
51542 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
51543 static inline bool sect_empty(const Elf_Shdr *sect)
51545 return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
51546 @@ -1612,17 +1614,17 @@ void unset_section_ro_nx(struct module *
51548 unsigned long total_pages;
51550 - if (mod->module_core == module_region) {
51551 + if (mod->module_core_rx == module_region) {
51552 /* Set core as NX+RW */
51553 - total_pages = MOD_NUMBER_OF_PAGES(mod->module_core, mod->core_size);
51554 - set_memory_nx((unsigned long)mod->module_core, total_pages);
51555 - set_memory_rw((unsigned long)mod->module_core, total_pages);
51556 + total_pages = MOD_NUMBER_OF_PAGES(mod->module_core_rx, mod->core_size_rx);
51557 + set_memory_nx((unsigned long)mod->module_core_rx, total_pages);
51558 + set_memory_rw((unsigned long)mod->module_core_rx, total_pages);
51560 - } else if (mod->module_init == module_region) {
51561 + } else if (mod->module_init_rx == module_region) {
51562 /* Set init as NX+RW */
51563 - total_pages = MOD_NUMBER_OF_PAGES(mod->module_init, mod->init_size);
51564 - set_memory_nx((unsigned long)mod->module_init, total_pages);
51565 - set_memory_rw((unsigned long)mod->module_init, total_pages);
51566 + total_pages = MOD_NUMBER_OF_PAGES(mod->module_init_rx, mod->init_size_rx);
51567 + set_memory_nx((unsigned long)mod->module_init_rx, total_pages);
51568 + set_memory_rw((unsigned long)mod->module_init_rx, total_pages);
51572 @@ -1633,14 +1635,14 @@ void set_all_modules_text_rw()
51574 mutex_lock(&module_mutex);
51575 list_for_each_entry_rcu(mod, &modules, list) {
51576 - if ((mod->module_core) && (mod->core_text_size)) {
51577 - set_page_attributes(mod->module_core,
51578 - mod->module_core + mod->core_text_size,
51579 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
51580 + set_page_attributes(mod->module_core_rx,
51581 + mod->module_core_rx + mod->core_size_rx,
51584 - if ((mod->module_init) && (mod->init_text_size)) {
51585 - set_page_attributes(mod->module_init,
51586 - mod->module_init + mod->init_text_size,
51587 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
51588 + set_page_attributes(mod->module_init_rx,
51589 + mod->module_init_rx + mod->init_size_rx,
51593 @@ -1654,14 +1656,14 @@ void set_all_modules_text_ro()
51595 mutex_lock(&module_mutex);
51596 list_for_each_entry_rcu(mod, &modules, list) {
51597 - if ((mod->module_core) && (mod->core_text_size)) {
51598 - set_page_attributes(mod->module_core,
51599 - mod->module_core + mod->core_text_size,
51600 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
51601 + set_page_attributes(mod->module_core_rx,
51602 + mod->module_core_rx + mod->core_size_rx,
51605 - if ((mod->module_init) && (mod->init_text_size)) {
51606 - set_page_attributes(mod->module_init,
51607 - mod->module_init + mod->init_text_size,
51608 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
51609 + set_page_attributes(mod->module_init_rx,
51610 + mod->module_init_rx + mod->init_size_rx,
51614 @@ -1696,17 +1698,20 @@ static void free_module(struct module *m
51615 destroy_params(mod->kp, mod->num_kp);
51617 /* This may be NULL, but that's OK */
51618 - unset_section_ro_nx(mod, mod->module_init);
51619 - module_free(mod, mod->module_init);
51620 + unset_section_ro_nx(mod, mod->module_init_rx);
51621 + module_free(mod, mod->module_init_rw);
51622 + module_free_exec(mod, mod->module_init_rx);
51624 percpu_modfree(mod);
51626 /* Free lock-classes: */
51627 - lockdep_free_key_range(mod->module_core, mod->core_size);
51628 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
51629 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
51631 /* Finally, free the core (containing the module structure) */
51632 - unset_section_ro_nx(mod, mod->module_core);
51633 - module_free(mod, mod->module_core);
51634 + unset_section_ro_nx(mod, mod->module_core_rx);
51635 + module_free_exec(mod, mod->module_core_rx);
51636 + module_free(mod, mod->module_core_rw);
51639 update_protections(current->mm);
51640 @@ -1775,10 +1780,25 @@ static int simplify_symbols(struct modul
51643 const struct kernel_symbol *ksym;
51644 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
51645 + int is_fs_load = 0;
51646 + int register_filesystem_found = 0;
51648 + if (strstr(mod->args, "grsec_modharden_fs"))
51652 for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
51653 const char *name = info->strtab + sym[i].st_name;
51655 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
51656 + /* it's a real shame this will never get ripped and copied
51659 + if (is_fs_load && !strcmp(name, "register_filesystem"))
51660 + register_filesystem_found = 1;
51663 switch (sym[i].st_shndx) {
51665 /* We compiled with -fno-common. These are not
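Review bot: the new `strstr(mod->args, "grsec_modharden_fs")` at the top of simplify_symbols() only works because another hunk of this patch (-2748 in load_module()) moves the strndup_user() of the arguments ahead of the simplify_symbols() call; before that move mod->args was still NULL here. That ordering dependency is invisible from this function, so it should be written down, e.g. `/* mod->args is populated by load_module() before we are called; MODHARDEN relies on this */`. The comment starting `it's a real shame` is cut off in this view, so I cannot judge its wording.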
51666 @@ -1799,7 +1819,9 @@ static int simplify_symbols(struct modul
51667 ksym = resolve_symbol_wait(mod, info, name);
51668 /* Ok if resolved. */
51669 if (ksym && !IS_ERR(ksym)) {
51670 + pax_open_kernel();
51671 sym[i].st_value = ksym->value;
51672 + pax_close_kernel();
51676 @@ -1818,11 +1840,20 @@ static int simplify_symbols(struct modul
51677 secbase = (unsigned long)mod_percpu(mod);
51679 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
51680 + pax_open_kernel();
51681 sym[i].st_value += secbase;
51682 + pax_close_kernel();
51687 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
51688 + if (is_fs_load && !register_filesystem_found) {
51689 + printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
51697 @@ -1906,22 +1937,12 @@ static void layout_sections(struct modul
51698 || s->sh_entsize != ~0UL
51699 || strstarts(sname, ".init"))
51701 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
51702 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
51703 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
51705 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
51706 DEBUGP("\t%s\n", name);
51709 - case 0: /* executable */
51710 - mod->core_size = debug_align(mod->core_size);
51711 - mod->core_text_size = mod->core_size;
51713 - case 1: /* RO: text and ro-data */
51714 - mod->core_size = debug_align(mod->core_size);
51715 - mod->core_ro_size = mod->core_size;
51717 - case 3: /* whole core */
51718 - mod->core_size = debug_align(mod->core_size);
51723 DEBUGP("Init section allocation order:\n");
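Review bot: the rewritten allocation loop no longer assigns core_text_size/core_ro_size (and, in the -1935 hunk, init_text_size/init_ro_size); the two-way SHF_WRITE split into core_size_rw/core_size_rx replaces them, so any remaining reader of the dropped fields — the set_section_ro_nx() callers in init_module are updated by this patch, but arch and tracing code may also consult them — needs checking. The split itself deserves a comment above the condition, e.g. `/* writable or non-alloc sections go to the RW mapping; text and rodata go to the RX mapping */`, since the `SHF_WRITE || !SHF_ALLOC` test is the whole layout policy now. The top of the loop is outside this hunk.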
51724 @@ -1935,23 +1956,13 @@ static void layout_sections(struct modul
51725 || s->sh_entsize != ~0UL
51726 || !strstarts(sname, ".init"))
51728 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
51729 - | INIT_OFFSET_MASK);
51730 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
51731 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
51733 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
51734 + s->sh_entsize |= INIT_OFFSET_MASK;
51735 DEBUGP("\t%s\n", sname);
51738 - case 0: /* executable */
51739 - mod->init_size = debug_align(mod->init_size);
51740 - mod->init_text_size = mod->init_size;
51742 - case 1: /* RO: text and ro-data */
51743 - mod->init_size = debug_align(mod->init_size);
51744 - mod->init_ro_size = mod->init_size;
51746 - case 3: /* whole init */
51747 - mod->init_size = debug_align(mod->init_size);
51753 @@ -2119,7 +2130,7 @@ static void layout_symtab(struct module
51755 /* Put symbol section at end of init part of module. */
51756 symsect->sh_flags |= SHF_ALLOC;
51757 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
51758 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
51759 info->index.sym) | INIT_OFFSET_MASK;
51760 DEBUGP("\t%s\n", info->secstrings + symsect->sh_name);
51762 @@ -2136,19 +2147,19 @@ static void layout_symtab(struct module
51765 /* Append room for core symbols at end of core part. */
51766 - info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
51767 - mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
51768 + info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
51769 + mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
51771 /* Put string table section at end of init part of module. */
51772 strsect->sh_flags |= SHF_ALLOC;
51773 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
51774 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
51775 info->index.str) | INIT_OFFSET_MASK;
51776 DEBUGP("\t%s\n", info->secstrings + strsect->sh_name);
51778 /* Append room for core symbols' strings at end of core part. */
51779 - info->stroffs = mod->core_size;
51780 + info->stroffs = mod->core_size_rx;
51781 __set_bit(0, info->strmap);
51782 - mod->core_size += bitmap_weight(info->strmap, strsect->sh_size);
51783 + mod->core_size_rx += bitmap_weight(info->strmap, strsect->sh_size);
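Review bot: the core symbol and string tables are now appended to core_size_rx, i.e. they land in the mapping that init_module() later makes read-only with set_section_ro_nx(); add_kallsyms() writes them under pax_open_kernel() in the -2164 hunk, so it works, but the placement is a deliberate choice (keep kallsyms data tamper-resistant) that the code does not explain. A comment at `info->symoffs = ALIGN(mod->core_size_rx, ...)` such as `/* kallsyms tables live in the RX (read-only after init) mapping; writers must open the kernel first */` would stop someone moving them to _rw for convenience. The start of layout_symtab() is outside this hunk.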
51786 static void add_kallsyms(struct module *mod, const struct load_info *info)
51787 @@ -2164,11 +2175,13 @@ static void add_kallsyms(struct module *
51788 /* Make sure we get permanent strtab: don't use info->strtab. */
51789 mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
51791 + pax_open_kernel();
51793 /* Set types up while we still have access to sections. */
51794 for (i = 0; i < mod->num_symtab; i++)
51795 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
51797 - mod->core_symtab = dst = mod->module_core + info->symoffs;
51798 + mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
51801 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
51802 @@ -2181,10 +2194,12 @@ static void add_kallsyms(struct module *
51804 mod->core_num_syms = ndst;
51806 - mod->core_strtab = s = mod->module_core + info->stroffs;
51807 + mod->core_strtab = s = mod->module_core_rx + info->stroffs;
51808 for (*s = 0, i = 1; i < info->sechdrs[info->index.str].sh_size; ++i)
51809 if (test_bit(i, info->strmap))
51810 *++s = mod->strtab[i];
51812 + pax_close_kernel();
51815 static inline void layout_symtab(struct module *mod, struct load_info *info)
51816 @@ -2213,17 +2228,33 @@ static void dynamic_debug_remove(struct
51817 ddebug_remove_module(debug->modname);
51820 -static void *module_alloc_update_bounds(unsigned long size)
51821 +static void *module_alloc_update_bounds_rw(unsigned long size)
51823 void *ret = module_alloc(size);
51826 mutex_lock(&module_mutex);
51827 /* Update module bounds. */
51828 - if ((unsigned long)ret < module_addr_min)
51829 - module_addr_min = (unsigned long)ret;
51830 - if ((unsigned long)ret + size > module_addr_max)
51831 - module_addr_max = (unsigned long)ret + size;
51832 + if ((unsigned long)ret < module_addr_min_rw)
51833 + module_addr_min_rw = (unsigned long)ret;
51834 + if ((unsigned long)ret + size > module_addr_max_rw)
51835 + module_addr_max_rw = (unsigned long)ret + size;
51836 + mutex_unlock(&module_mutex);
51841 +static void *module_alloc_update_bounds_rx(unsigned long size)
51843 + void *ret = module_alloc_exec(size);
51846 + mutex_lock(&module_mutex);
51847 + /* Update module bounds. */
51848 + if ((unsigned long)ret < module_addr_min_rx)
51849 + module_addr_min_rx = (unsigned long)ret;
51850 + if ((unsigned long)ret + size > module_addr_max_rx)
51851 + module_addr_max_rx = (unsigned long)ret + size;
51852 mutex_unlock(&module_mutex);
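Review bot: module_alloc_update_bounds_rw() and module_alloc_update_bounds_rx() are the same function apart from the allocator and which pair of globals they update, and both lock module_mutex to do it. Folding the bounds update into one helper that takes the min/max pair by pointer removes the duplicate and keeps the comparison logic in one place the next time a mapping type is added; each wrapper then shrinks to the allocation plus one call. The NULL check on `ret` falls on an elided line in both functions, so the helper below assumes it and returns early on NULL.
```c
/* Fold a fresh allocation into the [min, max) bounds used by __module_address(). */
static void module_update_bounds(unsigned long *min, unsigned long *max,
				 void *ret, unsigned long size)
{
	if (!ret)
		return;
	mutex_lock(&module_mutex);
	if ((unsigned long)ret < *min)
		*min = (unsigned long)ret;
	if ((unsigned long)ret + size > *max)
		*max = (unsigned long)ret + size;
	mutex_unlock(&module_mutex);
}

static void *module_alloc_update_bounds_rw(unsigned long size)
{
	void *ret = module_alloc(size);

	module_update_bounds(&module_addr_min_rw, &module_addr_max_rw, ret, size);
	return ret;
}

/* … module_alloc_update_bounds_rx(): same shape with module_alloc_exec() and the _rx bounds … */
```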
51855 @@ -2516,7 +2547,7 @@ static int move_module(struct module *mo
51858 /* Do the allocs. */
51859 - ptr = module_alloc_update_bounds(mod->core_size);
51860 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
51862 * The pointer to this block is stored in the module structure
51863 * which is inside the block. Just mark it as not being a
51864 @@ -2526,23 +2557,50 @@ static int move_module(struct module *mo
51868 - memset(ptr, 0, mod->core_size);
51869 - mod->module_core = ptr;
51870 + memset(ptr, 0, mod->core_size_rw);
51871 + mod->module_core_rw = ptr;
51873 - ptr = module_alloc_update_bounds(mod->init_size);
51874 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
51876 * The pointer to this block is stored in the module structure
51877 * which is inside the block. This block doesn't need to be
51878 * scanned as it contains data and code that will be freed
51879 * after the module is initialized.
51881 - kmemleak_ignore(ptr);
51882 - if (!ptr && mod->init_size) {
51883 - module_free(mod, mod->module_core);
51884 + kmemleak_not_leak(ptr);
51885 + if (!ptr && mod->init_size_rw) {
51886 + module_free(mod, mod->module_core_rw);
51889 - memset(ptr, 0, mod->init_size);
51890 - mod->module_init = ptr;
51891 + memset(ptr, 0, mod->init_size_rw);
51892 + mod->module_init_rw = ptr;
51894 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
51895 + kmemleak_not_leak(ptr);
51897 + module_free(mod, mod->module_init_rw);
51898 + module_free(mod, mod->module_core_rw);
51902 + pax_open_kernel();
51903 + memset(ptr, 0, mod->core_size_rx);
51904 + pax_close_kernel();
51905 + mod->module_core_rx = ptr;
51907 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
51908 + kmemleak_not_leak(ptr);
51909 + if (!ptr && mod->init_size_rx) {
51910 + module_free_exec(mod, mod->module_core_rx);
51911 + module_free(mod, mod->module_init_rw);
51912 + module_free(mod, mod->module_core_rw);
51916 + pax_open_kernel();
51917 + memset(ptr, 0, mod->init_size_rx);
51918 + pax_close_kernel();
51919 + mod->module_init_rx = ptr;
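Review bot: the comment above the init allocation still says `This block doesn't need to be scanned`, which described kmemleak_ignore(); the hunk swaps that call for kmemleak_not_leak(), which only suppresses the leak report and keeps scanning the block, so the comment is now wrong, and the two new `kmemleak_not_leak(ptr);` lines for the rx blocks carry no explanation at all. Either reword it to `/* Referenced only from the module struct inside the core block; tell kmemleak it is not a leak (it is still scanned). */` or restore kmemleak_ignore() if no-scan was the intent. The failure branches for the rx allocations free the earlier mappings in the right order, which is good; the returns on those branches are on elided lines.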
51921 /* Transfer each section which specifies SHF_ALLOC */
51922 DEBUGP("final section addresses:\n");
51923 @@ -2553,16 +2611,45 @@ static int move_module(struct module *mo
51924 if (!(shdr->sh_flags & SHF_ALLOC))
51927 - if (shdr->sh_entsize & INIT_OFFSET_MASK)
51928 - dest = mod->module_init
51929 - + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
51931 - dest = mod->module_core + shdr->sh_entsize;
51932 + if (shdr->sh_entsize & INIT_OFFSET_MASK) {
51933 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
51934 + dest = mod->module_init_rw
51935 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
51937 + dest = mod->module_init_rx
51938 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
51940 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
51941 + dest = mod->module_core_rw + shdr->sh_entsize;
51943 + dest = mod->module_core_rx + shdr->sh_entsize;
51946 + if (shdr->sh_type != SHT_NOBITS) {
51948 +#ifdef CONFIG_PAX_KERNEXEC
51949 +#ifdef CONFIG_X86_64
51950 + if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
51951 + set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
51953 + if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
51954 + pax_open_kernel();
51955 + memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
51956 + pax_close_kernel();
51960 - if (shdr->sh_type != SHT_NOBITS)
51961 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
51963 /* Update sh_addr to point to copy in image. */
51964 - shdr->sh_addr = (unsigned long)dest;
51966 +#ifdef CONFIG_PAX_KERNEXEC
51967 + if (shdr->sh_flags & SHF_EXECINSTR)
51968 + shdr->sh_addr = ktva_ktla((unsigned long)dest);
51972 + shdr->sh_addr = (unsigned long)dest;
51973 DEBUGP("\t0x%lx %s\n",
51974 shdr->sh_addr, info->secstrings + shdr->sh_name);
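Review bot: inside this loop `!(shdr->sh_flags & SHF_ALLOC)` can never be true — the `continue` at the top of the body on `if (!(shdr->sh_flags & SHF_ALLOC))` has already skipped those sections — so both `dest` selectors reduce to `if (shdr->sh_flags & SHF_WRITE)`; the extra clause mirrors layout_sections() but here it is dead and obscures that. The x86_64 branch that calls set_memory_x() for sections flagged both SHF_WRITE and SHF_EXECINSTR knowingly produces a writable-and-executable mapping, which is the very thing KERNEXEC exists to prevent, so it needs a comment naming which modules require it and why, e.g. `/* W+X on purpose for sections that are both writable and executable; keep this to the modules that need it */`. The page count `(shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT` also ignores dest's offset within its first page, so a section that straddles a page boundary may have its last page missed. move_module() continues past this hunk.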
51976 @@ -2613,12 +2700,12 @@ static void flush_module_icache(const st
51977 * Do it before processing of module parameters, so the module
51978 * can provide parameter accessor functions of its own.
51980 - if (mod->module_init)
51981 - flush_icache_range((unsigned long)mod->module_init,
51982 - (unsigned long)mod->module_init
51983 - + mod->init_size);
51984 - flush_icache_range((unsigned long)mod->module_core,
51985 - (unsigned long)mod->module_core + mod->core_size);
51986 + if (mod->module_init_rx)
51987 + flush_icache_range((unsigned long)mod->module_init_rx,
51988 + (unsigned long)mod->module_init_rx
51989 + + mod->init_size_rx);
51990 + flush_icache_range((unsigned long)mod->module_core_rx,
51991 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
51995 @@ -2690,8 +2777,10 @@ static void module_deallocate(struct mod
51997 kfree(info->strmap);
51998 percpu_modfree(mod);
51999 - module_free(mod, mod->module_init);
52000 - module_free(mod, mod->module_core);
52001 + module_free_exec(mod, mod->module_init_rx);
52002 + module_free_exec(mod, mod->module_core_rx);
52003 + module_free(mod, mod->module_init_rw);
52004 + module_free(mod, mod->module_core_rw);
52007 static int post_relocation(struct module *mod, const struct load_info *info)
52008 @@ -2748,9 +2837,38 @@ static struct module *load_module(void _
52012 + /* Now copy in args */
52013 + mod->args = strndup_user(uargs, ~0UL >> 1);
52014 + if (IS_ERR(mod->args)) {
52015 + err = PTR_ERR(mod->args);
52016 + goto free_unload;
52019 /* Set up MODINFO_ATTR fields */
52020 setup_modinfo(mod, &info);
52022 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
52026 + if (strstr(mod->args, "grsec_modharden_netdev")) {
52027 + printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
52029 + goto free_modinfo;
52030 + } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
52031 + p += strlen("grsec_modharden_normal");
52032 + p2 = strstr(p, "_");
52035 + printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
52039 + goto free_modinfo;
52044 /* Fix up syms, so that st_value is a pointer to location. */
52045 err = simplify_symbols(mod, &info);
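Review bot: the netdev denial on the `printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device ...` line has no trailing `\n`, unlike every other grsec message in this patch, so the next message is glued onto it in the log; end the literal with `instead.\n"`. The `%.9s` that prints the uid in the second message depends on p2 (the `_` located by strstr()) being turned into a terminator on an elided line — if that assignment is absent, the rest of the module arguments follow the uid in the log. Both denials `goto free_modinfo` and so rely on the kfree(mod->args) placement in the -2832 hunk sitting after that label.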
52047 @@ -2766,13 +2884,6 @@ static struct module *load_module(void _
52049 flush_module_icache(mod);
52051 - /* Now copy in args */
52052 - mod->args = strndup_user(uargs, ~0UL >> 1);
52053 - if (IS_ERR(mod->args)) {
52054 - err = PTR_ERR(mod->args);
52055 - goto free_arch_cleanup;
52058 /* Mark state as coming so strong_try_module_get() ignores us. */
52059 mod->state = MODULE_STATE_COMING;
52061 @@ -2832,11 +2943,10 @@ static struct module *load_module(void _
52063 mutex_unlock(&module_mutex);
52064 synchronize_sched();
52065 - kfree(mod->args);
52066 - free_arch_cleanup:
52067 module_arch_cleanup(mod);
52070 + kfree(mod->args);
52072 module_unload_free(mod);
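Review bot: kfree(mod->args) moves from before module_arch_cleanup() to just above what the elided lines suggest is the `free_unload:` label, and that is the only correct place now that strndup_user() runs early: the IS_ERR path in the -2748 hunk jumps to free_unload with mod->args holding an ERR_PTR, and kfree() on an ERR_PTR is not safe, so the free must stay above that label. Because correctness here hinges on label order that is easy to disturb, add `/* mod->args is valid from setup_modinfo() onwards; the ERR_PTR path jumps past this */` next to the kfree, or set `mod->args = NULL;` on the error path before its goto.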
52074 @@ -2877,16 +2987,16 @@ SYSCALL_DEFINE3(init_module, void __user
52075 MODULE_STATE_COMING, mod);
52077 /* Set RO and NX regions for core */
52078 - set_section_ro_nx(mod->module_core,
52079 - mod->core_text_size,
52080 - mod->core_ro_size,
52082 + set_section_ro_nx(mod->module_core_rx,
52083 + mod->core_size_rx,
52084 + mod->core_size_rx,
52085 + mod->core_size_rx);
52087 /* Set RO and NX regions for init */
52088 - set_section_ro_nx(mod->module_init,
52089 - mod->init_text_size,
52090 - mod->init_ro_size,
52092 + set_section_ro_nx(mod->module_init_rx,
52093 + mod->init_size_rx,
52094 + mod->init_size_rx,
52095 + mod->init_size_rx);
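Review bot: `set_section_ro_nx(mod->module_core_rx, mod->core_size_rx, mod->core_size_rx, mod->core_size_rx)` passes the same size as text, ro and total, so the whole RX mapping becomes read-only and the NX range [ro, total) is empty — nothing in the RX mapping is marked NX, and the RW mapping (module_core_rw) is never passed to set_section_ro_nx() at all; the init call in the same hunk has the same shape. Whether module data is non-executable therefore rests entirely on module_alloc() returning NX pages, which this hunk cannot show. A comment such as `/* RX mapping: entirely RO+X. The RW mapping relies on module_alloc() returning NX memory. */` here, with a matching one in unset_section_ro_nx() (-1612 hunk), would make that invariant explicit and checkable.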
52098 /* Start the module */
52099 @@ -2931,11 +3041,13 @@ SYSCALL_DEFINE3(init_module, void __user
52100 mod->symtab = mod->core_symtab;
52101 mod->strtab = mod->core_strtab;
52103 - unset_section_ro_nx(mod, mod->module_init);
52104 - module_free(mod, mod->module_init);
52105 - mod->module_init = NULL;
52106 - mod->init_size = 0;
52107 - mod->init_text_size = 0;
52108 + unset_section_ro_nx(mod, mod->module_init_rx);
52109 + module_free(mod, mod->module_init_rw);
52110 + module_free_exec(mod, mod->module_init_rx);
52111 + mod->module_init_rw = NULL;
52112 + mod->module_init_rx = NULL;
52113 + mod->init_size_rw = 0;
52114 + mod->init_size_rx = 0;
52115 mutex_unlock(&module_mutex);
52118 @@ -2966,10 +3078,16 @@ static const char *get_ksymbol(struct mo
52119 unsigned long nextval;
52121 /* At worse, next value is at end of module */
52122 - if (within_module_init(addr, mod))
52123 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
52124 + if (within_module_init_rx(addr, mod))
52125 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
52126 + else if (within_module_init_rw(addr, mod))
52127 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
52128 + else if (within_module_core_rx(addr, mod))
52129 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
52130 + else if (within_module_core_rw(addr, mod))
52131 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
52133 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
52136 /* Scan for closest preceeding symbol, and next symbol. (ELF
52137 starts real symbols at 1). */
52138 @@ -3215,7 +3333,7 @@ static int m_show(struct seq_file *m, vo
52141 seq_printf(m, "%s %u",
52142 - mod->name, mod->init_size + mod->core_size);
52143 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
52144 print_unload_info(m, mod);
52146 /* Informative for users. */
52147 @@ -3224,7 +3342,7 @@ static int m_show(struct seq_file *m, vo
52148 mod->state == MODULE_STATE_COMING ? "Loading":
52150 /* Used by oprofile and other similar tools. */
52151 - seq_printf(m, " 0x%p", mod->module_core);
52152 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
52156 @@ -3260,7 +3378,17 @@ static const struct file_operations proc
52158 static int __init proc_modules_init(void)
52160 +#ifndef CONFIG_GRKERNSEC_HIDESYM
52161 +#ifdef CONFIG_GRKERNSEC_PROC_USER
52162 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
52163 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52164 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
52166 proc_create("modules", 0, NULL, &proc_modules_operations);
52169 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
52173 module_init(proc_modules_init);
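Review bot: The four proc_create("modules", …) calls in proc_modules_init differ only in the mode argument, and ioresources_init in kernel/resource.c repeats the same ifdef ladder for two more entries, so the access policy has to be read out of nested preprocessor branches at each site. Resolving the mode once (a constructed name such as `GR_PROC_MODE`, set to `S_IRUSR`, `S_IRUSR | S_IRGRP` or `0` by a single ifdef chain) and then calling `proc_create("modules", GR_PROC_MODE, NULL, &proc_modules_operations);` once would make the policy easier to audit and keeps both files in step. The `#else`/`#endif` lines of the ladder are not shown in this rendering, so the exact branch structure is inferred from the visible conditions.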
52174 @@ -3319,12 +3447,12 @@ struct module *__module_address(unsigned
52176 struct module *mod;
52178 - if (addr < module_addr_min || addr > module_addr_max)
52179 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
52180 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
52183 list_for_each_entry_rcu(mod, &modules, list)
52184 - if (within_module_core(addr, mod)
52185 - || within_module_init(addr, mod))
52186 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
52190 @@ -3358,11 +3486,20 @@ bool is_module_text_address(unsigned lon
52192 struct module *__module_text_address(unsigned long addr)
52194 - struct module *mod = __module_address(addr);
52195 + struct module *mod;
52197 +#ifdef CONFIG_X86_32
52198 + addr = ktla_ktva(addr);
52201 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
52204 + mod = __module_address(addr);
52207 /* Make sure it's within the text section. */
52208 - if (!within(addr, mod->module_init, mod->init_text_size)
52209 - && !within(addr, mod->module_core, mod->core_text_size))
52210 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
52214 diff -urNp linux-2.6.38.4/kernel/mutex.c linux-2.6.38.4/kernel/mutex.c
52215 --- linux-2.6.38.4/kernel/mutex.c 2011-03-14 21:20:32.000000000 -0400
52216 +++ linux-2.6.38.4/kernel/mutex.c 2011-04-17 16:24:38.000000000 -0400
52217 @@ -160,7 +160,7 @@ __mutex_lock_common(struct mutex *lock,
52221 - struct thread_info *owner;
52222 + struct task_struct *owner;
52225 * If we own the BKL, then don't spin. The owner of
52226 @@ -205,7 +205,7 @@ __mutex_lock_common(struct mutex *lock,
52227 spin_lock_mutex(&lock->wait_lock, flags);
52229 debug_mutex_lock_common(lock, &waiter);
52230 - debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
52231 + debug_mutex_add_waiter(lock, &waiter, task);
52233 /* add waiting tasks to the end of the waitqueue (FIFO): */
52234 list_add_tail(&waiter.list, &lock->wait_list);
52235 @@ -234,8 +234,7 @@ __mutex_lock_common(struct mutex *lock,
52236 * TASK_UNINTERRUPTIBLE case.)
52238 if (unlikely(signal_pending_state(state, task))) {
52239 - mutex_remove_waiter(lock, &waiter,
52240 - task_thread_info(task));
52241 + mutex_remove_waiter(lock, &waiter, task);
52242 mutex_release(&lock->dep_map, 1, ip);
52243 spin_unlock_mutex(&lock->wait_lock, flags);
52245 @@ -256,7 +255,7 @@ __mutex_lock_common(struct mutex *lock,
52247 lock_acquired(&lock->dep_map, ip);
52248 /* got the lock - rejoice! */
52249 - mutex_remove_waiter(lock, &waiter, current_thread_info());
52250 + mutex_remove_waiter(lock, &waiter, current);
52251 mutex_set_owner(lock);
52253 /* set it to 0 if there are no waiters left: */
52254 diff -urNp linux-2.6.38.4/kernel/mutex-debug.c linux-2.6.38.4/kernel/mutex-debug.c
52255 --- linux-2.6.38.4/kernel/mutex-debug.c 2011-03-14 21:20:32.000000000 -0400
52256 +++ linux-2.6.38.4/kernel/mutex-debug.c 2011-04-17 16:23:07.000000000 -0400
52257 @@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mute
52260 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
52261 - struct thread_info *ti)
52262 + struct task_struct *task)
52264 SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
52266 /* Mark the current thread as blocked on the lock: */
52267 - ti->task->blocked_on = waiter;
52268 + task->blocked_on = waiter;
52271 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
52272 - struct thread_info *ti)
52273 + struct task_struct *task)
52275 DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
52276 - DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
52277 - DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
52278 - ti->task->blocked_on = NULL;
52279 + DEBUG_LOCKS_WARN_ON(waiter->task != task);
52280 + DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter->task);
52281 + task->blocked_on = NULL;
52283 list_del_init(&waiter->list);
52284 waiter->task = NULL;
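Review bot: The rewritten assertion `DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter->task);` in mutex_remove_waiter compares a `struct mutex_waiter *` with a `struct task_struct *`, which is a distinct-pointer-type comparison and no longer checks what the removed line did, namely that the task is blocked on this waiter. debug_mutex_add_waiter a few lines above stores `waiter` itself into `task->blocked_on`, so the check should read `DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);`. The rest of the thread_info-to-task_struct conversion in this hunk is consistent with the kernel/mutex.c and kernel/mutex-debug.h hunks.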
52285 @@ -75,7 +75,7 @@ void debug_mutex_unlock(struct mutex *lo
52288 DEBUG_LOCKS_WARN_ON(lock->magic != lock);
52289 - DEBUG_LOCKS_WARN_ON(lock->owner != current_thread_info());
52290 + DEBUG_LOCKS_WARN_ON(lock->owner != current);
52291 DEBUG_LOCKS_WARN_ON(!lock->wait_list.prev && !lock->wait_list.next);
52292 mutex_clear_owner(lock);
52294 diff -urNp linux-2.6.38.4/kernel/mutex-debug.h linux-2.6.38.4/kernel/mutex-debug.h
52295 --- linux-2.6.38.4/kernel/mutex-debug.h 2011-03-14 21:20:32.000000000 -0400
52296 +++ linux-2.6.38.4/kernel/mutex-debug.h 2011-04-17 16:26:49.000000000 -0400
52297 @@ -20,16 +20,16 @@ extern void debug_mutex_wake_waiter(stru
52298 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
52299 extern void debug_mutex_add_waiter(struct mutex *lock,
52300 struct mutex_waiter *waiter,
52301 - struct thread_info *ti);
52302 + struct task_struct *task);
52303 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
52304 - struct thread_info *ti);
52305 + struct task_struct *task);
52306 extern void debug_mutex_unlock(struct mutex *lock);
52307 extern void debug_mutex_init(struct mutex *lock, const char *name,
52308 struct lock_class_key *key);
52310 static inline void mutex_set_owner(struct mutex *lock)
52312 - lock->owner = current_thread_info();
52313 + lock->owner = current;
52316 static inline void mutex_clear_owner(struct mutex *lock)
52317 diff -urNp linux-2.6.38.4/kernel/mutex.h linux-2.6.38.4/kernel/mutex.h
52318 --- linux-2.6.38.4/kernel/mutex.h 2011-03-14 21:20:32.000000000 -0400
52319 +++ linux-2.6.38.4/kernel/mutex.h 2011-04-17 16:24:51.000000000 -0400
52322 static inline void mutex_set_owner(struct mutex *lock)
52324 - lock->owner = current_thread_info();
52325 + lock->owner = current;
52328 static inline void mutex_clear_owner(struct mutex *lock)
52329 diff -urNp linux-2.6.38.4/kernel/panic.c linux-2.6.38.4/kernel/panic.c
52330 --- linux-2.6.38.4/kernel/panic.c 2011-03-14 21:20:32.000000000 -0400
52331 +++ linux-2.6.38.4/kernel/panic.c 2011-04-17 15:57:32.000000000 -0400
52332 @@ -369,7 +369,7 @@ static void warn_slowpath_common(const c
52335 printk(KERN_WARNING "------------[ cut here ]------------\n");
52336 - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
52337 + printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
52338 board = dmi_get_system_info(DMI_PRODUCT_NAME);
52340 printk(KERN_WARNING "Hardware name: %s\n", board);
52341 @@ -424,7 +424,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
52343 void __stack_chk_fail(void)
52345 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
52347 + panic("stack-protector: Kernel stack is corrupted in: %pA\n",
52348 __builtin_return_address(0));
52350 EXPORT_SYMBOL(__stack_chk_fail);
52351 diff -urNp linux-2.6.38.4/kernel/pid.c linux-2.6.38.4/kernel/pid.c
52352 --- linux-2.6.38.4/kernel/pid.c 2011-04-22 19:20:59.000000000 -0400
52353 +++ linux-2.6.38.4/kernel/pid.c 2011-04-18 19:22:06.000000000 -0400
52355 #include <linux/rculist.h>
52356 #include <linux/bootmem.h>
52357 #include <linux/hash.h>
52358 +#include <linux/security.h>
52359 #include <linux/pid_namespace.h>
52360 #include <linux/init_task.h>
52361 #include <linux/syscalls.h>
52362 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
52364 int pid_max = PID_MAX_DEFAULT;
52366 -#define RESERVED_PIDS 300
52367 +#define RESERVED_PIDS 500
52369 int pid_max_min = RESERVED_PIDS + 1;
52370 int pid_max_max = PID_MAX_LIMIT;
52371 @@ -419,8 +420,15 @@ EXPORT_SYMBOL(pid_task);
52373 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
52375 + struct task_struct *task;
52377 rcu_lockdep_assert(rcu_read_lock_held());
52378 - return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
52379 + task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
52381 + if (gr_pid_is_chrooted(task))
52387 struct task_struct *find_task_by_vpid(pid_t vnr)
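Review bot: `task = pid_task(...)` can yield NULL when no task is attached to the pid, and the new `if (gr_pid_is_chrooted(task))` test is reached with that value; unless gr_pid_is_chrooted() is documented to accept NULL (its definition is not part of this diff), the guard should be `if (task && gr_pid_is_chrooted(task))`. The branch body and the function's return statements are not visible in this hunk, so the fallthrough behaviour for the NULL case is inferred.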
52388 diff -urNp linux-2.6.38.4/kernel/posix-cpu-timers.c linux-2.6.38.4/kernel/posix-cpu-timers.c
52389 --- linux-2.6.38.4/kernel/posix-cpu-timers.c 2011-03-14 21:20:32.000000000 -0400
52390 +++ linux-2.6.38.4/kernel/posix-cpu-timers.c 2011-04-17 15:57:32.000000000 -0400
52392 #include <linux/posix-timers.h>
52393 #include <linux/errno.h>
52394 #include <linux/math64.h>
52395 +#include <linux/security.h>
52396 #include <asm/uaccess.h>
52397 #include <linux/kernel_stat.h>
52398 #include <trace/events/timer.h>
52399 diff -urNp linux-2.6.38.4/kernel/posix-timers.c linux-2.6.38.4/kernel/posix-timers.c
52400 --- linux-2.6.38.4/kernel/posix-timers.c 2011-03-14 21:20:32.000000000 -0400
52401 +++ linux-2.6.38.4/kernel/posix-timers.c 2011-04-17 15:57:33.000000000 -0400
52403 #include <linux/compiler.h>
52404 #include <linux/idr.h>
52405 #include <linux/posix-timers.h>
52406 +#include <linux/grsecurity.h>
52407 #include <linux/syscalls.h>
52408 #include <linux/wait.h>
52409 #include <linux/workqueue.h>
52410 @@ -955,6 +956,13 @@ SYSCALL_DEFINE2(clock_settime, const clo
52411 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
52414 + /* only the CLOCK_REALTIME clock can be set, all other clocks
52415 + have their clock_set fptr set to a nosettime dummy function
52416 + CLOCK_REALTIME has a NULL clock_set fptr which causes it to
52417 + call common_clock_set, which calls do_sys_settimeofday, which
52421 return CLOCK_DISPATCH(which_clock, clock_set, (which_clock, &new_tp));
52424 diff -urNp linux-2.6.38.4/kernel/power/poweroff.c linux-2.6.38.4/kernel/power/poweroff.c
52425 --- linux-2.6.38.4/kernel/power/poweroff.c 2011-03-14 21:20:32.000000000 -0400
52426 +++ linux-2.6.38.4/kernel/power/poweroff.c 2011-04-17 15:57:33.000000000 -0400
52427 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
52428 .enable_mask = SYSRQ_ENABLE_BOOT,
52431 -static int pm_sysrq_init(void)
52432 +static int __init pm_sysrq_init(void)
52434 register_sysrq_key('o', &sysrq_poweroff_op);
52436 diff -urNp linux-2.6.38.4/kernel/power/process.c linux-2.6.38.4/kernel/power/process.c
52437 --- linux-2.6.38.4/kernel/power/process.c 2011-03-14 21:20:32.000000000 -0400
52438 +++ linux-2.6.38.4/kernel/power/process.c 2011-04-17 15:57:33.000000000 -0400
52439 @@ -41,6 +41,7 @@ static int try_to_freeze_tasks(bool sig_
52440 u64 elapsed_csecs64;
52441 unsigned int elapsed_csecs;
52442 bool wakeup = false;
52443 + bool timedout = false;
52445 do_gettimeofday(&start);
52447 @@ -51,6 +52,8 @@ static int try_to_freeze_tasks(bool sig_
52451 + if (time_after(jiffies, end_time))
52453 read_lock(&tasklist_lock);
52454 do_each_thread(g, p) {
52455 if (frozen(p) || !freezable(p))
52456 @@ -71,9 +74,13 @@ static int try_to_freeze_tasks(bool sig_
52457 * try_to_stop() after schedule() in ptrace/signal
52458 * stop sees TIF_FREEZE.
52460 - if (!task_is_stopped_or_traced(p) &&
52461 - !freezer_should_skip(p))
52462 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
52465 + printk(KERN_ERR "Task refusing to freeze:\n");
52466 + sched_show_task(p);
52469 } while_each_thread(g, p);
52470 read_unlock(&tasklist_lock);
52472 @@ -82,7 +89,7 @@ static int try_to_freeze_tasks(bool sig_
52476 - if (!todo || time_after(jiffies, end_time))
52477 + if (!todo || timedout)
52480 if (pm_wakeup_pending()) {
52481 diff -urNp linux-2.6.38.4/kernel/printk.c linux-2.6.38.4/kernel/printk.c
52482 --- linux-2.6.38.4/kernel/printk.c 2011-03-14 21:20:32.000000000 -0400
52483 +++ linux-2.6.38.4/kernel/printk.c 2011-04-17 15:57:33.000000000 -0400
52484 @@ -279,12 +279,17 @@ static int check_syslog_permissions(int
52485 if (from_file && type != SYSLOG_ACTION_OPEN)
52488 +#ifdef CONFIG_GRKERNSEC_DMESG
52489 + if (grsec_enable_dmesg && !capable(CAP_SYSLOG) && !capable_nolog(CAP_SYS_ADMIN))
52493 if (syslog_action_restricted(type)) {
52494 if (vx_capable(CAP_SYSLOG, VXC_SYSLOG))
52496 /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
52497 if (capable(CAP_SYS_ADMIN)) {
52498 - WARN_ONCE(1, "Attempt to access syslog with CAP_SYS_ADMIN "
52499 + printk_once(KERN_WARNING "Attempt to access syslog with CAP_SYS_ADMIN "
52500 "but no CAP_SYSLOG (deprecated).\n");
52503 diff -urNp linux-2.6.38.4/kernel/ptrace.c linux-2.6.38.4/kernel/ptrace.c
52504 --- linux-2.6.38.4/kernel/ptrace.c 2011-03-14 21:20:32.000000000 -0400
52505 +++ linux-2.6.38.4/kernel/ptrace.c 2011-04-17 15:57:33.000000000 -0400
52506 @@ -116,7 +116,8 @@ int ptrace_check_attach(struct task_stru
52510 -int __ptrace_may_access(struct task_struct *task, unsigned int mode)
52511 +static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
52512 + unsigned int log)
52514 const struct cred *cred = current_cred(), *tcred;
52516 @@ -140,7 +141,9 @@ int __ptrace_may_access(struct task_stru
52517 cred->gid != tcred->egid ||
52518 cred->gid != tcred->sgid ||
52519 cred->gid != tcred->gid) &&
52520 - !capable(CAP_SYS_PTRACE)) {
52521 + ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
52522 + (log && !capable(CAP_SYS_PTRACE)))
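Review bot: The condition `((!log && !capable_nolog(CAP_SYS_PTRACE)) || (log && !capable(CAP_SYS_PTRACE)))` tests `log` twice and is repeated verbatim in the next hunk (the dumpable check), which makes the two sites easy to let drift apart; the same condition reads more directly as `!(log ? capable(CAP_SYS_PTRACE) : capable_nolog(CAP_SYS_PTRACE))`, or as one small static helper used at both sites. Since `log` is only ever tested for zero/non-zero, declaring the new parameter `bool` (the file already uses bool for ptrace_may_access_log's return type) would state the intent better than `unsigned int`. __ptrace_may_access's body extends beyond both hunks.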
52527 @@ -148,7 +151,9 @@ int __ptrace_may_access(struct task_stru
52530 dumpable = get_dumpable(task->mm);
52531 - if (!dumpable && !capable(CAP_SYS_PTRACE))
52533 + ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
52534 + (log && !capable(CAP_SYS_PTRACE))))
52537 return security_ptrace_access_check(task, mode);
52538 @@ -158,7 +163,16 @@ bool ptrace_may_access(struct task_struc
52542 - err = __ptrace_may_access(task, mode);
52543 + err = __ptrace_may_access(task, mode, 0);
52544 + task_unlock(task);
52548 +bool ptrace_may_access_log(struct task_struct *task, unsigned int mode)
52552 + err = __ptrace_may_access(task, mode, 1);
52556 @@ -185,7 +199,7 @@ static int ptrace_attach(struct task_str
52560 - retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
52561 + retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH, 1);
52565 @@ -198,7 +212,7 @@ static int ptrace_attach(struct task_str
52566 goto unlock_tasklist;
52568 task->ptrace = PT_PTRACED;
52569 - if (capable(CAP_SYS_PTRACE))
52570 + if (capable_nolog(CAP_SYS_PTRACE))
52571 task->ptrace |= PT_PTRACE_CAP;
52573 __ptrace_link(task, current);
52574 @@ -369,7 +383,7 @@ int ptrace_readdata(struct task_struct *
52578 - if (copy_to_user(dst, buf, retval))
52579 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
52583 @@ -565,7 +579,7 @@ int ptrace_request(struct task_struct *c
52587 - void __user *datavp = (void __user *) data;
52588 + void __user *datavp = (__force void __user *) data;
52589 unsigned long __user *datalp = datavp;
52592 @@ -713,14 +727,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
52593 if (!vx_check(vx_task_xid(child), VS_WATCH_P | VS_IDENT))
52594 goto out_put_task_struct;
52596 + if (gr_handle_ptrace(child, request)) {
52598 + goto out_put_task_struct;
52601 if (request == PTRACE_ATTACH) {
52602 ret = ptrace_attach(child);
52604 * Some architectures need to do book-keeping after
52609 arch_ptrace_attach(child);
52610 + gr_audit_ptrace(child);
52612 goto out_put_task_struct;
52615 @@ -855,14 +876,21 @@ asmlinkage long compat_sys_ptrace(compat
52619 + if (gr_handle_ptrace(child, request)) {
52621 + goto out_put_task_struct;
52624 if (request == PTRACE_ATTACH) {
52625 ret = ptrace_attach(child);
52627 * Some architectures need to do book-keeping after
52632 arch_ptrace_attach(child);
52633 + gr_audit_ptrace(child);
52635 goto out_put_task_struct;
52638 diff -urNp linux-2.6.38.4/kernel/rcutree.c linux-2.6.38.4/kernel/rcutree.c
52639 --- linux-2.6.38.4/kernel/rcutree.c 2011-03-14 21:20:32.000000000 -0400
52640 +++ linux-2.6.38.4/kernel/rcutree.c 2011-04-17 15:57:33.000000000 -0400
52641 @@ -1389,7 +1389,7 @@ __rcu_process_callbacks(struct rcu_state
52643 * Do softirq processing for the current CPU.
52645 -static void rcu_process_callbacks(struct softirq_action *unused)
52646 +static void rcu_process_callbacks(void)
52649 * Memory references from any prior RCU read-side critical sections
52650 diff -urNp linux-2.6.38.4/kernel/rcutree_plugin.h linux-2.6.38.4/kernel/rcutree_plugin.h
52651 --- linux-2.6.38.4/kernel/rcutree_plugin.h 2011-03-14 21:20:32.000000000 -0400
52652 +++ linux-2.6.38.4/kernel/rcutree_plugin.h 2011-04-17 15:57:33.000000000 -0400
52653 @@ -730,7 +730,7 @@ void synchronize_rcu_expedited(void)
52655 /* Clean up and exit. */
52656 smp_mb(); /* ensure expedited GP seen before counter increment. */
52657 - ACCESS_ONCE(sync_rcu_preempt_exp_count)++;
52658 + ACCESS_ONCE_RW(sync_rcu_preempt_exp_count)++;
52660 mutex_unlock(&sync_rcu_preempt_exp_mutex);
52662 diff -urNp linux-2.6.38.4/kernel/resource.c linux-2.6.38.4/kernel/resource.c
52663 --- linux-2.6.38.4/kernel/resource.c 2011-03-14 21:20:32.000000000 -0400
52664 +++ linux-2.6.38.4/kernel/resource.c 2011-04-17 15:57:33.000000000 -0400
52665 @@ -133,8 +133,18 @@ static const struct file_operations proc
52667 static int __init ioresources_init(void)
52669 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
52670 +#ifdef CONFIG_GRKERNSEC_PROC_USER
52671 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
52672 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
52673 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52674 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
52675 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
52678 proc_create("ioports", 0, NULL, &proc_ioports_operations);
52679 proc_create("iomem", 0, NULL, &proc_iomem_operations);
52683 __initcall(ioresources_init);
52684 diff -urNp linux-2.6.38.4/kernel/rtmutex.c linux-2.6.38.4/kernel/rtmutex.c
52685 --- linux-2.6.38.4/kernel/rtmutex.c 2011-03-14 21:20:32.000000000 -0400
52686 +++ linux-2.6.38.4/kernel/rtmutex.c 2011-04-17 15:57:33.000000000 -0400
52687 @@ -511,7 +511,7 @@ static void wakeup_next_waiter(struct rt
52689 raw_spin_lock_irqsave(&pendowner->pi_lock, flags);
52691 - WARN_ON(!pendowner->pi_blocked_on);
52692 + BUG_ON(!pendowner->pi_blocked_on);
52693 WARN_ON(pendowner->pi_blocked_on != waiter);
52694 WARN_ON(pendowner->pi_blocked_on->lock != lock);
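Review bot: Escalating `WARN_ON(!pendowner->pi_blocked_on)` to `BUG_ON` in wakeup_next_waiter turns a recoverable diagnostic into a panic without saying why; the justification is visible two lines down, where `pendowner->pi_blocked_on->lock` is dereferenced unconditionally, so a NULL would oops there anyway and the BUG_ON only makes the failure explicit. A one-line comment, `/* pi_blocked_on is dereferenced just below; NULL here is a fatal invariant violation, not a warning */`, would record that for the next reader. The matching WARN_ON-to-BUG_ON change in init_sched_groups_power in kernel/sched.c has the same justification (`sd->groups` is dereferenced on the following line) and would benefit from the same comment.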
52696 diff -urNp linux-2.6.38.4/kernel/sched.c linux-2.6.38.4/kernel/sched.c
52697 --- linux-2.6.38.4/kernel/sched.c 2011-04-18 17:27:14.000000000 -0400
52698 +++ linux-2.6.38.4/kernel/sched.c 2011-04-17 16:29:21.000000000 -0400
52699 @@ -4024,7 +4024,7 @@ EXPORT_SYMBOL(schedule);
52700 * Look out! "owner" is an entirely speculative pointer
52701 * access and not reliable.
52703 -int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner)
52704 +int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner)
52708 @@ -4038,10 +4038,10 @@ int mutex_spin_on_owner(struct mutex *lo
52709 * DEBUG_PAGEALLOC could have unmapped it if
52710 * the mutex owner just released it and exited.
52712 - if (probe_kernel_address(&owner->cpu, cpu))
52713 + if (probe_kernel_address(&task_thread_info(owner)->cpu, cpu))
52716 - cpu = owner->cpu;
52717 + cpu = task_thread_info(owner)->cpu;
52721 @@ -4078,7 +4078,7 @@ int mutex_spin_on_owner(struct mutex *lo
52723 * Is that owner really running on that cpu?
52725 - if (task_thread_info(rq->curr) != owner || need_resched())
52726 + if (rq->curr != owner || need_resched())
52729 arch_mutex_cpu_relax();
52730 @@ -4638,6 +4638,8 @@ int can_nice(const struct task_struct *p
52731 /* convert nice value [19,-20] to rlimit style value [1,40] */
52732 int nice_rlim = 20 - nice;
52734 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
52736 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
52737 capable(CAP_SYS_NICE));
52739 @@ -4671,7 +4673,8 @@ SYSCALL_DEFINE1(nice, int, increment)
52743 - if (increment < 0 && !can_nice(current, nice))
52744 + if (increment < 0 && (!can_nice(current, nice) ||
52745 + gr_handle_chroot_nice()))
52746 return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
52748 retval = security_task_setnice(current, nice);
52749 @@ -4814,6 +4817,7 @@ recheck:
52750 unsigned long rlim_rtprio =
52751 task_rlimit(p, RLIMIT_RTPRIO);
52753 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
52754 /* can't set/change the rt policy */
52755 if (policy != p->policy && !rlim_rtprio)
52757 @@ -6942,7 +6946,7 @@ static void init_sched_groups_power(int
52761 - WARN_ON(!sd || !sd->groups);
52762 + BUG_ON(!sd || !sd->groups);
52764 if (cpu != group_first_cpu(sd->groups))
52766 diff -urNp linux-2.6.38.4/kernel/sched_fair.c linux-2.6.38.4/kernel/sched_fair.c
52767 --- linux-2.6.38.4/kernel/sched_fair.c 2011-04-22 19:20:59.000000000 -0400
52768 +++ linux-2.6.38.4/kernel/sched_fair.c 2011-04-22 19:21:39.000000000 -0400
52769 @@ -3957,7 +3957,7 @@ static void nohz_idle_balance(int this_c
52770 * run_rebalance_domains is triggered when needed from the scheduler tick.
52771 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
52773 -static void run_rebalance_domains(struct softirq_action *h)
52774 +static void run_rebalance_domains(void)
52776 int this_cpu = smp_processor_id();
52777 struct rq *this_rq = cpu_rq(this_cpu);
52778 diff -urNp linux-2.6.38.4/kernel/signal.c linux-2.6.38.4/kernel/signal.c
52779 --- linux-2.6.38.4/kernel/signal.c 2011-04-18 17:27:18.000000000 -0400
52780 +++ linux-2.6.38.4/kernel/signal.c 2011-04-17 16:53:48.000000000 -0400
52781 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
52783 int print_fatal_signals __read_mostly;
52785 -static void __user *sig_handler(struct task_struct *t, int sig)
52786 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
52788 return t->sighand->action[sig - 1].sa.sa_handler;
52791 -static int sig_handler_ignored(void __user *handler, int sig)
52792 +static int sig_handler_ignored(__sighandler_t handler, int sig)
52794 /* Is it explicitly or implicitly ignored? */
52795 return handler == SIG_IGN ||
52796 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
52797 static int sig_task_ignored(struct task_struct *t, int sig,
52798 int from_ancestor_ns)
52800 - void __user *handler;
52801 + __sighandler_t handler;
52803 handler = sig_handler(t, sig);
52805 @@ -243,6 +243,9 @@ __sigqueue_alloc(int sig, struct task_st
52806 atomic_inc(&user->sigpending);
52809 + if (!override_rlimit)
52810 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
52812 if (override_rlimit ||
52813 atomic_read(&user->sigpending) <=
52814 task_rlimit(t, RLIMIT_SIGPENDING)) {
52815 @@ -367,7 +370,7 @@ flush_signal_handlers(struct task_struct
52817 int unhandled_signal(struct task_struct *tsk, int sig)
52819 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
52820 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
52821 if (is_global_init(tsk))
52823 if (handler != SIG_IGN && handler != SIG_DFL)
52824 @@ -705,6 +708,10 @@ static int check_kill_permission(int sig
52825 sig, info, t, vx_task_xid(t), t->pid, current->xid);
52829 + if (gr_handle_signal(t, sig))
52833 return security_task_kill(t, info, sig, 0);
52835 @@ -1025,7 +1032,7 @@ __group_send_sig_info(int sig, struct si
52836 return send_signal(sig, info, p, 1);
52841 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
52843 return send_signal(sig, info, t, 0);
52844 @@ -1062,6 +1068,7 @@ force_sig_info(int sig, struct siginfo *
52845 unsigned long int flags;
52846 int ret, blocked, ignored;
52847 struct k_sigaction *action;
52848 + int is_unhandled = 0;
52850 spin_lock_irqsave(&t->sighand->siglock, flags);
52851 action = &t->sighand->action[sig-1];
52852 @@ -1076,9 +1083,18 @@ force_sig_info(int sig, struct siginfo *
52854 if (action->sa.sa_handler == SIG_DFL)
52855 t->signal->flags &= ~SIGNAL_UNKILLABLE;
52856 + if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
52857 + is_unhandled = 1;
52858 ret = specific_send_sig_info(sig, info, t);
52859 spin_unlock_irqrestore(&t->sighand->siglock, flags);
52861 + /* only deal with unhandled signals, java etc trigger SIGSEGV during
52862 + normal operation */
52863 + if (is_unhandled) {
52864 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
52865 + gr_handle_crash(t, sig);
52871 @@ -1137,8 +1153,11 @@ int group_send_sig_info(int sig, struct
52872 ret = check_kill_permission(sig, info, p);
52876 + if (!ret && sig) {
52877 ret = do_send_sig_info(sig, info, p, true);
52879 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
52884 diff -urNp linux-2.6.38.4/kernel/smp.c linux-2.6.38.4/kernel/smp.c
52885 --- linux-2.6.38.4/kernel/smp.c 2011-04-18 17:27:14.000000000 -0400
52886 +++ linux-2.6.38.4/kernel/smp.c 2011-04-17 15:57:33.000000000 -0400
52887 @@ -583,22 +583,22 @@ int smp_call_function(smp_call_func_t fu
52889 EXPORT_SYMBOL(smp_call_function);
52891 -void ipi_call_lock(void)
52892 +void ipi_call_lock(void) __acquires(call_function.lock)
52894 raw_spin_lock(&call_function.lock);
52897 -void ipi_call_unlock(void)
52898 +void ipi_call_unlock(void) __releases(call_function.lock)
52900 raw_spin_unlock(&call_function.lock);
52903 -void ipi_call_lock_irq(void)
52904 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
52906 raw_spin_lock_irq(&call_function.lock);
52909 -void ipi_call_unlock_irq(void)
52910 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
52912 raw_spin_unlock_irq(&call_function.lock);
52914 diff -urNp linux-2.6.38.4/kernel/softirq.c linux-2.6.38.4/kernel/softirq.c
52915 --- linux-2.6.38.4/kernel/softirq.c 2011-03-14 21:20:32.000000000 -0400
52916 +++ linux-2.6.38.4/kernel/softirq.c 2011-04-17 15:57:33.000000000 -0400
52917 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
52919 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
52921 -char *softirq_to_name[NR_SOFTIRQS] = {
52922 +const char * const softirq_to_name[NR_SOFTIRQS] = {
52923 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
52924 "TASKLET", "SCHED", "HRTIMER", "RCU"
52926 @@ -206,7 +206,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
52928 asmlinkage void __do_softirq(void)
52930 - struct softirq_action *h;
52931 + const struct softirq_action *h;
52933 int max_restart = MAX_SOFTIRQ_RESTART;
52935 @@ -235,7 +235,7 @@ restart:
52936 kstat_incr_softirqs_this_cpu(vec_nr);
52938 trace_softirq_entry(vec_nr);
52941 trace_softirq_exit(vec_nr);
52942 if (unlikely(prev_count != preempt_count())) {
52943 printk(KERN_ERR "huh, entered softirq %u %s %p"
52944 @@ -365,7 +365,7 @@ void raise_softirq(unsigned int nr)
52945 local_irq_restore(flags);
52948 -void open_softirq(int nr, void (*action)(struct softirq_action *))
52949 +void open_softirq(int nr, void (*action)(void))
52951 softirq_vec[nr].action = action;
52953 @@ -421,7 +421,7 @@ void __tasklet_hi_schedule_first(struct
52955 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
52957 -static void tasklet_action(struct softirq_action *a)
52958 +static void tasklet_action(void)
52960 struct tasklet_struct *list;
52962 @@ -456,7 +456,7 @@ static void tasklet_action(struct softir
52966 -static void tasklet_hi_action(struct softirq_action *a)
52967 +static void tasklet_hi_action(void)
52969 struct tasklet_struct *list;
52971 diff -urNp linux-2.6.38.4/kernel/sys.c linux-2.6.38.4/kernel/sys.c
52972 --- linux-2.6.38.4/kernel/sys.c 2011-03-14 21:20:32.000000000 -0400
52973 +++ linux-2.6.38.4/kernel/sys.c 2011-04-17 15:57:33.000000000 -0400
52974 @@ -136,6 +136,12 @@ static int set_one_prio(struct task_stru
52979 + if (gr_handle_chroot_setpriority(p, niceval)) {
52984 no_nice = security_task_setnice(p, niceval);
52987 @@ -517,6 +523,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
52991 + if (gr_check_group_change(new->gid, new->egid, -1))
52994 if (rgid != (gid_t) -1 ||
52995 (egid != (gid_t) -1 && egid != old->gid))
52996 new->sgid = new->egid;
52997 @@ -546,6 +555,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
52998 old = current_cred();
53002 + if (gr_check_group_change(gid, gid, gid))
53005 if (capable(CAP_SETGID))
53006 new->gid = new->egid = new->sgid = new->fsgid = gid;
53007 else if (gid == old->gid || gid == old->sgid)
53008 @@ -626,6 +639,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
53012 + if (gr_check_user_change(new->uid, new->euid, -1))
53015 if (new->uid != old->uid) {
53016 retval = set_user(new);
53018 @@ -670,6 +686,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
53019 old = current_cred();
53023 + if (gr_check_crash_uid(uid))
53025 + if (gr_check_user_change(uid, uid, uid))
53028 if (capable(CAP_SETUID)) {
53029 new->suid = new->uid = uid;
53030 if (uid != old->uid) {
53031 @@ -724,6 +746,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
53035 + if (gr_check_user_change(ruid, euid, -1))
53038 if (ruid != (uid_t) -1) {
53040 if (ruid != old->uid) {
53041 @@ -788,6 +813,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
53045 + if (gr_check_group_change(rgid, egid, -1))
53048 if (rgid != (gid_t) -1)
53050 if (egid != (gid_t) -1)
53051 @@ -834,6 +862,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
53052 old = current_cred();
53053 old_fsuid = old->fsuid;
53055 + if (gr_check_user_change(-1, -1, uid))
53058 if (uid == old->uid || uid == old->euid ||
53059 uid == old->suid || uid == old->fsuid ||
53060 capable(CAP_SETUID)) {
53061 @@ -844,6 +875,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
53069 @@ -870,12 +902,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
53070 if (gid == old->gid || gid == old->egid ||
53071 gid == old->sgid || gid == old->fsgid ||
53072 capable(CAP_SETGID)) {
53073 + if (gr_check_group_change(-1, -1, gid))
53076 if (gid != old_fsgid) {
53086 @@ -1616,7 +1652,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
53087 error = get_dumpable(me->mm);
53089 case PR_SET_DUMPABLE:
53090 - if (arg2 < 0 || arg2 > 1) {
53095 diff -urNp linux-2.6.38.4/kernel/sysctl.c linux-2.6.38.4/kernel/sysctl.c
53096 --- linux-2.6.38.4/kernel/sysctl.c 2011-04-18 17:27:16.000000000 -0400
53097 +++ linux-2.6.38.4/kernel/sysctl.c 2011-04-17 15:57:33.000000000 -0400
53101 #if defined(CONFIG_SYSCTL)
53102 +#include <linux/grsecurity.h>
53103 +#include <linux/grinternal.h>
53105 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
53106 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
53108 +extern int gr_handle_chroot_sysctl(const int op);
53110 /* External variables not in a header file. */
53111 extern int sysctl_overcommit_memory;
53112 @@ -195,6 +202,7 @@ static int sysrq_sysctl_handler(ctl_tabl
53116 +extern struct ctl_table grsecurity_table[];
53118 static struct ctl_table root_table[];
53119 static struct ctl_table_root sysctl_table_root;
53120 @@ -224,6 +232,20 @@ extern struct ctl_table epoll_table[];
53121 int sysctl_legacy_va_layout;
53124 +#ifdef CONFIG_PAX_SOFTMODE
53125 +static ctl_table pax_table[] = {
53127 + .procname = "softmode",
53128 + .data = &pax_softmode,
53129 + .maxlen = sizeof(unsigned int),
53131 + .proc_handler = &proc_dointvec,
53138 /* The default sysctl tables: */
53140 static struct ctl_table root_table[] = {
53141 @@ -270,6 +292,22 @@ static int max_extfrag_threshold = 1000;
53144 static struct ctl_table kern_table[] = {
53145 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
53147 + .procname = "grsecurity",
53149 + .child = grsecurity_table,
53153 +#ifdef CONFIG_PAX_SOFTMODE
53155 + .procname = "pax",
53157 + .child = pax_table,
53162 .procname = "sched_child_runs_first",
53163 .data = &sysctl_sched_child_runs_first,
53164 @@ -551,7 +589,7 @@ static struct ctl_table kern_table[] = {
53165 .data = &modprobe_path,
53166 .maxlen = KMOD_PATH_LEN,
53168 - .proc_handler = proc_dostring,
53169 + .proc_handler = proc_dostring_modpriv,
53172 .procname = "modules_disabled",
53173 @@ -713,16 +751,20 @@ static struct ctl_table kern_table[] = {
53179 .procname = "kptr_restrict",
53180 .data = &kptr_restrict,
53181 .maxlen = sizeof(int),
53183 .proc_handler = proc_dmesg_restrict,
53184 +#ifdef CONFIG_GRKERNSEC_HIDESYM
53193 .procname = "ngroups_max",
53194 .data = &ngroups_max,
53195 @@ -1187,6 +1229,13 @@ static struct ctl_table vm_table[] = {
53196 .proc_handler = proc_dointvec_minmax,
53200 + .procname = "heap_stack_gap",
53201 + .data = &sysctl_heap_stack_gap,
53202 + .maxlen = sizeof(sysctl_heap_stack_gap),
53204 + .proc_handler = proc_doulongvec_minmax,
53208 .procname = "nr_trim_pages",
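Review bot: The `heap_stack_gap` entry uses `proc_doulongvec_minmax` but no `.extra1`/`.extra2` are visible in this hunk, and without them the handler imposes no bound at all, so a value far larger than any sensible gap can be stored and every later gap computation has to cope with it; if the bound lines were merely lost from this view, ignore this, otherwise add an `.extra2` upper limit. A one-line comment on the entry stating which unit the value is expressed in (not determinable from here) would also help readers of the `vm` sysctl directory.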
53209 @@ -1698,6 +1747,16 @@ int sysctl_perm(struct ctl_table_root *r
53213 + if (table->parent != NULL && table->parent->procname != NULL &&
53214 + table->procname != NULL &&
53215 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
53217 + if (gr_handle_chroot_sysctl(op))
53219 + error = gr_handle_sysctl(table, op);
53223 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
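Review bot: The name-based hook identifies the sysctl only by `table->parent->procname` and `table->procname`, so two entries that share a leaf name and an immediate-parent name in different subtrees are indistinguishable to `gr_handle_sysctl_mod()`; if that function is meant to match one specific node, passing the `ctl_table` itself (as `gr_handle_sysctl()` already receives) or the full path would be unambiguous. The lines that act on the return values of the three hooks are not in this view, so their deny/allow semantics could not be checked. As a secondary point, the hooks are declared with `extern` inside this .c file although `linux/grsecurity.h` is now included; keeping the prototypes in the header avoids drift between declaration and definition.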
53226 @@ -2105,6 +2164,16 @@ int proc_dostring(struct ctl_table *tabl
53227 buffer, lenp, ppos);
53230 +int proc_dostring_modpriv(struct ctl_table *table, int write,
53231 + void __user *buffer, size_t *lenp, loff_t *ppos)
53233 + if (write && !capable(CAP_SYS_MODULE))
53236 + return _proc_do_string(table->data, table->maxlen, write,
53237 + buffer, lenp, ppos);
53240 static size_t proc_skip_spaces(char **buf)
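Review bot: `proc_dostring_modpriv` is exported (see the later `EXPORT_SYMBOL` hunk) yet carries no kernel-doc and no statement of why the write side requires `CAP_SYS_MODULE`; a header such as `/* Like proc_dostring(), but writes need CAP_SYS_MODULE: used for strings that name a helper the kernel executes, e.g. modprobe_path. */` would tell the next reader what is special about it. The line that returns after the failed `capable()` check is not in this view, so the error code could not be checked; `-EPERM` is the conventional value for a capability refusal.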
53243 @@ -2210,6 +2279,8 @@ static int proc_put_long(void __user **b
53247 + if (len > sizeof(tmp))
53248 + len = sizeof(tmp);
53249 if (copy_to_user(*buf, tmp, len))
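Review bot: The new clamp of `len` to `sizeof(tmp)` stops an over-read of `tmp` on the `copy_to_user()` line, but when it fires the caller receives a silently truncated number rather than an error, which is the kind of wrong-but-plausible output that is hard to notice. If `tmp` is sized for the longest formatted value (its declaration and the formatting call are outside this hunk) the clamp can never trigger, and `WARN_ON_ONCE(len > sizeof(tmp));` ahead of it records that assumption; if it can trigger, returning `-EINVAL` is safer than shortening the value.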
53252 @@ -2526,8 +2597,11 @@ static int __do_proc_doulongvec_minmax(v
53255 val = convdiv * (*i) / convmul;
53258 err = proc_put_char(&buffer, &left, '\t');
53262 err = proc_put_long(&buffer, &left, val, false);
53265 @@ -2922,6 +2996,12 @@ int proc_dostring(struct ctl_table *tabl
53269 +int proc_dostring_modpriv(struct ctl_table *table, int write,
53270 + void __user *buffer, size_t *lenp, loff_t *ppos)
53275 int proc_dointvec(struct ctl_table *table, int write,
53276 void __user *buffer, size_t *lenp, loff_t *ppos)
53278 @@ -2978,6 +3058,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
53279 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
53280 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
53281 EXPORT_SYMBOL(proc_dostring);
53282 +EXPORT_SYMBOL(proc_dostring_modpriv);
53283 EXPORT_SYMBOL(proc_doulongvec_minmax);
53284 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
53285 EXPORT_SYMBOL(register_sysctl_table);
53286 diff -urNp linux-2.6.38.4/kernel/sysctl_check.c linux-2.6.38.4/kernel/sysctl_check.c
53287 --- linux-2.6.38.4/kernel/sysctl_check.c 2011-03-14 21:20:32.000000000 -0400
53288 +++ linux-2.6.38.4/kernel/sysctl_check.c 2011-04-17 15:57:33.000000000 -0400
53289 @@ -131,6 +131,7 @@ int sysctl_check_table(struct nsproxy *n
53290 set_fail(&fail, table, "Directory with extra2");
53292 if ((table->proc_handler == proc_dostring) ||
53293 + (table->proc_handler == proc_dostring_modpriv) ||
53294 (table->proc_handler == proc_dointvec) ||
53295 (table->proc_handler == proc_dointvec_minmax) ||
53296 (table->proc_handler == proc_dointvec_jiffies) ||
53297 diff -urNp linux-2.6.38.4/kernel/taskstats.c linux-2.6.38.4/kernel/taskstats.c
53298 --- linux-2.6.38.4/kernel/taskstats.c 2011-03-14 21:20:32.000000000 -0400
53299 +++ linux-2.6.38.4/kernel/taskstats.c 2011-04-17 15:57:33.000000000 -0400
53301 #include <linux/cgroup.h>
53302 #include <linux/fs.h>
53303 #include <linux/file.h>
53304 +#include <linux/grsecurity.h>
53305 #include <net/genetlink.h>
53306 #include <asm/atomic.h>
53308 +extern int gr_is_taskstats_denied(int pid);
53311 * Maximum length of a cpumask that can be specified in
53312 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
53313 @@ -549,6 +552,9 @@ err:
53315 static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
53317 + if (gr_is_taskstats_denied(current->pid))
53320 if (info->attrs[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK])
53321 return cmd_attr_register_cpumask(info);
53322 else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
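Review bot: The deny check is passed `current->pid`, which is the caller's thread id in the initial pid namespace; if `gr_is_taskstats_denied()` keys on the process rather than the thread, `current->tgid` is the right handle, and if it compares against pids as seen inside a pid namespace, `task_pid_vnr(current)` is. Which is intended cannot be told from this hunk (the hook's definition is not here), so a one-line comment on the call stating what identifier the hook expects would keep the next call site from passing the wrong one. The return statement after the check is outside this view.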
53323 diff -urNp linux-2.6.38.4/kernel/time/tick-broadcast.c linux-2.6.38.4/kernel/time/tick-broadcast.c
53324 --- linux-2.6.38.4/kernel/time/tick-broadcast.c 2011-03-14 21:20:32.000000000 -0400
53325 +++ linux-2.6.38.4/kernel/time/tick-broadcast.c 2011-04-17 15:57:33.000000000 -0400
53326 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
53327 * then clear the broadcast bit.
53329 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
53330 - int cpu = smp_processor_id();
53331 + cpu = smp_processor_id();
53333 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
53334 tick_broadcast_clear_oneshot(cpu);
53335 diff -urNp linux-2.6.38.4/kernel/time/timekeeping.c linux-2.6.38.4/kernel/time/timekeeping.c
53336 --- linux-2.6.38.4/kernel/time/timekeeping.c 2011-03-14 21:20:32.000000000 -0400
53337 +++ linux-2.6.38.4/kernel/time/timekeeping.c 2011-04-17 15:57:33.000000000 -0400
53339 #include <linux/init.h>
53340 #include <linux/mm.h>
53341 #include <linux/sched.h>
53342 +#include <linux/grsecurity.h>
53343 #include <linux/sysdev.h>
53344 #include <linux/clocksource.h>
53345 #include <linux/jiffies.h>
53346 @@ -361,6 +362,8 @@ int do_settimeofday(struct timespec *tv)
53347 if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
53350 + gr_log_timechange();
53352 write_seqlock_irqsave(&xtime_lock, flags);
53354 timekeeping_forward_now();
53355 diff -urNp linux-2.6.38.4/kernel/time/timer_list.c linux-2.6.38.4/kernel/time/timer_list.c
53356 --- linux-2.6.38.4/kernel/time/timer_list.c 2011-03-14 21:20:32.000000000 -0400
53357 +++ linux-2.6.38.4/kernel/time/timer_list.c 2011-04-17 15:57:33.000000000 -0400
53358 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
53360 static void print_name_offset(struct seq_file *m, void *sym)
53362 +#ifdef CONFIG_GRKERNSEC_HIDESYM
53363 + SEQ_printf(m, "<%p>", NULL);
53365 char symname[KSYM_NAME_LEN];
53367 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
53368 SEQ_printf(m, "<%pK>", sym);
53370 SEQ_printf(m, "%s", symname);
53375 @@ -112,7 +116,11 @@ next_one:
53377 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
53379 +#ifdef CONFIG_GRKERNSEC_HIDESYM
53380 + SEQ_printf(m, " .base: %p\n", NULL);
53382 SEQ_printf(m, " .base: %pK\n", base);
53384 SEQ_printf(m, " .index: %d\n",
53386 SEQ_printf(m, " .resolution: %Lu nsecs\n",
53387 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
53389 struct proc_dir_entry *pe;
53391 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
53392 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
53394 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
53399 diff -urNp linux-2.6.38.4/kernel/time/timer_stats.c linux-2.6.38.4/kernel/time/timer_stats.c
53400 --- linux-2.6.38.4/kernel/time/timer_stats.c 2011-03-14 21:20:32.000000000 -0400
53401 +++ linux-2.6.38.4/kernel/time/timer_stats.c 2011-04-17 15:57:33.000000000 -0400
53402 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
53404 static void print_name_offset(struct seq_file *m, unsigned long addr)
53406 +#ifdef CONFIG_GRKERNSEC_HIDESYM
53407 + seq_printf(m, "<%p>", NULL);
53409 char symname[KSYM_NAME_LEN];
53411 if (lookup_symbol_name(addr, symname) < 0)
53412 seq_printf(m, "<%p>", (void *)addr);
53414 seq_printf(m, "%s", symname);
53418 static int tstats_show(struct seq_file *m, void *v)
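Review bot: The non-HIDESYM fallback on the `lookup_symbol_name()` failure path still prints the raw address with `%p`, while the matching `print_name_offset()` in kernel/time/timer_list.c earlier in this patch uses `%pK`; with HIDESYM off, a kernel that sets `kptr_restrict` therefore still exposes the unresolved timer address through this procfs file. Changing the fallback to `seq_printf(m, "<%pK>", (void *)addr);` makes the two files consistent. The HIDESYM branch printing `<%p>` of `NULL` is a fixed placeholder and is unaffected.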
53419 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
53421 struct proc_dir_entry *pe;
53423 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
53424 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
53426 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
53431 diff -urNp linux-2.6.38.4/kernel/time.c linux-2.6.38.4/kernel/time.c
53432 --- linux-2.6.38.4/kernel/time.c 2011-03-14 21:20:32.000000000 -0400
53433 +++ linux-2.6.38.4/kernel/time.c 2011-04-17 15:57:33.000000000 -0400
53434 @@ -163,6 +163,11 @@ int do_sys_settimeofday(struct timespec
53438 + /* we log in do_settimeofday called below, so don't log twice
53441 + gr_log_timechange();
53443 /* SMP safe, global irq locking makes it work. */
53445 update_vsyscall_tz();
53446 diff -urNp linux-2.6.38.4/kernel/timer.c linux-2.6.38.4/kernel/timer.c
53447 --- linux-2.6.38.4/kernel/timer.c 2011-03-14 21:20:32.000000000 -0400
53448 +++ linux-2.6.38.4/kernel/timer.c 2011-04-17 15:57:33.000000000 -0400
53449 @@ -1276,7 +1276,7 @@ void update_process_times(int user_tick)
53451 * This function runs timers and the timer-tq in bottom half context.
53453 -static void run_timer_softirq(struct softirq_action *h)
53454 +static void run_timer_softirq(void)
53456 struct tvec_base *base = __this_cpu_read(tvec_bases);
53458 diff -urNp linux-2.6.38.4/kernel/trace/ftrace.c linux-2.6.38.4/kernel/trace/ftrace.c
53459 --- linux-2.6.38.4/kernel/trace/ftrace.c 2011-04-18 17:27:14.000000000 -0400
53460 +++ linux-2.6.38.4/kernel/trace/ftrace.c 2011-04-17 15:57:33.000000000 -0400
53461 @@ -1107,13 +1107,18 @@ ftrace_code_disable(struct module *mod,
53465 + ret = ftrace_arch_code_modify_prepare();
53466 + FTRACE_WARN_ON(ret);
53470 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
53471 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
53473 ftrace_bug(ret, ip);
53474 rec->flags |= FTRACE_FL_FAILED;
53478 + return ret ? 0 : 1;
53482 diff -urNp linux-2.6.38.4/kernel/trace/ring_buffer.c linux-2.6.38.4/kernel/trace/ring_buffer.c
53483 --- linux-2.6.38.4/kernel/trace/ring_buffer.c 2011-03-14 21:20:32.000000000 -0400
53484 +++ linux-2.6.38.4/kernel/trace/ring_buffer.c 2011-04-17 15:57:33.000000000 -0400
53485 @@ -669,7 +669,7 @@ static struct list_head *rb_list_head(st
53486 * the reader page). But if the next page is a header page,
53487 * its flags will be non zero.
53491 rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
53492 struct buffer_page *page, struct list_head *list)
53494 diff -urNp linux-2.6.38.4/kernel/trace/trace.c linux-2.6.38.4/kernel/trace/trace.c
53495 --- linux-2.6.38.4/kernel/trace/trace.c 2011-03-14 21:20:32.000000000 -0400
53496 +++ linux-2.6.38.4/kernel/trace/trace.c 2011-04-17 15:57:33.000000000 -0400
53497 @@ -3967,10 +3967,9 @@ static const struct file_operations trac
53501 -static struct dentry *d_tracer;
53503 struct dentry *tracing_init_dentry(void)
53505 + static struct dentry *d_tracer;
53509 @@ -3990,10 +3989,9 @@ struct dentry *tracing_init_dentry(void)
53513 -static struct dentry *d_percpu;
53515 struct dentry *tracing_dentry_percpu(void)
53517 + static struct dentry *d_percpu;
53519 struct dentry *d_tracer;
53521 diff -urNp linux-2.6.38.4/kernel/trace/trace_events.c linux-2.6.38.4/kernel/trace/trace_events.c
53522 --- linux-2.6.38.4/kernel/trace/trace_events.c 2011-03-14 21:20:32.000000000 -0400
53523 +++ linux-2.6.38.4/kernel/trace/trace_events.c 2011-04-17 15:57:33.000000000 -0400
53524 @@ -1240,10 +1240,10 @@ static LIST_HEAD(ftrace_module_file_list
53525 struct ftrace_module_file_ops {
53526 struct list_head list;
53527 struct module *mod;
53528 - struct file_operations id;
53529 - struct file_operations enable;
53530 - struct file_operations format;
53531 - struct file_operations filter;
53532 + struct file_operations id; /* cannot be const, see trace_create_file_ops() */
53533 + struct file_operations enable; /* cannot be const, see trace_create_file_ops() */
53534 + struct file_operations format; /* cannot be const, see trace_create_file_ops() */
53535 + struct file_operations filter; /* cannot be const, see trace_create_file_ops() */
53538 static struct ftrace_module_file_ops *
53539 diff -urNp linux-2.6.38.4/kernel/trace/trace_output.c linux-2.6.38.4/kernel/trace/trace_output.c
53540 --- linux-2.6.38.4/kernel/trace/trace_output.c 2011-03-14 21:20:32.000000000 -0400
53541 +++ linux-2.6.38.4/kernel/trace/trace_output.c 2011-04-17 15:57:33.000000000 -0400
53542 @@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s,
53544 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
53546 - p = mangle_path(s->buffer + s->len, p, "\n");
53547 + p = mangle_path(s->buffer + s->len, p, "\n\\");
53549 s->len = p - s->buffer;
53551 diff -urNp linux-2.6.38.4/kernel/trace/trace_stack.c linux-2.6.38.4/kernel/trace/trace_stack.c
53552 --- linux-2.6.38.4/kernel/trace/trace_stack.c 2011-03-14 21:20:32.000000000 -0400
53553 +++ linux-2.6.38.4/kernel/trace/trace_stack.c 2011-04-17 15:57:33.000000000 -0400
53554 @@ -50,7 +50,7 @@ static inline void check_stack(void)
53557 /* we do not handle interrupt stacks yet */
53558 - if (!object_is_on_stack(&this_size))
53559 + if (!object_starts_on_stack(&this_size))
53562 local_irq_save(flags);
53563 diff -urNp linux-2.6.38.4/kernel/trace/trace_workqueue.c linux-2.6.38.4/kernel/trace/trace_workqueue.c
53564 --- linux-2.6.38.4/kernel/trace/trace_workqueue.c 2011-03-14 21:20:32.000000000 -0400
53565 +++ linux-2.6.38.4/kernel/trace/trace_workqueue.c 2011-04-17 15:57:33.000000000 -0400
53566 @@ -22,7 +22,7 @@ struct cpu_workqueue_stats {
53569 /* Can be inserted from interrupt or user context, need to be atomic */
53570 - atomic_t inserted;
53571 + atomic_unchecked_t inserted;
53573 * Don't need to be atomic, works are serialized in a single workqueue thread
53575 @@ -60,7 +60,7 @@ probe_workqueue_insertion(void *ignore,
53576 spin_lock_irqsave(&workqueue_cpu_stat(cpu)->lock, flags);
53577 list_for_each_entry(node, &workqueue_cpu_stat(cpu)->list, list) {
53578 if (node->pid == wq_thread->pid) {
53579 - atomic_inc(&node->inserted);
53580 + atomic_inc_unchecked(&node->inserted);
53584 @@ -210,7 +210,7 @@ static int workqueue_stat_show(struct se
53585 tsk = get_pid_task(pid, PIDTYPE_PID);
53587 seq_printf(s, "%3d %6d %6u %s\n", cws->cpu,
53588 - atomic_read(&cws->inserted), cws->executed,
53589 + atomic_read_unchecked(&cws->inserted), cws->executed,
53591 put_task_struct(tsk);
53593 diff -urNp linux-2.6.38.4/lib/bug.c linux-2.6.38.4/lib/bug.c
53594 --- linux-2.6.38.4/lib/bug.c 2011-03-14 21:20:32.000000000 -0400
53595 +++ linux-2.6.38.4/lib/bug.c 2011-04-17 15:57:33.000000000 -0400
53596 @@ -133,6 +133,8 @@ enum bug_trap_type report_bug(unsigned l
53597 return BUG_TRAP_TYPE_NONE;
53599 bug = find_bug(bugaddr);
53601 + return BUG_TRAP_TYPE_NONE;
53605 diff -urNp linux-2.6.38.4/lib/debugobjects.c linux-2.6.38.4/lib/debugobjects.c
53606 --- linux-2.6.38.4/lib/debugobjects.c 2011-03-14 21:20:32.000000000 -0400
53607 +++ linux-2.6.38.4/lib/debugobjects.c 2011-04-17 15:57:33.000000000 -0400
53608 @@ -281,7 +281,7 @@ static void debug_object_is_on_stack(voi
53612 - is_on_stack = object_is_on_stack(addr);
53613 + is_on_stack = object_starts_on_stack(addr);
53614 if (is_on_stack == onstack)
53617 diff -urNp linux-2.6.38.4/lib/dma-debug.c linux-2.6.38.4/lib/dma-debug.c
53618 --- linux-2.6.38.4/lib/dma-debug.c 2011-03-14 21:20:32.000000000 -0400
53619 +++ linux-2.6.38.4/lib/dma-debug.c 2011-04-17 15:57:33.000000000 -0400
53620 @@ -862,7 +862,7 @@ out:
53622 static void check_for_stack(struct device *dev, void *addr)
53624 - if (object_is_on_stack(addr))
53625 + if (object_starts_on_stack(addr))
53626 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
53627 "stack [addr=%p]\n", addr);
53629 diff -urNp linux-2.6.38.4/lib/inflate.c linux-2.6.38.4/lib/inflate.c
53630 --- linux-2.6.38.4/lib/inflate.c 2011-03-14 21:20:32.000000000 -0400
53631 +++ linux-2.6.38.4/lib/inflate.c 2011-04-17 15:57:33.000000000 -0400
53632 @@ -269,7 +269,7 @@ static void free(void *where)
53633 malloc_ptr = free_mem_ptr;
53636 -#define malloc(a) kmalloc(a, GFP_KERNEL)
53637 +#define malloc(a) kmalloc((a), GFP_KERNEL)
53638 #define free(a) kfree(a)
53641 diff -urNp linux-2.6.38.4/lib/Kconfig.debug linux-2.6.38.4/lib/Kconfig.debug
53642 --- linux-2.6.38.4/lib/Kconfig.debug 2011-04-22 19:20:59.000000000 -0400
53643 +++ linux-2.6.38.4/lib/Kconfig.debug 2011-04-22 19:21:39.000000000 -0400
53644 @@ -1066,6 +1066,7 @@ config LATENCYTOP
53645 depends on DEBUG_KERNEL
53646 depends on STACKTRACE_SUPPORT
53648 + depends on !GRKERNSEC_HIDESYM
53649 select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE
53651 select KALLSYMS_ALL
53652 diff -urNp linux-2.6.38.4/lib/kref.c linux-2.6.38.4/lib/kref.c
53653 --- linux-2.6.38.4/lib/kref.c 2011-03-14 21:20:32.000000000 -0400
53654 +++ linux-2.6.38.4/lib/kref.c 2011-04-17 15:57:33.000000000 -0400
53655 @@ -52,7 +52,7 @@ void kref_get(struct kref *kref)
53657 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
53659 - WARN_ON(release == NULL);
53660 + BUG_ON(release == NULL);
53661 WARN_ON(release == (void (*)(struct kref *))kfree);
53663 if (atomic_dec_and_test(&kref->refcount)) {
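Review bot: Replacing `WARN_ON` with `BUG_ON` turns a missing release callback into a deliberate oops, which is the right trade-off only because the alternative is the indirect call through a NULL function pointer further down, but nothing in the code says so; a comment such as `/* release is called below; a NULL here would be called as a function, so stop now rather than warn and continue */` records the reasoning. The `WARN_ON(release == kfree)` on the next line keeps its softer behaviour, which is consistent since that case is wasteful rather than unsafe.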
53664 diff -urNp linux-2.6.38.4/lib/radix-tree.c linux-2.6.38.4/lib/radix-tree.c
53665 --- linux-2.6.38.4/lib/radix-tree.c 2011-03-14 21:20:32.000000000 -0400
53666 +++ linux-2.6.38.4/lib/radix-tree.c 2011-04-17 15:57:33.000000000 -0400
53667 @@ -80,7 +80,7 @@ struct radix_tree_preload {
53669 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
53671 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
53672 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
53674 static inline void *ptr_to_indirect(void *ptr)
53676 diff -urNp linux-2.6.38.4/lib/vsprintf.c linux-2.6.38.4/lib/vsprintf.c
53677 --- linux-2.6.38.4/lib/vsprintf.c 2011-04-22 19:20:59.000000000 -0400
53678 +++ linux-2.6.38.4/lib/vsprintf.c 2011-04-22 19:21:39.000000000 -0400
53680 * - scnprintf and vscnprintf
53683 +#ifdef CONFIG_GRKERNSEC_HIDESYM
53684 +#define __INCLUDED_BY_HIDESYM 1
53686 #include <stdarg.h>
53687 #include <linux/module.h>
53688 #include <linux/types.h>
53689 @@ -433,7 +436,7 @@ char *symbol_string(char *buf, char *end
53690 unsigned long value = (unsigned long) ptr;
53691 #ifdef CONFIG_KALLSYMS
53692 char sym[KSYM_SYMBOL_LEN];
53693 - if (ext != 'f' && ext != 's')
53694 + if (ext != 'f' && ext != 's' && ext != 'a')
53695 sprint_symbol(sym, value);
53697 kallsyms_lookup(value, NULL, NULL, NULL, sym);
53698 @@ -795,7 +798,11 @@ char *uuid_string(char *buf, char *end,
53699 return string(buf, end, uuid, spec);
53702 +#ifdef CONFIG_GRKERNSEC_HIDESYM
53703 +int kptr_restrict = 2;
53705 int kptr_restrict = 1;
53709 * Show a '%p' thing. A kernel extension is that the '%p' is followed
53710 @@ -808,6 +815,8 @@ int kptr_restrict = 1;
53711 * - 'f' For simple symbolic function names without offset
53712 * - 'S' For symbolic direct pointers with offset
53713 * - 's' For symbolic direct pointers without offset
53714 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
53715 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
53716 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
53717 * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
53718 * - 'M' For a 6-byte MAC address, it prints the address in the
53719 @@ -852,12 +861,12 @@ char *pointer(const char *fmt, char *buf
53723 - * Print (null) with the same width as a pointer so it makes
53724 + * Print (nil) with the same width as a pointer so it makes
53725 * tabular output look nice.
53727 if (spec.field_width == -1)
53728 spec.field_width = 2 * sizeof(void *);
53729 - return string(buf, end, "(null)", spec);
53730 + return string(buf, end, "(nil)", spec);
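Review bot: Changing the NULL rendering of `%p` from `(null)` to `(nil)` is a user-visible output change: anything parsing kernel log or tracing output that matches on `(null)` stops matching, and `%s` with a NULL argument presumably still prints `(null)` through `string()` in the same file (assuming that path is unchanged at this version), so the two conventions now diverge. If the intent is to match the C library's `%p` output, a comment saying so above the `string()` call is worth adding; otherwise keeping `(null)` avoids a silent format change.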
53734 @@ -867,6 +876,13 @@ char *pointer(const char *fmt, char *buf
53738 +#ifdef CONFIG_GRKERNSEC_HIDESYM
53741 + return symbol_string(buf, end, ptr, spec, *fmt);
53745 return symbol_string(buf, end, ptr, spec, *fmt);
53748 @@ -1631,11 +1647,11 @@ int bstr_printf(char *buf, size_t size,
53749 typeof(type) value; \
53750 if (sizeof(type) == 8) { \
53751 args = PTR_ALIGN(args, sizeof(u32)); \
53752 - *(u32 *)&value = *(u32 *)args; \
53753 - *((u32 *)&value + 1) = *(u32 *)(args + 4); \
53754 + *(u32 *)&value = *(const u32 *)args; \
53755 + *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
53757 args = PTR_ALIGN(args, sizeof(type)); \
53758 - value = *(typeof(type) *)args; \
53759 + value = *(const typeof(type) *)args; \
53761 args += sizeof(type); \
53763 @@ -1698,7 +1714,7 @@ int bstr_printf(char *buf, size_t size,
53764 case FORMAT_TYPE_STR: {
53765 const char *str_arg = args;
53766 args += strlen(str_arg) + 1;
53767 - str = string(str, end, (char *)str_arg, spec);
53768 + str = string(str, end, str_arg, spec);
53772 diff -urNp linux-2.6.38.4/localversion-grsec linux-2.6.38.4/localversion-grsec
53773 --- linux-2.6.38.4/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
53774 +++ linux-2.6.38.4/localversion-grsec 2011-04-17 15:57:33.000000000 -0400
53777 diff -urNp linux-2.6.38.4/Makefile linux-2.6.38.4/Makefile
53778 --- linux-2.6.38.4/Makefile 2011-04-22 19:20:59.000000000 -0400
53779 +++ linux-2.6.38.4/Makefile 2011-04-22 19:21:10.000000000 -0400
53780 @@ -233,8 +233,8 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
53784 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
53785 -HOSTCXXFLAGS = -O2
53786 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
53787 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
53789 # Decide whether to build built-in, modular, or both.
53790 # Normally, just do built-in.
53791 @@ -681,7 +681,7 @@ export mod_strip_cmd
53794 ifeq ($(KBUILD_EXTMOD),)
53795 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
53796 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
53798 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
53799 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
53800 diff -urNp linux-2.6.38.4/mm/bootmem.c linux-2.6.38.4/mm/bootmem.c
53801 --- linux-2.6.38.4/mm/bootmem.c 2011-03-14 21:20:32.000000000 -0400
53802 +++ linux-2.6.38.4/mm/bootmem.c 2011-04-17 15:57:33.000000000 -0400
53803 @@ -201,19 +201,30 @@ static void __init __free_pages_memory(u
53804 unsigned long __init free_all_memory_core_early(int nodeid)
53808 + u64 start, end, startrange, endrange;
53809 unsigned long count = 0;
53810 - struct range *range = NULL;
53811 + struct range *range = NULL, rangerange = { 0, 0 };
53814 nr_range = get_free_all_memory_range(&range, nodeid);
53815 + startrange = __pa(range) >> PAGE_SHIFT;
53816 + endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
53818 for (i = 0; i < nr_range; i++) {
53819 start = range[i].start;
53820 end = range[i].end;
53821 + if (start <= endrange && startrange < end) {
53822 + BUG_ON(rangerange.start | rangerange.end);
53823 + rangerange = range[i];
53826 count += end - start;
53827 __free_pages_memory(start, end);
53829 + start = rangerange.start;
53830 + end = rangerange.end;
53831 + count += end - start;
53832 + __free_pages_memory(start, end);
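Review bot: The deferred free after the loop runs unconditionally, so when no entry of `range[]` overlaps the pages holding the array itself, `rangerange` is still `{ 0, 0 }` and `__free_pages_memory(0, 0)` is called with an empty range; that is harmless only if the callee tolerates `start == end`, which cannot be verified from here. Guarding the trailing block with `if (rangerange.end) {` makes the intent explicit and removes the dependence. The overlap test and the `BUG_ON` against a second match look right given `endrange` is inclusive and `end` exclusive; the `continue` that skips the in-loop free for the matched range is not visible in this view, so its presence is assumed.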
53836 diff -urNp linux-2.6.38.4/mm/filemap.c linux-2.6.38.4/mm/filemap.c
53837 --- linux-2.6.38.4/mm/filemap.c 2011-03-14 21:20:32.000000000 -0400
53838 +++ linux-2.6.38.4/mm/filemap.c 2011-04-17 15:57:33.000000000 -0400
53839 @@ -1664,7 +1664,7 @@ int generic_file_mmap(struct file * file
53840 struct address_space *mapping = file->f_mapping;
53842 if (!mapping->a_ops->readpage)
53845 file_accessed(file);
53846 vma->vm_ops = &generic_file_vm_ops;
53847 vma->vm_flags |= VM_CAN_NONLINEAR;
53848 @@ -2060,6 +2060,7 @@ inline int generic_write_checks(struct f
53849 *pos = i_size_read(inode);
53851 if (limit != RLIM_INFINITY) {
53852 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
53853 if (*pos >= limit) {
53854 send_sig(SIGXFSZ, current, 0);
53856 diff -urNp linux-2.6.38.4/mm/fremap.c linux-2.6.38.4/mm/fremap.c
53857 --- linux-2.6.38.4/mm/fremap.c 2011-03-14 21:20:32.000000000 -0400
53858 +++ linux-2.6.38.4/mm/fremap.c 2011-04-17 15:57:33.000000000 -0400
53859 @@ -156,6 +156,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
53861 vma = find_vma(mm, start);
53863 +#ifdef CONFIG_PAX_SEGMEXEC
53864 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
53869 * Make sure the vma is shared, that it supports prefaulting,
53870 * and that the remapped range is valid and fully within
53871 @@ -224,7 +229,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
53873 * drop PG_Mlocked flag for over-mapped range
53875 - unsigned int saved_flags = vma->vm_flags;
53876 + unsigned long saved_flags = vma->vm_flags;
53877 munlock_vma_pages_range(vma, start, start + size);
53878 vma->vm_flags = saved_flags;
53880 diff -urNp linux-2.6.38.4/mm/highmem.c linux-2.6.38.4/mm/highmem.c
53881 --- linux-2.6.38.4/mm/highmem.c 2011-03-14 21:20:32.000000000 -0400
53882 +++ linux-2.6.38.4/mm/highmem.c 2011-04-17 15:57:33.000000000 -0400
53883 @@ -125,9 +125,10 @@ static void flush_all_zero_pkmaps(void)
53884 * So no dangers, even with speculative execution.
53886 page = pte_page(pkmap_page_table[i]);
53887 + pax_open_kernel();
53888 pte_clear(&init_mm, (unsigned long)page_address(page),
53889 &pkmap_page_table[i]);
53891 + pax_close_kernel();
53892 set_page_address(page, NULL);
53895 @@ -186,9 +187,11 @@ start:
53898 vaddr = PKMAP_ADDR(last_pkmap_nr);
53900 + pax_open_kernel();
53901 set_pte_at(&init_mm, vaddr,
53902 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
53904 + pax_close_kernel();
53905 pkmap_count[last_pkmap_nr] = 1;
53906 set_page_address(page, (void *)vaddr);
53908 diff -urNp linux-2.6.38.4/mm/hugetlb.c linux-2.6.38.4/mm/hugetlb.c
53909 --- linux-2.6.38.4/mm/hugetlb.c 2011-03-14 21:20:32.000000000 -0400
53910 +++ linux-2.6.38.4/mm/hugetlb.c 2011-04-17 15:57:33.000000000 -0400
53911 @@ -2333,6 +2333,27 @@ static int unmap_ref_private(struct mm_s
53915 +#ifdef CONFIG_PAX_SEGMEXEC
53916 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
53918 + struct mm_struct *mm = vma->vm_mm;
53919 + struct vm_area_struct *vma_m;
53920 + unsigned long address_m;
53923 + vma_m = pax_find_mirror_vma(vma);
53927 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
53928 + address_m = address + SEGMEXEC_TASK_SIZE;
53929 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
53930 + get_page(page_m);
53931 + hugepage_add_anon_rmap(page_m, vma_m, address_m);
53932 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
53937 * Hugetlb_cow() should be called with page lock of the original hugepage held.
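Review bot: `ptep_m` is taken from `huge_pte_offset()` and passed straight to `set_huge_pte_at()` without a NULL check; `huge_pte_offset()` can return NULL when the page-table level for the mirror address is not yet allocated, and the later `hugetlb_fault` hunk allocates it with `huge_pte_alloc()` only on its own path, so any other caller reaching here first would dereference NULL. A `BUG_ON(!ptep_m);` after the lookup turns that precondition into an explicit assertion. The declaration of `ptep_m` and the early return when `pax_find_mirror_vma()` finds no mirror are not in this view, so they are assumed.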
53939 @@ -2434,6 +2455,11 @@ retry_avoidcopy:
53940 make_huge_pte(vma, new_page, 1));
53941 page_remove_rmap(old_page);
53942 hugepage_add_new_anon_rmap(new_page, vma, address);
53944 +#ifdef CONFIG_PAX_SEGMEXEC
53945 + pax_mirror_huge_pte(vma, address, new_page);
53948 /* Make the old page be freed below */
53949 new_page = old_page;
53950 mmu_notifier_invalidate_range_end(mm,
53951 @@ -2585,6 +2611,10 @@ retry:
53952 && (vma->vm_flags & VM_SHARED)));
53953 set_huge_pte_at(mm, address, ptep, new_pte);
53955 +#ifdef CONFIG_PAX_SEGMEXEC
53956 + pax_mirror_huge_pte(vma, address, page);
53959 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
53960 /* Optimization, do the COW without a second fault */
53961 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
53962 @@ -2614,6 +2644,10 @@ int hugetlb_fault(struct mm_struct *mm,
53963 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
53964 struct hstate *h = hstate_vma(vma);
53966 +#ifdef CONFIG_PAX_SEGMEXEC
53967 + struct vm_area_struct *vma_m;
53970 ptep = huge_pte_offset(mm, address);
53972 entry = huge_ptep_get(ptep);
53973 @@ -2625,6 +2659,26 @@ int hugetlb_fault(struct mm_struct *mm,
53974 VM_FAULT_SET_HINDEX(h - hstates);
53977 +#ifdef CONFIG_PAX_SEGMEXEC
53978 + vma_m = pax_find_mirror_vma(vma);
53980 + unsigned long address_m;
53982 + if (vma->vm_start > vma_m->vm_start) {
53983 + address_m = address;
53984 + address -= SEGMEXEC_TASK_SIZE;
53986 + h = hstate_vma(vma);
53988 + address_m = address + SEGMEXEC_TASK_SIZE;
53990 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
53991 + return VM_FAULT_OOM;
53992 + address_m &= HPAGE_MASK;
53993 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
53997 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
53999 return VM_FAULT_OOM;
54000 diff -urNp linux-2.6.38.4/mm/Kconfig linux-2.6.38.4/mm/Kconfig
54001 --- linux-2.6.38.4/mm/Kconfig 2011-03-14 21:20:32.000000000 -0400
54002 +++ linux-2.6.38.4/mm/Kconfig 2011-04-17 15:57:33.000000000 -0400
54003 @@ -240,7 +240,7 @@ config KSM
54004 config DEFAULT_MMAP_MIN_ADDR
54005 int "Low address space to protect from user allocation"
54010 This is the portion of low virtual memory which should be protected
54011 from userspace allocation. Keeping a user from writing to low pages
54012 diff -urNp linux-2.6.38.4/mm/kmemleak.c linux-2.6.38.4/mm/kmemleak.c
54013 --- linux-2.6.38.4/mm/kmemleak.c 2011-03-14 21:20:32.000000000 -0400
54014 +++ linux-2.6.38.4/mm/kmemleak.c 2011-04-17 15:57:33.000000000 -0400
54015 @@ -357,7 +357,7 @@ static void print_unreferenced(struct se
54017 for (i = 0; i < object->trace_len; i++) {
54018 void *ptr = (void *)object->trace[i];
54019 - seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
54020 + seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
54024 diff -urNp linux-2.6.38.4/mm/maccess.c linux-2.6.38.4/mm/maccess.c
54025 --- linux-2.6.38.4/mm/maccess.c 2011-03-14 21:20:32.000000000 -0400
54026 +++ linux-2.6.38.4/mm/maccess.c 2011-04-17 15:57:33.000000000 -0400
54027 @@ -15,10 +15,10 @@
54028 * happens, handle that and return -EFAULT.
54031 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
54032 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
54033 __attribute__((alias("__probe_kernel_read")));
54035 -long __probe_kernel_read(void *dst, void *src, size_t size)
54036 +long __probe_kernel_read(void *dst, const void *src, size_t size)
54039 mm_segment_t old_fs = get_fs();
54040 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
54041 * Safely write to address @dst from the buffer at @src. If a kernel fault
54042 * happens, handle that and return -EFAULT.
54044 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
54045 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
54046 __attribute__((alias("__probe_kernel_write")));
54048 -long __probe_kernel_write(void *dst, void *src, size_t size)
54049 +long __probe_kernel_write(void *dst, const void *src, size_t size)
54052 mm_segment_t old_fs = get_fs();
54053 diff -urNp linux-2.6.38.4/mm/madvise.c linux-2.6.38.4/mm/madvise.c
54054 --- linux-2.6.38.4/mm/madvise.c 2011-03-14 21:20:32.000000000 -0400
54055 +++ linux-2.6.38.4/mm/madvise.c 2011-04-17 15:57:33.000000000 -0400
54056 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
54058 unsigned long new_flags = vma->vm_flags;
54060 +#ifdef CONFIG_PAX_SEGMEXEC
54061 + struct vm_area_struct *vma_m;
54064 switch (behavior) {
54066 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
54067 @@ -110,6 +114,13 @@ success:
54069 * vm_flags is protected by the mmap_sem held in write mode.
54072 +#ifdef CONFIG_PAX_SEGMEXEC
54073 + vma_m = pax_find_mirror_vma(vma);
54075 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
54078 vma->vm_flags = new_flags;
54081 @@ -168,6 +179,11 @@ static long madvise_dontneed(struct vm_a
54082 struct vm_area_struct ** prev,
54083 unsigned long start, unsigned long end)
54086 +#ifdef CONFIG_PAX_SEGMEXEC
54087 + struct vm_area_struct *vma_m;
54091 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
54093 @@ -180,6 +196,21 @@ static long madvise_dontneed(struct vm_a
54094 zap_page_range(vma, start, end - start, &details);
54096 zap_page_range(vma, start, end - start, NULL);
54098 +#ifdef CONFIG_PAX_SEGMEXEC
54099 + vma_m = pax_find_mirror_vma(vma);
54101 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
54102 + struct zap_details details = {
54103 + .nonlinear_vma = vma_m,
54104 + .last_index = ULONG_MAX,
54106 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
54108 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
54115 @@ -376,6 +407,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
54119 +#ifdef CONFIG_PAX_SEGMEXEC
54120 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
54121 + if (end > SEGMEXEC_TASK_SIZE)
54126 + if (end > TASK_SIZE)
54132 diff -urNp linux-2.6.38.4/mm/memory.c linux-2.6.38.4/mm/memory.c
54133 --- linux-2.6.38.4/mm/memory.c 2011-04-22 19:20:59.000000000 -0400
54134 +++ linux-2.6.38.4/mm/memory.c 2011-04-22 19:53:54.000000000 -0400
54135 @@ -259,8 +259,12 @@ static inline void free_pmd_range(struct
54138 pmd = pmd_offset(pud, start);
54140 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
54142 pmd_free_tlb(tlb, pmd, start);
54147 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
54148 @@ -291,9 +295,12 @@ static inline void free_pud_range(struct
54149 if (end - 1 > ceiling - 1)
54152 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
54153 pud = pud_offset(pgd, start);
54155 pud_free_tlb(tlb, pud, start);
54161 @@ -1410,13 +1417,6 @@ no_page_table:
54165 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
54167 - return (vma->vm_flags & VM_GROWSDOWN) &&
54168 - (vma->vm_start == addr) &&
54169 - !vma_stack_continue(vma->vm_prev, addr);
54172 int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
54173 unsigned long start, int nr_pages, unsigned int gup_flags,
54174 struct page **pages, struct vm_area_struct **vmas,
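Review bot: Deleting stack_guard_page() here removes a mainline security check from mm/memory.c without any comment saying what replaces it, and the same mechanism is removed piece by piece in the `@@ -1440,12 +1440,13 @@` hunk (`find_extend_vma` → `find_vma`), the `@@ -1502,13 +1507,6 @@` hunk (the skip-guard-page branch) and the `@@ -2886,40 +3100,6 @@`/`@@ -2928,27 +3108,23 @@` hunks (check_stack_guard_page and its caller in do_anonymous_page). The replacement appears to be the `sysctl_heap_stack_gap` introduced in mm/mmap.c, but nothing in this file points there, so a later reader sees only the deletion. Suggest a comment at the `find_vma` call in __get_user_pages, along the lines of `/* PaX: no stack auto-extension or guard-page check here; the stack/heap gap is enforced via sysctl_heap_stack_gap (mm/mmap.c) */`, with the location of that enforcement confirmed before committing to the wording. The deleted helper is complete within the hunk; __get_user_pages, whose signature starts here, continues outside it.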
54175 @@ -1440,12 +1440,13 @@ int __get_user_pages(struct task_struct
54176 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
54180 + while (nr_pages) {
54181 struct vm_area_struct *vma;
54183 - vma = find_extend_vma(mm, start);
54184 + vma = find_vma(mm, start);
54185 if (!vma && in_gate_area(tsk, start)) {
54186 unsigned long pg = start & PAGE_MASK;
54187 + struct vm_area_struct *gate_vma = get_gate_vma(tsk);
54191 @@ -1470,11 +1471,10 @@ int __get_user_pages(struct task_struct
54193 return i ? : -EFAULT;
54195 - vma = get_gate_vma(tsk);
54199 - page = vm_normal_page(vma, start, *pte);
54200 + page = vm_normal_page(gate_vma, start, *pte);
54202 if (!(gup_flags & FOLL_DUMP) &&
54203 is_zero_pfn(pte_pfn(*pte)))
54204 @@ -1488,10 +1488,15 @@ int __get_user_pages(struct task_struct
54210 + vmas[i] = gate_vma;
54212 + start += PAGE_SIZE;
54218 + if (!vma || start < vma->vm_start ||
54219 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
54220 !(vm_flags & vma->vm_flags))
54221 return i ? : -EFAULT;
54222 @@ -1502,13 +1507,6 @@ int __get_user_pages(struct task_struct
54227 - * If we don't actually want the page itself,
54228 - * and it's the stack guard page, just skip it.
54230 - if (!pages && stack_guard_page(vma, start))
54235 unsigned int foll_flags = gup_flags;
54236 @@ -1578,14 +1576,13 @@ int __get_user_pages(struct task_struct
54237 flush_anon_page(vma, page, start);
54238 flush_dcache_page(page);
54244 start += PAGE_SIZE;
54246 } while (nr_pages && start < vma->vm_end);
54247 - } while (nr_pages);
54252 @@ -1734,6 +1731,10 @@ static int insert_page(struct vm_area_st
54253 page_add_file_rmap(page);
54254 set_pte_at(mm, addr, pte, mk_pte(page, prot));
54256 +#ifdef CONFIG_PAX_SEGMEXEC
54257 + pax_mirror_file_pte(vma, addr, page, ptl);
54261 pte_unmap_unlock(pte, ptl);
54263 @@ -1768,10 +1769,22 @@ out:
54264 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
54268 +#ifdef CONFIG_PAX_SEGMEXEC
54269 + struct vm_area_struct *vma_m;
54272 if (addr < vma->vm_start || addr >= vma->vm_end)
54274 if (!page_count(page))
54277 +#ifdef CONFIG_PAX_SEGMEXEC
54278 + vma_m = pax_find_mirror_vma(vma);
54280 + vma_m->vm_flags |= VM_INSERTPAGE;
54283 vma->vm_flags |= VM_INSERTPAGE;
54284 return insert_page(vma, addr, page, vma->vm_page_prot);
54286 @@ -1857,6 +1870,7 @@ int vm_insert_mixed(struct vm_area_struc
54289 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
54290 + BUG_ON(vma->vm_mirror);
54292 if (addr < vma->vm_start || addr >= vma->vm_end)
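Review bot: `BUG_ON(vma->vm_mirror);` is added without the `#ifdef CONFIG_PAX_SEGMEXEC` guard that wraps every other mirror-related addition in this file, and the same unguarded line is added to remove_vma in mm/mmap.c (`@@ -232,6 +252,7 @@`). If `vm_mirror` is declared only under that option, both sites fail to build on configurations without it; if the field is unconditional, a short comment would stop the next reader from wrapping it, e.g. `BUG_ON(vma->vm_mirror); /* vm_mirror exists in every config; a mirrored vma must never reach here */`. The declaration cannot be confirmed from this chunk. vm_insert_mixed continues outside the hunk.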
54294 @@ -2172,6 +2186,186 @@ static inline void cow_user_page(struct
54295 copy_user_highpage(dst, src, va, vma);
54298 +#ifdef CONFIG_PAX_SEGMEXEC
54299 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
54301 + struct mm_struct *mm = vma->vm_mm;
54303 + pte_t *pte, entry;
54305 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
54307 + if (!pte_present(entry)) {
54308 + if (!pte_none(entry)) {
54309 + BUG_ON(pte_file(entry));
54310 + free_swap_and_cache(pte_to_swp_entry(entry));
54311 + pte_clear_not_present_full(mm, address, pte, 0);
54314 + struct page *page;
54316 + flush_cache_page(vma, address, pte_pfn(entry));
54317 + entry = ptep_clear_flush(vma, address, pte);
54318 + BUG_ON(pte_dirty(entry));
54319 + page = vm_normal_page(vma, address, entry);
54321 + update_hiwater_rss(mm);
54322 + if (PageAnon(page))
54323 + dec_mm_counter_fast(mm, MM_ANONPAGES);
54325 + dec_mm_counter_fast(mm, MM_FILEPAGES);
54326 + page_remove_rmap(page);
54327 + page_cache_release(page);
54330 + pte_unmap_unlock(pte, ptl);
54333 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
54335 + * the ptl of the lower mapped page is held on entry and is not released on exit
54336 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
54338 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
54340 + struct mm_struct *mm = vma->vm_mm;
54341 + unsigned long address_m;
54342 + spinlock_t *ptl_m;
54343 + struct vm_area_struct *vma_m;
54345 + pte_t *pte_m, entry_m;
54347 + BUG_ON(!page_m || !PageAnon(page_m));
54349 + vma_m = pax_find_mirror_vma(vma);
54353 + BUG_ON(!PageLocked(page_m));
54354 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
54355 + address_m = address + SEGMEXEC_TASK_SIZE;
54356 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
54357 + pte_m = pte_offset_map(pmd_m, address_m);
54358 + ptl_m = pte_lockptr(mm, pmd_m);
54359 + if (ptl != ptl_m) {
54360 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
54361 + if (!pte_none(*pte_m))
54365 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
54366 + page_cache_get(page_m);
54367 + page_add_anon_rmap(page_m, vma_m, address_m);
54368 + inc_mm_counter_fast(mm, MM_ANONPAGES);
54369 + set_pte_at(mm, address_m, pte_m, entry_m);
54370 + update_mmu_cache(vma_m, address_m, entry_m);
54372 + if (ptl != ptl_m)
54373 + spin_unlock(ptl_m);
54374 + pte_unmap(pte_m);
54375 + unlock_page(page_m);
54378 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
54380 + struct mm_struct *mm = vma->vm_mm;
54381 + unsigned long address_m;
54382 + spinlock_t *ptl_m;
54383 + struct vm_area_struct *vma_m;
54385 + pte_t *pte_m, entry_m;
54387 + BUG_ON(!page_m || PageAnon(page_m));
54389 + vma_m = pax_find_mirror_vma(vma);
54393 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
54394 + address_m = address + SEGMEXEC_TASK_SIZE;
54395 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
54396 + pte_m = pte_offset_map(pmd_m, address_m);
54397 + ptl_m = pte_lockptr(mm, pmd_m);
54398 + if (ptl != ptl_m) {
54399 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
54400 + if (!pte_none(*pte_m))
54404 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
54405 + page_cache_get(page_m);
54406 + page_add_file_rmap(page_m);
54407 + inc_mm_counter_fast(mm, MM_FILEPAGES);
54408 + set_pte_at(mm, address_m, pte_m, entry_m);
54409 + update_mmu_cache(vma_m, address_m, entry_m);
54411 + if (ptl != ptl_m)
54412 + spin_unlock(ptl_m);
54413 + pte_unmap(pte_m);
54416 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
54418 + struct mm_struct *mm = vma->vm_mm;
54419 + unsigned long address_m;
54420 + spinlock_t *ptl_m;
54421 + struct vm_area_struct *vma_m;
54423 + pte_t *pte_m, entry_m;
54425 + vma_m = pax_find_mirror_vma(vma);
54429 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
54430 + address_m = address + SEGMEXEC_TASK_SIZE;
54431 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
54432 + pte_m = pte_offset_map(pmd_m, address_m);
54433 + ptl_m = pte_lockptr(mm, pmd_m);
54434 + if (ptl != ptl_m) {
54435 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
54436 + if (!pte_none(*pte_m))
54440 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
54441 + set_pte_at(mm, address_m, pte_m, entry_m);
54443 + if (ptl != ptl_m)
54444 + spin_unlock(ptl_m);
54445 + pte_unmap(pte_m);
54448 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
54450 + struct page *page_m;
54453 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
54457 + page_m = vm_normal_page(vma, address, entry);
54459 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
54460 + else if (PageAnon(page_m)) {
54461 + if (pax_find_mirror_vma(vma)) {
54462 + pte_unmap_unlock(pte, ptl);
54463 + lock_page(page_m);
54464 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
54465 + if (pte_same(entry, *pte))
54466 + pax_mirror_anon_pte(vma, address, page_m, ptl);
54468 + unlock_page(page_m);
54471 + pax_mirror_file_pte(vma, address, page_m, ptl);
54474 + pte_unmap_unlock(pte, ptl);
54479 * This routine handles present pages, when users try to write
54480 * to a shared page. It is done by copying the page to a new address
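Review bot: In pax_mirror_pte the anonymous branch drops the PTE lock (`pte_unmap_unlock(pte, ptl)`) and then calls `lock_page(page_m)` without having taken a reference on page_m; nothing visible pins the page across that window, and holding mmap_sem for read does not stop reclaim from unmapping and freeing an anonymous page, so lock_page may run on a page that is already gone. The pattern do_wp_page uses (as far as I recall) fits here: `page_cache_get(page_m);` before the unlock, and `page_cache_release(page_m);` after the `unlock_page(page_m)` that follows the `pte_same` recheck. Separately, pax_mirror_anon_pte, pax_mirror_file_pte and pax_mirror_pfn_pte repeat the same mirror lookup and nested-lock prologue verbatim (`pmd_offset(pud_offset(pgd_offset(...)))`, `pte_offset_map`, `pte_lockptr`, `spin_lock_nested`, the `pte_none` check), and only the anon variant carries the comment describing the ptl contract; the non-static pax_mirror_file_pte, which insert_page calls with its ptl held, should carry the same contract, and a shared static helper for the prologue would keep the locking rule in one place.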
54481 @@ -2383,6 +2577,12 @@ gotten:
54483 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
54484 if (likely(pte_same(*page_table, orig_pte))) {
54486 +#ifdef CONFIG_PAX_SEGMEXEC
54487 + if (pax_find_mirror_vma(vma))
54488 + BUG_ON(!trylock_page(new_page));
54492 if (!PageAnon(old_page)) {
54493 dec_mm_counter_fast(mm, MM_FILEPAGES);
54494 @@ -2434,6 +2634,10 @@ gotten:
54495 page_remove_rmap(old_page);
54498 +#ifdef CONFIG_PAX_SEGMEXEC
54499 + pax_mirror_anon_pte(vma, address, new_page, ptl);
54502 /* Free the old page.. */
54503 new_page = old_page;
54504 ret |= VM_FAULT_WRITE;
54505 @@ -2844,6 +3048,11 @@ static int do_swap_page(struct mm_struct
54507 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
54508 try_to_free_swap(page);
54510 +#ifdef CONFIG_PAX_SEGMEXEC
54511 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
54517 @@ -2867,6 +3076,11 @@ static int do_swap_page(struct mm_struct
54519 /* No need to invalidate - it was non-present before */
54520 update_mmu_cache(vma, address, page_table);
54522 +#ifdef CONFIG_PAX_SEGMEXEC
54523 + pax_mirror_anon_pte(vma, address, page, ptl);
54527 pte_unmap_unlock(page_table, ptl);
54529 @@ -2886,40 +3100,6 @@ out_release:
54533 - * This is like a special single-page "expand_{down|up}wards()",
54534 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
54535 - * doesn't hit another vma.
54537 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
54539 - address &= PAGE_MASK;
54540 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
54541 - struct vm_area_struct *prev = vma->vm_prev;
54544 - * Is there a mapping abutting this one below?
54546 - * That's only ok if it's the same stack mapping
54547 - * that has gotten split..
54549 - if (prev && prev->vm_end == address)
54550 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
54552 - expand_stack(vma, address - PAGE_SIZE);
54554 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
54555 - struct vm_area_struct *next = vma->vm_next;
54557 - /* As VM_GROWSDOWN but s/below/above/ */
54558 - if (next && next->vm_start == address + PAGE_SIZE)
54559 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
54561 - expand_upwards(vma, address + PAGE_SIZE);
54567 * We enter with non-exclusive mmap_sem (to exclude vma changes,
54568 * but allow concurrent faults), and pte mapped but not yet locked.
54569 * We return with mmap_sem still held, but pte unmapped and unlocked.
54570 @@ -2928,27 +3108,23 @@ static int do_anonymous_page(struct mm_s
54571 unsigned long address, pte_t *page_table, pmd_t *pmd,
54572 unsigned int flags)
54574 - struct page *page;
54575 + struct page *page = NULL;
54579 - pte_unmap(page_table);
54581 - /* Check if we need to add a guard page to the stack */
54582 - if (check_stack_guard_page(vma, address) < 0)
54583 - return VM_FAULT_SIGBUS;
54585 - /* Use the zero-page for reads */
54586 if (!(flags & FAULT_FLAG_WRITE)) {
54587 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
54588 vma->vm_page_prot));
54589 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
54590 + ptl = pte_lockptr(mm, pmd);
54592 if (!pte_none(*page_table))
54597 /* Allocate our own private page. */
54598 + pte_unmap(page_table);
54600 if (unlikely(anon_vma_prepare(vma)))
54602 page = alloc_zeroed_user_highpage_movable(vma, address);
54603 @@ -2967,6 +3143,11 @@ static int do_anonymous_page(struct mm_s
54604 if (!pte_none(*page_table))
54607 +#ifdef CONFIG_PAX_SEGMEXEC
54608 + if (pax_find_mirror_vma(vma))
54609 + BUG_ON(!trylock_page(page));
54612 inc_mm_counter_fast(mm, MM_ANONPAGES);
54613 page_add_new_anon_rmap(page, vma, address);
54615 @@ -2974,6 +3155,12 @@ setpte:
54617 /* No need to invalidate - it was non-present before */
54618 update_mmu_cache(vma, address, page_table);
54620 +#ifdef CONFIG_PAX_SEGMEXEC
54622 + pax_mirror_anon_pte(vma, address, page, ptl);
54626 pte_unmap_unlock(page_table, ptl);
54628 @@ -3111,6 +3298,12 @@ static int __do_fault(struct mm_struct *
54630 /* Only go through if we didn't race with anybody else... */
54631 if (likely(pte_same(*page_table, orig_pte))) {
54633 +#ifdef CONFIG_PAX_SEGMEXEC
54634 + if (anon && pax_find_mirror_vma(vma))
54635 + BUG_ON(!trylock_page(page));
54638 flush_icache_page(vma, page);
54639 entry = mk_pte(page, vma->vm_page_prot);
54640 if (flags & FAULT_FLAG_WRITE)
54641 @@ -3130,6 +3323,14 @@ static int __do_fault(struct mm_struct *
54643 /* no need to invalidate: a not-present page won't be cached */
54644 update_mmu_cache(vma, address, page_table);
54646 +#ifdef CONFIG_PAX_SEGMEXEC
54648 + pax_mirror_anon_pte(vma, address, page, ptl);
54650 + pax_mirror_file_pte(vma, address, page, ptl);
54655 mem_cgroup_uncharge_page(page);
54656 @@ -3277,6 +3478,12 @@ int handle_pte_fault(struct mm_struct *m
54657 if (flags & FAULT_FLAG_WRITE)
54658 flush_tlb_fix_spurious_fault(vma, address);
54661 +#ifdef CONFIG_PAX_SEGMEXEC
54662 + pax_mirror_pte(vma, address, pte, pmd, ptl);
54667 pte_unmap_unlock(pte, ptl);
54669 @@ -3293,6 +3500,10 @@ int handle_mm_fault(struct mm_struct *mm
54673 +#ifdef CONFIG_PAX_SEGMEXEC
54674 + struct vm_area_struct *vma_m;
54677 __set_current_state(TASK_RUNNING);
54679 count_vm_event(PGFAULT);
54680 @@ -3303,6 +3514,34 @@ int handle_mm_fault(struct mm_struct *mm
54681 if (unlikely(is_vm_hugetlb_page(vma)))
54682 return hugetlb_fault(mm, vma, address, flags);
54684 +#ifdef CONFIG_PAX_SEGMEXEC
54685 + vma_m = pax_find_mirror_vma(vma);
54687 + unsigned long address_m;
54692 + if (vma->vm_start > vma_m->vm_start) {
54693 + address_m = address;
54694 + address -= SEGMEXEC_TASK_SIZE;
54697 + address_m = address + SEGMEXEC_TASK_SIZE;
54699 + pgd_m = pgd_offset(mm, address_m);
54700 + pud_m = pud_alloc(mm, pgd_m, address_m);
54702 + return VM_FAULT_OOM;
54703 + pmd_m = pmd_alloc(mm, pud_m, address_m);
54705 + return VM_FAULT_OOM;
54706 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, vma_m, pmd_m, address_m))
54707 + return VM_FAULT_OOM;
54708 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
54712 pgd = pgd_offset(mm, address);
54713 pud = pud_alloc(mm, pgd, address);
54715 @@ -3436,7 +3675,7 @@ static int __init gate_vma_init(void)
54716 gate_vma.vm_start = FIXADDR_USER_START;
54717 gate_vma.vm_end = FIXADDR_USER_END;
54718 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
54719 - gate_vma.vm_page_prot = __P101;
54720 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
54722 * Make sure the vDSO gets into every core dump.
54723 * Dumping its contents makes post-mortem fully interpretable later
54724 diff -urNp linux-2.6.38.4/mm/memory-failure.c linux-2.6.38.4/mm/memory-failure.c
54725 --- linux-2.6.38.4/mm/memory-failure.c 2011-03-14 21:20:32.000000000 -0400
54726 +++ linux-2.6.38.4/mm/memory-failure.c 2011-04-17 15:57:33.000000000 -0400
54727 @@ -58,7 +58,7 @@ int sysctl_memory_failure_early_kill __r
54729 int sysctl_memory_failure_recovery __read_mostly = 1;
54731 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
54732 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
54734 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
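Review bot: Switching `mce_bad_pages` to `atomic_long_unchecked_t` opts this counter out of whatever overflow detection the checked atomic types provide, and neither this hunk nor the `_unchecked` call sites in the remaining hunks of this file say why that is acceptable. Presumably the counter is a statistic — within this chunk it is only added to and subtracted from — rather than a reference count whose wraparound would affect object lifetime; a comment at the definition would record that: `/* statistics only, never used for lifetime or limit decisions: wraparound is harmless, hence unchecked */`. If it does feed any such decision anywhere, the checked type should stay.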
54736 @@ -1012,7 +1012,7 @@ int __memory_failure(unsigned long pfn,
54739 nr_pages = 1 << compound_trans_order(hpage);
54740 - atomic_long_add(nr_pages, &mce_bad_pages);
54741 + atomic_long_add_unchecked(nr_pages, &mce_bad_pages);
54744 * We need/can do nothing about count=0 pages.
54745 @@ -1042,7 +1042,7 @@ int __memory_failure(unsigned long pfn,
54746 if (!PageHWPoison(hpage)
54747 || (hwpoison_filter(p) && TestClearPageHWPoison(p))
54748 || (p != hpage && TestSetPageHWPoison(hpage))) {
54749 - atomic_long_sub(nr_pages, &mce_bad_pages);
54750 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
54753 set_page_hwpoison_huge_page(hpage);
54754 @@ -1100,7 +1100,7 @@ int __memory_failure(unsigned long pfn,
54756 if (hwpoison_filter(p)) {
54757 if (TestClearPageHWPoison(p))
54758 - atomic_long_sub(nr_pages, &mce_bad_pages);
54759 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
54760 unlock_page(hpage);
54763 @@ -1226,7 +1226,7 @@ int unpoison_memory(unsigned long pfn)
54766 if (TestClearPageHWPoison(p))
54767 - atomic_long_sub(nr_pages, &mce_bad_pages);
54768 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
54769 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
54772 @@ -1240,7 +1240,7 @@ int unpoison_memory(unsigned long pfn)
54774 if (TestClearPageHWPoison(page)) {
54775 pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
54776 - atomic_long_sub(nr_pages, &mce_bad_pages);
54777 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
54779 if (PageHuge(page))
54780 clear_page_hwpoison_huge_page(page);
54781 @@ -1353,7 +1353,7 @@ static int soft_offline_huge_page(struct
54784 if (!PageHWPoison(hpage))
54785 - atomic_long_add(1 << compound_trans_order(hpage), &mce_bad_pages);
54786 + atomic_long_add_unchecked(1 << compound_trans_order(hpage), &mce_bad_pages);
54787 set_page_hwpoison_huge_page(hpage);
54788 dequeue_hwpoisoned_huge_page(hpage);
54789 /* keep elevated page count for bad page */
54790 @@ -1482,7 +1482,7 @@ int soft_offline_page(struct page *page,
54794 - atomic_long_add(1, &mce_bad_pages);
54795 + atomic_long_add_unchecked(1, &mce_bad_pages);
54796 SetPageHWPoison(page);
54797 /* keep elevated page count for bad page */
54799 diff -urNp linux-2.6.38.4/mm/mempolicy.c linux-2.6.38.4/mm/mempolicy.c
54800 --- linux-2.6.38.4/mm/mempolicy.c 2011-03-14 21:20:32.000000000 -0400
54801 +++ linux-2.6.38.4/mm/mempolicy.c 2011-04-17 15:57:33.000000000 -0400
54802 @@ -643,6 +643,10 @@ static int mbind_range(struct mm_struct
54803 unsigned long vmstart;
54804 unsigned long vmend;
54806 +#ifdef CONFIG_PAX_SEGMEXEC
54807 + struct vm_area_struct *vma_m;
54810 vma = find_vma_prev(mm, start, &prev);
54811 if (!vma || vma->vm_start > start)
54813 @@ -673,6 +677,16 @@ static int mbind_range(struct mm_struct
54814 err = policy_vma(vma, new_pol);
54818 +#ifdef CONFIG_PAX_SEGMEXEC
54819 + vma_m = pax_find_mirror_vma(vma);
54821 + err = policy_vma(vma_m, new_pol);
54830 @@ -1106,6 +1120,17 @@ static long do_mbind(unsigned long start
54835 +#ifdef CONFIG_PAX_SEGMEXEC
54836 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
54837 + if (end > SEGMEXEC_TASK_SIZE)
54842 + if (end > TASK_SIZE)
54848 @@ -1324,6 +1349,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
54852 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
54853 + if (mm != current->mm &&
54854 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
54861 * Check if this process has the right to modify the specified
54862 * process. The right exists if the process has administrative
54863 @@ -1333,8 +1366,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
54865 tcred = __task_cred(task);
54866 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
54867 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
54868 - !capable(CAP_SYS_NICE)) {
54869 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
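Review bot: Dropping the `cred->uid != tcred->uid` term tightens the check — a caller whose real uid equals the target's real uid, but whose effective uid matches neither the target's real nor saved uid, is now refused unless it has CAP_SYS_NICE — yet the comment above it (`* Check if this process has the right to modify the specified / * process. The right exists if the process has administrative ...`, visible as context in the previous hunk) still describes the old rule, and the identical change is made to move_pages in mm/migrate.c (`@@ -1308,8 +1316,7 @@`). Both comments should state the new rule, e.g. `* privileges, or its effective uid matches the target's real or saved uid, or its real uid matches the target's saved uid.`, and one line on why the real-uid match alone was dropped would save the next reviewer from re-deriving it. migrate_pages continues outside the hunk.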
54873 @@ -2635,7 +2667,7 @@ int show_numa_map(struct seq_file *m, vo
54876 seq_printf(m, " file=");
54877 - seq_path(m, &file->f_path, "\n\t= ");
54878 + seq_path(m, &file->f_path, "\n\t\\= ");
54879 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
54880 seq_printf(m, " heap");
54881 } else if (vma->vm_start <= mm->start_stack &&
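Review bot: Adding the backslash to the seq_path escape set is a hardening change rather than a cosmetic one and should say so: mangle_path (if I recall correctly) emits escapes as `\ooo`, so without escaping `\` itself a mapped file whose name contains a literal backslash followed by digits is indistinguishable from an escaped control character, and a consumer that unescapes the `file=` field can be fed a forged newline or tab. Suggest `/* escape '\\' as well, so a filename cannot forge an escape sequence in the output */` above the call, and confirm that the other seq_path callers printing mapping names (show_map in fs/proc/task_mmu.c, for one) received the same escape set elsewhere in this patch. show_numa_map continues outside the hunk.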
54882 diff -urNp linux-2.6.38.4/mm/migrate.c linux-2.6.38.4/mm/migrate.c
54883 --- linux-2.6.38.4/mm/migrate.c 2011-03-14 21:20:32.000000000 -0400
54884 +++ linux-2.6.38.4/mm/migrate.c 2011-04-17 15:57:33.000000000 -0400
54885 @@ -1299,6 +1299,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
54889 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
54890 + if (mm != current->mm &&
54891 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
54898 * Check if this process has the right to modify the specified
54899 * process. The right exists if the process has administrative
54900 @@ -1308,8 +1316,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
54902 tcred = __task_cred(task);
54903 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
54904 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
54905 - !capable(CAP_SYS_NICE)) {
54906 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
54910 diff -urNp linux-2.6.38.4/mm/mlock.c linux-2.6.38.4/mm/mlock.c
54911 --- linux-2.6.38.4/mm/mlock.c 2011-04-22 19:20:59.000000000 -0400
54912 +++ linux-2.6.38.4/mm/mlock.c 2011-04-17 15:57:33.000000000 -0400
54914 #include <linux/pagemap.h>
54915 #include <linux/mempolicy.h>
54916 #include <linux/syscalls.h>
54917 +#include <linux/security.h>
54918 #include <linux/sched.h>
54919 #include <linux/module.h>
54920 #include <linux/rmap.h>
54921 @@ -380,6 +381,9 @@ static int do_mlock(unsigned long start,
54925 + if (end > TASK_SIZE)
54928 vma = find_vma_prev(current->mm, start, &prev);
54929 if (!vma || vma->vm_start > start)
54931 @@ -390,6 +394,11 @@ static int do_mlock(unsigned long start,
54932 for (nstart = start ; ; ) {
54933 unsigned int newflags;
54935 +#ifdef CONFIG_PAX_SEGMEXEC
54936 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
54940 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
54942 newflags = vma->vm_flags | VM_LOCKED;
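Review bot: `unsigned int newflags;` in do_mlock stays 32-bit while the do_mlockall hunk below (`@@ -518,17 +528,23 @@`) widens the identical variable to `unsigned long`; `vma->vm_flags` is `unsigned long`, so the assignment `newflags = vma->vm_flags | VM_LOCKED;` here still truncates any flag bits above bit 31, which is exactly what the other hunk fixes. Change the context line to `unsigned long newflags;` so both functions agree. The added `end > TASK_SIZE` check looks right as far as visible, though its return statement is not in the chunk. do_mlock continues outside the hunk.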
54943 @@ -495,6 +504,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
54944 lock_limit >>= PAGE_SHIFT;
54946 /* check against resource limits */
54947 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
54948 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
54949 error = do_mlock(start, len, 1);
54950 up_write(¤t->mm->mmap_sem);
54951 @@ -518,17 +528,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
54952 static int do_mlockall(int flags)
54954 struct vm_area_struct * vma, * prev = NULL;
54955 - unsigned int def_flags = 0;
54957 if (flags & MCL_FUTURE)
54958 - def_flags = VM_LOCKED;
54959 - current->mm->def_flags = def_flags;
54960 + current->mm->def_flags |= VM_LOCKED;
54962 + current->mm->def_flags &= ~VM_LOCKED;
54963 if (flags == MCL_FUTURE)
54966 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
54967 - unsigned int newflags;
54968 + unsigned long newflags;
54970 +#ifdef CONFIG_PAX_SEGMEXEC
54971 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
54975 + BUG_ON(vma->vm_end > TASK_SIZE);
54976 newflags = vma->vm_flags | VM_LOCKED;
54977 if (!(flags & MCL_CURRENT))
54978 newflags &= ~VM_LOCKED;
54979 @@ -560,6 +576,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
54980 lock_limit >>= PAGE_SHIFT;
54983 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
54984 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
54985 capable(CAP_IPC_LOCK))
54986 ret = do_mlockall(flags);
54987 diff -urNp linux-2.6.38.4/mm/mmap.c linux-2.6.38.4/mm/mmap.c
54988 --- linux-2.6.38.4/mm/mmap.c 2011-04-22 19:20:59.000000000 -0400
54989 +++ linux-2.6.38.4/mm/mmap.c 2011-04-22 19:25:32.000000000 -0400
54991 #define arch_rebalance_pgtables(addr, len) (addr)
54994 +static inline void verify_mm_writelocked(struct mm_struct *mm)
54996 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
54997 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
54998 + up_read(&mm->mmap_sem);
55004 static void unmap_region(struct mm_struct *mm,
55005 struct vm_area_struct *vma, struct vm_area_struct *prev,
55006 unsigned long start, unsigned long end);
55007 @@ -71,22 +81,32 @@ static void unmap_region(struct mm_struc
55008 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
55011 -pgprot_t protection_map[16] = {
55012 +pgprot_t protection_map[16] __read_only = {
55013 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
55014 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
55017 pgprot_t vm_get_page_prot(unsigned long vm_flags)
55019 - return __pgprot(pgprot_val(protection_map[vm_flags &
55020 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
55021 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
55022 pgprot_val(arch_vm_get_page_prot(vm_flags)));
55024 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
55025 + if (!(__supported_pte_mask & _PAGE_NX) &&
55026 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
55027 + (vm_flags & (VM_READ | VM_WRITE)))
55028 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
55033 EXPORT_SYMBOL(vm_get_page_prot);
55035 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
55036 int sysctl_overcommit_ratio = 50; /* default is 50% */
55037 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
55038 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
55039 struct percpu_counter vm_committed_as;
55042 @@ -232,6 +252,7 @@ static struct vm_area_struct *remove_vma
55043 struct vm_area_struct *next = vma->vm_next;
55046 + BUG_ON(vma->vm_mirror);
55047 if (vma->vm_ops && vma->vm_ops->close)
55048 vma->vm_ops->close(vma);
55049 if (vma->vm_file) {
55050 @@ -276,6 +297,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
55051 * not page aligned -Ram Gupta
55053 rlim = rlimit(RLIMIT_DATA);
55054 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
55055 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
55056 (mm->end_data - mm->start_data) > rlim)
55058 @@ -719,6 +741,12 @@ static int
55059 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
55060 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
55063 +#ifdef CONFIG_PAX_SEGMEXEC
55064 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
55068 if (is_mergeable_vma(vma, file, vm_flags) &&
55069 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
55070 if (vma->vm_pgoff == vm_pgoff)
55071 @@ -738,6 +766,12 @@ static int
55072 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
55073 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
55076 +#ifdef CONFIG_PAX_SEGMEXEC
55077 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
55081 if (is_mergeable_vma(vma, file, vm_flags) &&
55082 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
55084 @@ -780,13 +814,20 @@ can_vma_merge_after(struct vm_area_struc
55085 struct vm_area_struct *vma_merge(struct mm_struct *mm,
55086 struct vm_area_struct *prev, unsigned long addr,
55087 unsigned long end, unsigned long vm_flags,
55088 - struct anon_vma *anon_vma, struct file *file,
55089 + struct anon_vma *anon_vma, struct file *file,
55090 pgoff_t pgoff, struct mempolicy *policy)
55092 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
55093 struct vm_area_struct *area, *next;
55096 +#ifdef CONFIG_PAX_SEGMEXEC
55097 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
55098 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
55100 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
55104 * We later require that vma->vm_flags == vm_flags,
55105 * so this tests vma->vm_flags & VM_SPECIAL, too.
55106 @@ -802,6 +843,15 @@ struct vm_area_struct *vma_merge(struct
55107 if (next && next->vm_end == end) /* cases 6, 7, 8 */
55108 next = next->vm_next;
55110 +#ifdef CONFIG_PAX_SEGMEXEC
55112 + prev_m = pax_find_mirror_vma(prev);
55114 + area_m = pax_find_mirror_vma(area);
55116 + next_m = pax_find_mirror_vma(next);
55120 * Can it merge with the predecessor?
55122 @@ -821,9 +871,24 @@ struct vm_area_struct *vma_merge(struct
55124 err = vma_adjust(prev, prev->vm_start,
55125 next->vm_end, prev->vm_pgoff, NULL);
55126 - } else /* cases 2, 5, 7 */
55128 +#ifdef CONFIG_PAX_SEGMEXEC
55129 + if (!err && prev_m)
55130 + err = vma_adjust(prev_m, prev_m->vm_start,
55131 + next_m->vm_end, prev_m->vm_pgoff, NULL);
55134 + } else { /* cases 2, 5, 7 */
55135 err = vma_adjust(prev, prev->vm_start,
55136 end, prev->vm_pgoff, NULL);
55138 +#ifdef CONFIG_PAX_SEGMEXEC
55139 + if (!err && prev_m)
55140 + err = vma_adjust(prev_m, prev_m->vm_start,
55141 + end_m, prev_m->vm_pgoff, NULL);
55147 khugepaged_enter_vma_merge(prev);
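Review bot: In both mirrored branches the second `vma_adjust` on `prev_m` runs only `if (!err && prev_m)`, so if it fails after the first call succeeded, `prev` is merged but `prev_m` is not and nothing rolls that back; the next hunk (`@@ -837,12 +902,27 @@`) has the same shape for `prev_m` and `area_m`. Either that failure needs handling, or a comment should state why a half-merged original/mirror pair is tolerable. `next_m->vm_end` is also dereferenced whenever `prev_m` is set, which relies on next having a mirror too — presumably guaranteed by the equal-vm_flags precondition of the merge — and a `BUG_ON(!next_m)` or a one-line comment would make that dependency explicit. vma_merge continues outside the hunk.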
55148 @@ -837,12 +902,27 @@ struct vm_area_struct *vma_merge(struct
55149 mpol_equal(policy, vma_policy(next)) &&
55150 can_vma_merge_before(next, vm_flags,
55151 anon_vma, file, pgoff+pglen)) {
55152 - if (prev && addr < prev->vm_end) /* case 4 */
55153 + if (prev && addr < prev->vm_end) { /* case 4 */
55154 err = vma_adjust(prev, prev->vm_start,
55155 addr, prev->vm_pgoff, NULL);
55156 - else /* cases 3, 8 */
55158 +#ifdef CONFIG_PAX_SEGMEXEC
55159 + if (!err && prev_m)
55160 + err = vma_adjust(prev_m, prev_m->vm_start,
55161 + addr_m, prev_m->vm_pgoff, NULL);
55164 + } else { /* cases 3, 8 */
55165 err = vma_adjust(area, addr, next->vm_end,
55166 next->vm_pgoff - pglen, NULL);
55168 +#ifdef CONFIG_PAX_SEGMEXEC
55169 + if (!err && area_m)
55170 + err = vma_adjust(area_m, addr_m, next_m->vm_end,
55171 + next_m->vm_pgoff - pglen, NULL);
55177 khugepaged_enter_vma_merge(area);
55178 @@ -958,14 +1038,11 @@ none:
55179 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
55180 struct file *file, long pages)
55182 - const unsigned long stack_flags
55183 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
55186 mm->shared_vm += pages;
55187 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
55188 mm->exec_vm += pages;
55189 - } else if (flags & stack_flags)
55190 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
55191 mm->stack_vm += pages;
55192 if (flags & (VM_RESERVED|VM_IO))
55193 mm->reserved_vm += pages;
55194 @@ -992,7 +1069,7 @@ unsigned long do_mmap_pgoff(struct file
55195 * (the exception is when the underlying filesystem is noexec
55196 * mounted, in which case we dont add PROT_EXEC.)
55198 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
55199 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
55200 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
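Review bot: Extending the READ_IMPLIES_EXEC test from `PROT_READ` to `PROT_READ | PROT_WRITE` means a PROT_WRITE-only mapping now also picks up PROT_EXEC under that personality, and the hunk gives no rationale; if the comment above (only its noexec-mount tail is visible) still reads as mainline's note about PROT_READ implying PROT_EXEC, it is now inaccurate. Update it to name both protections and say why write-only mappings are included, e.g. `* Does the application expect PROT_READ (or PROT_WRITE) to imply PROT_EXEC?` followed by one line of reasoning. do_mmap_pgoff continues outside the hunk.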
55203 @@ -1018,7 +1095,7 @@ unsigned long do_mmap_pgoff(struct file
55204 /* Obtain the address to map to. we verify (or select) it and ensure
55205 * that it represents a valid section of the address space.
55207 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
55208 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
55209 if (addr & ~PAGE_MASK)
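Review bot: Passing `MAP_EXECUTABLE` into get_unmapped_area to convey PROT_EXEC intent overloads a flag that the core kernel otherwise ignores, and nothing at the call site says so, so a reader of an arch get_unmapped_area implementation has no way to know that `flags & MAP_EXECUTABLE` now means "the caller asked for PROT_EXEC". A comment above the call, e.g. `/* MAP_EXECUTABLE is reused to tell the arch get_unmapped_area() that this mapping will be PROT_EXEC */`, would make the convention discoverable; the line is also well past 80 columns and should be wrapped. do_mmap_pgoff's body continues outside the hunk.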
55212 @@ -1029,6 +1106,36 @@ unsigned long do_mmap_pgoff(struct file
55213 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
55214 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
55216 +#ifdef CONFIG_PAX_MPROTECT
55217 + if (mm->pax_flags & MF_PAX_MPROTECT) {
55218 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
55219 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
55220 + gr_log_rwxmmap(file);
55222 +#ifdef CONFIG_PAX_EMUPLT
55223 + vm_flags &= ~VM_EXEC;
55230 + if (!(vm_flags & VM_EXEC))
55231 + vm_flags &= ~VM_MAYEXEC;
55233 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
55234 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
55237 + vm_flags &= ~VM_MAYWRITE;
55241 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
55242 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
55243 + vm_flags &= ~VM_PAGEEXEC;
55246 if (flags & MAP_LOCKED)
55247 if (!can_do_mlock())
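Review bot: The MF_PAX_MPROTECT flag-masking block added here (the `VM_WRITE | VM_EXEC` test, the `VM_MAYEXEC` clearing, the COMPAT variant and the `~VM_MAYWRITE` else-branch) is repeated almost verbatim in the install_special_mapping hunk (`@@ -2492,6 +2982,22 @@`), differing only in the gr_log_rwxmmap/EMUPLT handling, and two copies of a security policy invite drift. Factoring the shared part into a `static unsigned long pax_mprotect_vm_flags(struct mm_struct *mm, unsigned long vm_flags)` in mm/mmap.c, with the logging and rejection left at this call site, would keep the policy reviewable in one place. Several lines of this block (the `#else`/`#endif` lines and the rejection return) are not visible here, so the exact split should be confirmed against the full patch. do_mmap_pgoff's body continues outside the hunk.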
55249 @@ -1040,6 +1147,7 @@ unsigned long do_mmap_pgoff(struct file
55250 locked += mm->locked_vm;
55251 lock_limit = rlimit(RLIMIT_MEMLOCK);
55252 lock_limit >>= PAGE_SHIFT;
55253 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
55254 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
55257 @@ -1110,6 +1218,9 @@ unsigned long do_mmap_pgoff(struct file
55261 + if (!gr_acl_handle_mmap(file, prot))
55264 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
55266 EXPORT_SYMBOL(do_mmap_pgoff);
55267 @@ -1187,10 +1298,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
55269 int vma_wants_writenotify(struct vm_area_struct *vma)
55271 - unsigned int vm_flags = vma->vm_flags;
55272 + unsigned long vm_flags = vma->vm_flags;
55274 /* If it was private or non-writable, the write bit is already clear */
55275 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
55276 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
55279 /* The backer wishes to know when pages are first written to? */
55280 @@ -1239,14 +1350,24 @@ unsigned long mmap_region(struct file *f
55281 unsigned long charged = 0;
55282 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
55284 +#ifdef CONFIG_PAX_SEGMEXEC
55285 + struct vm_area_struct *vma_m = NULL;
55289 + * mm->mmap_sem is required to protect against another thread
55290 + * changing the mappings in case we sleep.
55292 + verify_mm_writelocked(mm);
55294 /* Clear old maps */
55297 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
55298 if (vma && vma->vm_start < addr + len) {
55299 if (do_munmap(mm, addr, len))
55301 - goto munmap_back;
55302 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
55303 + BUG_ON(vma && vma->vm_start < addr + len);
55306 /* Check against address space limit. */
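Review bot: Replacing the `munmap_back` retry with `BUG_ON(vma && vma->vm_start < addr + len)` turns a condition that used to be handled by looping into a kernel panic reachable from an ordinary mmap() call; even if do_munmap is believed to always leave the range clear, a `WARN_ON_ONCE` followed by `return -ENOMEM;` fails the one call instead of the whole machine and still surfaces the broken invariant. The do_brk hunk (`@@ -2212,22 +2642,22 @@`) makes the same change and deserves the same treatment. mmap_region's body continues outside the hunk.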
55307 @@ -1295,6 +1416,16 @@ munmap_back:
55311 +#ifdef CONFIG_PAX_SEGMEXEC
55312 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
55313 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
55322 vma->vm_start = addr;
55323 vma->vm_end = addr + len;
55324 @@ -1318,6 +1449,19 @@ munmap_back:
55325 error = file->f_op->mmap(file, vma);
55327 goto unmap_and_free_vma;
55329 +#ifdef CONFIG_PAX_SEGMEXEC
55330 + if (vma_m && (vm_flags & VM_EXECUTABLE))
55331 + added_exe_file_vma(mm);
55334 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
55335 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
55336 + vma->vm_flags |= VM_PAGEEXEC;
55337 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
55341 if (vm_flags & VM_EXECUTABLE)
55342 added_exe_file_vma(mm);
55344 @@ -1353,6 +1497,11 @@ munmap_back:
55345 vma_link(mm, vma, prev, rb_link, rb_parent);
55346 file = vma->vm_file;
55348 +#ifdef CONFIG_PAX_SEGMEXEC
55350 + BUG_ON(pax_mirror_vma(vma_m, vma));
55353 /* Once vma denies write, undo our temporary denial count */
55354 if (correct_wcount)
55355 atomic_inc(&inode->i_writecount);
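Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma))` converts a failure of the mirror setup into a panic, and from the pax_mirror_vma hunk (`@@ -2410,6 +2867,39 @@`) that failure path includes `anon_vma_clone(vma_m, vma)` returning non-zero, which looks like an ordinary allocation failure; under memory pressure an exec mapping would then crash the kernel instead of returning -ENOMEM. Because vma is already linked at this point, a real error path has to unlink it again (the `unmap_and_free_vma` label below is the natural place), so this is more than a one-line fix, but a panic on OOM should not be the accepted outcome. The insert_vm_struct hunk (`@@ -2343,7 +2783,22 @@`) has the same `BUG_ON(pax_mirror_vma(vma_m, vma))`. Some lines of this hunk are not visible, and mmap_region's body continues outside it.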
55356 @@ -1361,6 +1510,7 @@ out:
55358 mm->total_vm += len >> PAGE_SHIFT;
55359 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
55360 + track_exec_limit(mm, addr, addr + len, vm_flags);
55361 if (vm_flags & VM_LOCKED) {
55362 if (!mlock_vma_pages_range(vma, addr, addr + len))
55363 mm->locked_vm += (len >> PAGE_SHIFT);
55364 @@ -1378,6 +1528,12 @@ unmap_and_free_vma:
55365 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
55369 +#ifdef CONFIG_PAX_SEGMEXEC
55371 + kmem_cache_free(vm_area_cachep, vma_m);
55374 kmem_cache_free(vm_area_cachep, vma);
55377 @@ -1385,6 +1541,44 @@ unacct_error:
55381 +bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
55384 +#ifdef CONFIG_STACK_GROWSUP
55385 + if (addr > sysctl_heap_stack_gap)
55386 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
55388 + vma = find_vma(current->mm, 0);
55389 + if (vma && (vma->vm_flags & VM_GROWSUP))
55395 + if (addr + len > vma->vm_start)
55398 + if (vma->vm_flags & VM_GROWSDOWN)
55399 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
55400 +#ifdef CONFIG_STACK_GROWSUP
55401 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
55402 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
55408 +unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
55410 + if (vma->vm_start < len)
55412 + if (!(vma->vm_flags & VM_GROWSDOWN))
55413 + return vma->vm_start - len;
55414 + if (sysctl_heap_stack_gap <= vma->vm_start - len)
55415 + return vma->vm_start - len - sysctl_heap_stack_gap;
55419 /* Get an address range which is currently unmapped.
55420 * For shmat() with addr=0.
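Review bot: In check_heap_stack_gap the CONFIG_STACK_GROWSUP branch `return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;` reads as the inverse of the VM_GROWSDOWN branch directly above it, which accepts a placement only when the distance to the stack is at least the gap; as written the growsup case accepts only placements within the gap and rejects everything further away, which looks like a flipped comparison and should probably be `>=`. Both new functions also lack header comments; suggest kernel-doc on check_heap_stack_gap stating that it returns true when [addr, addr+len) fits below @vma while keeping sysctl_heap_stack_gap from any adjacent growing stack, that @vma is the first vma ending above @addr (NULL if none), and that under CONFIG_STACK_GROWSUP the caller's @vma is overwritten by a second find_vma. For skip_heap_stack_gap, document that it returns the next candidate address below @vma, or an error value (the topdown caller tests it with IS_ERR_VALUE) when nothing fits. A few lines of both functions are not visible here.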
55422 @@ -1411,18 +1605,23 @@ arch_get_unmapped_area(struct file *filp
55423 if (flags & MAP_FIXED)
55426 +#ifdef CONFIG_PAX_RANDMMAP
55427 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
55431 addr = PAGE_ALIGN(addr);
55432 - vma = find_vma(mm, addr);
55433 - if (TASK_SIZE - len >= addr &&
55434 - (!vma || addr + len <= vma->vm_start))
55436 + if (TASK_SIZE - len >= addr) {
55437 + vma = find_vma(mm, addr);
55438 + if (check_heap_stack_gap(vma, addr, len))
55442 if (len > mm->cached_hole_size) {
55443 - start_addr = addr = mm->free_area_cache;
55444 + start_addr = addr = mm->free_area_cache;
55446 - start_addr = addr = TASK_UNMAPPED_BASE;
55447 - mm->cached_hole_size = 0;
55448 + start_addr = addr = mm->mmap_base;
55449 + mm->cached_hole_size = 0;
55453 @@ -1433,34 +1632,40 @@ full_search:
55454 * Start a new search - just in case we missed
55457 - if (start_addr != TASK_UNMAPPED_BASE) {
55458 - addr = TASK_UNMAPPED_BASE;
55459 - start_addr = addr;
55460 + if (start_addr != mm->mmap_base) {
55461 + start_addr = addr = mm->mmap_base;
55462 mm->cached_hole_size = 0;
55467 - if (!vma || addr + len <= vma->vm_start) {
55469 - * Remember the place where we stopped the search:
55471 - mm->free_area_cache = addr + len;
55474 + if (check_heap_stack_gap(vma, addr, len))
55476 if (addr + mm->cached_hole_size < vma->vm_start)
55477 mm->cached_hole_size = vma->vm_start - addr;
55478 addr = vma->vm_end;
55482 + * Remember the place where we stopped the search:
55484 + mm->free_area_cache = addr + len;
55489 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
55492 +#ifdef CONFIG_PAX_SEGMEXEC
55493 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
55498 * Is this a new hole at the lowest possible address?
55500 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
55501 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
55502 mm->free_area_cache = addr;
55503 mm->cached_hole_size = ~0UL;
55505 @@ -1478,7 +1683,7 @@ arch_get_unmapped_area_topdown(struct fi
55507 struct vm_area_struct *vma;
55508 struct mm_struct *mm = current->mm;
55509 - unsigned long addr = addr0;
55510 + unsigned long base = mm->mmap_base, addr = addr0;
55512 /* requested length too big for entire address space */
55513 if (len > TASK_SIZE)
55514 @@ -1487,13 +1692,18 @@ arch_get_unmapped_area_topdown(struct fi
55515 if (flags & MAP_FIXED)
55518 +#ifdef CONFIG_PAX_RANDMMAP
55519 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
55522 /* requesting a specific address */
55524 addr = PAGE_ALIGN(addr);
55525 - vma = find_vma(mm, addr);
55526 - if (TASK_SIZE - len >= addr &&
55527 - (!vma || addr + len <= vma->vm_start))
55529 + if (TASK_SIZE - len >= addr) {
55530 + vma = find_vma(mm, addr);
55531 + if (check_heap_stack_gap(vma, addr, len))
55536 /* check if free_area_cache is useful for us */
55537 @@ -1508,7 +1718,7 @@ arch_get_unmapped_area_topdown(struct fi
55538 /* make sure it can fit in the remaining address space */
55540 vma = find_vma(mm, addr-len);
55541 - if (!vma || addr <= vma->vm_start)
55542 + if (check_heap_stack_gap(vma, addr - len, len))
55543 /* remember the address as a hint for next time */
55544 return (mm->free_area_cache = addr-len);
55546 @@ -1525,7 +1735,7 @@ arch_get_unmapped_area_topdown(struct fi
55547 * return with success:
55549 vma = find_vma(mm, addr);
55550 - if (!vma || addr+len <= vma->vm_start)
55551 + if (check_heap_stack_gap(vma, addr, len))
55552 /* remember the address as a hint for next time */
55553 return (mm->free_area_cache = addr);
55555 @@ -1534,8 +1744,8 @@ arch_get_unmapped_area_topdown(struct fi
55556 mm->cached_hole_size = vma->vm_start - addr;
55558 /* try just below the current vma->vm_start */
55559 - addr = vma->vm_start-len;
55560 - } while (len < vma->vm_start);
55561 + addr = skip_heap_stack_gap(vma, len);
55562 + } while (!IS_ERR_VALUE(addr));
55566 @@ -1544,13 +1754,21 @@ bottomup:
55567 * can happen with large stack limits and large mmap()
55570 + mm->mmap_base = TASK_UNMAPPED_BASE;
55572 +#ifdef CONFIG_PAX_RANDMMAP
55573 + if (mm->pax_flags & MF_PAX_RANDMMAP)
55574 + mm->mmap_base += mm->delta_mmap;
55577 + mm->free_area_cache = mm->mmap_base;
55578 mm->cached_hole_size = ~0UL;
55579 - mm->free_area_cache = TASK_UNMAPPED_BASE;
55580 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
55582 * Restore the topdown base:
55584 - mm->free_area_cache = mm->mmap_base;
55585 + mm->mmap_base = base;
55586 + mm->free_area_cache = base;
55587 mm->cached_hole_size = ~0UL;
55590 @@ -1559,6 +1777,12 @@ bottomup:
55592 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
55595 +#ifdef CONFIG_PAX_SEGMEXEC
55596 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
55601 * Is this a new hole at the highest possible address?
55603 @@ -1566,8 +1790,10 @@ void arch_unmap_area_topdown(struct mm_s
55604 mm->free_area_cache = addr;
55606 /* dont allow allocations above current base */
55607 - if (mm->free_area_cache > mm->mmap_base)
55608 + if (mm->free_area_cache > mm->mmap_base) {
55609 mm->free_area_cache = mm->mmap_base;
55610 + mm->cached_hole_size = ~0UL;
55615 @@ -1675,6 +1901,28 @@ out:
55616 return prev ? prev->vm_next : vma;
55619 +#ifdef CONFIG_PAX_SEGMEXEC
55620 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
55622 + struct vm_area_struct *vma_m;
55624 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
55625 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
55626 + BUG_ON(vma->vm_mirror);
55629 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
55630 + vma_m = vma->vm_mirror;
55631 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
55632 + BUG_ON(vma->vm_file != vma_m->vm_file);
55633 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
55634 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
55635 + BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
55636 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
55642 * Verify that the stack growth is acceptable and
55643 * update accounting. This is shared with both the
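Review bot: The consistency check `BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root)` dereferences both anon_vma pointers whenever they differ, so if either side can still be NULL here (for instance a mirror whose anon_vma has not been set up yet) the BUG_ON itself oopses on a NULL pointer rather than reporting the mismatch. If the NULL case is impossible by construction, a comment saying why is warranted; otherwise guard it: `BUG_ON(vma->anon_vma != vma_m->anon_vma && (!vma->anon_vma || !vma_m->anon_vma || vma->anon_vma->root != vma_m->anon_vma->root));`. The function's return statements and closing brace are not visible in this hunk.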
55644 @@ -1691,6 +1939,7 @@ static int acct_stack_growth(struct vm_a
55647 /* Stack limit test */
55648 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
55649 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
55652 @@ -1701,6 +1950,7 @@ static int acct_stack_growth(struct vm_a
55653 locked = mm->locked_vm + grow;
55654 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
55655 limit >>= PAGE_SHIFT;
55656 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
55657 if (locked > limit && !capable(CAP_IPC_LOCK))
55660 @@ -1731,37 +1981,48 @@ static int acct_stack_growth(struct vm_a
55661 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
55662 * vma is the last one with address > vma->vm_end. Have to extend vma.
55664 +#ifndef CONFIG_IA64
55667 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
55672 if (!(vma->vm_flags & VM_GROWSUP))
55675 + /* Also guard against wrapping around to address 0. */
55676 + if (address < PAGE_ALIGN(address+1))
55677 + address = PAGE_ALIGN(address+1);
55682 * We must make sure the anon_vma is allocated
55683 * so that the anon_vma locking is not a noop.
55685 if (unlikely(anon_vma_prepare(vma)))
55687 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
55688 + if (locknext && anon_vma_prepare(vma->vm_next))
55690 vma_lock_anon_vma(vma);
55692 + vma_lock_anon_vma(vma->vm_next);
55695 * vma->vm_start/vm_end cannot change under us because the caller
55696 * is required to hold the mmap_sem in read mode. We need the
55697 - * anon_vma lock to serialize against concurrent expand_stacks.
55698 - * Also guard against wrapping around to address 0.
55699 + * anon_vma locks to serialize against concurrent expand_stacks
55700 + * and expand_upwards.
55702 - if (address < PAGE_ALIGN(address+4))
55703 - address = PAGE_ALIGN(address+4);
55705 - vma_unlock_anon_vma(vma);
55710 /* Somebody else might have raced and expanded it already */
55711 - if (address > vma->vm_end) {
55712 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
55714 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
55715 unsigned long size, grow;
55717 size = address - vma->vm_start;
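Review bot: The new gap test `vma->vm_next->vm_start - address < sysctl_heap_stack_gap` is an unsigned subtraction, so it is only meaningful if @address is guaranteed to lie below vm_next->vm_start; that appears to follow from the caller having obtained this vma from find_vma, but nothing here states it, and a wrapped result would silently pass the check. A one-line comment such as `/* address < vm_next->vm_start: find_vma() returned this vma, not vm_next */` would pin the invariant, and the mirror-image test in expand_downwards (`@@ -1808,9 +2082,17 @@`, `address - prev->vm_end`) deserves the same. Separately, the wrap-around guard changed from `PAGE_ALIGN(address+4)` to `PAGE_ALIGN(address+1)` and moved ahead of the anon_vma locking with no explanation in the adjacent comment; if the new constant is intentional, the comment should say why. expand_upwards's body continues outside the hunk.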
55718 @@ -1773,6 +2034,8 @@ int expand_upwards(struct vm_area_struct
55719 perf_event_mmap(vma);
55723 + vma_unlock_anon_vma(vma->vm_next);
55724 vma_unlock_anon_vma(vma);
55725 khugepaged_enter_vma_merge(vma);
55727 @@ -1786,6 +2049,8 @@ static int expand_downwards(struct vm_ar
55728 unsigned long address)
55731 + bool lockprev = false;
55732 + struct vm_area_struct *prev;
55735 * We must make sure the anon_vma is allocated
55736 @@ -1799,6 +2064,15 @@ static int expand_downwards(struct vm_ar
55740 + prev = vma->vm_prev;
55741 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
55742 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
55744 + if (lockprev && anon_vma_prepare(prev))
55747 + vma_lock_anon_vma(prev);
55749 vma_lock_anon_vma(vma);
55752 @@ -1808,9 +2082,17 @@ static int expand_downwards(struct vm_ar
55755 /* Somebody else might have raced and expanded it already */
55756 - if (address < vma->vm_start) {
55757 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
55759 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
55760 unsigned long size, grow;
55762 +#ifdef CONFIG_PAX_SEGMEXEC
55763 + struct vm_area_struct *vma_m;
55765 + vma_m = pax_find_mirror_vma(vma);
55768 size = vma->vm_end - address;
55769 grow = (vma->vm_start - address) >> PAGE_SHIFT;
55771 @@ -1820,11 +2102,22 @@ static int expand_downwards(struct vm_ar
55773 vma->vm_start = address;
55774 vma->vm_pgoff -= grow;
55775 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
55777 +#ifdef CONFIG_PAX_SEGMEXEC
55779 + vma_m->vm_start -= grow << PAGE_SHIFT;
55780 + vma_m->vm_pgoff -= grow;
55784 perf_event_mmap(vma);
55788 vma_unlock_anon_vma(vma);
55790 + vma_unlock_anon_vma(prev);
55791 khugepaged_enter_vma_merge(vma);
55794 @@ -1899,6 +2192,13 @@ static void remove_vma_list(struct mm_st
55796 long nrpages = vma_pages(vma);
55798 +#ifdef CONFIG_PAX_SEGMEXEC
55799 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
55800 + vma = remove_vma(vma);
55805 mm->total_vm -= nrpages;
55806 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
55807 vma = remove_vma(vma);
55808 @@ -1944,6 +2244,16 @@ detach_vmas_to_be_unmapped(struct mm_str
55809 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
55810 vma->vm_prev = NULL;
55813 +#ifdef CONFIG_PAX_SEGMEXEC
55814 + if (vma->vm_mirror) {
55815 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
55816 + vma->vm_mirror->vm_mirror = NULL;
55817 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
55818 + vma->vm_mirror = NULL;
55822 rb_erase(&vma->vm_rb, &mm->mm_rb);
55825 @@ -1972,14 +2282,33 @@ static int __split_vma(struct mm_struct
55826 struct vm_area_struct *new;
55829 +#ifdef CONFIG_PAX_SEGMEXEC
55830 + struct vm_area_struct *vma_m, *new_m = NULL;
55831 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
55834 if (is_vm_hugetlb_page(vma) && (addr &
55835 ~(huge_page_mask(hstate_vma(vma)))))
55838 +#ifdef CONFIG_PAX_SEGMEXEC
55839 + vma_m = pax_find_mirror_vma(vma);
55842 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
55846 +#ifdef CONFIG_PAX_SEGMEXEC
55848 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
55850 + kmem_cache_free(vm_area_cachep, new);
55856 /* most fields are the same, copy all, and then fixup */
55859 @@ -1992,6 +2321,22 @@ static int __split_vma(struct mm_struct
55860 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
55863 +#ifdef CONFIG_PAX_SEGMEXEC
55866 + INIT_LIST_HEAD(&new_m->anon_vma_chain);
55867 + new_m->vm_mirror = new;
55868 + new->vm_mirror = new_m;
55871 + new_m->vm_end = addr_m;
55873 + new_m->vm_start = addr_m;
55874 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
55879 pol = mpol_dup(vma_policy(vma));
55881 err = PTR_ERR(pol);
55882 @@ -2017,6 +2362,42 @@ static int __split_vma(struct mm_struct
55884 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
55886 +#ifdef CONFIG_PAX_SEGMEXEC
55887 + if (!err && vma_m) {
55888 + if (anon_vma_clone(new_m, vma_m))
55889 + goto out_free_mpol;
55892 + vma_set_policy(new_m, pol);
55894 + if (new_m->vm_file) {
55895 + get_file(new_m->vm_file);
55896 + if (vma_m->vm_flags & VM_EXECUTABLE)
55897 + added_exe_file_vma(mm);
55900 + if (new_m->vm_ops && new_m->vm_ops->open)
55901 + new_m->vm_ops->open(new_m);
55904 + err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
55905 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
55907 + err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
55910 + if (new_m->vm_ops && new_m->vm_ops->close)
55911 + new_m->vm_ops->close(new_m);
55912 + if (new_m->vm_file) {
55913 + if (vma_m->vm_flags & VM_EXECUTABLE)
55914 + removed_exe_file_vma(mm);
55915 + fput(new_m->vm_file);
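Review bot: The mirror error handling runs after the first `vma_adjust(vma, ..., new)` at the top of the hunk has already succeeded and inserted `new` into the mm, yet `goto out_free_mpol` on anon_vma_clone failure (and, as far as the visible lines show, the fall-through when the second vma_adjust fails) reaches the common cleanup that unlinks anon_vmas and frees `new`; unless the hidden cleanup lines first remove `new` from mm->mmap and the rb-tree, that frees a vma that is still reachable from the mm, a use-after-free rather than a clean -ENOMEM. The safe ordering is to prepare new_m (anon_vma_clone, policy, file reference, open) before the first vma_adjust so that every fallible step precedes any insertion, and only then perform the two vma_adjust calls. Several lines of this hunk are not shown, so confirm against the full function before acting on this.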
55925 @@ -2029,10 +2410,18 @@ static int __split_vma(struct mm_struct
55926 removed_exe_file_vma(mm);
55927 fput(new->vm_file);
55929 - unlink_anon_vmas(new);
55934 +#ifdef CONFIG_PAX_SEGMEXEC
55936 + unlink_anon_vmas(new_m);
55937 + kmem_cache_free(vm_area_cachep, new_m);
55941 + unlink_anon_vmas(new);
55942 kmem_cache_free(vm_area_cachep, new);
55945 @@ -2045,6 +2434,15 @@ static int __split_vma(struct mm_struct
55946 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
55947 unsigned long addr, int new_below)
55950 +#ifdef CONFIG_PAX_SEGMEXEC
55951 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
55952 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
55953 + if (mm->map_count >= sysctl_max_map_count-1)
55958 if (mm->map_count >= sysctl_max_map_count)
55961 @@ -2056,11 +2454,30 @@ int split_vma(struct mm_struct *mm, stru
55962 * work. This now handles partial unmappings.
55963 * Jeremy Fitzhardinge <jeremy@goop.org>
55965 +#ifdef CONFIG_PAX_SEGMEXEC
55966 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
55968 + int ret = __do_munmap(mm, start, len);
55969 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
55972 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
55975 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
55977 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
55981 struct vm_area_struct *vma, *prev, *last;
55984 + * mm->mmap_sem is required to protect against another thread
55985 + * changing the mappings in case we sleep.
55987 + verify_mm_writelocked(mm);
55989 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
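Review bot: The SEGMEXEC wrapper hands back whatever the second `__do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len)` returns after the primary range has already been unmapped, so an error from the mirror half leaves the two halves out of step while the caller sees a failed munmap as if nothing changed. If the mirror unmap cannot legitimately fail once the primary half succeeded, say so in a comment above the wrapper, e.g. `/* the mirror half cannot fail to unmap once the primary half did; an error here indicates a bug, not a recoverable condition */`, and consider warning on that return rather than propagating it. __do_munmap's body continues outside the hunk.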
55992 @@ -2134,6 +2551,8 @@ int do_munmap(struct mm_struct *mm, unsi
55993 /* Fix up all other VM information */
55994 remove_vma_list(mm, vma);
55996 + track_exec_limit(mm, start, end, 0UL);
56001 @@ -2146,22 +2565,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
56003 profile_munmap(addr);
56005 +#ifdef CONFIG_PAX_SEGMEXEC
56006 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
56007 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
56011 down_write(&mm->mmap_sem);
56012 ret = do_munmap(mm, addr, len);
56013 up_write(&mm->mmap_sem);
56017 -static inline void verify_mm_writelocked(struct mm_struct *mm)
56019 -#ifdef CONFIG_DEBUG_VM
56020 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
56022 - up_read(&mm->mmap_sem);
56028 * this is really a simplified "do_mmap". it only handles
56029 * anonymous maps. eventually we may be able to do some
56030 @@ -2175,6 +2590,7 @@ unsigned long do_brk(unsigned long addr,
56031 struct rb_node ** rb_link, * rb_parent;
56032 pgoff_t pgoff = addr >> PAGE_SHIFT;
56034 + unsigned long charged;
56036 len = PAGE_ALIGN(len);
56038 @@ -2186,16 +2602,30 @@ unsigned long do_brk(unsigned long addr,
56040 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
56042 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
56043 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
56044 + flags &= ~VM_EXEC;
56046 +#ifdef CONFIG_PAX_MPROTECT
56047 + if (mm->pax_flags & MF_PAX_MPROTECT)
56048 + flags &= ~VM_MAYEXEC;
56054 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
56055 if (error & ~PAGE_MASK)
56058 + charged = len >> PAGE_SHIFT;
56061 * mlock MCL_FUTURE?
56063 if (mm->def_flags & VM_LOCKED) {
56064 unsigned long locked, lock_limit;
56065 - locked = len >> PAGE_SHIFT;
56066 + locked = charged;
56067 locked += mm->locked_vm;
56068 lock_limit = rlimit(RLIMIT_MEMLOCK);
56069 lock_limit >>= PAGE_SHIFT;
56070 @@ -2212,22 +2642,22 @@ unsigned long do_brk(unsigned long addr,
56072 * Clear old maps. this also does some error checking for us
56075 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
56076 if (vma && vma->vm_start < addr + len) {
56077 if (do_munmap(mm, addr, len))
56079 - goto munmap_back;
56080 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
56081 + BUG_ON(vma && vma->vm_start < addr + len);
56084 /* Check against address space limits *after* clearing old maps... */
56085 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
56086 + if (!may_expand_vm(mm, charged))
56089 if (mm->map_count > sysctl_max_map_count)
56092 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
56093 + if (security_vm_enough_memory(charged))
56096 /* Can we just expand an old private anonymous mapping? */
56097 @@ -2241,7 +2671,7 @@ unsigned long do_brk(unsigned long addr,
56099 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
56101 - vm_unacct_memory(len >> PAGE_SHIFT);
56102 + vm_unacct_memory(charged);
56106 @@ -2255,11 +2685,12 @@ unsigned long do_brk(unsigned long addr,
56107 vma_link(mm, vma, prev, rb_link, rb_parent);
56109 perf_event_mmap(vma);
56110 - mm->total_vm += len >> PAGE_SHIFT;
56111 + mm->total_vm += charged;
56112 if (flags & VM_LOCKED) {
56113 if (!mlock_vma_pages_range(vma, addr, addr + len))
56114 - mm->locked_vm += (len >> PAGE_SHIFT);
56115 + mm->locked_vm += charged;
56117 + track_exec_limit(mm, addr, addr + len, flags);
56121 @@ -2306,8 +2737,10 @@ void exit_mmap(struct mm_struct *mm)
56122 * Walk the list again, actually closing and freeing it,
56123 * with preemption enabled, without holding any MM locks.
56127 + vma->vm_mirror = NULL;
56128 vma = remove_vma(vma);
56131 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
56133 @@ -2321,6 +2754,13 @@ int insert_vm_struct(struct mm_struct *
56134 struct vm_area_struct * __vma, * prev;
56135 struct rb_node ** rb_link, * rb_parent;
56137 +#ifdef CONFIG_PAX_SEGMEXEC
56138 + struct vm_area_struct *vma_m = NULL;
56141 + if (security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1))
56145 * The vm_pgoff of a purely anonymous vma should be irrelevant
56146 * until its first write fault, when page's anon_vma and index
56147 @@ -2343,7 +2783,22 @@ int insert_vm_struct(struct mm_struct *
56148 if ((vma->vm_flags & VM_ACCOUNT) &&
56149 security_vm_enough_memory_mm(mm, vma_pages(vma)))
56152 +#ifdef CONFIG_PAX_SEGMEXEC
56153 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
56154 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
56160 vma_link(mm, vma, prev, rb_link, rb_parent);
56162 +#ifdef CONFIG_PAX_SEGMEXEC
56164 + BUG_ON(pax_mirror_vma(vma_m, vma));
56170 @@ -2361,6 +2816,8 @@ struct vm_area_struct *copy_vma(struct v
56171 struct rb_node **rb_link, *rb_parent;
56172 struct mempolicy *pol;
56174 + BUG_ON(vma->vm_mirror);
56177 * If anonymous vma has not yet been faulted, update new pgoff
56178 * to match new location, to increase its chance of merging.
56179 @@ -2410,6 +2867,39 @@ struct vm_area_struct *copy_vma(struct v
56180 kmem_cache_free(vm_area_cachep, new_vma);
56184 +#ifdef CONFIG_PAX_SEGMEXEC
56185 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
56187 + struct vm_area_struct *prev_m;
56188 + struct rb_node **rb_link_m, *rb_parent_m;
56189 + struct mempolicy *pol_m;
56191 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
56192 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
56193 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
56195 + INIT_LIST_HEAD(&vma_m->anon_vma_chain);
56196 + if (anon_vma_clone(vma_m, vma))
56198 + pol_m = vma_policy(vma_m);
56200 + vma_set_policy(vma_m, pol_m);
56201 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
56202 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
56203 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
56204 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
56205 + if (vma_m->vm_file)
56206 + get_file(vma_m->vm_file);
56207 + if (vma_m->vm_ops && vma_m->vm_ops->open)
56208 + vma_m->vm_ops->open(vma_m);
56209 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
56210 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
56211 + vma_m->vm_mirror = vma;
56212 + vma->vm_mirror = vma_m;
56218 * Return true if the calling process may expand its vm space by the passed
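Review bot: pax_mirror_vma is a new cross-function entry point with non-trivial preconditions but no header comment: the `+= SEGMEXEC_TASK_SIZE` on vm_start/vm_end and the flag masking only make sense if @vma_m already holds a copy of @vma's fields, and the three BUG_ONs at the top encode the rest of the contract. Suggest kernel-doc stating that @vma_m must be an unlinked copy of @vma with vm_mirror clear, that on success it is linked at @vma's address plus SEGMEXEC_TASK_SIZE with write permission and accounting flags stripped and both vm_mirror pointers set, and what a non-zero return means (the visible failure source is anon_vma_clone). Separately, the result of `find_vma_prepare(vma->vm_mm, vma_m->vm_start, ...)` is discarded; if a vma already occupies the mirror range, vma_link would link over it, so either comment why the range is known to be empty here or check that return and fail instead of linking. Some lines of the function are not visible here.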
56219 @@ -2421,7 +2911,7 @@ int may_expand_vm(struct mm_struct *mm,
56222 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
56224 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
56225 if (cur + npages > lim)
56228 @@ -2492,6 +2982,22 @@ int install_special_mapping(struct mm_st
56229 vma->vm_start = addr;
56230 vma->vm_end = addr + len;
56232 +#ifdef CONFIG_PAX_MPROTECT
56233 + if (mm->pax_flags & MF_PAX_MPROTECT) {
56234 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
56235 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
56237 + if (!(vm_flags & VM_EXEC))
56238 + vm_flags &= ~VM_MAYEXEC;
56240 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
56241 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
56244 + vm_flags &= ~VM_MAYWRITE;
56248 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
56249 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
56251 diff -urNp linux-2.6.38.4/mm/mprotect.c linux-2.6.38.4/mm/mprotect.c
56252 --- linux-2.6.38.4/mm/mprotect.c 2011-03-14 21:20:32.000000000 -0400
56253 +++ linux-2.6.38.4/mm/mprotect.c 2011-04-17 15:57:33.000000000 -0400
56254 @@ -23,10 +23,16 @@
56255 #include <linux/mmu_notifier.h>
56256 #include <linux/migrate.h>
56257 #include <linux/perf_event.h>
56259 +#ifdef CONFIG_PAX_MPROTECT
56260 +#include <linux/elf.h>
56263 #include <asm/uaccess.h>
56264 #include <asm/pgtable.h>
56265 #include <asm/cacheflush.h>
56266 #include <asm/tlbflush.h>
56267 +#include <asm/mmu_context.h>
56269 #ifndef pgprot_modify
56270 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
56271 @@ -141,6 +147,48 @@ static void change_protection(struct vm_
56272 flush_tlb_range(vma, start, end);
56275 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
56276 +/* called while holding the mmap semaphor for writing except stack expansion */
56277 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
56279 + unsigned long oldlimit, newlimit = 0UL;
56281 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
56284 + spin_lock(&mm->page_table_lock);
56285 + oldlimit = mm->context.user_cs_limit;
56286 + if ((prot & VM_EXEC) && oldlimit < end)
56287 + /* USER_CS limit moved up */
56289 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
56290 + /* USER_CS limit moved down */
56291 + newlimit = start;
56294 + mm->context.user_cs_limit = newlimit;
56298 + cpus_clear(mm->context.cpu_user_cs_mask);
56299 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
56302 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
56304 + spin_unlock(&mm->page_table_lock);
56305 + if (newlimit == end) {
56306 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
56308 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
56309 + if (is_vm_hugetlb_page(vma))
56310 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
56312 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
56318 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
56319 unsigned long start, unsigned long end, unsigned long newflags)
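Review bot: track_exec_limit is a new entry point called from several places in mm/mmap.c, and its only documentation is the one-line locking note, which also misspells "semaphore"; a kernel-doc block is warranted. Suggest documenting that @prot carries VM_ flags rather than PROT_ bits (every caller passes vm_flags and the body tests VM_EXEC), that the limit is moved up to @end when an exec range ends above it and down to @start when a non-exec change straddles it, that the whole function is skipped unless PAGEEXEC is active and the NX bit is unsupported, and that the trailing vma walk re-applies page protections between the old and new limit. The locking sentence should also state what protects that vma walk after page_table_lock is dropped (mmap_sem held at least for read by every caller, per the existing note). The early return and the inner `if`/`else` around the limit update are not visible here.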
56320 @@ -153,11 +201,29 @@ mprotect_fixup(struct vm_area_struct *vm
56322 int dirty_accountable = 0;
56324 +#ifdef CONFIG_PAX_SEGMEXEC
56325 + struct vm_area_struct *vma_m = NULL;
56326 + unsigned long start_m, end_m;
56328 + start_m = start + SEGMEXEC_TASK_SIZE;
56329 + end_m = end + SEGMEXEC_TASK_SIZE;
56332 if (newflags == oldflags) {
56337 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
56338 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
56340 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
56343 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
56348 * If we make a private mapping writable we increase our commit;
56349 * but (without finer accounting) cannot reduce our commit if we
56350 @@ -174,6 +240,42 @@ mprotect_fixup(struct vm_area_struct *vm
56354 +#ifdef CONFIG_PAX_SEGMEXEC
56355 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
56356 + if (start != vma->vm_start) {
56357 + error = split_vma(mm, vma, start, 1);
56360 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
56361 + *pprev = (*pprev)->vm_next;
56364 + if (end != vma->vm_end) {
56365 + error = split_vma(mm, vma, end, 0);
56370 + if (pax_find_mirror_vma(vma)) {
56371 + error = __do_munmap(mm, start_m, end_m - start_m);
56375 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
56380 + vma->vm_flags = newflags;
56381 + error = pax_mirror_vma(vma_m, vma);
56383 + vma->vm_flags = oldflags;
56391 * First try to merge with previous and/or next vma.
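Review bot: `vma->vm_flags = newflags;` immediately before `pax_mirror_vma(vma_m, vma)` commits the new flags well before the success path that normally assigns them, and the restore to oldflags that follows (apparently on the error path) shows it is there to satisfy a precondition rather than to finalise the flags; without a comment a reader will take it for the real commit. Suggest `/* pax_mirror_vma() requires VM_EXEC to already be set on vma; apply newflags now and back them out if mirroring fails */` above the assignment. The `BUG_ON(!*pprev || (*pprev)->vm_next == vma)` after split_vma also encodes an assumption about where the split inserted the new vma that deserves a sentence. Much of this hunk's control flow (the else branch and the failure labels) is not visible, and mprotect_fixup's body continues outside it.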
56393 @@ -204,9 +306,21 @@ success:
56394 * vm_flags and vm_page_prot are protected by the mmap_sem
56395 * held in write mode.
56398 +#ifdef CONFIG_PAX_SEGMEXEC
56399 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
56400 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
56403 vma->vm_flags = newflags;
56405 +#ifdef CONFIG_PAX_MPROTECT
56406 + if (mm->binfmt && mm->binfmt->handle_mprotect)
56407 + mm->binfmt->handle_mprotect(vma, newflags);
56410 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
56411 - vm_get_page_prot(newflags));
56412 + vm_get_page_prot(vma->vm_flags));
56414 if (vma_wants_writenotify(vma)) {
56415 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
56416 @@ -248,6 +362,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
56421 +#ifdef CONFIG_PAX_SEGMEXEC
56422 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
56423 + if (end > SEGMEXEC_TASK_SIZE)
56428 + if (end > TASK_SIZE)
56431 if (!arch_validate_prot(prot))
56434 @@ -255,7 +380,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
56436 * Does the application expect PROT_READ to imply PROT_EXEC:
56438 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
56439 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
56442 vm_flags = calc_vm_prot_bits(prot);
56443 @@ -287,6 +412,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
56444 if (start > vma->vm_start)
56447 +#ifdef CONFIG_PAX_MPROTECT
56448 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
56449 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
56452 for (nstart = start ; ; ) {
56453 unsigned long newflags;
56455 @@ -296,6 +426,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
56457 /* newflags >> 4 shift VM_MAY% in place of VM_% */
56458 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
56459 + if (prot & (PROT_WRITE | PROT_EXEC))
56460 + gr_log_rwxmprotect(vma->vm_file);
56466 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
56470 @@ -310,6 +448,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
56471 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
56475 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
56479 if (nstart < prev->vm_end)
56480 diff -urNp linux-2.6.38.4/mm/mremap.c linux-2.6.38.4/mm/mremap.c
56481 --- linux-2.6.38.4/mm/mremap.c 2011-04-18 17:27:18.000000000 -0400
56482 +++ linux-2.6.38.4/mm/mremap.c 2011-04-17 16:53:48.000000000 -0400
56483 @@ -114,6 +114,12 @@ static void move_ptes(struct vm_area_str
56485 pte = ptep_clear_flush(vma, old_addr, old_pte);
56486 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
56488 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
56489 + if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
56490 + pte = pte_exprotect(pte);
56493 set_pte_at(mm, new_addr, new_pte, pte);
56496 @@ -273,6 +279,11 @@ static struct vm_area_struct *vma_to_res
56497 if (is_vm_hugetlb_page(vma))
56500 +#ifdef CONFIG_PAX_SEGMEXEC
56501 + if (pax_find_mirror_vma(vma))
56505 /* We can't remap across vm area boundaries */
56506 if (old_len > vma->vm_end - addr)
56508 @@ -329,20 +340,25 @@ static unsigned long mremap_to(unsigned
56509 unsigned long ret = -EINVAL;
56510 unsigned long charged = 0;
56511 unsigned long map_flags;
56512 + unsigned long pax_task_size = TASK_SIZE;
56514 if (new_addr & ~PAGE_MASK)
56517 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
56518 +#ifdef CONFIG_PAX_SEGMEXEC
56519 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
56520 + pax_task_size = SEGMEXEC_TASK_SIZE;
56523 + pax_task_size -= PAGE_SIZE;
56525 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
56528 /* Check if the location we're moving into overlaps the
56529 * old location at all, and fail if it does.
56531 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
56534 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
56535 + if (addr + old_len > new_addr && new_addr + new_len > addr)
56538 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
56539 @@ -414,6 +430,7 @@ unsigned long do_mremap(unsigned long ad
56540 struct vm_area_struct *vma;
56541 unsigned long ret = -EINVAL;
56542 unsigned long charged = 0;
56543 + unsigned long pax_task_size = TASK_SIZE;
56545 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
56547 @@ -432,6 +449,17 @@ unsigned long do_mremap(unsigned long ad
56551 +#ifdef CONFIG_PAX_SEGMEXEC
56552 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
56553 + pax_task_size = SEGMEXEC_TASK_SIZE;
56556 + pax_task_size -= PAGE_SIZE;
56558 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
56559 + old_len > pax_task_size || addr > pax_task_size-old_len)
56562 if (flags & MREMAP_FIXED) {
56563 if (flags & MREMAP_MAYMOVE)
56564 ret = mremap_to(addr, old_len, new_addr, new_len);
56565 @@ -481,6 +509,7 @@ unsigned long do_mremap(unsigned long ad
56569 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
56573 @@ -507,7 +536,13 @@ unsigned long do_mremap(unsigned long ad
56574 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
56578 + map_flags = vma->vm_flags;
56579 ret = move_vma(vma, addr, old_len, new_len, new_addr);
56580 + if (!(ret & ~PAGE_MASK)) {
56581 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
56582 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
56586 if (ret & ~PAGE_MASK)
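Review bot: In mremap_to the rewritten bound `if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)` still compares new_len against TASK_SIZE, while the matching check added to do_mremap uses pax_task_size; a new_len between SEGMEXEC_TASK_SIZE and TASK_SIZE therefore makes `pax_task_size - new_len` wrap (both operands are unsigned long) and the second clause passes. The function is protected only because do_mremap rejects such lengths before calling it, so the local check should stand on its own: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. A short comment on `pax_task_size -= PAGE_SIZE` saying what the reserved page is for would also help, since the reason is not visible here. mremap_to and do_mremap both continue outside the hunks.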
56587 diff -urNp linux-2.6.38.4/mm/nommu.c linux-2.6.38.4/mm/nommu.c
56588 --- linux-2.6.38.4/mm/nommu.c 2011-03-14 21:20:32.000000000 -0400
56589 +++ linux-2.6.38.4/mm/nommu.c 2011-04-17 15:57:33.000000000 -0400
56590 @@ -63,7 +63,6 @@ int sysctl_overcommit_memory = OVERCOMMI
56591 int sysctl_overcommit_ratio = 50; /* default is 50% */
56592 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
56593 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
56594 -int heap_stack_gap = 0;
56596 atomic_long_t mmap_pages_allocated;
56598 @@ -833,15 +832,6 @@ struct vm_area_struct *find_vma(struct m
56599 EXPORT_SYMBOL(find_vma);
56603 - * - we don't extend stack VMAs under NOMMU conditions
56605 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
56607 - return find_vma(mm, addr);
56611 * expand a stack to a given address
56612 * - not supported under NOMMU conditions
56614 @@ -1563,6 +1553,7 @@ int split_vma(struct mm_struct *mm, stru
56616 /* most fields are the same, copy all, and then fixup */
56618 + INIT_LIST_HEAD(&new->anon_vma_chain);
56619 *region = *vma->vm_region;
56620 new->vm_region = region;
56622 diff -urNp linux-2.6.38.4/mm/page_alloc.c linux-2.6.38.4/mm/page_alloc.c
56623 --- linux-2.6.38.4/mm/page_alloc.c 2011-04-18 17:27:16.000000000 -0400
56624 +++ linux-2.6.38.4/mm/page_alloc.c 2011-04-17 15:57:33.000000000 -0400
56625 @@ -644,6 +644,10 @@ static bool free_pages_prepare(struct pa
56629 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
56630 + unsigned long index = 1UL << order;
56633 trace_mm_page_free_direct(page, order);
56634 kmemcheck_free_shadow(page, order);
56636 @@ -659,6 +663,12 @@ static bool free_pages_prepare(struct pa
56637 debug_check_no_obj_freed(page_address(page),
56638 PAGE_SIZE << order);
56641 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
56642 + for (; index; --index)
56643 + sanitize_highpage(page + index - 1);
56646 arch_free_page(page, order);
56647 kernel_map_pages(page, 1 << order, 0);
56649 @@ -773,8 +783,10 @@ static int prep_new_page(struct page *pa
56650 arch_alloc_page(page, order);
56651 kernel_map_pages(page, 1 << order, 1);
56653 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
56654 if (gfp_flags & __GFP_ZERO)
56655 prep_zero_page(page, order, gfp_flags);
56658 if (order && (gfp_flags & __GFP_COMP))
56659 prep_compound_page(page, order);
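Review bot: The `#ifndef CONFIG_PAX_MEMORY_SANITIZE` around the `__GFP_ZERO` handling in prep_new_page makes allocation correctness depend on the free path having zeroed every page, and neither hunk documents that coupling; a comment on the `#ifndef`, `/* with MEMORY_SANITIZE every page is zeroed by sanitize_highpage() in free_pages_prepare(), so __GFP_ZERO needs no work here */`, would make the invariant visible to whoever next touches either function. The invariant holds only if sanitize_highpage() writes zeros rather than a fill pattern (its definition is not in these hunks) and if no page reaches the allocator without passing through free_pages_prepare(), which is worth confirming for pages first handed over at boot. prep_new_page and free_pages_prepare both extend outside the hunks.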
56660 diff -urNp linux-2.6.38.4/mm/percpu.c linux-2.6.38.4/mm/percpu.c
56661 --- linux-2.6.38.4/mm/percpu.c 2011-03-14 21:20:32.000000000 -0400
56662 +++ linux-2.6.38.4/mm/percpu.c 2011-04-17 15:57:33.000000000 -0400
56663 @@ -121,7 +121,7 @@ static unsigned int pcpu_first_unit_cpu
56664 static unsigned int pcpu_last_unit_cpu __read_mostly;
56666 /* the address of the first chunk which starts with the kernel static area */
56667 -void *pcpu_base_addr __read_mostly;
56668 +void *pcpu_base_addr __read_only;
56669 EXPORT_SYMBOL_GPL(pcpu_base_addr);
56671 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
56672 diff -urNp linux-2.6.38.4/mm/rmap.c linux-2.6.38.4/mm/rmap.c
56673 --- linux-2.6.38.4/mm/rmap.c 2011-03-14 21:20:32.000000000 -0400
56674 +++ linux-2.6.38.4/mm/rmap.c 2011-04-17 15:57:33.000000000 -0400
56675 @@ -117,6 +117,10 @@ int anon_vma_prepare(struct vm_area_stru
56676 struct anon_vma *anon_vma = vma->anon_vma;
56677 struct anon_vma_chain *avc;
56679 +#ifdef CONFIG_PAX_SEGMEXEC
56680 + struct anon_vma_chain *avc_m = NULL;
56684 if (unlikely(!anon_vma)) {
56685 struct mm_struct *mm = vma->vm_mm;
56686 @@ -126,6 +130,12 @@ int anon_vma_prepare(struct vm_area_stru
56690 +#ifdef CONFIG_PAX_SEGMEXEC
56691 + avc_m = anon_vma_chain_alloc();
56693 + goto out_enomem_free_avc;
56696 anon_vma = find_mergeable_anon_vma(vma);
56699 @@ -144,6 +154,21 @@ int anon_vma_prepare(struct vm_area_stru
56700 /* page_table_lock to protect against threads */
56701 spin_lock(&mm->page_table_lock);
56702 if (likely(!vma->anon_vma)) {
56704 +#ifdef CONFIG_PAX_SEGMEXEC
56705 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
56708 + BUG_ON(vma_m->anon_vma);
56709 + vma_m->anon_vma = anon_vma;
56710 + avc_m->anon_vma = anon_vma;
56711 + avc_m->vma = vma;
56712 + list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
56713 + list_add(&avc_m->same_anon_vma, &anon_vma->head);
56718 vma->anon_vma = anon_vma;
56719 avc->anon_vma = anon_vma;
56721 @@ -157,12 +182,24 @@ int anon_vma_prepare(struct vm_area_stru
56723 if (unlikely(allocated))
56724 anon_vma_free(allocated);
56726 +#ifdef CONFIG_PAX_SEGMEXEC
56727 + if (unlikely(avc_m))
56728 + anon_vma_chain_free(avc_m);
56732 anon_vma_chain_free(avc);
56736 out_enomem_free_avc:
56738 +#ifdef CONFIG_PAX_SEGMEXEC
56740 + anon_vma_chain_free(avc_m);
56743 anon_vma_chain_free(avc);
56746 @@ -189,7 +226,7 @@ static void anon_vma_chain_link(struct v
56747 * Attach the anon_vmas from src to dst.
56748 * Returns 0 on success, -ENOMEM on failure.
56750 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
56751 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
56753 struct anon_vma_chain *avc, *pavc;
56755 @@ -211,7 +248,7 @@ int anon_vma_clone(struct vm_area_struct
56756 * the corresponding VMA in the parent process is attached to.
56757 * Returns 0 on success, non-zero on failure.
56759 -int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
56760 +int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
56762 struct anon_vma_chain *avc;
56763 struct anon_vma *anon_vma;
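Review bot: The SEGMEXEC preallocation in anon_vma_prepare is undocumented: `avc_m = anon_vma_chain_alloc()` runs before anything checks whether this vma has a mirror, and the mirror lookup happens later under `spin_lock(&mm->page_table_lock)`, presumably because allocating there is not an option; a comment at the allocation, `/* preallocated: the mirror lookup below runs under page_table_lock */`, would explain why it is allocated speculatively and freed on the out paths. Note also that `avc_m->vma = vma` links the mirror's chain entry to the original vma rather than to vma_m; if that is intended (rmap walkers reaching the mirror through pax_find_mirror_vma), a one-line comment should say so, because it reads like a typo. anon_vma_prepare's body continues outside the hunks.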
56764 diff -urNp linux-2.6.38.4/mm/shmem.c linux-2.6.38.4/mm/shmem.c
56765 --- linux-2.6.38.4/mm/shmem.c 2011-04-18 17:27:16.000000000 -0400
56766 +++ linux-2.6.38.4/mm/shmem.c 2011-04-18 22:03:12.000000000 -0400
56768 #include <linux/percpu_counter.h>
56769 #include <linux/swap.h>
56771 -static struct vfsmount *shm_mnt;
56772 +struct vfsmount *shm_mnt;
56774 #ifdef CONFIG_SHMEM
56776 @@ -1070,6 +1070,8 @@ static int shmem_writepage(struct page *
56779 entry = shmem_swp_entry(info, index, NULL);
56784 * The more uptodate page coming down from a stacked
56785 @@ -1995,7 +1997,7 @@ static int shmem_symlink(struct inode *d
56787 info = SHMEM_I(inode);
56788 inode->i_size = len-1;
56789 - if (len <= (char *)inode - (char *)info) {
56790 + if (len <= min((char *)inode - (char *)info, 64)) {
56792 memcpy(info, symname, len);
56793 inode->i_op = &shmem_symlink_inline_operations;
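Review bot: `min((char *)inode - (char *)info, 64)` in shmem_symlink mixes a ptrdiff_t with an int; the kernel's min() macro enforces matching operand types, so this should produce a "comparison of distinct pointer types" warning, and `min_t(long, (char *)inode - (char *)info, 64)` is the intended spelling. The 64-byte cap on inline symlinks is also an unexplained constant; a comment stating why the inline region is limited (its relation to the object-size check applied to user copies is implied but not shown here) belongs next to it. shmem_symlink starts and ends outside the hunk.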
56794 diff -urNp linux-2.6.38.4/mm/slab.c linux-2.6.38.4/mm/slab.c
56795 --- linux-2.6.38.4/mm/slab.c 2011-04-18 17:27:16.000000000 -0400
56796 +++ linux-2.6.38.4/mm/slab.c 2011-04-18 22:03:34.000000000 -0400
56797 @@ -150,7 +150,7 @@
56799 /* Legal flag mask for kmem_cache_create(). */
56801 -# define CREATE_MASK (SLAB_RED_ZONE | \
56802 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_RED_ZONE | \
56803 SLAB_POISON | SLAB_HWCACHE_ALIGN | \
56805 SLAB_STORE_USER | \
56806 @@ -158,7 +158,7 @@
56807 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
56808 SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE | SLAB_NOTRACK)
56810 -# define CREATE_MASK (SLAB_HWCACHE_ALIGN | \
56811 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_HWCACHE_ALIGN | \
56813 SLAB_RECLAIM_ACCOUNT | SLAB_PANIC | \
56814 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
56815 @@ -284,7 +284,7 @@ struct kmem_list3 {
56816 * Need this for bootstrapping a per node allocator.
56818 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
56819 -static struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
56820 +static struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
56821 #define CACHE_CACHE 0
56822 #define SIZE_AC MAX_NUMNODES
56823 #define SIZE_L3 (2 * MAX_NUMNODES)
56824 @@ -534,7 +534,7 @@ static inline void *index_to_obj(struct
56825 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
56827 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
56828 - const struct slab *slab, void *obj)
56829 + const struct slab *slab, const void *obj)
56831 u32 offset = (obj - slab->s_mem);
56832 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
56833 @@ -560,14 +560,14 @@ struct cache_names {
56834 static struct cache_names __initdata cache_names[] = {
56835 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
56836 #include <linux/kmalloc_sizes.h>
56842 static struct arraycache_init initarray_cache __initdata =
56843 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
56844 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
56845 static struct arraycache_init initarray_generic =
56846 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
56847 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
56849 /* internal cache of cache description objs */
56850 static struct kmem_cache cache_cache = {
56851 @@ -1526,7 +1526,7 @@ void __init kmem_cache_init(void)
56852 sizes[INDEX_AC].cs_cachep = kmem_cache_create(names[INDEX_AC].name,
56853 sizes[INDEX_AC].cs_size,
56854 ARCH_KMALLOC_MINALIGN,
56855 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
56856 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
56859 if (INDEX_AC != INDEX_L3) {
56860 @@ -1534,7 +1534,7 @@ void __init kmem_cache_init(void)
56861 kmem_cache_create(names[INDEX_L3].name,
56862 sizes[INDEX_L3].cs_size,
56863 ARCH_KMALLOC_MINALIGN,
56864 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
56865 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
56869 @@ -1552,7 +1552,7 @@ void __init kmem_cache_init(void)
56870 sizes->cs_cachep = kmem_cache_create(names->name,
56872 ARCH_KMALLOC_MINALIGN,
56873 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
56874 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
56877 #ifdef CONFIG_ZONE_DMA
56878 @@ -4535,15 +4535,66 @@ static const struct file_operations proc
56880 static int __init slab_proc_init(void)
56882 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
56883 + mode_t gr_mode = S_IRUGO;
56885 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
56886 + gr_mode = S_IRUSR;
56889 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
56890 #ifdef CONFIG_DEBUG_SLAB_LEAK
56891 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
56892 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
56896 module_init(slab_proc_init);
56899 +void check_object_size(const void *ptr, unsigned long n, bool to)
56902 +#ifdef CONFIG_PAX_USERCOPY
56903 + struct page *page;
56904 + struct kmem_cache *cachep = NULL;
56905 + struct slab *slabp;
56906 + unsigned int objnr;
56907 + unsigned long offset;
56912 + if (ZERO_OR_NULL_PTR(ptr))
56915 + if (!virt_addr_valid(ptr))
56918 + page = virt_to_head_page(ptr);
56920 + if (!PageSlab(page)) {
56921 + if (object_is_on_stack(ptr, n) == -1)
56926 + cachep = page_get_cache(page);
56927 + if (!(cachep->flags & SLAB_USERCOPY))
56930 + slabp = page_get_slab(page);
56931 + objnr = obj_to_index(cachep, slabp, ptr);
56932 + BUG_ON(objnr >= cachep->num);
56933 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
56934 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
56938 + pax_report_usercopy(ptr, n, to, cachep ? cachep->name : NULL);
56942 +EXPORT_SYMBOL(check_object_size);
56945 * ksize - get the actual amount of memory allocated for a given object
56946 * @objp: Pointer to the object
56947 diff -urNp linux-2.6.38.4/mm/slob.c linux-2.6.38.4/mm/slob.c
56948 --- linux-2.6.38.4/mm/slob.c 2011-03-14 21:20:32.000000000 -0400
56949 +++ linux-2.6.38.4/mm/slob.c 2011-04-17 15:57:33.000000000 -0400
56951 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
56952 * alloc_pages() directly, allocating compound pages so the page order
56953 * does not have to be separately tracked, and also stores the exact
56954 - * allocation size in page->private so that it can be used to accurately
56955 + * allocation size in slob_page->size so that it can be used to accurately
56956 * provide ksize(). These objects are detected in kfree() because slob_page()
56957 * is false for them.
56962 #include <linux/kernel.h>
56963 +#include <linux/sched.h>
56964 #include <linux/slab.h>
56965 #include <linux/mm.h>
56966 #include <linux/swap.h> /* struct reclaim_state */
56967 @@ -102,7 +103,8 @@ struct slob_page {
56968 unsigned long flags; /* mandatory */
56969 atomic_t _count; /* mandatory */
56970 slobidx_t units; /* free units left in page */
56971 - unsigned long pad[2];
56972 + unsigned long pad[1];
56973 + unsigned long size; /* size when >=PAGE_SIZE */
56974 slob_t *free; /* first free slob_t in page */
56975 struct list_head list; /* linked list of free pages */
56977 @@ -135,7 +137,7 @@ static LIST_HEAD(free_slob_large);
56979 static inline int is_slob_page(struct slob_page *sp)
56981 - return PageSlab((struct page *)sp);
56982 + return PageSlab((struct page *)sp) && !sp->size;
56985 static inline void set_slob_page(struct slob_page *sp)
56986 @@ -150,7 +152,7 @@ static inline void clear_slob_page(struc
56988 static inline struct slob_page *slob_page(const void *addr)
56990 - return (struct slob_page *)virt_to_page(addr);
56991 + return (struct slob_page *)virt_to_head_page(addr);
56995 @@ -210,7 +212,7 @@ static void set_slob(slob_t *s, slobidx_
56997 * Return the size of a slob block.
56999 -static slobidx_t slob_units(slob_t *s)
57000 +static slobidx_t slob_units(const slob_t *s)
57004 @@ -220,7 +222,7 @@ static slobidx_t slob_units(slob_t *s)
57006 * Return the next free slob block pointer after this one.
57008 -static slob_t *slob_next(slob_t *s)
57009 +static slob_t *slob_next(const slob_t *s)
57011 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
57013 @@ -235,7 +237,7 @@ static slob_t *slob_next(slob_t *s)
57015 * Returns true if s is the last free block in its page.
57017 -static int slob_last(slob_t *s)
57018 +static int slob_last(const slob_t *s)
57020 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
57022 @@ -254,6 +256,7 @@ static void *slob_new_pages(gfp_t gfp, i
57026 + set_slob_page(page);
57027 return page_address(page);
57030 @@ -370,11 +373,11 @@ static void *slob_alloc(size_t size, gfp
57034 - set_slob_page(sp);
57036 spin_lock_irqsave(&slob_lock, flags);
57037 sp->units = SLOB_UNITS(PAGE_SIZE);
57040 INIT_LIST_HEAD(&sp->list);
57041 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
57042 set_slob_page_free(sp, slob_list);
57043 @@ -476,10 +479,9 @@ out:
57044 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
57047 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
57048 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
57051 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
57055 lockdep_trace_alloc(gfp);
57056 @@ -492,7 +494,10 @@ void *__kmalloc_node(size_t size, gfp_t
57061 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
57062 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
57063 + m[0].units = size;
57064 + m[1].units = align;
57065 ret = (void *)m + align;
57067 trace_kmalloc_node(_RET_IP_, ret,
57068 @@ -504,9 +509,9 @@ void *__kmalloc_node(size_t size, gfp_t
57070 ret = slob_new_pages(gfp, order, node);
57072 - struct page *page;
57073 - page = virt_to_page(ret);
57074 - page->private = size;
57075 + struct slob_page *sp;
57076 + sp = slob_page(ret);
57080 trace_kmalloc_node(_RET_IP_, ret,
57081 @@ -516,6 +521,13 @@ void *__kmalloc_node(size_t size, gfp_t
57082 kmemleak_alloc(ret, size, 1, gfp);
57086 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
57088 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
57090 + return __kmalloc_node_align(size, gfp, node, align);
57092 EXPORT_SYMBOL(__kmalloc_node);
57094 void kfree(const void *block)
57095 @@ -531,13 +543,81 @@ void kfree(const void *block)
57096 sp = slob_page(block);
57097 if (is_slob_page(sp)) {
57098 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
57099 - unsigned int *m = (unsigned int *)(block - align);
57100 - slob_free(m, *m + align);
57102 + slob_t *m = (slob_t *)(block - align);
57103 + slob_free(m, m[0].units + align);
57105 + clear_slob_page(sp);
57106 + free_slob_page(sp);
57108 put_page(&sp->page);
57111 EXPORT_SYMBOL(kfree);
57113 +void check_object_size(const void *ptr, unsigned long n, bool to)
57116 +#ifdef CONFIG_PAX_USERCOPY
57117 + struct slob_page *sp;
57118 + const slob_t *free;
57119 + const void *base;
57124 + if (ZERO_OR_NULL_PTR(ptr))
57127 + if (!virt_addr_valid(ptr))
57130 + sp = slob_page(ptr);
57131 + if (!PageSlab((struct page*)sp)) {
57132 + if (object_is_on_stack(ptr, n) == -1)
57138 + base = page_address(&sp->page);
57139 + if (base <= ptr && n <= sp->size - (ptr - base))
57144 + /* some tricky double walking to find the chunk */
57145 + base = (void *)((unsigned long)ptr & PAGE_MASK);
57148 + while (!slob_last(free) && (void *)free <= ptr) {
57149 + base = free + slob_units(free);
57150 + free = slob_next(free);
57153 + while (base < (void *)free) {
57154 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
57155 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
57158 + if (ptr < base + align)
57161 + offset = ptr - base - align;
57162 + if (offset < m) {
57163 + if (n <= m - offset)
57171 + pax_report_usercopy(ptr, n, to, NULL);
57175 +EXPORT_SYMBOL(check_object_size);
57177 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
57178 size_t ksize(const void *block)
57180 @@ -550,10 +630,10 @@ size_t ksize(const void *block)
57181 sp = slob_page(block);
57182 if (is_slob_page(sp)) {
57183 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
57184 - unsigned int *m = (unsigned int *)(block - align);
57185 - return SLOB_UNITS(*m) * SLOB_UNIT;
57186 + slob_t *m = (slob_t *)(block - align);
57187 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
57189 - return sp->page.private;
57192 EXPORT_SYMBOL(ksize);
57194 @@ -608,17 +688,25 @@ void *kmem_cache_alloc_node(struct kmem_
57198 +#ifdef CONFIG_PAX_USERCOPY
57199 + b = __kmalloc_node_align(c->size, flags, node, c->align);
57201 if (c->size < PAGE_SIZE) {
57202 b = slob_alloc(c->size, flags, c->align, node);
57203 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
57204 SLOB_UNITS(c->size) * SLOB_UNIT,
57207 + struct slob_page *sp;
57209 b = slob_new_pages(flags, get_order(c->size), node);
57210 + sp = slob_page(b);
57211 + sp->size = c->size;
57212 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
57213 PAGE_SIZE << get_order(c->size),
57220 @@ -630,10 +718,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
57222 static void __kmem_cache_free(void *b, int size)
57224 - if (size < PAGE_SIZE)
57225 + struct slob_page *sp = slob_page(b);
57227 + if (is_slob_page(sp))
57228 slob_free(b, size);
57231 + clear_slob_page(sp);
57232 + free_slob_page(sp);
57234 slob_free_pages(b, get_order(size));
57238 static void kmem_rcu_free(struct rcu_head *head)
57239 @@ -646,14 +740,23 @@ static void kmem_rcu_free(struct rcu_hea
57241 void kmem_cache_free(struct kmem_cache *c, void *b)
57243 + int size = c->size;
57245 +#ifdef CONFIG_PAX_USERCOPY
57246 + if (size + c->align < PAGE_SIZE) {
57247 + size += c->align;
57252 kmemleak_free_recursive(b, c->flags);
57253 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
57254 struct slob_rcu *slob_rcu;
57255 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
57256 - slob_rcu->size = c->size;
57257 + slob_rcu = b + (size - sizeof(struct slob_rcu));
57258 + slob_rcu->size = size;
57259 call_rcu(&slob_rcu->head, kmem_rcu_free);
57261 - __kmem_cache_free(b, c->size);
57262 + __kmem_cache_free(b, size);
57265 trace_kmem_cache_free(_RET_IP_, b);
57266 diff -urNp linux-2.6.38.4/mm/slub.c linux-2.6.38.4/mm/slub.c
57267 --- linux-2.6.38.4/mm/slub.c 2011-03-14 21:20:32.000000000 -0400
57268 +++ linux-2.6.38.4/mm/slub.c 2011-04-17 15:57:33.000000000 -0400
57269 @@ -390,7 +390,7 @@ static void print_track(const char *s, s
57273 - printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
57274 + printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
57275 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
57278 @@ -1927,6 +1927,8 @@ void kmem_cache_free(struct kmem_cache *
57280 page = virt_to_head_page(x);
57282 + BUG_ON(!PageSlab(page));
57284 slab_free(s, page, x, _RET_IP_);
57286 trace_kmem_cache_free(_RET_IP_, x);
57287 @@ -1960,7 +1962,7 @@ static int slub_min_objects;
57288 * Merge control. If this is set then no merging of slab caches will occur.
57289 * (Could be removed. This was introduced to pacify the merge skeptics.)
57291 -static int slub_nomerge;
57292 +static int slub_nomerge = 1;
57295 * Calculate the order of allocation given an slab object size.
57296 @@ -2370,7 +2372,7 @@ static int kmem_cache_open(struct kmem_c
57297 * list to avoid pounding the page allocator excessively.
57299 set_min_partial(s, ilog2(s->size));
57301 + atomic_set(&s->refcount, 1);
57303 s->remote_node_defrag_ratio = 1000;
57305 @@ -2482,8 +2484,7 @@ static inline int kmem_cache_close(struc
57306 void kmem_cache_destroy(struct kmem_cache *s)
57308 down_write(&slub_lock);
57310 - if (!s->refcount) {
57311 + if (atomic_dec_and_test(&s->refcount)) {
57312 list_del(&s->list);
57313 if (kmem_cache_close(s)) {
57314 printk(KERN_ERR "SLUB %s: %s called for cache that "
57315 @@ -2693,6 +2694,46 @@ void *__kmalloc_node(size_t size, gfp_t
57316 EXPORT_SYMBOL(__kmalloc_node);
57319 +void check_object_size(const void *ptr, unsigned long n, bool to)
57322 +#ifdef CONFIG_PAX_USERCOPY
57323 + struct page *page;
57324 + struct kmem_cache *s = NULL;
57325 + unsigned long offset;
57330 + if (ZERO_OR_NULL_PTR(ptr))
57333 + if (!virt_addr_valid(ptr))
57336 + page = virt_to_head_page(ptr);
57338 + if (!PageSlab(page)) {
57339 + if (object_is_on_stack(ptr, n) == -1)
57345 + if (!(s->flags & SLAB_USERCOPY))
57348 + offset = (ptr - page_address(page)) % s->size;
57349 + if (offset <= s->objsize && n <= s->objsize - offset)
57353 + pax_report_usercopy(ptr, n, to, s ? s->name : NULL);
57357 +EXPORT_SYMBOL(check_object_size);
57359 size_t ksize(const void *object)
57362 @@ -2958,7 +2999,7 @@ static void __init kmem_cache_bootstrap_
57365 list_add(&s->list, &slab_caches);
57366 - s->refcount = -1;
57367 + atomic_set(&s->refcount, -1);
57369 for_each_node_state(node, N_NORMAL_MEMORY) {
57370 struct kmem_cache_node *n = get_node(s, node);
57371 @@ -3075,17 +3116,17 @@ void __init kmem_cache_init(void)
57373 /* Caches that are not of the two-to-the-power-of size */
57374 if (KMALLOC_MIN_SIZE <= 32) {
57375 - kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, 0);
57376 + kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, SLAB_USERCOPY);
57380 if (KMALLOC_MIN_SIZE <= 64) {
57381 - kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, 0);
57382 + kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, SLAB_USERCOPY);
57386 for (i = KMALLOC_SHIFT_LOW; i < SLUB_PAGE_SHIFT; i++) {
57387 - kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, 0);
57388 + kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, SLAB_USERCOPY);
57392 @@ -3153,7 +3194,7 @@ static int slab_unmergeable(struct kmem_
57394 * We may have set a slab to be unmergeable during bootstrap.
57396 - if (s->refcount < 0)
57397 + if (atomic_read(&s->refcount) < 0)
57401 @@ -3212,7 +3253,7 @@ struct kmem_cache *kmem_cache_create(con
57402 down_write(&slub_lock);
57403 s = find_mergeable(size, align, flags, name, ctor);
57406 + atomic_inc(&s->refcount);
57408 * Adjust the object sizes so that we clear
57409 * the complete object on kzalloc.
57410 @@ -3221,7 +3262,7 @@ struct kmem_cache *kmem_cache_create(con
57411 s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
57413 if (sysfs_slab_alias(s, name)) {
57415 + atomic_dec(&s->refcount);
57418 up_write(&slub_lock);
57419 @@ -3954,7 +3995,7 @@ SLAB_ATTR_RO(ctor);
57421 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
57423 - return sprintf(buf, "%d\n", s->refcount - 1);
57424 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
57426 SLAB_ATTR_RO(aliases);
57428 @@ -4691,7 +4732,13 @@ static const struct file_operations proc
57430 static int __init slab_proc_init(void)
57432 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
57433 + mode_t gr_mode = S_IRUGO;
57435 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
57436 + gr_mode = S_IRUSR;
57439 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
57442 module_init(slab_proc_init);
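Review bot: The new default `slub_nomerge = 1` changes allocator behaviour for every SLUB build but leaves the comment above it, "Could be removed. This was introduced to pacify the merge skeptics.", in place, which now misdescribes the variable; replace it with the actual rationale, presumably that caches flagged SLAB_USERCOPY must not be merged with same-geometry caches that are not, or the whitelist enforced by check_object_size widens. check_object_size here is also missing the header comment it needs in slab.c, and the line that assigns `s` from the page is not present in this rendering, so the `s->flags & SLAB_USERCOPY` dereference cannot be confirmed safe from the visible lines alone. The atomic refcount operations in kmem_cache_create and kmem_cache_destroy both run under `down_write(&slub_lock)`, so only `aliases_show` and `slab_unmergeable` benefit from the atomic reads; that is a style observation, not a defect.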
57443 diff -urNp linux-2.6.38.4/mm/util.c linux-2.6.38.4/mm/util.c
57444 --- linux-2.6.38.4/mm/util.c 2011-03-14 21:20:32.000000000 -0400
57445 +++ linux-2.6.38.4/mm/util.c 2011-04-17 15:57:33.000000000 -0400
57446 @@ -219,6 +219,12 @@ EXPORT_SYMBOL(strndup_user);
57447 void arch_pick_mmap_layout(struct mm_struct *mm)
57449 mm->mmap_base = TASK_UNMAPPED_BASE;
57451 +#ifdef CONFIG_PAX_RANDMMAP
57452 + if (mm->pax_flags & MF_PAX_RANDMMAP)
57453 + mm->mmap_base += mm->delta_mmap;
57456 mm->get_unmapped_area = arch_get_unmapped_area;
57457 mm->unmap_area = arch_unmap_area;
57459 diff -urNp linux-2.6.38.4/mm/vmalloc.c linux-2.6.38.4/mm/vmalloc.c
57460 --- linux-2.6.38.4/mm/vmalloc.c 2011-03-14 21:20:32.000000000 -0400
57461 +++ linux-2.6.38.4/mm/vmalloc.c 2011-04-17 15:57:33.000000000 -0400
57462 @@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd,
57464 pte = pte_offset_kernel(pmd, addr);
57466 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
57467 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
57469 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
57470 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
57471 + BUG_ON(!pte_exec(*pte));
57472 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
57478 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
57479 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
57481 } while (pte++, addr += PAGE_SIZE, addr != end);
57484 @@ -91,6 +102,7 @@ static int vmap_pte_range(pmd_t *pmd, un
57485 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
57488 + int ret = -ENOMEM;
57491 * nr is a running index into the array which helps higher level
57492 @@ -100,17 +112,30 @@ static int vmap_pte_range(pmd_t *pmd, un
57493 pte = pte_alloc_kernel(pmd, addr);
57497 + pax_open_kernel();
57499 struct page *page = pages[*nr];
57501 - if (WARN_ON(!pte_none(*pte)))
57503 - if (WARN_ON(!page))
57505 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
57506 + if (pgprot_val(prot) & _PAGE_NX)
57509 + if (WARN_ON(!pte_none(*pte))) {
57513 + if (WARN_ON(!page)) {
57517 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
57519 } while (pte++, addr += PAGE_SIZE, addr != end);
57523 + pax_close_kernel();
57527 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
57528 @@ -191,11 +216,20 @@ int is_vmalloc_or_module_addr(const void
57529 * and fall back on vmalloc() if that fails. Others
57530 * just put it in the vmalloc space.
57532 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
57533 +#ifdef CONFIG_MODULES
57534 +#ifdef MODULES_VADDR
57535 unsigned long addr = (unsigned long)x;
57536 if (addr >= MODULES_VADDR && addr < MODULES_END)
57540 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
57541 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
57547 return is_vmalloc_addr(x);
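Review bot: The KERNEXEC test at 57541 compares `x` as a `const void *` against two casted constants, which is a relational comparison between pointers that do not belong to one object and therefore undefined in C, whereas the line just above (57536) performs the same range test on the integer `addr`. Reuse that form: `if (addr >= (unsigned long)MODULES_EXEC_VADDR && addr < (unsigned long)MODULES_EXEC_END)`. Note that `addr` is declared under `#ifdef MODULES_VADDR` (57534-57535), so the new `#if` at 57540 has to stay nested inside that block, which the visible ordering suggests it is.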
57550 @@ -216,8 +250,14 @@ struct page *vmalloc_to_page(const void
57552 if (!pgd_none(*pgd)) {
57553 pud_t *pud = pud_offset(pgd, addr);
57555 + if (!pud_large(*pud))
57557 if (!pud_none(*pud)) {
57558 pmd_t *pmd = pmd_offset(pud, addr);
57560 + if (!pmd_large(*pmd))
57562 if (!pmd_none(*pmd)) {
57565 @@ -1244,6 +1284,16 @@ static struct vm_struct *__get_vm_area_n
57566 struct vm_struct *area;
57568 BUG_ON(in_interrupt());
57570 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
57571 + if (flags & VM_KERNEXEC) {
57572 + if (start != VMALLOC_START || end != VMALLOC_END)
57574 + start = (unsigned long)MODULES_EXEC_VADDR;
57575 + end = (unsigned long)MODULES_EXEC_END;
57579 if (flags & VM_IOREMAP) {
57580 int bit = fls(size);
57582 @@ -1462,6 +1512,11 @@ void *vmap(struct page **pages, unsigned
57583 if (count > totalram_pages)
57586 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
57587 + if (!(pgprot_val(prot) & _PAGE_NX))
57588 + flags |= VM_KERNEXEC;
57591 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
57592 __builtin_return_address(0));
57594 @@ -1558,6 +1613,13 @@ void *__vmalloc_node_range(unsigned long
57595 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
57598 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
57599 + if (!(pgprot_val(prot) & _PAGE_NX))
57600 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
57601 + node, gfp_mask, caller);
57605 area = __get_vm_area_node(size, align, VM_ALLOC, start, end, node,
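Review bot: The KERNEXEC branch at 57599-57601 allocates from `VMALLOC_START`/`VMALLOC_END` unconditionally and drops the caller's `start` and `end`, while the plain path at 57605 honours them; a caller that passes an executable `prot` together with a restricted range gets a mapping somewhere else with no error. Either pass `start, end` through and let `__get_vm_area_node` reject the mismatch (it compares against VMALLOC_START/VMALLOC_END at 57572), or document the override at this call: `/* KERNEXEC: executable mappings always come from the modules region; start/end are ignored */`. The `else` that pairs the two calls falls between 57601 and 57605 and is not shown.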
57608 @@ -1597,6 +1659,7 @@ static void *__vmalloc_node(unsigned lon
57609 gfp_mask, prot, node, caller);
57613 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
57615 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
57616 @@ -1620,6 +1683,7 @@ static inline void *__vmalloc_node_flags
57617 * For tight control over page level allocator and protection flags
57618 * use __vmalloc() instead.
57621 void *vmalloc(unsigned long size)
57623 return __vmalloc_node_flags(size, -1, GFP_KERNEL | __GFP_HIGHMEM);
57624 @@ -1636,6 +1700,7 @@ EXPORT_SYMBOL(vmalloc);
57625 * For tight control over page level allocator and protection flags
57626 * use __vmalloc() instead.
57629 void *vzalloc(unsigned long size)
57631 return __vmalloc_node_flags(size, -1,
57632 @@ -1650,6 +1715,7 @@ EXPORT_SYMBOL(vzalloc);
57633 * The resulting memory area is zeroed so it can be mapped to userspace
57634 * without leaking data.
57636 +#undef vmalloc_user
57637 void *vmalloc_user(unsigned long size)
57639 struct vm_struct *area;
57640 @@ -1677,6 +1743,7 @@ EXPORT_SYMBOL(vmalloc_user);
57641 * For tight control over page level allocator and protection flags
57642 * use __vmalloc() instead.
57644 +#undef vmalloc_node
57645 void *vmalloc_node(unsigned long size, int node)
57647 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
57648 @@ -1696,6 +1763,7 @@ EXPORT_SYMBOL(vmalloc_node);
57649 * For tight control over page level allocator and protection flags
57650 * use __vmalloc_node() instead.
57652 +#undef vzalloc_node
57653 void *vzalloc_node(unsigned long size, int node)
57655 return __vmalloc_node_flags(size, node,
57656 @@ -1718,10 +1786,10 @@ EXPORT_SYMBOL(vzalloc_node);
57657 * For tight control over page level allocator and protection flags
57658 * use __vmalloc() instead.
57661 +#undef vmalloc_exec
57662 void *vmalloc_exec(unsigned long size)
57664 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
57665 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
57666 -1, __builtin_return_address(0));
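Review bot: Adding `__GFP_ZERO` at 57665 means executable vmalloc memory never carries stale contents from a previous user, a sound default for a region mapped with PAGE_KERNEL_EXEC, but the function's comment block above (57657-57658) does not mention it. Add a line there: ` * The pages are zeroed before being mapped executable.` so callers neither add a redundant memset nor rely on the old behaviour. The `#undef vmalloc_exec` at 57661 implies a same-named macro in a header that is not visible here.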
57669 @@ -1740,6 +1808,7 @@ void *vmalloc_exec(unsigned long size)
57670 * Allocate enough 32bit PA addressable pages to cover @size from the
57671 * page level allocator and map them into contiguous kernel virtual space.
57674 void *vmalloc_32(unsigned long size)
57676 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
57677 @@ -1754,6 +1823,7 @@ EXPORT_SYMBOL(vmalloc_32);
57678 * The resulting memory area is 32bit addressable and zeroed so it can be
57679 * mapped to userspace without leaking data.
57681 +#undef vmalloc_32_user
57682 void *vmalloc_32_user(unsigned long size)
57684 struct vm_struct *area;
57685 @@ -2018,6 +2088,8 @@ int remap_vmalloc_range(struct vm_area_s
57686 unsigned long uaddr = vma->vm_start;
57687 unsigned long usize = vma->vm_end - vma->vm_start;
57689 + BUG_ON(vma->vm_mirror);
57691 if ((PAGE_SIZE-1) & (unsigned long)addr)
57694 diff -urNp linux-2.6.38.4/mm/vmstat.c linux-2.6.38.4/mm/vmstat.c
57695 --- linux-2.6.38.4/mm/vmstat.c 2011-03-14 21:20:32.000000000 -0400
57696 +++ linux-2.6.38.4/mm/vmstat.c 2011-04-17 15:57:33.000000000 -0400
57697 @@ -78,7 +78,7 @@ void vm_events_fold_cpu(int cpu)
57699 * vm_stat contains the global counters
57701 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
57702 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
57703 EXPORT_SYMBOL(vm_stat);
57706 @@ -451,7 +451,7 @@ void refresh_cpu_vm_stats(int cpu)
57707 v = p->vm_stat_diff[i];
57708 p->vm_stat_diff[i] = 0;
57709 local_irq_restore(flags);
57710 - atomic_long_add(v, &zone->vm_stat[i]);
57711 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
57712 global_diff[i] += v;
57714 /* 3 seconds idle till flush */
57715 @@ -489,7 +489,7 @@ void refresh_cpu_vm_stats(int cpu)
57717 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
57718 if (global_diff[i])
57719 - atomic_long_add(global_diff[i], &vm_stat[i]);
57720 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
57724 @@ -1188,10 +1188,20 @@ static int __init setup_vmstat(void)
57725 start_cpu_timer(cpu);
57727 #ifdef CONFIG_PROC_FS
57728 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
57729 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
57730 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
57731 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
57733 + mode_t gr_mode = S_IRUGO;
57734 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
57735 + gr_mode = S_IRUSR;
57737 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
57738 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
57739 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
57740 + proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
57742 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
57744 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
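Review bot: Under CONFIG_GRKERNSEC_PROC_USERGROUP the vmstat entry is created with `gr_mode | S_IRGRP` (57740), but nothing in this hunk assigns the entry a group, so the extra bit only restricts access if the proc code elsewhere sets the gid of these entries to the configured group — presumably it does, but the coupling is invisible here. A comment at 57739 naming where the gid is applied, e.g. `/* group readability relies on the gid applied to /proc entries by the PROC_USERGROUP code */`, would make the intent checkable. The `mode_t gr_mode` declaration at 57733 follows `start_cpu_timer(cpu)` at 57725 and the enclosing braces are not shown, so confirm it is not a declaration-after-statement in the function body.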
57749 diff -urNp linux-2.6.38.4/net/8021q/vlan.c linux-2.6.38.4/net/8021q/vlan.c
57750 --- linux-2.6.38.4/net/8021q/vlan.c 2011-03-14 21:20:32.000000000 -0400
57751 +++ linux-2.6.38.4/net/8021q/vlan.c 2011-04-17 15:57:33.000000000 -0400
57752 @@ -589,8 +589,7 @@ static int vlan_ioctl_handler(struct net
57754 if (!capable(CAP_NET_ADMIN))
57756 - if ((args.u.name_type >= 0) &&
57757 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
57758 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
57759 struct vlan_net *vn;
57761 vn = net_generic(net, vlan_net_id);
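Review bot: Removing the `args.u.name_type >= 0` half of the test at 57756-57758 leaves only the upper bound, which is correct only if `name_type` is an unsigned type (the `>= 0` test was then always true and compilers warn about it); the type is not visible in this hunk. Because the survivor reads like a bounds check that lost its lower half, a comment such as `/* name_type is unsigned; only the upper bound needs checking */` would stop a future reader from reinstating it. The rest of the ioctl case is outside the hunk.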
57762 diff -urNp linux-2.6.38.4/net/atm/atm_misc.c linux-2.6.38.4/net/atm/atm_misc.c
57763 --- linux-2.6.38.4/net/atm/atm_misc.c 2011-03-14 21:20:32.000000000 -0400
57764 +++ linux-2.6.38.4/net/atm/atm_misc.c 2011-04-17 15:57:33.000000000 -0400
57765 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
57766 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
57768 atm_return(vcc, truesize);
57769 - atomic_inc(&vcc->stats->rx_drop);
57770 + atomic_inc_unchecked(&vcc->stats->rx_drop);
57773 EXPORT_SYMBOL(atm_charge);
57774 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
57777 atm_return(vcc, guess);
57778 - atomic_inc(&vcc->stats->rx_drop);
57779 + atomic_inc_unchecked(&vcc->stats->rx_drop);
57782 EXPORT_SYMBOL(atm_alloc_charge);
57783 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
57785 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
57787 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
57788 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
57790 #undef __HANDLE_ITEM
57792 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
57794 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
57796 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
57797 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
57799 #undef __HANDLE_ITEM
57801 diff -urNp linux-2.6.38.4/net/atm/proc.c linux-2.6.38.4/net/atm/proc.c
57802 --- linux-2.6.38.4/net/atm/proc.c 2011-03-14 21:20:32.000000000 -0400
57803 +++ linux-2.6.38.4/net/atm/proc.c 2011-04-17 15:57:33.000000000 -0400
57804 @@ -45,9 +45,9 @@ static void add_stats(struct seq_file *s
57805 const struct k_atm_aal_stats *stats)
57807 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
57808 - atomic_read(&stats->tx), atomic_read(&stats->tx_err),
57809 - atomic_read(&stats->rx), atomic_read(&stats->rx_err),
57810 - atomic_read(&stats->rx_drop));
57811 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
57812 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
57813 + atomic_read_unchecked(&stats->rx_drop));
57816 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
57817 @@ -191,7 +191,12 @@ static void vcc_info(struct seq_file *se
57819 struct sock *sk = sk_atm(vcc);
57821 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57822 + seq_printf(seq, "%p ", NULL);
57824 seq_printf(seq, "%p ", vcc);
57828 seq_printf(seq, "Unassigned ");
57830 @@ -218,7 +223,11 @@ static void svc_info(struct seq_file *se
57833 seq_printf(seq, sizeof(void *) == 4 ?
57834 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57835 + "N/A@%p%10s" : "N/A@%p%2s", NULL, "");
57837 "N/A@%p%10s" : "N/A@%p%2s", vcc, "");
57840 seq_printf(seq, "%3d %3d %5d ",
57841 vcc->dev->number, vcc->vpi, vcc->vci);
57842 diff -urNp linux-2.6.38.4/net/atm/resources.c linux-2.6.38.4/net/atm/resources.c
57843 --- linux-2.6.38.4/net/atm/resources.c 2011-03-14 21:20:32.000000000 -0400
57844 +++ linux-2.6.38.4/net/atm/resources.c 2011-04-17 15:57:33.000000000 -0400
57845 @@ -160,7 +160,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
57846 static void copy_aal_stats(struct k_atm_aal_stats *from,
57847 struct atm_aal_stats *to)
57849 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
57850 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
57852 #undef __HANDLE_ITEM
57854 @@ -168,7 +168,7 @@ static void copy_aal_stats(struct k_atm_
57855 static void subtract_aal_stats(struct k_atm_aal_stats *from,
57856 struct atm_aal_stats *to)
57858 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
57859 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
57861 #undef __HANDLE_ITEM
57863 diff -urNp linux-2.6.38.4/net/bridge/br_multicast.c linux-2.6.38.4/net/bridge/br_multicast.c
57864 --- linux-2.6.38.4/net/bridge/br_multicast.c 2011-04-22 19:20:59.000000000 -0400
57865 +++ linux-2.6.38.4/net/bridge/br_multicast.c 2011-04-22 19:21:47.000000000 -0400
57866 @@ -1482,7 +1482,7 @@ static int br_multicast_ipv6_rcv(struct
57867 nexthdr = ip6h->nexthdr;
57868 offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
57870 - if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
57871 + if (nexthdr != IPPROTO_ICMPV6)
57874 /* Okay, we found ICMPv6 header */
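Review bot: Dropping `offset < 0 ||` at 57871 is only safe because a failing `ipv6_skip_exthdr()` does not update `*nexthdrp`, so `nexthdr` is then still the extension-header type read at 57867 and the remaining `nexthdr != IPPROTO_ICMPV6` test rejects the packet; that is a property of a function in another file, not of anything in this hunk. If that is the reasoning, record it: `/* ipv6_skip_exthdr() leaves nexthdr untouched on failure, so the protocol check also covers offset < 0 */`. If the reason was instead a type change on `offset` (not visible here), the later uses of `offset` in this function should be re-checked for a wrapped negative value.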
57875 diff -urNp linux-2.6.38.4/net/bridge/netfilter/ebtables.c linux-2.6.38.4/net/bridge/netfilter/ebtables.c
57876 --- linux-2.6.38.4/net/bridge/netfilter/ebtables.c 2011-04-18 17:27:18.000000000 -0400
57877 +++ linux-2.6.38.4/net/bridge/netfilter/ebtables.c 2011-04-17 17:00:29.000000000 -0400
57878 @@ -1512,7 +1512,7 @@ static int do_ebt_get_ctl(struct sock *s
57879 tmp.valid_hooks = t->table->valid_hooks;
57881 mutex_unlock(&ebt_mutex);
57882 - if (copy_to_user(user, &tmp, *len) != 0){
57883 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
57884 BUGPRINT("c2u Didn't work\n");
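Review bot: The new `*len > sizeof(tmp)` guard at 57883 is the right bound for a `copy_to_user()` from a stack struct, but it is folded into the copy-failure branch, so an oversized request is logged as "c2u Didn't work" and presumably returned with the same error as a faulting pointer; a distinct check before the copy, `if (*len > sizeof(tmp)) return -EINVAL;` (the mutex is already released at 57881), separates a bad argument from a bad address. The same pattern appears in the net/core/sock.c, net/decnet/sysctl_net_decnet.c and net/ipv4/tcp_probe.c hunks below. The return after BUGPRINT is outside the hunk.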
57887 diff -urNp linux-2.6.38.4/net/can/bcm.c linux-2.6.38.4/net/can/bcm.c
57888 --- linux-2.6.38.4/net/can/bcm.c 2011-03-14 21:20:32.000000000 -0400
57889 +++ linux-2.6.38.4/net/can/bcm.c 2011-04-17 15:57:33.000000000 -0400
57890 @@ -165,9 +165,15 @@ static int bcm_proc_show(struct seq_file
57891 struct bcm_sock *bo = bcm_sk(sk);
57894 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57895 + seq_printf(m, ">>> socket %p", NULL);
57896 + seq_printf(m, " / sk %p", NULL);
57897 + seq_printf(m, " / bo %p", NULL);
57899 seq_printf(m, ">>> socket %p", sk->sk_socket);
57900 seq_printf(m, " / sk %p", sk);
57901 seq_printf(m, " / bo %p", bo);
57903 seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
57904 seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
57905 seq_printf(m, " <<<\n");
57906 diff -urNp linux-2.6.38.4/net/can/raw.c linux-2.6.38.4/net/can/raw.c
57907 --- linux-2.6.38.4/net/can/raw.c 2011-03-14 21:20:32.000000000 -0400
57908 +++ linux-2.6.38.4/net/can/raw.c 2011-04-22 19:39:11.000000000 -0400
57909 @@ -305,7 +305,12 @@ static int raw_init(struct sock *sk)
57910 static int raw_release(struct socket *sock)
57912 struct sock *sk = sock->sk;
57913 - struct raw_sock *ro = raw_sk(sk);
57914 + struct raw_sock *ro;
57921 unregister_netdevice_notifier(&ro->notifier);
57923 diff -urNp linux-2.6.38.4/net/core/dev.c linux-2.6.38.4/net/core/dev.c
57924 --- linux-2.6.38.4/net/core/dev.c 2011-03-14 21:20:32.000000000 -0400
57925 +++ linux-2.6.38.4/net/core/dev.c 2011-04-17 15:57:33.000000000 -0400
57926 @@ -1124,10 +1124,14 @@ void dev_load(struct net *net, const cha
57927 if (no_module && capable(CAP_NET_ADMIN))
57928 no_module = request_module("netdev-%s", name);
57929 if (no_module && capable(CAP_SYS_MODULE)) {
57930 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
57931 + ___request_module(true, "grsec_modharden_netdev", "%s", name);
57933 if (!request_module("%s", name))
57934 pr_err("Loading kernel module for a network device "
57935 "with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s "
57936 "instead\n", name);
57940 EXPORT_SYMBOL(dev_load);
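Review bot: The MODHARDEN branch at 57931 discards the return value of `___request_module()`, whereas the fallback at 57933 tests `request_module()` and prints the CAP_SYS_MODULE deprecation message; as far as the visible lines show, a hardened kernel loads the module and loses that diagnostic. If the log line is still wanted, mirror the existing shape: `if (___request_module(true, "grsec_modharden_netdev", "%s", name) == 0) pr_err(...)`. The `#else`/`#endif` lines (57932, 57937-57939) are not shown, so the exact branch structure is inferred.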
57941 @@ -2787,7 +2791,7 @@ int netif_rx_ni(struct sk_buff *skb)
57943 EXPORT_SYMBOL(netif_rx_ni);
57945 -static void net_tx_action(struct softirq_action *h)
57946 +static void net_tx_action(void)
57948 struct softnet_data *sd = &__get_cpu_var(softnet_data);
57950 @@ -3697,7 +3701,7 @@ void netif_napi_del(struct napi_struct *
57952 EXPORT_SYMBOL(netif_napi_del);
57954 -static void net_rx_action(struct softirq_action *h)
57955 +static void net_rx_action(void)
57957 struct softnet_data *sd = &__get_cpu_var(softnet_data);
57958 unsigned long time_limit = jiffies + 2;
57959 diff -urNp linux-2.6.38.4/net/core/sock.c linux-2.6.38.4/net/core/sock.c
57960 --- linux-2.6.38.4/net/core/sock.c 2011-03-14 21:20:32.000000000 -0400
57961 +++ linux-2.6.38.4/net/core/sock.c 2011-04-17 15:57:33.000000000 -0400
57962 @@ -934,7 +934,7 @@ int sock_getsockopt(struct socket *sock,
57966 - if (copy_to_user(optval, address, len))
57967 + if (len > sizeof(address) || copy_to_user(optval, address, len))
57971 @@ -967,7 +967,7 @@ int sock_getsockopt(struct socket *sock,
57975 - if (copy_to_user(optval, &v, len))
57976 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
57979 if (put_user(len, optlen))
57980 diff -urNp linux-2.6.38.4/net/dccp/ccids/ccid3.c linux-2.6.38.4/net/dccp/ccids/ccid3.c
57981 --- linux-2.6.38.4/net/dccp/ccids/ccid3.c 2011-03-14 21:20:32.000000000 -0400
57982 +++ linux-2.6.38.4/net/dccp/ccids/ccid3.c 2011-04-17 15:57:33.000000000 -0400
57984 static int ccid3_debug;
57985 #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
57987 -#define ccid3_pr_debug(format, a...)
57988 +#define ccid3_pr_debug(format, a...) do {} while (0)
57992 diff -urNp linux-2.6.38.4/net/dccp/dccp.h linux-2.6.38.4/net/dccp/dccp.h
57993 --- linux-2.6.38.4/net/dccp/dccp.h 2011-03-14 21:20:32.000000000 -0400
57994 +++ linux-2.6.38.4/net/dccp/dccp.h 2011-04-17 15:57:33.000000000 -0400
57995 @@ -44,9 +44,9 @@ extern int dccp_debug;
57996 #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
57997 #define dccp_debug(fmt, a...) dccp_pr_debug_cat(KERN_DEBUG fmt, ##a)
57999 -#define dccp_pr_debug(format, a...)
58000 -#define dccp_pr_debug_cat(format, a...)
58001 -#define dccp_debug(format, a...)
58002 +#define dccp_pr_debug(format, a...) do {} while (0)
58003 +#define dccp_pr_debug_cat(format, a...) do {} while (0)
58004 +#define dccp_debug(format, a...) do {} while (0)
58007 extern struct inet_hashinfo dccp_hashinfo;
58008 diff -urNp linux-2.6.38.4/net/decnet/sysctl_net_decnet.c linux-2.6.38.4/net/decnet/sysctl_net_decnet.c
58009 --- linux-2.6.38.4/net/decnet/sysctl_net_decnet.c 2011-03-14 21:20:32.000000000 -0400
58010 +++ linux-2.6.38.4/net/decnet/sysctl_net_decnet.c 2011-04-17 15:57:33.000000000 -0400
58011 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
58013 if (len > *lenp) len = *lenp;
58015 - if (copy_to_user(buffer, addr, len))
58016 + if (len > sizeof addr || copy_to_user(buffer, addr, len))
58020 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
58022 if (len > *lenp) len = *lenp;
58024 - if (copy_to_user(buffer, devname, len))
58025 + if (len > sizeof devname || copy_to_user(buffer, devname, len))
58029 diff -urNp linux-2.6.38.4/net/econet/Kconfig linux-2.6.38.4/net/econet/Kconfig
58030 --- linux-2.6.38.4/net/econet/Kconfig 2011-03-14 21:20:32.000000000 -0400
58031 +++ linux-2.6.38.4/net/econet/Kconfig 2011-04-17 15:57:33.000000000 -0400
58035 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
58036 - depends on EXPERIMENTAL && INET
58037 + depends on EXPERIMENTAL && INET && BROKEN
58039 Econet is a fairly old and slow networking protocol mainly used by
58040 Acorn computers to access file and print servers. It uses native
58041 diff -urNp linux-2.6.38.4/net/ipv4/inet_diag.c linux-2.6.38.4/net/ipv4/inet_diag.c
58042 --- linux-2.6.38.4/net/ipv4/inet_diag.c 2011-03-14 21:20:32.000000000 -0400
58043 +++ linux-2.6.38.4/net/ipv4/inet_diag.c 2011-04-17 15:57:33.000000000 -0400
58044 @@ -114,8 +114,14 @@ static int inet_csk_diag_fill(struct soc
58045 r->idiag_retrans = 0;
58047 r->id.idiag_if = sk->sk_bound_dev_if;
58049 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58050 + r->id.idiag_cookie[0] = 0;
58051 + r->id.idiag_cookie[1] = 0;
58053 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
58054 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
58057 r->id.idiag_sport = inet->inet_sport;
58058 r->id.idiag_dport = inet->inet_dport;
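Review bot: With HIDESYM the cookie is set to 0 at 58050-58051 (and likewise in the inet_twsk_diag_fill and inet_diag_fill_req hunks below), and the matching inet_diag_get_exact hunk compiles out the cookie comparison entirely, so an exact-match request is matched on the address/port tuple alone; not leaking the socket pointer is the right goal, but the request/response cross-check it provided is gone with it. An opaque per-socket value that is not an address — a counter assigned at socket creation, or a keyed hash of the pointer — would keep the check without exposing kernel addresses; at minimum a comment at 58049 should record that under HIDESYM the cookie is always 0 and userspace is expected to send INET_DIAG_NOCOOKIE. The `#else`/`#endif` lines between 58051 and 58053 are not shown.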
58059 @@ -201,8 +207,15 @@ static int inet_twsk_diag_fill(struct in
58060 r->idiag_family = tw->tw_family;
58061 r->idiag_retrans = 0;
58062 r->id.idiag_if = tw->tw_bound_dev_if;
58064 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58065 + r->id.idiag_cookie[0] = 0;
58066 + r->id.idiag_cookie[1] = 0;
58068 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
58069 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
58072 r->id.idiag_sport = tw->tw_sport;
58073 r->id.idiag_dport = tw->tw_dport;
58074 r->id.idiag_src[0] = tw->tw_rcv_saddr;
58075 @@ -285,12 +298,14 @@ static int inet_diag_get_exact(struct sk
58079 +#ifndef CONFIG_GRKERNSEC_HIDESYM
58081 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
58082 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
58083 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
58084 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
58089 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
58090 @@ -582,8 +597,14 @@ static int inet_diag_fill_req(struct sk_
58091 r->idiag_retrans = req->retrans;
58093 r->id.idiag_if = sk->sk_bound_dev_if;
58095 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58096 + r->id.idiag_cookie[0] = 0;
58097 + r->id.idiag_cookie[1] = 0;
58099 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
58100 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
58103 tmo = req->expires - jiffies;
58105 diff -urNp linux-2.6.38.4/net/ipv4/inet_hashtables.c linux-2.6.38.4/net/ipv4/inet_hashtables.c
58106 --- linux-2.6.38.4/net/ipv4/inet_hashtables.c 2011-03-14 21:20:32.000000000 -0400
58107 +++ linux-2.6.38.4/net/ipv4/inet_hashtables.c 2011-04-17 15:57:33.000000000 -0400
58108 @@ -18,11 +18,14 @@
58109 #include <linux/sched.h>
58110 #include <linux/slab.h>
58111 #include <linux/wait.h>
58112 +#include <linux/security.h>
58114 #include <net/inet_connection_sock.h>
58115 #include <net/inet_hashtables.h>
58116 #include <net/route.h>
58117 #include <net/ip.h>
58119 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
58122 * Allocate and initialize a new local port bind bucket.
58123 * The bindhash mutex for snum's hash chain must be held here.
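Review bot: The prototype for `gr_update_task_in_ip_table()` at 58119 is declared `extern` inside a .c file, so the compiler cannot check it against the definition in the grsecurity code; if the argument types drift, the call at 58128 in the next hunk silently passes the wrong thing. Move the declaration into a header both sides include (the new `#include <linux/security.h>` at 58112 suggests one already exists for this purpose). The same pattern appears in the net/ipv4/tcp_ipv4.c, net/ipv4/tcp_minisocks.c, net/ipv4/tcp_timer.c and net/ipv4/udp.c hunks below (`grsec_enable_blackhole`, `grsec_lastack_retries`, `gr_search_udp_*`).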
58124 @@ -529,6 +532,8 @@ ok:
58125 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
58126 spin_unlock(&head->lock);
58128 + gr_update_task_in_ip_table(current, inet_sk(sk));
58131 inet_twsk_deschedule(tw, death_row);
58133 diff -urNp linux-2.6.38.4/net/ipv4/inetpeer.c linux-2.6.38.4/net/ipv4/inetpeer.c
58134 --- linux-2.6.38.4/net/ipv4/inetpeer.c 2011-03-14 21:20:32.000000000 -0400
58135 +++ linux-2.6.38.4/net/ipv4/inetpeer.c 2011-04-17 15:57:33.000000000 -0400
58136 @@ -509,8 +509,8 @@ struct inet_peer *inet_getpeer(struct in
58139 atomic_set(&p->refcnt, 1);
58140 - atomic_set(&p->rid, 0);
58141 - atomic_set(&p->ip_id_count, secure_ip_id(daddr->a4));
58142 + atomic_set_unchecked(&p->rid, 0);
58143 + atomic_set_unchecked(&p->ip_id_count, secure_ip_id(daddr->a4));
58144 p->tcp_ts_stamp = 0;
58145 INIT_LIST_HEAD(&p->unused);
58147 diff -urNp linux-2.6.38.4/net/ipv4/ip_fragment.c linux-2.6.38.4/net/ipv4/ip_fragment.c
58148 --- linux-2.6.38.4/net/ipv4/ip_fragment.c 2011-03-14 21:20:32.000000000 -0400
58149 +++ linux-2.6.38.4/net/ipv4/ip_fragment.c 2011-04-17 15:57:33.000000000 -0400
58150 @@ -298,7 +298,7 @@ static inline int ip_frag_too_far(struct
58154 - end = atomic_inc_return(&peer->rid);
58155 + end = atomic_inc_return_unchecked(&peer->rid);
58158 rc = qp->q.fragments && (end - start) > max;
58159 diff -urNp linux-2.6.38.4/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.38.4/net/ipv4/netfilter/nf_nat_snmp_basic.c
58160 --- linux-2.6.38.4/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-03-14 21:20:32.000000000 -0400
58161 +++ linux-2.6.38.4/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-04-17 15:57:33.000000000 -0400
58162 @@ -398,7 +398,7 @@ static unsigned char asn1_octets_decode(
58166 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
58167 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
58168 if (*octets == NULL) {
58169 if (net_ratelimit())
58170 pr_notice("OOM in bsalg (%d)\n", __LINE__);
58171 diff -urNp linux-2.6.38.4/net/ipv4/raw.c linux-2.6.38.4/net/ipv4/raw.c
58172 --- linux-2.6.38.4/net/ipv4/raw.c 2011-03-14 21:20:32.000000000 -0400
58173 +++ linux-2.6.38.4/net/ipv4/raw.c 2011-04-17 15:57:33.000000000 -0400
58174 @@ -724,15 +724,19 @@ static int raw_init(struct sock *sk)
58176 static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
58178 + struct icmp_filter filter;
58180 if (optlen > sizeof(struct icmp_filter))
58181 optlen = sizeof(struct icmp_filter);
58182 - if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
58183 + if (copy_from_user(&filter, optval, optlen))
58185 + memcpy(&raw_sk(sk)->filter, &filter, sizeof(filter));
58189 static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
58191 + struct icmp_filter filter;
58192 int len, ret = -EFAULT;
58194 if (get_user(len, optlen))
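Review bot: In raw_seticmpfilter the stack `filter` at 58178 is never initialised, `optlen` may be smaller than `sizeof(struct icmp_filter)` (58180-58181 only clamp it downward), yet 58185 copies `sizeof(filter)` bytes into the socket; for a short optlen the tail of the socket's filter is overwritten with uninitialised stack bytes, where the old direct `copy_from_user` left those bytes untouched. Copy only what was received, `memcpy(&raw_sk(sk)->filter, &filter, optlen);`, which is what the IPv6 counterpart in the net/ipv6/raw.c hunk does, or start from `struct icmp_filter filter = raw_sk(sk)->filter;` to preserve the previous contents. A comment saying why the bounce buffer is used at all (presumably so that the user copy targets a known-size stack object) would help the next reader. The function's return is outside the hunk.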
58195 @@ -743,8 +747,9 @@ static int raw_geticmpfilter(struct sock
58196 if (len > sizeof(struct icmp_filter))
58197 len = sizeof(struct icmp_filter);
58199 + memcpy(&filter, &raw_sk(sk)->filter, len);
58200 if (put_user(len, optlen) ||
58201 - copy_to_user(optval, &raw_sk(sk)->filter, len))
58202 + copy_to_user(optval, &filter, len))
58206 diff -urNp linux-2.6.38.4/net/ipv4/route.c linux-2.6.38.4/net/ipv4/route.c
58207 --- linux-2.6.38.4/net/ipv4/route.c 2011-04-22 19:20:59.000000000 -0400
58208 +++ linux-2.6.38.4/net/ipv4/route.c 2011-04-22 19:21:47.000000000 -0400
58209 @@ -2857,7 +2857,7 @@ static int rt_fill_info(struct net *net,
58210 expires = rt->dst.expires ? rt->dst.expires - jiffies : 0;
58212 inet_peer_refcheck(rt->peer);
58213 - id = atomic_read(&rt->peer->ip_id_count) & 0xffff;
58214 + id = atomic_read_unchecked(&rt->peer->ip_id_count) & 0xffff;
58215 if (rt->peer->tcp_ts_stamp) {
58216 ts = rt->peer->tcp_ts;
58217 tsage = get_seconds() - rt->peer->tcp_ts_stamp;
58218 diff -urNp linux-2.6.38.4/net/ipv4/tcp_ipv4.c linux-2.6.38.4/net/ipv4/tcp_ipv4.c
58219 --- linux-2.6.38.4/net/ipv4/tcp_ipv4.c 2011-03-14 21:20:32.000000000 -0400
58220 +++ linux-2.6.38.4/net/ipv4/tcp_ipv4.c 2011-04-17 15:57:33.000000000 -0400
58221 @@ -86,6 +86,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
58222 int sysctl_tcp_low_latency __read_mostly;
58223 EXPORT_SYMBOL(sysctl_tcp_low_latency);
58225 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58226 +extern int grsec_enable_blackhole;
58229 #ifdef CONFIG_TCP_MD5SIG
58230 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
58231 @@ -1593,6 +1596,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
58235 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58236 + if (!grsec_enable_blackhole)
58238 tcp_v4_send_reset(rsk, skb);
58241 @@ -1655,12 +1661,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
58242 TCP_SKB_CB(skb)->sacked = 0;
58244 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
58247 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58250 goto no_tcp_socket;
58254 - if (sk->sk_state == TCP_TIME_WAIT)
58255 + if (sk->sk_state == TCP_TIME_WAIT) {
58256 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58262 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
58263 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
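Review bot: The BLACKHOLE changes in tcp_v4_rcv turn `ret` into a marker for how `no_tcp_socket` was reached — the next hunk tests `ret == 1` at 58269 to decide whether a reset is still sent on loopback — but `ret` is otherwise the return value of `tcp_v4_do_rcv`, and the assignments that give it those sentinel meanings fall in the lines not shown (58248-58249, 58257-58261). Name the sentinels and comment them where they are set, e.g. `/* BLACKHOLE: ret == 1 marks "no socket"; checked at no_tcp_socket to allow RST on loopback only */`, or use a separate local so the two roles do not share one variable. The TIME_WAIT block opened at 58255 closes outside the visible lines.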
58264 @@ -1710,6 +1723,10 @@ no_tcp_socket:
58266 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
58268 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58269 + if (!grsec_enable_blackhole || (ret == 1 &&
58270 + (skb->dev->flags & IFF_LOOPBACK)))
58272 tcp_v4_send_reset(NULL, skb);
58275 @@ -2373,7 +2390,11 @@ static void get_openreq4(struct sock *sk
58276 0, /* non standard timer */
58277 0, /* open_requests have no inode */
58278 atomic_read(&sk->sk_refcnt),
58279 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58287 @@ -2423,7 +2444,12 @@ static void get_tcp4_sock(struct sock *s
58289 icsk->icsk_probes_out,
58291 - atomic_read(&sk->sk_refcnt), sk,
58292 + atomic_read(&sk->sk_refcnt),
58293 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58298 jiffies_to_clock_t(icsk->icsk_rto),
58299 jiffies_to_clock_t(icsk->icsk_ack.ato),
58300 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
58301 @@ -2451,7 +2477,13 @@ static void get_timewait4_sock(struct in
58302 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
58303 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
58304 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
58305 - atomic_read(&tw->tw_refcnt), tw, len);
58306 + atomic_read(&tw->tw_refcnt),
58307 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58316 diff -urNp linux-2.6.38.4/net/ipv4/tcp_minisocks.c linux-2.6.38.4/net/ipv4/tcp_minisocks.c
58317 --- linux-2.6.38.4/net/ipv4/tcp_minisocks.c 2011-03-14 21:20:32.000000000 -0400
58318 +++ linux-2.6.38.4/net/ipv4/tcp_minisocks.c 2011-04-17 15:57:33.000000000 -0400
58320 #include <net/inet_common.h>
58321 #include <net/xfrm.h>
58323 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58324 +extern int grsec_enable_blackhole;
58327 int sysctl_tcp_syncookies __read_mostly = 1;
58328 EXPORT_SYMBOL(sysctl_tcp_syncookies);
58330 @@ -745,6 +749,10 @@ listen_overflow:
58333 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
58335 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58336 + if (!grsec_enable_blackhole)
58338 if (!(flg & TCP_FLAG_RST))
58339 req->rsk_ops->send_reset(sk, skb);
58341 diff -urNp linux-2.6.38.4/net/ipv4/tcp_probe.c linux-2.6.38.4/net/ipv4/tcp_probe.c
58342 --- linux-2.6.38.4/net/ipv4/tcp_probe.c 2011-03-14 21:20:32.000000000 -0400
58343 +++ linux-2.6.38.4/net/ipv4/tcp_probe.c 2011-04-17 15:57:33.000000000 -0400
58344 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
58345 if (cnt + width >= len)
58348 - if (copy_to_user(buf + cnt, tbuf, width))
58349 + if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
58353 diff -urNp linux-2.6.38.4/net/ipv4/tcp_timer.c linux-2.6.38.4/net/ipv4/tcp_timer.c
58354 --- linux-2.6.38.4/net/ipv4/tcp_timer.c 2011-03-14 21:20:32.000000000 -0400
58355 +++ linux-2.6.38.4/net/ipv4/tcp_timer.c 2011-04-17 15:57:33.000000000 -0400
58357 #include <linux/gfp.h>
58358 #include <net/tcp.h>
58360 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58361 +extern int grsec_lastack_retries;
58364 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
58365 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
58366 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
58367 @@ -199,6 +203,13 @@ static int tcp_write_timeout(struct sock
58371 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58372 + if ((sk->sk_state == TCP_LAST_ACK) &&
58373 + (grsec_lastack_retries > 0) &&
58374 + (grsec_lastack_retries < retry_until))
58375 + retry_until = grsec_lastack_retries;
58378 if (retransmits_timed_out(sk, retry_until,
58379 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
58380 /* Has it gone just too far? */
58381 diff -urNp linux-2.6.38.4/net/ipv4/udp.c linux-2.6.38.4/net/ipv4/udp.c
58382 --- linux-2.6.38.4/net/ipv4/udp.c 2011-03-14 21:20:32.000000000 -0400
58383 +++ linux-2.6.38.4/net/ipv4/udp.c 2011-04-17 15:57:33.000000000 -0400
58385 #include <linux/types.h>
58386 #include <linux/fcntl.h>
58387 #include <linux/module.h>
58388 +#include <linux/security.h>
58389 #include <linux/socket.h>
58390 #include <linux/sockios.h>
58391 #include <linux/igmp.h>
58392 @@ -107,6 +108,10 @@
58393 #include <net/xfrm.h>
58394 #include "udp_impl.h"
58396 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58397 +extern int grsec_enable_blackhole;
58400 struct udp_table udp_table __read_mostly;
58401 EXPORT_SYMBOL(udp_table);
58403 @@ -564,6 +569,9 @@ found:
58407 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
58408 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
58411 * This routine is called by the ICMP module when it gets some
58412 * sort of error condition. If err < 0 then the socket should
58413 @@ -832,9 +840,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
58414 dport = usin->sin_port;
58418 + err = gr_search_udp_sendmsg(sk, usin);
58422 if (sk->sk_state != TCP_ESTABLISHED)
58423 return -EDESTADDRREQ;
58425 + err = gr_search_udp_sendmsg(sk, NULL);
58429 daddr = inet->inet_daddr;
58430 dport = inet->inet_dport;
58431 /* Open fast path for connected socket.
58432 @@ -1139,6 +1156,10 @@ try_again:
58436 + err = gr_search_udp_recvmsg(sk, skb);
58440 ulen = skb->len - sizeof(struct udphdr);
58443 @@ -1623,6 +1644,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
58446 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
58447 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58448 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
58450 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
58453 @@ -2050,7 +2074,12 @@ static void udp4_format_sock(struct sock
58454 sk_wmem_alloc_get(sp),
58455 sk_rmem_alloc_get(sp),
58456 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
58457 - atomic_read(&sp->sk_refcnt), sp,
58458 + atomic_read(&sp->sk_refcnt),
58459 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58464 atomic_read(&sp->sk_drops), len);
58467 diff -urNp linux-2.6.38.4/net/ipv6/exthdrs.c linux-2.6.38.4/net/ipv6/exthdrs.c
58468 --- linux-2.6.38.4/net/ipv6/exthdrs.c 2011-03-14 21:20:32.000000000 -0400
58469 +++ linux-2.6.38.4/net/ipv6/exthdrs.c 2011-04-17 15:57:33.000000000 -0400
58470 @@ -634,7 +634,7 @@ static struct tlvtype_proc tlvprochopopt
58471 .type = IPV6_TLV_JUMBO,
58472 .func = ipv6_hop_jumbo,
58478 int ipv6_parse_hopopts(struct sk_buff *skb)
58479 diff -urNp linux-2.6.38.4/net/ipv6/raw.c linux-2.6.38.4/net/ipv6/raw.c
58480 --- linux-2.6.38.4/net/ipv6/raw.c 2011-03-14 21:20:32.000000000 -0400
58481 +++ linux-2.6.38.4/net/ipv6/raw.c 2011-04-17 15:57:33.000000000 -0400
58482 @@ -602,7 +602,7 @@ out:
58486 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
58487 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
58488 struct flowi *fl, struct dst_entry **dstp,
58489 unsigned int flags)
58491 @@ -919,12 +919,15 @@ do_confirm:
58492 static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
58493 char __user *optval, int optlen)
58495 + struct icmp6_filter filter;
58498 case ICMPV6_FILTER:
58499 if (optlen > sizeof(struct icmp6_filter))
58500 optlen = sizeof(struct icmp6_filter);
58501 - if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
58502 + if (copy_from_user(&filter, optval, optlen))
58504 + memcpy(&raw6_sk(sk)->filter, &filter, optlen);
58507 return -ENOPROTOOPT;
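Review bot: The bounce through the on-stack `filter` carries no comment explaining why the direct `copy_from_user()` into `raw6_sk(sk)->filter` was replaced, and from this hunk it reads like a usercopy-hardening requirement (copying straight into the heap-resident socket object presumably trips a size check elsewhere in the patch) rather than a correctness fix. `filter` is never initialised, which is only safe because the copy-in and the `memcpy()` use the same clamped `optlen`; that invariant deserves a line so nobody later widens the `memcpy()` to `sizeof(filter)`. Suggest `/* stage in a stack copy (copy_from_user() into the sock-embedded filter presumably fails the usercopy checks); both copies use the clamped optlen, so no uninitialised bytes reach the socket */` above the declaration.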
58508 @@ -936,6 +939,7 @@ static int rawv6_seticmpfilter(struct so
58509 static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
58510 char __user *optval, int __user *optlen)
58512 + struct icmp6_filter filter;
58516 @@ -948,7 +952,8 @@ static int rawv6_geticmpfilter(struct so
58517 len = sizeof(struct icmp6_filter);
58518 if (put_user(len, optlen))
58520 - if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
58521 + memcpy(&filter, &raw6_sk(sk)->filter, len);
58522 + if (copy_to_user(optval, &filter, len))
58526 @@ -1262,7 +1267,13 @@ static void raw6_sock_seq_show(struct se
58530 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
58531 + atomic_read(&sp->sk_refcnt),
58532 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58537 + atomic_read(&sp->sk_drops));
58540 static int raw6_seq_show(struct seq_file *seq, void *v)
58541 diff -urNp linux-2.6.38.4/net/ipv6/tcp_ipv6.c linux-2.6.38.4/net/ipv6/tcp_ipv6.c
58542 --- linux-2.6.38.4/net/ipv6/tcp_ipv6.c 2011-03-14 21:20:32.000000000 -0400
58543 +++ linux-2.6.38.4/net/ipv6/tcp_ipv6.c 2011-04-17 15:57:33.000000000 -0400
58544 @@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
58548 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58549 +extern int grsec_enable_blackhole;
58552 static void tcp_v6_hash(struct sock *sk)
58554 if (sk->sk_state != TCP_CLOSE) {
58555 @@ -1676,6 +1680,9 @@ static int tcp_v6_do_rcv(struct sock *sk
58559 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58560 + if (!grsec_enable_blackhole)
58562 tcp_v6_send_reset(sk, skb);
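Review bot: The suppression wrapped around `tcp_v6_send_reset(sk, skb)` here has no loopback carve-out, whereas the `no_tcp_socket` path later in this file still lets a reset out when `ret == 1 && (skb->dev->flags & IFF_LOOPBACK)`. If blackholing is meant to hide the host from remote probes only, a local peer that reaches this `reset:` label (which conditions lead here is outside the hunk, so I cannot see them) will now wait out a timeout instead of receiving an RST. Either mirror the other site, `if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))`, or add a comment stating that resets for existing sockets are deliberately blackholed on every interface. tcp_v6_do_rcv's body continues outside the hunk.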
58565 @@ -1755,12 +1762,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
58566 TCP_SKB_CB(skb)->sacked = 0;
58568 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
58571 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58574 goto no_tcp_socket;
58578 - if (sk->sk_state == TCP_TIME_WAIT)
58579 + if (sk->sk_state == TCP_TIME_WAIT) {
58580 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58586 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
58587 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
58588 @@ -1808,6 +1823,10 @@ no_tcp_socket:
58590 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
58592 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58593 + if (!grsec_enable_blackhole || (ret == 1 &&
58594 + (skb->dev->flags & IFF_LOOPBACK)))
58596 tcp_v6_send_reset(NULL, skb);
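Review bot: The new condition reads `ret`, but the assignments that give it a meaning on the way to `no_tcp_socket` appear to sit on the hidden lines of the previous hunk (before `goto no_tcp_socket` and in the `TCP_TIME_WAIT` branch), so it is worth confirming that every path into this label sets it; in the original flow `ret` is only assigned from `tcp_v6_do_rcv()` on the socket-found path, and an unset value here would make the loopback exemption depend on stack contents. A line above the `#ifdef`, `/* ret == 1: no listener at all; only that case may answer a local (loopback) sender with a reset */`, would document the protocol between the goto sites and this check. tcp_v6_rcv's body continues outside the hunk.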
58599 @@ -2068,7 +2087,13 @@ static void get_openreq6(struct seq_file
58601 0, /* non standard timer */
58602 0, /* open_requests have no inode */
58605 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58613 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
58614 @@ -2118,7 +2143,12 @@ static void get_tcp6_sock(struct seq_fil
58616 icsk->icsk_probes_out,
58618 - atomic_read(&sp->sk_refcnt), sp,
58619 + atomic_read(&sp->sk_refcnt),
58620 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58625 jiffies_to_clock_t(icsk->icsk_rto),
58626 jiffies_to_clock_t(icsk->icsk_ack.ato),
58627 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
58628 @@ -2153,7 +2183,13 @@ static void get_timewait6_sock(struct se
58629 dest->s6_addr32[2], dest->s6_addr32[3], destp,
58630 tw->tw_substate, 0, 0,
58631 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
58632 - atomic_read(&tw->tw_refcnt), tw);
58633 + atomic_read(&tw->tw_refcnt),
58634 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58642 static int tcp6_seq_show(struct seq_file *seq, void *v)
58643 diff -urNp linux-2.6.38.4/net/ipv6/udp.c linux-2.6.38.4/net/ipv6/udp.c
58644 --- linux-2.6.38.4/net/ipv6/udp.c 2011-03-14 21:20:32.000000000 -0400
58645 +++ linux-2.6.38.4/net/ipv6/udp.c 2011-04-17 15:57:33.000000000 -0400
58647 #include <linux/seq_file.h>
58648 #include "udp_impl.h"
58650 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58651 +extern int grsec_enable_blackhole;
58654 int ipv6_rcv_saddr_equal(const struct sock *sk1, const struct sock *sk2)
58656 const struct in6_addr *sk1_rcv_saddr6 = &inet6_sk(sk1)->rcv_saddr;
58657 @@ -773,6 +777,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
58658 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
58659 proto == IPPROTO_UDPLITE);
58661 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
58662 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
58664 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
58667 @@ -1407,7 +1414,12 @@ static void udp6_sock_seq_show(struct se
58671 - atomic_read(&sp->sk_refcnt), sp,
58672 + atomic_read(&sp->sk_refcnt),
58673 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58678 atomic_read(&sp->sk_drops));
58681 diff -urNp linux-2.6.38.4/net/irda/ircomm/ircomm_tty.c linux-2.6.38.4/net/irda/ircomm/ircomm_tty.c
58682 --- linux-2.6.38.4/net/irda/ircomm/ircomm_tty.c 2011-03-14 21:20:32.000000000 -0400
58683 +++ linux-2.6.38.4/net/irda/ircomm/ircomm_tty.c 2011-04-17 15:57:33.000000000 -0400
58684 @@ -281,16 +281,16 @@ static int ircomm_tty_block_til_ready(st
58685 add_wait_queue(&self->open_wait, &wait);
58687 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
58688 - __FILE__,__LINE__, tty->driver->name, self->open_count );
58689 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
58691 /* As far as I can see, we protect open_count - Jean II */
58692 spin_lock_irqsave(&self->spinlock, flags);
58693 if (!tty_hung_up_p(filp)) {
58695 - self->open_count--;
58696 + local_dec(&self->open_count);
58698 spin_unlock_irqrestore(&self->spinlock, flags);
58699 - self->blocked_open++;
58700 + local_inc(&self->blocked_open);
58703 if (tty->termios->c_cflag & CBAUD) {
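Review bot: `local_inc(&self->blocked_open)` on the line after `spin_unlock_irqrestore()` is still outside `self->spinlock`, and local_t is the per-CPU counter type whose operations are atomic only against the same CPU, so the switch from `++` does not make the cross-CPU update safe; the pre-existing race on `blocked_open` is unchanged while the new type suggests it is not. If the overflow instrumentation of local_t is the goal, keep the type but move the update inside the locked region, or add `/* local_t here is for overflow checking, not cross-CPU atomicity; blocked_open is still serialised only by the open/close paths */`. Separately, the `IRDA_DEBUG(... "%d" ...)` lines now feed `local_read()` (in the generic local.h an `atomic_long_read()`, so `long`) to a `%d` conversion; `%ld` matches. ircomm_tty_block_til_ready continues outside the hunk.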
58704 @@ -330,7 +330,7 @@ static int ircomm_tty_block_til_ready(st
58707 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
58708 - __FILE__,__LINE__, tty->driver->name, self->open_count );
58709 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
58713 @@ -341,13 +341,13 @@ static int ircomm_tty_block_til_ready(st
58715 /* ++ is not atomic, so this should be protected - Jean II */
58716 spin_lock_irqsave(&self->spinlock, flags);
58717 - self->open_count++;
58718 + local_inc(&self->open_count);
58719 spin_unlock_irqrestore(&self->spinlock, flags);
58721 - self->blocked_open--;
58722 + local_dec(&self->blocked_open);
58724 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
58725 - __FILE__,__LINE__, tty->driver->name, self->open_count);
58726 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
58729 self->flags |= ASYNC_NORMAL_ACTIVE;
58730 @@ -416,14 +416,14 @@ static int ircomm_tty_open(struct tty_st
58732 /* ++ is not atomic, so this should be protected - Jean II */
58733 spin_lock_irqsave(&self->spinlock, flags);
58734 - self->open_count++;
58735 + local_inc(&self->open_count);
58737 tty->driver_data = self;
58739 spin_unlock_irqrestore(&self->spinlock, flags);
58741 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
58742 - self->line, self->open_count);
58743 + self->line, local_read(&self->open_count));
58745 /* Not really used by us, but lets do it anyway */
58746 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
58747 @@ -509,7 +509,7 @@ static void ircomm_tty_close(struct tty_
58751 - if ((tty->count == 1) && (self->open_count != 1)) {
58752 + if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
58754 * Uh, oh. tty->count is 1, which means that the tty
58755 * structure will be freed. state->count should always
58756 @@ -519,16 +519,16 @@ static void ircomm_tty_close(struct tty_
58758 IRDA_DEBUG(0, "%s(), bad serial port count; "
58759 "tty->count is 1, state->count is %d\n", __func__ ,
58760 - self->open_count);
58761 - self->open_count = 1;
58762 + local_read(&self->open_count));
58763 + local_set(&self->open_count, 1);
58766 - if (--self->open_count < 0) {
58767 + if (local_dec_return(&self->open_count) < 0) {
58768 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
58769 - __func__, self->line, self->open_count);
58770 - self->open_count = 0;
58771 + __func__, self->line, local_read(&self->open_count));
58772 + local_set(&self->open_count, 0);
58774 - if (self->open_count) {
58775 + if (local_read(&self->open_count)) {
58776 spin_unlock_irqrestore(&self->spinlock, flags);
58778 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
58779 @@ -560,7 +560,7 @@ static void ircomm_tty_close(struct tty_
58783 - if (self->blocked_open) {
58784 + if (local_read(&self->blocked_open)) {
58785 if (self->close_delay)
58786 schedule_timeout_interruptible(self->close_delay);
58787 wake_up_interruptible(&self->open_wait);
58788 @@ -1012,7 +1012,7 @@ static void ircomm_tty_hangup(struct tty
58789 spin_lock_irqsave(&self->spinlock, flags);
58790 self->flags &= ~ASYNC_NORMAL_ACTIVE;
58792 - self->open_count = 0;
58793 + local_set(&self->open_count, 0);
58794 spin_unlock_irqrestore(&self->spinlock, flags);
58796 wake_up_interruptible(&self->open_wait);
58797 @@ -1364,7 +1364,7 @@ static void ircomm_tty_line_info(struct
58800 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
58801 - seq_printf(m, "Open count: %d\n", self->open_count);
58802 + seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
58803 seq_printf(m, "Max data size: %d\n", self->max_data_size);
58804 seq_printf(m, "Max header size: %d\n", self->max_header_size);
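Review bot: `seq_printf(m, "Open count: %d\n", local_read(&self->open_count))` now pairs a `%d` conversion with the result of `local_read()`, which in the generic local.h is `atomic_long_read()` and therefore `long`; the old `int open_count` matched `%d`, the new field does not, and `-Wformat` will flag it. Use `seq_printf(m, "Open count: %ld\n", local_read(&self->open_count));`. The same mismatch appears in the IRDA_DEBUG/IRDA_ERROR calls earlier in this file.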
58806 diff -urNp linux-2.6.38.4/net/key/af_key.c linux-2.6.38.4/net/key/af_key.c
58807 --- linux-2.6.38.4/net/key/af_key.c 2011-03-14 21:20:32.000000000 -0400
58808 +++ linux-2.6.38.4/net/key/af_key.c 2011-04-17 15:57:33.000000000 -0400
58809 @@ -3644,7 +3644,11 @@ static int pfkey_seq_show(struct seq_fil
58810 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
58812 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
58813 +#ifdef CONFIG_GRKERNSEC_HIDESYM
58818 atomic_read(&s->sk_refcnt),
58819 sk_rmem_alloc_get(s),
58820 sk_wmem_alloc_get(s),
58821 diff -urNp linux-2.6.38.4/net/mac80211/cfg.c linux-2.6.38.4/net/mac80211/cfg.c
58822 --- linux-2.6.38.4/net/mac80211/cfg.c 2011-03-14 21:20:32.000000000 -0400
58823 +++ linux-2.6.38.4/net/mac80211/cfg.c 2011-04-17 15:57:33.000000000 -0400
58824 @@ -1939,7 +1939,7 @@ static int ieee80211_get_antenna(struct
58825 return drv_get_antenna(local, tx_ant, rx_ant);
58828 -struct cfg80211_ops mac80211_config_ops = {
58829 +const struct cfg80211_ops mac80211_config_ops = {
58830 .add_virtual_intf = ieee80211_add_iface,
58831 .del_virtual_intf = ieee80211_del_iface,
58832 .change_virtual_intf = ieee80211_change_iface,
58833 diff -urNp linux-2.6.38.4/net/mac80211/cfg.h linux-2.6.38.4/net/mac80211/cfg.h
58834 --- linux-2.6.38.4/net/mac80211/cfg.h 2011-03-14 21:20:32.000000000 -0400
58835 +++ linux-2.6.38.4/net/mac80211/cfg.h 2011-04-17 15:57:33.000000000 -0400
58840 -extern struct cfg80211_ops mac80211_config_ops;
58841 +extern const struct cfg80211_ops mac80211_config_ops;
58843 #endif /* __CFG_H */
58844 diff -urNp linux-2.6.38.4/net/mac80211/ieee80211_i.h linux-2.6.38.4/net/mac80211/ieee80211_i.h
58845 --- linux-2.6.38.4/net/mac80211/ieee80211_i.h 2011-03-14 21:20:32.000000000 -0400
58846 +++ linux-2.6.38.4/net/mac80211/ieee80211_i.h 2011-04-17 15:57:33.000000000 -0400
58848 #include <net/ieee80211_radiotap.h>
58849 #include <net/cfg80211.h>
58850 #include <net/mac80211.h>
58851 +#include <asm/local.h>
58853 #include "sta_info.h"
58855 @@ -716,7 +717,7 @@ struct ieee80211_local {
58856 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
58857 spinlock_t queue_stop_reason_lock;
58860 + local_t open_count;
58861 int monitors, cooked_mntrs;
58862 /* number of interfaces with corresponding FIF_ flags */
58863 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
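Review bot: `local_t open_count;` replaces a plain counter in a structure shared by every interface on the device, but local_t is documented as a per-CPU type whose operations are atomic only against the same CPU, so the field still depends on whatever lock the callers hold (presumably RTNL, as before) and nothing in the header says so. Suggest a comment on the field, `/* open netdevs on this hw; local_t gives overflow checking, not cross-CPU atomicity — callers presumably hold RTNL */`, so the type is not later read as a licence to drop the locking. The struct definition continues outside the hunk.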
58864 diff -urNp linux-2.6.38.4/net/mac80211/iface.c linux-2.6.38.4/net/mac80211/iface.c
58865 --- linux-2.6.38.4/net/mac80211/iface.c 2011-03-14 21:20:32.000000000 -0400
58866 +++ linux-2.6.38.4/net/mac80211/iface.c 2011-04-17 15:57:33.000000000 -0400
58867 @@ -211,7 +211,7 @@ static int ieee80211_do_open(struct net_
58871 - if (local->open_count == 0) {
58872 + if (local_read(&local->open_count) == 0) {
58873 res = drv_start(local);
58876 @@ -235,7 +235,7 @@ static int ieee80211_do_open(struct net_
58877 memcpy(dev->perm_addr, dev->dev_addr, ETH_ALEN);
58879 if (!is_valid_ether_addr(dev->dev_addr)) {
58880 - if (!local->open_count)
58881 + if (!local_read(&local->open_count))
58883 return -EADDRNOTAVAIL;
58885 @@ -327,7 +327,7 @@ static int ieee80211_do_open(struct net_
58886 mutex_unlock(&local->mtx);
58889 - local->open_count++;
58890 + local_inc(&local->open_count);
58892 if (hw_reconf_flags) {
58893 ieee80211_hw_config(local, hw_reconf_flags);
58894 @@ -347,7 +347,7 @@ static int ieee80211_do_open(struct net_
58896 drv_remove_interface(local, &sdata->vif);
58898 - if (!local->open_count)
58899 + if (!local_read(&local->open_count))
58903 @@ -473,7 +473,7 @@ static void ieee80211_do_stop(struct iee
58907 - local->open_count--;
58908 + local_dec(&local->open_count);
58910 switch (sdata->vif.type) {
58911 case NL80211_IFTYPE_AP_VLAN:
58912 @@ -532,7 +532,7 @@ static void ieee80211_do_stop(struct iee
58914 ieee80211_recalc_ps(local, -1);
58916 - if (local->open_count == 0) {
58917 + if (local_read(&local->open_count) == 0) {
58918 if (local->ops->napi_poll)
58919 napi_disable(&local->napi);
58920 ieee80211_clear_tx_pending(local);
58921 diff -urNp linux-2.6.38.4/net/mac80211/main.c linux-2.6.38.4/net/mac80211/main.c
58922 --- linux-2.6.38.4/net/mac80211/main.c 2011-03-14 21:20:32.000000000 -0400
58923 +++ linux-2.6.38.4/net/mac80211/main.c 2011-04-17 15:57:33.000000000 -0400
58924 @@ -161,7 +161,7 @@ int ieee80211_hw_config(struct ieee80211
58925 local->hw.conf.power_level = power;
58928 - if (changed && local->open_count) {
58929 + if (changed && local_read(&local->open_count)) {
58930 ret = drv_config(local, changed);
58933 diff -urNp linux-2.6.38.4/net/mac80211/pm.c linux-2.6.38.4/net/mac80211/pm.c
58934 --- linux-2.6.38.4/net/mac80211/pm.c 2011-03-14 21:20:32.000000000 -0400
58935 +++ linux-2.6.38.4/net/mac80211/pm.c 2011-04-17 15:57:33.000000000 -0400
58936 @@ -95,7 +95,7 @@ int __ieee80211_suspend(struct ieee80211
58939 /* stop hardware - this must stop RX */
58940 - if (local->open_count)
58941 + if (local_read(&local->open_count))
58942 ieee80211_stop_device(local);
58944 local->suspended = true;
58945 diff -urNp linux-2.6.38.4/net/mac80211/rate.c linux-2.6.38.4/net/mac80211/rate.c
58946 --- linux-2.6.38.4/net/mac80211/rate.c 2011-03-14 21:20:32.000000000 -0400
58947 +++ linux-2.6.38.4/net/mac80211/rate.c 2011-04-17 15:57:33.000000000 -0400
58948 @@ -371,7 +371,7 @@ int ieee80211_init_rate_ctrl_alg(struct
58952 - if (local->open_count)
58953 + if (local_read(&local->open_count))
58956 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
58957 diff -urNp linux-2.6.38.4/net/mac80211/rc80211_pid_debugfs.c linux-2.6.38.4/net/mac80211/rc80211_pid_debugfs.c
58958 --- linux-2.6.38.4/net/mac80211/rc80211_pid_debugfs.c 2011-03-14 21:20:32.000000000 -0400
58959 +++ linux-2.6.38.4/net/mac80211/rc80211_pid_debugfs.c 2011-04-17 15:57:33.000000000 -0400
58960 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
58962 spin_unlock_irqrestore(&events->lock, status);
58964 - if (copy_to_user(buf, pb, p))
58965 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
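Review bot: The `p > sizeof(pb)` guard is applied only at the copy-out, after `p` has finished accumulating; if `p` is built from successive `snprintf(pb + p, sizeof(pb) - p, ...)` calls (outside the hunk, not visible), a first result that already reaches `sizeof(pb)` makes the later `sizeof(pb) - p` wrap, and this check comes too late to stop that write. Clamping where `p` is produced is the bound that matters; this test can stay as a second line of defence. What the guard returns on failure is on a hidden line, so I cannot tell whether the caller sees `-EFAULT` or another code.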
58969 diff -urNp linux-2.6.38.4/net/mac80211/tx.c linux-2.6.38.4/net/mac80211/tx.c
58970 --- linux-2.6.38.4/net/mac80211/tx.c 2011-03-14 21:20:32.000000000 -0400
58971 +++ linux-2.6.38.4/net/mac80211/tx.c 2011-04-17 15:57:33.000000000 -0400
58972 @@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
58973 return cpu_to_le16(dur);
58976 -static int inline is_ieee80211_device(struct ieee80211_local *local,
58977 +static inline int is_ieee80211_device(struct ieee80211_local *local,
58978 struct net_device *dev)
58980 return local == wdev_priv(dev->ieee80211_ptr);
58981 diff -urNp linux-2.6.38.4/net/mac80211/util.c linux-2.6.38.4/net/mac80211/util.c
58982 --- linux-2.6.38.4/net/mac80211/util.c 2011-03-14 21:20:32.000000000 -0400
58983 +++ linux-2.6.38.4/net/mac80211/util.c 2011-04-17 15:57:33.000000000 -0400
58984 @@ -1135,7 +1135,7 @@ int ieee80211_reconfig(struct ieee80211_
58985 local->resuming = true;
58987 /* restart hardware */
58988 - if (local->open_count) {
58989 + if (local_read(&local->open_count)) {
58991 * Upon resume hardware can sometimes be goofy due to
58992 * various platform / driver / bus issues, so restarting
58993 diff -urNp linux-2.6.38.4/net/netfilter/Kconfig linux-2.6.38.4/net/netfilter/Kconfig
58994 --- linux-2.6.38.4/net/netfilter/Kconfig 2011-03-14 21:20:32.000000000 -0400
58995 +++ linux-2.6.38.4/net/netfilter/Kconfig 2011-04-17 15:57:33.000000000 -0400
58996 @@ -709,6 +709,16 @@ config NETFILTER_XT_MATCH_ESP
58998 To compile it as a module, choose M here. If unsure, say N.
59000 +config NETFILTER_XT_MATCH_GRADM
59001 + tristate '"gradm" match support'
59002 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
59003 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
59005 + The gradm match allows to match on grsecurity RBAC being enabled.
59006 + It is useful when iptables rules are applied early on bootup to
59007 + prevent connections to the machine (except from a trusted host)
59008 + while the RBAC system is disabled.
59010 config NETFILTER_XT_MATCH_HASHLIMIT
59011 tristate '"hashlimit" match support'
59012 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
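Review bot: The help text `The gradm match allows to match on grsecurity RBAC being enabled.` is ungrammatical and does not say what a rule evaluates; `This match tests whether the grsecurity RBAC system is currently enabled.` reads better. A second sentence naming the userspace extension's option (whatever the iptables plugin calls it — not visible here) would let an administrator write the bootup rule the text describes without reading the source.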
59013 diff -urNp linux-2.6.38.4/net/netfilter/Makefile linux-2.6.38.4/net/netfilter/Makefile
59014 --- linux-2.6.38.4/net/netfilter/Makefile 2011-03-14 21:20:32.000000000 -0400
59015 +++ linux-2.6.38.4/net/netfilter/Makefile 2011-04-17 15:57:33.000000000 -0400
59016 @@ -74,6 +74,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) +=
59017 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
59018 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
59019 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
59020 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
59021 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
59022 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
59023 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
59024 diff -urNp linux-2.6.38.4/net/netfilter/nf_conntrack_netlink.c linux-2.6.38.4/net/netfilter/nf_conntrack_netlink.c
59025 --- linux-2.6.38.4/net/netfilter/nf_conntrack_netlink.c 2011-03-14 21:20:32.000000000 -0400
59026 +++ linux-2.6.38.4/net/netfilter/nf_conntrack_netlink.c 2011-04-17 15:57:33.000000000 -0400
59027 @@ -761,7 +761,7 @@ static const struct nla_policy tuple_nla
59029 ctnetlink_parse_tuple(const struct nlattr * const cda[],
59030 struct nf_conntrack_tuple *tuple,
59031 - enum ctattr_tuple type, u_int8_t l3num)
59032 + enum ctattr_type type, u_int8_t l3num)
59034 struct nlattr *tb[CTA_TUPLE_MAX+1];
59036 diff -urNp linux-2.6.38.4/net/netfilter/xt_gradm.c linux-2.6.38.4/net/netfilter/xt_gradm.c
59037 --- linux-2.6.38.4/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
59038 +++ linux-2.6.38.4/net/netfilter/xt_gradm.c 2011-04-17 15:57:33.000000000 -0400
59041 + * gradm match for netfilter
59042 + * Copyright © Zbigniew Krzystolik, 2010
59044 + * This program is free software; you can redistribute it and/or modify
59045 + * it under the terms of the GNU General Public License; either version
59046 + * 2 or 3 as published by the Free Software Foundation.
59048 +#include <linux/module.h>
59049 +#include <linux/moduleparam.h>
59050 +#include <linux/skbuff.h>
59051 +#include <linux/netfilter/x_tables.h>
59052 +#include <linux/grsecurity.h>
59053 +#include <linux/netfilter/xt_gradm.h>
59056 +gradm_mt(const struct sk_buff *skb, struct xt_action_param *par)
59058 + const struct xt_gradm_mtinfo *info = par->matchinfo;
59059 + bool retval = false;
59060 + if (gr_acl_is_enabled())
59062 + return retval ^ info->invflags;
59065 +static struct xt_match gradm_mt_reg __read_mostly = {
59068 + .family = NFPROTO_UNSPEC,
59069 + .match = gradm_mt,
59070 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
59071 + .me = THIS_MODULE,
59074 +static int __init gradm_mt_init(void)
59076 + return xt_register_match(&gradm_mt_reg);
59079 +static void __exit gradm_mt_exit(void)
59081 + xt_unregister_match(&gradm_mt_reg);
59084 +module_init(gradm_mt_init);
59085 +module_exit(gradm_mt_exit);
59086 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
59087 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
59088 +MODULE_LICENSE("GPL");
59089 +MODULE_ALIAS("ipt_gradm");
59090 +MODULE_ALIAS("ip6t_gradm");
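Review bot: `gradm_mt()` returns `retval ^ info->invflags` with no `.checkentry` validating `invflags`, so a rule whose matchinfo carries any bit other than the lowest one yields a non-zero result regardless of `gr_acl_is_enabled()` — the match then always succeeds (the layout of `struct xt_gradm_mtinfo` is in a header not shown, so which bits are defined is an assumption). Matchinfo comes from a CAP_NET_ADMIN process, so this is robustness rather than a privilege boundary, but other xt matches reject unknown flags at rule insertion rather than silently mis-evaluating. Add a checkentry that masks the accepted flag(s) and make the match `return !!gr_acl_is_enabled() ^ !!info->invflags;` so the result is a clean 0/1 even if a bit slips through; the `!!retval` form also removes the need for the `retval` temporary.
```c
/* reject flag bits this revision does not define; the match XORs invflags
 * straight into its result, so a stray bit would force a permanent match.
 * ~1U assumes the invert flag is bit 0 — use the header's named constant. */
static int gradm_mt_check(const struct xt_mtchk_param *par)
{
	const struct xt_gradm_mtinfo *info = par->matchinfo;

	if (info->invflags & ~1U)
		return -EINVAL;
	return 0;
}

/* … unchanged: gradm_mt() … */

static struct xt_match gradm_mt_reg __read_mostly = {
	/* … unchanged: .name / .revision … */
	.family = NFPROTO_UNSPEC,
	.match = gradm_mt,
	.checkentry = gradm_mt_check,
	.matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
	.me = THIS_MODULE,
};
```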
59091 diff -urNp linux-2.6.38.4/net/netlink/af_netlink.c linux-2.6.38.4/net/netlink/af_netlink.c
59092 --- linux-2.6.38.4/net/netlink/af_netlink.c 2011-03-14 21:20:32.000000000 -0400
59093 +++ linux-2.6.38.4/net/netlink/af_netlink.c 2011-04-17 15:57:33.000000000 -0400
59094 @@ -2001,13 +2001,21 @@ static int netlink_seq_show(struct seq_f
59095 struct netlink_sock *nlk = nlk_sk(s);
59097 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
59098 +#ifdef CONFIG_GRKERNSEC_HIDESYM
59105 nlk->groups ? (u32)nlk->groups[0] : 0,
59106 sk_rmem_alloc_get(s),
59107 sk_wmem_alloc_get(s),
59108 +#ifdef CONFIG_GRKERNSEC_HIDESYM
59113 atomic_read(&s->sk_refcnt),
59114 atomic_read(&s->sk_drops),
59116 diff -urNp linux-2.6.38.4/net/netrom/af_netrom.c linux-2.6.38.4/net/netrom/af_netrom.c
59117 --- linux-2.6.38.4/net/netrom/af_netrom.c 2011-03-14 21:20:32.000000000 -0400
59118 +++ linux-2.6.38.4/net/netrom/af_netrom.c 2011-04-17 15:57:33.000000000 -0400
59119 @@ -840,6 +840,7 @@ static int nr_getname(struct socket *soc
59120 struct sock *sk = sock->sk;
59121 struct nr_sock *nr = nr_sk(sk);
59123 + memset(sax, 0, sizeof(*sax));
59126 if (sk->sk_state != TCP_ESTABLISHED) {
59127 @@ -854,7 +855,6 @@ static int nr_getname(struct socket *soc
59128 *uaddr_len = sizeof(struct full_sockaddr_ax25);
59130 sax->fsa_ax25.sax25_family = AF_NETROM;
59131 - sax->fsa_ax25.sax25_ndigis = 0;
59132 sax->fsa_ax25.sax25_call = nr->source_addr;
59133 *uaddr_len = sizeof(struct sockaddr_ax25);
59135 diff -urNp linux-2.6.38.4/net/packet/af_packet.c linux-2.6.38.4/net/packet/af_packet.c
59136 --- linux-2.6.38.4/net/packet/af_packet.c 2011-03-14 21:20:32.000000000 -0400
59137 +++ linux-2.6.38.4/net/packet/af_packet.c 2011-04-17 15:57:33.000000000 -0400
59138 @@ -2134,7 +2134,7 @@ static int packet_getsockopt(struct sock
59139 case PACKET_HDRLEN:
59140 if (len > sizeof(int))
59142 - if (copy_from_user(&val, optval, len))
59143 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
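Review bot: If the hidden line just above still clamps `len` to `sizeof(int)` as the visible `if (len > sizeof(int))` suggests, and `val` is an `int`, then `len > sizeof(val)` can never be true here and the added test is dead; harmless, but a reader will hunt for the case it guards. The case this path still leaves open is `len < sizeof(val)`: `copy_from_user(&val, optval, len)` then fills only part of `val`, and the switch on `val` that presumably follows (outside the hunk) reads uninitialised bytes — `if (len != sizeof(val)) return -EINVAL;` would close that. packet_getsockopt continues outside the hunk.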
59147 @@ -2172,7 +2172,7 @@ static int packet_getsockopt(struct sock
59149 if (put_user(len, optlen))
59151 - if (copy_to_user(optval, data, len))
59152 + if (len > sizeof(st) || copy_to_user(optval, data, len))
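Review bot: The new upper bound `len > sizeof(st)` is checked against one specific object while `data` is chosen per switch arm (which arms exist, and what they set `len` to, is outside the hunk), so the test is only correct as long as `st` remains the largest object `data` can point at. That relationship is easy to break when the next option is added; a comment, `/* st is the largest object data can reference; each arm clamps len to its own object */`, or a bound carried alongside `data`, would make it self-evident. The switch is outside the hunk.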
59156 @@ -2684,7 +2684,11 @@ static int packet_seq_show(struct seq_fi
59159 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
59160 +#ifdef CONFIG_GRKERNSEC_HIDESYM
59165 atomic_read(&s->sk_refcnt),
59168 diff -urNp linux-2.6.38.4/net/phonet/af_phonet.c linux-2.6.38.4/net/phonet/af_phonet.c
59169 --- linux-2.6.38.4/net/phonet/af_phonet.c 2011-03-14 21:20:32.000000000 -0400
59170 +++ linux-2.6.38.4/net/phonet/af_phonet.c 2011-04-17 15:57:33.000000000 -0400
59171 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
59173 struct phonet_protocol *pp;
59175 - if (protocol >= PHONET_NPROTO)
59176 + if (protocol < 0 || protocol >= PHONET_NPROTO)
59180 @@ -463,7 +463,7 @@ int __init_or_module phonet_proto_regist
59184 - if (protocol >= PHONET_NPROTO)
59185 + if (protocol < 0 || protocol >= PHONET_NPROTO)
59188 err = proto_register(pp->prot, 1);
59189 diff -urNp linux-2.6.38.4/net/phonet/socket.c linux-2.6.38.4/net/phonet/socket.c
59190 --- linux-2.6.38.4/net/phonet/socket.c 2011-03-14 21:20:32.000000000 -0400
59191 +++ linux-2.6.38.4/net/phonet/socket.c 2011-04-17 15:57:33.000000000 -0400
59192 @@ -637,7 +637,12 @@ static int pn_sock_seq_show(struct seq_f
59194 sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
59195 sock_i_uid(sk), sock_i_ino(sk),
59196 - atomic_read(&sk->sk_refcnt), sk,
59197 + atomic_read(&sk->sk_refcnt),
59198 +#ifdef CONFIG_GRKERNSEC_HIDESYM
59203 atomic_read(&sk->sk_drops), &len);
59205 seq_printf(seq, "%*s\n", 127 - len, "");
59206 diff -urNp linux-2.6.38.4/net/sctp/proc.c linux-2.6.38.4/net/sctp/proc.c
59207 --- linux-2.6.38.4/net/sctp/proc.c 2011-03-14 21:20:32.000000000 -0400
59208 +++ linux-2.6.38.4/net/sctp/proc.c 2011-04-17 15:57:33.000000000 -0400
59209 @@ -212,7 +212,12 @@ static int sctp_eps_seq_show(struct seq_
59210 sctp_for_each_hentry(epb, node, &head->chain) {
59213 - seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
59214 + seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ",
59215 +#ifdef CONFIG_GRKERNSEC_HIDESYM
59220 sctp_sk(sk)->type, sk->sk_state, hash,
59221 epb->bind_addr.port,
59222 sock_i_uid(sk), sock_i_ino(sk));
59223 @@ -318,7 +323,12 @@ static int sctp_assocs_seq_show(struct s
59225 "%8p %8p %-3d %-3d %-2d %-4d "
59226 "%4d %8d %8d %7d %5lu %-5d %5d ",
59227 - assoc, sk, sctp_sk(sk)->type, sk->sk_state,
59228 +#ifdef CONFIG_GRKERNSEC_HIDESYM
59233 + sctp_sk(sk)->type, sk->sk_state,
59234 assoc->state, hash,
59236 assoc->sndbuf_used,
59237 diff -urNp linux-2.6.38.4/net/sctp/socket.c linux-2.6.38.4/net/sctp/socket.c
59238 --- linux-2.6.38.4/net/sctp/socket.c 2011-03-14 21:20:32.000000000 -0400
59239 +++ linux-2.6.38.4/net/sctp/socket.c 2011-04-17 15:57:33.000000000 -0400
59240 @@ -1496,7 +1496,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
59241 struct sctp_sndrcvinfo *sinfo;
59242 struct sctp_initmsg *sinit;
59243 sctp_assoc_t associd = 0;
59244 - sctp_cmsgs_t cmsgs = { NULL };
59245 + sctp_cmsgs_t cmsgs = { NULL, NULL };
59247 sctp_scope_t scope;
59249 @@ -4435,7 +4435,7 @@ static int sctp_getsockopt_peer_addrs(st
59250 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
59251 if (space_left < addrlen)
59253 - if (copy_to_user(to, &temp, addrlen))
59254 + if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
59258 diff -urNp linux-2.6.38.4/net/socket.c linux-2.6.38.4/net/socket.c
59259 --- linux-2.6.38.4/net/socket.c 2011-04-18 17:27:16.000000000 -0400
59260 +++ linux-2.6.38.4/net/socket.c 2011-04-17 15:57:33.000000000 -0400
59262 #include <linux/nsproxy.h>
59263 #include <linux/magic.h>
59264 #include <linux/slab.h>
59265 +#include <linux/in.h>
59267 #include <asm/uaccess.h>
59268 #include <asm/unistd.h>
59269 @@ -105,6 +106,8 @@
59270 #include <linux/sockios.h>
59271 #include <linux/atalk.h>
59273 +#include <linux/grsock.h>
59275 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
59276 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
59277 unsigned long nr_segs, loff_t pos);
59278 @@ -326,7 +329,7 @@ static struct dentry *sockfs_mount(struc
59279 &sockfs_dentry_operations, SOCKFS_MAGIC);
59282 -static struct vfsmount *sock_mnt __read_mostly;
59283 +struct vfsmount *sock_mnt __read_mostly;
59285 static struct file_system_type sock_fs_type = {
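Review bot: Dropping `static` from `sock_mnt` turns the socket mount into a global symbol, and nothing in this hunk shows the matching `extern` declaration; if it lives in `<linux/grsock.h>` (included further up) the compiler checks both sides, but if the consumer writes its own `extern struct vfsmount *sock_mnt;` the two can drift without a warning. A comment, `/* not static: referenced by grsecurity's socket checks (declared in linux/grsock.h, presumably) */`, records the reason and where to look. No `EXPORT_SYMBOL` is needed while the consumer is built-in.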
59287 @@ -1174,6 +1177,8 @@ int __sock_create(struct net *net, int f
59288 return -EAFNOSUPPORT;
59289 if (type < 0 || type >= SOCK_MAX)
59291 + if (protocol < 0)
59296 @@ -1306,6 +1311,16 @@ SYSCALL_DEFINE3(socket, int, family, int
59297 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
59298 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
59300 + if(!gr_search_socket(family, type, protocol)) {
59301 + retval = -EACCES;
59305 + if (gr_handle_sock_all(family, type, protocol)) {
59306 + retval = -EACCES;
59310 retval = sock_create(family, type, protocol, &sock);
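Review bot: The two new checks use opposite conventions back to back — `gr_search_socket()` is a predicate where zero means deny (`if(!gr_search_socket(...))`), while `gr_handle_sock_all()` returns non-zero to deny — and both map to `-EACCES`, so a reader must open both helpers to learn which is the RBAC lookup and which the global policy. A one-line comment on each, hedged to what the helpers really implement (e.g. `/* RBAC: is this subject allowed the family/type/protocol? */` and `/* global socket-creation restrictions for this family */`), would make the pair legible; `if(!gr_search_socket` also wants a space after `if` per kernel style. The hidden lines after each `retval = -EACCES;` presumably `goto out`; confirm they skip `sock_create()`.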
59313 @@ -1418,6 +1433,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
59315 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
59317 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
59321 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
59325 err = security_socket_bind(sock,
59326 (struct sockaddr *)&address,
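Review bot: `gr_search_bind(sock, (struct sockaddr_in *)&address)` hands the buffer over as an IPv4 address before anything here has checked `address.ss_family` or that `addrlen >= sizeof(struct sockaddr_in)`; `move_addr_to_kernel()` fills only `addrlen` bytes of the on-stack `sockaddr_storage`, so for an AF_UNIX or AF_INET6 bind, or a short AF_INET one, the callee would be reading leftover stack past the copied bytes if it touches `sin_port`/`sin_addr` without re-checking. If the helper does that check itself (its body is not visible), say so with `/* gr_search_bind() validates sin_family and length itself */`; otherwise guard the call with `address.ss_family == AF_INET && addrlen >= sizeof(struct sockaddr_in)`. Placing the hooks ahead of `security_socket_bind()` also means an LSM never observes binds grsecurity refuses, which may be intended but is worth a note.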
59328 @@ -1426,6 +1449,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
59329 (struct sockaddr *)
59330 &address, addrlen);
59333 fput_light(sock->file, fput_needed);
59336 @@ -1449,10 +1473,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
59337 if ((unsigned)backlog > somaxconn)
59338 backlog = somaxconn;
59340 + if (gr_handle_sock_server_other(sock->sk)) {
59345 + err = gr_search_listen(sock);
59349 err = security_socket_listen(sock, backlog);
59351 err = sock->ops->listen(sock, backlog);
59354 fput_light(sock->file, fput_needed);
59357 @@ -1496,6 +1530,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
59358 newsock->type = sock->type;
59359 newsock->ops = sock->ops;
59361 + if (gr_handle_sock_server_other(sock->sk)) {
59363 + sock_release(newsock);
59367 + err = gr_search_accept(sock);
59369 + sock_release(newsock);
59374 * We don't need try_module_get here, as the listening socket (sock)
59375 * has the protocol module (sock->ops->owner) held.
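Review bot: Both deny branches call `sock_release(newsock)` after `newsock->ops = sock->ops` has been assigned but before the `__module_get()` that the comment right below refers to; in mainline's `sock_release()` a non-NULL `ops` triggers `ops->release(sock)` and a `module_put(ops->owner)`, so a refused accept on a modular family (ipv6 built as a module, say) would drop a module reference it never took. The simplest fix is to run both grsecurity checks before `sock_alloc()`, right after the listening socket is looked up, so the deny path has nothing to release; failing that, set `newsock->ops = NULL;` before each `sock_release(newsock)`. The hidden lines after each check presumably `goto out_put`; confirm they do not touch `newsock` again. accept4's body continues outside the hunk.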
59376 @@ -1534,6 +1580,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
59377 fd_install(newfd, newfile);
59380 + gr_attach_curr_ip(newsock->sk);
59383 fput_light(sock->file, fput_needed);
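Review bot: `gr_attach_curr_ip(newsock->sk)` runs after `fd_install(newfd, newfile)`, at which point the descriptor is already visible to user space and another thread of the process can `close()` it, releasing the socket while this call is still dereferencing `newsock->sk`. Move the call above `fd_install()`, while `newfile` is still private to this thread: `gr_attach_curr_ip(newsock->sk);` immediately before `fd_install(newfd, newfile);`. The lines where `ops->accept` populates `newsock->sk` are outside the hunk.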
59385 @@ -1566,6 +1614,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
59388 struct socket *sock;
59389 + struct sockaddr *sck;
59390 struct sockaddr_storage address;
59391 int err, fput_needed;
59393 @@ -1576,6 +1625,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
59397 + sck = (struct sockaddr *)&address;
59399 + if (gr_handle_sock_client(sck)) {
59404 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
59409 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
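Review bot: `sck` is just `(struct sockaddr *)&address`, and the very next line still spells that cast out for `security_socket_connect()`, so the new local adds a second name for the same pointer without saving a cast; either use `sck` there too or drop the local and write `gr_handle_sock_client((struct sockaddr *)&address)`. As in the bind() hook, `(struct sockaddr_in *)sck` reaches `gr_search_connect()` before any family or length check visible here, so the helper must validate `sin_family`/`addrlen` itself (not shown) — a comment saying so would help. connect()'s body continues outside the hunk.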
59411 diff -urNp linux-2.6.38.4/net/sunrpc/sched.c linux-2.6.38.4/net/sunrpc/sched.c
59412 --- linux-2.6.38.4/net/sunrpc/sched.c 2011-04-18 17:27:14.000000000 -0400
59413 +++ linux-2.6.38.4/net/sunrpc/sched.c 2011-04-17 15:57:33.000000000 -0400
59414 @@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
59416 static void rpc_task_set_debuginfo(struct rpc_task *task)
59418 - static atomic_t rpc_pid;
59419 + static atomic_unchecked_t rpc_pid;
59421 - task->tk_pid = atomic_inc_return(&rpc_pid);
59422 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
59425 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
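Review bot: Switching `rpc_pid` to `atomic_unchecked_t` opts this counter out of the overflow detection the patch adds elsewhere, and nothing records why that is acceptable; since `tk_pid` is a debug identifier that is expected to wrap, a comment makes the intent explicit: `/* debug-only task id: wrapping is harmless, so skip refcount overflow checking */`. Without it a later reader may restore `atomic_t` and trip the overflow handler once the counter wraps.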
59426 diff -urNp linux-2.6.38.4/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.38.4/net/sunrpc/xprtrdma/svc_rdma.c
59427 --- linux-2.6.38.4/net/sunrpc/xprtrdma/svc_rdma.c 2011-03-14 21:20:32.000000000 -0400
59428 +++ linux-2.6.38.4/net/sunrpc/xprtrdma/svc_rdma.c 2011-04-17 15:57:33.000000000 -0400
59429 @@ -109,7 +109,7 @@ static int read_reset_stat(ctl_table *ta
59433 - if (len && copy_to_user(buffer, str_buf, len))
59434 + if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
59438 diff -urNp linux-2.6.38.4/net/sysctl_net.c linux-2.6.38.4/net/sysctl_net.c
59439 --- linux-2.6.38.4/net/sysctl_net.c 2011-03-14 21:20:32.000000000 -0400
59440 +++ linux-2.6.38.4/net/sysctl_net.c 2011-04-17 15:57:33.000000000 -0400
59441 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
59442 struct ctl_table *table)
59444 /* Allow network administrator to have same access as root. */
59445 - if (capable(CAP_NET_ADMIN)) {
59446 + if (capable_nolog(CAP_NET_ADMIN)) {
59447 int mode = (table->mode >> 6) & 7;
59448 return (mode << 6) | (mode << 3) | mode;
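Review bot: The switch from `capable()` to `capable_nolog()` deserves a why-comment, because a reader of net_ctl_permissions() will otherwise take it for an audit regression. Assuming `capable_nolog()` is the non-auditing variant its name suggests, the rationale is that this function only computes a permission mask on every sysctl lookup rather than performing a privileged operation, so a task without CAP_NET_ADMIN should not produce a denied-capability record each time, e.g. `/* capable_nolog(): this is a permission computation, not a privileged action; do not audit the probe */`. The rest of the function is outside the hunk.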
59450 diff -urNp linux-2.6.38.4/net/tipc/socket.c linux-2.6.38.4/net/tipc/socket.c
59451 --- linux-2.6.38.4/net/tipc/socket.c 2011-03-14 21:20:32.000000000 -0400
59452 +++ linux-2.6.38.4/net/tipc/socket.c 2011-04-17 15:57:33.000000000 -0400
59453 @@ -1447,8 +1447,9 @@ static int connect(struct socket *sock,
59458 - ; /* leave "res" unchanged */
59460 + /* leave "res" unchanged */
59462 sock->state = SS_DISCONNECTING;
59465 diff -urNp linux-2.6.38.4/net/unix/af_unix.c linux-2.6.38.4/net/unix/af_unix.c
59466 --- linux-2.6.38.4/net/unix/af_unix.c 2011-03-14 21:20:32.000000000 -0400
59467 +++ linux-2.6.38.4/net/unix/af_unix.c 2011-04-17 15:57:33.000000000 -0400
59468 @@ -765,6 +765,12 @@ static struct sock *unix_find_other(stru
59469 err = -ECONNREFUSED;
59470 if (!S_ISSOCK(inode->i_mode))
59473 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
59478 u = unix_find_socket_byinode(inode);
59481 @@ -785,6 +791,13 @@ static struct sock *unix_find_other(stru
59483 struct dentry *dentry;
59484 dentry = unix_sk(u)->dentry;
59486 + if (!gr_handle_chroot_unix(u->sk_peer_pid)) {
59493 touch_atime(unix_sk(u)->mnt, dentry);
59495 @@ -870,11 +883,18 @@ static int unix_bind(struct socket *sock
59496 err = security_path_mknod(&nd.path, dentry, mode, 0);
59498 goto out_mknod_drop_write;
59499 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
59501 + goto out_mknod_drop_write;
59503 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
59504 out_mknod_drop_write:
59505 mnt_drop_write(nd.path.mnt);
59507 goto out_mknod_dput;
59509 + gr_handle_create(dentry, nd.path.mnt);
59511 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
59512 dput(nd.path.dentry);
59513 nd.path.dentry = dentry;
59514 @@ -892,6 +912,11 @@ out_mknod_drop_write:
59518 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
59519 + put_pid(sk->sk_peer_pid);
59520 + sk->sk_peer_pid = get_pid(task_tgid(current));
59523 list = &unix_socket_table[addr->hash];
59525 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
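Review bot: The CONFIG_GRKERNSEC_CHROOT_UNIX block in unix_bind() replaces `sk->sk_peer_pid` with the binding task's tgid without saying why, and the only consumer visible on this page is `gr_handle_chroot_unix(u->sk_peer_pid)` in unix_find_other() (the @@ -785 hunk). A one-line comment would keep the two in step, e.g. `/* record the binder's tgid in sk_peer_pid so the chroot check in unix_find_other() (gr_handle_chroot_unix) can compare against it */`. If other paths in this file also assign `sk_peer_pid` (the listen/connect credential setup is not visible here), the comment should state which assignment wins, since this one changes what peer-credential readers see for a bound socket. unix_bind() starts and ends outside this hunk.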
59526 @@ -2235,7 +2260,11 @@ static int unix_seq_show(struct seq_file
59527 unix_state_lock(s);
59529 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
59530 +#ifdef CONFIG_GRKERNSEC_HIDESYM
59535 atomic_read(&s->sk_refcnt),
59537 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
59538 diff -urNp linux-2.6.38.4/net/wireless/reg.c linux-2.6.38.4/net/wireless/reg.c
59539 --- linux-2.6.38.4/net/wireless/reg.c 2011-03-14 21:20:32.000000000 -0400
59540 +++ linux-2.6.38.4/net/wireless/reg.c 2011-04-17 15:57:33.000000000 -0400
59542 printk(KERN_DEBUG pr_fmt(format), ##args); \
59545 -#define REG_DBG_PRINT(args...)
59546 +#define REG_DBG_PRINT(args...) do {} while (0)
59549 /* Receipt of information from last regulatory request */
59550 diff -urNp linux-2.6.38.4/net/wireless/wext-core.c linux-2.6.38.4/net/wireless/wext-core.c
59551 --- linux-2.6.38.4/net/wireless/wext-core.c 2011-03-14 21:20:32.000000000 -0400
59552 +++ linux-2.6.38.4/net/wireless/wext-core.c 2011-04-17 15:57:33.000000000 -0400
59553 @@ -746,8 +746,7 @@ static int ioctl_standard_iw_point(struc
59556 /* Support for very large requests */
59557 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
59558 - (user_length > descr->max_tokens)) {
59559 + if (user_length > descr->max_tokens) {
59560 /* Allow userspace to GET more than max so
59561 * we can support any size GET requests.
59562 * There is still a limit : -ENOMEM.
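Review bot: Dropping the `iwp->length = descr->max_tokens` reset in the second hunk (@@ -784,22) means a GET handler for a descriptor without IW_DESCR_FLAG_NOMAX now sees the caller-supplied `user_length` rather than the allocation-derived `max_tokens`, while this hunk widens the large-request path to every descriptor. Both hunks remove a documented invariant ("this matches the extra data allocation") without restating the new one; the size of `extra` (set outside the hunks) and the length used by the later copy back must be shown to agree for every combination of `user_length` and `max_tokens`. If the allocation code does enlarge `extra` to `user_length` tokens, as the retained comment suggests, add a comment above `err = handler(...)` stating the contract, e.g. `/* extra holds at least max(user_length, max_tokens) tokens; iwp->length is the caller's value and the copy-back must stay within that allocation */`. ioctl_standard_iw_point() begins and ends outside both hunks.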
59563 @@ -784,22 +783,6 @@ static int ioctl_standard_iw_point(struc
59567 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
59569 - * If this is a GET, but not NOMAX, it means that the extra
59570 - * data is not bounded by userspace, but by max_tokens. Thus
59571 - * set the length to max_tokens. This matches the extra data
59573 - * The driver should fill it with the number of tokens it
59574 - * provided, and it may check iwp->length rather than having
59575 - * knowledge of max_tokens. If the driver doesn't change the
59576 - * iwp->length, this ioctl just copies back max_token tokens
59577 - * filled with zeroes. Hopefully the driver isn't claiming
59578 - * them to be valid data.
59580 - iwp->length = descr->max_tokens;
59583 err = handler(dev, info, (union iwreq_data *) iwp, extra);
59585 iwp->length += essid_compat;
59586 diff -urNp linux-2.6.38.4/net/x25/x25_facilities.c linux-2.6.38.4/net/x25/x25_facilities.c
59587 --- linux-2.6.38.4/net/x25/x25_facilities.c 2011-03-14 21:20:32.000000000 -0400
59588 +++ linux-2.6.38.4/net/x25/x25_facilities.c 2011-04-17 15:57:33.000000000 -0400
59589 @@ -167,7 +167,8 @@ int x25_parse_facilities(struct sk_buff
59592 printk(KERN_DEBUG "X.25: unknown facility %02X,"
59593 - "length %d\n", p[0], p[1]);
59594 + "length %d, values %02X, %02X\n",
59595 + p[0], p[1], p[2], p[3]);
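Review bot: The extended debug message reads `p[2]` and `p[3]` unconditionally, but `p[1]` is the facility's own length byte (the message prints it as "length"), and whatever bounds check precedes this switch (outside the hunk) presumably guarantees only `p[1] + 2` bytes; for a facility whose length byte is 0 or 1 the two value bytes lie past the validated data. Gate the extra operands on the length, e.g. `p[0], p[1], p[1] >= 1 ? p[2] : 0, p[1] >= 2 ? p[3] : 0);`, or print the values only when `p[1] >= 2`. x25_parse_facilities() continues outside the hunk.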
59599 diff -urNp linux-2.6.38.4/net/xfrm/xfrm_policy.c linux-2.6.38.4/net/xfrm/xfrm_policy.c
59600 --- linux-2.6.38.4/net/xfrm/xfrm_policy.c 2011-04-22 19:20:59.000000000 -0400
59601 +++ linux-2.6.38.4/net/xfrm/xfrm_policy.c 2011-04-22 19:21:47.000000000 -0400
59602 @@ -1507,7 +1507,7 @@ free_dst:
59608 xfrm_dst_alloc_copy(void **target, void *src, int size)
59611 @@ -1519,7 +1519,7 @@ xfrm_dst_alloc_copy(void **target, void
59617 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
59619 #ifdef CONFIG_XFRM_SUB_POLICY
59620 @@ -1531,7 +1531,7 @@ xfrm_dst_update_parent(struct dst_entry
59626 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
59628 #ifdef CONFIG_XFRM_SUB_POLICY
59629 diff -urNp linux-2.6.38.4/scripts/basic/fixdep.c linux-2.6.38.4/scripts/basic/fixdep.c
59630 --- linux-2.6.38.4/scripts/basic/fixdep.c 2011-03-14 21:20:32.000000000 -0400
59631 +++ linux-2.6.38.4/scripts/basic/fixdep.c 2011-04-17 15:57:33.000000000 -0400
59632 @@ -235,9 +235,9 @@ static void use_config(const char *m, in
59634 static void parse_config_file(const char *map, size_t len)
59636 - const int *end = (const int *) (map + len);
59637 + const unsigned int *end = (const unsigned int *) (map + len);
59638 /* start at +1, so that p can never be < map */
59639 - const int *m = (const int *) map + 1;
59640 + const unsigned int *m = (const unsigned int *) map + 1;
59643 for (; m < end; m++) {
59644 @@ -405,7 +405,7 @@ static void print_deps(void)
59645 static void traps(void)
59647 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
59648 - int *p = (int *)test;
59649 + unsigned int *p = (unsigned int *)test;
59651 if (*p != INT_CONF) {
59652 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
59653 diff -urNp linux-2.6.38.4/scripts/kallsyms.c linux-2.6.38.4/scripts/kallsyms.c
59654 --- linux-2.6.38.4/scripts/kallsyms.c 2011-03-14 21:20:32.000000000 -0400
59655 +++ linux-2.6.38.4/scripts/kallsyms.c 2011-04-17 15:57:33.000000000 -0400
59656 @@ -43,10 +43,10 @@ struct text_range {
59658 static unsigned long long _text;
59659 static struct text_range text_ranges[] = {
59660 - { "_stext", "_etext" },
59661 - { "_sinittext", "_einittext" },
59662 - { "_stext_l1", "_etext_l1" }, /* Blackfin on-chip L1 inst SRAM */
59663 - { "_stext_l2", "_etext_l2" }, /* Blackfin on-chip L2 SRAM */
59664 + { "_stext", "_etext", 0, 0 },
59665 + { "_sinittext", "_einittext", 0, 0 },
59666 + { "_stext_l1", "_etext_l1", 0, 0 }, /* Blackfin on-chip L1 inst SRAM */
59667 + { "_stext_l2", "_etext_l2", 0, 0 }, /* Blackfin on-chip L2 SRAM */
59669 #define text_range_text (&text_ranges[0])
59670 #define text_range_inittext (&text_ranges[1])
59671 diff -urNp linux-2.6.38.4/scripts/mod/file2alias.c linux-2.6.38.4/scripts/mod/file2alias.c
59672 --- linux-2.6.38.4/scripts/mod/file2alias.c 2011-03-14 21:20:32.000000000 -0400
59673 +++ linux-2.6.38.4/scripts/mod/file2alias.c 2011-04-17 15:57:33.000000000 -0400
59674 @@ -72,7 +72,7 @@ static void device_id_check(const char *
59675 unsigned long size, unsigned long id_size,
59681 if (size % id_size || size < id_size) {
59682 if (cross_build != 0)
59683 @@ -102,7 +102,7 @@ static void device_id_check(const char *
59684 /* USB is special because the bcdDevice can be matched against a numeric range */
59685 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
59686 static void do_usb_entry(struct usb_device_id *id,
59687 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
59688 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
59689 unsigned char range_lo, unsigned char range_hi,
59690 unsigned char max, struct module *mod)
59692 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
59693 for (i = 0; i < count; i++) {
59694 const char *id = (char *)devs[i].id;
59695 char acpi_id[sizeof(devs[0].id)];
59699 buf_printf(&mod->dev_table_buf,
59700 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
59701 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
59703 for (j = 0; j < PNP_MAX_DEVICES; j++) {
59704 const char *id = (char *)card->devs[j].id;
59706 + unsigned int i2, j2;
59710 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
59711 /* add an individual alias for every device entry */
59713 char acpi_id[sizeof(card->devs[0].id)];
59717 buf_printf(&mod->dev_table_buf,
59718 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
59719 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
59720 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
59724 + unsigned int i, j;
59726 sprintf(alias, "dmi*");
59728 diff -urNp linux-2.6.38.4/scripts/mod/modpost.c linux-2.6.38.4/scripts/mod/modpost.c
59729 --- linux-2.6.38.4/scripts/mod/modpost.c 2011-03-14 21:20:32.000000000 -0400
59730 +++ linux-2.6.38.4/scripts/mod/modpost.c 2011-04-17 15:57:33.000000000 -0400
59731 @@ -896,6 +896,7 @@ enum mismatch {
59732 ANY_INIT_TO_ANY_EXIT,
59733 ANY_EXIT_TO_ANY_INIT,
59734 EXPORT_TO_INIT_EXIT,
59738 struct sectioncheck {
59739 @@ -1004,6 +1005,12 @@ const struct sectioncheck sectioncheck[]
59740 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
59741 .mismatch = EXPORT_TO_INIT_EXIT,
59742 .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
59744 +/* Do not reference code from writable data */
59746 + .fromsec = { DATA_SECTIONS, NULL },
59747 + .tosec = { TEXT_SECTIONS, NULL },
59748 + .mismatch = DATA_TO_TEXT
59752 @@ -1126,10 +1133,10 @@ static Elf_Sym *find_elf_symbol(struct e
59754 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
59756 - if (sym->st_value == addr)
59758 /* Find a symbol nearby - addr are maybe negative */
59759 d = sym->st_value - addr;
59763 d = addr - sym->st_value;
59764 if (d < distance) {
59765 @@ -1401,6 +1408,14 @@ static void report_sec_mismatch(const ch
59766 tosym, prl_to, prl_to, tosym);
59769 + case DATA_TO_TEXT:
59772 + "The variable %s references\n"
59773 + "the %s %s%s%s\n",
59774 + fromsym, to, sec2annotation(tosec), tosym, to_p);
59778 fprintf(stderr, "\n");
59780 @@ -1724,7 +1739,7 @@ void __attribute__((format(printf, 2, 3)
59784 -void buf_write(struct buffer *buf, const char *s, int len)
59785 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
59787 if (buf->size - buf->pos < len) {
59788 buf->size += len + SZ;
59789 @@ -1936,7 +1951,7 @@ static void write_if_changed(struct buff
59790 if (fstat(fileno(file), &st) < 0)
59793 - if (st.st_size != b->pos)
59794 + if (st.st_size != (off_t)b->pos)
59797 tmp = NOFAIL(malloc(b->pos));
59798 diff -urNp linux-2.6.38.4/scripts/mod/modpost.h linux-2.6.38.4/scripts/mod/modpost.h
59799 --- linux-2.6.38.4/scripts/mod/modpost.h 2011-03-14 21:20:32.000000000 -0400
59800 +++ linux-2.6.38.4/scripts/mod/modpost.h 2011-04-17 15:57:33.000000000 -0400
59801 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
59807 + unsigned int pos;
59808 + unsigned int size;
59811 void __attribute__((format(printf, 2, 3)))
59812 buf_printf(struct buffer *buf, const char *fmt, ...);
59815 -buf_write(struct buffer *buf, const char *s, int len);
59816 +buf_write(struct buffer *buf, const char *s, unsigned int len);
59819 struct module *next;
59820 diff -urNp linux-2.6.38.4/scripts/mod/sumversion.c linux-2.6.38.4/scripts/mod/sumversion.c
59821 --- linux-2.6.38.4/scripts/mod/sumversion.c 2011-03-14 21:20:32.000000000 -0400
59822 +++ linux-2.6.38.4/scripts/mod/sumversion.c 2011-04-17 15:57:33.000000000 -0400
59823 @@ -470,7 +470,7 @@ static void write_version(const char *fi
59827 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
59828 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
59829 warn("writing sum in %s failed: %s\n",
59830 filename, strerror(errno));
59832 diff -urNp linux-2.6.38.4/scripts/pnmtologo.c linux-2.6.38.4/scripts/pnmtologo.c
59833 --- linux-2.6.38.4/scripts/pnmtologo.c 2011-03-14 21:20:32.000000000 -0400
59834 +++ linux-2.6.38.4/scripts/pnmtologo.c 2011-04-17 15:57:33.000000000 -0400
59835 @@ -237,14 +237,14 @@ static void write_header(void)
59836 fprintf(out, " * Linux logo %s\n", logoname);
59837 fputs(" */\n\n", out);
59838 fputs("#include <linux/linux_logo.h>\n\n", out);
59839 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
59840 + fprintf(out, "static unsigned char %s_data[] = {\n",
59844 static void write_footer(void)
59846 fputs("\n};\n\n", out);
59847 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
59848 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
59849 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
59850 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
59851 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
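Review bot: Dropping `__initdata`/`__initconst` from the generated logo definitions (and from the CLUT in the @@ -374 hunk) changes the memory footprint of every kernel built with a logo, since the data now stays resident after boot instead of being released with the init sections, and nothing in the generator records why. A comment above write_header() should give the reason, presumably that the `const struct linux_logo` is referenced from non-init code or data and would otherwise trip a section-mismatch check, e.g. `/* Logo data is emitted without __initdata/__initconst so it can be referenced from non-init, read-only data without a section mismatch */`. The actual motive is not visible on this page, so confirm it against the logo's users before committing the comment.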
59852 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
59853 fputs("\n};\n\n", out);
59855 /* write logo clut */
59856 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
59857 + fprintf(out, "static unsigned char %s_clut[] = {\n",
59860 for (i = 0; i < logo_clutsize; i++) {
59861 diff -urNp linux-2.6.38.4/security/apparmor/lsm.c linux-2.6.38.4/security/apparmor/lsm.c
59862 --- linux-2.6.38.4/security/apparmor/lsm.c 2011-03-14 21:20:32.000000000 -0400
59863 +++ linux-2.6.38.4/security/apparmor/lsm.c 2011-04-17 15:57:33.000000000 -0400
59864 @@ -619,7 +619,7 @@ static int apparmor_task_setrlimit(struc
59868 -static struct security_operations apparmor_ops = {
59869 +static struct security_operations apparmor_ops __read_only = {
59870 .name = "apparmor",
59872 .ptrace_access_check = apparmor_ptrace_access_check,
59873 diff -urNp linux-2.6.38.4/security/commoncap.c linux-2.6.38.4/security/commoncap.c
59874 --- linux-2.6.38.4/security/commoncap.c 2011-03-14 21:20:32.000000000 -0400
59875 +++ linux-2.6.38.4/security/commoncap.c 2011-04-17 15:57:33.000000000 -0400
59877 #include <linux/prctl.h>
59878 #include <linux/securebits.h>
59879 // #include <linux/vs_context.h>
59880 +#include <net/sock.h>
59883 * If a non-root user executes a setuid-root binary in
59884 @@ -50,9 +51,11 @@ static void warn_setuid_and_fcaps_mixed(
59888 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
59890 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
59892 - NETLINK_CB(skb).eff_cap = vx_mbcaps(current_cap());
59893 + NETLINK_CB(skb).eff_cap = vx_mbcaps(gr_cap_rtnetlink(sk));
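Review bot: The new `extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);` is a prototype placed in a .c file instead of a header shared with the function's definition, so nothing checks that the two signatures agree and the compiler cannot warn when one of them changes; move it to the header that appears to already declare the other gr_* hooks used here (`gr_acl_enable_at_secure()` in the @@ -534 hunk has no local declaration). A short comment at the assignment would also help, since the effective capability set for a netlink send now comes from the socket rather than `current_cap()`, e.g. `/* capabilities for this send are derived from the socket by gr_cap_rtnetlink(), not from the sending task */`. cap_netlink_send() continues outside the hunk.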
59897 @@ -534,6 +537,9 @@ int cap_bprm_secureexec(struct linux_bin
59899 const struct cred *cred = current_cred();
59901 + if (gr_acl_enable_at_secure())
59904 if (cred->uid != 0) {
59905 if (bprm->cap_effective)
59907 diff -urNp linux-2.6.38.4/security/integrity/ima/ima_api.c linux-2.6.38.4/security/integrity/ima/ima_api.c
59908 --- linux-2.6.38.4/security/integrity/ima/ima_api.c 2011-03-14 21:20:32.000000000 -0400
59909 +++ linux-2.6.38.4/security/integrity/ima/ima_api.c 2011-04-17 15:57:33.000000000 -0400
59910 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
59913 /* can overflow, only indicator */
59914 - atomic_long_inc(&ima_htable.violations);
59915 + atomic_long_inc_unchecked(&ima_htable.violations);
59917 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
59919 diff -urNp linux-2.6.38.4/security/integrity/ima/ima_fs.c linux-2.6.38.4/security/integrity/ima/ima_fs.c
59920 --- linux-2.6.38.4/security/integrity/ima/ima_fs.c 2011-03-14 21:20:32.000000000 -0400
59921 +++ linux-2.6.38.4/security/integrity/ima/ima_fs.c 2011-04-17 15:57:33.000000000 -0400
59922 @@ -28,12 +28,12 @@
59923 static int valid_policy = 1;
59924 #define TMPBUFLEN 12
59925 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
59926 - loff_t *ppos, atomic_long_t *val)
59927 + loff_t *ppos, atomic_long_unchecked_t *val)
59929 char tmpbuf[TMPBUFLEN];
59932 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
59933 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
59934 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
59937 diff -urNp linux-2.6.38.4/security/integrity/ima/ima.h linux-2.6.38.4/security/integrity/ima/ima.h
59938 --- linux-2.6.38.4/security/integrity/ima/ima.h 2011-03-14 21:20:32.000000000 -0400
59939 +++ linux-2.6.38.4/security/integrity/ima/ima.h 2011-04-17 15:57:33.000000000 -0400
59940 @@ -85,8 +85,8 @@ void ima_add_violation(struct inode *ino
59941 extern spinlock_t ima_queue_lock;
59943 struct ima_h_table {
59944 - atomic_long_t len; /* number of stored measurements in the list */
59945 - atomic_long_t violations;
59946 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
59947 + atomic_long_unchecked_t violations;
59948 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
59950 extern struct ima_h_table ima_htable;
59951 diff -urNp linux-2.6.38.4/security/integrity/ima/ima_queue.c linux-2.6.38.4/security/integrity/ima/ima_queue.c
59952 --- linux-2.6.38.4/security/integrity/ima/ima_queue.c 2011-03-14 21:20:32.000000000 -0400
59953 +++ linux-2.6.38.4/security/integrity/ima/ima_queue.c 2011-04-17 15:57:33.000000000 -0400
59954 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
59955 INIT_LIST_HEAD(&qe->later);
59956 list_add_tail_rcu(&qe->later, &ima_measurements);
59958 - atomic_long_inc(&ima_htable.len);
59959 + atomic_long_inc_unchecked(&ima_htable.len);
59960 key = ima_hash_key(entry->digest);
59961 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
59963 diff -urNp linux-2.6.38.4/security/Kconfig linux-2.6.38.4/security/Kconfig
59964 --- linux-2.6.38.4/security/Kconfig 2011-03-14 21:20:32.000000000 -0400
59965 +++ linux-2.6.38.4/security/Kconfig 2011-04-17 15:57:33.000000000 -0400
59968 menu "Security options"
59970 +source grsecurity/Kconfig
59974 + config ARCH_TRACK_EXEC_LIMIT
59977 + config PAX_PER_CPU_PGD
59980 + config TASK_SIZE_MAX_SHIFT
59982 + depends on X86_64
59983 + default 47 if !PAX_PER_CPU_PGD
59984 + default 42 if PAX_PER_CPU_PGD
59986 + config PAX_ENABLE_PAE
59988 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
59991 + bool "Enable various PaX features"
59992 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
59994 + This allows you to enable various PaX features. PaX adds
59995 + intrusion prevention mechanisms to the kernel that reduce
59996 + the risks posed by exploitable memory corruption bugs.
59998 +menu "PaX Control"
60001 +config PAX_SOFTMODE
60002 + bool 'Support soft mode'
60003 + select PAX_PT_PAX_FLAGS
60005 + Enabling this option will allow you to run PaX in soft mode, that
60006 + is, PaX features will not be enforced by default, only on executables
60007 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
60008 + is the only way to mark executables for soft mode use.
60010 + Soft mode can be activated by using the "pax_softmode=1" kernel command
60011 + line option on boot. Furthermore you can control various PaX features
60012 + at runtime via the entries in /proc/sys/kernel/pax.
60015 + bool 'Use legacy ELF header marking'
60017 + Enabling this option will allow you to control PaX features on
60018 + a per executable basis via the 'chpax' utility available at
60019 + http://pax.grsecurity.net/. The control flags will be read from
60020 + an otherwise reserved part of the ELF header. This marking has
60021 + numerous drawbacks (no support for soft-mode, toolchain does not
60022 + know about the non-standard use of the ELF header) therefore it
60023 + has been deprecated in favour of PT_PAX_FLAGS support.
60025 + Note that if you enable PT_PAX_FLAGS marking support as well,
60026 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
60028 +config PAX_PT_PAX_FLAGS
60029 + bool 'Use ELF program header marking'
60031 + Enabling this option will allow you to control PaX features on
60032 + a per executable basis via the 'paxctl' utility available at
60033 + http://pax.grsecurity.net/. The control flags will be read from
60034 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
60035 + has the benefits of supporting both soft mode and being fully
60036 + integrated into the toolchain (the binutils patch is available
60037 + from http://pax.grsecurity.net).
60039 + If your toolchain does not support PT_PAX_FLAGS markings,
60040 + you can create one in most cases with 'paxctl -C'.
60042 + Note that if you enable the legacy EI_PAX marking support as well,
60043 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
60046 + prompt 'MAC system integration'
60047 + default PAX_HAVE_ACL_FLAGS
60049 + Mandatory Access Control systems have the option of controlling
60050 + PaX flags on a per executable basis, choose the method supported
60051 + by your particular system.
60053 + - "none": if your MAC system does not interact with PaX,
60054 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
60055 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
60057 + NOTE: this option is for developers/integrators only.
60059 + config PAX_NO_ACL_FLAGS
60062 + config PAX_HAVE_ACL_FLAGS
60065 + config PAX_HOOK_ACL_FLAGS
60071 +menu "Non-executable pages"
60075 + bool "Enforce non-executable pages"
60076 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
60078 + By design some architectures do not allow for protecting memory
60079 + pages against execution or even if they do, Linux does not make
60080 + use of this feature. In practice this means that if a page is
60081 + readable (such as the stack or heap) it is also executable.
60083 + There is a well known exploit technique that makes use of this
60084 + fact and a common programming mistake where an attacker can
60085 + introduce code of his choice somewhere in the attacked program's
60086 + memory (typically the stack or the heap) and then execute it.
60088 + If the attacked program was running with different (typically
60089 + higher) privileges than that of the attacker, then he can elevate
60090 + his own privilege level (e.g. get a root shell, write to files for
60091 + which he does not have write access to, etc).
60093 + Enabling this option will let you choose from various features
60094 + that prevent the injection and execution of 'foreign' code in
60097 + This will also break programs that rely on the old behaviour and
60098 + expect that dynamically allocated memory via the malloc() family
60099 + of functions is executable (which it is not). Notable examples
60100 + are the XFree86 4.x server, the java runtime and wine.
60102 +config PAX_PAGEEXEC
60103 + bool "Paging based non-executable pages"
60104 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
60105 + select S390_SWITCH_AMODE if S390
60106 + select S390_EXEC_PROTECT if S390
60107 + select ARCH_TRACK_EXEC_LIMIT if X86_32
60109 + This implementation is based on the paging feature of the CPU.
60110 + On i386 without hardware non-executable bit support there is a
60111 + variable but usually low performance impact, however on Intel's
60112 + P4 core based CPUs it is very high so you should not enable this
60113 + for kernels meant to be used on such CPUs.
60115 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
60116 + with hardware non-executable bit support there is no performance
60117 + impact, on ppc the impact is negligible.
60119 + Note that several architectures require various emulations due to
60120 + badly designed userland ABIs, this will cause a performance impact
60121 + but will disappear as soon as userland is fixed. For example, ppc
60122 + userland MUST have been built with secure-plt by a recent toolchain.
60124 +config PAX_SEGMEXEC
60125 + bool "Segmentation based non-executable pages"
60126 + depends on PAX_NOEXEC && X86_32
60128 + This implementation is based on the segmentation feature of the
60129 + CPU and has a very small performance impact, however applications
60130 + will be limited to a 1.5 GB address space instead of the normal
60133 +config PAX_EMUTRAMP
60134 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
60135 + default y if PARISC
60137 + There are some programs and libraries that for one reason or
60138 + another attempt to execute special small code snippets from
60139 + non-executable memory pages. Most notable examples are the
60140 + signal handler return code generated by the kernel itself and
60141 + the GCC trampolines.
60143 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
60144 + such programs will no longer work under your kernel.
60146 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
60147 + utilities to enable trampoline emulation for the affected programs
60148 + yet still have the protection provided by the non-executable pages.
60150 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
60151 + your system will not even boot.
60153 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
60154 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
60155 + for the affected files.
60157 + NOTE: enabling this feature *may* open up a loophole in the
60158 + protection provided by non-executable pages that an attacker
60159 + could abuse. Therefore the best solution is to not have any
60160 + files on your system that would require this option. This can
60161 + be achieved by not using libc5 (which relies on the kernel
60162 + signal handler return code) and not using or rewriting programs
60163 + that make use of the nested function implementation of GCC.
60164 + Skilled users can just fix GCC itself so that it implements
60165 + nested function calls in a way that does not interfere with PaX.
60167 +config PAX_EMUSIGRT
60168 + bool "Automatically emulate sigreturn trampolines"
60169 + depends on PAX_EMUTRAMP && PARISC
60172 + Enabling this option will have the kernel automatically detect
60173 + and emulate signal return trampolines executing on the stack
60174 + that would otherwise lead to task termination.
60176 + This solution is intended as a temporary one for users with
60177 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
60178 + Modula-3 runtime, etc) or executables linked to such, basically
60179 + everything that does not specify its own SA_RESTORER function in
60180 + normal executable memory like glibc 2.1+ does.
60182 + On parisc you MUST enable this option, otherwise your system will
60185 + NOTE: this feature cannot be disabled on a per executable basis
60186 + and since it *does* open up a loophole in the protection provided
60187 + by non-executable pages, the best solution is to not have any
60188 + files on your system that would require this option.
60190 +config PAX_MPROTECT
60191 + bool "Restrict mprotect()"
60192 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
60194 + Enabling this option will prevent programs from
60195 + - changing the executable status of memory pages that were
60196 + not originally created as executable,
60197 + - making read-only executable pages writable again,
60198 + - creating executable pages from anonymous memory,
60199 + - making read-only-after-relocations (RELRO) data pages writable again.
60201 + You should say Y here to complete the protection provided by
60202 + the enforcement of non-executable pages.
60204 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
60205 + this feature on a per file basis.
60207 +config PAX_MPROTECT_COMPAT
60208 + bool "Use legacy/compat protection demoting (read help)"
60209 + depends on PAX_MPROTECT
60212 + The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
60213 + by sending the proper error code to the application. For some broken
60214 + userland, this can cause problems with Python or other applications. The
60215 + current implementation however allows for applications like clamav to
60216 + detect if JIT compilation/execution is allowed and to fall back gracefully
60217 + to an interpreter-based mode if it does not. While we encourage everyone
60218 + to use the current implementation as-is and push upstream to fix broken
60219 + userland (note that the RWX logging option can assist with this), in some
60220 + environments this may not be possible. Having to disable MPROTECT
60221 + completely on certain binaries reduces the security benefit of PaX,
60222 + so this option is provided for those environments to revert to the old
60225 +config PAX_ELFRELOCS
60226 + bool "Allow ELF text relocations (read help)"
60227 + depends on PAX_MPROTECT
60230 + Non-executable pages and mprotect() restrictions are effective
60231 + in preventing the introduction of new executable code into an
60232 + attacked task's address space. There remain only two venues
60233 + for this kind of attack: if the attacker can execute already
60234 + existing code in the attacked task then he can either have it
60235 + create and mmap() a file containing his code or have it mmap()
60236 + an already existing ELF library that does not have position
60237 + independent code in it and use mprotect() on it to make it
60238 + writable and copy his code there. While protecting against
60239 + the former approach is beyond PaX, the latter can be prevented
60240 + by having only PIC ELF libraries on one's system (which do not
60241 + need to relocate their code). If you are sure this is your case,
60242 + as is the case with all modern Linux distributions, then leave
60243 + this option disabled. You should say 'n' here.
60245 +config PAX_ETEXECRELOCS
60246 + bool "Allow ELF ET_EXEC text relocations"
60247 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
60248 + select PAX_ELFRELOCS
60251 + On some architectures there are incorrectly created applications
60252 + that require text relocations and would not work without enabling
60253 + this option. If you are an alpha, ia64 or parisc user, you should
60254 + enable this option and disable it once you have made sure that
60255 + none of your applications need it.
60258 + bool "Automatically emulate ELF PLT"
60259 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
60262 + Enabling this option will have the kernel automatically detect
60263 + and emulate the Procedure Linkage Table entries in ELF files.
60264 + On some architectures such entries are in writable memory, and
60265 + become non-executable leading to task termination. Therefore
60266 + it is mandatory that you enable this option on alpha, parisc,
60267 + sparc and sparc64, otherwise your system would not even boot.
60269 + NOTE: this feature *does* open up a loophole in the protection
60270 + provided by the non-executable pages, therefore the proper
60271 + solution is to modify the toolchain to produce a PLT that does
60272 + not need to be writable.
60274 +config PAX_DLRESOLVE
60275 + bool 'Emulate old glibc resolver stub'
60276 + depends on PAX_EMUPLT && SPARC
60279 + This option is needed if userland has an old glibc (before 2.4)
60280 + that puts a 'save' instruction into the runtime generated resolver
60281 + stub that needs special emulation.
60283 +config PAX_KERNEXEC
60284 + bool "Enforce non-executable kernel pages"
60285 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
60286 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
60288 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
60289 + that is, enabling this option will make it harder to inject
60290 + and execute 'foreign' code in kernel memory itself.
60292 +config PAX_KERNEXEC_MODULE_TEXT
60293 + int "Minimum amount of memory reserved for module code"
60295 + depends on PAX_KERNEXEC && X86_32 && MODULES
60297 + Due to implementation details the kernel must reserve a fixed
60298 + amount of memory for module code at compile time that cannot be
60299 + changed at runtime. Here you can specify the minimum amount
60300 + in MB that will be reserved. Due to the same implementation
60301 + details this size will always be rounded up to the next 2/4 MB
60302 + boundary (depends on PAE) so the actually available memory for
60303 + module code will usually be more than this minimum.
60305 + The default 4 MB should be enough for most users but if you have
60306 + an excessive number of modules (e.g., most distribution configs
60307 + compile many drivers as modules) or use huge modules such as
60308 + nvidia's kernel driver, you will need to adjust this amount.
60309 + A good rule of thumb is to look at your currently loaded kernel
60310 + modules and add up their sizes.
60314 +menu "Address Space Layout Randomization"
60318 + bool "Address Space Layout Randomization"
60319 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
60321 + Many if not most exploit techniques rely on the knowledge of
60322 + certain addresses in the attacked program. The following options
60323 + will allow the kernel to apply a certain amount of randomization
60324 + to specific parts of the program thereby forcing an attacker to
60325 + guess them in most cases. Any failed guess will most likely crash
60326 + the attacked program which allows the kernel to detect such attempts
60327 + and react on them. PaX itself provides no reaction mechanisms,
60328 + instead it is strongly encouraged that you make use of Nergal's
60329 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
60330 + (http://www.grsecurity.net/) built-in crash detection features or
60331 + develop one yourself.
60333 + By saying Y here you can choose to randomize the following areas:
60334 + - top of the task's kernel stack
60335 + - top of the task's userland stack
60336 + - base address for mmap() requests that do not specify one
60337 + (this includes all libraries)
60338 + - base address of the main executable
60340 + It is strongly recommended to say Y here as address space layout
60341 + randomization has negligible impact on performance yet it provides
60342 + a very effective protection.
60344 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
60345 + this feature on a per file basis.
60347 +config PAX_RANDKSTACK
60348 + bool "Randomize kernel stack base"
60349 + depends on PAX_ASLR && X86_TSC && X86
60351 + By saying Y here the kernel will randomize every task's kernel
60352 + stack on every system call. This will not only force an attacker
60353 + to guess it but also prevent him from making use of possible
60354 + leaked information about it.
60356 + Since the kernel stack is a rather scarce resource, randomization
60357 + may cause unexpected stack overflows, therefore you should very
60358 + carefully test your system. Note that once enabled in the kernel
60359 + configuration, this feature cannot be disabled on a per file basis.
60361 +config PAX_RANDUSTACK
60362 + bool "Randomize user stack base"
60363 + depends on PAX_ASLR
60365 + By saying Y here the kernel will randomize every task's userland
60366 + stack. The randomization is done in two steps where the second
60367 + one may apply a big amount of shift to the top of the stack and
60368 + cause problems for programs that want to use lots of memory (more
60369 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
60370 + For this reason the second step can be controlled by 'chpax' or
60371 + 'paxctl' on a per file basis.
60373 +config PAX_RANDMMAP
60374 + bool "Randomize mmap() base"
60375 + depends on PAX_ASLR
60377 + By saying Y here the kernel will use a randomized base address for
60378 + mmap() requests that do not specify one themselves. As a result
60379 + all dynamically loaded libraries will appear at random addresses
60380 + and therefore be harder to exploit by a technique where an attacker
60381 + attempts to execute library code for his purposes (e.g. spawn a
60382 + shell from an exploited program that is running at an elevated
60383 + privilege level).
60385 + Furthermore, if a program is relinked as a dynamic ELF file, its
60386 + base address will be randomized as well, completing the full
60387 + randomization of the address space layout. Attacking such programs
60388 + becomes a guess game. You can find an example of doing this at
60389 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
60390 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
60392 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
60393 + feature on a per file basis.
60397 +menu "Miscellaneous hardening features"
60399 +config PAX_MEMORY_SANITIZE
60400 + bool "Sanitize all freed memory"
60402 + By saying Y here the kernel will erase memory pages as soon as they
60403 + are freed. This in turn reduces the lifetime of data stored in the
60404 + pages, making it less likely that sensitive information such as
60405 + passwords, cryptographic secrets, etc stay in memory for too long.
60407 + This is especially useful for programs whose runtime is short, long
60408 + lived processes and the kernel itself benefit from this as long as
60409 + they operate on whole memory pages and ensure timely freeing of pages
60410 + that may hold sensitive information.
60412 + The tradeoff is performance impact, on a single CPU system kernel
60413 + compilation sees a 3% slowdown, other systems and workloads may vary
60414 + and you are advised to test this feature on your expected workload
60415 + before deploying it.
60417 + Note that this feature does not protect data stored in live pages,
60418 + e.g., process memory swapped to disk may stay there for a long time.
60420 +config PAX_MEMORY_UDEREF
60421 + bool "Prevent invalid userland pointer dereference"
60422 + depends on X86 && !UML_X86 && !XEN
60423 + select PAX_PER_CPU_PGD if X86_64
60425 + By saying Y here the kernel will be prevented from dereferencing
60426 + userland pointers in contexts where the kernel expects only kernel
60427 + pointers. This is both a useful runtime debugging feature and a
60428 + security measure that prevents exploiting a class of kernel bugs.
60430 + The tradeoff is that some virtualization solutions may experience
60431 + a huge slowdown and therefore you should not enable this feature
60432 + for kernels meant to run in such environments. Whether a given VM
60433 + solution is affected or not is best determined by simply trying it
60434 + out, the performance impact will be obvious right on boot as this
60435 + mechanism engages from very early on. A good rule of thumb is that
60436 + VMs running on CPUs without hardware virtualization support (i.e.,
60437 + the majority of IA-32 CPUs) will likely experience the slowdown.
60439 +config PAX_REFCOUNT
60440 + bool "Prevent various kernel object reference counter overflows"
60441 + depends on GRKERNSEC && (X86 || SPARC64)
60443 + By saying Y here the kernel will detect and prevent overflowing
60444 + various (but not all) kinds of object reference counters. Such
60445 + overflows can normally occur due to bugs only and are often, if
60446 + not always, exploitable.
60448 + The tradeoff is that data structures protected by an overflowed
60449 + refcount will never be freed and therefore will leak memory. Note
60450 + that this leak also happens even without this protection but in
60451 + that case the overflow can eventually trigger the freeing of the
60452 + data structure while it is still being used elsewhere, resulting
60453 + in the exploitable situation that this feature prevents.
60455 + Since this has a negligible performance impact, you should enable
60458 +config PAX_USERCOPY
60459 + bool "Harden heap object copies between kernel and userland"
60460 + depends on X86 || PPC || SPARC
60461 + depends on GRKERNSEC && (SLAB || SLUB)
60463 + By saying Y here the kernel will enforce the size of heap objects
60464 + when they are copied in either direction between the kernel and
60465 + userland, even if only a part of the heap object is copied.
60467 + Specifically, this checking prevents information leaking from the
60468 + kernel heap during kernel to userland copies (if the kernel heap
60469 + object is otherwise fully initialized) and prevents kernel heap
60470 + overflows during userland to kernel copies.
60472 + Note that the current implementation provides the strictest bounds
60473 + checks for the SLUB allocator.
60475 + Enabling this option also enables per-slab cache protection against
60476 + data in a given cache being copied into/out of via userland
60477 + accessors. Though the whitelist of regions will be reduced over
60478 + time, it notably protects important data structures like task structs.
60480 + If frame pointers are enabled on x86, this option will also restrict
60481 + copies into and out of the kernel stack to local variables within a
60484 + Since this has a negligible performance impact, you should enable
60492 bool "Enable access key retention support"
60494 @@ -167,7 +688,7 @@ config INTEL_TXT
60495 config LSM_MMAP_MIN_ADDR
60496 int "Low address space for LSM to protect from user allocation"
60497 depends on SECURITY && SECURITY_SELINUX
60501 This is the portion of low virtual memory which should be protected
60502 from userspace allocation. Keeping a user from writing to low pages
60503 diff -urNp linux-2.6.38.4/security/keys/keyring.c linux-2.6.38.4/security/keys/keyring.c
60504 --- linux-2.6.38.4/security/keys/keyring.c 2011-03-14 21:20:32.000000000 -0400
60505 +++ linux-2.6.38.4/security/keys/keyring.c 2011-04-18 22:03:12.000000000 -0400
60506 @@ -213,15 +213,15 @@ static long keyring_read(const struct ke
60509 for (loop = 0; loop < klist->nkeys; loop++) {
60510 + key_serial_t serial;
60511 key = klist->keys[loop];
60512 + serial = key->serial;
60514 tmp = sizeof(key_serial_t);
60518 - if (copy_to_user(buffer,
60521 + if (copy_to_user(buffer, &serial, tmp))
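Review bot: The new stack local `serial` needs a comment saying why it exists, because nothing in keyring_read() itself motivates copying `key->serial` out before the copy_to_user() on this line, and a later cleanup would naturally fold it back into `&key->serial`. The reason is presumably the PAX_USERCOPY check this patch adds, which refuses userland copies from slab objects whose cache is not whitelisted, and `struct key` is presumably slab-allocated. Suggest, above the `serial = key->serial;` line, `/* copy via a stack local: PAX_USERCOPY rejects copy_to_user() straight out of the key slab object */`. The rest of keyring_read(), including whatever clamps `tmp`, lies outside this hunk.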
60525 diff -urNp linux-2.6.38.4/security/min_addr.c linux-2.6.38.4/security/min_addr.c
60526 --- linux-2.6.38.4/security/min_addr.c 2011-03-14 21:20:32.000000000 -0400
60527 +++ linux-2.6.38.4/security/min_addr.c 2011-04-17 15:57:33.000000000 -0400
60528 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
60530 static void update_mmap_min_addr(void)
60533 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
60534 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
60535 mmap_min_addr = dac_mmap_min_addr;
60536 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
60538 mmap_min_addr = dac_mmap_min_addr;
60544 diff -urNp linux-2.6.38.4/security/security.c linux-2.6.38.4/security/security.c
60545 --- linux-2.6.38.4/security/security.c 2011-03-14 21:20:32.000000000 -0400
60546 +++ linux-2.6.38.4/security/security.c 2011-04-17 15:57:33.000000000 -0400
60547 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
60548 /* things that live in capability.c */
60549 extern void __init security_fixup_ops(struct security_operations *ops);
60551 -static struct security_operations *security_ops;
60552 -static struct security_operations default_security_ops = {
60553 +static struct security_operations *security_ops __read_only;
60554 +static struct security_operations default_security_ops __read_only = {
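Review bot: Marking `security_ops` __read_only means every store to it must be bracketed by pax_open_kernel()/pax_close_kernel(), as the later reset_security_ops() hunk does; in this kernel version security_init() and register_security() also assign `security_ops`, and neither is in this view, so confirm they are patched the same way or LSM registration faults on a read-only page under PAX_KERNEXEC. The constraint is invisible at the assignment sites, so record it at the declaration: `static struct security_operations *security_ops __read_only; /* writers must use pax_open_kernel()/pax_close_kernel() */`. The `default_security_ops` initializer continues past the end of the hunk.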
60558 @@ -67,7 +67,9 @@ int __init security_init(void)
60560 void reset_security_ops(void)
60562 + pax_open_kernel();
60563 security_ops = &default_security_ops;
60564 + pax_close_kernel();
60567 /* Save user chosen LSM */
60568 diff -urNp linux-2.6.38.4/security/selinux/hooks.c linux-2.6.38.4/security/selinux/hooks.c
60569 --- linux-2.6.38.4/security/selinux/hooks.c 2011-03-14 21:20:32.000000000 -0400
60570 +++ linux-2.6.38.4/security/selinux/hooks.c 2011-04-17 15:57:33.000000000 -0400
60572 #define NUM_SEL_MNT_OPTS 5
60574 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
60575 -extern struct security_operations *security_ops;
60577 /* SECMARK reference count */
60578 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
60579 @@ -5395,7 +5394,7 @@ static int selinux_key_getsecurity(struc
60583 -static struct security_operations selinux_ops = {
60584 +static struct security_operations selinux_ops __read_only = {
60587 .ptrace_access_check = selinux_ptrace_access_check,
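Review bot: `selinux_ops` becomes __read_only, but the LSM core's registration path (verify()/security_fixup_ops() in security.c and capability.c, as far as I recall for this kernel) fills every NULL hook of the ops table it is handed by writing into that table; with the table read-only under PAX_KERNEXEC those writes must sit inside pax_open_kernel()/pax_close_kernel(), and that change is not visible here, so confirm it exists elsewhere in the series. The same question applies to `smack_ops` and `tomoyo_security_ops` in the hunks below. The initializer continues outside this hunk.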
60588 diff -urNp linux-2.6.38.4/security/smack/smack_lsm.c linux-2.6.38.4/security/smack/smack_lsm.c
60589 --- linux-2.6.38.4/security/smack/smack_lsm.c 2011-03-14 21:20:32.000000000 -0400
60590 +++ linux-2.6.38.4/security/smack/smack_lsm.c 2011-04-17 15:57:33.000000000 -0400
60591 @@ -3179,7 +3179,7 @@ static int smack_inode_getsecctx(struct
60595 -struct security_operations smack_ops = {
60596 +struct security_operations smack_ops __read_only = {
60599 .ptrace_access_check = smack_ptrace_access_check,
60600 diff -urNp linux-2.6.38.4/security/tomoyo/tomoyo.c linux-2.6.38.4/security/tomoyo/tomoyo.c
60601 --- linux-2.6.38.4/security/tomoyo/tomoyo.c 2011-03-14 21:20:32.000000000 -0400
60602 +++ linux-2.6.38.4/security/tomoyo/tomoyo.c 2011-04-17 15:57:33.000000000 -0400
60603 @@ -240,7 +240,7 @@ static int tomoyo_sb_pivotroot(struct pa
60604 * tomoyo_security_ops is a "struct security_operations" which is used for
60605 * registering TOMOYO.
60607 -static struct security_operations tomoyo_security_ops = {
60608 +static struct security_operations tomoyo_security_ops __read_only = {
60610 .cred_alloc_blank = tomoyo_cred_alloc_blank,
60611 .cred_prepare = tomoyo_cred_prepare,
60612 diff -urNp linux-2.6.38.4/sound/aoa/codecs/onyx.c linux-2.6.38.4/sound/aoa/codecs/onyx.c
60613 --- linux-2.6.38.4/sound/aoa/codecs/onyx.c 2011-03-14 21:20:32.000000000 -0400
60614 +++ linux-2.6.38.4/sound/aoa/codecs/onyx.c 2011-04-17 15:57:33.000000000 -0400
60615 @@ -54,7 +54,7 @@ struct onyx {
60620 + local_t open_count;
60621 struct codec_info *codec_info;
60623 /* mutex serializes concurrent access to the device
60624 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
60625 struct onyx *onyx = cii->codec_data;
60627 mutex_lock(&onyx->mutex);
60628 - onyx->open_count++;
60629 + local_inc(&onyx->open_count);
60630 mutex_unlock(&onyx->mutex);
60633 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
60634 struct onyx *onyx = cii->codec_data;
60636 mutex_lock(&onyx->mutex);
60637 - onyx->open_count--;
60638 - if (!onyx->open_count)
60639 + if (local_dec_and_test(&onyx->open_count))
60640 onyx->spdif_locked = onyx->analog_locked = 0;
60641 mutex_unlock(&onyx->mutex);
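Review bot: The `local_dec_and_test()` here runs under `onyx->mutex`, as does the `local_inc()` in onyx_open() in the hunk above, so the switch to `local_t` adds no synchronization; presumably its purpose is the PAX_REFCOUNT overflow detection this patch introduces. The Kconfig hunk in this same patch makes PAX_REFCOUNT depend on X86 || SPARC64, while sound/aoa is an Apple PowerPC driver, so on the hardware this code runs on the new counter behaves exactly like the old `int`. A comment at the field would stop the next reader from assuming local_t buys atomicity: `local_t open_count; /* local_t for PAX_REFCOUNT overflow checks; still serialized by onyx->mutex */`.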
60643 diff -urNp linux-2.6.38.4/sound/aoa/codecs/onyx.h linux-2.6.38.4/sound/aoa/codecs/onyx.h
60644 --- linux-2.6.38.4/sound/aoa/codecs/onyx.h 2011-03-14 21:20:32.000000000 -0400
60645 +++ linux-2.6.38.4/sound/aoa/codecs/onyx.h 2011-04-17 15:57:33.000000000 -0400
60647 #include <linux/i2c.h>
60648 #include <asm/pmac_low_i2c.h>
60649 #include <asm/prom.h>
60650 +#include <asm/local.h>
60652 /* PCM3052 register definitions */
60654 diff -urNp linux-2.6.38.4/sound/core/oss/pcm_oss.c linux-2.6.38.4/sound/core/oss/pcm_oss.c
60655 --- linux-2.6.38.4/sound/core/oss/pcm_oss.c 2011-03-14 21:20:32.000000000 -0400
60656 +++ linux-2.6.38.4/sound/core/oss/pcm_oss.c 2011-04-17 15:57:33.000000000 -0400
60657 @@ -2971,8 +2971,8 @@ static void snd_pcm_oss_proc_done(struct
60660 #else /* !CONFIG_SND_VERBOSE_PROCFS */
60661 -#define snd_pcm_oss_proc_init(pcm)
60662 -#define snd_pcm_oss_proc_done(pcm)
60663 +#define snd_pcm_oss_proc_init(pcm) do {} while (0)
60664 +#define snd_pcm_oss_proc_done(pcm) do {} while (0)
60665 #endif /* CONFIG_SND_VERBOSE_PROCFS */
60668 diff -urNp linux-2.6.38.4/sound/core/seq/seq_lock.h linux-2.6.38.4/sound/core/seq/seq_lock.h
60669 --- linux-2.6.38.4/sound/core/seq/seq_lock.h 2011-03-14 21:20:32.000000000 -0400
60670 +++ linux-2.6.38.4/sound/core/seq/seq_lock.h 2011-04-17 15:57:33.000000000 -0400
60671 @@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
60672 #else /* SMP || CONFIG_SND_DEBUG */
60674 typedef spinlock_t snd_use_lock_t; /* dummy */
60675 -#define snd_use_lock_init(lockp) /**/
60676 -#define snd_use_lock_use(lockp) /**/
60677 -#define snd_use_lock_free(lockp) /**/
60678 -#define snd_use_lock_sync(lockp) /**/
60679 +#define snd_use_lock_init(lockp) do {} while (0)
60680 +#define snd_use_lock_use(lockp) do {} while (0)
60681 +#define snd_use_lock_free(lockp) do {} while (0)
60682 +#define snd_use_lock_sync(lockp) do {} while (0)
60684 #endif /* SMP || CONFIG_SND_DEBUG */
60686 diff -urNp linux-2.6.38.4/sound/drivers/mts64.c linux-2.6.38.4/sound/drivers/mts64.c
60687 --- linux-2.6.38.4/sound/drivers/mts64.c 2011-03-14 21:20:32.000000000 -0400
60688 +++ linux-2.6.38.4/sound/drivers/mts64.c 2011-04-17 15:57:33.000000000 -0400
60690 #include <sound/initval.h>
60691 #include <sound/rawmidi.h>
60692 #include <sound/control.h>
60693 +#include <asm/local.h>
60695 #define CARD_NAME "Miditerminal 4140"
60696 #define DRIVER_NAME "MTS64"
60697 @@ -66,7 +67,7 @@ struct mts64 {
60698 struct pardevice *pardev;
60699 int pardev_claimed;
60702 + local_t open_count;
60703 int current_midi_output_port;
60704 int current_midi_input_port;
60705 u8 mode[MTS64_NUM_INPUT_PORTS];
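Review bot: `local_t` is documented in Documentation/local_ops.txt as a per-CPU counter type, and on x86 `local_inc()`/`local_dec_return()` are plain non-LOCK-prefixed instructions, so they are not atomic against an open() or close() running on another CPU; the open path in this driver explicitly reads the counter without a lock. The conversion therefore does not make `open_count` safe under concurrent opens, and if that was the intent `atomic_t` is the right type. If the intent is only PAX_REFCOUNT overflow detection, say so at the field: `local_t open_count; /* PAX_REFCOUNT overflow checks only; not SMP-atomic, callers still serialize */`. The struct definition continues outside the hunk.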
60706 @@ -696,7 +697,7 @@ static int snd_mts64_rawmidi_open(struct
60708 struct mts64 *mts = substream->rmidi->private_data;
60710 - if (mts->open_count == 0) {
60711 + if (local_read(&mts->open_count) == 0) {
60712 /* We don't need a spinlock here, because this is just called
60713 if the device has not been opened before.
60714 So there aren't any IRQs from the device */
60715 @@ -704,7 +705,7 @@ static int snd_mts64_rawmidi_open(struct
60719 - ++(mts->open_count);
60720 + local_inc(&mts->open_count);
60724 @@ -714,8 +715,7 @@ static int snd_mts64_rawmidi_close(struc
60725 struct mts64 *mts = substream->rmidi->private_data;
60726 unsigned long flags;
60728 - --(mts->open_count);
60729 - if (mts->open_count == 0) {
60730 + if (local_dec_return(&mts->open_count) == 0) {
60731 /* We need the spinlock_irqsave here because we can still
60732 have IRQs at this point */
60733 spin_lock_irqsave(&mts->lock, flags);
60734 @@ -724,8 +724,8 @@ static int snd_mts64_rawmidi_close(struc
60738 - } else if (mts->open_count < 0)
60739 - mts->open_count = 0;
60740 + } else if (local_read(&mts->open_count) < 0)
60741 + local_set(&mts->open_count, 0);
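Review bot: The `< 0` clamp re-reads the counter with `local_read()` instead of using the value that `local_dec_return()` already returned in the preceding hunk, so it tests a second snapshot that a concurrent open (which takes no lock, per the driver's own comment) may have changed. Keep the result in a local and use it for both tests: `int cnt = local_dec_return(&mts->open_count); if (cnt == 0) { ... } else if (cnt < 0) local_set(&mts->open_count, 0);`. The `local_set()` reset itself still races with a concurrent `local_inc()`, but that was equally true of the original plain-int code. snd_mts64_rawmidi_close() is split across two hunks here.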
60745 diff -urNp linux-2.6.38.4/sound/drivers/portman2x4.c linux-2.6.38.4/sound/drivers/portman2x4.c
60746 --- linux-2.6.38.4/sound/drivers/portman2x4.c 2011-03-14 21:20:32.000000000 -0400
60747 +++ linux-2.6.38.4/sound/drivers/portman2x4.c 2011-04-17 15:57:33.000000000 -0400
60749 #include <sound/initval.h>
60750 #include <sound/rawmidi.h>
60751 #include <sound/control.h>
60752 +#include <asm/local.h>
60754 #define CARD_NAME "Portman 2x4"
60755 #define DRIVER_NAME "portman"
60756 @@ -84,7 +85,7 @@ struct portman {
60757 struct pardevice *pardev;
60758 int pardev_claimed;
60761 + local_t open_count;
60762 int mode[PORTMAN_NUM_INPUT_PORTS];
60763 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
60765 diff -urNp linux-2.6.38.4/sound/oss/sb_audio.c linux-2.6.38.4/sound/oss/sb_audio.c
60766 --- linux-2.6.38.4/sound/oss/sb_audio.c 2011-03-14 21:20:32.000000000 -0400
60767 +++ linux-2.6.38.4/sound/oss/sb_audio.c 2011-04-17 15:57:33.000000000 -0400
60768 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
60769 buf16 = (signed short *)(localbuf + localoffs);
60772 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
60773 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
60774 if (copy_from_user(lbuf8,
60775 userbuf+useroffs + p,
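Review bot: The `(unsigned)` cast stops a negative `c` from reaching copy_from_user() as a negative length, but it turns it into a full `LBUFCOPYSIZE` chunk rather than rejecting it: for `c < 0` the comparison is now always true, so `locallen` becomes LBUFCOPYSIZE and the surrounding loop (outside this hunk) presumably keeps copying. If a negative count can reach this point, and `c` being an `int` that needs the cast suggests it can, check it once before the loop and bail out or clamp, e.g. `if (c < 0) c = 0;`, instead of relying on the unsigned wrap. Declaring `c` and `locallen` as `unsigned` or `size_t` would make the intent explicit.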
60777 diff -urNp linux-2.6.38.4/sound/oss/swarm_cs4297a.c linux-2.6.38.4/sound/oss/swarm_cs4297a.c
60778 --- linux-2.6.38.4/sound/oss/swarm_cs4297a.c 2011-03-14 21:20:32.000000000 -0400
60779 +++ linux-2.6.38.4/sound/oss/swarm_cs4297a.c 2011-04-17 15:57:33.000000000 -0400
60780 @@ -2606,7 +2606,6 @@ static int __init cs4297a_init(void)
60782 struct cs4297a_state *s;
60786 #ifndef CONFIG_BCM_CS4297A_CSWARM
60788 @@ -2696,22 +2695,23 @@ static int __init cs4297a_init(void)
60790 char *sb1250_duart_present;
60797 val = SOUND_MASK_LINE;
60798 mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
60799 for (i = 0; i < ARRAY_SIZE(initvol); i++) {
60800 val = initvol[i].vol;
60801 mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
60804 // cs4297a_write_ac97(s, 0x18, 0x0808);
60806 // cs4297a_write_ac97(s, 0x5e, 0x180);
60807 cs4297a_write_ac97(s, 0x02, 0x0808);
60808 cs4297a_write_ac97(s, 0x18, 0x0808);
60812 list_add(&s->list, &cs4297a_devs);
60814 diff -urNp linux-2.6.38.4/sound/pci/ac97/ac97_patch.c linux-2.6.38.4/sound/pci/ac97/ac97_patch.c
60815 --- linux-2.6.38.4/sound/pci/ac97/ac97_patch.c 2011-03-14 21:20:32.000000000 -0400
60816 +++ linux-2.6.38.4/sound/pci/ac97/ac97_patch.c 2011-04-17 15:57:33.000000000 -0400
60817 @@ -1486,7 +1486,7 @@ static const struct snd_ac97_res_table a
60818 { AC97_VIDEO, 0x9f1f },
60819 { AC97_AUX, 0x9f1f },
60820 { AC97_PCM, 0x9f1f },
60821 - { } /* terminator */
60822 + { 0, 0 } /* terminator */
60825 static int patch_ad1819(struct snd_ac97 * ac97)
60826 @@ -3864,7 +3864,7 @@ static struct snd_ac97_res_table lm4550_
60827 { AC97_AUX, 0x1f1f },
60828 { AC97_PCM, 0x1f1f },
60829 { AC97_REC_GAIN, 0x0f0f },
60830 - { } /* terminator */
60831 + { 0, 0 } /* terminator */
60834 static int patch_lm4550(struct snd_ac97 *ac97)
60835 diff -urNp linux-2.6.38.4/sound/pci/ens1370.c linux-2.6.38.4/sound/pci/ens1370.c
60836 --- linux-2.6.38.4/sound/pci/ens1370.c 2011-04-18 17:27:18.000000000 -0400
60837 +++ linux-2.6.38.4/sound/pci/ens1370.c 2011-04-17 16:54:08.000000000 -0400
60838 @@ -453,7 +453,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_audio
60839 { PCI_VDEVICE(ENSONIQ, 0x5880), 0, }, /* ES1373 - CT5880 */
60840 { PCI_VDEVICE(ECTIVA, 0x8938), 0, }, /* Ectiva EV1938 */
60843 + { 0, 0, 0, 0, 0, 0, 0 }
60846 MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
60847 diff -urNp linux-2.6.38.4/sound/pci/hda/patch_hdmi.c linux-2.6.38.4/sound/pci/hda/patch_hdmi.c
60848 --- linux-2.6.38.4/sound/pci/hda/patch_hdmi.c 2011-04-18 17:27:18.000000000 -0400
60849 +++ linux-2.6.38.4/sound/pci/hda/patch_hdmi.c 2011-04-17 16:54:08.000000000 -0400
60850 @@ -733,10 +733,10 @@ static void hdmi_non_intrinsic_event(str
60865 diff -urNp linux-2.6.38.4/sound/pci/intel8x0.c linux-2.6.38.4/sound/pci/intel8x0.c
60866 --- linux-2.6.38.4/sound/pci/intel8x0.c 2011-03-14 21:20:32.000000000 -0400
60867 +++ linux-2.6.38.4/sound/pci/intel8x0.c 2011-04-17 15:57:33.000000000 -0400
60868 @@ -444,7 +444,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
60869 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
60870 { PCI_VDEVICE(AMD, 0x7445), DEVICE_INTEL }, /* AMD768 */
60871 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
60873 + { 0, 0, 0, 0, 0, 0, 0 }
60876 MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
60877 @@ -2141,7 +2141,7 @@ static struct ac97_quirk ac97_quirks[] _
60878 .type = AC97_TUNE_HP_ONLY
60881 - { } /* terminator */
60882 + { 0, 0, 0, 0, NULL, 0 } /* terminator */
60885 static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
60886 diff -urNp linux-2.6.38.4/sound/pci/intel8x0m.c linux-2.6.38.4/sound/pci/intel8x0m.c
60887 --- linux-2.6.38.4/sound/pci/intel8x0m.c 2011-03-14 21:20:32.000000000 -0400
60888 +++ linux-2.6.38.4/sound/pci/intel8x0m.c 2011-04-17 15:57:33.000000000 -0400
60889 @@ -239,7 +239,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
60890 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
60891 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
60894 + { 0, 0, 0, 0, 0, 0, 0 }
60897 MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
60898 @@ -1264,7 +1264,7 @@ static struct shortname_table {
60899 { 0x5455, "ALi M5455" },
60900 { 0x746d, "AMD AMD8111" },
60906 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
60907 diff -urNp linux-2.6.38.4/usr/gen_init_cpio.c linux-2.6.38.4/usr/gen_init_cpio.c
60908 --- linux-2.6.38.4/usr/gen_init_cpio.c 2011-03-14 21:20:32.000000000 -0400
60909 +++ linux-2.6.38.4/usr/gen_init_cpio.c 2011-04-17 15:57:33.000000000 -0400
60910 @@ -305,7 +305,7 @@ static int cpio_mkfile(const char *name,
60919 @@ -394,9 +394,10 @@ static char *cpio_replace_env(char *new_
60920 *env_var = *expanded = '\0';
60921 strncat(env_var, start + 2, end - start - 2);
60922 strncat(expanded, new_location, start - new_location);
60923 - strncat(expanded, getenv(env_var), PATH_MAX);
60924 - strncat(expanded, end + 1, PATH_MAX);
60925 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
60926 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
60927 strncpy(new_location, expanded, PATH_MAX);
60928 + new_location[PATH_MAX] = 0;
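Review bot: `getenv(env_var)` on the first changed line returns NULL when the variable is unset, and strncat() with a NULL source is undefined behaviour (a crash in practice); the commit tightens the length bound but leaves that unchecked. Hold the result and skip the append when it is NULL: `const char *val = getenv(env_var); if (val) strncat(expanded, val, PATH_MAX - strlen(expanded));`. The `PATH_MAX - strlen(expanded)` bound and the new `new_location[PATH_MAX] = 0` both assume `PATH_MAX + 1`-byte buffers; `expanded` is declared outside the hunk and `new_location` belongs to the caller, so confirm both sizes. This is a build-host tool reading the initramfs file list, so the exposure is limited to malformed input at build time.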
60932 diff -urNp linux-2.6.38.4/virt/kvm/kvm_main.c linux-2.6.38.4/virt/kvm/kvm_main.c
60933 --- linux-2.6.38.4/virt/kvm/kvm_main.c 2011-03-14 21:20:32.000000000 -0400
60934 +++ linux-2.6.38.4/virt/kvm/kvm_main.c 2011-04-17 15:57:33.000000000 -0400
60935 @@ -1521,7 +1521,7 @@ static int kvm_vcpu_release(struct inode
60939 -static struct file_operations kvm_vcpu_fops = {
60940 +static struct file_operations kvm_vcpu_fops = { /* cannot be const */
60941 .release = kvm_vcpu_release,
60942 .unlocked_ioctl = kvm_vcpu_ioctl,
60943 .compat_ioctl = kvm_vcpu_ioctl,
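Review bot: The `/* cannot be const */` marker on kvm_vcpu_fops records that the table must stay writable but not why, and the kvm_init() hunk that would explain it is cut off at the end of this view; presumably the reason is that kvm_init() stores the module pointer into `.owner` at runtime, and the comment should say so: `/* cannot be const: kvm_init() writes .owner at runtime */`. A writable file_operations in .data is exactly the kind of function-pointer table this patch otherwise hardens, so consider marking it `__read_only` and bracketing that store with pax_open_kernel()/pax_close_kernel(), the pattern this same patch applies to `security_ops` in security/security.c. The same applies to kvm_vm_fops and kvm_chardev_ops in the hunks below.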
60944 @@ -1990,7 +1990,7 @@ static int kvm_vm_mmap(struct file *file
60948 -static struct file_operations kvm_vm_fops = {
60949 +static struct file_operations kvm_vm_fops = { /* cannot be const */
60950 .release = kvm_vm_release,
60951 .unlocked_ioctl = kvm_vm_ioctl,
60952 #ifdef CONFIG_COMPAT
60953 @@ -2088,7 +2088,7 @@ out:
60957 -static struct file_operations kvm_chardev_ops = {
60958 +static struct file_operations kvm_chardev_ops = { /* cannot be const */
60959 .unlocked_ioctl = kvm_dev_ioctl,
60960 .compat_ioctl = kvm_dev_ioctl,
60961 .llseek = noop_llseek,
60962 @@ -2098,6 +2098,9 @@ static struct miscdevice kvm_dev = {
60971 static void hardware_enable_nolock(void *junk)
60972 @@ -2443,7 +2446,7 @@ static void kvm_sched_out(struct preempt
60973 kvm_arch_vcpu_put(vcpu);
60976 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
60977 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
60978 struct module *module)